remove duplcate changelog entry

we currently do it at configure time, which makes this a generated
source, but generated sources should be cleaned up, which breaks
'make clean; make'

.gitignore

@@ -143,6 +143,7 @@ include/openssl/*.h
 !/crypto/compat/arc4random.h
 !/crypto/compat/b_win.c
 !/crypto/compat/explicit_bzero_win.c
+!/crypto/compat/freezero.c
 !/crypto/compat/getpagesize.c
 !/crypto/compat/posix_win.c
 !/crypto/compat/bsd_asprintf.c

CMakeLists.txt

@@ -4,8 +4,9 @@ include(CheckLibraryExists)
 include(CheckIncludeFiles)
 include(CheckTypeSize)
 
-set(CMAKE_MODULE_PATH "${CMAKE_SOURCE_DIR}" ${CMAKE_MODULE_PATH})
+set(CMAKE_MODULE_PATH "${CMAKE_CURRENT_SOURCE_DIR}" ${CMAKE_MODULE_PATH})
 include(cmake_export_symbol)
+include(GNUInstallDirs)
 
 project (LibreSSL C)
 
@@ -26,12 +27,18 @@ string(STRIP ${TLS_VERSION} TLS_VERSION)
 string(REPLACE ":" "." TLS_VERSION ${TLS_VERSION})
 string(REGEX REPLACE "\\..*" "" TLS_MAJOR_VERSION ${TLS_VERSION})
 
+option(LIBRESSL_SKIP_INSTALL "Skip installation" ${LIBRESSL_SKIP_INSTALL})
 option(ENABLE_ASM "Enable assembly" ON)
 option(ENABLE_EXTRATESTS "Enable extra tests that may be unreliable on some platforms" OFF)
 option(ENABLE_NC "Enable installing TLS-enabled nc(1)" OFF)
 option(ENABLE_VSTEST "Enable test on Visual Studio" OFF)
 set(OPENSSLDIR ${OPENSSLDIR} CACHE PATH "Set the default openssl directory" FORCE)
 
+if(NOT LIBRESSL_SKIP_INSTALL)
+	set( ENABLE_LIBRESSL_INSTALL ON )
+endif(NOT LIBRESSL_SKIP_INSTALL)
+
+
 set(BUILD_NC true)
 
 if(CMAKE_SYSTEM_NAME MATCHES "Darwin")

ChangeLog

@@ -28,7 +28,103 @@ history is also available from Git.
 
 LibreSSL Portable Release Notes:
 
-2.5.2 - OpenBSD 6.1 Release
+2.6.0 - New APIs, bug fixes and improvements
+
+	* Added support for providing CRLs to libtls. Once a CRL is provided we
+	  enable CRL checking for the full certificate chain. Based on a diff
+	  from Jack Burton
+
+	* Allow non-compliant clients using IP literal addresses with SNI
+	  to connect to a server using libtls.
+
+	* Avoid a potential NULL pointer dereference in d2i_ECPrivateKey().
+	  Reported by Robert Swiecki, who found the issue using honggfuzz.
+
+	* Added definitions for three OIDs used in EV certificates.
+	  From Kyle J. McKay
+
+	* Plugged a memory leak in tls_ocsp_free.
+
+	* Added tls_peer_cert_chain_pem, tls_cert_hash, and tls_hex_string to
+	  libtls, useful in private certificate validation callbacks such as
+	  those in relayd.
+
+	* Converted explicit lear/free sequences to use freezero(3).
+
+	* Reworked TLS certificate name verification code to more strictly
+	  follow RFC 6125.
+
+	* Cleaned up and simplified server key exchange EC point handling.
+
+	* Added tls_keypair_clear_key for clearing key material.
+
+	* Removed inconsistent IPv6 handling from BIO_get_accept_socket,
+	  simplified BIO_get_host_ip and BIO_accept.
+
+	* Fixed the openssl(1) ca command so that is generates certificates
+	  with RFC 5280-conformant time. Problem noticed by Harald Dunkel.
+
+	* Added ASN1_TIME_set_tm to set an asn1 from a struct tm *
+
+	* Added SSL{,_CTX}_set_{min,max}_proto_version() functions.
+
+	* Added HKDF (HMAC Key Derivation Function) from BoringSSL
+
+	* Providea a tls_unload_file() function that frees the memory returned
+	  from a tls_load_file() call, ensuring that it the contents become
+	  inaccessible. This is specifically needed on platforms where the
+	  library allocators may be different from the application allocator.
+
+	* Perform reference counting for tls_config. This allows
+	  tls_config_free() to be called as soon as it has been passed to the
+	  final tls_configure() call, simplifying lifetime tracking for the
+	  application.
+
+	* Moved internal state of SSL and other structures to be opaque.
+
+	* Dropped cipher suites with DSS authentication.
+
+	* nc(1) improvements, including:
+	   nc -W to terminate nc after receiving a number of packets
+	   nc -Z for saving the peer certificate and chain in a pem file
+
+2.5.5 - Bug fixes
+
+	* Distinguish between self-issued certificates and self-signed
+	  certificates. The certificate verification code has special cases
+	  for self-signed certificates and without this change, self-issued
+	  certificates (which it seems are common place with
+	  openvpn/easyrsa) were also being included in this category.
+
+	* Added getpagesize fallback, needed for Android bionic libc.
+
+2.5.4 - Security Updates
+
+	* Revert a previous change that forced consistency between return
+	  value and error code when specifing a certificate verification
+	  callback, since this breaks the documented API. When a user supplied
+	  callback always returns 1, and later code checks the error code to
+	  potentially abort post verification, this will result in incorrect
+	  successul certificate verification.
+
+	* Switched Linux getrandom() usage to non-blocking mode, continuing to
+	  use fallback mechanims if unsuccessful. This works around a design
+	  flaw in Linux getrandom(2) where early boot usage in a library makes
+	  it impossible to recover if getrandom(2) is not yet initialized.
+
+	* Fixed a bug caused by the return value being set early to signal
+	  successful DTLS cookie validation. This can mask a later failure and
+	  result in a positive return value being returned from
+	  ssl3_get_client_hello(), when it should return a negative value to
+	  propagate the error.
+
+	* Fixed a build error on non-x86/x86_64 systems running Solaris.
+
+2.5.3 - OpenBSD 6.1 Release
+
+	* Documentation updates
+
+	* Improved ocspcheck(1) error handling
 
