Update changelog

- To avoid ld warning on Solaris, use abs_top_builddir in Makefile.am

.gitignore

@@ -58,7 +58,6 @@ tests/gost2814789t*
 tests/mont*
 tests/rfc5280time*
 tests/timingsafe*
-tests/tls_ext_alpn*
 tests/*test
 tests/tests.h
 tests/*test.c

CMakeLists.txt

@@ -1,10 +1,9 @@
-cmake_minimum_required (VERSION 2.8.8)
+cmake_minimum_required (VERSION 2.8)
 include(CheckFunctionExists)
 include(CheckLibraryExists)
 include(CheckIncludeFiles)
-include(CheckTypeSize)
 
-project (LibreSSL C)
+project (LibreSSL)
 
 enable_testing()
 
@@ -23,17 +22,6 @@ string(STRIP ${TLS_VERSION} TLS_VERSION)
 string(REPLACE ":" "." TLS_VERSION ${TLS_VERSION})
 string(REGEX REPLACE "\\..*" "" TLS_MAJOR_VERSION ${TLS_VERSION})
 
-option(ENABLE_ASM "Enable assembly" ON)
-option(ENABLE_EXTRATESTS "Enable extra tests that may be unreliable on some platforms" OFF)
-option(ENABLE_NC "Enable installing TLS-enabled nc(1)" OFF)
-set(OPENSSLDIR ${OPENSSLDIR} CACHE PATH "Set the default openssl directory" FORCE)
-
-set(BUILD_NC true)
-
-if(CMAKE_SYSTEM_NAME MATCHES "Darwin")
-	add_definitions(-fno-common)
-endif()
-
 if(CMAKE_SYSTEM_NAME MATCHES "OpenBSD")
 	add_definitions(-DHAVE_ATTRIBUTE__BOUNDED__)
 endif()
@@ -45,34 +33,9 @@ if(CMAKE_SYSTEM_NAME MATCHES "Linux")
 	add_definitions(-D_GNU_SOURCE)
 endif()
 
-if(CMAKE_SYSTEM_NAME MATCHES "MINGW")
-	set(BUILD_NC false)
-endif()
-
-if(WIN32)
-	set(BUILD_NC false)
-endif()
-
-if(CMAKE_SYSTEM_NAME MATCHES "HP-UX")
-	if(CMAKE_C_COMPILER MATCHES "gcc")
-		set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -Wall -std=gnu99 -fno-strict-aliasing")
-		set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -mlp64")
-	else()
-		set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -g -O2 +DD64 +Otype_safety=off")
-	endif()
-	set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -D_XOPEN_SOURCE=600 -D__STRICT_ALIGNMENT")
-endif()
-
-if(CMAKE_SYSTEM_NAME MATCHES "SunOS")
-	set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -Wall -std=gnu99 -fno-strict-aliasing")
-	set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -D__EXTENSIONS__")
-	set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -D_XOPEN_SOURCE=600")
-	set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -DBSD_COMP")
-	set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -fpic -m64")
-endif()
-
 add_definitions(-DLIBRESSL_INTERNAL)
 add_definitions(-DOPENSSL_NO_HW_PADLOCK)
+add_definitions(-DOPENSSL_NO_ASM)
 
 set(CMAKE_POSITION_INDEPENDENT_CODE true)
 
@@ -80,17 +43,14 @@ if (CMAKE_COMPILER_IS_GNUCC OR CMAKE_C_COMPILER_ID MATCHES "Clang")
 	add_definitions(-Wno-pointer-sign)
 endif()
 
-if(WIN32)
+if(MSVC)
+	add_definitions(-Dinline=__inline)
 	add_definitions(-Drestrict)
 	add_definitions(-D_CRT_SECURE_NO_WARNINGS)
 	add_definitions(-D_CRT_DEPRECATED_NO_WARNINGS)
 	add_definitions(-D_REENTRANT -D_POSIX_THREAD_SAFE_FUNCTIONS)
 	add_definitions(-DWIN32_LEAN_AND_MEAN -D_WIN32_WINNT=0x0501)
 	add_definitions(-DCPPFLAGS -DOPENSSL_NO_SPEED -DNO_SYSLOG -DNO_CRYPT)
-endif()
-
-if(MSVC)
-	add_definitions(-Dinline=__inline)
 
 	set(MSVC_DISABLED_WARNINGS_LIST
 		"C4057" # C4057: 'initializing' : 'unsigned char *' differs in
@@ -146,8 +106,8 @@ if(HAVE_STRNDUP)
 	add_definitions(-DHAVE_STRNDUP)
 endif()
 
-if(WIN32)
-	set(HAVE_STRNLEN true)
+if(MSVC)
+	set(HAVE_STRNLEN)
 	add_definitions(-DHAVE_STRNLEN)
 else()
 	check_function_exists(strnlen HAVE_STRNLEN)
@@ -171,11 +131,6 @@ if(HAVE_ARC4RANDOM_BUF)
 	add_definitions(-DHAVE_ARC4RANDOM_BUF)
 endif()
 
-check_function_exists(arc4random_uniform HAVE_ARC4RANDOM_UNIFORM)
-if(HAVE_ARC4RANDOM_UNIFORM)
-	add_definitions(-DHAVE_ARC4RANDOM_UNIFORM)
-endif()
-
 check_function_exists(explicit_bzero HAVE_EXPLICIT_BZERO)
 if(HAVE_EXPLICIT_BZERO)
 	add_definitions(-DHAVE_EXPLICIT_BZERO)
@@ -201,28 +156,11 @@ if(HAVE_MEMCMP)
 	add_definitions(-DHAVE_MEMCMP)
 endif()
 
-check_function_exists(memmem HAVE_MEMMEM)
-if(HAVE_MEMMEM)
-	add_definitions(-DHAVE_MEMMEM)
-endif()
-
 check_include_files(err.h HAVE_ERR_H)
 if(HAVE_ERR_H)
 	add_definitions(-DHAVE_ERR_H)
 endif()
 
-if(ENABLE_ASM)
-	if("${CMAKE_C_COMPILER_ABI}" STREQUAL "ELF")
-		if("${CMAKE_SYSTEM_PROCESSOR}" MATCHES "(x86_64|amd64)")
-			set(HOST_ASM_ELF_X86_64 true)
-		elseif(CMAKE_SYSTEM_NAME STREQUAL "SunOS" AND "${CMAKE_SYSTEM_PROCESSOR}" STREQUAL "i386")
-			set(HOST_ASM_ELF_X86_64 true)
-		endif()
-	elseif(APPLE AND "${CMAKE_SYSTEM_PROCESSOR}" STREQUAL "x86_64")
-		set(HOST_ASM_MACOSX_X86_64 true)
-	endif()
-endif()
-
 set(OPENSSL_LIBS ssl crypto)
 if(CMAKE_HOST_WIN32)
 	set(OPENSSL_LIBS ${OPENSSL_LIBS} ws2_32)
@@ -233,25 +171,11 @@ if(CMAKE_SYSTEM_NAME MATCHES "Linux")
 		set(OPENSSL_LIBS ${OPENSSL_LIBS} rt)
 	endif()
 endif()
-if(CMAKE_SYSTEM_NAME MATCHES "HP-UX")
-	set(OPENSSL_LIBS ${OPENSSL_LIBS} pthread)
-endif()
-if(CMAKE_SYSTEM_NAME MATCHES "SunOS")
-	set(OPENSSL_LIBS ${OPENSSL_LIBS} nsl socket)
-endif()
 
-if(NOT (CMAKE_SYSTEM_NAME MATCHES "(Darwin|CYGWIN)"))
+if(NOT (CMAKE_SYSTEM_NAME MATCHES "Darwin" OR MSVC))
 	set(BUILD_SHARED true)
 endif()
 
-check_type_size(time_t SIZEOF_TIME_T)
-if(SIZEOF_TIME_T STREQUAL "4")
-	set(SMALL_TIME_T true)
-	message(WARNING " ** Warning, this system is unable to represent times past 2038\n"
-	                " ** It will behave incorrectly when handling valid RFC5280 dates")
-endif()
-add_definitions(-DSIZEOF_TIME_T=${SIZEOF_TIME_T})
-
 add_subdirectory(crypto)
 add_subdirectory(ssl)
 add_subdirectory(apps)
@@ -261,11 +185,3 @@ if(NOT MSVC)
 	add_subdirectory(man)
 	add_subdirectory(tests)
 endif()
-
-configure_file(
-	"${CMAKE_CURRENT_SOURCE_DIR}/cmake_uninstall.cmake.in"
-	"${CMAKE_CURRENT_BINARY_DIR}/cmake_uninstall.cmake"
-	IMMEDIATE @ONLY)
-
-add_custom_target(uninstall
-	COMMAND ${CMAKE_COMMAND} -P ${CMAKE_CURRENT_BINARY_DIR}/cmake_uninstall.cmake)

ChangeLog

@@ -28,146 +28,6 @@ history is also available from Git.
 
