remove duplicate entry

Primarily this is to select whether 'lib64' or 'lib' is used on linux type systems.

CMakeLists.txt

@@ -4,8 +4,9 @@ include(CheckLibraryExists)
 include(CheckIncludeFiles)
 include(CheckTypeSize)
 
-set(CMAKE_MODULE_PATH "${CMAKE_SOURCE_DIR}" ${CMAKE_MODULE_PATH})
+set(CMAKE_MODULE_PATH "${CMAKE_CURRENT_SOURCE_DIR}" ${CMAKE_MODULE_PATH})
 include(cmake_export_symbol)
+include(GNUInstallDirs)
 
 project (LibreSSL C)
 

ChangeLog

@@ -28,7 +28,43 @@ history is also available from Git.
 
 LibreSSL Portable Release Notes:
 
-2.5.2 - OpenBSD 6.1 Release
+2.5.5 - Bug fixes
+
+	* Distinguish between self-issued certificates and self-signed
+	  certificates. The certificate verification code has special cases
+	  for self-signed certificates and without this change, self-issued
+	  certificates (which it seems are common place with
+	  openvpn/easyrsa) were also being included in this category.
+
+	* Added getpagesize fallback, needed for Android bionic libc.
+
+2.5.4 - Security Updates
+
+	* Revert a previous change that forced consistency between return
+	  value and error code when specifing a certificate verification
+	  callback, since this breaks the documented API. When a user supplied
+	  callback always returns 1, and later code checks the error code to
+	  potentially abort post verification, this will result in incorrect
+	  successul certificate verification.
+
+	* Switched Linux getrandom() usage to non-blocking mode, continuing to
+	  use fallback mechanims if unsuccessful. This works around a design
+	  flaw in Linux getrandom(2) where early boot usage in a library makes
+	  it impossible to recover if getrandom(2) is not yet initialized.
+
+	* Fixed a bug caused by the return value being set early to signal
+	  successful DTLS cookie validation. This can mask a later failure and
+	  result in a positive return value being returned from
+	  ssl3_get_client_hello(), when it should return a negative value to
+	  propagate the error.
+
+	* Fixed a build error on non-x86/x86_64 systems running Solaris.
+
+2.5.3 - OpenBSD 6.1 Release
+
+	* Documentation updates
+
+	* Improved ocspcheck(1) error handling
 
 2.5.2 - Security features and bugfixes
 

OPENBSD_BRANCH

@@ -1 +1 @@
-master
+OPENBSD_6_1

apps/nc/CMakeLists.txt

@@ -53,8 +53,8 @@ add_executable(nc ${NC_SRC})
 target_link_libraries(nc tls ${OPENSSL_LIBS})
 
 if(ENABLE_NC)
-	install(TARGETS nc DESTINATION bin)
-	install(FILES nc.1 DESTINATION share/man/man1)
+	install(TARGETS nc DESTINATION ${CMAKE_INSTALL_BINDIR})
+	install(FILES nc.1 DESTINATION ${CMAKE_INSTALL_MANDIR}/man1)
 endif()
 
 endif()

apps/nc/Makefile.am

@@ -4,6 +4,7 @@ if BUILD_NC
 
 if ENABLE_NC
 bin_PROGRAMS = nc
+dist_man_MANS = nc.1
 else
 noinst_PROGRAMS = nc
 endif

apps/ocspcheck/CMakeLists.txt

@@ -36,7 +36,7 @@ endif()
 add_executable(ocspcheck ${OCSPCHECK_SRC})
 target_link_libraries(ocspcheck tls ${OPENSSL_LIBS})
 
-install(TARGETS ocspcheck DESTINATION bin)
-install(FILES ocspcheck.8 DESTINATION share/man/man8)
+install(TARGETS ocspcheck DESTINATION ${CMAKE_INSTALL_BINDIR})
+install(FILES ocspcheck.8 DESTINATION ${CMAKE_INSTALL_MANDIR}/man8)
 
 endif()

apps/openssl/CMakeLists.txt

@@ -76,8 +76,8 @@ endif()
 add_executable(openssl ${OPENSSL_SRC})
 target_link_libraries(openssl ${OPENSSL_LIBS})
 
