Update changelog

- To avoid ld warning on Solaris, use abs_top_builddir in Makefile.am

CMakeLists.txt

@@ -96,7 +96,7 @@ if(HAVE_STRLCAT)
 	add_definitions(-DHAVE_STRLCAT)
 endif()
 
-check_function_exists(strlcat HAVE_STRLCPY)
+check_function_exists(strlcpy HAVE_STRLCPY)
 if(HAVE_STRLCPY)
 	add_definitions(-DHAVE_STRLCPY)
 endif()

ChangeLog

@@ -28,6 +28,32 @@ history is also available from Git.
 
 LibreSSL Portable Release Notes:
 
+2.3.5 - Reliability fix
+
+	* Fixed an error in libcrypto when parsing some ASN.1 elements > 16k.
+
+2.3.4 - Security Update
+
+	* Fix multiple vulnerabilities in libcrypto relating to ASN.1 and encoding.
+	From OpenSSL.
+
+	* Minor build fixes
+
+2.3.3 - OpenBSD 5.9 release branch tagged
+
+	* Reworked build scripts to better sync with OpenNTPD-portable
+
+	* Fixed broken manpage links
+
+	* Fixed an nginx compatibility issue by adding an 'install_sw' make alias
+
+	* Fixed HP-UX builds
+
+	* Changed the default configuration directory to c:\LibreSSL\ssl on Windows
+	  binary builds
+
+	* cert.pem has been reorganized and synced with Mozilla's certificate store
+
 2.3.2 - Compatibility and Reliability fixes
 
 	* Changed format of LIBRESSL_VERSION_NUMBER to match that of

Makefile.am

@@ -6,3 +6,6 @@ pkgconfig_DATA = libcrypto.pc libssl.pc libtls.pc openssl.pc
 
 EXTRA_DIST = README.md README.windows VERSION config scripts
 EXTRA_DIST += CMakeLists.txt
+
+.PHONY: install_sw
+install_sw: install

OPENBSD_BRANCH

@@ -1 +1 @@
-master
+OPENBSD_5_9

apps/nc/Makefile.am

@@ -11,9 +11,9 @@ endif
 EXTRA_DIST = nc.1
 
 nc_LDADD = $(PLATFORM_LDADD) $(PROG_LDADD)
-nc_LDADD += $(top_builddir)/crypto/libcrypto.la
-nc_LDADD += $(top_builddir)/ssl/libssl.la
-nc_LDADD += $(top_builddir)/tls/libtls.la
+nc_LDADD += $(abs_top_builddir)/crypto/libcrypto.la
+nc_LDADD += $(abs_top_builddir)/ssl/libssl.la
+nc_LDADD += $(abs_top_builddir)/tls/libtls.la
 
 AM_CPPFLAGS += -I$(top_srcdir)/apps/nc/compat
 if OPENSSLDIR_DEFINED

apps/openssl/Makefile.am

@@ -5,8 +5,8 @@ bin_PROGRAMS = openssl
 dist_man_MANS = openssl.1
 
 openssl_LDADD = $(PLATFORM_LDADD) $(PROG_LDADD)
-openssl_LDADD += $(top_builddir)/ssl/libssl.la
-openssl_LDADD += $(top_builddir)/crypto/libcrypto.la
+openssl_LDADD += $(abs_top_builddir)/ssl/libssl.la
+openssl_LDADD += $(abs_top_builddir)/crypto/libcrypto.la
 
 openssl_SOURCES = apps.c
 openssl_SOURCES += asn1pars.c

crypto/Makefile.am

@@ -3,6 +3,7 @@ include $(top_srcdir)/Makefile.am.common
 AM_CPPFLAGS += -I$(top_srcdir)/crypto/asn1
 AM_CPPFLAGS += -I$(top_srcdir)/crypto/evp
 AM_CPPFLAGS += -I$(top_srcdir)/crypto/modes
+AM_CPPFLAGS += -I$(top_srcdir)/crypto
 
