Land #376, adjust MSVC warnings

Merge remote-tracking branch 'upstream/pr/374'

.gitignore

@@ -39,11 +39,13 @@ Makefile.in
 *.la
 
 *.def
+*.sym
 *.pc
 
 # man pages
 *.1
 *.3
+*.5
 
 # tests
 test-driver
@@ -51,21 +53,26 @@ test-driver
 *.trs
 tests/aes_wrap*
 tests/arc4random_fork*
+tests/asn1evp*
 tests/asn1time*
 tests/cipher*
 tests/explicit_bzero*
+tests/freenull*
 tests/gost2814789t*
 tests/mont*
 tests/rfc5280time*
+tests/ssl_versions*
 tests/timingsafe*
+tests/tls_ext_alpn*
+tests/tls_prf*
 tests/*test
 tests/tests.h
 tests/*test.c
-tests/memmem.c
 tests/pbkdf2*
 tests/*.pem
 tests/testssl
 tests/*.txt
+tests/compat/*.c
 !tests/optionstest.c
 !tests/*.test
 
@@ -114,10 +121,18 @@ include/pqueue.h
 include/tls.h
 include/openssl/*.h
 
+/apps/ocspcheck/*.h
+/apps/ocspcheck/*.c
+/apps/ocspcheck/ocspcheck*
+/apps/ocspcheck/compat/inet_ntop.c
+/apps/ocspcheck/compat/memmem.c
+
 /apps/nc/*.h
 /apps/nc/*.c
 /apps/nc/nc*
 !/apps/nc/readpassphrase.c
+/apps/nc/compat/*.c
+
 /apps/openssl/*.h
 /apps/openssl/*.c
 /apps/openssl/*.cnf
@@ -131,6 +146,8 @@ include/openssl/*.h
 !/crypto/compat/arc4random.h
 !/crypto/compat/b_win.c
 !/crypto/compat/explicit_bzero_win.c
+!/crypto/compat/freezero.c
+!/crypto/compat/getpagesize.c
 !/crypto/compat/posix_win.c
 !/crypto/compat/bsd_asprintf.c
 !/crypto/compat/inet_pton.c
@@ -154,3 +171,4 @@ openbsd/
 
 *.tar.gz
 man/Makefile.am
+man/mandoc.db

.travis.yml

@@ -10,15 +10,23 @@ matrix:
     - compiler: clang
       os: linux
       env: ARCH=native
+      dist: trusty
+      sudo: required
     - compiler: gcc
       os: linux
       env: ARCH=native
+      dist: trusty
+      sudo: required
     - compiler: gcc
       os: linux
       env: ARCH=mingw32
+      dist: trusty
+      sudo: required
     - compiler: gcc
       os: linux
       env: ARCH=mingw64
+      dist: trusty
+      sudo: required
 
 script:
   "./scripts/travis"

CMakeLists.txt

@@ -1,27 +1,50 @@
-cmake_minimum_required (VERSION 2.8)
+cmake_minimum_required (VERSION 2.8.8)
 include(CheckFunctionExists)
 include(CheckLibraryExists)
 include(CheckIncludeFiles)
+include(CheckTypeSize)
 
-project (LibreSSL)
+set(CMAKE_MODULE_PATH "${CMAKE_CURRENT_SOURCE_DIR}" ${CMAKE_MODULE_PATH})
+include(cmake_export_symbol)
+include(GNUInstallDirs)
+
+project (LibreSSL C)
 
 enable_testing()
 
-file(READ ${CMAKE_SOURCE_DIR}/ssl/VERSION SSL_VERSION)
+file(READ ${CMAKE_CURRENT_SOURCE_DIR}/ssl/VERSION SSL_VERSION)
 string(STRIP ${SSL_VERSION} SSL_VERSION)
 string(REPLACE ":" "." SSL_VERSION ${SSL_VERSION})
 string(REGEX REPLACE "\\..*" "" SSL_MAJOR_VERSION ${SSL_VERSION})
 
-file(READ ${CMAKE_SOURCE_DIR}/crypto/VERSION CRYPTO_VERSION)
+file(READ ${CMAKE_CURRENT_SOURCE_DIR}/crypto/VERSION CRYPTO_VERSION)
 string(STRIP ${CRYPTO_VERSION} CRYPTO_VERSION)
 string(REPLACE ":" "." CRYPTO_VERSION ${CRYPTO_VERSION})
 string(REGEX REPLACE "\\..*" "" CRYPTO_MAJOR_VERSION ${CRYPTO_VERSION})
 
-file(READ ${CMAKE_SOURCE_DIR}/tls/VERSION TLS_VERSION)
+file(READ ${CMAKE_CURRENT_SOURCE_DIR}/tls/VERSION TLS_VERSION)
 string(STRIP ${TLS_VERSION} TLS_VERSION)
 string(REPLACE ":" "." TLS_VERSION ${TLS_VERSION})
 string(REGEX REPLACE "\\..*" "" TLS_MAJOR_VERSION ${TLS_VERSION})
 
+option(LIBRESSL_SKIP_INSTALL "Skip installation" ${LIBRESSL_SKIP_INSTALL})
+option(ENABLE_ASM "Enable assembly" ON)
+option(ENABLE_EXTRATESTS "Enable extra tests that may be unreliable on some platforms" OFF)
+option(ENABLE_NC "Enable installing TLS-enabled nc(1)" OFF)
+option(ENABLE_VSTEST "Enable test on Visual Studio" OFF)
+set(OPENSSLDIR ${OPENSSLDIR} CACHE PATH "Set the default openssl directory" FORCE)
+
+if(NOT LIBRESSL_SKIP_INSTALL)
+	set( ENABLE_LIBRESSL_INSTALL ON )
+endif(NOT LIBRESSL_SKIP_INSTALL)
+
+
+set(BUILD_NC true)
+
+if(CMAKE_SYSTEM_NAME MATCHES "Darwin")
+	add_definitions(-fno-common)
+endif()
+
 if(CMAKE_SYSTEM_NAME MATCHES "OpenBSD")
 	add_definitions(-DHAVE_ATTRIBUTE__BOUNDED__)
 endif()
@@ -33,9 +56,36 @@ if(CMAKE_SYSTEM_NAME MATCHES "Linux")
 	add_definitions(-D_GNU_SOURCE)
 endif()
 
+if(CMAKE_SYSTEM_NAME MATCHES "MINGW")
+	set(BUILD_NC false)
+endif()
+
+if(WIN32)
+	set(BUILD_NC false)
+endif()
+
+if(CMAKE_SYSTEM_NAME MATCHES "HP-UX")
+	if(CMAKE_C_COMPILER MATCHES "gcc")
+		set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -Wall -std=gnu99 -fno-strict-aliasing")
+		set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -mlp64")
+	else()
+		set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -g -O2 +DD64 +Otype_safety=off")
+	endif()
+	set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -D_XOPEN_SOURCE=600 -D__STRICT_ALIGNMENT")
+endif()
+
+if(CMAKE_SYSTEM_NAME MATCHES "SunOS")
+	set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -Wall -std=gnu99 -fno-strict-aliasing")
+	set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -D__EXTENSIONS__")
+	set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -D_XOPEN_SOURCE=600")
+	set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -DBSD_COMP")
+	set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -fpic -m64")
+endif()
+
 add_definitions(-DLIBRESSL_INTERNAL)
 add_definitions(-DOPENSSL_NO_HW_PADLOCK)
-add_definitions(-DOPENSSL_NO_ASM)
+add_definitions(-D__BEGIN_HIDDEN_DECLS=)
+add_definitions(-D__END_HIDDEN_DECLS=)
 
 set(CMAKE_POSITION_INDEPENDENT_CODE true)
 
@@ -43,32 +93,60 @@ if (CMAKE_COMPILER_IS_GNUCC OR CMAKE_C_COMPILER_ID MATCHES "Clang")
 	add_definitions(-Wno-pointer-sign)
 endif()
 
-if(MSVC)
-	add_definitions(-Dinline=__inline)
+if(WIN32)
 	add_definitions(-Drestrict)
 	add_definitions(-D_CRT_SECURE_NO_WARNINGS)
 	add_definitions(-D_CRT_DEPRECATED_NO_WARNINGS)
 	add_definitions(-D_REENTRANT -D_POSIX_THREAD_SAFE_FUNCTIONS)
 	add_definitions(-DWIN32_LEAN_AND_MEAN -D_WIN32_WINNT=0x0501)
 	add_definitions(-DCPPFLAGS -DOPENSSL_NO_SPEED -DNO_SYSLOG -DNO_CRYPT)
+endif()
 
+if(MSVC)
+	add_definitions(-Dinline=__inline)
+	message(STATUS "Using [${CMAKE_C_COMPILER_ID}] compiler")
+	if(CMAKE_C_COMPILER_ID MATCHES "MSVC")
 		set(MSVC_DISABLED_WARNINGS_LIST
-		"C4057" # C4057: 'initializing' : 'unsigned char *' differs in
-		        # indirection to slightly different base types from 'char [2]'
-		"C4100" # 'exarg' : unreferenced formal parameter
+			"C4018" # 'expression' : signed/unsigned mismatch
+			"C4057" # 'operator' : 'identifier1' indirection to
+		        	# slightly different base types from 'identifier2'
+			"C4100" # 'identifier' : unreferenced formal parameter
 			"C4127" # conditional expression is constant
-		"C4242" # 'function' : conversion from 'int' to 'uint8_t',
+			"C4146" # unary minus operator applied to unsigned type,
+				# result still unsigned
+			"C4244" # 'argument' : conversion from 'type1' to 'type2',
 				# possible loss of data
-		"C4244" # 'function' : conversion from 'int' to 'uint8_t',
+			"C4245" # 'conversion' : conversion from 'type1' to 'type2',
+				# signed/unsigned mismatch
+			"C4267" # 'var' : conversion from 'size_t' to 'type',
 				# possible loss of data
+			"C4389" # 'operator' : signed/unsigned mismatch
 			"C4706" # assignment within conditional expression
-		"C4820" # 'bytes' bytes padding added after construct 'member_name'
-		"C4996" # 'read': The POSIX name for this item is deprecated. Instead,
-		        # use the ISO C++ conformant name: _read.
+			"C4996" # The POSIX name for this item is deprecated.
+				# Instead, use the ISO C and C++ conformant name
 		)
+	elseif(CMAKE_C_COMPILER_ID MATCHES "Intel")
+		add_definitions(-D_CRT_SUPPRESS_RESTRICT)
+		set(MSVC_DISABLED_WARNINGS_LIST
+			"C111"  # Unreachable statement
+			"C128"  # Unreachable loop
+			"C167"  # Unexplict casting unsigned to signed
+			"C186"  # Pointless comparison of unsigned int with zero
+			"C188"  # Enumerated type mixed with another type
+			"C344"  # Redeclared type
+			"C556"  # Unexplict casting signed to unsigned
+			"C869"  # Unreferenced parameters
+			"C1786" # Deprecated functions
+			"C2545" # Empty else statement
+			"C2557" # Comparing signed to unsigned
+			"C2722" # List init syntax is c++11 feature
+			"C3280" # Declaration hides variable
+		)
+	endif()
 	string(REPLACE "C" " -wd" MSVC_DISABLED_WARNINGS_STR
 		${MSVC_DISABLED_WARNINGS_LIST})
-	set(CMAKE_C_FLAGS  "-MP -W4 ${MSVC_DISABLED_WARNINGS_STR}")
+	string(REGEX REPLACE "[/-]W[1234][ ]?" "" CMAKE_C_FLAGS ${CMAKE_C_FLAGS})
+	set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -MP -W4 ${MSVC_DISABLED_WARNINGS_STR}")
 endif()
 
 check_function_exists(asprintf HAVE_ASPRINTF)
@@ -106,7 +184,7 @@ if(HAVE_STRNDUP)
 	add_definitions(-DHAVE_STRNDUP)
 endif()
 
-if(MSVC)
+if(WIN32)
 	set(HAVE_STRNLEN true)
 	add_definitions(-DHAVE_STRNLEN)
 else()
@@ -131,6 +209,11 @@ if(HAVE_ARC4RANDOM_BUF)
 	add_definitions(-DHAVE_ARC4RANDOM_BUF)
 endif()
 
+check_function_exists(arc4random_uniform HAVE_ARC4RANDOM_UNIFORM)
+if(HAVE_ARC4RANDOM_UNIFORM)
+	add_definitions(-DHAVE_ARC4RANDOM_UNIFORM)
+endif()
+
 check_function_exists(explicit_bzero HAVE_EXPLICIT_BZERO)
 if(HAVE_EXPLICIT_BZERO)
 	add_definitions(-DHAVE_EXPLICIT_BZERO)
@@ -146,6 +229,11 @@ if(HAVE_GETENTROPY)
 	add_definitions(-DHAVE_GETENTROPY)
 endif()
 
+check_function_exists(getpagesize HAVE_GETPAGESIZE)
+if(HAVE_GETPAGESIZE)
+	add_definitions(-DHAVE_GETPAGESIZE)
+endif()
+
 check_function_exists(timingsafe_bcmp HAVE_TIMINGSAFE_BCMP)
 if(HAVE_TIMINGSAFE_BCMP)
 	add_definitions(-DHAVE_TIMINGSAFE_BCMP)
@@ -156,12 +244,46 @@ if(HAVE_MEMCMP)
 	add_definitions(-DHAVE_MEMCMP)
 endif()
 
+check_function_exists(memmem HAVE_MEMMEM)
+if(HAVE_MEMMEM)
+	add_definitions(-DHAVE_MEMMEM)
+endif()
+
 check_include_files(err.h HAVE_ERR_H)
 if(HAVE_ERR_H)
 	add_definitions(-DHAVE_ERR_H)
 endif()
 
-set(OPENSSL_LIBS ssl crypto)
+if(ENABLE_ASM)
+	if("${CMAKE_C_COMPILER_ABI}" STREQUAL "ELF")
+		if("${CMAKE_SYSTEM_PROCESSOR}" MATCHES "(x86_64|amd64)")
+			set(HOST_ASM_ELF_X86_64 true)
+		elseif(CMAKE_SYSTEM_NAME STREQUAL "SunOS" AND "${CMAKE_SYSTEM_PROCESSOR}" STREQUAL "i386")
+			set(HOST_ASM_ELF_X86_64 true)
+		endif()
+	elseif(APPLE AND "${CMAKE_SYSTEM_PROCESSOR}" STREQUAL "x86_64")
+		set(HOST_ASM_MACOSX_X86_64 true)
+	endif()
+endif()
+
+if(NOT (CMAKE_SYSTEM_NAME MATCHES "(Darwin|CYGWIN)"))
+	set(BUILD_SHARED true)
+endif()
+
+# USE_SHARED builds applications (e.g. openssl) using shared LibreSSL.
+# By default, applications use LibreSSL static library to avoid dependencies.
+# USE_SHARED isn't set by default; use -DUSE_SHARED=ON with CMake to enable.
+# Can be helpful for debugging; don't use for public releases.
+if(NOT BUILD_SHARED)
+	set(USE_SHARED off)
+endif()
+
+if(USE_SHARED)
+	set(OPENSSL_LIBS tls-shared ssl-shared crypto-shared)
+else()
+	set(OPENSSL_LIBS tls ssl crypto)
+endif()
+
 if(CMAKE_HOST_WIN32)
 	set(OPENSSL_LIBS ${OPENSSL_LIBS} ws2_32)
 endif()
@@ -171,10 +293,21 @@ if(CMAKE_SYSTEM_NAME MATCHES "Linux")
 		set(OPENSSL_LIBS ${OPENSSL_LIBS} rt)
 	endif()
 endif()
-
-if(NOT (CMAKE_SYSTEM_NAME MATCHES "Darwin" OR MSVC))
-	set(BUILD_SHARED true)
+if(CMAKE_SYSTEM_NAME MATCHES "HP-UX")
+	set(OPENSSL_LIBS ${OPENSSL_LIBS} pthread)
 endif()
+if(CMAKE_SYSTEM_NAME MATCHES "SunOS")
+	set(OPENSSL_LIBS ${OPENSSL_LIBS} nsl socket)
+endif()
+
+check_type_size(time_t SIZEOF_TIME_T)
+if(SIZEOF_TIME_T STREQUAL "4")
+	set(SMALL_TIME_T true)
+	add_definitions(-DSMALL_TIME_T)
+	message(WARNING " ** Warning, this system is unable to represent times past 2038\n"
+	                " ** It will behave incorrectly when handling valid RFC5280 dates")
+endif()
+add_definitions(-DSIZEOF_TIME_T=${SIZEOF_TIME_T})
 
 add_subdirectory(crypto)
 add_subdirectory(ssl)
@@ -183,5 +316,32 @@ add_subdirectory(tls)
 add_subdirectory(include)
 if(NOT MSVC)
 	add_subdirectory(man)
+endif()
+if(NOT MSVC OR ENABLE_VSTEST)
 	add_subdirectory(tests)
 endif()
+
+if(NOT MSVC)
+	# Create pkgconfig files.
+	set(prefix      ${CMAKE_INSTALL_PREFIX})
+	set(exec_prefix \${prefix})
+	set(libdir      \${exec_prefix}/${CMAKE_INSTALL_LIBDIR})
+	set(includedir  \${prefix}/include)
+	file(STRINGS    "VERSION" VERSION LIMIT_COUNT 1)
+	file(GLOB       OPENSSL_PKGCONFIGS "*.pc.in")
+	foreach(file ${OPENSSL_PKGCONFIGS})
+		get_filename_component(filename ${file} NAME)
+		string(REPLACE ".in" "" new_file "${filename}")
+		configure_file(${filename} pkgconfig/${new_file} @ONLY)
+	endforeach()
+	install(DIRECTORY ${CMAKE_CURRENT_BINARY_DIR}/pkgconfig
+		DESTINATION ${CMAKE_INSTALL_LIBDIR})
+endif()
+
+configure_file(
+	"${CMAKE_CURRENT_SOURCE_DIR}/cmake_uninstall.cmake.in"
+	"${CMAKE_CURRENT_BINARY_DIR}/cmake_uninstall.cmake"
+	IMMEDIATE @ONLY)
+
+add_custom_target(uninstall
+	COMMAND ${CMAKE_COMMAND} -P ${CMAKE_CURRENT_BINARY_DIR}/cmake_uninstall.cmake)

ChangeLog

@@ -28,25 +28,365 @@ history is also available from Git.
 
