update Changelog

Without this, we actually fail to build a library that includes the
bultin getentropy when compiling for 10.11 on 10.12.

CMakeLists.txt

@@ -96,7 +96,7 @@ if(HAVE_STRLCAT)
 	add_definitions(-DHAVE_STRLCAT)
 endif()
 
-check_function_exists(strlcat HAVE_STRLCPY)
+check_function_exists(strlcpy HAVE_STRLCPY)
 if(HAVE_STRLCPY)
 	add_definitions(-DHAVE_STRLCPY)
 endif()
@@ -107,7 +107,7 @@ if(HAVE_STRNDUP)
 endif()
 
 if(MSVC)
-	set(HAVE_STRNLEN)
+	set(HAVE_STRNLEN true)
 	add_definitions(-DHAVE_STRNLEN)
 else()
 	check_function_exists(strnlen HAVE_STRNLEN)

ChangeLog

@@ -28,6 +28,79 @@ history is also available from Git.
 
 LibreSSL Portable Release Notes:
 
+2.3.10 - Security and compatibility fixes
+
+	* Avoid a side-channel cache-timing attack that can leak the ECDSA
+	  private keys when signing. This is due to BN_mod_inverse() being
+	  used without the constant time flag being set.
+
+	  This issue was reported by Cesar Pereida Garcia and Billy Brumley
+	  (Tampere University of Technology). The fix was developed by Cesar
+	  Pereida Garcia.
+
+	* iOS and MacOS compatibility updates from Simone Basso and Jacob
+	  Berkman.
+
+2.3.9 - Reliability improvements
+
+	* Avoid continual processing of an unlimited number of TLS records,
+	  which can cause a denial-of-service condition.
+
+2.3.8 - Security and reliability fixes
+
+	* Avoid unbounded memory growth in libssl, which can be triggered by a
+	  TLS client repeatedly renegotiating and sending OCSP Status Request
+	  TLS extensions.
+
+	* Avoid falling back to a weak digest for (EC)DH when using SNI with
+	  libssl.
+
+2.3.7 - OCSP fixes
+
+	* Fix several issues in the OCSP code that could result in the
+	  incorrect generation and parsing of OCSP requests. This remediates a
+	  lack of error checking on time parsing in these functions, and
+	  ensures that only GENERALIZEDTIME formats are accepted for OCSP, as
+	  per RFC 6960.
+
+	  Issues reported, and fixes provided by  Kazuki Yamaguchi <k@rhe.jp>
+	  and Kinichiro Inoguchi <kinichiro.inoguchi@gmail.com>
+
+2.3.6 - Security fix
+
+	* Correct a problem that prevents the DSA signing algorithm from
+	  running in constant time even if the flag BN_FLG_CONSTTIME is set.
+	  This issue was reported by Cesar Pereida (Aalto University), Billy
+	  Brumley (Tampere University of Technology), and Yuval Yarom (The
+	  University of Adelaide and NICTA). The fix was developed by Cesar
+	  Pereida. See OpenBSD 5.9 errata 11, June 6, 2016
+
+2.3.5 - Reliability fix
+
+	* Fixed an error in libcrypto when parsing some ASN.1 elements > 16k.
+
+2.3.4 - Security Update
+
+	* Fix multiple vulnerabilities in libcrypto relating to ASN.1 and encoding.
+	From OpenSSL.
+
+	* Minor build fixes
+
+2.3.3 - OpenBSD 5.9 release branch tagged
+
+	* Reworked build scripts to better sync with OpenNTPD-portable
+
+	* Fixed broken manpage links
+
+	* Fixed an nginx compatibility issue by adding an 'install_sw' make alias
+
+	* Fixed HP-UX builds
+
+	* Changed the default configuration directory to c:\LibreSSL\ssl on Windows
+	  binary builds
+
+	* cert.pem has been reorganized and synced with Mozilla's certificate store
+
 2.3.2 - Compatibility and Reliability fixes
 
 	* Changed format of LIBRESSL_VERSION_NUMBER to match that of

Makefile.am

@@ -6,3 +6,6 @@ pkgconfig_DATA = libcrypto.pc libssl.pc libtls.pc openssl.pc
 
 EXTRA_DIST = README.md README.windows VERSION config scripts
 EXTRA_DIST += CMakeLists.txt
+
+.PHONY: install_sw
+install_sw: install

