diff --git a/pkg/libressl/gen.lua b/pkg/libressl/gen.lua index a2a18535..69ad18ae 100644 --- a/pkg/libressl/gen.lua +++ b/pkg/libressl/gen.lua @@ -574,7 +574,6 @@ lib('libssl.a', [[ssl/( ssl_kex.c ssl_lib.c ssl_methods.c - ssl_packet.c ssl_pkt.c ssl_rsa.c ssl_seclevel.c diff --git a/pkg/libressl/patch/0004-Avoid-implicit-pointer-sign-conversions.patch b/pkg/libressl/patch/0004-Avoid-implicit-pointer-sign-conversions.patch index bb0495ed..d57c5b81 100644 --- a/pkg/libressl/patch/0004-Avoid-implicit-pointer-sign-conversions.patch +++ b/pkg/libressl/patch/0004-Avoid-implicit-pointer-sign-conversions.patch @@ -1,4 +1,4 @@ -From 89e3854e0e38996edb165111a24b1bf498b392dc Mon Sep 17 00:00:00 2001 +From 44bc6dfcdd2581f64fc869c8863dd590ea947033 Mon Sep 17 00:00:00 2001 From: Michael Forney Date: Thu, 2 Apr 2026 23:52:53 -0700 Subject: [PATCH] Avoid implicit pointer sign conversions @@ -35,7 +35,7 @@ All other changes simply make explicit the conversions among pointers to character types already being done. These implicit conversions are constraint violations in ISO C. --- - apps/openssl/ca.c | 6 +++--- + apps/openssl/ca.c | 7 ++++--- apps/openssl/cms.c | 2 +- apps/openssl/s_client.c | 4 ++-- crypto/asn1/a_object.c | 12 ++++++------ @@ -67,44 +67,45 @@ are constraint violations in ISO C. ssl/tls13_lib.c | 3 ++- ssl/tls13_record_layer.c | 2 +- ssl/tls13_server.c | 10 +++++----- - 32 files changed, 95 insertions(+), 85 deletions(-) + 32 files changed, 96 insertions(+), 85 deletions(-) diff --git a/apps/openssl/ca.c b/apps/openssl/ca.c -index b644b74..0d78f63 100644 +index a2e8a6836..5505983ff 100644 --- a/apps/openssl/ca.c +++ b/apps/openssl/ca.c -@@ -2153,7 +2153,7 @@ do_body(X509 **xret, EVP_PKEY *pkey, X509 *x509, const EVP_MD *dgst, +@@ -2197,7 +2197,7 @@ do_body(X509 **xret, EVP_PKEY *pkey, X509 *x509, const EVP_MD *dgst, if ((tm = X509_get_notAfter(ret)) == NULL) goto err; -- row[DB_exp_date] = strndup(tm->data, tm->length); -+ row[DB_exp_date] = strndup((char *)tm->data, tm->length); +- row[DB_exp_date] = strndup(ASN1_STRING_get0_data(tm), ++ row[DB_exp_date] = strndup((char *)ASN1_STRING_get0_data(tm), + ASN1_STRING_length(tm)); if (row[DB_type] == NULL || row[DB_exp_date] == NULL) { BIO_printf(bio_err, "Memory allocation failure\n"); - goto err; -@@ -2280,7 +2280,7 @@ do_revoke(X509 *x509, CA_DB *db, int type, char *value) +@@ -2325,7 +2325,7 @@ do_revoke(X509 *x509, CA_DB *db, int type, char *value) if ((tm = X509_get_notAfter(x509)) == NULL) goto err; -- row[DB_exp_date] = strndup(tm->data, tm->length); -+ row[DB_exp_date] = strndup((char *)tm->data, tm->length); +- row[DB_exp_date] = strndup(ASN1_STRING_get0_data(tm), ++ row[DB_exp_date] = strndup((char *)ASN1_STRING_get0_data(tm), + ASN1_STRING_length(tm)); if (row[DB_type] == NULL || row[DB_exp_date] == NULL) { BIO_printf(bio_err, "Memory allocation failure\n"); - goto err; -@@ -2443,7 +2443,7 @@ do_updatedb(CA_DB *db) +@@ -2489,7 +2489,8 @@ do_updatedb(CA_DB *db) cnt = -1; goto err; } -- a_tm_s = strndup(a_tm->data, a_tm->length); -+ a_tm_s = strndup((char *)a_tm->data, a_tm->length); +- a_tm_s = strndup(ASN1_STRING_get0_data(a_tm), ASN1_STRING_length(a_tm)); ++ a_tm_s = strndup((char *)ASN1_STRING_get0_data(a_tm), ++ ASN1_STRING_length(a_tm)); if (a_tm_s == NULL) { cnt = -1; goto err; diff --git a/apps/openssl/cms.c b/apps/openssl/cms.c -index 458ddb0..26197ea 100644 +index 7430f4c93..a63d6e453 100644 --- a/apps/openssl/cms.c +++ b/apps/openssl/cms.c -@@ -1530,7 +1530,7 @@ cms_main(int argc, char **argv) +@@ -1512,7 +1512,7 @@ cms_main(int argc, char **argv) cfg.secret_keyid = NULL; } if (cfg.pwri_pass != NULL) { @@ -114,10 +115,10 @@ index 458ddb0..26197ea 100644 goto end; if (CMS_add0_recipient_password(cms, -1, NID_undef, diff --git a/apps/openssl/s_client.c b/apps/openssl/s_client.c -index 84718c1..90c203e 100644 +index 2b05facc1..d12423d0f 100644 --- a/apps/openssl/s_client.c +++ b/apps/openssl/s_client.c -@@ -193,7 +193,7 @@ static struct { +@@ -194,7 +194,7 @@ static struct { char *cert_file; int cert_format; char *cipher; @@ -126,7 +127,7 @@ index 84718c1..90c203e 100644 char *connect; int crlf; int debug; -@@ -214,7 +214,7 @@ static struct { +@@ -215,7 +215,7 @@ static struct { int nbio_test; int no_servername; char *npn_in; @@ -136,7 +137,7 @@ index 84718c1..90c203e 100644 int peekaboo; char *port; diff --git a/crypto/asn1/a_object.c b/crypto/asn1/a_object.c -index 333ac60..25e7a2a 100644 +index 333ac6034..25e7a2ae6 100644 --- a/crypto/asn1/a_object.c +++ b/crypto/asn1/a_object.c @@ -182,7 +182,7 @@ oid_add_arc_txt(CBB *cbb, uint64_t arc, int first) @@ -194,7 +195,7 @@ index 333ac60..25e7a2a 100644 err: CBB_cleanup(&cbb); diff --git a/crypto/asn1/a_time.c b/crypto/asn1/a_time.c -index 3deff56..10634c0 100644 +index 3deff56ed..10634c067 100644 --- a/crypto/asn1/a_time.c +++ b/crypto/asn1/a_time.c @@ -99,7 +99,7 @@ ASN1_TIME_to_tm(const ASN1_TIME *s, struct tm *tm) @@ -207,7 +208,7 @@ index 3deff56..10634c0 100644 time(&now); memset(tm, 0, sizeof(*tm)); diff --git a/crypto/asn1/a_time_tm.c b/crypto/asn1/a_time_tm.c -index dd28931..c0e0d62 100644 +index dd2893167..c0e0d6245 100644 --- a/crypto/asn1/a_time_tm.c +++ b/crypto/asn1/a_time_tm.c @@ -96,7 +96,7 @@ tm_to_gentime(struct tm *tm, ASN1_TIME *atime) @@ -298,7 +299,7 @@ index dd28931..c0e0d62 100644 LCRYPTO_ALIAS(ASN1_GENERALIZEDTIME_check); diff --git a/crypto/bio/b_dump.c b/crypto/bio/b_dump.c -index 3f67320..40b09dc 100644 +index 3f673205c..40b09dc23 100644 --- a/crypto/bio/b_dump.c +++ b/crypto/bio/b_dump.c @@ -86,7 +86,7 @@ BIO_dump_indent(BIO *bio, const char *s, int len, int indent) @@ -311,7 +312,7 @@ index 3f67320..40b09dc 100644 if (indent < 0) indent = 0; diff --git a/crypto/bio/bss_mem.c b/crypto/bio/bss_mem.c -index 