[Pkg-openssl-changes] r888 - in openssl/branches/jessie/debian: . patches

Sebastian Andrzej Siewior bigeasy at moszumanska.debian.org
Thu Jan 26 21:12:45 UTC 2017


Author: bigeasy
Date: 2017-01-26 21:12:45 +0000 (Thu, 26 Jan 2017)
New Revision: 888

Removed:
   openssl/branches/jessie/debian/patches/CVE-2016-2177.patch
   openssl/branches/jessie/debian/patches/CVE-2016-2178.patch
   openssl/branches/jessie/debian/patches/CVE-2016-2179.patch
   openssl/branches/jessie/debian/patches/CVE-2016-2180.patch
   openssl/branches/jessie/debian/patches/CVE-2016-2181.patch
   openssl/branches/jessie/debian/patches/CVE-2016-2182.patch
   openssl/branches/jessie/debian/patches/CVE-2016-2183.patch
   openssl/branches/jessie/debian/patches/CVE-2016-6302.patch
   openssl/branches/jessie/debian/patches/CVE-2016-6303.patch
   openssl/branches/jessie/debian/patches/CVE-2016-6304.patch
   openssl/branches/jessie/debian/patches/CVE-2016-6306.patch
   openssl/branches/jessie/debian/patches/Fix-name-length-limit-check.patch
   openssl/branches/jessie/debian/patches/Update-S-MIME-certificates.patch
Modified:
   openssl/branches/jessie/debian/changelog
   openssl/branches/jessie/debian/patches/series
Log:
Start the jessie branch by updating to the latest OpenSSL release, which contains all the fixups



Modified: openssl/branches/jessie/debian/changelog
===================================================================
--- openssl/branches/jessie/debian/changelog	2017-01-26 21:05:54 UTC (rev 887)
+++ openssl/branches/jessie/debian/changelog	2017-01-26 21:12:45 UTC (rev 888)
@@ -1,3 +1,9 @@
+openssl (1.0.1u-1+deb8u1) UNRELEASED; urgency=medium
+
+  * Update to 1.0.1u
+
+ -- Sebastian Andrzej Siewior <sebastian at breakpoint.cc>  Thu, 26 Jan 2017 21:37:31 +0100
+
 openssl (1.0.1t-1+deb8u5) jessie-security; urgency=medium
 
   * The patch for CVE-2016-2182 was missing a fix.  (Closes: #838652, #838659)

Deleted: openssl/branches/jessie/debian/patches/CVE-2016-2177.patch
===================================================================
--- openssl/branches/jessie/debian/patches/CVE-2016-2177.patch	2017-01-26 21:05:54 UTC (rev 887)
+++ openssl/branches/jessie/debian/patches/CVE-2016-2177.patch	2017-01-26 21:12:45 UTC (rev 888)
@@ -1,256 +0,0 @@
-From 6f35f6deb5ca7daebe289f86477e061ce3ee5f46 Mon Sep 17 00:00:00 2001
-From: Matt Caswell <matt at openssl.org>
-Date: Thu, 5 May 2016 11:10:26 +0100
-Subject: [PATCH] Avoid some undefined pointer arithmetic
-
-A common idiom in the codebase is:
-
-if (p + len > limit)
-{
-    return; /* Too long */
-}
-
-Where "p" points to some malloc'd data of SIZE bytes and
-limit == p + SIZE
-
-"len" here could be from some externally supplied data (e.g. from a TLS
-message).
-
-The rules of C pointer arithmetic are such that "p + len" is only well
-defined where len <= SIZE. Therefore the above idiom is actually
-undefined behaviour.
-
-For example this could cause problems if some malloc implementation
-provides an address for "p" such that "p + len" actually overflows for
-values of len that are too big and therefore p + len < limit!
-
-Issue reported by Guido Vranken.
-
-CVE-2016-2177
-
-Reviewed-by: Rich Salz <rsalz at openssl.org>
----
- ssl/s3_srvr.c  | 14 +++++++-------
- ssl/ssl_sess.c |  2 +-
- ssl/t1_lib.c   | 48 ++++++++++++++++++++++++++----------------------
- 3 files changed, 34 insertions(+), 30 deletions(-)
-
-diff --git a/ssl/s3_srvr.c b/ssl/s3_srvr.c
-index 04cf93a..6c74caa 100644
---- a/ssl/s3_srvr.c
-+++ b/ssl/s3_srvr.c
-@@ -1040,7 +1040,7 @@ int ssl3_get_client_hello(SSL *s)
- 
-         session_length = *(p + SSL3_RANDOM_SIZE);
- 
--        if (p + SSL3_RANDOM_SIZE + session_length + 1 >= d + n) {
-+        if (SSL3_RANDOM_SIZE + session_length + 1 >= (d + n) - p) {
-             al = SSL_AD_DECODE_ERROR;
-             SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, SSL_R_LENGTH_TOO_SHORT);
-             goto f_err;
-@@ -1058,7 +1058,7 @@ int ssl3_get_client_hello(SSL *s)
-     /* get the session-id */
-     j = *(p++);
- 
--    if (p + j > d + n) {
-+    if ((d + n) - p < j) {
-         al = SSL_AD_DECODE_ERROR;
-         SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, SSL_R_LENGTH_TOO_SHORT);
-         goto f_err;
-@@ -1114,14 +1114,14 @@ int ssl3_get_client_hello(SSL *s)
- 
-     if (s->version == DTLS1_VERSION || s->version == DTLS1_BAD_VER) {
-         /* cookie stuff */
--        if (p + 1 > d + n) {
-+        if ((d + n) - p < 1) {
-             al = SSL_AD_DECODE_ERROR;
-             SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, SSL_R_LENGTH_TOO_SHORT);
-             goto f_err;
-         }
-         cookie_len = *(p++);
- 
--        if (p + cookie_len > d + n) {
-+        if ((d + n ) - p < cookie_len) {
-             al = SSL_AD_DECODE_ERROR;
-             SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, SSL_R_LENGTH_TOO_SHORT);
-             goto f_err;
-@@ -1166,7 +1166,7 @@ int ssl3_get_client_hello(SSL *s)
-         p += cookie_len;
-     }
- 
--    if (p + 2 > d + n) {
-+    if ((d + n ) - p < 2) {
-         al = SSL_AD_DECODE_ERROR;
-         SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, SSL_R_LENGTH_TOO_SHORT);
-         goto f_err;
-@@ -1180,7 +1180,7 @@ int ssl3_get_client_hello(SSL *s)
-     }
- 
-     /* i bytes of cipher data + 1 byte for compression length later */
--    if ((p + i + 1) > (d + n)) {
-+    if ((d + n) - p < i + 1) {
-         /* not enough data */
-         al = SSL_AD_DECODE_ERROR;
-         SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, SSL_R_LENGTH_MISMATCH);
-@@ -1246,7 +1246,7 @@ int ssl3_get_client_hello(SSL *s)
- 
-     /* compression */
-     i = *(p++);
--    if ((p + i) > (d + n)) {
-+    if ((d + n) - p < i) {
-         /* not enough data */
-         al = SSL_AD_DECODE_ERROR;
-         SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, SSL_R_LENGTH_MISMATCH);
-diff --git a/ssl/ssl_sess.c b/ssl/ssl_sess.c
-index 48fc451..a97d060 100644
---- a/ssl/ssl_sess.c
-+++ b/ssl/ssl_sess.c
-@@ -602,7 +602,7 @@ int ssl_get_prev_session(SSL *s, unsigned char *session_id, int len,
-     int r;
- #endif
- 
--    if (session_id + len > limit) {
-+    if (limit - session_id < len) {
-         fatal = 1;
-         goto err;
-     }
-diff --git a/ssl/t1_lib.c b/ssl/t1_lib.c
-index 0bdb77d..8ed1793 100644
---- a/ssl/t1_lib.c
-+++ b/ssl/t1_lib.c
-@@ -942,11 +942,11 @@ static void ssl_check_for_safari(SSL *s, const unsigned char *data,
-         0x02, 0x03,             /* SHA-1/ECDSA */
-     };
- 
--    if (data >= (limit - 2))
-+    if (limit - data <= 2)
-         return;
-     data += 2;
- 
--    if (data > (limit - 4))
-+    if (limit - data < 4)
-         return;
-     n2s(data, type);
-     n2s(data, size);
-@@ -954,7 +954,7 @@ static void ssl_check_for_safari(SSL *s, const unsigned char *data,
-     if (type != TLSEXT_TYPE_server_name)
-         return;
- 
--    if (data + size > limit)
-+    if (limit - data < size)
-         return;
-     data += size;
- 
-@@ -962,7 +962,7 @@ static void ssl_check_for_safari(SSL *s, const unsigned char *data,
-         const size_t len1 = sizeof(kSafariExtensionsBlock);
-         const size_t len2 = sizeof(kSafariTLS12ExtensionsBlock);
- 
--        if (data + len1 + len2 != limit)
-+        if (limit - data != (int)(len1 + len2))
-             return;
-         if (memcmp(data, kSafariExtensionsBlock, len1) != 0)
-             return;
-@@ -971,7 +971,7 @@ static void ssl_check_for_safari(SSL *s, const unsigned char *data,
-     } else {
-         const size_t len = sizeof(kSafariExtensionsBlock);
- 
--        if (data + len != limit)
-+        if (limit - data != (int)(len))
-             return;
-         if (memcmp(data, kSafariExtensionsBlock, len) != 0)
-             return;
-@@ -1019,19 +1019,19 @@ int ssl_parse_clienthello_tlsext(SSL *s, unsigned char **p,
-     if (data == limit)
-         goto ri_check;
- 
--    if (data > (limit - 2))
-+    if (limit - data < 2)
-         goto err;
- 
-     n2s(data, len);
- 
--    if (data + len != limit)
-+    if (limit - data != len)
-         goto err;
- 
--    while (data <= (limit - 4)) {
-+    while (limit - data >= 4) {
-         n2s(data, type);
-         n2s(data, size);
- 
--        if (data + size > (limit))
-+        if (limit - data < size)
-             goto err;
- # if 0
-         fprintf(stderr, "Received extension type %d size %d\n", type, size);
-@@ -1460,20 +1460,20 @@ int ssl_parse_serverhello_tlsext(SSL *s, unsigned char **p, unsigned char *d,
-                              SSL_TLSEXT_HB_DONT_SEND_REQUESTS);
- # endif
- 
--    if (data >= (d + n - 2))
-+    if ((d + n) - data <= 2)
-         goto ri_check;
- 
-     n2s(data, length);
--    if (data + length != d + n) {
-+    if ((d + n) - data != length) {
-         *al = SSL_AD_DECODE_ERROR;
-         return 0;
-     }
- 
--    while (data <= (d + n - 4)) {
-+    while ((d + n) - data >= 4) {
-         n2s(data, type);
-         n2s(data, size);
- 
--        if (data + size > (d + n))
-+        if ((d + n) - data < size)
-             goto ri_check;
- 
-         if (s->tlsext_debug_cb)
-@@ -2179,29 +2179,33 @@ int tls1_process_ticket(SSL *s, unsigned char *session_id, int len,
-     /* Skip past DTLS cookie */
-     if (s->version == DTLS1_VERSION || s->version == DTLS1_BAD_VER) {
-         i = *(p++);
--        p += i;
--        if (p >= limit)
-+
-+        if (limit - p <= i)
-             return -1;
-+
-+        p += i;
-     }
-     /* Skip past cipher list */
-     n2s(p, i);
--    p += i;
--    if (p >= limit)
-+    if (limit - p <= i)
-         return -1;
-+    p += i;
-+
-     /* Skip past compression algorithm list */
-     i = *(p++);
--    p += i;
--    if (p > limit)
-+    if (limit - p < i)
-         return -1;
-+    p += i;
-+
-     /* Now at start of extensions */
--    if ((p + 2) >= limit)
-+    if (limit - p <= 2)
-         return 0;
-     n2s(p, i);
--    while ((p + 4) <= limit) {
-+    while (limit - p >= 4) {
-         unsigned short type, size;
-         n2s(p, type);
-         n2s(p, size);
--        if (p + size > limit)
-+        if (limit - p < size)
-             return 0;
-         if (type == TLSEXT_TYPE_session_ticket) {
-             int r;
--- 
-2.9.3
-

Deleted: openssl/branches/jessie/debian/patches/CVE-2016-2178.patch
===================================================================
--- openssl/branches/jessie/debian/patches/CVE-2016-2178.patch	2017-01-26 21:05:54 UTC (rev 887)
+++ openssl/branches/jessie/debian/patches/CVE-2016-2178.patch	2017-01-26 21:12:45 UTC (rev 888)
@@ -1,23 +0,0 @@
-diff --git a/crypto/dsa/dsa_ossl.c b/crypto/dsa/dsa_ossl.c
-index 9a3772e..06cd2a2 100644
---- a/crypto/dsa/dsa_ossl.c
-+++ b/crypto/dsa/dsa_ossl.c
-@@ -247,7 +247,8 @@ static int dsa_sign_setup(DSA *dsa, BN_CTX *ctx_in, BIGNUM **kinvp,
-     do
-         if (!BN_rand_range(&k, dsa->q))
-             goto err;
--    while (BN_is_zero(&k)) ;
-+    while (BN_is_zero(&k));
-+
-     if ((dsa->flags & DSA_FLAG_NO_EXP_CONSTTIME) == 0) {
-         BN_set_flags(&k, BN_FLG_CONSTTIME);
-     }
-@@ -264,6 +266,8 @@ static int dsa_sign_setup(DSA *dsa, BN_CTX *ctx_in, BIGNUM **kinvp,
-         if (!BN_copy(&kq, &k))
-             goto err;
- 
-+        BN_set_flags(&kq, BN_FLG_CONSTTIME);
-+
-         /*
-          * We do not want timing information to leak the length of k, so we
-          * compute g^k using an equivalent exponent of fixed length. (This

