update release notes

pqueue.h was getting installed when it shouldn't.
pkgconfig files were not getting installed or generated.

.gitignore

@@ -45,6 +45,7 @@ Makefile.in
 # man pages
 *.1
 *.3
+*.5
 
 # tests
 test-driver
@@ -55,6 +56,7 @@ tests/arc4random_fork*
 tests/asn1time*
 tests/cipher*
 tests/explicit_bzero*
+tests/freenull*
 tests/gost2814789t*
 tests/mont*
 tests/rfc5280time*

CMakeLists.txt

@@ -109,14 +109,20 @@ if(MSVC)
 		set(MSVC_DISABLED_WARNINGS_LIST
 			"C4057" # C4057: 'initializing' : 'unsigned char *' differs in
 		        	# indirection to slightly different base types from 'char [2]'
+			"C4018" # '>=': signed/unsigned mismatch
 			"C4100" # 'exarg' : unreferenced formal parameter
 			"C4127" # conditional expression is constant
+			"C4146" # unary minus operator applied to unsigned
+			        # type, result still unsigned
 			"C4242" # 'function' : conversion from 'int' to 'uint8_t',
 			        # possible loss of data
 			"C4244" # 'function' : conversion from 'int' to 'uint8_t',
 			        # possible loss of data
+			"C4245" # 'initializing': conversion from 'long' to
+			        # 'unsigned long', signed/unsigned mismatch
 			"C4267" # conversion from 'size_t' to 'some type that is almost
 				# certainly safe to convert a size_t to'.
+			"C4389" # '!=': signed/unsigned mismatch
 			"C4706" # assignment within conditional expression
 			"C4820" # 'bytes' bytes padding added after construct 'member_name'
 			"C4996" # 'read': The POSIX name for this item is deprecated. Instead,
@@ -300,6 +306,7 @@ endif()
 check_type_size(time_t SIZEOF_TIME_T)
 if(SIZEOF_TIME_T STREQUAL "4")
 	set(SMALL_TIME_T true)
+	add_definitions(-DSMALL_TIME_T)
 	message(WARNING " ** Warning, this system is unable to represent times past 2038\n"
 	                " ** It will behave incorrectly when handling valid RFC5280 dates")
 endif()
@@ -317,6 +324,23 @@ if(NOT MSVC OR ENABLE_VSTEST)
 	add_subdirectory(tests)
 endif()
 
+if(NOT MSVC)
+	# Create pkgconfig files.
+	set(prefix      ${CMAKE_INSTALL_PREFIX})
+	set(exec_prefix \${prefix})
+	set(libdir      \${exec_prefix}/${CMAKE_INSTALL_LIBDIR})
+	set(includedir  \${prefix}/include)
+	file(STRINGS    "VERSION" VERSION LIMIT_COUNT 1)
+	file(GLOB       OPENSSL_PKGCONFIGS "*.pc.in")
+	foreach(file ${OPENSSL_PKGCONFIGS})
+		get_filename_component(filename ${file} NAME)
+		string(REPLACE ".in" "" new_file "${filename}")
+		configure_file(${filename} pkgconfig/${new_file} @ONLY)
+	endforeach()
+	install(DIRECTORY ${CMAKE_CURRENT_BINARY_DIR}/pkgconfig
+		DESTINATION ${CMAKE_INSTALL_LIBDIR})
+endif()
+
 configure_file(
 	"${CMAKE_CURRENT_SOURCE_DIR}/cmake_uninstall.cmake.in"
 	"${CMAKE_CURRENT_BINARY_DIR}/cmake_uninstall.cmake"

ChangeLog

@@ -28,6 +28,81 @@ history is also available from Git.
 
 LibreSSL Portable Release Notes:
 
+2.6.2 - Bug fixes
+
+	* Provide a useful error with libtls if there are no OCSP URLs in a
+	  peer certificate.
+
+	* Keep track of which keypair is in use by a TLS context, fixing a bug
+	  where a TLS server with SNI would only return the OCSP staple for the
+	  default keypair. Issue reported by William Graeber and confirmed by
+	  Andreas Bartelt.
+
+	* Fixed various issues in the OCSP extension parsing code.
+	  The original code incorrectly passes the pointer allocated via
+	  CBS_stow() (using malloc()) to a d2i_*() function and then calls
+	  free() on the now incremented pointer, most likely resulting in a
+	  crash. This issue was reported by Robert Swiecki who found the issue
+	  using honggfuzz.
+
+	* If tls_config_parse_protocols() is called with a NULL pointer,
+	  return the default protocols instead of crashing - this makes the
+	  behaviour more useful and mirrors what we already do in
+	  tls_config_set_ciphers() et al.
+
+2.6.1 - Code removal, rewrites
+
+	* Added a "-T tlscompat" option to nc(1), which enables the use of all
+	  TLS protocols and "compat" ciphers. This allows for TLS connections
+	  to TLS servers that are using less than ideal cipher suites, without
+	  having to resort to "-T tlsall" which enables all known cipher
+	  suites.  Diff from Kyle J. McKay.
+
+	* Added a new TLS extension handling framework, somewhat analogous to
+	  BoringSSL, and converted all TLS extensions to use it. Added new TLS
+	  extension regression tests.
+
+	* Improved and added many new manpages. Updated *check_private_key
+	  manpages with additional cautions regarding their use.
+
+	* Cleaned up the EC key/curve configuration handling.
+
+	* Added tls_config_set_ecdhecurves() to libtls, which allows the names
+	  of the eliptical curves that may be used during client and server
+	  key exchange to be specified.
+
+	* Converted more code paths to use CBB/CBS.
+
+	* Removed support for DSS/DSA, since we removed the cipher suites a
+	  while back.
+
+	* Removed NPN support. NPN was never standardised and the last draft
+	  expired in October 2012. ALPN was standardised in July 2014 and has
+	  been supported in LibreSSL since December 2014. NPN has also been
+	  removed from Chromium in May 2016.
+
+	* Removed SSL_OP_CRYPTOPRO_TLSEXT_BUG workaround for old/broken
+	  CryptoPro clients.
+
+	* Removed support for the TLS padding extension, which was added as a
+	  workaround for an old bug in F5's TLS termination.
+
+	* Worked around another bug in F5's TLS termination handling of the
+	  elliptical curves extension. RFC 4492 only defines elliptic_curves
+	  for ClientHello. However, F5 is sending it in ServerHello.  We need
+	  to skip over it since our TLS extension parsing code is now more
+	  strict. Thanks to Armin Wolfermann and WJ Liu for reporting.
+
+	* Added ability to clamp notafter valies in certificates for systems
+	  with 32-bit time_t. This is necessary to conform to RFC 5280
+	  4.1.2.5.
+
+	* Implemented the SSL_CTX_set_min_proto_version(3) API.
+
+	* Removed the original (pre-IETF) chacha20-poly1305 cipher suites.
+
+	* Reclassified ECDHE-RSA-DES-CBC3-SHA from HIGH to MEDIUM.
+
 2.6.0 - New APIs, bug fixes and improvements
 
 	* Added support for providing CRLs to libtls. Once a CRL is provided we
@@ -43,13 +118,10 @@ LibreSSL Portable Release Notes:
 	* Added definitions for three OIDs used in EV certificates.
 	  From Kyle J. McKay
 
-	* Plugged a memory leak in tls_ocsp_free.
+	* Added tls_peer_cert_chain_pem to libtls, useful in private
+	  certificate validation callbacks such as those in relayd.
 
-	* Added tls_peer_cert_chain_pem, tls_cert_hash, and tls_hex_string to
-	  libtls, useful in private certificate validation callbacks such as
-	  those in relayd.
-
-	* Converted explicit lear/free sequences to use freezero(3).
+	* Converted explicit clear/free sequences to use freezero(3).
 
