update Changelog

Without this, we actually fail to build a library that includes the
bultin getentropy when compiling for 10.11 on 10.12.

.gitignore

@@ -58,7 +58,6 @@ tests/gost2814789t*
 tests/mont*
 tests/rfc5280time*
 tests/timingsafe*
-tests/tls_ext_alpn*
 tests/*test
 tests/tests.h
 tests/*test.c

CMakeLists.txt

@@ -49,7 +49,7 @@ if(CMAKE_SYSTEM_NAME MATCHES "MINGW")
 	set(BUILD_NC false)
 endif()
 
-if(WIN32)
+if(MSVC)
 	set(BUILD_NC false)
 endif()
 
@@ -80,17 +80,14 @@ if (CMAKE_COMPILER_IS_GNUCC OR CMAKE_C_COMPILER_ID MATCHES "Clang")
 	add_definitions(-Wno-pointer-sign)
 endif()
 
-if(WIN32)
+if(MSVC)
+	add_definitions(-Dinline=__inline)
 	add_definitions(-Drestrict)
 	add_definitions(-D_CRT_SECURE_NO_WARNINGS)
 	add_definitions(-D_CRT_DEPRECATED_NO_WARNINGS)
 	add_definitions(-D_REENTRANT -D_POSIX_THREAD_SAFE_FUNCTIONS)
 	add_definitions(-DWIN32_LEAN_AND_MEAN -D_WIN32_WINNT=0x0501)
 	add_definitions(-DCPPFLAGS -DOPENSSL_NO_SPEED -DNO_SYSLOG -DNO_CRYPT)
-endif()
-
-if(MSVC)
-	add_definitions(-Dinline=__inline)
 
 	set(MSVC_DISABLED_WARNINGS_LIST
 		"C4057" # C4057: 'initializing' : 'unsigned char *' differs in
@@ -146,7 +143,7 @@ if(HAVE_STRNDUP)
 	add_definitions(-DHAVE_STRNDUP)
 endif()
 
-if(WIN32)
+if(MSVC)
 	set(HAVE_STRNLEN true)
 	add_definitions(-DHAVE_STRNLEN)
 else()
@@ -240,7 +237,7 @@ if(CMAKE_SYSTEM_NAME MATCHES "SunOS")
 	set(OPENSSL_LIBS ${OPENSSL_LIBS} nsl socket)
 endif()
 
-if(NOT (CMAKE_SYSTEM_NAME MATCHES "(Darwin|CYGWIN)"))
+if(NOT (CMAKE_SYSTEM_NAME MATCHES "(Darwin|MINGW|CYGWIN)" OR MSVC))
 	set(BUILD_SHARED true)
 endif()
 

ChangeLog

@@ -28,60 +28,41 @@ history is also available from Git.
 
 LibreSSL Portable Release Notes:
 
-2.5.0 - New APIs, bug fixes and improvements
+2.4.5  - Security and compatibility fixes
 
-	* libtls now supports ALPN and SNI
+	* Avoid a side-channel cache-timing attack that can leak the ECDSA
+	  private keys when signing. This is due to BN_mod_inverse() being
+	  used without the constant time flag being set.
 
-	* libtls adds a new callback interface for integrating custom IO
+	  This issue was reported by Cesar Pereida Garcia and Billy Brumley
-	  functions. Thanks to Tobias Pape.
+	  (Tampere University of Technology). The fix was developed by Cesar
+	  Pereida Garcia.
 
-	* libtls now handles 4 cipher suite groups:
+	* iOS and MacOS compatibility updates from Simone Basso and Jacob
-	    "secure" (TLSv1.2+AEAD+PFS)
+	  Berkman.
-	    "compat" (HIGH:!aNULL)
-	    "legacy" (HIGH:MEDIUM:!aNULL)
-	    "insecure" (ALL:!aNULL:!eNULL)
 
-	    This allows for flexibility and finer grained control, rather than
+2.4.4 - Reliability improvements
-	    having two extremes (an issue raised by Marko Kreen some time ago).
 
-	* Tightened error handling for tls_config_set_ciphers().
+	* Avoid continual processing of an unlimited number of TLS records,
+	  which can cause a denial-of-service condition.
 
-	* libtls now always loads CA, key and certificate files at the time the
+	* In X509_cmp_time(), pass asn1_time_parse() the tag of the field
-	  configuration function is called. This simplifies code and results in
+	  being parsed so that a malformed GeneralizedTime field is recognized as
-	  a single memory based code path being used to provide data to libssl.
+	  an error instead of potentially being interpreted as if it was a valid
+	  UTCTime.
 
