From 0e52539c38289d36986b62d94e73f04c4befce6f Mon Sep 17 00:00:00 2001 From: Michael Gehring Date: Thu, 12 May 2016 07:42:30 +0200 Subject: [PATCH] nodejs: update to 6.1.0. --- srcpkgs/nodejs/patches/openssl-1.0.2.h.patch | 3418 ------------------ srcpkgs/nodejs/template | 7 +- 2 files changed, 3 insertions(+), 3422 deletions(-) delete mode 100644 srcpkgs/nodejs/patches/openssl-1.0.2.h.patch diff --git a/srcpkgs/nodejs/patches/openssl-1.0.2.h.patch b/srcpkgs/nodejs/patches/openssl-1.0.2.h.patch deleted file mode 100644 index 7f26b114f1..0000000000 --- a/srcpkgs/nodejs/patches/openssl-1.0.2.h.patch +++ /dev/null @@ -1,3418 +0,0 @@ -Only in deps/openssl/openssl.old: .CHANGES.swp -diff -upr deps/openssl/openssl.old/CHANGES deps/openssl/openssl/CHANGES ---- deps/openssl/openssl.old/CHANGES 2016-04-26 21:50:09.000000000 +0200 -+++ deps/openssl/openssl/CHANGES 2016-05-03 15:46:41.000000000 +0200 -@@ -2,6 +2,103 @@ - OpenSSL CHANGES - _______________ - -+ Changes between 1.0.2g and 1.0.2h [3 May 2016] -+ -+ *) Prevent padding oracle in AES-NI CBC MAC check -+ -+ A MITM attacker can use a padding oracle attack to decrypt traffic -+ when the connection uses an AES CBC cipher and the server support -+ AES-NI. -+ -+ This issue was introduced as part of the fix for Lucky 13 padding -+ attack (CVE-2013-0169). The padding check was rewritten to be in -+ constant time by making sure that always the same bytes are read and -+ compared against either the MAC or padding bytes. But it no longer -+ checked that there was enough data to have both the MAC and padding -+ bytes. -+ -+ This issue was reported by Juraj Somorovsky using TLS-Attacker. -+ (CVE-2016-2107) -+ [Kurt Roeckx] -+ -+ *) Fix EVP_EncodeUpdate overflow -+ -+ An overflow can occur in the EVP_EncodeUpdate() function which is used for -+ Base64 encoding of binary data. If an attacker is able to supply very large -+ amounts of input data then a length check can overflow resulting in a heap -+ corruption. -+ -+ Internally to OpenSSL the EVP_EncodeUpdate() function is primarly used by -+ the PEM_write_bio* family of functions. These are mainly used within the -+ OpenSSL command line applications, so any application which processes data -+ from an untrusted source and outputs it as a PEM file should be considered -+ vulnerable to this issue. User applications that call these APIs directly -+ with large amounts of untrusted data may also be vulnerable. -+ -+ This issue was reported by Guido Vranken. -+ (CVE-2016-2105) -+ [Matt Caswell] -+ -+ *) Fix EVP_EncryptUpdate overflow -+ -+ An overflow can occur in the EVP_EncryptUpdate() function. If an attacker -+ is able to supply very large amounts of input data after a previous call to -+ EVP_EncryptUpdate() with a partial block then a length check can overflow -+ resulting in a heap corruption. Following an analysis of all OpenSSL -+ internal usage of the EVP_EncryptUpdate() function all usage is one of two -+ forms. The first form is where the EVP_EncryptUpdate() call is known to be -+ the first called function after an EVP_EncryptInit(), and therefore that -+ specific call must be safe. The second form is where the length passed to -+ EVP_EncryptUpdate() can be seen from the code to be some small value and -+ therefore there is no possibility of an overflow. Since all instances are -+ one of these two forms, it is believed that there can be no overflows in -+ internal code due to this problem. It should be noted that -+ EVP_DecryptUpdate() can call EVP_EncryptUpdate() in certain code paths. -+ Also EVP_CipherUpdate() is a synonym for EVP_EncryptUpdate(). All instances -+ of these calls have also been analysed too and it is believed there are no -+ instances in internal usage where an overflow could occur. -+ -+ This issue was reported by Guido Vranken. -+ (CVE-2016-2106) -+ [Matt Caswell] -+ -+ *) Prevent ASN.1 BIO excessive memory allocation -+ -+ When ASN.1 data is read from a BIO using functions such as d2i_CMS_bio() -+ a short invalid encoding can casuse allocation of large amounts of memory -+ potentially consuming excessive resources or exhausting memory. -+ -+ Any application parsing untrusted data through d2i BIO functions is -+ affected. The memory based functions such as d2i_X509() are *not* affected. -+ Since the memory based functions are used by the TLS library, TLS -+ applications are not affected. -+ -+ This issue was reported by Brian Carpenter. -+ (CVE-2016-2109) -+ [Stephen Henson] -+ -+ *) EBCDIC overread -+ -+ ASN1 Strings that are over 1024 bytes can cause an overread in applications -+ using the X509_NAME_oneline() function on EBCDIC systems. This could result -+ in arbitrary stack data being returned in the buffer. -+ -+ This issue was reported by Guido Vranken. -+ (CVE-2016-2176) -+ [Matt Caswell] -+ -+ *) Modify behavior of ALPN to invoke callback after SNI/servername -+ callback, such that updates to the SSL_CTX affect ALPN. -+ [Todd Short] -+ -+ *) Remove LOW from the DEFAULT cipher list. This removes singles DES from the -+ default. -+ [Kurt Roeckx] -+ -+ *) Only remove the SSLv2 methods with the no-ssl2-method option. When the -+ methods are enabled and ssl2 is disabled the methods return NULL. -+ [Kurt Roeckx] -+ - Changes between 1.0.2f and 1.0.2g [1 Mar 2016] - - * Disable weak ciphers in SSLv3 and up in default builds of OpenSSL. -@@ -8572,7 +8669,7 @@ des-cbc 3624.96k 5258.21k - - *) Source code cleanups: use const where appropriate, eliminate casts, - use void * instead of char * in lhash. -- [Ulf Möller] -+ [Ulf Möller] - - *) Bugfix: ssl3_send_server_key_exchange was not restartable - (the state was not changed to SSL3_ST_SW_KEY_EXCH_B, and because of -Only in deps/openssl/openssl: Makefile -Only in deps/openssl/openssl: Makefile.bak -diff -upr deps/openssl/openssl.old/NEWS deps/openssl/openssl/NEWS ---- deps/openssl/openssl.old/NEWS 2016-04-26 21:50:09.000000000 +0200 -+++ deps/openssl/openssl/NEWS 2016-05-03 15:46:41.000000000 +0200 -@@ -5,6 +5,19 @@ - This file gives a brief overview of the major changes between each OpenSSL - release. For more details please read the CHANGES file. - -+ Major changes between OpenSSL 1.0.2g and OpenSSL 1.0.2h [3 May 2016] -+ -+ o Prevent padding oracle in AES-NI CBC MAC check (CVE-2016-2107) -+ o Fix EVP_EncodeUpdate overflow (CVE-2016-2105) -+ o Fix EVP_EncryptUpdate overflow (CVE-2016-2106) -+ o Prevent ASN.1 BIO excessive memory allocation (CVE-2016-2109) -+ o EBCDIC overread (CVE-2016-2176) -+ o Modify behavior of ALPN to invoke callback after SNI/servername -+ callback, such that updates to the SSL_CTX affect ALPN. -+ o Remove LOW from the DEFAULT cipher list. This removes singles DES from -+ the default. -+ o Only remove the SSLv2 methods with the no-ssl2-method option. -+ - Major changes between OpenSSL 1.0.2f and OpenSSL 1.0.2g [1 Mar 2016] - - o Disable weak ciphers in SSLv3 and up in default builds of OpenSSL. -diff -upr deps/openssl/openssl.old/README deps/openssl/openssl/README ---- deps/openssl/openssl.old/README 2016-04-26 21:50:09.000000000 +0200 -+++ deps/openssl/openssl/README 2016-05-03 15:46:41.000000000 +0200 -@@ -1,5 +1,5 @@ - -- OpenSSL 1.0.2g 1 Mar 2016 -+ OpenSSL 1.0.2h 3 May 2016 - - Copyright (c) 1998-2015 The OpenSSL Project - Copyright (c) 1995-1998 Eric A. Young, Tim J. Hudson -Only in deps/openssl/openssl/apps: CA.pl -diff -upr deps/openssl/openssl.old/apps/app_rand.c deps/openssl/openssl/apps/app_rand.c ---- deps/openssl/openssl.old/apps/app_rand.c 2016-04-26 21:50:09.000000000 +0200 -+++ deps/openssl/openssl/apps/app_rand.c 2016-05-03 15:44:42.000000000 +0200 -@@ -124,16 +124,7 @@ int app_RAND_load_file(const char *file, - char buffer[200]; - - #ifdef OPENSSL_SYS_WINDOWS -- /* -- * allocate 2 to dont_warn not to use RAND_screen() via -- * -no_rand_screen option in s_client -- */ -- if (dont_warn != 2) { -- BIO_printf(bio_e, "Loading 'screen' into random state -"); -- BIO_flush(bio_e); -- RAND_screen(); -- BIO_printf(bio_e, " done\n"); -- } -+ RAND_screen(); - #endif - - if (file == NULL) -diff -upr deps/openssl/openssl.old/apps/pkcs7.c deps/openssl/openssl/apps/pkcs7.c ---- deps/openssl/openssl.old/apps/pkcs7.c 2016-04-26 21:50:09.000000000 +0200 -+++ deps/openssl/openssl/apps/pkcs7.c 2016-05-03 15:44:42.000000000 +0200 -@@ -235,12 +235,16 @@ int MAIN(int argc, char **argv) - i = OBJ_obj2nid(p7->type); - switch (i) { - case NID_pkcs7_signed: -- certs = p7->d.sign->cert; -- crls = p7->d.sign->crl; -+ if (p7->d.sign != NULL) { -+ certs = p7->d.sign->cert; -+ crls = p7->d.sign->crl; -+ } - break; - case NID_pkcs7_signedAndEnveloped: -- certs = p7->d.signed_and_enveloped->cert; -- crls = p7->d.signed_and_enveloped->crl; -+ if (p7->d.signed_and_enveloped != NULL) { -+ certs = p7->d.signed_and_enveloped->cert; -+ crls = p7->d.signed_and_enveloped->crl; -+ } - break; - default: - break; -diff -upr deps/openssl/openssl.old/apps/pkeyutl.c deps/openssl/openssl/apps/pkeyutl.c ---- deps/openssl/openssl.old/apps/pkeyutl.c 2016-04-26 21:50:09.000000000 +0200 -+++ deps/openssl/openssl/apps/pkeyutl.c 2016-05-03 15:44:42.000000000 +0200 -@@ -446,14 +446,14 @@ static EVP_PKEY_CTX *init_ctx(int *pkeys - - if (!pkey) - goto end; -- -+ - #ifndef OPENSSL_NO_ENGINE - if (engine_impl) - impl = e; - #endif -- -+ - ctx = EVP_PKEY_CTX_new(pkey, impl); -- -+ - EVP_PKEY_free(pkey); - - if (!ctx) -diff -upr deps/openssl/openssl.old/apps/s_client.c deps/openssl/openssl/apps/s_client.c ---- deps/openssl/openssl.old/apps/s_client.c 2016-04-26 21:50:09.000000000 +0200 -+++ deps/openssl/openssl/apps/s_client.c 2016-05-03 15:44:42.000000000 +0200 -@@ -180,13 +180,6 @@ typedef unsigned int u_int; - # include - #endif - --/* Use Windows API with STD_INPUT_HANDLE when checking for input? -- Don't look at OPENSSL_SYS_MSDOS for this, since it is always defined if -- OPENSSL_SYS_WINDOWS is defined */ --#if defined(OPENSSL_SYS_WINDOWS) && !defined(OPENSSL_SYS_WINCE) && defined(STD_INPUT_HANDLE) --#define OPENSSL_USE_STD_INPUT_HANDLE --#endif -- - #undef PROG - #define PROG s_client_main - -@@ -236,7 +229,6 @@ static BIO *bio_c_msg = NULL; - static int c_quiet = 0; - static int c_ign_eof = 0; - static int c_brief = 0; --static int c_no_rand_screen = 0; - - #ifndef OPENSSL_NO_PSK - /* Default PSK identity and key */ -@@ -455,10 +447,6 @@ static void sc_usage(void) - " -keymatexport label - Export keying material using label\n"); - BIO_printf(bio_err, - " -keymatexportlen len - Export len bytes of keying material (default 20)\n"); --#ifdef OPENSSL_SYS_WINDOWS -- BIO_printf(bio_err, -- " -no_rand_screen - Do not use RAND_screen() to initialize random state\n"); --#endif - } - - #ifndef OPENSSL_NO_TLSEXT -@@ -1138,10 +1126,6 @@ int MAIN(int argc, char **argv) - keymatexportlen = atoi(*(++argv)); - if (keymatexportlen == 0) - goto bad; --#ifdef OPENSSL_SYS_WINDOWS -- } else if (strcmp(*argv, "-no_rand_screen") == 0) { -- c_no_rand_screen = 1; --#endif - } else { - BIO_printf(bio_err, "unknown option %s\n", *argv); - badop = 1; -@@ -1247,7 +1231,7 @@ int MAIN(int argc, char **argv) - if (!load_excert(&exc, bio_err)) - goto end; - -- if (!app_RAND_load_file(NULL, bio_err, ++c_no_rand_screen) && inrand == NULL -+ if (!app_RAND_load_file(NULL, bio_err, 1) && inrand == NULL - && !RAND_status()) { - BIO_printf(bio_err, - "warning, not much extra random data, consider using the -rand option\n"); -@@ -1780,7 +1764,10 @@ int MAIN(int argc, char **argv) - tv.tv_usec = 0; - i = select(width, (void *)&readfds, (void *)&writefds, - NULL, &tv); --#if defined(OPENSSL_USE_STD_INPUT_HANDLE) -+# if defined(OPENSSL_SYS_WINCE) || defined(OPENSSL_SYS_MSDOS) -+ if (!i && (!_kbhit() || !read_tty)) -+ continue; -+# else - if (!i && (!((_kbhit()) - || (WAIT_OBJECT_0 == - WaitForSingleObject(GetStdHandle -@@ -1788,8 +1775,6 @@ int MAIN(int argc, char **argv) - 0))) - || !read_tty)) - continue; --#else -- if(!i && (!_kbhit() || !read_tty) ) continue; - # endif - } else - i = select(width, (void *)&readfds, (void *)&writefds, -@@ -1991,12 +1976,12 @@ int MAIN(int argc, char **argv) - } - } - #if defined(OPENSSL_SYS_WINDOWS) || defined(OPENSSL_SYS_MSDOS) --#if defined(OPENSSL_USE_STD_INPUT_HANDLE) -+# if defined(OPENSSL_SYS_WINCE) || defined(OPENSSL_SYS_MSDOS) -+ else if (_kbhit()) -+# else - else if ((_kbhit()) - || (WAIT_OBJECT_0 == - WaitForSingleObject(GetStdHandle(STD_INPUT_HANDLE), 0))) --#else -- else if (_kbhit()) - # endif - #elif defined (OPENSSL_SYS_NETWARE) - else if (_kbhit()) -diff -upr deps/openssl/openssl.old/crypto/aes/asm/aes-ppc.pl deps/openssl/openssl/crypto/aes/asm/aes-ppc.pl ---- deps/openssl/openssl.old/crypto/aes/asm/aes-ppc.pl 2016-04-26 21:50:09.000000000 +0200 -+++ deps/openssl/openssl/crypto/aes/asm/aes-ppc.pl 2016-05-03 15:38:19.000000000 +0200 -@@ -590,7 +590,7 @@ Lenc_loop: - xor $s2,$t2,$acc14 - xor $s3,$t3,$acc15 - addi $key,$key,16 -- bdnz- Lenc_loop -+ bdnz Lenc_loop - - addi $Tbl2,$Tbl0,2048 - nop -@@ -1068,7 +1068,7 @@ Ldec_loop: - xor $s2,$t2,$acc14 - xor $s3,$t3,$acc15 - addi $key,$key,16 -- bdnz- Ldec_loop -+ bdnz Ldec_loop - - addi $Tbl2,$Tbl0,2048 - nop -diff -upr deps/openssl/openssl.old/crypto/aes/asm/aes-s390x.pl deps/openssl/openssl/crypto/aes/asm/aes-s390x.pl ---- deps/openssl/openssl.old/crypto/aes/asm/aes-s390x.pl 2016-04-26 21:50:09.000000000 +0200 -+++ deps/openssl/openssl/crypto/aes/asm/aes-s390x.pl 2016-05-03 15:44:42.000000000 +0200 -@@ -818,13 +818,9 @@ $code.=<<___ if (!$softonly); - tmhl %r0,0x4000 # check for message-security assist - jz .Lekey_internal - -- lghi %r0,0 # query capability vector -- la %r1,16($sp) -- .long 0xb92f0042 # kmc %r4,%r2 -- -- llihh %r1,0x8000 -- srlg %r1,%r1,0(%r5) -- ng %r1,16($sp) -+ llihh %r0,0x8000 -+ srlg %r0,%r0,0(%r5) -+ ng %r0,48(%r1) # check kmc capability vector - jz .Lekey_internal - - lmg %r0,%r1,0($inp) # just copy 128 bits... -@@ -1444,13 +1440,10 @@ $code.=<<___ if (0); ######### kmctr cod - - llgfr $s0,%r0 - lgr $s1,%r1 -- lghi %r0,0 -- la %r1,16($sp) -- .long 0xb92d2042 # kmctr %r4,%r2,%r2 -- -+ larl %r1,OPENSSL_s390xcap_P - llihh %r0,0x8000 # check if kmctr supports the function code - srlg %r0,%r0,0($s0) -- ng %r0,16($sp) -+ ng %r0,64(%r1) # check kmctr capability vector - lgr %r0,$s0 - lgr %r1,$s1 - jz .Lctr32_km_loop -@@ -1597,12 +1590,10 @@ $code.