 	* Reworked TLS certificate name verification code to more strictly
 	  follow RFC 6125.
@@ -70,7 +142,7 @@ LibreSSL Portable Release Notes:
 
 	* Added HKDF (HMAC Key Derivation Function) from BoringSSL
 
-	* Providea a tls_unload_file() function that frees the memory returned
+	* Provided a tls_unload_file() function that frees the memory returned
 	  from a tls_load_file() call, ensuring that it the contents become
 	  inaccessible. This is specifically needed on platforms where the
 	  library allocators may be different from the application allocator.

README.md

@@ -56,20 +56,25 @@ or to the github
 Severe vulnerabilities or bugs requiring coordination with OpenSSL can be
 sent to the core team at libressl-security@openbsd.org.
 
-## Prerequisites when building from git ##
+# Building LibreSSL #
 
-If you have checked this source using Git, follow these initial steps to
-prepare the source tree for building:
+## Prerequisites when building from a Git checkout ##
+
+If you have checked this source using Git, or have downloaded a source tarball
+from Github, follow these initial steps to prepare the source tree for
+building. _Note: Your build will fail if you do not follow these instructions! If you cannot follow these instructions (e.g. Windows system using CMake) or cannot meet these prerequistes, please download an official release distribution from https://ftp.openbsd.org/pub/OpenBSD/LibreSSL/ instead. Using official releases is strongly advised if you are not a developer._
 
 1. Ensure you have the following packages installed:
-   automake, autoconf, git, libtool, perl, pod2man
+   automake, autoconf, git, libtool, perl
 2. Run './autogen.sh' to prepare the source tree for building or
    run './dist.sh' to prepare a tarball.
 
-## Building LibreSSL ##
+## Steps that apply to all builds ##
 
-Once you have a source tree from Git or FTP, run these commands to build and
-install the package on most systems:
+Once you have a source tree, either by downloaded using git and having
+run the autogen.sh script above, or by downloading a release distribution from
+an OpenBSD mirror, run these commands to build and install the package on most
+systems:
 
 ```sh
 ./configure   # see ./configure --help for configuration options
@@ -119,9 +124,9 @@ should work. See README.windows for more information
 
 #### Windows - Visual Studio ####
 
-LibreSSL builds using the CMake target "Visual Studio 12 2013", and may build
-against older/newer targets as well. To generate a Visual Studio project,
-install CMake, enter the LibreSSL source directory and run:
+LibreSSL builds using the CMake target "Visual Studio 12 2013" and newer. To
+generate a Visual Studio project, install CMake, enter the LibreSSL source
+directory and run:
 