 2.5.2 - Security features and bugfixes
 

README.md

@@ -131,3 +131,15 @@ install CMake, enter the LibreSSL source directory and run:
 
 This will generate a LibreSSL.sln file that you can incorporate into other
 projects or build by itself.
+
+#### Cmake - Additional Options ####
+
+| Option Name | Default | Description 
+| ------------ | -----: | ------ 
+|  LIBRESSL_SKIP_INSTALL | OFF | allows skipping install() rules.  Can be specified from command line using <br>```-DLIBRESSL_SKIP_INSTALL=ON``` |
+|  ENABLE_ASM | ON | builds assembly optimized rules. |
+|  ENABLE_EXTRATESTS | OFF | Enable extra tests that may be unreliable on some platforms |
+|  ENABLE_NC | OFF | Enable installing TLS-enabled nc(1) |
+|  ENABLE_VSTEST | OFF | Enable test on Visual Studio |
+|  OPENSSLDIR | Blank | Set the default openssl directory.  Can be specified from command line using <br>```-DOPENSSLDIR=<dirname>``` |
+

apps/nc/CMakeLists.txt

@@ -53,8 +53,10 @@ add_executable(nc ${NC_SRC})
 target_link_libraries(nc tls ${OPENSSL_LIBS})
 
 if(ENABLE_NC)
-	install(TARGETS nc DESTINATION bin)
+	if(ENABLE_LIBRESSL_INSTALL)
-	install(FILES nc.1 DESTINATION share/man/man1)
+		install(TARGETS nc DESTINATION ${CMAKE_INSTALL_BINDIR})
+		install(FILES nc.1 DESTINATION ${CMAKE_INSTALL_MANDIR}/man1)
+	endif(ENABLE_LIBRESSL_INSTALL)
 endif()
 
 endif()

apps/nc/Makefile.am

@@ -4,6 +4,7 @@ if BUILD_NC
 
 if ENABLE_NC
 bin_PROGRAMS = nc
+dist_man_MANS = nc.1
 else
 noinst_PROGRAMS = nc
 endif

apps/ocspcheck/CMakeLists.txt

@@ -36,7 +36,10 @@ endif()
 add_executable(ocspcheck ${OCSPCHECK_SRC})
 target_link_libraries(ocspcheck tls ${OPENSSL_LIBS})
 
-install(TARGETS ocspcheck DESTINATION bin)
+if(ENABLE_LIBRESSL_INSTALL)
-install(FILES ocspcheck.8 DESTINATION share/man/man8)
+	install(TARGETS ocspcheck DESTINATION ${CMAKE_INSTALL_BINDIR})
+	install(FILES ocspcheck.8 DESTINATION ${CMAKE_INSTALL_MANDIR}/man8)
+
+endif(ENABLE_LIBRESSL_INSTALL)
 
 endif()

apps/openssl/CMakeLists.txt

@@ -76,13 +76,17 @@ endif()
 add_executable(openssl ${OPENSSL_SRC})
 target_link_libraries(openssl ${OPENSSL_LIBS})
 
-install(TARGETS openssl DESTINATION bin)
+if(ENABLE_LIBRESSL_INSTALL)
-install(FILES openssl.1 DESTINATION share/man/man1)
+	install(TARGETS openssl DESTINATION ${CMAKE_INSTALL_BINDIR})
+	install(FILES openssl.1 DESTINATION ${CMAKE_INSTALL_MANDIR}/man1)
+endif(ENABLE_LIBRESSL_INSTALL)
 
 if(NOT "${OPENSSLDIR}" STREQUAL "")
 	set(CONF_DIR "${OPENSSLDIR}")
 else()
 	set(CONF_DIR "${CMAKE_INSTALL_PREFIX}/etc/ssl")
 endif()
+if(ENABLE_LIBRESSL_INSTALL)
 	install(FILES cert.pem openssl.cnf x509v3.cnf DESTINATION ${CONF_DIR})
 	install(DIRECTORY DESTINATION ${CONF_DIR}/cert)
+endif(ENABLE_LIBRESSL_INSTALL)

configure.ac

@@ -54,8 +54,6 @@ CHECK_CRYPTO_COMPAT
 CHECK_VA_COPY
 CHECK_B64_NTOP
 
-GENERATE_CRYPTO_PORTABLE_SYM
-
 AC_ARG_WITH([openssldir],
 	AS_HELP_STRING([--with-openssldir],
 		       [Set the default openssl directory]),
@@ -80,19 +78,15 @@ AC_TRY_COMPILE([#include "$srcdir/crypto/modes/modes_lcl.h"],
 	       BSWAP4=no)
 CFLAGS="$old_cflags"
 