 LibreSSL Portable Release Notes:
 
-2.5.0 - New APIs, bug fixes and improvements
-
-	* libtls now supports ALPN and SNI
-
-	* libtls adds a new callback interface for integrating custom IO
-	  functions. Thanks to Tobias Pape.
-
-	* libtls now handles 4 cipher suite groups:
-	    "secure" (TLSv1.2+AEAD+PFS)
-	    "compat" (HIGH:!aNULL)
-	    "legacy" (HIGH:MEDIUM:!aNULL)
-	    "insecure" (ALL:!aNULL:!eNULL)
-
-	    This allows for flexibility and finer grained control, rather than
-	    having two extremes (an issue raised by Marko Kreen some time ago).
-
-	* Tightened error handling for tls_config_set_ciphers().
-
-	* libtls now always loads CA, key and certificate files at the time the
-	  configuration function is called. This simplifies code and results in
-	  a single memory based code path being used to provide data to libssl.
-
-	* Add support for OCSP intermediate certificates.
-
-	* Added functions used by stunnel and exim from BoringSSL - this
-	  brings in X509_check_host, X509_check_email, X509_check_ip, and
-	  X509_check_ip_asc.
-
-	* Added initial support for iOS, thanks to Jacob Berkman.
-
-	* Improved behavior of arc4random on Windows when using memory leak
-	  analysis software.
-
-	* Correctly handle an EOF that occurs prior to the TLS handshake
-	  completing. Reported by Vasily Kolobkov, based on a diff from Marko
-	  Kreen.
-
-	* Limit the support of the "backward compatible" ssl2 handshake to
-	  only be used if TLS 1.0 is enabled.
-
-	* Fix incorrect results in certain cases on 64-bit systems when
-	  BN_mod_word() can return incorrect results. BN_mod_word() now can
-	  return an error condition. Thanks to Brian Smith.
-
-	* Added constant-time updates to address CVE-2016-0702
-
-	* Fixed undefined behavior in BN_GF2m_mod_arr()
-
-	* Removed unused Cryptographic Message Support (CMS)
-
-	* More conversions of long long idioms to time_t
-
-	* Improved compatibility by avoiding printing NULL strings with
-	  printf.
-
-	* Reverted change that cleans up the EVP cipher context in
-	  EVP_EncryptFinal() and EVP_DecryptFinal(). Some software relies on the
-	  previous behaviour.
-
-	* Avoid unbounded memory growth in libssl, which can be triggered by a
-	  TLS client repeatedly renegotiating and sending OCSP Status Request
-	  TLS extensions.
-
-	* Avoid falling back to a weak digest for (EC)DH when using SNI with
-	  libssl.
-
-2.4.2 - Bug fixes and improvements
-
-	* Fixed loading default certificate locations with openssl s_client.
-
-	* Ensured OSCP only uses and compares GENERALIZEDTIME values as per
-	  RFC6960. Also added fixes for OCSP to work with intermediate
-	  certificates provided in responses.
-
-	* Improved behavior of arc4random on Windows to not appear to leak
-	  memory in debug tools, reduced privileges of allocated memory.
-
-	* Fixed incorrect results from BN_mod_word() when the modulus is too
-	  large, thanks to Brian Smith from BoringSSL.
-
-	* Correctly handle an EOF prior to completing the TLS handshake in
-	  libtls.
-
-	* Improved libtls ceritificate loading and cipher string validation.
-
-	* Updated libtls cipher group suites into four categories:
-	    "secure"   (TLSv1.2+AEAD+PFS)
-	    "compat"   (HIGH:!aNULL)
-	    "legacy"   (HIGH:MEDIUM:!aNULL)
-	    "insecure" (ALL:!aNULL:!eNULL)
-	  This allows for flexibility and finer grained control, rather than
-	  having two extremes.
-
-	* Limited support for 'backward compatible' SSLv2 handshake packets to
-	  when TLS 1.0 is enabled, providing more restricted compatibility
-	  with TLS 1.0 clients.
-
-	* openssl(1) and other documentation improvements.
-
-	* Removed flags for disabling constant-time operations.
-	  This removes support for DSA_FLAG_NO_EXP_CONSTTIME,
-	  DH_FLAG_NO_EXP_CONSTTIME, and RSA_FLAG_NO_CONSTTIME flags, making
-	  all of these operations unconditionally constant-time.
-
-
-2.4.1 - Security fix
-
-	* Correct a problem that prevents the DSA signing algorithm from
-	  running in constant time even if the flag BN_FLG_CONSTTIME is set.
-	  This issue was reported by Cesar Pereida (Aalto University), Billy
-	  Brumley (Tampere University of Technology), and Yuval Yarom (The
-	  University of Adelaide and NICTA). The fix was developed by Cesar
-	  Pereida.
-
-2.4.0 - Build improvements, new features
-
-	* Many improvements to the CMake build infrastructure, including
-	  Solaris, mingw-w64, Cygwin, and HP-UX support. Thanks to Kinichiro
-	  Inoguchi for this work.
-
-	* Added missing error handling around bn_wexpand() calls.
-
-	* Added explicit_bzero calls for freed ASN.1 objects.
-
-	* Fixed X509_*set_object functions to return 0 on allocation failure.
-
-	* Implemented the IETF ChaCha20-Poly1305 cipher suites.
-
-	* Changed default EVP_aead_chacha20_poly1305() implementation to the
-	  IETF version, which is now the default.
-
-	* Fixed password prompts from openssl(1) to properly handle ^C.
-
-	* Reworked error handling in libtls so that configuration errors are
-	  visible.
-
-	* Deprecated internal use of EVP_[Cipher|Encrypt|Decrypt]_Final.
-
-	* Manpage fixes and updates
-
 2.3.5 - Reliability fix
 
 	* Fixed an error in libcrypto when parsing some ASN.1 elements > 16k.

Makefile.am

@@ -5,7 +5,7 @@ pkgconfigdir = $(libdir)/pkgconfig
 pkgconfig_DATA = libcrypto.pc libssl.pc libtls.pc openssl.pc
 
 EXTRA_DIST = README.md README.windows VERSION config scripts
-EXTRA_DIST += CMakeLists.txt cmake_uninstall.cmake.in
+EXTRA_DIST += CMakeLists.txt
 
 .PHONY: install_sw
 install_sw: install

OPENBSD_BRANCH

@@ -1 +1 @@
-master
+OPENBSD_5_9

README.md

@@ -30,7 +30,7 @@ At the time of this writing, LibreSSL is know to build and work on:
 
 * Linux (kernel 3.17 or later recommended)
 * FreeBSD (tested with 9.2 and later)
-* NetBSD (7.0 or later recommended)
+* NetBSD (tested with 6.1.5)
 * HP-UX (11i)
 * Solaris (11 and later preferred)
 * Mac OS X (tested with 10.8 and later)

apps/CMakeLists.txt

@@ -1,2 +1,80 @@
-add_subdirectory(openssl)
-add_subdirectory(nc)
+include_directories(
+	.
+	../include
+	../include/compat
+)
+
+set(
+	OPENSSL_SRC
+	openssl/apps.c
+	openssl/asn1pars.c
+	openssl/ca.c
+	openssl/ciphers.c
+	openssl/cms.c
+	openssl/crl.c
+	openssl/crl2p7.c
+	openssl/dgst.c
+	openssl/dh.c
+	openssl/dhparam.c
+	openssl/dsa.c
+	openssl/dsaparam.c
+	openssl/ec.c
+	openssl/ecparam.c
+	openssl/enc.c
+	openssl/errstr.c
+	openssl/gendh.c
+	openssl/gendsa.c
+	openssl/genpkey.c
+	openssl/genrsa.c
+	openssl/nseq.c
+	openssl/ocsp.c
+	openssl/openssl.c
+	openssl/passwd.c
+	openssl/pkcs12.c
+	openssl/pkcs7.c
+	openssl/pkcs8.c
+	openssl/pkey.c
+	openssl/pkeyparam.c
+	openssl/pkeyutl.c
+	openssl/prime.c
+	openssl/rand.c
+	openssl/req.c
+	openssl/rsa.c
+	openssl/rsautl.c
+	openssl/s_cb.c
+	openssl/s_client.c
+	openssl/s_server.c
+	openssl/s_socket.c
+	openssl/s_time.c
+	openssl/sess_id.c
+	openssl/smime.c
+	openssl/speed.c
+	openssl/spkac.c
+	openssl/ts.c
+	openssl/verify.c
+	openssl/version.c
+	openssl/x509.c
+)
+
+if(CMAKE_HOST_UNIX)
+	set(OPENSSL_SRC ${OPENSSL_SRC} openssl/apps_posix.c)
+	set(OPENSSL_SRC ${OPENSSL_SRC} openssl/certhash.c)
+endif()
+
+if(CMAKE_HOST_WIN32)
+	set(OPENSSL_SRC ${OPENSSL_SRC} openssl/apps_win.c)
+	set(OPENSSL_SRC ${OPENSSL_SRC} openssl/certhash_win.c)
+	set(OPENSSL_SRC ${OPENSSL_SRC} openssl/compat/poll_win.c)
+endif()
+
+check_function_exists(strtonum HAVE_STRTONUM)
+if(HAVE_STRTONUM)
+	add_definitions(-DHAVE_STRTONUM)
+else()
+	set(OPENSSL_SRC ${OPENSSL_SRC} openssl/compat/strtonum.c)
+endif()
+
+add_executable(openssl ${OPENSSL_SRC})
+target_link_libraries(openssl ${OPENSSL_LIBS})
+
+install(TARGETS openssl DESTINATION bin)

