stub in initial libtls standalone tree

.gitignore

@@ -63,34 +63,30 @@ tests/*.txt
 # ctags stuff
 TAGS
 
-## The initial / makes these files only get ignored in particular directories.
-/autom4te.cache
+autom4te.cache
 
 # Libtool adds these, at least sometimes
 INSTALL
-/m4/libtool.m4
-/m4/ltoptions.m4
-/m4/ltsugar.m4
-/m4/ltversion.m4
-/m4/lt~obsolete.m4
+COPYING
+m4
 
-/aclocal.m4
-/compile
-/doxygen
-/config.guess
-/config.log
-/config.status
-/config.sub
-/configure
-/depcomp
-/config.h
-/config.h.in
-/install-sh
-/libtool
-/ltmain.sh
-/missing
-/stamp-h1
-/stamp-h2
+aclocal.m4
+compile
+doxygen
+config.guess
+config.log
+config.status
+config.sub
+configure
+depcomp
+config.h
+config.h.in
+install-sh
+libtool
+ltmain.sh
+missing
+stamp-h1
+stamp-h2
 
 include/openssl/Makefile.am
 
@@ -106,97 +102,31 @@ include/pqueue.h
 include/tls.h
 include/openssl/*.h
 include/openssl/*.he
-apps/*.h
-apps/*.c
-apps/openssl
-apps/openssl.cnf
-!apps/apps_win.c
-!apps/poll_win.c
-!apps/certhash_disabled.c
 
-crypto/compat/arc4random.c
-crypto/compat/chacha_private.h
-crypto/compat/explicit_bzero.c
-crypto/compat/getentropy_*.c
-crypto/compat/reallocarray.c
-crypto/compat/strlcat.c
-crypto/compat/strlcpy.c
-crypto/compat/strndup.c
-crypto/compat/strnlen.c
-crypto/compat/timingsafe_bcmp.c
-crypto/compat/timingsafe_memcmp.c
-crypto/compat/arc4random_*.h
+/apps/*.h
+/apps/*.c
+/apps/openssl
+/apps/openssl.cnf
+!/apps/apps_win.c
+!/apps/poll_win.c
+!/apps/certhash_disabled.c
+
+/crypto
+!/crypto/Makefile.am.*
+!/crypto/compat/arc4random.h
+!/crypto/compat/b_win.c
+!/crypto/compat/bsd_asprintf.c
+!/crypto/compat/ui_openssl_win.c
+
+/libtls-standalone/include/*.h
+/libtls-standalone/src/*.c
+/libtls-standalone/src/*.h
+/libtls-standalone/src/compat
 
-crypto/aes/
-crypto/asn1/
-crypto/bf/
-crypto/bio/
-crypto/bn/
-crypto/buffer/
-crypto/camellia/
-crypto/cast/
-crypto/camellia/
-crypto/chacha/
-crypto/cmac/
-crypto/comp/
-crypto/conf/
-crypto/cpt_err.c
-crypto/cryptlib.c
-crypto/cryptlib.h
-crypto/cversion.c
-crypto/des/
-crypto/dh/
-crypto/dsa/
-crypto/dso/
-crypto/ec/
-crypto/ecdh/
-crypto/ecdsa/
-crypto/engine/
-crypto/err/
-crypto/evp/
-crypto/ex_data.c
-crypto/gost/
-crypto/hmac/
-crypto/idea/
-crypto/krb5/
-crypto/lhash/
-crypto/malloc-wrapper.c
-crypto/md32_common.h
-crypto/md4/
-crypto/md5/
-crypto/mdc2/
-crypto/mem_clr.c
-crypto/mem_dbg.c
-crypto/modes/
-crypto/o_init.c
-crypto/o_str.c
-crypto/o_time.c
-crypto/o_time.h
-crypto/objects
-crypto/ocsp/
-crypto/pem/
-crypto/pkcs12/
-crypto/pkcs7/
-crypto/poly1305/
-crypto/pqueue/
-crypto/rand/
-crypto/rc2/
-crypto/rc4/
-crypto/ripemd/
-crypto/rsa/
-crypto/sha/
-crypto/stack/
-crypto/ts/
-crypto/txt_db/
-crypto/ui/
-crypto/whrlpool/
-crypto/x509/
-crypto/x509v3/
 openbsd/
+
 *.tar.gz
 apps/*.1*
 man/*.3
 man/*.1
 man/Makefile.am
-.gitmodules
-COPYING

