remove duplicate entry

Primarily this is to select whether 'lib64' or 'lib' is used on linux type systems.

.gitignore

@@ -143,7 +143,6 @@ include/openssl/*.h
 !/crypto/compat/arc4random.h
 !/crypto/compat/b_win.c
 !/crypto/compat/explicit_bzero_win.c
-!/crypto/compat/freezero.c
 !/crypto/compat/getpagesize.c
 !/crypto/compat/posix_win.c
 !/crypto/compat/bsd_asprintf.c

CMakeLists.txt

@@ -27,18 +27,12 @@ string(STRIP ${TLS_VERSION} TLS_VERSION)
 string(REPLACE ":" "." TLS_VERSION ${TLS_VERSION})
 string(REGEX REPLACE "\\..*" "" TLS_MAJOR_VERSION ${TLS_VERSION})
 
-option(LIBRESSL_SKIP_INSTALL "Skip installation" ${LIBRESSL_SKIP_INSTALL})
 option(ENABLE_ASM "Enable assembly" ON)
 option(ENABLE_EXTRATESTS "Enable extra tests that may be unreliable on some platforms" OFF)
 option(ENABLE_NC "Enable installing TLS-enabled nc(1)" OFF)
 option(ENABLE_VSTEST "Enable test on Visual Studio" OFF)
 set(OPENSSLDIR ${OPENSSLDIR} CACHE PATH "Set the default openssl directory" FORCE)
 
-if(NOT LIBRESSL_SKIP_INSTALL)
-	set( ENABLE_LIBRESSL_INSTALL ON )
-endif(NOT LIBRESSL_SKIP_INSTALL)
-
-
 set(BUILD_NC true)
 
 if(CMAKE_SYSTEM_NAME MATCHES "Darwin")

ChangeLog

@@ -28,66 +28,6 @@ history is also available from Git.
 
 LibreSSL Portable Release Notes:
 
-2.6.0 - New APIs, bug fixes and improvements
-
-	* Added support for providing CRLs to libtls. Once a CRL is provided we
-	  enable CRL checking for the full certificate chain. Based on a diff
-	  from Jack Burton
-
-	* Allow non-compliant clients using IP literal addresses with SNI
-	  to connect to a server using libtls.
-
-	* Avoid a potential NULL pointer dereference in d2i_ECPrivateKey().
-	  Reported by Robert Swiecki, who found the issue using honggfuzz.
-
-	* Added definitions for three OIDs used in EV certificates.
-	  From Kyle J. McKay
-
-	* Plugged a memory leak in tls_ocsp_free.
-
-	* Added tls_peer_cert_chain_pem, tls_cert_hash, and tls_hex_string to
-	  libtls, useful in private certificate validation callbacks such as
-	  those in relayd.
-
-	* Converted explicit lear/free sequences to use freezero(3).
-
-	* Reworked TLS certificate name verification code to more strictly
-	  follow RFC 6125.
-
-	* Cleaned up and simplified server key exchange EC point handling.
-
-	* Added tls_keypair_clear_key for clearing key material.
-
-	* Removed inconsistent IPv6 handling from BIO_get_accept_socket,
-	  simplified BIO_get_host_ip and BIO_accept.
-
-	* Fixed the openssl(1) ca command so that is generates certificates
-	  with RFC 5280-conformant time. Problem noticed by Harald Dunkel.
-
-	* Added ASN1_TIME_set_tm to set an asn1 from a struct tm *
-
-	* Added SSL{,_CTX}_set_{min,max}_proto_version() functions.
-
-	* Added HKDF (HMAC Key Derivation Function) from BoringSSL
-
-	* Providea a tls_unload_file() function that frees the memory returned
-	  from a tls_load_file() call, ensuring that it the contents become
-	  inaccessible. This is specifically needed on platforms where the
-	  library allocators may be different from the application allocator.
-
-	* Perform reference counting for tls_config. This allows
-	  tls_config_free() to be called as soon as it has been passed to the
-	  final tls_configure() call, simplifying lifetime tracking for the
-	  application.
-
-	* Moved internal state of SSL and other structures to be opaque.
-
-	* Dropped cipher suites with DSS authentication.
-
-	* nc(1) improvements, including:
-	   nc -W to terminate nc after receiving a number of packets
-	   nc -Z for saving the peer certificate and chain in a pem file
-
 2.5.5 - Bug fixes
 
 	* Distinguish between self-issued certificates and self-signed

OPENBSD_BRANCH

@@ -1 +1 @@
-master
+OPENBSD_6_1

README.md

@@ -131,15 +131,3 @@ install CMake, enter the LibreSSL source directory and run:
 
 This will generate a LibreSSL.sln file that you can incorporate into other
 projects or build by itself.
-
-#### Cmake - Additional Options ####
-
-| Option Name | Default | Description 
-| ------------ | -----: | ------ 
-|  LIBRESSL_SKIP_INSTALL | OFF | allows skipping install() rules.  Can be specified from command line using <br>```-DLIBRESSL_SKIP_INSTALL=ON``` |
-|  ENABLE_ASM | ON | builds assembly optimized rules. |
-|  ENABLE_EXTRATESTS | OFF | Enable extra tests that may be unreliable on some platforms |
-|  ENABLE_NC | OFF | Enable installing TLS-enabled nc(1) |
-|  ENABLE_VSTEST | OFF | Enable test on Visual Studio |
-|  OPENSSLDIR | Blank | Set the default openssl directory.  Can be specified from command line using <br>```-DOPENSSLDIR=<dirname>``` |
-

apps/nc/CMakeLists.txt

@@ -53,10 +53,8 @@ add_executable(nc ${NC_SRC})
 target_link_libraries(nc tls ${OPENSSL_LIBS})
 
 if(ENABLE_NC)
-	if(ENABLE_LIBRESSL_INSTALL)
 	install(TARGETS nc DESTINATION ${CMAKE_INSTALL_BINDIR})
 	install(FILES nc.1 DESTINATION ${CMAKE_INSTALL_MANDIR}/man1)
-	endif(ENABLE_LIBRESSL_INSTALL)
 endif()
 
 endif()

apps/ocspcheck/CMakeLists.txt

@@ -36,10 +36,7 @@ endif()
 add_executable(ocspcheck ${OCSPCHECK_SRC})
 target_link_libraries(ocspcheck tls ${OPENSSL_LIBS})
 