OPENBSD_BRANCH

@@ -1 +1 @@
-master
+OPENBSD_5_9

apps/nc/Makefile.am

@@ -11,9 +11,9 @@ endif
 EXTRA_DIST = nc.1
 
 nc_LDADD = $(PLATFORM_LDADD) $(PROG_LDADD)
-nc_LDADD += $(top_builddir)/crypto/libcrypto.la
-nc_LDADD += $(top_builddir)/ssl/libssl.la
-nc_LDADD += $(top_builddir)/tls/libtls.la
+nc_LDADD += $(abs_top_builddir)/crypto/libcrypto.la
+nc_LDADD += $(abs_top_builddir)/ssl/libssl.la
+nc_LDADD += $(abs_top_builddir)/tls/libtls.la
 
 AM_CPPFLAGS += -I$(top_srcdir)/apps/nc/compat
 if OPENSSLDIR_DEFINED

apps/openssl/Makefile.am

@@ -5,8 +5,8 @@ bin_PROGRAMS = openssl
 dist_man_MANS = openssl.1
 
 openssl_LDADD = $(PLATFORM_LDADD) $(PROG_LDADD)
-openssl_LDADD += $(top_builddir)/ssl/libssl.la
-openssl_LDADD += $(top_builddir)/crypto/libcrypto.la
+openssl_LDADD += $(abs_top_builddir)/ssl/libssl.la
+openssl_LDADD += $(abs_top_builddir)/crypto/libcrypto.la
 
 openssl_SOURCES = apps.c
 openssl_SOURCES += asn1pars.c

crypto/CMakeLists.txt

@@ -641,6 +641,9 @@ if (BUILD_SHARED)
 	add_library(crypto-objects OBJECT ${CRYPTO_SRC})
 	add_library(crypto STATIC $<TARGET_OBJECTS:crypto-objects>)
 	add_library(crypto-shared SHARED $<TARGET_OBJECTS:crypto-objects>)
+	if (MSVC)
+		target_link_libraries(crypto-shared crypto Ws2_32.lib)
+	endif()
 	set_target_properties(crypto-shared PROPERTIES OUTPUT_NAME crypto)
 	set_target_properties(crypto-shared PROPERTIES VERSION
 		${CRYPTO_VERSION} SOVERSION ${CRYPTO_MAJOR_VERSION})

crypto/Makefile.am

@@ -3,6 +3,7 @@ include $(top_srcdir)/Makefile.am.common
 AM_CPPFLAGS += -I$(top_srcdir)/crypto/asn1
 AM_CPPFLAGS += -I$(top_srcdir)/crypto/evp
 AM_CPPFLAGS += -I$(top_srcdir)/crypto/modes
+AM_CPPFLAGS += -I$(top_srcdir)/crypto
 
 lib_LTLIBRARIES = libcrypto.la
 
@@ -128,6 +129,7 @@ libcrypto_la_SOURCES += mem_dbg.c
 libcrypto_la_SOURCES += o_init.c
 libcrypto_la_SOURCES += o_str.c
 libcrypto_la_SOURCES += o_time.c
+noinst_HEADERS += constant_time_locl.h
 noinst_HEADERS += cryptlib.h
 noinst_HEADERS += md32_common.h
 noinst_HEADERS += o_time.h

dist-win.sh

@@ -22,7 +22,7 @@ for ARCH in X86 X64; do
 
 	echo Building for $HOST
 
-	CC=$HOST-gcc ./configure --host=$HOST
+	CC=$HOST-gcc ./configure --host=$HOST --with-openssldir=c:/libressl/ssl
 	make clean
 	PATH=$PATH:/usr/$HOST/sys-root/mingw/bin \
 	   make -j 4 check

include/compat/netinet/ip.h

@@ -3,6 +3,10 @@
  * netinet/ip.h compatibility shim
  */
 
+#if defined(__hpux)
+#include <netinet/in_systm.h>
+#endif
+
 #ifndef _WIN32
 #include_next <netinet/ip.h>
 #else

m4/check-libc.m4

@@ -46,9 +46,57 @@ AM_CONDITIONAL([HAVE_B64_NTOP], [test "x$ac_cv_func_b64_ntop_arg" = xyes])
 