Deleted: openssl/branches/jessie/debian/patches/CVE-2016-2179.patch
===================================================================
--- openssl/branches/jessie/debian/patches/CVE-2016-2179.patch	2017-01-26 21:05:54 UTC (rev 887)
+++ openssl/branches/jessie/debian/patches/CVE-2016-2179.patch	2017-01-26 21:12:45 UTC (rev 888)
@@ -1,253 +0,0 @@
-From 00a4c1421407b6ac796688871b0a49a179c694d9 Mon Sep 17 00:00:00 2001
-From: Matt Caswell <matt at openssl.org>
-Date: Thu, 30 Jun 2016 13:17:08 +0100
-Subject: [PATCH] Fix DTLS buffered message DoS attack
-
-DTLS can handle out of order record delivery. Additionally since
-handshake messages can be bigger than will fit into a single packet, the
-messages can be fragmented across multiple records (as with normal TLS).
-That means that the messages can arrive mixed up, and we have to
-reassemble them. We keep a queue of buffered messages that are "from the
-future", i.e. messages we're not ready to deal with yet but have arrived
-early. The messages held there may not be full yet - they could be one
-or more fragments that are still in the process of being reassembled.
-
-The code assumes that we will eventually complete the reassembly and
-when that occurs the complete message is removed from the queue at the
-point that we need to use it.
-
-However, DTLS is also tolerant of packet loss. To get around that DTLS
-messages can be retransmitted. If we receive a full (non-fragmented)
-message from the peer after previously having received a fragment of
-that message, then we ignore the message in the queue and just use the
-non-fragmented version. At that point the queued message will never get
-removed.
-
-Additionally the peer could send "future" messages that we never get to
-in order to complete the handshake. Each message has a sequence number
-(starting from 0). We will accept a message fragment for the current
-message sequence number, or for any sequence up to 10 into the future.
-However if the Finished message has a sequence number of 2, anything
-greater than that in the queue is just left there.
-
-So, in those two ways we can end up with "orphaned" data in the queue
-that will never get removed - except when the connection is closed. At
-that point all the queues are flushed.
-
-An attacker could seek to exploit this by filling up the queues with
-lots of large messages that are never going to be used in order to
-attempt a DoS by memory exhaustion.
-
-I will assume that we are only concerned with servers here. It does not
-seem reasonable to be concerned about a memory exhaustion attack on a
-client. They are unlikely to process enough connections for this to be
-an issue.
-
-A "long" handshake with many messages might be 5 messages long (in the
-incoming direction), e.g. ClientHello, Certificate, ClientKeyExchange,
-CertificateVerify, Finished. So this would be message sequence numbers 0
-to 4. Additionally we can buffer up to 10 messages in the future.
-Therefore the maximum number of messages that an attacker could send
-that could get orphaned would typically be 15.
-
-The maximum size that a DTLS message is allowed to be is defined by
-max_cert_list, which by default is 100k. Therefore the maximum amount of
-"orphaned" memory per connection is 1500k.
-
-Message sequence numbers get reset after the Finished message, so
-renegotiation will not extend the maximum number of messages that can be
-orphaned per connection.
-
-As noted above, the queues do get cleared when the connection is closed.
-Therefore in order to mount an effective attack, an attacker would have
-to open many simultaneous connections.
-
-Issue reported by Quan Luo.
-
-CVE-2016-2179
-
-Reviewed-by: Richard Levitte <levitte at openssl.org>
----
- ssl/d1_both.c  | 32 ++++++++++++++++----------------
- ssl/d1_clnt.c  |  1 +
- ssl/d1_lib.c   | 37 ++++++++++++++++++++++++++-----------
- ssl/d1_srvr.c  |  3 ++-
- ssl/ssl_locl.h |  3 ++-
- 5 files changed, 47 insertions(+), 29 deletions(-)
-
-diff --git a/ssl/d1_both.c b/ssl/d1_both.c
-index 1614d88..ae292c4 100644
---- a/ssl/d1_both.c
-+++ b/ssl/d1_both.c
-@@ -614,11 +614,23 @@ static int dtls1_retrieve_buffered_fragment(SSL *s, long max, int *ok)
-     int al;
- 
-     *ok = 0;
--    item = pqueue_peek(s->d1->buffered_messages);
--    if (item == NULL)
--        return 0;
-+    do {
-+        item = pqueue_peek(s->d1->buffered_messages);
-+        if (item == NULL)
-+            return 0;
-+
-+        frag = (hm_fragment *)item->data;
-+
-+        if (frag->msg_header.seq < s->d1->handshake_read_seq) {
-+            /* This is a stale message that has been buffered so clear it */
-+            pqueue_pop(s->d1->buffered_messages);
-+            dtls1_hm_fragment_free(frag);
-+            pitem_free(item);
-+            item = NULL;
-+            frag = NULL;
-+        }
-+    } while (item == NULL);
- 
--    frag = (hm_fragment *)item->data;
- 
-     /* Don't return if reassembly still in progress */
-     if (frag->reassembly != NULL)
-@@ -1416,18 +1428,6 @@ dtls1_retransmit_message(SSL *s, unsigned short seq, unsigned long frag_off,
-     return ret;
- }
- 
--/* call this function when the buffered messages are no longer needed */
--void dtls1_clear_record_buffer(SSL *s)
--{
--    pitem *item;
--
--    for (item = pqueue_pop(s->d1->sent_messages);
--         item != NULL; item = pqueue_pop(s->d1->sent_messages)) {
--        dtls1_hm_fragment_free((hm_fragment *)item->data);
--        pitem_free(item);
--    }
--}
--
- unsigned char *dtls1_set_message_header(SSL *s, unsigned char *p,
-                                         unsigned char mt, unsigned long len,
-                                         unsigned long frag_off,
-diff --git a/ssl/d1_clnt.c b/ssl/d1_clnt.c
-index eb371a2..e1f167b 100644
---- a/ssl/d1_clnt.c
-+++ b/ssl/d1_clnt.c
-@@ -751,6 +751,7 @@ int dtls1_connect(SSL *s)
-             /* done with handshaking */
-             s->d1->handshake_read_seq = 0;
-             s->d1->next_handshake_write_seq = 0;
-+            dtls1_clear_received_buffer(s);
-             goto end;
-             /* break; */
- 
-diff --git a/ssl/d1_lib.c b/ssl/d1_lib.c
-index 011d7b7..99984df 100644
---- a/ssl/d1_lib.c
-+++ b/ssl/d1_lib.c
-@@ -144,7 +144,6 @@ int dtls1_new(SSL *s)
- static void dtls1_clear_queues(SSL *s)
- {
-     pitem *item = NULL;
--    hm_fragment *frag = NULL;
-     DTLS1_RECORD_DATA *rdata;
- 
-     while ((item = pqueue_pop(s->d1->unprocessed_rcds.q)) != NULL) {
-@@ -165,28 +164,44 @@ static void dtls1_clear_queues(SSL *s)
-         pitem_free(item);
-     }
- 
-+    while ((item = pqueue_pop(s->d1->buffered_app_data.q)) != NULL) {
-+        rdata = (DTLS1_RECORD_DATA *)item->data;
-+        if (rdata->rbuf.buf) {
-+            OPENSSL_free(rdata->rbuf.buf);
-+        }
-+        OPENSSL_free(item->data);
-+        pitem_free(item);
-+    }
-+
-+    dtls1_clear_received_buffer(s);
-+    dtls1_clear_sent_buffer(s);
-+}
-+
-+void dtls1_clear_received_buffer(SSL *s)
-+{
-+    pitem *item = NULL;
-+    hm_fragment *frag = NULL;
-+
-     while ((item = pqueue_pop(s->d1->buffered_messages)) != NULL) {
-         frag = (hm_fragment *)item->data;
-         dtls1_hm_fragment_free(frag);
-         pitem_free(item);
-     }
-+}
-+
-+void dtls1_clear_sent_buffer(SSL *s)
-+{
-+    pitem *item = NULL;
-+    hm_fragment *frag = NULL;
- 
-     while ((item = pqueue_pop(s->d1->sent_messages)) != NULL) {
-         frag = (hm_fragment *)item->data;
-         dtls1_hm_fragment_free(frag);
-         pitem_free(item);
-     }
--
--    while ((item = pqueue_pop(s->d1->buffered_app_data.q)) != NULL) {
--        rdata = (DTLS1_RECORD_DATA *)item->data;
--        if (rdata->rbuf.buf) {
--            OPENSSL_free(rdata->rbuf.buf);
--        }
--        OPENSSL_free(item->data);
--        pitem_free(item);
--    }
- }
- 
-+
- void dtls1_free(SSL *s)
- {
-     ssl3_free(s);
-@@ -420,7 +435,7 @@ void dtls1_stop_timer(SSL *s)
-     BIO_ctrl(SSL_get_rbio(s), BIO_CTRL_DGRAM_SET_NEXT_TIMEOUT, 0,
-              &(s->d1->next_timeout));
-     /* Clear retransmission buffer */
--    dtls1_clear_record_buffer(s);
-+    dtls1_clear_sent_buffer(s);
- }
- 
- int dtls1_check_timeout_num(SSL *s)
-diff --git a/ssl/d1_srvr.c b/ssl/d1_srvr.c
-index 60af230..bc30433 100644
---- a/ssl/d1_srvr.c
-+++ b/ssl/d1_srvr.c
-@@ -295,7 +295,7 @@ int dtls1_accept(SSL *s)
-         case SSL3_ST_SW_HELLO_REQ_B:
- 
-             s->shutdown = 0;
--            dtls1_clear_record_buffer(s);
-+            dtls1_clear_sent_buffer(s);
-             dtls1_start_timer(s);
-             ret = dtls1_send_hello_request(s);
-             if (ret <= 0)
-@@ -866,6 +866,7 @@ int dtls1_accept(SSL *s)
-             /* next message is server hello */
-             s->d1->handshake_write_seq = 0;
-             s->d1->next_handshake_write_seq = 0;
-+            dtls1_clear_received_buffer(s);
-             goto end;
-             /* break; */
- 
-diff --git a/ssl/ssl_locl.h b/ssl/ssl_locl.h
-index d57b902..7b1fd1f 100644
---- a/ssl/ssl_locl.h
-+++ b/ssl/ssl_locl.h
-@@ -1026,7 +1026,8 @@ int dtls1_retransmit_message(SSL *s, unsigned short seq,
-                              unsigned long frag_off, int *found);
- int dtls1_get_queue_priority(unsigned short seq, int is_ccs);
- int dtls1_retransmit_buffered_messages(SSL *s);
--void dtls1_clear_record_buffer(SSL *s);
-+void dtls1_clear_received_buffer(SSL *s);
-+void dtls1_clear_sent_buffer(SSL *s);
- void dtls1_get_message_header(unsigned char *data,
-                               struct hm_header_st *msg_hdr);
- void dtls1_get_ccs_header(unsigned char *data, struct ccs_header_st *ccs_hdr);
--- 
-2.9.3
-

Deleted: openssl/branches/jessie/debian/patches/CVE-2016-2180.patch
===================================================================
--- openssl/branches/jessie/debian/patches/CVE-2016-2180.patch	2017-01-26 21:05:54 UTC (rev 887)
+++ openssl/branches/jessie/debian/patches/CVE-2016-2180.patch	2017-01-26 21:12:45 UTC (rev 888)
@@ -1,39 +0,0 @@
-From 6adf409c7432b90c06d9890787fe56c48f2a16e7 Mon Sep 17 00:00:00 2001
-From: "Dr. Stephen Henson" <steve at openssl.org>
-Date: Thu, 21 Jul 2016 15:24:16 +0100
-Subject: [PATCH] Fix OOB read in TS_OBJ_print_bio().
-
-TS_OBJ_print_bio() misuses OBJ_txt2obj: it should print the result
-as a null terminated buffer. The length value returned is the total
-length the complete text reprsentation would need not the amount of
-data written.
-
-CVE-2016-2180
-
-Thanks to Shi Lei for reporting this bug.
-
-Reviewed-by: Matt Caswell <matt at openssl.org>
-(cherry picked from commit 0ed26acce328ec16a3aa635f1ca37365e8c7403a)
----
- crypto/ts/ts_lib.c | 5 ++---
- 1 file changed, 2 insertions(+), 3 deletions(-)
-
-diff --git a/crypto/ts/ts_lib.c b/crypto/ts/ts_lib.c
-index c51538a..e0f1063 100644
---- a/crypto/ts/ts_lib.c
-+++ b/crypto/ts/ts_lib.c
-@@ -90,9 +90,8 @@ int TS_OBJ_print_bio(BIO *bio, const ASN1_OBJECT *obj)
- {
-     char obj_txt[128];
- 
--    int len = OBJ_obj2txt(obj_txt, sizeof(obj_txt), obj, 0);
--    BIO_write(bio, obj_txt, len);
--    BIO_write(bio, "\n", 1);
-+    OBJ_obj2txt(obj_txt, sizeof(obj_txt), obj, 0);
-+    BIO_printf(bio, "%s\n", obj_txt);
- 
-     return 1;
- }
--- 
-2.9.3
-

Deleted: openssl/branches/jessie/debian/patches/CVE-2016-2181.patch
===================================================================
--- openssl/branches/jessie/debian/patches/CVE-2016-2181.patch	2017-01-26 21:05:54 UTC (rev 887)
+++ openssl/branches/jessie/debian/patches/CVE-2016-2181.patch	2017-01-26 21:12:45 UTC (rev 888)
@@ -1,209 +0,0 @@
-diff --git a/ssl/d1_pkt.c b/ssl/d1_pkt.c
-index ea93a8e..d3ceae0 100644
---- a/ssl/d1_pkt.c
-+++ b/ssl/d1_pkt.c
-@@ -194,7 +194,7 @@ static int dtls1_record_needs_buffering(SSL *s, SSL3_RECORD *rr,
- #endif
- static int dtls1_buffer_record(SSL *s, record_pqueue *q,
-                                unsigned char *priority);
--static int dtls1_process_record(SSL *s);
-+static int dtls1_process_record(SSL *s, DTLS1_BITMAP *bitmap);
- 
- /* copy buffered record into SSL structure */
- static int dtls1_copy_record(SSL *s, pitem *item)
-@@ -319,21 +319,70 @@ static int dtls1_retrieve_buffered_record(SSL *s, record_pqueue *queue)
- static int dtls1_process_buffered_records(SSL *s)
- {
-     pitem *item;
-+    SSL3_BUFFER *rb;
-+    SSL3_RECORD *rr;
-+    DTLS1_BITMAP *bitmap;
-+    unsigned int is_next_epoch;
-+    int replayok = 1;
- 
-     item = pqueue_peek(s->d1->unprocessed_rcds.q);
-     if (item) {
-         /* Check if epoch is current. */
-         if (s->d1->unprocessed_rcds.epoch != s->d1->r_epoch)
--            return (1);         /* Nothing to do. */
-+            return 1;         /* Nothing to do. */
-+
-+        rr = &s->s3->rrec;
-+        rb = &s->s3->rbuf;
-+
-+        if (rb->left > 0) {
-+            /*
-+             * We've still got data from the current packet to read. There could
-+             * be a record from the new epoch in it - so don't overwrite it
-+             * with the unprocessed records yet (we'll do it when we've
-+             * finished reading the current packet).
-+             */
-+            return 1;
-+        }
-+
- 
-         /* Process all the records. */
-         while (pqueue_peek(s->d1->unprocessed_rcds.q)) {
-             dtls1_get_unprocessed_record(s);
--            if (!dtls1_process_record(s))
--                return (0);
-+            bitmap = dtls1_get_bitmap(s, rr, &is_next_epoch);
-+            if (bitmap == NULL) {
-+                /*
-+                 * Should not happen. This will only ever be NULL when the
-+                 * current record is from a different epoch. But that cannot
-+                 * be the case because we already checked the epoch above
-+                 */
-+                 SSLerr(SSL_F_DTLS1_PROCESS_BUFFERED_RECORDS,
-+                        ERR_R_INTERNAL_ERROR);
-+                 return 0;
-+            }
-+#ifndef OPENSSL_NO_SCTP
-+            /* Only do replay check if no SCTP bio */
-+            if (!BIO_dgram_is_sctp(SSL_get_rbio(s)))
-+#endif
-+            {
-+                /*
-+                 * Check whether this is a repeat, or aged record. We did this
-+                 * check once already when we first received the record - but
-+                 * we might have updated the window since then due to
-+                 * records we subsequently processed.
-+                 */
-+                replayok = dtls1_record_replay_check(s, bitmap);
-+            }
-+
-+            if (!replayok || !dtls1_process_record(s, bitmap)) {
-+                /* dump this record */
-+                rr->length = 0;
-+                s->packet_length = 0;
-+                continue;
-+            }
-+
-             if (dtls1_buffer_record(s, &(s->d1->processed_rcds),
-                                     s->s3->rrec.seq_num) < 0)
--                return -1;
-+                return 0;
-         }
-     }
- 
-@@ -344,7 +393,7 @@ static int dtls1_process_buffered_records(SSL *s)
-     s->d1->processed_rcds.epoch = s->d1->r_epoch;
-     s->d1->unprocessed_rcds.epoch = s->d1->r_epoch + 1;
- 
--    return (1);
-+    return 1;
- }
- 
- #if 0
-@@ -391,7 +440,7 @@ static int dtls1_get_buffered_record(SSL *s)
- 
- #endif
- 
--static int dtls1_process_record(SSL *s)
-+static int dtls1_process_record(SSL *s, DTLS1_BITMAP *bitmap)
- {
-     int i, al;
-     int enc_err;
-@@ -551,6 +600,10 @@ static int dtls1_process_record(SSL *s)
- 
-     /* we have pulled in a full packet so zero things */
-     s->packet_length = 0;
-+
-+    /* Mark receipt of record. */
-+    dtls1_record_bitmap_update(s, bitmap);
-+
-     return (1);
- 
-  f_err:
-@@ -581,11 +634,12 @@ int dtls1_get_record(SSL *s)
- 
-     rr = &(s->s3->rrec);
- 
-+ again:
-     /*
-      * The epoch may have changed.  If so, process all the pending records.
-      * This is a non-blocking operation.
-      */
--    if (dtls1_process_buffered_records(s) < 0)
-+    if (!dtls1_process_buffered_records(s))
-         return -1;
- 
-     /* if we're renegotiating, then there may be buffered records */
-@@ -593,7 +647,6 @@ int dtls1_get_record(SSL *s)
-         return 1;
- 
-     /* get something from the wire */
-- again:
-     /* check if we have the header */
-     if ((s->rstate != SSL_ST_READ_BODY) ||
-         (s->packet_length < DTLS1_RT_HEADER_LENGTH)) {
-@@ -717,20 +770,17 @@ int dtls1_get_record(SSL *s)
-             if (dtls1_buffer_record
-                 (s, &(s->d1->unprocessed_rcds), rr->seq_num) < 0)
-                 return -1;
--            /* Mark receipt of record. */
--            dtls1_record_bitmap_update(s, bitmap);
-         }
-         rr->length = 0;
-         s->packet_length = 0;
-         goto again;
-     }
- 
--    if (!dtls1_process_record(s)) {
-+    if (!dtls1_process_record(s, bitmap)) {
-         rr->length = 0;
-         s->packet_length = 0;   /* dump this record */
-         goto again;             /* get another record */
-     }
--    dtls1_record_bitmap_update(s, bitmap); /* Mark receipt of record. */
- 
-     return (1);
- 
-@@ -1815,8 +1865,13 @@ static DTLS1_BITMAP *dtls1_get_bitmap(SSL *s, SSL3_RECORD *rr,
-     if (rr->epoch == s->d1->r_epoch)
-         return &s->d1->bitmap;
- 
--    /* Only HM and ALERT messages can be from the next epoch */
-+    /*
-+     * Only HM and ALERT messages can be from the next epoch and only if we
-+     * have already processed all of the unprocessed records from the last
-+     * epoch
-+     */
-     else if (rr->epoch == (unsigned long)(s->d1->r_epoch + 1) &&
-+             s->d1->unprocessed_rcds.epoch != s->d1->r_epoch &&
-              (rr->type == SSL3_RT_HANDSHAKE || rr->type == SSL3_RT_ALERT)) {
-         *is_next_epoch = 1;
-         return &s->d1->next_bitmap;
-diff --git a/ssl/ssl.h b/ssl/ssl.h
-index d6c475c..8094450 100644
---- a/ssl/ssl.h
-+++ b/ssl/ssl.h
-@@ -2256,6 +2256,7 @@ void ERR_load_SSL_strings(void);
- # define SSL_F_DTLS1_HEARTBEAT                            305
- # define SSL_F_DTLS1_OUTPUT_CERT_CHAIN                    255
- # define SSL_F_DTLS1_PREPROCESS_FRAGMENT                  288
-+# define SSL_F_DTLS1_PROCESS_BUFFERED_RECORDS             404
- # define SSL_F_DTLS1_PROCESS_OUT_OF_SEQ_MESSAGE           256
- # define SSL_F_DTLS1_PROCESS_RECORD                       257
- # define SSL_F_DTLS1_READ_BYTES                           258
-diff --git a/ssl/ssl_err.c b/ssl/ssl_err.c
-index caa671a..ed679d1 100644
---- a/ssl/ssl_err.c
-+++ b/ssl/ssl_err.c
-@@ -1,6 +1,6 @@
- /* ssl/ssl_err.c */
- /* ====================================================================
-- * Copyright (c) 1999-2011 The OpenSSL Project.  All rights reserved.
-+ * Copyright (c) 1999-2016 The OpenSSL Project.  All rights reserved.
-  *
-  * Redistribution and use in source and binary forms, with or without
-  * modification, are permitted provided that the following conditions
-@@ -93,6 +93,8 @@ static ERR_STRING_DATA SSL_str_functs[] = {
-     {ERR_FUNC(SSL_F_DTLS1_HEARTBEAT), "DTLS1_HEARTBEAT"},
-     {ERR_FUNC(SSL_F_DTLS1_OUTPUT_CERT_CHAIN), "DTLS1_OUTPUT_CERT_CHAIN"},
-     {ERR_FUNC(SSL_F_DTLS1_PREPROCESS_FRAGMENT), "DTLS1_PREPROCESS_FRAGMENT"},
-+    {ERR_FUNC(SSL_F_DTLS1_PROCESS_BUFFERED_RECORDS),
-+     "DTLS1_PROCESS_BUFFERED_RECORDS"},
-     {ERR_FUNC(SSL_F_DTLS1_PROCESS_OUT_OF_SEQ_MESSAGE),
-      "DTLS1_PROCESS_OUT_OF_SEQ_MESSAGE"},
-     {ERR_FUNC(SSL_F_DTLS1_PROCESS_RECORD), "DTLS1_PROCESS_RECORD"},

