Update changelog

Set _PATH_SSL_CA_FILE to either CMAKE_INSTALL_PREFIX or OPENSSLDIR for the OCSP tests so that OCSP tests can be executed on a system without /etc/ssl/cert.pem
update changelog for 2.4.2
2016-09-23 05:40:01 -05:00 · 2016-08-02 11:02:48 -05:00 · 2016-07-31 17:55:50 -05:00 · 2016-07-31 17:12:35 -05:00 · 2016-07-31 17:12:35 -05:00 · 2016-07-29 07:51:02 -05:00
8 changed files with 69 additions and 2 deletions
--- a/CMakeLists.txt
+++ b/CMakeLists.txt
@@ -144,7 +144,7 @@ if(HAVE_STRNDUP)
 endif()

 if(MSVC)
-	set(HAVE_STRNLEN)
+	set(HAVE_STRNLEN true)
 	add_definitions(-DHAVE_STRNLEN)
 else()
 	check_function_exists(strnlen HAVE_STRNLEN)
--- a/52
+++ b/52
@@ -28,6 +28,58 @@ history is also available from Git.

 LibreSSL Portable Release Notes:

+2.4.3 - Bug fixes and reliability improvements
+
+	* Reverted change that cleans up the EVP cipher context in
+	  EVP_EncryptFinal() and EVP_DecryptFinal(). Some software relies on the
+	  previous behaviour.
+
+	* Avoid unbounded memory growth in libssl, which can be triggered by a
+	  TLS client repeatedly renegotiating and sending OCSP Status Request
+	  TLS extensions.
+
+	* Avoid falling back to a weak digest for (EC)DH when using SNI with
+	  libssl.
+
+2.4.2 - Bug fixes and improvements
+
+	* Fixed loading default certificate locations with openssl s_client.
+
+	* Ensured OSCP only uses and compares GENERALIZEDTIME values as per
+	  RFC6960. Also added fixes for OCSP to work with intermediate
+	  certificates provided in responses.
+
+	* Improved behavior of arc4random on Windows to not appear to leak
+	  memory in debug tools, reduced privileges of allocated memory.
+
+	* Fixed incorrect results from BN_mod_word() when the modulus is too
+	  large, thanks to Brian Smith from BoringSSL.
+
+	* Correctly handle an EOF prior to completing the TLS handshake in
+	  libtls.
+
+	* Improved libtls ceritificate loading and cipher string validation.
+
+	* Updated libtls cipher group suites into four categories:
+	    "secure"   (TLSv1.2+AEAD+PFS)
+	    "compat"   (HIGH:!aNULL)
+	    "legacy"   (HIGH:MEDIUM:!aNULL)
+	    "insecure" (ALL:!aNULL:!eNULL)
+	  This allows for flexibility and finer grained control, rather than
+	  having two extremes.
+
+	* Limited support for 'backward compatible' SSLv2 handshake packets to
+	  when TLS 1.0 is enabled, providing more restricted compatibility
+	  with TLS 1.0 clients.
+
+	* openssl(1) and other documentation improvements.
+
+	* Removed flags for disabling constant-time operations.
+	  This removes support for DSA_FLAG_NO_EXP_CONSTTIME,
+	  DH_FLAG_NO_EXP_CONSTTIME, and RSA_FLAG_NO_CONSTTIME flags, making
+	  all of these operations unconditionally constant-time.
+
+
 2.4.1 - Security fix