-if(ENABLE_LIBRESSL_INSTALL)
+install(TARGETS ocspcheck DESTINATION ${CMAKE_INSTALL_BINDIR})
-	install(TARGETS ocspcheck DESTINATION ${CMAKE_INSTALL_BINDIR})
+install(FILES ocspcheck.8 DESTINATION ${CMAKE_INSTALL_MANDIR}/man8)
-	install(FILES ocspcheck.8 DESTINATION ${CMAKE_INSTALL_MANDIR}/man8)
-
-endif(ENABLE_LIBRESSL_INSTALL)
 
 endif()

apps/openssl/CMakeLists.txt

@@ -76,17 +76,13 @@ endif()
 add_executable(openssl ${OPENSSL_SRC})
 target_link_libraries(openssl ${OPENSSL_LIBS})
 
-if(ENABLE_LIBRESSL_INSTALL)
+install(TARGETS openssl DESTINATION ${CMAKE_INSTALL_BINDIR})
-	install(TARGETS openssl DESTINATION ${CMAKE_INSTALL_BINDIR})
+install(FILES openssl.1 DESTINATION ${CMAKE_INSTALL_MANDIR}/man1)
-	install(FILES openssl.1 DESTINATION ${CMAKE_INSTALL_MANDIR}/man1)
-endif(ENABLE_LIBRESSL_INSTALL)
 
 if(NOT "${OPENSSLDIR}" STREQUAL "")
 	set(CONF_DIR "${OPENSSLDIR}")
 else()
 	set(CONF_DIR "${CMAKE_INSTALL_PREFIX}/etc/ssl")
 endif()
-if(ENABLE_LIBRESSL_INSTALL)
+install(FILES cert.pem openssl.cnf x509v3.cnf DESTINATION ${CONF_DIR})
-	install(FILES cert.pem openssl.cnf x509v3.cnf DESTINATION ${CONF_DIR})
+install(DIRECTORY DESTINATION ${CONF_DIR}/cert)
-	install(DIRECTORY DESTINATION ${CONF_DIR}/cert)
-endif(ENABLE_LIBRESSL_INSTALL)

configure.ac

@@ -54,6 +54,8 @@ CHECK_CRYPTO_COMPAT
 CHECK_VA_COPY
 CHECK_B64_NTOP
 
+GENERATE_CRYPTO_PORTABLE_SYM
+
 AC_ARG_WITH([openssldir],
 	AS_HELP_STRING([--with-openssldir],
 		       [Set the default openssl directory]),
@@ -78,15 +80,19 @@ AC_TRY_COMPILE([#include "$srcdir/crypto/modes/modes_lcl.h"],
 	       BSWAP4=no)
 CFLAGS="$old_cflags"
 
-AS_CASE([$host_cpu],
+case $host_cpu in
-	[*sparc*], [CPPFLAGS="$CPPFLAGS -D__STRICT_ALIGNMENT"],
+	*sparc*)
-	[*arm*], AS_IF([test "x$BSWAP4" = "xyes"],,
+		CPPFLAGS="$CPPFLAGS -D__STRICT_ALIGNMENT"
-		    CPPFLAGS="$CPPFLAGS -D__STRICT_ALIGNMENT"),
+		;;
-	[*amd64*], [host_cpu=x86_64, HOSTARCH=intel],
+	*arm*)
-	[i?86], [HOSTARCH=intel],
+		AS_IF([test "x$BSWAP4" = "xyes"],,
-	[x86_64], [HOSTARCH=intel]
+		    CPPFLAGS="$CPPFLAGS -D__STRICT_ALIGNMENT")
-)
+		;;
-AM_CONDITIONAL([HOST_CPU_IS_INTEL], [test "x$HOSTARCH" = "xintel"])
+	*amd64*)
+		host_cpu=x86_64
+		;;
+
+esac
 
 AC_MSG_CHECKING([if .gnu.warning accepts long strings])
 AC_LINK_IFELSE([AC_LANG_SOURCE([[

crypto/CMakeLists.txt

@@ -463,7 +463,6 @@ set(
 	gost/gostr341001_pmeth.c
 	gost/gostr341194.c
 	gost/streebog.c
-	hkdf/hkdf.c
 	hmac/hm_ameth.c
 	hmac/hm_pmeth.c
 	hmac/hmac.c
@@ -682,11 +681,6 @@ if(NOT HAVE_ASPRINTF)
 	set(EXTRA_EXPORT ${EXTRA_EXPORT} vasprintf)
 endif()
 
-if(NOT HAVE_FREEZERO)
-	set(CRYPTO_SRC ${CRYPTO_SRC} compat/freezero.c)
-	set(EXTRA_EXPORT ${EXTRA_EXPORT} freezero)
-endif()
-
 if(NOT HAVE_GETPAGESIZE)
 	set(CRYPTO_SRC ${CRYPTO_SRC} compat/getpagesize.c)
 endif()
@@ -829,13 +823,9 @@ if (BUILD_SHARED)
 		ARCHIVE_OUTPUT_NAME crypto${CRYPTO_POSTFIX})
 	set_target_properties(crypto-shared PROPERTIES VERSION
 		${CRYPTO_VERSION} SOVERSION ${CRYPTO_MAJOR_VERSION})
-	if(ENABLE_LIBRESSL_INSTALL)
 	install(TARGETS crypto crypto-shared DESTINATION ${CMAKE_INSTALL_LIBDIR})
-	endif(ENABLE_LIBRESSL_INSTALL)
 else()
 	add_library(crypto STATIC ${CRYPTO_SRC})
-	if(ENABLE_LIBRESSL_INSTALL)
 	install(TARGETS crypto DESTINATION ${CMAKE_INSTALL_LIBDIR})
-	endif(ENABLE_LIBRESSL_INSTALL)
 endif()
 

crypto/Makefile.am

@@ -18,80 +18,6 @@ EXTRA_DIST += compat/strcasecmp.c
 BUILT_SOURCES = crypto_portable.sym
 CLEANFILES = crypto_portable.sym
 