Deleted: openssl/branches/jessie/debian/patches/CVE-2016-2182.patch
===================================================================
--- openssl/branches/jessie/debian/patches/CVE-2016-2182.patch	2017-01-26 21:05:54 UTC (rev 887)
+++ openssl/branches/jessie/debian/patches/CVE-2016-2182.patch	2017-01-26 21:12:45 UTC (rev 888)
@@ -1,39 +0,0 @@
-Index: openssl-1.0.1t/crypto/bn/bn_print.c
-===================================================================
---- openssl-1.0.1t.orig/crypto/bn/bn_print.c
-+++ openssl-1.0.1t/crypto/bn/bn_print.c
-@@ -111,6 +111,7 @@ char *BN_bn2dec(const BIGNUM *a)
-     char *p;
-     BIGNUM *t = NULL;
-     BN_ULONG *bn_data = NULL, *lp;
-+    int bn_data_num;
- 
-     /*-
-      * get an upper bound for the length of the decimal integer
-@@ -120,9 +121,9 @@ char *BN_bn2dec(const BIGNUM *a)
-      */
-     i = BN_num_bits(a) * 3;
-     num = (i / 10 + i / 1000 + 1) + 1;
--    bn_data =
--        (BN_ULONG *)OPENSSL_malloc((num / BN_DEC_NUM + 1) * sizeof(BN_ULONG));
--    buf = (char *)OPENSSL_malloc(num + 3);
-+    bn_data_num = num / BN_DEC_NUM + 1;
-+    bn_data = OPENSSL_malloc(bn_data_num * sizeof(BN_ULONG));
-+    buf = OPENSSL_malloc(num + 3);
-     if ((buf == NULL) || (bn_data == NULL)) {
-         BNerr(BN_F_BN_BN2DEC, ERR_R_MALLOC_FAILURE);
-         goto err;
-@@ -140,9 +141,12 @@ char *BN_bn2dec(const BIGNUM *a)
-         if (BN_is_negative(t))
-             *p++ = '-';
- 
--        i = 0;
-         while (!BN_is_zero(t)) {
-+            if (lp - bn_data >= bn_data_num)
-+                goto err;
-             *lp = BN_div_word(t, BN_DEC_CONV);
-+            if (*lp == (BN_ULONG)-1)
-+                goto err;
-             lp++;
-         }
-         lp--;

Deleted: openssl/branches/jessie/debian/patches/CVE-2016-2183.patch
===================================================================
--- openssl/branches/jessie/debian/patches/CVE-2016-2183.patch	2017-01-26 21:05:54 UTC (rev 887)
+++ openssl/branches/jessie/debian/patches/CVE-2016-2183.patch	2017-01-26 21:12:45 UTC (rev 888)
@@ -1,176 +0,0 @@
-From e95f5e03f6f1f8d3f6cbe4b7fa48e57b4cf8fd60 Mon Sep 17 00:00:00 2001
-From: Rich Salz <rsalz at openssl.org>
-Date: Thu, 18 Aug 2016 09:26:52 -0400
-Subject: [PATCH] SWEET32 (CVE-2016-2183): Move DES from HIGH to MEDIUM
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-Reviewed-by: Viktor Dukhovni <viktor at openssl.org>
-Reviewed-by: Emilia Käsper <emilia at openssl.org>
-(cherry picked from commit 0fff5065884d5ac61123a604bbcee30a53c808ff)
----
- CHANGES      |  4 +++-
- ssl/s3_lib.c | 34 +++++++++++++++++-----------------
- 2 files changed, 20 insertions(+), 18 deletions(-)
-
-diff --git a/ssl/s3_lib.c b/ssl/s3_lib.c
-index 35d6587..6b1822d 100644
---- a/ssl/s3_lib.c
-+++ b/ssl/s3_lib.c
-@@ -334,7 +334,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] = {
-      SSL_3DES,
-      SSL_SHA1,
-      SSL_SSLV3,
--     SSL_NOT_EXP | SSL_HIGH | SSL_FIPS,
-+     SSL_NOT_EXP | SSL_MEDIUM | SSL_FIPS,
-      SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
-      112,
-      168,
-@@ -387,7 +387,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] = {
-      SSL_3DES,
-      SSL_SHA1,
-      SSL_SSLV3,
--     SSL_NOT_EXP | SSL_HIGH | SSL_FIPS,
-+     SSL_NOT_EXP | SSL_MEDIUM | SSL_FIPS,
-      SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
-      112,
-      168,
-@@ -439,7 +439,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] = {
-      SSL_3DES,
-      SSL_SHA1,
-      SSL_SSLV3,
--     SSL_NOT_EXP | SSL_HIGH | SSL_FIPS,
-+     SSL_NOT_EXP | SSL_MEDIUM | SSL_FIPS,
-      SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
-      112,
-      168,
-@@ -492,7 +492,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] = {
-      SSL_3DES,
-      SSL_SHA1,
-      SSL_SSLV3,
--     SSL_NOT_EXP | SSL_HIGH | SSL_FIPS,
-+     SSL_NOT_EXP | SSL_MEDIUM | SSL_FIPS,
-      SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
-      112,
-      168,
-@@ -544,7 +544,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] = {
-      SSL_3DES,
-      SSL_SHA1,
-      SSL_SSLV3,
--     SSL_NOT_EXP | SSL_HIGH | SSL_FIPS,
-+     SSL_NOT_EXP | SSL_MEDIUM | SSL_FIPS,
-      SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
-      112,
-      168,
-@@ -630,7 +630,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] = {
-      SSL_3DES,
-      SSL_SHA1,
-      SSL_SSLV3,
--     SSL_NOT_DEFAULT | SSL_NOT_EXP | SSL_HIGH | SSL_FIPS,
-+     SSL_NOT_DEFAULT | SSL_NOT_EXP | SSL_MEDIUM | SSL_FIPS,
-      SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
-      112,
-      168,
-@@ -717,7 +717,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] = {
-      SSL_3DES,
-      SSL_SHA1,
-      SSL_SSLV3,
--     SSL_NOT_EXP | SSL_HIGH | SSL_FIPS,
-+     SSL_NOT_EXP | SSL_MEDIUM | SSL_FIPS,
-      SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
-      112,
-      168,
-@@ -783,7 +783,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] = {
-      SSL_3DES,
-      SSL_MD5,
-      SSL_SSLV3,
--     SSL_NOT_EXP | SSL_HIGH,
-+     SSL_NOT_EXP | SSL_MEDIUM,
-      SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
-      112,
-      168,
-@@ -1733,7 +1733,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] = {
-      SSL_3DES,
-      SSL_SHA1,
-      SSL_TLSV1,
--     SSL_NOT_EXP | SSL_HIGH | SSL_FIPS,
-+     SSL_NOT_EXP | SSL_MEDIUM | SSL_FIPS,
-      SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
-      112,
-      168,
-@@ -2110,7 +2110,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] = {
-      SSL_3DES,
-      SSL_SHA1,
-      SSL_TLSV1,
--     SSL_NOT_EXP | SSL_HIGH | SSL_FIPS,
-+     SSL_NOT_EXP | SSL_MEDIUM | SSL_FIPS,
-      SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
-      112,
-      168,
-@@ -2190,7 +2190,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] = {
-      SSL_3DES,
-      SSL_SHA1,
-      SSL_TLSV1,
--     SSL_NOT_EXP | SSL_HIGH | SSL_FIPS,
-+     SSL_NOT_EXP | SSL_MEDIUM | SSL_FIPS,
-      SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
-      112,
-      168,
-@@ -2270,7 +2270,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] = {
-      SSL_3DES,
-      SSL_SHA1,
-      SSL_TLSV1,
--     SSL_NOT_EXP | SSL_HIGH | SSL_FIPS,
-+     SSL_NOT_EXP | SSL_MEDIUM | SSL_FIPS,
-      SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
-      112,
-      168,
-@@ -2350,7 +2350,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] = {
-      SSL_3DES,
-      SSL_SHA1,
-      SSL_TLSV1,
--     SSL_NOT_EXP | SSL_HIGH | SSL_FIPS,
-+     SSL_NOT_EXP | SSL_MEDIUM | SSL_FIPS,
-      SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
-      112,
-      168,
-@@ -2430,7 +2430,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] = {
-      SSL_3DES,
-      SSL_SHA1,
-      SSL_TLSV1,
--     SSL_NOT_DEFAULT | SSL_NOT_EXP | SSL_HIGH | SSL_FIPS,
-+     SSL_NOT_DEFAULT | SSL_NOT_EXP | SSL_MEDIUM | SSL_FIPS,
-      SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
-      112,
-      168,
-@@ -2480,7 +2480,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] = {
-      SSL_3DES,
-      SSL_SHA1,
-      SSL_TLSV1,
--     SSL_NOT_EXP | SSL_HIGH,
-+     SSL_NOT_EXP | SSL_MEDIUM,
-      SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
-      112,
-      168,
-@@ -2496,7 +2496,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] = {
-      SSL_3DES,
-      SSL_SHA1,
-      SSL_TLSV1,
--     SSL_NOT_EXP | SSL_HIGH,
-+     SSL_NOT_EXP | SSL_MEDIUM,
-      SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
-      112,
-      168,
-@@ -2512,7 +2512,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] = {
-      SSL_3DES,
-      SSL_SHA1,
-      SSL_TLSV1,
--     SSL_NOT_EXP | SSL_HIGH,
-+     SSL_NOT_EXP | SSL_MEDIUM,
-      SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
-      112,
-      168,
--- 
-2.9.3
-

Deleted: openssl/branches/jessie/debian/patches/CVE-2016-6302.patch
===================================================================
--- openssl/branches/jessie/debian/patches/CVE-2016-6302.patch	2017-01-26 21:05:54 UTC (rev 887)
+++ openssl/branches/jessie/debian/patches/CVE-2016-6302.patch	2017-01-26 21:12:45 UTC (rev 888)
@@ -1,52 +0,0 @@
-From 1bbe48ab149893a78bf99c8eb8895c928900a16f Mon Sep 17 00:00:00 2001
-From: "Dr. Stephen Henson" <steve at openssl.org>
-Date: Tue, 23 Aug 2016 18:14:54 +0100
-Subject: [PATCH] Sanity check ticket length.
-
-If a ticket callback changes the HMAC digest to SHA512 the existing
-sanity checks are not sufficient and an attacker could perform a DoS
-attack with a malformed ticket. Add additional checks based on
-HMAC size.
-
-Thanks to Shi Lei for reporting this bug.
-
-CVE-2016-6302
-
-Reviewed-by: Rich Salz <rsalz at openssl.org>
-(cherry picked from commit baaabfd8fdcec04a691695fad9a664bea43202b6)
----
- ssl/t1_lib.c | 11 ++++++++---
- 1 file changed, 8 insertions(+), 3 deletions(-)
-
-diff --git a/ssl/t1_lib.c b/ssl/t1_lib.c
-index d961e4a..7680491 100644
---- a/ssl/t1_lib.c
-+++ b/ssl/t1_lib.c
-@@ -2273,9 +2273,7 @@ static int tls_decrypt_ticket(SSL *s, const unsigned char *etick,
-     HMAC_CTX hctx;
-     EVP_CIPHER_CTX ctx;
-     SSL_CTX *tctx = s->initial_ctx;
--    /* Need at least keyname + iv + some encrypted data */
--    if (eticklen < 48)
--        return 2;
-+
-     /* Initialize session ticket encryption and HMAC contexts */
-     HMAC_CTX_init(&hctx);
-     EVP_CIPHER_CTX_init(&ctx);
-@@ -2309,6 +2307,13 @@ static int tls_decrypt_ticket(SSL *s, const unsigned char *etick,
-     if (mlen < 0) {
-         goto err;
-     }
-+    /* Sanity check ticket length: must exceed keyname + IV + HMAC */
-+    if (eticklen <= 16 + EVP_CIPHER_CTX_iv_length(&ctx) + mlen) {
-+        HMAC_CTX_cleanup(&hctx);
-+        EVP_CIPHER_CTX_cleanup(&ctx);
-+        return 2;
-+    }
-+
-     eticklen -= mlen;
-     /* Check HMAC of encrypted ticket */
-     if (HMAC_Update(&hctx, etick, eticklen) <= 0
--- 
-2.9.3
-

Deleted: openssl/branches/jessie/debian/patches/CVE-2016-6303.patch
===================================================================
--- openssl/branches/jessie/debian/patches/CVE-2016-6303.patch	2017-01-26 21:05:54 UTC (rev 887)
+++ openssl/branches/jessie/debian/patches/CVE-2016-6303.patch	2017-01-26 21:12:45 UTC (rev 888)
@@ -1,31 +0,0 @@
-From 2b4029e68fd7002d2307e6c3cde0f3784eef9c83 Mon Sep 17 00:00:00 2001
-From: "Dr. Stephen Henson" <steve at openssl.org>
-Date: Fri, 19 Aug 2016 23:28:29 +0100
-Subject: [PATCH] Avoid overflow in MDC2_Update()
-
-Thanks to Shi Lei for reporting this issue.
-
-CVE-2016-6303
-
-Reviewed-by: Matt Caswell <matt at openssl.org>
-(cherry picked from commit 55d83bf7c10c7b205fffa23fa7c3977491e56c07)
----
- crypto/mdc2/mdc2dgst.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/crypto/mdc2/mdc2dgst.c b/crypto/mdc2/mdc2dgst.c
-index 6615cf8..2dce493 100644
---- a/crypto/mdc2/mdc2dgst.c
-+++ b/crypto/mdc2/mdc2dgst.c
-@@ -91,7 +91,7 @@ int MDC2_Update(MDC2_CTX *c, const unsigned char *in, size_t len)
- 
-     i = c->num;
-     if (i != 0) {
--        if (i + len < MDC2_BLOCK) {
-+        if (len < MDC2_BLOCK - i) {
-             /* partial block */
-             memcpy(&(c->data[i]), in, len);
-             c->num += (int)len;
--- 
-2.9.3
-

Deleted: openssl/branches/jessie/debian/patches/CVE-2016-6304.patch
===================================================================
--- openssl/branches/jessie/debian/patches/CVE-2016-6304.patch	2017-01-26 21:05:54 UTC (rev 887)
+++ openssl/branches/jessie/debian/patches/CVE-2016-6304.patch	2017-01-26 21:12:45 UTC (rev 888)
@@ -1,70 +0,0 @@
-From 73e8ae66b0b7d6534699492d127d457d2540a762 Mon Sep 17 00:00:00 2001
-From: Matt Caswell <matt at openssl.org>
-Date: Fri, 9 Sep 2016 10:08:45 +0100
-Subject: [PATCH] Fix OCSP Status Request extension unbounded memory growth
-
-A malicious client can send an excessively large OCSP Status Request
-extension. If that client continually requests renegotiation,
-sending a large OCSP Status Request extension each time, then there will
-be unbounded memory growth on the server. This will eventually lead to a
-Denial Of Service attack through memory exhaustion. Servers with a
-default configuration are vulnerable even if they do not support OCSP.
-Builds using the "no-ocsp" build time option are not affected.
-
-I have also checked other extensions to see if they suffer from a similar
-problem but I could not find any other issues.
-
-CVE-2016-6304
-
-Issue reported by Shi Lei.
-
-Reviewed-by: Rich Salz <rsalz at openssl.org>
----
- ssl/t1_lib.c | 24 +++++++++++++++++-------
- 1 file changed, 17 insertions(+), 7 deletions(-)
-
-diff --git a/ssl/t1_lib.c b/ssl/t1_lib.c
-index 7680491..4bc13ca 100644
---- a/ssl/t1_lib.c
-+++ b/ssl/t1_lib.c
-@@ -1284,6 +1284,23 @@ int ssl_parse_clienthello_tlsext(SSL *s, unsigned char **p,
-                 size -= 2;
-                 if (dsize > size)
-                     goto err;
-+
-+                /*
-+                 * We remove any OCSP_RESPIDs from a previous handshake
-+                 * to prevent unbounded memory growth - CVE-2016-6304
-+                 */
-+                sk_OCSP_RESPID_pop_free(s->tlsext_ocsp_ids,
-+                                        OCSP_RESPID_free);
-+                if (dsize > 0) {
-+                    s->tlsext_ocsp_ids = sk_OCSP_RESPID_new_null();
-+                    if (s->tlsext_ocsp_ids == NULL) {
-+                        *al = SSL_AD_INTERNAL_ERROR;
-+                        return 0;
-+                    }
-+                } else {
-+                    s->tlsext_ocsp_ids = NULL;
-+                }
-+
-                 while (dsize > 0) {
-                     OCSP_RESPID *id;
-                     int idsize;
-@@ -1303,13 +1320,6 @@ int ssl_parse_clienthello_tlsext(SSL *s, unsigned char **p,
-                         OCSP_RESPID_free(id);
-                         goto err;
-                     }
--                    if (!s->tlsext_ocsp_ids
--                        && !(s->tlsext_ocsp_ids =
--                             sk_OCSP_RESPID_new_null())) {
--                        OCSP_RESPID_free(id);
--                        *al = SSL_AD_INTERNAL_ERROR;
--                        return 0;
--                    }
-                     if (!sk_OCSP_RESPID_push(s->tlsext_ocsp_ids, id)) {
-                         OCSP_RESPID_free(id);
-                         *al = SSL_AD_INTERNAL_ERROR;
--- 
-2.9.3
-