-	* Add support for OCSP intermediate certificates.
+	* Improve ticket validity checking when tlsext_ticket_key_cb()
+	  callback chooses a different HMAC algorithm.
 
-	* Added functions used by stunnel and exim from BoringSSL - this
+	* Check for packets with a truncated DTLS cookie.
-	  brings in X509_check_host, X509_check_email, X509_check_ip, and
-	  X509_check_ip_asc.
 
-	* Added initial support for iOS, thanks to Jacob Berkman.
+	* Detect zero-length encrypted session data early, instead of when
+	  malloc(0) fails or the HMAC check fails.
 
-	* Improved behavior of arc4random on Windows when using memory leak
+	* Check for and handle failure of HMAC_{Update,Final} or
-	  analysis software.
+	  EVP_DecryptUpdate()
 
-	* Correctly handle an EOF that occurs prior to the TLS handshake
+2.4.3 - Bug fixes and reliability improvements
-	  completing. Reported by Vasily Kolobkov, based on a diff from Marko
-	  Kreen.
-
-	* Limit the support of the "backward compatible" ssl2 handshake to
-	  only be used if TLS 1.0 is enabled.
-
-	* Fix incorrect results in certain cases on 64-bit systems when
-	  BN_mod_word() can return incorrect results. BN_mod_word() now can
-	  return an error condition. Thanks to Brian Smith.
-
-	* Added constant-time updates to address CVE-2016-0702
-
-	* Fixed undefined behavior in BN_GF2m_mod_arr()
-
-	* Removed unused Cryptographic Message Support (CMS)
-
-	* More conversions of long long idioms to time_t
-
-	* Improved compatibility by avoiding printing NULL strings with
-	  printf.
 
 	* Reverted change that cleans up the EVP cipher context in
 	  EVP_EncryptFinal() and EVP_DecryptFinal(). Some software relies on the

OPENBSD_BRANCH

@@ -1 +1 @@
-master
+OPENBSD_6_0

apps/nc/Makefile.am

@@ -17,6 +17,11 @@ nc_LDADD += $(abs_top_builddir)/ssl/libssl.la
 nc_LDADD += $(abs_top_builddir)/tls/libtls.la
 
 AM_CPPFLAGS += -I$(top_srcdir)/apps/nc/compat
+if OPENSSLDIR_DEFINED
+AM_CPPFLAGS += -DDEFAULT_CA_FILE=\"@OPENSSLDIR@/cert.pem\"
+else
+AM_CPPFLAGS += -DDEFAULT_CA_FILE=\"$(sysconfdir)/ssl/cert.pem\"
+endif
 
 nc_SOURCES = atomicio.c
 nc_SOURCES += netcat.c

apps/openssl/CMakeLists.txt

@@ -10,6 +10,7 @@ set(
 	asn1pars.c
 	ca.c
 	ciphers.c
+	cms.c
 	crl.c
 	crl2p7.c
 	dgst.c

apps/openssl/Makefile.am

@@ -12,6 +12,7 @@ openssl_SOURCES = apps.c
 openssl_SOURCES += asn1pars.c
 openssl_SOURCES += ca.c
 openssl_SOURCES += ciphers.c
+openssl_SOURCES += cms.c
 openssl_SOURCES += crl.c
 openssl_SOURCES += crl2p7.c
 openssl_SOURCES += dgst.c

crypto/CMakeLists.txt

@@ -715,7 +715,7 @@ if(NOT HAVE_ARC4RANDOM_BUF)
 		elseif(CMAKE_SYSTEM_NAME MATCHES "NetBSD")
 			set(CRYPTO_SRC ${CRYPTO_SRC} compat/getentropy_netbsd.c)
 		elseif(CMAKE_SYSTEM_NAME MATCHES "Darwin")
-			set(CRYPTO_SRC ${CRYPTO_SRC} compat/getentropy_osx.c)
+			set(CRYPTO_SRC ${CRYPTO_SRC} compat/getentropy_darwin.c)
 		elseif(CMAKE_SYSTEM_NAME MATCHES "SunOS")
 			set(CRYPTO_SRC ${CRYPTO_SRC} compat/getentropy_solaris.c)
 		endif()
@@ -752,12 +752,10 @@ if (BUILD_SHARED)
 	add_library(crypto-objects OBJECT ${CRYPTO_SRC})
 	add_library(crypto STATIC $<TARGET_OBJECTS:crypto-objects>)
 	add_library(crypto-shared SHARED $<TARGET_OBJECTS:crypto-objects>)
-	if (WIN32)
+	if (MSVC)
 		target_link_libraries(crypto-shared crypto Ws2_32.lib)
-		set(CRYPTO_POSTFIX -${CRYPTO_MAJOR_VERSION})
 	endif()
-	set_target_properties(crypto-shared PROPERTIES
+	set_target_properties(crypto-shared PROPERTIES OUTPUT_NAME crypto)
-		OUTPUT_NAME crypto${CRYPTO_POSTFIX} ARCHIVE_OUTPUT_NAME crypto)
 	set_target_properties(crypto-shared PROPERTIES VERSION
 		${CRYPTO_VERSION} SOVERSION ${CRYPTO_MAJOR_VERSION})
 	install(TARGETS crypto crypto-shared DESTINATION lib)