 AC_DEFUN([CHECK_CRYPTO_COMPAT], [
 # Check crypto-related libc functions and syscalls
-AC_CHECK_FUNCS([arc4random_buf explicit_bzero getauxval getentropy])
+AC_CHECK_FUNCS([arc4random arc4random_buf arc4random_uniform])
+AC_CHECK_FUNCS([explicit_bzero getauxval])
+
+AC_CACHE_CHECK([for getentropy], ac_cv_func_getentropy, [
+	AC_LINK_IFELSE([AC_LANG_PROGRAM([[
+#include <sys/types.h>
+#include <unistd.h>
+
+/*
+ * Explanation:
+ *
+ *   - iOS <= 10.1 fails because of missing sys/random.h
+ *
+ *   - in macOS 10.12 getentropy is not tagged as introduced in
+ *     10.12 so we cannot use it for target < 10.12
+ */
+#ifdef __APPLE__
+#  include <AvailabilityMacros.h>
+#  include <TargetConditionals.h>
+
+# if (TARGET_OS_IPHONE || TARGET_OS_SIMULATOR)
+#  include <sys/random.h> /* Not available as of iOS <= 10.1 */
+# else
+
+#  include <sys/random.h> /* Pre 10.12 systems should die here */
+
+/* Based on: https://gitweb.torproject.org/tor.git/commit/?id=16fcbd21 */
+#  ifndef MAC_OS_X_VERSION_10_12
+#    define MAC_OS_X_VERSION_10_12 101200 /* Robustness */
+#  endif
+#  if defined(MAC_OS_X_VERSION_MIN_REQUIRED)
+#    if MAC_OS_X_VERSION_MIN_REQUIRED < MAC_OS_X_VERSION_10_12
+#      error "Targeting on Mac OSX 10.11 or earlier"
+#    endif
+#  endif
+
+# endif
+#endif /* __APPLE__ */
+		]], [[
+	char buffer;
+	(void)getentropy(&buffer, sizeof (buffer));
+]])],
+	[ ac_cv_func_getentropy="yes" ],
+	[ ac_cv_func_getentropy="no"
+	])
+])
+
 AC_CHECK_FUNCS([timingsafe_bcmp timingsafe_memcmp])
+AM_CONDITIONAL([HAVE_ARC4RANDOM], [test "x$ac_cv_func_arc4random" = xyes])
 AM_CONDITIONAL([HAVE_ARC4RANDOM_BUF], [test "x$ac_cv_func_arc4random_buf" = xyes])
+AM_CONDITIONAL([HAVE_ARC4RANDOM_UNIFORM], [test "x$ac_cv_func_arc4random_uniform" = xyes])
 AM_CONDITIONAL([HAVE_EXPLICIT_BZERO], [test "x$ac_cv_func_explicit_bzero" = xyes])
 AM_CONDITIONAL([HAVE_GETENTROPY], [test "x$ac_cv_func_getentropy" = xyes])
 AM_CONDITIONAL([HAVE_TIMINGSAFE_BCMP], [test "x$ac_cv_func_timingsafe_bcmp" = xyes])
@@ -56,13 +104,15 @@ AM_CONDITIONAL([HAVE_TIMINGSAFE_MEMCMP], [test "x$ac_cv_func_timingsafe_memcmp"
 
 # Override arc4random_buf implementations with known issues
 AM_CONDITIONAL([HAVE_ARC4RANDOM_BUF],
-	[test "x$USE_BUILTIN_ARC4RANDOM" != yes \
+	[test "x$USE_BUILTIN_ARC4RANDOM" != xyes \
 	   -a "x$ac_cv_func_arc4random_buf" = xyes])
 
 # Check for getentropy fallback dependencies
 AC_CHECK_FUNC([getauxval])
-AC_CHECK_FUNC([clock_gettime],, [AC_SEARCH_LIBS([clock_gettime],[rt posix4])])
-AC_CHECK_FUNC([dl_iterate_phdr],, [AC_SEARCH_LIBS([dl_iterate_phdr],[dl])])
+AC_SEARCH_LIBS([clock_gettime],[rt posix4])
+AC_CHECK_FUNC([clock_gettime])
+AC_SEARCH_LIBS([dl_iterate_phdr],[dl])
+AC_CHECK_FUNC([dl_iterate_phdr])
 ])
 