 LibreSSL Portable Release Notes:
 
-2.3.10 - Security and compatibility fixes
+2.7.0 - Bug fixes and improvements
+
+	* Merged more DTLS support into the regular TLS code path, removing
+	  duplicated code.
+
+	* Converted ssl3_send_client_hello(), ssl3_send_server_hello() to CBB.
+
+	* Rewrite ASN1_TYPE_{get,set}_octetstring() using templated ASN.1.
+	  This removes the last remaining use of the old M_ASN1_* macros
+	  (asn1_mac.h) from API that needs to continue to exist.
+
+2.6.4 - Bug fixes
+
+	* Make tls_config_parse_protocols() work correctly when passed a NULL
+	  pointer for a protocol string. Issue found by semarie@, who also
+	  provided the diff.
+
+	* Correct TLS extensions handling when no extensions are present.
+	  If no TLS extensions are present in a client hello or server hello,
+	  omit the entire extensions block, rather than including it with a
+	  length of zero. Thanks to Eric Elena <eric at voguemerry dot com> for
+	  providing packet captures and testing the fix.
+
+	* Fixed portable builds on older Android systems, and systems with out
+	  IPV6_TCLASS support.
+
+2.6.3 - OpenBSD 6.2 Release
+
+	* No core changes from LibreSSL 2.6.2
+
+	* Minor compatibility fixes in portable version.
+
+2.6.2 - Bug fixes
+
+	* Provide a useful error with libtls if there are no OCSP URLs in a
+	  peer certificate.
+
+	* Keep track of which keypair is in use by a TLS context, fixing a bug
+	  where a TLS server with SNI would only return the OCSP staple for the
+	  default keypair. Issue reported by William Graeber and confirmed by
+	  Andreas Bartelt.
+
+	* Fixed various issues in the OCSP extension parsing code.
+	  The original code incorrectly passes the pointer allocated via
+	  CBS_stow() (using malloc()) to a d2i_*() function and then calls
+	  free() on the now incremented pointer, most likely resulting in a
+	  crash. This issue was reported by Robert Swiecki who found the issue
+	  using honggfuzz.
+
+	* If tls_config_parse_protocols() is called with a NULL pointer,
+	  return the default protocols instead of crashing - this makes the
+	  behaviour more useful and mirrors what we already do in
+	  tls_config_set_ciphers() et al.
+
+2.6.1 - Code removal, rewrites
+
+	* Added a "-T tlscompat" option to nc(1), which enables the use of all
+	  TLS protocols and "compat" ciphers. This allows for TLS connections
+	  to TLS servers that are using less than ideal cipher suites, without
+	  having to resort to "-T tlsall" which enables all known cipher
+	  suites.  Diff from Kyle J. McKay.
+
+	* Added a new TLS extension handling framework, somewhat analogous to
+	  BoringSSL, and converted all TLS extensions to use it. Added new TLS
+	  extension regression tests.
+
+	* Improved and added many new manpages. Updated *check_private_key
+	  manpages with additional cautions regarding their use.
+
+	* Cleaned up the EC key/curve configuration handling.
+
+	* Added tls_config_set_ecdhecurves() to libtls, which allows the names
+	  of the eliptical curves that may be used during client and server
+	  key exchange to be specified.
+
+	* Converted more code paths to use CBB/CBS.
+
+	* Removed support for DSS/DSA, since we removed the cipher suites a
+	  while back.
+
+	* Removed NPN support. NPN was never standardised and the last draft
+	  expired in October 2012. ALPN was standardised in July 2014 and has
+	  been supported in LibreSSL since December 2014. NPN has also been
+	  removed from Chromium in May 2016.
+
+	* Removed SSL_OP_CRYPTOPRO_TLSEXT_BUG workaround for old/broken
+	  CryptoPro clients.
+
+	* Removed support for the TLS padding extension, which was added as a
+	  workaround for an old bug in F5's TLS termination.
+
+	* Worked around another bug in F5's TLS termination handling of the
+	  elliptical curves extension. RFC 4492 only defines elliptic_curves
+	  for ClientHello. However, F5 is sending it in ServerHello.  We need
+	  to skip over it since our TLS extension parsing code is now more
+	  strict. Thanks to Armin Wolfermann and WJ Liu for reporting.
+
+	* Added ability to clamp notafter valies in certificates for systems
+	  with 32-bit time_t. This is necessary to conform to RFC 5280
+	  4.1.2.5.
+
+	* Implemented the SSL_CTX_set_min_proto_version(3) API.
+
+	* Removed the original (pre-IETF) chacha20-poly1305 cipher suites.
+
+	* Reclassified ECDHE-RSA-DES-CBC3-SHA from HIGH to MEDIUM.
+
+2.6.0 - New APIs, bug fixes and improvements
+
+	* Added support for providing CRLs to libtls. Once a CRL is provided we
+	  enable CRL checking for the full certificate chain. Based on a diff
+	  from Jack Burton
+
+	* Allow non-compliant clients using IP literal addresses with SNI
+	  to connect to a server using libtls.
+
+	* Avoid a potential NULL pointer dereference in d2i_ECPrivateKey().
+	  Reported by Robert Swiecki, who found the issue using honggfuzz.
+
+	* Added definitions for three OIDs used in EV certificates.
+	  From Kyle J. McKay
+
+	* Added tls_peer_cert_chain_pem to libtls, useful in private
+	  certificate validation callbacks such as those in relayd.
+
+	* Converted explicit clear/free sequences to use freezero(3).
+
+	* Reworked TLS certificate name verification code to more strictly
+	  follow RFC 6125.
+
+	* Cleaned up and simplified server key exchange EC point handling.
+
+	* Added tls_keypair_clear_key for clearing key material.
+
+	* Removed inconsistent IPv6 handling from BIO_get_accept_socket,
+	  simplified BIO_get_host_ip and BIO_accept.
+
+	* Fixed the openssl(1) ca command so that is generates certificates
+	  with RFC 5280-conformant time. Problem noticed by Harald Dunkel.
+
+	* Added ASN1_TIME_set_tm to set an asn1 from a struct tm *
+
+	* Added SSL{,_CTX}_set_{min,max}_proto_version() functions.
+
+	* Added HKDF (HMAC Key Derivation Function) from BoringSSL
+
+	* Provided a tls_unload_file() function that frees the memory returned
+	  from a tls_load_file() call, ensuring that it the contents become
+	  inaccessible. This is specifically needed on platforms where the
+	  library allocators may be different from the application allocator.
+
+	* Perform reference counting for tls_config. This allows
+	  tls_config_free() to be called as soon as it has been passed to the
+	  final tls_configure() call, simplifying lifetime tracking for the
+	  application.
+
+	* Moved internal state of SSL and other structures to be opaque.
+
+	* Dropped cipher suites with DSS authentication.
+
+	* nc(1) improvements, including:
+	   nc -W to terminate nc after receiving a number of packets
+	   nc -Z for saving the peer certificate and chain in a pem file
+
+2.5.5 - Bug fixes
+
+	* Distinguish between self-issued certificates and self-signed
+	  certificates. The certificate verification code has special cases
+	  for self-signed certificates and without this change, self-issued
+	  certificates (which it seems are common place with
+	  openvpn/easyrsa) were also being included in this category.
+
+	* Added getpagesize fallback, needed for Android bionic libc.
+
+2.5.4 - Security Updates
+
+	* Revert a previous change that forced consistency between return
+	  value and error code when specifing a certificate verification
+	  callback, since this breaks the documented API. When a user supplied
+	  callback always returns 1, and later code checks the error code to
+	  potentially abort post verification, this will result in incorrect
+	  successul certificate verification.
+
+	* Switched Linux getrandom() usage to non-blocking mode, continuing to
+	  use fallback mechanims if unsuccessful. This works around a design
+	  flaw in Linux getrandom(2) where early boot usage in a library makes
+	  it impossible to recover if getrandom(2) is not yet initialized.
+
+	* Fixed a bug caused by the return value being set early to signal
+	  successful DTLS cookie validation. This can mask a later failure and
+	  result in a positive return value being returned from
+	  ssl3_get_client_hello(), when it should return a negative value to
+	  propagate the error.
+
+	* Fixed a build error on non-x86/x86_64 systems running Solaris.
+
+2.5.3 - OpenBSD 6.1 Release
+
+	* Documentation updates
+
+	* Improved ocspcheck(1) error handling
+
+2.5.2 - Security features and bugfixes
+
+	* Added the recallocarray(3) memory allocation function, and converted
+	  various places in the library to use it, such as CBB and BUF_MEM_grow.
+	  recallocarray(3) is similar to reallocarray. Newly allocated memory
+	  is cleared similar to calloc(3). Memory that becomes unallocated
+	  while shrinking or moving existing allocations is explicitly
+	  discarded by unmapping or clearing to 0
+
+	* Added new root CAs from SECOM Trust Systems / Security Communication
+	  of Japan.
+
+	* Added EVP interface for MD5+SHA1 hashes.
+
+	* Fixed DTLS client failures when the server sends a certificate
+	  request.
+
+	* Correct handling of padding when upgrading an SSLv2 challenge into
+	  an SSLv3/TLS connection.
+
+	* Allow protocols and ciphers to be set on a TLS config object in
+	  libtls.
+
+	* Improved nc(1) TLS handshake CPU usage and server-side error
+	  reporting.
+
+2.5.1 - Bug and security fixes, new features, documentation updates
+
+	* X509_cmp_time() now passes a malformed GeneralizedTime field as an
+	  error. Reported by Theofilos Petsios.
+
+	* Detect zero-length encrypted session data early, instead of when
+	  malloc(0) fails or the HMAC check fails. Noted independently by
+	  jsing@ and Kurt Cancemi.
+
+	* Check for and handle failure of HMAC_{Update,Final} or
+	  EVP_DecryptUpdate().
+
+	* Massive update and normalization of manpages, conversion to
+	  mandoc format. Many pages were rewritten for clarity and accuracy.
+	  Portable doc links are up-to-date with a new conversion tool.
+
+	* Curve25519 Key Exchange support.
+
+	* Support for alternate chains for certificate verification.
+
+	* Code cleanups, CBS conversions, further unification of DTLS/SSL
+	  handshake code, further ASN1 macro expansion and removal.
+
+	* Private symbol are now hidden in libssl and libcryto.
+
+	* Friendly certificate verification error messages in libtls, peer
+	  verification is now always enabled.
+
+	* Added OCSP stapling support to libtls and netcat.
+
+	* Added ocspcheck utility to validate a certificate against its OCSP
+	  responder and save the reply for stapling
+
+	* Enhanced regression tests and error handling for libtls.
+
+	* Added explicit constant and non-constant time BN functions,
+	  defaulting to constant time wherever possible.
+
+	* Moved many leaked implementation details in public structs behind
+	  opaque pointers.
+
+	* Added ticket support to libtls.
+
+	* Added support for setting the supported EC curves via
+	  SSL{_CTX}_set1_groups{_list}() - also provide defines for the previous
+	  SSL{_CTX}_set1_curves{_list} names. This also changes the default
+	  list of curves to be X25519, P-256 and P-384. All other curves must
+	  be manually enabled.
+
+	* Added -groups option to openssl(1) s_client for specifying the curves
+	  to be used in a colon-separated list.
+
+	* Merged client/server version negotiation code paths into one,
+	  reducing much duplicate code.
+
+	* Removed error function codes from libssl and libcrypto.
+
+	* Fixed an issue where a truncated packet could crash via an OOB read.
+
+	* Added SSL_OP_NO_CLIENT_RENEGOTIATION option that disallows
+	  client-initiated renegotiation. This is the default for libtls
+	  servers.
 
 	* Avoid a side-channel cache-timing attack that can leak the ECDSA
 	  private keys when signing. This is due to BN_mod_inverse() being
-	  used without the constant time flag being set.
-
-	  This issue was reported by Cesar Pereida Garcia and Billy Brumley
-	  (Tampere University of Technology). The fix was developed by Cesar
-	  Pereida Garcia.
+	  used without the constant time flag being set. Reported by Cesar
+	  Pereida Garcia and Billy Brumley (Tampere University of Technology).
+	  The fix was developed by Cesar Pereida Garcia.
 
 	* iOS and MacOS compatibility updates from Simone Basso and Jacob
 	  Berkman.
 
-2.3.9 - Reliability improvements
 
-	* Avoid continual processing of an unlimited number of TLS records,
-	  which can cause a denial-of-service condition.
+2.5.0 - New APIs, bug fixes and improvements
 
-2.3.8 - Security and reliability fixes
+	* libtls now supports ALPN and SNI
+
+	* libtls adds a new callback interface for integrating custom IO
+	  functions. Thanks to Tobias Pape.
+
+	* libtls now handles 4 cipher suite groups:
+	    "secure" (TLSv1.2+AEAD+PFS)
+	    "compat" (HIGH:!aNULL)
+	    "legacy" (HIGH:MEDIUM:!aNULL)
+	    "insecure" (ALL:!aNULL:!eNULL)
+
+	    This allows for flexibility and finer grained control, rather than
+	    having two extremes (an issue raised by Marko Kreen some time ago).
+
+	* Tightened error handling for tls_config_set_ciphers().
+
+	* libtls now always loads CA, key and certificate files at the time the
+	  configuration function is called. This simplifies code and results in
+	  a single memory based code path being used to provide data to libssl.
+
+	* Add support for OCSP intermediate certificates.
+
+	* Added functions used by stunnel and exim from BoringSSL - this
+	  brings in X509_check_host, X509_check_email, X509_check_ip, and
+	  X509_check_ip_asc.
+
+	* Added initial support for iOS, thanks to Jacob Berkman.
+
+	* Improved behavior of arc4random on Windows when using memory leak
+	  analysis software.
+
+	* Correctly handle an EOF that occurs prior to the TLS handshake
+	  completing. Reported by Vasily Kolobkov, based on a diff from Marko
+	  Kreen.
+
+	* Limit the support of the "backward compatible" ssl2 handshake to
+	  only be used if TLS 1.0 is enabled.
+
+	* Fix incorrect results in certain cases on 64-bit systems when
+	  BN_mod_word() can return incorrect results. BN_mod_word() now can
+	  return an error condition. Thanks to Brian Smith.
+
+	* Added constant-time updates to address CVE-2016-0702
+
+	* Fixed undefined behavior in BN_GF2m_mod_arr()
+
+	* Removed unused Cryptographic Message Support (CMS)
+
+	* More conversions of long long idioms to time_t
+
+	* Improved compatibility by avoiding printing NULL strings with
+	  printf.
+
+	* Reverted change that cleans up the EVP cipher context in
+	  EVP_EncryptFinal() and EVP_DecryptFinal(). Some software relies on the
+	  previous behaviour.
 
 	* Avoid unbounded memory growth in libssl, which can be triggered by a
 	  TLS client repeatedly renegotiating and sending OCSP Status Request
@@ -55,25 +395,79 @@ LibreSSL Portable Release Notes:
 	* Avoid falling back to a weak digest for (EC)DH when using SNI with
 	  libssl.
 
-2.3.7 - OCSP fixes
+2.4.2 - Bug fixes and improvements
 
-	* Fix several issues in the OCSP code that could result in the
-	  incorrect generation and parsing of OCSP requests. This remediates a
-	  lack of error checking on time parsing in these functions, and
-	  ensures that only GENERALIZEDTIME formats are accepted for OCSP, as
-	  per RFC 6960.
+	* Fixed loading default certificate locations with openssl s_client.
 
-	  Issues reported, and fixes provided by  Kazuki Yamaguchi <k@rhe.jp>
-	  and Kinichiro Inoguchi <kinichiro.inoguchi@gmail.com>
+	* Ensured OCSP only uses and compares GENERALIZEDTIME values as per
+	  RFC6960. Also added fixes for OCSP to work with intermediate
+	  certificates provided in responses.
 
