update changelog

.gitignore

@@ -53,7 +53,6 @@ test-driver
 *.trs
 tests/aes_wrap*
 tests/arc4random_fork*
-tests/asn1evp*
 tests/asn1time*
 tests/cipher*
 tests/explicit_bzero*

CMakeLists.txt

@@ -107,23 +107,26 @@ if(MSVC)
 	message(STATUS "Using [${CMAKE_C_COMPILER_ID}] compiler")
 	if(CMAKE_C_COMPILER_ID MATCHES "MSVC")
 		set(MSVC_DISABLED_WARNINGS_LIST
-			"C4018" # 'expression' : signed/unsigned mismatch
-			"C4057" # 'operator' : 'identifier1' indirection to
-		        	# slightly different base types from 'identifier2'
-			"C4100" # 'identifier' : unreferenced formal parameter
+			"C4057" # C4057: 'initializing' : 'unsigned char *' differs in
+		        	# indirection to slightly different base types from 'char [2]'
+			"C4018" # '>=': signed/unsigned mismatch
+			"C4100" # 'exarg' : unreferenced formal parameter
 			"C4127" # conditional expression is constant
-			"C4146" # unary minus operator applied to unsigned type,
-				# result still unsigned
-			"C4244" # 'argument' : conversion from 'type1' to 'type2',
-				# possible loss of data
-			"C4245" # 'conversion' : conversion from 'type1' to 'type2',
-				# signed/unsigned mismatch
-			"C4267" # 'var' : conversion from 'size_t' to 'type',
-				# possible loss of data
-			"C4389" # 'operator' : signed/unsigned mismatch
+			"C4146" # unary minus operator applied to unsigned
+			        # type, result still unsigned
+			"C4242" # 'function' : conversion from 'int' to 'uint8_t',
+			        # possible loss of data
+			"C4244" # 'function' : conversion from 'int' to 'uint8_t',
+			        # possible loss of data
+			"C4245" # 'initializing': conversion from 'long' to
+			        # 'unsigned long', signed/unsigned mismatch
+			"C4267" # conversion from 'size_t' to 'some type that is almost
+				# certainly safe to convert a size_t to'.
+			"C4389" # '!=': signed/unsigned mismatch
 			"C4706" # assignment within conditional expression
-			"C4996" # The POSIX name for this item is deprecated.
-				# Instead, use the ISO C and C++ conformant name
+			"C4820" # 'bytes' bytes padding added after construct 'member_name'
+			"C4996" # 'read': The POSIX name for this item is deprecated. Instead,
+			        # use the ISO C++ conformant name: _read.
 		)
 	elseif(CMAKE_C_COMPILER_ID MATCHES "Intel")
 		add_definitions(-D_CRT_SUPPRESS_RESTRICT)

ChangeLog

@@ -28,32 +28,6 @@ history is also available from Git.
 
 LibreSSL Portable Release Notes:
 
-2.7.0 - Bug fixes and improvements
-
-	* Merged more DTLS support into the regular TLS code path, removing
-	  duplicated code.
-
-	* Converted ssl3_send_client_hello(), ssl3_send_server_hello() to CBB.
-
-	* Rewrite ASN1_TYPE_{get,set}_octetstring() using templated ASN.1.
-	  This removes the last remaining use of the old M_ASN1_* macros
-	  (asn1_mac.h) from API that needs to continue to exist.
-
-2.6.4 - Bug fixes
-
-	* Make tls_config_parse_protocols() work correctly when passed a NULL
-	  pointer for a protocol string. Issue found by semarie@, who also
-	  provided the diff.
-
-	* Correct TLS extensions handling when no extensions are present.
-	  If no TLS extensions are present in a client hello or server hello,
-	  omit the entire extensions block, rather than including it with a
-	  length of zero. Thanks to Eric Elena <eric at voguemerry dot com> for
-	  providing packet captures and testing the fix.
-
-	* Fixed portable builds on older Android systems, and systems with out
-	  IPV6_TCLASS support.
-
 2.6.3 - OpenBSD 6.2 Release
 
 	* No core changes from LibreSSL 2.6.2

OPENBSD_BRANCH

@@ -1 +1 @@
-master
+OPENBSD_6_2

apps/openssl/CMakeLists.txt

@@ -88,5 +88,5 @@ else()
 endif()
 if(ENABLE_LIBRESSL_INSTALL)
 	install(FILES cert.pem openssl.cnf x509v3.cnf DESTINATION ${CONF_DIR})
-	install(DIRECTORY DESTINATION ${CONF_DIR}/certs)
+	install(DIRECTORY DESTINATION ${CONF_DIR}/cert)
 endif(ENABLE_LIBRESSL_INSTALL)

apps/openssl/apps_win.c

@@ -13,7 +13,7 @@
 #include "apps.h"
 
 double
-app_timer_user(int stop)
+app_tminterval(int stop, int usertime)
 {
 	static unsigned __int64 tmstart;
 	union {
@@ -22,11 +22,13 @@ app_timer_user(int stop)
 	} ct, et, kt, ut;
 
