Add '-windows' to windows binary archive.

The lcov tools (http://ltp.sourceforge.net/coverage/lcov.php) are
required to generate reports.

Original idea from this PR, thanks to Jim Barlow for doing the initial
integration work.

https://github.com/libressl-portable/portable/pull/58

.gitignore

@@ -38,6 +38,7 @@ Makefile.in
 *.lo
 *.la
 
+*.def
 *.pc
 
 # tests
@@ -53,6 +54,7 @@ tests/timingsafe*
 tests/*test
 tests/*test.c
 tests/memmem.c
+tests/pbkdf2*
 tests/*.pem
 tests/testssl
 tests/*.txt
@@ -110,6 +112,7 @@ apps/openssl
 apps/openssl.cnf
 !apps/apps_win.c
 !apps/poll_win.c
+!apps/certhash_disabled.c
 
 crypto/compat/arc4random.c
 crypto/compat/chacha_private.h

.travis.yml

@@ -0,0 +1,24 @@
+language: c
+matrix:
+        include:
+                - compiler: clang
+                  os: osx
+                  env: ARCH=native
+                - compiler: gcc
+                  os: osx
+                  env: ARCH=native
+                - compiler: clang
+                  os: linux
+                  env: ARCH=native
+                - compiler: gcc
+                  os: linux
+                  env: ARCH=native
+                - compiler: gcc
+                  os: linux
+                  env: ARCH=mingw32
+                - compiler: gcc
+                  os: linux
+                  env: ARCH=mingw64
+
+script:
+        "./scripts/travis"

ChangeLog

@@ -10,7 +10,7 @@ generation are here:
 
 	http://cvsweb.openbsd.org/cgi-bin/cvsweb/src/lib/libcrypto/
 
-A new simplified SSL wrapper library is here:
+A simplified TLS wrapper library is here:
 
 	http://cvsweb.openbsd.org/cgi-bin/cvsweb/src/lib/libtls/
 
@@ -19,15 +19,122 @@ with relevant portions of the C library, to a Git repository. This makes it
 easier to follow all of the relevant changes to the upstream project in a
 single place:
 
-	https://github.com/libressl-portable/openbsd/commits/master
+	https://github.com/libressl-portable/openbsd
 
 The portable bits of the project are largely maintained out-of-tree, and their
 history is also available from Git.
 
-	https://github.com/libressl-portable/portable/commits/master
+	https://github.com/libressl-portable/portable
 
 LibreSSL Portable Release Notes:
 
+2.1.4 - Security and feature updates
+	* Improvements to libtls:
+	  - a new API for loading CA chains directly from memory instead of a
+	    file, allowing verification with privilege separation in a chroot
+	    without direct access to CA certificate files.
+
+	  - Ciphers default to TLSv1.2 with AEAD and PFS.
+
+	  - Improved error handling and message generation
+
+	  - New APIs and improved documentation
+
+	* Added X509_STORE_load_mem API for loading certificates from memory.
+	  This facilitates accessing certificates from a chrooted environment.
+
+	* New AEAD "MAC alias" allows configuring TLSv1.2 AEAD ciphers by
+	  using 'TLSv1.2+AEAD' as the cipher selection string.
+
+	* Dead and disabled code removal including MD5, Netscape workarounds,
+	  non-POSIX IO, SCTP, RFC 3779 support, many #if 0 sections, and more.
+
+	* ASN1 macro maze expanded to aid reading and searching the code.
+
+	* NULL pointer asserts removed in favor of letting the OS/signal
+	  handler catch them.
+
+	* Refactored argument handling in openssl(1) for consistency and
+	  maintainability.
+
+	* New openssl(1) command 'certhash' replaces the c_rehash script.
+
+	* Support for building with OPENSSL_NO_DEPRECATED
+
+	* Server-side support for TLS_FALLBACK_SCSV for compatibility with
+	  various auditor and vulnerability scanners.
+
+	* Dozens of issues found with the Coverity scanner fixed.
+
+	* Security Updates:
+
+	  - Fix a minor information leak that was introduced in t1_lib.c
+	    r1.71, whereby an additional 28 bytes of .rodata (or .data) is
+	    provided to the network. In most cases this is a non-issue since
+	    the memory content is already public. Issue found and reported by
+	    Felix Groebert of the Google Security Team.
+
+	  - Fixes for the following low-severity issues were integrated into
+	    LibreSSL from OpenSSL 1.0.1k:
+
+	     CVE-2015-0205 - DH client certificates accepted without
+	                     verification
+	     CVE-2014-3570 - Bignum squaring may produce incorrect results
+	     CVE-2014-8275 - Certificate fingerprints can be modified
+	     CVE-2014-3572 - ECDHE silently downgrades to ECDH [Client]
+	     Reported by Karthikeyan Bhargavan of the PROSECCO team at INRIA.
+
+	    The following CVEs were fixed in earlier LibreSSL releases:
+	     CVE-2015-0206 - Memory leak handling repeated DLTS records
+	     CVE-2014-3510 - Flaw handling DTLS anonymous EC(DH) ciphersuites.
+
+	    The following CVEs did not apply to LibreSSL:
+	     CVE-2014-3571 - DTLS segmentation fault in dtls1_get_record
+	     CVE-2014-3569 - no-ssl3 configuration sets method to NULL
+	     CVE-2015-0204 - RSA silently downgrades to EXPORT_RSA
+
+2.1.3 - Security update and OS support improvements
+	* Fixed various memory leaks in DTLS, including fixes for
+	  CVE-2015-0206.
+
+	* Added Application-Layer Protocol Negotiation (ALPN) support.
+
+	* Removed GOST R 34.10-94 signature authentication.
+
+	* Removed nonfunctional Netscape browser-hang workaround code.
+
+	* Simplfied and refactored SSL/DTLS handshake code.
+
+	* Added SHA256 Camellia cipher suites for TLS 1.2 from RFC 5932.
+
+	* Hide timing info about padding errors during handshakes.
+
+	* Improved libtls support for non-blocking sockets, added randomized
+	  session ID contexts. Work is ongoing with this library - feedback
+	  and potential use-cases are welcome.
+
+	* Support building Windows DLLs.
+	  Thanks to Jan Engelhard.
+
+	* Packaged config wrapper for better compatibility with OpenSSL-based
+	  build systems.
+	  Thanks to @technion from github
+
+	* Ensure the stack is marked non-executable for assembly sections.
+	  Thanks to Anthony G. Bastile.
+
+	* Enable extra compiler hardening flags by default, where applicable.
+	  The default set of hardening features can vary by OS to OS, so
+	  feedback is welcome on this. To disable the default hardening flags,
+	  specify '--disable-hardening' during configure.
+	  Thanks to Jim Barlow
+
+	* Initial HP-UX support, tested with HP-UX 11.31 ia64
+	  Thanks to Kinichiro Inoguchi
+
+	* Initial NetBSD support, tested with NetBSD 6.1.5 x86_64
+	  Imported from OpenNTPD, thanks to @gitisihara from github
+
 2.1.2 - Many new features and improvements
 	* Added reworked GOST cipher suite support
 	   thanks to Dmitry Eremin-Solenikov

