update Changelog

Without this, we actually fail to build a library that includes the
bultin getentropy when compiling for 10.11 on 10.12.

CMakeLists.txt

@@ -49,6 +49,10 @@ if(CMAKE_SYSTEM_NAME MATCHES "MINGW")
 	set(BUILD_NC false)
 endif()
 
+if(MSVC)
+	set(BUILD_NC false)
+endif()
+
 if(CMAKE_SYSTEM_NAME MATCHES "HP-UX")
 	if(CMAKE_C_COMPILER MATCHES "gcc")
 		set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -Wall -std=gnu99 -fno-strict-aliasing")
@@ -140,7 +144,7 @@ if(HAVE_STRNDUP)
 endif()
 
 if(MSVC)
-	set(HAVE_STRNLEN)
+	set(HAVE_STRNLEN true)
 	add_definitions(-DHAVE_STRNLEN)
 else()
 	check_function_exists(strnlen HAVE_STRNLEN)

ChangeLog

@@ -28,6 +28,92 @@ history is also available from Git.
 
 LibreSSL Portable Release Notes:
 
+2.4.5  - Security and compatibility fixes
+
+	* Avoid a side-channel cache-timing attack that can leak the ECDSA
+	  private keys when signing. This is due to BN_mod_inverse() being
+	  used without the constant time flag being set.
+
+	  This issue was reported by Cesar Pereida Garcia and Billy Brumley
+	  (Tampere University of Technology). The fix was developed by Cesar
+	  Pereida Garcia.
+
+	* iOS and MacOS compatibility updates from Simone Basso and Jacob
+	  Berkman.
+
+2.4.4 - Reliability improvements
+
+	* Avoid continual processing of an unlimited number of TLS records,
+	  which can cause a denial-of-service condition.
+
+	* In X509_cmp_time(), pass asn1_time_parse() the tag of the field
+	  being parsed so that a malformed GeneralizedTime field is recognized as
+	  an error instead of potentially being interpreted as if it was a valid
+	  UTCTime.
+
+	* Improve ticket validity checking when tlsext_ticket_key_cb()
+	  callback chooses a different HMAC algorithm.
+
+	* Check for packets with a truncated DTLS cookie.
+
+	* Detect zero-length encrypted session data early, instead of when
+	  malloc(0) fails or the HMAC check fails.
+
+	* Check for and handle failure of HMAC_{Update,Final} or
+	  EVP_DecryptUpdate()
+
+2.4.3 - Bug fixes and reliability improvements
+
+	* Reverted change that cleans up the EVP cipher context in
+	  EVP_EncryptFinal() and EVP_DecryptFinal(). Some software relies on the
+	  previous behaviour.
+
+	* Avoid unbounded memory growth in libssl, which can be triggered by a
+	  TLS client repeatedly renegotiating and sending OCSP Status Request
+	  TLS extensions.
+
+	* Avoid falling back to a weak digest for (EC)DH when using SNI with
+	  libssl.
+
+2.4.2 - Bug fixes and improvements
+
+	* Fixed loading default certificate locations with openssl s_client.
+
+	* Ensured OSCP only uses and compares GENERALIZEDTIME values as per
+	  RFC6960. Also added fixes for OCSP to work with intermediate
+	  certificates provided in responses.
+
+	* Improved behavior of arc4random on Windows to not appear to leak
+	  memory in debug tools, reduced privileges of allocated memory.
+
+	* Fixed incorrect results from BN_mod_word() when the modulus is too
+	  large, thanks to Brian Smith from BoringSSL.
+
+	* Correctly handle an EOF prior to completing the TLS handshake in
+	  libtls.
+
+	* Improved libtls ceritificate loading and cipher string validation.
+
+	* Updated libtls cipher group suites into four categories:
+	    "secure"   (TLSv1.2+AEAD+PFS)
+	    "compat"   (HIGH:!aNULL)
+	    "legacy"   (HIGH:MEDIUM:!aNULL)
+	    "insecure" (ALL:!aNULL:!eNULL)
+	  This allows for flexibility and finer grained control, rather than
+	  having two extremes.
+
+	* Limited support for 'backward compatible' SSLv2 handshake packets to
+	  when TLS 1.0 is enabled, providing more restricted compatibility
+	  with TLS 1.0 clients.
+
+	* openssl(1) and other documentation improvements.
+
+	* Removed flags for disabling constant-time operations.
+	  This removes support for DSA_FLAG_NO_EXP_CONSTTIME,
+	  DH_FLAG_NO_EXP_CONSTTIME, and RSA_FLAG_NO_CONSTTIME flags, making
+	  all of these operations unconditionally constant-time.
+
+
 2.4.1 - Security fix
 
