Index: branches/2016Q3/security/openssl/Makefile =================================================================== --- branches/2016Q3/security/openssl/Makefile (revision 422668) +++ branches/2016Q3/security/openssl/Makefile (revision 422669) @@ -1,243 +1,241 @@ # Created by: Dirk Froemberg # $FreeBSD$ PORTNAME= openssl -PORTVERSION= 1.0.2 -DISTVERSIONSUFFIX= h -PORTREVISION= 14 +PORTVERSION= 1.0.2i +PORTEPOCH= 1 CATEGORIES= security devel MASTER_SITES= http://www.openssl.org/source/ \ ftp://ftp.openssl.org/source/ \ ftp://ftp.cert.dfn.de/pub/tools/net/openssl/source/ DIST_SUBDIR= ${DISTNAME} MAINTAINER= dinoex@FreeBSD.org COMMENT= SSL and crypto library LICENSE= OpenSSL LICENSE_FILE= ${WRKSRC}/LICENSE MAKE_JOBS_UNSAFE= yes CPE_VERSION= ${PORTVERSION}${DISTVERSIONSUFFIX} CONFLICTS= libressl-[0-9]* \ libressl-devel-[0-9]* \ openssl-devel-[0-9]* .ifdef USE_OPENSSL .error You have `USE_OPENSSL' variable defined either in environment or in make(1) arguments. Please undefine and try again. .endif OPTIONS_DEFINE= SHARED THREADS I386 SSE2 ASM PADLOCK ZLIB GMP SCTP SSL2 SSL3 RFC3779 MD2 RC5 EXPCIPHERS DOCS MAN3 OPTIONS_DEFAULT=SHARED THREADS SSE2 SCTP SSL2 SSL3 MD2 MAN3 .for a in amd64 ia64 OPTIONS_DEFINE_${a}= EC OPTIONS_DEFAULT_${a}= EC .endfor TARGET_ARCH?= ${MACHINE_ARCH} .if ${TARGET_ARCH} == "mips64el" OPTIONS_DEFINE_mips= EC OPTIONS_DEFAULT_mips= EC .endif NO_OPTIONS_SORT=yes OPTIONS_SUB= yes I386_DESC?= Optimize for i386 (instead of i486+) SSE2_DESC?= runtime SSE2 detection ASM_DESC?= optimized Assembler code PADLOCK_DESC?= VIA Padlock support SHARED_DESC?= build of shared libs ZLIB_DESC?= zlib compression support GMP_DESC?= gmp support (LGPLv3) SCTP_DESC?= SCTP protocol support SSL2_DESC?= SSLv2 protocol support SSL3_DESC?= SSLv3 protocol support RFC3779_DESC?= RFC3779 support (BGP) MD2_DESC?= MD2 hash (obsolete) RC5_DESC?= RC5 cipher (patented) EXPCIPHERS_DESC?= Include experimental ciphers EC_DESC?= Optimize NIST elliptic curves MAN3_DESC?= Install API manpages (section 3) GMP_LIB_DEPENDS= libgmp.so:math/gmp USES= perl5 cpe USE_PERL5= build MAKE_ARGS+= WHOLE_ARCHIVE_FLAG=--whole-archive MAKE_ENV+= LIBRPATH="${PREFIX}/lib" GREP_OPTIONS= SUB_FILES= pkg-message .include .if ${PREFIX} == /usr IGNORE= the OpenSSL port can not be installed over the base version .endif OPENSSLDIR?= ${PREFIX}/openssl PLIST_SUB+= OPENSSLDIR=${OPENSSLDIR:S=^${PREFIX}/==} OPENSSL_BASE_SONAME!= readlink ${DESTDIR}/usr/lib/libcrypto.so || true OPENSSL_SHLIBVER_BASE= ${OPENSSL_BASE_SONAME:E} OPENSSL_BASE_SOPATH= ${OPENSSL_BASE_SONAME:H} OPENSSL_SHLIBVER?