Makefile.am

@@ -8,4 +8,4 @@ if ENABLE_LIBTLS
 pkgconfig_DATA += libtls.pc
 endif
 
-EXTRA_DIST = VERSION
+EXTRA_DIST = README README.windows VERSION config scripts

README

@@ -18,6 +18,10 @@ The LibreSSL portable build framework is also mirrored in Github:
 
 	https://github.com/libressl-portable/portable
 
+Please report bugs either to tech@openbsd.org, or to the github issue tracker:
+
+	https://github.com/libressl-portable/portable/issues
+
 If you have checked this source using Git, follow these initial steps to
 prepare the source tree for building:
 

README.windows

@@ -0,0 +1,40 @@
+# Building
+
+For Windows systems, LibreSSL supports the mingw-w64 toolchain, which can use
+GCC or Clang as the compiler. Contrary to its name, mingw-w64 supports both
+32-bit and 64-bit build environments. If your project already uses mingw-w64,
+then LibreSSL should integrate very nicely. Old versions of the mingw-w64
+toolchain, such as the one packaged with Ubuntu 12.04, may have trouble
+building LibreSSL. Please try it with a recent toolchain if you encounter
+troubles. If you are building under Cygwin, only builds with the mingw-w64
+compiler are supported, though you can easily use Cygwin to drive the build
+process.
+
+To configure and build LibreSSL for a 32-bit system, use the following
+build steps:
+
+ CC=i686-w64-mingw32-gcc ./configure --host=i686-w64-mingw32
+ make
+ make check
+
+For 64-bit builds, use these instead:
+
+ CC=x86_64-w64-mingw32-gcc ./configure --host=x86_64-w64-mingw32
+ make
+ make check
+
+# Using Libressl with Visual Studio
+
+A script for generating ready-to-use .DLL and static .LIB files is included in
+the source repository at
+https://github.com/libressl-portable/portable/blob/master/dist-win.sh
+
+This script uses mingw-w64 to build LibreSSL and then uses Visual Studio tools
+to generate compatible library import files ready-to-use with Visual
+Studio projects. Static and dynamic libraries are included. The script uses
+cv2pdb to generate Visual Studio and windbg compatible debug files. cv2pdb is a
+tool developed for the D language and can be found here:
+https://github.com/rainers/cv2pdb
+
+Pre-build Windows binaries are available with the LibreSSL release for your
+convenience.

VERSION

@@ -1 +1 @@
-2.1.2
+2.1.4

apps/Makefile.am

@@ -57,6 +57,12 @@ openssl_SOURCES += verify.c
 openssl_SOURCES += version.c
 openssl_SOURCES += x509.c
 
+if BUILD_CERTHASH
+openssl_SOURCES += certhash.c
+else
+openssl_SOURCES += certhash_disabled.c
+endif
+
 if HOST_WIN
 openssl_SOURCES += apps_win.c
 else

apps/certhash_disabled.c

@@ -0,0 +1,13 @@
+/*
+ * Public domain
+ * certhash dummy implementation for platforms without symlinks
+ */
+
+#include "apps.h"
+
+int
+certhash_main(int argc, char **argv)
+{
+	fprintf(stderr, "certhash is not enabled on this platform\n");
+	return (1);
+}

configure.ac

@@ -22,18 +22,26 @@ case $host_os in
 		HOST_ABI=elf
 		AC_SUBST([PROG_LDADD], ['-lthr'])
 		;;
+	*hpux*)
+		HOST_OS=hpux;
+		CFLAGS="$CFLAGS -mlp64 -D_XOPEN_SOURCE=600 -D__STRICT_ALIGNMENT"
+		AC_SUBST([PLATFORM_LDADD], ['-lpthread'])
+		;;
 	*linux*)
 		HOST_OS=linux
 		HOST_ABI=elf
 		CFLAGS="$CFLAGS -D_DEFAULT_SOURCE -D_BSD_SOURCE -D_POSIX_SOURCE -D_GNU_SOURCE"
 		;;
+	*netbsd*)
+		HOST_OS=netbsd
+		;;
 	*openbsd*)
 		HOST_ABI=elf
 		AC_DEFINE([HAVE_ATTRIBUTE__BOUNDED__], [1], [OpenBSD gcc has bounded])
 		;;
 	*mingw*)
 		HOST_OS=win
-		CFLAGS="$CFLAGS -D_GNU_SOURCE -D_POSIX -D_POSIX_SOURCE -D_REENTRANT -D_POSIX_THREAD_SAFE_FUNCTIONS -DWIN32_LEAN_AND_MEAN -D_WIN32_WINNT=0x0600 -DOPENSSL_NO_SPEED -D__USE_MINGW_ANSI_STDIO"
+		CFLAGS="$CFLAGS -D_GNU_SOURCE -D_POSIX -D_POSIX_SOURCE -D_REENTRANT -D_POSIX_THREAD_SAFE_FUNCTIONS -DWIN32_LEAN_AND_MEAN -D_WIN32_WINNT=0x0600 -DOPENSSL_NO_SPEED -DNO_SYSLOG -D__USE_MINGW_ANSI_STDIO"
 		AC_SUBST([PLATFORM_LDADD], ['-lws2_32'])
 		;;
 	*solaris*)
@@ -47,7 +55,9 @@ esac
 