=<<___ if(1); - llgfr $s0,%r0 # put aside the function code - lghi $s1,0x7f - nr $s1,%r0 -- lghi %r0,0 # query capability vector -- la %r1,$tweak-16($sp) -- .long 0xb92e0042 # km %r4,%r2 -- llihh %r1,0x8000 -- srlg %r1,%r1,32($s1) # check for 32+function code -- ng %r1,$tweak-16($sp) -+ larl %r1,OPENSSL_s390xcap_P -+ llihh %r0,0x8000 -+ srlg %r0,%r0,32($s1) # check for 32+function code -+ ng %r0,32(%r1) # check km capability vector - lgr %r0,$s0 # restore the function code - la %r1,0($key1) # restore $key1 - jz .Lxts_km_vanilla -@@ -2229,7 +2220,7 @@ ___ - } - $code.=<<___; - .string "AES for s390x, CRYPTOGAMS by " --.comm OPENSSL_s390xcap_P,16,8 -+.comm OPENSSL_s390xcap_P,80,8 - ___ - - $code =~ s/\`([^\`]*)\`/eval $1/gem; -diff -upr deps/openssl/openssl.old/crypto/asn1/a_bytes.c deps/openssl/openssl/crypto/asn1/a_bytes.c ---- deps/openssl/openssl.old/crypto/asn1/a_bytes.c 2016-04-26 21:50:09.000000000 +0200 -+++ deps/openssl/openssl/crypto/asn1/a_bytes.c 2016-05-03 15:44:42.000000000 +0200 -@@ -200,13 +200,13 @@ ASN1_STRING *d2i_ASN1_bytes(ASN1_STRING - } else { - if (len != 0) { - if ((ret->length < len) || (ret->data == NULL)) { -- if (ret->data != NULL) -- OPENSSL_free(ret->data); - s = (unsigned char *)OPENSSL_malloc((int)len + 1); - if (s == NULL) { - i = ERR_R_MALLOC_FAILURE; - goto err; - } -+ if (ret->data != NULL) -+ OPENSSL_free(ret->data); - } else - s = ret->data; - memcpy(s, p, (int)len); -diff -upr deps/openssl/openssl.old/crypto/asn1/a_d2i_fp.c deps/openssl/openssl/crypto/asn1/a_d2i_fp.c ---- deps/openssl/openssl.old/crypto/asn1/a_d2i_fp.c 2016-04-26 21:50:09.000000000 +0200 -+++ deps/openssl/openssl/crypto/asn1/a_d2i_fp.c 2016-05-03 15:44:42.000000000 +0200 -@@ -141,6 +141,7 @@ void *ASN1_item_d2i_fp(const ASN1_ITEM * - #endif - - #define HEADER_SIZE 8 -+#define ASN1_CHUNK_INITIAL_SIZE (16 * 1024) - static int asn1_d2i_read_bio(BIO *in, BUF_MEM **pb) - { - BUF_MEM *b; -@@ -217,29 +218,44 @@ static int asn1_d2i_read_bio(BIO *in, BU - /* suck in c.slen bytes of data */ - want = c.slen; - if (want > (len - off)) { -+ size_t chunk_max = ASN1_CHUNK_INITIAL_SIZE; -+ - want -= (len - off); - if (want > INT_MAX /* BIO_read takes an int length */ || - len + want < len) { - ASN1err(ASN1_F_ASN1_D2I_READ_BIO, ASN1_R_TOO_LONG); - goto err; - } -- if (!BUF_MEM_grow_clean(b, len + want)) { -- ASN1err(ASN1_F_ASN1_D2I_READ_BIO, ERR_R_MALLOC_FAILURE); -- goto err; -- } - while (want > 0) { -- i = BIO_read(in, &(b->data[len]), want); -- if (i <= 0) { -- ASN1err(ASN1_F_ASN1_D2I_READ_BIO, -- ASN1_R_NOT_ENOUGH_DATA); -+ /* -+ * Read content in chunks of increasing size -+ * so we can return an error for EOF without -+ * having to allocate the entire content length -+ * in one go. -+ */ -+ size_t chunk = want > chunk_max ? chunk_max : want; -+ -+ if (!BUF_MEM_grow_clean(b, len + chunk)) { -+ ASN1err(ASN1_F_ASN1_D2I_READ_BIO, ERR_R_MALLOC_FAILURE); - goto err; - } -+ want -= chunk; -+ while (chunk > 0) { -+ i = BIO_read(in, &(b->data[len]), chunk); -+ if (i <= 0) { -+ ASN1err(ASN1_F_ASN1_D2I_READ_BIO, -+ ASN1_R_NOT_ENOUGH_DATA); -+ goto err; -+ } - /* - * This can't overflow because |len+want| didn't - * overflow. - */ -- len += i; -- want -= i; -+ len += i; -+ chunk -= i; -+ } -+ if (chunk_max < INT_MAX/2) -+ chunk_max *= 2; - } - } - if (off + c.slen < off) { -diff -upr deps/openssl/openssl.old/crypto/asn1/a_type.c deps/openssl/openssl/crypto/asn1/a_type.c ---- deps/openssl/openssl.old/crypto/asn1/a_type.c 2016-04-26 21:50:09.000000000 +0200 -+++ deps/openssl/openssl/crypto/asn1/a_type.c 2016-05-03 15:44:47.000000000 +0200 -@@ -126,9 +126,7 @@ int ASN1_TYPE_cmp(const ASN1_TYPE *a, co - result = 0; /* They do not have content. */ - break; - case V_ASN1_INTEGER: -- case V_ASN1_NEG_INTEGER: - case V_ASN1_ENUMERATED: -- case V_ASN1_NEG_ENUMERATED: - case V_ASN1_BIT_STRING: - case V_ASN1_OCTET_STRING: - case V_ASN1_SEQUENCE: -diff -upr deps/openssl/openssl.old/crypto/asn1/asn1_lib.c deps/openssl/openssl/crypto/asn1/asn1_lib.c ---- deps/openssl/openssl.old/crypto/asn1/asn1_lib.c 2016-04-26 21:50:09.000000000 +0200 -+++ deps/openssl/openssl/crypto/asn1/asn1_lib.c 2016-05-03 15:44:42.000000000 +0200 -@@ -63,7 +63,7 @@ - #include - - static int asn1_get_length(const unsigned char **pp, int *inf, long *rl, -- int max); -+ long max); - static void asn1_put_length(unsigned char **pp, int length); - const char ASN1_version[] = "ASN.1" OPENSSL_VERSION_PTEXT; - -@@ -131,7 +131,7 @@ int ASN1_get_object(const unsigned char - } - *ptag = tag; - *pclass = xclass; -- if (!asn1_get_length(&p, &inf, plength, (int)max)) -+ if (!asn1_get_length(&p, &inf, plength, max)) - goto err; - - if (inf && !(ret & V_ASN1_CONSTRUCTED)) -@@ -159,14 +159,14 @@ int ASN1_get_object(const unsigned char - } - - static int asn1_get_length(const unsigned char **pp, int *inf, long *rl, -- int max) -+ long max) - { - const unsigned char *p = *pp; - unsigned long ret = 0; -- unsigned int i; -+ unsigned long i; - - if (max-- < 1) -- return (0); -+ return 0; - if (*p == 0x80) { - *inf = 1; - ret = 0; -@@ -175,15 +175,11 @@ static int asn1_get_length(const unsigne - *inf = 0; - i = *p & 0x7f; - if (*(p++) & 0x80) { -- if (i > sizeof(long)) -+ if (i > sizeof(ret) || max < (long)i) - return 0; -- if (max-- == 0) -- return (0); - while (i-- > 0) { - ret <<= 8L; - ret |= *(p++); -- if (max-- == 0) -- return (0); - } - } else - ret = i; -@@ -192,7 +188,7 @@ static int asn1_get_length(const unsigne - return 0; - *pp = p; - *rl = (long)ret; -- return (1); -+ return 1; - } - - /* -diff -upr deps/openssl/openssl.old/crypto/asn1/asn1_par.c deps/openssl/openssl/crypto/asn1/asn1_par.c ---- deps/openssl/openssl.old/crypto/asn1/asn1_par.c 2016-04-26 21:50:09.000000000 +0200 -+++ deps/openssl/openssl/crypto/asn1/asn1_par.c 2016-05-03 15:44:42.000000000 +0200 -@@ -173,6 +173,8 @@ static int asn1_parse2(BIO *bp, const un - if (!asn1_print_info(bp, tag, xclass, j, (indent) ? depth : 0)) - goto end; - if (j & V_ASN1_CONSTRUCTED) { -+ const unsigned char *sp; -+ - ep = p + len; - if (BIO_write(bp, "\n", 1) <= 0) - goto end; -@@ -182,6 +184,7 @@ static int asn1_parse2(BIO *bp, const un - goto end; - } - if ((j == 0x21) && (len == 0)) { -+ sp = p; - for (;;) { - r = asn1_parse2(bp, &p, (long)(tot - p), - offset + (p - *pp), depth + 1, -@@ -190,19 +193,25 @@ static int asn1_parse2(BIO *bp, const un - ret = 0; - goto end; - } -- if ((r == 2) || (p >= tot)) -+ if ((r == 2) || (p >= tot)) { -+ len = p - sp; - break; -+ } - } -- } else -+ } else { -+ long tmp = len; -+ - while (p < ep) { -- r = asn1_parse2(bp, &p, (long)len, -- offset + (p - *pp), depth + 1, -+ sp = p; -+ r = asn1_parse2(bp, &p, tmp, offset + (p - *pp), depth + 1, - indent, dump); - if (r == 0) { - ret = 0; - goto end; - } -+ tmp -= p - sp; - } -+ } - } else if (xclass != 0) { - p += len; - if (BIO_write(bp, "\n", 1) <= 0) -diff -upr deps/openssl/openssl.old/crypto/asn1/t_x509.c deps/openssl/openssl/crypto/asn1/t_x509.c ---- deps/openssl/openssl.old/crypto/asn1/t_x509.c 2016-04-26 21:50:09.000000000 +0200 -+++ deps/openssl/openssl/crypto/asn1/t_x509.c 2016-05-03 15:44:42.000000000 +0200 -@@ -140,7 +140,8 @@ int X509_print_ex(BIO *bp, X509 *x, unsi - goto err; - - bs = X509_get_serialNumber(x); -- if (bs->length <= (int)sizeof(long)) { -+ if (bs->length < (int)sizeof(long) -+ || (bs->length == sizeof(long) && (bs->data[0] & 0x80) == 0)) { - l = ASN1_INTEGER_get(bs); - if (bs->type == V_ASN1_NEG_INTEGER) { - l = -l; -diff -upr deps/openssl/openssl.old/crypto/asn1/tasn_dec.c deps/openssl/openssl/crypto/asn1/tasn_dec.c ---- deps/openssl/openssl.old/crypto/asn1/tasn_dec.c 2016-04-26 21:50:09.000000000 +0200 -+++ deps/openssl/openssl/crypto/asn1/tasn_dec.c 2016-05-03 15:44:47.000000000 +0200 -@@ -901,9 +901,7 @@ int asn1_ex_c2i(ASN1_VALUE **pval, const - break; - - case V_ASN1_INTEGER: -- case V_ASN1_NEG_INTEGER: - case V_ASN1_ENUMERATED: -- case V_ASN1_NEG_ENUMERATED: - tint = (ASN1_INTEGER **)pval; - if (!c2i_ASN1_INTEGER(tint, &cont, len)) - goto err; -diff -upr deps/openssl/openssl.old/crypto/asn1/tasn_enc.c deps/openssl/openssl/crypto/asn1/tasn_enc.c ---- deps/openssl/openssl.old/crypto/asn1/tasn_enc.c 2016-04-26 21:50:09.000000000 +0200 -+++ deps/openssl/openssl/crypto/asn1/tasn_enc.c 2016-05-03 15:44:47.000000000 +0200 -@@ -611,9 +611,7 @@ int asn1_ex_i2c(ASN1_VALUE **pval, unsig - break; - - case V_ASN1_INTEGER: -- case V_ASN1_NEG_INTEGER: - case V_ASN1_ENUMERATED: -- case V_ASN1_NEG_ENUMERATED: - /* - * These are all have the same content format as ASN1_INTEGER - */ -diff -upr deps/openssl/openssl.old/crypto/asn1/x_name.c deps/openssl/openssl/crypto/asn1/x_name.c ---- deps/openssl/openssl.old/crypto/asn1/x_name.c 2016-04-26 21:50:09.000000000 +0200 -+++ deps/openssl/openssl/crypto/asn1/x_name.c 2016-05-03 15:44:42.000000000 +0200 -@@ -66,6 +66,13 @@ - typedef STACK_OF(X509_NAME_ENTRY) STACK_OF_X509_NAME_ENTRY; - DECLARE_STACK_OF(STACK_OF_X509_NAME_ENTRY) - -+/* -+ * Maximum length of X509_NAME: much larger than anything we should -+ * ever see in practice. -+ */ -+ -+#define X509_NAME_MAX (1024 * 1024) -+ - static int x509_name_ex_d2i(ASN1_VALUE **val, - const unsigned char **in, long len, - const ASN1_ITEM *it, -@@ -192,6 +199,10 @@ static int x509_name_ex_d2i(ASN1_VALUE * - int i, j, ret; - STACK_OF(X509_NAME_ENTRY) *entries; - X509_NAME_ENTRY *entry; -+ if (len > X509_NAME_MAX) { -+ ASN1err(ASN1_F_X509_NAME_EX_D2I, ASN1_R_TOO_LONG); -+ return 0; -+ } - q = p; - - /* Get internal representation of Name */ -diff -upr deps/openssl/openssl.old/crypto/asn1/x_x509.c deps/openssl/openssl/crypto/asn1/x_x509.c ---- deps/openssl/openssl.old/crypto/asn1/x_x509.c 2016-04-26 21:50:09.000000000 +0200 -+++ deps/openssl/openssl/crypto/asn1/x_x509.c 2016-05-03 15:44:42.000000000 +0200 -@@ -201,10 +201,20 @@ X509 *d2i_X509_AUX(X509 **a, const unsig - - int i2d_X509_AUX(X509 *a, unsigned char **pp) - { -- int length; -+ int length, tmplen; -+ unsigned char *start = pp != NULL ? *pp : NULL; - length = i2d_X509(a, pp); -- if (a) -- length += i2d_X509_CERT_AUX(a->aux, pp); -+ if (length < 0 || a == NULL) -+ return length; -+ -+ tmplen = i2d_X509_CERT_AUX(a->aux, pp); -+ if (tmplen < 0) { -+ if (start != NULL) -+ *pp = start; -+ return tmplen; -+ } -+ length += tmplen; -+ - return length; - } - -diff -upr deps/openssl/openssl.old/crypto/bn/asm/ppc-mont.pl deps/openssl/openssl/crypto/bn/asm/ppc-mont.pl ---- deps/openssl/openssl.old/crypto/bn/asm/ppc-mont.pl 2016-04-26 21:50:09.000000000 +0200 -+++ deps/openssl/openssl/crypto/bn/asm/ppc-mont.pl 2016-05-03 15:38:19.000000000 +0200 -@@ -191,7 +191,7 @@ L1st: - - addi $j,$j,$BNSZ ; j++ - addi $tp,$tp,$BNSZ ; tp++ -- bdnz- L1st -+ bdnz L1st - ;L1st - addc $lo0,$alo,$hi0 - addze $hi0,$ahi -@@ -253,7 +253,7 @@ Linner: - addze $hi1,$hi1 - $ST $lo1,0($tp) ; tp[j-1] - addi $tp,$tp,$BNSZ ; tp++ -- bdnz- Linner -+ bdnz Linner - ;Linner - $LD $tj,$BNSZ($tp) ; tp[j] - addc $lo0,$alo,$hi0 -@@ -276,7 +276,7 @@ Linner: - slwi $tj,$num,`log($BNSZ)/log(2)` - $UCMP $i,$tj - addi $i,$i,$BNSZ -- ble- Louter -+ ble Louter - - addi $num,$num,2 ; restore $num - subfc $j,$j,$j ; j=0 and "clear" XER[CA] -@@ -289,7 +289,7 @@ Lsub: $LDX $tj,$tp,$j - subfe $aj,$nj,$tj ; tp[j]-np[j] - $STX $aj,$rp,$j - addi $j,$j,$BNSZ -- bdnz- Lsub -+ bdnz Lsub - - li $j,0 - mtctr $num -@@ -304,7 +304,7 @@ Lcopy: ; copy or in-place refresh - $STX $tj,$rp,$j - $STX $j,$tp,$j ; zap at once - addi $j,$j,$BNSZ -- bdnz- Lcopy -+ bdnz Lcopy - - $POP $tj,0($sp) - li r3,1 -diff -upr deps/openssl/openssl.old/crypto/bn/asm/ppc.pl deps/openssl/openssl/crypto/bn/asm/ppc.pl ---- deps/openssl/openssl.old/crypto/bn/asm/ppc.pl 2016-04-26 21:50:09.000000000 +0200 -+++ deps/openssl/openssl/crypto/bn/asm/ppc.pl 2016-05-03 15:44:42.000000000 +0200 -@@ -1556,7 +1556,7 @@ Lppcasm_sub_mainloop: - # if carry = 1 this is r7-r8. Else it - # is r7-r8 -1 as we need. - $STU r6,$BNSZ(r3) -- bdnz- Lppcasm_sub_mainloop -+ bdnz Lppcasm_sub_mainloop - Lppcasm_sub_adios: - subfze r3,r0 # if carry bit is set then r3 = 0 else -1 - andi. r3,r3,1 # keep only last bit. -@@ -1603,7 +1603,7 @@ Lppcasm_add_mainloop: - $LDU r8,$BNSZ(r5) - adde r8,r7,r8 - $STU r8,$BNSZ(r3) -- bdnz- Lppcasm_add_mainloop -+ bdnz Lppcasm_add_mainloop - Lppcasm_add_adios: - addze r3,r0 #return carry bit. - blr -@@ -1762,7 +1762,7 @@ Lppcasm_sqr_mainloop: - $UMULH r8,r6,r6 - $STU r7,$BNSZ(r3) - $STU r8,$BNSZ(r3) -- bdnz- Lppcasm_sqr_mainloop -+ bdnz Lppcasm_sqr_mainloop - Lppcasm_sqr_adios: - blr - .long 0 -@@ -1827,7 +1827,7 @@ Lppcasm_mw_LOOP: - - addi r3,r3,`4*$BNSZ` - addi r4,r4,`4*$BNSZ` -- bdnz- Lppcasm_mw_LOOP -+ bdnz Lppcasm_mw_LOOP - - Lppcasm_mw_REM: - andi. r5,r5,0x3 -@@ -1951,7 +1951,7 @@ Lppcasm_maw_mainloop: - $ST r11,`3*$BNSZ`(r3) - addi r3,r3,`4*$BNSZ` - addi r4,r4,`4*$BNSZ` -- bdnz- Lppcasm_maw_mainloop -+ bdnz Lppcasm_maw_mainloop - - Lppcasm_maw_leftover: - andi. r5,r5,0x3 -diff -upr deps/openssl/openssl.old/crypto/bn/asm/ppc64-mont.pl deps/openssl/openssl/crypto/bn/asm/ppc64-mont.pl ---- deps/openssl/openssl.old/crypto/bn/asm/ppc64-mont.pl 2016-04-26 21:50:09.000000000 +0200 -+++ deps/openssl/openssl/crypto/bn/asm/ppc64-mont.pl 2016-05-03 15:38:19.000000000 +0200 -@@ -734,7 +734,7 @@ $code.=<<___; - ___ - } - $code.=<<___; -- bdnz- L1st -+ bdnz L1st - - fctid $dota,$dota - fctid $dotb,$dotb -@@ -1280,7 +1280,7 @@ $code.=<<___; - ___ - } - $code.=<<___; -- bdnz- Linner -+ bdnz Linner - - fctid $dota,$dota - fctid $dotb,$dotb -@@ -1490,7 +1490,7 @@ Lsub: ldx $t0,$tp,$i - stdx $t0,$rp,$i - stdx $t2,$t6,$i - addi $i,$i,16 -- bdnz- Lsub -+ bdnz Lsub - - li $i,0 - subfe $ovf,$i,$ovf ; handle upmost overflow bit -@@ -1517,7 +1517,7 @@ Lcopy: ; copy or in-place refresh - stdx $i,$tp,$i ; zap tp at once - stdx $i,$t4,$i - addi $i,$i,16 -- bdnz- Lcopy -+ bdnz Lcopy - ___ - $code.=<<___ if ($SIZE_T==4); - subf $np,$num,$np ; rewind np -@@ -1550,7 +1550,7 @@ Lsub: lwz $t0,12($tp) ; load tp[j..j+3] - stw $t5,8($rp) - stw $t6,12($rp) - stwu $t7,16($rp) -- bdnz- Lsub -+ bdnz Lsub - - li $i,0 - subfe $ovf,$i,$ovf ; handle upmost overflow bit -@@ -1582,7 +1582,7 @@ Lcopy: ; copy or in-place refresh - stwu $t3,16($rp) - std $i,8($tp) ; zap tp at once - stdu $i,16($tp) -- bdnz- Lcopy -+ bdnz Lcopy - ___ - - $code.