 	* Correct a problem that prevents the DSA signing algorithm from

OPENBSD_BRANCH

@@ -1 +1 @@
-master
+OPENBSD_6_0

crypto/CMakeLists.txt

@@ -752,6 +752,9 @@ if (BUILD_SHARED)
 	add_library(crypto-objects OBJECT ${CRYPTO_SRC})
 	add_library(crypto STATIC $<TARGET_OBJECTS:crypto-objects>)
 	add_library(crypto-shared SHARED $<TARGET_OBJECTS:crypto-objects>)
+	if (MSVC)
+		target_link_libraries(crypto-shared crypto Ws2_32.lib)
+	endif()
 	set_target_properties(crypto-shared PROPERTIES OUTPUT_NAME crypto)
 	set_target_properties(crypto-shared PROPERTIES VERSION
 		${CRYPTO_VERSION} SOVERSION ${CRYPTO_MAJOR_VERSION})

m4/check-libc.m4

@@ -47,7 +47,52 @@ AM_CONDITIONAL([HAVE_B64_NTOP], [test "x$ac_cv_func_b64_ntop_arg" = xyes])
 AC_DEFUN([CHECK_CRYPTO_COMPAT], [
 # Check crypto-related libc functions and syscalls
 AC_CHECK_FUNCS([arc4random arc4random_buf arc4random_uniform])
-AC_CHECK_FUNCS([explicit_bzero getauxval getentropy])
+AC_CHECK_FUNCS([explicit_bzero getauxval])
+
+AC_CACHE_CHECK([for getentropy], ac_cv_func_getentropy, [
+	AC_LINK_IFELSE([AC_LANG_PROGRAM([[
+#include <sys/types.h>
+#include <unistd.h>
+
+/*
+ * Explanation:
+ *
+ *   - iOS <= 10.1 fails because of missing sys/random.h
+ *
+ *   - in macOS 10.12 getentropy is not tagged as introduced in
+ *     10.12 so we cannot use it for target < 10.12
+ */
+#ifdef __APPLE__
+#  include <AvailabilityMacros.h>
+#  include <TargetConditionals.h>
+
+# if (TARGET_OS_IPHONE || TARGET_OS_SIMULATOR)
+#  include <sys/random.h> /* Not available as of iOS <= 10.1 */
+# else
+
+#  include <sys/random.h> /* Pre 10.12 systems should die here */
+
+/* Based on: https://gitweb.torproject.org/tor.git/commit/?id=16fcbd21 */
+#  ifndef MAC_OS_X_VERSION_10_12
+#    define MAC_OS_X_VERSION_10_12 101200 /* Robustness */
+#  endif
+#  if defined(MAC_OS_X_VERSION_MIN_REQUIRED)
+#    if MAC_OS_X_VERSION_MIN_REQUIRED < MAC_OS_X_VERSION_10_12
+#      error "Targeting on Mac OSX 10.11 or earlier"
+#    endif
+#  endif
+
+# endif
+#endif /* __APPLE__ */
+		]], [[
+	char buffer;
+	(void)getentropy(&buffer, sizeof (buffer));
+]])],
+	[ ac_cv_func_getentropy="yes" ],
+	[ ac_cv_func_getentropy="no"
+	])
+])
+
 AC_CHECK_FUNCS([timingsafe_bcmp timingsafe_memcmp])
 AM_CONDITIONAL([HAVE_ARC4RANDOM], [test "x$ac_cv_func_arc4random" = xyes])
 AM_CONDITIONAL([HAVE_ARC4RANDOM_BUF], [test "x$ac_cv_func_arc4random_buf" = xyes])
@@ -59,7 +104,7 @@ AM_CONDITIONAL([HAVE_TIMINGSAFE_MEMCMP], [test "x$ac_cv_func_timingsafe_memcmp"
 
