From b2c59887a2eeb74d331e3321e0de9e154cb8be13 Mon Sep 17 00:00:00 2001
From: kinichiro <kinichiro.inoguchi@gmail.com>
Date: Sun, 10 Apr 2022 12:13:31 +0900
Subject: [PATCH 1/8] Add regress objectstest

---
 tests/CMakeLists.txt | 5 +++++
 tests/Makefile.am    | 5 +++++
 2 files changed, 10 insertions(+)

diff --git a/tests/CMakeLists.txt b/tests/CMakeLists.txt
index 7c80002..e6cb2bc 100644
--- a/tests/CMakeLists.txt
+++ b/tests/CMakeLists.txt
@@ -341,6 +341,11 @@ add_executable(mont mont.c)
 target_link_libraries(mont ${OPENSSL_TEST_LIBS})
 add_test(mont mont)
 
+# objectstest
+add_executable(objectstest objectstest.c)
+target_link_libraries(objectstest ${OPENSSL_TEST_LIBS})
+add_test(objectstest objectstest)
+
 # ocsp_test
 if(ENABLE_EXTRATESTS)
 	add_executable(ocsp_test ocsp_test.c)
diff --git a/tests/Makefile.am b/tests/Makefile.am
index e58c0c0..6c88c90 100644
--- a/tests/Makefile.am
+++ b/tests/Makefile.am
@@ -354,6 +354,11 @@ TESTS += mont
 check_PROGRAMS += mont
 mont_SOURCES = mont.c
 
+# objectstest
+TESTS += objectstest
+check_PROGRAMS += objectstest
+objectstest_SOURCES = objectstest.c
+
 # ocsp_test
 if ENABLE_EXTRATESTS
 TESTS += ocsptest.sh

From 87441bdbceeceb8eebc8d8b4d7211c890248c0c7 Mon Sep 17 00:00:00 2001
From: Theo Buehler <tb@openbsd.org>
Date: Fri, 15 Apr 2022 18:03:35 +0200
Subject: [PATCH 2/8] LibreSSL 3.5.2 ChangeLog

---
 ChangeLog | 43 +++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 43 insertions(+)

diff --git a/ChangeLog b/ChangeLog
index b58f52d..486b6c1 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -28,6 +28,49 @@ history is also available from Git.
 
 LibreSSL Portable Release Notes:
 
+3.5.2 - Stable release
+
+	* Bug fixes
+	  - Fix NULL dereferences in openssl(1) cms option parsing.
+	  - Do not zero the computed cofactor on ec_guess_cofactor() success.
+	  - Bound cofactor in EC_GROUP_set_generator() to reduce the number of
+	    bogus groups that can be described with nonsensical parameters.
+	  - Avoid various potential segfaults in EVP_PKEY_CTX_free() in low
+	    memory conditions. Reported for HMAC by Masaru Masuda.
+	  - Plug leak in ASN1_TIME_adj_internal().
+	  - Avoid infinite loop for custom curves of order 1.
+	    Issue reported by Hanno Boeck, comments by David Benjamin.
+	  - Avoid an infinite loop on parsing DSA private keys by validating
+	    that the provided parameters conform to FIPS 186-4.
+	    Issue reported by Hanno Boeck, comments by David Benjamin.
+	* Internal improvements
+	  - Suppress various compiler warnings for old gcc versions.
+	  - Rework ASN1_STRING_set().
+	  - Remove const from tls1_transcript_hash_value().
+	  - Clean up and simplify ssl3_renegotiate{,_check}().
+	  - Rewrite legacy TLS and DTLS unexpected handshake message handling.
+	  - Simplify SSL_do_handshake().
+	  - Rewrite ASCII/text to ASN.1 object conversion.
+	  - Provide t2i_ASN1_OBJECT_internal() and use it for OBJ_txt2obj().
+	  - Split armv7 and aarch64 code into separate locations.
+	  - Rewrote openssl(1) ts to use the new option handling and cleaned
+	    up the C code.
+	  - Provide asn1_get_primitive().
+	  - Convert {c2i,d2i}_ASN1_OBJECT() to CBS.
+	  - Remove the minimum record length checks from dtls1_read_bytes().
+	  - Clean up {dtls1,ssl3}_read_bytes().
+	  - Be more careful with embedded and terminating NULs in the new
+	    name constraints code.
+	  - Check EVP_Digest* return codes in openssl(1) ts
+	  - Various minor code cleanup in openssl(1) pkcs12
+	  - Use calloc() in pkey_hmac_init().
+	  - Simplify priv_key handling in d2i_ECPrivateKey().
+	* Documentation improvements
+	  - Update d2i_ASN1_OBJECT(3) documentation to reflect reality after
+	    refactoring and bug fixes.
+	  - Fixed numerous minor grammar, spelling, wording, and punctuation
+	    issues.
+
 3.5.1 - Security release
 