apps/nc/CMakeLists.txt

@@ -1,60 +0,0 @@
-if(BUILD_NC)
-
-include_directories(
-	.
-	./compat
-	../../include
-	../../include/compat
-)
-
-set(
-	NC_SRC
-	atomicio.c
-	netcat.c
-	socks.c
-	compat/socket.c
-)
-
-check_function_exists(b64_ntop HAVE_B64_NTOP)
-if(HAVE_B64_NTOP)
-	add_definitions(-DHAVE_B64_NTOP)
-else()
-	set(NC_SRC ${NC_SRC} compat/base64.c)
-endif()
-
-check_function_exists(accept4 HAVE_ACCEPT4)
-if(HAVE_ACCEPT4)
-	add_definitions(-DHAVE_ACCEPT4)
-else()
-	set(NC_SRC ${NC_SRC} compat/accept4.c)
-endif()
-
-check_function_exists(readpassphrase HAVE_READPASSPHRASE)
-if(HAVE_READPASSPHRASE)
-	add_definitions(-DHAVE_READPASSPHRASE)
-else()
-	set(NC_SRC ${NC_SRC} compat/readpassphrase.c)
-endif()
-
-check_function_exists(strtonum HAVE_STRTONUM)
-if(HAVE_STRTONUM)
-	add_definitions(-DHAVE_STRTONUM)
-else()
-	set(NC_SRC ${NC_SRC} compat/strtonum.c)
-endif()
-
-if(NOT "${OPENSSLDIR}" STREQUAL "")
-	add_definitions(-DDEFAULT_CA_FILE=\"${OPENSSLDIR}/cert.pem\")
-else()
-	add_definitions(-DDEFAULT_CA_FILE=\"${CMAKE_INSTALL_PREFIX}/etc/ssl/cert.pem\")
-endif()
-
-add_executable(nc ${NC_SRC})
-target_link_libraries(nc tls ${OPENSSL_LIBS})
-
-if(ENABLE_NC)
-	install(TARGETS nc DESTINATION bin)
-	install(FILES nc.1 DESTINATION share/man/man1)
-endif()
-
-endif()

apps/nc/Makefile.am

@@ -9,7 +9,6 @@ noinst_PROGRAMS = nc
 endif
 
 EXTRA_DIST = nc.1
-EXTRA_DIST += CMakeLists.txt
 
 nc_LDADD = $(PLATFORM_LDADD) $(PROG_LDADD)
 nc_LDADD += $(abs_top_builddir)/crypto/libcrypto.la
@@ -17,6 +16,11 @@ nc_LDADD += $(abs_top_builddir)/ssl/libssl.la
 nc_LDADD += $(abs_top_builddir)/tls/libtls.la
 
 AM_CPPFLAGS += -I$(top_srcdir)/apps/nc/compat
+if OPENSSLDIR_DEFINED
+AM_CPPFLAGS += -DDEFAULT_CA_FILE=\"@OPENSSLDIR@/cert.pem\"
+else
+AM_CPPFLAGS += -DDEFAULT_CA_FILE=\"$(sysconfdir)/ssl/cert.pem\"
+endif
 
 nc_SOURCES = atomicio.c
 nc_SOURCES += netcat.c

apps/openssl/CMakeLists.txt

@@ -1,88 +0,0 @@
-include_directories(
-	.
-	../../include
-	../../include/compat
-)
-
-set(
-	OPENSSL_SRC
-	apps.c
-	asn1pars.c
-	ca.c
-	ciphers.c
-	crl.c
-	crl2p7.c
-	dgst.c
-	dh.c
-	dhparam.c
-	dsa.c
-	dsaparam.c
-	ec.c
-	ecparam.c
-	enc.c
-	errstr.c
-	gendh.c
-	gendsa.c
-	genpkey.c
-	genrsa.c
-	nseq.c
-	ocsp.c
-	openssl.c
-	passwd.c
-	pkcs12.c
-	pkcs7.c
-	pkcs8.c
-	pkey.c
-	pkeyparam.c
-	pkeyutl.c
-	prime.c
-	rand.c
-	req.c
-	rsa.c
-	rsautl.c
-	s_cb.c
-	s_client.c
-	s_server.c
-	s_socket.c
-	s_time.c
-	sess_id.c
-	smime.c
-	speed.c
-	spkac.c
-	ts.c
-	verify.c
-	version.c
-	x509.c
-)
-
-if(CMAKE_HOST_UNIX)
-	set(OPENSSL_SRC ${OPENSSL_SRC} apps_posix.c)
-	set(OPENSSL_SRC ${OPENSSL_SRC} certhash.c)
-endif()
-
-if(CMAKE_HOST_WIN32)
-	set(OPENSSL_SRC ${OPENSSL_SRC} apps_win.c)
-	set(OPENSSL_SRC ${OPENSSL_SRC} certhash_win.c)
-	set(OPENSSL_SRC ${OPENSSL_SRC} compat/poll_win.c)
-endif()
-
-check_function_exists(strtonum HAVE_STRTONUM)
-if(HAVE_STRTONUM)
-	add_definitions(-DHAVE_STRTONUM)
-else()
-	set(OPENSSL_SRC ${OPENSSL_SRC} compat/strtonum.c)
-endif()
-
-add_executable(openssl ${OPENSSL_SRC})
-target_link_libraries(openssl ${OPENSSL_LIBS})
-
-install(TARGETS openssl DESTINATION bin)
-install(FILES openssl.1 DESTINATION share/man/man1)
-
-if(NOT "${OPENSSLDIR}" STREQUAL "")
-	set(CONF_DIR "${OPENSSLDIR}")
-else()
-	set(CONF_DIR "${CMAKE_INSTALL_PREFIX}/etc/ssl")
-endif()
-install(FILES cert.pem openssl.cnf x509v3.cnf DESTINATION ${CONF_DIR})
-install(DIRECTORY DESTINATION ${CONF_DIR}/cert)

apps/openssl/Makefile.am

@@ -12,6 +12,7 @@ openssl_SOURCES = apps.c
 openssl_SOURCES += asn1pars.c
 openssl_SOURCES += ca.c
 openssl_SOURCES += ciphers.c
+openssl_SOURCES += cms.c
 openssl_SOURCES += crl.c
 openssl_SOURCES += crl2p7.c
 openssl_SOURCES += dgst.c
@@ -88,7 +89,6 @@ noinst_HEADERS += timeouts.h
 EXTRA_DIST = cert.pem
 EXTRA_DIST += openssl.cnf
 EXTRA_DIST += x509v3.cnf
-EXTRA_DIST += CMakeLists.txt
 
 install-exec-hook:
 	@if [ "@OPENSSLDIR@x" != "x" ]; then \

cmake_uninstall.cmake.in

@@ -1,21 +0,0 @@
-if(NOT EXISTS "@CMAKE_CURRENT_BINARY_DIR@/install_manifest.txt")
-	message(FATAL_ERROR "Cannot find install manifest: @CMAKE_CURRENT_BINARY_DIR@/install_manifest.txt")
-endif(NOT EXISTS "@CMAKE_CURRENT_BINARY_DIR@/install_manifest.txt")
-
-file(READ "@CMAKE_CURRENT_BINARY_DIR@/install_manifest.txt" files)
-string(REGEX REPLACE "\n" ";" files "${files}")
-foreach(file ${files})
-	message(STATUS "Uninstalling $ENV{DESTDIR}${file}")
-	if(IS_SYMLINK "$ENV{DESTDIR}${file}" OR EXISTS "$ENV{DESTDIR}${file}")
-		exec_program(
-			"@CMAKE_COMMAND@" ARGS "-E remove \"$ENV{DESTDIR}${file}\""
-			OUTPUT_VARIABLE rm_out
-			RETURN_VALUE rm_retval
-			)
-		if(NOT "${rm_retval}" STREQUAL 0)
-			message(FATAL_ERROR "Problem when removing $ENV{DESTDIR}${file}")
-		endif(NOT "${rm_retval}" STREQUAL 0)
-	else(IS_SYMLINK "$ENV{DESTDIR}${file}" OR EXISTS "$ENV{DESTDIR}${file}")
-		message(STATUS "File $ENV{DESTDIR}${file} does not exist.")
-	endif(IS_SYMLINK "$ENV{DESTDIR}${file}" OR EXISTS "$ENV{DESTDIR}${file}")
-endforeach(file)

crypto/CMakeLists.txt

@@ -8,107 +8,16 @@ include_directories(
 	modes
 )
 