include/Makefile.am

@@ -29,6 +29,7 @@ noinst_HEADERS += compat/netinet/in.h
 noinst_HEADERS += compat/netinet/ip.h
 noinst_HEADERS += compat/netinet/tcp.h
 
+noinst_HEADERS += compat/sys/cdefs.h
 noinst_HEADERS += compat/sys/ioctl.h
 noinst_HEADERS += compat/sys/mman.h
 noinst_HEADERS += compat/sys/param.h

include/compat/sys/cdefs.h

@@ -0,0 +1,31 @@
+/*
+ * Public domain
+ * sys/cdefs.h compatibility shim
+ */
+
+#ifndef LIBCRYPTOCOMPAT_SYS_CDEFS_H
+#define LIBCRYPTOCOMPAT_SYS_CDEFS_H
+
+#ifdef _WIN32
+
+#define __warn_references(sym,msg)
+
+#else
+
+#include_next <sys/cdefs.h>
+
+#ifndef __warn_references
+
+#if defined(__GNUC__)  && defined (HAS_GNU_WARNING_LONG)
+#define __warn_references(sym,msg)          \
+  __asm__(".section .gnu.warning." __STRING(sym)  \
+         " ; .ascii \"" msg "\" ; .text");
+#else
+#define __warn_references(sym,msg)
+#endif
+
+#endif /* __warn_references */
+
+#endif /* _WIN32 */
+
+#endif /* LIBCRYPTOCOMPAT_SYS_CDEFS_H */

include/compat/sys/types.h

@@ -44,25 +44,4 @@ typedef SSIZE_T ssize_t;
 # define __bounded__(x, y, z)
 #endif
 
-#ifdef _WIN32
-#define __warn_references(sym,msg)
-#else
-
-#ifndef __warn_references
-
-#ifndef __STRING
-#define __STRING(x) #x
-#endif
-
-#if defined(__GNUC__)  && defined (HAS_GNU_WARNING_LONG)
-#define __warn_references(sym,msg)          \
-  __asm__(".section .gnu.warning." __STRING(sym)  \
-         " ; .ascii \"" msg "\" ; .text");
-#else
-#define __warn_references(sym,msg)
-#endif
-
-#endif /* __warn_references */
-#endif /* _WIN32 */
-
 #endif

libtls-standalone/src/Makefile.am

@@ -8,7 +8,6 @@ libtls_la_LIBADD += $(top_builddir)/compat/libcompat.la
 libtls_la_LIBADD += $(top_builddir)/compat/libcompatnoopt.la
 
 libtls_la_SOURCES = tls.c
-libtls_la_SOURCES += tls_bio_cb.c
 libtls_la_SOURCES += tls_client.c
 libtls_la_SOURCES += tls_config.c
 libtls_la_SOURCES += tls_server.c

m4/check-libc.m4

@@ -47,7 +47,52 @@ AM_CONDITIONAL([HAVE_B64_NTOP], [test "x$ac_cv_func_b64_ntop_arg" = xyes])
 AC_DEFUN([CHECK_CRYPTO_COMPAT], [
 # Check crypto-related libc functions and syscalls
 AC_CHECK_FUNCS([arc4random arc4random_buf arc4random_uniform])
-AC_CHECK_FUNCS([explicit_bzero getauxval getentropy])
+AC_CHECK_FUNCS([explicit_bzero getauxval])
+
+AC_CACHE_CHECK([for getentropy], ac_cv_func_getentropy, [
+	AC_LINK_IFELSE([AC_LANG_PROGRAM([[
+#include <sys/types.h>
+#include <unistd.h>
+
+/*
+ * Explanation:
+ *
+ *   - iOS <= 10.1 fails because of missing sys/random.h
+ *
+ *   - in macOS 10.12 getentropy is not tagged as introduced in
+ *     10.12 so we cannot use it for target < 10.12
+ */
+#ifdef __APPLE__
+#  include <AvailabilityMacros.h>
+#  include <TargetConditionals.h>
+
+# if (TARGET_OS_IPHONE || TARGET_OS_SIMULATOR)
+#  include <sys/random.h> /* Not available as of iOS <= 10.1 */
+# else
+
+#  include <sys/random.h> /* Pre 10.12 systems should die here */
+
+/* Based on: https://gitweb.torproject.org/tor.git/commit/?id=16fcbd21 */
+#  ifndef MAC_OS_X_VERSION_10_12
+#    define MAC_OS_X_VERSION_10_12 101200 /* Robustness */
+#  endif
+#  if defined(MAC_OS_X_VERSION_MIN_REQUIRED)
+#    if MAC_OS_X_VERSION_MIN_REQUIRED < MAC_OS_X_VERSION_10_12
+#      error "Targeting on Mac OSX 10.11 or earlier"
+#    endif
+#  endif
+
+# endif
+#endif /* __APPLE__ */
+		]], [[
+	char buffer;
+	(void)getentropy(&buffer, sizeof (buffer));
+]])],
+	[ ac_cv_func_getentropy="yes" ],
+	[ ac_cv_func_getentropy="no"
+	])
+])
+
 AC_CHECK_FUNCS([timingsafe_bcmp timingsafe_memcmp])
 AM_CONDITIONAL([HAVE_ARC4RANDOM], [test "x$ac_cv_func_arc4random" = xyes])
 AM_CONDITIONAL([HAVE_ARC4RANDOM_BUF], [test "x$ac_cv_func_arc4random_buf" = xyes])