Deleted: openssl/branches/jessie/debian/patches/CVE-2016-6306.patch
===================================================================
--- openssl/branches/jessie/debian/patches/CVE-2016-6306.patch	2017-01-26 21:05:54 UTC (rev 887)
+++ openssl/branches/jessie/debian/patches/CVE-2016-6306.patch	2017-01-26 21:12:45 UTC (rev 888)
@@ -1,102 +0,0 @@
-From 52e623c4cb06fffa9d5e75c60b34b4bc130b12e9 Mon Sep 17 00:00:00 2001
-From: "Dr. Stephen Henson" <steve at openssl.org>
-Date: Sat, 17 Sep 2016 12:36:58 +0100
-Subject: [PATCH] Fix small OOB reads.
-
-In ssl3_get_client_certificate, ssl3_get_server_certificate and
-ssl3_get_certificate_request check we have enough room
-before reading a length.
-
-Thanks to Shi Lei (Gear Team, Qihoo 360 Inc.) for reporting these bugs.
-
-CVE-2016-6306
-
-Reviewed-by: Richard Levitte <levitte at openssl.org>
-Reviewed-by: Matt Caswell <matt at openssl.org>
-(cherry picked from commit ff553f837172ecb2b5c8eca257ec3c5619a4b299)
----
- ssl/s3_clnt.c | 11 +++++++++++
- ssl/s3_srvr.c |  6 ++++++
- 2 files changed, 17 insertions(+)
-
-Index: openssl-1.0.1t/ssl/s3_clnt.c
-===================================================================
---- openssl-1.0.1t.orig/ssl/s3_clnt.c
-+++ openssl-1.0.1t/ssl/s3_clnt.c
-@@ -1143,6 +1143,12 @@ int ssl3_get_server_certificate(SSL *s)
-         goto f_err;
-     }
-     for (nc = 0; nc < llen;) {
-+        if (nc + 3 > llen) {
-+            al = SSL_AD_DECODE_ERROR;
-+            SSLerr(SSL_F_SSL3_GET_SERVER_CERTIFICATE,
-+                   SSL_R_CERT_LENGTH_MISMATCH);
-+            goto f_err;
-+        }
-         n2l3(p, l);
-         if ((l + nc + 3) > llen) {
-             al = SSL_AD_DECODE_ERROR;
-@@ -2072,6 +2078,11 @@ int ssl3_get_certificate_request(SSL *s)
-     }
- 
-     for (nc = 0; nc < llen;) {
-+        if (nc + 2 > llen) {
-+            ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);
-+            SSLerr(SSL_F_SSL3_GET_CERTIFICATE_REQUEST, SSL_R_CA_DN_TOO_LONG);
-+            goto err;
-+        }
-         n2s(p, l);
-         if ((l + nc + 2) > llen) {
-             if ((s->options & SSL_OP_NETSCAPE_CA_DN_BUG))
-Index: openssl-1.0.1t/ssl/s3_srvr.c
-===================================================================
---- openssl-1.0.1t.orig/ssl/s3_srvr.c
-+++ openssl-1.0.1t/ssl/s3_srvr.c
-@@ -3237,6 +3237,12 @@ int ssl3_get_client_certificate(SSL *s)
-         goto f_err;
-     }
-     for (nc = 0; nc < llen;) {
-+        if (nc + 3 > llen) {
-+            al = SSL_AD_DECODE_ERROR;
-+            SSLerr(SSL_F_SSL3_GET_CLIENT_CERTIFICATE,
-+                   SSL_R_CERT_LENGTH_MISMATCH);
-+            goto f_err;
-+        }
-         n2l3(p, l);
-         if ((l + nc + 3) > llen) {
-             al = SSL_AD_DECODE_ERROR;
-Index: openssl-1.0.1t/ssl/d1_both.c
-===================================================================
---- openssl-1.0.1t.orig/ssl/d1_both.c
-+++ openssl-1.0.1t/ssl/d1_both.c
-@@ -577,9 +577,12 @@ static int dtls1_preprocess_fragment(SSL
-         /*
-          * msg_len is limited to 2^24, but is effectively checked against max
-          * above
-+         *
-+         * Make buffer slightly larger than message length as a precaution
-+         * against small OOB reads e.g. CVE-2016-6306
-          */
-         if (!BUF_MEM_grow_clean
--            (s->init_buf, msg_len + DTLS1_HM_HEADER_LENGTH)) {
-+            (s->init_buf, msg_len + DTLS1_HM_HEADER_LENGTH + 16)) {
-             SSLerr(SSL_F_DTLS1_PREPROCESS_FRAGMENT, ERR_R_BUF_LIB);
-             return SSL_AD_INTERNAL_ERROR;
-         }
-Index: openssl-1.0.1t/ssl/s3_both.c
-===================================================================
---- openssl-1.0.1t.orig/ssl/s3_both.c
-+++ openssl-1.0.1t/ssl/s3_both.c
-@@ -502,7 +502,11 @@ long ssl3_get_message(SSL *s, int st1, i
-             SSLerr(SSL_F_SSL3_GET_MESSAGE, SSL_R_EXCESSIVE_MESSAGE_SIZE);
-             goto f_err;
-         }
--        if (l && !BUF_MEM_grow_clean(s->init_buf, (int)l + 4)) {
-+        /*
-+         * Make buffer slightly larger than message length as a precaution
-+         * against small OOB reads e.g. CVE-2016-6306
-+         */
-+        if (l && !BUF_MEM_grow_clean(s->init_buf, (int)l + 4 + 16)) {
-             SSLerr(SSL_F_SSL3_GET_MESSAGE, ERR_R_BUF_LIB);
-             goto err;
-         }

Deleted: openssl/branches/jessie/debian/patches/Fix-name-length-limit-check.patch
===================================================================
--- openssl/branches/jessie/debian/patches/Fix-name-length-limit-check.patch	2017-01-26 21:05:54 UTC (rev 887)
+++ openssl/branches/jessie/debian/patches/Fix-name-length-limit-check.patch	2017-01-26 21:12:45 UTC (rev 888)
@@ -1,40 +0,0 @@
-From b583c1bd069f6928c3973dc6d6864930f6c4bb3e Mon Sep 17 00:00:00 2001
-From: "Dr. Stephen Henson" <steve at openssl.org>
-Date: Wed, 4 May 2016 16:09:06 +0100
-Subject: [PATCH] Fix name length limit check.
-
-The name length limit check in x509_name_ex_d2i() includes
-the containing structure as well as the actual X509_NAME. This will
-cause large CRLs to be rejected.
-
-Fix by limiting the length passed to ASN1_item_ex_d2i() which will
-then return an error if the passed X509_NAME exceeds the length.
-
-RT#4531
-
-Reviewed-by: Rich Salz <rsalz at openssl.org>
-(cherry picked from commit 4e0d184ac1dde845ba9574872e2ae5c903c81dff)
----
- crypto/asn1/x_name.c | 6 ++----
- 1 file changed, 2 insertions(+), 4 deletions(-)
-
-diff --git a/crypto/asn1/x_name.c b/crypto/asn1/x_name.c
-index a858c29..26378fd 100644
---- a/crypto/asn1/x_name.c
-+++ b/crypto/asn1/x_name.c
-@@ -199,10 +199,8 @@ static int x509_name_ex_d2i(ASN1_VALUE **val,
-     int i, j, ret;
-     STACK_OF(X509_NAME_ENTRY) *entries;
-     X509_NAME_ENTRY *entry;
--    if (len > X509_NAME_MAX) {
--        ASN1err(ASN1_F_X509_NAME_EX_D2I, ASN1_R_TOO_LONG);
--        return 0;
--    }
-+    if (len > X509_NAME_MAX)
-+        len = X509_NAME_MAX;
-     q = p;
- 
-     /* Get internal representation of Name */
--- 
-2.8.1
-