libtls-standalone/Makefile.am

@@ -0,0 +1,7 @@
+SUBDIRS = include src
+ACLOCAL_AMFLAGS = -I m4
+
+pkgconfigdir = $(libdir)/pkgconfig
+pkgconfig_DATA = libtls.pc
+
+EXTRA_DIST = README VERSION

libtls-standalone/VERSION

@@ -0,0 +1 @@
+3:1:0

libtls-standalone/configure.ac

@@ -0,0 +1,254 @@
+AC_INIT([libtls], m4_esyscmd([tr -d '\n' < VERSION]))
+
+AC_CANONICAL_HOST
+AM_INIT_AUTOMAKE([subdir-objects])
+AC_CONFIG_MACRO_DIR([m4])
+
+m4_ifdef([AM_SILENT_RULES], [AM_SILENT_RULES([yes])])
+
+# This must be called before AC_PROG_CC
+USER_CFLAGS="$CFLAGS"
+
+AC_PROG_CC
+AC_PROG_CC_STDC
+AM_PROG_CC_C_O
+AC_PROG_LIBTOOL
+LT_INIT
+
+CFLAGS="$CFLAGS -Wall -std=gnu99"
+
+case $host_os in
+	*aix*)
+		HOST_OS=aix
+		if test "`echo $CC | cut -d ' ' -f 1`" != "gcc" ; then
+			CFLAGS="$USER_CFLAGS"
+		fi
+		;;
+	*cygwin*)
+		HOST_OS=cygwin
+		;;
+	*darwin*)
+		HOST_OS=darwin
+		HOST_ABI=macosx
+		;;
+	*freebsd*)
+		HOST_OS=freebsd
+		HOST_ABI=elf
+		;;
+	*hpux*)
+		HOST_OS=hpux;
+		if test "`echo $CC | cut -d ' ' -f 1`" = "gcc" ; then
+			CFLAGS="$CFLAGS -mlp64"
+		else
+			CFLAGS="-g -O2 +DD64 $USER_CFLAGS"
+		fi
+		CPPFLAGS="$CPPFLAGS -D_XOPEN_SOURCE=600 -D__STRICT_ALIGNMENT"
+		AC_SUBST([PLATFORM_LDADD], ['-lpthread'])
+		;;
+	*linux*)
+		HOST_OS=linux
+		HOST_ABI=elf
+		CPPFLAGS="$CPPFLAGS -D_DEFAULT_SOURCE -D_BSD_SOURCE -D_POSIX_SOURCE -D_GNU_SOURCE"
+		;;
+	*netbsd*)
+		HOST_OS=netbsd
+		CPPFLAGS="$CPPFLAGS -D_OPENBSD_SOURCE"
+		;;
+	*openbsd*)
+		HOST_ABI=elf
+		AC_DEFINE([HAVE_ATTRIBUTE__BOUNDED__], [1], [OpenBSD gcc has bounded])
+		;;
+	*mingw*)
+		HOST_OS=win
+		CPPFLAGS="$CPPFLAGS -D_GNU_SOURCE -D_POSIX -D_POSIX_SOURCE -D__USE_MINGW_ANSI_STDIO"
+		CPPFLAGS="$CPPFLAGS -D_REENTRANT -D_POSIX_THREAD_SAFE_FUNCTIONS"
+		CPPFLAGS="$CPPFLAGS -DWIN32_LEAN_AND_MEAN -D_WIN32_WINNT=0x0600"
+		CPPFLAGS="$CPPFLAGS -DOPENSSL_NO_SPEED -DNO_SYSLOG"
+		CFLAGS="$CFLAGS -static-libgcc"
+		LDFLAGS="$LDFLAGS -static-libgcc"
+		AC_SUBST([PLATFORM_LDADD], ['-lws2_32'])
+		;;
+	*solaris*)
+		HOST_OS=solaris
+		HOST_ABI=elf
+		CPPFLAGS="$CPPFLAGS -D__EXTENSIONS__ -D_XOPEN_SOURCE=600 -DBSD_COMP"
+		AC_SUBST([PLATFORM_LDADD], ['-lnsl -lsocket'])
+		;;
+	*) ;;
+esac
+
+AM_CONDITIONAL([HOST_AIX],     [test x$HOST_OS = xaix])
+AM_CONDITIONAL([HOST_CYGWIN],  [test x$HOST_OS = xcygwin])
+AM_CONDITIONAL([HOST_DARWIN],  [test x$HOST_OS = xdarwin])
+AM_CONDITIONAL([HOST_FREEBSD], [test x$HOST_OS = xfreebsd])
+AM_CONDITIONAL([HOST_HPUX],    [test x$HOST_OS = xhpux])
+AM_CONDITIONAL([HOST_LINUX],   [test x$HOST_OS = xlinux])
+AM_CONDITIONAL([HOST_NETBSD],  [test x$HOST_OS = xnetbsd])
+AM_CONDITIONAL([HOST_SOLARIS], [test x$HOST_OS = xsolaris])
+AM_CONDITIONAL([HOST_WIN],     [test x$HOST_OS = xwin])