 AC_DEFUN([CHECK_VA_COPY], [

m4/check-os-options.m4

@@ -1,10 +1,10 @@
 AC_DEFUN([CHECK_OS_OPTIONS], [
 
 CFLAGS="$CFLAGS -Wall -std=gnu99 -fno-strict-aliasing"
+BUILD_NC=yes
 
 case $host_os in
 	*aix*)
-		BUILD_NC=yes
 		HOST_OS=aix
 		if test "`echo $CC | cut -d ' ' -f 1`" != "gcc" ; then
 			CFLAGS="-qnoansialias $USER_CFLAGS"
@@ -12,24 +12,57 @@ case $host_os in
 		AC_SUBST([PLATFORM_LDADD], ['-lperfstat -lpthread'])
 		;;
 	*cygwin*)
-		BUILD_NC=yes
 		HOST_OS=cygwin
 		;;
 	*darwin*)
-		BUILD_NC=yes
-                # weak seed on failure to open /dev/random, based on latest public source
-                # http://www.opensource.apple.com/source/Libc/Libc-997.90.3/gen/FreeBSD/arc4random.c
-                USE_BUILTIN_ARC4RANDOM=yes
 		HOST_OS=darwin
 		HOST_ABI=macosx
+		#
+		# Don't use arc4random on systems before 10.12 because of
+		# weak seed on failure to open /dev/random, based on latest
+		# public source:
+		# http://www.opensource.apple.com/source/Libc/Libc-997.90.3/gen/FreeBSD/arc4random.c
+		#
+		# We use the presence of getentropy() to detect 10.12. The
+		# following check take into account that:
+ 		#
+		#   - iOS <= 10.1 fails because of missing getentropy and
+		#     hence they miss sys/random.h
+		#
+		#   - in macOS 10.12 getentropy is not tagged as introduced in
+		#     10.12 so we cannot use it for target < 10.12
+		#
+		AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
+#include <AvailabilityMacros.h>
+#include <unistd.h>
+#include <sys/random.h>  /* Systems without getentropy() should die here */
+
+/* Based on: https://gitweb.torproject.org/tor.git/commit/?id=16fcbd21 */
+#ifndef MAC_OS_X_VERSION_10_12
+#  define MAC_OS_X_VERSION_10_12 101200
+#endif
+#if defined(MAC_OS_X_VERSION_MIN_REQUIRED)
+#  if MAC_OS_X_VERSION_MIN_REQUIRED < MAC_OS_X_VERSION_10_12
+#    error "Running on Mac OSX 10.11 or earlier"
+#  endif
+#endif
+                       ]], [[
+char buf[1]; getentropy(buf, 1);
+					   ]])],
+                       [ USE_BUILTIN_ARC4RANDOM=no ],
+                       [ USE_BUILTIN_ARC4RANDOM=yes ]
+		)
+		AC_MSG_CHECKING([whether to use builtin arc4random])
+		AC_MSG_RESULT([$USE_BUILTIN_ARC4RANDOM])
+		# Not available on iOS
+		AC_CHECK_HEADER([arpa/telnet.h], [], [BUILD_NC=no])
 		;;
 	*freebsd*)
-		BUILD_NC=yes
+		HOST_OS=freebsd
+		HOST_ABI=elf
 		# fork detection missing, weak seed on failure
 		# https://svnweb.freebsd.org/base/head/lib/libc/gen/arc4random.c?revision=268642&view=markup
 		USE_BUILTIN_ARC4RANDOM=yes
-		HOST_OS=freebsd
-		HOST_ABI=elf
 		AC_SUBST([PROG_LDADD], ['-lthr'])
 		;;
 	*hpux*)
@@ -43,13 +76,13 @@ case $host_os in
 		AC_SUBST([PLATFORM_LDADD], ['-lpthread'])
 		;;
 	*linux*)
-		BUILD_NC=yes
 		HOST_OS=linux
 		HOST_ABI=elf
 		CPPFLAGS="$CPPFLAGS -D_DEFAULT_SOURCE -D_BSD_SOURCE -D_POSIX_SOURCE -D_GNU_SOURCE"
 		;;
 	*netbsd*)
-		BUILD_NC=yes
+		HOST_OS=netbsd
+		HOST_ABI=elf
 		AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
 #include <sys/param.h>
 #if __NetBSD_Version__ < 700000001
@@ -59,18 +92,16 @@ case $host_os in
                        [ USE_BUILTIN_ARC4RANDOM=no ],
                        [ USE_BUILTIN_ARC4RANDOM=yes ]
 		)
-
-		HOST_OS=netbsd
 		CPPFLAGS="$CPPFLAGS -D_OPENBSD_SOURCE"
 		;;
 	*openbsd* | *bitrig*)
-		BUILD_NC=yes
 		HOST_OS=openbsd
 		HOST_ABI=elf
 		AC_DEFINE([HAVE_ATTRIBUTE__BOUNDED__], [1], [OpenBSD gcc has bounded])
 		;;
 	*mingw*)
 		HOST_OS=win
+		BUILD_NC=no
 		CPPFLAGS="$CPPFLAGS -D_GNU_SOURCE -D_POSIX -D_POSIX_SOURCE -D__USE_MINGW_ANSI_STDIO"
 		CPPFLAGS="$CPPFLAGS -D_REENTRANT -D_POSIX_THREAD_SAFE_FUNCTIONS"
 		CPPFLAGS="$CPPFLAGS -DWIN32_LEAN_AND_MEAN -D_WIN32_WINNT=0x0501"
@@ -80,7 +111,6 @@ case $host_os in
 		AC_SUBST([PLATFORM_LDADD], ['-lws2_32'])
 		;;
 	*solaris*)
-		BUILD_NC=yes
 		HOST_OS=solaris
 		HOST_ABI=elf
 		CPPFLAGS="$CPPFLAGS -D__EXTENSIONS__ -D_XOPEN_SOURCE=600 -DBSD_COMP"