=<<___; -diff -upr deps/openssl/openssl.old/crypto/bn/asm/x86-mont.pl deps/openssl/openssl/crypto/bn/asm/x86-mont.pl ---- deps/openssl/openssl.old/crypto/bn/asm/x86-mont.pl 2016-04-26 21:50:09.000000000 +0200 -+++ deps/openssl/openssl/crypto/bn/asm/x86-mont.pl 2016-05-03 15:44:42.000000000 +0200 -@@ -85,6 +85,21 @@ $frame=32; # size of above frame roun - - &and ("esp",-64); # align to cache line - -+ # Some OSes, *cough*-dows, insist on stack being "wired" to -+ # physical memory in strictly sequential manner, i.e. if stack -+ # allocation spans two pages, then reference to farmost one can -+ # be punishable by SEGV. But page walking can do good even on -+ # other OSes, because it guarantees that villain thread hits -+ # the guard page before it can make damage to innocent one... -+ &mov ("eax","ebp"); -+ &sub ("eax","esp"); -+ &and ("eax",-4096); -+&set_label("page_walk"); -+ &mov ("edx",&DWP(0,"esp","eax")); -+ &sub ("eax",4096); -+ &data_byte(0x2e); -+ &jnc (&label("page_walk")); -+ - ################################# load argument block... - &mov ("eax",&DWP(0*4,"esi"));# BN_ULONG *rp - &mov ("ebx",&DWP(1*4,"esi"));# const BN_ULONG *ap -diff -upr deps/openssl/openssl.old/crypto/bn/asm/x86_64-mont.pl deps/openssl/openssl/crypto/bn/asm/x86_64-mont.pl ---- deps/openssl/openssl.old/crypto/bn/asm/x86_64-mont.pl 2016-04-26 21:50:09.000000000 +0200 -+++ deps/openssl/openssl/crypto/bn/asm/x86_64-mont.pl 2016-05-03 15:44:42.000000000 +0200 -@@ -130,6 +130,20 @@ $code.=<<___; - - mov %r11,8(%rsp,$num,8) # tp[num+1]=%rsp - .Lmul_body: -+ # Some OSes, *cough*-dows, insist on stack being "wired" to -+ # physical memory in strictly sequential manner, i.e. if stack -+ # allocation spans two pages, then reference to farmost one can -+ # be punishable by SEGV. But page walking can do good even on -+ # other OSes, because it guarantees that villain thread hits -+ # the guard page before it can make damage to innocent one... -+ sub %rsp,%r11 -+ and \$-4096,%r11 -+.Lmul_page_walk: -+ mov (%rsp,%r11),%r10 -+ sub \$4096,%r11 -+ .byte 0x66,0x2e # predict non-taken -+ jnc .Lmul_page_walk -+ - mov $bp,%r12 # reassign $bp - ___ - $bp="%r12"; -@@ -342,6 +356,14 @@ $code.=<<___; - - mov %r11,8(%rsp,$num,8) # tp[num+1]=%rsp - .Lmul4x_body: -+ sub %rsp,%r11 -+ and \$-4096,%r11 -+.Lmul4x_page_walk: -+ mov (%rsp,%r11),%r10 -+ sub \$4096,%r11 -+ .byte 0x2e # predict non-taken -+ jnc .Lmul4x_page_walk -+ - mov $rp,16(%rsp,$num,8) # tp[num+2]=$rp - mov %rdx,%r12 # reassign $bp - ___ -@@ -795,6 +817,15 @@ bn_sqr8x_mont: - sub %r11,%rsp - .Lsqr8x_sp_done: - and \$-64,%rsp -+ mov %rax,%r11 -+ sub %rsp,%r11 -+ and \$-4096,%r11 -+.Lsqr8x_page_walk: -+ mov (%rsp,%r11),%r10 -+ sub \$4096,%r11 -+ .byte 0x2e # predict non-taken -+ jnc .Lsqr8x_page_walk -+ - mov $num,%r10 - neg $num - -@@ -932,8 +963,17 @@ bn_mulx4x_mont: - sub $num,%r10 # -$num - mov ($n0),$n0 # *n0 - lea -72(%rsp,%r10),%rsp # alloca(frame+$num+8) -- lea ($bp,$num),%r10 - and \$-128,%rsp -+ mov %rax,%r11 -+ sub %rsp,%r11 -+ and \$-4096,%r11 -+.Lmulx4x_page_walk: -+ mov (%rsp,%r11),%r10 -+ sub \$4096,%r11 -+ .byte 0x66,0x2e # predict non-taken -+ jnc .Lmulx4x_page_walk -+ -+ lea ($bp,$num),%r10 - ############################################################## - # Stack layout - # +0 num -diff -upr deps/openssl/openssl.old/crypto/bn/asm/x86_64-mont5.pl deps/openssl/openssl/crypto/bn/asm/x86_64-mont5.pl ---- deps/openssl/openssl.old/crypto/bn/asm/x86_64-mont5.pl 2016-04-26 21:50:09.000000000 +0200 -+++ deps/openssl/openssl/crypto/bn/asm/x86_64-mont5.pl 2016-05-03 15:44:42.000000000 +0200 -@@ -115,6 +115,20 @@ $code.=<<___; - - mov %rax,8(%rsp,$num,8) # tp[num+1]=%rsp - .Lmul_body: -+ # Some OSes, *cough*-dows, insist on stack being "wired" to -+ # physical memory in strictly sequential manner, i.e. if stack -+ # allocation spans two pages, then reference to farmost one can -+ # be punishable by SEGV. But page walking can do good even on -+ # other OSes, because it guarantees that villain thread hits -+ # the guard page before it can make damage to innocent one... -+ sub %rsp,%rax -+ and \$-4096,%rax -+.Lmul_page_walk: -+ mov (%rsp,%rax),%r11 -+ sub \$4096,%rax -+ .byte 0x2e # predict non-taken -+ jnc .Lmul_page_walk -+ - lea 128($bp),%r12 # reassign $bp (+size optimization) - ___ - $bp="%r12"; -@@ -469,6 +483,15 @@ $code.=<<___; - sub %r11,%rsp - .Lmul4xsp_done: - and \$-64,%rsp -+ mov %rax,%r11 -+ sub %rsp,%r11 -+ and \$-4096,%r11 -+.Lmul4x_page_walk: -+ mov (%rsp,%r11),%r10 -+ sub \$4096,%r11 -+ .byte 0x2e # predict non-taken -+ jnc .Lmul4x_page_walk -+ - neg $num - - mov %rax,40(%rsp) -@@ -1058,6 +1081,15 @@ $code.=<<___; - sub %r11,%rsp - .Lpwr_sp_done: - and \$-64,%rsp -+ mov %rax,%r11 -+ sub %rsp,%r11 -+ and \$-4096,%r11 -+.Lpwr_page_walk: -+ mov (%rsp,%r11),%r10 -+ sub \$4096,%r11 -+ .byte 0x2e # predict non-taken -+ jnc .Lpwr_page_walk -+ - mov $num,%r10 - neg $num - -@@ -2028,7 +2060,16 @@ bn_from_mont8x: - sub %r11,%rsp - .Lfrom_sp_done: - and \$-64,%rsp -- mov $num,%r10 -+ mov %rax,%r11 -+ sub %rsp,%r11 -+ and \$-4096,%r11 -+.Lfrom_page_walk: -+ mov (%rsp,%r11),%r10 -+ sub \$4096,%r11 -+ .byte 0x2e # predict non-taken -+ jnc .Lfrom_page_walk -+ -+ mov $num,%r10 - neg $num - - ############################################################## -@@ -2173,6 +2214,15 @@ bn_mulx4x_mont_gather5: - sub %r11,%rsp - .Lmulx4xsp_done: - and \$-64,%rsp # ensure alignment -+ mov %rax,%r11 -+ sub %rsp,%r11 -+ and \$-4096,%r11 -+.Lmulx4x_page_walk: -+ mov (%rsp,%r11),%r10 -+ sub \$4096,%r11 -+ .byte 0x2e # predict non-taken -+ jnc .Lmulx4x_page_walk -+ - ############################################################## - # Stack layout - # +0 -num -@@ -2619,6 +2669,15 @@ bn_powerx5: - sub %r11,%rsp - .Lpwrx_sp_done: - and \$-64,%rsp -+ mov %rax,%r11 -+ sub %rsp,%r11 -+ and \$-4096,%r11 -+.Lpwrx_page_walk: -+ mov (%rsp,%r11),%r10 -+ sub \$4096,%r11 -+ .byte 0x2e # predict non-taken -+ jnc .Lpwrx_page_walk -+ - mov $num,%r10 - neg $num - -diff -upr deps/openssl/openssl.old/crypto/comp/comp.h deps/openssl/openssl/crypto/comp/comp.h ---- deps/openssl/openssl.old/crypto/comp/comp.h 2016-04-26 21:50:09.000000000 +0200 -+++ deps/openssl/openssl/crypto/comp/comp.h 2016-05-03 15:44:42.000000000 +0200 -@@ -4,6 +4,10 @@ - - # include - -+# ifdef OPENSSL_NO_COMP -+# error COMP is disabled. -+# endif -+ - #ifdef __cplusplus - extern "C" { - #endif -Only in deps/openssl/openssl/crypto/des: t -diff -upr deps/openssl/openssl.old/crypto/evp/Makefile deps/openssl/openssl/crypto/evp/Makefile ---- deps/openssl/openssl.old/crypto/evp/Makefile 2016-04-26 21:50:09.000000000 +0200 -+++ deps/openssl/openssl/crypto/evp/Makefile 2016-05-03 15:46:33.000000000 +0200 -@@ -199,8 +199,8 @@ e_aes.o: ../../include/openssl/opensslv. - e_aes.o: ../../include/openssl/rand.h ../../include/openssl/safestack.h - e_aes.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h - e_aes.o: ../modes/modes_lcl.h e_aes.c evp_locl.h --e_aes_cbc_hmac_sha1.o: ../../include/openssl/aes.h ../../include/openssl/asn1.h --e_aes_cbc_hmac_sha1.o: ../../include/openssl/bio.h -+e_aes_cbc_hmac_sha1.o: ../../e_os.h ../../include/openssl/aes.h -+e_aes_cbc_hmac_sha1.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h - e_aes_cbc_hmac_sha1.o: ../../include/openssl/crypto.h - e_aes_cbc_hmac_sha1.o: ../../include/openssl/e_os2.h - e_aes_cbc_hmac_sha1.o: ../../include/openssl/evp.h -@@ -214,9 +214,9 @@ e_aes_cbc_hmac_sha1.o: ../../include/ope - e_aes_cbc_hmac_sha1.o: ../../include/openssl/safestack.h - e_aes_cbc_hmac_sha1.o: ../../include/openssl/sha.h - e_aes_cbc_hmac_sha1.o: ../../include/openssl/stack.h --e_aes_cbc_hmac_sha1.o: ../../include/openssl/symhacks.h ../modes/modes_lcl.h --e_aes_cbc_hmac_sha1.o: e_aes_cbc_hmac_sha1.c --e_aes_cbc_hmac_sha256.o: ../../include/openssl/aes.h -+e_aes_cbc_hmac_sha1.o: ../../include/openssl/symhacks.h ../constant_time_locl.h -+e_aes_cbc_hmac_sha1.o: ../modes/modes_lcl.h e_aes_cbc_hmac_sha1.c -+e_aes_cbc_hmac_sha256.o: ../../e_os.h ../../include/openssl/aes.h - e_aes_cbc_hmac_sha256.o: ../../include/openssl/asn1.h - e_aes_cbc_hmac_sha256.o: ../../include/openssl/bio.h - e_aes_cbc_hmac_sha256.o: ../../include/openssl/crypto.h -@@ -232,7 +232,8 @@ e_aes_cbc_hmac_sha256.o: ../../include/o - e_aes_cbc_hmac_sha256.o: ../../include/openssl/safestack.h - e_aes_cbc_hmac_sha256.o: ../../include/openssl/sha.h - e_aes_cbc_hmac_sha256.o: ../../include/openssl/stack.h --e_aes_cbc_hmac_sha256.o: ../../include/openssl/symhacks.h ../modes/modes_lcl.h -+e_aes_cbc_hmac_sha256.o: ../../include/openssl/symhacks.h -+e_aes_cbc_hmac_sha256.o: ../constant_time_locl.h ../modes/modes_lcl.h - e_aes_cbc_hmac_sha256.o: e_aes_cbc_hmac_sha256.c - e_bf.o: ../../e_os.h ../../include/openssl/asn1.h ../../include/openssl/bio.h - e_bf.o: ../../include/openssl/blowfish.h ../../include/openssl/buffer.h -diff -upr deps/openssl/openssl.old/crypto/evp/digest.c deps/openssl/openssl/crypto/evp/digest.c ---- deps/openssl/openssl.old/crypto/evp/digest.c 2016-04-26 21:50:09.000000000 +0200 -+++ deps/openssl/openssl/crypto/evp/digest.c 2016-05-03 15:44:42.000000000 +0200 -@@ -212,8 +212,10 @@ int EVP_DigestInit_ex(EVP_MD_CTX *ctx, c - } - #endif - if (ctx->digest != type) { -- if (ctx->digest && ctx->digest->ctx_size) -+ if (ctx->digest && ctx->digest->ctx_size) { - OPENSSL_free(ctx->md_data); -+ ctx->md_data = NULL; -+ } - ctx->digest = type; - if (!(ctx->flags & EVP_MD_CTX_FLAG_NO_INIT) && type->ctx_size) { - ctx->update = type->update; -diff -upr deps/openssl/openssl.old/crypto/evp/e_aes_cbc_hmac_sha1.c deps/openssl/openssl/crypto/evp/e_aes_cbc_hmac_sha1.c ---- deps/openssl/openssl.old/crypto/evp/e_aes_cbc_hmac_sha1.c 2016-04-26 21:50:09.000000000 +0200 -+++ deps/openssl/openssl/crypto/evp/e_aes_cbc_hmac_sha1.c 2016-05-03 15:44:47.000000000 +0200 -@@ -60,6 +60,7 @@ - # include - # include - # include "modes_lcl.h" -+# include "constant_time_locl.h" - - # ifndef EVP_CIPH_FLAG_AEAD_CIPHER - # define EVP_CIPH_FLAG_AEAD_CIPHER 0x200000 -@@ -578,6 +579,8 @@ static int aesni_cbc_hmac_sha1_cipher(EV - maxpad |= (255 - maxpad) >> (sizeof(maxpad) * 8 - 8); - maxpad &= 255; - -+ ret &= constant_time_ge(maxpad, pad); -+ - inp_len = len - (SHA_DIGEST_LENGTH + pad + 1); - mask = (0 - ((inp_len - len) >> (sizeof(inp_len) * 8 - 1))); - inp_len &= mask; -diff -upr deps/openssl/openssl.old/crypto/evp/e_aes_cbc_hmac_sha256.c deps/openssl/openssl/crypto/evp/e_aes_cbc_hmac_sha256.c ---- deps/openssl/openssl.old/crypto/evp/e_aes_cbc_hmac_sha256.c 2016-04-26 21:50:09.000000000 +0200 -+++ deps/openssl/openssl/crypto/evp/e_aes_cbc_hmac_sha256.c 2016-05-03 15:44:47.000000000 +0200 -@@ -60,6 +60,7 @@ - # include - # include - # include "modes_lcl.h" -+# include "constant_time_locl.h" - - # ifndef EVP_CIPH_FLAG_AEAD_CIPHER - # define EVP_CIPH_FLAG_AEAD_CIPHER 0x200000 -@@ -589,6 +590,8 @@ static int aesni_cbc_hmac_sha256_cipher( - maxpad |= (255 - maxpad) >> (sizeof(maxpad) * 8 - 8); - maxpad &= 255; - -+ ret &= constant_time_ge(maxpad, pad); -+ - inp_len = len - (SHA256_DIGEST_LENGTH + pad + 1); - mask = (0 - ((inp_len - len) >> (sizeof(inp_len) * 8 - 1))); - inp_len &= mask; -diff -upr deps/openssl/openssl.old/crypto/evp/encode.c deps/openssl/openssl/crypto/evp/encode.c ---- deps/openssl/openssl.old/crypto/evp/encode.c 2016-04-26 21:50:09.000000000 +0200 -+++ deps/openssl/openssl/crypto/evp/encode.c 2016-05-03 15:44:42.000000000 +0200 -@@ -57,6 +57,7 @@ - */ - - #include -+#include - #include "cryptlib.h" - #include - -@@ -151,13 +152,13 @@ void EVP_EncodeUpdate(EVP_ENCODE_CTX *ct - const unsigned char *in, int inl) - { - int i, j; -- unsigned int total = 0; -+ size_t total = 0; - - *outl = 0; - if (inl <= 0) - return; - OPENSSL_assert(ctx->length <= (int)sizeof(ctx->enc_data)); -- if ((ctx->num + inl) < ctx->length) { -+ if (ctx->length - ctx->num > inl) { - memcpy(&(ctx->enc_data[ctx->num]), in, inl); - ctx->num += inl; - return; -@@ -174,7 +175,7 @@ void EVP_EncodeUpdate(EVP_ENCODE_CTX *ct - *out = '\0'; - total = j + 1; - } -- while (inl >= ctx->length) { -+ while (inl >= ctx->length && total <= INT_MAX) { - j = EVP_EncodeBlock(out, in, ctx->length); - in += ctx->length; - inl -= ctx->length; -@@ -183,6 +184,11 @@ void EVP_EncodeUpdate(EVP_ENCODE_CTX *ct - *out = '\0'; - total += j + 1; - } -+ if (total > INT_MAX) { -+ /* Too much output data! */ -+ *outl = 0; -+ return; -+ } - if (inl != 0) - memcpy(&(ctx->enc_data[0]), in, inl); - ctx->num = inl; -diff -upr deps/openssl/openssl.old/crypto/evp/evp_enc.c deps/openssl/openssl/crypto/evp/evp_enc.c ---- deps/openssl/openssl.old/crypto/evp/evp_enc.c 2016-04-26 21:50:09.000000000 +0200 -+++ deps/openssl/openssl/crypto/evp/evp_enc.c 2016-05-03 15:44:42.000000000 +0200 -@@ -347,7 +347,7 @@ int EVP_EncryptUpdate(EVP_CIPHER_CTX *ct - bl = ctx->cipher->block_size; - OPENSSL_assert(bl <= (int)sizeof(ctx->buf)); - if (i != 0) { -- if (i + inl < bl) { -+ if (bl - i > inl) { - memcpy(&(ctx->buf[i]), in, inl); - ctx->buf_len += inl; - *outl = 0; -diff -upr deps/openssl/openssl.old/crypto/modes/asm/ghash-s390x.pl deps/openssl/openssl/crypto/modes/asm/ghash-s390x.pl ---- deps/openssl/openssl.old/crypto/modes/asm/ghash-s390x.pl 2016-04-26 21:50:09.000000000 +0200 -+++ deps/openssl/openssl/crypto/modes/asm/ghash-s390x.pl 2016-05-03 15:44:42.000000000 +0200 -@@ -85,9 +85,7 @@ $code.=<<___ if(!