-2.3.6 - Security fix
+	* Improved behavior of arc4random on Windows to not appear to leak
+	  memory in debug tools, reduced privileges of allocated memory.
+
+	* Fixed incorrect results from BN_mod_word() when the modulus is too
+	  large, thanks to Brian Smith from BoringSSL.
+
+	* Correctly handle an EOF prior to completing the TLS handshake in
+	  libtls.
+
+	* Improved libtls ceritificate loading and cipher string validation.
+
+	* Updated libtls cipher group suites into four categories:
+	    "secure"   (TLSv1.2+AEAD+PFS)
+	    "compat"   (HIGH:!aNULL)
+	    "legacy"   (HIGH:MEDIUM:!aNULL)
+	    "insecure" (ALL:!aNULL:!eNULL)
+	  This allows for flexibility and finer grained control, rather than
+	  having two extremes.
+
+	* Limited support for 'backward compatible' SSLv2 handshake packets to
+	  when TLS 1.0 is enabled, providing more restricted compatibility
+	  with TLS 1.0 clients.
+
+	* openssl(1) and other documentation improvements.
+
+	* Removed flags for disabling constant-time operations.
+	  This removes support for DSA_FLAG_NO_EXP_CONSTTIME,
+	  DH_FLAG_NO_EXP_CONSTTIME, and RSA_FLAG_NO_CONSTTIME flags, making
+	  all of these operations unconditionally constant-time.
+
+
+2.4.1 - Security fix
 
 	* Correct a problem that prevents the DSA signing algorithm from
 	  running in constant time even if the flag BN_FLG_CONSTTIME is set.
 	  This issue was reported by Cesar Pereida (Aalto University), Billy
 	  Brumley (Tampere University of Technology), and Yuval Yarom (The
 	  University of Adelaide and NICTA). The fix was developed by Cesar
-	  Pereida. See OpenBSD 5.9 errata 11, June 6, 2016
+	  Pereida.
+
+2.4.0 - Build improvements, new features
+
+	* Many improvements to the CMake build infrastructure, including
+	  Solaris, mingw-w64, Cygwin, and HP-UX support. Thanks to Kinichiro
+	  Inoguchi for this work.
+
+	* Added missing error handling around bn_wexpand() calls.
+
+	* Added explicit_bzero calls for freed ASN.1 objects.
+
+	* Fixed X509_*set_object functions to return 0 on allocation failure.
+
+	* Implemented the IETF ChaCha20-Poly1305 cipher suites.
+
+	* Changed default EVP_aead_chacha20_poly1305() implementation to the
+	  IETF version, which is now the default.
+
+	* Fixed password prompts from openssl(1) to properly handle ^C.
+
+	* Reworked error handling in libtls so that configuration errors are
+	  visible.
+
+	* Deprecated internal use of EVP_[Cipher|Encrypt|Decrypt]_Final.
+
+	* Manpage fixes and updates
 
 2.3.5 - Reliability fix
 

Makefile.am

@@ -5,7 +5,7 @@ pkgconfigdir = $(libdir)/pkgconfig
 pkgconfig_DATA = libcrypto.pc libssl.pc libtls.pc openssl.pc
 
 EXTRA_DIST = README.md README.windows VERSION config scripts
-EXTRA_DIST += CMakeLists.txt
+EXTRA_DIST += CMakeLists.txt cmake_export_symbol.cmake cmake_uninstall.cmake.in
 
 .PHONY: install_sw
 install_sw: install

Makefile.am.common

@@ -1,2 +1,3 @@
 AM_CFLAGS =
 AM_CPPFLAGS = -I$(top_srcdir)/include -I$(top_srcdir)/include/compat -DLIBRESSL_INTERNAL
+AM_CPPFLAGS += -D__BEGIN_HIDDEN_DECLS= -D__END_HIDDEN_DECLS=

OPENBSD_BRANCH

@@ -1 +1 @@
-OPENBSD_5_9
+master

README.md

@@ -30,7 +30,7 @@ At the time of this writing, LibreSSL is know to build and work on:
 
 * Linux (kernel 3.17 or later recommended)
 * FreeBSD (tested with 9.2 and later)
-* NetBSD (tested with 6.1.5)
+* NetBSD (7.0 or later recommended)
 * HP-UX (11i)
 * Solaris (11 and later preferred)
 * Mac OS X (tested with 10.8 and later)
@@ -56,20 +56,25 @@ or to the github
 Severe vulnerabilities or bugs requiring coordination with OpenSSL can be
 sent to the core team at libressl-security@openbsd.org.
 
-## Prerequisites when building from git ##
+# Building LibreSSL #
 
-If you have checked this source using Git, follow these initial steps to
-prepare the source tree for building:
+## Prerequisites when building from a Git checkout ##
+
+If you have checked this source using Git, or have downloaded a source tarball
+from Github, follow these initial steps to prepare the source tree for
+building. _Note: Your build will fail if you do not follow these instructions! If you cannot follow these instructions (e.g. Windows system using CMake) or cannot meet these prerequistes, please download an official release distribution from https://ftp.openbsd.org/pub/OpenBSD/LibreSSL/ instead. Using official releases is strongly advised if you are not a developer._
 
 1. Ensure you have the following packages installed:
-   automake, autoconf, git, libtool, perl, pod2man
+   automake, autoconf, git, libtool, perl
 2. Run './autogen.sh' to prepare the source tree for building or
    run './dist.sh' to prepare a tarball.
 
-## Building LibreSSL ##
+## Steps that apply to all builds ##
 
-Once you have a source tree from Git or FTP, run these commands to build and
-install the package on most systems:
+Once you have a source tree, either by downloaded using git and having
+run the autogen.sh script above, or by downloading a release distribution from
+an OpenBSD mirror, run these commands to build and install the package on most
+systems:
 
 ```sh
 ./configure   # see ./configure --help for configuration options
@@ -119,9 +124,9 @@ should work. See README.windows for more information
 
 #### Windows - Visual Studio ####
 
-LibreSSL builds using the CMake target "Visual Studio 12 2013", and may build
-against older/newer targets as well. To generate a Visual Studio project,
-install CMake, enter the LibreSSL source directory and run:
+LibreSSL builds using the CMake target "Visual Studio 12 2013" and newer. To
+generate a Visual Studio project, install CMake, enter the LibreSSL source
+directory and run:
 