-crypto_portable.sym:
-	-echo "generating crypto_portable.sym ..."
-	-cp $(top_srcdir)/crypto/crypto.sym crypto_portable.sym
-	-chmod u+w crypto_portable.sym
-if !HAVE_ARC4RANDOM_BUF
-	-echo arc4random >> crypto_portable.sym
-	-echo arc4random_buf >> crypto_portable.sym
-	-echo arc4random_uniform >> crypto_portable.sym
-if !HAVE_GETENTROPY
-	-echo getentropy >> crypto_portable.sym
-endif
-endif
-if !HAVE_ASPRINTF
-	-echo asprintf >> crypto_portable.sym
-	-echo vasprintf >> crypto_portable.sym
-endif
-if !HAVE_EXPLICIT_BZERO
-	-echo explicit_bzero >> crypto_portable.sym
-endif
-if !HAVE_FREEZERO
-	-echo freezero >> crypto_portable.sym
-endif
-if !HAVE_INET_PTON
-	-echo inet_pton >> crypto_portable.sym
-endif
-if !HAVE_REALLOCARRAY
-	-echo reallocarray >> crypto_portable.sym
-endif
-if !HAVE_RECALLOCARRAY
-	-echo recallocarray >> crypto_portable.sym
-endif
-if !HAVE_STRLCAT
-	-echo strlcat >> crypto_portable.sym
-endif
-if !HAVE_STRLCPY
-	-echo strlcpy >> crypto_portable.sym
-endif
-if !HAVE_STRNDUP
-	-echo strndup >> crypto_portable.sym
-endif
-if !HAVE_STRNLEN
-	-echo strnlen >> crypto_portable.sym
-endif
-if !HAVE_STRSEP
-	-echo strsep >> crypto_portable.sym
-endif
-if !HAVE_TIMEGM
-	-echo timegm >> crypto_portable.sym
-endif
-if !HAVE_TIMINGSAFE_BCMP
-	-echo timingsafe_bcmp >> crypto_portable.sym
-endif
-if !HAVE_TIMINGSAFE_MEMCMP
-	-echo timingsafe_memcmp >> crypto_portable.sym
-endif
-if HOST_CPU_IS_INTEL
-	-echo OPENSSL_ia32cap_P >> crypto_portable.sym
-endif
-if HOST_WIN
-	-echo posix_perror >> crypto_portable.sym
-	-echo posix_fopen >> crypto_portable.sym
-	-echo posix_fgets >> crypto_portable.sym
-	-echo posix_open >> crypto_portable.sym
-	-echo posix_rename >> crypto_portable.sym
-	-echo posix_connect >> crypto_portable.sym
-	-echo posix_close >> crypto_portable.sym
-	-echo posix_read >> crypto_portable.sym
-	-echo posix_write >> crypto_portable.sym
-	-echo posix_getsockopt >> crypto_portable.sym
-	-echo posix_setsockopt >> crypto_portable.sym
-	-grep -v BIO_s_log crypto_portable.sym > crypto_portable.sym.tmp
-	-mv crypto_portable.sym.tmp crypto_portable.sym
-endif
-
 libcrypto_la_LDFLAGS = -version-info @LIBCRYPTO_VERSION@ -no-undefined -export-symbols crypto_portable.sym
 libcrypto_la_LIBADD = libcompat.la
 if !HAVE_EXPLICIT_BZERO
@@ -158,10 +84,6 @@ if !HAVE_ASPRINTF
 libcompat_la_SOURCES += compat/bsd-asprintf.c
 endif
 
-if !HAVE_FREEZERO
-libcompat_la_SOURCES += compat/freezero.c
-endif
-
 if !HAVE_GETPAGESIZE
 libcompat_la_SOURCES += compat/getpagesize.c
 endif
@@ -657,9 +579,6 @@ noinst_HEADERS += gost/gost.h
 noinst_HEADERS += gost/gost_asn1.h
 noinst_HEADERS += gost/gost_locl.h
 
-# hkdf
-libcrypto_la_SOURCES += hkdf/hkdf.c
-
 # hmac
 libcrypto_la_SOURCES += hmac/hm_ameth.c
 libcrypto_la_SOURCES += hmac/hm_pmeth.c

crypto/compat/freezero.c

@@ -1,32 +0,0 @@
-/*
- * Copyright (c) 2008, 2010, 2011, 2016 Otto Moerbeek <otto@drijf.net>
- * Copyright (c) 2012 Matthew Dempsky <matthew@openbsd.org>
- * Copyright (c) 2008 Damien Miller <djm@openbsd.org>
- * Copyright (c) 2000 Poul-Henning Kamp <phk@FreeBSD.org>
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
- * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
- * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
- * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
- * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
- * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
- * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
- */
-
-#include <string.h>
-#include <stdlib.h>
-
-void
-freezero(void *ptr, size_t sz)
-{
-	/* This is legal. */
-	if (ptr == NULL)
-		return;
-
-	explicit_bzero(ptr, sz);
-	free(ptr);
-}

include/CMakeLists.txt

@@ -1,7 +1,5 @@
-if(ENABLE_LIBRESSL_INSTALL)
+install(DIRECTORY .
-	install(DIRECTORY .
         DESTINATION ${CMAKE_INSTALL_INCLUDEDIR}
         PATTERN "CMakeLists.txt" EXCLUDE
         PATTERN "compat" EXCLUDE
         PATTERN "Makefile*" EXCLUDE)
-endif(ENABLE_LIBRESSL_INSTALL)

include/compat/stdlib.h

@@ -25,10 +25,6 @@ void arc4random_buf(void *_buf, size_t n);
 uint32_t arc4random_uniform(uint32_t upper_bound);
 #endif
 
-#ifndef HAVE_FREEZERO
-void freezero(void *ptr, size_t sz);
-#endif
-
 #ifndef HAVE_REALLOCARRAY
 void *reallocarray(void *, size_t, size_t);
 #endif

include/compat/sys/types.h

@@ -20,14 +20,12 @@
 
 #ifdef __MINGW32__
 #include <_bsd_types.h>
-typedef uint32_t        in_addr_t;
 #endif
 
 #ifdef _MSC_VER
 typedef unsigned char   u_char;
 typedef unsigned short  u_short;
 typedef unsigned int    u_int;
-typedef uint32_t        in_addr_t;
 
