Updated to v3.4.2 (#7)

Author: Andrew

CMakeLists.txt

@@ -113,19 +113,21 @@ if (CMAKE_COMPILER_IS_GNUCC OR CMAKE_C_COMPILER_ID MATCHES "Clang")
 endif()
 
 if(WIN32)
-	add_definitions(-Drestrict)
 	add_definitions(-D_CRT_SECURE_NO_WARNINGS)
 	add_definitions(-D_CRT_DEPRECATED_NO_WARNINGS)
 	add_definitions(-D_REENTRANT -D_POSIX_THREAD_SAFE_FUNCTIONS)
-	add_definitions(-DWIN32_LEAN_AND_MEAN -D_WIN32_WINNT=0x0600)
 	add_definitions(-DCPPFLAGS -DNO_SYSLOG -DNO_CRYPT)
+	add_definitions(-DWIN32_LEAN_AND_MEAN)
+	if(NOT CMAKE_SYSTEM_NAME MATCHES "WindowsStore")
+		add_definitions(-D_WIN32_WINNT=0x0600)
+	endif()
 	set(PLATFORM_LIBS ${PLATFORM_LIBS} ws2_32 bcrypt)
 endif()
 
 if(MSVC)
 	add_definitions(-Dinline=__inline)
 	message(STATUS "Using [${CMAKE_C_COMPILER_ID}] compiler")
-	if(CMAKE_C_COMPILER_ID MATCHES "MSVC")
+	if(CMAKE_C_COMPILER_ID MATCHES "MSVC" OR CMAKE_C_COMPILER_ID MATCHES "Clang")
 		set(MSVC_DISABLED_WARNINGS_LIST
 			"C4018" # 'expression' : signed/unsigned mismatch
 			"C4057" # 'operator' : 'identifier1' indirection to
@@ -332,7 +334,8 @@ if(SIZEOF_TIME_T STREQUAL "4")
 endif()
 add_definitions(-DSIZEOF_TIME_T=${SIZEOF_TIME_T})
 
-set(OPENSSL_LIBS tls ssl crypto ${PLATFORM_LIBS})
+set(OPENSSL_LIBS ssl crypto ${PLATFORM_LIBS})
+set(LIBTLS_LIBS tls ${PLATFORM_LIBS})
 
 add_subdirectory(crypto)
 add_subdirectory(ssl)

ChangeLog

@@ -28,6 +28,68 @@ history is also available from Git.
 
 LibreSSL Portable Release Notes:
 
+3.4.2 - Security fix
+
+	* In some situations the X.509 verifier would discard an error on an
+	  unverified certificate chain, resulting in an authentication bypass.
+	  Thanks to Ilya Shipitsin and Timo Steinlein for reporting.
+
+3.4.1 - Stable release
+
+	* New Features
+	  - Added support for OpenSSL 1.1.1 TLSv1.3 APIs.
+	  - Enabled the new X.509 validator to allow verification of
+	    modern certificate chains.
+	* Portable Improvements
+	  - Ported continuous integration and test infrastructure to Github
+	    actions.
+	  - Added Universal Windows Platform (UWP) build support.
+	  - Fixed mingw-w64 builds on newer versions with missing SSP support.
+	  - Added non-executable stack annotations for CMake builds.
+	* API and Documentation Enhancements
+	  - Added the following APIs from OpenSSL
+	    BN_bn2binpad BN_bn2lebinpad BN_lebin2bn EC_GROUP_get_curve
+	    EC_GROUP_order_bits EC_GROUP_set_curve
+	    EC_POINT_get_affine_coordinates
+	    EC_POINT_set_affine_coordinates
+	    EC_POINT_set_compressed_coordinates EVP_DigestSign
+	    EVP_DigestVerify SSL_CIPHER_find SSL_CTX_get0_privatekey
+	    SSL_CTX_get_max_early_data SSL_CTX_get_ssl_method
+	    SSL_CTX_set_ciphersuites SSL_CTX_set_max_early_data
+	    SSL_CTX_set_post_handshake_auth SSL_SESSION_get0_cipher
+	    SSL_SESSION_get_max_early_data SSL_SESSION_is_resumable
+	    SSL_SESSION_set_max_early_data SSL_get_early_data_status
+	    SSL_get_max_early_data SSL_read_early_data SSL_set0_rbio
+	    SSL_set_ciphersuites SSL_set_max_early_data
+	    SSL_set_post_handshake_auth
+	    SSL_set_psk_use_session_callback
+	    SSL_verify_client_post_handshake SSL_write_early_data
+	  - Added AES-GCM constants from RFC 7714 for SRTP.
+	* Compatibility Changes
+	  - Implement flushing for TLSv1.3 handshakes behavior, needed for Apache.
+	  - Call the info callback on connect/accept exit in TLSv1.3,
+	    needed for p5-Net-SSLeay.
+	  - Default to using named curve parameter encoding from
+	    pre-OpenSSL 1.1.0, adding OPENSSL_EC_EXPLICIT_CURVE.
+	  - Do not ignore SSL_TLSEXT_ERR_FATAL from the ALPN callback.
+	* Testing and Proactive Security
+	  - Added additional state machine test coverage.
+	  - Improved integration test support with ruby/openssl tests.
+	  - Error codes and callback support in new X.509 validator made
+	    compatible with p5-Net_SSLeay tests.
+	* Internal Improvements
+	  - Numerous fixes and improvements to the new X.509 validator to
+	    ensure compatible error codes and callback support compatible
+	    with the legacy OpenSSL validator.
+
+3.4.0 - Development release
+
+	* Add support for OpenSSL 1.1.1 TLSv1.3 APIs.
+
+	* Enable new x509 validator.
+
+	* More details to come, testing is appreciated.
+
 3.3.5 - Security fix
 
