Commit Graph

2709 Commits

Author SHA1 Message Date
christos ee85abc417 merge conflicts 2016-12-25 00:07:46 +00:00
christos 210ad7912c Import OpenSSH-7.4
OpenSSH 7.4 has just been released. It will be available from the
mirrors listed at http://www.openssh.com/ shortly.

OpenSSH is a 100% complete SSH protocol 2.0 implementation and
includes sftp client and server support. OpenSSH also includes
transitional support for the legacy SSH 1.3 and 1.5 protocols
that may be enabled at compile-time.

Once again, we would like to thank the OpenSSH community for their
continued support of the project, especially those who contributed
code or patches, reported bugs, tested snapshots or donated to the
project. More information on donations may be found at:
http://www.openssh.com/donations.html

Future deprecation notice
=========================

We plan on retiring more legacy cryptography in future releases,
specifically:

 * In approximately August 2017, removing remaining support for the
   SSH v.1 protocol (client-only and currently compile-time disabled).

 * In the same release, removing support for Blowfish and RC4 ciphers
   and the RIPE-MD160 HMAC. (These are currently run-time disabled).

 * Refusing all RSA keys smaller than 1024 bits (the current minimum
   is 768 bits)

 * The next release of OpenSSH will remove support for running sshd(8)
   with privilege separation disabled.

 * The next release of portable OpenSSH will remove support for
   OpenSSL version prior to 1.0.1.

This list reflects our current intentions, but please check the final
release notes for future releases.

Potentially-incompatible changes
================================

This release includes a number of changes that may affect existing
configurations:

 * This release removes server support for the SSH v.1 protocol.

 * ssh(1): Remove 3des-cbc from the client's default proposal. 64-bit
   block ciphers are not safe in 2016 and we don't want to wait until
   attacks like SWEET32 are extended to SSH. As 3des-cbc was the
   only mandatory cipher in the SSH RFCs, this may cause problems
   connecting to older devices using the default configuration,
   but it's highly likely that such devices already need explicit
   configuration for key exchange and hostkey algorithms already
   anyway.

 * sshd(8): Remove support for pre-authentication compression.
   Doing compression early in the protocol probably seemed reasonable
   in the 1990s, but today it's clearly a bad idea in terms of both
   cryptography (cf. multiple compression oracle attacks in TLS) and
   attack surface. Pre-auth compression support has been disabled by
   default for >10 years. Support remains in the client.

 * ssh-agent will refuse to load PKCS#11 modules outside a whitelist
   of trusted paths by default. The path whitelist may be specified
   at run-time.

 * sshd(8): When a forced-command appears in both a certificate and
   an authorized keys/principals command= restriction, sshd will now
   refuse to accept the certificate unless they are identical.
   The previous (documented) behaviour of having the certificate
   forced-command override the other could be a bit confusing and
   error-prone.

 * sshd(8): Remove the UseLogin configuration directive and support
   for having /bin/login manage login sessions.
2016-12-25 00:00:13 +00:00
joerg e887dd50b2 Mark the new SPARCv9-in-32bit-mode modules as needing V9. 2016-11-03 22:18:29 +00:00
christos c03ab36ba4 conditionalize bits 2016-10-19 00:11:03 +00:00
joerg e9e26132dd Add basic glue for AArch64, including not-yet-used assembler files. 2016-10-17 00:24:13 +00:00
joerg 11ff370a53 Make assembler modules optional for ARM architectures. 2016-10-17 00:23:47 +00:00
christos a419901429 Adapt from powerpc(32) 2016-10-15 12:19:02 +00:00
spz 31b855a025 merge for openssl 1.0.2j 2016-10-14 16:23:17 +00:00
spz cff8db61e4 periphereal updates and generated files for the new openssl.
Expect at least one more commit until the tree builds again.
2016-10-14 16:09:43 +00:00
spz a6054fbf77 Import of OpenSSL 1.0.2j.
The 1.0.2 branch of OpenSSL is the current long term support branch.

Differences between 1.0.1 and 1.0.2:
      o Suite B support for TLS 1.2 and DTLS 1.2
      o Support for DTLS 1.2
      o TLS automatic EC curve selection.
      o API to set TLS supported signature algorithms and curves
      o SSL_CONF configuration API.
      o TLS Brainpool support.
      o ALPN support.
      o CMS support for RSA-PSS, RSA-OAEP, ECDH and X9.42 DH.

Security fixes from the previous version (1.0.1t) in NetBSD:
      o OCSP Status Request extension unbounded memory growth (CVE-2016-6304)
      o SWEET32 Mitigation (CVE-2016-2183)
      o OOB write in MDC2_Update() (CVE-2016-6303)
      o Malformed SHA512 ticket DoS (CVE-2016-6302)
      o OOB write in BN_bn2dec() (CVE-2016-2182)
      o OOB read in TS_OBJ_print_bio() (CVE-2016-2180)
      o Pointer arithmetic undefined behaviour (CVE-2016-2177)
      o Constant time flag not preserved in DSA signing (CVE-2016-2178)
      o DTLS buffered message DoS (CVE-2016-2179)
      o DTLS replay protection DoS (CVE-2016-2181)
      o Certificate message OOB reads (CVE-2016-6306)
2016-10-14 16:02:36 +00:00
spz 218f7bfcf1 Import of OpenSSL 1.0.2j.
The 1.0.2 branch of OpenSSL is the current long term support branch.

Differences between 1.0.1 and 1.0.2:
      o Suite B support for TLS 1.2 and DTLS 1.2
      o Support for DTLS 1.2
      o TLS automatic EC curve selection.
      o API to set TLS supported signature algorithms and curves
      o SSL_CONF configuration API.
      o TLS Brainpool support.
      o ALPN support.
      o CMS support for RSA-PSS, RSA-OAEP, ECDH and X9.42 DH.