+
+AC_MSG_CHECKING([if compiling with clang])
+AC_COMPILE_IFELSE([AC_LANG_PROGRAM([], [[
+#ifndef __clang__
+	not clang
+#endif
+	]])],
+	[CLANG=yes],
+	[CLANG=no]
+)
+AC_MSG_RESULT([$CLANG])
+AS_IF([test "x$CLANG" = "xyes"], [CLANG_FLAGS=-Qunused-arguments])
+
+CFLAGS="$CFLAGS $CLANG_FLAGS"
+LDFLAGS="$LDFLAGS $CLANG_FLAGS"
+
+# We want to check for compiler flag support. Prior to clang v5.1, there was no
+# way to make clang's "argument unused" warning fatal.  So we invoke the
+# compiler through a wrapper script that greps for this message.
+saved_CC="$CC"
+saved_LD="$LD"
+flag_wrap="$srcdir/scripts/wrap-compiler-for-flag-check"
+CC="$flag_wrap $CC"
+LD="$flag_wrap $LD"
+
+AC_ARG_ENABLE([hardening],
+	[AS_HELP_STRING([--disable-hardening],
+			[Disable options to frustrate memory corruption exploits])],
+	[], [enable_hardening=yes])
+
+AC_ARG_ENABLE([windows-ssp],
+	[AS_HELP_STRING([--enable-windows-ssp],
+			[Enable building the stack smashing protection on
+			 Windows. This currently distributing libssp-0.dll.])])
+
+AC_DEFUN([CHECK_CFLAG], [
+	 AC_LANG_ASSERT(C)
+	 AC_MSG_CHECKING([if $saved_CC supports "$1"])
+	 old_cflags="$CFLAGS"
+	 CFLAGS="$1 -Wall -Werror"
+	 AC_TRY_LINK([
+		      #include <stdio.h>
+		      ],
+		     [printf("Hello")],
+		     AC_MSG_RESULT([yes])
+		     CFLAGS=$old_cflags
+		     HARDEN_CFLAGS="$HARDEN_CFLAGS $1",
+		     AC_MSG_RESULT([no])
+		     CFLAGS=$old_cflags
+		     [$2])
+])
+
+AC_DEFUN([CHECK_LDFLAG], [
+	 AC_LANG_ASSERT(C)
+	 AC_MSG_CHECKING([if $saved_LD supports "$1"])
+	 old_ldflags="$LDFLAGS"
+	 LDFLAGS="$1 -Wall -Werror"
+	 AC_TRY_LINK([
+		      #include <stdio.h>
+		      ],
+		     [printf("Hello")],
+		     AC_MSG_RESULT([yes])
+		     LDFLAGS=$old_ldflags
+		     HARDEN_LDFLAGS="$HARDEN_LDFLAGS $1",
+		     AC_MSG_RESULT([no])
+		     LDFLAGS=$old_ldflags
+		     [$2])
+])
+
+AS_IF([test "x$enable_hardening" = "xyes"], [
+	# Tell GCC to NOT optimize based on signed arithmetic overflow
+	CHECK_CFLAG([[-fno-strict-overflow]])
+
+	# _FORTIFY_SOURCE replaces builtin functions with safer versions.
+	CHECK_CFLAG([[-D_FORTIFY_SOURCE=2]])
+
+	# Enable read only relocations
+	CHECK_LDFLAG([[-Wl,-z,relro]])
+	CHECK_LDFLAG([[-Wl,-z,now]])
+
+	# Windows security flags
+	AS_IF([test "x$HOST_OS" = "xwin"], [
+		CHECK_LDFLAG([[-Wl,--nxcompat]])
+		CHECK_LDFLAG([[-Wl,--dynamicbase]])
+		CHECK_LDFLAG([[-Wl,--high-entropy-va]])
+	])
+
+	# Use stack-protector-strong if available; if not, fallback to
+	# stack-protector-all which is considered to be overkill
+	AS_IF([test "x$enable_windows_ssp" = "xyes" -o "x$HOST_OS" != "xwin"], [
+		CHECK_CFLAG([[-fstack-protector-strong]],