-case $host_cpu in
+AS_CASE([$host_cpu],
-	*sparc*)
+	[*sparc*], [CPPFLAGS="$CPPFLAGS -D__STRICT_ALIGNMENT"],
-		CPPFLAGS="$CPPFLAGS -D__STRICT_ALIGNMENT"
+	[*arm*], AS_IF([test "x$BSWAP4" = "xyes"],,
-		;;
+		    CPPFLAGS="$CPPFLAGS -D__STRICT_ALIGNMENT"),
-	*arm*)
+	[*amd64*], [host_cpu=x86_64, HOSTARCH=intel],
-		AS_IF([test "x$BSWAP4" = "xyes"],,
+	[i?86], [HOSTARCH=intel],
-		    CPPFLAGS="$CPPFLAGS -D__STRICT_ALIGNMENT")
+	[x86_64], [HOSTARCH=intel]
-		;;
+)
-	*amd64*)
+AM_CONDITIONAL([HOST_CPU_IS_INTEL], [test "x$HOSTARCH" = "xintel"])
-		host_cpu=x86_64
-		;;
-
-esac
 
 AC_MSG_CHECKING([if .gnu.warning accepts long strings])
 AC_LINK_IFELSE([AC_LANG_SOURCE([[

crypto/CMakeLists.txt

@@ -463,6 +463,7 @@ set(
 	gost/gostr341001_pmeth.c
 	gost/gostr341194.c
 	gost/streebog.c
+	hkdf/hkdf.c
 	hmac/hm_ameth.c
 	hmac/hm_pmeth.c
 	hmac/hmac.c
@@ -681,6 +682,11 @@ if(NOT HAVE_ASPRINTF)
 	set(EXTRA_EXPORT ${EXTRA_EXPORT} vasprintf)
 endif()
 
+if(NOT HAVE_FREEZERO)
+	set(CRYPTO_SRC ${CRYPTO_SRC} compat/freezero.c)
+	set(EXTRA_EXPORT ${EXTRA_EXPORT} freezero)
+endif()
+
 if(NOT HAVE_GETPAGESIZE)
 	set(CRYPTO_SRC ${CRYPTO_SRC} compat/getpagesize.c)
 endif()
@@ -823,9 +829,13 @@ if (BUILD_SHARED)
 		ARCHIVE_OUTPUT_NAME crypto${CRYPTO_POSTFIX})
 	set_target_properties(crypto-shared PROPERTIES VERSION
 		${CRYPTO_VERSION} SOVERSION ${CRYPTO_MAJOR_VERSION})
-	install(TARGETS crypto crypto-shared DESTINATION lib)
+	if(ENABLE_LIBRESSL_INSTALL)
+		install(TARGETS crypto crypto-shared DESTINATION ${CMAKE_INSTALL_LIBDIR})
+	endif(ENABLE_LIBRESSL_INSTALL)
 else()
 	add_library(crypto STATIC ${CRYPTO_SRC})
-	install(TARGETS crypto DESTINATION lib)
+	if(ENABLE_LIBRESSL_INSTALL)
+		install(TARGETS crypto DESTINATION ${CMAKE_INSTALL_LIBDIR})
+	endif(ENABLE_LIBRESSL_INSTALL)
 endif()
 

crypto/Makefile.am

@@ -15,7 +15,84 @@ EXTRA_DIST += crypto.sym
 # needed for a CMake target
 EXTRA_DIST += compat/strcasecmp.c
 
-libcrypto_la_LDFLAGS = -version-info @LIBCRYPTO_VERSION@ -no-undefined -export-symbols $(top_srcdir)/crypto/crypto_portable.sym
+BUILT_SOURCES = crypto_portable.sym
+CLEANFILES = crypto_portable.sym
+
+crypto_portable.sym:
+	-echo "generating crypto_portable.sym ..."
+	-cp $(top_srcdir)/crypto/crypto.sym crypto_portable.sym
+	-chmod u+w crypto_portable.sym
+if !HAVE_ARC4RANDOM_BUF
+	-echo arc4random >> crypto_portable.sym
+	-echo arc4random_buf >> crypto_portable.sym
+	-echo arc4random_uniform >> crypto_portable.sym
+if !HAVE_GETENTROPY
+	-echo getentropy >> crypto_portable.sym
+endif
+endif
+if !HAVE_ASPRINTF
+	-echo asprintf >> crypto_portable.sym
+	-echo vasprintf >> crypto_portable.sym
+endif
+if !HAVE_EXPLICIT_BZERO
+	-echo explicit_bzero >> crypto_portable.sym
+endif
+if !HAVE_FREEZERO
+	-echo freezero >> crypto_portable.sym
+endif
+if !HAVE_INET_PTON
+	-echo inet_pton >> crypto_portable.sym
+endif
+if !HAVE_REALLOCARRAY
+	-echo reallocarray >> crypto_portable.sym
+endif
+if !HAVE_RECALLOCARRAY
+	-echo recallocarray >> crypto_portable.sym
+endif
+if !HAVE_STRLCAT
+	-echo strlcat >> crypto_portable.sym
+endif
+if !HAVE_STRLCPY
+	-echo strlcpy >> crypto_portable.sym
+endif
+if !HAVE_STRNDUP
+	-echo strndup >> crypto_portable.sym
+endif
+if !HAVE_STRNLEN
+	-echo strnlen >> crypto_portable.sym
+endif
+if !HAVE_STRSEP
+	-echo strsep >> crypto_portable.sym
+endif
+if !HAVE_TIMEGM
+	-echo timegm >> crypto_portable.sym
+endif
+if !HAVE_TIMINGSAFE_BCMP
+	-echo timingsafe_bcmp >> crypto_portable.sym
+endif
+if !HAVE_TIMINGSAFE_MEMCMP
+	-echo timingsafe_memcmp >> crypto_portable.sym
+endif
+if HOST_CPU_IS_INTEL
+	-echo OPENSSL_ia32cap_P >> crypto_portable.sym
+endif
+if HOST_WIN
+	-echo posix_perror >> crypto_portable.sym
+	-echo posix_fopen >> crypto_portable.sym
+	-echo posix_fgets >> crypto_portable.sym
+	-echo posix_open >> crypto_portable.sym
+	-echo posix_rename >> crypto_portable.sym
+	-echo posix_connect >> crypto_portable.sym
+	-echo posix_close >> crypto_portable.sym
+	-echo posix_read >> crypto_portable.sym
+	-echo posix_write >> crypto_portable.sym
+	-echo posix_getsockopt >> crypto_portable.sym
+	-echo posix_setsockopt >> crypto_portable.sym
+	-grep -v BIO_s_log crypto_portable.sym > crypto_portable.sym.tmp
+	-mv crypto_portable.sym.tmp crypto_portable.sym
+endif
+
+libcrypto_la_LDFLAGS = -version-info @LIBCRYPTO_VERSION@ -no-undefined -export-symbols crypto_portable.sym
 libcrypto_la_LIBADD = libcompat.la
 if !HAVE_EXPLICIT_BZERO
 libcrypto_la_LIBADD += libcompatnoopt.la
@@ -81,6 +158,10 @@ if !HAVE_ASPRINTF
 libcompat_la_SOURCES += compat/bsd-asprintf.c
 endif
 