= 8 .if ${PORT_OPTIONS:MI386} .if ${ARCH} == "i386" EXTRACONFIGURE+= 386 .endif .endif .if empty(PORT_OPTIONS:MSSE2) # disable runtime SSE2 detection EXTRACONFIGURE+= no-sse2 .endif .if ${PORT_OPTIONS:MASM} BROKEN_sparc64= option ASM generates illegal instructions EXTRACONFIGURE+= enable-asm .else EXTRACONFIGURE+= no-asm .endif .if ${PORT_OPTIONS:MTHREADS} EXTRACONFIGURE+= threads .else EXTRACONFIGURE+= no-threads .endif .if ${PORT_OPTIONS:MSHARED} EXTRACONFIGURE+= shared MAKE_ENV+= SHLIBVER=${OPENSSL_SHLIBVER} PLIST_SUB+= SHLIBVER=${OPENSSL_SHLIBVER} USE_LDCONFIG= yes .endif .if ${PORT_OPTIONS:MZLIB} EXTRACONFIGURE+= zlib zlib-dynamic .else EXTRACONFIGURE+= no-zlib no-zlib-dynamic .endif .if ${PORT_OPTIONS:MSCTP} EXTRACONFIGURE+= sctp .else EXTRACONFIGURE+= no-sctp .endif .if ${PORT_OPTIONS:MSSL2} EXTRACONFIGURE+= enable-ssl2 .else EXTRACONFIGURE+= no-ssl2 .endif .if ${PORT_OPTIONS:MSSL3} EXTRACONFIGURE+= enable-ssl3 .else EXTRACONFIGURE+= no-ssl3 no-ssl3-method .endif .if ${PORT_OPTIONS:MMD2} EXTRACONFIGURE+= enable-md2 .else EXTRACONFIGURE+= no-md2 .endif .if ${PORT_OPTIONS:MRC5} EXTRACONFIGURE+= enable-rc5 .else EXTRACONFIGURE+= no-rc5 .endif .if ${PORT_OPTIONS:MPADLOCK} PATCH_DIST_STRIP= -p1 PATCH_SITES+= http://git.alpinelinux.org/cgit/aports/plain/main/openssl/:padlock PATCHFILES+= 1001-crypto-hmac-support-EVP_MD_CTX_FLAG_ONESHOT-and-set-.patch:padlock \ 1002-backport-changes-from-upstream-padlock-module.patch:padlock \ 1003-engines-e_padlock-implement-sha1-sha224-sha256-accel.patch:padlock \ 1004-crypto-engine-autoload-padlock-dynamic-engine.patch:padlock .endif .if ${PORT_OPTIONS:MGMP} EXTRACONFIGURE+= enable-gmp -I${LOCALBASE}/include IGNORE= can not be linked because GMP is LGPLv3 .else EXTRACONFIGURE+= no-gmp .endif .if ${PORT_OPTIONS:MRFC3779} EXTRACONFIGURE+= enable-rfc3779 .else EXTRACONFIGURE+= no-rfc3779 .endif .if ${PORT_OPTIONS:MEC} EXTRACONFIGURE+= enable-ec_nistp_64_gcc_128 .else EXTRACONFIGURE+= no-ec_nistp_64_gcc_128 .endif .if ${OPENSSL_SHLIBVER_BASE} > ${OPENSSL_SHLIBVER} pre-everything:: @${ECHO_CMD} "#" @${ECHO_CMD} "# this ports conflicts with your base system" @${ECHO_CMD} "# you have to uninstall your ssl port" @${ECHO_CMD} "# please use DEFAULT_VERSIONS+= ssl=base instead." @${ECHO_CMD} "#" @${FALSE} - .endif post-patch: ${REINPLACE_CMD} -e 's|m4 -B 8192|m4|g' \ ${WRKSRC}/crypto/des/Makefile ${REINPLACE_CMD} -e 's|SHLIB_VERSION_NUMBER "1.0.0"|SHLIB_VERSION_NUMBER "${OPENSSL_SHLIBVER}"|' \ ${WRKSRC}/crypto/opensslv.h ${REINPLACE_CMD} -e 's|ERR_R_MALLOC_ERROR|ERR_R_MALLOC_FAILURE|' \ ${WRKSRC}/crypto/bio/bss_dgram.c .if ${PORT_OPTIONS:MEXPCIPHERS} ${REINPLACE_CMD} -e 's|TLS1_ALLOW_EXPERIMENTAL_CIPHERSUITES 0|TLS1_ALLOW_EXPERIMENTAL_CIPHERSUITES 1|' \ ${WRKSRC}/ssl/tls1.h .endif do-configure: ${REINPLACE_CMD} -e "s|options 386|options|" \ ${WRKSRC}/config .if ${PORT_OPTIONS:MTHREADS} cd ${WRKSRC} \ && ${SETENV} CC="${CC}" FREEBSDCC="${CC}" CFLAGS="${CFLAGS}" PERL="${PERL}" \ ./config --prefix=${PREFIX} --openssldir=${OPENSSLDIR} \ --install_prefix=${STAGEDIR} \ -L${PREFIX}/lib ${EXTRACONFIGURE} .else cd ${WRKSRC} \ && ${SETENV} CC="${CC}" FREEBSDCC="${CC}" CFLAGS="${CFLAGS}" PERL="${PERL}" \ ./config --prefix=${PREFIX} --openssldir=${OPENSSLDIR} \ --install_prefix=${STAGEDIR} \ -L${PREFIX}/lib ${EXTRACONFIGURE} .endif ${REINPLACE_CMD} \ -e 's|^MANDIR=.