update changelog for 2.3.8

Solaris 11 recently introduced a builtin arc4random in libc which fails the tests in "make check". Found USE_BUILTIN_ARC4RANDOM, but could not get it to work. Apparently, there is a typo in the configure logic rendering USE_BUILTIN_ARC4RANDOM ineffective.

CMakeLists.txt

@@ -1,10 +1,9 @@
-cmake_minimum_required (VERSION 2.8.8)
+cmake_minimum_required (VERSION 2.8)
 include(CheckFunctionExists)
 include(CheckLibraryExists)
 include(CheckIncludeFiles)
-include(CheckTypeSize)
 
-project (LibreSSL C)
+project (LibreSSL)
 
 enable_testing()
 
@@ -23,17 +22,6 @@ string(STRIP ${TLS_VERSION} TLS_VERSION)
 string(REPLACE ":" "." TLS_VERSION ${TLS_VERSION})
 string(REGEX REPLACE "\\..*" "" TLS_MAJOR_VERSION ${TLS_VERSION})
 
-option(ENABLE_ASM "Enable assembly" ON)
-option(ENABLE_EXTRATESTS "Enable extra tests that may be unreliable on some platforms" OFF)
-option(ENABLE_NC "Enable installing TLS-enabled nc(1)" OFF)
-set(OPENSSLDIR ${OPENSSLDIR} CACHE PATH "Set the default openssl directory" FORCE)
-
-set(BUILD_NC true)
-
-if(CMAKE_SYSTEM_NAME MATCHES "Darwin")
-	add_definitions(-fno-common)
-endif()
-
 if(CMAKE_SYSTEM_NAME MATCHES "OpenBSD")
 	add_definitions(-DHAVE_ATTRIBUTE__BOUNDED__)
 endif()
@@ -45,34 +33,9 @@ if(CMAKE_SYSTEM_NAME MATCHES "Linux")
 	add_definitions(-D_GNU_SOURCE)
 endif()
 
-if(CMAKE_SYSTEM_NAME MATCHES "MINGW")
-	set(BUILD_NC false)
-endif()
-
-if(MSVC)
-	set(BUILD_NC false)
-endif()
-
-if(CMAKE_SYSTEM_NAME MATCHES "HP-UX")
-	if(CMAKE_C_COMPILER MATCHES "gcc")
-		set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -Wall -std=gnu99 -fno-strict-aliasing")
-		set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -mlp64")
-	else()
-		set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -g -O2 +DD64 +Otype_safety=off")
-	endif()
-	set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -D_XOPEN_SOURCE=600 -D__STRICT_ALIGNMENT")
-endif()
-
-if(CMAKE_SYSTEM_NAME MATCHES "SunOS")
-	set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -Wall -std=gnu99 -fno-strict-aliasing")
-	set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -D__EXTENSIONS__")
-	set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -D_XOPEN_SOURCE=600")
-	set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -DBSD_COMP")
-	set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -fpic -m64")
-endif()
-
 add_definitions(-DLIBRESSL_INTERNAL)
 add_definitions(-DOPENSSL_NO_HW_PADLOCK)
+add_definitions(-DOPENSSL_NO_ASM)
 
 set(CMAKE_POSITION_INDEPENDENT_CODE true)
 
@@ -168,11 +131,6 @@ if(HAVE_ARC4RANDOM_BUF)
 	add_definitions(-DHAVE_ARC4RANDOM_BUF)
 endif()
 
-check_function_exists(arc4random_uniform HAVE_ARC4RANDOM_UNIFORM)
-if(HAVE_ARC4RANDOM_UNIFORM)
-	add_definitions(-DHAVE_ARC4RANDOM_UNIFORM)
-endif()
-
 check_function_exists(explicit_bzero HAVE_EXPLICIT_BZERO)
 if(HAVE_EXPLICIT_BZERO)
 	add_definitions(-DHAVE_EXPLICIT_BZERO)
@@ -198,28 +156,11 @@ if(HAVE_MEMCMP)
 	add_definitions(-DHAVE_MEMCMP)
 endif()
 
-check_function_exists(memmem HAVE_MEMMEM)
-if(HAVE_MEMMEM)
-	add_definitions(-DHAVE_MEMMEM)
-endif()
-
 check_include_files(err.h HAVE_ERR_H)
 if(HAVE_ERR_H)
 	add_definitions(-DHAVE_ERR_H)
 endif()
 
-if(ENABLE_ASM)
-	if("${CMAKE_C_COMPILER_ABI}" STREQUAL "ELF")
-		if("${CMAKE_SYSTEM_PROCESSOR}" MATCHES "(x86_64|amd64)")
-			set(HOST_ASM_ELF_X86_64 true)
-		elseif(CMAKE_SYSTEM_NAME STREQUAL "SunOS" AND "${CMAKE_SYSTEM_PROCESSOR}" STREQUAL "i386")
-			set(HOST_ASM_ELF_X86_64 true)
-		endif()
-	elseif(APPLE AND "${CMAKE_SYSTEM_PROCESSOR}" STREQUAL "x86_64")
-		set(HOST_ASM_MACOSX_X86_64 true)
-	endif()
-endif()
-
 set(OPENSSL_LIBS ssl crypto)
 if(CMAKE_HOST_WIN32)
 	set(OPENSSL_LIBS ${OPENSSL_LIBS} ws2_32)
@@ -230,25 +171,11 @@ if(CMAKE_SYSTEM_NAME MATCHES "Linux")
 		set(OPENSSL_LIBS ${OPENSSL_LIBS} rt)
 	endif()
 endif()
-if(CMAKE_SYSTEM_NAME MATCHES "HP-UX")
-	set(OPENSSL_LIBS ${OPENSSL_LIBS} pthread)
-endif()
-if(CMAKE_SYSTEM_NAME MATCHES "SunOS")
-	set(OPENSSL_LIBS ${OPENSSL_LIBS} nsl socket)
-endif()
 
-if(NOT (CMAKE_SYSTEM_NAME MATCHES "(Darwin|MINGW|CYGWIN)" OR MSVC))
+if(NOT (CMAKE_SYSTEM_NAME MATCHES "Darwin" OR MSVC))
 	set(BUILD_SHARED true)
 endif()
 