 ```sh
  mkdir build-vs2013
@@ -129,5 +134,18 @@ install CMake, enter the LibreSSL source directory and run:
  cmake -G"Visual Studio 12 2013" ..
 ```
 
-This will generate a LibreSSL.sln file that you can incorporate into other
-projects or build by itself.
+Replace "Visual Studion 12 2013" with whatever version of Visual Studio you
+have installed. This will generate a LibreSSL.sln file that you can incorporate
+into other projects or build by itself.
+
+#### Cmake - Additional Options ####
+
+| Option Name | Default | Description
+| ------------ | -----: | ------
+|  LIBRESSL_SKIP_INSTALL | OFF | allows skipping install() rules.  Can be specified from command line using <br>```-DLIBRESSL_SKIP_INSTALL=ON``` |
+|  ENABLE_ASM | ON | builds assembly optimized rules. |
+|  ENABLE_EXTRATESTS | OFF | Enable extra tests that may be unreliable on some platforms |
+|  ENABLE_NC | OFF | Enable installing TLS-enabled nc(1) |
+|  ENABLE_VSTEST | OFF | Enable test on Visual Studio |
+|  OPENSSLDIR | Blank | Set the default openssl directory.  Can be specified from command line using <br>```-DOPENSSLDIR=<dirname>``` |
+

README.windows

@@ -12,7 +12,8 @@ cross compilers on Windows.
 To configure and build LibreSSL for a 32-bit system, use the following
 build steps:
 
- CC=i686-w64-mingw32-gcc ./configure --host=i686-w64-mingw32
+ CC=i686-w64-mingw32-gcc CPPFLAGS=-D__MINGW_USE_VC2005_COMPAT \
+ ./configure --host=i686-w64-mingw32
  make
  make check
 
@@ -22,6 +23,25 @@ For 64-bit builds, use these instead:
  make
  make check
 
+# Why the -D__MINGW_USE_VC2005_COMPAT flag on 32-bit systems?
+
+An ABI change introduced with Microsoft Visual C++ 2005 (also known as
+Visual C++ 8.0) switched time_t from 32-bit to 64-bit. It is important to
+build LibreSSL with 64-bit time_t whenever possible, because 32-bit time_t
+is unable to represent times past 2038 (this is commonly known as the
+Y2K38 problem).
+
+If LibreSSL is built with 32-bit time_t, when verifying a certificate whose
+expiry date is set past 19 January 2038, it will be unable to tell if the
+certificate has expired or not, and thus take the safe stance and reject it.
+
+In order to avoid this, you need to build LibreSSL (and everything that links
+with it) with the -D__MINGW_USE_VC2005_COMPAT flag. This tells mingw-w64 to
+use the new ABI.
+
+64-bit systems always have a 64-bit time_t and are not affected by this
+problem.
+
 # Using Libressl with Visual Studio
 
 A script for generating ready-to-use .DLL and static .LIB files is included in

apps/CMakeLists.txt

@@ -1,80 +1,3 @@
-include_directories(
-	.
-	../include
-	../include/compat
-)
-
-set(
-	OPENSSL_SRC
-	openssl/apps.c
-	openssl/asn1pars.c
-	openssl/ca.c
-	openssl/ciphers.c
-	openssl/cms.c
-	openssl/crl.c
-	openssl/crl2p7.c
-	openssl/dgst.c
-	openssl/dh.c
-	openssl/dhparam.c
-	openssl/dsa.c
-	openssl/dsaparam.c
-	openssl/ec.c
-	openssl/ecparam.c
-	openssl/enc.c
-	openssl/errstr.c
-	openssl/gendh.c
-	openssl/gendsa.c
-	openssl/genpkey.c
-	openssl/genrsa.c
-	openssl/nseq.c
-	openssl/ocsp.c
-	openssl/openssl.c
-	openssl/passwd.c
-	openssl/pkcs12.c
-	openssl/pkcs7.c
-	openssl/pkcs8.c
-	openssl/pkey.c
-	openssl/pkeyparam.c
-	openssl/pkeyutl.c
-	openssl/prime.c
-	openssl/rand.c
-	openssl/req.c
-	openssl/rsa.c
-	openssl/rsautl.c
-	openssl/s_cb.c
-	openssl/s_client.c
-	openssl/s_server.c
-	openssl/s_socket.c
-	openssl/s_time.c
-	openssl/sess_id.c
-	openssl/smime.c
-	openssl/speed.c
-	openssl/spkac.c
-	openssl/ts.c
-	openssl/verify.c
-	openssl/version.c
-	openssl/x509.c
-)
-
-if(CMAKE_HOST_UNIX)
-	set(OPENSSL_SRC ${OPENSSL_SRC} openssl/apps_posix.c)
-	set(OPENSSL_SRC ${OPENSSL_SRC} openssl/certhash.c)
-endif()
-
-if(CMAKE_HOST_WIN32)
-	set(OPENSSL_SRC ${OPENSSL_SRC} openssl/apps_win.c)
-	set(OPENSSL_SRC ${OPENSSL_SRC} openssl/certhash_win.c)
-	set(OPENSSL_SRC ${OPENSSL_SRC} openssl/compat/poll_win.c)
-endif()
-
-check_function_exists(strtonum HAVE_STRTONUM)
-if(HAVE_STRTONUM)
-	add_definitions(-DHAVE_STRTONUM)
-else()
-	set(OPENSSL_SRC ${OPENSSL_SRC} openssl/compat/strtonum.c)
-endif()
-
-add_executable(openssl ${OPENSSL_SRC})
-target_link_libraries(openssl ${OPENSSL_LIBS})
-
-install(TARGETS openssl DESTINATION bin)
+add_subdirectory(ocspcheck)
+add_subdirectory(openssl)
+add_subdirectory(nc)

apps/Makefile.am

@@ -1,5 +1,5 @@
 include $(top_srcdir)/Makefile.am.common
 
-SUBDIRS = openssl nc
+SUBDIRS = ocspcheck openssl nc
 
 EXTRA_DIST = CMakeLists.txt

apps/nc/CMakeLists.txt

@@ -0,0 +1,62 @@
+if(BUILD_NC)
+
+include_directories(
+	.
+	./compat
+	../../include
+	../../include/compat
+)
+
+set(
+	NC_SRC
+	atomicio.c
+	netcat.c
+	socks.c
+	compat/socket.c
+)
+
+check_function_exists(b64_ntop HAVE_B64_NTOP)
+if(HAVE_B64_NTOP)
+	add_definitions(-DHAVE_B64_NTOP)
+else()
+	set(NC_SRC ${NC_SRC} compat/base64.c)
+endif()
+
+check_function_exists(accept4 HAVE_ACCEPT4)
+if(HAVE_ACCEPT4)
+	add_definitions(-DHAVE_ACCEPT4)
+else()
+	set(NC_SRC ${NC_SRC} compat/accept4.c)
+endif()
+
+check_function_exists(readpassphrase HAVE_READPASSPHRASE)
+if(HAVE_READPASSPHRASE)
+	add_definitions(-DHAVE_READPASSPHRASE)
+else()
+	set(NC_SRC ${NC_SRC} compat/readpassphrase.c)
+endif()
+
+check_function_exists(strtonum HAVE_STRTONUM)
+if(HAVE_STRTONUM)
+	add_definitions(-DHAVE_STRTONUM)
+else()
+	set(NC_SRC ${NC_SRC} compat/strtonum.c)
+endif()
+
+if(NOT "${OPENSSLDIR}" STREQUAL "")
+	add_definitions(-DDEFAULT_CA_FILE=\"${OPENSSLDIR}/cert.pem\")
+else()
+	add_definitions(-DDEFAULT_CA_FILE=\"${CMAKE_INSTALL_PREFIX}/etc/ssl/cert.pem\")
+endif()
+
+add_executable(nc ${NC_SRC})
+target_link_libraries(nc tls ${OPENSSL_LIBS})
+
+if(ENABLE_NC)
+	if(ENABLE_LIBRESSL_INSTALL)
+		install(TARGETS nc DESTINATION ${CMAKE_INSTALL_BINDIR})
+		install(FILES nc.1 DESTINATION ${CMAKE_INSTALL_MANDIR}/man1)
+	endif(ENABLE_LIBRESSL_INSTALL)
+endif()
+
+endif()

apps/nc/Makefile.am

@@ -4,23 +4,20 @@ if BUILD_NC
 
 if ENABLE_NC
 bin_PROGRAMS = nc
+dist_man_MANS = nc.1
 else
 noinst_PROGRAMS = nc
 endif
 
 EXTRA_DIST = nc.1
+EXTRA_DIST += CMakeLists.txt
 
-nc_LDADD = $(PLATFORM_LDADD) $(PROG_LDADD)
-nc_LDADD += $(abs_top_builddir)/crypto/libcrypto.la
+nc_LDADD = $(abs_top_builddir)/crypto/libcrypto.la
 nc_LDADD += $(abs_top_builddir)/ssl/libssl.la
 nc_LDADD += $(abs_top_builddir)/tls/libtls.la
+nc_LDADD += $(PLATFORM_LDADD) $(PROG_LDADD)
 
 AM_CPPFLAGS += -I$(top_srcdir)/apps/nc/compat
-if OPENSSLDIR_DEFINED
-AM_CPPFLAGS += -DDEFAULT_CA_FILE=\"@OPENSSLDIR@/cert.pem\"
-else
-AM_CPPFLAGS += -DDEFAULT_CA_FILE=\"$(sysconfdir)/ssl/cert.pem\"
-endif
 
 nc_SOURCES = atomicio.c
 nc_SOURCES += netcat.c

apps/nc/compat/base64.c

@@ -1,315 +0,0 @@
-/*	$OpenBSD: base64.c,v 1.8 2015/01/16 16:48:51 deraadt Exp $	*/
-
-/*
- * Copyright (c) 1996 by Internet Software Consortium.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND INTERNET SOFTWARE CONSORTIUM DISCLAIMS
- * ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES
- * OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL INTERNET SOFTWARE
- * CONSORTIUM BE LIABLE FOR ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL
- * DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR
- * PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS
- * ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS
- * SOFTWARE.
- */
-
-/*
- * Portions Copyright (c) 1995 by International Business Machines, Inc.
- *
- * International Business Machines, Inc. (hereinafter called IBM) grants
- * permission under its copyrights to use, copy, modify, and distribute this
- * Software with or without fee, provided that the above copyright notice and
- * all paragraphs of this notice appear in all copies, and that the name of IBM
- * not be used in connection with the marketing of any product incorporating
- * the Software or modifications thereof, without specific, written prior
- * permission.
- *
- * To the extent it has a right to do so, IBM grants an immunity from suit
- * under its patents, if any, for the use, sale or manufacture of products to
- * the extent that such products are used for performing Domain Name System
- * dynamic updates in TCP/IP networks by means of the Software.  No immunity is
- * granted for any product per se or for any other function of any product.
- *
- * THE SOFTWARE IS PROVIDED "AS IS", AND IBM DISCLAIMS ALL WARRANTIES,
- * INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A
- * PARTICULAR PURPOSE.  IN NO EVENT SHALL IBM BE LIABLE FOR ANY SPECIAL,
- * DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER ARISING
- * OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE, EVEN
- * IF IBM IS APPRISED OF THE POSSIBILITY OF SUCH DAMAGES.
- */
-
-#include <sys/types.h>
-#include <sys/socket.h>
-#include <netinet/in.h>
-#include <arpa/inet.h>
-#include <arpa/nameser.h>
-
-#include <ctype.h>
-#include <resolv.h>
-#include <stdio.h>
-
-#include <stdlib.h>
-#include <string.h>
-
-static const char Base64[] =
-	"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";
-static const char Pad64 = '=';
-
-/* (From RFC1521 and draft-ietf-dnssec-secext-03.txt)
-   The following encoding technique is taken from RFC 1521 by Borenstein
-   and Freed.  It is reproduced here in a slightly edited form for
-   convenience.
-
-   A 65-character subset of US-ASCII is used, enabling 6 bits to be
-   represented per printable character. (The extra 65th character, "=",
-   is used to signify a special processing function.)
-
-   The encoding process represents 24-bit groups of input bits as output
-   strings of 4 encoded characters. Proceeding from left to right, a
-   24-bit input group is formed by concatenating 3 8-bit input groups.
-   These 24 bits are then treated as 4 concatenated 6-bit groups, each
-   of which is translated into a single digit in the base64 alphabet.
-
-   Each 6-bit group is used as an index into an array of 64 printable
-   characters. The character referenced by the index is placed in the
-   output string.
-
-                         Table 1: The Base64 Alphabet
-
-      Value Encoding  Value Encoding  Value Encoding  Value Encoding
-          0 A            17 R            34 i            51 z
-          1 B            18 S            35 j            52 0
-          2 C            19 T            36 k            53 1
-          3 D            20 U            37 l            54 2
-          4 E            21 V            38 m            55 3
-          5 F            22 W            39 n            56 4
-          6 G            23 X            40 o            57 5
-          7 H            24 Y            41 p            58 6
-          8 I            25 Z            42 q            59 7
-          9 J            26 a            43 r            60 8
-         10 K            27 b            44 s            61 9
-         11 L            28 c            45 t            62 +
-         12 M            29 d            46 u            63 /
-         13 N            30 e            47 v
-         14 O            31 f            48 w         (pad) =
-         15 P            32 g            49 x
-         16 Q            33 h            50 y
-
-   Special processing is performed if fewer than 24 bits are available
-   at the end of the data being encoded.  A full encoding quantum is
-   always completed at the end of a quantity.  When fewer than 24 input
-   bits are available in an input group, zero bits are added (on the
-   right) to form an integral number of 6-bit groups.  Padding at the
-   end of the data is performed using the '=' character.
-
-   Since all base64 input is an integral number of octets, only the
-         -------------------------------------------------                       
-   following cases can arise:
-   
-       (1) the final quantum of encoding input is an integral
-           multiple of 24 bits; here, the final unit of encoded
-	   output will be an integral multiple of 4 characters
-	   with no "=" padding,
-       (2) the final quantum of encoding input is exactly 8 bits;
-           here, the final unit of encoded output will be two
-	   characters followed by two "=" padding characters, or
-       (3) the final quantum of encoding input is exactly 16 bits;
-           here, the final unit of encoded output will be three
-	   characters followed by one "=" padding character.
-   */
-
-int
-b64_ntop(src, srclength, target, targsize)
-	u_char const *src;
-	size_t srclength;
-	char *target;
-	size_t targsize;
-{
-	size_t datalength = 0;
-	u_char input[3];
-	u_char output[4];
-	int i;
-
-	while (2 < srclength) {
-		input[0] = *src++;
-		input[1] = *src++;
-		input[2] = *src++;
-		srclength -= 3;
-
-		output[0] = input[0] >> 2;
-		output[1] = ((input[0] & 0x03) << 4) + (input[1] >> 4);
-		output[2] = ((input[1] & 0x0f) << 2) + (input[2] >> 6);
-		output[3] = input[2] & 0x3f;
-
-		if (datalength + 4 > targsize)
-			return (-1);
-		target[datalength++] = Base64[output[0]];
-		target[datalength++] = Base64[output[1]];
-		target[datalength++] = Base64[output[2]];
-		target[datalength++] = Base64[output[3]];
-	}
-    
-	/* Now we worry about padding. */
-	if (0 != srclength) {
-		/* Get what's left. */
-		input[0] = input[1] = input[2] = '\0';
-		for (i = 0; i < srclength; i++)
-			input[i] = *src++;
-	
-		output[0] = input[0] >> 2;
-		output[1] = ((input[0] & 0x03) << 4) + (input[1] >> 4);
-		output[2] = ((input[1] & 0x0f) << 2) + (input[2] >> 6);
-
-		if (datalength + 4 > targsize)
-			return (-1);
-		target[datalength++] = Base64[output[0]];
-		target[datalength++] = Base64[output[1]];
-		if (srclength == 1)
-			target[datalength++] = Pad64;
-		else
-			target[datalength++] = Base64[output[2]];
-		target[datalength++] = Pad64;
-	}
-	if (datalength >= targsize)
-		return (-1);
-	target[datalength] = '\0';	/* Returned value doesn't count \0. */
-	return (datalength);
-}
-
-/* skips all whitespace anywhere.
-   converts characters, four at a time, starting at (or after)