 #include <basetsd.h>
 typedef SSIZE_T ssize_t;

m4/check-libc.m4

@@ -2,12 +2,11 @@ AC_DEFUN([CHECK_LIBC_COMPAT], [
 # Check for libc headers
 AC_CHECK_HEADERS([err.h readpassphrase.h])
 # Check for general libc functions
-AC_CHECK_FUNCS([asprintf freezero getpagesize inet_ntop inet_pton memmem])
+AC_CHECK_FUNCS([asprintf getpagesize inet_ntop inet_pton memmem readpassphrase])
-AC_CHECK_FUNCS([readpassphrase reallocarray recallocarray])
+AC_CHECK_FUNCS([reallocarray recallocarray])
 AC_CHECK_FUNCS([strlcat strlcpy strndup strnlen strsep strtonum])
 AC_CHECK_FUNCS([timegm _mkgmtime])
 AM_CONDITIONAL([HAVE_ASPRINTF], [test "x$ac_cv_func_asprintf" = xyes])
-AM_CONDITIONAL([HAVE_FREEZERO], [test "x$ac_cv_func_freezero" = xyes])
 AM_CONDITIONAL([HAVE_GETPAGESIZE], [test "x$ac_cv_func_getpagesize" = xyes])
 AM_CONDITIONAL([HAVE_INET_NTOP], [test "x$ac_cv_func_inet_ntop" = xyes])
 AM_CONDITIONAL([HAVE_INET_PTON], [test "x$ac_cv_func_inet_pton" = xyes])
@@ -148,3 +147,85 @@ if test "x$ac_cv_have___va_copy" = "xyes" ; then
 	AC_DEFINE([HAVE___VA_COPY], [1], [Define if __va_copy exists])
 fi
 ])
+
+AC_DEFUN([GENERATE_CRYPTO_PORTABLE_SYM], [
+AS_CASE([$host_cpu],
+	[i?86], [HOSTARCH=intel],
+	[x86_64], [HOSTARCH=intel],
+	[amd64], [HOSTARCH=intel],
+)
+AC_SUBST([HOSTARCH])
+crypto_sym=$srcdir/crypto/crypto.sym
+crypto_p_sym=./crypto/crypto_portable.sym
+echo "generating $crypto_p_sym ..."
+mkdir -p ./crypto
+cp $crypto_sym $crypto_p_sym
+chmod u+w $crypto_p_sym
+if test "x$ac_cv_func_arc4random_buf" = "xno" ; then
+	echo arc4random >> $crypto_p_sym
+	echo arc4random_buf >> $crypto_p_sym
+	echo arc4random_uniform >> $crypto_p_sym
+	if test "x$ac_cv_func_getentropy" = "xno" ; then
+		echo getentropy >> $crypto_p_sym
+	fi
+fi
+if test "x$ac_cv_func_asprintf" = "xno" ; then
+	echo asprintf >> $crypto_p_sym
+	echo vasprintf >> $crypto_p_sym
+fi
+if test "x$ac_cv_func_explicit_bzero" = "xno" ; then
+	echo explicit_bzero >> $crypto_p_sym
+fi
+if test "x$ac_cv_func_inet_pton" = "xno" ; then
+	echo inet_pton >> $crypto_p_sym
+fi
+if test "x$ac_cv_func_reallocarray" = "xno" ; then
+	echo reallocarray >> $crypto_p_sym
+fi
+if test "x$ac_cv_func_recallocarray" = "xno" ; then
+	echo recallocarray >> $crypto_p_sym
+fi
+if test "x$ac_cv_func_strlcat" = "xno" ; then
+	echo strlcat >> $crypto_p_sym
+fi
+if test "x$ac_cv_func_strlcpy" = "xno" ; then
+	echo strlcpy >> $crypto_p_sym
+fi
+if test "x$ac_cv_func_strndup" = "xno" ; then
+	echo strndup >> $crypto_p_sym
+fi
+if test "x$ac_cv_func_strnlen" = "xno" ; then
+	echo strnlen >> $crypto_p_sym
+fi
+if test "x$ac_cv_func_strsep" = "xno" ; then
+	echo strsep >> $crypto_p_sym
+fi
+if test "x$ac_cv_func_timegm" = "xno" ; then
+	echo timegm >> $crypto_p_sym
+fi
+if test "x$ac_cv_func_timingsafe_bcmp" = "xno" ; then
+	echo timingsafe_bcmp >> $crypto_p_sym
+fi
+if test "x$ac_cv_func_timingsafe_memcmp" = "xno" ; then
+	echo timingsafe_memcmp >> $crypto_p_sym
+fi
+if test "x$HOSTARCH" = "xintel" ; then
+	echo OPENSSL_ia32cap_P >> $crypto_p_sym
+fi
+if test "x$HOST_OS" = "xwin" ; then
+	echo posix_perror >> $crypto_p_sym
+	echo posix_fopen >> $crypto_p_sym
+	echo posix_fgets >> $crypto_p_sym
+	echo posix_open >> $crypto_p_sym
+	echo posix_rename >> $crypto_p_sym
+	echo posix_connect >> $crypto_p_sym
+	echo posix_close >> $crypto_p_sym
+	echo posix_read >> $crypto_p_sym
+	echo posix_write >> $crypto_p_sym
+	echo posix_getsockopt >> $crypto_p_sym
+	echo posix_setsockopt >> $crypto_p_sym
+
+	grep -v BIO_s_log $crypto_p_sym > $crypto_p_sym.tmp
+	mv $crypto_p_sym.tmp $crypto_p_sym
+fi
+])

m4/check-os-options.m4

@@ -111,7 +111,6 @@ char buf[1]; getentropy(buf, 1);
 	*solaris*)
 		HOST_OS=solaris
 		HOST_ABI=elf
-		CFLAGS="$CFLAGS -m64"
 		CPPFLAGS="$CPPFLAGS -D__EXTENSIONS__ -D_XOPEN_SOURCE=600 -DBSD_COMP"
 		AC_SUBST([PLATFORM_LDADD], ['-lnsl -lsocket'])
 		;;

man/CMakeLists.txt

@@ -1,11 +1,9 @@
-if(ENABLE_LIBRESSL_INSTALL)
+install(DIRECTORY .
-	install(DIRECTORY .
     DESTINATION ${CMAKE_INSTALL_MANDIR}/man3
     FILES_MATCHING PATTERN "*.3"
     )
 