0fa6317..afcd6b2 100644 +index 0fa6317a2..afcd6b216 100644 --- a/crypto/bio/bss_mem.c +++ b/crypto/bio/bss_mem.c @@ -84,7 +84,7 @@ bio_mem_pending(struct bio_mem *bm) @@ -333,10 +334,10 @@ index 0fa6317..afcd6b2 100644 if (p[i] == '\n') { i++; diff --git a/crypto/bn/bn_convert.c b/crypto/bn/bn_convert.c -index ca5c7d7..60d0c86 100644 +index ab5bc519c..cb006a209 100644 --- a/crypto/bn/bn_convert.c +++ b/crypto/bn/bn_convert.c -@@ -253,7 +253,7 @@ BN_asc2bn(BIGNUM **bnp, const char *s) +@@ -261,7 +261,7 @@ BN_asc2bn(BIGNUM **bnp, const char *s) if ((s_len = strlen(s)) == 0) return 0; @@ -345,7 +346,7 @@ index ca5c7d7..60d0c86 100644 /* Handle negative sign. */ if (!CBS_peek_u8(&cbs, &v)) -@@ -365,7 +365,7 @@ BN_bn2dec(const BIGNUM *bn) +@@ -373,7 +373,7 @@ BN_bn2dec(const BIGNUM *bn) CBB_cleanup(&cbb); freezero(data, data_len); @@ -354,7 +355,7 @@ index ca5c7d7..60d0c86 100644 } LCRYPTO_ALIAS(BN_bn2dec); -@@ -468,7 +468,7 @@ BN_dec2bn(BIGNUM **bnp, const char *s) +@@ -476,7 +476,7 @@ BN_dec2bn(BIGNUM **bnp, const char *s) if ((s_len = strlen(s)) == 0) return 0; @@ -363,7 +364,7 @@ index ca5c7d7..60d0c86 100644 return bn_dec2bn_cbs(bnp, &cbs); } -@@ -669,7 +669,7 @@ BN_hex2bn(BIGNUM **bnp, const char *s) +@@ -677,7 +677,7 @@ BN_hex2bn(BIGNUM **bnp, const char *s) if ((s_len = strlen(s)) == 0) return 0; @@ -373,7 +374,7 @@ index ca5c7d7..60d0c86 100644 return bn_hex2bn_cbs(bnp, &cbs); } diff --git a/crypto/bn/bn_print.c b/crypto/bn/bn_print.c -index cd8b663..6557324 100644 +index cd8b66360..655732413 100644 --- a/crypto/bn/bn_print.c +++ b/crypto/bn/bn_print.c @@ -82,7 +82,7 @@ bn_print_bignum(BIO *bio, const BIGNUM *bn, int indent) @@ -386,7 +387,7 @@ index cd8b663..6557324 100644 if (BN_is_negative(bn)) { if (BIO_printf(bio, " (Negative)") <= 0) diff --git a/crypto/evp/e_sm4.c b/crypto/evp/e_sm4.c -index cde2f6c..9f8b13e 100644 +index cde2f6c64..9f8b13ed1 100644 --- a/crypto/evp/e_sm4.c +++ b/crypto/evp/e_sm4.c @@ -237,9 +237,11 @@ sm4_ctr_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out, const unsigned char *in, @@ -403,7 +404,7 @@ index cde2f6c..9f8b13e 100644 } diff --git a/crypto/ocsp/ocsp_cl.c b/crypto/ocsp/ocsp_cl.c -index 460c1bc..15a70b1 100644 +index 460c1bce5..15a70b1c5 100644 --- a/crypto/ocsp/ocsp_cl.c +++ b/crypto/ocsp/ocsp_cl.c @@ -410,7 +410,7 @@ OCSP_check_validity(ASN1_GENERALIZEDTIME *thisupd, @@ -425,7 +426,7 @@ index 460c1bc..15a70b1 100644 OCSPerror(OCSP_R_ERROR_IN_NEXTUPDATE_FIELD); return 0; diff --git a/crypto/pkcs7/pk7_attr.c b/crypto/pkcs7/pk7_attr.c -index f2e1780..cb6b2e8 100644 +index f2e17806d..cb6b2e84f 100644 --- a/crypto/pkcs7/pk7_attr.c +++ b/crypto/pkcs7/pk7_attr.c @@ -192,7 +192,7 @@ PKCS7_add0_attrib_signing_time(PKCS7_SIGNER_INFO *si, ASN1_TIME *t) @@ -438,7 +439,7 @@ index f2e1780..cb6b2e8 100644 if (!PKCS7_add_signed_attribute(si, NID_pkcs9_signingTime, tm->type, tm)) goto err; diff --git