 	GetProcessTimes(GetCurrentProcess(), &ct.ft, &et.ft, &kt.ft, &ut.ft);
-	if (stop)
-		return (ut.u64 + kt.u64 - tmstart) / (double) 10000000;
 
-	tmstart = ut.u64 + kt.u64;
-	return 0.0;
+	if (stop == TM_START) {
+		tmstart = ut.u64 + kt.u64;
+	} else {
+		return (ut.u64 + kt.u64 - tmstart) / (double) 10000000;
+	}
+	return 0;
 }
 
 int

include/compat/err.h

@@ -34,9 +34,9 @@ err(int eval, const char *fmt, ...)
 		vfprintf(stderr, fmt, ap);
 		fprintf(stderr, ": ");
 	}
-	va_end(ap);
 	fprintf(stderr, "%s\n", strerror(sverrno));
 	exit(eval);
+	va_end(ap);
 }
 
 #if defined(_MSC_VER)
@@ -52,9 +52,9 @@ errx(int eval, const char *fmt, ...)
 	va_start(ap, fmt);
 	if (fmt != NULL)
 		vfprintf(stderr, fmt, ap);
-	va_end(ap);
 	fprintf(stderr, "\n");
 	exit(eval);
+	va_end(ap);
 }
 
 static inline void
@@ -68,8 +68,8 @@ warn(const char *fmt, ...)
 		vfprintf(stderr, fmt, ap);
 		fprintf(stderr, ": ");
 	}
-	va_end(ap);
 	fprintf(stderr, "%s\n", strerror(sverrno));
+	va_end(ap);
 }
 
 static inline void
@@ -80,8 +80,8 @@ warnx(const char *fmt, ...)
 	va_start(ap, fmt);
 	if (fmt != NULL)
 		vfprintf(stderr, fmt, ap);
-	va_end(ap);
 	fprintf(stderr, "\n");
+	va_end(ap);
 }
 
 #endif

include/compat/sys/time.h

@@ -13,20 +13,4 @@ int gettimeofday(struct timeval *tp, void *tzp);
 #include_next <sys/time.h>
 #endif
 
-#ifndef CLOCK_MONOTONIC
-#define CLOCK_MONOTONIC CLOCK_REALTIME
-#endif
-
-#ifndef timersub
-#define timersub(tvp, uvp, vvp)                                         \
-	do {                                                            \
-		(vvp)->tv_sec = (tvp)->tv_sec - (uvp)->tv_sec;          \
-		(vvp)->tv_usec = (tvp)->tv_usec - (uvp)->tv_usec;       \
-		if ((vvp)->tv_usec < 0) {                               \
-			(vvp)->tv_sec--;                                \
-			(vvp)->tv_usec += 1000000;                      \
-		}                                                       \
-	} while (0)
-#endif
-
 #endif

include/compat/time.h

@@ -21,15 +21,3 @@ struct tm *__gmtime_r(const time_t * t, struct tm * tm);
 #ifndef HAVE_TIMEGM
 time_t timegm(struct tm *tm);
 #endif
-
-#ifndef timespecsub
-#define timespecsub(tsp, usp, vsp)                                      \
-        do {                                                            \
-                (vsp)->tv_sec = (tsp)->tv_sec - (usp)->tv_sec;          \
-                (vsp)->tv_nsec = (tsp)->tv_nsec - (usp)->tv_nsec;       \
-                if ((vsp)->tv_nsec < 0) {                               \
-                        (vsp)->tv_sec--;                                \
-                        (vsp)->tv_nsec += 1000000000L;                  \
-                }                                                       \
-        } while (0)
-#endif

