update to version 3.9.2 (#31)

Author: tgauth

CMakeLists.txt

@@ -62,8 +62,13 @@ if(NOT CMAKE_BUILD_TYPE AND NOT CMAKE_CONFIGURATION_TYPES)
 	  STRINGS "Debug" "Release" "MinSizeRel" "RelWithDebInfo")
 endif()
 
-# Enable asserts regardless of build type
-add_definitions(-UNDEBUG)
+# Do not disable assertions based on CMAKE_BUILD_TYPE
+foreach(_build_type "Release" "MinSizeRel" "RelWithDebInfo")
+	foreach(_lang C CXX)
+		string(TOUPPER "CMAKE_${_lang}_FLAGS_${_build_type}" _var)
+		string(REGEX REPLACE "(^| )[/-]D *NDEBUG($| )" " " ${_var} "${${_var}}")
+	endforeach()
+endforeach()
 
 set(BUILD_NC true)
 
@@ -84,16 +89,16 @@ if(CMAKE_SYSTEM_NAME MATCHES "Linux")
 	set(PLATFORM_LIBS ${PLATFORM_LIBS} pthread)
 endif()
 
-if(WIN32 OR (CMAKE_SYSTEM_NAME MATCHES "MINGW"))
+if(WIN32)
 	set(BUILD_NC false)
-	add_definitions(-D_GNU_SOURCE)
-	add_definitions(-D_POSIX)
-	add_definitions(-D_POSIX_SOURCE)
-	add_definitions(-D__USE_MINGW_ANSI_STDIO)
+	if(MINGW)
+		add_definitions(-D_GNU_SOURCE)
+		add_definitions(-D_POSIX)
+		add_definitions(-D_POSIX_SOURCE)
+		add_definitions(-D__USE_MINGW_ANSI_STDIO)
+	endif()
 endif()
 
-set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -Wall")
-
 if(CMAKE_SYSTEM_NAME MATCHES "HP-UX")
 	if(CMAKE_C_COMPILER MATCHES "gcc")
 		set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -std=gnu99 -fno-strict-aliasing")
@@ -129,7 +134,7 @@ if(WIN32)
 	add_definitions(-D_CRT_SECURE_NO_WARNINGS)
 	add_definitions(-D_CRT_DEPRECATED_NO_WARNINGS)
 	add_definitions(-D_REENTRANT -D_POSIX_THREAD_SAFE_FUNCTIONS)
-	add_definitions(-DCPPFLAGS -DNO_SYSLOG -DNO_CRYPT)
+	add_definitions(-DNO_SYSLOG)
 	add_definitions(-DWIN32_LEAN_AND_MEAN)
 	if(NOT CMAKE_SYSTEM_NAME MATCHES "WindowsStore")
 		add_definitions(-D_WIN32_WINNT=0x0600)
@@ -140,6 +145,15 @@ endif()
 if(MSVC)
 	add_definitions(-Dinline=__inline)
 	message(STATUS "Using [${CMAKE_C_COMPILER_ID}] compiler")
+
+	include(TestBigEndian)
+	TEST_BIG_ENDIAN(HAVE_BIG_ENDIAN)
+	if(HAVE_BIG_ENDIAN)
+		add_definitions(-DHAVE_BIG_ENDIAN)
+	else()
+		add_definitions(-DHAVE_LITTLE_ENDIAN)
+	endif()
+
 	if(CMAKE_C_COMPILER_ID MATCHES "MSVC" OR CMAKE_C_COMPILER_ID MATCHES "Clang")
 		set(MSVC_DISABLED_WARNINGS_LIST
 			"C4018" # 'expression' : signed/unsigned mismatch
@@ -182,6 +196,8 @@ if(MSVC)
 		${MSVC_DISABLED_WARNINGS_LIST})
 	string(REGEX REPLACE "[/-]W[1234][ ]?" "" CMAKE_C_FLAGS ${CMAKE_C_FLAGS})
 	set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -MP -W4 ${MSVC_DISABLED_WARNINGS_STR}")
+else()
+	set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -Wall")
 endif()
 
 check_function_exists(asprintf HAVE_ASPRINTF)
@@ -234,6 +250,11 @@ if(HAVE_STRSEP)
 	add_definitions(-DHAVE_STRSEP)
 endif()
 
