upgrade to 3.7.2 (#21)

Author: tgauth

CMakeLists.txt

@@ -306,6 +306,33 @@ if(HAVE_NETINET_IP_H)
 	add_definitions(-DHAVE_NETINET_IP_H)
 endif()
 
+if("${CMAKE_SYSTEM_PROCESSOR}" MATCHES "(aarch64|arm64)")
+	set(HOST_AARCH64 true)
+elseif("${CMAKE_SYSTEM_PROCESSOR}" MATCHES "arm")
+	set(HOST_ARM true)
+elseif("${CMAKE_SYSTEM_NAME}" STREQUAL "SunOS" AND "${CMAKE_SYSTEM_PROCESSOR}" STREQUAL "i386")
+	set(HOST_X86_64 true)
+elseif("${CMAKE_SYSTEM_PROCESSOR}" MATCHES "(x86_64|amd64)")
+	set(HOST_X86_64 true)
+elseif("${CMAKE_SYSTEM_NAME}" MATCHES "[i?86|x86]")
+	set(ENABLE_ASM false)
+	set(HOST_I386 true)
+elseif("${CMAKE_SYSTEM_NAME}" MATCHES "mips64")
+	set(HOST_MIPS64 true)
+elseif("${CMAKE_SYSTEM_NAME}" MATCHES "mips")
+	set(HOST_MIPS true)
+elseif("${CMAKE_SYSTEM_NAME}" MATCHES "powerpc")
+	set(HOST_POWERPC true)
+elseif("${CMAKE_SYSTEM_NAME}" MATCHES "ppc64")
+	set(HOST_PPC64 true)
+elseif("${CMAKE_SYSTEM_NAME}" MATCHES "riscv64")
+	set(HOST_RISCV64 true)
+elseif("${CMAKE_SYSTEM_NAME}" MATCHES "sparc64")
+	set(HOST_SPARC64 true)
+else()
+	set(ENABLE_ASM false)
+endif()
+
 if(ENABLE_ASM)
 	if("${CMAKE_C_COMPILER_ABI}" STREQUAL "ELF")
 		if("${CMAKE_SYSTEM_PROCESSOR}" MATCHES "(x86_64|amd64)")
@@ -361,13 +388,13 @@ else()
 	set(LIBTLS_TEST_LIBS tls ${PLATFORM_LIBS})
 endif()
 
+add_subdirectory(include)
 add_subdirectory(crypto)
 add_subdirectory(ssl)
 if(LIBRESSL_APPS)
 	add_subdirectory(apps)
 endif()
 add_subdirectory(tls)
-add_subdirectory(include)
 if(NOT MSVC)
 	add_subdirectory(man)
 endif()

ChangeLog

@@ -19,21 +19,129 @@ with relevant portions of the C library, to a Git repository. This makes it
 easier to follow all of the relevant changes to the upstream project in a
 single place:
 
-	https://github.com/libressl-portable/openbsd
+	https://github.com/libressl/openbsd
 
 The portable bits of the project are largely maintained out-of-tree, and their
 history is also available from Git.
 
-	https://github.com/libressl-portable/portable
+	https://github.com/libressl/portable
 
 LibreSSL Portable Release Notes:
 