-if(HOST_ASM_ELF_X86_64)
-	set(
-		ASM_X86_64_ELF_SRC
-		aes/aes-elf-x86_64.s
-		aes/bsaes-elf-x86_64.s
-		aes/vpaes-elf-x86_64.s
-		aes/aesni-elf-x86_64.s
-		aes/aesni-sha1-elf-x86_64.s
-		bn/modexp512-elf-x86_64.s
-		bn/mont-elf-x86_64.s
-		bn/mont5-elf-x86_64.s
-		bn/gf2m-elf-x86_64.s
-		camellia/cmll-elf-x86_64.s
-		md5/md5-elf-x86_64.s
-		modes/ghash-elf-x86_64.s
-		rc4/rc4-elf-x86_64.s
-		rc4/rc4-md5-elf-x86_64.s
-		sha/sha1-elf-x86_64.s
-		sha/sha256-elf-x86_64.S
-		sha/sha512-elf-x86_64.S
-		whrlpool/wp-elf-x86_64.s
-		cpuid-elf-x86_64.S
-	)
-	add_definitions(-DAES_ASM)
-	add_definitions(-DBSAES_ASM)
-	add_definitions(-DVPAES_ASM)
-	add_definitions(-DOPENSSL_IA32_SSE2)
-	add_definitions(-DOPENSSL_BN_ASM_MONT)
-	add_definitions(-DOPENSSL_BN_ASM_MONT5)
-	add_definitions(-DOPENSSL_BN_ASM_GF2m)
-	add_definitions(-DMD5_ASM)
-	add_definitions(-DGHASH_ASM)
-	add_definitions(-DRSA_ASM)
-	add_definitions(-DSHA1_ASM)
-	add_definitions(-DSHA256_ASM)
-	add_definitions(-DSHA512_ASM)
-	add_definitions(-DWHIRLPOOL_ASM)
-	add_definitions(-DOPENSSL_CPUID_OBJ)
-	set(CRYPTO_SRC ${CRYPTO_SRC} ${ASM_X86_64_ELF_SRC})
-	set_property(SOURCE ${ASM_X86_64_ELF_SRC} PROPERTY LANGUAGE C)
-endif()
-
-if(HOST_ASM_MACOSX_X86_64)
-	set(
-		ASM_X86_64_MACOSX_SRC
-		aes/aes-macosx-x86_64.s
-		aes/bsaes-macosx-x86_64.s
-		aes/vpaes-macosx-x86_64.s
-		aes/aesni-macosx-x86_64.s
-		aes/aesni-sha1-macosx-x86_64.s
-		bn/modexp512-macosx-x86_64.s
-		bn/mont-macosx-x86_64.s
-		bn/mont5-macosx-x86_64.s
-		bn/gf2m-macosx-x86_64.s
-		camellia/cmll-macosx-x86_64.s
-		md5/md5-macosx-x86_64.s
-		modes/ghash-macosx-x86_64.s
-		rc4/rc4-macosx-x86_64.s
-		rc4/rc4-md5-macosx-x86_64.s
-		sha/sha1-macosx-x86_64.s
-		sha/sha256-macosx-x86_64.S
-		sha/sha512-macosx-x86_64.S
-		whrlpool/wp-macosx-x86_64.s
-		cpuid-macosx-x86_64.S
-	)
-	add_definitions(-DAES_ASM)
-	add_definitions(-DBSAES_ASM)
-	add_definitions(-DVPAES_ASM)
-	add_definitions(-DOPENSSL_IA32_SSE2)
-	add_definitions(-DOPENSSL_BN_ASM_MONT)
-	add_definitions(-DOPENSSL_BN_ASM_MONT5)
-	add_definitions(-DOPENSSL_BN_ASM_GF2m)
-	add_definitions(-DMD5_ASM)
-	add_definitions(-DGHASH_ASM)
-	add_definitions(-DRSA_ASM)
-	add_definitions(-DSHA1_ASM)
-	add_definitions(-DSHA256_ASM)
-	add_definitions(-DSHA512_ASM)
-	add_definitions(-DWHIRLPOOL_ASM)
-	add_definitions(-DOPENSSL_CPUID_OBJ)
-	set(CRYPTO_SRC ${CRYPTO_SRC} ${ASM_X86_64_MACOSX_SRC})
-	set_property(SOURCE ${ASM_X86_64_MACOSX_SRC} PROPERTY LANGUAGE C)
-endif()
-
-if((NOT HOST_ASM_ELF_X86_64) AND (NOT HOST_ASM_MACOSX_X86_64))
-	set(
-		CRYPTO_SRC
-		${CRYPTO_SRC}
-		aes/aes_cbc.c
-		aes/aes_core.c
-		camellia/camellia.c
-		camellia/cmll_cbc.c
-		rc4/rc4_enc.c
-		rc4/rc4_skey.c
-		whrlpool/wp_block.c
-	)
-endif()
-
 set(
 	CRYPTO_SRC
-	${CRYPTO_SRC}
+
+	aes/aes_cbc.c
+	aes/aes_core.c
+	camellia/camellia.c
+	camellia/cmll_cbc.c
+	rc4/rc4_enc.c
+	rc4/rc4_skey.c
+	whrlpool/wp_block.c
 	cpt_err.c
 	cryptlib.c
 	cversion.c
@@ -708,24 +617,18 @@ if(NOT HAVE_ARC4RANDOM_BUF)
 			set(CRYPTO_SRC ${CRYPTO_SRC} compat/getentropy_aix.c)
 		elseif(CMAKE_SYSTEM_NAME MATCHES "FreeBSD")
 			set(CRYPTO_SRC ${CRYPTO_SRC} compat/getentropy_freebsd.c)
-		elseif(CMAKE_SYSTEM_NAME MATCHES "HP-UX")
-			set(CRYPTO_SRC ${CRYPTO_SRC} compat/getentropy_hpux.c)
 		elseif(CMAKE_SYSTEM_NAME MATCHES "Linux")
 			set(CRYPTO_SRC ${CRYPTO_SRC} compat/getentropy_linux.c)
 		elseif(CMAKE_SYSTEM_NAME MATCHES "NetBSD")
 			set(CRYPTO_SRC ${CRYPTO_SRC} compat/getentropy_netbsd.c)
 		elseif(CMAKE_SYSTEM_NAME MATCHES "Darwin")
-			set(CRYPTO_SRC ${CRYPTO_SRC} compat/getentropy_osx.c)
+			set(CRYPTO_SRC ${CRYPTO_SRC} compat/getentropy_darwin.c)
 		elseif(CMAKE_SYSTEM_NAME MATCHES "SunOS")
 			set(CRYPTO_SRC ${CRYPTO_SRC} compat/getentropy_solaris.c)
 		endif()
 	endif()
 endif()
 
-if(NOT HAVE_ARC4RANDOM_UNIFORM)
-	set(CRYPTO_SRC ${CRYPTO_SRC} compat/arc4random_uniform.c)
-endif()
-
 if(NOT HAVE_TIMINGSAFE_BCMP)
 	set(CRYPTO_SRC ${CRYPTO_SRC} compat/timingsafe_bcmp.c)
 endif()
@@ -734,30 +637,11 @@ if(NOT HAVE_TIMINGSAFE_MEMCMP)
 	set(CRYPTO_SRC ${CRYPTO_SRC} compat/timingsafe_memcmp.c)
 endif()
 
-if(NOT ENABLE_ASM)
-	add_definitions(-DOPENSSL_NO_ASM)
-else()
-	if(CMAKE_HOST_WIN32)
-		add_definitions(-DOPENSSL_NO_ASM)
-	endif()
-endif()
-
-if(NOT "${OPENSSLDIR}" STREQUAL "")
-	add_definitions(-DOPENSSLDIR=\"${OPENSSLDIR}\")
-else()
-	add_definitions(-DOPENSSLDIR=\"${CMAKE_INSTALL_PREFIX}/etc/ssl\")
-endif()
-
 if (BUILD_SHARED)
 	add_library(crypto-objects OBJECT ${CRYPTO_SRC})
 	add_library(crypto STATIC $<TARGET_OBJECTS:crypto-objects>)
 	add_library(crypto-shared SHARED $<TARGET_OBJECTS:crypto-objects>)
-	if (WIN32)
-		target_link_libraries(crypto-shared crypto Ws2_32.lib)
-		set(CRYPTO_POSTFIX -${CRYPTO_MAJOR_VERSION})
-	endif()
-	set_target_properties(crypto-shared PROPERTIES
-		OUTPUT_NAME crypto${CRYPTO_POSTFIX} ARCHIVE_OUTPUT_NAME crypto)
+	set_target_properties(crypto-shared PROPERTIES OUTPUT_NAME crypto)
 	set_target_properties(crypto-shared PROPERTIES VERSION
 		${CRYPTO_VERSION} SOVERSION ${CRYPTO_MAJOR_VERSION})
 	install(TARGETS crypto crypto-shared DESTINATION lib)

include/CMakeLists.txt

@@ -2,4 +2,4 @@ install(DIRECTORY .
         DESTINATION include
         PATTERN "CMakeLists.txt" EXCLUDE
         PATTERN "compat" EXCLUDE
-        PATTERN "Makefile*" EXCLUDE)
+        PATTERN "Makefile.*" EXCLUDE)

include/Makefile.am

@@ -29,6 +29,7 @@ noinst_HEADERS += compat/netinet/in.h
 noinst_HEADERS += compat/netinet/ip.h
 noinst_HEADERS += compat/netinet/tcp.h
 
+noinst_HEADERS += compat/sys/cdefs.h
 noinst_HEADERS += compat/sys/ioctl.h
 noinst_HEADERS += compat/sys/mman.h
 noinst_HEADERS += compat/sys/param.h

include/compat/sys/cdefs.h

@@ -0,0 +1,31 @@
+/*
+ * Public domain
+ * sys/cdefs.h compatibility shim
+ */
+
+#ifndef LIBCRYPTOCOMPAT_SYS_CDEFS_H
+#define LIBCRYPTOCOMPAT_SYS_CDEFS_H
+
+#ifdef _WIN32
+
+#define __warn_references(sym,msg)
+
+#else
+
+#include_next <sys/cdefs.h>
+
+#ifndef __warn_references
+
+#if defined(__GNUC__)  && defined (HAS_GNU_WARNING_LONG)
+#define __warn_references(sym,msg)          \
+  __asm__(".section .gnu.warning." __STRING(sym)  \
+         " ; .ascii \"" msg "\" ; .text");
+#else
+#define __warn_references(sym,msg)
+#endif
+
+#endif /* __warn_references */
+
+#endif /* _WIN32 */
+
+#endif /* LIBCRYPTOCOMPAT_SYS_CDEFS_H */

include/compat/sys/types.h

@@ -44,25 +44,4 @@ typedef SSIZE_T ssize_t;
 # define __bounded__(x, y, z)
 #endif
 