-	install(DIRECTORY .
+install(DIRECTORY .
     DESTINATION ${CMAKE_INSTALL_MANDIR}/man1
     FILES_MATCHING PATTERN "*.1"
     )
-endif(ENABLE_LIBRESSL_INSTALL)

man/links

@@ -50,6 +50,7 @@ ASN1_STRING_new.3,DISPLAYTEXT_free.3
 ASN1_STRING_new.3,DISPLAYTEXT_new.3
 ASN1_STRING_print_ex.3,ASN1_STRING_print.3
 ASN1_STRING_print_ex.3,ASN1_STRING_print_ex_fp.3
+ASN1_STRING_print_ex.3,ASN1_tag2str.3
 ASN1_TIME_set.3,ASN1_TIME_adj.3
 ASN1_TIME_set.3,ASN1_TIME_check.3
 ASN1_TIME_set.3,ASN1_TIME_print.3
@@ -146,6 +147,9 @@ BIO_new.3,BIO_free.3
 BIO_new.3,BIO_free_all.3
 BIO_new.3,BIO_set.3
 BIO_new.3,BIO_vfree.3
+BIO_printf.3,BIO_snprintf.3
+BIO_printf.3,BIO_vprintf.3
+BIO_printf.3,BIO_vsnprintf.3
 BIO_push.3,BIO_pop.3
 BIO_read.3,BIO_gets.3
 BIO_read.3,BIO_puts.3
@@ -298,6 +302,7 @@ BN_set_bit.3,BN_lshift1.3
 BN_set_bit.3,BN_mask_bits.3
 BN_set_bit.3,BN_rshift.3
 BN_set_bit.3,BN_rshift1.3
+BN_set_flags.3,BN_get_flags.3
 BN_set_negative.3,BN_is_negative.3
 BN_zero.3,BN_get_word.3
 BN_zero.3,BN_one.3
@@ -566,6 +571,7 @@ EVP_DigestInit.3,EVP_MD_CTX_cleanup.3
 EVP_DigestInit.3,EVP_MD_CTX_copy.3
 EVP_DigestInit.3,EVP_MD_CTX_copy_ex.3
 EVP_DigestInit.3,EVP_MD_CTX_create.3
+EVP_DigestInit.3,EVP_MD_CTX_ctrl.3
 EVP_DigestInit.3,EVP_MD_CTX_destroy.3
 EVP_DigestInit.3,EVP_MD_CTX_init.3
 EVP_DigestInit.3,EVP_MD_CTX_md.3
@@ -582,6 +588,7 @@ EVP_DigestInit.3,EVP_get_digestbynid.3
 EVP_DigestInit.3,EVP_get_digestbyobj.3
 EVP_DigestInit.3,EVP_md2.3
 EVP_DigestInit.3,EVP_md5.3
+EVP_DigestInit.3,EVP_md5_sha1.3
 EVP_DigestInit.3,EVP_md_null.3
 EVP_DigestInit.3,EVP_ripemd160.3
 EVP_DigestInit.3,EVP_sha1.3
@@ -1263,6 +1270,8 @@ SSL_load_client_CA_file.3,SSL_add_file_cert_subjects_to_stack.3
 SSL_num_renegotiations.3,SSL_clear_num_renegotiations.3
 SSL_num_renegotiations.3,SSL_total_renegotiations.3
 SSL_read.3,SSL_peek.3
+SSL_renegotiate.3,SSL_renegotiate_abbreviated.3
+SSL_renegotiate.3,SSL_renegotiate_pending.3
 SSL_rstate_string.3,SSL_rstate_string_long.3
 SSL_set1_param.3,SSL_CTX_set1_param.3
 SSL_set_connect_state.3,SSL_set_accept_state.3
@@ -1293,6 +1302,28 @@ TS_REQ_new.3,TS_STATUS_INFO_free.3
 TS_REQ_new.3,TS_STATUS_INFO_new.3
 TS_REQ_new.3,TS_TST_INFO_free.3
 TS_REQ_new.3,TS_TST_INFO_new.3
+UI_UTIL_read_pw.3,UI_UTIL_read_pw_string.3
+UI_create_method.3,UI_destroy_method.3
+UI_create_method.3,UI_method_get_closer.3
+UI_create_method.3,UI_method_get_flusher.3
+UI_create_method.3,UI_method_get_opener.3
+UI_create_method.3,UI_method_get_prompt_constructor.3
+UI_create_method.3,UI_method_get_reader.3
+UI_create_method.3,UI_method_get_writer.3
+UI_create_method.3,UI_method_set_closer.3
+UI_create_method.3,UI_method_set_flusher.3
+UI_create_method.3,UI_method_set_opener.3
+UI_create_method.3,UI_method_set_prompt_constructor.3
+UI_create_method.3,UI_method_set_reader.3
+UI_create_method.3,UI_method_set_writer.3
+UI_get_string_type.3,UI_get0_action_string.3
+UI_get_string_type.3,UI_get0_output_string.3
+UI_get_string_type.3,UI_get0_result_string.3
+UI_get_string_type.3,UI_get0_test_string.3
+UI_get_string_type.3,UI_get_input_flags.3
+UI_get_string_type.3,UI_get_result_maxsize.3
+UI_get_string_type.3,UI_get_result_minsize.3
+UI_get_string_type.3,UI_set_result.3
 UI_new.3,UI_OpenSSL.3
 UI_new.3,UI_add_error_string.3
 UI_new.3,UI_add_info_string.3
@@ -1427,6 +1458,11 @@ X509_VERIFY_PARAM_set_flags.3,X509_VERIFY_PARAM_set_trust.3
 X509_check_host.3,X509_check_email.3
 X509_check_host.3,X509_check_ip.3
 X509_check_host.3,X509_check_ip_asc.3
+X509_digest.3,PKCS7_ISSUER_AND_SERIAL_digest.3
+X509_digest.3,X509_CRL_digest.3
+X509_digest.3,X509_NAME_digest.3
+X509_digest.3,X509_REQ_digest.3
+X509_digest.3,X509_pubkey_digest.3
 X509_get_pubkey.3,X509_REQ_get_pubkey.3
 X509_get_pubkey.3,X509_REQ_set_pubkey.3
 X509_get_pubkey.3,X509_get_X509_PUBKEY.3
@@ -1931,6 +1967,13 @@ engine.3,ENGINE_unregister_STORE.3
 engine.3,ENGINE_unregister_ciphers.3
 engine.3,ENGINE_unregister_digests.3
 engine.3,ENGINE_up_ref.3
+get_rfc3526_prime_8192.3,get_rfc2409_prime_1024.3
+get_rfc3526_prime_8192.3,get_rfc2409_prime_768.3
+get_rfc3526_prime_8192.3,get_rfc3526_prime_1536.3
+get_rfc3526_prime_8192.3,get_rfc3526_prime_2048.3
+get_rfc3526_prime_8192.3,get_rfc3526_prime_3072.3
+get_rfc3526_prime_8192.3,get_rfc3526_prime_4096.3
+get_rfc3526_prime_8192.3,get_rfc3526_prime_6144.3
 lh_new.3,DECLARE_LHASH_OF.3
 lh_new.3,LHASH_COMP_FN_TYPE.3
 lh_new.3,LHASH_DOALL_ARG_FN_TYPE.3
@@ -1961,8 +2004,6 @@ tls_accept_socket.3,tls_accept_fds.3
 tls_client.3,tls_configure.3
 tls_client.3,tls_free.3
 tls_client.3,tls_server.3
-tls_config_ocsp_require_stapling.3,tls_config_set_ocsp_staple_file.3
-tls_config_ocsp_require_stapling.3,tls_config_set_ocsp_staple_mem.3
 tls_config_set_protocols.3,tls_config_parse_protocols.3
 tls_config_set_protocols.3,tls_config_prefer_ciphers_client.3
 tls_config_set_protocols.3,tls_config_prefer_ciphers_server.3
@@ -1994,6 +2035,8 @@ tls_init.3,tls_config_free.3
 tls_init.3,tls_config_new.3
 tls_load_file.3,tls_config_add_keypair_file.3
 tls_load_file.3,tls_config_add_keypair_mem.3
+tls_load_file.3,tls_config_add_keypair_ocsp_file.3
+tls_load_file.3,tls_config_add_keypair_ocsp_mem.3
 tls_load_file.3,tls_config_clear_keys.3
 tls_load_file.3,tls_config_set_ca_file.3
 tls_load_file.3,tls_config_set_ca_mem.3
@@ -2004,6 +2047,10 @@ tls_load_file.3,tls_config_set_key_file.3
 tls_load_file.3,tls_config_set_key_mem.3
 tls_load_file.3,tls_config_set_keypair_file.3
 tls_load_file.3,tls_config_set_keypair_mem.3
+tls_load_file.3,tls_config_set_keypair_ocsp_file.3
+tls_load_file.3,tls_config_set_keypair_ocsp_mem.3
+tls_load_file.3,tls_config_set_ocsp_staple_file.3
+tls_load_file.3,tls_config_set_ocsp_staple_mem.3
 tls_load_file.3,tls_config_set_verify_depth.3
 tls_load_file.3,tls_config_verify_client.3
 tls_load_file.3,tls_config_verify_client_optional.3