$softonly && 0); # hard - tmhl %r0,0x4000 # check for message-security-assist - jz .Lsoft_gmult - lghi %r0,0 -- la %r1,16($sp) -- .long 0xb93e0004 # kimd %r0,%r4 -- lg %r1,24($sp) -+ lg %r1,24(%r1) # load second word of kimd capabilities vector - tmhh %r1,0x4000 # check for function 65 - jz .Lsoft_gmult - stg %r0,16($sp) # arrange 16 bytes of zero input -diff -upr deps/openssl/openssl.old/crypto/opensslconf.h deps/openssl/openssl/crypto/opensslconf.h ---- deps/openssl/openssl.old/crypto/opensslconf.h 2016-04-26 21:50:10.000000000 +0200 -+++ deps/openssl/openssl/crypto/opensslconf.h 2016-05-03 15:46:42.000000000 +0200 -@@ -1 +1,265 @@ --#include "../../config/opensslconf.h" -+/* opensslconf.h */ -+/* WARNING: Generated automatically from opensslconf.h.in by Configure. */ -+ -+#ifdef __cplusplus -+extern "C" { -+#endif -+/* OpenSSL was configured with the following options: */ -+#ifndef OPENSSL_DOING_MAKEDEPEND -+ -+ -+#ifndef OPENSSL_NO_EC_NISTP_64_GCC_128 -+# define OPENSSL_NO_EC_NISTP_64_GCC_128 -+#endif -+#ifndef OPENSSL_NO_GMP -+# define OPENSSL_NO_GMP -+#endif -+#ifndef OPENSSL_NO_JPAKE -+# define OPENSSL_NO_JPAKE -+#endif -+#ifndef OPENSSL_NO_KRB5 -+# define OPENSSL_NO_KRB5 -+#endif -+#ifndef OPENSSL_NO_LIBUNBOUND -+# define OPENSSL_NO_LIBUNBOUND -+#endif -+#ifndef OPENSSL_NO_MD2 -+# define OPENSSL_NO_MD2 -+#endif -+#ifndef OPENSSL_NO_RC5 -+# define OPENSSL_NO_RC5 -+#endif -+#ifndef OPENSSL_NO_RFC3779 -+# define OPENSSL_NO_RFC3779 -+#endif -+#ifndef OPENSSL_NO_SCTP -+# define OPENSSL_NO_SCTP -+#endif -+#ifndef OPENSSL_NO_SSL_TRACE -+# define OPENSSL_NO_SSL_TRACE -+#endif -+#ifndef OPENSSL_NO_SSL2 -+# define OPENSSL_NO_SSL2 -+#endif -+#ifndef OPENSSL_NO_STORE -+# define OPENSSL_NO_STORE -+#endif -+#ifndef OPENSSL_NO_UNIT_TEST -+# define OPENSSL_NO_UNIT_TEST -+#endif -+#ifndef OPENSSL_NO_WEAK_SSL_CIPHERS -+# define OPENSSL_NO_WEAK_SSL_CIPHERS -+#endif -+ -+#endif /* OPENSSL_DOING_MAKEDEPEND */ -+ -+#ifndef OPENSSL_NO_DYNAMIC_ENGINE -+# define OPENSSL_NO_DYNAMIC_ENGINE -+#endif -+ -+/* The OPENSSL_NO_* macros are also defined as NO_* if the application -+ asks for it. This is a transient feature that is provided for those -+ who haven't had the time to do the appropriate changes in their -+ applications. */ -+#ifdef OPENSSL_ALGORITHM_DEFINES -+# if defined(OPENSSL_NO_EC_NISTP_64_GCC_128) && !defined(NO_EC_NISTP_64_GCC_128) -+# define NO_EC_NISTP_64_GCC_128 -+# endif -+# if defined(OPENSSL_NO_GMP) && !defined(NO_GMP) -+# define NO_GMP -+# endif -+# if defined(OPENSSL_NO_JPAKE) && !defined(NO_JPAKE) -+# define NO_JPAKE -+# endif -+# if defined(OPENSSL_NO_KRB5) && !defined(NO_KRB5) -+# define NO_KRB5 -+# endif -+# if defined(OPENSSL_NO_LIBUNBOUND) && !defined(NO_LIBUNBOUND) -+# define NO_LIBUNBOUND -+# endif -+# if defined(OPENSSL_NO_MD2) && !defined(NO_MD2) -+# define NO_MD2 -+# endif -+# if defined(OPENSSL_NO_RC5) && !defined(NO_RC5) -+# define NO_RC5 -+# endif -+# if defined(OPENSSL_NO_RFC3779) && !defined(NO_RFC3779) -+# define NO_RFC3779 -+# endif -+# if defined(OPENSSL_NO_SCTP) && !defined(NO_SCTP) -+# define NO_SCTP -+# endif -+# if defined(OPENSSL_NO_SSL_TRACE) && !defined(NO_SSL_TRACE) -+# define NO_SSL_TRACE -+# endif -+# if defined(OPENSSL_NO_SSL2) && !defined(NO_SSL2) -+# define NO_SSL2 -+# endif -+# if defined(OPENSSL_NO_STORE) && !defined(NO_STORE) -+# define NO_STORE -+# endif -+# if defined(OPENSSL_NO_UNIT_TEST) && !defined(NO_UNIT_TEST) -+# define NO_UNIT_TEST -+# endif -+# if defined(OPENSSL_NO_WEAK_SSL_CIPHERS) && !defined(NO_WEAK_SSL_CIPHERS) -+# define NO_WEAK_SSL_CIPHERS -+# endif -+#endif -+ -+/* crypto/opensslconf.h.in */ -+ -+/* Generate 80386 code? */ -+#undef I386_ONLY -+ -+#if !(defined(VMS) || defined(__VMS)) /* VMS uses logical names instead */ -+#if defined(HEADER_CRYPTLIB_H) && !defined(OPENSSLDIR) -+#define ENGINESDIR "/usr/local/ssl/lib/engines" -+#define OPENSSLDIR "/usr/local/ssl" -+#endif -+#endif -+ -+#undef OPENSSL_UNISTD -+#define OPENSSL_UNISTD -+ -+#undef OPENSSL_EXPORT_VAR_AS_FUNCTION -+ -+#if defined(HEADER_IDEA_H) && !defined(IDEA_INT) -+#define IDEA_INT unsigned int -+#endif -+ -+#if defined(HEADER_MD2_H) && !defined(MD2_INT) -+#define MD2_INT unsigned int -+#endif -+ -+#if defined(HEADER_RC2_H) && !defined(RC2_INT) -+/* I need to put in a mod for the alpha - eay */ -+#define RC2_INT unsigned int -+#endif -+ -+#if defined(HEADER_RC4_H) -+#if !defined(RC4_INT) -+/* using int types make the structure larger but make the code faster -+ * on most boxes I have tested - up to %20 faster. */ -+/* -+ * I don't know what does "most" mean, but declaring "int" is a must on: -+ * - Intel P6 because partial register stalls are very expensive; -+ * - elder Alpha because it lacks byte load/store instructions; -+ */ -+#define RC4_INT unsigned int -+#endif -+#if !defined(RC4_CHUNK) -+/* -+ * This enables code handling data aligned at natural CPU word -+ * boundary. See crypto/rc4/rc4_enc.c for further details. -+ */ -+#undef RC4_CHUNK -+#endif -+#endif -+ -+#if (defined(HEADER_NEW_DES_H) || defined(HEADER_DES_H)) && !defined(DES_LONG) -+/* If this is set to 'unsigned int' on a DEC Alpha, this gives about a -+ * %20 speed up (longs are 8 bytes, int's are 4). */ -+#ifndef DES_LONG -+#define DES_LONG unsigned long -+#endif -+#endif -+ -+#if defined(HEADER_BN_H) && !defined(CONFIG_HEADER_BN_H) -+#define CONFIG_HEADER_BN_H -+#undef BN_LLONG -+ -+/* Should we define BN_DIV2W here? */ -+ -+/* Only one for the following should be defined */ -+#undef SIXTY_FOUR_BIT_LONG -+#undef SIXTY_FOUR_BIT -+#define THIRTY_TWO_BIT -+#endif -+ -+#if defined(HEADER_RC4_LOCL_H) && !defined(CONFIG_HEADER_RC4_LOCL_H) -+#define CONFIG_HEADER_RC4_LOCL_H -+/* if this is defined data[i] is used instead of *data, this is a %20 -+ * speedup on x86 */ -+#undef RC4_INDEX -+#endif -+ -+#if defined(HEADER_BF_LOCL_H) && !defined(CONFIG_HEADER_BF_LOCL_H) -+#define CONFIG_HEADER_BF_LOCL_H -+#undef BF_PTR -+#endif /* HEADER_BF_LOCL_H */ -+ -+#if defined(HEADER_DES_LOCL_H) && !defined(CONFIG_HEADER_DES_LOCL_H) -+#define CONFIG_HEADER_DES_LOCL_H -+#ifndef DES_DEFAULT_OPTIONS -+/* the following is tweaked from a config script, that is why it is a -+ * protected undef/define */ -+#ifndef DES_PTR -+#undef DES_PTR -+#endif -+ -+/* This helps C compiler generate the correct code for multiple functional -+ * units. It reduces register dependancies at the expense of 2 more -+ * registers */ -+#ifndef DES_RISC1 -+#undef DES_RISC1 -+#endif -+ -+#ifndef DES_RISC2 -+#undef DES_RISC2 -+#endif -+ -+#if defined(DES_RISC1) && defined(DES_RISC2) -+#error YOU SHOULD NOT HAVE BOTH DES_RISC1 AND DES_RISC2 DEFINED!!!!! -+#endif -+ -+/* Unroll the inner loop, this sometimes helps, sometimes hinders. -+ * Very mucy CPU dependant */ -+#ifndef DES_UNROLL -+#undef DES_UNROLL -+#endif -+ -+/* These default values were supplied by -+ * Peter Gutman -+ * They are only used if nothing else has been defined */ -+#if !defined(DES_PTR) && !defined(DES_RISC1) && !defined(DES_RISC2) && !defined(DES_UNROLL) -+/* Special defines which change the way the code is built depending on the -+ CPU and OS. For SGI machines you can use _MIPS_SZLONG (32 or 64) to find -+ even newer MIPS CPU's, but at the moment one size fits all for -+ optimization options. Older Sparc's work better with only UNROLL, but -+ there's no way to tell at compile time what it is you're running on */ -+ -+#if defined( __sun ) || defined ( sun ) /* Newer Sparc's */ -+# define DES_PTR -+# define DES_RISC1 -+# define DES_UNROLL -+#elif defined( __ultrix ) /* Older MIPS */ -+# define DES_PTR -+# define DES_RISC2 -+# define DES_UNROLL -+#elif defined( __osf1__ ) /* Alpha */ -+# define DES_PTR -+# define DES_RISC2 -+#elif defined ( _AIX ) /* RS6000 */ -+ /* Unknown */ -+#elif defined( __hpux ) /* HP-PA */ -+ /* Unknown */ -+#elif defined( __aux ) /* 68K */ -+ /* Unknown */ -+#elif defined( __dgux ) /* 88K (but P6 in latest boxes) */ -+# define DES_UNROLL -+#elif defined( __sgi ) /* Newer MIPS */ -+# define DES_PTR -+# define DES_RISC2 -+# define DES_UNROLL -+#elif defined(i386) || defined(__i386__) /* x86 boxes, should be gcc */ -+# define DES_PTR -+# define DES_RISC1 -+# define DES_UNROLL -+#endif /* Systems-specific speed defines */ -+#endif -+ -+#endif /* DES_DEFAULT_OPTIONS */ -+#endif /* HEADER_DES_LOCL_H */ -+#ifdef __cplusplus -+} -+#endif -diff -upr deps/openssl/openssl.old/crypto/opensslv.h deps/openssl/openssl/crypto/opensslv.h ---- deps/openssl/openssl.old/crypto/opensslv.h 2016-04-26 21:50:10.000000000 +0200 -+++ deps/openssl/openssl/crypto/opensslv.h 2016-05-03 15:46:41.000000000 +0200 -@@ -30,11 +30,11 @@ extern "C" { - * (Prior to 0.9.5a beta1, a different scheme was used: MMNNFFRBB for - * major minor fix final patch/beta) - */ --# define OPENSSL_VERSION_NUMBER 0x1000207fL -+# define OPENSSL_VERSION_NUMBER 0x1000208fL - # ifdef OPENSSL_FIPS --# define OPENSSL_VERSION_TEXT "OpenSSL 1.0.2g-fips 1 Mar 2016" -+# define OPENSSL_VERSION_TEXT "OpenSSL 1.0.2h-fips 3 May 2016" - # else --# define OPENSSL_VERSION_TEXT "OpenSSL 1.0.2g 1 Mar 2016" -+# define OPENSSL_VERSION_TEXT "OpenSSL 1.0.2h 3 May 2016" - # endif - # define OPENSSL_VERSION_PTEXT " part of " OPENSSL_VERSION_TEXT - -diff -upr deps/openssl/openssl.old/crypto/pem/pem_lib.c deps/openssl/openssl/crypto/pem/pem_lib.c ---- deps/openssl/openssl.old/crypto/pem/pem_lib.c 2016-04-26 21:50:10.000000000 +0200 -+++ deps/openssl/openssl/crypto/pem/pem_lib.c 2016-05-03 15:44:42.000000000 +0200 -@@ -348,7 +348,7 @@ int PEM_ASN1_write_bio(i2d_of_void *i2d, - - if (enc != NULL) { - objstr = OBJ_nid2sn(EVP_CIPHER_nid(enc)); -- if (objstr == NULL) { -+ if (objstr == NULL || EVP_CIPHER_iv_length(enc) == 0) { - PEMerr(PEM_F_PEM_ASN1_WRITE_BIO, PEM_R_UNSUPPORTED_CIPHER); - goto err; - } -diff -upr deps/openssl/openssl.old/crypto/pem/pvkfmt.c deps/openssl/openssl/crypto/pem/pvkfmt.c ---- deps/openssl/openssl.old/crypto/pem/pvkfmt.c 2016-04-26 21:50:10.000000000 +0200 -+++ deps/openssl/openssl/crypto/pem/pvkfmt.c 2016-05-03 15:44:42.000000000 +0200 -@@ -131,6 +131,10 @@ static int read_lebn(const unsigned char - # define MS_PVKMAGIC 0xb0b5f11eL - /* Salt length for PVK files */ - # define PVK_SALTLEN 0x10 -+/* Maximum length in PVK header */ -+# define PVK_MAX_KEYLEN 102400 -+/* Maximum salt length */ -+# define PVK_MAX_SALTLEN 10240 - - static EVP_PKEY *b2i_rsa(const unsigned char **in, unsigned int length, - unsigned int bitlen, int ispub); -@@ -644,6 +648,9 @@ static int do_PVK_header(const unsigned - *psaltlen = read_ledword(&p); - *pkeylen = read_ledword(&p); - -+ if (*pkeylen > PVK_MAX_KEYLEN || *psaltlen > PVK_MAX_SALTLEN) -+ return 0; -+ - if (is_encrypted && !*psaltlen) { - PEMerr(PEM_F_DO_PVK_HEADER, PEM_R_INCONSISTENT_HEADER); - return 0; -diff -upr deps/openssl/openssl.old/crypto/perlasm/x86_64-xlate.pl deps/openssl/openssl/crypto/perlasm/x86_64-xlate.pl ---- deps/openssl/openssl.old/crypto/perlasm/x86_64-xlate.pl 2016-04-26 21:50:10.000000000 +0200 -+++ deps/openssl/openssl/crypto/perlasm/x86_64-xlate.pl 2016-05-03 15:44:42.000000000 +0200 -@@ -195,6 +195,7 @@ my %globals; - sub out { - my $self = shift; - -+ $self->{value} =~ s/\b(0b[0-1]+)/oct($1)/eig; - if ($gas) { - # Solaris /usr/ccs/bin/as can't handle multiplications - # in $self->{value} -@@ -205,7 +206,6 @@ my %globals; - } - sprintf "\$%s",$self->{value}; - } else { -- $self->{value} =~ s/(0b[0-1]+)/oct($1)/eig; - $self->{value} =~ s/0x([0-9a-f]+)/0$1h/ig if ($masm); - sprintf "%s",$self->{value}; - } -diff -upr deps/openssl/openssl.old/crypto/perlasm/x86masm.pl deps/openssl/openssl/crypto/perlasm/x86masm.pl ---- deps/openssl/openssl.old/crypto/perlasm/x86masm.pl 2016-04-26 21:50:10.000000000 +0200 -+++ deps/openssl/openssl/crypto/perlasm/x86masm.pl 2016-05-03 15:44:42.000000000 +0200 -@@ -18,10 +18,10 @@ sub ::generic - - if ($opcode =~ /lea/ && @arg[1] =~ s/.*PTR\s+(\(.*\))$/OFFSET $1/) # no [] - { $opcode="mov"; } -- elsif ($opcode !~ /mov[dq]$/) -+ elsif ($opcode !~ /movq/) - { # fix xmm references -- $arg[0] =~ s/\b[A-Z]+WORD\s+PTR/XMMWORD PTR/i if ($arg[-1]=~/\bxmm[0-7]\b/i); -- $arg[-1] =~ s/\b[A-Z]+WORD\s+PTR/XMMWORD PTR/i if ($arg[0]=~/\bxmm[0-7]\b/i); -+ $arg[0] =~ s/\b[A-Z]+WORD\s+PTR/XMMWORD PTR/i if ($arg[1]=~/\bxmm[0-7]\b/i); -+ $arg[1] =~ s/\b[A-Z]+WORD\s+PTR/XMMWORD PTR/i if ($arg[0]=~/\bxmm[0-7]\b/i); - } - - &::emit($opcode,@arg); -@@ -82,7 +82,7 @@ TITLE $_[0].asm - IF \@Version LT 800 - ECHO MASM version 8.00 or later is strongly recommended. - ENDIF --.686 -+.486 - .MODEL FLAT - OPTION DOTNAME - IF \@Version LT 800 -@@ -160,13 +160,13 @@ sub ::public_label - { push(@out,"PUBLIC\t".&::LABEL($_[0],$nmdecor.$_[0])."\n"); } - - sub ::data_byte --{ push(@out,("DB\t").join(',',splice(@_,0,16))."\n") while(@_); } -+{ push(@out,("DB\t").join(',',@_)."\n"); } - - sub ::data_short --{ push(@out,("DW\t").join(',',splice(@_,0,8))."\n") while(@_); } -+{ push(@out,("DW\t").join(',',@_)."\n"); } - - sub ::data_word --{ push(@out,("DD\t").join(',',splice(@_,0,4))."\n") while(@_); } -+{ push(@out,("DD\t").join(',',@_)."\n"); } - - sub ::align - { push(@out,"ALIGN\t$_[0]\n"); } -diff -upr deps/openssl/openssl.old/crypto/s390xcpuid.S deps/openssl/openssl/crypto/s390xcpuid.S ---- deps/openssl/openssl.old/crypto/s390xcpuid.S 2016-04-26 21:50:10.000000000 +0200 -+++ deps/openssl/openssl/crypto/s390xcpuid.S 2016-05-03 15:44:42.000000000 +0200 -@@ -5,14 +5,46 @@ - .align 16 - OPENSSL_s390x_facilities: - lghi %r0,0 -- larl %r2,OPENSSL_s390xcap_P -- stg %r0,8(%r2) -- .long 0xb2b02000 # stfle 0(%r2) -+ larl %r4,OPENSSL_s390xcap_P -+ stg %r0,8(%r4) # wipe capability vectors -+ stg %r0,16(%r4) -+ stg %r0,24(%r4) -+ stg %r0,32(%r4) -+ stg %r0,40(%r4) -+ stg %r0,48(%r4) -+ stg %r0,56(%r4) -+ stg %r0,64(%r4) -+ stg %r0,72(%r4) -+ -+ .long 0xb2b04000 # stfle 0(%r4) - brc 8,.Ldone - lghi %r0,1 -- .long 0xb2b02000 # stfle 0(%r2) -+ .long 0xb2b04000 # stfle 0(%r4) - .Ldone: -- lg %r2,0(%r2) -+ lmg %r2,%r3,0(%r4) -+ tmhl %r2,0x4000 # check for message-security-assist -+ jz .Lret -+ -+ lghi %r0,0 # query kimd capabilities -+ la %r1,16(%r4) -+ .long 0xb93e0002 # kimd %r0,%r2 -+ -+ lghi %r0,0 # query km capability vector -+ la %r1,32(%r4) -+ .long 0xb92e0042 # km %r4,%r2 -+ -+ lghi %r0,0 # query kmc capability vector -+ la %r1,48(%r4) -+ .long 0xb92f0042 # kmc %r4,%r2 -+ -+ tmhh %r3,0x0004 # check for message-security-assist-4 -+ jz .Lret -+ -+ lghi %r0,0 # query kmctr capability vector -+ la %r1,64(%r4) -+ .long 0xb92d2042 # kmctr %r4,%r2,%r2 -+ -+.Lret: - br %r14 - .size OPENSSL_s390x_facilities,.-OPENSSL_s390x_facilities - -@@ -96,4 +128,4 @@ OPENSSL_cleanse: - .section .init - brasl %r14,OPENSSL_cpuid_setup - --.comm OPENSSL_s390xcap_P,16,8 -+.comm OPENSSL_s390xcap_P,80,8 -diff -upr deps/openssl/openssl.old/crypto/sha/asm/sha1-ppc.pl deps/openssl/openssl/crypto/sha/asm/sha1-ppc.pl ---- deps/openssl/openssl.old/crypto/sha/asm/sha1-ppc.pl 2016-04-26 21:50:10.000000000 +0200 -+++ deps/openssl/openssl/crypto/sha/asm/sha1-ppc.pl 2016-05-03 15:38:19.000000000 +0200 -@@ -227,7 +227,7 @@ Lunaligned: - srwi. $t1,$t1,6 ; t1/=64 - beq Lcross_page - $UCMP $num,$t1 -- ble- Laligned ; didn't cross the page boundary -+ ble Laligned ; didn't cross the page boundary - mtctr $t1 - subfc $num,$t1,$num - bl Lsha1_block_private -@@ -255,7 +255,7 @@ Lmemcpy: - bl Lsha1_block_private - $POP $inp,`$FRAME-$SIZE_T*18`($sp) - addic. $num,$num,-1 -- bne- Lunaligned -+ bne Lunaligned - - Ldone: - $POP r0,`$FRAME+$LRSAVE`($sp) -@@ -329,7 +329,7 @@ $code.