-#ifdef _WIN32
-#define __warn_references(sym,msg)
-#else
-
-#ifndef __warn_references
-
-#ifndef __STRING
-#define __STRING(x) #x
-#endif
-
-#if defined(__GNUC__)  && defined (HAS_GNU_WARNING_LONG)
-#define __warn_references(sym,msg)          \
-  __asm__(".section .gnu.warning." __STRING(sym)  \
-         " ; .ascii \"" msg "\" ; .text");
-#else
-#define __warn_references(sym,msg)
-#endif
-
-#endif /* __warn_references */
-#endif /* _WIN32 */
-
 #endif

libcrypto.pc.in

@@ -11,5 +11,5 @@ Version: @VERSION@
 Requires:
 Conflicts:
 Libs: -L${libdir} -lcrypto
-Libs.private: @LIBS@ @PLATFORM_LDADD@
+Libs.private: @LIBS@
 Cflags: -I${includedir}

libssl.pc.in

@@ -12,5 +12,5 @@ Requires:
 Requires.private: libcrypto
 Conflicts:
 Libs: -L${libdir} -lssl
-Libs.private: @LIBS@ -lcrypto @PLATFORM_LDADD@
+Libs.private: @LIBS@ -lcrypto
 Cflags: -I${includedir}

libtls-standalone/src/Makefile.am

@@ -8,7 +8,6 @@ libtls_la_LIBADD += $(top_builddir)/compat/libcompat.la
 libtls_la_LIBADD += $(top_builddir)/compat/libcompatnoopt.la
 
 libtls_la_SOURCES = tls.c
-libtls_la_SOURCES += tls_bio_cb.c
 libtls_la_SOURCES += tls_client.c
 libtls_la_SOURCES += tls_config.c
 libtls_la_SOURCES += tls_server.c

libtls.pc.in

@@ -12,5 +12,5 @@ Requires:
 Requires.private: libcrypto libssl
 Conflicts:
 Libs: -L${libdir} -ltls
-Libs.private: @LIBS@ -lcrypto -lssl @PLATFORM_LDADD@
+Libs.private: @LIBS@ -lcrypto -lssl
 Cflags: -I${includedir}

m4/check-libc.m4

@@ -59,7 +59,7 @@ AM_CONDITIONAL([HAVE_TIMINGSAFE_MEMCMP], [test "x$ac_cv_func_timingsafe_memcmp"
 
 # Override arc4random_buf implementations with known issues
 AM_CONDITIONAL([HAVE_ARC4RANDOM_BUF],
-	[test "x$USE_BUILTIN_ARC4RANDOM" != xyes \
+	[test "x$USE_BUILTIN_ARC4RANDOM" != yes \
 	   -a "x$ac_cv_func_arc4random_buf" = xyes])
 
 # Check for getentropy fallback dependencies

m4/check-os-options.m4

@@ -21,8 +21,6 @@ case $host_os in
 		# public source:
 		# http://www.opensource.apple.com/source/Libc/Libc-997.90.3/gen/FreeBSD/arc4random.c
 		USE_BUILTIN_ARC4RANDOM=yes
-		# Not available on iOS
-		AC_CHECK_HEADER([arpa/telnet.h], [], [BUILD_NC=no])
 		;;
 	*freebsd*)
 		HOST_OS=freebsd

patches/modes_lcl.h

@@ -1,21 +0,0 @@
---- openbsd/src/lib/libssl/src/crypto/modes/modes_lcl.h	Sat Dec  6 17:15:50 2014
-+++ crypto/modes/modes_lcl.h	Sun Jul 17 17:45:27 2016
-@@ -43,14 +43,16 @@
- 			asm ("bswapl %0"		\
- 			: "+r"(ret));	ret;		})
- # elif (defined(__arm__) || defined(__arm)) && !defined(__STRICT_ALIGNMENT)
--#  define BSWAP8(x) ({	u32 lo=(u64)(x)>>32,hi=(x);	\
-+#  if (__ARM_ARCH >= 6)
-+#   define BSWAP8(x) ({	u32 lo=(u64)(x)>>32,hi=(x);	\
- 			asm ("rev %0,%0; rev %1,%1"	\
- 			: "+r"(hi),"+r"(lo));		\
- 			(u64)hi<<32|lo;			})
--#  define BSWAP4(x) ({	u32 ret;			\
-+#   define BSWAP4(x) ({	u32 ret;			\
- 			asm ("rev %0,%1"		\
- 			: "=r"(ret) : "r"((u32)(x)));	\
- 			ret;				})
-+#  endif
- # endif
- #endif
- #endif

patches/netcat.c.patch

@@ -1,6 +1,27 @@
---- apps/nc/netcat.c.orig	Sun Sep  4 05:37:35 2016
-+++ apps/nc/netcat.c	Sun Sep  4 05:40:24 2016
-@@ -92,9 +92,13 @@
+--- apps/nc/netcat.c.orig	Mon Dec 28 08:46:10 2015
++++ apps/nc/netcat.c	Mon Dec 28 08:46:19 2015
+@@ -57,6 +57,10 @@
+ #include <tls.h>
+ #include "atomicio.h"
+ 
++#ifndef IPV6_TCLASS
++#define IPV6_TCLASS -1
++#endif
++
+ #define PORT_MAX	65535
+ #define UNIX_DG_TMP_SOCKET_SIZE	19
+ 
+@@ -65,7 +69,9 @@
+ #define POLL_NETIN 2
+ #define POLL_STDOUT 3
+ #define BUFSIZE 16384
++#ifndef DEFAULT_CA_FILE
+ #define DEFAULT_CA_FILE "/etc/ssl/cert.pem"
++#endif
+ 
+ #define TLS_LEGACY	(1 << 1)
+ #define TLS_NOVERIFY	(1 << 2)
+@@ -92,9 +98,13 @@
  int	Dflag;					/* sodebug */
  int	Iflag;					/* TCP receive buffer size */
  int	Oflag;					/* TCP send buffer size */
@@ -14,7 +35,7 @@
  
  int	usetls;					/* use TLS */
  char    *Cflag;					/* Public cert file */
-@@ -146,7 +150,7 @@
+@@ -150,7 +160,7 @@
  	struct servent *sv;
  	socklen_t len;
  	struct sockaddr_storage cliaddr;
@@ -23,7 +44,7 @@
  	const char *errstr, *proxyhost = "", *proxyport = NULL;
  	struct addrinfo proxyhints;
  	char unix_dg_tmp_socket_buf[UNIX_DG_TMP_SOCKET_SIZE];
-@@ -256,12 +260,14 @@
+@@ -251,12 +261,14 @@
  		case 'u':
  			uflag = 1;
  			break;
@@ -38,7 +59,7 @@
  		case 'v':
  			vflag = 1;
  			break;
-@@ -294,9 +300,11 @@
+@@ -289,9 +301,11 @@
  				errx(1, "TCP send window %s: %s",
  				    errstr, optarg);
  			break;
@@ -50,7 +71,7 @@
  		case 'T':
  			errstr = NULL;
  			errno = 0;
-@@ -320,9 +328,11 @@
+@@ -315,9 +329,11 @@
  	argc -= optind;
  	argv += optind;
  
@@ -62,19 +83,31 @@
  
  	if (family == AF_UNIX) {
  		if (pledge("stdio rpath wpath cpath tmppath unix", NULL) == -1)
-@@ -825,7 +835,10 @@
+@@ -460,7 +476,10 @@
+ 				errx(1, "-H and -T noverify may not be used"
+ 				    "together");
+ 			tls_config_insecure_noverifycert(tls_cfg);
+-		}
++		} else {
++                        if (Rflag && access(Rflag, R_OK) == -1)
++                                errx(1, "unable to find root CA file %s", Rflag);
++                }
+ 	}
+ 	if (lflag) {
+ 		struct tls *tls_cctx = NULL;
+@@ -807,7 +826,10 @@
  remote_connect(const char *host, const char *port, struct addrinfo hints)
  {
  	struct addrinfo *res, *res0;
--	int s = -1, error, on = 1, save_errno;
-+	int s = -1, error, save_errno;
+-	int s, error, on = 1;
++	int s, error;
 +#ifdef SO_BINDANY
 +	int on = 1;
 +#endif
  
- 	if ((error = getaddrinfo(host, port, &hints, &res0)))
+ 	if ((error = getaddrinfo(host, port, &hints, &res)))
  		errx(1, "getaddrinfo: %s", gai_strerror(error));
-@@ -839,8 +852,10 @@
+@@ -822,8 +844,10 @@
  		if (sflag || pflag) {
  			struct addrinfo ahints, *ares;
  
@@ -83,22 +116,22 @@
  			setsockopt(s, SOL_SOCKET, SO_BINDANY, &on, sizeof(on));
 +#endif
  			memset(&ahints, 0, sizeof(struct addrinfo));
- 			ahints.ai_family = res->ai_family;
+ 			ahints.ai_family = res0->ai_family;
  			ahints.ai_socktype = uflag ? SOCK_DGRAM : SOCK_STREAM;
-@@ -911,7 +926,10 @@
+@@ -892,7 +916,10 @@
  local_listen(char *host, char *port, struct addrinfo hints)
  {
  	struct addrinfo *res, *res0;
--	int s = -1, ret, x = 1, save_errno;
-+	int s = -1, save_errno;
+-	int s, ret, x = 1;
++	int s;
 +#ifdef SO_REUSEPORT
 +	int ret, x = 1;
 +#endif
  	int error;
  