 AM_CONDITIONAL([HOST_DARWIN],  [test x$HOST_OS = xdarwin])
 AM_CONDITIONAL([HOST_FREEBSD], [test x$HOST_OS = xfreebsd])
+AM_CONDITIONAL([HOST_HPUX],    [test x$HOST_OS = xhpux])
 AM_CONDITIONAL([HOST_LINUX],   [test x$HOST_OS = xlinux])
+AM_CONDITIONAL([HOST_NETBSD],  [test x$HOST_OS = xnetbsd])
 AM_CONDITIONAL([HOST_SOLARIS], [test x$HOST_OS = xsolaris])
 AM_CONDITIONAL([HOST_WIN],     [test x$HOST_OS = xwin])
 
@@ -57,12 +67,117 @@ AC_CHECK_FUNC([clock_gettime],,
 AC_CHECK_FUNC([dl_iterate_phdr],,
 	[AC_SEARCH_LIBS([dl_iterate_phdr],[dl])])
 
-AM_PROG_AS
 AC_PROG_CC
 AC_PROG_LIBTOOL
 AC_PROG_CC_STDC
 AM_PROG_CC_C_O
 
+AC_MSG_CHECKING([if compiling with clang])
+AC_COMPILE_IFELSE([AC_LANG_PROGRAM([], [[
+#ifndef __clang__
+	not clang
+#endif
+	]])],
+	[CLANG=yes],
+	[CLANG=no]
+)
+AC_MSG_RESULT([$CLANG])
+AS_IF([test "x$CLANG" = "xyes"], [CLANG_FLAGS=-Qunused-arguments])
+
+# We want to check for compiler flag support. Prior to clang v5.1, there was no
+# way to make clang's "argument unused" warning fatal.  So we invoke the
+# compiler through a wrapper script that greps for this message.
+saved_CC="$CC"
+saved_LD="$LD"
+flag_wrap="$srcdir/scripts/wrap-compiler-for-flag-check"
+CC="$flag_wrap $CC"
+LD="$flag_wrap $LD"
+
+AC_ARG_ENABLE([hardening],
+	[AS_HELP_STRING([--disable-hardening],
+			[Disable options to frustrate memory corruption exploits])],
+	[], [enable_hardening=yes])
+
+AC_ARG_ENABLE([windows-ssp],
+	[AS_HELP_STRING([--enable-windows-ssp],
+			[Enable building the stack smashing protection on
+			 Windows. This currently distributing libssp-0.dll.])])
+
+AC_DEFUN([CHECK_CFLAG], [
+	 AC_LANG_ASSERT(C)
+	 AC_MSG_CHECKING([if $saved_CC supports "$1"])
+	 old_cflags="$CFLAGS"
+	 CFLAGS="$1 -Wall -Werror"
+	 AC_TRY_LINK([
+		      #include <stdio.h>
+		      ],
+		     [printf("Hello")],
+		     AC_MSG_RESULT([yes])
+		     CFLAGS=$old_cflags
+		     HARDEN_CFLAGS="$HARDEN_CFLAGS $1",
+		     AC_MSG_RESULT([no])
+		     CFLAGS=$old_cflags
+		     [$2])
+])
+
+AC_DEFUN([CHECK_LDFLAG], [
+	 AC_LANG_ASSERT(C)
+	 AC_MSG_CHECKING([if $saved_LD supports "$1"])
+	 old_ldflags="$LDFLAGS"
+	 LDFLAGS="$1 -Wall -Werror"
+	 AC_TRY_LINK([
+		      #include <stdio.h>
+		      ],
+		     [printf("Hello")],
+		     AC_MSG_RESULT([yes])
+		     LDFLAGS=$old_ldflags
+		     HARDEN_LDFLAGS="$HARDEN_LDFLAGS $1",
+		     AC_MSG_RESULT([no])
+		     LDFLAGS=$old_ldflags
+		     [$2])
+])
+
+AS_IF([test "x$enable_hardening" = "xyes"], [
+	# Tell GCC to NOT optimize based on signed arithmetic overflow
+	CHECK_CFLAG([[-fno-strict-overflow]])
+
+	# _FORTIFY_SOURCE replaces builtin functions with safer versions.
+	CHECK_CFLAG([[-D_FORTIFY_SOURCE=2]])
+
+	# Enable read only relocations
+	CHECK_LDFLAG([[-Wl,-z,relro]])
+	CHECK_LDFLAG([[-Wl,-z,now]])
+
+	# Windows security flags
+	AS_IF([test "x$HOST_OS" = "xwin"], [
+		CHECK_LDFLAG([[-Wl,--nxcompat]])
+		CHECK_LDFLAG([[-Wl,--dynamicbase]])
+		CHECK_LDFLAG([[-Wl,--high-entropy-va]])
+	])
+
+	# Use stack-protector-strong if available; if not, fallback to
+	# stack-protector-all which is considered to be overkill
+	AS_IF([test "x$enable_windows_ssp" = "xyes" -o "x$HOST_OS" != "xwin"], [
+		CHECK_CFLAG([[-fstack-protector-strong]],
+			CHECK_CFLAG([[-fstack-protector-all]],
+				AC_MSG_WARN([compiler does not appear to support stack protection])
+			)
+		)
+		AS_IF([test "x$HOST_OS" = "xwin"], [
+			AC_SEARCH_LIBS([__stack_chk_guard],[ssp])
+		])
+	])
+])
+
+
+# Restore CC, LD
+CC="$saved_CC"
+LD="$saved_LD"
+
+CFLAGS="$CFLAGS $HARDEN_CFLAGS"
+LDFLAGS="$LDFLAGS $HARDEN_LDFLAGS"
+
+# Removing the dependency on -Wno-pointer-sign should be a goal
 save_cflags="$CFLAGS"
 CFLAGS=-Wno-pointer-sign
 AC_MSG_CHECKING([whether CC supports -Wno-pointer-sign])
@@ -73,22 +188,25 @@ AC_COMPILE_IFELSE([AC_LANG_PROGRAM([])],
 )
 CFLAGS="$save_cflags $AM_CFLAGS"
 