 ```sh
  mkdir build-vs2013
@@ -129,13 +134,14 @@ install CMake, enter the LibreSSL source directory and run:
  cmake -G"Visual Studio 12 2013" ..
 ```
 
-This will generate a LibreSSL.sln file that you can incorporate into other
-projects or build by itself.
+Replace "Visual Studion 12 2013" with whatever version of Visual Studio you
+have installed. This will generate a LibreSSL.sln file that you can incorporate
+into other projects or build by itself.
 
 #### Cmake - Additional Options ####
 
-| Option Name | Default | Description 
-| ------------ | -----: | ------ 
+| Option Name | Default | Description
+| ------------ | -----: | ------
 |  LIBRESSL_SKIP_INSTALL | OFF | allows skipping install() rules.  Can be specified from command line using <br>```-DLIBRESSL_SKIP_INSTALL=ON``` |
 |  ENABLE_ASM | ON | builds assembly optimized rules. |
 |  ENABLE_EXTRATESTS | OFF | Enable extra tests that may be unreliable on some platforms |

apps/openssl/compat/poll_win.c

@@ -253,7 +253,9 @@ poll(struct pollfd *pfds, nfds_t nfds, int timeout_ms)
 	looptime_ms = timeout_ms > 100 ? 100 : timeout_ms;
 
 	do {
-		struct timeval tv = {0, looptime_ms * 1000};
+		struct timeval tv;
+		tv.tv_sec = 0;
+		tv.tv_usec = looptime_ms * 1000;
 		int handle_signaled = 0;
 
 		/*

check-release.sh

@@ -57,6 +57,7 @@ fi
 echo "differences between release and regenerated release tag:"
 diff -urN \
 	-x *.3 \
+	-x *.5 \
 	-x Makefile.in \
 	-x aclocal.m4 \
 	-x compile \

cmake_export_symbol.cmake

@@ -10,7 +10,13 @@ macro(export_symbol TARGET FILENAME)
 		target_sources(${TARGET} PRIVATE ${DEF_FILENAME})
 
 	elseif(APPLE)
-		set(FLAG "-exported_symbols_list ${FILENAME}")
+		file(READ ${FILENAME} SYMBOLS)
+		string(REGEX REPLACE "\n$" "" SYMBOLS ${SYMBOLS})
+		string(REPLACE "\n" "\n_" SYMBOLS ${SYMBOLS})
+		string(REGEX REPLACE "(.)$" "\\1\\n" SYMBOLS ${SYMBOLS})
+		string(REPLACE ".sym" ".exp" EXP_FILENAME ${FILENAME})
+		file(WRITE ${EXP_FILENAME} "_${SYMBOLS}")
+		set(FLAG "-exported_symbols_list ${EXP_FILENAME}")
 		set_target_properties(${TARGET} PROPERTIES LINK_FLAGS ${FLAG})
 
 	elseif(CMAKE_SYSTEM_NAME MATCHES "HP-UX")

configure.ac

@@ -134,6 +134,7 @@ AC_CONFIG_FILES([
 
 AM_CONDITIONAL([SMALL_TIME_T], [test "$ac_cv_sizeof_time_t" = "4"])
 if test "$ac_cv_sizeof_time_t" = "4"; then
+    AC_DEFINE([SMALL_TIME_T])
     echo " ** Warning, this system is unable to represent times past 2038"
     echo " ** It will behave incorrectly when handling valid RFC5280 dates"
 

crypto/CMakeLists.txt

@@ -352,10 +352,6 @@ set(
 	ec/ecp_mont.c
 	ec/ecp_nist.c
 	ec/ecp_oct.c
-	ec/ecp_nistp224.c
-	ec/ecp_nistp256.c
-	ec/ecp_nistp521.c
-	ec/ecp_nistputil.c
 	ec/ecp_smpl.c
 	ecdh/ech_err.c
 	ecdh/ech_key.c
@@ -563,7 +559,6 @@ set(
 	rsa/rsa_pss.c
 	rsa/rsa_saos.c
 	rsa/rsa_sign.c
-	rsa/rsa_ssl.c
 	rsa/rsa_x931.c
 	sha/sha1_one.c
 	sha/sha1dgst.c

crypto/Makefile.am

@@ -524,10 +524,6 @@ libcrypto_la_SOURCES += ec/ec_print.c
 libcrypto_la_SOURCES += ec/eck_prn.c
 libcrypto_la_SOURCES += ec/ecp_mont.c
 libcrypto_la_SOURCES += ec/ecp_nist.c
-libcrypto_la_SOURCES += ec/ecp_nistp224.c
-libcrypto_la_SOURCES += ec/ecp_nistp256.c
-libcrypto_la_SOURCES += ec/ecp_nistp521.c
-libcrypto_la_SOURCES += ec/ecp_nistputil.c
 libcrypto_la_SOURCES += ec/ecp_oct.c
 libcrypto_la_SOURCES += ec/ecp_smpl.c
 noinst_HEADERS += ec/ec_lcl.h
@@ -803,7 +799,6 @@ libcrypto_la_SOURCES += rsa/rsa_prn.c
 libcrypto_la_SOURCES += rsa/rsa_pss.c
 libcrypto_la_SOURCES += rsa/rsa_saos.c
 libcrypto_la_SOURCES += rsa/rsa_sign.c
-libcrypto_la_SOURCES += rsa/rsa_ssl.c
 libcrypto_la_SOURCES += rsa/rsa_x931.c
 noinst_HEADERS += rsa/rsa_locl.h
 

crypto/compat/posix_win.c

@@ -209,6 +209,7 @@ posix_setsockopt(int sockfd, int level, int optname,
 }
 
 #ifdef _MSC_VER
+struct timezone;
 int gettimeofday(struct timeval * tp, struct timezone * tzp)
 {
 	/*

dist.sh

@@ -1,7 +1,7 @@
 #!/bin/sh
 set -e
 
-rm -f man/*.1 man/*.3 include/openssl/*.h
+rm -f man/*.[35] include/openssl/*.h
 ./autogen.sh
 ./configure
 make -j2 distcheck

include/CMakeLists.txt

@@ -3,5 +3,6 @@ if(ENABLE_LIBRESSL_INSTALL)
 	        DESTINATION ${CMAKE_INSTALL_INCLUDEDIR}
 	        PATTERN "CMakeLists.txt" EXCLUDE
 	        PATTERN "compat" EXCLUDE
+	        PATTERN "pqueue.h" EXCLUDE
 	        PATTERN "Makefile*" EXCLUDE)
 endif(ENABLE_LIBRESSL_INSTALL)

m4/check-os-options.m4

@@ -13,6 +13,7 @@ case $host_os in
 		;;
 	*cygwin*)
 		HOST_OS=cygwin
+		CPPFLAGS="$CPPFLAGS -D_GNU_SOURCE"
 		;;
 	*darwin*)
 		HOST_OS=darwin

man/CMakeLists.txt

@@ -5,7 +5,7 @@ if(ENABLE_LIBRESSL_INSTALL)
 	    )
 
 	install(DIRECTORY .
-	    DESTINATION ${CMAKE_INSTALL_MANDIR}/man1
-	    FILES_MATCHING PATTERN "*.1"
+	    DESTINATION ${CMAKE_INSTALL_MANDIR}/man5
+	    FILES_MATCHING PATTERN "*.5"
 	    )
 endif(ENABLE_LIBRESSL_INSTALL)

man/links

@@ -3,6 +3,8 @@ ACCESS_DESCRIPTION_new.3,ACCESS_DESCRIPTION_free.3
 ACCESS_DESCRIPTION_new.3,AUTHORITY_INFO_ACCESS_free.3
 ACCESS_DESCRIPTION_new.3,AUTHORITY_INFO_ACCESS_new.3
 ASN1_OBJECT_new.3,ASN1_OBJECT_free.3
+ASN1_STRING_TABLE_add.3,ASN1_STRING_TABLE_cleanup.3
+ASN1_STRING_TABLE_add.3,ASN1_STRING_TABLE_get.3
 ASN1_STRING_length.3,ASN1_STRING_cmp.3
 ASN1_STRING_length.3,ASN1_STRING_data.3
 ASN1_STRING_length.3,ASN1_STRING_dup.3
@@ -50,10 +52,23 @@ ASN1_STRING_new.3,DISPLAYTEXT_free.3
 ASN1_STRING_new.3,DISPLAYTEXT_new.3
 ASN1_STRING_print_ex.3,ASN1_STRING_print.3
 ASN1_STRING_print_ex.3,ASN1_STRING_print_ex_fp.3
+ASN1_STRING_print_ex.3,ASN1_tag2str.3