Deleted: openssl/branches/jessie/debian/patches/Update-S-MIME-certificates.patch
===================================================================
--- openssl/branches/jessie/debian/patches/Update-S-MIME-certificates.patch	2017-01-26 21:05:54 UTC (rev 887)
+++ openssl/branches/jessie/debian/patches/Update-S-MIME-certificates.patch	2017-01-26 21:12:45 UTC (rev 888)
@@ -1,596 +0,0 @@
-From 24762dee178bace3c39d6bdbea44f0455d9a240b Mon Sep 17 00:00:00 2001
-From: "Dr. Stephen Henson" <steve at openssl.org>
-Date: Wed, 11 May 2016 18:00:52 +0100
-Subject: [PATCH] Update S/MIME certificates.
-
-Reviewed-by: Viktor Dukhovni <viktor at openssl.org>
----
- test/smime-certs/smdsa1.pem | 75 ++++++++++++++++++++++++++-------------------
- test/smime-certs/smdsa2.pem | 75 ++++++++++++++++++++++++++-------------------
- test/smime-certs/smdsa3.pem | 75 ++++++++++++++++++++++++++-------------------
- test/smime-certs/smroot.pem | 75 ++++++++++++++++++++++++++++-----------------
- test/smime-certs/smrsa1.pem | 74 +++++++++++++++++++++++++++-----------------
- test/smime-certs/smrsa2.pem | 74 +++++++++++++++++++++++++++-----------------
- test/smime-certs/smrsa3.pem | 74 +++++++++++++++++++++++++++-----------------
- 7 files changed, 317 insertions(+), 205 deletions(-)
-
-diff --git a/test/smime-certs/smdsa1.pem b/test/smime-certs/smdsa1.pem
-index d5677dbfbec4..b424f6704ed9 100644
---- a/test/smime-certs/smdsa1.pem
-+++ b/test/smime-certs/smdsa1.pem
-@@ -1,34 +1,47 @@
-------BEGIN DSA PRIVATE KEY-----
--MIIBuwIBAAKBgQDFJfsIPOIawMO5biw+AoYUhNVxReBOLQosU3Qv4B8krac0BNr3
--OjSGLh1wZxHqhlAE0QmasTaKojuk20nNWeFnczSz6vDl0IVJEhS8VYor5kt9gLqt
--GcoAgsf4gRDIutJyQDaNn3IVY89uXUVIoexvQeLQDBCgQPC5O8rJdqBwtwIVAK2J
--jt+dqk07eQUE59koYUEKyNorAoGBAI4IEpusf8G14kCHmRtnHXM2tG5EWJDmW6Qt
--wjqvWp1GKUx5WFy1tVWR9nl5rL0Di+kNdENo+SkKj7h3uDulGOI6T0mQYbV2h1IK
--+FMOGnOqvZ8eNTE2n4PGTo5puZ63LBm+QYrQsrNiUY4vakLFQ2rEK/SLwdsDFK4Z
--SJCBQw5zAoGATQlPPF+OeU8nu3rsdXGDiZdJzOkuCce3KQfTABA9C+Dk4CVcvBdd
--YRLGpnykumkNTO1sTO+4/Gphsuje1ujK9td4UEhdYqylCe5QjEMrszDlJtelDQF9
--C0yhdjKGTP0kxofLhsGckcuQvcKEKffT2pDDKJIy4vWQO0UyJl1vjLcCFG2uiGGx
--9fMUZq1v0ePD4Wo0Xkxo
-------END DSA PRIVATE KEY-----
-+-----BEGIN PRIVATE KEY-----
-+MIICZQIBADCCAjkGByqGSM44BAEwggIsAoIBAQCQfLlNdehPnTrGIMhw4rk0uua6
-+k1nCG3zcyfXli17BdB2k0HBPaTA3a3ZHfOt1Awy0Uu0wZ3gdPr9z0I64hnJXIGou
-+zIanZ7nYRImHtX5JMFbXeyxo1Owd2Zs3oEk9nQUoUsMxvmYC/ghPL5Zx1pPxcHCO
-+wzWxoG4yZMjimXOc1/W7zvK/4/g/Cz9fItD3zdcydfgM/hK0/CeYQ21xfhqf4mjK
-+v9plnCcWgToGI+7H8VK80MFbkO2QKRz3vP1/TjK6PRm9sEeB5b10+SvGv2j2w+CC
-+0fXL4s6n7PtBlm/bww8xL1/Az8kwejUcII1Dc8uNwwISwGbwaGBvl7IHpm21AiEA
-+rodZi+nCKZdTL8IgCjX3n0DuhPRkVQPjz/B6VweLW9MCggEAfimkUNwnsGFp7mKM
-+zJKhHoQkMB1qJzyIHjDzQ/J1xjfoF6i27afw1/WKboND5eseZhlhA2TO5ZJB6nGx
-+DOE9lVQxYVml++cQj6foHh1TVJAgGl4mWuveW/Rz+NEhpK4zVeEsfMrbkBypPByy
-+xzF1Z49t568xdIo+e8jLI8FjEdXOIUg4ehB3NY6SL8r4oJ49j/sJWfHcDoWH/LK9
-+ZaBF8NpflJe3F40S8RDvM8j2HC+y2Q4QyKk1DXGiH+7yQLGWzr3M73kC3UBnnH0h
-+Hxb7ISDCT7dCw/lH1nCbVFBOM0ASI26SSsFSXQrvD2kryRcTZ0KkyyhhoPODWpU+
-+TQMsxQQjAiEAkolGvb/76X3vm5Ov09ezqyBYt9cdj/FLH7DyMkxO7X0=
-+-----END PRIVATE KEY-----
- -----BEGIN CERTIFICATE-----
--MIIDpDCCAw2gAwIBAgIJAMtotfHYdEsWMA0GCSqGSIb3DQEBBQUAMEQxCzAJBgNV
--BAYTAlVLMRYwFAYDVQQKEw1PcGVuU1NMIEdyb3VwMR0wGwYDVQQDExRUZXN0IFMv
--TUlNRSBSU0EgUm9vdDAeFw0wODAyMjIxMzUzMDlaFw0xNjA1MTAxMzUzMDlaMEUx
-+MIIFkDCCBHigAwIBAgIJANk5lu6mSyBDMA0GCSqGSIb3DQEBBQUAMEQxCzAJBgNV
-+BAYTAlVLMRYwFAYDVQQKDA1PcGVuU1NMIEdyb3VwMR0wGwYDVQQDDBRUZXN0IFMv
-+TUlNRSBSU0EgUm9vdDAeFw0xMzA3MTcxNzI4MzFaFw0yMzA1MjYxNzI4MzFaMEUx
- CzAJBgNVBAYTAlVLMRYwFAYDVQQKDA1PcGVuU1NMIEdyb3VwMR4wHAYDVQQDDBVU
--ZXN0IFMvTUlNRSBFRSBEU0EgIzEwggG3MIIBLAYHKoZIzjgEATCCAR8CgYEAxSX7
--CDziGsDDuW4sPgKGFITVcUXgTi0KLFN0L+AfJK2nNATa9zo0hi4dcGcR6oZQBNEJ
--mrE2iqI7pNtJzVnhZ3M0s+rw5dCFSRIUvFWKK+ZLfYC6rRnKAILH+IEQyLrSckA2
--jZ9yFWPPbl1FSKHsb0Hi0AwQoEDwuTvKyXagcLcCFQCtiY7fnapNO3kFBOfZKGFB
--CsjaKwKBgQCOCBKbrH/BteJAh5kbZx1zNrRuRFiQ5lukLcI6r1qdRilMeVhctbVV
--kfZ5eay9A4vpDXRDaPkpCo+4d7g7pRjiOk9JkGG1dodSCvhTDhpzqr2fHjUxNp+D
--xk6OabmetywZvkGK0LKzYlGOL2pCxUNqxCv0i8HbAxSuGUiQgUMOcwOBhAACgYBN
--CU88X455Tye7eux1cYOJl0nM6S4Jx7cpB9MAED0L4OTgJVy8F11hEsamfKS6aQ1M
--7WxM77j8amGy6N7W6Mr213hQSF1irKUJ7lCMQyuzMOUm16UNAX0LTKF2MoZM/STG
--h8uGwZyRy5C9woQp99PakMMokjLi9ZA7RTImXW+Mt6OBgzCBgDAdBgNVHQ4EFgQU
--4Qfbhpi5yqXaXuCLXj427mR25MkwHwYDVR0jBBgwFoAUE89Lp7uJLrM4Vxd2xput
--aFvl7RcwDAYDVR0TAQH/BAIwADAOBgNVHQ8BAf8EBAMCBsAwIAYDVR0RBBkwF4EV
--c21pbWVkc2ExQG9wZW5zc2wub3JnMA0GCSqGSIb3DQEBBQUAA4GBAFrdUzKK1pWO
--kd02S423KUBc4GWWyiGlVoEO7WxVhHLJ8sm67X7OtJOwe0UGt+Nc5qLtyJYSirw8
--phjiTdNpQCTJ8+Kc56tWkJ6H7NAI4vTJtPL5BM/EmeYrVSU9JI9xhqpyKw9IBD+n
--hRJ79W9FaiJRvaAOX+TkyTukJrxAWRyv
-+ZXN0IFMvTUlNRSBFRSBEU0EgIzEwggNGMIICOQYHKoZIzjgEATCCAiwCggEBAJB8
-+uU116E+dOsYgyHDiuTS65rqTWcIbfNzJ9eWLXsF0HaTQcE9pMDdrdkd863UDDLRS
-+7TBneB0+v3PQjriGclcgai7MhqdnudhEiYe1fkkwVtd7LGjU7B3ZmzegST2dBShS
-+wzG+ZgL+CE8vlnHWk/FwcI7DNbGgbjJkyOKZc5zX9bvO8r/j+D8LP18i0PfN1zJ1
-++Az+ErT8J5hDbXF+Gp/iaMq/2mWcJxaBOgYj7sfxUrzQwVuQ7ZApHPe8/X9OMro9
-+Gb2wR4HlvXT5K8a/aPbD4ILR9cvizqfs+0GWb9vDDzEvX8DPyTB6NRwgjUNzy43D
-+AhLAZvBoYG+XsgembbUCIQCuh1mL6cIpl1MvwiAKNfefQO6E9GRVA+PP8HpXB4tb
-+0wKCAQB+KaRQ3CewYWnuYozMkqEehCQwHWonPIgeMPND8nXGN+gXqLbtp/DX9Ypu
-+g0Pl6x5mGWEDZM7lkkHqcbEM4T2VVDFhWaX75xCPp+geHVNUkCAaXiZa695b9HP4
-+0SGkrjNV4Sx8ytuQHKk8HLLHMXVnj23nrzF0ij57yMsjwWMR1c4hSDh6EHc1jpIv
-+yvignj2P+wlZ8dwOhYf8sr1loEXw2l+Ul7cXjRLxEO8zyPYcL7LZDhDIqTUNcaIf
-+7vJAsZbOvczveQLdQGecfSEfFvshIMJPt0LD+UfWcJtUUE4zQBIjbpJKwVJdCu8P
-+aSvJFxNnQqTLKGGg84NalT5NAyzFA4IBBQACggEAGXSQADbuRIZBjiQ6NikwZl+x
-+EDEffIE0RWbvwf1tfWxw4ZvanO/djyz5FePO0AIJDBCLUjr9D32nkmIG1Hu3dWgV
-+86knQsM6uFiMSzY9nkJGZOlH3w4NHLE78pk75xR1sg1MEZr4x/t+a/ea9Y4AXklE
-+DCcaHtpMGeAx3ZAqSKec+zQOOA73JWP1/gYHGdYyTQpQtwRTsh0Gi5mOOdpoJ0vp
-+O83xYbFCZ+ZZKX1RWOjJe2OQBRtw739q1nRga1VMLAT/LFSQsSE3IOp8hiWbjnit
-+1SE6q3II2a/aHZH/x4OzszfmtQfmerty3eQSq3bgajfxCsccnRjSbLeNiazRSKNg
-+MF4wDAYDVR0TAQH/BAIwADAOBgNVHQ8BAf8EBAMCBeAwHQYDVR0OBBYEFNHQYTOO
-+xaZ/N68OpxqjHKuatw6sMB8GA1UdIwQYMBaAFMmRUwpjexZbi71E8HaIqSTm5bZs
-+MA0GCSqGSIb3DQEBBQUAA4IBAQAAiLociMMXcLkO/uKjAjCIQMrsghrOrxn4ZGBx
-+d/mCTeqPxhcrX2UorwxVCKI2+Dmz5dTC2xKprtvkiIadJamJmxYYzeF1pgRriFN3
-+MkmMMkTbe/ekSvSeMtHQ2nHDCAJIaA/k9akWfA0+26Ec25/JKMrl3LttllsJMK1z
-+Xj7TcQpAIWORKWSNxY/ezM34+9ABHDZB2waubFqS+irlZsn38aZRuUI0K67fuuIt
-+17vMUBqQpe2hfNAjpZ8dIpEdAGjQ6izV2uwP1lXbiaK9U4dvUqmwyCIPniX7Hpaf
-+0VnX0mEViXMT6vWZTjLBUv0oKmO7xBkWHIaaX6oyF32pK5AO
- -----END CERTIFICATE-----
-diff --git a/test/smime-certs/smdsa2.pem b/test/smime-certs/smdsa2.pem
-index ef86c115d7f9..648447fc89a1 100644
---- a/test/smime-certs/smdsa2.pem
-+++ b/test/smime-certs/smdsa2.pem
-@@ -1,34 +1,47 @@
-------BEGIN DSA PRIVATE KEY-----
--MIIBvAIBAAKBgQDFJfsIPOIawMO5biw+AoYUhNVxReBOLQosU3Qv4B8krac0BNr3
--OjSGLh1wZxHqhlAE0QmasTaKojuk20nNWeFnczSz6vDl0IVJEhS8VYor5kt9gLqt
--GcoAgsf4gRDIutJyQDaNn3IVY89uXUVIoexvQeLQDBCgQPC5O8rJdqBwtwIVAK2J
--jt+dqk07eQUE59koYUEKyNorAoGBAI4IEpusf8G14kCHmRtnHXM2tG5EWJDmW6Qt
--wjqvWp1GKUx5WFy1tVWR9nl5rL0Di+kNdENo+SkKj7h3uDulGOI6T0mQYbV2h1IK
--+FMOGnOqvZ8eNTE2n4PGTo5puZ63LBm+QYrQsrNiUY4vakLFQ2rEK/SLwdsDFK4Z
--SJCBQw5zAoGBAIPmO8BtJ+Yac58trrPwq9b/6VW3jQTWzTLWSH84/QQdqQa+Pz3v
--It/+hHM0daNF5uls8ICsPL1aLXmRx0pHvIyb0aAzYae4T4Jv/COPDMTdKbA1uitJ
--VbkGZrm+LIrs7I9lOkb4T0vI6kL/XdOCXY1469zsqCgJ/O2ibn6mq0nWAhR716o2
--Nf8SimTZYB0/CKje6M5ufA==
-------END DSA PRIVATE KEY-----
-+-----BEGIN PRIVATE KEY-----
-+MIICZAIBADCCAjkGByqGSM44BAEwggIsAoIBAQCQfLlNdehPnTrGIMhw4rk0uua6
-+k1nCG3zcyfXli17BdB2k0HBPaTA3a3ZHfOt1Awy0Uu0wZ3gdPr9z0I64hnJXIGou
-+zIanZ7nYRImHtX5JMFbXeyxo1Owd2Zs3oEk9nQUoUsMxvmYC/ghPL5Zx1pPxcHCO
-+wzWxoG4yZMjimXOc1/W7zvK/4/g/Cz9fItD3zdcydfgM/hK0/CeYQ21xfhqf4mjK
-+v9plnCcWgToGI+7H8VK80MFbkO2QKRz3vP1/TjK6PRm9sEeB5b10+SvGv2j2w+CC
-+0fXL4s6n7PtBlm/bww8xL1/Az8kwejUcII1Dc8uNwwISwGbwaGBvl7IHpm21AiEA
-+rodZi+nCKZdTL8IgCjX3n0DuhPRkVQPjz/B6VweLW9MCggEAfimkUNwnsGFp7mKM
-+zJKhHoQkMB1qJzyIHjDzQ/J1xjfoF6i27afw1/WKboND5eseZhlhA2TO5ZJB6nGx
-+DOE9lVQxYVml++cQj6foHh1TVJAgGl4mWuveW/Rz+NEhpK4zVeEsfMrbkBypPByy
-+xzF1Z49t568xdIo+e8jLI8FjEdXOIUg4ehB3NY6SL8r4oJ49j/sJWfHcDoWH/LK9
-+ZaBF8NpflJe3F40S8RDvM8j2HC+y2Q4QyKk1DXGiH+7yQLGWzr3M73kC3UBnnH0h
-+Hxb7ISDCT7dCw/lH1nCbVFBOM0ASI26SSsFSXQrvD2kryRcTZ0KkyyhhoPODWpU+
-+TQMsxQQiAiAdCUJ5n2Q9hIynN8BMpnRcdfH696BKejGx+2Mr2kfnnA==
-+-----END PRIVATE KEY-----
- -----BEGIN CERTIFICATE-----
--MIIDpTCCAw6gAwIBAgIJAMtotfHYdEsXMA0GCSqGSIb3DQEBBQUAMEQxCzAJBgNV
--BAYTAlVLMRYwFAYDVQQKEw1PcGVuU1NMIEdyb3VwMR0wGwYDVQQDExRUZXN0IFMv
--TUlNRSBSU0EgUm9vdDAeFw0wODAyMjIxMzUzMDlaFw0xNjA1MTAxMzUzMDlaMEUx
-+MIIFkDCCBHigAwIBAgIJANk5lu6mSyBEMA0GCSqGSIb3DQEBBQUAMEQxCzAJBgNV
-+BAYTAlVLMRYwFAYDVQQKDA1PcGVuU1NMIEdyb3VwMR0wGwYDVQQDDBRUZXN0IFMv
-+TUlNRSBSU0EgUm9vdDAeFw0xMzA3MTcxNzI4MzFaFw0yMzA1MjYxNzI4MzFaMEUx
- CzAJBgNVBAYTAlVLMRYwFAYDVQQKDA1PcGVuU1NMIEdyb3VwMR4wHAYDVQQDDBVU
--ZXN0IFMvTUlNRSBFRSBEU0EgIzIwggG4MIIBLAYHKoZIzjgEATCCAR8CgYEAxSX7
--CDziGsDDuW4sPgKGFITVcUXgTi0KLFN0L+AfJK2nNATa9zo0hi4dcGcR6oZQBNEJ
--mrE2iqI7pNtJzVnhZ3M0s+rw5dCFSRIUvFWKK+ZLfYC6rRnKAILH+IEQyLrSckA2
--jZ9yFWPPbl1FSKHsb0Hi0AwQoEDwuTvKyXagcLcCFQCtiY7fnapNO3kFBOfZKGFB
--CsjaKwKBgQCOCBKbrH/BteJAh5kbZx1zNrRuRFiQ5lukLcI6r1qdRilMeVhctbVV
--kfZ5eay9A4vpDXRDaPkpCo+4d7g7pRjiOk9JkGG1dodSCvhTDhpzqr2fHjUxNp+D
--xk6OabmetywZvkGK0LKzYlGOL2pCxUNqxCv0i8HbAxSuGUiQgUMOcwOBhQACgYEA
--g+Y7wG0n5hpzny2us/Cr1v/pVbeNBNbNMtZIfzj9BB2pBr4/Pe8i3/6EczR1o0Xm
--6WzwgKw8vVoteZHHSke8jJvRoDNhp7hPgm/8I48MxN0psDW6K0lVuQZmub4siuzs
--j2U6RvhPS8jqQv9d04JdjXjr3OyoKAn87aJufqarSdajgYMwgYAwHQYDVR0OBBYE
