update changelog for 2.2.6

The build system incorrectly set include directives in AM_CFLAGS which
causes them to be placed after the configured CPPFLAGS.  Thus, if
a user or packaging system sets CPPFLAGS to a location that has
libressl or openssl headers installed, they will be used instead
of the bundled versions.  This corrects that issue by setting up
the variables correctly.

https://github.com/libressl-portable/portable/issues/150

Signed-off-by: Jeremy Huddleston Sequoia <jeremyhu@apple.com>

.gitignore

@@ -45,6 +45,7 @@ Makefile.in
 test-driver
 *.log
 *.trs
+!tests/optionstest.c
 tests/aes_wrap*
 tests/arc4random_fork*
 tests/cipher*
@@ -60,7 +61,6 @@ tests/pbkdf2*
 tests/*.pem
 tests/testssl
 tests/*.txt
-!tests/optionstest.c
 
 # ctags stuff
 TAGS
@@ -70,8 +70,8 @@ autom4te.cache
 # Libtool adds these, at least sometimes
 INSTALL
 /COPYING
-m4/l*
 !m4/check*.m4
+m4/l*
 
 aclocal.m4
 compile
@@ -106,17 +106,16 @@ tls/*.h
 include/pqueue.h
 include/tls.h
 include/openssl/*.h
-include/openssl/*.he
 
-/apps/*.h
-/apps/*.c
-/apps/openssl
-/apps/openssl.cnf
 !/apps/apps_win.c
 !/apps/poll_win.c
 !/apps/certhash_disabled.c
+/apps/*.h
+/apps/*.c
+/apps/*.cnf
+/apps/*.pem
+/apps/openssl
 
-/crypto
 !/crypto/Makefile.am.*
 !/crypto/compat/arc4random.h
 !/crypto/compat/b_win.c
@@ -126,14 +125,15 @@ include/openssl/*.he
 !/crypto/compat/inet_pton.c
 !/crypto/compat/ui_openssl_win.c
 !/crypto/CMakeLists.txt
+/crypto
 
+!/libtls-standalone/compat/Makefile.am
 /libtls-standalone/include/*.h
 /libtls-standalone/src/*.c
 /libtls-standalone/src/*.h
 /libtls-standalone/src
 /libtls-standalone/tests/test
 /libtls-standalone/compat
-!/libtls-standalone/compat/Makefile.am
 /libtls-standalone/VERSION
 /libtls-standalone/m4
 /libtls-standalone/man

CMakeLists.txt

@@ -1,5 +1,6 @@
 cmake_minimum_required (VERSION 2.8)
 include(CheckFunctionExists)
+include(CheckLibraryExists)
 include(CheckIncludeFiles)
 
 project (LibreSSL)
@@ -36,6 +37,8 @@ add_definitions(-DLIBRESSL_INTERNAL)
 add_definitions(-DOPENSSL_NO_HW_PADLOCK)
 add_definitions(-DOPENSSL_NO_ASM)
 
+set(CMAKE_POSITION_INDEPENDENT_CODE true)
+
 if (CMAKE_COMPILER_IS_GNUCC OR CMAKE_C_COMPILER_ID MATCHES "Clang")
 	add_definitions(-Wno-pointer-sign)
 endif()
@@ -157,6 +160,16 @@ set(OPENSSL_LIBS ssl crypto)
 if(CMAKE_HOST_WIN32)
 	set(OPENSSL_LIBS ${OPENSSL_LIBS} ws2_32)
 endif()
+if(CMAKE_SYSTEM_NAME MATCHES "Linux")
+	check_library_exists(rt clock_gettime "time.h" HAVE_CLOCK_GETTIME)
+	if (HAVE_CLOCK_GETTIME)
+		set(OPENSSL_LIBS ${OPENSSL_LIBS} rt)
+	endif()
+endif()
+
+if(NOT (CMAKE_SYSTEM_NAME MATCHES "Darwin" OR MSVC))
+	set(BUILD_SHARED true)
+endif()
 
 add_subdirectory(crypto)
 add_subdirectory(ssl)

ChangeLog

@@ -28,6 +28,36 @@ history is also available from Git.
 