+ASN1_TIME_set.3,ASN1_GENERALIZEDTIME_adj.3
+ASN1_TIME_set.3,ASN1_GENERALIZEDTIME_check.3
+ASN1_TIME_set.3,ASN1_GENERALIZEDTIME_print.3
+ASN1_TIME_set.3,ASN1_GENERALIZEDTIME_set.3
+ASN1_TIME_set.3,ASN1_GENERALIZEDTIME_set_string.3
 ASN1_TIME_set.3,ASN1_TIME_adj.3
 ASN1_TIME_set.3,ASN1_TIME_check.3
 ASN1_TIME_set.3,ASN1_TIME_print.3
 ASN1_TIME_set.3,ASN1_TIME_set_string.3
+ASN1_TIME_set.3,ASN1_TIME_to_generalizedtime.3
+ASN1_TIME_set.3,ASN1_UTCTIME_adj.3
+ASN1_TIME_set.3,ASN1_UTCTIME_check.3
+ASN1_TIME_set.3,ASN1_UTCTIME_cmp_time_t.3
+ASN1_TIME_set.3,ASN1_UTCTIME_print.3
+ASN1_TIME_set.3,ASN1_UTCTIME_set.3
+ASN1_TIME_set.3,ASN1_UTCTIME_set_string.3
 ASN1_TYPE_get.3,ASN1_TYPE_cmp.3
 ASN1_TYPE_get.3,ASN1_TYPE_free.3
 ASN1_TYPE_get.3,ASN1_TYPE_new.3
@@ -70,6 +85,7 @@ ASN1_item_d2i.3,ASN1_item_print.3
 ASN1_item_d2i.3,d2i_ASN1_TYPE.3
 ASN1_item_d2i.3,i2d_ASN1_TYPE.3
 ASN1_item_new.3,ASN1_item_free.3
+ASN1_time_parse.3,ASN1_TIME_set_tm.3
 ASN1_time_parse.3,ASN1_time_tm_cmp.3
 AUTHORITY_KEYID_new.3,AUTHORITY_KEYID_free.3
 BASIC_CONSTRAINTS_new.3,BASIC_CONSTRAINTS_free.3
@@ -146,6 +162,9 @@ BIO_new.3,BIO_free.3
 BIO_new.3,BIO_free_all.3
 BIO_new.3,BIO_set.3
 BIO_new.3,BIO_vfree.3
+BIO_printf.3,BIO_snprintf.3
+BIO_printf.3,BIO_vprintf.3
+BIO_printf.3,BIO_vsnprintf.3
 BIO_push.3,BIO_pop.3
 BIO_read.3,BIO_gets.3
 BIO_read.3,BIO_puts.3
@@ -298,6 +317,7 @@ BN_set_bit.3,BN_lshift1.3
 BN_set_bit.3,BN_mask_bits.3
 BN_set_bit.3,BN_rshift.3
 BN_set_bit.3,BN_rshift1.3
+BN_set_flags.3,BN_get_flags.3
 BN_set_negative.3,BN_is_negative.3
 BN_zero.3,BN_get_word.3
 BN_zero.3,BN_one.3
@@ -311,8 +331,10 @@ BUF_MEM_new.3,BUF_strdup.3
 CONF_modules_free.3,CONF_modules_finish.3
 CONF_modules_free.3,CONF_modules_unload.3
 CONF_modules_load_file.3,CONF_modules_load.3
+CRYPTO_get_mem_functions.3,CRYPTO_MEM_LEAK_CB.3
 CRYPTO_get_mem_functions.3,CRYPTO_mem_ctrl.3
 CRYPTO_get_mem_functions.3,CRYPTO_mem_leaks.3
+CRYPTO_get_mem_functions.3,CRYPTO_mem_leaks_cb.3
 CRYPTO_get_mem_functions.3,CRYPTO_mem_leaks_fp.3
 CRYPTO_get_mem_functions.3,CRYPTO_set_mem_functions.3
 CRYPTO_set_ex_data.3,CRYPTO_EX_dup.3
@@ -555,7 +577,6 @@ EVP_AEAD_CTX_init.3,EVP_AEAD_nonce_length.3
 EVP_AEAD_CTX_init.3,EVP_aead_aes_128_gcm.3
 EVP_AEAD_CTX_init.3,EVP_aead_aes_256_gcm.3
 EVP_AEAD_CTX_init.3,EVP_aead_chacha20_poly1305.3
-EVP_AEAD_CTX_init.3,EVP_aead_chacha20_poly1305_ietf.3
 EVP_DigestInit.3,EVP_DigestFinal.3
 EVP_DigestInit.3,EVP_DigestFinal_ex.3
 EVP_DigestInit.3,EVP_DigestInit_ex.3
@@ -566,6 +587,7 @@ EVP_DigestInit.3,EVP_MD_CTX_cleanup.3
 EVP_DigestInit.3,EVP_MD_CTX_copy.3
 EVP_DigestInit.3,EVP_MD_CTX_copy_ex.3
 EVP_DigestInit.3,EVP_MD_CTX_create.3
+EVP_DigestInit.3,EVP_MD_CTX_ctrl.3
 EVP_DigestInit.3,EVP_MD_CTX_destroy.3
 EVP_DigestInit.3,EVP_MD_CTX_init.3
 EVP_DigestInit.3,EVP_MD_CTX_md.3
@@ -582,6 +604,7 @@ EVP_DigestInit.3,EVP_get_digestbynid.3
 EVP_DigestInit.3,EVP_get_digestbyobj.3
 EVP_DigestInit.3,EVP_md2.3
 EVP_DigestInit.3,EVP_md5.3
+EVP_DigestInit.3,EVP_md5_sha1.3
 EVP_DigestInit.3,EVP_md_null.3
 EVP_DigestInit.3,EVP_ripemd160.3
 EVP_DigestInit.3,EVP_sha1.3
@@ -641,6 +664,7 @@ EVP_EncryptInit.3,EVP_EncryptFinal_ex.3
 EVP_EncryptInit.3,EVP_EncryptInit_ex.3
 EVP_EncryptInit.3,EVP_EncryptUpdate.3
 EVP_EncryptInit.3,EVP_aes_128_cbc.3
+EVP_EncryptInit.3,EVP_aes_128_cbc_hmac_sha1.3
 EVP_EncryptInit.3,EVP_aes_128_ccm.3
 EVP_EncryptInit.3,EVP_aes_128_cfb.3
 EVP_EncryptInit.3,EVP_aes_128_ecb.3
@@ -653,6 +677,7 @@ EVP_EncryptInit.3,EVP_aes_192_ecb.3
 EVP_EncryptInit.3,EVP_aes_192_gcm.3
 EVP_EncryptInit.3,EVP_aes_192_ofb.3
 EVP_EncryptInit.3,EVP_aes_256_cbc.3
+EVP_EncryptInit.3,EVP_aes_256_cbc_hmac_sha1.3
 EVP_EncryptInit.3,EVP_aes_256_ccm.3
 EVP_EncryptInit.3,EVP_aes_256_cfb.3
 EVP_EncryptInit.3,EVP_aes_256_ecb.3
@@ -696,6 +721,7 @@ EVP_EncryptInit.3,EVP_rc2_ecb.3
 EVP_EncryptInit.3,EVP_rc2_ofb.3
 EVP_EncryptInit.3,EVP_rc4.3
 EVP_EncryptInit.3,EVP_rc4_40.3
+EVP_EncryptInit.3,EVP_rc4_hmac_md5.3
 EVP_EncryptInit.3,EVP_rc5_32_12_16_cbc.3
 EVP_EncryptInit.3,EVP_rc5_32_12_16_cfb.3
 EVP_EncryptInit.3,EVP_rc5_32_12_16_ecb.3
@@ -707,10 +733,10 @@ EVP_PKEY_CTX_ctrl.3,EVP_PKEY_CTX_set_dh_paramgen_generator.3
 EVP_PKEY_CTX_ctrl.3,EVP_PKEY_CTX_set_dh_paramgen_prime_len.3
 EVP_PKEY_CTX_ctrl.3,EVP_PKEY_CTX_set_dsa_paramgen_bits.3
 EVP_PKEY_CTX_ctrl.3,EVP_PKEY_CTX_set_ec_paramgen_curve_nid.3
+EVP_PKEY_CTX_ctrl.3,EVP_PKEY_CTX_set_rsa_keygen_bits.3
 EVP_PKEY_CTX_ctrl.3,EVP_PKEY_CTX_set_rsa_keygen_pubexp.3
 EVP_PKEY_CTX_ctrl.3,EVP_PKEY_CTX_set_rsa_padding.3
 EVP_PKEY_CTX_ctrl.3,EVP_PKEY_CTX_set_rsa_pss_saltlen.3
-EVP_PKEY_CTX_ctrl.3,EVP_PKEY_CTX_set_rsa_rsa_keygen_bits.3
 EVP_PKEY_CTX_ctrl.3,EVP_PKEY_CTX_set_signature_md.3
 EVP_PKEY_CTX_new.3,EVP_PKEY_CTX_dup.3
 EVP_PKEY_CTX_new.3,EVP_PKEY_CTX_free.3
@@ -1034,12 +1060,10 @@ RSA_get_ex_new_index.3,RSA_set_ex_data.3
 RSA_new.3,RSA_free.3
 RSA_padding_add_PKCS1_type_1.3,RSA_padding_add_PKCS1_OAEP.3
 RSA_padding_add_PKCS1_type_1.3,RSA_padding_add_PKCS1_type_2.3
-RSA_padding_add_PKCS1_type_1.3,RSA_padding_add_SSLv23.3
 RSA_padding_add_PKCS1_type_1.3,RSA_padding_add_none.3
 RSA_padding_add_PKCS1_type_1.3,RSA_padding_check_PKCS1_OAEP.3
 RSA_padding_add_PKCS1_type_1.3,RSA_padding_check_PKCS1_type_1.3
 RSA_padding_add_PKCS1_type_1.3,RSA_padding_check_PKCS1_type_2.3
-RSA_padding_add_PKCS1_type_1.3,RSA_padding_check_SSLv23.3
 RSA_padding_add_PKCS1_type_1.3,RSA_padding_check_none.3
 RSA_print.3,DHparams_print.3
 RSA_print.3,DHparams_print_fp.3
@@ -1086,12 +1110,9 @@ SSL_CIPHER_get_name.3,SSL_CIPHER_get_version.3