-AC_MSG_CHECKING([if compiling with clang])
+save_cflags="$CFLAGS"
-AC_COMPILE_IFELSE([AC_LANG_PROGRAM([], [[
+CFLAGS=
-#ifndef __clang__
+AC_MSG_CHECKING([whether AS supports .note.GNU-stack])
-	not clang
+AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
-#endif
+__asm__(".section .note.GNU-stack,\"\",@progbits");]])],
-	]])],
 	[AC_MSG_RESULT([yes])]
-	[CLANG_FLAGS=-Qunused-arguments],
+	[AM_CFLAGS=-DHAVE_GNU_STACK],
 	[AC_MSG_RESULT([no])]
 )
+CFLAGS="$save_cflags $AM_CFLAGS"
+AM_PROG_AS
+
 CFLAGS="$CFLAGS $CLANG_CFLAGS"
 LDFLAGS="$LDFLAGS $CLANG_FLAGS"
 
 AC_CHECK_FUNCS([arc4random_buf asprintf explicit_bzero funopen getauxval])
 AC_CHECK_FUNCS([getentropy issetugid memmem poll reallocarray])
-AC_CHECK_FUNCS([strlcat strlcpy strndup strnlen strtonum])
+AC_CHECK_FUNCS([strlcat strlcpy strndup strnlen strsep strtonum])
+AC_CHECK_FUNCS([symlink])
 AC_CHECK_FUNCS([timingsafe_bcmp timingsafe_memcmp])
 
 # Share test results with automake
@@ -104,13 +222,23 @@ AM_CONDITIONAL([HAVE_STRLCAT], [test "x$ac_cv_func_strlcat" = xyes])
 AM_CONDITIONAL([HAVE_STRLCPY], [test "x$ac_cv_func_strlcpy" = xyes])
 AM_CONDITIONAL([HAVE_STRNDUP], [test "x$ac_cv_func_strndup" = xyes])
 AM_CONDITIONAL([HAVE_STRNLEN], [test "x$ac_cv_func_strnlen" = xyes])
+AM_CONDITIONAL([HAVE_STRSEP], [test "x$ac_cv_func_strsep" = xyes])
 AM_CONDITIONAL([HAVE_STRTONUM], [test "x$ac_cv_func_strtonum" = xyes])
 AM_CONDITIONAL([HAVE_TIMINGSAFE_BCMP], [test "x$ac_cv_func_timingsafe_bcmp" = xyes])
 AM_CONDITIONAL([HAVE_TIMINGSAFE_MEMCMP], [test "x$ac_cv_func_timingsafe_memcmp" = xyes])
+AM_CONDITIONAL([BUILD_CERTHASH], [test "x$ac_cv_func_symlink" = xyes])
 
 # overrides for arc4random_buf implementations with known issues
 AM_CONDITIONAL([HAVE_ARC4RANDOM_BUF],
-	[test "x$HOST_OS" != xdarwin -a "x$HOST_OS" != xfreebsd -a "x$ac_cv_func_arc4random_buf" = xyes])
+	[test "x$HOST_OS" != xdarwin \
+	   -a "x$HOST_OS" != xfreebsd \
+	   -a "x$HOST_OS" != xnetbsd \
+	   -a "x$ac_cv_func_arc4random_buf" = xyes])
+
+# overrides for issetugid implementations with known issues
+AM_CONDITIONAL([HAVE_ISSETUGID],
+       [test "x$HOST_OS" != xdarwin \
+	  -a "x$ac_cv_func_issetugid" = xyes])
 
 AC_CACHE_CHECK([whether va_copy exists], ac_cv_have_va_copy, [
 	AC_LINK_IFELSE([AC_LANG_PROGRAM([[
@@ -155,6 +283,23 @@ AC_ARG_ENABLE([asm],
 	AS_HELP_STRING([--disable-asm], [Disable assembly]))
 AM_CONDITIONAL([OPENSSL_NO_ASM], [test "x$enable_asm" = "xno"])
 
