Log message:
Update "openssl" package to version 1.0.2b. Changes since version 1.0.2c:
- Fix HMAC ABI incompatibility. The previous version introduced an ABI
  incompatibility in the handling of HMAC. The previous ABI has now been
  restored.

Log message:
Update "openssl" package to version 1.0.2b. Changes since version 1.0.2a:
- Malformed ECParameters causes infinite loop
  When processing an ECParameters structure OpenSSL enters an infinite loop
  if the curve specified is over a specially malformed binary polynomial
  field.
  This can be used to perform denial of service against any
  system which processes public keys, certificate requests or
  certificates.  This includes TLS clients and TLS servers with
  client authentication enabled.
  This issue was reported to OpenSSL by Joseph Barr-Pixton.
  (CVE-2015-1788)
  [Andy Polyakov]
- Exploitable out-of-bounds read in X509_cmp_time
  X509_cmp_time does not properly check the length of the ASN1_TIME
  string and can read a few bytes out of bounds. In addition,
  X509_cmp_time accepts an arbitrary number of fractional seconds in the
  time string.
  An attacker can use this to craft malformed certificates and CRLs of
  various sizes and potentially cause a segmentation fault, resulting in
  a DoS on applications that verify certificates or CRLs. TLS clients
  that verify CRLs are affected. TLS clients and servers with client
  authentication enabled may be affected if they use custom verification
  callbacks.
  This issue was reported to OpenSSL by Robert Swiecki (Google), and
  independently by Hanno Böck.
  (CVE-2015-1789)
  [Emilia Käsper]
- PKCS7 crash with missing EnvelopedContent
  The PKCS#7 parsing code does not handle missing inner EncryptedContent
  correctly. An attacker can craft malformed ASN.1-encoded PKCS#7 blobs
  with missing content and trigger a NULL pointer dereference on parsing.
  Applications that decrypt PKCS#7 data or otherwise parse PKCS#7
  structures from untrusted sources are affected. OpenSSL clients and
  servers are not affected.
  This issue was reported to OpenSSL by Michal Zalewski (Google).
  (CVE-2015-1790)
  [Emilia Käsper]
- CMS verify infinite loop with unknown hash function
  When verifying a signedData message the CMS code can enter an infinite loop
  if presented with an unknown hash function OID. This can be used to perform
  denial of service against any system which verifies signedData messages using
  the CMS code.
  This issue was reported to OpenSSL by Johannes Bauer.
  (CVE-2015-1792)
  [Stephen Henson]
- Race condition handling NewSessionTicket
  If a NewSessionTicket is received by a multi-threaded client when
  attempting to reuse a previous ticket then a race condition can occur
  potentially leading to a double free of the ticket data.
  (CVE-2015-1791)
  [Matt Caswell]
- Removed support for the two export grade static DH ciphersuites
  EXP-DH-RSA-DES-CBC-SHA and EXP-DH-DSS-DES-CBC-SHA. These two ciphersuites
  were newly added (along with a number of other static DH ciphersuites) to
  1.0.2. However the two export ones have *never* worked since they were
  introduced. It seems strange in any case to be adding new export
  ciphersuites, and given "logjam" it also does not seem correct to \ 
fix them.
  [Matt Caswell]
- Only support 256-bit or stronger elliptic curves with the
  'ecdh_auto' setting (server) or by default (client). Of supported
  curves, prefer P-256 (both).
  [Emilia Kasper]
- Reject DH handshakes with parameters shorter than 768 bits.
  [Kurt Roeckx and Emilia Kasper]

Log message:
Recursive PKGREVISION bump for all packages mentioning 'perl',
having a PKGNAME of p5-*, or depending such a package,
for perl-5.22.0.

Log message:
hppa -> hppa64

Log message:
guard against undefined ABI

Log message:
Fix builtin detection for latest version (introduced a space between
'#' and 'define') - avoids unconditionally building pkgsrc openssl
on netbsd-current.

ok'd for during the freeze after an excessively long discussion :-/

Log message:
Update "openssl" package to version 1.0.2. Changes since version 1.0.2a:
- ClientHello sigalgs DoS fix

  If a client connects to an OpenSSL 1.0.2 server and renegotiates with an
  invalid signature algorithms extension a NULL pointer dereference will
  occur. This can be exploited in a DoS attack against the server.