 SSL_COMP_add_compression_method.3,SSL_COMP_get_compression_methods.3
 SSL_CTX_add_extra_chain_cert.3,SSL_CTX_clear_extra_chain_certs.3
 SSL_CTX_add_session.3,SSL_CTX_remove_session.3
-SSL_CTX_add_session.3,SSL_add_session.3
-SSL_CTX_add_session.3,SSL_remove_session.3
 SSL_CTX_ctrl.3,SSL_CTX_callback_ctrl.3
 SSL_CTX_ctrl.3,SSL_callback_ctrl.3
 SSL_CTX_ctrl.3,SSL_ctrl.3
-SSL_CTX_flush_sessions.3,SSL_flush_sessions.3
 SSL_CTX_get_ex_new_index.3,SSL_CTX_get_ex_data.3
 SSL_CTX_get_ex_new_index.3,SSL_CTX_set_ex_data.3
 SSL_CTX_get_verify_mode.3,SSL_CTX_get_verify_callback.3
@@ -1138,6 +1159,13 @@ SSL_CTX_sess_set_get_cb.3,SSL_CTX_sess_set_remove_cb.3
 SSL_CTX_sess_set_get_cb.3,get_session_cb.3
 SSL_CTX_sess_set_get_cb.3,new_session_cb.3
 SSL_CTX_sess_set_get_cb.3,remove_session_cb.3
+SSL_CTX_set1_groups.3,SSL_CTX_set1_curves.3
+SSL_CTX_set1_groups.3,SSL_CTX_set1_curves_list.3
+SSL_CTX_set1_groups.3,SSL_CTX_set1_groups_list.3
+SSL_CTX_set1_groups.3,SSL_set1_curves.3
+SSL_CTX_set1_groups.3,SSL_set1_curves_list.3
+SSL_CTX_set1_groups.3,SSL_set1_groups.3
+SSL_CTX_set1_groups.3,SSL_set1_groups_list.3
 SSL_CTX_set_alpn_select_cb.3,SSL_CTX_set_alpn_protos.3
 SSL_CTX_set_alpn_select_cb.3,SSL_get0_alpn_selected.3
 SSL_CTX_set_alpn_select_cb.3,SSL_select_next_proto.3
@@ -1160,6 +1188,9 @@ SSL_CTX_set_info_callback.3,SSL_set_info_callback.3
 SSL_CTX_set_max_cert_list.3,SSL_CTX_get_max_cert_list.3
 SSL_CTX_set_max_cert_list.3,SSL_get_max_cert_list.3
 SSL_CTX_set_max_cert_list.3,SSL_set_max_cert_list.3
+SSL_CTX_set_min_proto_version.3,SSL_CTX_set_max_proto_version.3
+SSL_CTX_set_min_proto_version.3,SSL_set_max_proto_version.3
+SSL_CTX_set_min_proto_version.3,SSL_set_min_proto_version.3
 SSL_CTX_set_mode.3,SSL_CTX_get_mode.3
 SSL_CTX_set_mode.3,SSL_get_mode.3
 SSL_CTX_set_mode.3,SSL_set_mode.3
@@ -1184,6 +1215,10 @@ SSL_CTX_set_session_id_context.3,SSL_set_session_id_context.3
 SSL_CTX_set_ssl_version.3,SSL_get_ssl_method.3
 SSL_CTX_set_ssl_version.3,SSL_set_ssl_method.3
 SSL_CTX_set_timeout.3,SSL_CTX_get_timeout.3
+SSL_CTX_set_tlsext_servername_callback.3,SSL_CTX_set_tlsext_servername_arg.3
+SSL_CTX_set_tlsext_servername_callback.3,SSL_get_servername.3
+SSL_CTX_set_tlsext_servername_callback.3,SSL_get_servername_type.3
+SSL_CTX_set_tlsext_servername_callback.3,SSL_set_tlsext_host_name.3
 SSL_CTX_set_tlsext_status_cb.3,SSL_CTX_set_tlsext_status_arg.3
 SSL_CTX_set_tlsext_status_cb.3,SSL_get_tlsext_status_ocsp_resp.3
 SSL_CTX_set_tlsext_status_cb.3,SSL_set_tlsext_status_ocsp_resp.3
@@ -1196,7 +1231,6 @@ SSL_CTX_set_tmp_rsa_callback.3,SSL_CTX_set_tmp_rsa.3
 SSL_CTX_set_tmp_rsa_callback.3,SSL_need_tmp_rsa.3
 SSL_CTX_set_tmp_rsa_callback.3,SSL_set_tmp_rsa.3
 SSL_CTX_set_tmp_rsa_callback.3,SSL_set_tmp_rsa_callback.3
-SSL_CTX_set_tmp_rsa_callback.3,tmp_rsa_callback.3
 SSL_CTX_set_verify.3,SSL_CTX_set_verify_depth.3
 SSL_CTX_set_verify.3,SSL_set_verify.3
 SSL_CTX_set_verify.3,SSL_set_verify_depth.3
@@ -1263,6 +1297,8 @@ SSL_load_client_CA_file.3,SSL_add_file_cert_subjects_to_stack.3
 SSL_num_renegotiations.3,SSL_clear_num_renegotiations.3
 SSL_num_renegotiations.3,SSL_total_renegotiations.3
 SSL_read.3,SSL_peek.3
+SSL_renegotiate.3,SSL_renegotiate_abbreviated.3
+SSL_renegotiate.3,SSL_renegotiate_pending.3
 SSL_rstate_string.3,SSL_rstate_string_long.3
 SSL_set1_param.3,SSL_CTX_set1_param.3
 SSL_set_connect_state.3,SSL_set_accept_state.3
@@ -1270,6 +1306,11 @@ SSL_set_fd.3,SSL_set_rfd.3
 SSL_set_fd.3,SSL_set_wfd.3
 SSL_set_max_send_fragment.3,SSL_CTX_set_max_send_fragment.3
 SSL_set_shutdown.3,SSL_get_shutdown.3
+SSL_set_tmp_ecdh.3,SSL_CTX_set_ecdh_auto.3
+SSL_set_tmp_ecdh.3,SSL_CTX_set_tmp_ecdh.3
+SSL_set_tmp_ecdh.3,SSL_CTX_set_tmp_ecdh_callback.3
+SSL_set_tmp_ecdh.3,SSL_set_ecdh_auto.3
+SSL_set_tmp_ecdh.3,SSL_set_tmp_ecdh_callback.3
 SSL_state_string.3,SSL_state_string_long.3
 SSL_want.3,SSL_want_nothing.3
 SSL_want.3,SSL_want_read.3
@@ -1293,6 +1334,28 @@ TS_REQ_new.3,TS_STATUS_INFO_free.3
 TS_REQ_new.3,TS_STATUS_INFO_new.3
 TS_REQ_new.3,TS_TST_INFO_free.3
 TS_REQ_new.3,TS_TST_INFO_new.3
+UI_UTIL_read_pw.3,UI_UTIL_read_pw_string.3
+UI_create_method.3,UI_destroy_method.3
+UI_create_method.3,UI_method_get_closer.3
+UI_create_method.3,UI_method_get_flusher.3
+UI_create_method.3,UI_method_get_opener.3
+UI_create_method.3,UI_method_get_prompt_constructor.3
+UI_create_method.3,UI_method_get_reader.3
+UI_create_method.3,UI_method_get_writer.3
+UI_create_method.3,UI_method_set_closer.3
+UI_create_method.3,UI_method_set_flusher.3
+UI_create_method.3,UI_method_set_opener.3
+UI_create_method.3,UI_method_set_prompt_constructor.3
+UI_create_method.3,UI_method_set_reader.3
+UI_create_method.3,UI_method_set_writer.3
+UI_get_string_type.3,UI_get0_action_string.3
+UI_get_string_type.3,UI_get0_output_string.3
+UI_get_string_type.3,UI_get0_result_string.3
+UI_get_string_type.3,UI_get0_test_string.3
+UI_get_string_type.3,UI_get_input_flags.3
+UI_get_string_type.3,UI_get_result_maxsize.3
+UI_get_string_type.3,UI_get_result_minsize.3
+UI_get_string_type.3,UI_set_result.3
 UI_new.3,UI_OpenSSL.3
 UI_new.3,UI_add_error_string.3
 UI_new.3,UI_add_info_string.3
@@ -1427,6 +1490,15 @@ X509_VERIFY_PARAM_set_flags.3,X509_VERIFY_PARAM_set_trust.3
 X509_check_host.3,X509_check_email.3
 X509_check_host.3,X509_check_ip.3
 X509_check_host.3,X509_check_ip_asc.3
+X509_check_private_key.3,X509_REQ_check_private_key.3
+X509_cmp_time.3,X509_cmp_current_time.3
+X509_cmp_time.3,X509_time_adj.3
+X509_cmp_time.3,X509_time_adj_ex.3
+X509_digest.3,PKCS7_ISSUER_AND_SERIAL_digest.3