+			CHECK_CFLAG([[-fstack-protector-all]],
+				AC_MSG_WARN([compiler does not appear to support stack protection])
+			)
+		)
+		AS_IF([test "x$HOST_OS" = "xwin"], [
+			AC_SEARCH_LIBS([__stack_chk_guard],[ssp])
+		])
+	])
+])
+
+
+# Restore CC, LD
+CC="$saved_CC"
+LD="$saved_LD"
+
+CFLAGS="$CFLAGS $HARDEN_CFLAGS"
+LDFLAGS="$LDFLAGS $HARDEN_LDFLAGS"
+
+# Removing the dependency on -Wno-pointer-sign should be a goal
+save_cflags="$CFLAGS"
+CFLAGS=-Wno-pointer-sign
+AC_MSG_CHECKING([whether CC supports -Wno-pointer-sign])
+AC_COMPILE_IFELSE([AC_LANG_PROGRAM([])],
+	[AC_MSG_RESULT([yes])]
+	[AM_CFLAGS=-Wno-pointer-sign],
+	[AC_MSG_RESULT([no])]
+)
+CFLAGS="$save_cflags $AM_CFLAGS"
+
+save_cflags="$CFLAGS"
+CFLAGS=
+AC_MSG_CHECKING([whether AS supports .note.GNU-stack])
+AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
+__asm__(".section .note.GNU-stack,\"\",@progbits");]])],
+	[AC_MSG_RESULT([yes])]
+	[AM_CFLAGS=-DHAVE_GNU_STACK],
+	[AC_MSG_RESULT([no])]
+)
+CFLAGS="$save_cflags $AM_CFLAGS"
+AM_PROG_AS
+
+AC_CHECK_FUNCS([explicit_bzero strsep])
+AM_CONDITIONAL([HAVE_EXPLICIT_BZERO], [test "x$ac_cv_func_explicit_bzero" = xyes])
+AM_CONDITIONAL([HAVE_STRSEP], [test "x$ac_cv_func_strsep" = xyes])
+
+#AC_CHECK_FUNCS([arc4random_buf asprintf explicit_bzero funopen getauxval])
+#AC_CHECK_FUNCS([getentropy memmem poll reallocarray])
+#AC_CHECK_FUNCS([strlcat strlcpy strndup strnlen strtonum])
+#AC_CHECK_FUNCS([symlink])
+#AC_CHECK_FUNCS([timingsafe_bcmp timingsafe_memcmp])
+#
+## Share test results with automake
+#AM_CONDITIONAL([HAVE_ARC4RANDOM_BUF], [test "x$ac_cv_func_arc4random_buf" = xyes])
+#AM_CONDITIONAL([HAVE_ASPRINTF], [test "x$ac_cv_func_asprintf" = xyes])
+#AM_CONDITIONAL([HAVE_GETENTROPY], [test "x$ac_cv_func_getentropy" = xyes])
+#AM_CONDITIONAL([HAVE_MEMMEM], [test "x$ac_cv_func_memmem" = xyes])
+#AM_CONDITIONAL([HAVE_POLL], [test "x$ac_cv_func_poll" = xyes])
+#AM_CONDITIONAL([HAVE_REALLOCARRAY], [test "x$ac_cv_func_reallocarray" = xyes])
+#AM_CONDITIONAL([HAVE_STRLCAT], [test "x$ac_cv_func_strlcat" = xyes])
+#AM_CONDITIONAL([HAVE_STRLCPY], [test "x$ac_cv_func_strlcpy" = xyes])
+#AM_CONDITIONAL([HAVE_STRNDUP], [test "x$ac_cv_func_strndup" = xyes])
+#AM_CONDITIONAL([HAVE_STRNLEN], [test "x$ac_cv_func_strnlen" = xyes])
+#AM_CONDITIONAL([HAVE_STRTONUM], [test "x$ac_cv_func_strtonum" = xyes])
+#AM_CONDITIONAL([HAVE_TIMINGSAFE_BCMP], [test "x$ac_cv_func_timingsafe_bcmp" = xyes])
+#AM_CONDITIONAL([HAVE_TIMINGSAFE_MEMCMP], [test "x$ac_cv_func_timingsafe_memcmp" = xyes])
+#AM_CONDITIONAL([BUILD_CERTHASH], [test "x$ac_cv_func_symlink" = xyes])
+
+AC_CONFIG_FILES([
+	Makefile
+	include/Makefile
+	src/Makefile
+	libtls.pc
+])
+
+AC_OUTPUT