 	* Correct a problem that prevents the DSA signing algorithm from
--- a/2
+++ b/2
@@ -1 +1 @@
-master
+OPENBSD_6_0
--- a/crypto/CMakeLists.txt
+++ b/crypto/CMakeLists.txt
@@ -752,6 +752,9 @@ if (BUILD_SHARED)
 	add_library(crypto-objects OBJECT ${CRYPTO_SRC})
 	add_library(crypto STATIC $<TARGET_OBJECTS:crypto-objects>)
 	add_library(crypto-shared SHARED $<TARGET_OBJECTS:crypto-objects>)
+	if (MSVC)
+		target_link_libraries(crypto-shared crypto Ws2_32.lib)
+	endif()
 	set_target_properties(crypto-shared PROPERTIES OUTPUT_NAME crypto)
 	set_target_properties(crypto-shared PROPERTIES VERSION
 		${CRYPTO_VERSION} SOVERSION ${CRYPTO_MAJOR_VERSION})
--- a/ssl/CMakeLists.txt
+++ b/ssl/CMakeLists.txt
@@ -52,6 +52,9 @@ if (BUILD_SHARED)
 	add_library(ssl-objects OBJECT ${SSL_SRC})
 	add_library(ssl STATIC $<TARGET_OBJECTS:ssl-objects>)
 	add_library(ssl-shared SHARED $<TARGET_OBJECTS:ssl-objects>)
+	if (MSVC)
+		target_link_libraries(ssl-shared crypto-shared Ws2_32.lib)
+	endif()
 	set_target_properties(ssl-shared PROPERTIES OUTPUT_NAME ssl)
 	set_target_properties(ssl-shared PROPERTIES VERSION ${SSL_VERSION}
 		SOVERSION ${SSL_MAJOR_VERSION})
--- a/tests/CMakeLists.txt
+++ b/tests/CMakeLists.txt
@@ -196,6 +196,11 @@ add_test(mont mont)

 # ocsp_test
 if(ENABLE_EXTRATESTS)
+	if(NOT "${OPENSSLDIR}" STREQUAL "")
+		add_definitions(-D_PATH_SSL_CA_FILE=\"${OPENSSLDIR}/cert.pem\")
+	else()
+		add_definitions(-D_PATH_SSL_CA_FILE=\"${CMAKE_INSTALL_PREFIX}/etc/ssl/cert.pem\")
+	endif()
 	add_executable(ocsp_test ocsp_test.c)
 	target_link_libraries(ocsp_test ${OPENSSL_LIBS})
 	add_test(ocsptest ${CMAKE_CURRENT_SOURCE_DIR}/ocsptest.sh)
--- a/tls/CMakeLists.txt
+++ b/tls/CMakeLists.txt
@@ -31,6 +31,9 @@ if (BUILD_SHARED)
 	add_library(tls-objects OBJECT ${TLS_SRC})
 	add_library(tls STATIC $<TARGET_OBJECTS:tls-objects>)
 	add_library(tls-shared SHARED $<TARGET_OBJECTS:tls-objects>)
+	if (MSVC)
+		target_link_libraries(tls-shared ssl-shared crypto-shared Ws2_32.lib)
+	endif()
 	set_target_properties(tls-shared PROPERTIES OUTPUT_NAME tls)
 	set_target_properties(tls-shared PROPERTIES VERSION ${TLS_VERSION}
 		SOVERSION ${TLS_MAJOR_VERSION})
--- a/update.sh
+++ b/update.sh
@@ -13,6 +13,7 @@ if [ ! -d openbsd ]; then
 	fi
 fi
 (cd openbsd
+ git fetch
 git checkout $openbsd_branch
 git pull --rebase)
Author	SHA1	Message	Date
Brent Cook	c4ebe2518c	Update changelog	2016-09-23 05:40:01 -05:00
Geoff Beier	1d36474726	Set _PATH_SSL_CA_FILE to either CMAKE_INSTALL_PREFIX or OPENSSLDIR for the OCSP tests so that OCSP tests can be executed on a system without /etc/ssl/cert.pem	2016-08-02 11:02:48 -05:00
Brent Cook	48ecc2d05d	update changelog for 2.4.2	2016-07-31 17:55:50 -05:00
Brent Cook	7f322bfe7e	set link library dependencies with MSVC, fixes #221	2016-07-31 17:12:35 -05:00
Brent Cook	47d4f7109f	properly enable strnlen checks for MSVC	2016-07-31 17:12:35 -05:00
Brent Cook	12348e6f64	create OPENBSD_6_0 branch	2016-07-29 07:51:02 -05:00