+X509_digest.3,X509_CRL_digest.3
+X509_digest.3,X509_NAME_digest.3
+X509_digest.3,X509_REQ_digest.3
+X509_digest.3,X509_pubkey_digest.3
 X509_get_pubkey.3,X509_REQ_get_pubkey.3
 X509_get_pubkey.3,X509_REQ_set_pubkey.3
 X509_get_pubkey.3,X509_get_X509_PUBKEY.3
@@ -1525,7 +1597,6 @@ d2i_ASN1_OCTET_STRING.3,d2i_ASN1_PRINTABLE.3
 d2i_ASN1_OCTET_STRING.3,d2i_ASN1_PRINTABLESTRING.3
 d2i_ASN1_OCTET_STRING.3,d2i_ASN1_T61STRING.3
 d2i_ASN1_OCTET_STRING.3,d2i_ASN1_TIME.3
-d2i_ASN1_OCTET_STRING.3,d2i_ASN1_TIME_new.3
 d2i_ASN1_OCTET_STRING.3,d2i_ASN1_UINTEGER.3
 d2i_ASN1_OCTET_STRING.3,d2i_ASN1_UNIVERSALSTRING.3
 d2i_ASN1_OCTET_STRING.3,d2i_ASN1_UTCTIME.3
@@ -1545,7 +1616,6 @@ d2i_ASN1_OCTET_STRING.3,i2d_ASN1_PRINTABLE.3
 d2i_ASN1_OCTET_STRING.3,i2d_ASN1_PRINTABLESTRING.3
 d2i_ASN1_OCTET_STRING.3,i2d_ASN1_T61STRING.3
 d2i_ASN1_OCTET_STRING.3,i2d_ASN1_TIME.3
-d2i_ASN1_OCTET_STRING.3,i2d_ASN1_TIME_new.3
 d2i_ASN1_OCTET_STRING.3,i2d_ASN1_UNIVERSALSTRING.3
 d2i_ASN1_OCTET_STRING.3,i2d_ASN1_UTCTIME.3
 d2i_ASN1_OCTET_STRING.3,i2d_ASN1_UTF8STRING.3
@@ -1606,8 +1676,6 @@ d2i_ECPKParameters.3,d2i_EC_PUBKEY_fp.3
 d2i_ECPKParameters.3,i2d_ECPKParameters.3
 d2i_ECPKParameters.3,i2d_ECPKParameters_bio.3
 d2i_ECPKParameters.3,i2d_ECPKParameters_fp.3
-d2i_ECPKParameters.3,i2d_ECPKPrivateKey_fp.3
-d2i_ECPKParameters.3,i2d_ECPK_PUBKEY_fp.3
 d2i_ECPKParameters.3,i2d_ECParameters.3
 d2i_ECPKParameters.3,i2d_ECPrivateKey.3
 d2i_ECPKParameters.3,i2d_ECPrivateKey_bio.3
@@ -1931,6 +1999,13 @@ engine.3,ENGINE_unregister_STORE.3
 engine.3,ENGINE_unregister_ciphers.3
 engine.3,ENGINE_unregister_digests.3
 engine.3,ENGINE_up_ref.3
+get_rfc3526_prime_8192.3,get_rfc2409_prime_1024.3
+get_rfc3526_prime_8192.3,get_rfc2409_prime_768.3
+get_rfc3526_prime_8192.3,get_rfc3526_prime_1536.3
+get_rfc3526_prime_8192.3,get_rfc3526_prime_2048.3
+get_rfc3526_prime_8192.3,get_rfc3526_prime_3072.3
+get_rfc3526_prime_8192.3,get_rfc3526_prime_4096.3
+get_rfc3526_prime_8192.3,get_rfc3526_prime_6144.3
 lh_new.3,DECLARE_LHASH_OF.3
 lh_new.3,LHASH_COMP_FN_TYPE.3
 lh_new.3,LHASH_DOALL_ARG_FN_TYPE.3
@@ -1960,16 +2035,15 @@ tls_accept_socket.3,tls_accept_cbs.3
 tls_accept_socket.3,tls_accept_fds.3
 tls_client.3,tls_configure.3
 tls_client.3,tls_free.3
+tls_client.3,tls_reset.3
 tls_client.3,tls_server.3
-tls_config_ocsp_require_stapling.3,tls_config_set_ocsp_staple_file.3
-tls_config_ocsp_require_stapling.3,tls_config_set_ocsp_staple_mem.3
 tls_config_set_protocols.3,tls_config_parse_protocols.3
 tls_config_set_protocols.3,tls_config_prefer_ciphers_client.3
 tls_config_set_protocols.3,tls_config_prefer_ciphers_server.3
 tls_config_set_protocols.3,tls_config_set_alpn.3
 tls_config_set_protocols.3,tls_config_set_ciphers.3
 tls_config_set_protocols.3,tls_config_set_dheparams.3
-tls_config_set_protocols.3,tls_config_set_ecdhecurve.3
+tls_config_set_protocols.3,tls_config_set_ecdhecurves.3
 tls_config_set_session_id.3,tls_config_add_ticket_key.3
 tls_config_set_session_id.3,tls_config_set_session_lifetime.3
 tls_config_verify.3,tls_config_insecure_noverifycert.3
@@ -1994,19 +2068,28 @@ tls_init.3,tls_config_free.3
 tls_init.3,tls_config_new.3
 tls_load_file.3,tls_config_add_keypair_file.3
 tls_load_file.3,tls_config_add_keypair_mem.3
+tls_load_file.3,tls_config_add_keypair_ocsp_file.3
+tls_load_file.3,tls_config_add_keypair_ocsp_mem.3
 tls_load_file.3,tls_config_clear_keys.3
 tls_load_file.3,tls_config_set_ca_file.3
 tls_load_file.3,tls_config_set_ca_mem.3
 tls_load_file.3,tls_config_set_ca_path.3
 tls_load_file.3,tls_config_set_cert_file.3
 tls_load_file.3,tls_config_set_cert_mem.3
+tls_load_file.3,tls_config_set_crl_file.3
+tls_load_file.3,tls_config_set_crl_mem.3
 tls_load_file.3,tls_config_set_key_file.3
 tls_load_file.3,tls_config_set_key_mem.3
 tls_load_file.3,tls_config_set_keypair_file.3
 tls_load_file.3,tls_config_set_keypair_mem.3
+tls_load_file.3,tls_config_set_keypair_ocsp_file.3
+tls_load_file.3,tls_config_set_keypair_ocsp_mem.3
+tls_load_file.3,tls_config_set_ocsp_staple_file.3
+tls_load_file.3,tls_config_set_ocsp_staple_mem.3
 tls_load_file.3,tls_config_set_verify_depth.3
 tls_load_file.3,tls_config_verify_client.3
 tls_load_file.3,tls_config_verify_client_optional.3
+tls_load_file.3,tls_unload_file.3
 tls_ocsp_process_response.3,tls_peer_ocsp_cert_status.3
 tls_ocsp_process_response.3,tls_peer_ocsp_crl_reason.3
 tls_ocsp_process_response.3,tls_peer_ocsp_next_update.3

patches/netcat.c.patch

@@ -1,5 +1,5 @@
---- apps/nc/netcat.c.orig	2017-07-07 00:10:09.009409624 +0900
-+++ apps/nc/netcat.c	2017-07-07 00:30:32.380088772 +0900
+--- apps/nc/netcat.c.orig	Mon Jul 17 06:06:51 2017
++++ apps/nc/netcat.c	Mon Jul 17 06:11:24 2017
 @@ -66,7 +66,9 @@
  #define POLL_NETIN	2
  #define POLL_STDOUT	3
@@ -10,7 +10,7 @@
  
  #define TLS_ALL	(1 << 1)
  #define TLS_NOVERIFY	(1 << 2)
-@@ -94,9 +96,13 @@ int	zflag;					/* Port Scan Flag */
+@@ -95,9 +97,13 @@
  int	Dflag;					/* sodebug */
  int	Iflag;					/* TCP receive buffer size */
  int	Oflag;					/* TCP send buffer size */
@@ -24,7 +24,7 @@
  
  int	usetls;					/* use TLS */
  char    *Cflag;					/* Public cert file */
-@@ -265,12 +271,14 @@ main(int argc, char *argv[])
+@@ -266,12 +272,14 @@
  		case 'u':
  			uflag = 1;
  			break;
@@ -39,7 +39,7 @@
  		case 'v':
  			vflag = 1;
  			break;
-@@ -317,9 +325,11 @@ main(int argc, char *argv[])
+@@ -318,9 +326,11 @@
  		case 'o':
  			oflag = optarg;
  			break;
@@ -51,7 +51,7 @@
  		case 'T':
  			errstr = NULL;
  			errno = 0;
-@@ -343,9 +353,11 @@ main(int argc, char *argv[])