 LibreSSL Portable Release Notes:
 
+2.2.6
+
+	* Deprecated the SSL_OP_SINGLE_DH_USE flag.
+
+2.2.5 - Reliability Update
+
+	* Fixes from OpenSSL 1.0.1q
+	 - CVE-2015-3194 - NULL pointer dereference in client side certificate
+	                   validation.
+	 - CVE-2015-3195 - Memory leak in PKCS7 - not reachable from TLS/SSL
+
+	* The following OpenSSL CVEs did not apply to LibreSSL
+	 - CVE-2015-3193 - Carry propagating bug in the x86_64 Montgomery
+	                   squaring procedure.
+	 - CVE-2015-3196 - Double free race condition of the identify hint
+	                   data.
+
+	 See https://marc.info/?l=openbsd-announce&m=144925068504102
+
+2.2.4 - Build and bug fixes
+
+	* Backported build fixes for CMake on Windows, OSX and Linux
+
+	* Fixes for a memory leak and out-of-bounds access in OBJ_obj2txt
+	  reported by Qualys Security.
+	 - CVE-2015-5333 - memory leak in OBJ_obj2txt
+	 - CVE-2015-5334 - 1-byte buffer overflow in OBJ_obj2txt
+
+	 See http://www.openwall.com/lists/oss-security/2015/10/16/1
+
 2.2.3 - Bug fixes, build enhancements
 
 	* LibreSSL 2.2.2 incorrectly handles ClientHello messages that do not

Makefile.am.common

@@ -1,2 +1,2 @@
-AM_CFLAGS = -I$(top_srcdir)/include -I$(top_srcdir)/include/compat
-AM_CPPFLAGS = -DLIBRESSL_INTERNAL
+AM_CFLAGS =
+AM_CPPFLAGS = -I$(top_srcdir)/include -I$(top_srcdir)/include/compat -DLIBRESSL_INTERNAL

README.md

@@ -13,7 +13,7 @@ LibreSSL is API compatible with OpenSSL 1.0.1, but does not yet include all
 new APIs from OpenSSL 1.0.2 and later. LibreSSL also includes APIs not yet
 present in OpenSSL. The current common API subset is OpenSSL 1.0.1.
 
-LibreSSL it is not ABI compatible with any release of OpenSSL, or necessarily
+LibreSSL is not ABI compatible with any release of OpenSSL, or necessarily
 earlier releases of LibreSSL. You will need to relink your programs to
 LibreSSL in order to use it, just as in moving between major versions of OpenSSL.
 LibreSSL's installed library version numbers are incremented to account for

README.windows

@@ -6,9 +6,8 @@ GCC or Clang as the compiler. Contrary to its name, mingw-w64 supports both
 then LibreSSL should integrate very nicely. Old versions of the mingw-w64
 toolchain, such as the one packaged with Ubuntu 12.04, may have trouble
 building LibreSSL. Please try it with a recent toolchain if you encounter
-troubles. If you are building under Cygwin, only builds with the mingw-w64
-compiler are supported, though you can easily use Cygwin to drive the build
-process.
+troubles. Cygwin provides an easy method of installing the latest mingw-w64
+cross compilers on Windows.
 
 To configure and build LibreSSL for a 32-bit system, use the following
 build steps:

crypto/CMakeLists.txt

@@ -638,12 +638,16 @@ if(NOT HAVE_TIMINGSAFE_MEMCMP)
 	set(CRYPTO_SRC ${CRYPTO_SRC} compat/timingsafe_memcmp.c)
 endif()
 
-add_library(crypto-objects OBJECT ${CRYPTO_SRC})
-set_property(TARGET crypto-objects PROPERTY POSITION_INDEPENDENT_CODE 1)
-add_library(crypto STATIC $<TARGET_OBJECTS:crypto-objects>)
-add_library(crypto-shared SHARED $<TARGET_OBJECTS:crypto-objects>)
-set_target_properties(crypto-shared PROPERTIES OUTPUT_NAME crypto)
-set_target_properties(crypto-shared PROPERTIES VERSION ${CRYPTO_VERSION} SOVERSION ${CRYPTO_MAJOR_VERSION})
-install(TARGETS crypto crypto-shared DESTINATION lib)
-
+if (BUILD_SHARED)
+	add_library(crypto-objects OBJECT ${CRYPTO_SRC})
+	add_library(crypto STATIC $<TARGET_OBJECTS:crypto-objects>)
+	add_library(crypto-shared SHARED $<TARGET_OBJECTS:crypto-objects>)
+	set_target_properties(crypto-shared PROPERTIES OUTPUT_NAME crypto)
+	set_target_properties(crypto-shared PROPERTIES VERSION
+		${CRYPTO_VERSION} SOVERSION ${CRYPTO_MAJOR_VERSION})
+	install(TARGETS crypto crypto-shared DESTINATION lib)
+else()
+	add_library(crypto STATIC ${CRYPTO_SRC})
+	install(TARGETS crypto DESTINATION lib)
+endif()
 