-install(TARGETS openssl DESTINATION bin)
-install(FILES openssl.1 DESTINATION share/man/man1)
+install(TARGETS openssl DESTINATION ${CMAKE_INSTALL_BINDIR})
+install(FILES openssl.1 DESTINATION ${CMAKE_INSTALL_MANDIR}/man1)
 
 if(NOT "${OPENSSLDIR}" STREQUAL "")
 	set(CONF_DIR "${OPENSSLDIR}")

crypto/CMakeLists.txt

@@ -823,9 +823,9 @@ if (BUILD_SHARED)
 		ARCHIVE_OUTPUT_NAME crypto${CRYPTO_POSTFIX})
 	set_target_properties(crypto-shared PROPERTIES VERSION
 		${CRYPTO_VERSION} SOVERSION ${CRYPTO_MAJOR_VERSION})
-	install(TARGETS crypto crypto-shared DESTINATION lib)
+	install(TARGETS crypto crypto-shared DESTINATION ${CMAKE_INSTALL_LIBDIR})
 else()
 	add_library(crypto STATIC ${CRYPTO_SRC})
-	install(TARGETS crypto DESTINATION lib)
+	install(TARGETS crypto DESTINATION ${CMAKE_INSTALL_LIBDIR})
 endif()
 

crypto/Makefile.am

@@ -15,7 +15,10 @@ EXTRA_DIST += crypto.sym
 # needed for a CMake target
 EXTRA_DIST += compat/strcasecmp.c
 
-libcrypto_la_LDFLAGS = -version-info @LIBCRYPTO_VERSION@ -no-undefined -export-symbols $(top_srcdir)/crypto/crypto_portable.sym
+BUILT_SOURCES = crypto_portable.sym
+CLEANFILES = crypto_portable.sym
+
+libcrypto_la_LDFLAGS = -version-info @LIBCRYPTO_VERSION@ -no-undefined -export-symbols crypto_portable.sym
 libcrypto_la_LIBADD = libcompat.la
 if !HAVE_EXPLICIT_BZERO
 libcrypto_la_LIBADD += libcompatnoopt.la

crypto/compat/getpagesize.c

@@ -1,12 +1,18 @@
 /* $OpenBSD$ */
 
 #include <unistd.h>
+
+#ifdef _MSC_VER
 #include <windows.h>
+#endif
 
 int
-getpagesize(void)
-{
+getpagesize(void) {
+#ifdef _MSC_VER
 	SYSTEM_INFO system_info;
 	GetSystemInfo(&system_info);
 	return system_info.dwPageSize;
+#else
+	return sysconf(_SC_PAGESIZE);
+#endif
 }

dist.sh

@@ -4,4 +4,4 @@ set -e
 rm -f man/*.1 man/*.3 include/openssl/*.h
 ./autogen.sh
 ./configure
-make distcheck
+make -j2 distcheck

include/CMakeLists.txt

@@ -1,5 +1,5 @@
 install(DIRECTORY .
-        DESTINATION include
+        DESTINATION ${CMAKE_INSTALL_INCLUDEDIR}
         PATTERN "CMakeLists.txt" EXCLUDE
         PATTERN "compat" EXCLUDE
         PATTERN "Makefile*" EXCLUDE)

libcrypto.pc.in

@@ -5,8 +5,8 @@ exec_prefix=@exec_prefix@
 libdir=@libdir@
 includedir=@includedir@
 
-Name: LibreSSL-libssl
-Description: Secure Sockets Layer and cryptography libraries
+Name: LibreSSL-libcrypto
+Description: LibreSSL cryptography library
 Version: @VERSION@
 Requires:
 Conflicts:

m4/check-libc.m4

@@ -149,10 +149,16 @@ fi
 ])
 
 AC_DEFUN([GENERATE_CRYPTO_PORTABLE_SYM], [
+AS_CASE([$host_cpu],
+	[i?86], [HOSTARCH=intel],
+	[x86_64], [HOSTARCH=intel],
+	[amd64], [HOSTARCH=intel],
+)
+AC_SUBST([HOSTARCH])
 crypto_sym=$srcdir/crypto/crypto.sym
-crypto_p_sym=$srcdir/crypto/crypto_portable.sym
+crypto_p_sym=./crypto/crypto_portable.sym
 echo "generating $crypto_p_sym ..."
-chmod u+w $srcdir/crypto
+mkdir -p ./crypto
 cp $crypto_sym $crypto_p_sym
 chmod u+w $crypto_p_sym
 if test "x$ac_cv_func_arc4random_buf" = "xno" ; then
@@ -203,6 +209,9 @@ fi
 if test "x$ac_cv_func_timingsafe_memcmp" = "xno" ; then
 	echo timingsafe_memcmp >> $crypto_p_sym
 fi
+if test "x$HOSTARCH" = "xintel" ; then
+	echo OPENSSL_ia32cap_P >> $crypto_p_sym
+fi
 if test "x$HOST_OS" = "xwin" ; then
 	echo posix_perror >> $crypto_p_sym
 	echo posix_fopen >> $crypto_p_sym