m4/check-libc.m4

@@ -2,23 +2,10 @@ AC_DEFUN([CHECK_LIBC_COMPAT], [
 # Check for libc headers
 AC_CHECK_HEADERS([err.h readpassphrase.h])
 # Check for general libc functions
-AC_CHECK_FUNCS([asprintf freezero inet_ntop inet_pton memmem])
+AC_CHECK_FUNCS([asprintf freezero getpagesize inet_ntop inet_pton memmem])
 AC_CHECK_FUNCS([readpassphrase reallocarray recallocarray])
 AC_CHECK_FUNCS([strlcat strlcpy strndup strnlen strsep strtonum])
 AC_CHECK_FUNCS([timegm _mkgmtime])
-AC_CACHE_CHECK([for getpagesize], ac_cv_func_getpagesize, [
-	AC_LINK_IFELSE([AC_LANG_PROGRAM([[
-// Since Android NDK v16 getpagesize is defined as inline inside unistd.h
-#ifdef __ANDROID__
-#	include <unistd.h>
-#endif
-		]], [[
-	getpagesize();
-]])],
-	[ ac_cv_func_getpagesize="yes" ],
-	[ ac_cv_func_getpagesize="no"
-	])
-])
 AM_CONDITIONAL([HAVE_ASPRINTF], [test "x$ac_cv_func_asprintf" = xyes])
 AM_CONDITIONAL([HAVE_FREEZERO], [test "x$ac_cv_func_freezero" = xyes])
 AM_CONDITIONAL([HAVE_GETPAGESIZE], [test "x$ac_cv_func_getpagesize" = xyes])

man/links

@@ -2052,7 +2052,6 @@ tls_config_verify.3,tls_config_insecure_noverifytime.3
 tls_conn_version.3,tls_conn_alpn_selected.3
 tls_conn_version.3,tls_conn_cipher.3
 tls_conn_version.3,tls_conn_servername.3
-tls_conn_version.3,tls_peer_cert_chain_pem.3
 tls_conn_version.3,tls_peer_cert_contains_name.3
 tls_conn_version.3,tls_peer_cert_hash.3
 tls_conn_version.3,tls_peer_cert_issuer.3

patches/netcat.c.patch

@@ -134,7 +134,7 @@
  			err(1, "set IPv6 traffic class");
 +#else
 +		else if (af == AF_INET6) {
-+			errno = ENOPROTOOPT;
++			errno = ENOPROTOOPT
 +			err(1, "set IPv6 traffic class not supported");
 +		}
 +#endif

patches/tlsexttest.c.patch

@@ -1,6 +1,6 @@
---- tests/tlsexttest.c.orig	2017-12-30 20:03:09.279079726 +0900
-+++ tests/tlsexttest.c	2017-12-30 20:07:21.849939140 +0900
-@@ -1676,7 +1676,9 @@ static unsigned char tlsext_sni_clienthe
+--- tests/tlsexttest.c.orig	Sun Sep  3 00:44:51 2017
++++ tests/tlsexttest.c	Sun Sep  3 00:47:06 2017
+@@ -1676,7 +1676,9 @@ static unsigned char tlsext_sni_clienthello[] = {
  };
  
  static unsigned char tlsext_sni_serverhello[] = {
@@ -39,73 +39,3 @@
  	if (!tlsext_sni_serverhello_parse(ssl, &cbs, &alert)) {
  		FAIL("failed to parse serverhello SNI\n");
  		goto err;
-@@ -2741,7 +2743,10 @@ unsigned char tlsext_clienthello_default
- 	0x03, 0x01, 0x03, 0x03, 0x02, 0x01, 0x02, 0x03,
- };
- 
--unsigned char tlsext_clienthello_disabled[] = {};
-+unsigned char tlsext_clienthello_disabled[] = {
-+	0x00
-+};
-+const size_t sizeof_tlsext_clienthello_disabled = 0;
- 
- static int
- test_tlsext_clienthello_build(void)
-@@ -2806,18 +2811,18 @@ test_tlsext_clienthello_build(void)
- 	if (!CBB_finish(&cbb, &data, &dlen))
- 		errx(1, "failed to finish CBB");
- 
--	if (dlen != sizeof(tlsext_clienthello_disabled)) {
-+	if (dlen != sizeof_tlsext_clienthello_disabled) {
- 		FAIL("got clienthello extensions with length %zu, "
- 		    "want length %zu\n", dlen,
--		    sizeof(tlsext_clienthello_disabled));
-+		    sizeof_tlsext_clienthello_disabled);
- 		compare_data(data, dlen, tlsext_clienthello_disabled,
--		    sizeof(tlsext_clienthello_disabled));
-+		    sizeof_tlsext_clienthello_disabled);
- 		goto err;
- 	}
- 	if (memcmp(data, tlsext_clienthello_disabled, dlen) != 0) {
- 		FAIL("clienthello extensions differs:\n");
- 		compare_data(data, dlen, tlsext_clienthello_disabled,
--		    sizeof(tlsext_clienthello_disabled));
-+		    sizeof_tlsext_clienthello_disabled);
- 		goto err;
- 	}
- 
-@@ -2832,7 +2837,10 @@ test_tlsext_clienthello_build(void)
- 	return (failure);
- }
- 
--unsigned char tlsext_serverhello_default[] = {};
-+unsigned char tlsext_serverhello_default[] = {
-+	0x00
-+};
-+const size_t sizeof_tlsext_serverhello_default = 0;
- 
- unsigned char tlsext_serverhello_enabled[] = {
- 	0x00, 0x13, 0xff, 0x01, 0x00, 0x01, 0x00, 0x00,
-@@ -2872,18 +2880,18 @@ test_tlsext_serverhello_build(void)
- 	if (!CBB_finish(&cbb, &data, &dlen))
- 		errx(1, "failed to finish CBB");
- 
--	if (dlen != sizeof(tlsext_serverhello_default)) {
-+	if (dlen != sizeof_tlsext_serverhello_default) {
- 		FAIL("got serverhello extensions with length %zu, "
- 		    "want length %zu\n", dlen,
--		    sizeof(tlsext_serverhello_default));
-+		    sizeof_tlsext_serverhello_default);
- 		compare_data(data, dlen, tlsext_serverhello_default,
--		    sizeof(tlsext_serverhello_default));
-+		    sizeof_tlsext_serverhello_default);
- 		goto err;
- 	}
- 	if (memcmp(data, tlsext_serverhello_default, dlen) != 0) {
- 		FAIL("serverhello extensions differs:\n");
- 		compare_data(data, dlen, tlsext_serverhello_default,
--		    sizeof(tlsext_serverhello_default));
-+		    sizeof_tlsext_serverhello_default);
- 		goto err;
- 	}
- 