+check_function_exists(strtonum HAVE_STRTONUM)
+if(HAVE_STRTONUM)
+	add_definitions(-DHAVE_STRTONUM)
+endif()
+
 check_function_exists(timegm HAVE_TIMEGM)
 if(HAVE_TIMEGM)
 	add_definitions(-DHAVE_TIMEGM)
@@ -295,8 +316,8 @@ if(HAVE_TIMINGSAFE_BCMP)
 endif()
 
 check_function_exists(timingsafe_memcmp HAVE_TIMINGSAFE_MEMCMP)
-if(HAVE_MEMCMP)
-	add_definitions(-DHAVE_MEMCMP)
+if(HAVE_TIMINGSAFE_MEMCMP)
+	add_definitions(-DHAVE_TIMINGSAFE_MEMCMP)
 endif()
 
 check_function_exists(memmem HAVE_MEMMEM)
@@ -333,49 +354,53 @@ if(APPLE AND (NOT CMAKE_OSX_ARCHITECTURES STREQUAL ""))
 	set(CMAKE_SYSTEM_PROCESSOR "${CMAKE_OSX_ARCHITECTURES}")
 endif()
 
-if("${CMAKE_SYSTEM_PROCESSOR}" MATCHES "(aarch64|arm64|ARM64)")
+if(CMAKE_SYSTEM_PROCESSOR MATCHES "(aarch64|arm64|ARM64)")
 	set(HOST_AARCH64 true)
-elseif("${CMAKE_SYSTEM_PROCESSOR}" MATCHES "arm")
+	if(WIN32)
+		set(ENABLE_ASM false)
+	endif()
+elseif(CMAKE_SYSTEM_PROCESSOR MATCHES "arm")
 	set(HOST_ARM true)
-elseif("${CMAKE_SYSTEM_NAME}" STREQUAL "SunOS" AND "${CMAKE_SYSTEM_PROCESSOR}" STREQUAL "i386")
+elseif(CMAKE_SYSTEM_NAME STREQUAL "SunOS" AND CMAKE_SYSTEM_PROCESSOR MATCHES "i386")
 	set(HOST_X86_64 true)
-elseif("${CMAKE_SYSTEM_PROCESSOR}" MATCHES "(x86_64|amd64|AMD64)")
+elseif(CMAKE_SYSTEM_PROCESSOR MATCHES "(x86_64|amd64|AMD64)")
 	set(HOST_X86_64 true)
-elseif("${CMAKE_SYSTEM_PROCESSOR}" MATCHES "(i[3-6]86|[xX]86)")
+elseif(CMAKE_SYSTEM_PROCESSOR MATCHES "(i[3-6]86|[xX]86)")
 	set(ENABLE_ASM false)
 	set(HOST_I386 true)
-elseif("${CMAKE_SYSTEM_PROCESSOR}" MATCHES "mips64")
+elseif(CMAKE_SYSTEM_PROCESSOR MATCHES "mips64")
 	set(HOST_MIPS64 true)
-elseif("${CMAKE_SYSTEM_PROCESSOR}" MATCHES "mips")
+elseif(CMAKE_SYSTEM_PROCESSOR MATCHES "mips")
 	set(HOST_MIPS true)
-elseif("${CMAKE_SYSTEM_PROCESSOR}" MATCHES "powerpc")
+elseif(CMAKE_SYSTEM_PROCESSOR MATCHES "powerpc")
 	set(HOST_POWERPC true)
-elseif("${CMAKE_SYSTEM_PROCESSOR}" MATCHES "ppc64")
+elseif(CMAKE_SYSTEM_PROCESSOR MATCHES "ppc64")
 	set(HOST_PPC64 true)
-elseif("${CMAKE_SYSTEM_PROCESSOR}" MATCHES "riscv64")
+elseif(CMAKE_SYSTEM_PROCESSOR MATCHES "riscv64")
 	set(HOST_RISCV64 true)
-elseif("${CMAKE_SYSTEM_PROCESSOR}" MATCHES "sparc64")
+elseif(CMAKE_SYSTEM_PROCESSOR MATCHES "sparc64")
 	set(HOST_SPARC64 true)
 else()
 	set(ENABLE_ASM false)
 endif()
 