crypto/Makefile.am

@@ -1,17 +1,21 @@
 include $(top_srcdir)/Makefile.am.common
 
-AM_CFLAGS += -I$(top_srcdir)/crypto/asn1
-AM_CFLAGS += -I$(top_srcdir)/crypto/evp
-AM_CFLAGS += -I$(top_srcdir)/crypto/modes
+AM_CPPFLAGS += -I$(top_srcdir)/crypto/asn1
+AM_CPPFLAGS += -I$(top_srcdir)/crypto/evp
+AM_CPPFLAGS += -I$(top_srcdir)/crypto/modes
 
 lib_LTLIBRARIES = libcrypto.la
 
 EXTRA_DIST = VERSION
 EXTRA_DIST += CMakeLists.txt
 
+# needed for a CMake target
+EXTRA_DIST += compat/strcasecmp.c
+
 libcrypto_la_LDFLAGS = -version-info @LIBCRYPTO_VERSION@ -no-undefined
 libcrypto_la_LIBADD = libcompat.la libcompatnoopt.la
-libcrypto_la_CPPFLAGS = -DLIBRESSL_INTERNAL
+libcrypto_la_CPPFLAGS = $(AM_CPPFLAGS)
+libcrypto_la_CPPFLAGS += -DLIBRESSL_INTERNAL
 libcrypto_la_CPPFLAGS += -DOPENSSL_NO_HW_PADLOCK
 if OPENSSL_NO_ASM
 libcrypto_la_CPPFLAGS += -DOPENSSL_NO_ASM

dist.sh

@@ -1,7 +1,7 @@
 #!/bin/sh
 set -e
 
-rm -f man/*.1 man/*.3
+rm -f man/*.1 man/*.3 include/openssl/*.h
 ./autogen.sh
 ./configure
 make distcheck

include/Makefile.am

@@ -1,5 +1,7 @@
 include $(top_srcdir)/Makefile.am.common
 
+EXTRA_DIST = CMakeLists.txt
+
 SUBDIRS = openssl
 
 noinst_HEADERS = pqueue.h

include/compat/stdio.h

@@ -7,7 +7,13 @@
 #define LIBCRYPTOCOMPAT_STDIO_H
 
 #ifdef _MSC_VER
+#if _MSC_VER >= 1900
+#include <../ucrt/stdlib.h>
+#include <../ucrt/corecrt_io.h>
+#include <../ucrt/stdio.h>
+#else
 #include <../include/stdio.h>
+#endif
 #else
 #include_next <stdio.h>
 #endif

include/compat/stdlib.h

@@ -4,7 +4,11 @@
  */
 
 #ifdef _MSC_VER
+#if _MSC_VER >= 1900
+#include <../ucrt/stdlib.h>
+#else
 #include <../include/stdlib.h>
+#endif
 #else
 #include_next <stdlib.h>
 #endif

include/compat/string.h

@@ -7,7 +7,11 @@
 #define LIBCRYPTOCOMPAT_STRING_H
 
 #ifdef _MSC_VER
+#if _MSC_VER >= 1900
+#include <../ucrt/string.h>
+#else
 #include <../include/string.h>
+#endif
 #else
 #include_next <string.h>
 #endif

include/compat/sys/stat.h

@@ -11,7 +11,11 @@
 #else
 
 #include <windows.h>
+#if _MSC_VER >= 1900
+#include <../ucrt/sys/stat.h>
+#else
 #include <../include/sys/stat.h>
+#endif
 
 /* File type and permission flags for stat() */
 #if !defined(S_IFMT)

include/compat/sys/types.h

@@ -4,7 +4,11 @@
  */
 
 #ifdef _MSC_VER
+#if _MSC_VER >= 1900
+#include <../ucrt/sys/types.h>
+#else
 #include <../include/sys/types.h>
+#endif
 #else
 #include_next <sys/types.h>
 #endif

include/compat/time.h

@@ -4,7 +4,11 @@
  */
 
 #ifdef _MSC_VER
+#if _MSC_VER >= 1900
+#include <../ucrt/time.h>
+#else
 #include <../include/time.h>
+#endif
 #define gmtime_r(tp, tm) ((gmtime_s((tm), (tp)) == 0) ? (tm) : NULL)
 #else
 #include_next <time.h>

libtls-standalone/include/string.h

@@ -7,7 +7,11 @@
 #define LIBCRYPTOCOMPAT_STRING_H
 
 #ifdef _MSC_VER
+#if _MSC_VER >= 1900
+#include <../ucrt/string.h>
+#else
 #include <../include/string.h>
+#endif
 #else
 #include_next <string.h>
 #endif