  This issue was was reported to OpenSSL by David Ramos of Stanford
  University.
  (CVE-2015-0291)
  [Stephen Henson and Matt Caswell]

- Multiblock corrupted pointer fix

  OpenSSL 1.0.2 introduced the "multiblock" performance improvement. This
  feature only applies on 64 bit x86 architecture platforms that support AES
  NI instructions. A defect in the implementation of "multiblock" can cause
  OpenSSL's internal write buffer to become incorrectly set to NULL when
  using non-blocking IO. Typically, when the user application is using a
  socket BIO for writing, this will only result in a failed connection.
  However if some other BIO is used then it is likely that a segmentation
  fault will be triggered, thus enabling a potential DoS attack.

  This issue was reported to OpenSSL by Daniel Danner and Rainer Mueller.
  (CVE-2015-0290)
  [Matt Caswell]

- Segmentation fault in DTLSv1_listen fix

  The DTLSv1_listen function is intended to be stateless and processes the
  initial ClientHello from many peers. It is common for user code to loop
  over the call to DTLSv1_listen until a valid ClientHello is received with
  an associated cookie. A defect in the implementation of DTLSv1_listen means
  that state is preserved in the SSL object from one invocation to the next
  that can lead to a segmentation fault. Errors processing the initial
  ClientHello can trigger this scenario. An example of such an error could be
  that a DTLS1.0 only client is attempting to connect to a DTLS1.2 only
  server.

  This issue was reported to OpenSSL by Per Allansson.
  (CVE-2015-0207)
  [Matt Caswell]

- Segmentation fault in ASN1_TYPE_cmp fix

  The function ASN1_TYPE_cmp will crash with an invalid read if an attempt is
  made to compare ASN.1 boolean types. Since ASN1_TYPE_cmp is used to check
  certificate signature algorithm consistency this can be used to crash any
  certificate verification operation and exploited in a DoS attack. Any
  application which performs certificate verification is vulnerable including
  OpenSSL clients and servers which enable client authentication.
  (CVE-2015-0286)
  [Stephen Henson]

- Segmentation fault for invalid PSS parameters fix

  The signature verification routines will crash with a NULL pointer
  dereference if presented with an ASN.1 signature using the RSA PSS
  algorithm and invalid parameters. Since these routines are used to verify
  certificate signature algorithms this can be used to crash any
  certificate verification operation and exploited in a DoS attack. Any
  application which performs certificate verification is vulnerable including
  OpenSSL clients and servers which enable client authentication.

  This issue was was reported to OpenSSL by Brian Carpenter.
  (CVE-2015-0208)
  [Stephen Henson]

- ASN.1 structure reuse memory corruption fix

  Reusing a structure in ASN.1 parsing may allow an attacker to cause
  memory corruption via an invalid write. Such reuse is and has been
  strongly discouraged and is believed to be rare.

  Applications that parse structures containing CHOICE or ANY DEFINED BY
  components may be affected. Certificate parsing (d2i_X509 and related
  functions) are however not affected. OpenSSL clients and servers are
  not affected.
  (CVE-2015-0287)
  [Stephen Henson]

- PKCS7 NULL pointer dereferences fix

  The PKCS#7 parsing code does not handle missing outer ContentInfo
  correctly. An attacker can craft malformed ASN.1-encoded PKCS#7 blobs with
  missing content and trigger a NULL pointer dereference on parsing.

  Applications that verify PKCS#7 signatures, decrypt PKCS#7 data or
  otherwise parse PKCS#7 structures from untrusted sources are
  affected. OpenSSL clients and servers are not affected.

  This issue was reported to OpenSSL by Michal Zalewski (Google).
  (CVE-2015-0289)
  [Emilia Käsper]

- DoS via reachable assert in SSLv2 servers fix

  A malicious client can trigger an OPENSSL_assert (i.e., an abort) in
  servers that both support SSLv2 and enable export cipher suites by sending
  a specially crafted SSLv2 CLIENT-MASTER-KEY message.