man/links

@@ -941,6 +941,30 @@ SSL_want.3,SSL_want_nothing.3
 SSL_want.3,SSL_want_read.3
 SSL_want.3,SSL_want_write.3
 SSL_want.3,SSL_want_x509_lookup.3
+UI_new.3,ERR_load_UI_strings.3
+UI_new.3,UI_OpenSSL.3
+UI_new.3,UI_add_error_string.3
+UI_new.3,UI_add_info_string.3
+UI_new.3,UI_add_input_boolean.3
+UI_new.3,UI_add_input_string.3
+UI_new.3,UI_add_user_data.3
+UI_new.3,UI_add_verify_string.3
+UI_new.3,UI_construct_prompt.3
+UI_new.3,UI_ctrl.3
+UI_new.3,UI_dup_error_string.3
+UI_new.3,UI_dup_info_string.3
+UI_new.3,UI_dup_input_boolean.3
+UI_new.3,UI_dup_input_string.3
+UI_new.3,UI_dup_verify_string.3
+UI_new.3,UI_free.3
+UI_new.3,UI_get0_result.3
+UI_new.3,UI_get0_user_data.3
+UI_new.3,UI_get_default_method.3
+UI_new.3,UI_get_method.3
+UI_new.3,UI_new_method.3
+UI_new.3,UI_process.3
+UI_new.3,UI_set_default_method.3
+UI_new.3,UI_set_method.3
 X509_NAME_ENTRY_get_object.3,X509_NAME_ENTRY_create_by_NID.3
 X509_NAME_ENTRY_get_object.3,X509_NAME_ENTRY_create_by_OBJ.3
 X509_NAME_ENTRY_get_object.3,X509_NAME_ENTRY_create_by_txt.3
@@ -1018,35 +1042,6 @@ bn_dump.3,bn_wexpand.3
 bn_dump.3,mul.3
 bn_dump.3,mul_add.3
 bn_dump.3,sqr.3
-bn_internal.3,bn_add_words.3
-bn_internal.3,bn_check_top.3
-bn_internal.3,bn_cmp_words.3
-bn_internal.3,bn_div_words.3
-bn_internal.3,bn_dump.3
-bn_internal.3,bn_expand.3
-bn_internal.3,bn_expand2.3
-bn_internal.3,bn_fix_top.3
-bn_internal.3,bn_mul_add_words.3
-bn_internal.3,bn_mul_comba4.3
-bn_internal.3,bn_mul_comba8.3
-bn_internal.3,bn_mul_high.3
-bn_internal.3,bn_mul_low_normal.3
-bn_internal.3,bn_mul_low_recursive.3
-bn_internal.3,bn_mul_normal.3
-bn_internal.3,bn_mul_part_recursive.3
-bn_internal.3,bn_mul_recursive.3
-bn_internal.3,bn_mul_words.3
-bn_internal.3,bn_print.3
-bn_internal.3,bn_set_high.3
-bn_internal.3,bn_set_low.3
-bn_internal.3,bn_set_max.3
-bn_internal.3,bn_sqr_comba4.3
-bn_internal.3,bn_sqr_comba8.3
-bn_internal.3,bn_sqr_normal.3
-bn_internal.3,bn_sqr_recursive.3
-bn_internal.3,bn_sqr_words.3
-bn_internal.3,bn_sub_words.3
-bn_internal.3,bn_wexpand.3
 crypto.3,crypto_dispatch.3
 crypto.3,crypto_done.3
 crypto.3,crypto_freereq.3
@@ -1074,12 +1069,6 @@ d2i_ECPKParameters.3,d2i_ECPKParameters_fp.3
 d2i_ECPKParameters.3,i2d_ECPKParameters.3
 d2i_ECPKParameters.3,i2d_ECPKParameters_bio.3
 d2i_ECPKParameters.3,i2d_ECPKParameters_fp.3
-d2i_PKCS8PrivateKey.3,d2i_PKCS8PrivateKey_bio.3
-d2i_PKCS8PrivateKey.3,d2i_PKCS8PrivateKey_fp.3
-d2i_PKCS8PrivateKey.3,i2d_PKCS8PrivateKey_bio.3
-d2i_PKCS8PrivateKey.3,i2d_PKCS8PrivateKey_fp.3
-d2i_PKCS8PrivateKey.3,i2d_PKCS8PrivateKey_nid_bio.3
-d2i_PKCS8PrivateKey.3,i2d_PKCS8PrivateKey_nid_fp.3
 d2i_PKCS8PrivateKey_bio.3,d2i_PKCS8PrivateKey_fp.3