 lib_LTLIBRARIES = libcrypto.la
 
@@ -128,6 +129,7 @@ libcrypto_la_SOURCES += mem_dbg.c
 libcrypto_la_SOURCES += o_init.c
 libcrypto_la_SOURCES += o_str.c
 libcrypto_la_SOURCES += o_time.c
+noinst_HEADERS += constant_time_locl.h
 noinst_HEADERS += cryptlib.h
 noinst_HEADERS += md32_common.h
 noinst_HEADERS += o_time.h

dist-win.sh

@@ -22,7 +22,7 @@ for ARCH in X86 X64; do
 
 	echo Building for $HOST
 
-	CC=$HOST-gcc ./configure --host=$HOST
+	CC=$HOST-gcc ./configure --host=$HOST --with-openssldir=c:/libressl/ssl
 	make clean
 	PATH=$PATH:/usr/$HOST/sys-root/mingw/bin \
 	   make -j 4 check

include/compat/netinet/ip.h

@@ -3,6 +3,10 @@
  * netinet/ip.h compatibility shim
  */
 
+#if defined(__hpux)
+#include <netinet/in_systm.h>
+#endif
+
 #ifndef _WIN32
 #include_next <netinet/ip.h>
 #else

m4/check-libc.m4

@@ -46,9 +46,12 @@ AM_CONDITIONAL([HAVE_B64_NTOP], [test "x$ac_cv_func_b64_ntop_arg" = xyes])
 
 AC_DEFUN([CHECK_CRYPTO_COMPAT], [
 # Check crypto-related libc functions and syscalls
-AC_CHECK_FUNCS([arc4random_buf explicit_bzero getauxval getentropy])
+AC_CHECK_FUNCS([arc4random arc4random_buf arc4random_uniform])
+AC_CHECK_FUNCS([explicit_bzero getauxval getentropy])
 AC_CHECK_FUNCS([timingsafe_bcmp timingsafe_memcmp])
+AM_CONDITIONAL([HAVE_ARC4RANDOM], [test "x$ac_cv_func_arc4random" = xyes])
 AM_CONDITIONAL([HAVE_ARC4RANDOM_BUF], [test "x$ac_cv_func_arc4random_buf" = xyes])
+AM_CONDITIONAL([HAVE_ARC4RANDOM_UNIFORM], [test "x$ac_cv_func_arc4random_uniform" = xyes])
 AM_CONDITIONAL([HAVE_EXPLICIT_BZERO], [test "x$ac_cv_func_explicit_bzero" = xyes])
 AM_CONDITIONAL([HAVE_GETENTROPY], [test "x$ac_cv_func_getentropy" = xyes])
 AM_CONDITIONAL([HAVE_TIMINGSAFE_BCMP], [test "x$ac_cv_func_timingsafe_bcmp" = xyes])
@@ -61,8 +64,10 @@ AM_CONDITIONAL([HAVE_ARC4RANDOM_BUF],
 
 # Check for getentropy fallback dependencies
 AC_CHECK_FUNC([getauxval])
-AC_CHECK_FUNC([clock_gettime],, [AC_SEARCH_LIBS([clock_gettime],[rt posix4])])
-AC_CHECK_FUNC([dl_iterate_phdr],, [AC_SEARCH_LIBS([dl_iterate_phdr],[dl])])
+AC_SEARCH_LIBS([clock_gettime],[rt posix4])
+AC_CHECK_FUNC([clock_gettime])
+AC_SEARCH_LIBS([dl_iterate_phdr],[dl])
+AC_CHECK_FUNC([dl_iterate_phdr])
 ])
 