-   src from base - 64 numbers into three 8 bit bytes in the target area.
-   it returns the number of data bytes stored at the target, or -1 on error.
- */
-
-int
-b64_pton(src, target, targsize)
-	char const *src;
-	u_char *target;
-	size_t targsize;
-{
-	int tarindex, state, ch;
-	u_char nextbyte;
-	char *pos;
-
-	state = 0;
-	tarindex = 0;
-
-	while ((ch = (unsigned char)*src++) != '\0') {
-		if (isspace(ch))	/* Skip whitespace anywhere. */
-			continue;
-
-		if (ch == Pad64)
-			break;
-
-		pos = strchr(Base64, ch);
-		if (pos == 0) 		/* A non-base64 character. */
-			return (-1);
-
-		switch (state) {
-		case 0:
-			if (target) {
-				if (tarindex >= targsize)
-					return (-1);
-				target[tarindex] = (pos - Base64) << 2;
-			}
-			state = 1;
-			break;
-		case 1:
-			if (target) {
-				if (tarindex >= targsize)
-					return (-1);
-				target[tarindex]   |=  (pos - Base64) >> 4;
-				nextbyte = ((pos - Base64) & 0x0f) << 4;
-				if (tarindex + 1 < targsize)
-					target[tarindex+1] = nextbyte;
-				else if (nextbyte)
-					return (-1);
-			}
-			tarindex++;
-			state = 2;
-			break;
-		case 2:
-			if (target) {
-				if (tarindex >= targsize)
-					return (-1);
-				target[tarindex]   |=  (pos - Base64) >> 2;
-				nextbyte = ((pos - Base64) & 0x03) << 6;
-				if (tarindex + 1 < targsize)
-					target[tarindex+1] = nextbyte;
-				else if (nextbyte)
-					return (-1);
-			}
-			tarindex++;
-			state = 3;
-			break;
-		case 3:
-			if (target) {
-				if (tarindex >= targsize)
-					return (-1);
-				target[tarindex] |= (pos - Base64);
-			}
-			tarindex++;
-			state = 0;
-			break;
-		}
-	}
-
-	/*
-	 * We are done decoding Base-64 chars.  Let's see if we ended
-	 * on a byte boundary, and/or with erroneous trailing characters.
-	 */
-
-	if (ch == Pad64) {			/* We got a pad char. */
-		ch = (unsigned char)*src++;	/* Skip it, get next. */
-		switch (state) {
-		case 0:		/* Invalid = in first position */
-		case 1:		/* Invalid = in second position */
-			return (-1);
-
-		case 2:		/* Valid, means one byte of info */
-			/* Skip any number of spaces. */
-			for (; ch != '\0'; ch = (unsigned char)*src++)
-				if (!isspace(ch))
-					break;
-			/* Make sure there is another trailing = sign. */
-			if (ch != Pad64)
-				return (-1);
-			ch = (unsigned char)*src++;		/* Skip the = */
-			/* Fall through to "single trailing =" case. */
-			/* FALLTHROUGH */
-
-		case 3:		/* Valid, means two bytes of info */
-			/*
-			 * We know this char is an =.  Is there anything but
-			 * whitespace after it?
-			 */
-			for (; ch != '\0'; ch = (unsigned char)*src++)
-				if (!isspace(ch))
-					return (-1);
-
-			/*
-			 * Now make sure for cases 2 and 3 that the "extra"
-			 * bits that slopped past the last full byte were
-			 * zeros.  If we don't check them, they become a
-			 * subliminal channel.
-			 */
-			if (target && tarindex < targsize &&
-			    target[tarindex] != 0)
-				return (-1);
-		}
-	} else {
-		/*
-		 * We ended by seeing the end of the string.  Make sure we
-		 * have no partial bytes lying around.
-		 */
-		if (state != 0)
-			return (-1);
-	}
-
-	return (tarindex);
-}

apps/nc/compat/strtonum.c

@@ -1,65 +0,0 @@
-/*	$OpenBSD: strtonum.c,v 1.7 2013/04/17 18:40:58 tedu Exp $	*/
-
-/*
- * Copyright (c) 2004 Ted Unangst and Todd Miller
- * All rights reserved.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
- * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
- * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
- * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
- * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
- * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
- * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
- */
-
-#include <errno.h>
-#include <limits.h>
-#include <stdlib.h>
-
-#define	INVALID		1
-#define	TOOSMALL	2
-#define	TOOLARGE	3
-
-long long
-strtonum(const char *numstr, long long minval, long long maxval,
-    const char **errstrp)
-{
-	long long ll = 0;
-	int error = 0;
-	char *ep;
-	struct errval {
-		const char *errstr;
-		int err;
-	} ev[4] = {
-		{ NULL,		0 },
-		{ "invalid",	EINVAL },
-		{ "too small",	ERANGE },
-		{ "too large",	ERANGE },
-	};
-
-	ev[0].err = errno;
-	errno = 0;
-	if (minval > maxval) {
-		error = INVALID;
-	} else {
-		ll = strtoll(numstr, &ep, 10);
-		if (numstr == ep || *ep != '\0')
-			error = INVALID;
-		else if ((ll == LLONG_MIN && errno == ERANGE) || ll < minval)
-			error = TOOSMALL;
-		else if ((ll == LLONG_MAX && errno == ERANGE) || ll > maxval)
-			error = TOOLARGE;
-	}
-	if (errstrp != NULL)
-		*errstrp = ev[error].errstr;
-	errno = ev[error].err;
-	if (error)
-		ll = 0;
-
-	return (ll);
-}

apps/ocspcheck/CMakeLists.txt

@@ -0,0 +1,45 @@
+if(NOT MSVC)
+
+include_directories(
+	.
+	./compat
+	../../include
+	../../include/compat
+)
+
+set(
+	OCSPCHECK_SRC
+	http.c
+	ocspcheck.c
+)
+
+check_function_exists(inet_ntop HAVE_INET_NTOP)
+if(HAVE_INET_NTOP)
+        add_definitions(-DHAVE_INET_NTOP)
+else()
+        set(OCSPCHECK_SRC ${OCSPCHECK_SRC} compat/inet_ntop.c)
+endif()
+
+check_function_exists(memmem HAVE_MEMMEM)
+if(HAVE_MEMMEM)
+        add_definitions(-DHAVE_MEMMEM)
+else()
+        set(OCSPCHECK_SRC ${OCSPCHECK_SRC} compat/memmem.c)
+endif()
+
+if(NOT "${OPENSSLDIR}" STREQUAL "")
+	add_definitions(-DDEFAULT_CA_FILE=\"${OPENSSLDIR}/cert.pem\")
+else()
+	add_definitions(-DDEFAULT_CA_FILE=\"${CMAKE_INSTALL_PREFIX}/etc/ssl/cert.pem\")
+endif()
+
+add_executable(ocspcheck ${OCSPCHECK_SRC})
+target_link_libraries(ocspcheck tls ${OPENSSL_LIBS})
+
+if(ENABLE_LIBRESSL_INSTALL)
+	install(TARGETS ocspcheck DESTINATION ${CMAKE_INSTALL_BINDIR})
+	install(FILES ocspcheck.8 DESTINATION ${CMAKE_INSTALL_MANDIR}/man8)
+
+endif(ENABLE_LIBRESSL_INSTALL)
+
+endif()

apps/ocspcheck/Makefile.am

@@ -0,0 +1,23 @@
+include $(top_srcdir)/Makefile.am.common
+
+bin_PROGRAMS = ocspcheck
+
+EXTRA_DIST = ocspcheck.8
+EXTRA_DIST += CMakeLists.txt
+
+ocspcheck_LDADD = $(abs_top_builddir)/crypto/libcrypto.la
+ocspcheck_LDADD += $(abs_top_builddir)/ssl/libssl.la
+ocspcheck_LDADD += $(abs_top_builddir)/tls/libtls.la
+ocspcheck_LDADD += $(PLATFORM_LDADD) $(PROG_LDADD)
+
+ocspcheck_SOURCES = http.c
+ocspcheck_SOURCES += ocspcheck.c
+noinst_HEADERS = http.h
+
+if !HAVE_INET_NTOP
+ocspcheck_SOURCES += compat/inet_ntop.c
+endif
+
+if !HAVE_MEMMEM
+ocspcheck_SOURCES += compat/memmem.c
+endif

apps/openssl/CMakeLists.txt

@@ -0,0 +1,92 @@
+include_directories(
+	.
+	../../include
+	../../include/compat
+)
+
+set(
+	OPENSSL_SRC
+	apps.c
+	asn1pars.c
+	ca.c
+	ciphers.c
+	crl.c
+	crl2p7.c
+	dgst.c
+	dh.c
+	dhparam.c
+	dsa.c
+	dsaparam.c
+	ec.c
+	ecparam.c
+	enc.c
+	errstr.c
+	gendh.c
+	gendsa.c
+	genpkey.c
+	genrsa.c
+	nseq.c
+	ocsp.c
+	openssl.c
+	passwd.c
+	pkcs12.c
+	pkcs7.c
+	pkcs8.c
+	pkey.c
+	pkeyparam.c
+	pkeyutl.c
+	prime.c
+	rand.c
+	req.c
+	rsa.c
+	rsautl.c
+	s_cb.c
+	s_client.c
+	s_server.c
+	s_socket.c
+	s_time.c
+	sess_id.c
+	smime.c
+	speed.c
+	spkac.c
+	ts.c
+	verify.c
+	version.c
+	x509.c
+)
+
+if(CMAKE_HOST_UNIX)
+	set(OPENSSL_SRC ${OPENSSL_SRC} apps_posix.c)
+	set(OPENSSL_SRC ${OPENSSL_SRC} certhash.c)
+endif()
+
+if(CMAKE_HOST_WIN32)
+	set(OPENSSL_SRC ${OPENSSL_SRC} apps_win.c)
+	set(OPENSSL_SRC ${OPENSSL_SRC} certhash_win.c)
+	set(OPENSSL_SRC ${OPENSSL_SRC} compat/poll_win.c)
+endif()
+
+check_function_exists(strtonum HAVE_STRTONUM)
+if(HAVE_STRTONUM)
+	add_definitions(-DHAVE_STRTONUM)
+else()
+	set(OPENSSL_SRC ${OPENSSL_SRC} compat/strtonum.c)
+endif()
+
+add_executable(openssl ${OPENSSL_SRC})
+target_link_libraries(openssl ${OPENSSL_LIBS})
+
+if(ENABLE_LIBRESSL_INSTALL)
+	install(TARGETS openssl DESTINATION ${CMAKE_INSTALL_BINDIR})
+	install(FILES openssl.1 DESTINATION ${CMAKE_INSTALL_MANDIR}/man1)
+endif(ENABLE_LIBRESSL_INSTALL)
+
+if(NOT "${OPENSSLDIR}" STREQUAL "")
+	set(CONF_DIR "${OPENSSLDIR}")
+else()
+	set(CONF_DIR "${CMAKE_INSTALL_PREFIX}/etc/ssl")
+endif()
+if(ENABLE_LIBRESSL_INSTALL)
+	install(FILES cert.pem openssl.cnf x509v3.cnf DESTINATION ${CONF_DIR})
+	install(DIRECTORY DESTINATION ${CONF_DIR}/certs)
+endif(ENABLE_LIBRESSL_INSTALL)

apps/openssl/Makefile.am

@@ -4,15 +4,14 @@ bin_PROGRAMS = openssl
 
 dist_man_MANS = openssl.1
 
-openssl_LDADD = $(PLATFORM_LDADD) $(PROG_LDADD)
-openssl_LDADD += $(abs_top_builddir)/ssl/libssl.la
+openssl_LDADD = $(abs_top_builddir)/ssl/libssl.la
 openssl_LDADD += $(abs_top_builddir)/crypto/libcrypto.la
+openssl_LDADD += $(PLATFORM_LDADD) $(PROG_LDADD)
 
 openssl_SOURCES = apps.c
 openssl_SOURCES += asn1pars.c
 openssl_SOURCES += ca.c
 openssl_SOURCES += ciphers.c
-openssl_SOURCES += cms.c
 openssl_SOURCES += crl.c
 openssl_SOURCES += crl2p7.c
 openssl_SOURCES += dgst.c
@@ -89,12 +88,13 @@ noinst_HEADERS += timeouts.h
 EXTRA_DIST = cert.pem
 EXTRA_DIST += openssl.cnf
 EXTRA_DIST += x509v3.cnf
+EXTRA_DIST += CMakeLists.txt
 
 install-exec-hook:
 	@if [ "@OPENSSLDIR@x" != "x" ]; then \
-		OPENSSLDIR="$(DESTDIR)/@OPENSSLDIR@"; \
+		OPENSSLDIR="$(DESTDIR)@OPENSSLDIR@"; \
 	else \
-		OPENSSLDIR="$(DESTDIR)/$(sysconfdir)/ssl"; \
+		OPENSSLDIR="$(DESTDIR)$(sysconfdir)/ssl"; \
 	fi; \
 	mkdir -p "$$OPENSSLDIR/certs"; \
 	for i in cert.pem openssl.cnf x509v3.cnf; do \
@@ -107,9 +107,9 @@ install-exec-hook:
 
 uninstall-local:
 	@if [ "@OPENSSLDIR@x" != "x" ]; then \
-		OPENSSLDIR="$(DESTDIR)/@OPENSSLDIR@"; \
+		OPENSSLDIR="$(DESTDIR)@OPENSSLDIR@"; \
 	else \
-		OPENSSLDIR="$(DESTDIR)/$(sysconfdir)/ssl"; \
+		OPENSSLDIR="$(DESTDIR)$(sysconfdir)/ssl"; \
 	fi; \
 	for i in cert.pem openssl.cnf x509v3.cnf; do \
 		if cmp -s "$$OPENSSLDIR/$$i" "$(srcdir)/$$i"; then \

apps/openssl/apps_win.c

@@ -13,7 +13,7 @@
 #include "apps.h"
 
 double
-app_tminterval(int stop, int usertime)
+app_timer_user(int stop)
 {
 	static unsigned __int64 tmstart;
 	union {
@@ -22,13 +22,11 @@ app_tminterval(int stop, int usertime)
 	} ct, et, kt, ut;
 
 	GetProcessTimes(GetCurrentProcess(), &ct.ft, &et.ft, &kt.ft, &ut.ft);
-
-	if (stop == TM_START) {
-		tmstart = ut.u64 + kt.u64;
-	} else {
+	if (stop)
 		return (ut.u64 + kt.u64 - tmstart) / (double) 10000000;
-	}
-	return 0;
+
+	tmstart = ut.u64 + kt.u64;
+	return 0.0;
 }
 
 int

apps/openssl/compat/poll_win.c

@@ -253,7 +253,9 @@ poll(struct pollfd *pfds, nfds_t nfds, int timeout_ms)
 	looptime_ms = timeout_ms > 100 ? 100 : timeout_ms;
 
 	do {
-		struct timeval tv = {0, looptime_ms * 1000};
+		struct timeval tv;
+		tv.tv_sec = 0;
+		tv.tv_usec = looptime_ms * 1000;
 		int handle_signaled = 0;
 
 		/*

check-release.sh

@@ -57,6 +57,7 @@ fi
 echo "differences between release and regenerated release tag:"
 diff -urN \
 	-x *.3 \
+	-x *.5 \
 	-x Makefile.in \
 	-x aclocal.m4 \
 	-x compile \

cmake_export_symbol.cmake

@@ -0,0 +1,50 @@
+macro(export_symbol TARGET FILENAME)
+
+	set(FLAG "")
+
+	if(WIN32)
+		string(REPLACE ".sym" ".def" DEF_FILENAME ${FILENAME})
+		file(WRITE ${DEF_FILENAME} "EXPORTS\n")
+		file(READ ${FILENAME} SYMBOLS)
+		file(APPEND ${DEF_FILENAME} "${SYMBOLS}")
+		target_sources(${TARGET} PRIVATE ${DEF_FILENAME})
+
+	elseif(APPLE)
+		file(READ ${FILENAME} SYMBOLS)
+		string(REGEX REPLACE "\n$" "" SYMBOLS ${SYMBOLS})
+		string(REPLACE "\n" "\n_" SYMBOLS ${SYMBOLS})
+		string(REGEX REPLACE "(.)$" "\\1\\n" SYMBOLS ${SYMBOLS})
+		string(REPLACE ".sym" ".exp" EXP_FILENAME ${FILENAME})
+		file(WRITE ${EXP_FILENAME} "_${SYMBOLS}")
+		set(FLAG "-exported_symbols_list ${EXP_FILENAME}")
+		set_target_properties(${TARGET} PROPERTIES LINK_FLAGS ${FLAG})
+
+	elseif(CMAKE_SYSTEM_NAME MATCHES "HP-UX")
+		file(READ ${FILENAME} SYMBOLS)
+		string(REGEX REPLACE "\n$" "" SYMBOLS ${SYMBOLS})
+		string(REPLACE "\n" "\n+e " SYMBOLS ${SYMBOLS})
+		string(REPLACE ".sym" ".opt" OPT_FILENAME ${FILENAME})
+		file(WRITE ${OPT_FILENAME} "+e ${SYMBOLS}")
+		set(FLAG "-Wl,-c,${OPT_FILENAME}")
+		set_target_properties(${TARGET} PROPERTIES LINK_FLAGS ${FLAG})
+
+	elseif(CMAKE_SYSTEM_NAME MATCHES "SunOS")
+		file(READ ${FILENAME} SYMBOLS)
+		string(REPLACE "\n" ";\n" SYMBOLS ${SYMBOLS})
+		string(REPLACE ".sym" ".ver" VER_FILENAME ${FILENAME})
+		file(WRITE ${VER_FILENAME}
+			"{\nglobal:\n${SYMBOLS}\nlocal:\n*;\n};\n")
+		set(FLAG "-Wl,-M${VER_FILENAME}")
+		set_target_properties(${TARGET} PROPERTIES LINK_FLAGS ${FLAG})
+
+	elseif(CMAKE_COMPILER_IS_GNUCC OR CMAKE_C_COMPILER_ID MATCHES "Clang")
+		file(READ ${FILENAME} SYMBOLS)
+		string(REPLACE "\n" ";\n" SYMBOLS ${SYMBOLS})
+		string(REPLACE ".sym" ".ver" VER_FILENAME ${FILENAME})
+		file(WRITE ${VER_FILENAME}
+			"{\nglobal:\n${SYMBOLS}\nlocal:\n*;\n};\n")
+		set(FLAG "-Wl,--version-script,\"${VER_FILENAME}\"")
+		set_target_properties(${TARGET} PROPERTIES LINK_FLAGS ${FLAG})
+	endif()
+
+endmacro()

cmake_uninstall.cmake.in

@@ -0,0 +1,21 @@
+if(NOT EXISTS "@CMAKE_CURRENT_BINARY_DIR@/install_manifest.txt")
+	message(FATAL_ERROR "Cannot find install manifest: @CMAKE_CURRENT_BINARY_DIR@/install_manifest.txt")
+endif(NOT EXISTS "@CMAKE_CURRENT_BINARY_DIR@/install_manifest.txt")
+
+file(READ "@CMAKE_CURRENT_BINARY_DIR@/install_manifest.txt" files)
+string(REGEX REPLACE "\n" ";" files "${files}")
+foreach(file ${files})
+	message(STATUS "Uninstalling $ENV{DESTDIR}${file}")
+	if(IS_SYMLINK "$ENV{DESTDIR}${file}" OR EXISTS "$ENV{DESTDIR}${file}")
+		exec_program(
+			"@CMAKE_COMMAND@" ARGS "-E remove \"$ENV{DESTDIR}${file}\""
+			OUTPUT_VARIABLE rm_out
+			RETURN_VALUE rm_retval
+			)
+		if(NOT "${rm_retval}" STREQUAL 0)
+			message(FATAL_ERROR "Problem when removing $ENV{DESTDIR}${file}")
+		endif(NOT "${rm_retval}" STREQUAL 0)
+	else(IS_SYMLINK "$ENV{DESTDIR}${file}" OR EXISTS "$ENV{DESTDIR}${file}")
+		message(STATUS "File $ENV{DESTDIR}${file} does not exist.")
+	endif(IS_SYMLINK "$ENV{DESTDIR}${file}" OR EXISTS "$ENV{DESTDIR}${file}")
+endforeach(file)

configure.ac

@@ -78,19 +78,15 @@ AC_TRY_COMPILE([#include "$srcdir/crypto/modes/modes_lcl.h"],
 	       BSWAP4=no)
 CFLAGS="$old_cflags"
 
-case $host_cpu in
-	*sparc*)