-check_type_size(time_t SIZEOF_TIME_T)
-if(SIZEOF_TIME_T STREQUAL "4")
-	set(SMALL_TIME_T true)
-	message(WARNING " ** Warning, this system is unable to represent times past 2038\n"
-	                " ** It will behave incorrectly when handling valid RFC5280 dates")
-endif()
-add_definitions(-DSIZEOF_TIME_T=${SIZEOF_TIME_T})
-
 add_subdirectory(crypto)
 add_subdirectory(ssl)
 add_subdirectory(apps)
@@ -258,11 +185,3 @@ if(NOT MSVC)
 	add_subdirectory(man)
 	add_subdirectory(tests)
 endif()
-
-configure_file(
-	"${CMAKE_CURRENT_SOURCE_DIR}/cmake_uninstall.cmake.in"
-	"${CMAKE_CURRENT_BINARY_DIR}/cmake_uninstall.cmake"
-	IMMEDIATE @ONLY)
-
-add_custom_target(uninstall
-	COMMAND ${CMAKE_COMMAND} -P ${CMAKE_CURRENT_BINARY_DIR}/cmake_uninstall.cmake)

ChangeLog

@@ -28,79 +28,34 @@ history is also available from Git.
 
 LibreSSL Portable Release Notes:
 
-2.4.2 - Bug fixes and improvements
+2.3.8 - Security and reliability fixes
 
-	* Fixed loading default certificate locations with openssl s_client.
+	* Avoid unbounded memory growth in libssl, which can be triggered by a
+	  TLS client repeatedly renegotiating and sending OCSP Status Request
+	  TLS extensions.
 
-	* Ensured OSCP only uses and compares GENERALIZEDTIME values as per
-	  RFC6960. Also added fixes for OCSP to work with intermediate
-	  certificates provided in responses.
+	* Avoid falling back to a weak digest for (EC)DH when using SNI with
+	  libssl.
 
-	* Improved behavior of arc4random on Windows to not appear to leak
-	  memory in debug tools, reduced privileges of allocated memory.
+2.3.7 - OCSP fixes
 
-	* Fixed incorrect results from BN_mod_word() when the modulus is too
-	  large, thanks to Brian Smith from BoringSSL.
+	* Fix several issues in the OCSP code that could result in the
+	  incorrect generation and parsing of OCSP requests. This remediates a
+	  lack of error checking on time parsing in these functions, and
+	  ensures that only GENERALIZEDTIME formats are accepted for OCSP, as
+	  per RFC 6960.
 
-	* Correctly handle an EOF prior to completing the TLS handshake in
-	  libtls.
+	  Issues reported, and fixes provided by  Kazuki Yamaguchi <k@rhe.jp>
+	  and Kinichiro Inoguchi <kinichiro.inoguchi@gmail.com>
 
-	* Improved libtls ceritificate loading and cipher string validation.
-
-	* Updated libtls cipher group suites into four categories:
-	    "secure"   (TLSv1.2+AEAD+PFS)
-	    "compat"   (HIGH:!aNULL)
-	    "legacy"   (HIGH:MEDIUM:!aNULL)
-	    "insecure" (ALL:!aNULL:!eNULL)
-	  This allows for flexibility and finer grained control, rather than
-	  having two extremes.
-
-	* Limited support for 'backward compatible' SSLv2 handshake packets to
-	  when TLS 1.0 is enabled, providing more restricted compatibility
-	  with TLS 1.0 clients.
-
-	* openssl(1) and other documentation improvements.
-
-	* Removed flags for disabling constant-time operations.
-	  This removes support for DSA_FLAG_NO_EXP_CONSTTIME,
-	  DH_FLAG_NO_EXP_CONSTTIME, and RSA_FLAG_NO_CONSTTIME flags, making
-	  all of these operations unconditionally constant-time.
-
-
-2.4.1 - Security fix
+2.3.6 - Security fix
 
 	* Correct a problem that prevents the DSA signing algorithm from
 	  running in constant time even if the flag BN_FLG_CONSTTIME is set.
 	  This issue was reported by Cesar Pereida (Aalto University), Billy
 	  Brumley (Tampere University of Technology), and Yuval Yarom (The
 	  University of Adelaide and NICTA). The fix was developed by Cesar
-	  Pereida.
-
-2.4.0 - Build improvements, new features
-
-	* Many improvements to the CMake build infrastructure, including
-	  Solaris, mingw-w64, Cygwin, and HP-UX support. Thanks to Kinichiro
-	  Inoguchi for this work.
-
-	* Added missing error handling around bn_wexpand() calls.
-
-	* Added explicit_bzero calls for freed ASN.1 objects.
-
-	* Fixed X509_*set_object functions to return 0 on allocation failure.
-
-	* Implemented the IETF ChaCha20-Poly1305 cipher suites.
-
-	* Changed default EVP_aead_chacha20_poly1305() implementation to the
-	  IETF version, which is now the default.
-
-	* Fixed password prompts from openssl(1) to properly handle ^C.
-
-	* Reworked error handling in libtls so that configuration errors are
-	  visible.
-
-	* Deprecated internal use of EVP_[Cipher|Encrypt|Decrypt]_Final.
-
-	* Manpage fixes and updates
+	  Pereida. See OpenBSD 5.9 errata 11, June 6, 2016
 
 2.3.5 - Reliability fix
 

Makefile.am

@@ -5,7 +5,7 @@ pkgconfigdir = $(libdir)/pkgconfig
 pkgconfig_DATA = libcrypto.pc libssl.pc libtls.pc openssl.pc
 
 EXTRA_DIST = README.md README.windows VERSION config scripts
-EXTRA_DIST += CMakeLists.txt cmake_uninstall.cmake.in
+EXTRA_DIST += CMakeLists.txt
 
 .PHONY: install_sw
 install_sw: install

OPENBSD_BRANCH

@@ -1 +1 @@
-OPENBSD_6_0
+OPENBSD_5_9

README.md

@@ -30,7 +30,7 @@ At the time of this writing, LibreSSL is know to build and work on:
 