 # Override arc4random_buf implementations with known issues
 AM_CONDITIONAL([HAVE_ARC4RANDOM_BUF],
-	[test "x$USE_BUILTIN_ARC4RANDOM" != yes \
+	[test "x$USE_BUILTIN_ARC4RANDOM" != xyes \
 	   -a "x$ac_cv_func_arc4random_buf" = xyes])
 
 # Check for getentropy fallback dependencies

m4/check-os-options.m4

@@ -17,10 +17,45 @@ case $host_os in
 	*darwin*)
 		HOST_OS=darwin
 		HOST_ABI=macosx
+		#
+		# Don't use arc4random on systems before 10.12 because of
 		# weak seed on failure to open /dev/random, based on latest
 		# public source:
 		# http://www.opensource.apple.com/source/Libc/Libc-997.90.3/gen/FreeBSD/arc4random.c
-		USE_BUILTIN_ARC4RANDOM=yes
+		#
+		# We use the presence of getentropy() to detect 10.12. The
+		# following check take into account that:
+ 		#
+		#   - iOS <= 10.1 fails because of missing getentropy and
+		#     hence they miss sys/random.h
+		#
+		#   - in macOS 10.12 getentropy is not tagged as introduced in
+		#     10.12 so we cannot use it for target < 10.12
+		#
+		AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
+#include <AvailabilityMacros.h>
+#include <unistd.h>
+#include <sys/random.h>  /* Systems without getentropy() should die here */
+
+/* Based on: https://gitweb.torproject.org/tor.git/commit/?id=16fcbd21 */
+#ifndef MAC_OS_X_VERSION_10_12
+#  define MAC_OS_X_VERSION_10_12 101200
+#endif
+#if defined(MAC_OS_X_VERSION_MIN_REQUIRED)
+#  if MAC_OS_X_VERSION_MIN_REQUIRED < MAC_OS_X_VERSION_10_12
+#    error "Running on Mac OSX 10.11 or earlier"
+#  endif
+#endif
+                       ]], [[
+char buf[1]; getentropy(buf, 1);
+					   ]])],
+                       [ USE_BUILTIN_ARC4RANDOM=no ],
+                       [ USE_BUILTIN_ARC4RANDOM=yes ]
+		)
+		AC_MSG_CHECKING([whether to use builtin arc4random])
+		AC_MSG_RESULT([$USE_BUILTIN_ARC4RANDOM])
+		# Not available on iOS
+		AC_CHECK_HEADER([arpa/telnet.h], [], [BUILD_NC=no])
 		;;
 	*freebsd*)
 		HOST_OS=freebsd