-		CPPFLAGS="$CPPFLAGS -D__STRICT_ALIGNMENT"
-		;;
-	*arm*)
-		AS_IF([test "x$BSWAP4" = "xyes"],,
-		    CPPFLAGS="$CPPFLAGS -D__STRICT_ALIGNMENT")
-		;;
-	*amd64*)
-		host_cpu=x86_64
-		;;
-
-esac
+AS_CASE([$host_cpu],
+	[*sparc*], [CPPFLAGS="$CPPFLAGS -D__STRICT_ALIGNMENT"],
+	[*arm*], AS_IF([test "x$BSWAP4" = "xyes"],,
+		    CPPFLAGS="$CPPFLAGS -D__STRICT_ALIGNMENT"),
+	[*amd64*], [host_cpu=x86_64, HOSTARCH=intel],
+	[i?86], [HOSTARCH=intel],
+	[x86_64], [HOSTARCH=intel]
+)
+AM_CONDITIONAL([HOST_CPU_IS_INTEL], [test "x$HOSTARCH" = "xintel"])
 
 AC_MSG_CHECKING([if .gnu.warning accepts long strings])
 AC_LINK_IFELSE([AC_LANG_SOURCE([[
@@ -126,6 +122,7 @@ AC_CONFIG_FILES([
 	tls/Makefile
 	tests/Makefile
 	apps/Makefile
+	apps/ocspcheck/Makefile
 	apps/openssl/Makefile
 	apps/nc/Makefile
 	man/Makefile
@@ -137,8 +134,15 @@ AC_CONFIG_FILES([
 
 AM_CONDITIONAL([SMALL_TIME_T], [test "$ac_cv_sizeof_time_t" = "4"])
 if test "$ac_cv_sizeof_time_t" = "4"; then
+    AC_DEFINE([SMALL_TIME_T])
     echo " ** Warning, this system is unable to represent times past 2038"
     echo " ** It will behave incorrectly when handling valid RFC5280 dates"
+
+    if test "$host_os" = "mingw32" ; then
+        echo " **"
+        echo " ** You can solve this by adjusting the build flags in your"
+        echo " ** mingw-w64 toolchain. Refer to README.windows for details."
+    fi
 fi
 
 AC_REQUIRE_AUX_FILE([tap-driver.sh])

crypto/CMakeLists.txt

@@ -3,14 +3,100 @@ include_directories(
 	../include
 	../include/compat
 	asn1
+	bn
 	dsa
 	evp
 	modes
 )
 
-set(
-	CRYPTO_SRC
+if(HOST_ASM_ELF_X86_64)
+	set(
+		ASM_X86_64_ELF_SRC
+		aes/aes-elf-x86_64.S
+		aes/bsaes-elf-x86_64.S
+		aes/vpaes-elf-x86_64.S
+		aes/aesni-elf-x86_64.S
+		aes/aesni-sha1-elf-x86_64.S
+		bn/modexp512-elf-x86_64.S
+		bn/mont-elf-x86_64.S
+		bn/mont5-elf-x86_64.S
+		bn/gf2m-elf-x86_64.S
+		camellia/cmll-elf-x86_64.S
+		md5/md5-elf-x86_64.S
+		modes/ghash-elf-x86_64.S
+		rc4/rc4-elf-x86_64.S
+		rc4/rc4-md5-elf-x86_64.S
+		sha/sha1-elf-x86_64.S
+		sha/sha256-elf-x86_64.S
+		sha/sha512-elf-x86_64.S
+		whrlpool/wp-elf-x86_64.S
+		cpuid-elf-x86_64.S
+	)
+	add_definitions(-DAES_ASM)
+	add_definitions(-DBSAES_ASM)
+	add_definitions(-DVPAES_ASM)
+	add_definitions(-DOPENSSL_IA32_SSE2)
+	add_definitions(-DOPENSSL_BN_ASM_MONT)
+	add_definitions(-DOPENSSL_BN_ASM_MONT5)
+	add_definitions(-DOPENSSL_BN_ASM_GF2m)
+	add_definitions(-DMD5_ASM)
+	add_definitions(-DGHASH_ASM)
+	add_definitions(-DRSA_ASM)
+	add_definitions(-DSHA1_ASM)
+	add_definitions(-DSHA256_ASM)
+	add_definitions(-DSHA512_ASM)
+	add_definitions(-DWHIRLPOOL_ASM)
+	add_definitions(-DOPENSSL_CPUID_OBJ)
+	set(CRYPTO_SRC ${CRYPTO_SRC} ${ASM_X86_64_ELF_SRC})
+	set_property(SOURCE ${ASM_X86_64_ELF_SRC} PROPERTY LANGUAGE C)
+endif()
 
+if(HOST_ASM_MACOSX_X86_64)
+	set(
+		ASM_X86_64_MACOSX_SRC
+		aes/aes-macosx-x86_64.S
+		aes/bsaes-macosx-x86_64.S
+		aes/vpaes-macosx-x86_64.S
+		aes/aesni-macosx-x86_64.S
+		aes/aesni-sha1-macosx-x86_64.S
+		bn/modexp512-macosx-x86_64.S
+		bn/mont-macosx-x86_64.S
+		bn/mont5-macosx-x86_64.S
+		bn/gf2m-macosx-x86_64.S
+		camellia/cmll-macosx-x86_64.S
+		md5/md5-macosx-x86_64.S
+		modes/ghash-macosx-x86_64.S
+		rc4/rc4-macosx-x86_64.S
+		rc4/rc4-md5-macosx-x86_64.S
+		sha/sha1-macosx-x86_64.S
+		sha/sha256-macosx-x86_64.S
+		sha/sha512-macosx-x86_64.S
+		whrlpool/wp-macosx-x86_64.S
+		cpuid-macosx-x86_64.S
+	)
+	add_definitions(-DAES_ASM)
+	add_definitions(-DBSAES_ASM)
+	add_definitions(-DVPAES_ASM)
+	add_definitions(-DOPENSSL_IA32_SSE2)
+	add_definitions(-DOPENSSL_BN_ASM_MONT)
+	add_definitions(-DOPENSSL_BN_ASM_MONT5)
+	add_definitions(-DOPENSSL_BN_ASM_GF2m)
+	add_definitions(-DMD5_ASM)
+	add_definitions(-DGHASH_ASM)
+	add_definitions(-DRSA_ASM)
+	add_definitions(-DSHA1_ASM)
+	add_definitions(-DSHA256_ASM)
+	add_definitions(-DSHA512_ASM)
+	add_definitions(-DWHIRLPOOL_ASM)
+	add_definitions(-DOPENSSL_CPUID_OBJ)
+	set(CRYPTO_SRC ${CRYPTO_SRC} ${ASM_X86_64_MACOSX_SRC})
+	set_property(SOURCE ${ASM_X86_64_MACOSX_SRC} PROPERTY LANGUAGE C)
+endif()
+
+if((NOT HOST_ASM_ELF_X86_64) AND (NOT HOST_ASM_MACOSX_X86_64))
+	set(
+		CRYPTO_SRC
+		${CRYPTO_SRC}
 		aes/aes_cbc.c
 		aes/aes_core.c
 		camellia/camellia.c
@@ -18,6 +104,12 @@ set(
 		rc4/rc4_enc.c
 		rc4/rc4_skey.c
 		whrlpool/wp_block.c
+	)
+endif()
+
+set(
+	CRYPTO_SRC
+	${CRYPTO_SRC}
 	cpt_err.c
 	cryptlib.c
 	cversion.c
@@ -190,6 +282,8 @@ set(
 	conf/conf_mall.c
 	conf/conf_mod.c
 	conf/conf_sap.c
+	curve25519/curve25519-generic.c
+	curve25519/curve25519.c
 	des/cbc_cksm.c
 	des/cbc_enc.c
 	des/cfb64ede.c
@@ -331,6 +425,7 @@ set(
 	evp/m_gostr341194.c
 	evp/m_md4.c
 	evp/m_md5.c
+	evp/m_md5_sha1.c
 	evp/m_null.c
 	evp/m_ripemd.c
 	evp/m_sha1.c
@@ -364,6 +459,7 @@ set(
 	gost/gostr341001_pmeth.c
 	gost/gostr341194.c
 	gost/streebog.c
+	hkdf/hkdf.c
 	hmac/hm_ameth.c
 	hmac/hm_pmeth.c
 	hmac/hmac.c
@@ -372,7 +468,6 @@ set(
 	idea/i_ecb.c
 	idea/i_ofb64.c
 	idea/i_skey.c
-	krb5/krb5_asn.c
 	lhash/lh_stats.c
 	lhash/lhash.c
 	md4/md4_dgst.c
@@ -464,7 +559,6 @@ set(
 	rsa/rsa_pss.c
 	rsa/rsa_saos.c
 	rsa/rsa_sign.c
-	rsa/rsa_ssl.c
 	rsa/rsa_x931.c
 	sha/sha1_one.c
 	sha/sha1dgst.c
@@ -556,46 +650,89 @@ endif()
 
 if(CMAKE_HOST_WIN32)
 	set(CRYPTO_SRC ${CRYPTO_SRC} bio/b_win.c)
+	set(CRYPTO_UNEXPORT ${CRYPTO_UNEXPORT} BIO_s_log)
 	set(CRYPTO_SRC ${CRYPTO_SRC} ui/ui_openssl_win.c)
 endif()
 
 if(CMAKE_HOST_WIN32)
 	set(CRYPTO_SRC ${CRYPTO_SRC} compat/posix_win.c)
+	set(EXTRA_EXPORT ${EXTRA_EXPORT} gettimeofday)
+	set(EXTRA_EXPORT ${EXTRA_EXPORT} posix_perror)
+	set(EXTRA_EXPORT ${EXTRA_EXPORT} posix_fopen)
+	set(EXTRA_EXPORT ${EXTRA_EXPORT} posix_fgets)
+	set(EXTRA_EXPORT ${EXTRA_EXPORT} posix_open)
+	set(EXTRA_EXPORT ${EXTRA_EXPORT} posix_rename)
+	set(EXTRA_EXPORT ${EXTRA_EXPORT} posix_connect)
+	set(EXTRA_EXPORT ${EXTRA_EXPORT} posix_close)
+	set(EXTRA_EXPORT ${EXTRA_EXPORT} posix_read)
+	set(EXTRA_EXPORT ${EXTRA_EXPORT} posix_write)
+	set(EXTRA_EXPORT ${EXTRA_EXPORT} posix_getsockopt)
+	set(EXTRA_EXPORT ${EXTRA_EXPORT} posix_setsockopt)
+	set(EXTRA_EXPORT ${EXTRA_EXPORT} sleep)
 endif()
 
 if(NOT HAVE_ASPRINTF)
 	set(CRYPTO_SRC ${CRYPTO_SRC} compat/bsd-asprintf.c)
+	set(EXTRA_EXPORT ${EXTRA_EXPORT} asprintf)
+	set(EXTRA_EXPORT ${EXTRA_EXPORT} vasprintf)
+endif()
+
+if(NOT HAVE_FREEZERO)
+	set(CRYPTO_SRC ${CRYPTO_SRC} compat/freezero.c)
+	set(EXTRA_EXPORT ${EXTRA_EXPORT} freezero)
+endif()
+
+if(NOT HAVE_GETPAGESIZE)
+	set(CRYPTO_SRC ${CRYPTO_SRC} compat/getpagesize.c)
 endif()
 
 if(NOT HAVE_INET_PTON)
 	set(CRYPTO_SRC ${CRYPTO_SRC} compat/inet_pton.c)
+	set(EXTRA_EXPORT ${EXTRA_EXPORT} inet_pton)
 endif()
 
 if(NOT HAVE_REALLOCARRAY)
 	set(CRYPTO_SRC ${CRYPTO_SRC} compat/reallocarray.c)
+	set(EXTRA_EXPORT ${EXTRA_EXPORT} reallocarray)
+endif()
+
+if(NOT HAVE_RECALLOCARRAY)
+	set(CRYPTO_SRC ${CRYPTO_SRC} compat/recallocarray.c)
+	set(EXTRA_EXPORT ${EXTRA_EXPORT} recallocarray)
 endif()
 
 if(NOT HAVE_STRCASECMP)
 	set(CRYPTO_SRC ${CRYPTO_SRC} compat/strcasecmp.c)
+	set(EXTRA_EXPORT ${EXTRA_EXPORT} strcasecmp)
 endif()
 
 if(NOT HAVE_STRLCAT)
 	set(CRYPTO_SRC ${CRYPTO_SRC} compat/strlcat.c)
+	set(EXTRA_EXPORT ${EXTRA_EXPORT} strlcat)
 endif()
 
 if(NOT HAVE_STRLCPY)
 	set(CRYPTO_SRC ${CRYPTO_SRC} compat/strlcpy.c)
+	set(EXTRA_EXPORT ${EXTRA_EXPORT} strlcpy)
 endif()
 
 if(NOT HAVE_STRNDUP)
 	set(CRYPTO_SRC ${CRYPTO_SRC} compat/strndup.c)
+	set(EXTRA_EXPORT ${EXTRA_EXPORT} strndup)
 	if(NOT HAVE_STRNLEN)
 		set(CRYPTO_SRC ${CRYPTO_SRC} compat/strnlen.c)
+		set(EXTRA_EXPORT ${EXTRA_EXPORT} strnlen)
 	endif()
 endif()
 
+if(NOT HAVE_STRSEP)
+	set(CRYPTO_SRC ${CRYPTO_SRC} compat/strsep.c)
+	set(EXTRA_EXPORT ${EXTRA_EXPORT} strsep)
+endif()
+
 if(NOT HAVE_TIMEGM)
 	set(CRYPTO_SRC ${CRYPTO_SRC} compat/timegm.c)
+	set(EXTRA_EXPORT ${EXTRA_EXPORT} timegm)
 endif()
 
 if(NOT HAVE_EXPLICIT_BZERO)
@@ -605,10 +742,15 @@ if(NOT HAVE_EXPLICIT_BZERO)
 		set(CRYPTO_SRC ${CRYPTO_SRC} compat/explicit_bzero.c)
 		set_source_files_properties(compat/explicit_bzero.c PROPERTIES COMPILE_FLAGS -O0)
 	endif()
+	set(EXTRA_EXPORT ${EXTRA_EXPORT} explicit_bzero)
 endif()
 
 if(NOT HAVE_ARC4RANDOM_BUF)
 	set(CRYPTO_SRC ${CRYPTO_SRC} compat/arc4random.c)
+	set(CRYPTO_SRC ${CRYPTO_SRC} compat/arc4random_uniform.c)
+	set(EXTRA_EXPORT ${EXTRA_EXPORT} arc4random)
+	set(EXTRA_EXPORT ${EXTRA_EXPORT} arc4random_buf)
+	set(EXTRA_EXPORT ${EXTRA_EXPORT} arc4random_uniform)
 
 	if(NOT HAVE_GETENTROPY)
 		if(CMAKE_HOST_WIN32)
@@ -617,39 +759,78 @@ if(NOT HAVE_ARC4RANDOM_BUF)
 			set(CRYPTO_SRC ${CRYPTO_SRC} compat/getentropy_aix.c)
 		elseif(CMAKE_SYSTEM_NAME MATCHES "FreeBSD")
 			set(CRYPTO_SRC ${CRYPTO_SRC} compat/getentropy_freebsd.c)
+		elseif(CMAKE_SYSTEM_NAME MATCHES "HP-UX")
+			set(CRYPTO_SRC ${CRYPTO_SRC} compat/getentropy_hpux.c)
 		elseif(CMAKE_SYSTEM_NAME MATCHES "Linux")
 			set(CRYPTO_SRC ${CRYPTO_SRC} compat/getentropy_linux.c)
 		elseif(CMAKE_SYSTEM_NAME MATCHES "NetBSD")
 			set(CRYPTO_SRC ${CRYPTO_SRC} compat/getentropy_netbsd.c)
 		elseif(CMAKE_SYSTEM_NAME MATCHES "Darwin")
-			set(CRYPTO_SRC ${CRYPTO_SRC} compat/getentropy_darwin.c)
+			set(CRYPTO_SRC ${CRYPTO_SRC} compat/getentropy_osx.c)
 		elseif(CMAKE_SYSTEM_NAME MATCHES "SunOS")
 			set(CRYPTO_SRC ${CRYPTO_SRC} compat/getentropy_solaris.c)
 		endif()
+		set(EXTRA_EXPORT ${EXTRA_EXPORT} getentropy)
 	endif()
 endif()
 
 if(NOT HAVE_TIMINGSAFE_BCMP)
 	set(CRYPTO_SRC ${CRYPTO_SRC} compat/timingsafe_bcmp.c)
+	set(EXTRA_EXPORT ${EXTRA_EXPORT} timingsafe_bcmp)
 endif()
 
 if(NOT HAVE_TIMINGSAFE_MEMCMP)
 	set(CRYPTO_SRC ${CRYPTO_SRC} compat/timingsafe_memcmp.c)
+	set(EXTRA_EXPORT ${EXTRA_EXPORT} timingsafe_memcmp)
 endif()
 
+if(NOT ENABLE_ASM)
+	add_definitions(-DOPENSSL_NO_ASM)
+else()
+	if(CMAKE_HOST_WIN32)
+		add_definitions(-DOPENSSL_NO_ASM)
+	endif()
+endif()
+
+if(NOT "${OPENSSLDIR}" STREQUAL "")
+	add_definitions(-DOPENSSLDIR=\"${OPENSSLDIR}\")
+else()
+	add_definitions(-DOPENSSLDIR=\"${CMAKE_INSTALL_PREFIX}/etc/ssl\")
+endif()
+
+file(READ ${CMAKE_CURRENT_SOURCE_DIR}/crypto.sym SYMS)
+foreach(SYM IN LISTS CRYPTO_UNEXPORT)
+	string(REPLACE "${SYM}\n" "" SYMS ${SYMS})
+endforeach()
+file(WRITE ${CMAKE_CURRENT_SOURCE_DIR}/crypto_p.sym ${SYMS})
+if(EXTRA_EXPORT)
+	list(SORT EXTRA_EXPORT)
+	foreach(SYM IN LISTS EXTRA_EXPORT)
+		file(APPEND ${CMAKE_CURRENT_SOURCE_DIR}/crypto_p.sym "${SYM}\n")
+	endforeach()
+endif()
+
+add_library(crypto-objects OBJECT ${CRYPTO_SRC})
 if (BUILD_SHARED)
-	add_library(crypto-objects OBJECT ${CRYPTO_SRC})
 	add_library(crypto STATIC $<TARGET_OBJECTS:crypto-objects>)
 	add_library(crypto-shared SHARED $<TARGET_OBJECTS:crypto-objects>)
-	if (MSVC)
-		target_link_libraries(crypto-shared crypto Ws2_32.lib)
+	export_symbol(crypto-shared ${CMAKE_CURRENT_SOURCE_DIR}/crypto_p.sym)
+	if (WIN32)
+		target_link_libraries(crypto-shared Ws2_32.lib)
+		set(CRYPTO_POSTFIX -${CRYPTO_MAJOR_VERSION})
 	endif()
-	set_target_properties(crypto-shared PROPERTIES OUTPUT_NAME crypto)
+	set_target_properties(crypto-shared PROPERTIES
+		OUTPUT_NAME crypto${CRYPTO_POSTFIX}
+		ARCHIVE_OUTPUT_NAME crypto${CRYPTO_POSTFIX})
 	set_target_properties(crypto-shared PROPERTIES VERSION
 		${CRYPTO_VERSION} SOVERSION ${CRYPTO_MAJOR_VERSION})
-	install(TARGETS crypto crypto-shared DESTINATION lib)
+	if(ENABLE_LIBRESSL_INSTALL)
+		install(TARGETS crypto crypto-shared DESTINATION ${CMAKE_INSTALL_LIBDIR})
+	endif(ENABLE_LIBRESSL_INSTALL)
 else()
 	add_library(crypto STATIC ${CRYPTO_SRC})
-	install(TARGETS crypto DESTINATION lib)
+	if(ENABLE_LIBRESSL_INSTALL)
+		install(TARGETS crypto DESTINATION ${CMAKE_INSTALL_LIBDIR})
+	endif(ENABLE_LIBRESSL_INSTALL)
 endif()
 

crypto/Makefile.am

@@ -1,6 +1,7 @@
 include $(top_srcdir)/Makefile.am.common
 
 AM_CPPFLAGS += -I$(top_srcdir)/crypto/asn1
+AM_CPPFLAGS += -I$(top_srcdir)/crypto/bn
 AM_CPPFLAGS += -I$(top_srcdir)/crypto/evp
 AM_CPPFLAGS += -I$(top_srcdir)/crypto/modes
 AM_CPPFLAGS += -I$(top_srcdir)/crypto
@@ -9,11 +10,89 @@ lib_LTLIBRARIES = libcrypto.la
 
 EXTRA_DIST = VERSION
 EXTRA_DIST += CMakeLists.txt
+EXTRA_DIST += crypto.sym
 
 # needed for a CMake target
 EXTRA_DIST += compat/strcasecmp.c
 
-libcrypto_la_LDFLAGS = -version-info @LIBCRYPTO_VERSION@ -no-undefined
+BUILT_SOURCES = crypto_portable.sym
+CLEANFILES = crypto_portable.sym
+
+crypto_portable.sym:
+	-echo "generating crypto_portable.sym ..."
+	-cp $(top_srcdir)/crypto/crypto.sym crypto_portable.sym
+	-chmod u+w crypto_portable.sym
+if !HAVE_ARC4RANDOM_BUF
+	-echo arc4random >> crypto_portable.sym
+	-echo arc4random_buf >> crypto_portable.sym
+	-echo arc4random_uniform >> crypto_portable.sym
+if !HAVE_GETENTROPY
+	-echo getentropy >> crypto_portable.sym
+endif
+endif
+if !HAVE_ASPRINTF
+	-echo asprintf >> crypto_portable.sym
+	-echo vasprintf >> crypto_portable.sym
+endif
+if !HAVE_EXPLICIT_BZERO
+	-echo explicit_bzero >> crypto_portable.sym
+endif
+if !HAVE_FREEZERO
+	-echo freezero >> crypto_portable.sym
+endif
+if !HAVE_INET_PTON
+	-echo inet_pton >> crypto_portable.sym
+endif
+if !HAVE_REALLOCARRAY
+	-echo reallocarray >> crypto_portable.sym
+endif
+if !HAVE_RECALLOCARRAY
+	-echo recallocarray >> crypto_portable.sym
+endif
+if !HAVE_STRLCAT
+	-echo strlcat >> crypto_portable.sym
+endif
+if !HAVE_STRLCPY
+	-echo strlcpy >> crypto_portable.sym
+endif
+if !HAVE_STRNDUP
+	-echo strndup >> crypto_portable.sym
+endif
+if !HAVE_STRNLEN
+	-echo strnlen >> crypto_portable.sym
+endif
+if !HAVE_STRSEP
+	-echo strsep >> crypto_portable.sym
+endif
+if !HAVE_TIMEGM
+	-echo timegm >> crypto_portable.sym
+endif
+if !HAVE_TIMINGSAFE_BCMP
+	-echo timingsafe_bcmp >> crypto_portable.sym
+endif
+if !HAVE_TIMINGSAFE_MEMCMP
+	-echo timingsafe_memcmp >> crypto_portable.sym
+endif
+if HOST_CPU_IS_INTEL
+	-echo OPENSSL_ia32cap_P >> crypto_portable.sym
+endif
+if HOST_WIN
+	-echo posix_perror >> crypto_portable.sym
+	-echo posix_fopen >> crypto_portable.sym
+	-echo posix_fgets >> crypto_portable.sym
+	-echo posix_open >> crypto_portable.sym
