authortron <tron>2014-01-10 14:32:42 +0000
committertron <tron>2014-01-10 14:32:42 +0000
commite528ffcc6b9f452148fd5cdce65da087b744170b (patch)
tree213129f93e684164403c3bfbaed1b95bc78213f6 /security
parentde1e6a736ca5ab99411d4023e43f3d91c4cdcd0d (diff)
Update "openssl" package to version 1.0.1f. Changes since 1.0.1e:
- Fix for TLS record tampering bug. A carefully crafted invalid handshake could crash OpenSSL with a NULL pointer exception. Thanks to Anton Johansson for reporting this issue. (CVE-2013-4353)
- Keep original DTLS digest and encryption contexts in retransmission structures so we can use the previous session parameters if they need to be resent. (CVE-2013-6450) [Steve Henson]
- Add option SSL_OP_SAFARI_ECDHE_ECDSA_BUG (part of SSL_OP_ALL) which avoids preferring ECDHE-ECDSA ciphers when the client appears to be Safari on OS X. Safari on OS X 10.8..10.8.3 advertises support for several ECDHE-ECDSA ciphers, but fails to negotiate them. The bug is fixed in OS X 10.8.4, but Apple have ruled out both hot fixing 10.8..10.8.3 and forcing users to upgrade to 10.8.4 or newer. [Rob Stradling, Adam Langley]
Diffstat (limited to 'security')
-rw-r--r--security/openssl/Makefile5
-rw-r--r--security/openssl/distinfo21
-rw-r--r--security/openssl/patches/patch-doc_crypto_X509__STORE__CTX__get__error.pod15
-rw-r--r--security/openssl/patches/patch-doc_ssl_SSL__CTX__set__client__CA__list.pod20
-rw-r--r--security/openssl/patches/patch-doc_ssl_SSL__CTX__use__psk__identity__hint.pod21
-rw-r--r--security/openssl/patches/patch-doc_ssl_SSL__accept.pod21
-rw-r--r--security/openssl/patches/patch-doc_ssl_SSL__connect.pod22
-rw-r--r--security/openssl/patches/patch-doc_ssl_SSL__do__handshake.pod21
-rw-r--r--security/openssl/patches/patch-doc_ssl_SSL__shutdown.pod22
9 files changed, 69 insertions, 99 deletions
diff --git a/security/openssl/Makefile b/security/openssl/Makefile
index 4bb048f7f2b..10818e4fac4 100644
--- a/security/openssl/Makefile
+++ b/security/openssl/Makefile
@@ -1,8 +1,7 @@
-# $NetBSD: Makefile,v 1.182 2013/10/29 21:33:21 joerg Exp $
+# $NetBSD: Makefile,v 1.183 2014/01/10 14:32:42 tron Exp $
-DISTNAME= openssl-1.0.1e
+DISTNAME= openssl-1.0.1f
MASTER_SITES= http://ftp.openssl.org/source/
-PKGREVISION= 2
SVR4_PKGNAME= ossl
CATEGORIES= security
diff --git a/security/openssl/distinfo b/security/openssl/distinfo
index 0e7f4391f68..4a5b14cb197 100644
--- a/security/openssl/distinfo
+++ b/security/openssl/distinfo
@@ -1,8 +1,8 @@
-$NetBSD: distinfo,v 1.100 2013/12/21 12:21:47 is Exp $
+$NetBSD: distinfo,v 1.101 2014/01/10 14:32:42 tron Exp $
-SHA1 (openssl-1.0.1e.tar.gz) = 3f1b1223c9e8189bfe4e186d86449775bd903460
-RMD160 (openssl-1.0.1e.tar.gz) = 380827c16f18bed4f2eb3d54a387c7c089b2b299
-Size (openssl-1.0.1e.tar.gz) = 4459777 bytes
+SHA1 (openssl-1.0.1f.tar.gz) = 9ef09e97dfc9f14ac2c042f3b7e301098794fc0f
+RMD160 (openssl-1.0.1f.tar.gz) = db8c07f8753fab2b76118d4c18175290356ed144
+Size (openssl-1.0.1f.tar.gz) = 4509212 bytes
SHA1 (patch-aa) = 8311c7af603513d4574946386ba11f4a36953b0c
SHA1 (patch-ac) = ecdafa378e73bd2d6789c985ea28ef4ab2126aa6
SHA1 (patch-ad) = bb86ac463fc4ab8b485df5f1a4fb9c13c1fc41c3
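Review bot: The two digests added for openssl-1.0.1f.tar.gz (SHA1 and RMD160) are the only integrity check on this distfile, because the Makefile's `MASTER_SITES= http://ftp.openssl.org/source/` fetches it over plain HTTP. For a TLS library I would record a stronger digest as well, e.g. `SHA512 (openssl-1.0.1f.tar.gz) = <sha512-of-verified-tarball>` (a placeholder, not a computed value), provided the checksum tooling in this tree accepts an extra algorithm. The commit does not say whether the tarball was checked against the upstream release signature before these values were generated; stating that in the commit message would make the recorded hashes auditable.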
@@ -13,22 +13,21 @@ SHA1 (patch-ak) = 049250b9bd42e6f155145703135dab39a7ec17e0
SHA1 (patch-crypto_dso_dso__dlfcn.c) = d5d6ca9a517151357efecb6aa9a5f528a5014290
SHA1 (patch-doc_apps_cms.pod) = 24792a0db2d8566e0f8b52833de300f538f6a92e
SHA1 (patch-doc_apps_smine.pod) = 277aee087892f867402ea73bae10383fe24d6e08
-SHA1 (patch-doc_crypto_X509__STORE__CTX__get__error.pod) = 39ceb8d8d88f47794c257286c958daa5c408dfd2
SHA1 (patch-doc_ssl_SSL__COMP__add__compression__method.pod) = f3fcbe0eae26ac8e24fe937e529ea0dba6ea1639
SHA1 (patch-doc_ssl_SSL__CTX__add__session.pod) = db72b7e04bb74595a78bc09379854957dcfaa4c7
SHA1 (patch-doc_ssl_SSL__CTX__load__verify__locations.pod) = d0fd17e118a1bd19c729a0930a52925b9bb81d6d
-SHA1 (patch-doc_ssl_SSL__CTX__set__client__CA__list.pod) = 964ea426276741f89a9d02dd75baaaabc97e0943
+SHA1 (patch-doc_ssl_SSL__CTX__set__client__CA__list.pod) = df3ab7287667f32454357a3a2eaca8275f01ce08
SHA1 (patch-doc_ssl_SSL__CTX__set__session__id__context.pod) = b5d711fcf9512c82ec2c7aa61303377006ebfca7
SHA1 (patch-doc_ssl_SSL__CTX__set__ssl__version.pod) = 79340b3f4cfa4293362a79c336e0768711153930
-SHA1 (patch-doc_ssl_SSL__CTX__use__psk__identity__hint.pod) = e39c7f0ac0edaadf0462f78947fa40b11084cced
-SHA1 (patch-doc_ssl_SSL__accept.pod) = c5ca9e0333de10d2032d03cf3ce0d9e41b6b495f
+SHA1 (patch-doc_ssl_SSL__CTX__use__psk__identity__hint.pod) = eb4d8ccfa47ecc3f50dbda5b0ffd98ea740f4ebf
+SHA1 (patch-doc_ssl_SSL__accept.pod) = c68aa6eb518d5ca72ae5bd142fd3895e378ca638
SHA1 (patch-doc_ssl_SSL__clear.pod) = c7d2eb126137ee642294466f0ea9019fcd5e9b92
-SHA1 (patch-doc_ssl_SSL__connect.pod) = 78a21f325f5749f0ed491ee71467a4a89848dfe3
-SHA1 (patch-doc_ssl_SSL__do__handshake.pod) = 7b8c392568ef965c1709fc3fefe572f591007b24
+SHA1 (patch-doc_ssl_SSL__connect.pod) = 07327bdb408493c6696efb71070b1b0f7294982c
+SHA1 (patch-doc_ssl_SSL__do__handshake.pod) = f62a43b7b9e59b321cd8dd00d6ea448e3c11d77f
SHA1 (patch-doc_ssl_SSL__read.pod) = 2a6db16242aceeee645f5b48a9725c5530fbbb8c
SHA1 (patch-doc_ssl_SSL__session__reused.pod) = 0ed7425cf8b098c97ab223cd368c4b18f5187ae5
SHA1 (patch-doc_ssl_SSL__set__fd.pod) = 68e3f6f3ff0fdfb2113cebb8f08e6d42c442fa2f
SHA1 (patch-doc_ssl_SSL__set__session.pod) = e4d8442f4fc827520ca20f108050fcd6314dd41d
-SHA1 (patch-doc_ssl_SSL__shutdown.pod) = ca5b1fd9fda9405907697e848614f050978cfb90
+SHA1 (patch-doc_ssl_SSL__shutdown.pod) = 21682f3385a66ba8f0ebd11bb9bb3c6198352783
SHA1 (patch-doc_ssl_SSL__write.pod) = 67efd6d0de0a0db34c18c62e4a939c0ea49442ca
SHA1 (patch-engines_ccgost_Makefile) = 08999f0f40969883482ad9ffc1aa9959ed7d402c
diff --git a/security/openssl/patches/patch-doc_crypto_X509__STORE__CTX__get__error.pod b/security/openssl/patches/patch-doc_crypto_X509__STORE__CTX__get__error.pod
deleted file mode 100644
index 0a7d34a3a45..00000000000
--- a/security/openssl/patches/patch-doc_crypto_X509__STORE__CTX__get__error.pod
+++ /dev/null
@@ -1,15 +0,0 @@
-$NetBSD: patch-doc_crypto_X509__STORE__CTX__get__error.pod,v 1.1 2013/06/01 08:03:55 sbd Exp $
-
-Fix openssl pod docs to work with the very picky pod2man from perl-5.18.0.
-
---- doc/crypto/X509_STORE_CTX_get_error.pod.orig 2013-02-11 15:26:04.000000000 +0000
-+++ doc/crypto/X509_STORE_CTX_get_error.pod
-@@ -278,6 +278,8 @@ happen if extended CRL checking is enabl
- an application specific error. This will never be returned unless explicitly
- set by an application.
-
-+=back
-+
- =head1 NOTES
-
- The above functions should be used instead of directly referencing the fields
diff --git a/security/openssl/patches/patch-doc_ssl_SSL__CTX__set__client__CA__list.pod b/security/openssl/patches/patch-doc_ssl_SSL__CTX__set__client__CA__list.pod
index b50748f0a0f..a3a23aa3b08 100644
--- a/security/openssl/patches/patch-doc_ssl_SSL__CTX__set__client__CA__list.pod
+++ b/security/openssl/patches/patch-doc_ssl_SSL__CTX__set__client__CA__list.pod
@@ -1,20 +1,22 @@
-$NetBSD: patch-doc_ssl_SSL__CTX__set__client__CA__list.pod,v 1.1 2013/06/01 08:03:55 sbd Exp $
+$NetBSD: patch-doc_ssl_SSL__CTX__set__client__CA__list.pod,v 1.2 2014/01/10 14:32:42 tron Exp $
Fix openssl pod docs to work with the very picky pod2man from perl-5.18.0.
---- doc/ssl/SSL_CTX_set_client_CA_list.pod.orig 2013-02-11 15:02:48.000000000 +0000
-+++ doc/ssl/SSL_CTX_set_client_CA_list.pod
-@@ -66,11 +66,11 @@ values:
+--- doc/ssl/SSL_CTX_set_client_CA_list.pod.orig 2014-01-06 13:47:42.000000000 +0000
++++ doc/ssl/SSL_CTX_set_client_CA_list.pod 2014-01-10 13:19:11.000000000 +0000
+@@ -66,13 +66,13 @@
=over 4
--=item 1
-+=item Z<>1
-
- The operation succeeded.
-
-=item 0
+=item Z<>0
A failure while manipulating the STACK_OF(X509_NAME) object occurred or
the X509_NAME could not be extracted from B<cacert>. Check the error stack
+ to find out the reason.
+
+-=item 1
++=item Z<>1
+
+ The operation succeeded.
+
diff --git a/security/openssl/patches/patch-doc_ssl_SSL__CTX__use__psk__identity__hint.pod b/security/openssl/patches/patch-doc_ssl_SSL__CTX__use__psk__identity__hint.pod
index a72c37e8bef..d8b69bd1a8c 100644
--- a/security/openssl/patches/patch-doc_ssl_SSL__CTX__use__psk__identity__hint.pod
+++ b/security/openssl/patches/patch-doc_ssl_SSL__CTX__use__psk__identity__hint.pod
@@ -1,19 +1,10 @@
-$NetBSD: patch-doc_ssl_SSL__CTX__use__psk__identity__hint.pod,v 1.1 2013/06/01 08:03:55 sbd Exp $
+$NetBSD: patch-doc_ssl_SSL__CTX__use__psk__identity__hint.pod,v 1.2 2014/01/10 14:32:42 tron Exp $
Fix openssl pod docs to work with the very picky pod2man from perl-5.18.0.
---- doc/ssl/SSL_CTX_use_psk_identity_hint.pod.orig 2013-02-11 15:26:04.000000000 +0000
-+++ doc/ssl/SSL_CTX_use_psk_identity_hint.pod
-@@ -81,6 +81,8 @@ SSL_CTX_use_psk_identity_hint() and SSL_
-
- Return values from the server callback are interpreted as follows:
-
-+=over 1
-+
- =item > 0
-
- PSK identity was found and the server callback has provided the PSK
-@@ -94,9 +96,11 @@ data to B<psk> and return the length of
+--- doc/ssl/SSL_CTX_use_psk_identity_hint.pod.orig 2014-01-06 13:47:42.000000000 +0000
++++ doc/ssl/SSL_CTX_use_psk_identity_hint.pod 2014-01-10 13:23:46.000000000 +0000
+@@ -96,7 +96,7 @@
connection will fail with decryption_error before it will be finished
completely.
@@ -22,7 +13,3 @@ Fix openssl pod docs to work with the very picky pod2man from perl-5.18.0.
PSK identity was not found. An "unknown_psk_identity" alert message
will be sent and the connection setup fails.
-
-+=back
-+
- =cut
diff --git a/security/openssl/patches/patch-doc_ssl_SSL__accept.pod b/security/openssl/patches/patch-doc_ssl_SSL__accept.pod
index bfd66b493b6..b8870183f69 100644
--- a/security/openssl/patches/patch-doc_ssl_SSL__accept.pod
+++ b/security/openssl/patches/patch-doc_ssl_SSL__accept.pod
@@ -1,21 +1,22 @@
-$NetBSD: patch-doc_ssl_SSL__accept.pod,v 1.1 2013/06/01 08:03:55 sbd Exp $
+$NetBSD: patch-doc_ssl_SSL__accept.pod,v 1.2 2014/01/10 14:32:42 tron Exp $
Fix openssl pod docs to work with the very picky pod2man from perl-5.18.0.
---- doc/ssl/SSL_accept.pod.orig 2013-02-11 15:02:48.000000000 +0000
-+++ doc/ssl/SSL_accept.pod
-@@ -44,12 +44,12 @@ The following return values can occur:
+--- doc/ssl/SSL_accept.pod.orig 2014-01-06 13:47:42.000000000 +0000
++++ doc/ssl/SSL_accept.pod 2014-01-10 13:25:21.000000000 +0000
+@@ -44,13 +44,13 @@
=over 4
--=item 1
-+=item Z<>1
-
- The TLS/SSL handshake was successfully completed, a TLS/SSL connection has been
- established.
-
-=item 0
+=item Z<>0
The TLS/SSL handshake was not successful but was shut down controlled and
by the specifications of the TLS/SSL protocol. Call SSL_get_error() with the
+ return value B<ret> to find out the reason.
+
+-=item 1
++=item Z<>1
+
+ The TLS/SSL handshake was successfully completed, a TLS/SSL connection has been
+ established.
diff --git a/security/openssl/patches/patch-doc_ssl_SSL__connect.pod b/security/openssl/patches/patch-doc_ssl_SSL__connect.pod
index 00bea074f7d..7094d34add4 100644
--- a/security/openssl/patches/patch-doc_ssl_SSL__connect.pod
+++ b/security/openssl/patches/patch-doc_ssl_SSL__connect.pod
@@ -1,19 +1,13 @@
-$NetBSD: patch-doc_ssl_SSL__connect.pod,v 1.1 2013/06/01 08:03:55 sbd Exp $
+$NetBSD: patch-doc_ssl_SSL__connect.pod,v 1.2 2014/01/10 14:32:42 tron Exp $
Fix openssl pod docs to work with the very picky pod2man from perl-5.18.0.
---- doc/ssl/SSL_connect.pod.orig 2013-02-11 15:02:48.000000000 +0000
-+++ doc/ssl/SSL_connect.pod
-@@ -41,18 +41,18 @@ The following return values can occur:
+--- doc/ssl/SSL_connect.pod.orig 2014-01-06 13:47:42.000000000 +0000
++++ doc/ssl/SSL_connect.pod 2014-01-10 13:30:56.000000000 +0000
+@@ -41,13 +41,13 @@
=over 4
--=item 1
-+=item Z<>1
-
- The TLS/SSL handshake was successfully completed, a TLS/SSL connection has been
- established.
-
-=item 0
+=item Z<>0
@@ -21,8 +15,8 @@ Fix openssl pod docs to work with the very picky pod2man from perl-5.18.0.
by the specifications of the TLS/SSL protocol. Call SSL_get_error() with the
return value B<ret> to find out the reason.
--=item E<lt>0
-+=item Z<>E<lt>0
+-=item 1
++=item Z<>1
- The TLS/SSL handshake was not successful, because a fatal error occurred either
- at the protocol level or a connection failure occurred. The shutdown was
+ The TLS/SSL handshake was successfully completed, a TLS/SSL connection has been
+ established.
diff --git a/security/openssl/patches/patch-doc_ssl_SSL__do__handshake.pod b/security/openssl/patches/patch-doc_ssl_SSL__do__handshake.pod
index 53bb7079746..a40c208b65a 100644
--- a/security/openssl/patches/patch-doc_ssl_SSL__do__handshake.pod
+++ b/security/openssl/patches/patch-doc_ssl_SSL__do__handshake.pod
@@ -1,21 +1,22 @@
-$NetBSD: patch-doc_ssl_SSL__do__handshake.pod,v 1.1 2013/06/01 08:03:55 sbd Exp $
+$NetBSD: patch-doc_ssl_SSL__do__handshake.pod,v 1.2 2014/01/10 14:32:42 tron Exp $
Fix openssl pod docs to work with the very picky pod2man from perl-5.18.0.
---- doc/ssl/SSL_do_handshake.pod.orig 2013-02-11 15:02:48.000000000 +0000
-+++ doc/ssl/SSL_do_handshake.pod
-@@ -45,12 +45,12 @@ The following return values can occur:
+--- doc/ssl/SSL_do_handshake.pod.orig 2014-01-06 13:47:42.000000000 +0000
++++ doc/ssl/SSL_do_handshake.pod 2014-01-10 13:32:08.000000000 +0000
+@@ -45,13 +45,13 @@
=over 4
--=item 1
-+=item Z<>1
-
- The TLS/SSL handshake was successfully completed, a TLS/SSL connection has been
- established.
-
-=item 0
+=item Z<>0
The TLS/SSL handshake was not successful but was shut down controlled and
by the specifications of the TLS/SSL protocol. Call SSL_get_error() with the
+ return value B<ret> to find out the reason.
+
+-=item 1
++=item Z<>1
+
+ The TLS/SSL handshake was successfully completed, a TLS/SSL connection has been
+ established.
diff --git a/security/openssl/patches/patch-doc_ssl_SSL__shutdown.pod b/security/openssl/patches/patch-doc_ssl_SSL__shutdown.pod
index a6f6dae6692..8e687f43d77 100644
--- a/security/openssl/patches/patch-doc_ssl_SSL__shutdown.pod
+++ b/security/openssl/patches/patch-doc_ssl_SSL__shutdown.pod
@@ -1,21 +1,23 @@
-$NetBSD: patch-doc_ssl_SSL__shutdown.pod,v 1.1 2013/06/01 08:03:55 sbd Exp $
+$NetBSD: patch-doc_ssl_SSL__shutdown.pod,v 1.2 2014/01/10 14:32:42 tron Exp $
Fix openssl pod docs to work with the very picky pod2man from perl-5.18.0.
---- doc/ssl/SSL_shutdown.pod.orig 2013-02-11 15:02:48.000000000 +0000
-+++ doc/ssl/SSL_shutdown.pod
-@@ -92,12 +92,12 @@ The following return values can occur:
+--- doc/ssl/SSL_shutdown.pod.orig 2014-01-06 13:47:42.000000000 +0000
++++ doc/ssl/SSL_shutdown.pod 2014-01-10 13:32:54.000000000 +0000
+@@ -92,14 +92,14 @@
=over 4
--=item 1
-+=item Z<>1
-
- The shutdown was successfully completed. The "close notify" alert was sent
- and the peer's "close notify" alert was received.
-
-=item 0
+=item Z<>0
The shutdown is not yet finished. Call SSL_shutdown() for a second time,
if a bidirectional shutdown shall be performed.
+ The output of L<SSL_get_error(3)|SSL_get_error(3)> may be misleading, as an
+ erroneous SSL_ERROR_SYSCALL may be flagged even though no error occurred.
+
+-=item 1
++=item Z<>1
+
+ The shutdown was successfully completed. The "close notify" alert was sent
+ and the peer's "close notify" alert was received.