+if !HAVE_FREEZERO
+libcompat_la_SOURCES += compat/freezero.c
+endif
+
 if !HAVE_GETPAGESIZE
 libcompat_la_SOURCES += compat/getpagesize.c
 endif
@@ -576,6 +657,9 @@ noinst_HEADERS += gost/gost.h
 noinst_HEADERS += gost/gost_asn1.h
 noinst_HEADERS += gost/gost_locl.h
 
+# hkdf
+libcrypto_la_SOURCES += hkdf/hkdf.c
+
 # hmac
 libcrypto_la_SOURCES += hmac/hm_ameth.c
 libcrypto_la_SOURCES += hmac/hm_pmeth.c

crypto/compat/freezero.c

@@ -0,0 +1,32 @@
+/*
+ * Copyright (c) 2008, 2010, 2011, 2016 Otto Moerbeek <otto@drijf.net>
+ * Copyright (c) 2012 Matthew Dempsky <matthew@openbsd.org>
+ * Copyright (c) 2008 Damien Miller <djm@openbsd.org>
+ * Copyright (c) 2000 Poul-Henning Kamp <phk@FreeBSD.org>
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+ * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+ * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+
+#include <string.h>
+#include <stdlib.h>
+
+void
+freezero(void *ptr, size_t sz)
+{
+	/* This is legal. */
+	if (ptr == NULL)
+		return;
+
+	explicit_bzero(ptr, sz);
+	free(ptr);
+}

crypto/compat/getpagesize.c

@@ -1,12 +1,18 @@
 /* $OpenBSD$ */
 
 #include <unistd.h>
+
+#ifdef _MSC_VER
 #include <windows.h>
+#endif
 
 int
-getpagesize(void)
+getpagesize(void) {
-{
+#ifdef _MSC_VER
 	SYSTEM_INFO system_info;
 	GetSystemInfo(&system_info);
 	return system_info.dwPageSize;
+#else
+	return sysconf(_SC_PAGESIZE);
+#endif
 }

dist.sh

@@ -4,4 +4,4 @@ set -e
 rm -f man/*.1 man/*.3 include/openssl/*.h
 ./autogen.sh
 ./configure
-make distcheck
+make -j2 distcheck

include/CMakeLists.txt

@@ -1,5 +1,7 @@
+if(ENABLE_LIBRESSL_INSTALL)
 	install(DIRECTORY .
-        DESTINATION include
+	        DESTINATION ${CMAKE_INSTALL_INCLUDEDIR}
 	        PATTERN "CMakeLists.txt" EXCLUDE
 	        PATTERN "compat" EXCLUDE
 	        PATTERN "Makefile*" EXCLUDE)
+endif(ENABLE_LIBRESSL_INSTALL)

include/compat/stdlib.h

@@ -25,6 +25,10 @@ void arc4random_buf(void *_buf, size_t n);
 uint32_t arc4random_uniform(uint32_t upper_bound);
 #endif
 
+#ifndef HAVE_FREEZERO
+void freezero(void *ptr, size_t sz);
+#endif
+
 #ifndef HAVE_REALLOCARRAY
 void *reallocarray(void *, size_t, size_t);
 #endif

include/compat/sys/types.h

@@ -20,12 +20,14 @@
 
 #ifdef __MINGW32__
 #include <_bsd_types.h>
+typedef uint32_t        in_addr_t;
 #endif
 
 #ifdef _MSC_VER
 typedef unsigned char   u_char;
 typedef unsigned short  u_short;
 typedef unsigned int    u_int;
+typedef uint32_t        in_addr_t;
 
 #include <basetsd.h>
 typedef SSIZE_T ssize_t;

libcrypto.pc.in

@@ -5,8 +5,8 @@ exec_prefix=@exec_prefix@
 libdir=@libdir@
 includedir=@includedir@
 