--FHsAGNfVltSYUq4hC+YVYwsYtA+dMB8GA1UdIwQYMBaAFBPPS6e7iS6zOFcXdsab
--rWhb5e0XMAwGA1UdEwEB/wQCMAAwDgYDVR0PAQH/BAQDAgbAMCAGA1UdEQQZMBeB
--FXNtaW1lZHNhMkBvcGVuc3NsLm9yZzANBgkqhkiG9w0BAQUFAAOBgQCx9BtCbaYF
--FXjLClkuKXbESaDZA1biPgY25i00FsUzARuhCpqD2v+0tu5c33ZzIhL6xlvBRU5l
--6Atw/xpZhae+hdBEtxPJoGekLLrHOau7Md3XwDjV4lFgcEJkWZoaSOOIK+4D5jF0
--jZWtHjnwEzuLYlo7ScHSsbcQfjH0M1TP5A==
-+ZXN0IFMvTUlNRSBFRSBEU0EgIzIwggNGMIICOQYHKoZIzjgEATCCAiwCggEBAJB8
-+uU116E+dOsYgyHDiuTS65rqTWcIbfNzJ9eWLXsF0HaTQcE9pMDdrdkd863UDDLRS
-+7TBneB0+v3PQjriGclcgai7MhqdnudhEiYe1fkkwVtd7LGjU7B3ZmzegST2dBShS
-+wzG+ZgL+CE8vlnHWk/FwcI7DNbGgbjJkyOKZc5zX9bvO8r/j+D8LP18i0PfN1zJ1
-++Az+ErT8J5hDbXF+Gp/iaMq/2mWcJxaBOgYj7sfxUrzQwVuQ7ZApHPe8/X9OMro9
-+Gb2wR4HlvXT5K8a/aPbD4ILR9cvizqfs+0GWb9vDDzEvX8DPyTB6NRwgjUNzy43D
-+AhLAZvBoYG+XsgembbUCIQCuh1mL6cIpl1MvwiAKNfefQO6E9GRVA+PP8HpXB4tb
-+0wKCAQB+KaRQ3CewYWnuYozMkqEehCQwHWonPIgeMPND8nXGN+gXqLbtp/DX9Ypu
-+g0Pl6x5mGWEDZM7lkkHqcbEM4T2VVDFhWaX75xCPp+geHVNUkCAaXiZa695b9HP4
-+0SGkrjNV4Sx8ytuQHKk8HLLHMXVnj23nrzF0ij57yMsjwWMR1c4hSDh6EHc1jpIv
-+yvignj2P+wlZ8dwOhYf8sr1loEXw2l+Ul7cXjRLxEO8zyPYcL7LZDhDIqTUNcaIf
-+7vJAsZbOvczveQLdQGecfSEfFvshIMJPt0LD+UfWcJtUUE4zQBIjbpJKwVJdCu8P
-+aSvJFxNnQqTLKGGg84NalT5NAyzFA4IBBQACggEAItQlFu0t7Mw1HHROuuwKLS+E
-+h2WNNZP96MLQTygOVlqgaJY+1mJLzvl/51LLH6YezX0t89Z2Dm/3SOJEdNrdbIEt
-+tbu5rzymXxFhc8uaIYZFhST38oQwJOjM8wFitAQESe6/9HZjkexMqSqx/r5aEKTa
-+LBinqA1BJRI72So1/1dv8P99FavPADdj8V7fAccReKEQKnfnwA7mrnD+OlIqFKFn
-+3wCGk8Sw7tSJ9g6jgCI+zFwrKn2w+w+iot/Ogxl9yMAtKmAd689IAZr5GPPvV2y0
-+KOogCiUYgSTSawZhr+rjyFavfI5dBWzMq4tKx/zAi6MJ+6hGJjJ8jHoT9JAPmaNg
-+MF4wDAYDVR0TAQH/BAIwADAOBgNVHQ8BAf8EBAMCBeAwHQYDVR0OBBYEFGaxw04k
-+qpufeGZC+TTBq8oMnXyrMB8GA1UdIwQYMBaAFMmRUwpjexZbi71E8HaIqSTm5bZs
-+MA0GCSqGSIb3DQEBBQUAA4IBAQCk2Xob1ICsdHYx/YsBzY6E1eEwcI4RZbZ3hEXp
-+VA72/Mbz60gjv1OwE5Ay4j+xG7IpTio6y2A9ZNepGpzidYcsL/Lx9Sv1LlN0Ukzb
-+uk6Czd2sZJp+PFMTTrgCd5rXKnZs/0D84Vci611vGMA1hnUnbAnBBmgLXe9pDNRV
-+6mhmCLLjJ4GOr5Wxt/hhknr7V2e1VMx3Q47GZhc0o/gExfhxXA8+gicM0nEYNakD
-+2A1F0qDhQGakjuofANHhjdUDqKJ1sxurAy80fqb0ddzJt2el89iXKN+aXx/zEX96
-+GI5ON7z/bkVwIi549lUOpWb2Mved61NBzCLKVP7HSuEIsC/I
- -----END CERTIFICATE-----
-diff --git a/test/smime-certs/smdsa3.pem b/test/smime-certs/smdsa3.pem
-index eeb848dabc50..77acc5e46ffc 100644
---- a/test/smime-certs/smdsa3.pem
-+++ b/test/smime-certs/smdsa3.pem
-@@ -1,34 +1,47 @@
-------BEGIN DSA PRIVATE KEY-----
--MIIBvAIBAAKBgQDFJfsIPOIawMO5biw+AoYUhNVxReBOLQosU3Qv4B8krac0BNr3
--OjSGLh1wZxHqhlAE0QmasTaKojuk20nNWeFnczSz6vDl0IVJEhS8VYor5kt9gLqt
--GcoAgsf4gRDIutJyQDaNn3IVY89uXUVIoexvQeLQDBCgQPC5O8rJdqBwtwIVAK2J
--jt+dqk07eQUE59koYUEKyNorAoGBAI4IEpusf8G14kCHmRtnHXM2tG5EWJDmW6Qt
--wjqvWp1GKUx5WFy1tVWR9nl5rL0Di+kNdENo+SkKj7h3uDulGOI6T0mQYbV2h1IK
--+FMOGnOqvZ8eNTE2n4PGTo5puZ63LBm+QYrQsrNiUY4vakLFQ2rEK/SLwdsDFK4Z
--SJCBQw5zAoGAYzOpPmh8Je1IDauEXhgaLz14wqYUHHcrj2VWVJ6fRm8GhdQFJSI7
--GUk08pgKZSKic2lNqxuzW7/vFxKQ/nvzfytY16b+2i+BR4Q6yvMzCebE1hHVg0Ju
--TwfUMwoFEOhYP6ZwHSUiQl9IBMH9TNJCMwYMxfY+VOrURFsjGTRUgpwCFQCIGt5g
--Y+XZd0Sv69CatDIRYWvaIA==
-------END DSA PRIVATE KEY-----
-+-----BEGIN PRIVATE KEY-----
-+MIICZQIBADCCAjkGByqGSM44BAEwggIsAoIBAQCQfLlNdehPnTrGIMhw4rk0uua6
-+k1nCG3zcyfXli17BdB2k0HBPaTA3a3ZHfOt1Awy0Uu0wZ3gdPr9z0I64hnJXIGou
-+zIanZ7nYRImHtX5JMFbXeyxo1Owd2Zs3oEk9nQUoUsMxvmYC/ghPL5Zx1pPxcHCO
-+wzWxoG4yZMjimXOc1/W7zvK/4/g/Cz9fItD3zdcydfgM/hK0/CeYQ21xfhqf4mjK
-+v9plnCcWgToGI+7H8VK80MFbkO2QKRz3vP1/TjK6PRm9sEeB5b10+SvGv2j2w+CC
-+0fXL4s6n7PtBlm/bww8xL1/Az8kwejUcII1Dc8uNwwISwGbwaGBvl7IHpm21AiEA
-+rodZi+nCKZdTL8IgCjX3n0DuhPRkVQPjz/B6VweLW9MCggEAfimkUNwnsGFp7mKM
-+zJKhHoQkMB1qJzyIHjDzQ/J1xjfoF6i27afw1/WKboND5eseZhlhA2TO5ZJB6nGx
-+DOE9lVQxYVml++cQj6foHh1TVJAgGl4mWuveW/Rz+NEhpK4zVeEsfMrbkBypPByy
-+xzF1Z49t568xdIo+e8jLI8FjEdXOIUg4ehB3NY6SL8r4oJ49j/sJWfHcDoWH/LK9
-+ZaBF8NpflJe3F40S8RDvM8j2HC+y2Q4QyKk1DXGiH+7yQLGWzr3M73kC3UBnnH0h
-+Hxb7ISDCT7dCw/lH1nCbVFBOM0ASI26SSsFSXQrvD2kryRcTZ0KkyyhhoPODWpU+
-+TQMsxQQjAiEArJr6p2zTbhRppQurHGTdmdYHqrDdZH4MCsD9tQCw1xY=
-+-----END PRIVATE KEY-----
- -----BEGIN CERTIFICATE-----
--MIIDpDCCAw2gAwIBAgIJAMtotfHYdEsYMA0GCSqGSIb3DQEBBQUAMEQxCzAJBgNV
--BAYTAlVLMRYwFAYDVQQKEw1PcGVuU1NMIEdyb3VwMR0wGwYDVQQDExRUZXN0IFMv
--TUlNRSBSU0EgUm9vdDAeFw0wODAyMjIxMzUzMDlaFw0xNjA1MTAxMzUzMDlaMEUx
-+MIIFkDCCBHigAwIBAgIJANk5lu6mSyBFMA0GCSqGSIb3DQEBBQUAMEQxCzAJBgNV
-+BAYTAlVLMRYwFAYDVQQKDA1PcGVuU1NMIEdyb3VwMR0wGwYDVQQDDBRUZXN0IFMv
-+TUlNRSBSU0EgUm9vdDAeFw0xMzA3MTcxNzI4MzFaFw0yMzA1MjYxNzI4MzFaMEUx
- CzAJBgNVBAYTAlVLMRYwFAYDVQQKDA1PcGVuU1NMIEdyb3VwMR4wHAYDVQQDDBVU
--ZXN0IFMvTUlNRSBFRSBEU0EgIzMwggG3MIIBLAYHKoZIzjgEATCCAR8CgYEAxSX7
--CDziGsDDuW4sPgKGFITVcUXgTi0KLFN0L+AfJK2nNATa9zo0hi4dcGcR6oZQBNEJ
--mrE2iqI7pNtJzVnhZ3M0s+rw5dCFSRIUvFWKK+ZLfYC6rRnKAILH+IEQyLrSckA2
--jZ9yFWPPbl1FSKHsb0Hi0AwQoEDwuTvKyXagcLcCFQCtiY7fnapNO3kFBOfZKGFB
--CsjaKwKBgQCOCBKbrH/BteJAh5kbZx1zNrRuRFiQ5lukLcI6r1qdRilMeVhctbVV
--kfZ5eay9A4vpDXRDaPkpCo+4d7g7pRjiOk9JkGG1dodSCvhTDhpzqr2fHjUxNp+D
--xk6OabmetywZvkGK0LKzYlGOL2pCxUNqxCv0i8HbAxSuGUiQgUMOcwOBhAACgYBj
--M6k+aHwl7UgNq4ReGBovPXjCphQcdyuPZVZUnp9GbwaF1AUlIjsZSTTymAplIqJz
--aU2rG7Nbv+8XEpD+e/N/K1jXpv7aL4FHhDrK8zMJ5sTWEdWDQm5PB9QzCgUQ6Fg/
--pnAdJSJCX0gEwf1M0kIzBgzF9j5U6tREWyMZNFSCnKOBgzCBgDAdBgNVHQ4EFgQU
--VhpVXqQ/EzUMdxLvP7o9EhJ8h70wHwYDVR0jBBgwFoAUE89Lp7uJLrM4Vxd2xput
--aFvl7RcwDAYDVR0TAQH/BAIwADAOBgNVHQ8BAf8EBAMCBsAwIAYDVR0RBBkwF4EV
--c21pbWVkc2EzQG9wZW5zc2wub3JnMA0GCSqGSIb3DQEBBQUAA4GBACM9e75EQa8m
--k/AZkH/tROqf3yeqijULl9x8FjFatqoY+29OM6oMGM425IqSkKd2ipz7OxO0SShu
--rE0O3edS7DvYBwvhWPviRaYBMyZ4iFJVup+fOzoYK/j/bASxS3BHQBwb2r4rhe25
--OlTyyFEk7DJyW18YFOG97S1P52oQ5f5x
-+ZXN0IFMvTUlNRSBFRSBEU0EgIzMwggNGMIICOQYHKoZIzjgEATCCAiwCggEBAJB8
-+uU116E+dOsYgyHDiuTS65rqTWcIbfNzJ9eWLXsF0HaTQcE9pMDdrdkd863UDDLRS
-+7TBneB0+v3PQjriGclcgai7MhqdnudhEiYe1fkkwVtd7LGjU7B3ZmzegST2dBShS
-+wzG+ZgL+CE8vlnHWk/FwcI7DNbGgbjJkyOKZc5zX9bvO8r/j+D8LP18i0PfN1zJ1
-++Az+ErT8J5hDbXF+Gp/iaMq/2mWcJxaBOgYj7sfxUrzQwVuQ7ZApHPe8/X9OMro9
-+Gb2wR4HlvXT5K8a/aPbD4ILR9cvizqfs+0GWb9vDDzEvX8DPyTB6NRwgjUNzy43D
-+AhLAZvBoYG+XsgembbUCIQCuh1mL6cIpl1MvwiAKNfefQO6E9GRVA+PP8HpXB4tb
-+0wKCAQB+KaRQ3CewYWnuYozMkqEehCQwHWonPIgeMPND8nXGN+gXqLbtp/DX9Ypu
-+g0Pl6x5mGWEDZM7lkkHqcbEM4T2VVDFhWaX75xCPp+geHVNUkCAaXiZa695b9HP4
-+0SGkrjNV4Sx8ytuQHKk8HLLHMXVnj23nrzF0ij57yMsjwWMR1c4hSDh6EHc1jpIv
-+yvignj2P+wlZ8dwOhYf8sr1loEXw2l+Ul7cXjRLxEO8zyPYcL7LZDhDIqTUNcaIf
-+7vJAsZbOvczveQLdQGecfSEfFvshIMJPt0LD+UfWcJtUUE4zQBIjbpJKwVJdCu8P
-+aSvJFxNnQqTLKGGg84NalT5NAyzFA4IBBQACggEAcXvtfiJfIZ0wgGpN72ZeGrJ9
-+msUXOxow7w3fDbP8r8nfVkBNbfha8rx0eY6fURFVZzIOd8EHGKypcH1gS6eZNucf
-+zgsH1g5r5cRahMZmgGXBEBsWrh2IaDG7VSKt+9ghz27EKgjAQCzyHQL5FCJgR2p7
-+cv0V4SRqgiAGYlJ191k2WtLOsVd8kX//jj1l8TUgE7TqpuSEpaSyQ4nzJROpZWZp
-+N1RwFmCURReykABU/Nzin/+rZnvZrp8WoXSXEqxeB4mShRSaH57xFnJCpRwKJ4qS
-+2uhATzJaKH7vu63k3DjftbSBVh+32YXwtHc+BGjs8S2aDtCW3FtDA7Z6J8BIxaNg
-+MF4wDAYDVR0TAQH/BAIwADAOBgNVHQ8BAf8EBAMCBeAwHQYDVR0OBBYEFMJxatDE
-+FCEFGl4uoiQQ1050Ju9RMB8GA1UdIwQYMBaAFMmRUwpjexZbi71E8HaIqSTm5bZs
-+MA0GCSqGSIb3DQEBBQUAA4IBAQBGZD1JnMep39KMOhD0iBTmyjhtcnRemckvRask
-+pS/CqPwo+M+lPNdxpLU2w9b0QhPnj0yAS/BS1yBjsLGY4DP156k4Q3QOhwsrTmrK
-+YOxg0w7DOpkv5g11YLJpHsjSOwg5uIMoefL8mjQK6XOFOmQXHJrUtGulu+fs6FlM
-+khGJcW4xYVPK0x/mHvTT8tQaTTkgTdVHObHF5Dyx/F9NMpB3RFguQPk2kT4lJc4i
-+Up8T9mLzaxz6xc4wwh8h70Zw81lkGYhX+LRk3sfd/REq9x4QXQNP9t9qU1CgrBzv
-+4orzt9cda4r+rleSg2XjWnXzMydE6DuwPVPZlqnLbSYUy660
- -----END CERTIFICATE-----
-diff --git a/test/smime-certs/smroot.pem b/test/smime-certs/smroot.pem
-index a59eb2684ca4..d1a253f40958 100644
---- a/test/smime-certs/smroot.pem
-+++ b/test/smime-certs/smroot.pem
-@@ -1,30 +1,49 @@
-------BEGIN RSA PRIVATE KEY-----
--MIICXAIBAAKBgQDBV1Z/Q5gPF7lojc8pKUdyz5+Jf2B3vs4he6egekugWnoJduki
--9Lnae/JchB/soIX0co3nLc11NuFFlnAWJNMDJr08l5AHAJLYNHevF5l/f9oDQwvZ
--speKh1xpIAJNqCTzVeQ/ZLx6/GccIXV/xDuKIiovqJTPgR5WPkYKaw++lQIDAQAB
--AoGALXnUj5SflJU4+B2652ydMKUjWl0KnL/VjkyejgGV/j6py8Ybaixz9q8Gv7oY
--JDlRqMC1HfZJCFQDQrHy5VJ+CywA/H9WrqKo/Ch9U4tJAZtkig1Cmay/BAYixVu0
--xBeim10aKF6hxHH4Chg9We+OCuzWBWJhqveNjuDedL/i7JUCQQDlejovcwBUCbhJ
--U12qKOwlaboolWbl7yF3XdckTJZg7+1UqQHZH5jYZlLZyZxiaC92SNV0SyTLJZnS
--Jh5CO+VDAkEA16/pPcuVtMMz/R6SSPpRSIAa1stLs0mFSs3NpR4pdm0n42mu05pO
--1tJEt3a1g7zkreQBf53+Dwb+lA841EkjRwJBAIFmt0DifKDnCkBu/jZh9SfzwsH3
--3Zpzik+hXxxdA7+ODCrdUul449vDd5zQD5t+XKU61QNLDGhxv5e9XvrCg7kCQH/a
--3ldsVF0oDaxxL+QkxoREtCQ5tLEd1u7F2q6Tl56FDE0pe6Ih6bQ8RtG+g9EI60IN
--U7oTrOO5kLWx5E0q4ccCQAZVgoenn9MhRU1agKOCuM6LT2DxReTu4XztJzynej+8
--0J93n3ebanB1MlRpn1XJwhQ7gAC8ImaQKLJK5jdJzFc=
-------END RSA PRIVATE KEY-----
-+-----BEGIN PRIVATE KEY-----
-+MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQCyyQXED5HyVWwq
-+nXyzmY317yMUJrIfsKvREG2C691dJNHgNg+oq5sjt/fzkyS84AvdOiicAsao4cYL
-+DulthaLpbC7msEBhvwAil0FNb5g3ERupe1KuTdUV1UuD/i6S2VoaNXUBBn1rD9Wc
-+BBc0lnx/4Wt92eQTI6925pt7ZHPQw2Olp7TQDElyi5qPxCem4uT0g3zbZsWqmmsI
-+MXbu+K3dEprzqA1ucKXbxUmZNkMwVs2XCmlLxrRUj8C3/zENtH17HWCznhR/IVcV
-+kgIuklkeiDsEhbWvUQumVXR7oPh/CPZAbjGqq5mVueHSHrp7brBVZKHZvoUka28Q
-+LWitq1W5AgMBAAECggEASkRnOMKfBeOmQy2Yl6K57eeg0sYgSDnDpd0FINWJ5x9c
-+b58FcjOXBodtYKlHIY6QXx3BsM0WaSEge4d+QBi7S+u8r+eXVwNYswXSArDQsk9R
-+Bl5MQkvisGciL3pvLmFLpIeASyS/BLJXMbAhU58PqK+jT2wr6idwxBuXivJ3ichu
-+ISdT1s2aMmnD86ulCD2DruZ4g0mmk5ffV+Cdj+WWkyvEaJW2GRYov2qdaqwSOxV4
-+Yve9qStvEIWAf2cISQjbnw2Ww6Z5ebrqlOz9etkmwIly6DTbrIneBnoqJlFFWGlF
-+ghuzc5RE2w1GbcKSOt0qXH44MTf/j0r86dlu7UIxgQKBgQDq0pEaiZuXHi9OQAOp
-+PsDEIznCU1bcTDJewANHag5DPEnMKLltTNyLaBRulMypI+CrDbou0nDr29VOzfXx
-+mNvi/c7RttOBOx7kXKvu0JUFKe2oIWRsg0KsyMX7UFMVaHFgrW+8DhQc7HK7URiw
-+nitOnA7YwIHRF9BMmcWcLFEYBQKBgQDC6LPbXV8COKO0YCfGXPnE7EZGD/p0Q92Z