libtls-standalone/include/Makefile.am

@@ -0,0 +1,27 @@
+#noinst_HEADERS = err.h
+#noinst_HEADERS += netdb.h
+#noinst_HEADERS += poll.h
+#noinst_HEADERS += pqueue.h
+#noinst_HEADERS += stdio.h
+#noinst_HEADERS += stdlib.h
+#noinst_HEADERS += string.h
+#noinst_HEADERS += syslog.h
+#noinst_HEADERS += unistd.h
+#noinst_HEADERS += win32netcompat.h
+#
+#noinst_HEADERS += arpa/inet.h
+#
+#noinst_HEADERS += machine/endian.h
+#
+#noinst_HEADERS += netinet/in.h
+#noinst_HEADERS += netinet/tcp.h
+#
+#noinst_HEADERS += sys/ioctl.h
+#noinst_HEADERS += sys/mman.h
+#noinst_HEADERS += sys/select.h
+#noinst_HEADERS += sys/socket.h
+#noinst_HEADERS += sys/times.h
+#noinst_HEADERS += sys/types.h
+#noinst_HEADERS += sys/uio.h
+
+include_HEADERS = tls.h

libtls-standalone/include/string.h

@@ -0,0 +1,28 @@
+/*
+ * Public domain
+ * string.h compatibility shim
+ */
+
+#include_next <string.h>
+
+#ifndef LIBCRYPTOCOMPAT_STRING_H
+#define LIBCRYPTOCOMPAT_STRING_H
+
+#include <sys/types.h>
+
+#if defined(__sun) || defined(__hpux)
+/* Some functions historically defined in string.h were placed in strings.h by
+ * SUS. Use the same hack as OS X and FreeBSD use to work around on Solaris and HPUX.
+ */
+#include <strings.h>
+#endif
+
+#ifndef HAVE_EXPLICIT_BZERO
+void explicit_bzero(void *, size_t);
+#endif
+
+#ifndef HAVE_STRSEP
+char *strsep(char **stringp, const char *delim);
+#endif
+
+#endif

libtls-standalone/libtls.pc.in

@@ -0,0 +1,16 @@
+#libtls pkg-config source file
+
+prefix=@prefix@
+exec_prefix=@exec_prefix@
+libdir=@libdir@
+includedir=@includedir@
+
+Name: LibreSSL-libtls
+Description: Secure communications using the TLS socket protocol.
+Version: @LIBTLS_VERSION@
+Requires:
+Requires.private: libcrypto libssl
+Conflicts:
+Libs: -L${libdir} -ltls
+Libs.private: @LIBS@ -lcrypto -lssl
+Cflags: -I${includedir}