  	/* Allow nodename to be null. */
-@@ -932,9 +950,11 @@
- 		    res->ai_protocol)) < 0)
+@@ -914,9 +941,11 @@
+ 		    res0->ai_protocol)) < 0)
  			continue;
  
 +#ifdef SO_REUSEPORT
@@ -107,9 +140,9 @@
  			err(1, NULL);
 +#endif
  
- 		set_common_sockopts(s, res->ai_family);
+ 		set_common_sockopts(s, res0->ai_family);
  
-@@ -1392,11 +1412,13 @@
+@@ -1356,11 +1385,13 @@
  {
  	int x = 1;
  
@@ -123,26 +156,7 @@
  	if (Dflag) {
  		if (setsockopt(s, SOL_SOCKET, SO_DEBUG,
  			&x, sizeof(x)) == -1)
-@@ -1433,13 +1455,17 @@
- 	}
- 
- 	if (minttl != -1) {
-+#ifdef IP_MINTTL
- 		if (af == AF_INET && setsockopt(s, IPPROTO_IP,
- 		    IP_MINTTL, &minttl, sizeof(minttl)))
- 			err(1, "set IP min TTL");
-+#endif
- 
--		else if (af == AF_INET6 && setsockopt(s, IPPROTO_IPV6,
-+#ifdef IPV6_MINHOPCOUNT
-+		if (af == AF_INET6 && setsockopt(s, IPPROTO_IPV6,
- 		    IPV6_MINHOPCOUNT, &minttl, sizeof(minttl)))
- 			err(1, "set IPv6 min hop count");
-+#endif
- 	}
- }
- 
-@@ -1596,14 +1622,22 @@
+@@ -1538,14 +1569,22 @@
  	\t-P proxyuser\tUsername for proxy authentication\n\
  	\t-p port\t	Specify local port for remote connects\n\
  	\t-R CAfile	CA bundle\n\

patches/ssl_txt.c.patch

@@ -1,19 +0,0 @@
---- ssl/ssl_txt.orig	Sun Jul 17 17:26:59 2016
-+++ ssl/ssl_txt.c	Sun Jul 17 17:35:44 2016
-@@ -82,6 +82,7 @@
-  * OTHERWISE.
-  */
- 
-+#include <inttypes.h>
- #include <stdio.h>
- 
- #include <openssl/buffer.h>
-@@ -163,7 +164,7 @@
- 	}
- 
- 	if (x->time != 0) {
--		if (BIO_printf(bp, "\n    Start Time: %lld", (long long)x->time) <= 0)
-+		if (BIO_printf(bp, "\n    Start Time: %"PRId64, (int64_t)x->time) <= 0)
- 			goto err;
- 	}
- 	if (x->timeout != 0L) {

ssl/CMakeLists.txt

@@ -52,12 +52,7 @@ if (BUILD_SHARED)
 	add_library(ssl-objects OBJECT ${SSL_SRC})
 	add_library(ssl STATIC $<TARGET_OBJECTS:ssl-objects>)
 	add_library(ssl-shared SHARED $<TARGET_OBJECTS:ssl-objects>)
-	if (WIN32)
-		target_link_libraries(ssl-shared crypto-shared Ws2_32.lib)
-		set(SSL_POSTFIX -${SSL_MAJOR_VERSION})
-	endif()
-	set_target_properties(ssl-shared PROPERTIES
-		OUTPUT_NAME ssl${SSL_POSTFIX} ARCHIVE_OUTPUT_NAME ssl)
+	set_target_properties(ssl-shared PROPERTIES OUTPUT_NAME ssl)
 	set_target_properties(ssl-shared PROPERTIES VERSION ${SSL_VERSION}
 		SOVERSION ${SSL_MAJOR_VERSION})
 	install(TARGETS ssl ssl-shared DESTINATION lib)

tests/CMakeLists.txt

@@ -9,13 +9,14 @@ include_directories(
 	../apps/openssl/compat
 )
 
-add_definitions(-D_PATH_SSL_CA_FILE=\"${CMAKE_CURRENT_SOURCE_DIR}/../apps/openssl/cert.pem\")
+set(ENV{srcdir} ${CMAKE_CURRENT_SOURCE_DIR})
 
 # aeadtest
-add_executable(aeadtest aeadtest.c)
-target_link_libraries(aeadtest ${OPENSSL_LIBS})
-add_test(aeadtest ${CMAKE_CURRENT_SOURCE_DIR}/aeadtest.sh)
-set_tests_properties(aeadtest PROPERTIES ENVIRONMENT "srcdir=${CMAKE_CURRENT_SOURCE_DIR}")
+#add_executable(aeadtest aeadtest.c)
+#target_link_libraries(aeadtest ${OPENSSL_LIBS})
+#add_test(aeadtest aeadtest.sh)
+#configure_file(aeadtests.txt aeadtests.txt COPYONLY)
+#configure_file(aeadtest.sh aeadtest.sh COPYONLY)
 
 # aes_wrap
 add_executable(aes_wrap aes_wrap.c)
@@ -24,7 +25,7 @@ add_test(aes_wrap aes_wrap)
 
 # arc4randomforktest
 # Windows/mingw does not have fork, but Cygwin does.
-if(NOT CMAKE_HOST_WIN32 AND NOT CMAKE_SYSTEM_NAME MATCHES "MINGW")
+if(NOT CMAKE_HOST_WIN32)
 add_executable(arc4randomforktest arc4randomforktest.c)
 target_link_libraries(arc4randomforktest ${OPENSSL_LIBS})
 add_test(arc4randomforktest ${CMAKE_CURRENT_SOURCE_DIR}/arc4randomforktest.sh)
@@ -50,14 +51,6 @@ add_executable(bftest bftest.c)
 target_link_libraries(bftest ${OPENSSL_LIBS})
 add_test(bftest bftest)
 
-# biotest
-# the BIO tests rely on resolver results that are OS and environment-specific
-if(ENABLE_EXTRATESTS)
-	add_executable(biotest biotest.c)
-	target_link_libraries(biotest ${OPENSSL_LIBS})
-	add_test(biotest biotest)
-endif()
-
 # bntest
 add_executable(bntest bntest.c)
 target_link_libraries(bntest ${OPENSSL_LIBS})
@@ -134,21 +127,19 @@ target_link_libraries(enginetest ${OPENSSL_LIBS})
 add_test(enginetest enginetest)
 
 # evptest
-add_executable(evptest evptest.c)
-target_link_libraries(evptest ${OPENSSL_LIBS})
-add_test(evptest ${CMAKE_CURRENT_SOURCE_DIR}/evptest.sh)
-set_tests_properties(evptest PROPERTIES ENVIRONMENT "srcdir=${CMAKE_CURRENT_SOURCE_DIR}")
+#add_executable(evptest evptest.c)
+#target_link_libraries(evptest ${OPENSSL_LIBS})
+#add_test(evptest ${CMAKE_CURRENT_SOURCE_DIR}/evptest.sh)
 
 # explicit_bzero
 # explicit_bzero relies on SA_ONSTACK, which is unavailable on Windows
 if(NOT CMAKE_HOST_WIN32)
-if(HAVE_MEMMEM)
-	add_executable(explicit_bzero explicit_bzero.c)
-else()
-	add_executable(explicit_bzero explicit_bzero.c memmem.c)
-endif()
+add_executable(explicit_bzero explicit_bzero.c)
 target_link_libraries(explicit_bzero ${OPENSSL_LIBS})
 add_test(explicit_bzero explicit_bzero)
+#if !HAVE_MEMMEM
+#explicit_bzero_SOURCES += memmem.c
+#endif
 endif()
 
 # exptest
@@ -196,13 +187,6 @@ add_executable(mont mont.c)
 target_link_libraries(mont ${OPENSSL_LIBS})
 add_test(mont mont)
 
-# ocsp_test
-if(ENABLE_EXTRATESTS)
-	add_executable(ocsp_test ocsp_test.c)
-	target_link_libraries(ocsp_test ${OPENSSL_LIBS})
-	add_test(ocsptest ${CMAKE_CURRENT_SOURCE_DIR}/ocsptest.sh)
-endif()
-
 # optionstest
 add_executable(optionstest optionstest.c)
 target_link_libraries(optionstest ${OPENSSL_LIBS})
@@ -213,15 +197,6 @@ add_executable(pbkdf2 pbkdf2.c)
 target_link_libraries(pbkdf2 ${OPENSSL_LIBS})
 add_test(pbkdf2 pbkdf2)
 
-# pidwraptest
-# pidwraptest relies on an OS-specific way to give out pids and is generally
-# awkward on systems with slow fork
-if(ENABLE_EXTRATESTS)
-	add_executable(pidwraptest pidwraptest.c)
-	target_link_libraries(pidwraptest ${OPENSSL_LIBS})
-	add_test(pidwraptest ${CMAKE_CURRENT_SOURCE_DIR}/pidwraptest.sh)
-endif()
-
 # pkcs7test
 add_executable(pkcs7test pkcs7test.c)
 target_link_libraries(pkcs7test ${OPENSSL_LIBS})
@@ -233,10 +208,9 @@ target_link_libraries(poly1305test ${OPENSSL_LIBS})
 add_test(poly1305test poly1305test)
 