 	* A stack overread could occur when checking X.509 name constraints.

README.md

@@ -1,7 +1,11 @@
 ![LibreSSL image](https://www.libressl.org/images/libressl.jpg)
 ## Official portable version of [LibreSSL](https://www.libressl.org) ##
 
-[![Build Status](https://travis-ci.org/libressl-portable/portable.svg?branch=master)](https://travis-ci.org/libressl-portable/portable) [![Fuzzing Status](https://oss-fuzz-build-logs.storage.googleapis.com/badges/libressl.svg)](https://bugs.chromium.org/p/oss-fuzz/issues/list?sort=-opened&can=1&q=proj:libressl)
+[![Linux Build Status](https://github.com/libressl-portable/portable/actions/workflows/linux_test.yml/badge.svg)](https://github.com/libressl-portable/portable/actions/workflows/linux_test.yml)
+[![macOS Build Status](https://github.com/libressl-portable/portable/actions/workflows/macos_test.yml/badge.svg)](https://github.com/libressl-portable/portable/actions/workflows/macos_test.yml)
+[![Android_Build Status](https://github.com/libressl-portable/portable/actions/workflows/android_test.yml/badge.svg)](https://github.com/libressl-portable/portable/actions/workflows/android_test.yml)
+[![Cross_Build Status](https://github.com/libressl-portable/portable/actions/workflows/cross_test.yml/badge.svg)](https://github.com/libressl-portable/portable/actions/workflows/cross_test.yml)
+[![Fuzzing Status](https://oss-fuzz-build-logs.storage.googleapis.com/badges/libressl.svg)](https://bugs.chromium.org/p/oss-fuzz/issues/list?sort=-opened&can=1&q=proj:libressl)
 
 LibreSSL is a fork of [OpenSSL](https://www.openssl.org) 1.0.1g developed by the
 [OpenBSD](https://www.openbsd.org) project.  Our goal is to modernize the codebase,

VERSION

@@ -1,2 +1,2 @@
-3.3.5.0
+3.4.2.0
 

apps/nc/CMakeLists.txt

@@ -30,7 +30,8 @@ else()
 endif()
 
 check_function_exists(strtonum HAVE_STRTONUM)
-if(HAVE_STRTONUM)
+if(HAVE_STRTONUM AND CMAKE_SYSTEM_NAME MATCHES "Darwin" AND
+    CMAKE_HOST_SYSTEM_VERSION VERSION_GREATER_EQUAL 20)
 	add_definitions(-DHAVE_STRTONUM)
 else()
 	set(NC_SRC ${NC_SRC} compat/strtonum.c)
@@ -44,7 +45,7 @@ endif()
 
 add_executable(nc ${NC_SRC})
 target_include_directories(nc PRIVATE . ./compat ../../include/compat)
-target_link_libraries(nc tls ${OPENSSL_LIBS})
+target_link_libraries(nc ${LIBTLS_LIBS})
 
 if(ENABLE_NC)
 	if(ENABLE_LIBRESSL_INSTALL)

apps/nc/netcat.c

@@ -1,4 +1,4 @@
-/* $OpenBSD: netcat.c,v 1.217 2020/02/12 14:46:36 schwarze Exp $ */
+/* $OpenBSD: netcat.c,v 1.218 2021/07/12 15:09:20 beck Exp $ */
 /*
  * Copyright (c) 2001 Eric Jackson <[email protected]>
  * Copyright (c) 2015 Bob Beck.  All rights reserved.
@@ -374,13 +374,13 @@ main(int argc, char *argv[])
 