 * Linux (kernel 3.17 or later recommended)
 * FreeBSD (tested with 9.2 and later)
-* NetBSD (7.0 or later recommended)
+* NetBSD (tested with 6.1.5)
 * HP-UX (11i)
 * Solaris (11 and later preferred)
 * Mac OS X (tested with 10.8 and later)

apps/CMakeLists.txt

@@ -1,2 +1,80 @@
-add_subdirectory(openssl)
-add_subdirectory(nc)
+include_directories(
+	.
+	../include
+	../include/compat
+)
+
+set(
+	OPENSSL_SRC
+	openssl/apps.c
+	openssl/asn1pars.c
+	openssl/ca.c
+	openssl/ciphers.c
+	openssl/cms.c
+	openssl/crl.c
+	openssl/crl2p7.c
+	openssl/dgst.c
+	openssl/dh.c
+	openssl/dhparam.c
+	openssl/dsa.c
+	openssl/dsaparam.c
+	openssl/ec.c
+	openssl/ecparam.c
+	openssl/enc.c
+	openssl/errstr.c
+	openssl/gendh.c
+	openssl/gendsa.c
+	openssl/genpkey.c
+	openssl/genrsa.c
+	openssl/nseq.c
+	openssl/ocsp.c
+	openssl/openssl.c
+	openssl/passwd.c
+	openssl/pkcs12.c
+	openssl/pkcs7.c
+	openssl/pkcs8.c
+	openssl/pkey.c
+	openssl/pkeyparam.c
+	openssl/pkeyutl.c
+	openssl/prime.c
+	openssl/rand.c
+	openssl/req.c
+	openssl/rsa.c
+	openssl/rsautl.c
+	openssl/s_cb.c
+	openssl/s_client.c
+	openssl/s_server.c
+	openssl/s_socket.c
+	openssl/s_time.c
+	openssl/sess_id.c
+	openssl/smime.c
+	openssl/speed.c
+	openssl/spkac.c
+	openssl/ts.c
+	openssl/verify.c
+	openssl/version.c
+	openssl/x509.c
+)
+
+if(CMAKE_HOST_UNIX)
+	set(OPENSSL_SRC ${OPENSSL_SRC} openssl/apps_posix.c)
+	set(OPENSSL_SRC ${OPENSSL_SRC} openssl/certhash.c)
+endif()
+
+if(CMAKE_HOST_WIN32)
+	set(OPENSSL_SRC ${OPENSSL_SRC} openssl/apps_win.c)
+	set(OPENSSL_SRC ${OPENSSL_SRC} openssl/certhash_win.c)
+	set(OPENSSL_SRC ${OPENSSL_SRC} openssl/compat/poll_win.c)
+endif()
+
+check_function_exists(strtonum HAVE_STRTONUM)
+if(HAVE_STRTONUM)
+	add_definitions(-DHAVE_STRTONUM)
+else()
+	set(OPENSSL_SRC ${OPENSSL_SRC} openssl/compat/strtonum.c)
+endif()
+
+add_executable(openssl ${OPENSSL_SRC})
+target_link_libraries(openssl ${OPENSSL_LIBS})
+
+install(TARGETS openssl DESTINATION bin)

apps/nc/CMakeLists.txt

@@ -1,60 +0,0 @@
-if(BUILD_NC)
-
-include_directories(
-	.
-	./compat
-	../../include
-	../../include/compat
-)
-
-set(
-	NC_SRC
-	atomicio.c
-	netcat.c
-	socks.c
-	compat/socket.c
-)
-
-check_function_exists(b64_ntop HAVE_B64_NTOP)
-if(HAVE_B64_NTOP)
-	add_definitions(-DHAVE_B64_NTOP)
-else()
-	set(NC_SRC ${NC_SRC} compat/base64.c)
-endif()
-
-check_function_exists(accept4 HAVE_ACCEPT4)
-if(HAVE_ACCEPT4)
-	add_definitions(-DHAVE_ACCEPT4)
-else()
-	set(NC_SRC ${NC_SRC} compat/accept4.c)
-endif()
-
-check_function_exists(readpassphrase HAVE_READPASSPHRASE)
-if(HAVE_READPASSPHRASE)
-	add_definitions(-DHAVE_READPASSPHRASE)
-else()
-	set(NC_SRC ${NC_SRC} compat/readpassphrase.c)
-endif()
-
-check_function_exists(strtonum HAVE_STRTONUM)
-if(HAVE_STRTONUM)
-	add_definitions(-DHAVE_STRTONUM)
-else()
-	set(NC_SRC ${NC_SRC} compat/strtonum.c)
-endif()
-
-if(NOT "${OPENSSLDIR}" STREQUAL "")
-	add_definitions(-DDEFAULT_CA_FILE=\"${OPENSSLDIR}/cert.pem\")
-else()
-	add_definitions(-DDEFAULT_CA_FILE=\"${CMAKE_INSTALL_PREFIX}/etc/ssl/cert.pem\")
-endif()
-
-add_executable(nc ${NC_SRC})
-target_link_libraries(nc tls ${OPENSSL_LIBS})
-
-if(ENABLE_NC)
-	install(TARGETS nc DESTINATION bin)
-	install(FILES nc.1 DESTINATION share/man/man1)
-endif()
-
-endif()

apps/nc/Makefile.am

@@ -9,7 +9,6 @@ noinst_PROGRAMS = nc
 endif
 
 EXTRA_DIST = nc.1
-EXTRA_DIST += CMakeLists.txt
 
 nc_LDADD = $(PLATFORM_LDADD) $(PROG_LDADD)
 nc_LDADD += $(abs_top_builddir)/crypto/libcrypto.la