Security fixes from the previous version (1.0.1t) in NetBSD:
      o OCSP Status Request extension unbounded memory growth (CVE-2016-6304)
      o SWEET32 Mitigation (CVE-2016-2183)
      o OOB write in MDC2_Update() (CVE-2016-6303)
      o Malformed SHA512 ticket DoS (CVE-2016-6302)
      o OOB write in BN_bn2dec() (CVE-2016-2182)
      o OOB read in TS_OBJ_print_bio() (CVE-2016-2180)
      o Pointer arithmetic undefined behaviour (CVE-2016-2177)
      o Constant time flag not preserved in DSA signing (CVE-2016-2178)
      o DTLS buffered message DoS (CVE-2016-2179)
      o DTLS replay protection DoS (CVE-2016-2181)
      o Certificate message OOB reads (CVE-2016-6306)
2016-10-14 16:01:16 +00:00
christos de2aa956c1 PR/51543: Henning Petersen: replace , with ; 2016-10-09 15:01:49 +00:00
bouyer ba1fe8e391 Remove, should have been added on netbsd-6-0 2016-10-05 10:30:19 +00:00
bouyer 2b8667ab73 src/doc/3RDPARTY patch
src/distrib/sets/lists/comp/mi						patch
src/crypto/external/bsd/openssl/dist/CHANGES				patch
src/crypto/external/bsd/openssl/dist/CONTRIBUTING			patch
src/crypto/external/bsd/openssl/dist/Configure				patch
src/crypto/external/bsd/openssl/dist/Makefile				patch
src/crypto/external/bsd/openssl/dist/NEWS				patch
src/crypto/external/bsd/openssl/dist/README				patch
src/crypto/external/bsd/openssl/dist/openssl.spec			patch
src/crypto/external/bsd/openssl/dist/apps/apps.c			patch
src/crypto/external/bsd/openssl/dist/apps/enc.c				patch
src/crypto/external/bsd/openssl/dist/apps/passwd.c			patch
src/crypto/external/bsd/openssl/dist/apps/s_server.c			patch
src/crypto/external/bsd/openssl/dist/apps/x509.c			patch
src/crypto/external/bsd/openssl/dist/crypto/md32_common.h		patch
src/crypto/external/bsd/openssl/dist/crypto/opensslv.h			patch
src/crypto/external/bsd/openssl/dist/crypto/asn1/a_bytes.c		patch
src/crypto/external/bsd/openssl/dist/crypto/asn1/a_object.c		patch
src/crypto/external/bsd/openssl/dist/crypto/asn1/a_set.c		patch
src/crypto/external/bsd/openssl/dist/crypto/asn1/asn1_lib.c		patch
src/crypto/external/bsd/openssl/dist/crypto/asn1/asn_mime.c		patch
src/crypto/external/bsd/openssl/dist/crypto/asn1/d2i_pr.c		patch
src/crypto/external/bsd/openssl/dist/crypto/asn1/f_enum.c		patch
src/crypto/external/bsd/openssl/dist/crypto/asn1/f_int.c		patch
src/crypto/external/bsd/openssl/dist/crypto/asn1/f_string.c		patch
src/crypto/external/bsd/openssl/dist/crypto/asn1/p5_pbe.c		patch
src/crypto/external/bsd/openssl/dist/crypto/asn1/p5_pbev2.c		patch
src/crypto/external/bsd/openssl/dist/crypto/asn1/tasn_enc.c		patch
src/crypto/external/bsd/openssl/dist/crypto/asn1/tasn_prn.c		patch
src/crypto/external/bsd/openssl/dist/crypto/asn1/x_name.c		patch
src/crypto/external/bsd/openssl/dist/crypto/bio/bf_nbio.c		patch
src/crypto/external/bsd/openssl/dist/crypto/bn/bn_lib.c			patch
src/crypto/external/bsd/openssl/dist/crypto/bn/bn_print.c		patch
src/crypto/external/bsd/openssl/dist/crypto/bn/bn_rand.c		patch
src/crypto/external/bsd/openssl/dist/crypto/cms/cms_enc.c		patch
src/crypto/external/bsd/openssl/dist/crypto/cms/cms_ess.c		patch
src/crypto/external/bsd/openssl/dist/crypto/cms/cms_pwri.c		patch
src/crypto/external/bsd/openssl/dist/crypto/des/des.c			patch
src/crypto/external/bsd/openssl/dist/crypto/des/enc_writ.c		patch
src/crypto/external/bsd/openssl/dist/crypto/dsa/dsa_gen.c		patch
src/crypto/external/bsd/openssl/dist/crypto/dsa/dsa_ossl.c		patch
src/crypto/external/bsd/openssl/dist/crypto/evp/bio_ok.c		patch
src/crypto/external/bsd/openssl/dist/crypto/evp/digest.c		patch
src/crypto/external/bsd/openssl/dist/crypto/evp/e_seed.c		patch
src/crypto/external/bsd/openssl/dist/crypto/md2/md2_dgst.c		patch
src/crypto/external/bsd/openssl/dist/crypto/mdc2/mdc2dgst.c		patch
src/crypto/external/bsd/openssl/dist/crypto/ocsp/ocsp_ext.c		patch
src/crypto/external/bsd/openssl/dist/crypto/pem/pem.h			patch
src/crypto/external/bsd/openssl/dist/crypto/pem/pem_err.c		patch
src/crypto/external/bsd/openssl/dist/crypto/pem/pem_lib.c		patch
src/crypto/external/bsd/openssl/dist/crypto/pem/pvkfmt.c		patch
src/crypto/external/bsd/openssl/dist/crypto/pkcs12/p12_mutl.c		patch
src/crypto/external/bsd/openssl/dist/crypto/pkcs12/p12_npas.c		patch
src/crypto/external/bsd/openssl/dist/crypto/pkcs12/p12_utl.c		patch
src/crypto/external/bsd/openssl/dist/crypto/pkcs12/pkcs12.h		patch
src/crypto/external/bsd/openssl/dist/crypto/pkcs7/pk7_doit.c		patch
src/crypto/external/bsd/openssl/dist/crypto/rand/rand_unix.c		patch
src/crypto/external/bsd/openssl/dist/crypto/srp/srp_lib.c		patch
src/crypto/external/bsd/openssl/dist/crypto/srp/srp_vfy.c		patch
src/crypto/external/bsd/openssl/dist/crypto/ts/ts_lib.c			patch
src/crypto/external/bsd/openssl/dist/crypto/whrlpool/wp_dgst.c		patch
src/crypto/external/bsd/openssl/dist/crypto/x509/x509.h			patch
src/crypto/external/bsd/openssl/dist/crypto/x509/x509_err.c		patch
src/crypto/external/bsd/openssl/dist/crypto/x509/x509_txt.c		patch
src/crypto/external/bsd/openssl/dist/crypto/x509/x509_vfy.c		patch
src/crypto/external/bsd/openssl/dist/crypto/x509/x509_vfy.h		patch
src/crypto/external/bsd/openssl/dist/crypto/x509v3/v3_addr.c		patch
src/crypto/external/bsd/openssl/dist/doc/apps/cms.pod			patch
src/crypto/external/bsd/openssl/dist/doc/apps/smime.pod			patch
src/crypto/external/bsd/openssl/dist/doc/apps/verify.pod		patch
src/crypto/external/bsd/openssl/dist/doc/crypto/X509_verify_cert.pod	patch
src/crypto/external/bsd/openssl/dist/doc/crypto/d2i_PrivateKey.pod	patch
src/crypto/external/bsd/openssl/dist/ssl/d1_both.c			patch
src/crypto/external/bsd/openssl/dist/ssl/d1_clnt.c			patch
src/crypto/external/bsd/openssl/dist/ssl/d1_lib.c			patch
src/crypto/external/bsd/openssl/dist/ssl/d1_pkt.c			patch
src/crypto/external/bsd/openssl/dist/ssl/d1_srvr.c			patch
src/crypto/external/bsd/openssl/dist/ssl/s23_clnt.c			patch
src/crypto/external/bsd/openssl/dist/ssl/s2_clnt.c			patch
src/crypto/external/bsd/openssl/dist/ssl/s2_srvr.c			patch
src/crypto/external/bsd/openssl/dist/ssl/s3_both.c			patch
src/crypto/external/bsd/openssl/dist/ssl/s3_clnt.c			patch
src/crypto/external/bsd/openssl/dist/ssl/s3_lib.c			patch
src/crypto/external/bsd/openssl/dist/ssl/s3_srvr.c			patch
src/crypto/external/bsd/openssl/dist/ssl/ssl.h				patch
src/crypto/external/bsd/openssl/dist/ssl/ssl_err.c			patch
src/crypto/external/bsd/openssl/dist/ssl/ssl_lib.c			patch
src/crypto/external/bsd/openssl/dist/ssl/ssl_locl.h			patch
src/crypto/external/bsd/openssl/dist/ssl/ssl_sess.c			patch
src/crypto/external/bsd/openssl/dist/ssl/t1_lib.c			patch
src/crypto/external/bsd/openssl/dist/test/smime-certs/smdsa1.pem	patch
src/crypto/external/bsd/openssl/dist/test/smime-certs/smdsa2.pem	patch
src/crypto/external/bsd/openssl/dist/test/smime-certs/smdsa3.pem	patch
src/crypto/external/bsd/openssl/dist/test/smime-certs/smroot.pem	patch
src/crypto/external/bsd/openssl/dist/test/smime-certs/smrsa1.pem	patch
src/crypto/external/bsd/openssl/dist/test/smime-certs/smrsa2.pem	patch
src/crypto/external/bsd/openssl/dist/test/smime-certs/smrsa3.pem	patch
src/crypto/external/bsd/openssl/lib/libcrypto/man.inc			patch
src/crypto/external/bsd/openssl/lib/libcrypto/man/ASN1_OBJECT_new.3	patch
src/crypto/external/bsd/openssl/lib/libcrypto/man/ASN1_STRING_length.3	patch
src/crypto/external/bsd/openssl/lib/libcrypto/man/ASN1_STRING_new.3	patch
src/crypto/external/bsd/openssl/lib/libcrypto/man/ASN1_STRING_print_ex.3 patch
src/crypto/external/bsd/openssl/lib/libcrypto/man/ASN1_generate_nconf.3	patch
src/crypto/external/bsd/openssl/lib/libcrypto/man/BIO_ctrl.3		patch
src/crypto/external/bsd/openssl/lib/libcrypto/man/BIO_f_base64.3	patch
src/crypto/external/bsd/openssl/lib/libcrypto/man/BIO_f_buffer.3	patch
src/crypto/external/bsd/openssl/lib/libcrypto/man/BIO_f_cipher.3	patch
src/crypto/external/bsd/openssl/lib/libcrypto/man/BIO_f_md.3		patch
src/crypto/external/bsd/openssl/lib/libcrypto/man/BIO_f_null.3		patch
src/crypto/external/bsd/openssl/lib/libcrypto/man/BIO_f_ssl.3		patch
src/crypto/external/bsd/openssl/lib/libcrypto/man/BIO_find_type.3	patch
src/crypto/external/bsd/openssl/lib/libcrypto/man/BIO_new.3		patch
src/crypto/external/bsd/openssl/lib/libcrypto/man/BIO_new_CMS.3		patch
src/crypto/external/bsd/openssl/lib/libcrypto/man/BIO_push.3		patch
src/crypto/external/bsd/openssl/lib/libcrypto/man/BIO_read.3		patch
src/crypto/external/bsd/openssl/lib/libcrypto/man/BIO_s_accept.3	patch
src/crypto/external/bsd/openssl/lib/libcrypto/man/BIO_s_bio.3		patch
src/crypto/external/bsd/openssl/lib/libcrypto/man/BIO_s_connect.3	patch
src/crypto/external/bsd/openssl/lib/libcrypto/man/BIO_s_fd.3		patch
src/crypto/external/bsd/openssl/lib/libcrypto/man/BIO_s_file.3		patch
src/crypto/external/bsd/openssl/lib/libcrypto/man/BIO_s_mem.3		patch
src/crypto/external/bsd/openssl/lib/libcrypto/man/BIO_s_null.3		patch
src/crypto/external/bsd/openssl/lib/libcrypto/man/BIO_s_socket.3	patch
src/crypto/external/bsd/openssl/lib/libcrypto/man/BIO_set_callback.3	patch
src/crypto/external/bsd/openssl/lib/libcrypto/man/BIO_should_retry.3	patch
src/crypto/external/bsd/openssl/lib/libcrypto/man/BN_BLINDING_new.3	patch
src/crypto/external/bsd/openssl/lib/libcrypto/man/BN_CTX_new.3		patch
src/crypto/external/bsd/openssl/lib/libcrypto/man/BN_CTX_start.3	patch
src/crypto/external/bsd/openssl/lib/libcrypto/man/BN_add.3		patch
src/crypto/external/bsd/openssl/lib/libcrypto/man/BN_add_word.3		patch
src/crypto/external/bsd/openssl/lib/libcrypto/man/BN_bn2bin.3		patch
src/crypto/external/bsd/openssl/lib/libcrypto/man/BN_cmp.3		patch
src/crypto/external/bsd/openssl/lib/libcrypto/man/BN_copy.3		patch
src/crypto/external/bsd/openssl/lib/libcrypto/man/BN_generate_prime.3	patch
src/crypto/external/bsd/openssl/lib/libcrypto/man/BN_mod_inverse.3	patch
src/crypto/external/bsd/openssl/lib/libcrypto/man/BN_mod_mul_montgomery.3 patch
src/crypto/external/bsd/openssl/lib/libcrypto/man/BN_mod_mul_reciprocal.3 patch
src/crypto/external/bsd/openssl/lib/libcrypto/man/BN_new.3		patch
src/crypto/external/bsd/openssl/lib/libcrypto/man/BN_num_bytes.3	patch
src/crypto/external/bsd/openssl/lib/libcrypto/man/BN_rand.3		patch
src/crypto/external/bsd/openssl/lib/libcrypto/man/BN_set_bit.3		patch
src/crypto/external/bsd/openssl/lib/libcrypto/man/BN_swap.3		patch
src/crypto/external/bsd/openssl/lib/libcrypto/man/BN_zero.3		patch
src/crypto/external/bsd/openssl/lib/libcrypto/man/CMS_add0_cert.3	patch
src/crypto/external/bsd/openssl/lib/libcrypto/man/CMS_add1_recipient_cert.3	patch
src/crypto/external/bsd/openssl/lib/libcrypto/man/CMS_add1_signer.3	patch
src/crypto/external/bsd/openssl/lib/libcrypto/man/CMS_compress.3	patch
src/crypto/external/bsd/openssl/lib/libcrypto/man/CMS_decrypt.3		patch
src/crypto/external/bsd/openssl/lib/libcrypto/man/CMS_encrypt.3		patch
src/crypto/external/bsd/openssl/lib/libcrypto/man/CMS_final.3		patch
src/crypto/external/bsd/openssl/lib/libcrypto/man/CMS_get0_RecipientInfos.3 patch