m4/check-os-options.m4

@@ -106,8 +106,6 @@ char buf[1]; getentropy(buf, 1);
 		CPPFLAGS="$CPPFLAGS -D_REENTRANT -D_POSIX_THREAD_SAFE_FUNCTIONS"
 		CPPFLAGS="$CPPFLAGS -DWIN32_LEAN_AND_MEAN -D_WIN32_WINNT=0x0501"
 		CPPFLAGS="$CPPFLAGS -DOPENSSL_NO_SPEED"
-		CFLAGS="$CFLAGS -static-libgcc"
-		LDFLAGS="$LDFLAGS -static-libgcc"
 		AC_SUBST([PLATFORM_LDADD], ['-lws2_32'])
 		;;
 	*solaris*)

man/CMakeLists.txt

@@ -1,9 +1,9 @@
 install(DIRECTORY .
-    DESTINATION share/man/man3
+    DESTINATION ${CMAKE_INSTALL_MANDIR}/man3
     FILES_MATCHING PATTERN "*.3"
     )
 
 install(DIRECTORY .
-    DESTINATION share/man/man1
+    DESTINATION ${CMAKE_INSTALL_MANDIR}/man1
     FILES_MATCHING PATTERN "*.1"
     )

man/links

@@ -50,6 +50,7 @@ ASN1_STRING_new.3,DISPLAYTEXT_free.3
 ASN1_STRING_new.3,DISPLAYTEXT_new.3
 ASN1_STRING_print_ex.3,ASN1_STRING_print.3
 ASN1_STRING_print_ex.3,ASN1_STRING_print_ex_fp.3
+ASN1_STRING_print_ex.3,ASN1_tag2str.3
 ASN1_TIME_set.3,ASN1_TIME_adj.3
 ASN1_TIME_set.3,ASN1_TIME_check.3
 ASN1_TIME_set.3,ASN1_TIME_print.3
@@ -146,6 +147,9 @@ BIO_new.3,BIO_free.3
 BIO_new.3,BIO_free_all.3
 BIO_new.3,BIO_set.3
 BIO_new.3,BIO_vfree.3
+BIO_printf.3,BIO_snprintf.3
+BIO_printf.3,BIO_vprintf.3
+BIO_printf.3,BIO_vsnprintf.3
 BIO_push.3,BIO_pop.3
 BIO_read.3,BIO_gets.3
 BIO_read.3,BIO_puts.3
@@ -298,6 +302,7 @@ BN_set_bit.3,BN_lshift1.3
 BN_set_bit.3,BN_mask_bits.3
 BN_set_bit.3,BN_rshift.3
 BN_set_bit.3,BN_rshift1.3
+BN_set_flags.3,BN_get_flags.3
 BN_set_negative.3,BN_is_negative.3
 BN_zero.3,BN_get_word.3
 BN_zero.3,BN_one.3
@@ -566,6 +571,7 @@ EVP_DigestInit.3,EVP_MD_CTX_cleanup.3
 EVP_DigestInit.3,EVP_MD_CTX_copy.3
 EVP_DigestInit.3,EVP_MD_CTX_copy_ex.3
 EVP_DigestInit.3,EVP_MD_CTX_create.3
+EVP_DigestInit.3,EVP_MD_CTX_ctrl.3
 EVP_DigestInit.3,EVP_MD_CTX_destroy.3
 EVP_DigestInit.3,EVP_MD_CTX_init.3
 EVP_DigestInit.3,EVP_MD_CTX_md.3
@@ -582,6 +588,7 @@ EVP_DigestInit.3,EVP_get_digestbynid.3
 EVP_DigestInit.3,EVP_get_digestbyobj.3
 EVP_DigestInit.3,EVP_md2.3
 EVP_DigestInit.3,EVP_md5.3
+EVP_DigestInit.3,EVP_md5_sha1.3
 EVP_DigestInit.3,EVP_md_null.3
 EVP_DigestInit.3,EVP_ripemd160.3
 EVP_DigestInit.3,EVP_sha1.3
@@ -1263,6 +1270,8 @@ SSL_load_client_CA_file.3,SSL_add_file_cert_subjects_to_stack.3
 SSL_num_renegotiations.3,SSL_clear_num_renegotiations.3
 SSL_num_renegotiations.3,SSL_total_renegotiations.3
 SSL_read.3,SSL_peek.3
+SSL_renegotiate.3,SSL_renegotiate_abbreviated.3
+SSL_renegotiate.3,SSL_renegotiate_pending.3
 SSL_rstate_string.3,SSL_rstate_string_long.3
 SSL_set1_param.3,SSL_CTX_set1_param.3
 SSL_set_connect_state.3,SSL_set_accept_state.3
@@ -1293,6 +1302,28 @@ TS_REQ_new.3,TS_STATUS_INFO_free.3
 TS_REQ_new.3,TS_STATUS_INFO_new.3
 TS_REQ_new.3,TS_TST_INFO_free.3
 TS_REQ_new.3,TS_TST_INFO_new.3
+UI_UTIL_read_pw.3,UI_UTIL_read_pw_string.3
+UI_create_method.3,UI_destroy_method.3
+UI_create_method.3,UI_method_get_closer.3
+UI_create_method.3,UI_method_get_flusher.3
+UI_create_method.3,UI_method_get_opener.3
+UI_create_method.3,UI_method_get_prompt_constructor.3
+UI_create_method.3,UI_method_get_reader.3
+UI_create_method.3,UI_method_get_writer.3
+UI_create_method.3,UI_method_set_closer.3