-Name: LibreSSL-libssl
+Name: LibreSSL-libcrypto
-Description: Secure Sockets Layer and cryptography libraries
+Description: LibreSSL cryptography library
 Version: @VERSION@
 Requires:
 Conflicts:

m4/check-libc.m4

@@ -2,11 +2,12 @@ AC_DEFUN([CHECK_LIBC_COMPAT], [
 # Check for libc headers
 AC_CHECK_HEADERS([err.h readpassphrase.h])
 # Check for general libc functions
-AC_CHECK_FUNCS([asprintf getpagesize inet_ntop inet_pton memmem readpassphrase])
+AC_CHECK_FUNCS([asprintf freezero getpagesize inet_ntop inet_pton memmem])
-AC_CHECK_FUNCS([reallocarray recallocarray])
+AC_CHECK_FUNCS([readpassphrase reallocarray recallocarray])
 AC_CHECK_FUNCS([strlcat strlcpy strndup strnlen strsep strtonum])
 AC_CHECK_FUNCS([timegm _mkgmtime])
 AM_CONDITIONAL([HAVE_ASPRINTF], [test "x$ac_cv_func_asprintf" = xyes])
+AM_CONDITIONAL([HAVE_FREEZERO], [test "x$ac_cv_func_freezero" = xyes])
 AM_CONDITIONAL([HAVE_GETPAGESIZE], [test "x$ac_cv_func_getpagesize" = xyes])
 AM_CONDITIONAL([HAVE_INET_NTOP], [test "x$ac_cv_func_inet_ntop" = xyes])
 AM_CONDITIONAL([HAVE_INET_PTON], [test "x$ac_cv_func_inet_pton" = xyes])
@@ -147,76 +148,3 @@ if test "x$ac_cv_have___va_copy" = "xyes" ; then
 	AC_DEFINE([HAVE___VA_COPY], [1], [Define if __va_copy exists])
 fi
 ])
-
-AC_DEFUN([GENERATE_CRYPTO_PORTABLE_SYM], [
-crypto_sym=$srcdir/crypto/crypto.sym
-crypto_p_sym=$srcdir/crypto/crypto_portable.sym
-echo "generating $crypto_p_sym ..."
-chmod u+w $srcdir/crypto
-cp $crypto_sym $crypto_p_sym
-chmod u+w $crypto_p_sym
-if test "x$ac_cv_func_arc4random_buf" = "xno" ; then
-	echo arc4random >> $crypto_p_sym
-	echo arc4random_buf >> $crypto_p_sym
-	echo arc4random_uniform >> $crypto_p_sym
-	if test "x$ac_cv_func_getentropy" = "xno" ; then
-		echo getentropy >> $crypto_p_sym
-	fi
-fi
-if test "x$ac_cv_func_asprintf" = "xno" ; then
-	echo asprintf >> $crypto_p_sym
-	echo vasprintf >> $crypto_p_sym
-fi
-if test "x$ac_cv_func_explicit_bzero" = "xno" ; then
-	echo explicit_bzero >> $crypto_p_sym
-fi
-if test "x$ac_cv_func_inet_pton" = "xno" ; then
-	echo inet_pton >> $crypto_p_sym
-fi
-if test "x$ac_cv_func_reallocarray" = "xno" ; then
-	echo reallocarray >> $crypto_p_sym
-fi
-if test "x$ac_cv_func_recallocarray" = "xno" ; then
-	echo recallocarray >> $crypto_p_sym
-fi
-if test "x$ac_cv_func_strlcat" = "xno" ; then
-	echo strlcat >> $crypto_p_sym
-fi
-if test "x$ac_cv_func_strlcpy" = "xno" ; then
-	echo strlcpy >> $crypto_p_sym
-fi
-if test "x$ac_cv_func_strndup" = "xno" ; then
-	echo strndup >> $crypto_p_sym
-fi
-if test "x$ac_cv_func_strnlen" = "xno" ; then
-	echo strnlen >> $crypto_p_sym
-fi
-if test "x$ac_cv_func_strsep" = "xno" ; then
-	echo strsep >> $crypto_p_sym
-fi
-if test "x$ac_cv_func_timegm" = "xno" ; then
-	echo timegm >> $crypto_p_sym
-fi
-if test "x$ac_cv_func_timingsafe_bcmp" = "xno" ; then
-	echo timingsafe_bcmp >> $crypto_p_sym
-fi
-if test "x$ac_cv_func_timingsafe_memcmp" = "xno" ; then
-	echo timingsafe_memcmp >> $crypto_p_sym
-fi
-if test "x$HOST_OS" = "xwin" ; then
-	echo posix_perror >> $crypto_p_sym
-	echo posix_fopen >> $crypto_p_sym
-	echo posix_fgets >> $crypto_p_sym
-	echo posix_open >> $crypto_p_sym
-	echo posix_rename >> $crypto_p_sym
-	echo posix_connect >> $crypto_p_sym
-	echo posix_close >> $crypto_p_sym
-	echo posix_read >> $crypto_p_sym
-	echo posix_write >> $crypto_p_sym
-	echo posix_getsockopt >> $crypto_p_sym
-	echo posix_setsockopt >> $crypto_p_sym
-
-	grep -v BIO_s_log $crypto_p_sym > $crypto_p_sym.tmp
-	mv $crypto_p_sym.tmp $crypto_p_sym
-fi
-])

m4/check-os-options.m4

@@ -106,13 +106,12 @@ char buf[1]; getentropy(buf, 1);
 		CPPFLAGS="$CPPFLAGS -D_REENTRANT -D_POSIX_THREAD_SAFE_FUNCTIONS"
 		CPPFLAGS="$CPPFLAGS -DWIN32_LEAN_AND_MEAN -D_WIN32_WINNT=0x0501"
 		CPPFLAGS="$CPPFLAGS -DOPENSSL_NO_SPEED"
-		CFLAGS="$CFLAGS -static-libgcc"
-		LDFLAGS="$LDFLAGS -static-libgcc"
 		AC_SUBST([PLATFORM_LDADD], ['-lws2_32'])
 		;;
 	*solaris*)
 		HOST_OS=solaris
 		HOST_ABI=elf
+		CFLAGS="$CFLAGS -m64"
 		CPPFLAGS="$CPPFLAGS -D__EXTENSIONS__ -D_XOPEN_SOURCE=600 -DBSD_COMP"
 		AC_SUBST([PLATFORM_LDADD], ['-lnsl -lsocket'])
 		;;