 if(ENABLE_ASM)
-	if("${CMAKE_C_COMPILER_ABI}" STREQUAL "ELF")
-		if("${CMAKE_SYSTEM_PROCESSOR}" MATCHES "(x86_64|amd64)")
+	if(CMAKE_C_COMPILER_ABI STREQUAL "ELF")
+		if(CMAKE_SYSTEM_PROCESSOR MATCHES "(x86_64|amd64)")
 			set(HOST_ASM_ELF_X86_64 true)
-		elseif("${CMAKE_SYSTEM_PROCESSOR}" MATCHES "arm")
+		elseif(CMAKE_SYSTEM_PROCESSOR MATCHES "arm" AND
+		       NOT CMAKE_SYSTEM_PROCESSOR MATCHES "arm64")
 			set(HOST_ASM_ELF_ARMV4 true)
-		elseif(CMAKE_SYSTEM_NAME STREQUAL "SunOS" AND "${CMAKE_SYSTEM_PROCESSOR}" STREQUAL "i386")
+		elseif(CMAKE_SYSTEM_NAME STREQUAL "SunOS" AND CMAKE_SYSTEM_PROCESSOR MATCHES "i386")
 			set(HOST_ASM_ELF_X86_64 true)
 		endif()
 		add_definitions(-DHAVE_GNU_STACK)
-	elseif(APPLE AND "${CMAKE_SYSTEM_PROCESSOR}" STREQUAL "x86_64")
+	elseif(APPLE AND CMAKE_SYSTEM_PROCESSOR MATCHES "x86_64")
 		set(HOST_ASM_MACOSX_X86_64 true)
-	elseif(MSVC AND ("${CMAKE_GENERATOR}" MATCHES "Win64" OR "${CMAKE_GENERATOR_PLATFORM}" STREQUAL "x64"))
+	elseif(MSVC AND (CMAKE_GENERATOR MATCHES "Win64" OR CMAKE_GENERATOR_PLATFORM STREQUAL "x64"))
 		set(HOST_ASM_MASM_X86_64 true)
 		ENABLE_LANGUAGE(ASM_MASM)
-	elseif(MINGW AND "${CMAKE_SYSTEM_PROCESSOR}" STREQUAL "x86_64")
+	elseif(MINGW AND CMAKE_SYSTEM_PROCESSOR MATCHES "x86_64")
 		set(HOST_ASM_MINGW64_X86_64 true)
 	endif()
 endif()
@@ -407,11 +432,23 @@ set(LIBTLS_LIBS tls ${PLATFORM_LIBS})
 
 # libraries for regression test
 if(BUILD_SHARED_LIBS)
-	set(OPENSSL_TEST_LIBS ssl-static crypto-static ${PLATFORM_LIBS})
-	set(LIBTLS_TEST_LIBS tls-static ${PLATFORM_LIBS})
+	set(OPENSSL_TEST_LIBS ssl-static crypto-static ${PLATFORM_LIBS} compat_obj)
+	set(LIBTLS_TEST_LIBS tls-static ${OPENSSL_TEST_LIBS} tls_compat_obj)
 else()
-	set(OPENSSL_TEST_LIBS ssl crypto ${PLATFORM_LIBS})
-	set(LIBTLS_TEST_LIBS tls ${PLATFORM_LIBS})
+	set(OPENSSL_TEST_LIBS ssl crypto ${PLATFORM_LIBS} compat_obj)
+	set(LIBTLS_TEST_LIBS tls ${PLATFORM_LIBS} compat_obj tls_compat_obj)
+endif()
+
+if(OPENSSLDIR STREQUAL "")
+	if(WIN32)
+		set(OPENSSLDIR "C:/Windows/libressl/ssl")
+	else()
+		set(OPENSSLDIR "${CMAKE_INSTALL_PREFIX}/etc/ssl")
+	endif()
+
+	set(CONF_DIR "${CMAKE_INSTALL_PREFIX}/etc/ssl")
+else()
+	set(CONF_DIR "${OPENSSLDIR}")
 endif()
 
 add_subdirectory(include)
@@ -495,12 +532,6 @@ if(ENABLE_LIBRESSL_INSTALL)
 	endif()
 endif(ENABLE_LIBRESSL_INSTALL)
 
-if(NOT "${OPENSSLDIR}" STREQUAL "")
-	set(CONF_DIR "${OPENSSLDIR}")
-else()
-	set(CONF_DIR "${CMAKE_INSTALL_PREFIX}/etc/ssl")
-endif()
-
 if(ENABLE_LIBRESSL_INSTALL)
 	install(FILES cert.pem openssl.cnf x509v3.cnf DESTINATION ${CONF_DIR})
 	install(DIRECTORY DESTINATION ${CONF_DIR}/certs)

ChangeLog

@@ -28,14 +28,101 @@ history is also available from Git.
 
 LibreSSL Portable Release Notes:
 
+3.9.2 - Stable release
+
+	* Bugfixes
+	  - OpenBSD 7.5 errata 003. A missing bounds check could lead to a crash
+	    due to dereferencing a zero-sized allocation.
+
+3.9.1 - Stable release
+
+	* Portable changes
+	  - Updated tests with expiring certificates
+	  - CET-related build fixes for Windows and macOS targets
+	  - update libtls linker script to include libssl and libcrypto again
+
 3.9.0 - In development
 