 # pq_test
-add_executable(pq_test pq_test.c)
-target_link_libraries(pq_test ${OPENSSL_LIBS})
-add_test(pq_test ${CMAKE_CURRENT_SOURCE_DIR}/pq_test.sh)
-set_tests_properties(pq_test PROPERTIES ENVIRONMENT "srcdir=${CMAKE_CURRENT_SOURCE_DIR}")
+#add_executable(pq_test pq_test.c)
+#target_link_libraries(pq_test ${OPENSSL_LIBS})
+#add_test(pq_test ${CMAKE_CURRENT_SOURCE_DIR}/pq_test.sh)
 
 # randtest
 add_executable(randtest randtest.c)
@@ -256,11 +230,7 @@ add_test(rc4test rc4test)
 # rfc5280time
 add_executable(rfc5280time rfc5280time.c)
 target_link_libraries(rfc5280time ${OPENSSL_LIBS})
-if(SMALL_TIME_T)
-	add_test(rfc5280time ${CMAKE_CURRENT_SOURCE_DIR}/rfc5280time_small.test)
-else()
-	add_test(rfc5280time rfc5280time)
-endif()
+add_test(rfc5280time rfc5280time)
 
 # rmdtest
 add_executable(rmdtest rmdtest.c)
@@ -283,33 +253,24 @@ target_link_libraries(sha512test ${OPENSSL_LIBS})
 add_test(sha512test sha512test)
 
 # ssltest
-add_executable(ssltest ssltest.c)
-target_link_libraries(ssltest ${OPENSSL_LIBS})
-add_test(ssltest ${CMAKE_CURRENT_SOURCE_DIR}/ssltest.sh)
-set_tests_properties(ssltest PROPERTIES ENVIRONMENT "srcdir=${CMAKE_CURRENT_SOURCE_DIR}")
+#add_executable(ssltest ssltest.c)
+#target_link_libraries(ssltest ${OPENSSL_LIBS})
+#add_test(ssltest ${CMAKE_CURRENT_SOURCE_DIR}/ssltest.sh)
 
 # testdsa
-add_test(testdsa ${CMAKE_CURRENT_SOURCE_DIR}/testdsa.sh)
-set_tests_properties(testdsa PROPERTIES ENVIRONMENT "srcdir=${CMAKE_CURRENT_SOURCE_DIR}")
+#add_test(testdsa ${CMAKE_CURRENT_SOURCE_DIR}/testdsa.sh)
 
 # testenc
 add_test(testenc ${CMAKE_CURRENT_SOURCE_DIR}/testenc.sh)
-set_tests_properties(testenc PROPERTIES ENVIRONMENT "srcdir=${CMAKE_CURRENT_SOURCE_DIR}")
 
 # testrsa
-add_test(testrsa ${CMAKE_CURRENT_SOURCE_DIR}/testrsa.sh)
-set_tests_properties(testrsa PROPERTIES ENVIRONMENT "srcdir=${CMAKE_CURRENT_SOURCE_DIR}")
+#add_test(testrsa ${CMAKE_CURRENT_SOURCE_DIR}/testrsa.sh)
 
 # timingsafe
 add_executable(timingsafe timingsafe.c)
 target_link_libraries(timingsafe ${OPENSSL_LIBS})
 add_test(timingsafe timingsafe)
 
-# tls_ext_alpn
-add_executable(tls_ext_alpn tls_ext_alpn.c)
-target_link_libraries(tls_ext_alpn ${OPENSSL_LIBS})
-add_test(tls_ext_alpn tls_ext_alpn)
-
 # utf8test
 add_executable(utf8test utf8test.c)
 target_link_libraries(utf8test ${OPENSSL_LIBS})

tests/Makefile.am

@@ -5,7 +5,6 @@ AM_CPPFLAGS += -I $(top_srcdir)/crypto/asn1
 AM_CPPFLAGS += -I $(top_srcdir)/ssl
 AM_CPPFLAGS += -I $(top_srcdir)/apps/openssl
 AM_CPPFLAGS += -I $(top_srcdir)/apps/openssl/compat
-AM_CPPFLAGS += -D_PATH_SSL_CA_FILE=\"$(top_srcdir)/apps/openssl/cert.pem\"
 
 LDADD = $(PLATFORM_LDADD) $(PROG_LDADD)
 LDADD += $(abs_top_builddir)/ssl/libssl.la
@@ -209,14 +208,6 @@ TESTS += mont
 check_PROGRAMS += mont
 mont_SOURCES = mont.c
 
-# ocsp_test
-if ENABLE_EXTRATESTS
-TESTS += ocsptest.sh
-check_PROGRAMS += ocsp_test
-ocsp_test_SOURCES = ocsp_test.c
-endif
-EXTRA_DIST += ocsptest.sh
-
 # optionstest
 TESTS += optionstest
 check_PROGRAMS += optionstest
@@ -324,11 +315,6 @@ TESTS += timingsafe
 check_PROGRAMS += timingsafe
 timingsafe_SOURCES = timingsafe.c
 
-# tls_ext_alpn
-TESTS += tls_ext_alpn
-check_PROGRAMS += tls_ext_alpn
-tls_ext_alpn_SOURCES = tls_ext_alpn.c
-
 # utf8test
 TESTS += utf8test
 check_PROGRAMS += utf8test

tests/ocsptest.sh

@@ -1,8 +0,0 @@
-#!/bin/sh
-set -e
-TEST=./ocsp_test
-if [ -e ./ocsp_test.exe ]; then
-	TEST=./ocsp_test.exe
-fi
-$TEST www.amazon.com 443
-$TEST cloudflare.com 443

tests/ssltest.sh

@@ -6,16 +6,9 @@ if [ -e ./ssltest.exe ]; then
 	ssltest_bin=./ssltest.exe
 fi
 
-if [ -d ../apps/openssl ]; then
-	openssl_bin=../apps/openssl/openssl
-	if [ -e ../apps/openssl/openssl.exe ]; then
-		openssl_bin=../apps/openssl/openssl.exe
-	fi
-else
-	openssl_bin=../apps/openssl
-	if [ -e ../apps/openssl.exe ]; then
-		openssl_bin=../apps/openssl.exe
-	fi
+openssl_bin=../apps/openssl/openssl
+if [ -e ../apps/openssl/openssl.exe ]; then
+	openssl_bin=../apps/openssl/openssl.exe
 fi
 
 if [ -z $srcdir ]; then

tests/testdsa.sh

@@ -4,16 +4,9 @@
 
 #Test DSA certificate generation of openssl
 
-if [ -d ../apps/openssl ]; then
-	cmd=../apps/openssl/openssl
-	if [ -e ../apps/openssl/openssl.exe ]; then
-		cmd=../apps/openssl/openssl.exe
-	fi
-else
-	cmd=../apps/openssl
-	if [ -e ../apps/openssl.exe ]; then
-		cmd=../apps/openssl.exe
-	fi
+cmd=../apps/openssl/openssl
+if [ -e ../apps/openssl/openssl.exe ]; then
+	cmd=../apps/openssl/openssl.exe
 fi
 
 if [ -z $srcdir ]; then

tests/testenc.sh

@@ -2,23 +2,12 @@
 #	$OpenBSD: testenc.sh,v 1.1 2014/08/26 17:50:07 jsing Exp $
 
 test=p
-if [ -d ../apps/openssl ]; then
-	cmd=../apps/openssl/openssl
-	if [ -e ../apps/openssl/openssl.exe ]; then
-		cmd=../apps/openssl/openssl.exe
-	fi
-else
-	cmd=../apps/openssl
-	if [ -e ../apps/openssl.exe ]; then
-		cmd=../apps/openssl.exe
-	fi
+cmd=../apps/openssl/openssl
+if [ -e ../apps/openssl/openssl.exe ]; then
+	cmd=../apps/openssl/openssl.exe
 fi
 
-if [ -z $srcdir ]; then
-	srcdir=.
-fi
-
-cat $srcdir/openssl.cnf >$test;
+cat openssl.cnf >$test;
 
 echo cat
 $cmd enc < $test > $test.cipher

tests/testrsa.sh

@@ -4,16 +4,9 @@
 
 #Test RSA certificate generation of openssl
 
-if [ -d ../apps/openssl ]; then
-	cmd=../apps/openssl/openssl
-	if [ -e ../apps/openssl/openssl.exe ]; then
-		cmd=../apps/openssl/openssl.exe
-	fi
-else
-	cmd=../apps/openssl
-	if [ -e ../apps/openssl.exe ]; then
-		cmd=../apps/openssl.exe
-	fi
+cmd=../apps/openssl/openssl
+if [ -e ../apps/openssl/openssl.exe ]; then
+	cmd=../apps/openssl/openssl.exe
 fi
 
 if [ -z $srcdir ]; then

tls/CMakeLists.txt

@@ -7,7 +7,6 @@ include_directories(
 set(
 	TLS_SRC
 	tls.c
-	tls_bio_cb.c
 	tls_client.c
 	tls_config.c
 	tls_conninfo.c
@@ -18,26 +17,15 @@ set(
 )
 
 
-if(NOT HAVE_STRSEP)
+if(NOT HAVE_STRCASECMP)
 	set(TLS_SRC ${TLS_SRC} strsep.c)
 endif()
 