man/CMakeLists.txt

@@ -1,9 +1,11 @@
+if(ENABLE_LIBRESSL_INSTALL)
 	install(DIRECTORY .
-    DESTINATION share/man/man3
+	    DESTINATION ${CMAKE_INSTALL_MANDIR}/man3
 	    FILES_MATCHING PATTERN "*.3"
 	    )
 
 	install(DIRECTORY .
-    DESTINATION share/man/man1
+	    DESTINATION ${CMAKE_INSTALL_MANDIR}/man1
 	    FILES_MATCHING PATTERN "*.1"
 	    )
+endif(ENABLE_LIBRESSL_INSTALL)

patches/http.c.patch

@@ -0,0 +1,12 @@
+--- apps/ocspcheck/http.c.orig	Sun Jun  4 00:45:29 2017
++++ apps/ocspcheck/http.c	Sun Jun  4 00:45:57 2017
+@@ -35,7 +35,9 @@
+ #include "http.h"
+ #include <tls.h>
+ 
++#ifndef DEFAULT_CA_FILE
+ #define DEFAULT_CA_FILE "/etc/ssl/cert.pem"
++#endif
+ 
+ /*
+  * A buffer for transferring HTTP/S data.

patches/netcat.c.patch

@@ -1,6 +1,6 @@
---- apps/nc/netcat.c.orig	Thu Mar 16 19:26:06 2017
+--- apps/nc/netcat.c.orig	2017-07-07 00:10:09.009409624 +0900
-+++ apps/nc/netcat.c	Sat Mar 25 11:17:36 2017
++++ apps/nc/netcat.c	2017-07-07 00:30:32.380088772 +0900
-@@ -65,7 +65,9 @@
+@@ -66,7 +66,9 @@
  #define POLL_NETIN	2
  #define POLL_STDOUT	3
  #define BUFSIZE		16384
@@ -10,7 +10,7 @@
  
  #define TLS_ALL	(1 << 1)
  #define TLS_NOVERIFY	(1 << 2)
-@@ -93,9 +95,13 @@
+@@ -94,9 +96,13 @@ int	zflag;					/* Port Scan Flag */
  int	Dflag;					/* sodebug */
  int	Iflag;					/* TCP receive buffer size */
  int	Oflag;					/* TCP send buffer size */
@@ -24,16 +24,7 @@
  
  int	usetls;					/* use TLS */
  char    *Cflag;					/* Public cert file */
-@@ -149,7 +155,7 @@
+@@ -265,12 +271,14 @@ main(int argc, char *argv[])
- 	struct servent *sv;
- 	socklen_t len;
- 	struct sockaddr_storage cliaddr;
--	char *proxy, *proxyport = NULL;
-+	char *proxy = NULL, *proxyport = NULL;
- 	const char *errstr;
- 	struct addrinfo proxyhints;
- 	char unix_dg_tmp_socket_buf[UNIX_DG_TMP_SOCKET_SIZE];
-@@ -259,12 +265,14 @@
  		case 'u':
  			uflag = 1;
  			break;
@@ -48,7 +39,7 @@
  		case 'v':
  			vflag = 1;
  			break;
-@@ -300,9 +308,11 @@
+@@ -317,9 +325,11 @@ main(int argc, char *argv[])
  		case 'o':
  			oflag = optarg;
  			break;
@@ -60,7 +51,7 @@
  		case 'T':
  			errstr = NULL;
  			errno = 0;
-@@ -326,9 +336,11 @@
+@@ -343,9 +353,11 @@ main(int argc, char *argv[])
  	argc -= optind;
  	argv += optind;
  
@@ -72,7 +63,7 @@
  
  	if (family == AF_UNIX) {
  		if (pledge("stdio rpath wpath cpath tmppath unix", NULL) == -1)
-@@ -865,7 +877,10 @@
+@@ -888,7 +900,10 @@ int
  remote_connect(const char *host, const char *port, struct addrinfo hints)
  {
  	struct addrinfo *res, *res0;
@@ -84,7 +75,7 @@
  
  	if ((error = getaddrinfo(host, port, &hints, &res0)))
  		errx(1, "getaddrinfo for host \"%s\" port %s: %s", host,
-@@ -880,8 +895,10 @@
+@@ -903,8 +918,10 @@ remote_connect(const char *host, const c
  		if (sflag || pflag) {
  			struct addrinfo ahints, *ares;
  
@@ -95,7 +86,7 @@
  			memset(&ahints, 0, sizeof(struct addrinfo));
  			ahints.ai_family = res->ai_family;
  			ahints.ai_socktype = uflag ? SOCK_DGRAM : SOCK_STREAM;
-@@ -952,7 +969,10 @@
+@@ -975,7 +992,10 @@ int
  local_listen(char *host, char *port, struct addrinfo hints)
  {
  	struct addrinfo *res, *res0;
@@ -107,7 +98,7 @@
  	int error;
  
  	/* Allow nodename to be null. */
-@@ -973,9 +993,11 @@
+@@ -996,9 +1016,11 @@ local_listen(char *host, char *port, str
  		    res->ai_protocol)) < 0)
  			continue;
  
@@ -119,7 +110,7 @@
  
  		set_common_sockopts(s, res->ai_family);
  
-@@ -1425,11 +1447,13 @@
+@@ -1454,11 +1476,13 @@ set_common_sockopts(int s, int af)
  {
  	int x = 1;
  