=<<___; - stw r20,16($ctx) - mr $E,r20 - addi $inp,$inp,`16*4` -- bdnz- Lsha1_block_private -+ bdnz Lsha1_block_private - blr - .long 0 - .byte 0,12,0x14,0,0,0,0,0 -diff -upr deps/openssl/openssl.old/crypto/sha/asm/sha1-s390x.pl deps/openssl/openssl/crypto/sha/asm/sha1-s390x.pl ---- deps/openssl/openssl.old/crypto/sha/asm/sha1-s390x.pl 2016-04-26 21:50:10.000000000 +0200 -+++ deps/openssl/openssl/crypto/sha/asm/sha1-s390x.pl 2016-05-03 15:44:42.000000000 +0200 -@@ -167,10 +167,7 @@ $code.=<<___ if ($kimdfunc); - lg %r0,0(%r1) - tmhl %r0,0x4000 # check for message-security assist - jz .Lsoftware -- lghi %r0,0 -- la %r1,`2*$SIZE_T`($sp) -- .long 0xb93e0002 # kimd %r0,%r2 -- lg %r0,`2*$SIZE_T`($sp) -+ lg %r0,16(%r1) # check kimd capabilities - tmhh %r0,`0x8000>>$kimdfunc` - jz .Lsoftware - lghi %r0,$kimdfunc -@@ -237,7 +234,7 @@ $code.=<<___; - br %r14 - .size sha1_block_data_order,.-sha1_block_data_order - .string "SHA1 block transform for s390x, CRYPTOGAMS by " --.comm OPENSSL_s390xcap_P,16,8 -+.comm OPENSSL_s390xcap_P,80,8 - ___ - - $code =~ s/\`([^\`]*)\`/eval $1/gem; -diff -upr deps/openssl/openssl.old/crypto/sha/asm/sha512-ppc.pl deps/openssl/openssl/crypto/sha/asm/sha512-ppc.pl ---- deps/openssl/openssl.old/crypto/sha/asm/sha512-ppc.pl 2016-04-26 21:50:10.000000000 +0200 -+++ deps/openssl/openssl/crypto/sha/asm/sha512-ppc.pl 2016-05-03 15:38:19.000000000 +0200 -@@ -259,7 +259,7 @@ Lunaligned: - andi. $t1,$t1,`4096-16*$SZ` ; distance to closest page boundary - beq Lcross_page - $UCMP $num,$t1 -- ble- Laligned ; didn't cross the page boundary -+ ble Laligned ; didn't cross the page boundary - subfc $num,$t1,$num - add $t1,$inp,$t1 - $PUSH $num,`$FRAME-$SIZE_T*25`($sp) ; save real remaining num -@@ -317,7 +317,7 @@ $code.=<<___; - $POP $inp,`$FRAME-$SIZE_T*26`($sp) ; restore real inp - $POP $num,`$FRAME-$SIZE_T*25`($sp) ; restore real num - addic. $num,$num,`-16*$SZ` ; num-- -- bne- Lunaligned -+ bne Lunaligned - - Ldone: - $POP r0,`$FRAME+$LRSAVE`($sp) -@@ -396,7 +396,7 @@ for(;$i<32;$i++) { - unshift(@V,pop(@V)); - } - $code.=<<___; -- bdnz- Lrounds -+ bdnz Lrounds - - $POP $ctx,`$FRAME-$SIZE_T*22`($sp) - $POP $inp,`$FRAME-$SIZE_T*23`($sp) ; inp pointer -@@ -644,7 +644,7 @@ for(;$i<32;$i++) { - ($a0,$a1,$a2,$a3) = ($a2,$a3,$a0,$a1); - } - $code.=<<___; -- bdnz- Lrounds -+ bdnz Lrounds - - $POP $ctx,`$FRAME-$SIZE_T*22`($sp) - $POP $inp,`$FRAME-$SIZE_T*23`($sp) ; inp pointer -diff -upr deps/openssl/openssl.old/crypto/sha/asm/sha512-s390x.pl deps/openssl/openssl/crypto/sha/asm/sha512-s390x.pl ---- deps/openssl/openssl.old/crypto/sha/asm/sha512-s390x.pl 2016-04-26 21:50:10.000000000 +0200 -+++ deps/openssl/openssl/crypto/sha/asm/sha512-s390x.pl 2016-05-03 15:44:42.000000000 +0200 -@@ -240,10 +240,7 @@ $code.=<<___ if ($kimdfunc); - lg %r0,0(%r1) - tmhl %r0,0x4000 # check for message-security assist - jz .Lsoftware -- lghi %r0,0 -- la %r1,`2*$SIZE_T`($sp) -- .long 0xb93e0002 # kimd %r0,%r2 -- lg %r0,`2*$SIZE_T`($sp) -+ lg %r0,16(%r1) # check kimd capabilities - tmhh %r0,`0x8000>>$kimdfunc` - jz .Lsoftware - lghi %r0,$kimdfunc -@@ -311,7 +308,7 @@ $code.=<<___; - br %r14 - .size $Func,.-$Func - .string "SHA${label} block transform for s390x, CRYPTOGAMS by " --.comm OPENSSL_s390xcap_P,16,8 -+.comm OPENSSL_s390xcap_P,80,8 - ___ - - $code =~ s/\`([^\`]*)\`/eval $1/gem; -diff -upr deps/openssl/openssl.old/crypto/x509/x509.h deps/openssl/openssl/crypto/x509/x509.h ---- deps/openssl/openssl.old/crypto/x509/x509.h 2016-04-26 21:50:10.000000000 +0200 -+++ deps/openssl/openssl/crypto/x509/x509.h 2016-05-03 15:44:42.000000000 +0200 -@@ -1305,6 +1305,7 @@ void ERR_load_X509_strings(void); - # define X509_R_LOADING_CERT_DIR 103 - # define X509_R_LOADING_DEFAULTS 104 - # define X509_R_METHOD_NOT_SUPPORTED 124 -+# define X509_R_NAME_TOO_LONG 134 - # define X509_R_NEWER_CRL_NOT_NEWER 132 - # define X509_R_NO_CERT_SET_FOR_US_TO_VERIFY 105 - # define X509_R_NO_CRL_NUMBER 130 -diff -upr deps/openssl/openssl.old/crypto/x509/x509_err.c deps/openssl/openssl/crypto/x509/x509_err.c ---- deps/openssl/openssl.old/crypto/x509/x509_err.c 2016-04-26 21:50:10.000000000 +0200 -+++ deps/openssl/openssl/crypto/x509/x509_err.c 2016-05-03 15:44:42.000000000 +0200 -@@ -151,6 +151,7 @@ static ERR_STRING_DATA X509_str_reasons[ - {ERR_REASON(X509_R_LOADING_CERT_DIR), "loading cert dir"}, - {ERR_REASON(X509_R_LOADING_DEFAULTS), "loading defaults"}, - {ERR_REASON(X509_R_METHOD_NOT_SUPPORTED), "method not supported"}, -+ {ERR_REASON(X509_R_NAME_TOO_LONG), "name too long"}, - {ERR_REASON(X509_R_NEWER_CRL_NOT_NEWER), "newer crl not newer"}, - {ERR_REASON(X509_R_NO_CERT_SET_FOR_US_TO_VERIFY), - "no cert set for us to verify"}, -diff -upr deps/openssl/openssl.old/crypto/x509/x509_obj.c deps/openssl/openssl/crypto/x509/x509_obj.c ---- deps/openssl/openssl.old/crypto/x509/x509_obj.c 2016-04-26 21:50:10.000000000 +0200 -+++ deps/openssl/openssl/crypto/x509/x509_obj.c 2016-05-03 15:44:42.000000000 +0200 -@@ -63,6 +63,13 @@ - #include - #include - -+/* -+ * Limit to ensure we don't overflow: much greater than -+ * anything enountered in practice. -+ */ -+ -+#define NAME_ONELINE_MAX (1024 * 1024) -+ - char *X509_NAME_oneline(X509_NAME *a, char *buf, int len) - { - X509_NAME_ENTRY *ne; -@@ -86,6 +93,8 @@ char *X509_NAME_oneline(X509_NAME *a, ch - goto err; - b->data[0] = '\0'; - len = 200; -+ } else if (len == 0) { -+ return NULL; - } - if (a == NULL) { - if (b) { -@@ -110,6 +119,10 @@ char *X509_NAME_oneline(X509_NAME *a, ch - - type = ne->value->type; - num = ne->value->length; -+ if (num > NAME_ONELINE_MAX) { -+ X509err(X509_F_X509_NAME_ONELINE, X509_R_NAME_TOO_LONG); -+ goto end; -+ } - q = ne->value->data; - #ifdef CHARSET_EBCDIC - if (type == V_ASN1_GENERALSTRING || -@@ -117,8 +130,9 @@ char *X509_NAME_oneline(X509_NAME *a, ch - type == V_ASN1_PRINTABLESTRING || - type == V_ASN1_TELETEXSTRING || - type == V_ASN1_VISIBLESTRING || type == V_ASN1_IA5STRING) { -- ascii2ebcdic(ebcdic_buf, q, (num > sizeof ebcdic_buf) -- ? sizeof ebcdic_buf : num); -+ if (num > (int)sizeof(ebcdic_buf)) -+ num = sizeof(ebcdic_buf); -+ ascii2ebcdic(ebcdic_buf, q, num); - q = ebcdic_buf; - } - #endif -@@ -154,6 +168,10 @@ char *X509_NAME_oneline(X509_NAME *a, ch - - lold = l; - l += 1 + l1 + 1 + l2; -+ if (l > NAME_ONELINE_MAX) { -+ X509err(X509_F_X509_NAME_ONELINE, X509_R_NAME_TOO_LONG); -+ goto end; -+ } - if (b != NULL) { - if (!BUF_MEM_grow(b, l + 1)) - goto err; -@@ -206,7 +224,7 @@ char *X509_NAME_oneline(X509_NAME *a, ch - return (p); - err: - X509err(X509_F_X509_NAME_ONELINE, ERR_R_MALLOC_FAILURE); -- if (b != NULL) -- BUF_MEM_free(b); -+ end: -+ BUF_MEM_free(b); - return (NULL); - } -Only in deps/openssl/openssl: demos -Only in deps/openssl/openssl: doc -Only in deps/openssl/openssl.old/include: openssl -diff -upr deps/openssl/openssl.old/openssl.spec deps/openssl/openssl/openssl.spec ---- deps/openssl/openssl.old/openssl.spec 2016-04-26 21:50:10.000000000 +0200 -+++ deps/openssl/openssl/openssl.spec 2016-05-03 15:46:41.000000000 +0200 -@@ -6,7 +6,7 @@ Release: 1 - - Summary: Secure Sockets Layer and cryptography libraries and tools - Name: openssl --Version: 1.0.2g -+Version: 1.0.2h - Source0: ftp://ftp.openssl.org/source/%{name}-%{version}.tar.gz - License: OpenSSL - Group: System Environment/Libraries -diff -upr deps/openssl/openssl.old/ssl/d1_both.c deps/openssl/openssl/ssl/d1_both.c ---- deps/openssl/openssl.old/ssl/d1_both.c 2016-04-26 21:50:10.000000000 +0200 -+++ deps/openssl/openssl/ssl/d1_both.c 2016-05-03 15:44:42.000000000 +0200 -@@ -1459,6 +1459,8 @@ int dtls1_process_heartbeat(SSL *s) - * plus 2 bytes payload length, plus payload, plus padding - */ - buffer = OPENSSL_malloc(write_length); -+ if (buffer == NULL) -+ return -1; - bp = buffer; - - /* Enter response type, length and copy payload */ -diff -upr deps/openssl/openssl.old/ssl/s2_lib.c deps/openssl/openssl/ssl/s2_lib.c ---- deps/openssl/openssl.old/ssl/s2_lib.c 2016-04-26 21:50:10.000000000 +0200 -+++ deps/openssl/openssl/ssl/s2_lib.c 2016-05-03 15:44:42.000000000 +0200 -@@ -150,7 +150,7 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl2_cip - SSL_RC4, - SSL_MD5, - SSL_SSLV2, -- SSL_NOT_EXP | SSL_MEDIUM, -+ SSL_NOT_DEFAULT | SSL_NOT_EXP | SSL_MEDIUM, - 0, - 128, - 128, -@@ -167,7 +167,7 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl2_cip - SSL_RC4, - SSL_MD5, - SSL_SSLV2, -- SSL_EXPORT | SSL_EXP40, -+ SSL_NOT_DEFAULT | SSL_EXPORT | SSL_EXP40, - SSL2_CF_5_BYTE_ENC, - 40, - 128, -@@ -184,7 +184,7 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl2_cip - SSL_RC2, - SSL_MD5, - SSL_SSLV2, -- SSL_NOT_EXP | SSL_MEDIUM, -+ SSL_NOT_DEFAULT | SSL_NOT_EXP | SSL_MEDIUM, - 0, - 128, - 128, -@@ -201,7 +201,7 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl2_cip - SSL_RC2, - SSL_MD5, - SSL_SSLV2, -- SSL_EXPORT | SSL_EXP40, -+ SSL_NOT_DEFAULT | SSL_EXPORT | SSL_EXP40, - SSL2_CF_5_BYTE_ENC, - 40, - 128, -@@ -219,7 +219,7 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl2_cip - SSL_IDEA, - SSL_MD5, - SSL_SSLV2, -- SSL_NOT_EXP | SSL_MEDIUM, -+ SSL_NOT_DEFAULT | SSL_NOT_EXP | SSL_MEDIUM, - 0, - 128, - 128, -@@ -237,7 +237,7 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl2_cip - SSL_DES, - SSL_MD5, - SSL_SSLV2, -- SSL_NOT_EXP | SSL_LOW, -+ SSL_NOT_DEFAULT | SSL_NOT_EXP | SSL_LOW, - 0, - 56, - 56, -@@ -254,7 +254,7 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl2_cip - SSL_3DES, - SSL_MD5, - SSL_SSLV2, -- SSL_NOT_EXP | SSL_HIGH, -+ SSL_NOT_DEFAULT | SSL_NOT_EXP | SSL_HIGH, - 0, - 112, - 168, -@@ -271,7 +271,7 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl2_cip - SSL_RC4, - SSL_MD5, - SSL_SSLV2, -- SSL_NOT_EXP | SSL_LOW, -+ SSL_NOT_DEFAULT | SSL_NOT_EXP | SSL_LOW, - SSL2_CF_8_BYTE_ENC, - 64, - 64, -diff -upr deps/openssl/openssl.old/ssl/s2_meth.c deps/openssl/openssl/ssl/s2_meth.c ---- deps/openssl/openssl.old/ssl/s2_meth.c 2016-04-26 21:50:10.000000000 +0200 -+++ deps/openssl/openssl/ssl/s2_meth.c 2016-05-03 15:44:42.000000000 +0200 -@@ -57,7 +57,8 @@ - */ - - #include "ssl_locl.h" --#ifndef OPENSSL_NO_SSL2 -+#ifndef OPENSSL_NO_SSL2_METHOD -+# ifndef OPENSSL_NO_SSL2 - # include - # include - -@@ -72,7 +73,16 @@ static const SSL_METHOD *ssl2_get_method - - IMPLEMENT_ssl2_meth_func(SSLv2_method, - ssl2_accept, ssl2_connect, ssl2_get_method) --#else /* !OPENSSL_NO_SSL2 */ -+ -+# else /* !OPENSSL_NO_SSL2 */ -+ -+const SSL_METHOD *SSLv2_method(void) { return NULL; } -+const SSL_METHOD *SSLv2_client_method(void) { return NULL; } -+const SSL_METHOD *SSLv2_server_method(void) { return NULL; } -+ -+# endif -+ -+#else /* !OPENSSL_NO_SSL2_METHOD */ - - # if PEDANTIC - static void *dummy = &dummy; -diff -upr deps/openssl/openssl.old/ssl/s3_clnt.c deps/openssl/openssl/ssl/s3_clnt.c ---- deps/openssl/openssl.old/ssl/s3_clnt.c 2016-04-26 21:50:10.000000000 +0200 -+++ deps/openssl/openssl/ssl/s3_clnt.c 2016-05-03 15:44:42.000000000 +0200 -@@ -2199,6 +2199,7 @@ int ssl3_get_certificate_request(SSL *s) - SSLerr(SSL_F_SSL3_GET_CERTIFICATE_REQUEST, ERR_R_MALLOC_FAILURE); - goto err; - } -+ xn = NULL; - - p += l; - nc += l + 2; -@@ -2222,6 +2223,7 @@ int ssl3_get_certificate_request(SSL *s) - err: - s->state = SSL_ST_ERR; - done: -+ X509_NAME_free(xn); - if (ca_sk != NULL) - sk_X509_NAME_pop_free(ca_sk, X509_NAME_free); - return (ret); -diff -upr deps/openssl/openssl.old/ssl/s3_lib.c deps/openssl/openssl/ssl/s3_lib.c ---- deps/openssl/openssl.old/ssl/s3_lib.c 2016-04-26 21:50:10.000000000 +0200 -+++ deps/openssl/openssl/ssl/s3_lib.c 2016-05-03 15:44:42.000000000 +0200 -@@ -208,7 +208,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] - SSL_RC4, - SSL_MD5, - SSL_SSLV3, -- SSL_EXPORT | SSL_EXP40, -+ SSL_NOT_DEFAULT | SSL_EXPORT | SSL_EXP40, - SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, - 40, - 128, -@@ -258,7 +258,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] - SSL_RC2, - SSL_MD5, - SSL_SSLV3, -- SSL_EXPORT | SSL_EXP40, -+ SSL_NOT_DEFAULT | SSL_EXPORT | SSL_EXP40, - SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, - 40, - 128, -@@ -294,7 +294,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] - SSL_DES, - SSL_SHA1, - SSL_SSLV3, -- SSL_EXPORT | SSL_EXP40, -+ SSL_NOT_DEFAULT | SSL_EXPORT | SSL_EXP40, - SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, - 40, - 56, -@@ -312,7 +312,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] - SSL_DES, - SSL_SHA1, - SSL_SSLV3, -- SSL_NOT_EXP | SSL_LOW, -+ SSL_NOT_DEFAULT | SSL_NOT_EXP | SSL_LOW, - SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, - 56, - 56, -@@ -347,7 +347,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] - SSL_DES, - SSL_SHA1, - SSL_SSLV3, -- SSL_EXPORT | SSL_EXP40, -+ SSL_NOT_DEFAULT | SSL_EXPORT | SSL_EXP40, - SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, - 40, - 56, -@@ -365,7 +365,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] - SSL_DES, - SSL_SHA1, - SSL_SSLV3, -- SSL_NOT_EXP | SSL_LOW, -+ SSL_NOT_DEFAULT | SSL_NOT_EXP | SSL_LOW, - SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, - 56, - 56, -@@ -399,7 +399,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] - SSL_DES, - SSL_SHA1, - SSL_SSLV3, -- SSL_EXPORT | SSL_EXP40, -+ SSL_NOT_DEFAULT | SSL_EXPORT | SSL_EXP40, - SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, - 40, - 56, -@@ -417,7 +417,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] - SSL_DES, - SSL_SHA1, - SSL_SSLV3, -- SSL_NOT_EXP | SSL_LOW, -+ SSL_NOT_DEFAULT | SSL_NOT_EXP | SSL_LOW, - SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, - 56, - 56, -@@ -452,7 +452,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] - SSL_DES, - SSL_SHA1, - SSL_SSLV3, -- SSL_EXPORT | SSL_EXP40, -+ SSL_NOT_DEFAULT | SSL_EXPORT | SSL_EXP40, - SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, - 40, - 56, -@@ -470,7 +470,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] - SSL_DES, - SSL_SHA1, - SSL_SSLV3, -- SSL_NOT_EXP | SSL_LOW, -+ SSL_NOT_DEFAULT | SSL_NOT_EXP | SSL_LOW, - SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, - 56, - 56, -@@ -504,7 +504,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] - SSL_DES, - SSL_SHA1, - SSL_SSLV3, -- SSL_EXPORT | SSL_EXP40, -+ SSL_NOT_DEFAULT | SSL_EXPORT | SSL_EXP40, - SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, - 40, - 56, -@@ -522,7 +522,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] - SSL_DES, - SSL_SHA1, - SSL_SSLV3, -- SSL_NOT_EXP | SSL_LOW, -+ SSL_NOT_DEFAULT | SSL_NOT_EXP | SSL_LOW, - SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, - 56, - 56, -@@ -556,7 +556,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] - SSL_RC4, - SSL_MD5, - SSL_SSLV3, -- SSL_EXPORT | SSL_EXP40, -+ SSL_NOT_DEFAULT | SSL_EXPORT | SSL_EXP40, - SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, - 40, - 128, -@@ -573,7 +573,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] - SSL_RC4, - SSL_MD5, - SSL_SSLV3, -- SSL_NOT_EXP | SSL_MEDIUM, -+ SSL_NOT_DEFAULT | SSL_NOT_EXP | SSL_MEDIUM, - SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, - 128, - 128, -@@ -590,7 +590,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] - SSL_DES, - SSL_SHA1, - SSL_SSLV3, -- SSL_EXPORT | SSL_EXP40, -+ SSL_NOT_DEFAULT | SSL_EXPORT | SSL_EXP40, - SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, - 40, - 128, -@@ -608,7 +608,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] - SSL_DES, - SSL_SHA1, - SSL_SSLV3, -- SSL_NOT_EXP | SSL_LOW, -+ SSL_NOT_DEFAULT | SSL_NOT_EXP | SSL_LOW, - SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, - 56, - 56, -@@ -625,7 +625,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] - SSL_3DES, - SSL_SHA1, - SSL_SSLV3, -- SSL_NOT_EXP | SSL_HIGH | SSL_FIPS, -+ SSL_NOT_DEFAULT | SSL_NOT_EXP | SSL_HIGH | SSL_FIPS, - SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, - 112, - 168, -@@ -695,7 +695,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] - SSL_DES, - SSL_SHA1, - SSL_SSLV3, -- SSL_NOT_EXP | SSL_LOW, -+ SSL_NOT_DEFAULT | SSL_NOT_EXP | SSL_LOW, - SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, - 56, - 56, -@@ -761,7 +761,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] - SSL_DES, - SSL_MD5, - SSL_SSLV3, -- SSL_NOT_EXP | SSL_LOW, -+ SSL_NOT_DEFAULT | SSL_NOT_EXP | SSL_LOW, - SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, - 56, - 56, -@@ -827,7 +827,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] - SSL_DES, - SSL_SHA1, - SSL_SSLV3, -- SSL_EXPORT | SSL_EXP40, -+ SSL_NOT_DEFAULT | SSL_EXPORT | SSL_EXP40, - SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, - 40, - 56, -@@ -845,7 +845,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] - SSL_RC2, - SSL_SHA1, - SSL_SSLV3, -- SSL_EXPORT | SSL_EXP40, -+ SSL_NOT_DEFAULT | SSL_EXPORT | SSL_EXP40, - SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, - 40, - 128, -@@ -863,7 +863,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] - SSL_RC4, - SSL_SHA1, - SSL_SSLV3, -- SSL_EXPORT | SSL_EXP40, -+ SSL_NOT_DEFAULT | SSL_EXPORT | SSL_EXP40, - SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, - 40, - 128, -@@ -881,7 +881,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] - SSL_DES, - SSL_MD5, - SSL_SSLV3, -- SSL_EXPORT | SSL_EXP40, -+ SSL_NOT_DEFAULT | SSL_EXPORT | SSL_EXP40, - SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, - 40, - 56, -@@ -899,7 +899,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] - SSL_RC2, - SSL_MD5, - SSL_SSLV3, -- SSL_EXPORT | SSL_EXP40, -+ SSL_NOT_DEFAULT | SSL_EXPORT | SSL_EXP40, - SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, - 40, - 128, -@@ -917,7 +917,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] - SSL_RC4, - SSL_MD5, - SSL_SSLV3, -- SSL_EXPORT | SSL_EXP40, -+ SSL_NOT_DEFAULT | SSL_EXPORT | SSL_EXP40, - SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, - 40, - 128, -@@ -1011,7 +1011,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] - SSL_AES128, - SSL_SHA1, - SSL_TLSV1, -- SSL_NOT_EXP | SSL_HIGH | SSL_FIPS, -+ SSL_NOT_DEFAULT | SSL_NOT_EXP | SSL_HIGH | SSL_FIPS, - SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, - 128, - 128, -@@ -1106,7 +1106,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] - SSL_AES256, - SSL_SHA1, - SSL_TLSV1, -- SSL_NOT_EXP | SSL_HIGH | SSL_FIPS, -+ SSL_NOT_DEFAULT | SSL_NOT_EXP | SSL_HIGH | SSL_FIPS, - SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, - 256, - 256, -@@ -1302,7 +1302,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] - SSL_CAMELLIA128, - SSL_SHA1, - SSL_TLSV1, -- SSL_NOT_EXP | SSL_HIGH, -+ SSL_NOT_DEFAULT | SSL_NOT_EXP | SSL_HIGH, - SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, - 128, - 128, -@@ -1322,7 +1322,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] - SSL_RC4, - SSL_MD5, - SSL_TLSV1, -- SSL_EXPORT | SSL_EXP56, -+ SSL_NOT_DEFAULT | SSL_EXPORT | SSL_EXP56, - SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, - 56, - 128, -@@ -1338,7 +1338,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] - SSL_RC2, - SSL_MD5, - SSL_TLSV1, -- SSL_EXPORT | SSL_EXP56, -+ SSL_NOT_DEFAULT | SSL_EXPORT | SSL_EXP56, - SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, - 56, - 128, -@@ -1356,7 +1356,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] - SSL_DES, - SSL_SHA1, - SSL_TLSV1, -- SSL_EXPORT | SSL_EXP56, -+ SSL_NOT_DEFAULT | SSL_EXPORT | SSL_EXP56, - SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, - 56, - 56, -@@ -1374,7 +1374,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] - SSL_DES, - SSL_SHA1, - SSL_TLSV1, -- SSL_EXPORT | SSL_EXP56, -+ SSL_NOT_DEFAULT | SSL_EXPORT | SSL_EXP56, - SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, - 56, - 56, -@@ -1392,7 +1392,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] - SSL_RC4, - SSL_SHA1, - SSL_TLSV1, -- SSL_EXPORT | SSL_EXP56, -+ SSL_NOT_DEFAULT | SSL_EXPORT | SSL_EXP56, - SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, - 56, - 128, -@@ -1410,7 +1410,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] - SSL_RC4, - SSL_SHA1, - SSL_TLSV1, -- SSL_EXPORT | SSL_EXP56, -+ SSL_NOT_DEFAULT | SSL_EXPORT | SSL_EXP56, - SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, - 56, - 128, -@@ -1525,7 +1525,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] - SSL_AES128, - SSL_SHA256, - SSL_TLSV1_2, -- SSL_NOT_EXP | SSL_HIGH | SSL_FIPS, -+ SSL_NOT_DEFAULT | SSL_NOT_EXP | SSL_HIGH | SSL_FIPS, - SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, - 128, - 128, -@@ -1541,7 +1541,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] - SSL_AES256, - SSL_SHA256, - SSL_TLSV1_2, -- SSL_NOT_EXP | SSL_HIGH | SSL_FIPS, -+ SSL_NOT_DEFAULT | SSL_NOT_EXP | SSL_HIGH | SSL_FIPS, - SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, - 256, - 256, -@@ -1694,7 +1694,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] - SSL_CAMELLIA256, - SSL_SHA1, - SSL_TLSV1, -- SSL_NOT_EXP | SSL_HIGH, -+ SSL_NOT_DEFAULT | SSL_NOT_EXP | SSL_HIGH, - SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, - 256, - 256, -@@ -1860,7 +1860,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] - SSL_SEED, - SSL_SHA1, - SSL_TLSV1, -- SSL_NOT_EXP | SSL_MEDIUM, -+ SSL_NOT_DEFAULT | SSL_NOT_EXP | SSL_MEDIUM, - SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, - 128, - 128, -@@ -2040,7 +2040,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] - SSL_AES128GCM, - SSL_AEAD, - SSL_TLSV1_2, -- SSL_NOT_EXP | SSL_HIGH | SSL_FIPS, -+ SSL_NOT_DEFAULT | SSL_NOT_EXP | SSL_HIGH | SSL_FIPS, - SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256, - 128, - 128, -@@ -2056,7 +2056,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] - SSL_AES256GCM, - SSL_AEAD, - SSL_TLSV1_2, -- SSL_NOT_EXP | SSL_HIGH | SSL_FIPS, -+ SSL_NOT_DEFAULT | SSL_NOT_EXP | SSL_HIGH | SSL_FIPS, - SSL_HANDSHAKE_MAC_SHA384 | TLS1_PRF_SHA384, - 256, - 256, -@@ -2424,7 +2424,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] - SSL_RC4, - SSL_SHA1, - SSL_TLSV1, -- SSL_NOT_EXP | SSL_MEDIUM, -+ SSL_NOT_DEFAULT | SSL_NOT_EXP | SSL_MEDIUM, - SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, - 128, - 128, -@@ -2440,7 +2440,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] - SSL_3DES, - SSL_SHA1, - SSL_TLSV1, -- SSL_NOT_EXP | SSL_HIGH | SSL_FIPS, -+ SSL_NOT_DEFAULT | SSL_NOT_EXP | SSL_HIGH | SSL_FIPS, - SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, - 112, - 168, -@@ -2456,7 +2456,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] - SSL_AES128, - SSL_SHA1, - SSL_TLSV1, -- SSL_NOT_EXP | SSL_HIGH | SSL_FIPS, -+ SSL_NOT_DEFAULT | SSL_NOT_EXP | SSL_HIGH | SSL_FIPS, - SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, - 128, - 128, -@@ -2472,7 +2472,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] - SSL_AES256, - SSL_SHA1, - SSL_TLSV1, -- SSL_NOT_EXP | SSL_HIGH | SSL_FIPS, -+ SSL_NOT_DEFAULT | SSL_NOT_EXP | SSL_HIGH | SSL_FIPS, - SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, - 256, - 256, -diff -upr deps/openssl/openssl.old/ssl/ssl.h deps/openssl/openssl/ssl/ssl.h ---- deps/openssl/openssl.old/ssl/ssl.h 2016-04-26 21:50:10.000000000 +0200 -+++ deps/openssl/openssl/ssl/ssl.h 2016-05-03 15:44:42.000000000 +0200 -@@ -338,7 +338,7 @@ extern "C" { - * The following cipher list is used by default. It also is substituted when - * an application-defined cipher list string starts with 'DEFAULT'. - */ --# define SSL_DEFAULT_CIPHER_LIST "ALL:!EXPORT:!aNULL:!eNULL:!SSLv2" -+# define SSL_DEFAULT_CIPHER_LIST "ALL:!EXPORT:!LOW:!aNULL:!eNULL:!SSLv2" - /* - * As of OpenSSL 1.0.0, ssl_create_cipher_list() in ssl/ssl_ciph.c always - * starts with a reasonable order, and all we have to do for DEFAULT is -@@ -2345,7 +2345,7 @@ const char *SSL_get_version(const SSL *s - /* This sets the 'default' SSL version that SSL_new() will create */ - int SSL_CTX_set_ssl_version(SSL_CTX *ctx, const SSL_METHOD *meth); - --# ifndef OPENSSL_NO_SSL2 -+# ifndef OPENSSL_NO_SSL2_METHOD - const SSL_METHOD *SSLv2_method(void); /* SSLv2 */ - const SSL_METHOD *SSLv2_server_method(void); /* SSLv2 */ - const SSL_METHOD *SSLv2_client_method(void); /* SSLv2 */ -diff -upr deps/openssl/openssl.old/ssl/ssl_cert.c deps/openssl/openssl/ssl/ssl_cert.c ---- deps/openssl/openssl.old/ssl/ssl_cert.c 2016-04-26 21:50:10.000000000 +0200 -+++ deps/openssl/openssl/ssl/ssl_cert.c 2016-05-03 15:44:42.000000000 +0200 -@@ -504,6 +504,8 @@ void ssl_cert_free(CERT *c) - #ifndef OPENSSL_NO_TLSEXT - custom_exts_free(&c->cli_ext); - custom_exts_free(&c->srv_ext); -+ if (c->alpn_proposed) -+ OPENSSL_free(c->alpn_proposed); - #endif - OPENSSL_free(c); - } -@@ -1057,13 +1059,18 @@ static int ssl_add_cert_to_buf(BUF_MEM * - unsigned char *p; - - n = i2d_X509(x, NULL); -- if (!BUF_MEM_grow_clean(buf, (int)(n + (*l) + 3))) { -+ if (n < 0 || !BUF_MEM_grow_clean(buf, (int)(n + (*l) + 3))) { - SSLerr(SSL_F_SSL_ADD_CERT_TO_BUF, ERR_R_BUF_LIB); - return 0; - } - p = (unsigned char *)&(buf->data[*l]); - l2n3(n, p); -- i2d_X509(x, &p); -+ n = i2d_X509(x, &p); -+ if (n < 0) { -+ /* Shouldn't happen */ -+ SSLerr(SSL_F_SSL_ADD_CERT_TO_BUF, ERR_R_BUF_LIB); -+ return 0; -+ } - *l += n + 3; - - return 1; -diff -upr deps/openssl/openssl.old/ssl/ssl_ciph.c deps/openssl/openssl/ssl/ssl_ciph.c ---- deps/openssl/openssl.old/ssl/ssl_ciph.c 2016-04-26 21:50:10.000000000 +0200 -+++ deps/openssl/openssl/ssl/ssl_ciph.c 2016-05-03 15:44:42.000000000 +0200 -@@ -235,8 +235,7 @@ static const SSL_CIPHER cipher_aliases[] - * "COMPLEMENTOFDEFAULT" (does *not* include ciphersuites not found in - * ALL!) - */ -- {0, SSL_TXT_CMPDEF, 0, 0, SSL_aNULL, ~SSL_eNULL, 0, ~SSL_SSLV2, -- SSL_EXP_MASK, 0, 0, 0}, -+ {0, SSL_TXT_CMPDEF, 0, 0, 0, 0, 0, 0, SSL_NOT_DEFAULT, 0, 0, 0}, - - /* - * key exchange aliases (some of those using only a single bit here -@@ -1030,10 +1029,6 @@ static void ssl_cipher_apply_rule(unsign - if (cipher_id && cipher_id != cp->id) - continue; - #endif -- if (algo_strength == SSL_EXP_MASK && SSL_C_IS_EXPORT(cp)) -- goto ok; -- if (alg_ssl == ~SSL_SSLV2 && cp->algorithm_ssl == SSL_SSLV2) -- goto ok; - if (alg_mkey && !(alg_mkey & cp->algorithm_mkey)) - continue; - if (alg_auth && !(alg_auth & cp->algorithm_auth)) -@@ -1050,10 +1045,11 @@ static void ssl_cipher_apply_rule(unsign - if ((algo_strength & SSL_STRONG_MASK) - && !(algo_strength & SSL_STRONG_MASK & cp->algo_strength)) - continue; -+ if ((algo_strength & SSL_NOT_DEFAULT) -+ && !(cp->algo_strength & SSL_NOT_DEFAULT)) -+ continue; - } - -- ok: -- - #ifdef CIPHER_DEBUG - fprintf(stderr, "Action = %d\n", rule); - #endif -@@ -1337,6 +1333,10 @@ static int ssl_cipher_process_rulestr(co - ca_list[j]->algo_strength & SSL_STRONG_MASK; - } - -+ if (ca_list[j]->algo_strength & SSL_NOT_DEFAULT) { -+ algo_strength |= SSL_NOT_DEFAULT; -+ } -+ - if (ca_list[j]->valid) { - /* - * explicit ciphersuite found; its protocol version does not -diff -upr deps/openssl/openssl.old/ssl/ssl_lib.c deps/openssl/openssl/ssl/ssl_lib.c ---- deps/openssl/openssl.old/ssl/ssl_lib.c 2016-04-26 21:50:10.000000000 +0200 -+++ deps/openssl/openssl/ssl/ssl_lib.c 2016-05-03 15:44:42.000000000 +0200 -@@ -244,7 +244,16 @@ int SSL_clear(SSL *s) - ssl_clear_hash_ctx(&s->write_hash); - - s->first_packet = 0; -- -+#ifndef OPENSSL_NO_TLSEXT -+ if (s->cert != NULL) { -+ if (s->cert->alpn_proposed) { -+ OPENSSL_free(s->cert->alpn_proposed); -+ s->cert->alpn_proposed = NULL; -+ } -+ s->cert->alpn_proposed_len = 0; -+ s->cert->alpn_sent = 0; -+ } -+#endif - #if 1 - /* - * Check to see if we were changed into a different method, if so, revert -@@ -3174,6 +3183,12 @@ SSL_CTX *SSL_set_SSL_CTX(SSL *ssl, SSL_C - ssl->cert->ciphers_rawlen = ocert->ciphers_rawlen; - ocert->ciphers_raw = NULL; - } -+#ifndef OPENSSL_NO_TLSEXT -+ ssl->cert->alpn_proposed = ocert->alpn_proposed; -+ ssl->cert->alpn_proposed_len = ocert->alpn_proposed_len; -+ ocert->alpn_proposed = NULL; -+ ssl->cert->alpn_sent = ocert->alpn_sent; -+#endif - ssl_cert_free(ocert); - } - -diff -upr deps/openssl/openssl.old/ssl/ssl_locl.h deps/openssl/openssl/ssl/ssl_locl.h ---- deps/openssl/openssl.old/ssl/ssl_locl.h 2016-04-26 21:50:10.000000000 +0200 -+++ deps/openssl/openssl/ssl/ssl_locl.h 2016-05-03 15:44:42.000000000 +0200 -@@ -436,8 +436,9 @@ - # define SSL_MEDIUM 0x00000040L - # define SSL_HIGH 0x00000080L - # define SSL_FIPS 0x00000100L -+# define SSL_NOT_DEFAULT 0x00000200L - --/* we have used 000001ff - 23 bits left to go */ -+/* we have used 000003ff - 22 bits left to go */ - - /*- - * Macros to check the export status and cipher strength for export ciphers. -@@ -687,6 +688,10 @@ typedef struct cert_st { - custom_ext_methods cli_ext; - custom_ext_methods srv_ext; - int references; /* >1 only if SSL_copy_session_id is used */ -+ /* non-optimal, but here due to compatibility */ -+ unsigned char *alpn_proposed; /* server */ -+ unsigned int alpn_proposed_len; -+ int alpn_sent; /* client */ - } CERT; - - typedef struct sess_cert_st { -diff -upr deps/openssl/openssl.old/ssl/ssl_rsa.c deps/openssl/openssl/ssl/ssl_rsa.c ---- deps/openssl/openssl.old/ssl/ssl_rsa.c 2016-04-26 21:50:10.000000000 +0200 -+++ deps/openssl/openssl/ssl/ssl_rsa.c 