 	if (usetls) {
 		if (Cflag && unveil(Cflag, "r") == -1)
-			err(1, "unveil");
+			err(1, "unveil %s", Cflag);
 		if (unveil(Rflag, "r") == -1)
-			err(1, "unveil");
+			err(1, "unveil %s", Rflag);
 		if (Kflag && unveil(Kflag, "r") == -1)
-			err(1, "unveil");
+			err(1, "unveil %s", Kflag);
 		if (oflag && unveil(oflag, "r") == -1)
-			err(1, "unveil");
+			err(1, "unveil %s", oflag);
 	} else if (family == AF_UNIX && uflag && lflag && !kflag) {
 		/*
 		 * After recvfrom(2) from client, the server connects
@@ -390,20 +390,20 @@ main(int argc, char *argv[])
 	} else {
 		if (family == AF_UNIX) {
 			if (unveil(host, "rwc") == -1)
-				err(1, "unveil");
+				err(1, "unveil %s", host);
 			if (uflag && !kflag) {
 				if (sflag) {
 					if (unveil(sflag, "rwc") == -1)
-						err(1, "unveil");
+						err(1, "unveil %s", sflag);
 				} else {
 					if (unveil("/tmp", "rwc") == -1)
-						err(1, "unveil");
+						err(1, "unveil /tmp");
 				}
 			}
 		} else {
 			/* no filesystem visibility */
 			if (unveil("/", "") == -1)
-				err(1, "unveil");
+				err(1, "unveil /");
 		}
 	}
 

apps/ocspcheck/CMakeLists.txt

@@ -14,7 +14,8 @@ else()
 endif()
 
 check_function_exists(strtonum HAVE_STRTONUM)
-if(HAVE_STRTONUM)
+if(HAVE_STRTONUM AND CMAKE_SYSTEM_NAME MATCHES "Darwin" AND
+    CMAKE_HOST_SYSTEM_VERSION VERSION_GREATER_EQUAL 20)
 	add_definitions(-DHAVE_STRTONUM)
 else()
 	set(OCSPCHECK_SRC ${OCSPCHECK_SRC} compat/strtonum.c)

apps/ocspcheck/http.c

@@ -1,4 +1,4 @@
-/*	$Id: http.c,v 1.13 2020/01/11 17:37:19 sthen Exp $ */
+/*	$Id: http.c,v 1.15 2021/09/14 16:37:20 tb Exp $ */
 /*
  * Copyright (c) 2016 Kristaps Dzonsons <[email protected]>
  *
@@ -119,16 +119,11 @@ dotlswrite(const void *buf, size_t sz, const struct http *http)
 }
 
 int
-http_init()
+http_init(void)
 {
 	if (tlscfg != NULL)
 		return 0;
 
-	if (tls_init() == -1) {
-		warn("tls_init");
-		goto err;
-	}
-
 	tlscfg = tls_config_new();
 	if (tlscfg == NULL) {
 		warn("tls_config_new");

apps/ocspcheck/ocspcheck.c

@@ -1,4 +1,4 @@
-/* $OpenBSD: ocspcheck.c,v 1.29 2021/02/09 16:55:51 claudio Exp $ */
+/* $OpenBSD: ocspcheck.c,v 1.30 2021/07/12 15:09:21 beck Exp $ */
 
 /*
  * Copyright (c) 2017,2020 Bob Beck <[email protected]>
@@ -617,14 +617,14 @@ main(int argc, char **argv)
 
 	if (cafile != NULL) {
 		if (unveil(cafile, "r") == -1)
-			err(1, "unveil");
+			err(1, "unveil %s", cafile);
 	}
 	if (cadir != NULL) {
 		if (unveil(cadir, "r") == -1)
-			err(1, "unveil");
+			err(1, "unveil %s", cadir);
 	}
 	if (unveil(certfile, "r") == -1)
-		err(1, "unveil");
+		err(1, "unveil %s", certfile);
 
 	if (pledge("stdio inet rpath dns", NULL) == -1)
 		err(1, "pledge");

apps/openssl/CMakeLists.txt

@@ -62,7 +62,8 @@ if(WIN32)
 endif()
 
 check_function_exists(strtonum HAVE_STRTONUM)
-if(HAVE_STRTONUM)
+if(HAVE_STRTONUM AND CMAKE_SYSTEM_NAME MATCHES "Darwin" AND
+    CMAKE_HOST_SYSTEM_VERSION VERSION_GREATER_EQUAL 20)
 	add_definitions(-DHAVE_STRTONUM)
 else()
 	set(OPENSSL_SRC ${OPENSSL_SRC} compat/strtonum.c)