+	-echo posix_rename >> crypto_portable.sym
+	-echo posix_connect >> crypto_portable.sym
+	-echo posix_close >> crypto_portable.sym
+	-echo posix_read >> crypto_portable.sym
+	-echo posix_write >> crypto_portable.sym
+	-echo posix_getsockopt >> crypto_portable.sym
+	-echo posix_setsockopt >> crypto_portable.sym
+	-grep -v BIO_s_log crypto_portable.sym > crypto_portable.sym.tmp
+	-mv crypto_portable.sym.tmp crypto_portable.sym
+endif
+
+libcrypto_la_LDFLAGS = -version-info @LIBCRYPTO_VERSION@ -no-undefined -export-symbols crypto_portable.sym
 libcrypto_la_LIBADD = libcompat.la
 if !HAVE_EXPLICIT_BZERO
 libcrypto_la_LIBADD += libcompatnoopt.la
@@ -71,10 +150,22 @@ libcompat_la_SOURCES += compat/strnlen.c
 endif
 endif
 
+if !HAVE_STRSEP
+libcompat_la_SOURCES += compat/strsep.c
+endif
+
 if !HAVE_ASPRINTF
 libcompat_la_SOURCES += compat/bsd-asprintf.c
 endif
 
+if !HAVE_FREEZERO
+libcompat_la_SOURCES += compat/freezero.c
+endif
+
+if !HAVE_GETPAGESIZE
+libcompat_la_SOURCES += compat/getpagesize.c
+endif
+
 if !HAVE_INET_PTON
 libcompat_la_SOURCES += compat/inet_pton.c
 endif
@@ -87,6 +178,10 @@ if !HAVE_REALLOCARRAY
 libcompat_la_SOURCES += compat/reallocarray.c
 endif
 
+if !HAVE_RECALLOCARRAY
+libcompat_la_SOURCES += compat/recallocarray.c
+endif
+
 if !HAVE_TIMINGSAFE_MEMCMP
 libcompat_la_SOURCES += compat/timingsafe_memcmp.c
 endif
@@ -133,6 +228,7 @@ noinst_HEADERS += constant_time_locl.h
 noinst_HEADERS += cryptlib.h
 noinst_HEADERS += md32_common.h
 noinst_HEADERS += o_time.h
+noinst_HEADERS += x86_arch.h
 
 # aes
 libcrypto_la_SOURCES += aes/aes_cfb.c
@@ -342,6 +438,12 @@ libcrypto_la_SOURCES += conf/conf_mod.c
 libcrypto_la_SOURCES += conf/conf_sap.c
 noinst_HEADERS += conf/conf_def.h
 
+# curve25519
+libcrypto_la_SOURCES += curve25519/curve25519-generic.c
+libcrypto_la_SOURCES += curve25519/curve25519.c
+noinst_HEADERS += curve25519/curve25519_internal.h
+
+
 # des
 libcrypto_la_SOURCES += des/cbc_cksm.c
 libcrypto_la_SOURCES += des/cbc_enc.c
@@ -510,6 +612,7 @@ libcrypto_la_SOURCES += evp/m_gost2814789.c
 libcrypto_la_SOURCES += evp/m_gostr341194.c
 libcrypto_la_SOURCES += evp/m_md4.c
 libcrypto_la_SOURCES += evp/m_md5.c
+libcrypto_la_SOURCES += evp/m_md5_sha1.c
 libcrypto_la_SOURCES += evp/m_null.c
 libcrypto_la_SOURCES += evp/m_ripemd.c
 libcrypto_la_SOURCES += evp/m_sha1.c
@@ -550,6 +653,9 @@ noinst_HEADERS += gost/gost.h
 noinst_HEADERS += gost/gost_asn1.h
 noinst_HEADERS += gost/gost_locl.h
 
+# hkdf
+libcrypto_la_SOURCES += hkdf/hkdf.c
+
 # hmac
 libcrypto_la_SOURCES += hmac/hm_ameth.c
 libcrypto_la_SOURCES += hmac/hm_pmeth.c
@@ -563,9 +669,6 @@ libcrypto_la_SOURCES += idea/i_ofb64.c
 libcrypto_la_SOURCES += idea/i_skey.c
 noinst_HEADERS += idea/idea_lcl.h
 
-# krb5
-libcrypto_la_SOURCES += krb5/krb5_asn.c
-
 # lhash
 libcrypto_la_SOURCES += lhash/lh_stats.c
 libcrypto_la_SOURCES += lhash/lhash.c
@@ -696,7 +799,6 @@ libcrypto_la_SOURCES += rsa/rsa_prn.c
 libcrypto_la_SOURCES += rsa/rsa_pss.c
 libcrypto_la_SOURCES += rsa/rsa_saos.c
 libcrypto_la_SOURCES += rsa/rsa_sign.c
-libcrypto_la_SOURCES += rsa/rsa_ssl.c
 libcrypto_la_SOURCES += rsa/rsa_x931.c
 noinst_HEADERS += rsa/rsa_locl.h
 
@@ -769,6 +871,7 @@ libcrypto_la_SOURCES += x509/x509spki.c
 libcrypto_la_SOURCES += x509/x509type.c
 libcrypto_la_SOURCES += x509/x_all.c
 noinst_HEADERS += x509/x509_lcl.h
+noinst_HEADERS += x509/vpm_int.h
 
 # x509v3
 libcrypto_la_SOURCES += x509v3/pcy_cache.c

crypto/Makefile.am.elf-x86_64

@@ -1,22 +1,22 @@
 
-ASM_X86_64_ELF = aes/aes-elf-x86_64.s
-ASM_X86_64_ELF += aes/bsaes-elf-x86_64.s
-ASM_X86_64_ELF += aes/vpaes-elf-x86_64.s
-ASM_X86_64_ELF += aes/aesni-elf-x86_64.s
-ASM_X86_64_ELF += aes/aesni-sha1-elf-x86_64.s
-ASM_X86_64_ELF += bn/modexp512-elf-x86_64.s
-ASM_X86_64_ELF += bn/mont-elf-x86_64.s
-ASM_X86_64_ELF += bn/mont5-elf-x86_64.s
-ASM_X86_64_ELF += bn/gf2m-elf-x86_64.s
-ASM_X86_64_ELF += camellia/cmll-elf-x86_64.s
-ASM_X86_64_ELF += md5/md5-elf-x86_64.s
-ASM_X86_64_ELF += modes/ghash-elf-x86_64.s
-ASM_X86_64_ELF += rc4/rc4-elf-x86_64.s
-ASM_X86_64_ELF += rc4/rc4-md5-elf-x86_64.s
-ASM_X86_64_ELF += sha/sha1-elf-x86_64.s
+ASM_X86_64_ELF = aes/aes-elf-x86_64.S
+ASM_X86_64_ELF += aes/bsaes-elf-x86_64.S
+ASM_X86_64_ELF += aes/vpaes-elf-x86_64.S
+ASM_X86_64_ELF += aes/aesni-elf-x86_64.S
+ASM_X86_64_ELF += aes/aesni-sha1-elf-x86_64.S
+ASM_X86_64_ELF += bn/modexp512-elf-x86_64.S
+ASM_X86_64_ELF += bn/mont-elf-x86_64.S
+ASM_X86_64_ELF += bn/mont5-elf-x86_64.S
+ASM_X86_64_ELF += bn/gf2m-elf-x86_64.S
+ASM_X86_64_ELF += camellia/cmll-elf-x86_64.S
+ASM_X86_64_ELF += md5/md5-elf-x86_64.S
+ASM_X86_64_ELF += modes/ghash-elf-x86_64.S
+ASM_X86_64_ELF += rc4/rc4-elf-x86_64.S
+ASM_X86_64_ELF += rc4/rc4-md5-elf-x86_64.S
+ASM_X86_64_ELF += sha/sha1-elf-x86_64.S
 ASM_X86_64_ELF += sha/sha256-elf-x86_64.S
 ASM_X86_64_ELF += sha/sha512-elf-x86_64.S
-ASM_X86_64_ELF += whrlpool/wp-elf-x86_64.s
+ASM_X86_64_ELF += whrlpool/wp-elf-x86_64.S
 ASM_X86_64_ELF += cpuid-elf-x86_64.S
 
 EXTRA_DIST += $(ASM_X86_64_ELF)

crypto/Makefile.am.macosx-x86_64

@@ -1,22 +1,22 @@
 
-ASM_X86_64_MACOSX = aes/aes-macosx-x86_64.s
-ASM_X86_64_MACOSX += aes/bsaes-macosx-x86_64.s
-ASM_X86_64_MACOSX += aes/vpaes-macosx-x86_64.s
-ASM_X86_64_MACOSX += aes/aesni-macosx-x86_64.s
-ASM_X86_64_MACOSX += aes/aesni-sha1-macosx-x86_64.s
-ASM_X86_64_MACOSX += bn/modexp512-macosx-x86_64.s
-ASM_X86_64_MACOSX += bn/mont-macosx-x86_64.s
-ASM_X86_64_MACOSX += bn/mont5-macosx-x86_64.s
-ASM_X86_64_MACOSX += bn/gf2m-macosx-x86_64.s
-ASM_X86_64_MACOSX += camellia/cmll-macosx-x86_64.s
-ASM_X86_64_MACOSX += md5/md5-macosx-x86_64.s
-ASM_X86_64_MACOSX += modes/ghash-macosx-x86_64.s
-ASM_X86_64_MACOSX += rc4/rc4-macosx-x86_64.s
-ASM_X86_64_MACOSX += rc4/rc4-md5-macosx-x86_64.s
-ASM_X86_64_MACOSX += sha/sha1-macosx-x86_64.s
+ASM_X86_64_MACOSX = aes/aes-macosx-x86_64.S
+ASM_X86_64_MACOSX += aes/bsaes-macosx-x86_64.S
+ASM_X86_64_MACOSX += aes/vpaes-macosx-x86_64.S
+ASM_X86_64_MACOSX += aes/aesni-macosx-x86_64.S
+ASM_X86_64_MACOSX += aes/aesni-sha1-macosx-x86_64.S
+ASM_X86_64_MACOSX += bn/modexp512-macosx-x86_64.S
+ASM_X86_64_MACOSX += bn/mont-macosx-x86_64.S
+ASM_X86_64_MACOSX += bn/mont5-macosx-x86_64.S
+ASM_X86_64_MACOSX += bn/gf2m-macosx-x86_64.S
+ASM_X86_64_MACOSX += camellia/cmll-macosx-x86_64.S
+ASM_X86_64_MACOSX += md5/md5-macosx-x86_64.S
+ASM_X86_64_MACOSX += modes/ghash-macosx-x86_64.S
+ASM_X86_64_MACOSX += rc4/rc4-macosx-x86_64.S
+ASM_X86_64_MACOSX += rc4/rc4-md5-macosx-x86_64.S
+ASM_X86_64_MACOSX += sha/sha1-macosx-x86_64.S
 ASM_X86_64_MACOSX += sha/sha256-macosx-x86_64.S
 ASM_X86_64_MACOSX += sha/sha512-macosx-x86_64.S
-ASM_X86_64_MACOSX += whrlpool/wp-macosx-x86_64.s
+ASM_X86_64_MACOSX += whrlpool/wp-macosx-x86_64.S
 ASM_X86_64_MACOSX += cpuid-macosx-x86_64.S
 
 EXTRA_DIST += $(ASM_X86_64_MACOSX)

crypto/compat/b_win.c

@@ -23,8 +23,8 @@ BIO_sock_init(void)
 	if (!wsa_init_done) {
 		if (WSAStartup(version_requested, &wsa_state) != 0) {
 			int err = WSAGetLastError();
-			SYSerr(SYS_F_WSASTARTUP, err);
-			BIOerr(BIO_F_BIO_SOCK_INIT, BIO_R_WSASTARTUP);
+			SYSerror(err);
+			BIOerror(BIO_R_WSASTARTUP);
 			return (-1);
 		}
 		wsa_init_done = 1;

crypto/compat/freezero.c

@@ -0,0 +1,32 @@
+/*
+ * Copyright (c) 2008, 2010, 2011, 2016 Otto Moerbeek <otto@drijf.net>
+ * Copyright (c) 2012 Matthew Dempsky <matthew@openbsd.org>
+ * Copyright (c) 2008 Damien Miller <djm@openbsd.org>
+ * Copyright (c) 2000 Poul-Henning Kamp <phk@FreeBSD.org>
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+ * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+ * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+
+#include <string.h>
+#include <stdlib.h>
+
+void
+freezero(void *ptr, size_t sz)
+{
+	/* This is legal. */
+	if (ptr == NULL)
+		return;
+
+	explicit_bzero(ptr, sz);
+	free(ptr);
+}

crypto/compat/getpagesize.c

@@ -0,0 +1,18 @@
+/* $OpenBSD$ */
+
+#include <unistd.h>
+
+#ifdef _MSC_VER
+#include <windows.h>
+#endif
+
+int
+getpagesize(void) {
+#ifdef _MSC_VER
+	SYSTEM_INFO system_info;
+	GetSystemInfo(&system_info);
+	return system_info.dwPageSize;
+#else
+	return sysconf(_SC_PAGESIZE);
+#endif
+}

crypto/compat/inet_pton.c

@@ -1,212 +0,0 @@
-/*	$OpenBSD: inet_pton.c,v 1.9 2015/01/16 16:48:51 deraadt Exp $	*/
-
-/* Copyright (c) 1996 by Internet Software Consortium.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND INTERNET SOFTWARE CONSORTIUM DISCLAIMS
- * ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES
- * OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL INTERNET SOFTWARE
- * CONSORTIUM BE LIABLE FOR ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL
- * DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR
- * PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS
- * ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS
- * SOFTWARE.
- */
-
-#include <sys/types.h>
-#include <sys/socket.h>
-#include <netinet/in.h>
-#include <arpa/inet.h>
-#include <arpa/nameser.h>
-#include <string.h>
-#include <errno.h>
-
-/*
- * WARNING: Don't even consider trying to compile this on a system where
- * sizeof(int) < 4.  sizeof(int) > 4 is fine; all the world's not a VAX.
- */
-
-static int	inet_pton4(const char *src, u_char *dst);
-static int	inet_pton6(const char *src, u_char *dst);
-
-/* int
- * inet_pton(af, src, dst)
- *	convert from presentation format (which usually means ASCII printable)
- *	to network format (which is usually some kind of binary format).
- * return:
- *	1 if the address was valid for the specified address family
- *	0 if the address wasn't valid (`dst' is untouched in this case)
- *	-1 if some other error occurred (`dst' is untouched in this case, too)
- * author:
- *	Paul Vixie, 1996.
- */
-int
-inet_pton(int af, const char *src, void *dst)
-{
-	switch (af) {
-	case AF_INET:
-		return (inet_pton4(src, dst));
-	case AF_INET6:
-		return (inet_pton6(src, dst));
-	default:
-		errno = EAFNOSUPPORT;
-		return (-1);
-	}
-	/* NOTREACHED */
-}
-
-/* int
- * inet_pton4(src, dst)
- *	like inet_aton() but without all the hexadecimal and shorthand.
- * return:
- *	1 if `src' is a valid dotted quad, else 0.
- * notice:
- *	does not touch `dst' unless it's returning 1.
- * author:
- *	Paul Vixie, 1996.
- */
-static int
-inet_pton4(const char *src, u_char *dst)
-{
-	static const char digits[] = "0123456789";
-	int saw_digit, octets, ch;
-	u_char tmp[INADDRSZ], *tp;
-
-	saw_digit = 0;
-	octets = 0;
-	*(tp = tmp) = 0;
-	while ((ch = *src++) != '\0') {
-		const char *pch;
-
-		if ((pch = strchr(digits, ch)) != NULL) {
-			u_int new = *tp * 10 + (pch - digits);
-
-			if (new > 255)
-				return (0);
-			if (! saw_digit) {
-				if (++octets > 4)
-					return (0);
-				saw_digit = 1;
-			}
-			*tp = new;
-		} else if (ch == '.' && saw_digit) {
-			if (octets == 4)
-				return (0);
-			*++tp = 0;
-			saw_digit = 0;
-		} else
-			return (0);
-	}
-	if (octets < 4)
-		return (0);
-
-	memcpy(dst, tmp, INADDRSZ);
-	return (1);
-}
-
-/* int
- * inet_pton6(src, dst)
- *	convert presentation level address to network order binary form.
- * return:
- *	1 if `src' is a valid [RFC1884 2.2] address, else 0.
- * notice:
- *	does not touch `dst' unless it's returning 1.
- * credit:
- *	inspired by Mark Andrews.
- * author:
- *	Paul Vixie, 1996.
- */
-static int
-inet_pton6(const char *src, u_char *dst)
-{
-	static const char xdigits_l[] = "0123456789abcdef",
-			  xdigits_u[] = "0123456789ABCDEF";
-	u_char tmp[IN6ADDRSZ], *tp, *endp, *colonp;
-	const char *xdigits, *curtok;
-	int ch, saw_xdigit, count_xdigit;
-	u_int val;
-
-	memset((tp = tmp), '\0', IN6ADDRSZ);
-	endp = tp + IN6ADDRSZ;
-	colonp = NULL;
-	/* Leading :: requires some special handling. */
-	if (*src == ':')
-		if (*++src != ':')
-			return (0);
-	curtok = src;
-	saw_xdigit = count_xdigit = 0;
-	val = 0;
-	while ((ch = *src++) != '\0') {
-		const char *pch;
-
-		if ((pch = strchr((xdigits = xdigits_l), ch)) == NULL)
-			pch = strchr((xdigits = xdigits_u), ch);
-		if (pch != NULL) {
-			if (count_xdigit >= 4)
-				return (0);
-			val <<= 4;
-			val |= (pch - xdigits);
-			if (val > 0xffff)
-				return (0);
-			saw_xdigit = 1;
-			count_xdigit++;
-			continue;
-		}
-		if (ch == ':') {
-			curtok = src;
-			if (!saw_xdigit) {
-				if (colonp)
-					return (0);
-				colonp = tp;
-				continue;
-			} else if (*src == '\0') {
-				return (0);
-			}
-			if (tp + INT16SZ > endp)
-				return (0);
-			*tp++ = (u_char) (val >> 8) & 0xff;
-			*tp++ = (u_char) val & 0xff;
-			saw_xdigit = 0;
-			count_xdigit = 0;
-			val = 0;
-			continue;
-		}
-		if (ch == '.' && ((tp + INADDRSZ) <= endp) &&
-		    inet_pton4(curtok, tp) > 0) {
-			tp += INADDRSZ;
-			saw_xdigit = 0;
-			count_xdigit = 0;
-			break;	/* '\0' was seen by inet_pton4(). */
-		}
-		return (0);
-	}
-	if (saw_xdigit) {
-		if (tp + INT16SZ > endp)
-			return (0);
-		*tp++ = (u_char) (val >> 8) & 0xff;
-		*tp++ = (u_char) val & 0xff;
-	}
-	if (colonp != NULL) {
-		/*
-		 * Since some memmove()'s erroneously fail to handle
-		 * overlapping regions, we'll do the shift by hand.
-		 */
-		const int n = tp - colonp;
-		int i;
-
-		if (tp == endp)
-			return (0);
-		for (i = 1; i <= n; i++) {
-			endp[- i] = colonp[n - i];
-			colonp[n - i] = 0;
-		}
-		tp = endp;
-	}
-	if (tp != endp)
-		return (0);
-	memcpy(dst, tmp, IN6ADDRSZ);
-	return (1);
-}

crypto/compat/posix_win.c

@@ -12,6 +12,7 @@
 #include <ws2tcpip.h>
 
 #include <errno.h>
+#include <fcntl.h>
 #include <stdint.h>
 #include <stdio.h>
 #include <stdlib.h>
@@ -39,6 +40,28 @@ posix_fopen(const char *path, const char *mode)
 	return fopen(path, mode);
 }
 
+int
+posix_open(const char *path, ...)
+{
+	va_list ap;
+	int mode = 0;
+	int flags;
+
+	va_start(ap, path);
+	flags = va_arg(ap, int);
+	if (flags & O_CREAT)
+		mode = va_arg(ap, int);
+	va_end(ap);
+
+	flags |= O_BINARY;
+	if (flags & O_CLOEXEC) {
+		flags &= ~O_CLOEXEC;
+		flags |= O_NOINHERIT;
+	}
+	flags &= ~O_NONBLOCK;
+	return open(path, flags, mode);