m4/check-os-options.m4

@@ -17,10 +17,43 @@ case $host_os in
 	*darwin*)
 		HOST_OS=darwin
 		HOST_ABI=macosx
+		#
+		# Don't use arc4random on systems before 10.12 because of
 		# weak seed on failure to open /dev/random, based on latest
 		# public source:
 		# http://www.opensource.apple.com/source/Libc/Libc-997.90.3/gen/FreeBSD/arc4random.c
-		USE_BUILTIN_ARC4RANDOM=yes
+		#
+		# We use the presence of getentropy() to detect 10.12. The
+		# following check take into account that:
+ 		#
+		#   - iOS <= 10.1 fails because of missing getentropy and
+		#     hence they miss sys/random.h
+		#
+		#   - in macOS 10.12 getentropy is not tagged as introduced in
+		#     10.12 so we cannot use it for target < 10.12
+		#
+		AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
+#include <AvailabilityMacros.h>
+#include <unistd.h>
+#include <sys/random.h>  /* Systems without getentropy() should die here */
+
+/* Based on: https://gitweb.torproject.org/tor.git/commit/?id=16fcbd21 */
+#ifndef MAC_OS_X_VERSION_10_12
+#  define MAC_OS_X_VERSION_10_12 101200
+#endif
+#if defined(MAC_OS_X_VERSION_MIN_REQUIRED)
+#  if MAC_OS_X_VERSION_MIN_REQUIRED < MAC_OS_X_VERSION_10_12
+#    error "Running on Mac OSX 10.11 or earlier"
+#  endif
+#endif
+                       ]], [[
+char buf[1]; getentropy(buf, 1);
+					   ]])],
+                       [ USE_BUILTIN_ARC4RANDOM=no ],
+                       [ USE_BUILTIN_ARC4RANDOM=yes ]
+		)
+		AC_MSG_CHECKING([whether to use builtin arc4random])
+		AC_MSG_RESULT([$USE_BUILTIN_ARC4RANDOM])
 		# Not available on iOS
 		AC_CHECK_HEADER([arpa/telnet.h], [], [BUILD_NC=no])
 		;;

patches/netcat.c.patch

@@ -1,6 +1,16 @@
---- apps/nc/netcat.c.orig	Sun Sep  4 05:37:35 2016
+--- apps/nc/netcat.c.orig	Thu Jun 30 19:56:49 2016
-+++ apps/nc/netcat.c	Sun Sep  4 05:40:24 2016
++++ apps/nc/netcat.c	Thu Jun 30 19:59:09 2016
-@@ -92,9 +92,13 @@
+@@ -65,7 +65,9 @@
+ #define POLL_NETIN 2
+ #define POLL_STDOUT 3
+ #define BUFSIZE 16384
++#ifndef DEFAULT_CA_FILE
+ #define DEFAULT_CA_FILE "/etc/ssl/cert.pem"
++#endif
+ 
+ #define TLS_LEGACY	(1 << 1)
+ #define TLS_NOVERIFY	(1 << 2)
+@@ -92,9 +94,13 @@
  int	Dflag;					/* sodebug */
  int	Iflag;					/* TCP receive buffer size */
  int	Oflag;					/* TCP send buffer size */
@@ -14,7 +24,7 @@
  