 AC_DEFUN([CHECK_VA_COPY], [

m4/check-os-options.m4

@@ -1,10 +1,10 @@
 AC_DEFUN([CHECK_OS_OPTIONS], [
 
 CFLAGS="$CFLAGS -Wall -std=gnu99 -fno-strict-aliasing"
+BUILD_NC=yes
 
 case $host_os in
 	*aix*)
-		BUILD_NC=yes
 		HOST_OS=aix
 		if test "`echo $CC | cut -d ' ' -f 1`" != "gcc" ; then
 			CFLAGS="-qnoansialias $USER_CFLAGS"
@@ -12,24 +12,22 @@ case $host_os in
 		AC_SUBST([PLATFORM_LDADD], ['-lperfstat -lpthread'])
 		;;
 	*cygwin*)
-		BUILD_NC=yes
 		HOST_OS=cygwin
 		;;
 	*darwin*)
-		BUILD_NC=yes
-                # weak seed on failure to open /dev/random, based on latest public source
-                # http://www.opensource.apple.com/source/Libc/Libc-997.90.3/gen/FreeBSD/arc4random.c
-                USE_BUILTIN_ARC4RANDOM=yes
 		HOST_OS=darwin
 		HOST_ABI=macosx
+		# weak seed on failure to open /dev/random, based on latest
+		# public source:
+		# http://www.opensource.apple.com/source/Libc/Libc-997.90.3/gen/FreeBSD/arc4random.c
+		USE_BUILTIN_ARC4RANDOM=yes
 		;;
 	*freebsd*)
-		BUILD_NC=yes
-                # fork detection missing, weak seed on failure
-                # https://svnweb.freebsd.org/base/head/lib/libc/gen/arc4random.c?revision=268642&view=markup
-                USE_BUILTIN_ARC4RANDOM=yes
 		HOST_OS=freebsd
 		HOST_ABI=elf
+		# fork detection missing, weak seed on failure
+		# https://svnweb.freebsd.org/base/head/lib/libc/gen/arc4random.c?revision=268642&view=markup
+		USE_BUILTIN_ARC4RANDOM=yes
 		AC_SUBST([PROG_LDADD], ['-lthr'])
 		;;
 	*hpux*)
@@ -43,14 +41,14 @@ case $host_os in
 		AC_SUBST([PLATFORM_LDADD], ['-lpthread'])
 		;;
 	*linux*)
-		BUILD_NC=yes
 		HOST_OS=linux
 		HOST_ABI=elf
 		CPPFLAGS="$CPPFLAGS -D_DEFAULT_SOURCE -D_BSD_SOURCE -D_POSIX_SOURCE -D_GNU_SOURCE"
 		;;
 	*netbsd*)
-		BUILD_NC=yes
-               AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
+		HOST_OS=netbsd
+		HOST_ABI=elf
+		AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
 #include <sys/param.h>
 #if __NetBSD_Version__ < 700000001
         undefined
@@ -58,19 +56,17 @@ case $host_os in
                        ]], [[]])],
                        [ USE_BUILTIN_ARC4RANDOM=no ],
                        [ USE_BUILTIN_ARC4RANDOM=yes ]
-               )
-
-		HOST_OS=netbsd
+		)
 		CPPFLAGS="$CPPFLAGS -D_OPENBSD_SOURCE"
 		;;
 	*openbsd* | *bitrig*)
-		BUILD_NC=yes
 		HOST_OS=openbsd
 		HOST_ABI=elf
 		AC_DEFINE([HAVE_ATTRIBUTE__BOUNDED__], [1], [OpenBSD gcc has bounded])
 		;;
 	*mingw*)
 		HOST_OS=win
+		BUILD_NC=no
 		CPPFLAGS="$CPPFLAGS -D_GNU_SOURCE -D_POSIX -D_POSIX_SOURCE -D__USE_MINGW_ANSI_STDIO"
 		CPPFLAGS="$CPPFLAGS -D_REENTRANT -D_POSIX_THREAD_SAFE_FUNCTIONS"
 		CPPFLAGS="$CPPFLAGS -DWIN32_LEAN_AND_MEAN -D_WIN32_WINNT=0x0501"
@@ -80,7 +76,6 @@ case $host_os in
 		AC_SUBST([PLATFORM_LDADD], ['-lws2_32'])
 		;;
 	*solaris*)
-		BUILD_NC=yes
 		HOST_OS=solaris
 		HOST_ABI=elf
 		CPPFLAGS="$CPPFLAGS -D__EXTENSIONS__ -D_XOPEN_SOURCE=600 -DBSD_COMP"