src/crypto/external/bsd/openssl/lib/libcrypto/man/CMS_get0_SignerInfos.3 patch
src/crypto/external/bsd/openssl/lib/libcrypto/man/CMS_get0_type.3	patch
src/crypto/external/bsd/openssl/lib/libcrypto/man/CMS_get1_ReceiptRequest.3 patch
src/crypto/external/bsd/openssl/lib/libcrypto/man/CMS_sign.3		patch
src/crypto/external/bsd/openssl/lib/libcrypto/man/CMS_sign_receipt.3	patch
src/crypto/external/bsd/openssl/lib/libcrypto/man/CMS_uncompress.3	patch
src/crypto/external/bsd/openssl/lib/libcrypto/man/CMS_verify.3		patch
src/crypto/external/bsd/openssl/lib/libcrypto/man/CMS_verify_receipt.3	patch
src/crypto/external/bsd/openssl/lib/libcrypto/man/CONF_modules_free.3	patch
src/crypto/external/bsd/openssl/lib/libcrypto/man/CONF_modules_load_file.3 patch
src/crypto/external/bsd/openssl/lib/libcrypto/man/CRYPTO_set_ex_data.3	patch
src/crypto/external/bsd/openssl/lib/libcrypto/man/DH_generate_key.3	patch
src/crypto/external/bsd/openssl/lib/libcrypto/man/DH_generate_parameters.3 patch
src/crypto/external/bsd/openssl/lib/libcrypto/man/DH_get_ex_new_index.3	patch
src/crypto/external/bsd/openssl/lib/libcrypto/man/DH_new.3		patch
src/crypto/external/bsd/openssl/lib/libcrypto/man/DH_set_method.3	patch
src/crypto/external/bsd/openssl/lib/libcrypto/man/DH_size.3		patch
src/crypto/external/bsd/openssl/lib/libcrypto/man/DSA_SIG_new.3		patch
src/crypto/external/bsd/openssl/lib/libcrypto/man/DSA_do_sign.3		patch
src/crypto/external/bsd/openssl/lib/libcrypto/man/DSA_dup_DH.3		patch
src/crypto/external/bsd/openssl/lib/libcrypto/man/DSA_generate_key.3	patch
src/crypto/external/bsd/openssl/lib/libcrypto/man/DSA_generate_parameters.3 patch
src/crypto/external/bsd/openssl/lib/libcrypto/man/DSA_get_ex_new_index.3 patch
src/crypto/external/bsd/openssl/lib/libcrypto/man/DSA_new.3		patch
src/crypto/external/bsd/openssl/lib/libcrypto/man/DSA_set_method.3	patch
src/crypto/external/bsd/openssl/lib/libcrypto/man/DSA_sign.3		patch
src/crypto/external/bsd/openssl/lib/libcrypto/man/DSA_size.3		patch
src/crypto/external/bsd/openssl/lib/libcrypto/man/ERR_GET_LIB.3		patch
src/crypto/external/bsd/openssl/lib/libcrypto/man/ERR_clear_error.3	patch
src/crypto/external/bsd/openssl/lib/libcrypto/man/ERR_error_string.3	patch
src/crypto/external/bsd/openssl/lib/libcrypto/man/ERR_get_error.3	patch
src/crypto/external/bsd/openssl/lib/libcrypto/man/ERR_load_crypto_strings.3 patch
src/crypto/external/bsd/openssl/lib/libcrypto/man/ERR_load_strings.3	patch
src/crypto/external/bsd/openssl/lib/libcrypto/man/ERR_print_errors.3	patch
src/crypto/external/bsd/openssl/lib/libcrypto/man/ERR_put_error.3	patch
src/crypto/external/bsd/openssl/lib/libcrypto/man/ERR_remove_state.3	patch
src/crypto/external/bsd/openssl/lib/libcrypto/man/ERR_set_mark.3	patch
src/crypto/external/bsd/openssl/lib/libcrypto/man/EVP_BytesToKey.3	patch
src/crypto/external/bsd/openssl/lib/libcrypto/man/EVP_DigestInit.3	patch
src/crypto/external/bsd/openssl/lib/libcrypto/man/EVP_DigestSignInit.3	patch
src/crypto/external/bsd/openssl/lib/libcrypto/man/EVP_DigestVerifyInit.3 patch
src/crypto/external/bsd/openssl/lib/libcrypto/man/EVP_EncodeInit.3	patch
src/crypto/external/bsd/openssl/lib/libcrypto/man/EVP_EncryptInit.3	patch
src/crypto/external/bsd/openssl/lib/libcrypto/man/EVP_OpenInit.3	patch
src/crypto/external/bsd/openssl/lib/libcrypto/man/EVP_PKEY_CTX_ctrl.3	patch
src/crypto/external/bsd/openssl/lib/libcrypto/man/EVP_PKEY_CTX_new.3	patch
src/crypto/external/bsd/openssl/lib/libcrypto/man/EVP_PKEY_cmp.3	patch
src/crypto/external/bsd/openssl/lib/libcrypto/man/EVP_PKEY_decrypt.3	patch
src/crypto/external/bsd/openssl/lib/libcrypto/man/EVP_PKEY_derive.3	patch
src/crypto/external/bsd/openssl/lib/libcrypto/man/EVP_PKEY_encrypt.3	patch
src/crypto/external/bsd/openssl/lib/libcrypto/man/EVP_PKEY_get_default_digest.3	patch
src/crypto/external/bsd/openssl/lib/libcrypto/man/EVP_PKEY_keygen.3	patch
src/crypto/external/bsd/openssl/lib/libcrypto/man/EVP_PKEY_new.3	patch
src/crypto/external/bsd/openssl/lib/libcrypto/man/EVP_PKEY_print_private.3 patch
src/crypto/external/bsd/openssl/lib/libcrypto/man/EVP_PKEY_set1_RSA.3	patch
src/crypto/external/bsd/openssl/lib/libcrypto/man/EVP_PKEY_sign.3	patch
src/crypto/external/bsd/openssl/lib/libcrypto/man/EVP_PKEY_verify.3	patch
src/crypto/external/bsd/openssl/lib/libcrypto/man/EVP_PKEY_verify_recover.3 patch
src/crypto/external/bsd/openssl/lib/libcrypto/man/EVP_SealInit.3	patch
src/crypto/external/bsd/openssl/lib/libcrypto/man/EVP_SignInit.3	patch
src/crypto/external/bsd/openssl/lib/libcrypto/man/EVP_VerifyInit.3	patch
src/crypto/external/bsd/openssl/lib/libcrypto/man/OBJ_nid2obj.3		patch
src/crypto/external/bsd/openssl/lib/libcrypto/man/OPENSSL_Applink.3	patch
src/crypto/external/bsd/openssl/lib/libcrypto/man/OPENSSL_VERSION_NUMBER.3 patch
src/crypto/external/bsd/openssl/lib/libcrypto/man/OPENSSL_config.3	patch
src/crypto/external/bsd/openssl/lib/libcrypto/man/OPENSSL_ia32cap.3	patch
src/crypto/external/bsd/openssl/lib/libcrypto/man/OPENSSL_load_builtin_modules.3 patch
src/crypto/external/bsd/openssl/lib/libcrypto/man/OpenSSL_add_all_algorithms.3 patch
src/crypto/external/bsd/openssl/lib/libcrypto/man/PEM_write_bio_CMS_stream.3 patch
src/crypto/external/bsd/openssl/lib/libcrypto/man/PEM_write_bio_PKCS7_stream.3 patch
src/crypto/external/bsd/openssl/lib/libcrypto/man/PKCS12_create.3	patch
src/crypto/external/bsd/openssl/lib/libcrypto/man/PKCS12_parse.3	patch
src/crypto/external/bsd/openssl/lib/libcrypto/man/PKCS7_decrypt.3	patch
src/crypto/external/bsd/openssl/lib/libcrypto/man/PKCS7_encrypt.3	patch
src/crypto/external/bsd/openssl/lib/libcrypto/man/PKCS7_sign.3		patch
src/crypto/external/bsd/openssl/lib/libcrypto/man/PKCS7_sign_add_signer.3 patch
src/crypto/external/bsd/openssl/lib/libcrypto/man/PKCS7_verify.3	patch
src/crypto/external/bsd/openssl/lib/libcrypto/man/RAND_add.3		patch
src/crypto/external/bsd/openssl/lib/libcrypto/man/RAND_bytes.3		patch
src/crypto/external/bsd/openssl/lib/libcrypto/man/RAND_cleanup.3	patch
src/crypto/external/bsd/openssl/lib/libcrypto/man/RAND_egd.3		patch
src/crypto/external/bsd/openssl/lib/libcrypto/man/RAND_load_file.3	patch
src/crypto/external/bsd/openssl/lib/libcrypto/man/RAND_set_rand_method.3 patch
src/crypto/external/bsd/openssl/lib/libcrypto/man/RSA_blinding_on.3	patch
src/crypto/external/bsd/openssl/lib/libcrypto/man/RSA_check_key.3	patch
src/crypto/external/bsd/openssl/lib/libcrypto/man/RSA_generate_key.3	patch
src/crypto/external/bsd/openssl/lib/libcrypto/man/RSA_get_ex_new_index.3 patch
src/crypto/external/bsd/openssl/lib/libcrypto/man/RSA_new.3	patch
src/crypto/external/bsd/openssl/lib/libcrypto/man/RSA_padding_add_PKCS1_type_1.3 patch
src/crypto/external/bsd/openssl/lib/libcrypto/man/RSA_print.3	patch
src/crypto/external/bsd/openssl/lib/libcrypto/man/RSA_private_encrypt.3	patch
src/crypto/external/bsd/openssl/lib/libcrypto/man/RSA_public_encrypt.3	patch
src/crypto/external/bsd/openssl/lib/libcrypto/man/RSA_set_method.3	patch
src/crypto/external/bsd/openssl/lib/libcrypto/man/RSA_sign.3		patch
src/crypto/external/bsd/openssl/lib/libcrypto/man/RSA_sign_ASN1_OCTET_STRING.3 patch
src/crypto/external/bsd/openssl/lib/libcrypto/man/RSA_size.3		patch
src/crypto/external/bsd/openssl/lib/libcrypto/man/SMIME_read_CMS.3	patch
src/crypto/external/bsd/openssl/lib/libcrypto/man/SMIME_read_PKCS7.3	patch
src/crypto/external/bsd/openssl/lib/libcrypto/man/SMIME_write_CMS.3	patch
src/crypto/external/bsd/openssl/lib/libcrypto/man/SMIME_write_PKCS7.3	patch
src/crypto/external/bsd/openssl/lib/libcrypto/man/SSL_CIPHER_get_name.3	patch
src/crypto/external/bsd/openssl/lib/libcrypto/man/SSL_COMP_add_compression_method.3 patch
src/crypto/external/bsd/openssl/lib/libcrypto/man/SSL_CTX_add_extra_chain_cert.3 patch
src/crypto/external/bsd/openssl/lib/libcrypto/man/SSL_CTX_add_session.3	patch
src/crypto/external/bsd/openssl/lib/libcrypto/man/SSL_CTX_ctrl.3	patch
src/crypto/external/bsd/openssl/lib/libcrypto/man/SSL_CTX_flush_sessions.3 patch
src/crypto/external/bsd/openssl/lib/libcrypto/man/SSL_CTX_free.3	patch
src/crypto/external/bsd/openssl/lib/libcrypto/man/SSL_CTX_get_ex_new_index.3 patch
src/crypto/external/bsd/openssl/lib/libcrypto/man/SSL_CTX_get_verify_mode.3 patch
src/crypto/external/bsd/openssl/lib/libcrypto/man/SSL_CTX_load_verify_locations.3 patch
src/crypto/external/bsd/openssl/lib/libcrypto/man/SSL_CTX_new.3		patch
src/crypto/external/bsd/openssl/lib/libcrypto/man/SSL_CTX_sess_number.3	patch
src/crypto/external/bsd/openssl/lib/libcrypto/man/SSL_CTX_sess_set_cache_size.3	patch
src/crypto/external/bsd/openssl/lib/libcrypto/man/SSL_CTX_sess_set_get_cb.3 patch
src/crypto/external/bsd/openssl/lib/libcrypto/man/SSL_CTX_sessions.3	patch
src/crypto/external/bsd/openssl/lib/libcrypto/man/SSL_CTX_set_cert_store.3 patch
src/crypto/external/bsd/openssl/lib/libcrypto/man/SSL_CTX_set_cert_verify_callback.3 patch
src/crypto/external/bsd/openssl/lib/libcrypto/man/SSL_CTX_set_cipher_list.3 patch
src/crypto/external/bsd/openssl/lib/libcrypto/man/SSL_CTX_set_client_CA_list.3 patch
src/crypto/external/bsd/openssl/lib/libcrypto/man/SSL_CTX_set_client_cert_cb.3 patch
src/crypto/external/bsd/openssl/lib/libcrypto/man/SSL_CTX_set_default_passwd_cb.3 patch
src/crypto/external/bsd/openssl/lib/libcrypto/man/SSL_CTX_set_generate_session_id.3 patch
src/crypto/external/bsd/openssl/lib/libcrypto/man/SSL_CTX_set_info_callback.3 patch
src/crypto/external/bsd/openssl/lib/libcrypto/man/SSL_CTX_set_max_cert_list.3 patch
src/crypto/external/bsd/openssl/lib/libcrypto/man/SSL_CTX_set_mode.3	patch
src/crypto/external/bsd/openssl/lib/libcrypto/man/SSL_CTX_set_msg_callback.3 patch
src/crypto/external/bsd/openssl/lib/libcrypto/man/SSL_CTX_set_options.3	patch
src/crypto/external/bsd/openssl/lib/libcrypto/man/SSL_CTX_set_psk_client_callback.3 patch
src/crypto/external/bsd/openssl/lib/libcrypto/man/SSL_CTX_set_quiet_shutdown.3 patch
src/crypto/external/bsd/openssl/lib/libcrypto/man/SSL_CTX_set_read_ahead.3 patch
src/crypto/external/bsd/openssl/lib/libcrypto/man/SSL_CTX_set_session_cache_mode.3 patch
src/crypto/external/bsd/openssl/lib/libcrypto/man/SSL_CTX_set_session_id_context.3 patch
src/crypto/external/bsd/openssl/lib/libcrypto/man/SSL_CTX_set_ssl_version.3 patch
src/crypto/external/bsd/openssl/lib/libcrypto/man/SSL_CTX_set_timeout.3	patch
src/crypto/external/bsd/openssl/lib/libcrypto/man/SSL_CTX_set_tlsext_status_cb.3 patch
src/crypto/external/bsd/openssl/lib/libcrypto/man/SSL_CTX_set_tlsext_ticket_key_cb.3 patch
src/crypto/external/bsd/openssl/lib/libcrypto/man/SSL_CTX_set_tmp_dh_callback.3 patch
src/crypto/external/bsd/openssl/lib/libcrypto/man/SSL_CTX_set_tmp_rsa_callback.3 patch
src/crypto/external/bsd/openssl/lib/libcrypto/man/SSL_CTX_set_verify.3	patch
src/crypto/external/bsd/openssl/lib/libcrypto/man/SSL_CTX_use_certificate.3 patch
src/crypto/external/bsd/openssl/lib/libcrypto/man/SSL_CTX_use_psk_identity_hint.3 patch
src/crypto/external/bsd/openssl/lib/libcrypto/man/SSL_SESSION_free.3	patch