+@@ -344,9 +354,11 @@
  	argc -= optind;
  	argv += optind;
  
@@ -63,7 +63,7 @@
  
  	if (family == AF_UNIX) {
  		if (pledge("stdio rpath wpath cpath tmppath unix", NULL) == -1)
-@@ -888,7 +900,10 @@ int
+@@ -892,7 +904,10 @@
  remote_connect(const char *host, const char *port, struct addrinfo hints)
  {
  	struct addrinfo *res, *res0;
@@ -75,7 +75,7 @@
  
  	if ((error = getaddrinfo(host, port, &hints, &res0)))
  		errx(1, "getaddrinfo for host \"%s\" port %s: %s", host,
-@@ -903,8 +918,10 @@ remote_connect(const char *host, const c
+@@ -907,8 +922,10 @@
  		if (sflag || pflag) {
  			struct addrinfo ahints, *ares;
  
@@ -86,7 +86,7 @@
  			memset(&ahints, 0, sizeof(struct addrinfo));
  			ahints.ai_family = res->ai_family;
  			ahints.ai_socktype = uflag ? SOCK_DGRAM : SOCK_STREAM;
-@@ -975,7 +992,10 @@ int
+@@ -979,7 +996,10 @@
  local_listen(char *host, char *port, struct addrinfo hints)
  {
  	struct addrinfo *res, *res0;
@@ -98,7 +98,7 @@
  	int error;
  
  	/* Allow nodename to be null. */
-@@ -996,9 +1016,11 @@ local_listen(char *host, char *port, str
+@@ -1000,9 +1020,11 @@
  		    res->ai_protocol)) < 0)
  			continue;
  
@@ -110,7 +110,7 @@
  
  		set_common_sockopts(s, res->ai_family);
  
-@@ -1454,11 +1476,13 @@ set_common_sockopts(int s, int af)
+@@ -1458,11 +1480,13 @@
  {
  	int x = 1;
  
@@ -124,7 +124,7 @@
  	if (Dflag) {
  		if (setsockopt(s, SOL_SOCKET, SO_DEBUG,
  			&x, sizeof(x)) == -1)
-@@ -1469,9 +1493,16 @@ set_common_sockopts(int s, int af)
+@@ -1473,9 +1497,16 @@
  		    IP_TOS, &Tflag, sizeof(Tflag)) == -1)
  			err(1, "set IP ToS");
  
@@ -141,7 +141,7 @@
  	}
  	if (Iflag) {
  		if (setsockopt(s, SOL_SOCKET, SO_RCVBUF,
-@@ -1495,13 +1526,17 @@ set_common_sockopts(int s, int af)
+@@ -1499,13 +1530,17 @@
  	}
  
  	if (minttl != -1) {
@@ -160,7 +160,7 @@
  	}
  }
  
-@@ -1709,14 +1744,22 @@ help(void)
+@@ -1714,14 +1749,22 @@
  	\t-P proxyuser\tUsername for proxy authentication\n\
  	\t-p port\t	Specify local port for remote connects\n\
  	\t-R CAfile	CA bundle\n\

patches/tls_internal.h.patch

@@ -1,12 +1,12 @@
---- ./openbsd/src/lib/libtls/tls_internal.h	Thu Oct 15 16:12:24 2015
-+++ ./tls/tls_internal.h	Sun Dec  6 20:18:17 2015
-@@ -24,7 +24,9 @@
+--- tls/tls_internal.h.orig	Sun Jul  9 06:16:17 2017
++++ tls/tls_internal.h	Mon Jul 17 06:10:01 2017
+@@ -26,7 +26,9 @@
  
- #include <openssl/ssl.h>
+ __BEGIN_HIDDEN_DECLS
  
 +#ifndef _PATH_SSL_CA_FILE
  #define _PATH_SSL_CA_FILE "/etc/ssl/cert.pem"
 +#endif
  
- #define TLS_CIPHERS_COMPAT	"ALL:!aNULL:!eNULL"
  #define TLS_CIPHERS_DEFAULT	"TLSv1.2+AEAD+ECDHE:TLSv1.2+AEAD+DHE"
+ #define TLS_CIPHERS_COMPAT	"HIGH:!aNULL"

patches/tlsexttest.c.patch

@@ -0,0 +1,41 @@
+--- tests/tlsexttest.c.orig	Sun Sep  3 00:44:51 2017
++++ tests/tlsexttest.c	Sun Sep  3 00:47:06 2017
+@@ -1676,7 +1676,9 @@ static unsigned char tlsext_sni_clienthello[] = {
+ };
+ 
+ static unsigned char tlsext_sni_serverhello[] = {
++	0x00
+ };
++const size_t sizeof_tlsext_sni_serverhello = 0;
+ 
+ static int
+ test_tlsext_sni_clienthello(void)
+@@ -1839,9 +1841,9 @@ test_tlsext_sni_serverhello(void)
+ 	if (!CBB_finish(&cbb, &data, &dlen))
+ 		errx(1, "failed to finish CBB");
+ 
+-	if (dlen != sizeof(tlsext_sni_serverhello)) {
++	if (dlen != sizeof_tlsext_sni_serverhello) {
+ 		FAIL("got serverhello SNI with length %zu, "
+-		    "want length %zu\n", dlen, sizeof(tlsext_sni_serverhello));
++		    "want length %zu\n", dlen, sizeof_tlsext_sni_serverhello);
+ 		goto err;
+ 	}
+ 
+@@ -1850,14 +1852,14 @@ test_tlsext_sni_serverhello(void)
+ 		fprintf(stderr, "received:\n");
+ 		hexdump(data, dlen);
+ 		fprintf(stderr, "test data:\n");
+-		hexdump(tlsext_sni_serverhello, sizeof(tlsext_sni_serverhello));
++		hexdump(tlsext_sni_serverhello, sizeof_tlsext_sni_serverhello);
+ 		goto err;
+ 	}
+ 
+ 	free(ssl->session->tlsext_hostname);
+ 	ssl->session->tlsext_hostname = NULL;
+ 
+-	CBS_init(&cbs, tlsext_sni_serverhello, sizeof(tlsext_sni_serverhello));
++	CBS_init(&cbs, tlsext_sni_serverhello, sizeof_tlsext_sni_serverhello);
+ 	if (!tlsext_sni_serverhello_parse(ssl, &cbs, &alert)) {
+ 		FAIL("failed to parse serverhello SNI\n");
+ 		goto err;

patches/windows_headers.patch

@@ -4,36 +4,35 @@ diff -u include/openssl.orig/dtls1.h include/openssl/dtls1.h
 @@ -60,7 +60,11 @@
  #ifndef HEADER_DTLS1_H
  #define HEADER_DTLS1_H
- 
+
 +#if defined(_WIN32)
 +#include <winsock2.h>
 +#else
  #include <sys/time.h>
 +#endif
- 
+
  #include <stdio.h>
  #include <stdlib.h>
-diff -u include/openssl.orig/opensslconf.h include/openssl/opensslconf.h
---- include/openssl.orig/opensslconf.h	Mon Dec  7 07:58:32 2015
-+++ include/openssl/opensslconf.h	Mon Dec  7 07:56:14 2015
+--- include/openssl/opensslconf.h.orig	Sat Nov  5 08:36:25 2016
++++ include/openssl/opensslconf.h	Mon Jul 17 06:06:58 2017
 @@ -1,6 +1,10 @@
  #include <openssl/opensslfeatures.h>
  /* crypto/opensslconf.h.in */
- 
+
 +#if defined(_MSC_VER) && !defined(__attribute__)
 +#define __attribute__(a)
 +#endif
 +
  #if defined(HEADER_CRYPTLIB_H) && !defined(OPENSSLDIR)
  #define OPENSSLDIR "/etc/ssl"
-
+ #endif
 diff -u include/openssl.orig/ossl_typ.h include/openssl/ossl_typ.h
 --- include/openssl.orig/ossl_typ.h	Mon Dec  7 07:58:32 2015
 +++ include/openssl/ossl_typ.h	Mon Dec  7 07:56:14 2015
 @@ -80,6 +80,22 @@
  typedef struct ASN1_ITEM_st ASN1_ITEM;
  typedef struct asn1_pctx_st ASN1_PCTX;
- 
+
 +#if defined(_WIN32) && defined(__WINCRYPT_H__)
 +#ifndef LIBRESSL_INTERNAL
 +#ifdef _MSC_VER