2016-05-03 15:44:42.000000000 +0200 -@@ -841,7 +841,7 @@ static int serverinfo_srv_add_cb(SSL *s, - return 0; /* No extension found, don't send extension */ - return 1; /* Send extension */ - } -- return -1; /* No serverinfo data found, don't send -+ return 0; /* No serverinfo data found, don't send - * extension */ - } - -@@ -870,12 +870,26 @@ static int serverinfo_process_buffer(con - - /* Register callbacks for extensions */ - ext_type = (serverinfo[0] << 8) + serverinfo[1]; -- if (ctx && !SSL_CTX_add_server_custom_ext(ctx, ext_type, -- serverinfo_srv_add_cb, -- NULL, NULL, -- serverinfo_srv_parse_cb, -- NULL)) -- return 0; -+ if (ctx) { -+ int have_ext_cbs = 0; -+ size_t i; -+ custom_ext_methods *exts = &ctx->cert->srv_ext; -+ custom_ext_method *meth = exts->meths; -+ -+ for (i = 0; i < exts->meths_count; i++, meth++) { -+ if (ext_type == meth->ext_type) { -+ have_ext_cbs = 1; -+ break; -+ } -+ } -+ -+ if (!have_ext_cbs && !SSL_CTX_add_server_custom_ext(ctx, ext_type, -+ serverinfo_srv_add_cb, -+ NULL, NULL, -+ serverinfo_srv_parse_cb, -+ NULL)) -+ return 0; -+ } - - serverinfo += 2; - serverinfo_length -= 2; -diff -upr deps/openssl/openssl.old/ssl/ssltest.c deps/openssl/openssl/ssl/ssltest.c ---- deps/openssl/openssl.old/ssl/ssltest.c 2016-04-26 21:50:10.000000000 +0200 -+++ deps/openssl/openssl/ssl/ssltest.c 2016-05-03 15:44:42.000000000 +0200 -@@ -217,6 +217,9 @@ - # define TEST_CLIENT_CERT "../apps/client.pem" - #endif - -+static SSL_CTX *s_ctx = NULL; -+static SSL_CTX *s_ctx2 = NULL; -+ - /* - * There is really no standard for this, so let's assign some tentative - * numbers. In any case, these numbers are only for this test -@@ -300,9 +303,51 @@ static BIO *bio_err = NULL; - static BIO *bio_stdout = NULL; - - static const char *alpn_client; --static const char *alpn_server; -+static char *alpn_server; -+static char *alpn_server2; - static const char *alpn_expected; - static unsigned char *alpn_selected; -+static const char *sn_client; -+static const char *sn_server1; -+static const char *sn_server2; -+static int sn_expect = 0; -+ -+static int servername_cb(SSL *s, int *ad, void *arg) -+{ -+ const char *servername = SSL_get_servername(s, TLSEXT_NAMETYPE_host_name); -+ if (sn_server2 == NULL) { -+ BIO_printf(bio_stdout, "Servername 2 is NULL\n"); -+ return SSL_TLSEXT_ERR_NOACK; -+ } -+ -+ if (servername != NULL) { -+ if (s_ctx2 != NULL && sn_server2 != NULL && -+ !strcasecmp(servername, sn_server2)) { -+ BIO_printf(bio_stdout, "Switching server context.\n"); -+ SSL_set_SSL_CTX(s, s_ctx2); -+ } -+ } -+ return SSL_TLSEXT_ERR_OK; -+} -+static int verify_servername(SSL *client, SSL *server) -+{ -+ /* just need to see if sn_context is what we expect */ -+ SSL_CTX* ctx = SSL_get_SSL_CTX(server); -+ if (sn_expect == 0) -+ return 0; -+ if (sn_expect == 1 && ctx == s_ctx) -+ return 0; -+ if (sn_expect == 2 && ctx == s_ctx2) -+ return 0; -+ BIO_printf(bio_stdout, "Servername: expected context %d\n", sn_expect); -+ if (ctx == s_ctx2) -+ BIO_printf(bio_stdout, "Servername: context is 2\n"); -+ else if (ctx == s_ctx) -+ BIO_printf(bio_stdout, "Servername: context is 1\n"); -+ else -+ BIO_printf(bio_stdout, "Servername: context is unknown\n"); -+ return -1; -+} - - /*- - * next_protos_parse parses a comma separated list of strings into a string -@@ -350,11 +395,12 @@ static int cb_server_alpn(SSL *s, const - { - unsigned char *protos; - unsigned short protos_len; -+ char* alpn_str = arg; - -- protos = next_protos_parse(&protos_len, alpn_server); -+ protos = next_protos_parse(&protos_len, alpn_str); - if (protos == NULL) { - fprintf(stderr, "failed to parser ALPN server protocol string: %s\n", -- alpn_server); -+ alpn_str); - abort(); - } - -@@ -417,8 +463,17 @@ static int verify_alpn(SSL *client, SSL - BIO_printf(bio_stdout, "', server: '"); - BIO_write(bio_stdout, server_proto, server_proto_len); - BIO_printf(bio_stdout, "'\n"); -- BIO_printf(bio_stdout, "ALPN configured: client: '%s', server: '%s'\n", -- alpn_client, alpn_server); -+ BIO_printf(bio_stdout, "ALPN configured: client: '%s', server: ", -+ alpn_client); -+ if (SSL_get_SSL_CTX(server) == s_ctx2) { -+ BIO_printf(bio_stdout, "'%s'\n", -+ alpn_server2); -+ } else if (SSL_get_SSL_CTX(server) == s_ctx){ -+ BIO_printf(bio_stdout, "'%s'\n", -+ alpn_server); -+ } else { -+ BIO_printf(bio_stdout, "unknown\n"); -+ } - return -1; - } - -@@ -756,8 +811,15 @@ static void sv_usage(void) - " -custom_ext - try various custom extension callbacks\n"); - fprintf(stderr, " -alpn_client - have client side offer ALPN\n"); - fprintf(stderr, " -alpn_server - have server side offer ALPN\n"); -+ fprintf(stderr, " -alpn_server1 - alias for -alpn_server\n"); -+ fprintf(stderr, " -alpn_server2 - have server side context 2 offer ALPN\n"); - fprintf(stderr, - " -alpn_expected - the ALPN protocol that should be negotiated\n"); -+ fprintf(stderr, " -sn_client - have client request this servername\n"); -+ fprintf(stderr, " -sn_server1 - have server context 1 respond to this servername\n"); -+ fprintf(stderr, " -sn_server2 - have server context 2 respond to this servername\n"); -+ fprintf(stderr, " -sn_expect1 - expected server 1\n"); -+ fprintf(stderr, " -sn_expect2 - expected server 2\n"); - } - - static void print_details(SSL *c_ssl, const char *prefix) -@@ -896,7 +958,6 @@ int main(int argc, char *argv[]) - #ifndef OPENSSL_NO_ECDH - char *named_curve = NULL; - #endif -- SSL_CTX *s_ctx = NULL; - SSL_CTX *c_ctx = NULL; - const SSL_METHOD *meth = NULL; - SSL *c_ssl, *s_ssl; -@@ -1151,14 +1212,35 @@ int main(int argc, char *argv[]) - if (--argc < 1) - goto bad; - alpn_client = *(++argv); -- } else if (strcmp(*argv, "-alpn_server") == 0) { -+ } else if (strcmp(*argv, "-alpn_server") == 0 || -+ strcmp(*argv, "-alpn_server1") == 0) { - if (--argc < 1) - goto bad; - alpn_server = *(++argv); -+ } else if (strcmp(*argv, "-alpn_server2") == 0) { -+ if (--argc < 1) -+ goto bad; -+ alpn_server2 = *(++argv); - } else if (strcmp(*argv, "-alpn_expected") == 0) { - if (--argc < 1) - goto bad; - alpn_expected = *(++argv); -+ } else if (strcmp(*argv, "-sn_client") == 0) { -+ if (--argc < 1) -+ goto bad; -+ sn_client = *(++argv); -+ } else if (strcmp(*argv, "-sn_server1") == 0) { -+ if (--argc < 1) -+ goto bad; -+ sn_server1 = *(++argv); -+ } else if (strcmp(*argv, "-sn_server2") == 0) { -+ if (--argc < 1) -+ goto bad; -+ sn_server2 = *(++argv); -+ } else if (strcmp(*argv, "-sn_expect1") == 0) { -+ sn_expect = 1; -+ } else if (strcmp(*argv, "-sn_expect2") == 0) { -+ sn_expect = 2; - } else { - fprintf(stderr, "unknown option %s\n", *argv); - badop = 1; -@@ -1304,7 +1386,8 @@ int main(int argc, char *argv[]) - - c_ctx = SSL_CTX_new(meth); - s_ctx = SSL_CTX_new(meth); -- if ((c_ctx == NULL) || (s_ctx == NULL)) { -+ s_ctx2 = SSL_CTX_new(meth); /* no SSL_CTX_dup! */ -+ if ((c_ctx == NULL) || (s_ctx == NULL) || (s_ctx2 == NULL)) { - ERR_print_errors(bio_err); - goto end; - } -@@ -1312,7 +1395,9 @@ int main(int argc, char *argv[]) - if (cipher != NULL) { - SSL_CTX_set_cipher_list(c_ctx, cipher); - SSL_CTX_set_cipher_list(s_ctx, cipher); -+ SSL_CTX_set_cipher_list(s_ctx2, cipher); - } -+ - #ifndef OPENSSL_NO_DH - if (!no_dhe) { - if (dhe1024dsa) { -@@ -1320,12 +1405,14 @@ int main(int argc, char *argv[]) - * use SSL_OP_SINGLE_DH_USE to avoid small subgroup attacks - */ - SSL_CTX_set_options(s_ctx, SSL_OP_SINGLE_DH_USE); -+ SSL_CTX_set_options(s_ctx2, SSL_OP_SINGLE_DH_USE); - dh = get_dh1024dsa(); - } else if (dhe512) - dh = get_dh512(); - else - dh = get_dh1024(); - SSL_CTX_set_tmp_dh(s_ctx, dh); -+ SSL_CTX_set_tmp_dh(s_ctx2, dh); - DH_free(dh); - } - #else -@@ -1353,7 +1440,9 @@ int main(int argc, char *argv[]) - } - - SSL_CTX_set_tmp_ecdh(s_ctx, ecdh); -+ SSL_CTX_set_tmp_ecdh(s_ctx2, ecdh); - SSL_CTX_set_options(s_ctx, SSL_OP_SINGLE_ECDH_USE); -+ SSL_CTX_set_options(s_ctx2, SSL_OP_SINGLE_ECDH_USE); - EC_KEY_free(ecdh); - } - #else -@@ -1362,15 +1451,18 @@ int main(int argc, char *argv[]) - - #ifndef OPENSSL_NO_RSA - SSL_CTX_set_tmp_rsa_callback(s_ctx, tmp_rsa_cb); -+ SSL_CTX_set_tmp_rsa_callback(s_ctx2, tmp_rsa_cb); - #endif - - #ifdef TLSEXT_TYPE_opaque_prf_input - SSL_CTX_set_tlsext_opaque_prf_input_callback(c_ctx, opaque_prf_input_cb); - SSL_CTX_set_tlsext_opaque_prf_input_callback(s_ctx, opaque_prf_input_cb); -+ SSL_CTX_set_tlsext_opaque_prf_input_callback(s_ctx2, opaque_prf_input_cb); - /* or &co2 or NULL */ - SSL_CTX_set_tlsext_opaque_prf_input_callback_arg(c_ctx, &co1); - /* or &so2 or NULL */ - SSL_CTX_set_tlsext_opaque_prf_input_callback_arg(s_ctx, &so1); -+ SSL_CTX_set_tlsext_opaque_prf_input_callback_arg(s_ctx2, &so1); - #endif - - if (!SSL_CTX_use_certificate_file(s_ctx, server_cert, SSL_FILETYPE_PEM)) { -@@ -1383,6 +1475,16 @@ int main(int argc, char *argv[]) - goto end; - } - -+ if (!SSL_CTX_use_certificate_file(s_ctx2, server_cert, SSL_FILETYPE_PEM)) { -+ ERR_print_errors(bio_err); -+ } else if (!SSL_CTX_use_PrivateKey_file(s_ctx2, -+ (server_key ? server_key : -+ server_cert), -+ SSL_FILETYPE_PEM)) { -+ ERR_print_errors(bio_err); -+ goto end; -+ } -+ - if (client_auth) { - SSL_CTX_use_certificate_file(c_ctx, client_cert, SSL_FILETYPE_PEM); - SSL_CTX_use_PrivateKey_file(c_ctx, -@@ -1392,6 +1494,8 @@ int main(int argc, char *argv[]) - - if ((!SSL_CTX_load_verify_locations(s_ctx, CAfile, CApath)) || - (!SSL_CTX_set_default_verify_paths(s_ctx)) || -+ (!SSL_CTX_load_verify_locations(s_ctx2, CAfile, CApath)) || -+ (!SSL_CTX_set_default_verify_paths(s_ctx2)) || - (!SSL_CTX_load_verify_locations(c_ctx, CAfile, CApath)) || - (!SSL_CTX_set_default_verify_paths(c_ctx))) { - /* fprintf(stderr,"SSL_load_verify_locations\n"); */ -@@ -1406,6 +1510,11 @@ int main(int argc, char *argv[]) - verify_callback); - SSL_CTX_set_cert_verify_callback(s_ctx, app_verify_callback, - &app_verify_arg); -+ SSL_CTX_set_verify(s_ctx2, -+ SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT, -+ verify_callback); -+ SSL_CTX_set_cert_verify_callback(s_ctx2, app_verify_callback, -+ &app_verify_arg); - } - if (server_auth) { - BIO_printf(bio_err, "server authentication\n"); -@@ -1418,6 +1527,8 @@ int main(int argc, char *argv[]) - int session_id_context = 0; - SSL_CTX_set_session_id_context(s_ctx, (void *)&session_id_context, - sizeof session_id_context); -+ SSL_CTX_set_session_id_context(s_ctx2, (void *)&session_id_context, -+ sizeof session_id_context); - } - - /* Use PSK only if PSK key is given */ -@@ -1436,6 +1547,7 @@ int main(int argc, char *argv[]) - #ifndef OPENSSL_NO_PSK - SSL_CTX_set_psk_client_callback(c_ctx, psk_client_callback); - SSL_CTX_set_psk_server_callback(s_ctx, psk_server_callback); -+ SSL_CTX_set_psk_server_callback(s_ctx2, psk_server_callback); - if (debug) - BIO_printf(bio_err, "setting PSK identity hint to s_ctx\n"); - if (!SSL_CTX_use_psk_identity_hint(s_ctx, "ctx server identity_hint")) { -@@ -1443,6 +1555,11 @@ int main(int argc, char *argv[]) - ERR_print_errors(bio_err); - goto end; - } -+ if (!SSL_CTX_use_psk_identity_hint(s_ctx2, "ctx server identity_hint")) { -+ BIO_printf(bio_err, "error setting PSK identity hint to s_ctx2\n"); -+ ERR_print_errors(bio_err); -+ goto end; -+ } - #endif - } - #ifndef OPENSSL_NO_SRP -@@ -1461,8 +1578,11 @@ int main(int argc, char *argv[]) - - if (srp_server_arg.expected_user != NULL) { - SSL_CTX_set_verify(s_ctx, SSL_VERIFY_NONE, verify_callback); -+ SSL_CTX_set_verify(s_ctx2, SSL_VERIFY_NONE, verify_callback); - SSL_CTX_set_srp_cb_arg(s_ctx, &srp_server_arg); -+ SSL_CTX_set_srp_cb_arg(s_ctx2, &srp_server_arg); - SSL_CTX_set_srp_username_callback(s_ctx, ssl_srp_server_param_cb); -+ SSL_CTX_set_srp_username_callback(s_ctx2, ssl_srp_server_param_cb); - } - #endif - -@@ -1475,11 +1595,16 @@ int main(int argc, char *argv[]) - NULL, NULL, NULL, - serverinfo_cli_parse_cb, NULL); - -- if (serverinfo_file) -+ if (serverinfo_file) { - if (!SSL_CTX_use_serverinfo_file(s_ctx, serverinfo_file)) { - BIO_printf(bio_err, "missing serverinfo file\n"); - goto end; - } -+ if (!SSL_CTX_use_serverinfo_file(s_ctx2, serverinfo_file)) { -+ BIO_printf(bio_err, "missing serverinfo file\n"); -+ goto end; -+ } -+ } - - if (custom_ext) { - SSL_CTX_add_client_custom_ext(c_ctx, CUSTOM_EXT_TYPE_0, -@@ -1515,10 +1640,29 @@ int main(int argc, char *argv[]) - custom_ext_3_srv_add_cb, - NULL, NULL, - custom_ext_3_srv_parse_cb, NULL); -+ -+ SSL_CTX_add_server_custom_ext(s_ctx2, CUSTOM_EXT_TYPE_0, -+ custom_ext_0_srv_add_cb, -+ NULL, NULL, -+ custom_ext_0_srv_parse_cb, NULL); -+ SSL_CTX_add_server_custom_ext(s_ctx2, CUSTOM_EXT_TYPE_1, -+ custom_ext_1_srv_add_cb, -+ NULL, NULL, -+ custom_ext_1_srv_parse_cb, NULL); -+ SSL_CTX_add_server_custom_ext(s_ctx2, CUSTOM_EXT_TYPE_2, -+ custom_ext_2_srv_add_cb, -+ NULL, NULL, -+ custom_ext_2_srv_parse_cb, NULL); -+ SSL_CTX_add_server_custom_ext(s_ctx2, CUSTOM_EXT_TYPE_3, -+ custom_ext_3_srv_add_cb, -+ NULL, NULL, -+ custom_ext_3_srv_parse_cb, NULL); - } - - if (alpn_server) -- SSL_CTX_set_alpn_select_cb(s_ctx, cb_server_alpn, NULL); -+ SSL_CTX_set_alpn_select_cb(s_ctx, cb_server_alpn, alpn_server); -+ if (alpn_server2) -+ SSL_CTX_set_alpn_select_cb(s_ctx2, cb_server_alpn, alpn_server2); - - if (alpn_client) { - unsigned short alpn_len; -@@ -1532,9 +1676,15 @@ int main(int argc, char *argv[]) - OPENSSL_free(alpn); - } - -+ if (sn_server1 || sn_server2) -+ SSL_CTX_set_tlsext_servername_callback(s_ctx, servername_cb); -+ - c_ssl = SSL_new(c_ctx); - s_ssl = SSL_new(s_ctx); - -+ if (sn_client) -+ SSL_set_tlsext_host_name(c_ssl, sn_client); -+ - #ifndef OPENSSL_NO_KRB5 - if (c_ssl && c_ssl->kssl_ctx) { - char localhost[MAXHOSTNAMELEN + 2]; -@@ -1588,12 +1738,19 @@ int main(int argc, char *argv[]) - #endif - } - -+ if (verify_alpn(c_ssl, s_ssl) < 0) -+ ret = 1; -+ if (verify_servername(c_ssl, s_ssl) < 0) -+ ret = 1; -+ - SSL_free(s_ssl); - SSL_free(c_ssl); - - end: - if (s_ctx != NULL) - SSL_CTX_free(s_ctx); -+ if (s_ctx2 != NULL) -+ SSL_CTX_free(s_ctx2); - if (c_ctx != NULL) - SSL_CTX_free(c_ctx); - -@@ -1961,10 +2118,6 @@ int doit_biopair(SSL *s_ssl, SSL *c_ssl, - ret = 1; - goto err; - } -- if (verify_alpn(c_ssl, s_ssl) < 0) { -- ret = 1; -- goto err; -- } - - if (custom_ext_error) { - ret = 1; -diff -upr deps/openssl/openssl.old/ssl/t1_lib.c deps/openssl/openssl/ssl/t1_lib.c ---- deps/openssl/openssl.old/ssl/t1_lib.c 2016-04-26 21:50:10.000000000 +0200 -+++ deps/openssl/openssl/ssl/t1_lib.c 2016-05-03 15:44:42.000000000 +0200 -@@ -1539,6 +1539,7 @@ unsigned char *ssl_add_clienthello_tlsex - s2n(s->alpn_client_proto_list_len, ret); - memcpy(ret, s->alpn_client_proto_list, s->alpn_client_proto_list_len); - ret += s->alpn_client_proto_list_len; -+ s->cert->alpn_sent = 1; - } - # ifndef OPENSSL_NO_SRTP - if (SSL_IS_DTLS(s) && SSL_get_srtp_profiles(s)) { -@@ -1906,7 +1907,7 @@ static void ssl_check_for_safari(SSL *s, - # endif /* !OPENSSL_NO_EC */ - - /* -- * tls1_alpn_handle_client_hello is called to process the ALPN extension in a -+ * tls1_alpn_handle_client_hello is called to save the ALPN extension in a - * ClientHello. data: the contents of the extension, not including the type - * and length. data_len: the number of bytes in |data| al: a pointer to the - * alert value to send in the event of a non-zero return. returns: 0 on -@@ -1917,12 +1918,6 @@ static int tls1_alpn_handle_client_hello - { - unsigned i; - unsigned proto_len; -- const unsigned char *selected; -- unsigned char selected_len; -- int r; -- -- if (s->ctx->alpn_select_cb == NULL) -- return 0; - - if (data_len < 2) - goto parse_error; -@@ -1953,19 +1948,15 @@ static int tls1_alpn_handle_client_hello - i += proto_len; - } - -- r = s->ctx->alpn_select_cb(s, &selected, &selected_len, data, data_len, -- s->ctx->alpn_select_cb_arg); -- if (r == SSL_TLSEXT_ERR_OK) { -- if (s->s3->alpn_selected) -- OPENSSL_free(s->s3->alpn_selected); -- s->s3->alpn_selected = OPENSSL_malloc(selected_len); -- if (!s->s3->alpn_selected) { -- *al = SSL_AD_INTERNAL_ERROR; -- return -1; -- } -- memcpy(s->s3->alpn_selected, selected, selected_len); -- s->s3->alpn_selected_len = selected_len; -+ if (s->cert->alpn_proposed != NULL) -+ OPENSSL_free(s->cert->alpn_proposed); -+ s->cert->alpn_proposed = OPENSSL_malloc(data_len); -+ if (s->cert->alpn_proposed == NULL) { -+ *al = SSL_AD_INTERNAL_ERROR; -+ return -1; - } -+ memcpy(s->cert->alpn_proposed, data, data_len); -+ s->cert->alpn_proposed_len = data_len; - return 0; - - parse_error: -@@ -1973,6 +1964,43 @@ static int tls1_alpn_handle_client_hello - return -1; - } - -+/* -+ * Process the ALPN extension in a ClientHello. -+ * ret: a pointer to the TLSEXT return value: SSL_TLSEXT_ERR_* -+ * al: a pointer to the alert value to send in the event of a failure. -+ * returns 1 on success, 0 on failure: al/ret set only on failure -+ */ -+static int tls1_alpn_handle_client_hello_late(SSL *s, int *ret, int *al) -+{ -+ const unsigned char *selected = NULL; -+ unsigned char selected_len = 0; -+ -+ if (s->ctx->alpn_select_cb != NULL && s->cert->alpn_proposed != NULL) { -+ int r = s->ctx->alpn_select_cb(s, &selected, &selected_len, -+ s->cert->alpn_proposed, -+ s->cert->alpn_proposed_len, -+ s->ctx->alpn_select_cb_arg); -+ -+ if (r == SSL_TLSEXT_ERR_OK) { -+ OPENSSL_free(s->s3->alpn_selected); -+ s->s3->alpn_selected = OPENSSL_malloc(selected_len); -+ if (s->s3->alpn_selected == NULL) { -+ *al = SSL_AD_INTERNAL_ERROR; -+ *ret = SSL_TLSEXT_ERR_ALERT_FATAL; -+ return 0; -+ } -+ memcpy(s->s3->alpn_selected, selected, selected_len); -+ s->s3->alpn_selected_len = selected_len; -+# ifndef OPENSSL_NO_NEXTPROTONEG -+ /* ALPN takes precedence over NPN. */ -+ s->s3->next_proto_neg_seen = 0; -+# endif -+ } -+ } -+ -+ return 1; -+} -+ - static int ssl_scan_clienthello_tlsext(SSL *s, unsigned char **p, - unsigned char *limit, int *al) - { -@@ -1992,6 +2020,12 @@ static int ssl_scan_clienthello_tlsext(S - OPENSSL_free(s->s3->alpn_selected); - s->s3->alpn_selected = NULL; - } -+ s->s3->alpn_selected_len = 0; -+ if (s->cert->alpn_proposed) { -+ OPENSSL_free(s->cert->alpn_proposed); -+ s->cert->alpn_proposed = NULL; -+ } -+ s->cert->alpn_proposed_len = 0; - # ifndef OPENSSL_NO_HEARTBEATS - s->tlsext_heartbeat &= ~(SSL_TLSEXT_HB_ENABLED | - SSL_TLSEXT_HB_DONT_SEND_REQUESTS); -@@ -2359,8 +2393,7 @@ static int ssl_scan_clienthello_tlsext(S - # endif - # ifndef OPENSSL_NO_NEXTPROTONEG - else if (type == TLSEXT_TYPE_next_proto_neg && -- s->s3->tmp.finish_md_len == 0 && -- s->s3->alpn_selected == NULL) { -+ s->s3->tmp.finish_md_len == 0) { - /*- - * We shouldn't accept this extension on a - * renegotiation. -@@ -2383,13 +2416,9 @@ static int ssl_scan_clienthello_tlsext(S - # endif - - else if (type == TLSEXT_TYPE_application_layer_protocol_negotiation && -- s->ctx->alpn_select_cb && s->s3->tmp.finish_md_len == 0) { -+ s->s3->tmp.finish_md_len == 0) { - if (tls1_alpn_handle_client_hello(s, data, size, al) != 0) - return 0; --# ifndef OPENSSL_NO_NEXTPROTONEG -- /* ALPN takes precedence over NPN. */ -- s->s3->next_proto_neg_seen = 0; --# endif - } - - /* session ticket processed earlier */ -@@ -2698,7 +2727,7 @@ static int ssl_scan_serverhello_tlsext(S - unsigned len; - - /* We must have requested it. */ -- if (s->alpn_client_proto_list == NULL) { -+ if (!s->cert->alpn_sent) { - *al = TLS1_AD_UNSUPPORTED_EXTENSION; - return 0; - } -@@ -2863,6 +2892,7 @@ int ssl_prepare_clienthello_tlsext(SSL * - } - # endif - -+ s->cert->alpn_sent = 0; - return 1; - } - -@@ -3066,6 +3096,10 @@ int ssl_check_clienthello_tlsext_late(SS - } else - s->tlsext_status_expected = 0; - -+ if (!tls1_alpn_handle_client_hello_late(s, &ret, &al)) { -+ goto err; -+ } -+ - err: - switch (ret) { - case SSL_TLSEXT_ERR_ALERT_FATAL: -@@ -3415,8 +3449,10 @@ static int tls_decrypt_ticket(SSL *s, co - p = etick + 16 + EVP_CIPHER_CTX_iv_length(&ctx); - eticklen -= 16 + EVP_CIPHER_CTX_iv_length(&ctx); - sdec = OPENSSL_malloc(eticklen); -- if (!sdec || EVP_DecryptUpdate(&ctx, sdec, &slen, p, eticklen) <= 0) { -+ if (sdec == NULL -+ || EVP_DecryptUpdate(&ctx, sdec, &slen, p, eticklen) <= 0) { - EVP_CIPHER_CTX_cleanup(&ctx); -+ OPENSSL_free(sdec); - return -1; - } - if (EVP_DecryptFinal(&ctx, sdec + slen, &mlen) <= 0) { -@@ -3856,6 +3892,8 @@ int tls1_process_heartbeat(SSL *s) - * plus 2 bytes payload length, plus payload, plus padding - */ - buffer = OPENSSL_malloc(1 + 2 + payload + padding); -+ if (buffer == NULL) -+ return -1; - bp = buffer; - - /* Enter response type, length and copy payload */ -Only in deps/openssl/openssl: test -Only in deps/openssl/openssl/tools: c_rehash -diff -upr deps/openssl/openssl.old/util/libeay.num deps/openssl/openssl/util/libeay.num ---- deps/openssl/openssl.old/util/libeay.num 2016-04-26 21:50:10.000000000 +0200 -+++ deps/openssl/openssl/util/libeay.num 2016-05-03 15:46:28.000000000 +0200 -@@ -1065,8 +1065,8 @@ d2i_ASN1_BMPSTRING - i2d_ASN1_BMPSTRING 1093 EXIST::FUNCTION: - BIO_f_ber 1094 NOEXIST::FUNCTION: - BN_init 1095 EXIST::FUNCTION: --COMP_CTX_new 1096 EXIST::FUNCTION: --COMP_CTX_free 1097 EXIST::FUNCTION: -+COMP_CTX_new 1096 EXIST::FUNCTION:COMP -+COMP_CTX_free 1097 EXIST::FUNCTION:COMP - COMP_CTX_compress_block 1098 NOEXIST::FUNCTION: - COMP_CTX_expand_block 1099 NOEXIST::FUNCTION: - X509_STORE_CTX_get_ex_new_index 1100 EXIST::FUNCTION: -@@ -1113,10 +1113,10 @@ PKCS7_digest_from_attributes - PKCS7_get_attribute 1141 EXIST::FUNCTION: - PKCS7_get_issuer_and_serial 1142 EXIST::FUNCTION: - PKCS7_get_signed_attribute 1143 EXIST::FUNCTION: --COMP_compress_block 1144 EXIST::FUNCTION: --COMP_expand_block 1145 EXIST::FUNCTION: --COMP_rle 1146 EXIST::FUNCTION: --COMP_zlib 1147 EXIST::FUNCTION: -+COMP_compress_block 1144 EXIST::FUNCTION:COMP -+COMP_expand_block 1145 EXIST::FUNCTION:COMP -+COMP_rle 1146 EXIST::FUNCTION:COMP -+COMP_zlib 1147 EXIST::FUNCTION:COMP - ms_time_diff 1148 NOEXIST::FUNCTION: - ms_time_new 1149 NOEXIST::FUNCTION: - ms_time_free 1150 NOEXIST::FUNCTION: -@@ -1945,7 +1945,7 @@ ENGINE_get_ctrl_function - ENGINE_set_ctrl_function 2522 EXIST::FUNCTION:ENGINE - BN_pseudo_rand_range 2523 EXIST::FUNCTION: - X509_STORE_CTX_set_verify_cb 2524 EXIST::FUNCTION: --ERR_load_COMP_strings 2525 EXIST::FUNCTION: -+ERR_load_COMP_strings 2525 EXIST::FUNCTION:COMP - PKCS12_item_decrypt_d2i 2526 EXIST::FUNCTION: - ASN1_UTF8STRING_it 2527 EXIST:!EXPORT_VAR_AS_FUNCTION:VARIABLE: - ASN1_UTF8STRING_it 2527 EXIST:EXPORT_VAR_AS_FUNCTION:FUNCTION: -@@ -3545,8 +3545,8 @@ X509at_get0_data_by_OBJ - ASN1_TYPE_set1 3932 EXIST::FUNCTION: - ASN1_STRING_set0 3933 EXIST::FUNCTION: - i2d_X509_ALGORS 3934 EXIST::FUNCTION: --BIO_f_zlib 3935 EXIST:ZLIB:FUNCTION: --COMP_zlib_cleanup 3936 EXIST::FUNCTION: -+BIO_f_zlib 3935 EXIST:ZLIB:FUNCTION:COMP -+COMP_zlib_cleanup 3936 EXIST::FUNCTION:COMP - d2i_X509_ALGORS 3937 EXIST::FUNCTION: - CMS_ReceiptRequest_free 3938 EXIST::FUNCTION:CMS - PEM_write_CMS 3939 EXIST:!WIN16:FUNCTION:CMS -diff -upr deps/openssl/openssl.old/util/mk1mf.pl deps/openssl/openssl/util/mk1mf.pl ---- deps/openssl/openssl.old/util/mk1mf.pl 2016-04-26 21:50:10.000000000 +0200 -+++ deps/openssl/openssl/util/mk1mf.pl 2016-05-03 15:44:42.000000000 +0200 -@@ -291,8 +291,9 @@ $cflags.=" -DOPENSSL_FIPS" if $fips; - $cflags.=" -DOPENSSL_NO_JPAKE" if $no_jpake; - $cflags.=" -DOPENSSL_NO_EC2M" if $no_ec2m; - $cflags.=" -DOPENSSL_NO_WEAK_SSL_CIPHERS" if $no_weak_ssl; --$cflags.= " -DZLIB" if $zlib_opt; --$cflags.= " -DZLIB_SHARED" if $zlib_opt == 2; -+$cflags.=" -DZLIB" if $zlib_opt; -+$cflags.=" -DZLIB_SHARED" if $zlib_opt == 2; -+$cflags.=" -DOPENSSL_NO_COMP" if $no_comp; - - if ($no_static_engine) - { -@@ -850,6 +851,7 @@ sub var_add - return("") if $no_gost && $dir =~ /\/ccgost/; - return("") if $no_cms && $dir =~ /\/cms/; - return("") if $no_jpake && $dir =~ /\/jpake/; -+ return("") if $no_comp && $dir =~ /\/comp/; - if ($no_des && $dir =~ /\/des/) - { - if ($val =~ /read_pwd/) -@@ -1198,6 +1200,7 @@ sub read_options - "nw-mwasm" => \$nw_mwasm, - "gaswin" => \$gaswin, - "no-ssl2" => \$no_ssl2, -+ "no-ssl2-method" => 0, - "no-ssl3" => \$no_ssl3, - "no-ssl3-method" => 0, - "no-tlsext" => \$no_tlsext, -@@ -1242,6 +1245,7 @@ sub read_options - "no-unit-test" => 0, - "no-libunbound" => 0, - "no-multiblock" => 0, -+ "no-comp" => \$no_comp, - "fips" => \$fips - ); - -@@ -1259,7 +1263,6 @@ sub read_options - } - } - } -- elsif (/^no-comp$/) { $xcflags = "-DOPENSSL_NO_COMP $xcflags"; } - elsif (/^enable-zlib$/) { $zlib_opt = 1 if $zlib_opt == 0 } - elsif (/^enable-zlib-dynamic$/) - { -diff -upr deps/openssl/openssl.old/util/mkdef.pl deps/openssl/openssl/util/mkdef.pl ---- deps/openssl/openssl.old/util/mkdef.pl 2016-04-26 21:50:10.000000000 +0200 -+++ deps/openssl/openssl/util/mkdef.pl 2016-05-03 15:44:42.000000000 +0200 -@@ -107,6 +107,8 @@ my @known_algorithms = ( "RC2", "RC4", " - "CAPIENG", - # SSL v2 - "SSL2", -+ # SSL v2 method -+ "SSL2_METHOD", - # SSL v3 method - "SSL3_METHOD", - # JPAKE -@@ -145,7 +147,7 @@ my $no_fp_api; my $no_static_engine=1; m - my $no_rfc3779; my $no_psk; my $no_tlsext; my $no_cms; my $no_capieng; - my $no_jpake; my $no_srp; my $no_ssl2; my $no_ec2m; my $no_nistp_gcc; - my $no_nextprotoneg; my $no_sctp; my $no_srtp; my $no_ssl_trace; --my $no_unit_test; my $no_ssl3_method; -+my $no_unit_test; my $no_ssl3_method; my $no_ssl2_method; - - my $fips; - -@@ -240,6 +242,7 @@ foreach (@ARGV, split(/ /, $options)) - elsif (/^no-ec_nistp_64_gcc_128$/) { $no_nistp_gcc=1; } - elsif (/^no-nextprotoneg$/) { $no_nextprotoneg=1; } - elsif (/^no-ssl2$/) { $no_ssl2=1; } -+ elsif (/^no-ssl2-method$/) { $no_ssl2_method=1; } - elsif (/^no-ssl3-method$/) { $no_ssl3_method=1; } - elsif (/^no-ssl-trace$/) { $no_ssl_trace=1; } - elsif (/^no-capieng$/) { $no_capieng=1; } -@@ -1215,6 +1218,7 @@ sub is_valid - if ($keyword eq "EC_NISTP_64_GCC_128" && $no_nistp_gcc) - { return 0; } - if ($keyword eq "SSL2" && $no_ssl2) { return 0; } -+ if ($keyword eq "SSL2_METHOD" && $no_ssl2_method) { return 0; } - if ($keyword eq "SSL3_METHOD" && $no_ssl3_method) { return 0; } - if ($keyword eq "SSL_TRACE" && $no_ssl_trace) { return 0; } - if ($keyword eq "CAPIENG" && $no_capieng) { return 0; } -diff -upr deps/openssl/openssl.old/util/shlib_wrap.sh deps/openssl/openssl/util/shlib_wrap.sh ---- deps/openssl/openssl.old/util/shlib_wrap.sh 2016-04-26 21:50:10.000000000 +0200 -+++ deps/openssl/openssl/util/shlib_wrap.sh 2016-05-03 15:44:42.000000000 +0200 -@@ -27,6 +27,15 @@ SunOS|IRIX*) - LD_PRELOAD_64="$LIBCRYPTOSO $LIBSSLSO"; export LD_PRELOAD_64 - preload_var=LD_PRELOAD_64 - ;; -+ *ELF\ 32*SPARC*|*ELF\ 32*80386*) -+ # We only need to change LD_PRELOAD_32 and LD_LIBRARY_PATH_32 -+ # on a multi-arch system. Otherwise, trust the fallbacks. -+ if [ -f /lib/64/ld.so.1 ]; then -+ [ -n "$LD_LIBRARY_PATH_32" ] && rld_var=LD_LIBRARY_PATH_32 -+ LD_PRELOAD_32="$LIBCRYPTOSO $LIBSSLSO"; export LD_PRELOAD_32 -+ preload_var=LD_PRELOAD_32 -+ fi -+ ;; - # Why are newly built .so's preloaded anyway? Because run-time - # .so lookup path embedded into application takes precedence - # over LD_LIBRARY_PATH and as result application ends up linking -diff -upr deps/openssl/openssl.old/util/ssleay.num deps/openssl/openssl/util/ssleay.num ---- deps/openssl/openssl.old/util/ssleay.num 2016-04-26 21:50:10.000000000 +0200 -+++ deps/openssl/openssl/util/ssleay.num 2016-05-03 15:46:29.000000000 +0200 -@@ -98,9 +98,9 @@ SSLeay_add_ssl_algorithms - SSLv23_client_method 110 EXIST::FUNCTION:RSA - SSLv23_method 111 EXIST::FUNCTION:RSA - SSLv23_server_method 112 EXIST::FUNCTION:RSA --SSLv2_client_method 113 EXIST::FUNCTION:RSA,SSL2 --SSLv2_method 114 EXIST::FUNCTION:RSA,SSL2 --SSLv2_server_method 115 EXIST::FUNCTION:RSA,SSL2 -+SSLv2_client_method 113 EXIST::FUNCTION:RSA,SSL2_METHOD -+SSLv2_method 114 EXIST::FUNCTION:RSA,SSL2_METHOD -+SSLv2_server_method 115 EXIST::FUNCTION:RSA,SSL2_METHOD - SSLv3_client_method 116 EXIST::FUNCTION:SSL3_METHOD - SSLv3_method 117 EXIST::FUNCTION:SSL3_METHOD - SSLv3_server_method 118 EXIST::FUNCTION:SSL3_METHOD diff --git a/srcpkgs/nodejs/template b/srcpkgs/nodejs/template index abec258616..34f9192e74 100644 --- a/srcpkgs/nodejs/template +++ b/srcpkgs/nodejs/template @@ -1,7 +1,7 @@ # Template file for 'nodejs' pkgname=nodejs -version=6.0.0 -revision=2 +version=6.1.0 +revision=1 wrksrc=node-v${version} hostmakedepends="pkg-config python" makedepends="zlib-devel python-devel @@ -13,14 +13,13 @@ maintainer="Enno Boland " license="MIT" homepage="http://nodejs.org/" distfiles="${homepage}/dist/v${version}/node-v${version}.tar.gz" -checksum=6db56d81a4e07ff4017809ad4ee49a5256fad804cd8527f8724f8e149e3dfc32 +checksum=9e67ef0b8611e16e6e311eccf0489a50fe76ceebeea3023ef4f51be647ae4bc3 build_options="ssl libuv http_parser" desc_option_libuv="Enable shared libuv" desc_option_http_parser="Enable shared http-parser" build_options_default="libuv http_parser" -broken="openssl broke it" replaces="iojs>=0" do_configure() {