src/crypto/external/bsd/openssl/lib/libcrypto/man/SSL_SESSION_get_ex_new_index.3 patch
src/crypto/external/bsd/openssl/lib/libcrypto/man/SSL_SESSION_get_time.3 patch
src/crypto/external/bsd/openssl/lib/libcrypto/man/SSL_accept.3		patch
src/crypto/external/bsd/openssl/lib/libcrypto/man/SSL_alert_type_string.3 patch
src/crypto/external/bsd/openssl/lib/libcrypto/man/SSL_clear.3		patch
src/crypto/external/bsd/openssl/lib/libcrypto/man/SSL_connect.3		patch
src/crypto/external/bsd/openssl/lib/libcrypto/man/SSL_do_handshake.3	patch
src/crypto/external/bsd/openssl/lib/libcrypto/man/SSL_free.3		patch
src/crypto/external/bsd/openssl/lib/libcrypto/man/SSL_get_SSL_CTX.3	patch
src/crypto/external/bsd/openssl/lib/libcrypto/man/SSL_get_ciphers.3	patch
src/crypto/external/bsd/openssl/lib/libcrypto/man/SSL_get_client_CA_list.3 patch
src/crypto/external/bsd/openssl/lib/libcrypto/man/SSL_get_current_cipher.3 patch
src/crypto/external/bsd/openssl/lib/libcrypto/man/SSL_get_default_timeout.3 patch
src/crypto/external/bsd/openssl/lib/libcrypto/man/SSL_get_error.3	patch
src/crypto/external/bsd/openssl/lib/libcrypto/man/SSL_get_ex_data_X509_STORE_CTX_idx.3 patch
src/crypto/external/bsd/openssl/lib/libcrypto/man/SSL_get_ex_new_index.3 patch
src/crypto/external/bsd/openssl/lib/libcrypto/man/SSL_get_fd.3		patch
src/crypto/external/bsd/openssl/lib/libcrypto/man/SSL_get_peer_cert_chain.3 patch
src/crypto/external/bsd/openssl/lib/libcrypto/man/SSL_get_peer_certificate.3	patch
src/crypto/external/bsd/openssl/lib/libcrypto/man/SSL_get_psk_identity.3 patch
src/crypto/external/bsd/openssl/lib/libcrypto/man/SSL_get_rbio.3	patch
src/crypto/external/bsd/openssl/lib/libcrypto/man/SSL_get_session.3	patch
src/crypto/external/bsd/openssl/lib/libcrypto/man/SSL_get_verify_result.3 patch
src/crypto/external/bsd/openssl/lib/libcrypto/man/SSL_get_version.3	patch
src/crypto/external/bsd/openssl/lib/libcrypto/man/SSL_library_init.3	patch
src/crypto/external/bsd/openssl/lib/libcrypto/man/SSL_load_client_CA_file.3 patch
src/crypto/external/bsd/openssl/lib/libcrypto/man/SSL_new.3		patch
src/crypto/external/bsd/openssl/lib/libcrypto/man/SSL_pending.3		patch
src/crypto/external/bsd/openssl/lib/libcrypto/man/SSL_read.3		patch
src/crypto/external/bsd/openssl/lib/libcrypto/man/SSL_rstate_string.3	patch
src/crypto/external/bsd/openssl/lib/libcrypto/man/SSL_session_reused.3	patch
src/crypto/external/bsd/openssl/lib/libcrypto/man/SSL_set_bio.3		patch
src/crypto/external/bsd/openssl/lib/libcrypto/man/SSL_set_connect_state.3 patch
src/crypto/external/bsd/openssl/lib/libcrypto/man/SSL_set_fd.3		patch
src/crypto/external/bsd/openssl/lib/libcrypto/man/SSL_set_session.3	patch
src/crypto/external/bsd/openssl/lib/libcrypto/man/SSL_set_shutdown.3	patch
src/crypto/external/bsd/openssl/lib/libcrypto/man/SSL_set_verify_result.3 patch
src/crypto/external/bsd/openssl/lib/libcrypto/man/SSL_shutdown.3	patch
src/crypto/external/bsd/openssl/lib/libcrypto/man/SSL_state_string.3	patch
src/crypto/external/bsd/openssl/lib/libcrypto/man/SSL_want.3		patch
src/crypto/external/bsd/openssl/lib/libcrypto/man/SSL_write.3		patch
src/crypto/external/bsd/openssl/lib/libcrypto/man/X509_NAME_ENTRY_get_object.3 patch
src/crypto/external/bsd/openssl/lib/libcrypto/man/X509_NAME_add_entry_by_txt.3 patch
src/crypto/external/bsd/openssl/lib/libcrypto/man/X509_NAME_get_index_by_NID.3 patch
src/crypto/external/bsd/openssl/lib/libcrypto/man/X509_NAME_print_ex.3	patch
src/crypto/external/bsd/openssl/lib/libcrypto/man/X509_STORE_CTX_get_error.3 patch
src/crypto/external/bsd/openssl/lib/libcrypto/man/X509_STORE_CTX_get_ex_new_index.3 patch
src/crypto/external/bsd/openssl/lib/libcrypto/man/X509_STORE_CTX_new.3	patch
src/crypto/external/bsd/openssl/lib/libcrypto/man/X509_STORE_CTX_set_verify_cb.3 patch
src/crypto/external/bsd/openssl/lib/libcrypto/man/X509_STORE_set_verify_cb_func.3 patch
src/crypto/external/bsd/openssl/lib/libcrypto/man/X509_VERIFY_PARAM_set_flags.3	patch
src/crypto/external/bsd/openssl/lib/libcrypto/man/X509_new.3		patch
src/crypto/external/bsd/openssl/lib/libcrypto/man/X509_verify_cert.3	patch
src/crypto/external/bsd/openssl/lib/libcrypto/man/crypto.3		patch
src/crypto/external/bsd/openssl/lib/libcrypto/man/d2i_ASN1_OBJECT.3	patch
src/crypto/external/bsd/openssl/lib/libcrypto/man/d2i_CMS_ContentInfo.3	patch
src/crypto/external/bsd/openssl/lib/libcrypto/man/d2i_DHparams.3	patch
src/crypto/external/bsd/openssl/lib/libcrypto/man/d2i_DSAPublicKey.3	patch
src/crypto/external/bsd/openssl/lib/libcrypto/man/d2i_ECPrivateKey.3	patch
src/crypto/external/bsd/openssl/lib/libcrypto/man/d2i_PKCS8PrivateKey.3	patch
src/crypto/external/bsd/openssl/lib/libcrypto/man/d2i_PrivateKey.3	patch
src/crypto/external/bsd/openssl/lib/libcrypto/man/d2i_RSAPublicKey.3	patch
src/crypto/external/bsd/openssl/lib/libcrypto/man/d2i_SSL_SESSION.3	patch
src/crypto/external/bsd/openssl/lib/libcrypto/man/d2i_X509.3		patch
src/crypto/external/bsd/openssl/lib/libcrypto/man/d2i_X509_ALGOR.3	patch
src/crypto/external/bsd/openssl/lib/libcrypto/man/d2i_X509_CRL.3	patch
src/crypto/external/bsd/openssl/lib/libcrypto/man/d2i_X509_NAME.3	patch
src/crypto/external/bsd/openssl/lib/libcrypto/man/d2i_X509_REQ.3	patch
src/crypto/external/bsd/openssl/lib/libcrypto/man/d2i_X509_SIG.3	patch
src/crypto/external/bsd/openssl/lib/libcrypto/man/des_modes.7		patch
src/crypto/external/bsd/openssl/lib/libcrypto/man/i2d_CMS_bio_stream.3	patch
src/crypto/external/bsd/openssl/lib/libcrypto/man/i2d_PKCS7_bio_stream.3 patch
src/crypto/external/bsd/openssl/lib/libcrypto/man/lh_stats.3		patch
src/crypto/external/bsd/openssl/lib/libcrypto/man/openssl.1		patch
src/crypto/external/bsd/openssl/lib/libcrypto/man/openssl.cnf.5		patch
src/crypto/external/bsd/openssl/lib/libcrypto/man/openssl_CA.pl.1	patch
src/crypto/external/bsd/openssl/lib/libcrypto/man/openssl_asn1parse.1	patch
src/crypto/external/bsd/openssl/lib/libcrypto/man/openssl_bio.3		patch
src/crypto/external/bsd/openssl/lib/libcrypto/man/openssl_blowfish.3	patch
src/crypto/external/bsd/openssl/lib/libcrypto/man/openssl_bn.3		patch
src/crypto/external/bsd/openssl/lib/libcrypto/man/openssl_bn_internal.3	patch
src/crypto/external/bsd/openssl/lib/libcrypto/man/openssl_buffer.3	patch
src/crypto/external/bsd/openssl/lib/libcrypto/man/openssl_c_rehash.1	patch
src/crypto/external/bsd/openssl/lib/libcrypto/man/openssl_ca.1		patch
src/crypto/external/bsd/openssl/lib/libcrypto/man/openssl_ciphers.1	patch
src/crypto/external/bsd/openssl/lib/libcrypto/man/openssl_cms.1		patch
src/crypto/external/bsd/openssl/lib/libcrypto/man/openssl_crl.1		patch
src/crypto/external/bsd/openssl/lib/libcrypto/man/openssl_crl2pkcs7.1	patch
src/crypto/external/bsd/openssl/lib/libcrypto/man/openssl_des.3		patch
src/crypto/external/bsd/openssl/lib/libcrypto/man/openssl_dgst.1	patch
src/crypto/external/bsd/openssl/lib/libcrypto/man/openssl_dh.3		patch
src/crypto/external/bsd/openssl/lib/libcrypto/man/openssl_dhparam.1	patch
src/crypto/external/bsd/openssl/lib/libcrypto/man/openssl_dsa.1		patch
src/crypto/external/bsd/openssl/lib/libcrypto/man/openssl_dsa.3		patch
src/crypto/external/bsd/openssl/lib/libcrypto/man/openssl_dsaparam.1	patch
src/crypto/external/bsd/openssl/lib/libcrypto/man/openssl_ec.1		patch
src/crypto/external/bsd/openssl/lib/libcrypto/man/openssl_ecdsa.3	patch
src/crypto/external/bsd/openssl/lib/libcrypto/man/openssl_ecparam.1	patch
src/crypto/external/bsd/openssl/lib/libcrypto/man/openssl_enc.1		patch
src/crypto/external/bsd/openssl/lib/libcrypto/man/openssl_engine.3	patch
src/crypto/external/bsd/openssl/lib/libcrypto/man/openssl_err.3		patch
src/crypto/external/bsd/openssl/lib/libcrypto/man/openssl_errstr.1	patch
src/crypto/external/bsd/openssl/lib/libcrypto/man/openssl_evp.3		patch
src/crypto/external/bsd/openssl/lib/libcrypto/man/openssl_gendsa.1	patch
src/crypto/external/bsd/openssl/lib/libcrypto/man/openssl_genpkey.1	patch
src/crypto/external/bsd/openssl/lib/libcrypto/man/openssl_genrsa.1	patch
src/crypto/external/bsd/openssl/lib/libcrypto/man/openssl_hmac.3	patch
src/crypto/external/bsd/openssl/lib/libcrypto/man/openssl_lhash.3	patch
src/crypto/external/bsd/openssl/lib/libcrypto/man/openssl_md5.3		patch
src/crypto/external/bsd/openssl/lib/libcrypto/man/openssl_mdc2.3	patch
src/crypto/external/bsd/openssl/lib/libcrypto/man/openssl_nseq.1	patch
src/crypto/external/bsd/openssl/lib/libcrypto/man/openssl_ocsp.1	patch
src/crypto/external/bsd/openssl/lib/libcrypto/man/openssl_passwd.1	patch
src/crypto/external/bsd/openssl/lib/libcrypto/man/openssl_pem.3		patch
src/crypto/external/bsd/openssl/lib/libcrypto/man/openssl_pkcs12.1	patch
src/crypto/external/bsd/openssl/lib/libcrypto/man/openssl_pkcs7.1	patch
src/crypto/external/bsd/openssl/lib/libcrypto/man/openssl_pkcs8.1	patch
src/crypto/external/bsd/openssl/lib/libcrypto/man/openssl_pkey.1	patch
src/crypto/external/bsd/openssl/lib/libcrypto/man/openssl_pkeyparam.1	patch
src/crypto/external/bsd/openssl/lib/libcrypto/man/openssl_pkeyutl.1	patch
src/crypto/external/bsd/openssl/lib/libcrypto/man/openssl_rand.1	patch
src/crypto/external/bsd/openssl/lib/libcrypto/man/openssl_rand.3	patch
src/crypto/external/bsd/openssl/lib/libcrypto/man/openssl_rc4.3		patch
src/crypto/external/bsd/openssl/lib/libcrypto/man/openssl_req.1		patch
src/crypto/external/bsd/openssl/lib/libcrypto/man/openssl_ripemd.3	patch
src/crypto/external/bsd/openssl/lib/libcrypto/man/openssl_rsa.1		patch
src/crypto/external/bsd/openssl/lib/libcrypto/man/openssl_rsa.3		patch
src/crypto/external/bsd/openssl/lib/libcrypto/man/openssl_rsautl.1	patch
src/crypto/external/bsd/openssl/lib/libcrypto/man/openssl_s_client.1	patch
src/crypto/external/bsd/openssl/lib/libcrypto/man/openssl_s_server.1	patch
src/crypto/external/bsd/openssl/lib/libcrypto/man/openssl_s_time.1	patch
src/crypto/external/bsd/openssl/lib/libcrypto/man/openssl_sess_id.1	patch
src/crypto/external/bsd/openssl/lib/libcrypto/man/openssl_sha.3		patch
src/crypto/external/bsd/openssl/lib/libcrypto/man/openssl_smime.1	patch
src/crypto/external/bsd/openssl/lib/libcrypto/man/openssl_speed.1	patch
src/crypto/external/bsd/openssl/lib/libcrypto/man/openssl_spkac.1	patch
src/crypto/external/bsd/openssl/lib/libcrypto/man/openssl_threads.3	patch
src/crypto/external/bsd/openssl/lib/libcrypto/man/openssl_ts.1		patch
src/crypto/external/bsd/openssl/lib/libcrypto/man/openssl_tsget.1	patch
src/crypto/external/bsd/openssl/lib/libcrypto/man/openssl_ui.3		patch
src/crypto/external/bsd/openssl/lib/libcrypto/man/openssl_ui_compat.3	patch
src/crypto/external/bsd/openssl/lib/libcrypto/man/openssl_verify.1	patch
src/crypto/external/bsd/openssl/lib/libcrypto/man/openssl_version.1	patch
src/crypto/external/bsd/openssl/lib/libcrypto/man/openssl_x509.1	patch
src/crypto/external/bsd/openssl/lib/libcrypto/man/openssl_x509.3	patch
src/crypto/external/bsd/openssl/lib/libcrypto/man/openssl_x509v3_config.1 patch
src/crypto/external/bsd/openssl/lib/libcrypto/man/ssl.3			patch