libtls-standalone/src/Makefile.am

@@ -0,0 +1,18 @@
+AM_CFLAGS = -I$(top_srcdir)/include
+
+lib_LTLIBRARIES = libtls.la
+
+libtls_la_LDFLAGS = -no-undefined
+libtls_la_LIBADD = -lcrypto -lssl $(PLATFORM_LDADD)
+
+libtls_la_SOURCES = tls.c
+libtls_la_SOURCES += tls_client.c
+libtls_la_SOURCES += tls_config.c
+libtls_la_SOURCES += tls_server.c
+libtls_la_SOURCES += tls_util.c
+libtls_la_SOURCES += tls_verify.c
+noinst_HEADERS = tls_internal.h
+
+if !HAVE_STRSEP
+libtls_la_SOURCES += strsep.c
+endif

tls/Makefile.am

@@ -1,11 +1,9 @@
-include $(top_srcdir)/Makefile.am.common
+AM_CFLAGS = -I$(top_srcdir)/include
 
 lib_LTLIBRARIES = libtls.la
 
-EXTRA_DIST = VERSION
-
-libtls_la_LDFLAGS = -version-info @LIBTLS_VERSION@ -no-undefined
-libtls_la_LIBADD = ../crypto/libcrypto.la ../ssl/libssl.la $(PLATFORM_LDADD)
+libtls_la_LDFLAGS = -no-undefined
+libtls_la_LIBADD = -lcrypto -lssl $(PLATFORM_LDADD)
 
 libtls_la_SOURCES = tls.c
 libtls_la_SOURCES += tls_client.c

update.sh

@@ -43,6 +43,7 @@ source $libtls_src/shlib_version
 libtls_version=$major:$minor:0
 echo "libtls version $libtls_version"
 echo $libtls_version > tls/VERSION
+echo $libtls_version > libtls-standalone/VERSION
 
 do_mv() {
 	if ! cmp -s "$1" "$2"
@@ -62,6 +63,7 @@ $CP $libssl_src/src/crypto/opensslfeatures.h include/openssl
 $CP $libssl_src/src/e_os2.h include/openssl
 $CP $libssl_src/src/ssl/pqueue.h include
 $CP $libtls_src/tls.h include
+$CP $libtls_src/tls.h libtls-standalone/include
 
 for i in explicit_bzero.c strlcpy.c strlcat.c strndup.c strnlen.c \
 		timingsafe_bcmp.c timingsafe_memcmp.c; do
@@ -73,6 +75,9 @@ $CP $libc_src/crypt/chacha_private.h crypto/compat
 $CP $libcrypto_src/crypto/getentropy_*.c crypto/compat
 $CP $libcrypto_src/crypto/arc4random_*.h crypto/compat
 
+$CP $libcrypto_src/crypto/getentropy_*.c libtls-standalone/src/compat
+$CP $libcrypto_src/crypto/arc4random_*.h libtls-standalone/src/compat
+
 (cd $libssl_src/src/crypto/objects/;
 	perl objects.pl objects.txt obj_mac.num obj_mac.h;
 	perl obj_dat.pl obj_mac.h obj_dat.h )
@@ -166,14 +171,15 @@ done
 
 # copy libtls source
 echo copying libtls source
-rm -f tls/*.c tls/*.h
+rm -f tls/*.c tls/*.h libtls/src/*.c libtls/src/*.h
 for i in `awk '/SOURCES|HEADERS/ { print $3 }' tls/Makefile.am` ; do
 	if [ -e $libtls_src/$i ]; then
 		$CP $libtls_src/$i tls
-	else
-		$CP $libc_src/string/$i tls
+		$CP $libtls_src/$i libtls-standalone/src
 	fi
 done
+$CP $libc_src/string/strsep.c tls
+$CP $libc_src/string/strsep.c libtls-standalone/src/compat
 
 # copy openssl(1) source
 echo "copying openssl(1) source"