@@ -59,7 +58,7 @@ diff -u include/openssl.orig/pkcs7.h include/openssl/pkcs7.h
 @@ -69,6 +69,18 @@
  extern "C" {
  #endif
- 
+
 +#if defined(_WIN32) && defined(__WINCRYPT_H__)
 +#ifndef LIBRESSL_INTERNAL
 +#ifdef _MSC_VER
@@ -81,7 +80,7 @@ diff -u include/openssl.orig/x509.h include/openssl/x509.h
 @@ -112,6 +112,19 @@
  extern "C" {
  #endif
- 
+
 +#if defined(_WIN32)
 +#ifndef LIBRESSL_INTERNAL
 +#ifdef _MSC_VER

ssl/CMakeLists.txt

@@ -35,6 +35,7 @@ set(
 	ssl_sess.c
 	ssl_srvr.c
 	ssl_stat.c
+	ssl_tlsext.c
 	ssl_txt.c
 	ssl_versions.c
 	t1_clnt.c
@@ -42,7 +43,6 @@ set(
 	t1_hash.c
 	t1_lib.c
 	t1_meth.c
-	t1_reneg.c
 	t1_srvr.c
 )
 
@@ -51,8 +51,9 @@ if (BUILD_SHARED)
 	add_library(ssl STATIC $<TARGET_OBJECTS:ssl-objects>)
 	add_library(ssl-shared SHARED $<TARGET_OBJECTS:ssl-objects>)
 	export_symbol(ssl-shared ${CMAKE_CURRENT_SOURCE_DIR}/ssl.sym)
+	target_link_libraries(ssl-shared crypto-shared)
 	if (WIN32)
-		target_link_libraries(ssl-shared crypto-shared Ws2_32.lib)
+		target_link_libraries(ssl-shared Ws2_32.lib)
 		set(SSL_POSTFIX -${SSL_MAJOR_VERSION})
 	endif()
 	set_target_properties(ssl-shared PROPERTIES

ssl/Makefile.am

@@ -38,6 +38,7 @@ libssl_la_SOURCES += ssl_rsa.c
 libssl_la_SOURCES += ssl_sess.c
 libssl_la_SOURCES += ssl_srvr.c
 libssl_la_SOURCES += ssl_stat.c
+libssl_la_SOURCES += ssl_tlsext.c
 libssl_la_SOURCES += ssl_txt.c
 libssl_la_SOURCES += ssl_versions.c
 libssl_la_SOURCES += t1_clnt.c
@@ -45,9 +46,9 @@ libssl_la_SOURCES += t1_enc.c
 libssl_la_SOURCES += t1_hash.c
 libssl_la_SOURCES += t1_lib.c
 libssl_la_SOURCES += t1_meth.c
-libssl_la_SOURCES += t1_reneg.c
 libssl_la_SOURCES += t1_srvr.c
 
 noinst_HEADERS = srtp.h
 noinst_HEADERS += ssl_locl.h
+noinst_HEADERS += ssl_tlsext.h
 noinst_HEADERS += bytestring.h

tap-driver.sh

@@ -1,5 +1,5 @@
 #! /bin/sh
-# Copyright (C) 2011-2014 Free Software Foundation, Inc.
+# Copyright (C) 2011-2017 Free Software Foundation, Inc.
 #
 # This program is free software; you can redistribute it and/or modify
 # it under the terms of the GNU General Public License as published by
@@ -646,6 +646,6 @@ test $? -eq 0 || fatal "I/O or internal error"
 # eval: (add-hook 'write-file-hooks 'time-stamp)
 # time-stamp-start: "scriptversion="
 # time-stamp-format: "%:y-%02m-%02d.%02H"
-# time-stamp-time-zone: "UTC"
+# time-stamp-time-zone: "UTC0"
 # time-stamp-end: "; # UTC"
 # End:

tests/CMakeLists.txt

@@ -168,6 +168,11 @@ set_source_files_properties(exptest.c PROPERTIES COMPILE_FLAGS -ULIBRESSL_INTERN
 target_link_libraries(exptest ${TESTS_LIBS})
 add_test(exptest exptest)
 
+# freenull
+add_executable(freenull freenull.c)
+target_link_libraries(freenull ${TESTS_LIBS})
+add_test(freenull freenull)
+
 # gcm128test
 add_executable(gcm128test gcm128test.c)
 target_link_libraries(gcm128test ${TESTS_LIBS})
@@ -366,6 +371,11 @@ add_executable(timingsafe timingsafe.c)
 target_link_libraries(timingsafe ${TESTS_LIBS})
 add_test(timingsafe timingsafe)
 
+# tlsexttest
+add_executable(tlsexttest tlsexttest.c)
+target_link_libraries(tlsexttest ${TESTS_LIBS})
+add_test(tlsexttest tlsexttest)
+
 # tlstest
 set(TLSTEST_SRC tlstest.c)
 check_function_exists(pipe2 HAVE_PIPE2)

tests/Makefile.am

@@ -174,6 +174,12 @@ check_PROGRAMS += exptest
 exptest_CPPFLAGS = $(AM_CPPFLAGS) -ULIBRESSL_INTERNAL
 exptest_SOURCES = exptest.c
 
+# freenull
+TESTS += freenull
+check_PROGRAMS += freenull
+freenull_CPPFLAGS = $(AM_CPPFLAGS) -ULIBRESSL_INTERNAL
+freenull_SOURCES = freenull.c
+
 # gcm128test
 TESTS += gcm128test
 check_PROGRAMS += gcm128test
@@ -350,6 +356,12 @@ TESTS += timingsafe
 check_PROGRAMS += timingsafe
 timingsafe_SOURCES = timingsafe.c
 
+# tlsexttest
+TESTS += tlsexttest
+check_PROGRAMS += tlsexttest
+tlsexttest_CPPFLAGS = $(AM_CPPFLAGS) -ULIBRESSL_INTERNAL
+tlsexttest_SOURCES = tlsexttest.c
+
 # tlstest
 TESTS += tlstest.sh
 check_PROGRAMS += tlstest

tests/testssl.bat

@@ -123,18 +123,6 @@ for %%p in ( SSLv3 ) do (
   )
 )
 
-REM #
-REM # Next Protocol Negotiation tests
-REM #
-echo "Testing NPN..."
-%ssltest% -bio_pair -tls1 -npn_client & if !errorlevel! neq 0 exit /b 1
-%ssltest% -bio_pair -tls1 -npn_server & if !errorlevel! neq 0 exit /b 1
-%ssltest% -bio_pair -tls1 -npn_server_reject & if !errorlevel! neq 0 exit /b 1
-%ssltest% -bio_pair -tls1 -npn_client -npn_server_reject & if !errorlevel! neq 0 exit /b 1
-%ssltest% -bio_pair -tls1 -npn_client -npn_server & if !errorlevel! neq 0 exit /b 1
-%ssltest% -bio_pair -tls1 -npn_client -npn_server -num 2 & if !errorlevel! neq 0 exit /b 1
-%ssltest% -bio_pair -tls1 -npn_client -npn_server -num 2 -reuse & if !errorlevel! neq 0 exit /b 1
-
 REM #
 REM # ALPN tests
 REM #

tls/CMakeLists.txt

@@ -30,8 +30,9 @@ if (BUILD_SHARED)
 	add_library(tls STATIC $<TARGET_OBJECTS:tls-objects>)
 	add_library(tls-shared SHARED $<TARGET_OBJECTS:tls-objects>)
 	export_symbol(tls-shared ${CMAKE_CURRENT_SOURCE_DIR}/tls.sym)
+	target_link_libraries(tls-shared ssl-shared crypto-shared)
 	if (WIN32)
-		target_link_libraries(tls-shared ssl-shared crypto-shared Ws2_32.lib)
+		target_link_libraries(tls-shared Ws2_32.lib)
 		set(TLS_POSTFIX -${TLS_MAJOR_VERSION})
 	endif()
 	set_target_properties(tls-shared PROPERTIES

update.sh

@@ -347,7 +347,7 @@ echo dist_man_MANS = >> man/Makefile.am
 		echo "dist_man_MANS += $NAME" >> Makefile.am
 	done
 
-	for i in `ls -1 $libcrypto_src/man/*.3 | sort`; do
+	for i in `ls -1 $libcrypto_src/man/*.[35] | sort`; do
 		NAME=`basename "$i"`
 		$CP $i .
 		echo "dist_man_MANS += $NAME" >> Makefile.am