apps/openssl/CMakeLists.txt

@@ -1,89 +0,0 @@
-include_directories(
-	.
-	../../include
-	../../include/compat
-)
-
-set(
-	OPENSSL_SRC
-	apps.c
-	asn1pars.c
-	ca.c
-	ciphers.c
-	cms.c
-	crl.c
-	crl2p7.c
-	dgst.c
-	dh.c
-	dhparam.c
-	dsa.c
-	dsaparam.c
-	ec.c
-	ecparam.c
-	enc.c
-	errstr.c
-	gendh.c
-	gendsa.c
-	genpkey.c
-	genrsa.c
-	nseq.c
-	ocsp.c
-	openssl.c
-	passwd.c
-	pkcs12.c
-	pkcs7.c
-	pkcs8.c
-	pkey.c
-	pkeyparam.c
-	pkeyutl.c
-	prime.c
-	rand.c
-	req.c
-	rsa.c
-	rsautl.c
-	s_cb.c
-	s_client.c
-	s_server.c
-	s_socket.c
-	s_time.c
-	sess_id.c
-	smime.c
-	speed.c
-	spkac.c
-	ts.c
-	verify.c
-	version.c
-	x509.c
-)
-
-if(CMAKE_HOST_UNIX)
-	set(OPENSSL_SRC ${OPENSSL_SRC} apps_posix.c)
-	set(OPENSSL_SRC ${OPENSSL_SRC} certhash.c)
-endif()
-
-if(CMAKE_HOST_WIN32)
-	set(OPENSSL_SRC ${OPENSSL_SRC} apps_win.c)
-	set(OPENSSL_SRC ${OPENSSL_SRC} certhash_win.c)
-	set(OPENSSL_SRC ${OPENSSL_SRC} compat/poll_win.c)
-endif()
-
-check_function_exists(strtonum HAVE_STRTONUM)
-if(HAVE_STRTONUM)
-	add_definitions(-DHAVE_STRTONUM)
-else()
-	set(OPENSSL_SRC ${OPENSSL_SRC} compat/strtonum.c)
-endif()
-
-add_executable(openssl ${OPENSSL_SRC})
-target_link_libraries(openssl ${OPENSSL_LIBS})
-
-install(TARGETS openssl DESTINATION bin)
-install(FILES openssl.1 DESTINATION share/man/man1)
-
-if(NOT "${OPENSSLDIR}" STREQUAL "")
-	set(CONF_DIR "${OPENSSLDIR}")
-else()
-	set(CONF_DIR "${CMAKE_INSTALL_PREFIX}/etc/ssl")
-endif()
-install(FILES cert.pem openssl.cnf x509v3.cnf DESTINATION ${CONF_DIR})
-install(DIRECTORY DESTINATION ${CONF_DIR}/cert)

apps/openssl/Makefile.am

@@ -89,7 +89,6 @@ noinst_HEADERS += timeouts.h
 EXTRA_DIST = cert.pem
 EXTRA_DIST += openssl.cnf
 EXTRA_DIST += x509v3.cnf
-EXTRA_DIST += CMakeLists.txt
 
 install-exec-hook:
 	@if [ "@OPENSSLDIR@x" != "x" ]; then \

cmake_uninstall.cmake.in

@@ -1,21 +0,0 @@
-if(NOT EXISTS "@CMAKE_CURRENT_BINARY_DIR@/install_manifest.txt")
-	message(FATAL_ERROR "Cannot find install manifest: @CMAKE_CURRENT_BINARY_DIR@/install_manifest.txt")
-endif(NOT EXISTS "@CMAKE_CURRENT_BINARY_DIR@/install_manifest.txt")
-
-file(READ "@CMAKE_CURRENT_BINARY_DIR@/install_manifest.txt" files)
-string(REGEX REPLACE "\n" ";" files "${files}")
-foreach(file ${files})
-	message(STATUS "Uninstalling $ENV{DESTDIR}${file}")
-	if(IS_SYMLINK "$ENV{DESTDIR}${file}" OR EXISTS "$ENV{DESTDIR}${file}")
-		exec_program(
-			"@CMAKE_COMMAND@" ARGS "-E remove \"$ENV{DESTDIR}${file}\""
-			OUTPUT_VARIABLE rm_out
-			RETURN_VALUE rm_retval
-			)
-		if(NOT "${rm_retval}" STREQUAL 0)
-			message(FATAL_ERROR "Problem when removing $ENV{DESTDIR}${file}")
-		endif(NOT "${rm_retval}" STREQUAL 0)
-	else(IS_SYMLINK "$ENV{DESTDIR}${file}" OR EXISTS "$ENV{DESTDIR}${file}")
-		message(STATUS "File $ENV{DESTDIR}${file} does not exist.")
-	endif(IS_SYMLINK "$ENV{DESTDIR}${file}" OR EXISTS "$ENV{DESTDIR}${file}")
-endforeach(file)

crypto/CMakeLists.txt

@@ -8,94 +8,9 @@ include_directories(
 	modes
 )
 