	Update OpenSSL to 1.0.1u.
	Major changes between OpenSSL 1.0.1t and OpenSSL 1.0.1u [22 Sep 2016]

	    o OCSP Status Request extension unbounded memory growth (CVE-2016-6304)
	    o SWEET32 Mitigation (CVE-2016-2183)
	    o OOB write in MDC2_Update() (CVE-2016-6303)
	    o Malformed SHA512 ticket DoS (CVE-2016-6302)
	    o OOB write in BN_bn2dec() (CVE-2016-2182)
	    o OOB read in TS_OBJ_print_bio() (CVE-2016-2180)
	    o Pointer arithmetic undefined behaviour (CVE-2016-2177)
	    o Constant time flag not preserved in DSA signing (CVE-2016-2178)
	    o DTLS buffered message DoS (CVE-2016-2179)
	    o DTLS replay protection DoS (CVE-2016-2181)
	    o Certificate message OOB reads (CVE-2016-6306)
	[spz, ticket 1409]
2016-10-05 10:23:17 +00:00
abhinav 269b3adc7a Add section number to the Xrefs
Remove a blank space at the end of the line 130 (makes mandoc -Tlint happy)
2016-09-12 16:54:31 +00:00
christos 968a6448d4 Fix the error handling so that we print the earliest error message. 2016-09-03 09:31:22 +00:00
christos 328016aa2a Avoid segv when the end signature is not found! 2016-08-28 15:52:22 +00:00
jakllsch a392713e10 Add some missing __attribute__((format(printf annotations. 2016-08-03 15:24:28 +00:00
christos efdc9ac20d remove unused code 2016-08-02 13:53:44 +00:00
christos 5101d40313 merge conflicts. 2016-08-02 13:45:12 +00:00
christos 92af1b7ef2 OpenSSH 7.3 has just been released. It will be available from the
mirrors listed at http://www.openssh.com/ shortly.