+old_cflags=$CFLAGS
+CFLAGS="$old_cflags -I$srcdir/include"
+AC_TRY_COMPILE([#include "$srcdir/crypto/modes/modes_lcl.h"],
+	       [int a = 0; BSWAP4(a);],
+	       BSWAP4=yes, BSWAP4=no)
+CFLAGS="$old_cflags"
+
+case $host_cpu in
+	*sparc*)
+		CFLAGS="$CFLAGS -D__STRICT_ALIGNMENT"
+		;;
+	*arm*)
+		AS_IF([test "x$BSWAP4" = "xyes"],,
+		    CFLAGS="$old_cflags -D__STRICT_ALIGNMENT")
+		;;
+esac
+
 AM_CONDITIONAL([HOST_ASM_ELF_X86_64],
     [test "x$HOST_ABI" = "xelf" -a "$host_cpu" = "x86_64" -a "x$enable_asm" != "xno"])
 AM_CONDITIONAL([HOST_ASM_MACOSX_X86_64],

crypto/Makefile.am

@@ -8,7 +8,7 @@ lib_LTLIBRARIES = libcrypto.la
 
 EXTRA_DIST = VERSION
 
-libcrypto_la_LDFLAGS = -version-info @LIBCRYPTO_VERSION@
+libcrypto_la_LDFLAGS = -version-info @LIBCRYPTO_VERSION@ -no-undefined
 libcrypto_la_LIBADD = libcompat.la libcompatnoopt.la
 libcrypto_la_CFLAGS = $(CFLAGS) $(USER_CFLAGS)
 libcrypto_la_CFLAGS += -DOPENSSL_NO_HW_PADLOCK
@@ -74,9 +74,15 @@ if !HAVE_GETENTROPY
 if HOST_FREEBSD
 libcompat_la_SOURCES += compat/getentropy_freebsd.c
 endif
+if HOST_HPUX
+libcompat_la_SOURCES += compat/getentropy_hpux.c
+endif
 if HOST_LINUX
 libcompat_la_SOURCES += compat/getentropy_linux.c
 endif
+if HOST_NETBSD
+libcompat_la_SOURCES += compat/getentropy_netbsd.c
+endif
 if HOST_DARWIN
 libcompat_la_SOURCES += compat/getentropy_osx.c
 endif
@@ -94,6 +100,12 @@ if !HAVE_ISSETUGID
 if HOST_LINUX
 libcompat_la_SOURCES += compat/issetugid_linux.c
 endif
+if HOST_HPUX
+libcompat_la_SOURCES += compat/issetugid_hpux.c
+endif
+if HOST_DARWIN
+libcompat_la_SOURCES += compat/issetugid_osx.c
+endif
 if HOST_WIN
 libcompat_la_SOURCES += compat/issetugid_win.c
 endif
@@ -102,7 +114,9 @@ endif
 noinst_HEADERS =
 noinst_HEADERS += compat/arc4random.h
 noinst_HEADERS += compat/arc4random_freebsd.h
+noinst_HEADERS += compat/arc4random_hpux.h
 noinst_HEADERS += compat/arc4random_linux.h
+noinst_HEADERS += compat/arc4random_netbsd.h
 noinst_HEADERS += compat/arc4random_osx.h
 noinst_HEADERS += compat/arc4random_solaris.h
 noinst_HEADERS += compat/arc4random_win.h
@@ -484,8 +498,6 @@ libcrypto_la_SOURCES += evp/bio_b64.c
 libcrypto_la_SOURCES += evp/bio_enc.c
 libcrypto_la_SOURCES += evp/bio_md.c
 libcrypto_la_SOURCES += evp/c_all.c
-libcrypto_la_SOURCES += evp/c_allc.c
-libcrypto_la_SOURCES += evp/c_alld.c
 libcrypto_la_SOURCES += evp/digest.c
 libcrypto_la_SOURCES += evp/e_aes.c
 libcrypto_la_SOURCES += evp/e_aes_cbc_hmac_sha1.c
@@ -762,6 +774,7 @@ noinst_HEADERS += whrlpool/wp_locl.h
 # x509
 libcrypto_la_SOURCES += x509/by_dir.c
 libcrypto_la_SOURCES += x509/by_file.c
+libcrypto_la_SOURCES += x509/by_mem.c
 libcrypto_la_SOURCES += x509/x509_att.c
 libcrypto_la_SOURCES += x509/x509_cmp.c
 libcrypto_la_SOURCES += x509/x509_d2.c

crypto/compat/arc4random.h

@@ -6,9 +6,15 @@
 #if defined(__FreeBSD__)
 #include "arc4random_freebsd.h"
 
+#elif defined(__hpux)
+#include "arc4random_hpux.h"
+
 #elif defined(__linux__)
 #include "arc4random_linux.h"
 
+#elif defined(__NetBSD__)
+#include "arc4random_netbsd.h"
+
 #elif defined(__APPLE__)
 #include "arc4random_osx.h"
 

crypto/compat/issetugid_hpux.c

@@ -0,0 +1,17 @@
+#include <stdio.h>
+#include <unistd.h>
+#include <sys/pstat.h>
+
+/*
+ * HP-UX does not have issetugid().
+ * Use pstat_getproc() and check PS_CHANGEDPRIV bit of pst_flag. If this call
+ * cannot be used, assume we must be running in a privileged environment.
+ */
+int issetugid(void)
+{
+	struct pst_status buf;
+	if (pstat_getproc(&buf, sizeof(buf), 0, getpid()) == 1 &&
+	    !(buf.pst_flag & PS_CHANGEDPRIV))
+		return 0;
+	return 1;
+}

crypto/compat/issetugid_osx.c

@@ -0,0 +1,16 @@
+/*
+ * issetugid implementation for OS X
+ * Public domain
+ */
+
+#include <unistd.h>
+
+/*
+ * OS X has issetugid, but it is not fork-safe as of version 10.10.
+ * See this Solaris report for test code that fails similarly:
+ * http://mcarpenter.org/blog/2013/01/15/solaris-issetugid%282%29-bug
+ */
+int issetugid(void)
+{
+	return 1;
+}