-if(HOST_ASM_ELF_X86_64)
-	set(
-		ASM_X86_64_ELF_SRC
-		aes/aes-elf-x86_64.s
-		aes/bsaes-elf-x86_64.s
-		aes/vpaes-elf-x86_64.s
-		aes/aesni-elf-x86_64.s
-		aes/aesni-sha1-elf-x86_64.s
-		bn/modexp512-elf-x86_64.s
-		bn/mont-elf-x86_64.s
-		bn/mont5-elf-x86_64.s
-		bn/gf2m-elf-x86_64.s
-		camellia/cmll-elf-x86_64.s
-		md5/md5-elf-x86_64.s
-		modes/ghash-elf-x86_64.s
-		rc4/rc4-elf-x86_64.s
-		rc4/rc4-md5-elf-x86_64.s
-		sha/sha1-elf-x86_64.s
-		sha/sha256-elf-x86_64.S
-		sha/sha512-elf-x86_64.S
-		whrlpool/wp-elf-x86_64.s
-		cpuid-elf-x86_64.S
-	)
-	add_definitions(-DAES_ASM)
-	add_definitions(-DBSAES_ASM)
-	add_definitions(-DVPAES_ASM)
-	add_definitions(-DOPENSSL_IA32_SSE2)
-	add_definitions(-DOPENSSL_BN_ASM_MONT)
-	add_definitions(-DOPENSSL_BN_ASM_MONT5)
-	add_definitions(-DOPENSSL_BN_ASM_GF2m)
-	add_definitions(-DMD5_ASM)
-	add_definitions(-DGHASH_ASM)
-	add_definitions(-DRSA_ASM)
-	add_definitions(-DSHA1_ASM)
-	add_definitions(-DSHA256_ASM)
-	add_definitions(-DSHA512_ASM)
-	add_definitions(-DWHIRLPOOL_ASM)
-	add_definitions(-DOPENSSL_CPUID_OBJ)
-	set(CRYPTO_SRC ${CRYPTO_SRC} ${ASM_X86_64_ELF_SRC})
-	set_property(SOURCE ${ASM_X86_64_ELF_SRC} PROPERTY LANGUAGE C)
-endif()
-
-if(HOST_ASM_MACOSX_X86_64)
-	set(
-		ASM_X86_64_MACOSX_SRC
-		aes/aes-macosx-x86_64.s
-		aes/bsaes-macosx-x86_64.s
-		aes/vpaes-macosx-x86_64.s
-		aes/aesni-macosx-x86_64.s
-		aes/aesni-sha1-macosx-x86_64.s
-		bn/modexp512-macosx-x86_64.s
-		bn/mont-macosx-x86_64.s
-		bn/mont5-macosx-x86_64.s
-		bn/gf2m-macosx-x86_64.s
-		camellia/cmll-macosx-x86_64.s
-		md5/md5-macosx-x86_64.s
-		modes/ghash-macosx-x86_64.s
-		rc4/rc4-macosx-x86_64.s
-		rc4/rc4-md5-macosx-x86_64.s
-		sha/sha1-macosx-x86_64.s
-		sha/sha256-macosx-x86_64.S
-		sha/sha512-macosx-x86_64.S
-		whrlpool/wp-macosx-x86_64.s
-		cpuid-macosx-x86_64.S
-	)
-	add_definitions(-DAES_ASM)
-	add_definitions(-DBSAES_ASM)
-	add_definitions(-DVPAES_ASM)
-	add_definitions(-DOPENSSL_IA32_SSE2)
-	add_definitions(-DOPENSSL_BN_ASM_MONT)
-	add_definitions(-DOPENSSL_BN_ASM_MONT5)
-	add_definitions(-DOPENSSL_BN_ASM_GF2m)
-	add_definitions(-DMD5_ASM)
-	add_definitions(-DGHASH_ASM)
-	add_definitions(-DRSA_ASM)
-	add_definitions(-DSHA1_ASM)
-	add_definitions(-DSHA256_ASM)
-	add_definitions(-DSHA512_ASM)
-	add_definitions(-DWHIRLPOOL_ASM)
-	add_definitions(-DOPENSSL_CPUID_OBJ)
-	set(CRYPTO_SRC ${CRYPTO_SRC} ${ASM_X86_64_MACOSX_SRC})
-	set_property(SOURCE ${ASM_X86_64_MACOSX_SRC} PROPERTY LANGUAGE C)
-endif()
-
-if((NOT HOST_ASM_ELF_X86_64) AND (NOT HOST_ASM_MACOSX_X86_64))
 set(
 	CRYPTO_SRC
-		${CRYPTO_SRC}
+
 	aes/aes_cbc.c
 	aes/aes_core.c
 	camellia/camellia.c
@@ -103,12 +18,6 @@ if((NOT HOST_ASM_ELF_X86_64) AND (NOT HOST_ASM_MACOSX_X86_64))
 	rc4/rc4_enc.c
 	rc4/rc4_skey.c
 	whrlpool/wp_block.c
-	)
-endif()
-
-set(
-	CRYPTO_SRC
-	${CRYPTO_SRC}
 	cpt_err.c
 	cryptlib.c
 	cversion.c
@@ -708,8 +617,6 @@ if(NOT HAVE_ARC4RANDOM_BUF)
 			set(CRYPTO_SRC ${CRYPTO_SRC} compat/getentropy_aix.c)
 		elseif(CMAKE_SYSTEM_NAME MATCHES "FreeBSD")
 			set(CRYPTO_SRC ${CRYPTO_SRC} compat/getentropy_freebsd.c)
-		elseif(CMAKE_SYSTEM_NAME MATCHES "HP-UX")
-			set(CRYPTO_SRC ${CRYPTO_SRC} compat/getentropy_hpux.c)
 		elseif(CMAKE_SYSTEM_NAME MATCHES "Linux")
 			set(CRYPTO_SRC ${CRYPTO_SRC} compat/getentropy_linux.c)
 		elseif(CMAKE_SYSTEM_NAME MATCHES "NetBSD")
@@ -722,10 +629,6 @@ if(NOT HAVE_ARC4RANDOM_BUF)
 	endif()
 endif()
 
-if(NOT HAVE_ARC4RANDOM_UNIFORM)
-	set(CRYPTO_SRC ${CRYPTO_SRC} compat/arc4random_uniform.c)
-endif()
-
 if(NOT HAVE_TIMINGSAFE_BCMP)
 	set(CRYPTO_SRC ${CRYPTO_SRC} compat/timingsafe_bcmp.c)
 endif()
@@ -734,20 +637,6 @@ if(NOT HAVE_TIMINGSAFE_MEMCMP)
 	set(CRYPTO_SRC ${CRYPTO_SRC} compat/timingsafe_memcmp.c)
 endif()
 
-if(NOT ENABLE_ASM)
-	add_definitions(-DOPENSSL_NO_ASM)
-else()
-	if(CMAKE_HOST_WIN32)
-		add_definitions(-DOPENSSL_NO_ASM)
-	endif()
-endif()
-
-if(NOT "${OPENSSLDIR}" STREQUAL "")
-	add_definitions(-DOPENSSLDIR=\"${OPENSSLDIR}\")
-else()
-	add_definitions(-DOPENSSLDIR=\"${CMAKE_INSTALL_PREFIX}/etc/ssl\")
-endif()
-
 if (BUILD_SHARED)
 	add_library(crypto-objects OBJECT ${CRYPTO_SRC})
 	add_library(crypto STATIC $<TARGET_OBJECTS:crypto-objects>)

include/CMakeLists.txt

@@ -2,4 +2,4 @@ install(DIRECTORY .
         DESTINATION include
         PATTERN "CMakeLists.txt" EXCLUDE
         PATTERN "compat" EXCLUDE
-        PATTERN "Makefile*" EXCLUDE)
+        PATTERN "Makefile.*" EXCLUDE)

libcrypto.pc.in

@@ -11,5 +11,5 @@ Version: @VERSION@
 Requires:
 Conflicts:
 Libs: -L${libdir} -lcrypto
-Libs.private: @LIBS@ @PLATFORM_LDADD@
+Libs.private: @LIBS@
 Cflags: -I${includedir}

libssl.pc.in

@@ -12,5 +12,5 @@ Requires:
 Requires.private: libcrypto
 Conflicts:
 Libs: -L${libdir} -lssl
-Libs.private: @LIBS@ -lcrypto @PLATFORM_LDADD@
+Libs.private: @LIBS@ -lcrypto
 Cflags: -I${includedir}

libtls.pc.in

@@ -12,5 +12,5 @@ Requires:
 Requires.private: libcrypto libssl
 Conflicts:
 Libs: -L${libdir} -ltls
-Libs.private: @LIBS@ -lcrypto -lssl @PLATFORM_LDADD@
+Libs.private: @LIBS@ -lcrypto -lssl
 Cflags: -I${includedir}

patches/netcat.c.patch

@@ -1,6 +1,17 @@
---- apps/nc/netcat.c.orig	Thu Jun 30 19:56:49 2016
-+++ apps/nc/netcat.c	Thu Jun 30 19:59:09 2016
-@@ -65,7 +65,9 @@
+--- apps/nc/netcat.c.orig	Mon Dec 28 08:46:10 2015
++++ apps/nc/netcat.c	Mon Dec 28 08:46:19 2015
+@@ -57,6 +57,10 @@
+ #include <tls.h>
+ #include "atomicio.h"
+ 
++#ifndef IPV6_TCLASS
++#define IPV6_TCLASS -1
++#endif
++
+ #define PORT_MAX	65535
+ #define UNIX_DG_TMP_SOCKET_SIZE	19
+ 
+@@ -65,7 +69,9 @@
  #define POLL_NETIN 2
  #define POLL_STDOUT 3
  #define BUFSIZE 16384
@@ -10,7 +21,7 @@
  