OpenSSH is a 100% complete SSH protocol 2.0 implementation and
includes sftp client and server support. OpenSSH also includes
transitional support for the legacy SSH 1.3 and 1.5 protocols
that may be enabled at compile-time.

Once again, we would like to thank the OpenSSH community for their
continued support of the project, especially those who contributed
code or patches, reported bugs, tested snapshots or donated to the
project. More information on donations may be found at:
http://www.openssh.com/donations.html

Future deprecation notice
=========================

We plan on retiring more legacy cryptography in a near-future
release, specifically:

 * Refusing all RSA keys smaller than 1024 bits (the current minimum
   is 768 bits)
 * Removing server-side support for the SSH v.1 protocol (currently
   compile-time disabled).
 * In approximately 1 year, removing all support for the SSH v.1
   protocol (currently compile-time disabled).

This list reflects our current intentions, but please check the final
release notes for future releases.

Changes since OpenSSH 7.2
=========================

This is primarily a bugfix release.

Security
--------

 * sshd(8): Mitigate a potential denial-of-service attack against
   the system's crypt(3) function via sshd(8). An attacker could
   send very long passwords that would cause excessive CPU use in
   crypt(3). sshd(8) now refuses to accept password authentication
   requests of length greater than 1024 characters. Independently
   reported by Tomas Kuthan (Oracle), Andres Rojas and Javier Nieto.

 * sshd(8): Mitigate timing differences in password authentication
   that could be used to discern valid from invalid account names
   when long passwords were sent and particular password hashing
   algorithms are in use on the server. CVE-2016-6210, reported by
   EddieEzra.Harari at verint.com

 * ssh(1), sshd(8): Fix observable timing weakness in the CBC padding
   oracle countermeasures. Reported by Jean Paul Degabriele, Kenny
   Paterson, Torben Hansen and Martin Albrecht. Note that CBC ciphers
   are disabled by default and only included for legacy compatibility.

 * ssh(1), sshd(8): Improve operation ordering of MAC verification for
   Encrypt-then-MAC (EtM) mode transport MAC algorithms to verify the
   MAC before decrypting any ciphertext. This removes the possibility
   of timing differences leaking facts about the plaintext, though no
   such leakage has been observed.  Reported by Jean Paul Degabriele,
   Kenny Paterson, Torben Hansen and Martin Albrecht.

 * sshd(8): (portable only) Ignore PAM environment vars when
   UseLogin=yes. If PAM is configured to read user-specified
   environment variables and UseLogin=yes in sshd_config, then a
   hostile local user may attack /bin/login via LD_PRELOAD or
   similar environment variables set via PAM. CVE-2015-8325,
   found by Shayan Sadigh.

New Features
------------

 * ssh(1): Add a ProxyJump option and corresponding -J command-line
   flag to allow simplified indirection through a one or more SSH
   bastions or "jump hosts".

 * ssh(1): Add an IdentityAgent option to allow specifying specific
   agent sockets instead of accepting one from the environment.

 * ssh(1): Allow ExitOnForwardFailure and ClearAllForwardings to be
   optionally overridden when using ssh -W. bz#2577

 * ssh(1), sshd(8): Implement support for the IUTF8 terminal mode as
   per draft-sgtatham-secsh-iutf8-00.

 * ssh(1), sshd(8): Add support for additional fixed Diffie-Hellman
   2K, 4K and 8K groups from draft-ietf-curdle-ssh-kex-sha2-03.