dist-win.sh

@@ -0,0 +1,56 @@
+#!/bin/bash
+set -e
+#set -x
+
+export PATH=/cygdrive/c/Program\ Files\ \(x86\)/Microsoft\ Visual\ Studio\ 12.0/VC/bin:$PATH
+VERSION=`cat VERSION`
+DIST=libressl-$VERSION-windows
+
+rm -fr $DIST
+mkdir -p $DIST
+
+for ARCH in X86 X64; do
+
+	if [ $ARCH = X86 ]; then
+		HOST=i686-w64-mingw32
+		ARCHDIR=x86
+	else
+		HOST=x86_64-w64-mingw32
+		ARCHDIR=x64
+	fi
+
+	echo Building for $HOST
+
+	CC=$HOST-gcc ./configure --host=$HOST --enable-libtls
+	make clean
+	PATH=$PATH:/usr/$HOST/sys-root/mingw/bin \
+	   make -j 4 check
+	make -j 4 install DESTDIR=`pwd`/stage-$ARCHDIR
+
+	mkdir -p $DIST/$ARCHDIR
+	#cp -a stage-$ARCHDIR/usr/local/lib/* $DIST/$ARCHDIR
+	if [ ! -e $DIST/include ]; then
+		cp -a stage-$ARCHDIR/usr/local/include $DIST
+		sed -i -e 'N;/\n.*__non/s/"\? *\n/ /;P;D' \
+		       $DIST/include/openssl/*.h $DIST/include/*.h
+		sed -i -e 'N;/\n.*__attr/s/"\? *\n/ /;P;D' \
+		       $DIST/include/openssl/*.h $DIST/include/*.h
+		sed -i -e "s/__attr.*;/;/"  \
+		       -e "s/sys\/time.h/winsock2.h/" \
+		       $DIST/include/openssl/*.h $DIST/include/*.h
+	fi
+
+	cp stage-$ARCHDIR/usr/local/bin/* $DIST/$ARCHDIR
+	#cp /usr/$HOST/sys-root/mingw/bin/libssp* $DIST/$ARCHDIR
+
+	for i in libcrypto libssl libtls; do
+		DLL=$(basename `ls -1 $DIST/$ARCHDIR/$i*.dll`|cut -d. -f1)
+		echo EXPORTS > $DLL.def
+		dumpbin /exports $DIST/$ARCHDIR/$DLL.dll | \
+		    awk '{print $4}' | awk 'NF' |tail -n +9 >> $DLL.def
+		lib /MACHINE:$ARCH /def:$DLL.def /out:$DIST/$ARCHDIR/$DLL.lib
+		cv2pdb $DIST/$ARCHDIR/$DLL.dll
+	done
+done
+
+zip -r $DIST.zip $DIST

gen-coverage-report.sh

@@ -0,0 +1,37 @@
+#!/bin/sh
+
+VERSION=$(cat VERSION)
+DESTDIR=libressl-coverage-$VERSION
+
+echo "This will generate a code coverage report under $DESTDIR"
+echo
+
+if [ "x$(which lcov)" = "x" ]; then
+	echo "'lcov' is required but not found!"
+	exit 1
+fi
+
+if [ "x$(which genhtml)" = "x" ]; then
+	echo "'genhtml' is required but not found!"
+	exit 1
+fi
+
+find -name '*.gcda' -o -name '*.gcno' -delete
+rm -fr $DESTDIR
+
+echo "Configuring to build with code coverage support"
+./configure --enable-libtls CFLAGS='-O0 -fprofile-arcs -ftest-coverage'
+
+echo "Running all code paths"
+make clean
+make check
+
+echo "Generating report"
+mkdir -p $DESTDIR
+find tests -name '*.gcda' -o -name '*.gcno' -delete
+lcov --directory . --capture --output-file $DESTDIR/coverage.tmp \
+    --test-name "LibreSSL $VERSION"
+genhtml --prefix . --output-directory $DESTDIR \
+    --title "LibreSSL $VERSION" --legend --show-detail $DESTDIR/coverage.tmp
+
+echo "Code coverage report is available under $DESTDIR"

include/Makefile.am

@@ -26,6 +26,7 @@ noinst_HEADERS += sys/select.h
 noinst_HEADERS += sys/socket.h
 noinst_HEADERS += sys/times.h
 noinst_HEADERS += sys/types.h
+noinst_HEADERS += sys/uio.h
 
 if ENABLE_LIBTLS
 include_HEADERS = tls.h

include/string.h

@@ -33,6 +33,10 @@ size_t strnlen(const char *str, size_t maxlen);
 #endif
 #endif
 
+#ifndef HAVE_STRSEP
+char *strsep(char **stringp, const char *delim);
+#endif
+
 #ifndef HAVE_EXPLICIT_BZERO
 void explicit_bzero(void *, size_t);
 #endif

include/sys/uio.h

@@ -0,0 +1,17 @@
+/*
+ * Public domain
+ * sys/select.h compatibility shim
+ */
+
+#ifndef _WIN32
+#include_next <sys/uio.h>
+#else
+
+#include <sys/types.h>
+
+struct iovec {
+	void *iov_base;
+	size_t iov_len;
+};
+
+#endif

libcrypto.pc.in

@@ -7,7 +7,7 @@ includedir=@includedir@
 
 Name: LibreSSL-libssl
 Description: Secure Sockets Layer and cryptography libraries
-Version: @VERSION@
+Version: @LIBCRYPTO_VERSION@
 Requires:
 Conflicts:
 Libs: -L${libdir} -lcrypto

libssl.pc.in

@@ -7,7 +7,7 @@ includedir=@includedir@
 
 Name: LibreSSL-libssl
 Description: Secure Sockets Layer and cryptography libraries
-Version: @VERSION@
+Version: @LIBSSL_VERSION@
 Requires:
 Requires.private: libcrypto
 Conflicts:

libtls.pc.in

@@ -7,7 +7,7 @@ includedir=@includedir@
 
 Name: LibreSSL-libtls
 Description: Secure communications using the TLS socket protocol.
-Version: @VERSION@
+Version: @LIBTLS_VERSION@
 Requires:
 Requires.private: libcrypto libssl
 Conflicts:

scripts/travis

@@ -0,0 +1,33 @@
+#!/bin/sh
+set -e
+
+./autogen.sh
+
+if [ "x$ARCH" = "xnative" ]; then
+	./configure --enable-libtls
+	if [ `uname` = "Darwin" ]; then
+		# OS X runs out of resources if we run 'make -j check'
+		make check
+	else
+		make -j distcheck
+	fi
+else
+	CPU=i686
+	if [ "x$ARCH" = "xmingw64" ]; then
+		CPU=x86_64
+	fi
+	export CC=$CPU-w64-mingw32-gcc
+
+	if [ -z $(which $CC) ]; then
+		# Update Ubuntu 12.04 with current mingw toolchain
+		sudo apt-get update
+		sudo apt-get install -y python-software-properties
+		sudo apt-add-repository -y ppa:tobydox/mingw-x-precise
+		sudo apt-get update
+		sudo apt-get install -y $ARCH-x-gcc make
+		export PATH=$PATH:/opt/$ARCH/bin
+	fi
+
+	./configure --host=$CPU-w64-mingw32 --enable-libtls
+	make -j
+fi

scripts/wrap-compiler-for-flag-check

@@ -0,0 +1,31 @@
+#!/bin/sh
+
+# This file is in the public domain.
+# https://github.com/kmcallister/autoharden/blob/c5c7842f39c2f8d19836bb5427d6479db4436d62/LICENSE
+#
+# From kmcallister: 
+# https://github.com/kmcallister/autoharden/blob/efaf5a16612589808c276a11536ea9a47071f74b/scripts/wrap-compiler-for-flag-check
+
+# Prior to clang v5.1, there was no way to make
+# clang's "argument unused" warning fatal.  This
+# wrapper script that greps for this warning message. Newer clang's have no issues.
+#
+# Ideally the search string would also include 'clang: ' but this output might
+# depend on clang's argv[0].
+#
+set -o errexit
+set -o nounset
+
+if out=`"$@" 2>&1`; then
+  echo "$out"
+  if echo "$out" | grep 'warning: argument unused' >/dev/null; then
+    echo "$0: found clang warning"
+    exit 1
+  else
+    exit 0
+  fi
+else
+  code=$?
+  echo "$out"
+  exit $code
+fi

ssl/Makefile.am

@@ -4,10 +4,14 @@ lib_LTLIBRARIES = libssl.la
 
 EXTRA_DIST = VERSION
 
-libssl_la_LDFLAGS = -version-info @LIBSSL_VERSION@
+libssl_la_LDFLAGS = -version-info @LIBSSL_VERSION@ -no-undefined
 libssl_la_CFLAGS = $(CFLAGS) $(USER_CFLAGS)
+libssl_la_LIBADD = ../crypto/libcrypto.la
 
 libssl_la_SOURCES = bio_ssl.c
+libssl_la_SOURCES += bs_ber.c
+libssl_la_SOURCES += bs_cbb.c
+libssl_la_SOURCES += bs_cbs.c
 libssl_la_SOURCES += d1_both.c
 libssl_la_SOURCES += d1_clnt.c
 libssl_la_SOURCES += d1_enc.c
@@ -50,3 +54,4 @@ libssl_la_SOURCES += t1_srvr.c
 
 noinst_HEADERS = srtp.h
 noinst_HEADERS += ssl_locl.h
+noinst_HEADERS += bytestring.h

tests/Makefile.am.tpl

@@ -2,6 +2,7 @@ include $(top_srcdir)/Makefile.am.common
 
 AM_CPPFLAGS += -I $(top_srcdir)/crypto/modes
 AM_CPPFLAGS += -I $(top_srcdir)/crypto/asn1
+AM_CPPFLAGS += -I $(top_srcdir)/ssl
 
 LDADD = $(PLATFORM_LDADD) $(PROG_LDADD)
 LDADD += $(top_builddir)/ssl/libssl.la

tls/Makefile.am

@@ -5,8 +5,9 @@ lib_LTLIBRARIES = libtls.la
 
 EXTRA_DIST = VERSION
 
-libtls_la_LDFLAGS = -version-info @LIBTLS_VERSION@
+libtls_la_LDFLAGS = -version-info @LIBTLS_VERSION@ -no-undefined
 libtls_la_CFLAGS = $(CFLAGS) $(USER_CFLAGS)
+libtls_la_LIBADD = ../crypto/libcrypto.la ../ssl/libssl.la $(PLATFORM_LDADD)
 
 libtls_la_SOURCES = tls.c
 libtls_la_SOURCES += tls_client.c
@@ -15,4 +16,9 @@ libtls_la_SOURCES += tls_server.c
 libtls_la_SOURCES += tls_util.c
 libtls_la_SOURCES += tls_verify.c
 noinst_HEADERS = tls_internal.h
+
+if !HAVE_STRSEP
+libtls_la_SOURCES += strsep.c
+endif
+
 endif