tests/CMakeLists.txt

@@ -41,11 +41,6 @@ if(NOT CMAKE_HOST_WIN32 AND NOT CMAKE_SYSTEM_NAME MATCHES "MINGW")
 	add_test(arc4randomforktest ${CMAKE_CURRENT_SOURCE_DIR}/arc4randomforktest.sh)
 endif()
 
-# asn1evp
-add_executable(asn1evp asn1evp.c)
-target_link_libraries(asn1evp ${TESTS_LIBS})
-add_test(asn1evp asn1evp)
-
 # asn1test
 add_executable(asn1test asn1test.c)
 target_link_libraries(asn1test ${TESTS_LIBS})
@@ -110,11 +105,6 @@ add_executable(clienttest clienttest.c)
 target_link_libraries(clienttest ${TESTS_LIBS})
 add_test(clienttest clienttest)
 
-# configtest
-add_executable(configtest configtest.c)
-target_link_libraries(configtest ${TESTS_LIBS})
-add_test(configtest configtest)
-
 # cts128test
 add_executable(cts128test cts128test.c)
 target_link_libraries(cts128test ${TESTS_LIBS})

tests/Makefile.am

@@ -43,11 +43,6 @@ arc4randomforktest_SOURCES = arc4randomforktest.c
 endif
 EXTRA_DIST += arc4randomforktest.sh
 
-# asn1evp
-TESTS += asn1evp
-check_PROGRAMS += asn1evp
-asn1evp_SOURCES = asn1evp.c
-
 # asn1test
 TESTS += asn1test
 check_PROGRAMS += asn1test
@@ -113,11 +108,6 @@ TESTS += clienttest
 check_PROGRAMS += clienttest
 clienttest_SOURCES = clienttest.c
 
-# configtest
-TESTS += configtest
-check_PROGRAMS += configtest
-configtest_SOURCES = configtest.c
-
 # cts128test
 TESTS += cts128test
 check_PROGRAMS += cts128test
@@ -187,6 +177,7 @@ exptest_SOURCES = exptest.c
 # freenull
 TESTS += freenull
 check_PROGRAMS += freenull
+freenull_CPPFLAGS = $(AM_CPPFLAGS) -ULIBRESSL_INTERNAL
 freenull_SOURCES = freenull.c
 
 # gcm128test
@@ -368,6 +359,7 @@ timingsafe_SOURCES = timingsafe.c
 # tlsexttest
 TESTS += tlsexttest
 check_PROGRAMS += tlsexttest
+tlsexttest_CPPFLAGS = $(AM_CPPFLAGS) -ULIBRESSL_INTERNAL
 tlsexttest_SOURCES = tlsexttest.c
 
 # tlstest

update.sh

@@ -13,7 +13,6 @@ if [ ! -d openbsd ]; then
 	fi
 fi
 (cd openbsd
- git fetch
  git checkout $openbsd_branch
  git pull --rebase)