a/crypto/x509/x509_addr.c b/crypto/x509/x509_addr.c -index b4ee92a..615375d 100644 +index b4ee92a14..615375dd6 100644 --- a/crypto/x509/x509_addr.c +++ b/crypto/x509/x509_addr.c @@ -1875,7 +1875,7 @@ addr_validate_path_internal(X509_STORE_CTX *ctx, STACK_OF(X509) *chain, @@ -451,7 +452,7 @@ index b4ee92a..615375d 100644 /* We need a non-empty chain to test against. */ diff --git a/crypto/x509/x509_constraints.c b/crypto/x509/x509_constraints.c -index 0773d2b..673a159 100644 +index c4f32c9cf..597fdde06 100644 --- a/crypto/x509/x509_constraints.c +++ b/crypto/x509/x509_constraints.c @@ -347,7 +347,7 @@ x509_constraints_parse_mailbox(CBS *candidate, @@ -492,7 +493,7 @@ index 0773d2b..673a159 100644 if (!x509_constraints_valid_host(&host_cbs, 1)) return 0; if (hostpart != NULL && !CBS_strdup(&host_cbs, hostpart)) -@@ -648,8 +648,8 @@ x509_constraints_uri(uint8_t *uri, size_t ulen, uint8_t *constraint, +@@ -667,8 +667,8 @@ x509_constraints_uri(uint8_t *uri, size_t ulen, uint8_t *constraint, *error = X509_V_ERR_UNSUPPORTED_CONSTRAINT_SYNTAX; goto err; } @@ -503,7 +504,7 @@ index 0773d2b..673a159 100644 err: free(hostpart); return ret; -@@ -999,7 +999,7 @@ x509_constraints_validate(GENERAL_NAME *constraint, +@@ -1018,7 +1018,7 @@ x509_constraints_validate(GENERAL_NAME *constraint, case GEN_DNS: if (!x509_constraints_valid_domain_constraint(&cbs)) goto err; @@ -512,7 +513,7 @@ index 0773d2b..673a159 100644 error = X509_V_ERR_OUT_OF_MEM; goto err; } -@@ -1045,7 +1045,7 @@ x509_constraints_validate(GENERAL_NAME *constraint, +@@ -1064,7 +1064,7 @@ x509_constraints_validate(GENERAL_NAME *constraint, case GEN_URI: if (!x509_constraints_valid_domain_constraint(&cbs)) goto err; @@ -522,7 +523,7 @@ index 0773d2b..673a159 100644 goto err; } diff --git a/crypto/x509/x509_obj.c b/crypto/x509/x509_obj.c -index db1741c..43afeb8 100644 +index db1741cc9..43afeb8cf 100644 --- a/crypto/x509/x509_obj.c +++ b/crypto/x509/x509_obj.c @@ -78,13 +78,13 @@ X509_NAME_ENTRY_add_object_cbb(CBB *cbb, const ASN1_OBJECT *aobj) @@ -555,10 +556,10 @@ index db1741c..43afeb8 100644 return buf; diff --git a/crypto/x509/x509_utl.c b/crypto/x509/x509_utl.c -index 4be8630..0960fc9 100644 +index 2e60834ed..0746ac0c5 100644 --- a/crypto/x509/x509_utl.c +++ b/crypto/x509/x509_utl.c -@@ -508,7 +508,7 @@ hex_to_string(const unsigned char *buffer, long len) +@@ -504,7 +504,7 @@ hex_to_string(const unsigned char *buffer, long len) err: CBB_cleanup(&cbb); @@ -567,7 +568,7 @@ index 4be8630..0960fc9 100644 } LCRYPTO_ALIAS(hex_to_string); -@@ -573,7 +573,7 @@ string_to_hex(const char *str, long *len) +@@ -569,7 +569,7 @@ string_to_hex(const char *str, long *len) goto err; } @@ -576,7 +577,7 @@ index 4be8630..0960fc9 100644 while (CBS_len(&cbs) > 0) { /* * Skipping only a single colon between two pairs of digits -@@ -817,7 +817,7 @@ equal_nocase(const unsigned char *pattern, size_t