+UI_create_method.3,UI_method_set_flusher.3
+UI_create_method.3,UI_method_set_opener.3
+UI_create_method.3,UI_method_set_prompt_constructor.3
+UI_create_method.3,UI_method_set_reader.3
+UI_create_method.3,UI_method_set_writer.3
+UI_get_string_type.3,UI_get0_action_string.3
+UI_get_string_type.3,UI_get0_output_string.3
+UI_get_string_type.3,UI_get0_result_string.3
+UI_get_string_type.3,UI_get0_test_string.3
+UI_get_string_type.3,UI_get_input_flags.3
+UI_get_string_type.3,UI_get_result_maxsize.3
+UI_get_string_type.3,UI_get_result_minsize.3
+UI_get_string_type.3,UI_set_result.3
 UI_new.3,UI_OpenSSL.3
 UI_new.3,UI_add_error_string.3
 UI_new.3,UI_add_info_string.3
@@ -1427,6 +1458,11 @@ X509_VERIFY_PARAM_set_flags.3,X509_VERIFY_PARAM_set_trust.3
 X509_check_host.3,X509_check_email.3
 X509_check_host.3,X509_check_ip.3
 X509_check_host.3,X509_check_ip_asc.3
+X509_digest.3,PKCS7_ISSUER_AND_SERIAL_digest.3
+X509_digest.3,X509_CRL_digest.3
+X509_digest.3,X509_NAME_digest.3
+X509_digest.3,X509_REQ_digest.3
+X509_digest.3,X509_pubkey_digest.3
 X509_get_pubkey.3,X509_REQ_get_pubkey.3
 X509_get_pubkey.3,X509_REQ_set_pubkey.3
 X509_get_pubkey.3,X509_get_X509_PUBKEY.3
@@ -1931,6 +1967,13 @@ engine.3,ENGINE_unregister_STORE.3
 engine.3,ENGINE_unregister_ciphers.3
 engine.3,ENGINE_unregister_digests.3
 engine.3,ENGINE_up_ref.3
+get_rfc3526_prime_8192.3,get_rfc2409_prime_1024.3
+get_rfc3526_prime_8192.3,get_rfc2409_prime_768.3
+get_rfc3526_prime_8192.3,get_rfc3526_prime_1536.3
+get_rfc3526_prime_8192.3,get_rfc3526_prime_2048.3
+get_rfc3526_prime_8192.3,get_rfc3526_prime_3072.3
+get_rfc3526_prime_8192.3,get_rfc3526_prime_4096.3
+get_rfc3526_prime_8192.3,get_rfc3526_prime_6144.3
 lh_new.3,DECLARE_LHASH_OF.3
 lh_new.3,LHASH_COMP_FN_TYPE.3
 lh_new.3,LHASH_DOALL_ARG_FN_TYPE.3
@@ -1961,8 +2004,6 @@ tls_accept_socket.3,tls_accept_fds.3
 tls_client.3,tls_configure.3
 tls_client.3,tls_free.3
 tls_client.3,tls_server.3
-tls_config_ocsp_require_stapling.3,tls_config_set_ocsp_staple_file.3
-tls_config_ocsp_require_stapling.3,tls_config_set_ocsp_staple_mem.3
 tls_config_set_protocols.3,tls_config_parse_protocols.3
 tls_config_set_protocols.3,tls_config_prefer_ciphers_client.3
 tls_config_set_protocols.3,tls_config_prefer_ciphers_server.3
@@ -1994,6 +2035,8 @@ tls_init.3,tls_config_free.3
 tls_init.3,tls_config_new.3
 tls_load_file.3,tls_config_add_keypair_file.3
 tls_load_file.3,tls_config_add_keypair_mem.3
+tls_load_file.3,tls_config_add_keypair_ocsp_file.3
+tls_load_file.3,tls_config_add_keypair_ocsp_mem.3
 tls_load_file.3,tls_config_clear_keys.3
 tls_load_file.3,tls_config_set_ca_file.3
 tls_load_file.3,tls_config_set_ca_mem.3
@@ -2004,6 +2047,10 @@ tls_load_file.3,tls_config_set_key_file.3
 tls_load_file.3,tls_config_set_key_mem.3
 tls_load_file.3,tls_config_set_keypair_file.3
 tls_load_file.3,tls_config_set_keypair_mem.3
+tls_load_file.3,tls_config_set_keypair_ocsp_file.3
+tls_load_file.3,tls_config_set_keypair_ocsp_mem.3
+tls_load_file.3,tls_config_set_ocsp_staple_file.3
+tls_load_file.3,tls_config_set_ocsp_staple_mem.3
 tls_load_file.3,tls_config_set_verify_depth.3
 tls_load_file.3,tls_config_verify_client.3
 tls_load_file.3,tls_config_verify_client_optional.3