-3.6.2 - Stable release
+3.7.2 - Stable release
 
-	* Security fix
+	* Portable changes
+	  - Moved official Github project to https://github.com/libressl/.
+	  - Build support for Apple Silicon.
+	  - Installed opensslconf.h is now architecture-specific.
+	  - Removed internal defines from opensslconf.h.
+	  - Support reproducible builds on tagged commits in main branch.
+
+3.7.1 - Development release
+
+	* Internal improvements
+	  - Initial overhaul of the BIGNUM code:
+	    - Added a new framework that allows architecture-dependent
+	      replacement implementations for bignum primitives.
+	    - Imported various s2n-bignum's constant time assembly primitives
+	      and switched amd64 to them.
+	    - Lots of cleanup, simplification and bug fixes.
+	  - Changed Perl assembly generators to move constants into .rodata,
+	    allowing code to run with execute-only permissions.
+	  - Capped the number of iterations in DSA and ECDSA signing (avoiding
+	    infinite loops), added additional sanity checks to DSA.
+	  - ASN.1 parsing improvements.
+	  - Made UI_destroy_method() NULL safe.
+	  - Various improvements to nc(1).
+	  - Always clear EC groups and points on free.
+	  - Cleanup and improvements in EC code.
+	  - Various openssl(1) improvements.
+	* Bug fixes
+	  - Fixed a memory leak, a double free and various other issues in
+	    BIO_new_NDEF().
+	  - Fixed various crashes in the openssl(1) testing utility.
+	  - Do not check policies by default in the new X.509 verifier.
+	  - Added missing error checking in PKCS7.
+	  - Call CRYPTO_cleanup_all_ex_data() from OPENSSL_cleanup().
+	* New features
+	  - Added UI_null()
+	  - Added X509_STORE_*check_issued()
+	  - Added X509_CRL_get0_tbs_sigalg() and X509_get0_uids() accessors.
+	  - Added EVP_CIPHER_meth_*() setter API.
+	* Documentation improvements
+	  - Marked BIO_s_log(3) BIO_nread0(3), BIO_nread(3), BIO_nwrite0(3), BIO_nwrite(3),
+	    BIO_dump_cb(3) and BIO_dump_indent_cb(3) as intentionally undocumented.
+	  - Document BIO_number_read(3), BIO_number_written(3),
+		BIO_set_retry_read(3), BIO_set_retry_write(3),
+		BIO_set_retry_special(3), BIO_clear_retry_flags(3),
+		BIO_get_retry_flags(3), BIO_dup_chain(3), BIO_set_flags(3),
+		BIO_clear_flags(3), BIO_test_flags(3), BIO_get_flags(3).
+		BIO_callback_fn_ex(3), BIO_set_callback_ex(3), BIO_get_callback_ex(3),
+		BIO_callback_fn(3), and the BIO_FLAGS_* constants
+	  - Correct the prototypes of BIO_get_conn_ip(3) and BIO_get_conn_int_port(3).
+	  - Document ED25519_keypair(3), ED25519_sign(3), and ED25519_verify(3).
+	  - Document EVP_PKEY_new_raw_private_key(3),
+		EVP_PKEY_new_raw_public_key(3), EVP_PKEY_get_raw_private_key(3), and
+		EVP_PKEY_get_raw_public_key(3).
+	  - Document ASN1_buf_print(3).
+	  - Document DH_get0_*, DSA_get0_*, ECDSA_SIG_get0_{r,s}() and RSA_get0_*.
+	  - Merged documentation of UI_null() from OpenSSL 1.1
+	  - Various spelling and other documentation improvements.
+	* Testing and Proactive Security
+	  - As always, new test coverage is added as bugs are fixed and subsystems
+	    are cleaned up.
+	  - New Wycheproof tests added.
+	  - OpenSSL 3.0 Interop tests added.
+	  - Many old tests rewritten, cleaned up and extended.
+	* Security fixes
 	  - A malicious certificate revocation list or timestamp response token
 	    would allow an attacker to read arbitrary memory.
 
+3.7.0 - Development release
+
+	* Internal improvements
+	  - Remove dependency on system timegm() and gmtime() by replacing
+	    traditional Julian date conversion with POSIX epoch-seconds date
+	    conversion from BoringSSL.
+	  - Clean old and unused BN code dealing with primes.
+	  - Start rewriting name constraints code using CBS.
+	  - Remove support for the HMAC PRIVATE KEY.
+	  - Rework DSA signing and verifying internals.
+	  - First few passes on cleaning up the BN code.
+	  - Internal headers coming from OpenSSL are all called *_local.h now.
+	  - Rewrite TLSv1.2 key exporter.
+	  - Cleaned up and refactored various aspects of the legacy TLS stack.
+	* Compatibility changes
+	  - BIO_read() and BIO_write() now behave more closely to OpenSSL 3 in
+	    various corner cases. More work is needed here.
+	* Bug fixes
+	  - Add EVP_chacha20_poly1305() to the list of all ciphers.
+	  - Fix potential leaks of EVP_PKEY in various printing functions
+	  - Fix potential leak in OBJ_NAME_add().
+	  - Avoid signed overflow in i2c_ASN1_BIT_STRING().
+	  - Clean up EVP_PKEY_ASN1_METHOD related tables and code.
+	  - Fix long standing bugs BN_GF2m_poly2arr() and BN_GF2m_mod().
+	  - Fix segfaults in BN_{dec,hex}2bn().
+	  - Fix NULL dereference in x509_constraints_uri_host() reachable only
+	    in the process of generating certificates.
+	  - Fixed a variety of memory corruption issues in BIO chains coming
+	    from poor old and new API: BIO_push(), BIO_pop(), BIO_set_next().
+	  - Avoid potential divide by zero in BIO_dump_indent_cb()
+	* Documentation improvements
+	  - Numerous improvements and additions for ASN.1, BIO, BN, and X.509.
+	  - The BN documentation is now considered to be complete.
+	* Testing and Proactive Security
+	  - As always, new test coverage is added as bugs are fixed and
+	    subsystems are cleaned up.
+	  - Many old tests rewritten, cleaned up and extended.
+	* New features
+	  - Added Ed25519 support both as a primitive and via OpenSSL's EVP
+	    interfaces.
+	  - X25519 is now also supported via EVP.
+	  - The OpenSSL 1.1 raw public and private key API is available with
+	    support for EVP_PKEY_ED25519, EVP_PKEY_HMAC and EVP_PKEY_X25519.
+	    Poly1305 is not currently supported via this interface.
+
 3.6.1 - Stable release
 