*$$|MANDIR=$$(PREFIX)/man|' \ -e 's|$$(LIBDIR)/pkgconfig|libdata/pkgconfig|g' \ -e 's|LIBVERSION=[^ ]* |LIBVERSION=$(OPENSSL_SHLIBVER) |' \ ${WRKSRC}/Makefile post-install: .if ${PORT_OPTIONS:MSHARED} .for i in libcrypto libssl ${INSTALL_DATA} ${WRKSRC}/$i.so.${OPENSSL_SHLIBVER} ${STAGEDIR}${PREFIX}/lib ${LN} -sf $i.so.${OPENSSL_SHLIBVER} ${STAGEDIR}${PREFIX}/lib/$i.so .endfor .endif .if empty(PORT_OPTIONS:MMAN3) ${RM} -rf ${STAGEDIR}/${PREFIX}/man/man3 ${REINPLACE_CMD} -e 's|^man/man3/.*||' ${TMPPLIST} .endif post-install-DOCS-on: ${MKDIR} ${STAGEDIR}${DOCSDIR} ${INSTALL_DATA} ${WRKSRC}/doc/openssl.txt ${STAGEDIR}${DOCSDIR}/ test: build cd ${WRKSRC} && ${MAKE} test regression-test: test .include Index: branches/2016Q3/security/openssl/distinfo =================================================================== --- branches/2016Q3/security/openssl/distinfo (revision 422668) +++ branches/2016Q3/security/openssl/distinfo (revision 422669) @@ -1,10 +1,11 @@ -SHA256 (openssl-1.0.2h/openssl-1.0.2h.tar.gz) = 1d4007e53aad94a5b2002fe045ee7bb0b3d98f1a47f8b2bc851dcd1c74332919 -SIZE (openssl-1.0.2h/openssl-1.0.2h.tar.gz) = 5274412 -SHA256 (openssl-1.0.2h/1001-crypto-hmac-support-EVP_MD_CTX_FLAG_ONESHOT-and-set-.patch) = 2eddcb7ab342285cb637ce6b6be143cca835f449f35dd9bb8c7b9167ba2117a7 -SIZE (openssl-1.0.2h/1001-crypto-hmac-support-EVP_MD_CTX_FLAG_ONESHOT-and-set-.patch) = 3717 -SHA256 (openssl-1.0.2h/1002-backport-changes-from-upstream-padlock-module.patch) = aee88a24622ce9d71e38deeb874e58435dcf8ff5690f56194f0e4a00fb09b260 -SIZE (openssl-1.0.2h/1002-backport-changes-from-upstream-padlock-module.patch) = 5770 -SHA256 (openssl-1.0.2h/1003-engines-e_padlock-implement-sha1-sha224-sha256-accel.patch) = c10b8aaf56a4f4f79ca195fc587e0bb533f643e777d7a3e6fb0350399a6060ea -SIZE (openssl-1.0.2h/1003-engines-e_padlock-implement-sha1-sha224-sha256-accel.patch) = 20935 -SHA256 (openssl-1.0.2h/1004-crypto-engine-autoload-padlock-dynamic-engine.patch) = 97eb4411d0fc0890e94bc7c2d682f68b71135da782af769ca73914b37da2b1fd -SIZE (openssl-1.0.2h/1004-crypto-engine-autoload-padlock-dynamic-engine.patch) = 832 +TIMESTAMP = 1474552146 +SHA256 (openssl-1.0.2i/openssl-1.0.2i.tar.gz) = 9287487d11c9545b6efb287cdb70535d4e9b284dd10d51441d9b9963d000de6f +SIZE (openssl-1.0.2i/openssl-1.0.2i.tar.gz) = 5308232 +SHA256 (openssl-1.0.2i/1001-crypto-hmac-support-EVP_MD_CTX_FLAG_ONESHOT-and-set-.patch) = 