update version and changelog for 2.1.9

The API/ABI for the LibreSSL 2.1.x series is now fixed, so we can safely
enable libtls it by default. This is useful for new OpenNTPD and
OpenSMTPD releases as well.

ok deraadt@ beck@ sthen@

ChangeLog

@@ -28,12 +28,75 @@ history is also available from Git.
 
 LibreSSL Portable Release Notes:
 
+This release primarily addresses a number of security issues in coordination
+with the OpenSSL project.
+
+2.1.9 - Reliability Update
+
+	* Fixes from OpenSSL 1.0.1q
+	 - CVE-2015-3194 - NULL pointer dereference in client side certificate
+	                   validation.
+	 - CVE-2015-3195 - Memory leak in PKCS7 - not reachable from TLS/SSL
+
+	* The following OpenSSL CVEs did not apply to LibreSSL
+	 - CVE-2015-3193 - Carry propagating bug in the x86_64 Montgomery squaring
+	                   procedure.
+	 - CVE-2015-3196 - Double free race condition of the identify hint data.
+
+	 See https://marc.info/?l=openbsd-announce&m=144925068504102
+
+2.1.8 - Security Update
+
+	* Fixes for a memory leak and out-of-bounds access in OBJ_obj2txt
+	  reported by Qualys Security.
+	 - CVE-2015-5333 - memory leak in OBJ_obj2txt
+	 - CVE-2015-5334 - 1-byte buffer overflow in OBJ_obj2txt
+
+	 See http://www.openwall.com/lists/oss-security/2015/10/16/1
+
+2.1.7 - Security Update
+
+	* Fixes for the following issues are integrated into LibreSSL 2.1.7:
+	 - CVE-2015-1788 - Malformed ECParameters causes infinite loop
+	 - CVE-2015-1789 - Exploitable out-of-bounds read in X509_cmp_time
+	 - CVE-2015-1792 - CMS verify infinite loop with unknown hash function
+
+	* The following CVEs did not apply to LibreSSL or were fixed in
+	  earlier releases:
+	 - CVE-2015-4000 - DHE man-in-the-middle protection (Logjam)
+	 - CVE-2015-1790 - PKCS7 crash with missing EnvelopedContent
+	 - CVE-2014-8176 - Invalid free in DTLS
+
+	* Fixes for the following CVEs are still in review for LibreSSL
+	 - CVE-2015-1791 - Race condition handling NewSessionTicket
+
+2.1.6 - Security update
+
+	* Fixes for the following issues are integrated into LibreSSL 2.1.6:
+	  - CVE-2015-0209 - Use After Free following d2i_ECPrivatekey error
+	  - CVE-2015-0286 - Segmentation fault in ASN1_TYPE_cmp
+	  - CVE-2015-0287 - ASN.1 structure reuse memory corruption
+	  - CVE-2015-0288 - X509_to_X509_REQ NULL pointer deref
+	  - CVE-2015-0289 - PKCS7 NULL pointer dereferences
+
+	* The fix for CVE-2015-0207 - Segmentation fault in DTLSv1_listen
+	  is integrated for safety, but LibreSSL is not vulnerable.
+
+	* Libtls is now built by default. The --enable-libtls
+	  configuration option is no longer required.
+	  The libtls API is now stable for the 2.1.x series.
+
 2.1.5 - Bug fixes and a security update
 	* Fix incorrect comparison function in openssl(1) certhash command.
+	  Thanks to Christian Neukirchen / Void Linux.
 
 	* Windows port improvements and bug fixes.
+	  - Removed a dependency on libgcc in 32-bit dynamic libraries.
+	  - Correct a hang in openssl(1) reading from stdin on an connection.
+	  - Initialize winsock in openssl(1) earlier, allow 'openssl ocsp' and
+	    any other network-related commands to function properly.
 
-	* Reject server DH keys smaller than 1024 bits.
+	* Reject all server DH keys smaller than 1024 bits.
 
 2.1.4 - Security and feature updates
 	* Improvements to libtls:

Makefile.am

@@ -2,10 +2,6 @@ SUBDIRS = crypto ssl tls include apps tests man
 ACLOCAL_AMFLAGS = -I m4
 
 pkgconfigdir = $(libdir)/pkgconfig
-pkgconfig_DATA = libcrypto.pc libssl.pc openssl.pc
-
-if ENABLE_LIBTLS
-pkgconfig_DATA += libtls.pc
-endif
+pkgconfig_DATA = libcrypto.pc libssl.pc libtls.pc openssl.pc
 
 EXTRA_DIST = README README.windows VERSION config scripts

OPENBSD_BRANCH

@@ -1 +1 @@
-master
+OPENBSD_5_7

VERSION

@@ -1 +1 @@
-2.1.5
+2.1.9

configure.ac

@@ -310,11 +310,6 @@ AM_CONDITIONAL([HOST_ASM_ELF_X86_64],
 AM_CONDITIONAL([HOST_ASM_MACOSX_X86_64],
     [test "x$HOST_ABI" = "xmacosx" -a "$host_cpu" = "x86_64" -a "x$enable_asm" != "xno"])
 