  This issue was discovered by Sean Burford (Google) and Emilia Käsper
  (OpenSSL development team).
  (CVE-2015-0293)
  [Emilia Käsper]

- Empty CKE with client auth and DHE fix

  If client auth is used then a server can seg fault in the event of a DHE
  ciphersuite being selected and a zero length ClientKeyExchange message
  being sent by the client. This could be exploited in a DoS attack.
  (CVE-2015-1787)
  [Matt Caswell]

- Handshake with unseeded PRNG fix

  Under certain conditions an OpenSSL 1.0.2 client can complete a handshake
  with an unseeded PRNG. The conditions are:
  - The client is on a platform where the PRNG has not been seeded
  automatically, and the user has not seeded manually
  - A protocol specific client method version has been used (i.e. not
  SSL_client_methodv23)
  - A ciphersuite is used that does not require additional random data from
  the PRNG beyond the initial ClientHello client random (e.g. PSK-RC4-SHA).

  If the handshake succeeds then the client random that has been used will
  have been generated from a PRNG with insufficient entropy and therefore the
  output may be predictable.

  For example using the following command with an unseeded openssl will
  succeed on an unpatched platform:

  openssl s_client -psk 1a2b3c4d -tls1_2 -cipher PSK-RC4-SHA
  (CVE-2015-0285)
  [Matt Caswell]

- Use After Free following d2i_ECPrivatekey error fix

  A malformed EC private key file consumed via the d2i_ECPrivateKey function
  could cause a use after free condition. This, in turn, could cause a double
  free in several private key parsing functions (such as d2i_PrivateKey
  or EVP_PKCS82PKEY) and could lead to a DoS attack or memory corruption
  for applications that receive EC private keys from untrusted
  sources. This scenario is considered rare.

  This issue was discovered by the BoringSSL project and fixed in their
  commit 517073cd4b.
  (CVE-2015-0209)
  [Matt Caswell]

- X509_to_X509_REQ NULL pointer deref fix

  The function X509_to_X509_REQ will crash with a NULL pointer dereference if
  the certificate key is invalid. This function is rarely used in practice.

  This issue was discovered by Brian Carpenter.
  (CVE-2015-0288)
  [Stephen Henson]

- Removed the export ciphers from the DEFAULT ciphers
  [Kurt Roeckx]

Log message:
unconditionally wants dlopen

Log message:
Changes 1.0.2:
Suite B support for TLS 1.2 and DTLS 1.2
Support for DTLS 1.2
TLS automatic EC curve selection.
API to set TLS supported signature algorithms and curves
SSL_CONF configuration API.
TLS Brainpool support.
ALPN support.
CMS support for RSA-PSS, RSA-OAEP, ECDH and X9.42 DH.

Log message:
Update to 1.0.1k:

 Changes between 1.0.1j and 1.0.1k [8 Jan 2015]

  *) Fix DTLS segmentation fault in dtls1_get_record. A carefully crafted DTLS
     message can cause a segmentation fault in OpenSSL due to a NULL pointer
     dereference. This could lead to a Denial Of Service attack. Thanks to
     Markus Stenberg of Cisco Systems, Inc. for reporting this issue.
     (CVE-2014-3571)
     [Steve Henson]

  *) Fix DTLS memory leak in dtls1_buffer_record. A memory leak can occur in the
     dtls1_buffer_record function under certain conditions. In particular this
     could occur if an attacker sent repeated DTLS records with the same
     sequence number but for the next epoch. The memory leak could be exploited
     by an attacker in a Denial of Service attack through memory exhaustion.
     Thanks to Chris Mueller for reporting this issue.
     (CVE-2015-0206)
     [Matt Caswell]

  *) Fix issue where no-ssl3 configuration sets method to NULL. When openssl is
     built with the no-ssl3 option and a SSL v3 ClientHello is received the ssl
     method would be set to NULL which could later result in a NULL pointer
     dereference. Thanks to Frank Schmirler for reporting this issue.
     (CVE-2014-3569)
     [Kurt Roeckx]

  *) Abort handshake if server key exchange message is omitted for ephemeral
     ECDH ciphersuites.