patches/http.c.patch

@@ -1,12 +0,0 @@
---- apps/ocspcheck/http.c.orig	Sun Jun  4 00:45:29 2017
-+++ apps/ocspcheck/http.c	Sun Jun  4 00:45:57 2017
-@@ -35,7 +35,9 @@
- #include "http.h"
- #include <tls.h>
- 
-+#ifndef DEFAULT_CA_FILE
- #define DEFAULT_CA_FILE "/etc/ssl/cert.pem"
-+#endif
- 
- /*
-  * A buffer for transferring HTTP/S data.

patches/netcat.c.patch

@@ -1,6 +1,6 @@
---- apps/nc/netcat.c.orig	2017-07-07 00:10:09.009409624 +0900
+--- apps/nc/netcat.c.orig	Thu Mar 16 19:26:06 2017
-+++ apps/nc/netcat.c	2017-07-07 00:30:32.380088772 +0900
++++ apps/nc/netcat.c	Sat Mar 25 11:17:36 2017
-@@ -66,7 +66,9 @@
+@@ -65,7 +65,9 @@
  #define POLL_NETIN 2
  #define POLL_STDOUT 3
  #define BUFSIZE 16384
@@ -10,7 +10,7 @@
  
  #define TLS_ALL	(1 << 1)
  #define TLS_NOVERIFY	(1 << 2)
-@@ -94,9 +96,13 @@ int	zflag;					/* Port Scan Flag */
+@@ -93,9 +95,13 @@
  int	Dflag;					/* sodebug */
  int	Iflag;					/* TCP receive buffer size */
  int	Oflag;					/* TCP send buffer size */
@@ -24,7 +24,16 @@
  
  int	usetls;					/* use TLS */
  char    *Cflag;					/* Public cert file */
-@@ -265,12 +271,14 @@ main(int argc, char *argv[])
+@@ -149,7 +155,7 @@
+ 	struct servent *sv;
+ 	socklen_t len;
+ 	struct sockaddr_storage cliaddr;
+-	char *proxy, *proxyport = NULL;
++	char *proxy = NULL, *proxyport = NULL;
+ 	const char *errstr;
+ 	struct addrinfo proxyhints;
+ 	char unix_dg_tmp_socket_buf[UNIX_DG_TMP_SOCKET_SIZE];
+@@ -259,12 +265,14 @@
  		case 'u':
  			uflag = 1;
  			break;
@@ -39,7 +48,7 @@
  		case 'v':
  			vflag = 1;
  			break;
-@@ -317,9 +325,11 @@ main(int argc, char *argv[])
+@@ -300,9 +308,11 @@
  		case 'o':
  			oflag = optarg;
  			break;
@@ -51,7 +60,7 @@
  		case 'T':
  			errstr = NULL;
  			errno = 0;
-@@ -343,9 +353,11 @@ main(int argc, char *argv[])
+@@ -326,9 +336,11 @@
  	argc -= optind;
  	argv += optind;
  