  #define TLS_LEGACY	(1 << 1)
  #define TLS_NOVERIFY	(1 << 2)
-@@ -92,9 +94,13 @@
+@@ -92,9 +98,13 @@
  int	Dflag;					/* sodebug */
  int	Iflag;					/* TCP receive buffer size */
  int	Oflag;					/* TCP send buffer size */
@@ -24,7 +35,7 @@
  
  int	usetls;					/* use TLS */
  char    *Cflag;					/* Public cert file */
-@@ -152,7 +158,7 @@
+@@ -150,7 +160,7 @@
  	struct servent *sv;
  	socklen_t len;
  	struct sockaddr_storage cliaddr;
@@ -33,7 +44,7 @@
  	const char *errstr, *proxyhost = "", *proxyport = NULL;
  	struct addrinfo proxyhints;
  	char unix_dg_tmp_socket_buf[UNIX_DG_TMP_SOCKET_SIZE];
-@@ -262,12 +268,14 @@
+@@ -251,12 +261,14 @@
  		case 'u':
  			uflag = 1;
  			break;
@@ -48,7 +59,7 @@
  		case 'v':
  			vflag = 1;
  			break;
-@@ -300,9 +308,11 @@
+@@ -289,9 +301,11 @@
  				errx(1, "TCP send window %s: %s",
  				    errstr, optarg);
  			break;
@@ -60,7 +71,7 @@
  		case 'T':
  			errstr = NULL;
  			errno = 0;
-@@ -326,9 +336,11 @@
+@@ -315,9 +329,11 @@
  	argc -= optind;
  	argv += optind;
  
@@ -72,7 +83,7 @@
  
  	if (family == AF_UNIX) {
  		if (pledge("stdio rpath wpath cpath tmppath unix", NULL) == -1)
-@@ -480,7 +492,10 @@
+@@ -460,7 +476,10 @@
  				errx(1, "-H and -T noverify may not be used"
  				    "together");
  			tls_config_insecure_noverifycert(tls_cfg);
@@ -84,19 +95,19 @@
  	}
  	if (lflag) {
  		struct tls *tls_cctx = NULL;
-@@ -832,7 +847,10 @@
+@@ -807,7 +826,10 @@
  remote_connect(const char *host, const char *port, struct addrinfo hints)
  {
  	struct addrinfo *res, *res0;
--	int s, error, on = 1, save_errno;
-+	int s, error, save_errno;
+-	int s, error, on = 1;
++	int s, error;
 +#ifdef SO_BINDANY
 +	int on = 1;
 +#endif
  
  	if ((error = getaddrinfo(host, port, &hints, &res)))
  		errx(1, "getaddrinfo: %s", gai_strerror(error));
-@@ -847,8 +865,10 @@
+@@ -822,8 +844,10 @@
  		if (sflag || pflag) {
  			struct addrinfo ahints, *ares;
  
@@ -107,19 +118,19 @@
  			memset(&ahints, 0, sizeof(struct addrinfo));
  			ahints.ai_family = res0->ai_family;
  			ahints.ai_socktype = uflag ? SOCK_DGRAM : SOCK_STREAM;
-@@ -919,7 +939,10 @@
+@@ -892,7 +916,10 @@
  local_listen(char *host, char *port, struct addrinfo hints)
  {
  	struct addrinfo *res, *res0;
--	int s, ret, x = 1, save_errno;
-+	int s, save_errno;
+-	int s, ret, x = 1;
++	int s;
 +#ifdef SO_REUSEPORT
 +	int ret, x = 1;
 +#endif
  	int error;
  
  	/* Allow nodename to be null. */
-@@ -941,9 +964,11 @@
+@@ -914,9 +941,11 @@
  		    res0->ai_protocol)) < 0)
  			continue;
  
@@ -131,7 +142,7 @@
  
  		set_common_sockopts(s, res0->ai_family);
  
-@@ -1401,11 +1426,13 @@
+@@ -1356,11 +1385,13 @@
  {
  	int x = 1;
  
@@ -145,26 +156,7 @@
  	if (Dflag) {
  		if (setsockopt(s, SOL_SOCKET, SO_DEBUG,
  			&x, sizeof(x)) == -1)
-@@ -1442,13 +1469,17 @@
- 	}
- 
- 	if (minttl != -1) {
-+#ifdef IP_MINTTL
- 		if (af == AF_INET && setsockopt(s, IPPROTO_IP,
- 		    IP_MINTTL, &minttl, sizeof(minttl)))
- 			err(1, "set IP min TTL");
-+#endif
- 
--		else if (af == AF_INET6 && setsockopt(s, IPPROTO_IPV6,
-+#ifdef IPV6_MINHOPCOUNT
-+		if (af == AF_INET6 && setsockopt(s, IPPROTO_IPV6,
- 		    IPV6_MINHOPCOUNT, &minttl, sizeof(minttl)))
- 			err(1, "set IPv6 min hop count");
-+#endif
- 	}
- }
- 
-@@ -1605,14 +1636,22 @@
+@@ -1538,14 +1569,22 @@
  	\t-P proxyuser\tUsername for proxy authentication\n\
  	\t-p port\t	Specify local port for remote connects\n\
  	\t-R CAfile	CA bundle\n\

tests/CMakeLists.txt

@@ -9,11 +9,14 @@ include_directories(
 	../apps/openssl/compat
 )
 