 d2i_PKCS8PrivateKey_bio.3,i2d_PKCS8PrivateKey_bio.3
 d2i_PKCS8PrivateKey_bio.3,i2d_PKCS8PrivateKey_fp.3
@@ -1114,18 +1103,6 @@ d2i_X509_SIG.3,i2d_X509_SIG.3
 des_read_pw.3,des_read_2passwords.3
 des_read_pw.3,des_read_password.3
 des_read_pw.3,des_read_pw_string.3
-ecdsa.3,ECDSA_SIG_free.3
-ecdsa.3,ECDSA_SIG_new.3
-ecdsa.3,ECDSA_do_sign.3
-ecdsa.3,ECDSA_do_sign_ex.3
-ecdsa.3,ECDSA_do_verify.3
-ecdsa.3,ECDSA_sign.3
-ecdsa.3,ECDSA_sign_ex.3
-ecdsa.3,ECDSA_sign_setup.3
-ecdsa.3,ECDSA_size.3
-ecdsa.3,ECDSA_verify.3
-ecdsa.3,d2i_ECDSA_SIG.3
-ecdsa.3,i2d_ECDSA_SIG.3
 engine.3,ENGINE_add.3
 engine.3,ENGINE_by_id.3
 engine.3,ENGINE_finish.3
@@ -1153,14 +1130,6 @@ lh_stats.3,lh_node_stats_bio.3
 lh_stats.3,lh_node_usage_stats.3
 lh_stats.3,lh_node_usage_stats_bio.3
 lh_stats.3,lh_stats_bio.3
-lhash.3,lh_delete.3
-lhash.3,lh_doall.3
-lhash.3,lh_doall_arg.3
-lhash.3,lh_error.3
-lhash.3,lh_free.3
-lhash.3,lh_insert.3
-lhash.3,lh_new.3
-lhash.3,lh_retrieve.3
 tls_init.3,tls_accept_fds.3
 tls_init.3,tls_accept_socket.3
 tls_init.3,tls_client.3
@@ -1211,56 +1180,3 @@ tls_init.3,tls_read.3
 tls_init.3,tls_reset.3
 tls_init.3,tls_server.3
 tls_init.3,tls_write.3
-ui.3,ERR_load_UI_strings.3
-ui.3,UI_OpenSSL.3
-ui.3,UI_add_error_string.3
-ui.3,UI_add_info_string.3
-ui.3,UI_add_input_boolean.3
-ui.3,UI_add_input_string.3
-ui.3,UI_add_user_data.3
-ui.3,UI_add_verify_string.3
-ui.3,UI_construct_prompt.3
-ui.3,UI_ctrl.3
-ui.3,UI_dup_error_string.3
-ui.3,UI_dup_info_string.3
-ui.3,UI_dup_input_boolean.3
-ui.3,UI_dup_input_string.3
-ui.3,UI_dup_verify_string.3
-ui.3,UI_free.3
-ui.3,UI_get0_result.3
-ui.3,UI_get0_user_data.3
-ui.3,UI_get_default_method.3
-ui.3,UI_get_method.3
-ui.3,UI_new.3
-ui.3,UI_new_method.3
-ui.3,UI_process.3
-ui.3,UI_set_default_method.3
-ui.3,UI_set_method.3
-ui_compat.3,des_read_2passwords.3
-ui_compat.3,des_read_password.3
-ui_compat.3,des_read_pw.3
-ui_compat.3,des_read_pw_string.3
-ui_new.3,ERR_load_UI_strings.3
-ui_new.3,UI_OpenSSL.3
-ui_new.3,UI_add_error_string.3
-ui_new.3,UI_add_info_string.3
-ui_new.3,UI_add_input_boolean.3
-ui_new.3,UI_add_input_string.3
-ui_new.3,UI_add_user_data.3
-ui_new.3,UI_add_verify_string.3
-ui_new.3,UI_construct_prompt.3
-ui_new.3,UI_ctrl.3
-ui_new.3,UI_dup_error_string.3
-ui_new.3,UI_dup_info_string.3
-ui_new.3,UI_dup_input_boolean.3
-ui_new.3,UI_dup_input_string.3
-ui_new.3,UI_dup_verify_string.3
-ui_new.3,UI_free.3
-ui_new.3,UI_get0_result.3
-ui_new.3,UI_get0_user_data.3
-ui_new.3,UI_get_default_method.3
-ui_new.3,UI_get_method.3
-ui_new.3,UI_new_method.3
-ui_new.3,UI_process.3
-ui_new.3,UI_set_default_method.3
-ui_new.3,UI_set_method.3