 	* A malicious certificate can cause an infinite loop.

From ac053c8453d0ae1e16a15f435dbd4d3169ebbae8 Mon Sep 17 00:00:00 2001
From: Theo Buehler <tb@openbsd.org>
Date: Fri, 15 Apr 2022 18:34:43 +0200
Subject: [PATCH 3/8] add a few more things

---
 ChangeLog | 13 +++++++++++++
 1 file changed, 13 insertions(+)

diff --git a/ChangeLog b/ChangeLog
index 486b6c1..c739281 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -31,6 +31,10 @@ LibreSSL Portable Release Notes:
 3.5.2 - Stable release
 
 	* Bug fixes
+	  - Avoid single byte overread in asn1_parse2().
+	  - Allow name constraints with a leading dot. From Alex Wilson.
+	  - Relax a check in x509_constraints_dirname() to allow prefixes.
+	    From Alex Wilson.
 	  - Fix NULL dereferences in openssl(1) cms option parsing.
 	  - Do not zero the computed cofactor on ec_guess_cofactor() success.
 	  - Bound cofactor in EC_GROUP_set_generator() to reduce the number of
@@ -43,8 +47,17 @@ LibreSSL Portable Release Notes:
 	  - Avoid an infinite loop on parsing DSA private keys by validating
 	    that the provided parameters conform to FIPS 186-4.
 	    Issue reported by Hanno Boeck, comments by David Benjamin.
+	* Compatibility improvements
+	  - Allow non-standard name constraints of the form @domain.com.
 	* Internal improvements
+	  - Limit OID text conversion to 64 bits per arc.
+	  - Clean up and simplify memory BIO code.
+	  - Reduce number of memmove() calls in memory BIOs.
+	  - Factor out alert handling code in the legacy stack.
+	  - Add sanity checks on p and q in old_dsa_priv_decode()
+	  - Cache the SHA-512 hash instead of the SHA-1 for CRLs.
 	  - Suppress various compiler warnings for old gcc versions.
+	  - Remove free_cont from asn1_d2i_ex_primitive()/asn1_ex_c2i().
 	  - Rework ASN1_STRING_set().
 	  - Remove const from tls1_transcript_hash_value().
 	  - Clean up and simplify ssl3_renegotiate{,_check}().

From fe903fb7c59600f7679b2afb0d33f4a0c3f93ae2 Mon Sep 17 00:00:00 2001
From: Sebastian Blunt <git@sebastianblunt.com>
Date: Fri, 15 Apr 2022 23:48:50 -0700
Subject: [PATCH 4/8] Fix unreachable nc portability shim

This fixes nc failing to run on darwin due to it incorrectly setting the
linux-specific SOCK_NONBLOCK flag on connect.

nc already had a portability shim in apps/nc/compat/sys/socket.h, which
kicks in if SOCK_NONBLOCK is undefined. But that header includes
include/compat/sys/socket.h, which also has a portability shim that
defines a default value for SOCK_NONBLOCK if it's undefined. Thus the
first portability shim was unreachable.

Fixes this by moving the NEED_SOCKET_FLAGS flag into the outer shim, and
having the inner shim activate if NEED_SOCKET_FLAGS is defined.