update.sh

@@ -86,7 +86,7 @@ copy_hdrs() {
 	done
 }
 
-copy_hdrs crypto "stack/stack.h lhash/lhash.h stack/safestack.h opensslv.h
+copy_hdrs crypto "stack/stack.h lhash/lhash.h stack/safestack.h
 	ossl_typ.h err/err.h crypto.h comp/comp.h x509/x509.h buffer/buffer.h
 	objects/objects.h asn1/asn1.h bn/bn.h ec/ec.h ecdsa/ecdsa.h
 	ecdh/ecdh.h rsa/rsa.h sha/sha.h x509/x509_vfy.h pkcs7/pkcs7.h pem/pem.h
@@ -96,12 +96,16 @@ copy_hdrs crypto "stack/stack.h lhash/lhash.h stack/safestack.h opensslv.h
 	bio/bio.h cast/cast.h cmac/cmac.h conf/conf_api.h des/des.h dh/dh.h
 	dsa/dsa.h cms/cms.h engine/engine.h ui/ui.h pkcs12/pkcs12.h ts/ts.h
 	md4/md4.h ripemd/ripemd.h whrlpool/whrlpool.h idea/idea.h mdc2/mdc2.h
-	rc2/rc2.h rc4/rc4.h rc5/rc5.h ui/ui_compat.h txt_db/txt_db.h
+	rc2/rc2.h rc4/rc4.h ui/ui_compat.h txt_db/txt_db.h
 	chacha/chacha.h evp/evp.h poly1305/poly1305.h camellia/camellia.h
 	gost/gost.h"
 
 copy_hdrs ssl "srtp.h ssl.h ssl2.h ssl3.h ssl23.h tls1.h dtls1.h"
 
+sed -e "s/\"LibreSSL .*\"/\"LibreSSL ${libressl_version}\"/" \
+	$libssl_src/src/crypto/opensslv.h > include/openssl/opensslv.h.lcl
+$MV include/openssl/opensslv.h.lcl include/openssl/opensslv.h
+
 # copy libcrypto source
 echo copying libcrypto source
 rm -f crypto/*.c crypto/*.h
@@ -121,10 +125,20 @@ $CP crypto/compat/ui_openssl_win.c crypto/ui
 asm_src=$libssl_src/src/crypto
 gen_asm_stdout() {
 	perl $asm_src/$2 $1 > $3.tmp
+	[[ $1 == "elf" ]] && cat <<-EOF >> $3.tmp
+	#if defined(HAVE_GNU_STACK)
+	.section .note.GNU-stack,"",%progbits
+	#endif
+	EOF
 	$MV $3.tmp $3
 }
 gen_asm() {
 	perl $asm_src/$2 $1 $3.tmp
+	[[ $1 == "elf" ]] && cat <<-EOF >> $3.tmp
+	#if defined(HAVE_GNU_STACK)
+	.section .note.GNU-stack,"",%progbits
+	#endif
+	EOF
 	$MV $3.tmp $3
 }
 for abi in elf macosx; do
@@ -154,7 +168,11 @@ done
 echo copying libtls source
 rm -f tls/*.c tls/*.h
 for i in `awk '/SOURCES|HEADERS/ { print $3 }' tls/Makefile.am` ; do
-	$CP $libtls_src/$i tls
+	if [ -e $libtls_src/$i ]; then
+		$CP $libtls_src/$i tls
+	else
+		$CP $libc_src/string/$i tls
+	fi
 done
 
 # copy openssl(1) source
@@ -176,30 +194,23 @@ done
 
 # copy libcrypto tests
 echo "copying tests"
-rm -f tests/biotest.c
+for i in `find $libcrypto_regress -name '*.c'`; do
-for i in aead/aeadtest.c aeswrap/aes_wrap.c base64/base64test.c bf/bftest.c \
+	 $CP "$i" tests
-	bn/general/bntest.c bn/mont/mont.c \
-	cast/casttest.c chacha/chachatest.c cts128/cts128test.c \
-	des/destest.c dh/dhtest.c dsa/dsatest.c ec/ectest.c ecdh/ecdhtest.c \
-	ecdsa/ecdsatest.c engine/enginetest.c evp/evptest.c exp/exptest.c \
-	gcm128/gcm128test.c hmac/hmactest.c idea/ideatest.c ige/igetest.c \
-	md4/md4test.c md5/md5test.c mdc2/mdc2test.c poly1305/poly1305test.c \
-	pkcs7/pkcs7test.c pqueue/pq_test.c rand/randtest.c rc2/rc2test.c \
-	rc4/rc4test.c rmd/rmdtest.c sha/shatest.c sha1/sha1test.c \
-	sha256/sha256test.c sha512/sha512test.c utf8/utf8test.c \
-	gost/gost2814789t.c ; do
-	 $CP $libcrypto_regress/$i tests
 done
 
+# the BIO tests rely on resolver results that are OS and environment-specific
+rm tests/biotest.c
+
 # copy libc tests
 $CP $libc_regress/arc4random-fork/arc4random-fork.c tests/arc4randomforktest.c
 $CP $libc_regress/explicit_bzero/explicit_bzero.c tests
 $CP $libc_regress/timingsafe/timingsafe.c tests
 
 # copy libssl tests
-$CP $libssl_regress/asn1/asn1test.c tests
 $CP $libssl_regress/ssl/testssl tests
-$CP $libssl_regress/ssl/ssltest.c tests
+for i in `find $libssl_regress -name '*.c'`; do
+	 $CP "$i" tests
+done
 $CP $libssl_regress/certs/ca.pem tests
 $CP $libssl_regress/certs/server.pem tests
 
@@ -283,6 +294,11 @@ echo "copying manpages"
 		$CP $i .
 		echo "dist_man_MANS += $NAME" >> Makefile.am
 	done
+	for i in `ls -1 $libcrypto_src/man/*.3 | sort`; do
+		NAME=`basename "$i"`
+		$CP $i .
+		echo "dist_man_MANS += $NAME" >> Makefile.am
+	done
 	$CP $openssl_app_src/openssl.1 .
 	echo "dist_man_MANS += openssl.1" >> Makefile.am
 	$CP $libtls_src/tls_init.3 .