2eddcb7ab342285cb637ce6b6be143cca835f449f35dd9bb8c7b9167ba2117a7 +SIZE (openssl-1.0.2i/1001-crypto-hmac-support-EVP_MD_CTX_FLAG_ONESHOT-and-set-.patch) = 3717 +SHA256 (openssl-1.0.2i/1002-backport-changes-from-upstream-padlock-module.patch) = aee88a24622ce9d71e38deeb874e58435dcf8ff5690f56194f0e4a00fb09b260 +SIZE (openssl-1.0.2i/1002-backport-changes-from-upstream-padlock-module.patch) = 5770 +SHA256 (openssl-1.0.2i/1003-engines-e_padlock-implement-sha1-sha224-sha256-accel.patch) = c10b8aaf56a4f4f79ca195fc587e0bb533f643e777d7a3e6fb0350399a6060ea +SIZE (openssl-1.0.2i/1003-engines-e_padlock-implement-sha1-sha224-sha256-accel.patch) = 20935 +SHA256 (openssl-1.0.2i/1004-crypto-engine-autoload-padlock-dynamic-engine.patch) = 97eb4411d0fc0890e94bc7c2d682f68b71135da782af769ca73914b37da2b1fd +SIZE (openssl-1.0.2i/1004-crypto-engine-autoload-padlock-dynamic-engine.patch) = 832 Index: branches/2016Q3/security/openssl/files/patch-t1_lib.c =================================================================== --- branches/2016Q3/security/openssl/files/patch-t1_lib.c (revision 422668) +++ branches/2016Q3/security/openssl/files/patch-t1_lib.c (nonexistent) @@ -1,163 +0,0 @@ -CVE-2016-2177 - ---- ssl/t1_lib.c.orig -+++ ssl/t1_lib.c -@@ -1867,11 +1867,11 @@ static void ssl_check_for_safari(SSL *s, const unsigned char *data, - 0x02, 0x03, /* SHA-1/ECDSA */ - }; - -- if (data >= (limit - 2)) -+ if (limit - data <= 2) - return; - data += 2; - -- if (data > (limit - 4)) -+ if (limit - data < 4) - return; - n2s(data, type); - n2s(data, size); -@@ -1879,7 +1879,7 @@ static void ssl_check_for_safari(SSL *s, const unsigned char *data, - if (type != TLSEXT_TYPE_server_name) - return; - -- if (data + size > limit) -+ if (limit - data < size) - return; - data += size; - -@@ -1887,7 +1887,7 @@ static void ssl_check_for_safari(SSL *s, const unsigned char *data, - const size_t len1 = sizeof(kSafariExtensionsBlock); - const size_t len2 = sizeof(kSafariTLS12ExtensionsBlock); - -- if (data + len1 + len2 != limit) -+ if (limit - data != (int)(len1 + len2)) - return; - if (memcmp(data, kSafariExtensionsBlock, len1) != 0) - return; -@@ -1896,7 +1896,7 @@ static void ssl_check_for_safari(SSL *s, const unsigned char *data, - } else { - const size_t len = sizeof(kSafariExtensionsBlock); - -- if (data + len != limit) -+ if (limit - data != (int)(len)) - return; - if (memcmp(data, kSafariExtensionsBlock, len) != 0) - return; -@@ -2053,19 +2053,19 @@ static int ssl_scan_clienthello_tlsext(SSL *s, unsigned char **p, - if (data == limit) - goto ri_check; - -- if (data > (limit - 2)) -+ if (limit - data < 2) - goto err; - - n2s(data, len); - -- if (data + len != limit) -+ if (limit - data != len) - goto err; - -- while (data <= (limit - 4)) { -+ while (limit - data >= 