 * ssh-keygen(1), ssh(1), sshd(8): support SHA256 and SHA512 RSA
   signatures in certificates;

 * ssh(1): Add an Include directive for ssh_config(5) files.

 * ssh(1): Permit UTF-8 characters in pre-authentication banners sent
   from the server. bz#2058

Bugfixes
--------

 * ssh(1), sshd(8): Reduce the syslog level of some relatively common
   protocol events from LOG_CRIT. bz#2585

 * sshd(8): Refuse AuthenticationMethods="" in configurations and
   accept AuthenticationMethods=any for the default behaviour of not
   requiring multiple authentication. bz#2398

 * sshd(8): Remove obsolete and misleading "POSSIBLE BREAK-IN
   ATTEMPT!" message when forward and reverse DNS don't match. bz#2585

 * ssh(1): Close ControlPersist background process stderr except
   in debug mode or when logging to syslog. bz#1988

 * misc: Make PROTOCOL description for direct-streamlocal@openssh.com
   channel open messages match deployed code. bz#2529

 * ssh(1): Deduplicate LocalForward and RemoteForward entries to fix
   failures when both ExitOnForwardFailure and hostname
   canonicalisation are enabled. bz#2562

 * sshd(8): Remove fallback from moduli to obsolete "primes" file
   that was deprecated in 2001. bz#2559.

 * sshd_config(5): Correct description of UseDNS: it affects ssh
   hostname processing for authorized_keys, not known_hosts; bz#2554

 * ssh(1): Fix authentication using lone certificate keys in an agent
   without corresponding private keys on the filesystem. bz#2550

 * sshd(8): Send ClientAliveInterval pings when a time-based
   RekeyLimit is set; previously keepalive packets were not being
   sent. bz#2252

Portability
-----------

 * ssh(1), sshd(8): Fix compilation by automatically disabling ciphers
   not supported by OpenSSL. bz#2466

 * misc: Fix compilation failures on some versions of AIX's compiler
   related to the definition of the VA_COPY macro. bz#2589

 * sshd(8): Whitelist more architectures to enable the seccomp-bpf
   sandbox. bz#2590

 * ssh-agent(1), sftp-server(8): Disable process tracing on Solaris
   using setpflags(__PROC_PROTECT, ...). bz#2584

 * sshd(8): On Solaris, don't call Solaris setproject() with
   UsePAM=yes it's PAM's responsibility. bz#2425

Checksums:
==========

 - SHA1 (openssh-7.3.tar.gz) = b1641e5265d9ec68a9a19decc3a7edd1203cbd33
 - SHA256 (openssh-7.3.tar.gz) = vS0X35qrX9OOPBkyDMYhOje/DBwHBVEV7nv5rkzw4vM=

 - SHA1 (openssh-7.3p1.tar.gz) = bfade84283fcba885e2084343ab19a08c7d123a5
 - SHA256 (openssh-7.3p1.tar.gz) = P/uYmm3KppWUw7VQ1IVaWi4XGMzd5/XjY4e0JCIPvsw=

Please note that the SHA256 signatures are base64 encoded and not
hexadecimal (which is the default for most checksum tools). The PGP
key used to sign the releases is available as RELEASE_KEY.asc from
the mirror sites.

Reporting Bugs:
===============

- Please read http://www.openssh.com/report.html
  Security bugs should be reported directly to openssh@openssh.com

OpenSSH is brought to you by Markus Friedl, Niels Provos, Theo de
Raadt, Kevin Steves, Damien Miller, Darren Tucker, Jason McIntyre,
Tim Rice and Ben Lindstrom.
2016-08-02 13:30:06 +00:00
christos 417e1b99d5 OpenSSH 7.3 has just been released. It will be available from the
mirrors listed at http://www.openssh.com/ shortly.

OpenSSH is a 100% complete SSH protocol 2.0 implementation and
includes sftp client and server support. OpenSSH also includes
transitional support for the legacy SSH 1.3 and 1.5 protocols
that may be enabled at compile-time.

Once again, we would like to thank the OpenSSH community for their
continued support of the project, especially those who contributed
code or patches, reported bugs, tested snapshots or donated to the
project. More information on donations may be found at:
http://www.openssh.com/donations.html

Future deprecation notice
=========================

We plan on retiring more legacy cryptography in a near-future
release, specifically:

 * Refusing all RSA keys smaller than 1024 bits (the current minimum
   is 768 bits)
 * Removing server-side support for the SSH v.1 protocol (currently
   compile-time disabled).
 * In approximately 1 year, removing all support for the SSH v.1
   protocol (currently compile-time disabled).

This list reflects our current intentions, but please check the final
release notes for future releases.

Changes since OpenSSH 7.2
=========================

This is primarily a bugfix release.

Security
--------

 * sshd(8): Mitigate a potential denial-of-service attack against
   the system's crypt(3) function via sshd(8). An attacker could
   send very long passwords that would cause excessive CPU use in
   crypt(3). sshd(8) now refuses to accept password authentication
   requests of length greater than 1024 characters. Independently
   reported by Tomas Kuthan (Oracle), Andres Rojas and Javier Nieto.

 * sshd(8): Mitigate timing differences in password authentication
   that could be used to discern valid from invalid account names
   when long passwords were sent and particular password hashing
   algorithms are in use on the server. CVE-2016-6210, reported by
   EddieEzra.Harari at verint.com

 * ssh(1), sshd(8): Fix observable timing weakness in the CBC padding
   oracle countermeasures. Reported by Jean Paul Degabriele, Kenny
   Paterson, Torben Hansen and Martin Albrecht. Note that CBC ciphers
   are disabled by default and only included for legacy compatibility.

 * ssh(1), sshd(8): Improve operation ordering of MAC verification for
   Encrypt-then-MAC (EtM) mode transport MAC algorithms to verify the
   MAC before decrypting any ciphertext. This removes the possibility
   of timing differences leaking facts about the plaintext, though no
   such leakage has been observed.  Reported by Jean Paul Degabriele,
   Kenny Paterson, Torben Hansen and Martin Albrecht.

 * sshd(8): (portable only) Ignore PAM environment vars when
   UseLogin=yes. If PAM is configured to read user-specified
   environment variables and UseLogin=yes in sshd_config, then a
   hostile local user may attack /bin/login via LD_PRELOAD or
   similar environment variables set via PAM. CVE-2015-8325,
   found by Shayan Sadigh.

New Features
------------

 * ssh(1): Add a ProxyJump option and corresponding -J command-line
   flag to allow simplified indirection through a one or more SSH
   bastions or "jump hosts".

 * ssh(1): Add an IdentityAgent option to allow specifying specific
   agent sockets instead of accepting one from the environment.

 * ssh(1): Allow ExitOnForwardFailure and ClearAllForwardings to be
   optionally overridden when using ssh -W. bz#2577

 * ssh(1), sshd(8): Implement support for the IUTF8 terminal mode as
   per draft-sgtatham-secsh-iutf8-00.

 * ssh(1), sshd(8): Add support for additional fixed Diffie-Hellman
   2K, 4K and 8K groups from draft-ietf-curdle-ssh-kex-sha2-03.

 * ssh-keygen(1), ssh(1), sshd(8): support SHA256 and SHA512 RSA
   signatures in certificates;

 * ssh(1): Add an Include directive for ssh_config(5) files.

 * ssh(1): Permit UTF-8 characters in pre-authentication banners sent
   from the server. bz#2058

Bugfixes
--------

 * ssh(1), sshd(8): Reduce the syslog level of some relatively common
   protocol events from LOG_CRIT. bz#2585

 * sshd(8): Refuse AuthenticationMethods="" in configurations and
   accept AuthenticationMethods=any for the default behaviour of not
   requiring multiple authentication. bz#2398

 * sshd(8): Remove obsolete and misleading "POSSIBLE BREAK-IN
   ATTEMPT!" message when forward and reverse DNS don't match. bz#2585

 * ssh(1): Close ControlPersist background process stderr except
   in debug mode or when logging to syslog. bz#1988

 * misc: Make PROTOCOL description for direct-streamlocal@openssh.com
   channel open messages match deployed code. bz#2529

 * ssh(1): Deduplicate LocalForward and RemoteForward entries to fix
   failures when both ExitOnForwardFailure and hostname
   canonicalisation are enabled. bz#2562

 * sshd(8): Remove fallback from moduli to obsolete "primes" file
   that was deprecated in 2001. bz#2559.

 * sshd_config(5): Correct description of UseDNS: it affects ssh
   hostname processing for authorized_keys, not known_hosts; bz#2554

 * ssh(1): Fix authentication using lone certificate keys in an agent
   without corresponding private keys on the filesystem. bz#2550

 * sshd(8): Send ClientAliveInterval pings when a time-based
   RekeyLimit is set; previously keepalive packets were not being
   sent. bz#2252

Portability
-----------

 * ssh(1), sshd(8): Fix compilation by automatically disabling ciphers
   not supported by OpenSSL. bz#2466

 * misc: Fix compilation failures on some versions of AIX's compiler
   related to the definition of the VA_COPY macro. bz#2589

 * sshd(8): Whitelist more architectures to enable the seccomp-bpf
   sandbox. bz#2590

 * ssh-agent(1), sftp-server(8): Disable process tracing on Solaris
   using setpflags(__PROC_PROTECT, ...). bz#2584

 * sshd(8): On Solaris, don't call Solaris setproject() with
   UsePAM=yes it's PAM's responsibility. bz#2425

Checksums:
==========

 - SHA1 (openssh-7.3.tar.gz) = b1641e5265d9ec68a9a19decc3a7edd1203cbd33
 - SHA256 (openssh-7.3.tar.gz) = vS0X35qrX9OOPBkyDMYhOje/DBwHBVEV7nv5rkzw4vM=

 - SHA1 (openssh-7.3p1.tar.gz) = bfade84283fcba885e2084343ab19a08c7d123a5
 - SHA256 (openssh-7.3p1.tar.gz) = P/uYmm3KppWUw7VQ1IVaWi4XGMzd5/XjY4e0JCIPvsw=

Please note that the SHA256 signatures are base64 encoded and not
hexadecimal (which is the default for most checksum tools). The PGP
key used to sign the releases is available as RELEASE_KEY.asc from
the mirror sites.