+set(ENV{srcdir} ${CMAKE_CURRENT_SOURCE_DIR})
+
 # aeadtest
-add_executable(aeadtest aeadtest.c)
-target_link_libraries(aeadtest ${OPENSSL_LIBS})
-add_test(aeadtest ${CMAKE_CURRENT_SOURCE_DIR}/aeadtest.sh)
-set_tests_properties(aeadtest PROPERTIES ENVIRONMENT "srcdir=${CMAKE_CURRENT_SOURCE_DIR}")
+#add_executable(aeadtest aeadtest.c)
+#target_link_libraries(aeadtest ${OPENSSL_LIBS})
+#add_test(aeadtest aeadtest.sh)
+#configure_file(aeadtests.txt aeadtests.txt COPYONLY)
+#configure_file(aeadtest.sh aeadtest.sh COPYONLY)
 
 # aes_wrap
 add_executable(aes_wrap aes_wrap.c)
@@ -22,7 +25,7 @@ add_test(aes_wrap aes_wrap)
 
 # arc4randomforktest
 # Windows/mingw does not have fork, but Cygwin does.
-if(NOT CMAKE_HOST_WIN32 AND NOT CMAKE_SYSTEM_NAME MATCHES "MINGW")
+if(NOT CMAKE_HOST_WIN32)
 add_executable(arc4randomforktest arc4randomforktest.c)
 target_link_libraries(arc4randomforktest ${OPENSSL_LIBS})
 add_test(arc4randomforktest ${CMAKE_CURRENT_SOURCE_DIR}/arc4randomforktest.sh)
@@ -48,14 +51,6 @@ add_executable(bftest bftest.c)
 target_link_libraries(bftest ${OPENSSL_LIBS})
 add_test(bftest bftest)
 
-# biotest
-# the BIO tests rely on resolver results that are OS and environment-specific
-if(ENABLE_EXTRATESTS)
-	add_executable(biotest biotest.c)
-	target_link_libraries(biotest ${OPENSSL_LIBS})
-	add_test(biotest biotest)
-endif()
-
 # bntest
 add_executable(bntest bntest.c)
 target_link_libraries(bntest ${OPENSSL_LIBS})
@@ -132,21 +127,19 @@ target_link_libraries(enginetest ${OPENSSL_LIBS})
 add_test(enginetest enginetest)
 
 # evptest
-add_executable(evptest evptest.c)
-target_link_libraries(evptest ${OPENSSL_LIBS})
-add_test(evptest ${CMAKE_CURRENT_SOURCE_DIR}/evptest.sh)
-set_tests_properties(evptest PROPERTIES ENVIRONMENT "srcdir=${CMAKE_CURRENT_SOURCE_DIR}")
+#add_executable(evptest evptest.c)
+#target_link_libraries(evptest ${OPENSSL_LIBS})
+#add_test(evptest ${CMAKE_CURRENT_SOURCE_DIR}/evptest.sh)
 
 # explicit_bzero
 # explicit_bzero relies on SA_ONSTACK, which is unavailable on Windows
 if(NOT CMAKE_HOST_WIN32)
-if(HAVE_MEMMEM)
 add_executable(explicit_bzero explicit_bzero.c)
-else()
-	add_executable(explicit_bzero explicit_bzero.c memmem.c)
-endif()
 target_link_libraries(explicit_bzero ${OPENSSL_LIBS})
 add_test(explicit_bzero explicit_bzero)
+#if !HAVE_MEMMEM
+#explicit_bzero_SOURCES += memmem.c
+#endif
 endif()
 
 # exptest
@@ -194,14 +187,6 @@ add_executable(mont mont.c)
 target_link_libraries(mont ${OPENSSL_LIBS})
 add_test(mont mont)
 
-# ocsp_test
-if(ENABLE_EXTRATESTS)
-	add_executable(ocsp_test ocsp_test.c)
-	target_link_libraries(ocsp_test ${OPENSSL_LIBS})
-	add_test(ocsptest ${CMAKE_CURRENT_SOURCE_DIR}/ocsptest.sh)
-	set_tests_properties(ocsptest PROPERTIES ENVIRONMENT "srcdir=${CMAKE_CURRENT_SOURCE_DIR}")
-endif()
-
 # optionstest
 add_executable(optionstest optionstest.c)
 target_link_libraries(optionstest ${OPENSSL_LIBS})
@@ -212,15 +197,6 @@ add_executable(pbkdf2 pbkdf2.c)
 target_link_libraries(pbkdf2 ${OPENSSL_LIBS})
 add_test(pbkdf2 pbkdf2)
 
-# pidwraptest
-# pidwraptest relies on an OS-specific way to give out pids and is generally
-# awkward on systems with slow fork
-if(ENABLE_EXTRATESTS)
-	add_executable(pidwraptest pidwraptest.c)
-	target_link_libraries(pidwraptest ${OPENSSL_LIBS})
-	add_test(pidwraptest ${CMAKE_CURRENT_SOURCE_DIR}/pidwraptest.sh)
-endif()
-
 # pkcs7test
 add_executable(pkcs7test pkcs7test.c)
 target_link_libraries(pkcs7test ${OPENSSL_LIBS})
@@ -232,10 +208,9 @@ target_link_libraries(poly1305test ${OPENSSL_LIBS})
 add_test(poly1305test poly1305test)
 
 # pq_test
-add_executable(pq_test pq_test.c)
-target_link_libraries(pq_test ${OPENSSL_LIBS})
-add_test(pq_test ${CMAKE_CURRENT_SOURCE_DIR}/pq_test.sh)
-set_tests_properties(pq_test PROPERTIES ENVIRONMENT "srcdir=${CMAKE_CURRENT_SOURCE_DIR}")
+#add_executable(pq_test pq_test.c)
+#target_link_libraries(pq_test ${OPENSSL_LIBS})
+#add_test(pq_test ${CMAKE_CURRENT_SOURCE_DIR}/pq_test.sh)
 
 # randtest
 add_executable(randtest randtest.c)
@@ -255,11 +230,7 @@ add_test(rc4test rc4test)
 # rfc5280time
 add_executable(rfc5280time rfc5280time.c)
 target_link_libraries(rfc5280time ${OPENSSL_LIBS})
-if(SMALL_TIME_T)
-	add_test(rfc5280time ${CMAKE_CURRENT_SOURCE_DIR}/rfc5280time_small.test)
-else()
 add_test(rfc5280time rfc5280time)
-endif()
 