  int	usetls;					/* use TLS */
  char    *Cflag;					/* Public cert file */
-@@ -146,7 +150,7 @@
+@@ -152,7 +158,7 @@
  	struct servent *sv;
  	socklen_t len;
  	struct sockaddr_storage cliaddr;
@@ -23,7 +33,7 @@
  	const char *errstr, *proxyhost = "", *proxyport = NULL;
  	struct addrinfo proxyhints;
  	char unix_dg_tmp_socket_buf[UNIX_DG_TMP_SOCKET_SIZE];
-@@ -256,12 +260,14 @@
+@@ -262,12 +268,14 @@
  		case 'u':
  			uflag = 1;
  			break;
@@ -38,7 +48,7 @@
  		case 'v':
  			vflag = 1;
  			break;
-@@ -294,9 +300,11 @@
+@@ -300,9 +308,11 @@
  				errx(1, "TCP send window %s: %s",
  				    errstr, optarg);
  			break;
@@ -50,7 +60,7 @@
  		case 'T':
  			errstr = NULL;
  			errno = 0;
-@@ -320,9 +328,11 @@
+@@ -326,9 +336,11 @@
  	argc -= optind;
  	argv += optind;
  
@@ -62,19 +72,31 @@
  
  	if (family == AF_UNIX) {
  		if (pledge("stdio rpath wpath cpath tmppath unix", NULL) == -1)
-@@ -825,7 +835,10 @@
+@@ -480,7 +492,10 @@
+ 				errx(1, "-H and -T noverify may not be used"
+ 				    "together");
+ 			tls_config_insecure_noverifycert(tls_cfg);
+-		}
++		} else {
++                        if (Rflag && access(Rflag, R_OK) == -1)
++                                errx(1, "unable to find root CA file %s", Rflag);
++                }
+ 	}
+ 	if (lflag) {
+ 		struct tls *tls_cctx = NULL;
+@@ -832,7 +847,10 @@
  remote_connect(const char *host, const char *port, struct addrinfo hints)
  {
  	struct addrinfo *res, *res0;
--	int s = -1, error, on = 1, save_errno;
+-	int s, error, on = 1, save_errno;
-+	int s = -1, error, save_errno;
++	int s, error, save_errno;
 +#ifdef SO_BINDANY
 +	int on = 1;
 +#endif
  
- 	if ((error = getaddrinfo(host, port, &hints, &res0)))
+ 	if ((error = getaddrinfo(host, port, &hints, &res)))
  		errx(1, "getaddrinfo: %s", gai_strerror(error));
-@@ -839,8 +852,10 @@
+@@ -847,8 +865,10 @@
  		if (sflag || pflag) {
  			struct addrinfo ahints, *ares;
  
@@ -83,22 +105,22 @@
  			setsockopt(s, SOL_SOCKET, SO_BINDANY, &on, sizeof(on));
 +#endif
  			memset(&ahints, 0, sizeof(struct addrinfo));
- 			ahints.ai_family = res->ai_family;
+ 			ahints.ai_family = res0->ai_family;
  			ahints.ai_socktype = uflag ? SOCK_DGRAM : SOCK_STREAM;
-@@ -911,7 +926,10 @@
+@@ -919,7 +939,10 @@
  local_listen(char *host, char *port, struct addrinfo hints)
  {
  	struct addrinfo *res, *res0;
--	int s = -1, ret, x = 1, save_errno;
+-	int s, ret, x = 1, save_errno;
-+	int s = -1, save_errno;
++	int s, save_errno;
 +#ifdef SO_REUSEPORT
 +	int ret, x = 1;
 +#endif
  	int error;
  
  	/* Allow nodename to be null. */
-@@ -932,9 +950,11 @@
+@@ -941,9 +964,11 @@
- 		    res->ai_protocol)) < 0)
+ 		    res0->ai_protocol)) < 0)
  			continue;
  
 +#ifdef SO_REUSEPORT
@@ -107,9 +129,9 @@
  			err(1, NULL);
 +#endif
  
- 		set_common_sockopts(s, res->ai_family);
+ 		set_common_sockopts(s, res0->ai_family);
  
-@@ -1392,11 +1412,13 @@
+@@ -1401,11 +1426,13 @@
  {
  	int x = 1;
  