Reporting Bugs:
===============

- Please read http://www.openssh.com/report.html
  Security bugs should be reported directly to openssh@openssh.com

OpenSSH is brought to you by Markus Friedl, Niels Provos, Theo de
Raadt, Kevin Steves, Damien Miller, Darren Tucker, Jason McIntyre,
Tim Rice and Ben Lindstrom.
2016-08-02 13:29:06 +00:00
christos fe3d7b70d6 -Wno-stack-protector 2016-07-25 06:20:26 +00:00
christos 2fcbe1519f CID 977755: Resource leaks. 2016-06-28 16:34:40 +00:00
agc 0ad97abd01 Update netpgpverify to 20160617
Sync with changes in pkgsrc

+ don't assume a string is NUL-terminated - use fwrite(3) with a specific size
2016-06-15 20:34:28 +00:00
agc f0cd146e8f Update netpgpverify to 20160616:
+ Bring over change from pkgsrc to add version.asc signature verification
to complement the noversion.asc cleartext signatures

+ Update version to 20160616
2016-06-15 16:51:46 +00:00
joerg d9ced641b5 Mark obuf_printf as printf-like. 2016-06-15 15:47:50 +00:00
mrg e6e96483bf replace the previous hack with something that i believe is actually
correct and, more importantly ;), works properly.

thanks for riastradh for hints about which bit was actually broken.
2016-06-15 05:01:58 +00:00
agc 02fd82b2cb netpgpverify: bring over changes in 20160615 from pkgsrc
+ perform check for start of ascii-armoured signature in a more efficient
way
2016-06-15 03:37:50 +00:00
mrg 6bfcf96505 build convert_endian() with "no-strict-aliases" optimiser attribute
to avoid some unknown miscompilation in endian_convert() that causes
ssh to exit on some output (for me, "cc -v".)

note in HACKS.  we should investigate this further if possible as
this seems to indicate a strict aliasing violation.  there certainly
are 32 and 64 bit object arrays being accessed with 8 bit accessors,
but i don't have time currently.
2016-06-15 02:12:14 +00:00
agc ffd13a8c6d add file used for testing gpg --emit-no-version case 2016-06-14 20:55:00 +00:00
agc 4dc60d040f add test for signatures produced by gpg --no-emit-version 2016-06-14 20:47:43 +00:00
agc dd98b26d9b Sync with pkgsrc sources as of version 20160614
+ pick up renaming changes to internal routines
+ fix for issue verifying signatures created by gpg --no-emit-version
+ add test for same
2016-06-14 20:47:08 +00:00
abhinav 65652ab083 Fix spelling of the month in the date (sent pull request upstream). 2016-06-10 18:55:52 +00:00
christos 22cce15d1f revert, everything coredumps with this change. 2016-06-04 18:22:45 +00:00
joerg 78fd5ce7d6 Regenerate to use .ctor. 2016-06-03 15:42:15 +00:00
joerg 80379e533e Replace init sections with the simpler .ctor sections. 2016-06-03 15:41:57 +00:00
snj 7ce81240c1 hook new man pages into build 2016-05-06 09:30:05 +00:00
snj 9cda733fe1 regen for openssl 1.0.1t 2016-05-06 09:28:31 +00:00
christos 411ef98e1a merge conflicts 2016-05-03 17:21:32 +00:00
christos 43fd2ac1eb Security fixes:
*) Prevent padding oracle in AES-NI CBC MAC check

     A MITM attacker can use a padding oracle attack to decrypt traffic
     when the connection uses an AES CBC cipher and the server support
     AES-NI.

     This issue was introduced as part of the fix for Lucky 13 padding
     attack (CVE-2013-0169). The padding check was rewritten to be in
     constant time by making sure that always the same bytes are read and
     compared against either the MAC or padding bytes. But it no longer
     checked that there was enough data to have both the MAC and padding
     bytes.

     This issue was reported by Juraj Somorovsky using TLS-Attacker.
     (CVE-2016-2107)
     [Kurt Roeckx]

  *) Fix EVP_EncodeUpdate overflow

     An overflow can occur in the EVP_EncodeUpdate() function which is used for
     Base64 encoding of binary data. If an attacker is able to supply very large
     amounts of input data then a length check can overflow resulting in a heap
     corruption.

     Internally to OpenSSL the EVP_EncodeUpdate() function is primarly used by
     the PEM_write_bio* family of functions. These are mainly used within the
     OpenSSL command line applications, so any application which processes data
     from an untrusted source and outputs it as a PEM file should be considered
     vulnerable to this issue. User applications that call these APIs directly
     with large amounts of untrusted data may also be vulnerable.

     This issue was reported by Guido Vranken.
     (CVE-2016-2105)
     [Matt Caswell]

  *) Fix EVP_EncryptUpdate overflow

     An overflow can occur in the EVP_EncryptUpdate() function. If an attacker
     is able to supply very large amounts of input data after a previous call to
     EVP_EncryptUpdate() with a partial block then a length check can overflow
     resulting in a heap corruption. Following an analysis of all OpenSSL
     internal usage of the EVP_EncryptUpdate() function all usage is one of two
     forms. The first form is where the EVP_EncryptUpdate() call is known to be
     the first called function after an EVP_EncryptInit(), and therefore that
     specific call must be safe. The second form is where the length passed to
     EVP_EncryptUpdate() can be seen from the code to be some small value and
     therefore there is no possibility of an overflow. Since all instances are
     one of these two forms, it is believed that there can be no overflows in
     internal code due to this problem. It should be noted that
     EVP_DecryptUpdate() can call EVP_EncryptUpdate() in certain code paths.
     Also EVP_CipherUpdate() is a synonym for EVP_EncryptUpdate(). All instances
     of these calls have also been analysed too and it is believed there are no
     instances in internal usage where an overflow could occur.

     This issue was reported by Guido Vranken.
     (CVE-2016-2106)
     [Matt Caswell]

  *) Prevent ASN.1 BIO excessive memory allocation

     When ASN.1 data is read from a BIO using functions such as d2i_CMS_bio()
     a short invalid encoding can casuse allocation of large amounts of memory
     potentially consuming excessive resources or exhausting memory.

     Any application parsing untrusted data through d2i BIO functions is
     affected. The memory based functions such as d2i_X509() are *not* affected.
     Since the memory based functions are used by the TLS library, TLS
     applications are not affected.

     This issue was reported by Brian Carpenter.
     (CVE-2016-2109)
     [Stephen Henson]

  *) EBCDIC overread

     ASN1 Strings that are over 1024 bytes can cause an overread in applications
     using the X509_NAME_oneline() function on EBCDIC systems. This could result
     in arbitrary stack data being returned in the buffer.

     This issue was reported by Guido Vranken.
     (CVE-2016-2176)
     [Matt Caswell]

  *) Modify behavior of ALPN to invoke callback after SNI/servername
     callback, such that updates to the SSL_CTX affect ALPN.
     [Todd Short]

  *) Remove LOW from the DEFAULT cipher list.  This removes singles DES from the
     default.
     [Kurt Roeckx]

  *) Only remove the SSLv2 methods with the no-ssl2-method option. When the
     methods are enabled and ssl2 is disabled the methods return NULL.
     [Kurt Roeckx]
2016-05-03 17:10:26 +00:00
wiz 2ac4fbecd9 Fix xref. 2016-04-28 08:18:05 +00:00
christos db1e653281 If PAM is configured to read user-specified environment variables
and UseLogin=yes in sshd_config, then a hostile local user may
attack /bin/login via LD_PRELOAD or similar environment variables
set via PAM.

CVE-2015-8325, found by Shayan Sadigh, via Colin Watson
https://anongit.mindrot.org/openssh.git/commit/?\
id=85bdcd7c92fe7ff133bbc4e10a65c91810f88755

XXX: pullup-7
2016-04-14 16:42:09 +00:00
christos 30150afc85 Don't die on RC5 warning 2016-04-13 21:33:52 +00:00
christos 743c16df37 regen with old assembly stubs. 2016-03-21 19:13:15 +00:00
christos ddfe1626d6 revert change from openssl-1.1.0-pre4, breaks gcc-4.8 2016-03-21 19:12:26 +00:00
christos 66aed21df4 regen 2016-03-20 22:27:44 +00:00
christos b09de184c8 elide bug with new cpuid code. 2016-03-20 22:27:31 +00:00
christos e3b47d16a6 bring newer versions from 1.1.0-pre4 2016-03-20 22:26:56 +00:00
christos 5a840fc796 re-gen to fix sha1. there were also improvements for montgomery multiplications
that we did not have from a previous change.
2016-03-20 22:18:43 +00:00