patches/modes_lcl.h

@@ -0,0 +1,21 @@
+--- openbsd/src/lib/libssl/src/crypto/modes/modes_lcl.h	Sat Dec  6 17:15:50 2014
++++ crypto/modes/modes_lcl.h	Sun Jul 17 17:45:27 2016
+@@ -43,14 +43,16 @@
+ 			asm ("bswapl %0"		\
+ 			: "+r"(ret));	ret;		})
+ # elif (defined(__arm__) || defined(__arm)) && !defined(__STRICT_ALIGNMENT)
+-#  define BSWAP8(x) ({	u32 lo=(u64)(x)>>32,hi=(x);	\
++#  if (__ARM_ARCH >= 6)
++#   define BSWAP8(x) ({	u32 lo=(u64)(x)>>32,hi=(x);	\
+ 			asm ("rev %0,%0; rev %1,%1"	\
+ 			: "+r"(hi),"+r"(lo));		\
+ 			(u64)hi<<32|lo;			})
+-#  define BSWAP4(x) ({	u32 ret;			\
++#   define BSWAP4(x) ({	u32 ret;			\
+ 			asm ("rev %0,%1"		\
+ 			: "=r"(ret) : "r"((u32)(x)));	\
+ 			ret;				})
++#  endif
+ # endif
+ #endif
+ #endif

patches/netcat.c.patch

@@ -1,17 +1,6 @@
---- apps/nc/netcat.c.orig	Mon May 30 11:05:31 2016
-+++ apps/nc/netcat.c	Mon May 30 11:05:44 2016
-@@ -57,6 +57,10 @@
- #include <tls.h>
- #include "atomicio.h"
- 
-+#ifndef IPV6_TCLASS
-+#define IPV6_TCLASS -1
-+#endif
-+
- #define PORT_MAX	65535
- #define UNIX_DG_TMP_SOCKET_SIZE	19
- 
-@@ -65,7 +69,9 @@
+--- apps/nc/netcat.c.orig	Thu Jun 30 19:56:49 2016
++++ apps/nc/netcat.c	Thu Jun 30 19:59:09 2016
+@@ -65,7 +65,9 @@
  #define POLL_NETIN 2
  #define POLL_STDOUT 3
  #define BUFSIZE 16384
@@ -21,7 +10,7 @@
  
  #define TLS_LEGACY	(1 << 1)
  #define TLS_NOVERIFY	(1 << 2)
-@@ -92,9 +98,13 @@
+@@ -92,9 +94,13 @@
  int	Dflag;					/* sodebug */
  int	Iflag;					/* TCP receive buffer size */
  int	Oflag;					/* TCP send buffer size */
@@ -35,7 +24,7 @@
  
  int	usetls;					/* use TLS */
  char    *Cflag;					/* Public cert file */
-@@ -150,7 +160,7 @@
+@@ -152,7 +158,7 @@
  	struct servent *sv;
  	socklen_t len;
  	struct sockaddr_storage cliaddr;
@@ -44,7 +33,7 @@
  	const char *errstr, *proxyhost = "", *proxyport = NULL;
  	struct addrinfo proxyhints;
  	char unix_dg_tmp_socket_buf[UNIX_DG_TMP_SOCKET_SIZE];
-@@ -251,12 +261,14 @@
+@@ -262,12 +268,14 @@
  		case 'u':
  			uflag = 1;
  			break;
@@ -59,7 +48,7 @@
  		case 'v':
  			vflag = 1;
  			break;
-@@ -289,9 +301,11 @@
+@@ -300,9 +308,11 @@
  				errx(1, "TCP send window %s: %s",
  				    errstr, optarg);
  			break;
@@ -71,7 +60,7 @@
  		case 'T':
  			errstr = NULL;
  			errno = 0;
-@@ -315,9 +329,11 @@
+@@ -326,9 +336,11 @@
  	argc -= optind;
  	argv += optind;
  