man/links

@@ -941,6 +941,30 @@ SSL_want.3,SSL_want_nothing.3
 SSL_want.3,SSL_want_read.3
 SSL_want.3,SSL_want_write.3
 SSL_want.3,SSL_want_x509_lookup.3
+UI_new.3,ERR_load_UI_strings.3
+UI_new.3,UI_OpenSSL.3
+UI_new.3,UI_add_error_string.3
+UI_new.3,UI_add_info_string.3
+UI_new.3,UI_add_input_boolean.3
+UI_new.3,UI_add_input_string.3
+UI_new.3,UI_add_user_data.3
+UI_new.3,UI_add_verify_string.3
+UI_new.3,UI_construct_prompt.3
+UI_new.3,UI_ctrl.3
+UI_new.3,UI_dup_error_string.3
+UI_new.3,UI_dup_info_string.3
+UI_new.3,UI_dup_input_boolean.3
+UI_new.3,UI_dup_input_string.3
+UI_new.3,UI_dup_verify_string.3
+UI_new.3,UI_free.3
+UI_new.3,UI_get0_result.3
+UI_new.3,UI_get0_user_data.3
+UI_new.3,UI_get_default_method.3
+UI_new.3,UI_get_method.3
+UI_new.3,UI_new_method.3
+UI_new.3,UI_process.3
+UI_new.3,UI_set_default_method.3
+UI_new.3,UI_set_method.3
 X509_NAME_ENTRY_get_object.3,X509_NAME_ENTRY_create_by_NID.3
 X509_NAME_ENTRY_get_object.3,X509_NAME_ENTRY_create_by_OBJ.3
 X509_NAME_ENTRY_get_object.3,X509_NAME_ENTRY_create_by_txt.3
@@ -1018,35 +1042,6 @@ bn_dump.3,bn_wexpand.3
 bn_dump.3,mul.3
 bn_dump.3,mul_add.3
 bn_dump.3,sqr.3
-bn_internal.3,bn_add_words.3
-bn_internal.3,bn_check_top.3
-bn_internal.3,bn_cmp_words.3
-bn_internal.3,bn_div_words.3
-bn_internal.3,bn_dump.3
-bn_internal.3,bn_expand.3
-bn_internal.3,bn_expand2.3
-bn_internal.3,bn_fix_top.3
-bn_internal.3,bn_mul_add_words.3
-bn_internal.3,bn_mul_comba4.3
-bn_internal.3,bn_mul_comba8.3
-bn_internal.3,bn_mul_high.3
-bn_internal.3,bn_mul_low_normal.3
-bn_internal.3,bn_mul_low_recursive.3
-bn_internal.3,bn_mul_normal.3
-bn_internal.3,bn_mul_part_recursive.3
-bn_internal.3,bn_mul_recursive.3
-bn_internal.3,bn_mul_words.3
-bn_internal.3,bn_print.3
-bn_internal.3,bn_set_high.3
-bn_internal.3,bn_set_low.3
-bn_internal.3,bn_set_max.3
-bn_internal.3,bn_sqr_comba4.3
-bn_internal.3,bn_sqr_comba8.3
-bn_internal.3,bn_sqr_normal.3
-bn_internal.3,bn_sqr_recursive.3
-bn_internal.3,bn_sqr_words.3
-bn_internal.3,bn_sub_words.3
-bn_internal.3,bn_wexpand.3
 crypto.3,crypto_dispatch.3
 crypto.3,crypto_done.3
 crypto.3,crypto_freereq.3
@@ -1074,12 +1069,6 @@ d2i_ECPKParameters.3,d2i_ECPKParameters_fp.3
 d2i_ECPKParameters.3,i2d_ECPKParameters.3
 d2i_ECPKParameters.3,i2d_ECPKParameters_bio.3
 d2i_ECPKParameters.3,i2d_ECPKParameters_fp.3
-d2i_PKCS8PrivateKey.3,d2i_PKCS8PrivateKey_bio.3
-d2i_PKCS8PrivateKey.3,d2i_PKCS8PrivateKey_fp.3
-d2i_PKCS8PrivateKey.3,i2d_PKCS8PrivateKey_bio.3
-d2i_PKCS8PrivateKey.3,i2d_PKCS8PrivateKey_fp.3
-d2i_PKCS8PrivateKey.3,i2d_PKCS8PrivateKey_nid_bio.3
-d2i_PKCS8PrivateKey.3,i2d_PKCS8PrivateKey_nid_fp.3
 d2i_PKCS8PrivateKey_bio.3,d2i_PKCS8PrivateKey_fp.3