 	* Bug fixes
@@ -2563,7 +2671,7 @@ LibreSSL Portable Release Notes:
 	* Address POODLE attack by disabling SSLv3 by default
 
 	* Fix Eliptical Curve cipher selection bug
-	  (https://github.com/libressl-portable/portable/issues/35)
+	  (https://github.com/libressl/portable/issues/35)
 
 2.1.0 - First release from the OpenBSD 5.7 tree
 	* Added support for automatic ephemeral EC keys

Makefile.am

@@ -1,4 +1,4 @@
-SUBDIRS = crypto ssl tls include apps man
+SUBDIRS = include crypto ssl tls apps man
 if ENABLE_TESTS
 SUBDIRS += tests
 endif

Makefile.am.common

@@ -1,3 +1,5 @@
 AM_CFLAGS =
-AM_CPPFLAGS = -I$(top_srcdir)/include -I$(top_srcdir)/include/compat -DLIBRESSL_INTERNAL
+AM_CPPFLAGS = -I$(top_srcdir)/include
+AM_CPPFLAGS += -I$(abs_top_builddir)/include
+AM_CPPFLAGS += -I$(top_srcdir)/include/compat -DLIBRESSL_INTERNAL
 AM_CPPFLAGS += -D__BEGIN_HIDDEN_DECLS= -D__END_HIDDEN_DECLS=

Makefile.in

@@ -191,7 +191,7 @@ am__define_uniq_tagged_files = \
   unique=`for i in $$list; do \
     if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
   done | $(am__uniquify_input)`
-DIST_SUBDIRS = crypto ssl tls include apps man tests
+DIST_SUBDIRS = include crypto ssl tls apps man tests
 am__DIST_COMMON = $(srcdir)/Makefile.in $(srcdir)/libcrypto.pc.in \
 	$(srcdir)/libssl.pc.in $(srcdir)/libtls.pc.in \
 	$(srcdir)/openssl.pc.in COPYING ChangeLog INSTALL README.md \
@@ -368,7 +368,7 @@ target_alias = @target_alias@
 top_build_prefix = @top_build_prefix@
 top_builddir = @top_builddir@
 top_srcdir = @top_srcdir@
-SUBDIRS = crypto ssl tls include apps man $(am__append_1)
+SUBDIRS = include crypto ssl tls apps man $(am__append_1)
 ACLOCAL_AMFLAGS = -I m4
 pkgconfigdir = $(libdir)/pkgconfig
 pkgconfig_DATA = libtls.pc $(am__append_2)

README.md

@@ -1,12 +1,12 @@
 ![LibreSSL image](https://www.libressl.org/images/libressl.jpg)
 ## Official portable version of [LibreSSL](https://www.libressl.org) ##
 
-[![Linux Build Status](https://github.com/libressl-portable/portable/actions/workflows/linux_test.yml/badge.svg)](https://github.com/libressl-portable/portable/actions/workflows/linux_test.yml)
-[![macOS Build Status](https://github.com/libressl-portable/portable/actions/workflows/macos_test.yml/badge.svg)](https://github.com/libressl-portable/portable/actions/workflows/macos_test.yml)
-[![Android_Build Status](https://github.com/libressl-portable/portable/actions/workflows/android_test.yml/badge.svg)](https://github.com/libressl-portable/portable/actions/workflows/android_test.yml)
-[![Cross_Build Status](https://github.com/libressl-portable/portable/actions/workflows/cross_test.yml/badge.svg)](https://github.com/libressl-portable/portable/actions/workflows/cross_test.yml)
+[![Linux Build Status](https://github.com/libressl/portable/actions/workflows/linux_test.yml/badge.svg)](https://github.com/libressl/portable/actions/workflows/linux_test.yml)
+[![macOS Build Status](https://github.com/libressl/portable/actions/workflows/macos_test.yml/badge.svg)](https://github.com/libressl/portable/actions/workflows/macos_test.yml)
+[![Android_Build Status](https://github.com/libressl/portable/actions/workflows/android_test.yml/badge.svg)](https://github.com/libressl/portable/actions/workflows/android_test.yml)
+[![Cross_Build Status](https://github.com/libressl/portable/actions/workflows/cross_test.yml/badge.svg)](https://github.com/libressl/portable/actions/workflows/cross_test.yml)
 [![Fuzzing Status](https://oss-fuzz-build-logs.storage.googleapis.com/badges/libressl.svg)](https://bugs.chromium.org/p/oss-fuzz/issues/list?sort=-opened&can=1&q=proj:libressl)
-[![ASan Status](https://github.com/libressl-portable/portable/actions/workflows/linux_test_asan.yml/badge.svg)](https://github.com/libressl-portable/portable/actions/workflows/linux_test_asan.yml)
+[![ASan Status](https://github.com/libressl/portable/actions/workflows/linux_test_asan.yml/badge.svg)](https://github.com/libressl/portable/actions/workflows/linux_test_asan.yml)
 