 # rmdtest
 add_executable(rmdtest rmdtest.c)
@@ -282,22 +253,18 @@ target_link_libraries(sha512test ${OPENSSL_LIBS})
 add_test(sha512test sha512test)
 
 # ssltest
-add_executable(ssltest ssltest.c)
-target_link_libraries(ssltest ${OPENSSL_LIBS})
-add_test(ssltest ${CMAKE_CURRENT_SOURCE_DIR}/ssltest.sh)
-set_tests_properties(ssltest PROPERTIES ENVIRONMENT "srcdir=${CMAKE_CURRENT_SOURCE_DIR}")
+#add_executable(ssltest ssltest.c)
+#target_link_libraries(ssltest ${OPENSSL_LIBS})
+#add_test(ssltest ${CMAKE_CURRENT_SOURCE_DIR}/ssltest.sh)
 
 # testdsa
-add_test(testdsa ${CMAKE_CURRENT_SOURCE_DIR}/testdsa.sh)
-set_tests_properties(testdsa PROPERTIES ENVIRONMENT "srcdir=${CMAKE_CURRENT_SOURCE_DIR}")
+#add_test(testdsa ${CMAKE_CURRENT_SOURCE_DIR}/testdsa.sh)
 
 # testenc
 add_test(testenc ${CMAKE_CURRENT_SOURCE_DIR}/testenc.sh)
-set_tests_properties(testenc PROPERTIES ENVIRONMENT "srcdir=${CMAKE_CURRENT_SOURCE_DIR}")
 
 # testrsa
-add_test(testrsa ${CMAKE_CURRENT_SOURCE_DIR}/testrsa.sh)
-set_tests_properties(testrsa PROPERTIES ENVIRONMENT "srcdir=${CMAKE_CURRENT_SOURCE_DIR}")
+#add_test(testrsa ${CMAKE_CURRENT_SOURCE_DIR}/testrsa.sh)
 
 # timingsafe
 add_executable(timingsafe timingsafe.c)

tests/Makefile.am

@@ -208,14 +208,6 @@ TESTS += mont
 check_PROGRAMS += mont
 mont_SOURCES = mont.c
 
-# ocsp_test
-if ENABLE_EXTRATESTS
-TESTS += ocsptest.sh
-check_PROGRAMS += ocsp_test
-ocsp_test_SOURCES = ocsp_test.c
-endif
-EXTRA_DIST += ocsptest.sh
-
 # optionstest
 TESTS += optionstest
 check_PROGRAMS += optionstest

tests/ocsptest.sh

@@ -1,8 +0,0 @@
-#!/bin/sh
-set -e
-TEST=./ocsp_test
-if [ -e ./ocsp_test.exe ]; then
-	TEST=./ocsp_test.exe
-fi
-$TEST www.amazon.com 443
-$TEST cloudflare.com 443

tests/ssltest.sh

@@ -6,17 +6,10 @@ if [ -e ./ssltest.exe ]; then
 	ssltest_bin=./ssltest.exe
 fi
 
-if [ -d ../apps/openssl ]; then
 openssl_bin=../apps/openssl/openssl
 if [ -e ../apps/openssl/openssl.exe ]; then
 	openssl_bin=../apps/openssl/openssl.exe
 fi
-else
-	openssl_bin=../apps/openssl
-	if [ -e ../apps/openssl.exe ]; then
-		openssl_bin=../apps/openssl.exe
-	fi
-fi
 
 if [ -z $srcdir ]; then
 	srcdir=.

tests/testdsa.sh

@@ -4,17 +4,10 @@
 
 #Test DSA certificate generation of openssl
 
-if [ -d ../apps/openssl ]; then
 cmd=../apps/openssl/openssl
 if [ -e ../apps/openssl/openssl.exe ]; then
 	cmd=../apps/openssl/openssl.exe
 fi
-else
-	cmd=../apps/openssl
-	if [ -e ../apps/openssl.exe ]; then
-		cmd=../apps/openssl.exe
-	fi
-fi
 
 if [ -z $srcdir ]; then
 	srcdir=.

tests/testenc.sh

@@ -2,23 +2,12 @@
 #	$OpenBSD: testenc.sh,v 1.1 2014/08/26 17:50:07 jsing Exp $
 
 test=p
-if [ -d ../apps/openssl ]; then
 cmd=../apps/openssl/openssl
 if [ -e ../apps/openssl/openssl.exe ]; then
 	cmd=../apps/openssl/openssl.exe
 fi
-else
-	cmd=../apps/openssl
-	if [ -e ../apps/openssl.exe ]; then
-		cmd=../apps/openssl.exe
-	fi
-fi
 
-if [ -z $srcdir ]; then
-	srcdir=.
-fi
-
-cat $srcdir/openssl.cnf >$test;
+cat openssl.cnf >$test;
 
 echo cat
 $cmd enc < $test > $test.cipher

tests/testrsa.sh

@@ -4,17 +4,10 @@
 
 #Test RSA certificate generation of openssl
 
-if [ -d ../apps/openssl ]; then
 cmd=../apps/openssl/openssl
 if [ -e ../apps/openssl/openssl.exe ]; then
 	cmd=../apps/openssl/openssl.exe
 fi
-else
-	cmd=../apps/openssl
-	if [ -e ../apps/openssl.exe ]; then
-		cmd=../apps/openssl.exe
-	fi
-fi
 
 if [ -z $srcdir ]; then
 	srcdir=.

tls/CMakeLists.txt

@@ -17,16 +17,10 @@ set(
 )
 
 
-if(NOT HAVE_STRSEP)
+if(NOT HAVE_STRCASECMP)
 	set(TLS_SRC ${TLS_SRC} strsep.c)
 endif()
 
-if(NOT "${OPENSSLDIR}" STREQUAL "")
-	add_definitions(-D_PATH_SSL_CA_FILE=\"${OPENSSLDIR}/cert.pem\")
-else()
-	add_definitions(-D_PATH_SSL_CA_FILE=\"${CMAKE_INSTALL_PREFIX}/etc/ssl/cert.pem\")
-endif()
-
 if (BUILD_SHARED)
 	add_library(tls-objects OBJECT ${TLS_SRC})
 	add_library(tls STATIC $<TARGET_OBJECTS:tls-objects>)

update.sh

@@ -13,7 +13,6 @@ if [ ! -d openbsd ]; then
 	fi
 fi
 (cd openbsd
- git fetch
  git checkout $openbsd_branch
  git pull --rebase)