main/openssl: security upgrade to 1.0.1k

CVE-2014-3571 DTLS segmentation fault in dtls1_get_record
CVE-2015-0206 DTLS memory leak in dtls1_buffer_record
CVE-2014-3569 no-ssl3 configuration sets method to NULL
CVE-2014-3572 ECDHE silently downgrades to ECDH [Client]
CVE-2015-0204 RSA silently downgrades to EXPORT_RSA [Client]
CVE-2015-0205 DH client certificates accepted without verification [Server]
CVE-2014-8275 Certificate fingerprints can be modified
CVE-2014-3570 Bignum squaring may produce incorrect results

1 files changed, 12 insertions, 22 deletions

diff --git a/main/openssl/0002-engines-e_padlock-backport-cvs-head-changes.patch b/main/openssl/0002-engines-e_padlock-backport-cvs-head-changes.patch
index c508c9c5a2..74fc3d8e74 100644
--- a/main/openssl/0002-engines-e_padlock-backport-cvs-head-changes.patch
+++ b/main/openssl/0002-engines-e_padlock-backport-cvs-head-changes.patch
@@ -1,22 +1,11 @@
-From 6e182155643a6aeb07cbba1e7f79ac1adfcddad2 Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Timo=20Ter=C3=A4s?= <timo.teras@iki.fi>
-Date: Wed, 28 Jul 2010 08:29:09 +0300
-Subject: [PATCH 2/4] engines/e_padlock: backport cvs head changes
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
+Backport changes from upstream padlock module.
 Includes support for VIA Nano 64-bit mode.
 
 Signed-off-by: Timo Teräs <timo.teras@iki.fi>
----
- engines/e_padlock.c | 140 +++++++++++++++++++++++++++++++++++++++++++++-------
- 1 file changed, 122 insertions(+), 18 deletions(-)
 
-diff --git a/engines/e_padlock.c b/engines/e_padlock.c
-index 9f7a85a..6ab42d2 100644
---- a/engines/e_padlock.c
-+++ b/engines/e_padlock.c
+diff -ru openssl-1.0.1k.orig/engines/e_padlock.c openssl-1.0.1k/engines/e_padlock.c
+--- openssl-1.0.1k.orig/engines/e_padlock.c	2015-01-08 16:00:56.000000000 -0200
++++ openssl-1.0.1k/engines/e_padlock.c	2015-01-09 08:08:35.421516799 -0200
 @@ -101,7 +101,10 @@
     compiler choice is limited to GCC and Microsoft C. */
  #undef COMPILE_HW_PADLOCK
@@ -29,7 +18,7 @@ index 9f7a85a..6ab42d2 100644
       (defined(_MSC_VER) && defined(_M_IX86))
  #  define COMPILE_HW_PADLOCK
  # endif
-@@ -304,6 +307,7 @@ static volatile struct padlock_cipher_data *padlock_saved_context;
+@@ -304,6 +307,7 @@
   * =======================================================
   */
  #if defined(__GNUC__) && __GNUC__>=2
@@ -37,11 +26,12 @@ index 9f7a85a..6ab42d2 100644
  /*
   * As for excessive "push %ebx"/"pop %ebx" found all over.
   * When generating position-independent code GCC won't let
-@@ -383,21 +387,6 @@ padlock_available(void)
+@@ -383,23 +387,6 @@
  	return padlock_use_ace + padlock_use_rng;
  }
  
 -#ifndef OPENSSL_NO_AES
+-#ifndef AES_ASM
 -/* Our own htonl()/ntohl() */
 -static inline void
 -padlock_bswapl(AES_KEY *ks)
@@ -55,11 +45,12 @@ index 9f7a85a..6ab42d2 100644
 -	}
 -}
 -#endif
+-#endif
 -
  /* Force key reload from memory to the CPU microcode.
     Loading EFLAGS from the stack clears EFLAGS[30] 
     which does the trick. */
-@@ -455,12 +444,127 @@ static inline void *name(size_t cnt,		\
+@@ -457,12 +444,129 @@
  		: "edx", "cc", "memory");	\
  	return iv;				\
  }
@@ -172,6 +163,7 @@ index 9f7a85a..6ab42d2 100644
  PADLOCK_XCRYPT_ASM(padlock_xcrypt_cfb, ".byte 0xf3,0x0f,0xa7,0xe0")	/* rep xcryptcfb */
  PADLOCK_XCRYPT_ASM(padlock_xcrypt_ofb, ".byte 0xf3,0x0f,0xa7,0xe8")	/* rep xcryptofb */
 +
++#ifndef AES_ASM
 +/* Our own htonl()/ntohl() */
 +static inline void
 +padlock_bswapl(AES_KEY *ks)
@@ -184,10 +176,11 @@ index 9f7a85a..6ab42d2 100644
 +		key++;
 +	}
 +}
++#endif
  #endif
  
  /* The RNG call itself */
-@@ -491,8 +595,8 @@ padlock_xstore(void *addr, unsigned int edx_in)
+@@ -493,8 +597,8 @@
  static inline unsigned char *
  padlock_memcpy(void *dst,const void *src,size_t n)
  {
@@ -198,6 +191,3 @@ index 9f7a85a..6ab42d2 100644
  
  	n /= sizeof(*d);
  	do { *d++ = *s++; } while (--n);
--- 
-1.7.11.3
-