add release notes

If the target system does not define IPV6_TCLASS, this part of
the patch handles that with an ENOPROTOOPT error rather than
failing to compile.

Unfortunately it's missing a trailing semicolon leading to
a compilation error.

Add the missing semicolon to fix the problem.

Signed-off-by: Kyle J. McKay <mackyle@gmail.com>

.gitignore

@@ -45,6 +45,7 @@ Makefile.in
 # man pages
 *.1
 *.3
+*.5
 
 # tests
 test-driver

CMakeLists.txt

@@ -324,6 +324,23 @@ if(NOT MSVC OR ENABLE_VSTEST)
 	add_subdirectory(tests)
 endif()
 
+if(NOT MSVC)
+	# Create pkgconfig files.
+	set(prefix      ${CMAKE_INSTALL_PREFIX})
+	set(exec_prefix \${prefix})
+	set(libdir      \${exec_prefix}/${CMAKE_INSTALL_LIBDIR})
+	set(includedir  \${prefix}/include)
+	file(STRINGS    "VERSION" VERSION LIMIT_COUNT 1)
+	file(GLOB       OPENSSL_PKGCONFIGS "*.pc.in")
+	foreach(file ${OPENSSL_PKGCONFIGS})
+		get_filename_component(filename ${file} NAME)
+		string(REPLACE ".in" "" new_file "${filename}")
+		configure_file(${filename} pkgconfig/${new_file} @ONLY)
+	endforeach()
+	install(DIRECTORY ${CMAKE_CURRENT_BINARY_DIR}/pkgconfig
+		DESTINATION ${CMAKE_INSTALL_LIBDIR})
+endif()
+
 configure_file(
 	"${CMAKE_CURRENT_SOURCE_DIR}/cmake_uninstall.cmake.in"
 	"${CMAKE_CURRENT_BINARY_DIR}/cmake_uninstall.cmake"

ChangeLog

@@ -28,6 +28,49 @@ history is also available from Git.
 
 LibreSSL Portable Release Notes:
 
+2.6.4 - Bug fixes
+
+	* Make tls_config_parse_protocols() work correctly when passed a NULL
+	  pointer for a protocol string. Issue found by semarie@, who also
+	  provided the diff.
+
+	* Correct TLS extensions handling when no extensions are present.
+	  If no TLS extensions are present in a client hello or server hello,
+	  omit the entire extensions block, rather than including it with a
+	  length of zero. Thanks to Eric Elena <eric at voguemerry dot com> for
+	  providing packet captures and testing the fix.
+
+	* Fixed portable builds on older Android systems, and systems with out
+	  IPV6_TCLASS support.
+
+2.6.3 - OpenBSD 6.2 Release
+
+	* No core changes from LibreSSL 2.6.2
+
+	* Minor compatibility fixes in portable version.
+
+2.6.2 - Bug fixes
+
+	* Provide a useful error with libtls if there are no OCSP URLs in a
+	  peer certificate.
+
+	* Keep track of which keypair is in use by a TLS context, fixing a bug
+	  where a TLS server with SNI would only return the OCSP staple for the
+	  default keypair. Issue reported by William Graeber and confirmed by
+	  Andreas Bartelt.
+
+	* Fixed various issues in the OCSP extension parsing code.
+	  The original code incorrectly passes the pointer allocated via
+	  CBS_stow() (using malloc()) to a d2i_*() function and then calls
+	  free() on the now incremented pointer, most likely resulting in a
+	  crash. This issue was reported by Robert Swiecki who found the issue
+	  using honggfuzz.
+
+	* If tls_config_parse_protocols() is called with a NULL pointer,
+	  return the default protocols instead of crashing - this makes the
+	  behaviour more useful and mirrors what we already do in
+	  tls_config_set_ciphers() et al.
+
 2.6.1 - Code removal, rewrites
 
 	* Added a "-T tlscompat" option to nc(1), which enables the use of all
@@ -63,7 +106,7 @@ LibreSSL Portable Release Notes:
 	  CryptoPro clients.
 
 	* Removed support for the TLS padding extension, which was added as a
-	  workaround for an old bug in F5's TLS termintation.
+	  workaround for an old bug in F5's TLS termination.
 
 	* Worked around another bug in F5's TLS termination handling of the
 	  elliptical curves extension. RFC 4492 only defines elliptic_curves

OPENBSD_BRANCH

@@ -1 +1 @@
-master
+OPENBSD_6_2

apps/ocspcheck/CMakeLists.txt

@@ -20,7 +20,7 @@ else()
         set(OCSPCHECK_SRC ${OCSPCHECK_SRC} compat/inet_ntop.c)
 endif()
 