patches/modes_lcl.h

@@ -0,0 +1,21 @@
+--- openbsd/src/lib/libssl/src/crypto/modes/modes_lcl.h	Sat Dec  6 17:15:50 2014
++++ crypto/modes/modes_lcl.h	Sun Jul 17 17:45:27 2016
+@@ -43,14 +43,16 @@
+ 			asm ("bswapl %0"		\
+ 			: "+r"(ret));	ret;		})
+ # elif (defined(__arm__) || defined(__arm)) && !defined(__STRICT_ALIGNMENT)
+-#  define BSWAP8(x) ({	u32 lo=(u64)(x)>>32,hi=(x);	\
++#  if (__ARM_ARCH >= 6)
++#   define BSWAP8(x) ({	u32 lo=(u64)(x)>>32,hi=(x);	\
+ 			asm ("rev %0,%0; rev %1,%1"	\
+ 			: "+r"(hi),"+r"(lo));		\
+ 			(u64)hi<<32|lo;			})
+-#  define BSWAP4(x) ({	u32 ret;			\
++#   define BSWAP4(x) ({	u32 ret;			\
+ 			asm ("rev %0,%1"		\
+ 			: "=r"(ret) : "r"((u32)(x)));	\
+ 			ret;				})
++#  endif
+ # endif
+ #endif
+ #endif