@@ -123,7 +145,7 @@
  	if (Dflag) {
  		if (setsockopt(s, SOL_SOCKET, SO_DEBUG,
  			&x, sizeof(x)) == -1)
-@@ -1433,13 +1455,17 @@
+@@ -1442,13 +1469,17 @@
  	}
  
  	if (minttl != -1) {
@@ -142,7 +164,7 @@
  	}
  }
  
-@@ -1596,14 +1622,22 @@
+@@ -1605,14 +1636,22 @@
  	\t-P proxyuser\tUsername for proxy authentication\n\
  	\t-p port\t	Specify local port for remote connects\n\
  	\t-R CAfile	CA bundle\n\

ssl/CMakeLists.txt

@@ -52,12 +52,10 @@ if (BUILD_SHARED)
 	add_library(ssl-objects OBJECT ${SSL_SRC})
 	add_library(ssl STATIC $<TARGET_OBJECTS:ssl-objects>)
 	add_library(ssl-shared SHARED $<TARGET_OBJECTS:ssl-objects>)
-	if (WIN32)
+	if (MSVC)
 		target_link_libraries(ssl-shared crypto-shared Ws2_32.lib)
-		set(SSL_POSTFIX -${SSL_MAJOR_VERSION})
 	endif()
-	set_target_properties(ssl-shared PROPERTIES
+	set_target_properties(ssl-shared PROPERTIES OUTPUT_NAME ssl)
-		OUTPUT_NAME ssl${SSL_POSTFIX} ARCHIVE_OUTPUT_NAME ssl)
 	set_target_properties(ssl-shared PROPERTIES VERSION ${SSL_VERSION}
 		SOVERSION ${SSL_MAJOR_VERSION})
 	install(TARGETS ssl ssl-shared DESTINATION lib)

tests/CMakeLists.txt

@@ -9,8 +9,6 @@ include_directories(
 	../apps/openssl/compat
 )
 
-add_definitions(-D_PATH_SSL_CA_FILE=\"${CMAKE_CURRENT_SOURCE_DIR}/../apps/openssl/cert.pem\")
-
 # aeadtest
 add_executable(aeadtest aeadtest.c)
 target_link_libraries(aeadtest ${OPENSSL_LIBS})
@@ -198,9 +196,15 @@ add_test(mont mont)
 
 # ocsp_test
 if(ENABLE_EXTRATESTS)
+	if(NOT "${OPENSSLDIR}" STREQUAL "")
+		add_definitions(-D_PATH_SSL_CA_FILE=\"${OPENSSLDIR}/cert.pem\")
+	else()
+		add_definitions(-D_PATH_SSL_CA_FILE=\"${CMAKE_INSTALL_PREFIX}/etc/ssl/cert.pem\")
+	endif()
 	add_executable(ocsp_test ocsp_test.c)
 	target_link_libraries(ocsp_test ${OPENSSL_LIBS})
 	add_test(ocsptest ${CMAKE_CURRENT_SOURCE_DIR}/ocsptest.sh)
+	set_tests_properties(ocsptest PROPERTIES ENVIRONMENT "srcdir=${CMAKE_CURRENT_SOURCE_DIR}")
 endif()
 
 # optionstest
@@ -305,11 +309,6 @@ add_executable(timingsafe timingsafe.c)
 target_link_libraries(timingsafe ${OPENSSL_LIBS})
 add_test(timingsafe timingsafe)
 
-# tls_ext_alpn
-add_executable(tls_ext_alpn tls_ext_alpn.c)
-target_link_libraries(tls_ext_alpn ${OPENSSL_LIBS})
-add_test(tls_ext_alpn tls_ext_alpn)
-
 # utf8test
 add_executable(utf8test utf8test.c)
 target_link_libraries(utf8test ${OPENSSL_LIBS})

tests/Makefile.am

@@ -5,7 +5,6 @@ AM_CPPFLAGS += -I $(top_srcdir)/crypto/asn1
 AM_CPPFLAGS += -I $(top_srcdir)/ssl
 AM_CPPFLAGS += -I $(top_srcdir)/apps/openssl
 AM_CPPFLAGS += -I $(top_srcdir)/apps/openssl/compat
-AM_CPPFLAGS += -D_PATH_SSL_CA_FILE=\"$(top_srcdir)/apps/openssl/cert.pem\"
 
 LDADD = $(PLATFORM_LDADD) $(PROG_LDADD)
 LDADD += $(abs_top_builddir)/ssl/libssl.la
@@ -324,11 +323,6 @@ TESTS += timingsafe
 check_PROGRAMS += timingsafe
 timingsafe_SOURCES = timingsafe.c
 