@@ -63,7 +72,7 @@
  
  	if (family == AF_UNIX) {
  		if (pledge("stdio rpath wpath cpath tmppath unix", NULL) == -1)
-@@ -888,7 +900,10 @@ int
+@@ -865,7 +877,10 @@
  remote_connect(const char *host, const char *port, struct addrinfo hints)
  {
  	struct addrinfo *res, *res0;
@@ -75,7 +84,7 @@
  
  	if ((error = getaddrinfo(host, port, &hints, &res0)))
  		errx(1, "getaddrinfo for host \"%s\" port %s: %s", host,
-@@ -903,8 +918,10 @@ remote_connect(const char *host, const c
+@@ -880,8 +895,10 @@
  		if (sflag || pflag) {
  			struct addrinfo ahints, *ares;
  
@@ -86,7 +95,7 @@
  			memset(&ahints, 0, sizeof(struct addrinfo));
  			ahints.ai_family = res->ai_family;
  			ahints.ai_socktype = uflag ? SOCK_DGRAM : SOCK_STREAM;
-@@ -975,7 +992,10 @@ int
+@@ -952,7 +969,10 @@
  local_listen(char *host, char *port, struct addrinfo hints)
  {
  	struct addrinfo *res, *res0;
@@ -98,7 +107,7 @@
  	int error;
  
  	/* Allow nodename to be null. */
-@@ -996,9 +1016,11 @@ local_listen(char *host, char *port, str
+@@ -973,9 +993,11 @@
  		    res->ai_protocol)) < 0)
  			continue;
  
@@ -110,7 +119,7 @@
  
  		set_common_sockopts(s, res->ai_family);
  
-@@ -1454,11 +1476,13 @@ set_common_sockopts(int s, int af)
+@@ -1425,11 +1447,13 @@
  {
  	int x = 1;
  
@@ -124,24 +133,7 @@
  	if (Dflag) {
  		if (setsockopt(s, SOL_SOCKET, SO_DEBUG,
  			&x, sizeof(x)) == -1)
-@@ -1469,9 +1493,16 @@ set_common_sockopts(int s, int af)
+@@ -1466,13 +1490,17 @@
- 		    IP_TOS, &Tflag, sizeof(Tflag)) == -1)
- 			err(1, "set IP ToS");
- 
-+#ifdef IPV6_TCLASS
- 		else if (af == AF_INET6 && setsockopt(s, IPPROTO_IPV6,
- 		    IPV6_TCLASS, &Tflag, sizeof(Tflag)) == -1)
- 			err(1, "set IPv6 traffic class");
-+#else
-+		else if (af == AF_INET6) {
-+			errno = ENOPROTOOPT
-+			err(1, "set IPv6 traffic class not supported");
-+		}
-+#endif
- 	}
- 	if (Iflag) {
- 		if (setsockopt(s, SOL_SOCKET, SO_RCVBUF,
-@@ -1495,13 +1526,17 @@ set_common_sockopts(int s, int af)
  	}
  
  	if (minttl != -1) {
@@ -160,7 +152,7 @@
  	}
  }
  
-@@ -1709,14 +1744,22 @@ help(void)
+@@ -1666,14 +1694,22 @@
  	\t-P proxyuser\tUsername for proxy authentication\n\
  	\t-p port\t	Specify local port for remote connects\n\
  	\t-R CAfile	CA bundle\n\
@@ -185,5 +177,5 @@
 +#endif
 +	"\
  	\t-v		Verbose\n\
- 	\t-W recvlimit	Terminate after receiving a number of packets\n\
  	\t-w timeout	Timeout for connects and final net reads\n\
+ 	\t-X proto	Proxy protocol: \"4\", \"5\" (SOCKS) or \"connect\"\n\

ssl/CMakeLists.txt

@@ -60,12 +60,8 @@ if (BUILD_SHARED)
 		ARCHIVE_OUTPUT_NAME ssl${SSL_POSTFIX})
 	set_target_properties(ssl-shared PROPERTIES VERSION ${SSL_VERSION}
 		SOVERSION ${SSL_MAJOR_VERSION})
-	if(ENABLE_LIBRESSL_INSTALL)
 	install(TARGETS ssl ssl-shared DESTINATION ${CMAKE_INSTALL_LIBDIR})
-	endif(ENABLE_LIBRESSL_INSTALL)
 else()
 	add_library(ssl STATIC ${SSL_SRC})
-	if(ENABLE_LIBRESSL_INSTALL)
 	install(TARGETS ssl DESTINATION ${CMAKE_INSTALL_LIBDIR})
-	endif(ENABLE_LIBRESSL_INSTALL)
 endif()

tests/CMakeLists.txt

@@ -178,11 +178,6 @@ add_executable(gost2814789t gost2814789t.c)
 target_link_libraries(gost2814789t ${TESTS_LIBS})
 add_test(gost2814789t gost2814789t)
 
-# hkdf_test
-add_executable(hkdf_test hkdf_test.c)
-target_link_libraries(hkdf_test ${TESTS_LIBS})
-add_test(hkdf_test hkdf_test)
-
 # hmactest
 add_executable(hmactest hmactest.c)
 target_link_libraries(hmactest ${TESTS_LIBS})

tests/Makefile.am

@@ -184,11 +184,6 @@ TESTS += gost2814789t
 check_PROGRAMS += gost2814789t
 gost2814789t_SOURCES = gost2814789t.c
 
-# hkdf_test
-TESTS += hkdftest
-check_PROGRAMS += hkdftest
-hkdftest_SOURCES = hkdf_test.c
-
 # hmactest
 TESTS += hmactest
 check_PROGRAMS += hmactest

tests/tlstest.bat

@@ -9,7 +9,7 @@ if "%srcdir%"=="" (
 	set srcdir=.
 )
 