patches/ssl_txt.c.patch

@@ -0,0 +1,19 @@
+--- ssl/ssl_txt.orig	Sun Jul 17 17:26:59 2016
++++ ssl/ssl_txt.c	Sun Jul 17 17:35:44 2016
+@@ -82,6 +82,7 @@
+  * OTHERWISE.
+  */
+ 
++#include <inttypes.h>
+ #include <stdio.h>
+ 
+ #include <openssl/buffer.h>
+@@ -163,7 +164,7 @@
+ 	}
+ 
+ 	if (x->time != 0) {
+-		if (BIO_printf(bp, "\n    Start Time: %lld", (long long)x->time) <= 0)
++		if (BIO_printf(bp, "\n    Start Time: %"PRId64, (int64_t)x->time) <= 0)
+ 			goto err;
+ 	}
+ 	if (x->timeout != 0L) {

ssl/CMakeLists.txt

@@ -52,6 +52,9 @@ if (BUILD_SHARED)
 	add_library(ssl-objects OBJECT ${SSL_SRC})
 	add_library(ssl STATIC $<TARGET_OBJECTS:ssl-objects>)
 	add_library(ssl-shared SHARED $<TARGET_OBJECTS:ssl-objects>)
+	if (MSVC)
+		target_link_libraries(ssl-shared crypto-shared Ws2_32.lib)
+	endif()
 	set_target_properties(ssl-shared PROPERTIES OUTPUT_NAME ssl)
 	set_target_properties(ssl-shared PROPERTIES VERSION ${SSL_VERSION}
 		SOVERSION ${SSL_MAJOR_VERSION})

ssl/Makefile.am

@@ -6,7 +6,7 @@ EXTRA_DIST = VERSION
 EXTRA_DIST += CMakeLists.txt
 
 libssl_la_LDFLAGS = -version-info @LIBSSL_VERSION@ -no-undefined
-libssl_la_LIBADD = ../crypto/libcrypto.la
+libssl_la_LIBADD = $(abs_top_builddir)/crypto/libcrypto.la
 
 libssl_la_SOURCES = bio_ssl.c
 libssl_la_SOURCES += bs_ber.c

tests/Makefile.am

@@ -7,9 +7,9 @@ AM_CPPFLAGS += -I $(top_srcdir)/apps/openssl
 AM_CPPFLAGS += -I $(top_srcdir)/apps/openssl/compat
 
 LDADD = $(PLATFORM_LDADD) $(PROG_LDADD)
-LDADD += $(top_builddir)/ssl/libssl.la
-LDADD += $(top_builddir)/crypto/libcrypto.la
-LDADD += $(top_builddir)/tls/libtls.la
+LDADD += $(abs_top_builddir)/ssl/libssl.la
+LDADD += $(abs_top_builddir)/crypto/libcrypto.la
+LDADD += $(abs_top_builddir)/tls/libtls.la
 
 TEST_LOG_DRIVER = env AM_TAP_AWK='$(AWK)' $(SHELL) $(top_srcdir)/tap-driver.sh
 

tls/CMakeLists.txt

@@ -25,6 +25,9 @@ if (BUILD_SHARED)
 	add_library(tls-objects OBJECT ${TLS_SRC})
 	add_library(tls STATIC $<TARGET_OBJECTS:tls-objects>)
 	add_library(tls-shared SHARED $<TARGET_OBJECTS:tls-objects>)
+	if (MSVC)
+		target_link_libraries(tls-shared ssl-shared crypto-shared Ws2_32.lib)
+	endif()
 	set_target_properties(tls-shared PROPERTIES OUTPUT_NAME tls)
 	set_target_properties(tls-shared PROPERTIES VERSION ${TLS_VERSION}
 		SOVERSION ${TLS_MAJOR_VERSION})

tls/Makefile.am

@@ -6,7 +6,9 @@ EXTRA_DIST = VERSION
 EXTRA_DIST += CMakeLists.txt
 
 libtls_la_LDFLAGS = -version-info @LIBTLS_VERSION@ -no-undefined
-libtls_la_LIBADD = ../crypto/libcrypto.la ../ssl/libssl.la $(PLATFORM_LDADD)
+libtls_la_LIBADD = $(abs_top_builddir)/ssl/libssl.la
+libtls_la_LIBADD += $(abs_top_builddir)/crypto/libcrypto.la
+libtls_la_LIBADD += $(PLATFORM_LDADD)
 
 libtls_la_CPPFLAGS = $(AM_CPPFLAGS)
 if OPENSSLDIR_DEFINED