-# tls_ext_alpn
-TESTS += tls_ext_alpn
-check_PROGRAMS += tls_ext_alpn
-tls_ext_alpn_SOURCES = tls_ext_alpn.c
-
 # utf8test
 TESTS += utf8test
 check_PROGRAMS += utf8test

tls/CMakeLists.txt

@@ -7,7 +7,6 @@ include_directories(
 set(
 	TLS_SRC
 	tls.c
-	tls_bio_cb.c
 	tls_client.c
 	tls_config.c
 	tls_conninfo.c
@@ -32,12 +31,10 @@ if (BUILD_SHARED)
 	add_library(tls-objects OBJECT ${TLS_SRC})
 	add_library(tls STATIC $<TARGET_OBJECTS:tls-objects>)
 	add_library(tls-shared SHARED $<TARGET_OBJECTS:tls-objects>)
-	if (WIN32)
+	if (MSVC)
 		target_link_libraries(tls-shared ssl-shared crypto-shared Ws2_32.lib)
-		set(TLS_POSTFIX -${TLS_MAJOR_VERSION})
 	endif()
-	set_target_properties(tls-shared PROPERTIES
+	set_target_properties(tls-shared PROPERTIES OUTPUT_NAME tls)
-		OUTPUT_NAME tls${TLS_POSTFIX} ARCHIVE_OUTPUT_NAME tls)
 	set_target_properties(tls-shared PROPERTIES VERSION ${TLS_VERSION}
 		SOVERSION ${TLS_MAJOR_VERSION})
 	install(TARGETS tls tls-shared DESTINATION lib)

tls/Makefile.am

@@ -19,7 +19,6 @@ endif
 
 libtls_la_SOURCES = tls.c
 libtls_la_SOURCES += tls_client.c
-libtls_la_SOURCES += tls_bio_cb.c
 libtls_la_SOURCES += tls_config.c
 libtls_la_SOURCES += tls_conninfo.c
 libtls_la_SOURCES += tls_server.c

update.sh

@@ -13,6 +13,7 @@ if [ ! -d openbsd ]; then
 	fi
 fi
 (cd openbsd
+ git fetch
  git checkout $openbsd_branch
  git pull --rebase)
 
@@ -29,12 +30,12 @@ libtls_regress=$CWD/openbsd/src/regress/lib/libtls
 app_src=$CWD/openbsd/src/usr.bin
 
 # load library versions
-. $libcrypto_src/shlib_version
+. $libcrypto_src/crypto/shlib_version
 libcrypto_version=$major:$minor:0
 echo "libcrypto version $libcrypto_version"
 echo $libcrypto_version > crypto/VERSION
 
-. $libssl_src/shlib_version
+. $libssl_src/ssl/shlib_version
 libssl_version=$major:$minor:0
 echo "libssl version $libssl_version"
 echo $libssl_version > ssl/VERSION
@@ -62,11 +63,11 @@ CP_LIBC='do_cp_libc'
 
 CP='cp -p'
 
-$CP $libssl_src/LICENSE COPYING
+$CP $libssl_src/src/LICENSE COPYING
 
-$CP $libcrypto_src/arch/amd64/opensslconf.h include/openssl
+$CP $libcrypto_src/crypto/arch/amd64/opensslconf.h include/openssl
-$CP $libcrypto_src/opensslfeatures.h include/openssl
+$CP $libssl_src/src/crypto/opensslfeatures.h include/openssl
-$CP $libssl_src/pqueue.h include
+$CP $libssl_src/src/ssl/pqueue.h include
 
 $CP $libtls_src/tls.h include
 $CP $libtls_src/tls.h libtls-standalone/include
@@ -84,8 +85,8 @@ for i in crypto/compat libtls-standalone/compat; do
 	    $libc_src/string/strnlen.c \
 	    $libc_src/string/timingsafe_bcmp.c \
 	    $libc_src/string/timingsafe_memcmp.c \
-	    $libcrypto_src/arc4random/getentropy_*.c \
+	    $libcrypto_src/crypto/getentropy_*.c \
-	    $libcrypto_src/arc4random/arc4random_*.h; do
+	    $libcrypto_src/crypto/arc4random_*.h; do
 		$CP_LIBC $j $i
 	done
 done
@@ -99,20 +100,20 @@ $CP crypto/compat/arc4random*.h \
 	crypto/compat/bsd-asprintf.c \
 	libtls-standalone/compat
 
-(cd $libcrypto_src/objects/;
+(cd $libssl_src/src/crypto/objects/;
 	perl objects.pl objects.txt obj_mac.num obj_mac.h;
 	perl obj_dat.pl obj_mac.h obj_dat.h )
 mkdir -p include/openssl crypto/objects
-$MV $libcrypto_src/objects/obj_mac.h ./include/openssl/obj_mac.h
+$MV $libssl_src/src/crypto/objects/obj_mac.h ./include/openssl/obj_mac.h
-$MV $libcrypto_src/objects/obj_dat.h ./crypto/objects/obj_dat.h
+$MV $libssl_src/src/crypto/objects/obj_dat.h ./crypto/objects/obj_dat.h
 
 copy_hdrs() {
 	for file in $2; do
-		$CP $1/$file include/openssl
+		$CP $libssl_src/src/$1/$file include/openssl
 	done
 }
 