@@ -133,7 +124,24 @@
  	if (Dflag) {
  		if (setsockopt(s, SOL_SOCKET, SO_DEBUG,
  			&x, sizeof(x)) == -1)
-@@ -1466,13 +1490,17 @@
+@@ -1469,9 +1493,16 @@ set_common_sockopts(int s, int af)
+ 		    IP_TOS, &Tflag, sizeof(Tflag)) == -1)
+ 			err(1, "set IP ToS");
+ 
++#ifdef IPV6_TCLASS
+ 		else if (af == AF_INET6 && setsockopt(s, IPPROTO_IPV6,
+ 		    IPV6_TCLASS, &Tflag, sizeof(Tflag)) == -1)
+ 			err(1, "set IPv6 traffic class");
++#else
++		else if (af == AF_INET6) {
++			errno = ENOPROTOOPT
++			err(1, "set IPv6 traffic class not supported");
++		}
++#endif
+ 	}
+ 	if (Iflag) {
+ 		if (setsockopt(s, SOL_SOCKET, SO_RCVBUF,
+@@ -1495,13 +1526,17 @@ set_common_sockopts(int s, int af)
  	}
  
  	if (minttl != -1) {
@@ -152,7 +160,7 @@
  	}
  }
  
-@@ -1666,14 +1694,22 @@
+@@ -1709,14 +1744,22 @@ help(void)
  	\t-P proxyuser\tUsername for proxy authentication\n\
  	\t-p port\t	Specify local port for remote connects\n\
  	\t-R CAfile	CA bundle\n\
@@ -177,5 +185,5 @@
 +#endif
 +	"\
  	\t-v		Verbose\n\
+ 	\t-W recvlimit	Terminate after receiving a number of packets\n\
  	\t-w timeout	Timeout for connects and final net reads\n\
- 	\t-X proto	Proxy protocol: \"4\", \"5\" (SOCKS) or \"connect\"\n\

ssl/CMakeLists.txt

@@ -60,8 +60,12 @@ if (BUILD_SHARED)
 		ARCHIVE_OUTPUT_NAME ssl${SSL_POSTFIX})
 	set_target_properties(ssl-shared PROPERTIES VERSION ${SSL_VERSION}
 		SOVERSION ${SSL_MAJOR_VERSION})
-	install(TARGETS ssl ssl-shared DESTINATION lib)
+	if(ENABLE_LIBRESSL_INSTALL)
+		install(TARGETS ssl ssl-shared DESTINATION ${CMAKE_INSTALL_LIBDIR})
+	endif(ENABLE_LIBRESSL_INSTALL)
 else()
 	add_library(ssl STATIC ${SSL_SRC})
-	install(TARGETS ssl DESTINATION lib)
+	if(ENABLE_LIBRESSL_INSTALL)
+		install(TARGETS ssl DESTINATION ${CMAKE_INSTALL_LIBDIR})
+	endif(ENABLE_LIBRESSL_INSTALL)
 endif()

tests/CMakeLists.txt

@@ -178,6 +178,11 @@ add_executable(gost2814789t gost2814789t.c)
 target_link_libraries(gost2814789t ${TESTS_LIBS})
 add_test(gost2814789t gost2814789t)
 
+# hkdf_test
+add_executable(hkdf_test hkdf_test.c)
+target_link_libraries(hkdf_test ${TESTS_LIBS})
+add_test(hkdf_test hkdf_test)
+
 # hmactest
 add_executable(hmactest hmactest.c)
 target_link_libraries(hmactest ${TESTS_LIBS})

tests/Makefile.am

@@ -184,6 +184,11 @@ TESTS += gost2814789t
 check_PROGRAMS += gost2814789t
 gost2814789t_SOURCES = gost2814789t.c
 
+# hkdf_test
+TESTS += hkdftest
+check_PROGRAMS += hkdftest
+hkdftest_SOURCES = hkdf_test.c
+
 # hmactest
 TESTS += hmactest
 check_PROGRAMS += hmactest

tests/tlstest.bat

@@ -9,7 +9,7 @@ if "%srcdir%"=="" (
 	set srcdir=.
 )
 
-%tlstest_bin% %srcdir%\server.pem %srcdir%\server.pem %srcdir%\ca.pem
+%tlstest_bin% %srcdir%\ca.pem %srcdir%\server.pem %srcdir%\server.pem
 if !errorlevel! neq 0 (
 	exit /b 1
 )

tests/tlstest.sh

@@ -10,4 +10,4 @@ if [ -z $srcdir ]; then
 	srcdir=.
 fi
 
-$tlstest_bin $srcdir/server.pem $srcdir/server.pem $srcdir/ca.pem
+$tlstest_bin $srcdir/ca.pem $srcdir/server.pem $srcdir/server.pem

tls/CMakeLists.txt

@@ -39,9 +39,13 @@ if (BUILD_SHARED)
 		ARCHIVE_OUTPUT_NAME tls${TLS_POSTFIX})
 	set_target_properties(tls-shared PROPERTIES VERSION ${TLS_VERSION}
 		SOVERSION ${TLS_MAJOR_VERSION})
-	install(TARGETS tls tls-shared DESTINATION lib)
+	if(ENABLE_LIBRESSL_INSTALL)
+		install(TARGETS tls tls-shared DESTINATION ${CMAKE_INSTALL_LIBDIR})
+	endif(ENABLE_LIBRESSL_INSTALL)
 else()
 	add_library(tls STATIC ${TLS_SRC})
-	install(TARGETS tls DESTINATION lib)
+	if(ENABLE_LIBRESSL_INSTALL)
+		install(TARGETS tls DESTINATION ${CMAKE_INSTALL_LIBDIR})
+	endif(ENABLE_LIBRESSL_INSTALL)
 endif()
 