-+8CoSefphEScSdO1IpxFXG7fOZ4x2GQb9q7D3IvaeKAqNjUjkuyxdB30lIWDBwSWw
-+fFgsa2SZwD5P60G/ar50YJr6LiF333aUMDVmC9swFfZERAEmGUz2NTrPWQdIx/lu
-+PyDtUR75JQKBgHaoCCJ8vl5SJl1IA5GV4Bo8IoeLTSzsY9d09zMy6BoZcMD1Ix2T
-+5S2cXhayoegl9PT6bsYSGHVWFCdJ86ktMI826TcXRzDaCvYhzc9THroJQcnfdbtP
-+aHWezkv7fsAmkoPjn75K7ubeo+r7Q5qbkg6a1PW58N8TRXIvkackzaVxAoGBALAq
-+qh3U+AHG9dgbrPeyo6KkuCOtX39ks8/mbfCDRZYkbb9V5f5r2tVz3R93IlK/7jyr
-+yWimtmde46Lrl33922w+T5OW5qBZllo9GWkUrDn3s5qClcuQjJIdmxYTSfbSCJiK
-+NkmE39lHkG5FVRB9f71tgTlWS6ox7TYDYxx83NTtAoGAUJPAkGt4yGAN4Pdebv53
-+bSEpAAULBHntiqDEOu3lVColHuZIucml/gbTpQDruE4ww4wE7dOhY8Q4wEBVYbRI
-+vHkSiWpJUvZCuKG8Foh5pm9hU0qb+rbQV7NhLJ02qn1AMGO3F/WKrHPPY8/b9YhQ
-+KfvPCYimQwBjVrEnSntLPR0=
-+-----END PRIVATE KEY-----
- -----BEGIN CERTIFICATE-----
--MIICaTCCAdKgAwIBAgIJAP6VN47boiXRMA0GCSqGSIb3DQEBBQUAMEQxCzAJBgNV
--BAYTAlVLMRYwFAYDVQQKEw1PcGVuU1NMIEdyb3VwMR0wGwYDVQQDExRUZXN0IFMv
--TUlNRSBSU0EgUm9vdDAeFw0wODAyMjIxMzUzMDdaFw0xNjA1MTExMzUzMDdaMEQx
--CzAJBgNVBAYTAlVLMRYwFAYDVQQKEw1PcGVuU1NMIEdyb3VwMR0wGwYDVQQDExRU
--ZXN0IFMvTUlNRSBSU0EgUm9vdDCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEA
--wVdWf0OYDxe5aI3PKSlHcs+fiX9gd77OIXunoHpLoFp6CXbpIvS52nvyXIQf7KCF
--9HKN5y3NdTbhRZZwFiTTAya9PJeQBwCS2DR3rxeZf3/aA0ML2bKXiodcaSACTagk
--81XkP2S8evxnHCF1f8Q7iiIqL6iUz4EeVj5GCmsPvpUCAwEAAaNjMGEwHQYDVR0O
--BBYEFBPPS6e7iS6zOFcXdsabrWhb5e0XMB8GA1UdIwQYMBaAFBPPS6e7iS6zOFcX
--dsabrWhb5e0XMA8GA1UdEwEB/wQFMAMBAf8wDgYDVR0PAQH/BAQDAgEGMA0GCSqG
--SIb3DQEBBQUAA4GBAIECprq5viDvnDbkyOaiSr9ubMUmWqvycfAJMdPZRKcOZczS
--l+L9R9lF3JSqbt3knOe9u6bGDBOTY2285PdCCuHRVMk2Af1f6El1fqAlRUwNqipp
--r68sWFuRqrcRNtk6QQvXfkOhrqQBuDa7te/OVQLa2lGN9Dr2mQsD8ijctatG
-+MIIDbjCCAlagAwIBAgIJAMc+8VKBJ/S9MA0GCSqGSIb3DQEBBQUAMEQxCzAJBgNV
-+BAYTAlVLMRYwFAYDVQQKDA1PcGVuU1NMIEdyb3VwMR0wGwYDVQQDDBRUZXN0IFMv
-+TUlNRSBSU0EgUm9vdDAeFw0xMzA3MTcxNzI4MjlaFw0yMzA3MTUxNzI4MjlaMEQx
-+CzAJBgNVBAYTAlVLMRYwFAYDVQQKDA1PcGVuU1NMIEdyb3VwMR0wGwYDVQQDDBRU
-+ZXN0IFMvTUlNRSBSU0EgUm9vdDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoC
-+ggEBALLJBcQPkfJVbCqdfLOZjfXvIxQmsh+wq9EQbYLr3V0k0eA2D6irmyO39/OT
-+JLzgC906KJwCxqjhxgsO6W2FoulsLuawQGG/ACKXQU1vmDcRG6l7Uq5N1RXVS4P+
-+LpLZWho1dQEGfWsP1ZwEFzSWfH/ha33Z5BMjr3bmm3tkc9DDY6WntNAMSXKLmo/E
-+J6bi5PSDfNtmxaqaawgxdu74rd0SmvOoDW5wpdvFSZk2QzBWzZcKaUvGtFSPwLf/
-+MQ20fXsdYLOeFH8hVxWSAi6SWR6IOwSFta9RC6ZVdHug+H8I9kBuMaqrmZW54dIe
-+untusFVkodm+hSRrbxAtaK2rVbkCAwEAAaNjMGEwHQYDVR0OBBYEFMmRUwpjexZb
-+i71E8HaIqSTm5bZsMB8GA1UdIwQYMBaAFMmRUwpjexZbi71E8HaIqSTm5bZsMA8G
-+A1UdEwEB/wQFMAMBAf8wDgYDVR0PAQH/BAQDAgEGMA0GCSqGSIb3DQEBBQUAA4IB
-+AQAwpIVWQey2u/XoQSMSu0jd0EZvU+lhLaFrDy/AHQeG3yX1+SAOM6f6w+efPvyb
-+Op1NPI9UkMPb4PCg9YC7jgYokBkvAcI7J4FcuDKMVhyCD3cljp0ouuKruvEf4FBl
-+zyQ9pLqA97TuG8g1hLTl8G90NzTRcmKpmhs18BmCxiqHcTfoIpb3QvPkDX8R7LVt
-+9BUGgPY+8ELCgw868TuHh/Cnc67gBtRjBp0sCYVzGZmKsO5f1XdHrAZKYN5mEp0C
-+7/OqcDoFqORTquLeycg1At/9GqhDEgxNrqA+YEsPbLGAfsNuXUsXs2ubpGsOZxKt
-+Emsny2ah6fU2z7PztrUy/A80
- -----END CERTIFICATE-----
-diff --git a/test/smime-certs/smrsa1.pem b/test/smime-certs/smrsa1.pem
-index 2cf3148e334b..d0d0b9e66b01 100644
---- a/test/smime-certs/smrsa1.pem
-+++ b/test/smime-certs/smrsa1.pem
-@@ -1,31 +1,49 @@
-------BEGIN RSA PRIVATE KEY-----
--MIICXgIBAAKBgQC6A978j4pmPgUtUQqF+bjh6vdhwGOGZSD7xXgFTMjm88twfv+E
--ixkq2KXSDjD0ZXoQbdOaSbvGRQrIJpG2NGiKAFdYNrP025kCCdh5wF/aEI7KLEm7
--JlHwXpQsuj4wkMgmkFjL3Ty4Z55aNH+2pPQIa0k+ENJXm2gDuhqgBmduAwIDAQAB
--AoGBAJMuYu51aO2THyeHGwt81uOytcCbqGP7eoib62ZOJhxPRGYjpmuqX+R9/V5i
--KiwGavm63JYUx0WO9YP+uIZxm1BUATzkgkS74u5LP6ajhkZh6/Bck1oIYYkbVOXl
--JVrdENuH6U7nupznsyYgONByo+ykFPVUGmutgiaC7NMVo/MxAkEA6KLejWXdCIEn
--xr7hGph9NlvY9xuRIMexRV/WrddcFfCdjI1PciIupgrIkR65M9yr7atm1iU6/aRf
--KOr8rLZsSQJBAMyyXN71NsDNx4BP6rtJ/LJMP0BylznWkA7zWfGCbAYn9VhZVlSY
--Eu9Gyr7quD1ix7G3kInKVYOEEOpockBLz+sCQQCedyMmKjcQLfpMVYW8uhbAynvW
--h36qV5yXZxszO7nMcCTBsxhk5IfmLv5EbCs3+p9avCDGyoGOeUMg+kC33WORAkAg
--oUIarH4o5+SoeJTTfCzTA0KF9H5U0vYt2+73h7HOnWoHxl3zqDZEfEVvf50U8/0f
--QELDJETTbScBJtsnkq43AkEA38etvoZ2i4FJvvo7R/9gWBHVEcrGzcsCBYrNnIR1
--SZLRwHEGaiOK1wxMsWzqp7PJwL9z/M8A8DyOFBx3GPOniA==
-------END RSA PRIVATE KEY-----
-+-----BEGIN PRIVATE KEY-----
-+MIIEvAIBADANBgkqhkiG9w0BAQEFAASCBKYwggSiAgEAAoIBAQDXr9uzB/20QXKC
-+xhkfNnJvl2xl1hzdOcrQmAqo+AAAcA/D49ImuJDVQRaK2bcj54XB26i1kXuOrxID
-+3/etUb8yudfx8OAVwh8G0xVA4zhr8uXW85W2tBr4v0Lt+W6lSd6Hmfrk4GmE9LTU
-+/vzl9HUPW6SZShN1G0nY6oeUXvLi0vasEUKv3a51T6JFYg4c7qt5RCk/w8kwrQ0D
-+orQwCdkOPEIiC4b+nPStF12SVm5bx8rbYzioxuY/PdSebvt0APeqgRxSpCxqYnHs
-+CoNeHzSrGXcP0COzFeUOz2tdrhmH09JLbGZs4nbojPxMkjpJSv3/ekDG2CHYxXSH
-+XxpJstxZAgMBAAECggEASY4xsJaTEPwY3zxLqPdag2/yibBBW7ivz/9p80HQTlXp
-+KnbxXj8nNXLjCytAZ8A3P2t316PrrTdLP4ML5lGwkM4MNPhek00GY79syhozTa0i
-+cPHVJt+5Kwee/aVI9JmCiGAczh0yHyOM3+6ttIZvvXMVaSl4BUHvJ0ikQBc5YdzL
-+s6VM2gCOR6K6n+39QHDI/T7WwO9FFSNnpWFOCHwAWtyBMlleVj+xeZX8OZ/aT+35
-+27yjsGNBftWKku29VDineiQC+o+fZGJs6w4JZHoBSP8TfxP8fRCFVNA281G78Xak
-+cEnKXwZ54bpoSa3ThKl+56J6NHkkfRGb8Rgt/ipJYQKBgQD5DKb82mLw85iReqsT
-+8bkp408nPOBGz7KYnQsZqAVNGfehM02+dcN5z+w0jOj6GMPLPg5whlEo/O+rt9ze
-+j6c2+8/+B4Bt5oqCKoOCIndH68jl65+oUxFkcHYxa3zYKGC9Uvb+x2BtBmYgvDRG
-+ew6I2Q3Zyd2ThZhJygUZpsjsbQKBgQDdtNiGTkgWOm+WuqBI1LT5cQfoPfgI7/da
-+ZA+37NBUQRe0cM7ddEcNqx7E3uUa1JJOoOYv65VyGI33Ul+evI8h5WE5bupcCEFk
-+LolzbMc4YQUlsySY9eUXM8jQtfVtaWhuQaABt97l+9oADkrhA+YNdEu2yiz3T6W+
-+msI5AnvkHQKBgDEjuPMdF/aY6dqSjJzjzfgg3KZOUaZHJuML4XvPdjRPUlfhKo7Q
-+55/qUZ3Qy8tFBaTderXjGrJurc+A+LiFOaYUq2ZhDosguOWUA9yydjyfnkUXZ6or
-+sbvSoM+BeOGhnezdKNT+e90nLRF6cQoTD7war6vwM6L+8hxlGvqDuRNFAoGAD4K8
-+d0D4yB1Uez4ZQp8m/iCLRhM3zCBFtNw1QU/fD1Xye5w8zL96zRkAsRNLAgKHLdsR
-+355iuTXAkOIBcJCOjveGQsdgvAmT0Zdz5FBi663V91o+IDlryqDD1t40CnCKbtRG
-+hng/ruVczg4x7OYh7SUKuwIP/UlkNh6LogNreX0CgYBQF9troLex6X94VTi1V5hu
-+iCwzDT6AJj63cS3VRO2ait3ZiLdpKdSNNW2WrlZs8FZr/mVutGEcWho8BugGMWST
-+1iZkYwly9Xfjnpd0I00ZIlr2/B3+ZsK8w5cOW5Lpb7frol6+BkDnBjbNZI5kQndn
-+zQpuMJliRlrq/5JkIbH6SA==
-+-----END PRIVATE KEY-----
- -----BEGIN CERTIFICATE-----
--MIICizCCAfSgAwIBAgIJAMtotfHYdEsTMA0GCSqGSIb3DQEBBQUAMEQxCzAJBgNV
--BAYTAlVLMRYwFAYDVQQKEw1PcGVuU1NMIEdyb3VwMR0wGwYDVQQDExRUZXN0IFMv
--TUlNRSBSU0EgUm9vdDAeFw0wODAyMjIxMzUzMDhaFw0xNjA1MTAxMzUzMDhaMEUx
-+MIIDbDCCAlSgAwIBAgIJANk5lu6mSyBAMA0GCSqGSIb3DQEBBQUAMEQxCzAJBgNV
-+BAYTAlVLMRYwFAYDVQQKDA1PcGVuU1NMIEdyb3VwMR0wGwYDVQQDDBRUZXN0IFMv
-+TUlNRSBSU0EgUm9vdDAeFw0xMzA3MTcxNzI4MzBaFw0yMzA1MjYxNzI4MzBaMEUx
- CzAJBgNVBAYTAlVLMRYwFAYDVQQKDA1PcGVuU1NMIEdyb3VwMR4wHAYDVQQDDBVU
--ZXN0IFMvTUlNRSBFRSBSU0EgIzEwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGB
--ALoD3vyPimY+BS1RCoX5uOHq92HAY4ZlIPvFeAVMyObzy3B+/4SLGSrYpdIOMPRl
--ehBt05pJu8ZFCsgmkbY0aIoAV1g2s/TbmQIJ2HnAX9oQjsosSbsmUfBelCy6PjCQ
--yCaQWMvdPLhnnlo0f7ak9AhrST4Q0lebaAO6GqAGZ24DAgMBAAGjgYMwgYAwHQYD
--VR0OBBYEFE2vMvKz5jrC7Lbdg68XwZ95iL/QMB8GA1UdIwQYMBaAFBPPS6e7iS6z
--OFcXdsabrWhb5e0XMAwGA1UdEwEB/wQCMAAwDgYDVR0PAQH/BAQDAgXgMCAGA1Ud
--EQQZMBeBFXNtaW1lcnNhMUBvcGVuc3NsLm9yZzANBgkqhkiG9w0BAQUFAAOBgQAi
--O3GOkUl646oLnOimc36i9wxZ1tejsqs8vMjJ0Pym6Uq9FE2JoGzJ6OhB1GOsEVmj
--9cQ5UNQcRYL3cqOFtl6f4Dpu/lhzfbaqgmLjv29G1mS0uuTZrixhlyCXjwcbOkNC
--I/+wvHHENYIK5+T/79M9LaZ2Qk4F9MNE1VMljdz9Qw==
-+ZXN0IFMvTUlNRSBFRSBSU0EgIzEwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEK
-+AoIBAQDXr9uzB/20QXKCxhkfNnJvl2xl1hzdOcrQmAqo+AAAcA/D49ImuJDVQRaK
-+2bcj54XB26i1kXuOrxID3/etUb8yudfx8OAVwh8G0xVA4zhr8uXW85W2tBr4v0Lt
-++W6lSd6Hmfrk4GmE9LTU/vzl9HUPW6SZShN1G0nY6oeUXvLi0vasEUKv3a51T6JF
-+Yg4c7qt5RCk/w8kwrQ0DorQwCdkOPEIiC4b+nPStF12SVm5bx8rbYzioxuY/PdSe
-+bvt0APeqgRxSpCxqYnHsCoNeHzSrGXcP0COzFeUOz2tdrhmH09JLbGZs4nbojPxM
-+kjpJSv3/ekDG2CHYxXSHXxpJstxZAgMBAAGjYDBeMAwGA1UdEwEB/wQCMAAwDgYD
-+VR0PAQH/BAQDAgXgMB0GA1UdDgQWBBTmjc+lrTQuYx/VBOBGjMvufajvhDAfBgNV
-+HSMEGDAWgBTJkVMKY3sWW4u9RPB2iKkk5uW2bDANBgkqhkiG9w0BAQUFAAOCAQEA
-+dr2IRXcFtlF16kKWs1VTaFIHHNQrfSVHBkhKblPX3f/0s/i3eXgwKUu7Hnb6T3/o
-+E8L+e4ioQNhahTLt9ruJNHWA/QDwOfkqM3tshCs2xOD1Cpy7Bd3Dn0YBrHKyNXRK
-+WelGp+HetSXJGW4IZJP7iES7Um0DGktLabhZbe25EnthRDBjNnaAmcofHECWESZp
-+lEHczGZfS9tRbzOCofxvgLbF64H7wYSyjAe6R8aain0VRbIusiD4tCHX/lOMh9xT
-+GNBW8zTL+tV9H1unjPMORLnT0YQ3oAyEND0jCu0ACA1qGl+rzxhF6bQcTUNEbRMu
-+9Hjq6s316fk4Ne0EUF3PbA==
- -----END CERTIFICATE-----
-diff --git a/test/smime-certs/smrsa2.pem b/test/smime-certs/smrsa2.pem
-index d41f69c82f67..2f17cb2978f4 100644
---- a/test/smime-certs/smrsa2.pem
-+++ b/test/smime-certs/smrsa2.pem
-@@ -1,31 +1,49 @@
-------BEGIN RSA PRIVATE KEY-----
--MIICWwIBAAKBgQCwBfryW4Vu5U9wNIDKspJO/N9YF4CcTlrCUyzVlKgb+8urHlSe
--59i5verR9IOCCXkemjOzZ/3nALTGqYZlnEvHp0Rjk+KdKXnKBIB+SRPpeu3LcXMT
--WPgsThPa0UQxedNKG0g6aG+kLhsDlFBCoxd09jJtSpb9jmroJOq0ZYEHLwIDAQAB
--AoGAKa/w4677Je1W5+r3SYoLDnvi5TkDs4D3C6ipKJgBTEdQz+DqB4w/DpZE4551
--+rkFn1LDxcxuHGRVa+tAMhZW97fwq9YUbjVZEyOz79qrX+BMyl/NbHkf1lIKDo3q
--dWalzQvop7nbzeLC+VmmviwZfLQUbA61AQl3jm4dswT4XykCQQDloDadEv/28NTx
--bvvywvyGuvJkCkEIycm4JrIInvwsd76h/chZ3oymrqzc7hkEtK6kThqlS5y+WXl6
--QzPruTKTAkEAxD2ro/VUoN+scIVaLmn0RBmZ67+9Pdn6pNSfjlK3s0T0EM6/iUWS
--M06l6L9wFS3/ceu1tIifsh9BeqOGTa+udQJARIFnybTBaIqw/NZ/lA1YCVn8tpvY
--iyaoZ6gjtS65TQrsdKeh/i3HCHNUXxUpoZ3F/H7QtD+6o49ODou+EbVOwQJAVmex
--A2gp8wuJKaINqxIL81AybZLnCCzKJ3lXJ5tUNyLNM/lUbGStktm2Q1zHRQwTxV07
--jFn7trn8YrtNjzcjYQJAUKIJRt38A8Jw3HoPT+D0WS2IgxjVL0eYGsZX1lyeammG
--6rfnQ3u5uP7mEK2EH2o8mDUpAE0gclWBU9UkKxJsGA==
-------END RSA PRIVATE KEY-----
-+-----BEGIN PRIVATE KEY-----
-+MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQDcYC4tS2Uvn1Z2
-+iDgtfkJA5tAqgbN6X4yK02RtVH5xekV9+6+eTt/9S+iFAzAnwqR/UB1R67ETrsWq
-+V8u9xLg5fHIwIkmu9/6P31UU9cghO7J1lcrhHvooHaFpcXepPWQacpuBq2VvcKRD
-+lDfVmdM5z6eS3dSZPTOMMP/xk4nhZB8mcw27qiccPieS0PZ9EZB63T1gmwaK1Rd5