-check_function_exists(inet_ntop HAVE_MEMMEM)
+check_function_exists(memmem HAVE_MEMMEM)
 if(HAVE_MEMMEM)
         add_definitions(-DHAVE_MEMMEM)
 else()

apps/openssl/CMakeLists.txt

@@ -88,5 +88,5 @@ else()
 endif()
 if(ENABLE_LIBRESSL_INSTALL)
 	install(FILES cert.pem openssl.cnf x509v3.cnf DESTINATION ${CONF_DIR})
-	install(DIRECTORY DESTINATION ${CONF_DIR}/cert)
+	install(DIRECTORY DESTINATION ${CONF_DIR}/certs)
 endif(ENABLE_LIBRESSL_INSTALL)

check-release.sh

@@ -57,6 +57,7 @@ fi
 echo "differences between release and regenerated release tag:"
 diff -urN \
 	-x *.3 \
+	-x *.5 \
 	-x Makefile.in \
 	-x aclocal.m4 \
 	-x compile \

dist.sh

@@ -1,7 +1,7 @@
 #!/bin/sh
 set -e
 
-rm -f man/*.1 man/*.3 include/openssl/*.h
+rm -f man/*.[35] include/openssl/*.h
 ./autogen.sh
 ./configure
 make -j2 distcheck

include/CMakeLists.txt

@@ -3,5 +3,6 @@ if(ENABLE_LIBRESSL_INSTALL)
 	        DESTINATION ${CMAKE_INSTALL_INCLUDEDIR}
 	        PATTERN "CMakeLists.txt" EXCLUDE
 	        PATTERN "compat" EXCLUDE
+	        PATTERN "pqueue.h" EXCLUDE
 	        PATTERN "Makefile*" EXCLUDE)
 endif(ENABLE_LIBRESSL_INSTALL)

m4/check-libc.m4

@@ -2,10 +2,23 @@ AC_DEFUN([CHECK_LIBC_COMPAT], [
 # Check for libc headers
 AC_CHECK_HEADERS([err.h readpassphrase.h])
 # Check for general libc functions
-AC_CHECK_FUNCS([asprintf freezero getpagesize inet_ntop inet_pton memmem])
+AC_CHECK_FUNCS([asprintf freezero inet_ntop inet_pton memmem])
 AC_CHECK_FUNCS([readpassphrase reallocarray recallocarray])
 AC_CHECK_FUNCS([strlcat strlcpy strndup strnlen strsep strtonum])
 AC_CHECK_FUNCS([timegm _mkgmtime])
+AC_CACHE_CHECK([for getpagesize], ac_cv_func_getpagesize, [
+	AC_LINK_IFELSE([AC_LANG_PROGRAM([[
+// Since Android NDK v16 getpagesize is defined as inline inside unistd.h
+#ifdef __ANDROID__
+#	include <unistd.h>
+#endif
+		]], [[
+	getpagesize();
+]])],
+	[ ac_cv_func_getpagesize="yes" ],
+	[ ac_cv_func_getpagesize="no"
+	])
+])
 AM_CONDITIONAL([HAVE_ASPRINTF], [test "x$ac_cv_func_asprintf" = xyes])
 AM_CONDITIONAL([HAVE_FREEZERO], [test "x$ac_cv_func_freezero" = xyes])
 AM_CONDITIONAL([HAVE_GETPAGESIZE], [test "x$ac_cv_func_getpagesize" = xyes])

man/CMakeLists.txt

@@ -5,7 +5,7 @@ if(ENABLE_LIBRESSL_INSTALL)
 	    )
 
 	install(DIRECTORY .
-	    DESTINATION ${CMAKE_INSTALL_MANDIR}/man1
-	    FILES_MATCHING PATTERN "*.1"
+	    DESTINATION ${CMAKE_INSTALL_MANDIR}/man5
+	    FILES_MATCHING PATTERN "*.5"
 	    )
 endif(ENABLE_LIBRESSL_INSTALL)

patches/netcat.c.patch

@@ -134,7 +134,7 @@
  			err(1, "set IPv6 traffic class");
 +#else
 +		else if (af == AF_INET6) {
-+			errno = ENOPROTOOPT
++			errno = ENOPROTOOPT;
 +			err(1, "set IPv6 traffic class not supported");
 +		}
 +#endif

update.sh

@@ -13,6 +13,7 @@ if [ ! -d openbsd ]; then
 	fi
 fi
 (cd openbsd
+ git fetch
  git checkout $openbsd_branch
  git pull --rebase)
 
@@ -338,25 +339,32 @@ done
 # copy manpages
 echo "copying manpages"
 echo EXTRA_DIST = CMakeLists.txt > man/Makefile.am
-echo dist_man_MANS = >> man/Makefile.am
+echo dist_man3_MANS = >> man/Makefile.am
+echo dist_man5_MANS = >> man/Makefile.am
 
 (cd man
 	for i in `ls -1 $libssl_src/man/*.3 | sort`; do
 		NAME=`basename "$i"`
 		$CP $i .
-		echo "dist_man_MANS += $NAME" >> Makefile.am
+		echo "dist_man3_MANS += $NAME" >> Makefile.am
 	done
 
 	for i in `ls -1 $libcrypto_src/man/*.3 | sort`; do
 		NAME=`basename "$i"`
 		$CP $i .
-		echo "dist_man_MANS += $NAME" >> Makefile.am
+		echo "dist_man3_MANS += $NAME" >> Makefile.am
 	done
 
 	for i in `ls -1 $libtls_src/man/*.3 | sort`; do
 		NAME=`basename "$i"`
 		$CP $i .
-		echo "dist_man_MANS += $NAME" >> Makefile.am
+		echo "dist_man3_MANS += $NAME" >> Makefile.am
+	done
+
+	for i in `ls -1 $libcrypto_src/man/*.5 | sort`; do
+		NAME=`basename "$i"`
+		$CP $i .
+		echo "dist_man5_MANS += $NAME" >> Makefile.am
 	done
 )
 add_man_links . man/Makefile.am