@@ -83,7 +72,7 @@
  
  	if (family == AF_UNIX) {
  		if (pledge("stdio rpath wpath cpath tmppath unix", NULL) == -1)
-@@ -469,7 +485,10 @@
+@@ -480,7 +492,10 @@
  				errx(1, "-H and -T noverify may not be used"
  				    "together");
  			tls_config_insecure_noverifycert(tls_cfg);
@@ -95,19 +84,19 @@
  	}
  	if (lflag) {
  		struct tls *tls_cctx = NULL;
-@@ -817,7 +836,10 @@
+@@ -832,7 +847,10 @@
  remote_connect(const char *host, const char *port, struct addrinfo hints)
  {
  	struct addrinfo *res, *res0;
--	int s, error, on = 1;
-+	int s, error;
+-	int s, error, on = 1, save_errno;
++	int s, error, save_errno;
 +#ifdef SO_BINDANY
 +	int on = 1;
 +#endif
  
  	if ((error = getaddrinfo(host, port, &hints, &res)))
  		errx(1, "getaddrinfo: %s", gai_strerror(error));
-@@ -832,8 +854,10 @@
+@@ -847,8 +865,10 @@
  		if (sflag || pflag) {
  			struct addrinfo ahints, *ares;
  
@@ -118,19 +107,19 @@
  			memset(&ahints, 0, sizeof(struct addrinfo));
  			ahints.ai_family = res0->ai_family;
  			ahints.ai_socktype = uflag ? SOCK_DGRAM : SOCK_STREAM;
-@@ -902,7 +926,10 @@
+@@ -919,7 +939,10 @@
  local_listen(char *host, char *port, struct addrinfo hints)
  {
  	struct addrinfo *res, *res0;
--	int s, ret, x = 1;
-+	int s;
+-	int s, ret, x = 1, save_errno;
++	int s, save_errno;
 +#ifdef SO_REUSEPORT
 +	int ret, x = 1;
 +#endif
  	int error;
  
  	/* Allow nodename to be null. */
-@@ -924,9 +951,11 @@
+@@ -941,9 +964,11 @@
  		    res0->ai_protocol)) < 0)
  			continue;
  
@@ -142,7 +131,7 @@
  
  		set_common_sockopts(s, res0->ai_family);
  
-@@ -1366,11 +1395,13 @@
+@@ -1401,11 +1426,13 @@
  {
  	int x = 1;
  
@@ -156,7 +145,26 @@
  	if (Dflag) {
  		if (setsockopt(s, SOL_SOCKET, SO_DEBUG,
  			&x, sizeof(x)) == -1)
-@@ -1553,14 +1584,22 @@
+@@ -1442,13 +1469,17 @@
+ 	}
+ 
+ 	if (minttl != -1) {
++#ifdef IP_MINTTL
+ 		if (af == AF_INET && setsockopt(s, IPPROTO_IP,
+ 		    IP_MINTTL, &minttl, sizeof(minttl)))
+ 			err(1, "set IP min TTL");
++#endif
+ 
+-		else if (af == AF_INET6 && setsockopt(s, IPPROTO_IPV6,
++#ifdef IPV6_MINHOPCOUNT
++		if (af == AF_INET6 && setsockopt(s, IPPROTO_IPV6,
+ 		    IPV6_MINHOPCOUNT, &minttl, sizeof(minttl)))
+ 			err(1, "set IPv6 min hop count");
++#endif
+ 	}
+ }
+ 
+@@ -1605,14 +1636,22 @@
  	\t-P proxyuser\tUsername for proxy authentication\n\
  	\t-p port\t	Specify local port for remote connects\n\
  	\t-R CAfile	CA bundle\n\

patches/ssl_txt.c.patch

@@ -0,0 +1,19 @@
+--- ssl/ssl_txt.orig	Sun Jul 17 17:26:59 2016
++++ ssl/ssl_txt.c	Sun Jul 17 17:35:44 2016
+@@ -82,6 +82,7 @@
+  * OTHERWISE.
+  */
+ 
++#include <inttypes.h>
+ #include <stdio.h>
+ 
+ #include <openssl/buffer.h>
+@@ -163,7 +164,7 @@
+ 	}
+ 
+ 	if (x->time != 0) {
+-		if (BIO_printf(bp, "\n    Start Time: %lld", (long long)x->time) <= 0)
++		if (BIO_printf(bp, "\n    Start Time: %"PRId64, (int64_t)x->time) <= 0)
+ 			goto err;
+ 	}
+ 	if (x->timeout != 0L) {