This closes https://github.com/libressl-portable/portable/issues/631
---
 apps/nc/compat/sys/socket.h | 3 +--
 include/compat/sys/socket.h | 1 +
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/apps/nc/compat/sys/socket.h b/apps/nc/compat/sys/socket.h
index 13eb380..2c7ee4f 100644
--- a/apps/nc/compat/sys/socket.h
+++ b/apps/nc/compat/sys/socket.h
@@ -6,8 +6,7 @@
 #ifndef _WIN32
 #include_next <sys/socket.h>
 
-#if !defined(SOCK_NONBLOCK) || !defined(SOCK_CLOEXEC)
-#define NEED_SOCKET_FLAGS
+#if defined(NEED_SOCKET_FLAGS)
 int _socket(int domain, int type, int protocol);
 #ifndef SOCKET_FLAGS_PRIV
 #define socket(d, t, p) _socket(d, t, p)
diff --git a/include/compat/sys/socket.h b/include/compat/sys/socket.h
index 10eb05f..2f0b197 100644
--- a/include/compat/sys/socket.h
+++ b/include/compat/sys/socket.h
@@ -10,6 +10,7 @@
 #endif
 
 #if !defined(SOCK_NONBLOCK) || !defined(SOCK_CLOEXEC)
+#define NEED_SOCKET_FLAGS
 #define SOCK_CLOEXEC            0x8000  /* set FD_CLOEXEC */
 #define SOCK_NONBLOCK           0x4000  /* set O_NONBLOCK */
 int bsd_socketpair(int domain, int type, int protocol, int socket_vector[2]);

From 4458b705f4acf9265a346403f3da3cbd8afaa21a Mon Sep 17 00:00:00 2001
From: kinichiro <kinichiro.inoguchi@gmail.com>
Date: Sat, 16 Apr 2022 20:55:27 +0900
Subject: [PATCH 5/8] Update ChangeLog

---
 ChangeLog | 1 +
 1 file changed, 1 insertion(+)

diff --git a/ChangeLog b/ChangeLog
index c739281..e4dc7ad 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -58,6 +58,7 @@ LibreSSL Portable Release Notes:
 	  - Cache the SHA-512 hash instead of the SHA-1 for CRLs.
 	  - Suppress various compiler warnings for old gcc versions.
 	  - Remove free_cont from asn1_d2i_ex_primitive()/asn1_ex_c2i().
+	  - Rework ownership handling in x509_constraints_validate().
 	  - Rework ASN1_STRING_set().
 	  - Remove const from tls1_transcript_hash_value().
 	  - Clean up and simplify ssl3_renegotiate{,_check}().

From 500d16b32ce25231e7c721363cfb5fe121e0fd81 Mon Sep 17 00:00:00 2001
From: kinichiro <kinichiro.inoguchi@gmail.com>
Date: Fri, 29 Apr 2022 18:30:45 +0900
Subject: [PATCH 6/8] Add environment macos-12 to CI

---
 .github/workflows/macos_test.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.github/workflows/macos_test.yml b/.github/workflows/macos_test.yml
index 29e6cdc..6e7adac 100644
--- a/.github/workflows/macos_test.yml
+++ b/.github/workflows/macos_test.yml
@@ -6,7 +6,7 @@ jobs:
   build-native:
     strategy:
       matrix:
-        os: [macos-latest]
+        os: [macos-12, macos-11]
         compiler: [clang, gcc]
     runs-on: ${{ matrix.os }}
     continue-on-error: false

From 8a57de6ed06b9f0e706211b33af28b61590ab0c8 Mon Sep 17 00:00:00 2001
From: kinichiro <kinichiro.inoguchi@gmail.com>
Date: Fri, 29 Apr 2022 18:55:44 +0900
Subject: [PATCH 7/8] Set max number of processes for CI