     Thanks to Karthikeyan Bhargavan of the PROSECCO team at INRIA for
     reporting this issue.
     (CVE-2014-3572)
     [Steve Henson]

  *) Remove non-export ephemeral RSA code on client and server. This code
     violated the TLS standard by allowing the use of temporary RSA keys in
     non-export ciphersuites and could be used by a server to effectively
     downgrade the RSA key length used to a value smaller than the server
     certificate. Thanks for Karthikeyan Bhargavan of the PROSECCO team at
     INRIA or reporting this issue.
     (CVE-2015-0204)
     [Steve Henson]

  *) Fixed issue where DH client certificates are accepted without verification.
     An OpenSSL server will accept a DH certificate for client authentication
     without the certificate verify message. This effectively allows a client to
     authenticate without the use of a private key. This only affects servers
     which trust a client certificate authority which issues certificates
     containing DH keys: these are extremely rare and hardly ever encountered.
     Thanks for Karthikeyan Bhargavan of the PROSECCO team at INRIA or reporting
     this issue.
     (CVE-2015-0205)
     [Steve Henson]

  *) Ensure that the session ID context of an SSL is updated when its
     SSL_CTX is updated via SSL_set_SSL_CTX.

     The session ID context is typically set from the parent SSL_CTX,
     and can vary with the CTX.
     [Adam Langley]

  *) Fix various certificate fingerprint issues.

     By using non-DER or invalid encodings outside the signed portion of a
     certificate the fingerprint can be changed without breaking the signature.
     Although no details of the signed portion of the certificate can be changed
     this can cause problems with some applications: e.g. those using the
     certificate fingerprint for blacklists.

     1. Reject signatures with non zero unused bits.

     If the BIT STRING containing the signature has non zero unused bits reject
     the signature. All current signature algorithms require zero unused bits.

     2. Check certificate algorithm consistency.

     Check the AlgorithmIdentifier inside TBS matches the one in the
     certificate signature. NB: this will result in signature failure
     errors for some broken certificates.

     Thanks to Konrad Kraszewski from Google for reporting this issue.

     3. Check DSA/ECDSA signatures use DER.

     Reencode DSA/ECDSA signatures and compare with the original received
     signature. Return an error if there is a mismatch.

     This will reject various cases including garbage after signature
     (thanks to Antti Karjalainen and Tuomo Untinen from the Codenomicon CROSS
     program for discovering this case) and use of BER or invalid ASN.1 INTEGERs
     (negative or with leading zeroes).

     Further analysis was conducted and fixes were developed by Stephen Henson
     of the OpenSSL core team.

     (CVE-2014-8275)
     [Steve Henson]

   *) Correct Bignum squaring. Bignum squaring (BN_sqr) may produce incorrect
      results on some platforms, including x86_64. This bug occurs at random
      with a very low probability, and is not known to be exploitable in any
      way, though its exact impact is difficult to determine. Thanks to Pieter
      Wuille (Blockstream) who reported this issue and also suggested an initial
      fix. Further analysis was conducted by the OpenSSL development team and
      Adam Langley of Google. The final fix was developed by Andy Polyakov of
      the OpenSSL core team.
      (CVE-2014-3570)
      [Andy Polyakov]

   *) Do not resume sessions on the server if the negotiated protocol
      version does not match the session's version. Resuming with a different
      version, while not strictly forbidden by the RFC, is of questionable
      sanity and breaks all known clients.
      [David Benjamin, Emilia Käsper]

   *) Tighten handling of the ChangeCipherSpec (CCS) message: reject
      early CCS messages during renegotiation. (Note that because
      renegotiation is encrypted, this early CCS was not exploitable.)
      [Emilia Käsper]

   *) Tighten client-side session ticket handling during renegotiation:
      ensure that the client only accepts a session ticket if the server sends
      the extension anew in the ServerHello. Previously, a TLS client would
      reuse the old extension state and thus accept a session ticket if one was
      announced in the initial ServerHello.

      Similarly, ensure that the client requires a session ticket if one
      was advertised in the ServerHello. Previously, a TLS client would
      ignore a missing NewSessionTicket message.
      [Emilia Käsper]