pattern_len, +@@ -813,7 +813,7 @@ equal_nocase(const unsigned char *pattern, size_t pattern_len, skip_prefix(&pattern, &pattern_len, subject, subject_len, flags); if (pattern_len != subject_len) return 0; @@ -585,7 +586,7 @@ index 4be8630..0960fc9 100644 } /* Compare using strncmp. */ -@@ -832,7 +832,7 @@ equal_case(const unsigned char *pattern, size_t pattern_len, +@@ -828,7 +828,7 @@ equal_case(const unsigned char *pattern, size_t pattern_len, skip_prefix(&pattern, &pattern_len, subject, subject_len, flags); if (pattern_len != subject_len) return 0; @@ -595,7 +596,7 @@ index 4be8630..0960fc9 100644 /* diff --git a/crypto/x509/x509_verify.c b/crypto/x509/x509_verify.c -index f25e2b3..c52be9e 100644 +index fc3fbc14d..95c6cf359 100644 --- a/crypto/x509/x509_verify.c +++ b/crypto/x509/x509_verify.c @@ -55,7 +55,8 @@ x509_verify_asn1_time_to_time_t(const ASN1_TIME *atime, int notAfter, @@ -609,7 +610,7 @@ index f25e2b3..c52be9e 100644 return 0; diff --git a/crypto/x509/x509name.c b/crypto/x509/x509name.c -index 9a582d3..20498dd 100644 +index e60d8b7a3..5fc4d2ee0 100644 --- a/crypto/x509/x509name.c +++ b/crypto/x509/x509name.c @@ -107,7 +107,8 @@ X509_NAME_get_text_by_OBJ(X509_NAME *name, const ASN1_OBJECT *obj, char *buf, @@ -623,10 +624,10 @@ index 9a582d3..20498dd 100644 /* It must be a C string */ buf[text_len] = '\0'; diff --git a/ssl/s3_lib.c b/ssl/s3_lib.c -index 86b32ae..e760c0b 100644 +index bcf26bec4..431af32f2 100644 --- a/ssl/s3_lib.c +++ b/ssl/s3_lib.c -@@ -1548,7 +1548,7 @@ _SSL_set_tlsext_host_name(SSL *s, const char *name) +@@ -1551,7 +1551,7 @@ _SSL_set_tlsext_host_name(SSL *s, const char *name) if (name == NULL) return 1; @@ -636,10 +637,10 @@ index 86b32ae..e760c0b 100644 if (!tlsext_sni_is_valid_hostname(&cbs, &is_ip)) { SSLerror(s, SSL_R_SSL3_EXT_INVALID_SERVERNAME); diff --git a/ssl/ssl_clnt.c b/ssl/ssl_clnt.c -index 0d3dcf7..9a59d98 100644 +index 6ef81a170..ffc55e5f9 100644 --- a/ssl/ssl_clnt.c +++ b/ssl/ssl_clnt.c -@@ -2330,7 +2330,7 @@ ssl3_send_client_change_cipher_spec(SSL *s) +@@ -2337,7 +2337,7 @@ ssl3_send_client_change_cipher_spec(SSL *s) memset(&cbb, 0, sizeof(cbb)); if (s->s3->hs.state == SSL3_ST_CW_CHANGE_A) { @@ -649,7 +650,7 @@ index 0d3dcf7..9a59d98 100644 goto err; if (!CBB_add_u8(&cbb, SSL3_MT_CCS)) diff --git a/ssl/ssl_lib.c b/ssl/ssl_lib.c -index 630724e..32ab533 100644 +index 630724e67..32ab5332a 100644 --- a/ssl/ssl_lib.c +++ b/ssl/ssl_lib.c @@ -2004,12 +2004,12 @@ SSL_export_keying_material(SSL *s, unsigned char *out, size_t out_len, @@ -670,10 +671,10 @@ index 630724e..32ab533 100644 LSSL_ALIAS(SSL_export_keying_material); diff --git a/ssl/ssl_srvr.c b/ssl/ssl_srvr.c -index db4ba38..4dfaaf5 100644 +index af4b20f6c..e877bb3f9 100644 --- a/ssl/ssl_srvr.c +++ b/ssl/ssl_srvr.c -@@ -2371,7 +2371,7 @@ ssl3_send_server_change_cipher_spec(SSL *s) +@@ -2378,7 +2378,7 @@ ssl3_send_server_change_cipher_spec(SSL *s) memset(&cbb, 0, sizeof(cbb)); if (s->s3->hs.state == SSL3_ST_SW_CHANGE_A) { @@ -683,7 +684,7 @@ index db4ba38..4dfaaf5 100644 goto err; if (!CBB_add_u8(&cbb, SSL3_MT_CCS)) diff --git a/ssl/ssl_tlsext.c b/ssl/ssl_tlsext.c -index 311c29b..e1c9b3c 100644 +index d879b3304..2b75b0fbb 100644 --- a/ssl/ssl_tlsext.c +++ b/ssl/ssl_tlsext.c @@ -808,7 +808,8 @@ tlsext_sni_server_process(SSL *s, uint16_t msg_type, CBS *cbs, int *alert) @@ -697,7 +698,7 @@ index 311c29b..e1c9b3c 100644 *alert = SSL_AD_UNRECOGNIZED_NAME; goto err; diff --git a/ssl/ssl_txt.c b/ssl/ssl_txt.c -index 4ed76c9..1ad3b92 100644 +index 4ed76c95a..1ad3b9255 100644 --- a/ssl/ssl_txt.c +++ b/ssl/ssl_txt.c @@ -170,8 +170,8 @@ SSL_SESSION_print(BIO *bp, const SSL_SESSION *x) @@ -712,10 +713,10 @@ index 4ed76c9..1ad3b92 100644 } diff --git a/ssl/t1_lib.c b/ssl/t1_lib.c -index 57cd180..9797aab 100644 +index 912bea592..c93107383 100644 --- a/ssl/t1_lib.c +++ b/ssl/t1_lib.c -@@ -1018,6 +1018,7 @@ tls_decrypt_ticket(SSL *s, CBS *ticket, int *alert, SSL_SESSION **psess) +@@ -1014,6 +1014,7 @@ tls_decrypt_ticket(SSL *s, CBS *ticket, int *alert, SSL_SESSION **psess) EVP_CIPHER_CTX *cctx = NULL; SSL_CTX *tctx = s->initial_ctx; int slen, hlen, iv_len; @@ -723,7 +724,7 @@ index 57cd180..9797aab 100644 int alert_desc = SSL_AD_INTERNAL_ERROR; int ret = TLS1_TICKET_FATAL_ERROR; -@@ -1112,8 +1113,9 @@ tls_decrypt_ticket(SSL *s, CBS *ticket, int *alert, SSL_SESSION **psess) +@@ -1108,8 +1109,9 @@ tls_decrypt_ticket(SSL *s, CBS *ticket, int *alert, SSL_SESSION **psess) if (HMAC_Update(hctx, CBS_data(&ticket_encdata), CBS_len(&ticket_encdata)) <= 0) goto err; @@ -735,10 +736,10 @@ index 57cd180..9797aab 100644 if (!CBS_mem_equal(&ticket_hmac, hmac, hlen)) goto derr; diff --git a/ssl/tls13_client.c b/ssl/tls13_client.c -index 901b38f..414c9cb 100644 +index 21d396079..a837b85fe 100644 --- a/ssl/tls13_client.c +++ b/ssl/tls13_client.c -@@ -656,7 +656,7 @@ tls13_server_certificate_verify_recv(struct tls13_ctx *ctx, CBS *cbs) +@@ -668,7 +668,7 @@ tls13_server_certificate_verify_recv(struct tls13_ctx *ctx, CBS *cbs) sizeof(tls13_cert_verify_pad))) goto err; if (!CBB_add_bytes(&cbb, tls13_cert_server_verify_context, @@ -747,7 +748,7 @@ index 901b38f..414c9cb 100644 goto err; if (!CBB_add_u8(&cbb, 0)) goto err; -@@ -710,7 +710,7 @@ int +@@ -722,7 +722,7 @@ int tls13_server_finished_recv(struct tls13_ctx *ctx, CBS *cbs) { struct tls13_secrets *secrets = ctx->hs->tls13.secrets; @@ -756,7 +757,7 @@ index 901b38f..414c9cb 100644 struct tls13_secret finished_key; uint8_t transcript_hash[EVP_MAX_MD_SIZE]; size_t transcript_hash_len; -@@ -932,7 +932,7 @@ tls13_client_certificate_verify_send(struct tls13_ctx *ctx, CBB *cbb) +@@ -944,7 +944,7 @@ tls13_client_certificate_verify_send(struct tls13_ctx *ctx, CBB *cbb) sizeof(tls13_cert_verify_pad))) goto err; if (!CBB_add_bytes(&sig_cbb, tls13_cert_client_verify_context, @@ -765,7 +766,7 @@ index 901b38f..414c9cb 100644 goto err; if (!CBB_add_u8(&sig_cbb, 0)) goto err; -@@ -993,7 +993,7 @@ int +@@ -1005,7 +1005,7 @@ int tls13_client_finished_send(struct tls13_ctx *ctx, CBB *cbb) { struct tls13_secrets *secrets = ctx->hs->tls13.secrets; @@ -775,7 +776,7 @@ index 901b38f..414c9cb 100644 uint8_t transcript_hash[EVP_MAX_MD_SIZE]; size_t transcript_hash_len; diff --git a/ssl/tls13_key_schedule.c b/ssl/tls13_key_schedule.c -index 05bcf0f..19afc79 100644 +index 05bcf0f00..19afc7999 100644 --- a/ssl/tls13_key_schedule.c +++ b/ssl/tls13_key_schedule.c @@ -160,8 +160,8 @@ tls13_hkdf_expand_label(struct tls13_secret *out, const EVP_MD *digest, @@ -826,10 +827,10 @@ index 05bcf0f..19afc79 100644 } diff --git a/ssl/tls13_legacy.c b/ssl/tls13_legacy.c -index 6c33ecc..481ca9e 100644 +index 6a06330b2..220999745 100644 --- a/ssl/tls13_legacy.c +++ b/ssl/tls13_legacy.c -@@ -360,7 +360,7 @@ tls13_use_legacy_stack(struct tls13_ctx *ctx) +@@ -359,7 +359,7 @@ tls13_use_legacy_stack(struct tls13_ctx *ctx) tls13_handshake_msg_data(ctx->hs_msg, &cbs); if (!BUF_MEM_grow_clean(s->init_buf, CBS_len(&cbs))) goto err; @@ -839,7 +840,7 @@ index 6c33ecc..481ca9e 100644 goto err; diff --git a/ssl/tls13_lib.c b/ssl/tls13_lib.c -index c3470b2..5d9f159 100644 +index c3470b293..5d9f15950 100644 --- a/ssl/tls13_lib.c +++ b/ssl/tls13_lib.c @@ -378,7 +378,8 @@ tls13_new_session_ticket_recv(struct tls13_ctx *ctx, CBS *cbs) @@ -853,7 +854,7 @@ index c3470b2..5d9f159 100644 memset(&nonce, 0, sizeof(nonce)); diff --git a/ssl/tls13_record_layer.c b/ssl/tls13_record_layer.c -index f5604ad..9bdd61c 100644 +index f5604adbe..9bdd61c91 100644 --- a/ssl/tls13_record_layer.c +++ b/ssl/tls13_record_layer.c @@ -467,7 +467,7 @@ static int @@ -866,7 +867,7 @@ index f5604ad..9bdd61c 100644 int ret = 0; diff --git a/ssl/tls13_server.c b/ssl/tls13_server.c -index 650fd13..184b3d3 100644 +index 604dab4cb..2beb72636 100644 --- a/ssl/tls13_server.c +++ b/ssl/tls13_server.c @@ -728,7 +728,7 @@ tls13_server_certificate_verify_send(struct tls13_ctx *ctx, CBB *cbb) diff --git a/pkg/libressl/sha256 b/pkg/libressl/sha256 index 5da0b8f6..1eedf581 100644 --- a/pkg/libressl/sha256 +++ b/pkg/libressl/sha256 @@ -1 +1 @@ -6d5c2f58583588ea791f4c8645004071d00dfa554a5bf788a006ca1eb5abd70b libressl-4.2.1.tar.gz +c2db42ace14e7d5419826fab35a742ec6e4d12725a051a51d0cea3c10ba0fa50 libressl-4.3.1.tar.gz diff --git a/pkg/libressl/url b/pkg/libressl/url index 768d3dd7..af0a4a53 100644 --- a/pkg/libressl/url +++ b/pkg/libressl/url @@ -1 +1 @@ -url = "https://cdn.openbsd.org/pub/OpenBSD/LibreSSL/libressl-4.2.1.tar.gz" +url = "https://cdn.openbsd.org/pub/OpenBSD/LibreSSL/libressl-4.3.1.tar.gz" diff --git a/pkg/libressl/ver b/pkg/libressl/ver index 196224a4..5625de94 100644 --- a/pkg/libressl/ver +++ b/pkg/libressl/ver @@ -1 +1 @@ -4.2.1 r0 +4.3.1 r0