-AC_ARG_ENABLE([libtls],
-	AS_HELP_STRING([--enable-libtls], [Enable building the libtls library]))
-AM_CONDITIONAL([ENABLE_LIBTLS], [test "x$enable_libtls" = xyes])
-AM_COND_IF([ENABLE_LIBTLS], [AC_CONFIG_FILES([libtls.pc])])
-
 LT_INIT
 
 AC_CONFIG_FILES([
@@ -329,6 +324,7 @@ AC_CONFIG_FILES([
 	man/Makefile
 	libcrypto.pc
 	libssl.pc
+	libtls.pc
 	openssl.pc
 ])
 

dist-win.sh

@@ -22,7 +22,7 @@ for ARCH in X86 X64; do
 
 	echo Building for $HOST
 
-	CC=$HOST-gcc ./configure --host=$HOST --enable-libtls
+	CC=$HOST-gcc ./configure --host=$HOST
 	make clean
 	PATH=$PATH:/usr/$HOST/sys-root/mingw/bin \
 	   make -j 4 check

dist.sh

@@ -3,5 +3,5 @@ set -e
 
 rm -f man/*.1 man/*.3
 ./autogen.sh
-./configure --enable-libtls
+./configure
 make distcheck

gen-coverage-report.sh

@@ -20,7 +20,7 @@ find -name '*.gcda' -o -name '*.gcno' -delete
 rm -fr $DESTDIR
 
 echo "Configuring to build with code coverage support"
-./configure --enable-libtls CFLAGS='-O0 -fprofile-arcs -ftest-coverage'
+./configure CFLAGS='-O0 -fprofile-arcs -ftest-coverage'
 
 echo "Running all code paths"
 make clean

include/Makefile.am

@@ -28,6 +28,4 @@ noinst_HEADERS += sys/times.h
 noinst_HEADERS += sys/types.h
 noinst_HEADERS += sys/uio.h
 
-if ENABLE_LIBTLS
 include_HEADERS = tls.h
-endif

scripts/travis

@@ -4,7 +4,7 @@ set -e
 ./autogen.sh
 
 if [ "x$ARCH" = "xnative" ]; then
-	./configure --enable-libtls
+	./configure
 	if [ `uname` = "Darwin" ]; then
 		# OS X runs out of resources if we run 'make -j check'
 		make check
@@ -28,6 +28,6 @@ else
 		export PATH=$PATH:/opt/$ARCH/bin
 	fi
 
-	./configure --host=$CPU-w64-mingw32 --enable-libtls
+	./configure --host=$CPU-w64-mingw32
 	make -j
 fi

tls/Makefile.am

@@ -1,6 +1,5 @@
 include $(top_srcdir)/Makefile.am.common
 
-if ENABLE_LIBTLS
 lib_LTLIBRARIES = libtls.la
 
 EXTRA_DIST = VERSION
@@ -20,5 +19,3 @@ noinst_HEADERS = tls_internal.h
 if !HAVE_STRSEP
 libtls_la_SOURCES += strsep.c
 endif
-
-endif

update.sh

@@ -185,7 +185,7 @@ for i in `awk '/SOURCES|HEADERS/ { print $3 }' apps/Makefile.am` ; do
 	fi
 done
 # patch for openssl(1) oscp on windows
-(cd apps; patch -p5 < $CWD/patches/win_bio_sock_init.diff)
+(cd apps; patch -p4 < $CWD/patches/win_bio_sock_init.diff)
 
 # copy libssl source
 echo "copying libssl source"
@@ -304,9 +304,7 @@ echo "copying manpages"
 	$CP $openssl_app_src/openssl.1 .
 	echo "dist_man_MANS += openssl.1" >> Makefile.am
 	$CP $libtls_src/tls_init.3 .
-	echo "if ENABLE_LIBTLS" >> Makefile.am
 	echo "dist_man_MANS += tls_init.3" >> Makefile.am
-	echo "endif" >> Makefile.am
 
 	# convert remaining POD manpages
 	for i in `ls -1 $libssl_src/src/doc/crypto/*.pod | sort`; do
@@ -328,23 +326,19 @@ echo "copying manpages"
 		echo "	ln -f \$(DESTDIR)\$(mandir)/man3/$1 \\" >> Makefile.am
 		echo "    \$(DESTDIR)\$(mandir)/man3/$2" >> Makefile.am
 	done
-	echo "if ENABLE_LIBTLS" >> Makefile.am
 	for i in $TLS_MLINKS; do
 		IFS=","; set $i; unset IFS
 		echo "	ln -f \$(DESTDIR)\$(mandir)/man3/$1 \\" >> Makefile.am
 		echo "    \$(DESTDIR)\$(mandir)/man3/$2" >> Makefile.am
 	done
-	echo "endif" >> Makefile.am
 	echo "" >> Makefile.am
 	echo "uninstall-local:" >> Makefile.am
 	for i in $SSL_MLINKS; do
 		IFS=","; set $i; unset IFS
 		echo "	-rm -f \$(DESTDIR)\$(mandir)/man3/$2" >> Makefile.am
 	done
-	echo "if ENABLE_LIBTLS" >> Makefile.am
 	for i in $TLS_MLINKS; do
 		IFS=","; set $i; unset IFS
 		echo "	rm -f \$(DESTDIR)\$(mandir)/man3/$2" >> Makefile.am
 	done
-	echo "endif" >> Makefile.am
 )