-copy_hdrs $libcrypto_src "stack/stack.h lhash/lhash.h stack/safestack.h
+copy_hdrs crypto "stack/stack.h lhash/lhash.h stack/safestack.h
 	ossl_typ.h err/err.h crypto.h comp/comp.h x509/x509.h buffer/buffer.h
 	objects/objects.h asn1/asn1.h bn/bn.h ec/ec.h ecdsa/ecdsa.h
 	ecdh/ecdh.h rsa/rsa.h sha/sha.h x509/x509_vfy.h pkcs7/pkcs7.h pem/pem.h
@@ -120,15 +121,15 @@ copy_hdrs $libcrypto_src "stack/stack.h lhash/lhash.h stack/safestack.h
 	krb5/krb5_asn.h asn1/asn1_mac.h x509v3/x509v3.h conf/conf.h ocsp/ocsp.h
 	aes/aes.h modes/modes.h asn1/asn1t.h dso/dso.h bf/blowfish.h
 	bio/bio.h cast/cast.h cmac/cmac.h conf/conf_api.h des/des.h dh/dh.h
-	dsa/dsa.h engine/engine.h ui/ui.h pkcs12/pkcs12.h ts/ts.h
+	dsa/dsa.h cms/cms.h engine/engine.h ui/ui.h pkcs12/pkcs12.h ts/ts.h
 	md4/md4.h ripemd/ripemd.h whrlpool/whrlpool.h idea/idea.h
 	rc2/rc2.h rc4/rc4.h ui/ui_compat.h txt_db/txt_db.h
 	chacha/chacha.h evp/evp.h poly1305/poly1305.h camellia/camellia.h
 	gost/gost.h"
 
-copy_hdrs $libssl_src "srtp.h ssl.h ssl2.h ssl3.h ssl23.h tls1.h dtls1.h"
+copy_hdrs ssl "srtp.h ssl.h ssl2.h ssl3.h ssl23.h tls1.h dtls1.h"
 
-$CP $libcrypto_src/opensslv.h include/openssl
+$CP $libssl_src/src/crypto/opensslv.h include/openssl
 awk '/LIBRESSL_VERSION_TEXT/ {print $4}' < include/openssl/opensslv.h | cut -d\" -f1 > VERSION
 echo "LibreSSL version `cat VERSION`"
 
@@ -139,8 +140,8 @@ for i in `awk '/SOURCES|HEADERS/ { print $3 }' crypto/Makefile.am` ; do
 	dir=`dirname $i`
 	mkdir -p crypto/$dir
 	if [ $dir != "compat" ]; then
-		if [ -e $libcrypto_src/$i ]; then
+		if [ -e $libssl_src/src/crypto/$i ]; then
-			$CP $libcrypto_src/$i crypto/$i
+			$CP $libssl_src/src/crypto/$i crypto/$i
 		fi
 	fi
 done
@@ -148,7 +149,7 @@ $CP crypto/compat/b_win.c crypto/bio
 $CP crypto/compat/ui_openssl_win.c crypto/ui
 
 # generate assembly crypto algorithms
-asm_src=$libcrypto_src
+asm_src=$libssl_src/src/crypto
 gen_asm_stdout() {
 	perl $asm_src/$2 $1 > $3.tmp
 	[ $1 = "elf" ] && cat <<-EOF >> $3.tmp
@@ -238,7 +239,7 @@ done
 echo "copying libssl source"
 rm -f ssl/*.c ssl/*.h
 for i in `awk '/SOURCES|HEADERS/ { print $3 }' ssl/Makefile.am` ; do
-	$CP $libssl_src/$i ssl
+	$CP $libssl_src/src/ssl/$i ssl
 done
 
 # copy libcrypto tests
@@ -320,7 +321,7 @@ echo "dist_man_MANS += tls_init.3" >> man/Makefile.am
 
 (cd man
 	# update new-style manpages
-	for i in `ls -1 $libssl_src/doc/*.3 | sort`; do
+	for i in `ls -1 $libssl_src/src/doc/ssl/*.3 | sort`; do
 		NAME=`basename "$i"`
 		$CP $i .
 		echo "dist_man_MANS += $NAME" >> Makefile.am
@@ -333,7 +334,7 @@ echo "dist_man_MANS += tls_init.3" >> man/Makefile.am
 	done
 
 	# convert remaining POD manpages
-	for i in `ls -1 $libcrypto_src/doc/*.pod | sort`; do
+	for i in `ls -1 $libssl_src/src/doc/crypto/*.pod | sort`; do
 		BASE=`echo $i|sed -e "s/\.pod//"`
 		NAME=`basename "$BASE"`
 		# reformat file if new