 d2i_PKCS8PrivateKey_bio.3,i2d_PKCS8PrivateKey_bio.3
 d2i_PKCS8PrivateKey_bio.3,i2d_PKCS8PrivateKey_fp.3
@@ -1114,18 +1103,6 @@ d2i_X509_SIG.3,i2d_X509_SIG.3
 des_read_pw.3,des_read_2passwords.3
 des_read_pw.3,des_read_password.3
 des_read_pw.3,des_read_pw_string.3
-ecdsa.3,ECDSA_SIG_free.3
-ecdsa.3,ECDSA_SIG_new.3
-ecdsa.3,ECDSA_do_sign.3
-ecdsa.3,ECDSA_do_sign_ex.3
-ecdsa.3,ECDSA_do_verify.3
-ecdsa.3,ECDSA_sign.3
-ecdsa.3,ECDSA_sign_ex.3
-ecdsa.3,ECDSA_sign_setup.3
-ecdsa.3,ECDSA_size.3
-ecdsa.3,ECDSA_verify.3
-ecdsa.3,d2i_ECDSA_SIG.3
-ecdsa.3,i2d_ECDSA_SIG.3
 engine.3,ENGINE_add.3
 engine.3,ENGINE_by_id.3
 engine.3,ENGINE_finish.3
@@ -1153,14 +1130,6 @@ lh_stats.3,lh_node_stats_bio.3
 lh_stats.3,lh_node_usage_stats.3
 lh_stats.3,lh_node_usage_stats_bio.3
 lh_stats.3,lh_stats_bio.3
-lhash.3,lh_delete.3
-lhash.3,lh_doall.3
-lhash.3,lh_doall_arg.3
-lhash.3,lh_error.3
-lhash.3,lh_free.3
-lhash.3,lh_insert.3
-lhash.3,lh_new.3
-lhash.3,lh_retrieve.3
 tls_init.3,tls_accept_fds.3
 tls_init.3,tls_accept_socket.3
 tls_init.3,tls_client.3
@@ -1211,56 +1180,3 @@ tls_init.3,tls_read.3
 tls_init.3,tls_reset.3
 tls_init.3,tls_server.3
 tls_init.3,tls_write.3
-ui.3,ERR_load_UI_strings.3
-ui.3,UI_OpenSSL.3
-ui.3,UI_add_error_string.3
-ui.3,UI_add_info_string.3
-ui.3,UI_add_input_boolean.3
-ui.3,UI_add_input_string.3
-ui.3,UI_add_user_data.3
-ui.3,UI_add_verify_string.3
-ui.3,UI_construct_prompt.3
-ui.3,UI_ctrl.3
-ui.3,UI_dup_error_string.3
-ui.3,UI_dup_info_string.3
-ui.3,UI_dup_input_boolean.3
-ui.3,UI_dup_input_string.3
-ui.3,UI_dup_verify_string.3
-ui.3,UI_free.3
-ui.3,UI_get0_result.3
-ui.3,UI_get0_user_data.3
-ui.3,UI_get_default_method.3
-ui.3,UI_get_method.3
-ui.3,UI_new.3
-ui.3,UI_new_method.3
-ui.3,UI_process.3
-ui.3,UI_set_default_method.3
-ui.3,UI_set_method.3
-ui_compat.3,des_read_2passwords.3
-ui_compat.3,des_read_password.3
-ui_compat.3,des_read_pw.3
-ui_compat.3,des_read_pw_string.3
-ui_new.3,ERR_load_UI_strings.3
-ui_new.3,UI_OpenSSL.3
-ui_new.3,UI_add_error_string.3
-ui_new.3,UI_add_info_string.3
-ui_new.3,UI_add_input_boolean.3
-ui_new.3,UI_add_input_string.3
-ui_new.3,UI_add_user_data.3
-ui_new.3,UI_add_verify_string.3
-ui_new.3,UI_construct_prompt.3
-ui_new.3,UI_ctrl.3
-ui_new.3,UI_dup_error_string.3
-ui_new.3,UI_dup_info_string.3
-ui_new.3,UI_dup_input_boolean.3
-ui_new.3,UI_dup_input_string.3
-ui_new.3,UI_dup_verify_string.3
-ui_new.3,UI_free.3
-ui_new.3,UI_get0_result.3
-ui_new.3,UI_get0_user_data.3
-ui_new.3,UI_get_default_method.3
-ui_new.3,UI_get_method.3
-ui_new.3,UI_new_method.3
-ui_new.3,UI_process.3
-ui_new.3,UI_set_default_method.3
-ui_new.3,UI_set_method.3