ssl/CMakeLists.txt

@@ -60,8 +60,8 @@ if (BUILD_SHARED)
 		ARCHIVE_OUTPUT_NAME ssl${SSL_POSTFIX})
 	set_target_properties(ssl-shared PROPERTIES VERSION ${SSL_VERSION}
 		SOVERSION ${SSL_MAJOR_VERSION})
-	install(TARGETS ssl ssl-shared DESTINATION lib)
+	install(TARGETS ssl ssl-shared DESTINATION ${CMAKE_INSTALL_LIBDIR})
 else()
 	add_library(ssl STATIC ${SSL_SRC})
-	install(TARGETS ssl DESTINATION lib)
+	install(TARGETS ssl DESTINATION ${CMAKE_INSTALL_LIBDIR})
 endif()

tls/CMakeLists.txt

@@ -39,9 +39,9 @@ if (BUILD_SHARED)
 		ARCHIVE_OUTPUT_NAME tls${TLS_POSTFIX})
 	set_target_properties(tls-shared PROPERTIES VERSION ${TLS_VERSION}
 		SOVERSION ${TLS_MAJOR_VERSION})
-	install(TARGETS tls tls-shared DESTINATION lib)
+	install(TARGETS tls tls-shared DESTINATION ${CMAKE_INSTALL_LIBDIR})
 else()
 	add_library(tls STATIC ${TLS_SRC})
-	install(TARGETS tls DESTINATION lib)
+	install(TARGETS tls DESTINATION ${CMAKE_INSTALL_LIBDIR})
 endif()
 

update.sh

@@ -151,7 +151,7 @@ done
 $CP crypto/compat/b_win.c crypto/bio
 $CP crypto/compat/ui_openssl_win.c crypto/ui
 # add the libcrypto symbol export list
-grep '^[[:alpha:]]' < $libcrypto_src/Symbols.list > crypto/crypto.sym
+grep -v OPENSSL_ia32cap_P $libcrypto_src/Symbols.list | grep '^[[:alpha:]]' > crypto/crypto.sym
 
 # generate assembly crypto algorithms
 asm_src=$libcrypto_src