---
 scripts/test | 14 +++++++-------
 1 file changed, 7 insertions(+), 7 deletions(-)

diff --git a/scripts/test b/scripts/test
index 80fa988..f2f0cb8 100755
--- a/scripts/test
+++ b/scripts/test
@@ -20,24 +20,24 @@ if [ "x$ARCH" = "xnative" ]; then
 	# test cmake and ninja
 	if [ `uname` = "Darwin" ]; then
 		cmake ..
-		make
+		make -j 4
 		make test
 
 		cd ../build-shared
 		cmake -DBUILD_SHARED_LIBS=ON ..
-		make
+		make -j 4
 		make test
 	else
 		sudo apt-get update
 		sudo apt-get install -y cmake ninja-build
 
 		cmake -GNinja ..
-		ninja
+		ninja -j 4
 		ninja test
 
 		cd ../build-shared
 		cmake -GNinja -DBUILD_SHARED_LIBS=ON ..
-		ninja
+		ninja -j 4
 		ninja test
 	fi
 
@@ -58,21 +58,21 @@ elif [ "x$ARCH" = "xmingw32" -o "x$ARCH" = "xmingw64" ]; then
 	fi
 
 	./configure --host=$CPU-w64-mingw32
-	make -j
+	make -j 4
 
 	(
 	 rm -fr build-static
 	 mkdir build-static
 	 cd build-static
 	 cmake -GNinja -DCMAKE_TOOLCHAIN_FILE=../scripts/$CPU-w64-mingw32.cmake ..
-	 ninja
+	 ninja -j 4
 	)
 	(
 	 rm -fr build-shared
 	 mkdir build-shared
 	 cd build-shared
 	 cmake -GNinja -DCMAKE_TOOLCHAIN_FILE=../scripts/$CPU-w64-mingw32.cmake -DBUILD_SHARED_LIBS=ON ..
-	 ninja
+	 ninja -j 4
 	)
 
 elif [ "x$ARCH" = "xarm32" -o "x$ARCH" = "xarm64" ]; then

From ff798b2a33d89679ac6c25a4773b91c6a26cd015 Mon Sep 17 00:00:00 2001
From: kinichiro <kinichiro.inoguchi@gmail.com>
Date: Fri, 29 Apr 2022 19:30:07 +0900
Subject: [PATCH 8/8] Use current VS2019 with appveyor

---
 appveyor.yml | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)

diff --git a/appveyor.yml b/appveyor.yml
index bdb8001..33a32da 100644
--- a/appveyor.yml
+++ b/appveyor.yml
@@ -1,26 +1,26 @@
 image:
-  - Previous Visual Studio 2019
+  - Visual Studio 2019
 
 environment:
   PATH: C:\msys64\usr\bin;C:\msys64\mingw64\bin;C:\Windows\System32;C:\Windows;%PATH%
 
   matrix:
-    - APPVEYOR_BUILD_WORKER_IMAGE: Previous Visual Studio 2019
+    - APPVEYOR_BUILD_WORKER_IMAGE: Visual Studio 2019
       GENERATOR: Visual Studio 16 2019
       ARCHITECTURE: Win32
       CONFIG: Release
       SHARED_LIBS: ON
-    - APPVEYOR_BUILD_WORKER_IMAGE: Previous Visual Studio 2019
+    - APPVEYOR_BUILD_WORKER_IMAGE: Visual Studio 2019
       GENERATOR: Visual Studio 16 2019
       ARCHITECTURE: Win32
       CONFIG: Release
       SHARED_LIBS: OFF
-    - APPVEYOR_BUILD_WORKER_IMAGE: Previous Visual Studio 2019
+    - APPVEYOR_BUILD_WORKER_IMAGE: Visual Studio 2019
       GENERATOR: Visual Studio 16 2019
       ARCHITECTURE: x64
       CONFIG: Release
       SHARED_LIBS: ON
-    - APPVEYOR_BUILD_WORKER_IMAGE: Previous Visual Studio 2019
+    - APPVEYOR_BUILD_WORKER_IMAGE: Visual Studio 2019
       GENERATOR: Visual Studio 16 2019
       ARCHITECTURE: x64
       CONFIG: Release