ssl/CMakeLists.txt

@@ -52,6 +52,9 @@ if (BUILD_SHARED)
 	add_library(ssl-objects OBJECT ${SSL_SRC})
 	add_library(ssl STATIC $<TARGET_OBJECTS:ssl-objects>)
 	add_library(ssl-shared SHARED $<TARGET_OBJECTS:ssl-objects>)
+	if (MSVC)
+		target_link_libraries(ssl-shared crypto-shared Ws2_32.lib)
+	endif()
 	set_target_properties(ssl-shared PROPERTIES OUTPUT_NAME ssl)
 	set_target_properties(ssl-shared PROPERTIES VERSION ${SSL_VERSION}
 		SOVERSION ${SSL_MAJOR_VERSION})

tests/CMakeLists.txt

@@ -194,6 +194,19 @@ add_executable(mont mont.c)
 target_link_libraries(mont ${OPENSSL_LIBS})
 add_test(mont mont)
 
+# ocsp_test
+if(ENABLE_EXTRATESTS)
+	if(NOT "${OPENSSLDIR}" STREQUAL "")
+		add_definitions(-D_PATH_SSL_CA_FILE=\"${OPENSSLDIR}/cert.pem\")
+	else()
+		add_definitions(-D_PATH_SSL_CA_FILE=\"${CMAKE_INSTALL_PREFIX}/etc/ssl/cert.pem\")
+	endif()
+	add_executable(ocsp_test ocsp_test.c)
+	target_link_libraries(ocsp_test ${OPENSSL_LIBS})
+	add_test(ocsptest ${CMAKE_CURRENT_SOURCE_DIR}/ocsptest.sh)
+	set_tests_properties(ocsptest PROPERTIES ENVIRONMENT "srcdir=${CMAKE_CURRENT_SOURCE_DIR}")
+endif()
+
 # optionstest
 add_executable(optionstest optionstest.c)
 target_link_libraries(optionstest ${OPENSSL_LIBS})

tests/Makefile.am

@@ -208,6 +208,14 @@ TESTS += mont
 check_PROGRAMS += mont
 mont_SOURCES = mont.c
 
+# ocsp_test
+if ENABLE_EXTRATESTS
+TESTS += ocsptest.sh
+check_PROGRAMS += ocsp_test
+ocsp_test_SOURCES = ocsp_test.c
+endif
+EXTRA_DIST += ocsptest.sh
+
 # optionstest
 TESTS += optionstest
 check_PROGRAMS += optionstest

tests/ocsptest.sh

@@ -0,0 +1,8 @@
+#!/bin/sh
+set -e
+TEST=./ocsp_test
+if [ -e ./ocsp_test.exe ]; then
+	TEST=./ocsp_test.exe
+fi
+$TEST www.amazon.com 443
+$TEST cloudflare.com 443

tls/CMakeLists.txt

@@ -31,6 +31,9 @@ if (BUILD_SHARED)
 	add_library(tls-objects OBJECT ${TLS_SRC})
 	add_library(tls STATIC $<TARGET_OBJECTS:tls-objects>)
 	add_library(tls-shared SHARED $<TARGET_OBJECTS:tls-objects>)
+	if (MSVC)
+		target_link_libraries(tls-shared ssl-shared crypto-shared Ws2_32.lib)
+	endif()
 	set_target_properties(tls-shared PROPERTIES OUTPUT_NAME tls)
 	set_target_properties(tls-shared PROPERTIES VERSION ${TLS_VERSION}
 		SOVERSION ${TLS_MAJOR_VERSION})

update.sh

@@ -13,6 +13,7 @@ if [ ! -d openbsd ]; then
 	fi
 fi
 (cd openbsd
+ git fetch
  git checkout $openbsd_branch
  git pull --rebase)