scripts/travis

@@ -4,12 +4,29 @@ set -e
 ./autogen.sh
 
 if [ "x$ARCH" = "xnative" ]; then
+	# test autotools
 	./configure
+	make -j 4 check
+
+	# make distribution
+	make dist
+	tar zxvf libressl-*.tar.gz
+	cd libressl-*
+	mkdir build
+	cd build
+
+	# test cmake and ninja
 	if [ `uname` = "Darwin" ]; then
-		# OS X runs out of resources if we run 'make -j check'
-		make check
+		cmake ..
+		make
 	else
-		make -j distcheck
+		sudo apt-get update
+		sudo apt-get install -y python-software-properties
+		sudo apt-add-repository -y ppa:kalakris/cmake
+		sudo apt-get update
+		sudo apt-get install -y cmake ninja-build
+		cmake -GNinja ..
+		ninja
 	fi
 else
 	CPU=i686

ssl/CMakeLists.txt

@@ -51,11 +51,15 @@ set(
 	t1_srvr.c
 )
 
-add_library(ssl-objects OBJECT ${SSL_SRC})
-set_property(TARGET ssl-objects PROPERTY POSITION_INDEPENDENT_CODE 1)
-add_library(ssl STATIC $<TARGET_OBJECTS:ssl-objects>)
-add_library(ssl-shared SHARED $<TARGET_OBJECTS:ssl-objects>)
-set_target_properties(ssl-shared PROPERTIES OUTPUT_NAME ssl)
-set_target_properties(ssl-shared PROPERTIES VERSION ${SSL_VERSION} SOVERSION ${SSL_MAJOR_VERSION})
-
-install(TARGETS ssl ssl-shared DESTINATION lib)
+if (BUILD_SHARED)
+	add_library(ssl-objects OBJECT ${SSL_SRC})
+	add_library(ssl STATIC $<TARGET_OBJECTS:ssl-objects>)
+	add_library(ssl-shared SHARED $<TARGET_OBJECTS:ssl-objects>)
+	set_target_properties(ssl-shared PROPERTIES OUTPUT_NAME ssl)
+	set_target_properties(ssl-shared PROPERTIES VERSION ${SSL_VERSION}
+		SOVERSION ${SSL_MAJOR_VERSION})
+	install(TARGETS ssl ssl-shared DESTINATION lib)
+else()
+	add_library(ssl STATIC ${SSL_SRC})
+	install(TARGETS ssl DESTINATION lib)
+endif()

tls/CMakeLists.txt

@@ -19,11 +19,16 @@ if(NOT HAVE_STRCASECMP)
 	set(TLS_SRC ${TLS_SRC} strsep.c)
 endif()
 
-add_library(tls-objects OBJECT ${TLS_SRC})
-set_property(TARGET tls-objects PROPERTY POSITION_INDEPENDENT_CODE 1)
-add_library(tls STATIC $<TARGET_OBJECTS:tls-objects>)
-add_library(tls-shared SHARED $<TARGET_OBJECTS:tls-objects>)
-set_target_properties(tls-shared PROPERTIES OUTPUT_NAME tls)
-set_target_properties(tls-shared PROPERTIES VERSION ${TLS_VERSION} SOVERSION ${TLS_MAJOR_VERSION})
+if (BUILD_SHARED)
+	add_library(tls-objects OBJECT ${TLS_SRC})
+	add_library(tls STATIC $<TARGET_OBJECTS:tls-objects>)
+	add_library(tls-shared SHARED $<TARGET_OBJECTS:tls-objects>)
+	set_target_properties(tls-shared PROPERTIES OUTPUT_NAME tls)
+	set_target_properties(tls-shared PROPERTIES VERSION ${TLS_VERSION}
+		SOVERSION ${TLS_MAJOR_VERSION})
+	install(TARGETS tls tls-shared DESTINATION lib)
+else()
+	add_library(tls STATIC ${TLS_SRC})
+	install(TARGETS tls DESTINATION lib)
+endif()
 
-install(TARGETS tls tls-shared DESTINATION lib)

update.sh

@@ -280,7 +280,8 @@ done
 
 # copy manpages
 echo "copying manpages"
-echo dist_man_MANS= > man/Makefile.am
+echo EXTRA_DIST = CMakeLists.txt > man/Makefile.am
+echo dist_man_MANS = >> man/Makefile.am
 
 $CP $openssl_app_src/openssl.1 man
 echo "dist_man_MANS += openssl.1" >> man/Makefile.am