 LibreSSL is a fork of [OpenSSL](https://www.openssl.org) 1.0.1g developed by the
 [OpenBSD](https://www.openbsd.org) project.  Our goal is to modernize the codebase,
@@ -52,11 +52,11 @@ OpenBSD mirror in directory
 although we suggest that you use a [mirror](https://www.openbsd.org/ftp.html).
 
 The LibreSSL portable build framework is also
-[mirrored](https://github.com/libressl-portable/portable) in Github.
+[mirrored](https://github.com/libressl/portable) on GitHub.
 
 Please report bugs either to the public libressl@openbsd.org mailing list,
-or to the github
-[issue tracker](https://github.com/libressl-portable/portable/issues)
+or to the GitHub
+[issue tracker](https://github.com/libressl/portable/issues)
 
 Severe vulnerabilities or bugs requiring coordination with OpenSSL can be
 sent to the core team at libressl-security@openbsd.org.

README.windows

@@ -46,7 +46,7 @@ problem.
 
 A script for generating ready-to-use .DLL and static .LIB files is included in
 the source repository at
-https://github.com/libressl-portable/portable/blob/master/dist-win.sh
+https://github.com/libressl/portable/blob/master/dist-win.sh
 
 This script uses mingw-w64 to build LibreSSL and then uses Visual Studio tools
 to generate compatible library import files ready-to-use with Visual

VERSION

@@ -1,2 +1,2 @@
-3.6.2.0
+3.7.2.0
 

apps/Makefile.in

@@ -313,9 +313,9 @@ top_build_prefix = @top_build_prefix@
 top_builddir = @top_builddir@
 top_srcdir = @top_srcdir@
 AM_CFLAGS = 
-AM_CPPFLAGS = -I$(top_srcdir)/include -I$(top_srcdir)/include/compat \
-	-DLIBRESSL_INTERNAL -D__BEGIN_HIDDEN_DECLS= \
-	-D__END_HIDDEN_DECLS=
+AM_CPPFLAGS = -I$(top_srcdir)/include -I$(abs_top_builddir)/include \
+	-I$(top_srcdir)/include/compat -DLIBRESSL_INTERNAL \
+	-D__BEGIN_HIDDEN_DECLS= -D__END_HIDDEN_DECLS=
 SUBDIRS = ocspcheck openssl nc
 EXTRA_DIST = CMakeLists.txt
 all: all-recursive

apps/nc/Makefile.in

@@ -360,9 +360,9 @@ top_build_prefix = @top_build_prefix@
 top_builddir = @top_builddir@
 top_srcdir = @top_srcdir@
 AM_CFLAGS = 
-AM_CPPFLAGS = -I$(top_srcdir)/include -I$(top_srcdir)/include/compat \
-	-DLIBRESSL_INTERNAL -D__BEGIN_HIDDEN_DECLS= \
-	-D__END_HIDDEN_DECLS= $(am__append_1)
+AM_CPPFLAGS = -I$(top_srcdir)/include -I$(abs_top_builddir)/include \
+	-I$(top_srcdir)/include/compat -DLIBRESSL_INTERNAL \
+	-D__BEGIN_HIDDEN_DECLS= -D__END_HIDDEN_DECLS= $(am__append_1)
 @BUILD_NC_TRUE@@ENABLE_NC_TRUE@dist_man_MANS = nc.1
 @BUILD_NC_TRUE@EXTRA_DIST = nc.1 CMakeLists.txt
 @BUILD_NC_TRUE@nc_LDADD = $(abs_top_builddir)/tls/libtls.la \