-if(NOT "${OPENSSLDIR}" STREQUAL "")
-	add_definitions(-D_PATH_SSL_CA_FILE=\"${OPENSSLDIR}/cert.pem\")
-else()
-	add_definitions(-D_PATH_SSL_CA_FILE=\"${CMAKE_INSTALL_PREFIX}/etc/ssl/cert.pem\")
-endif()
-
 if (BUILD_SHARED)
 	add_library(tls-objects OBJECT ${TLS_SRC})
 	add_library(tls STATIC $<TARGET_OBJECTS:tls-objects>)
 	add_library(tls-shared SHARED $<TARGET_OBJECTS:tls-objects>)
-	if (WIN32)
-		target_link_libraries(tls-shared ssl-shared crypto-shared Ws2_32.lib)
-		set(TLS_POSTFIX -${TLS_MAJOR_VERSION})
-	endif()
-	set_target_properties(tls-shared PROPERTIES
-		OUTPUT_NAME tls${TLS_POSTFIX} ARCHIVE_OUTPUT_NAME tls)
+	set_target_properties(tls-shared PROPERTIES OUTPUT_NAME tls)
 	set_target_properties(tls-shared PROPERTIES VERSION ${TLS_VERSION}
 		SOVERSION ${TLS_MAJOR_VERSION})
 	install(TARGETS tls tls-shared DESTINATION lib)

tls/Makefile.am

@@ -19,7 +19,6 @@ endif
 
 libtls_la_SOURCES = tls.c
 libtls_la_SOURCES += tls_client.c
-libtls_la_SOURCES += tls_bio_cb.c
 libtls_la_SOURCES += tls_config.c
 libtls_la_SOURCES += tls_conninfo.c
 libtls_la_SOURCES += tls_server.c

update.sh

@@ -29,12 +29,12 @@ libtls_regress=$CWD/openbsd/src/regress/lib/libtls
 app_src=$CWD/openbsd/src/usr.bin
 
 # load library versions
-. $libcrypto_src/shlib_version
+. $libcrypto_src/crypto/shlib_version
 libcrypto_version=$major:$minor:0
 echo "libcrypto version $libcrypto_version"
 echo $libcrypto_version > crypto/VERSION
 
-. $libssl_src/shlib_version
+. $libssl_src/ssl/shlib_version
 libssl_version=$major:$minor:0
 echo "libssl version $libssl_version"
 echo $libssl_version > ssl/VERSION
@@ -62,11 +62,11 @@ CP_LIBC='do_cp_libc'
 
 CP='cp -p'
 
-$CP $libssl_src/LICENSE COPYING
+$CP $libssl_src/src/LICENSE COPYING
 
-$CP $libcrypto_src/arch/amd64/opensslconf.h include/openssl
-$CP $libcrypto_src/opensslfeatures.h include/openssl
-$CP $libssl_src/pqueue.h include
+$CP $libcrypto_src/crypto/arch/amd64/opensslconf.h include/openssl
+$CP $libssl_src/src/crypto/opensslfeatures.h include/openssl
+$CP $libssl_src/src/ssl/pqueue.h include
 
 $CP $libtls_src/tls.h include
 $CP $libtls_src/tls.h libtls-standalone/include
@@ -84,8 +84,8 @@ for i in crypto/compat libtls-standalone/compat; do
 	    $libc_src/string/strnlen.c \
 	    $libc_src/string/timingsafe_bcmp.c \
 	    $libc_src/string/timingsafe_memcmp.c \
-	    $libcrypto_src/arc4random/getentropy_*.c \
-	    $libcrypto_src/arc4random/arc4random_*.h; do
+	    $libcrypto_src/crypto/getentropy_*.c \
+	    $libcrypto_src/crypto/arc4random_*.h; do
 		$CP_LIBC $j $i
 	done
 done
@@ -99,20 +99,20 @@ $CP crypto/compat/arc4random*.h \
 	crypto/compat/bsd-asprintf.c \
 	libtls-standalone/compat
 
-(cd $libcrypto_src/objects/;
+(cd $libssl_src/src/crypto/objects/;
 	perl objects.pl objects.txt obj_mac.num obj_mac.h;
 	perl obj_dat.pl obj_mac.h obj_dat.h )
 mkdir -p include/openssl crypto/objects
-$MV $libcrypto_src/objects/obj_mac.h ./include/openssl/obj_mac.h
-$MV $libcrypto_src/objects/obj_dat.h ./crypto/objects/obj_dat.h
+$MV $libssl_src/src/crypto/objects/obj_mac.h ./include/openssl/obj_mac.h
+$MV $libssl_src/src/crypto/objects/obj_dat.h ./crypto/objects/obj_dat.h
 
 copy_hdrs() {
 	for file in $2; do
-		$CP $1/$file include/openssl
+		$CP $libssl_src/src/$1/$file include/openssl
 	done
 }
 
-copy_hdrs $libcrypto_src "stack/stack.h lhash/lhash.h stack/safestack.h
+copy_hdrs crypto "stack/stack.h lhash/lhash.h stack/safestack.h
 	ossl_typ.h err/err.h crypto.h comp/comp.h x509/x509.h buffer/buffer.h
 	objects/objects.h asn1/asn1.h bn/bn.h ec/ec.h ecdsa/ecdsa.h
 	ecdh/ecdh.h rsa/rsa.h sha/sha.h x509/x509_vfy.h pkcs7/pkcs7.h pem/pem.h
@@ -120,15 +120,15 @@ copy_hdrs $libcrypto_src "stack/stack.h lhash/lhash.h stack/safestack.h
 	krb5/krb5_asn.h asn1/asn1_mac.h x509v3/x509v3.h conf/conf.h ocsp/ocsp.h
 	aes/aes.h modes/modes.h asn1/asn1t.h dso/dso.h bf/blowfish.h
 	bio/bio.h cast/cast.h cmac/cmac.h conf/conf_api.h des/des.h dh/dh.h
-	dsa/dsa.h engine/engine.h ui/ui.h pkcs12/pkcs12.h ts/ts.h
+	dsa/dsa.h cms/cms.h engine/engine.h ui/ui.h pkcs12/pkcs12.h ts/ts.h
 	md4/md4.h ripemd/ripemd.h whrlpool/whrlpool.h idea/idea.h
 	rc2/rc2.h rc4/rc4.h ui/ui_compat.h txt_db/txt_db.h
 	chacha/chacha.h evp/evp.h poly1305/poly1305.h camellia/camellia.h
 	gost/gost.h"
 
-copy_hdrs $libssl_src "srtp.h ssl.h ssl2.h ssl3.h ssl23.h tls1.h dtls1.h"
+copy_hdrs ssl "srtp.h ssl.h ssl2.h ssl3.h ssl23.h tls1.h dtls1.h"
 
-$CP $libcrypto_src/opensslv.h include/openssl
+$CP $libssl_src/src/crypto/opensslv.h include/openssl
 awk '/LIBRESSL_VERSION_TEXT/ {print $4}' < include/openssl/opensslv.h | cut -d\" -f1 > VERSION
 echo "LibreSSL version `cat VERSION`"
 
@@ -139,8 +139,8 @@ for i in `awk '/SOURCES|HEADERS/ { print $3 }' crypto/Makefile.am` ; do
 	dir=`dirname $i`
 	mkdir -p crypto/$dir
 	if [ $dir != "compat" ]; then
-		if [ -e $libcrypto_src/$i ]; then
-			$CP $libcrypto_src/$i crypto/$i
+		if [ -e $libssl_src/src/crypto/$i ]; then
+			$CP $libssl_src/src/crypto/$i crypto/$i
 		fi
 	fi
 done
@@ -148,7 +148,7 @@ $CP crypto/compat/b_win.c crypto/bio
 $CP crypto/compat/ui_openssl_win.c crypto/ui
 
 # generate assembly crypto algorithms
-asm_src=$libcrypto_src
+asm_src=$libssl_src/src/crypto
 gen_asm_stdout() {
 	perl $asm_src/$2 $1 > $3.tmp
 	[ $1 = "elf" ] && cat <<-EOF >> $3.tmp
@@ -238,7 +238,7 @@ done
 echo "copying libssl source"
 rm -f ssl/*.c ssl/*.h
 for i in `awk '/SOURCES|HEADERS/ { print $3 }' ssl/Makefile.am` ; do
-	$CP $libssl_src/$i ssl
+	$CP $libssl_src/src/ssl/$i ssl
 done
 
 # copy libcrypto tests
@@ -320,7 +320,7 @@ echo "dist_man_MANS += tls_init.3" >> man/Makefile.am
 
 (cd man
 	# update new-style manpages
-	for i in `ls -1 $libssl_src/doc/*.3 | sort`; do
+	for i in `ls -1 $libssl_src/src/doc/ssl/*.3 | sort`; do
 		NAME=`basename "$i"`
 		$CP $i .
 		echo "dist_man_MANS += $NAME" >> Makefile.am
@@ -333,7 +333,7 @@ echo "dist_man_MANS += tls_init.3" >> man/Makefile.am
 	done
 
 	# convert remaining POD manpages
-	for i in `ls -1 $libcrypto_src/doc/*.pod | sort`; do
+	for i in `ls -1 $libssl_src/src/doc/crypto/*.pod | sort`; do
 		BASE=`echo $i|sed -e "s/\.pod//"`
 		NAME=`basename "$BASE"`
 		# reformat file if new