 	* Portable changes
+	  - libcrypto no longer exports compat symbols in cmake builds.
+	  - Most compatibility symbols are prefixed with libressl_ to avoid
+	    symbol clashes in static links.
+	  - Fixed various warnings on Windows.
+	  - Removed assert pop-ups with Windows debug builds.
+	  - Fixed crashes and hangs in Windows ARM64 builds.
+	  - Improved control-flow enforcement (CET) support.
 	* Internal improvements
+	  - Converted uses of OBJ_bsearch_() to standard bsearch().
+	  - Greatly simplified by_file_ctrl().
+	  - Simplified and cleaned up the OBJ_ API.
+	  - Cleaned up the EVP_Cipher{Init,Update,Final}() implementations.
+	  - Removed unused function pointers from X.509 stores and contexts.
+	  - A lot of cleanup and reorganization in EVP.
+	  - Removed all remaining ENGINE tentacles.
+	  - Simplified internals of X509_TRUST handling.
+	  - Made deletion from a lhash doall callback safe.
+	  - Rewrote BIO_dump*(3) internals to be less bad.
 	* Documentation improvements
+	  - ENGINE documentation was updated to reflect reality.
+	  - Made EVP API documentation more accurate and less incoherent. 
+	  - Call out some shortcomings of the EC_KEY_set_* API explicitly.
 	* Testing and proactive security
+	  - Bug fixes and simplifications in the Wycheproof tests.
+	* Compatibility changes
+	  - Added ChaCha20 and chacha20 aliases for ChaCha.
+	  - SSL_library_init() now has the same effect as OPENSSL_init_ssl().
+	  - EVP_add_{cipher,digest}() were removed. From the OBJ_NAME API,
+	    only OBJ_NAME_do_all*() remain. In particular, it is no longer
+	    possible to add aliases for ciphers and digests.
+	  - The thread unsafe global tables are no longer supported. It is no
+	    longer possible to add aliases for ciphers and digests, custom ASN.1
+	    strings table entries, ASN.1 methods, PKEY methods, digest methods,
+	    CRL methods, purpose and trust identifiers, or X.509 extensions.
+	  - Removed the _cb() and _fp() versions of BIO_dump{,_indent}().
+	  - BIO_set() was removed.
+	  - BIO_{sn,v,vsn}printf() were removed.
+	  - Turn the long dysfunctional openssl(1) s_client -pause into a noop.
+	  - openssl(1) x509 now supports -new -force_pubkey, -multivalue-rdn,
+	    -set_issuer, -set_subject, and -utf8.
+	  - Support ECDSA with SHA-3 signature algorithms.
+	  - Support HMAC with truncated SHA-2 and SHA-3 as PBE PRF.
+	  - GOST and STREEBOG support was removed.
+	  - CRYPTO_THREADID, _LHASH, _STACK, X509_PURPOSE are now opaque,
+	    X509_CERT_AUX and X509_TRUST were removed from the public API.
+	  - ASN1_STRING_TABLE_get() and X509_PURPOSE_get0*() now return const
+	    pointers.
+	  - EVP_{CIPHER,MD}_CTX_init()'s signatures and semantics now match
+	    OpenSSL's behavior.
+	  - sk_find_ex() and OBJ_bsearch_() were removed.
+	  - CRYPTO_malloc() was fixed to use size_t argument.  CRYPTO_malloc()
+	    and CRYPTO_free() now accept file and line arguments.
+	  - A lot of decrepit CRYPTO memory API was removed.
 	* Bug fixes
-	  - Fixed aliasing issues in BN_mod_exp_simple() and BN_mod_exp_recp()
+	  - Fixed aliasing issues in BN_mod_exp_simple() and BN_mod_exp_recp().
+	  - Fixed numerous misuses of X509_ALGOR_set0() resulting in leaks and
+	    potentially incorrect encodings.
+	  - Fixed potential double free in X509v3_asid_add_id_or_range().
+	  - Stopped using ASN1_time_parse() outside of libcrypto.
+	  - Prepared OPENSSL_gmtime() and OPENSSL_timegm() as public API
+	    wrappers of internal functions compatible with BoringSSL API.
+	  - Removed print_bin() to avoid overwriting the stack with 5 bytes
+	    of ' ' when ECPK parameters are printed with large indentation.
+	  - Avoid a NULL dereference after memory allocation failure during TLS
+	    version downgrade.
+	  - Fixed various bugs in CMAC internals.
+	  - Fixed 4-byte overreads in GHASH assembly on amd64 and i386.
+	  - Fixed various NULL dereferences in PKCS #12 code due to mishandling
+	    of OPTIONAL content in PKCS #7 ContentInfo.
+	  - Aligned SSL_shutdown() behavior in TLSv1.3 with the legacy stack.
+	  - Fixed the new X.509 verifier to find trust anchors in the trusted
+	    stack.
+
+3.8.3 - Stable release
+
+	* Portable changes
+	  - Removed assert pop-ups with Windows debug builds.
+	  - Fixed crashes and hangs in Windows ARM64 builds.
+	  - Improved control-flow enforcement (CET) support.
 
 3.8.2 - Stable release