-%tlstest_bin% %srcdir%\ca.pem %srcdir%\server.pem %srcdir%\server.pem
+%tlstest_bin% %srcdir%\server.pem %srcdir%\server.pem %srcdir%\ca.pem
 if !errorlevel! neq 0 (
 	exit /b 1
 )

tests/tlstest.sh

@@ -10,4 +10,4 @@ if [ -z $srcdir ]; then
 	srcdir=.
 fi
 
-$tlstest_bin $srcdir/ca.pem $srcdir/server.pem $srcdir/server.pem
+$tlstest_bin $srcdir/server.pem $srcdir/server.pem $srcdir/ca.pem

tls/CMakeLists.txt

@@ -39,13 +39,9 @@ if (BUILD_SHARED)
 		ARCHIVE_OUTPUT_NAME tls${TLS_POSTFIX})
 	set_target_properties(tls-shared PROPERTIES VERSION ${TLS_VERSION}
 		SOVERSION ${TLS_MAJOR_VERSION})
-	if(ENABLE_LIBRESSL_INSTALL)
 	install(TARGETS tls tls-shared DESTINATION ${CMAKE_INSTALL_LIBDIR})
-	endif(ENABLE_LIBRESSL_INSTALL)
 else()
 	add_library(tls STATIC ${TLS_SRC})
-	if(ENABLE_LIBRESSL_INSTALL)
 	install(TARGETS tls DESTINATION ${CMAKE_INSTALL_LIBDIR})
-	endif(ENABLE_LIBRESSL_INSTALL)
 endif()
 

update.sh

@@ -18,17 +18,16 @@ fi
 
 # setup source paths
 CWD=`pwd`
-OPENBSD_SRC=$CWD/openbsd/src
+libc_src=$CWD/openbsd/src/lib/libc
-libc_src=$OPENBSD_SRC/lib/libc
+libc_regress=$CWD/openbsd/src/regress/lib/libc
-libc_regress=$OPENBSD_SRC/regress/lib/libc
+libcrypto_src=$CWD/openbsd/src/lib/libcrypto
-libcrypto_src=$OPENBSD_SRC/lib/libcrypto
+libcrypto_regress=$CWD/openbsd/src/regress/lib/libcrypto
-libcrypto_regress=$OPENBSD_SRC/regress/lib/libcrypto
+libssl_src=$CWD/openbsd/src/lib/libssl
-libssl_src=$OPENBSD_SRC/lib/libssl
+libssl_regress=$CWD/openbsd/src/regress/lib/libssl
-libssl_regress=$OPENBSD_SRC/regress/lib/libssl
+libtls_src=$CWD/openbsd/src/lib/libtls
-libtls_src=$OPENBSD_SRC/lib/libtls
+libtls_regress=$CWD/openbsd/src/regress/lib/libtls
-libtls_regress=$OPENBSD_SRC/regress/lib/libtls
+bin_src=$CWD/openbsd/src/usr.bin
-bin_src=$OPENBSD_SRC/usr.bin
+sbin_src=$CWD/openbsd/src/usr.sbin
-sbin_src=$OPENBSD_SRC/usr.sbin
 
 # load library versions
 . $libcrypto_src/shlib_version
@@ -63,10 +62,6 @@ do_cp_libc() {
 CP_LIBC='do_cp_libc'
 
 CP='cp -p'
-GREP='grep'
-if [ -x /opt/csw/bin/ggrep ]; then
-	GREP='/opt/csw/bin/ggrep'
-fi
 
 $CP $libssl_src/LICENSE COPYING
 
@@ -125,7 +120,7 @@ copy_hdrs $libcrypto_src "stack/stack.h lhash/lhash.h stack/safestack.h
 	ossl_typ.h err/err.h crypto.h comp/comp.h x509/x509.h buffer/buffer.h
 	objects/objects.h asn1/asn1.h bn/bn.h ec/ec.h ecdsa/ecdsa.h
 	ecdh/ecdh.h rsa/rsa.h sha/sha.h x509/x509_vfy.h pkcs7/pkcs7.h pem/pem.h
-	pem/pem2.h hkdf/hkdf.h hmac/hmac.h rand/rand.h md5/md5.h
+	pem/pem2.h hmac/hmac.h rand/rand.h md5/md5.h
 	asn1/asn1_mac.h x509v3/x509v3.h conf/conf.h ocsp/ocsp.h
 	aes/aes.h modes/modes.h asn1/asn1t.h dso/dso.h bf/blowfish.h
 	bio/bio.h cast/cast.h cmac/cmac.h conf/conf_api.h des/des.h dh/dh.h
@@ -156,7 +151,7 @@ done
 $CP crypto/compat/b_win.c crypto/bio
 $CP crypto/compat/ui_openssl_win.c crypto/ui
 # add the libcrypto symbol export list
-$GREP -v OPENSSL_ia32cap_P $libcrypto_src/Symbols.list | $GREP '^[[:alpha:]]' > crypto/crypto.sym
+grep -v OPENSSL_ia32cap_P $libcrypto_src/Symbols.list | grep '^[[:alpha:]]' > crypto/crypto.sym
 
 # generate assembly crypto algorithms
 asm_src=$libcrypto_src
@@ -211,7 +206,7 @@ for i in `awk '/SOURCES|HEADERS/ { print $3 }' tls/Makefile.am` ; do
 	fi
 done
 # add the libtls symbol export list
-$GREP '^[[:alpha:]]' < $libtls_src/Symbols.list > tls/tls.sym
+grep '^[[:alpha:]]' < $libtls_src/Symbols.list > tls/tls.sym
 
 mkdir -p libtls-standalone/m4
 $CP m4/check*.m4 \
@@ -264,7 +259,7 @@ for i in `awk '/SOURCES|HEADERS/ { print $3 }' ssl/Makefile.am` ; do
 	$CP $libssl_src/$i ssl
 done
 # add the libssl symbol export list
-$GREP '^[[:alpha:]]' < $libssl_src/Symbols.list > ssl/ssl.sym
+grep '^[[:alpha:]]' < $libssl_src/Symbols.list > ssl/ssl.sym
 
 # copy libcrypto tests
 echo "copying tests"
@@ -309,7 +304,7 @@ add_man_links() {
 	filter=$1
 	dest=$2
 	echo "install-data-hook:" >> $dest
-	for i in `$GREP $filter man/links`; do
+	for i in `grep $filter man/links`; do
 		IFS=","; set $i; unset IFS
 		if [ "$2" != "" ]; then
 			echo "	ln -sf \"$1\" \"\$(DESTDIR)\$(mandir)/man3/$2\"" >> $dest
@@ -317,7 +312,7 @@ add_man_links() {
 	done
 	echo "" >> $dest
 	echo "uninstall-local:" >> $dest
-	for i in `$GREP $filter man/links`; do
+	for i in `grep $filter man/links`; do
 		IFS=","; set $i; unset IFS
 		if [ "$2" != "" ]; then
 			echo "	-rm -f \"\$(DESTDIR)\$(mandir)/man3/$2\"" >> $dest