-+U94Pl0+zpDqhViuXmBfiIDWjjz0BzHnHSz5Rg4S3oXF1NcojhptIWyI0r7dgn5J3
-+NxC4kgKdjzysxo6iWd0nLgz7h0jUdj79EOis4fg9G4f0EFWyQf7iDxGaA93Y9ePB
-+Jv5iFZVZAgMBAAECggEBAILIPX856EHb0KclbhlpfY4grFcdg9LS04grrcTISQW1
-+J3p9nBpZ+snKe6I8Yx6lf5PiipPsSLlCliHiWpIzJZVQCkAQiSPiHttpEYgP2IYI
-+dH8dtznkdVbLRthZs0bnnPmpHCpW+iqpcYJ9eqkz0cvUNUGOjjWmwWmoRqwp/8CW
-+3S1qbkQiCh0Mk2fQeGar76R06kXQ9MKDEj14zyS3rJX+cokjEoMSlH8Sbmdh2mJz
-+XlNZcvqmeGJZwQWgbVVHOMUuZaKJiFa+lqvOdppbqSx0AsCRq6vjmjEYQEoOefYK
-+3IJM9IvqW5UNx0Cy4kQdjhZFFwMO/ALD3QyF21iP4gECgYEA+isQiaWdaY4UYxwK
-+Dg+pnSCKD7UGZUaCUIv9ds3CbntMOONFe0FxPsgcc4jRYQYj1rpQiFB8F11+qXGa
-+P/IHcnjr2+mTrNY4I9Bt1Lg+pHSS8QCgzeueFybYMLaSsXUo7tGwpvw6UUb6/YWI
-+LNCzZbrCLg1KZjGODhhxtvN45ZkCgYEA4YNSe+GMZlxgsvxbLs86WOm6DzJUPvxN
-+bWmni0+Oe0cbevgGEUjDVc895uMFnpvlgO49/C0AYJ+VVbStjIMgAeMnWj6OZoSX
-+q49rI8KmKUxKgORZiiaMqGWQ7Rxv68+4S8WANsjFxoUrE6dNV3uYDIUsiSLbZeI8
-+38KVTcLohcECgYEAiOdyWHGq0G4xl/9rPUCzCMsa4velNV09yYiiwBZgVgfhsawm
-+hQpOSBZJA60XMGqkyEkT81VgY4UF4QLLcD0qeCnWoXWVHFvrQyY4RNZDacpl87/t
-+QGO2E2NtolL3umesa+2TJ/8Whw46Iu2llSjtVDm9NGiPk5eA7xPPf1iEi9kCgYAb
-+0EmVE91wJoaarLtGS7LDkpgrFacEWbPnAbfzW62UENIX2Y1OBm5pH/Vfi7J+vHWS
-+8E9e0eIRCL2vY2hgQy/oa67H151SkZnvQ/IP6Ar8Xvd1bDSK8HQ6tMQqKm63Y9g0
-+KDjHCP4znOsSMnk8h/bZ3HcAtvbeWwftBR/LBnYNQQKBgA1leIXLLHRoX0VtS/7e
-+y7Xmn7gepj+gDbSuCs5wGtgw0RB/1z/S3QoS2TCbZzKPBo20+ivoRP7gcuFhduFR
-+hT8V87esr/QzLVpjLedQDW8Xb7GiO3BsU/gVC9VcngenbL7JObl3NgvdreIYo6+n
-+yrLyf+8hjm6H6zkjqiOkHAl+
-+-----END PRIVATE KEY-----
- -----BEGIN CERTIFICATE-----
--MIICizCCAfSgAwIBAgIJAMtotfHYdEsUMA0GCSqGSIb3DQEBBQUAMEQxCzAJBgNV
--BAYTAlVLMRYwFAYDVQQKEw1PcGVuU1NMIEdyb3VwMR0wGwYDVQQDExRUZXN0IFMv
--TUlNRSBSU0EgUm9vdDAeFw0wODAyMjIxMzUzMDhaFw0xNjA1MTAxMzUzMDhaMEUx
-+MIIDbDCCAlSgAwIBAgIJANk5lu6mSyBBMA0GCSqGSIb3DQEBBQUAMEQxCzAJBgNV
-+BAYTAlVLMRYwFAYDVQQKDA1PcGVuU1NMIEdyb3VwMR0wGwYDVQQDDBRUZXN0IFMv
-+TUlNRSBSU0EgUm9vdDAeFw0xMzA3MTcxNzI4MzBaFw0yMzA1MjYxNzI4MzBaMEUx
- CzAJBgNVBAYTAlVLMRYwFAYDVQQKDA1PcGVuU1NMIEdyb3VwMR4wHAYDVQQDDBVU
--ZXN0IFMvTUlNRSBFRSBSU0EgIzIwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGB
--ALAF+vJbhW7lT3A0gMqykk7831gXgJxOWsJTLNWUqBv7y6seVJ7n2Lm96tH0g4IJ
--eR6aM7Nn/ecAtMaphmWcS8enRGOT4p0pecoEgH5JE+l67ctxcxNY+CxOE9rRRDF5
--00obSDpob6QuGwOUUEKjF3T2Mm1Klv2Oaugk6rRlgQcvAgMBAAGjgYMwgYAwHQYD
--VR0OBBYEFIL/u+mEvaw7RuKLRuElfVkxSQjYMB8GA1UdIwQYMBaAFBPPS6e7iS6z
--OFcXdsabrWhb5e0XMAwGA1UdEwEB/wQCMAAwDgYDVR0PAQH/BAQDAgXgMCAGA1Ud
--EQQZMBeBFXNtaW1lcnNhMkBvcGVuc3NsLm9yZzANBgkqhkiG9w0BAQUFAAOBgQC2
--rXR5bm/9RtOMQPleNpd3y6uUX3oy+0CafK5Yl3PMnItjjnKJ0l1/DbLbDj2twehe
--ewaB8CROcBCA3AMLSmGvPKgUCFMGtWam3328M4fBHzon5ka7qDXzM+imkAly/Yx2
--YNdR/aNOug+5sXygHmTSKqiCpQjOIClzXoPVVeEVHw==
-+ZXN0IFMvTUlNRSBFRSBSU0EgIzIwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEK
-+AoIBAQDcYC4tS2Uvn1Z2iDgtfkJA5tAqgbN6X4yK02RtVH5xekV9+6+eTt/9S+iF
-+AzAnwqR/UB1R67ETrsWqV8u9xLg5fHIwIkmu9/6P31UU9cghO7J1lcrhHvooHaFp
-+cXepPWQacpuBq2VvcKRDlDfVmdM5z6eS3dSZPTOMMP/xk4nhZB8mcw27qiccPieS
-+0PZ9EZB63T1gmwaK1Rd5U94Pl0+zpDqhViuXmBfiIDWjjz0BzHnHSz5Rg4S3oXF1
-+NcojhptIWyI0r7dgn5J3NxC4kgKdjzysxo6iWd0nLgz7h0jUdj79EOis4fg9G4f0
-+EFWyQf7iDxGaA93Y9ePBJv5iFZVZAgMBAAGjYDBeMAwGA1UdEwEB/wQCMAAwDgYD
-+VR0PAQH/BAQDAgXgMB0GA1UdDgQWBBT0arpyYMHXDPVL7MvzE+lx71L7sjAfBgNV
-+HSMEGDAWgBTJkVMKY3sWW4u9RPB2iKkk5uW2bDANBgkqhkiG9w0BAQUFAAOCAQEA
-+I8nM42am3aImkZyrw8iGkaGhKyi/dfajSWx6B9izBUh+3FleBnUxxOA+mn7M8C47
-+Ne18iaaWK8vEux9KYTIY8BzXQZL1AuZ896cXEc6bGKsME37JSsocfuB5BIGWlYLv
-+/ON5/SJ0iVFj4fAp8z7Vn5qxRJj9BhZDxaO1Raa6cz6pm0imJy9v8y01TI6HsK8c
-+XJQLs7/U4Qb91K+IDNX/lgW3hzWjifNpIpT5JyY3DUgbkD595LFV5DDMZd0UOqcv
-+6cyN42zkX8a0TWr3i5wu7pw4k1oD19RbUyljyleEp0DBauIct4GARdBGgi5y1H2i
-+NzYzLAPBkHCMY0Is3KKIBw==
- -----END CERTIFICATE-----
-diff --git a/test/smime-certs/smrsa3.pem b/test/smime-certs/smrsa3.pem
-index c8cbe55151ef..14c27f64aa90 100644
---- a/test/smime-certs/smrsa3.pem
-+++ b/test/smime-certs/smrsa3.pem
-@@ -1,31 +1,49 @@
-------BEGIN RSA PRIVATE KEY-----
--MIICXAIBAAKBgQC6syTZtZNe1hRScFc4PUVyVLsr7+C1HDIZnOHmwFoLayX6RHwy
--ep/TkdwiPHnemVLuwvpSjLMLZkXy/J764kSHJrNeVl3UvmCVCOm40hAtK1+F39pM
--h8phkbPPD7i+hwq4/Vs79o46nzwbVKmzgoZBJhZ+codujUSYM3LjJ4aq+wIDAQAB
--AoGAE1Zixrnr3bLGwBMqtYSDIOhtyos59whImCaLr17U9MHQWS+mvYO98if1aQZi
--iQ/QazJ+wvYXxWJ+dEB+JvYwqrGeuAU6He/rAb4OShG4FPVU2D19gzRnaButWMeT
--/1lgXV08hegGBL7RQNaN7b0viFYMcKnSghleMP0/q+Y/oaECQQDkXEwDYJW13X9p
--ijS20ykWdY5lLknjkHRhhOYux0rlhOqsyMZjoUmwI2m0qj9yrIysKhrk4MZaM/uC
--hy0xp3hdAkEA0Uv/UY0Kwsgc+W6YxeypECtg1qCE6FBib8n4iFy/6VcWqhvE5xrs
--OdhKv9/p6aLjLneGd1sU+F8eS9LGyKIbNwJBAJPgbNzXA7uUZriqZb5qeTXxBDfj
--RLfXSHYKAKEULxz3+JvRHB9SR4yHMiFrCdExiZrHXUkPgYLSHLGG5a4824UCQD6T
--9XvhquUARkGCAuWy0/3Eqoihp/t6BWSdQ9Upviu7YUhtUxsyXo0REZB7F4pGrJx5
--GlhXgFaewgUzuUHFzlMCQCzJMMWslWpoLntnR6sMhBMhBFHSw+Y5CbxBmFrdtSkd
--VdtNO1VuDCTxjjW7W3Khj7LX4KZ1ye/5jfAgnnnXisc=
-------END RSA PRIVATE KEY-----
-+-----BEGIN PRIVATE KEY-----
-+MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQCyK+BTAOJKJjji
-+OhY60NeZjzGGZxEBfCm62n0mwkzusW/V/e63uwj6uOVCFoVBz5doMf3M6QIS2jL3
-+Aw6Qs5+vcuLA0gHrqIwjYQz1UZ5ETLKLKbQw6YOIVfsFSTxytUVpfcByrubWiLKX
-+63theG1/IVokDK/9/k52Kyt+wcCjuRb7AJQFj2OLDRuWm/gavozkK103gQ+dUq4H
-+XamZMtTq1EhQOfc0IUeCOEL6xz4jzlHHfzLdkvb7Enhav2sXDfOmZp/DYf9IqS7l
-+vFkkINPVbYFBTexaPZlFwmpGRjkmoyH/w+Jlcpzs+w6p1diWRpaSn62bbkRN49j6
-+L2dVb+DfAgMBAAECggEAciwDl6zdVT6g/PbT/+SMA+7qgYHSN+1koEQaJpgjzGEP
-+lUUfj8TewCtzXaIoyj9IepBuXryBg6snNXpT/w3bqgYon/7zFBvxkUpDj4A5tvKf
-+BuY2fZFlpBvUu1Ju1eKrFCptBBBoA9mc+BUB/ze4ktrAdJFcxZoMlVScjqGB3GdR
-+OHw2x9BdWGCJBhiu9VHhAAb/LVWi6xgDumYSWZwN2yovg+7J91t5bsENeBRHycK+
-+i5dNFh1umIK9N0SH6bpHPnLHrCRchrQ6ZRRxL4ZBKA9jFRDeI7OOsJuCvhGyJ1se
-+snsLjr/Ahg00aiHCcC1SPQ6pmXAVBCG7hf4AX82V4QKBgQDaFDE+Fcpv84mFo4s9
-+wn4CZ8ymoNIaf5zPl/gpH7MGots4NT5+Ns+6zzJQ6TEpDjTPx+vDaabP7QGXwVZn
-+8NAHYvCQK37b+u9HrOt256YYRDOmnJFSbsJdmqzMEzpTNmQ8GuI37cZCS9CmSMv+
-+ab/plcwuv0cJRSC83NN2AFyu1QKBgQDRJzKIBQlpprF9rA0D5ZjLVW4OH18A0Mmm
-+oanw7qVutBaM4taFN4M851WnNIROyYIlkk2fNgW57Y4M8LER4zLrjU5HY4lB0BMX
-+LQWDbyz4Y7L4lVnnEKfQxWFt9avNZwiCxCxEKy/n/icmVCzc91j9uwKcupdzrN6E
-+yzPd1s5y4wKBgQCkJvzmAdsOp9/Fg1RFWcgmIWHvrzBXl+U+ceLveZf1j9K5nYJ7
-+2OBGer4iH1XM1I+2M4No5XcWHg3L4FEdDixY0wXHT6Y/CcThS+015Kqmq3fBmyrc
-+RNjzQoF9X5/QkSmkAIx1kvpgXtcgw70htRIrToGSUpKzDKDW6NYXhbA+PQKBgDJK
-+KH5IJ8E9kYPUMLT1Kc4KVpISvPcnPLVSPdhuqVx69MkfadFSTb4BKbkwiXegQCjk
-+isFzbeEM25EE9q6EYKP+sAm+RyyJ6W0zKBY4TynSXyAiWSGUAaXTL+AOqCaVVZiL
-+rtEdSUGQ/LzclIT0/HLV2oTw4KWxtTdc3LXEhpNdAoGBAM3LckiHENqtoeK2gVNw
-+IPeEuruEqoN4n+XltbEEv6Ymhxrs6T6HSKsEsLhqsUiIvIzH43KMm45SNYTn5eZh
-+yzYMXLmervN7c1jJe2Y2MYv6hE+Ypj1xGW4w7s8WNKmVzLv97beisD9AZrS7sXfF
-+RvOAi5wVkYylDxV4238MAZIq
-+-----END PRIVATE KEY-----
- -----BEGIN CERTIFICATE-----
--MIICizCCAfSgAwIBAgIJAMtotfHYdEsVMA0GCSqGSIb3DQEBBQUAMEQxCzAJBgNV
--BAYTAlVLMRYwFAYDVQQKEw1PcGVuU1NMIEdyb3VwMR0wGwYDVQQDExRUZXN0IFMv
--TUlNRSBSU0EgUm9vdDAeFw0wODAyMjIxMzUzMDlaFw0xNjA1MTAxMzUzMDlaMEUx
-+MIIDbDCCAlSgAwIBAgIJANk5lu6mSyBCMA0GCSqGSIb3DQEBBQUAMEQxCzAJBgNV
-+BAYTAlVLMRYwFAYDVQQKDA1PcGVuU1NMIEdyb3VwMR0wGwYDVQQDDBRUZXN0IFMv
-+TUlNRSBSU0EgUm9vdDAeFw0xMzA3MTcxNzI4MzBaFw0yMzA1MjYxNzI4MzBaMEUx
- CzAJBgNVBAYTAlVLMRYwFAYDVQQKDA1PcGVuU1NMIEdyb3VwMR4wHAYDVQQDDBVU
--ZXN0IFMvTUlNRSBFRSBSU0EgIzMwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGB
--ALqzJNm1k17WFFJwVzg9RXJUuyvv4LUcMhmc4ebAWgtrJfpEfDJ6n9OR3CI8ed6Z
--Uu7C+lKMswtmRfL8nvriRIcms15WXdS+YJUI6bjSEC0rX4Xf2kyHymGRs88PuL6H
--Crj9Wzv2jjqfPBtUqbOChkEmFn5yh26NRJgzcuMnhqr7AgMBAAGjgYMwgYAwHQYD
--VR0OBBYEFDsSFjNtYZzd0tTHafNS7tneQQj6MB8GA1UdIwQYMBaAFBPPS6e7iS6z
--OFcXdsabrWhb5e0XMAwGA1UdEwEB/wQCMAAwDgYDVR0PAQH/BAQDAgXgMCAGA1Ud
--EQQZMBeBFXNtaW1lcnNhM0BvcGVuc3NsLm9yZzANBgkqhkiG9w0BAQUFAAOBgQBE
--tUDB+1Dqigu4p1xtdq7JRK6S+gfA7RWmhz0j2scb2zhpS12h37JLHsidGeKAzZYq
--jUjOrH/j3xcV5AnuJoqImJaN23nzzxtR4qGGX2mrq6EtObzdEGgCUaizsGM+0slJ
--PYxcy8KeY/63B1BpYhj2RjGkL6HrvuAaxVORa3acoA==
-+ZXN0IFMvTUlNRSBFRSBSU0EgIzMwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEK
-+AoIBAQCyK+BTAOJKJjjiOhY60NeZjzGGZxEBfCm62n0mwkzusW/V/e63uwj6uOVC
-+FoVBz5doMf3M6QIS2jL3Aw6Qs5+vcuLA0gHrqIwjYQz1UZ5ETLKLKbQw6YOIVfsF
-+STxytUVpfcByrubWiLKX63theG1/IVokDK/9/k52Kyt+wcCjuRb7AJQFj2OLDRuW
-+m/gavozkK103gQ+dUq4HXamZMtTq1EhQOfc0IUeCOEL6xz4jzlHHfzLdkvb7Enha
-+v2sXDfOmZp/DYf9IqS7lvFkkINPVbYFBTexaPZlFwmpGRjkmoyH/w+Jlcpzs+w6p
-+1diWRpaSn62bbkRN49j6L2dVb+DfAgMBAAGjYDBeMAwGA1UdEwEB/wQCMAAwDgYD
-+VR0PAQH/BAQDAgXgMB0GA1UdDgQWBBQ6CkW5sa6HrBsWvuPOvMjyL5AnsDAfBgNV
-+HSMEGDAWgBTJkVMKY3sWW4u9RPB2iKkk5uW2bDANBgkqhkiG9w0BAQUFAAOCAQEA
-+JhcrD7AKafVzlncA3cZ6epAruj1xwcfiE+EbuAaeWEGjoSltmevcjgoIxvijRVcp
-+sCbNmHJZ/siQlqzWjjf3yoERvLDqngJZZpQeocMIbLRQf4wgLAuiBcvT52wTE+sa
-+VexeETDy5J1OW3wE4A3rkdBp6hLaymlijFNnd5z/bP6w3AcIMWm45yPm0skM8RVr
-+O3UstEFYD/iy+p+Y/YZDoxYQSW5Vl+NkpGmc5bzet8gQz4JeXtH3z5zUGoDM4XK7
-+tXP3yUi2eecCbyjh/wgaQiVdylr1Kv3mxXcTl+cFO22asDkh0R/y72nTCu5fSILY
-+CscFo2Z2pYROGtZDmYqhRw==
- -----END CERTIFICATE-----
--- 
-2.8.1
-

Modified: openssl/branches/jessie/debian/patches/series
===================================================================
--- openssl/branches/jessie/debian/patches/series	2017-01-26 21:05:54 UTC (rev 887)
+++ openssl/branches/jessie/debian/patches/series	2017-01-26 21:12:45 UTC (rev 888)
@@ -19,16 +19,3 @@
 defaults.patch
 openssl_fix_for_x32.patch
 ppc64el.patch
-Update-S-MIME-certificates.patch
-Fix-name-length-limit-check.patch
-CVE-2016-2177.patch
-CVE-2016-2178.patch
-CVE-2016-2179.patch
-CVE-2016-2180.patch
-CVE-2016-2181.patch
-CVE-2016-2182.patch
-CVE-2016-2183.patch
-CVE-2016-6302.patch
-CVE-2016-6303.patch
-CVE-2016-6304.patch
-CVE-2016-6306.patch