4) { - n2s(data, type); - n2s(data, size); - -- if (data + size > (limit)) -+ if (limit - data < size) - goto err; - # if 0 - fprintf(stderr, "Received extension type %d size %d\n", type, size); -@@ -2472,18 +2472,18 @@ static int ssl_scan_clienthello_custom_tlsext(SSL *s, - if (s->hit || s->cert->srv_ext.meths_count == 0) - return 1; - -- if (data >= limit - 2) -+ if (limit - data <= 2) - return 1; - n2s(data, len); - -- if (data > limit - len) -+ if (limit - data < len) - return 1; - -- while (data <= limit - 4) { -+ while (limit - data >= 4) { - n2s(data, type); - n2s(data, size); - -- if (data + size > limit) -+ if (limit - data < size) - return 1; - if (custom_ext_parse(s, 1 /* server */ , type, data, size, al) <= 0) - return 0; -@@ -2569,20 +2569,20 @@ static int ssl_scan_serverhello_tlsext(SSL *s, unsigned char **p, - SSL_TLSEXT_HB_DONT_SEND_REQUESTS); - # endif - -- if (data >= (d + n - 2)) -+ if ((d + n) - data <= 2) - goto ri_check; - - n2s(data, length); -- if (data + length != d + n) { -+ if ((d + n) - data != length) { - *al = SSL_AD_DECODE_ERROR; - return 0; - } - -- while (data <= (d + n - 4)) { -+ while ((d + n) - data >= 4) { - n2s(data, type); - n2s(data, size); - -- if (data + size > (d + n)) -+ if ((d + n) - data < size) - goto ri_check; - - if (s->tlsext_debug_cb) -@@ -3307,29 +3307,33 @@ int tls1_process_ticket(SSL *s, unsigned char *session_id, int len, - /* Skip past DTLS cookie */ - if (SSL_IS_DTLS(s)) { - i = *(p++); -- p += i; -- if (p >= limit) -+ -+ if (limit - p <= i) - return -1; -+ -+ p += i; - } - /* Skip past cipher list */ - n2s(p, i); -- p += i; -- if (p >= limit) -+ if (limit - p <= i) - return -1; -+ p += i; -+ - /* Skip past compression algorithm list */ - i = *(p++); -- p += i; -- if (p > limit) -+ if (limit - p < i) - return -1; -+ p += i; -+ - /* Now at start of extensions */ -- if ((p + 2) >= limit) -+ if (limit - p <= 2) - return 0; - n2s(p, i); -- while ((p + 4) <= limit) { -+ while (limit - p >= 4) { - unsigned short type, size; - n2s(p, type); - n2s(p, size); -- if (p + size > limit) -+ if (limit - p < size) - return 0; - if (type == TLSEXT_TYPE_session_ticket) { - int r; --- -1.9.1 - Property changes on: branches/2016Q3/security/openssl/files/patch-t1_lib.c ___________________________________________________________________ Deleted: fbsd:nokeywords ## -1 +0,0 ## -yes \ No newline at end of property Deleted: svn:eol-style ## -1 +0,0 ## -native \ No newline at end of property Deleted: svn:mime-type ## -1 +0,0 ## -text/plain \ No newline at end of property Index: branches/2016Q3/security/openssl/files/patch-dsa_ossl.c =================================================================== --- branches/2016Q3/security/openssl/files/patch-dsa_ossl.c (revision 422668) +++ branches/2016Q3/security/openssl/files/patch-dsa_ossl.c (nonexistent) @@ -1,35 +0,0 @@ - -Fix DSA, preserve BN_FLG_CONSTTIME - -Operations in the DSA signing algorithm should run in constant time in -order to avoid side channel attacks. A flaw in the OpenSSL DSA -implementation means that a non-constant time codepath is followed for -certain operations. This has been demonstrated through a cache-timing -attack to be sufficient for an attacker to recover the private DSA key. - -CVE-2016-2178 - ---- crypto/dsa/dsa_ossl.c.orig 2016-05-03 15:44:42.000000000 +0200 -+++ crypto/dsa/dsa_ossl.c 2016-06-12 22:57:49.000000000 +0200 -@@ -248,9 +248,6 @@ - if (!BN_rand_range(&k, dsa->q)) - goto err; - while (BN_is_zero(&k)) ; -- if ((dsa->flags & DSA_FLAG_NO_EXP_CONSTTIME) == 0) { -- BN_set_flags(&k, BN_FLG_CONSTTIME); -- } - - if (dsa->flags & DSA_FLAG_CACHE_MONT_P) { - if (!BN_MONT_CTX_set_locked(&dsa->method_mont_p, -@@ -282,6 +279,11 @@ - } else { - K = &k; - } -+ -+ if ((dsa->flags & DSA_FLAG_NO_EXP_CONSTTIME) == 0) { -+ BN_set_flags(&k, BN_FLG_CONSTTIME); -+ } -+ - DSA_BN_MOD_EXP(goto err, dsa, r, dsa->g, K, dsa->p, ctx, - dsa->method_mont_p); - if (!BN_mod(r, r, dsa->q, ctx)) Property changes on: branches/2016Q3/security/openssl/files/patch-dsa_ossl.c ___________________________________________________________________ Deleted: fbsd:nokeywords ## -1 +0,0 ## -yes \ No newline at end of property Deleted: svn:eol-style ## -1 +0,0 ## -native \ No newline at end of property Deleted: svn:mime-type ## -1 +0,0 ## -text/plain \ No newline at end of property Index: branches/2016Q3/security/openssl/files/patch-s3_srvr.c =================================================================== --- branches/2016Q3/security/openssl/files/patch-s3_srvr.c (revision 422668) +++ branches/2016Q3/security/openssl/files/patch-s3_srvr.c (nonexistent) @@ -1,66 +0,0 @@ -CVE-2016-2177 - ---- ssl/s3_srvr.c.orig -+++ ssl/s3_srvr.c -@@ -980,7 +980,7 @@ int ssl3_get_client_hello(SSL *s) - - session_length = *(p + SSL3_RANDOM_SIZE); - -- if (p + SSL3_RANDOM_SIZE + session_length + 1 >= d + n) { -+ if (SSL3_RANDOM_SIZE + session_length + 1 >= (d + n) - p) { - al = SSL_AD_DECODE_ERROR; - SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, SSL_R_LENGTH_TOO_SHORT); - goto f_err; -@@ -998,7 +998,7 @@ int ssl3_get_client_hello(SSL *s) - /* get the session-id */ - j = *(p++); - -- if (p + j > d + n) { -+ if ((d + n) - p < j) { - al = SSL_AD_DECODE_ERROR; - SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, SSL_R_LENGTH_TOO_SHORT); - goto f_err; -@@ -1054,14 +1054,14 @@ int ssl3_get_client_hello(SSL *s) - - if (SSL_IS_DTLS(s)) { - /* cookie stuff */ -- if (p + 1 > d + n) { -+ if ((d + n) - p < 1) { - al = SSL_AD_DECODE_ERROR; - SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, SSL_R_LENGTH_TOO_SHORT); - goto