update.sh

@@ -18,16 +18,17 @@ fi
 
 # setup source paths
 CWD=`pwd`
-libc_src=$CWD/openbsd/src/lib/libc
+OPENBSD_SRC=$CWD/openbsd/src
-libc_regress=$CWD/openbsd/src/regress/lib/libc
+libc_src=$OPENBSD_SRC/lib/libc
-libcrypto_src=$CWD/openbsd/src/lib/libcrypto
+libc_regress=$OPENBSD_SRC/regress/lib/libc
-libcrypto_regress=$CWD/openbsd/src/regress/lib/libcrypto
+libcrypto_src=$OPENBSD_SRC/lib/libcrypto
-libssl_src=$CWD/openbsd/src/lib/libssl
+libcrypto_regress=$OPENBSD_SRC/regress/lib/libcrypto
-libssl_regress=$CWD/openbsd/src/regress/lib/libssl
+libssl_src=$OPENBSD_SRC/lib/libssl
-libtls_src=$CWD/openbsd/src/lib/libtls
+libssl_regress=$OPENBSD_SRC/regress/lib/libssl
-libtls_regress=$CWD/openbsd/src/regress/lib/libtls
+libtls_src=$OPENBSD_SRC/lib/libtls
-bin_src=$CWD/openbsd/src/usr.bin
+libtls_regress=$OPENBSD_SRC/regress/lib/libtls
-sbin_src=$CWD/openbsd/src/usr.sbin
+bin_src=$OPENBSD_SRC/usr.bin
+sbin_src=$OPENBSD_SRC/usr.sbin
 
 # load library versions
 . $libcrypto_src/shlib_version
@@ -62,6 +63,10 @@ do_cp_libc() {
 CP_LIBC='do_cp_libc'
 
 CP='cp -p'
+GREP='grep'
+if [ -x /opt/csw/bin/ggrep ]; then
+	GREP='/opt/csw/bin/ggrep'
+fi
 
 $CP $libssl_src/LICENSE COPYING
 
@@ -120,7 +125,7 @@ copy_hdrs $libcrypto_src "stack/stack.h lhash/lhash.h stack/safestack.h
 	ossl_typ.h err/err.h crypto.h comp/comp.h x509/x509.h buffer/buffer.h
 	objects/objects.h asn1/asn1.h bn/bn.h ec/ec.h ecdsa/ecdsa.h
 	ecdh/ecdh.h rsa/rsa.h sha/sha.h x509/x509_vfy.h pkcs7/pkcs7.h pem/pem.h
-	pem/pem2.h hmac/hmac.h rand/rand.h md5/md5.h
+	pem/pem2.h hkdf/hkdf.h hmac/hmac.h rand/rand.h md5/md5.h
 	asn1/asn1_mac.h x509v3/x509v3.h conf/conf.h ocsp/ocsp.h
 	aes/aes.h modes/modes.h asn1/asn1t.h dso/dso.h bf/blowfish.h
 	bio/bio.h cast/cast.h cmac/cmac.h conf/conf_api.h des/des.h dh/dh.h
@@ -151,7 +156,7 @@ done
 $CP crypto/compat/b_win.c crypto/bio
 $CP crypto/compat/ui_openssl_win.c crypto/ui
 # add the libcrypto symbol export list
-grep '^[[:alpha:]]' < $libcrypto_src/Symbols.list > crypto/crypto.sym
+$GREP -v OPENSSL_ia32cap_P $libcrypto_src/Symbols.list | $GREP '^[[:alpha:]]' > crypto/crypto.sym
 
 # generate assembly crypto algorithms
 asm_src=$libcrypto_src
@@ -206,7 +211,7 @@ for i in `awk '/SOURCES|HEADERS/ { print $3 }' tls/Makefile.am` ; do
 	fi
 done
 # add the libtls symbol export list
-grep '^[[:alpha:]]' < $libtls_src/Symbols.list > tls/tls.sym
+$GREP '^[[:alpha:]]' < $libtls_src/Symbols.list > tls/tls.sym
 
 mkdir -p libtls-standalone/m4
 $CP m4/check*.m4 \
@@ -259,7 +264,7 @@ for i in `awk '/SOURCES|HEADERS/ { print $3 }' ssl/Makefile.am` ; do
 	$CP $libssl_src/$i ssl
 done
 # add the libssl symbol export list
-grep '^[[:alpha:]]' < $libssl_src/Symbols.list > ssl/ssl.sym
+$GREP '^[[:alpha:]]' < $libssl_src/Symbols.list > ssl/ssl.sym
 
 # copy libcrypto tests
 echo "copying tests"
@@ -304,7 +309,7 @@ add_man_links() {
 	filter=$1
 	dest=$2
 	echo "install-data-hook:" >> $dest
-	for i in `grep $filter man/links`; do
+	for i in `$GREP $filter man/links`; do
 		IFS=","; set $i; unset IFS
 		if [ "$2" != "" ]; then
 			echo "	ln -sf \"$1\" \"\$(DESTDIR)\$(mandir)/man3/$2\"" >> $dest
@@ -312,7 +317,7 @@ add_man_links() {
 	done
 	echo "" >> $dest
 	echo "uninstall-local:" >> $dest
-	for i in `grep $filter man/links`; do
+	for i in `$GREP $filter man/links`; do
 		IFS=","; set $i; unset IFS
 		if [ "$2" != "" ]; then
 			echo "	-rm -f \"\$(DESTDIR)\$(mandir)/man3/$2\"" >> $dest