ssl/Makefile.am

@@ -6,7 +6,7 @@ EXTRA_DIST = VERSION
 EXTRA_DIST += CMakeLists.txt
 
 libssl_la_LDFLAGS = -version-info @LIBSSL_VERSION@ -no-undefined
-libssl_la_LIBADD = ../crypto/libcrypto.la
+libssl_la_LIBADD = $(abs_top_builddir)/crypto/libcrypto.la
 
 libssl_la_SOURCES = bio_ssl.c
 libssl_la_SOURCES += bs_ber.c

tests/Makefile.am

@@ -7,9 +7,9 @@ AM_CPPFLAGS += -I $(top_srcdir)/apps/openssl
 AM_CPPFLAGS += -I $(top_srcdir)/apps/openssl/compat
 
 LDADD = $(PLATFORM_LDADD) $(PROG_LDADD)
-LDADD += $(top_builddir)/ssl/libssl.la
-LDADD += $(top_builddir)/crypto/libcrypto.la
-LDADD += $(top_builddir)/tls/libtls.la
+LDADD += $(abs_top_builddir)/ssl/libssl.la
+LDADD += $(abs_top_builddir)/crypto/libcrypto.la
+LDADD += $(abs_top_builddir)/tls/libtls.la
 
 TEST_LOG_DRIVER = env AM_TAP_AWK='$(AWK)' $(SHELL) $(top_srcdir)/tap-driver.sh
 

tls/Makefile.am

@@ -6,7 +6,9 @@ EXTRA_DIST = VERSION
 EXTRA_DIST += CMakeLists.txt
 
 libtls_la_LDFLAGS = -version-info @LIBTLS_VERSION@ -no-undefined
-libtls_la_LIBADD = ../crypto/libcrypto.la ../ssl/libssl.la $(PLATFORM_LDADD)
+libtls_la_LIBADD = $(abs_top_builddir)/ssl/libssl.la
+libtls_la_LIBADD += $(abs_top_builddir)/crypto/libcrypto.la
+libtls_la_LIBADD += $(PLATFORM_LDADD)
 
 libtls_la_CPPFLAGS = $(AM_CPPFLAGS)
 if OPENSSLDIR_DEFINED