f_err; - } - cookie_len = *(p++); - -- if (p + cookie_len > d + n) { -+ if ((d + n ) - p < cookie_len) { - al = SSL_AD_DECODE_ERROR; - SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, SSL_R_LENGTH_TOO_SHORT); - goto f_err; -@@ -1131,7 +1131,7 @@ int ssl3_get_client_hello(SSL *s) - } - } - -- if (p + 2 > d + n) { -+ if ((d + n ) - p < 2) { - al = SSL_AD_DECODE_ERROR; - SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, SSL_R_LENGTH_TOO_SHORT); - goto f_err; -@@ -1145,7 +1145,7 @@ int ssl3_get_client_hello(SSL *s) - } - - /* i bytes of cipher data + 1 byte for compression length later */ -- if ((p + i + 1) > (d + n)) { -+ if ((d + n) - p < i + 1) { - /* not enough data */ - al = SSL_AD_DECODE_ERROR; - SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, SSL_R_LENGTH_MISMATCH); -@@ -1211,7 +1211,7 @@ int ssl3_get_client_hello(SSL *s) - - /* compression */ - i = *(p++); -- if ((p + i) > (d + n)) { -+ if ((d + n) - p < i) { - /* not enough data */ - al = SSL_AD_DECODE_ERROR; - SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, SSL_R_LENGTH_MISMATCH); Property changes on: branches/2016Q3/security/openssl/files/patch-s3_srvr.c ___________________________________________________________________ Deleted: fbsd:nokeywords ## -1 +0,0 ## -yes \ No newline at end of property Deleted: svn:eol-style ## -1 +0,0 ## -native \ No newline at end of property Deleted: svn:mime-type ## -1 +0,0 ## -text/plain \ No newline at end of property Index: branches/2016Q3/security/openssl/files/patch-ssl_sess.c =================================================================== --- branches/2016Q3/security/openssl/files/patch-ssl_sess.c (revision 422668) +++ branches/2016Q3/security/openssl/files/patch-ssl_sess.c (nonexistent) @@ -1,13 +0,0 @@ -CVE-2016-2177 - ---- ssl/ssl_sess.c.orig -+++ ssl/ssl_sess.c -@@ -573,7 +573,7 @@ int ssl_get_prev_session(SSL *s, unsigned char *session_id, int len, - int r; - #endif - -- if (session_id + len > limit) { -+ if (limit - session_id < len) { - fatal = 1; - goto err; - } Property changes on: branches/2016Q3/security/openssl/files/patch-ssl_sess.c ___________________________________________________________________ Deleted: fbsd:nokeywords ## -1 +0,0 ## -yes \ No newline at end of property Deleted: svn:eol-style ## -1 +0,0 ## -native \ No newline at end of property Deleted: svn:mime-type ## -1 +0,0 ## -text/plain \ No newline at end of property Index: branches/2016Q3 =================================================================== --- branches/2016Q3 (revision 422668) +++ branches/2016Q3 (revision 422669) Property changes on: branches/2016Q3 ___________________________________________________________________ Modified: svn:mergeinfo ## -0,0 +0,1 ## Merged /head:r422668