+}
+
 char *
 posix_fgets(char *s, int size, FILE *stream)
 {
@@ -109,6 +132,9 @@ wsa_errno(int err)
 	case WSAEAFNOSUPPORT:
 		errno = EAFNOSUPPORT;
 		break;
+	case WSAEBADF:
+		errno = EBADF;
+		break;
 	case WSAENETRESET:
 	case WSAENOTCONN:
 	case WSAECONNABORTED:
@@ -135,7 +161,7 @@ posix_close(int fd)
 {
 	if (closesocket(fd) == SOCKET_ERROR) {
 		int err = WSAGetLastError();
-		return err == WSAENOTSOCK ?
+		return (err == WSAENOTSOCK || err == WSAEBADF) ?
 			close(fd) : wsa_errno(err);
 	}
 	return 0;
@@ -147,7 +173,7 @@ posix_read(int fd, void *buf, size_t count)
 	ssize_t rc = recv(fd, buf, count, 0);
 	if (rc == SOCKET_ERROR) {
 		int err = WSAGetLastError();
-		return err == WSAENOTSOCK ?
+		return (err == WSAENOTSOCK || err == WSAEBADF) ?
 			read(fd, buf, count) : wsa_errno(err);
 	}
 	return rc;
@@ -159,7 +185,7 @@ posix_write(int fd, const void *buf, size_t count)
 	ssize_t rc = send(fd, buf, count, 0);
 	if (rc == SOCKET_ERROR) {
 		int err = WSAGetLastError();
-		return err == WSAENOTSOCK ?
+		return (err == WSAENOTSOCK || err == WSAEBADF) ?
 			write(fd, buf, count) : wsa_errno(err);
 	}
 	return rc;
@@ -183,6 +209,7 @@ posix_setsockopt(int sockfd, int level, int optname,
 }
 
 #ifdef _MSC_VER
+struct timezone;
 int gettimeofday(struct timeval * tp, struct timezone * tzp)
 {
 	/*

dist.sh

@@ -1,7 +1,7 @@
 #!/bin/sh
 set -e
 
-rm -f man/*.1 man/*.3 include/openssl/*.h
+rm -f man/*.[35] include/openssl/*.h
 ./autogen.sh
 ./configure
-make distcheck
+make -j2 distcheck

include/CMakeLists.txt

@@ -1,5 +1,8 @@
-install(DIRECTORY .
-        DESTINATION include
+if(ENABLE_LIBRESSL_INSTALL)
+	install(DIRECTORY .
+	        DESTINATION ${CMAKE_INSTALL_INCLUDEDIR}
 	        PATTERN "CMakeLists.txt" EXCLUDE
 	        PATTERN "compat" EXCLUDE
-        PATTERN "Makefile.*" EXCLUDE)
+	        PATTERN "pqueue.h" EXCLUDE
+	        PATTERN "Makefile*" EXCLUDE)
+endif(ENABLE_LIBRESSL_INSTALL)

include/Makefile.am

@@ -8,6 +8,7 @@ noinst_HEADERS = pqueue.h
 noinst_HEADERS += compat/dirent.h
 noinst_HEADERS += compat/dirent_msvc.h
 noinst_HEADERS += compat/err.h
+noinst_HEADERS += compat/fcntl.h
 noinst_HEADERS += compat/limits.h
 noinst_HEADERS += compat/netdb.h
 noinst_HEADERS += compat/poll.h
@@ -29,7 +30,6 @@ noinst_HEADERS += compat/netinet/in.h
 noinst_HEADERS += compat/netinet/ip.h
 noinst_HEADERS += compat/netinet/tcp.h
 
-noinst_HEADERS += compat/sys/cdefs.h
 noinst_HEADERS += compat/sys/ioctl.h
 noinst_HEADERS += compat/sys/mman.h
 noinst_HEADERS += compat/sys/param.h

include/compat/arpa/inet.h

@@ -14,6 +14,10 @@
 
 #endif
 
+#ifndef HAVE_INET_NTOP
+const char * inet_ntop(int af, const void *src, char *dst, socklen_t size);
+#endif
+
 #ifndef HAVE_INET_PTON
 int inet_pton(int af, const char * src, void * dst);
 #endif

include/compat/err.h

@@ -18,6 +18,11 @@
 #include <stdio.h>
 #include <string.h>
 
+#if defined(_MSC_VER)
+__declspec(noreturn)
+#else
+__attribute__((noreturn))
+#endif
 static inline void
 err(int eval, const char *fmt, ...)
 {
@@ -29,11 +34,16 @@ err(int eval, const char *fmt, ...)
 		vfprintf(stderr, fmt, ap);
 		fprintf(stderr, ": ");
 	}
+	va_end(ap);
 	fprintf(stderr, "%s\n", strerror(sverrno));
 	exit(eval);
-	va_end(ap);
 }
 
+#if defined(_MSC_VER)
+__declspec(noreturn)
+#else
+__attribute__((noreturn))
+#endif
 static inline void
 errx(int eval, const char *fmt, ...)
 {
@@ -42,9 +52,9 @@ errx(int eval, const char *fmt, ...)
 	va_start(ap, fmt);
 	if (fmt != NULL)
 		vfprintf(stderr, fmt, ap);
+	va_end(ap);
 	fprintf(stderr, "\n");
 	exit(eval);
-	va_end(ap);
 }
 
 static inline void
@@ -58,8 +68,8 @@ warn(const char *fmt, ...)
 		vfprintf(stderr, fmt, ap);
 		fprintf(stderr, ": ");
 	}
-	fprintf(stderr, "%s\n", strerror(sverrno));
 	va_end(ap);
+	fprintf(stderr, "%s\n", strerror(sverrno));
 }
 
 static inline void
@@ -70,8 +80,8 @@ warnx(const char *fmt, ...)
 	va_start(ap, fmt);
 	if (fmt != NULL)
 		vfprintf(stderr, fmt, ap);
-	fprintf(stderr, "\n");
 	va_end(ap);
+	fprintf(stderr, "\n");
 }
 
 #endif

include/compat/fcntl.h

@@ -0,0 +1,32 @@
+/*
+ * Public domain
+ * fcntl.h compatibility shim
+ */
+
+#ifndef _WIN32
+#include_next <fcntl.h>
+#else
+
+#ifdef _MSC_VER
+#if _MSC_VER >= 1900
+#include <../ucrt/fcntl.h>
+#else
+#include <../include/fcntl.h>
+#endif
+#else
+#include_next <fcntl.h>
+#endif
+
+#endif
+
+#ifndef O_NONBLOCK
+#define O_NONBLOCK      0x100000
+#endif
+
+#ifndef O_CLOEXEC
+#define O_CLOEXEC       0x200000
+#endif
+
+#ifndef FD_CLOEXEC
+#define FD_CLOEXEC      1
+#endif

include/compat/limits.h

@@ -5,6 +5,14 @@
 
 #ifdef _MSC_VER
 #include <../include/limits.h>
+#if _MSC_VER >= 1900
+#include <../ucrt/stdlib.h>
+#else
+#include <../include/stdlib.h>
+#endif
+#ifndef PATH_MAX
+#define PATH_MAX _MAX_PATH
+#endif
 #else
 #include_next <limits.h>
 #endif

include/compat/stdio.h

@@ -26,6 +26,10 @@ int asprintf(char **str, const char *fmt, ...);
 
 #ifdef _WIN32
 
+#if defined(_MSC_VER)
+#define __func__ __FUNCTION__
+#endif
+
 void posix_perror(const char *s);
 FILE * posix_fopen(const char *path, const char *mode);
 char * posix_fgets(char *s, int size, FILE *stream);

include/compat/stdlib.h

@@ -25,10 +25,18 @@ void arc4random_buf(void *_buf, size_t n);
 uint32_t arc4random_uniform(uint32_t upper_bound);
 #endif
 
+#ifndef HAVE_FREEZERO
+void freezero(void *ptr, size_t sz);
+#endif
+
 #ifndef HAVE_REALLOCARRAY
 void *reallocarray(void *, size_t, size_t);
 #endif
 
+#ifndef HAVE_RECALLOCARRAY
+void *recallocarray(void *, size_t, size_t, size_t);
+#endif
+
 #ifndef HAVE_STRTONUM
 long long strtonum(const char *nptr, long long minval,
 		long long maxval, const char **errstr);

include/compat/sys/cdefs.h

@@ -1,31 +0,0 @@
-/*
- * Public domain
- * sys/cdefs.h compatibility shim
- */
-
-#ifndef LIBCRYPTOCOMPAT_SYS_CDEFS_H
-#define LIBCRYPTOCOMPAT_SYS_CDEFS_H
-
-#ifdef _WIN32
-
-#define __warn_references(sym,msg)
-
-#else
-
-#include_next <sys/cdefs.h>
-
-#ifndef __warn_references
-
-#if defined(__GNUC__)  && defined (HAS_GNU_WARNING_LONG)
-#define __warn_references(sym,msg)          \
-  __asm__(".section .gnu.warning." __STRING(sym)  \
-         " ; .ascii \"" msg "\" ; .text");
-#else
-#define __warn_references(sym,msg)
-#endif
-
-#endif /* __warn_references */
-
-#endif /* _WIN32 */
-
-#endif /* LIBCRYPTOCOMPAT_SYS_CDEFS_H */

include/compat/sys/socket.h

@@ -8,3 +8,10 @@
 #else
 #include <win32netcompat.h>
 #endif
+
+#if !defined(SOCK_NONBLOCK) || !defined(SOCK_CLOEXEC)
+#define SOCK_CLOEXEC            0x8000  /* set FD_CLOEXEC */
+#define SOCK_NONBLOCK           0x4000  /* set O_NONBLOCK */
+int bsd_socketpair(int domain, int type, int protocol, int socket_vector[2]);
+#define socketpair(d,t,p,sv) bsd_socketpair(d,t,p,sv)
+#endif

include/compat/sys/stat.h

@@ -8,6 +8,15 @@
 
 #ifndef _MSC_VER
 #include_next <sys/stat.h>
+
+/* for old MinGW */
+#ifndef S_IRGRP
+#define S_IRGRP         0
+#endif
+#ifndef S_IROTH
+#define S_IROTH         0
+#endif
+
 #else
 
 #include <windows.h>

include/compat/sys/time.h

@@ -13,4 +13,20 @@ int gettimeofday(struct timeval *tp, void *tzp);
 #include_next <sys/time.h>
 #endif
 
+#ifndef CLOCK_MONOTONIC
+#define CLOCK_MONOTONIC CLOCK_REALTIME
+#endif
+
+#ifndef timersub
+#define timersub(tvp, uvp, vvp)                                         \
+	do {                                                            \
+		(vvp)->tv_sec = (tvp)->tv_sec - (uvp)->tv_sec;          \
+		(vvp)->tv_usec = (tvp)->tv_usec - (uvp)->tv_usec;       \
+		if ((vvp)->tv_usec < 0) {                               \
+			(vvp)->tv_sec--;                                \
+			(vvp)->tv_usec += 1000000;                      \
+		}                                                       \
+	} while (0)
+#endif
+
 #endif

include/compat/sys/types.h

@@ -20,12 +20,14 @@
 
 #ifdef __MINGW32__
 #include <_bsd_types.h>
+typedef uint32_t        in_addr_t;
 #endif
 
 #ifdef _MSC_VER
 typedef unsigned char   u_char;
 typedef unsigned short  u_short;
 typedef unsigned int    u_int;
+typedef uint32_t        in_addr_t;
 
 #include <basetsd.h>
 typedef SSIZE_T ssize_t;
@@ -44,4 +46,25 @@ typedef SSIZE_T ssize_t;
 # define __bounded__(x, y, z)
 #endif
 
+#ifdef _WIN32
+#define __warn_references(sym,msg)
+#else
+
+#ifndef __warn_references
+
+#ifndef __STRING
+#define __STRING(x) #x
+#endif
+
+#if defined(__GNUC__)  && defined (HAS_GNU_WARNING_LONG)
+#define __warn_references(sym,msg)          \
+  __asm__(".section .gnu.warning." __STRING(sym)  \
+         " ; .ascii \"" msg "\" ; .text");
+#else
+#define __warn_references(sym,msg)
+#endif
+
+#endif /* __warn_references */
+#endif /* _WIN32 */
+
 #endif

include/compat/time.h

@@ -21,3 +21,15 @@ struct tm *__gmtime_r(const time_t * t, struct tm * tm);
 #ifndef HAVE_TIMEGM
 time_t timegm(struct tm *tm);
 #endif
+
+#ifndef timespecsub
+#define timespecsub(tsp, usp, vsp)                                      \
+        do {                                                            \
+                (vsp)->tv_sec = (tsp)->tv_sec - (usp)->tv_sec;          \
+                (vsp)->tv_nsec = (tsp)->tv_nsec - (usp)->tv_nsec;       \
+                if ((vsp)->tv_nsec < 0) {                               \
+                        (vsp)->tv_sec--;                                \
+                        (vsp)->tv_nsec += 1000000000L;                  \
+                }                                                       \
+        } while (0)
+#endif

include/compat/unistd.h

@@ -14,6 +14,9 @@
 #include <io.h>
 #include <process.h>
 
+#define STDOUT_FILENO   1
+#define STDERR_FILENO   2
+
 #define R_OK    4
 #define W_OK    2
 #define X_OK    0
@@ -36,6 +39,14 @@ int getentropy(void *buf, size_t buflen);
 #endif
 #endif
 
+#ifndef HAVE_GETPAGESIZE
+int getpagesize(void);
+#endif
+
 #define pledge(request, paths) 0
 
+#ifndef HAVE_PIPE2
+int pipe2(int fildes[2], int flags);
+#endif
+
 #endif

include/compat/win32netcompat.h

@@ -26,7 +26,10 @@
 
 int posix_connect(int sockfd, const struct sockaddr *addr, socklen_t addrlen);
 
+int posix_open(const char *path, ...);
+
 int posix_close(int fd);
+
 ssize_t posix_read(int fd, void *buf, size_t count);
 
 ssize_t posix_write(int fd, const void *buf, size_t count);
@@ -39,6 +42,7 @@ int posix_setsockopt(int sockfd, int level, int optname,
 
 #ifndef NO_REDEF_POSIX_FUNCTIONS
 #define connect(sockfd, addr, addrlen) posix_connect(sockfd, addr, addrlen)
+#define open(path, ...) posix_open(path, __VA_ARGS__)
 #define close(fd) posix_close(fd)
 #define read(fd, buf, count) posix_read(fd, buf, count)
 #define write(fd, buf, count) posix_write(fd, buf, count)

libcrypto.pc.in

@@ -5,11 +5,11 @@ exec_prefix=@exec_prefix@
 libdir=@libdir@
 includedir=@includedir@
 
-Name: LibreSSL-libssl
-Description: Secure Sockets Layer and cryptography libraries
+Name: LibreSSL-libcrypto
+Description: LibreSSL cryptography library
 Version: @VERSION@
 Requires:
 Conflicts:
 Libs: -L${libdir} -lcrypto
-Libs.private: @LIBS@
+Libs.private: @LIBS@ @PLATFORM_LDADD@
 Cflags: -I${includedir}

libssl.pc.in

@@ -12,5 +12,5 @@ Requires:
 Requires.private: libcrypto
 Conflicts:
 Libs: -L${libdir} -lssl
-Libs.private: @LIBS@ -lcrypto
+Libs.private: @LIBS@ -lcrypto @PLATFORM_LDADD@
 Cflags: -I${includedir}

libtls-standalone/src/Makefile.am

@@ -8,6 +8,7 @@ libtls_la_LIBADD += $(top_builddir)/compat/libcompat.la
 libtls_la_LIBADD += $(top_builddir)/compat/libcompatnoopt.la
 
 libtls_la_SOURCES = tls.c
+libtls_la_SOURCES += tls_bio_cb.c
 libtls_la_SOURCES += tls_client.c
 libtls_la_SOURCES += tls_config.c
 libtls_la_SOURCES += tls_server.c

libtls.pc.in

@@ -12,5 +12,5 @@ Requires:
 Requires.private: libcrypto libssl
 Conflicts:
 Libs: -L${libdir} -ltls
-Libs.private: @LIBS@ -lcrypto -lssl
+Libs.private: @LIBS@ -lcrypto -lssl @PLATFORM_LDADD@
 Cflags: -I${includedir}

m4/check-libc.m4

@@ -2,14 +2,32 @@ AC_DEFUN([CHECK_LIBC_COMPAT], [
 # Check for libc headers
 AC_CHECK_HEADERS([err.h readpassphrase.h])
 # Check for general libc functions
-AC_CHECK_FUNCS([asprintf inet_pton memmem readpassphrase reallocarray])
+AC_CHECK_FUNCS([asprintf freezero inet_ntop inet_pton memmem])
+AC_CHECK_FUNCS([readpassphrase reallocarray recallocarray])
 AC_CHECK_FUNCS([strlcat strlcpy strndup strnlen strsep strtonum])
 AC_CHECK_FUNCS([timegm _mkgmtime])
+AC_CACHE_CHECK([for getpagesize], ac_cv_func_getpagesize, [
+	AC_LINK_IFELSE([AC_LANG_PROGRAM([[
+// Since Android NDK v16 getpagesize is defined as inline inside unistd.h
+#ifdef __ANDROID__
+#	include <unistd.h>
+#endif
+		]], [[
+	getpagesize();
+]])],
+	[ ac_cv_func_getpagesize="yes" ],
+	[ ac_cv_func_getpagesize="no"
+	])
+])
 AM_CONDITIONAL([HAVE_ASPRINTF], [test "x$ac_cv_func_asprintf" = xyes])
+AM_CONDITIONAL([HAVE_FREEZERO], [test "x$ac_cv_func_freezero" = xyes])
+AM_CONDITIONAL([HAVE_GETPAGESIZE], [test "x$ac_cv_func_getpagesize" = xyes])
+AM_CONDITIONAL([HAVE_INET_NTOP], [test "x$ac_cv_func_inet_ntop" = xyes])
 AM_CONDITIONAL([HAVE_INET_PTON], [test "x$ac_cv_func_inet_pton" = xyes])
 AM_CONDITIONAL([HAVE_MEMMEM], [test "x$ac_cv_func_memmem" = xyes])
 AM_CONDITIONAL([HAVE_READPASSPHRASE], [test "x$ac_cv_func_readpassphrase" = xyes])
 AM_CONDITIONAL([HAVE_REALLOCARRAY], [test "x$ac_cv_func_reallocarray" = xyes])
+AM_CONDITIONAL([HAVE_RECALLOCARRAY], [test "x$ac_cv_func_recallocarray" = xyes])
 AM_CONDITIONAL([HAVE_STRLCAT], [test "x$ac_cv_func_strlcat" = xyes])
 AM_CONDITIONAL([HAVE_STRLCPY], [test "x$ac_cv_func_strlcpy" = xyes])
 AM_CONDITIONAL([HAVE_STRNDUP], [test "x$ac_cv_func_strndup" = xyes])
@@ -20,10 +38,12 @@ AM_CONDITIONAL([HAVE_TIMEGM], [test "x$ac_cv_func_timegm" = xyes])
 ])
 
 AC_DEFUN([CHECK_SYSCALL_COMPAT], [
-AC_CHECK_FUNCS([accept4 pledge poll])
+AC_CHECK_FUNCS([accept4 pipe2 pledge poll socketpair])
 AM_CONDITIONAL([HAVE_ACCEPT4], [test "x$ac_cv_func_accept4" = xyes])
+AM_CONDITIONAL([HAVE_PIPE2], [test "x$ac_cv_func_pipe2" = xyes])
 AM_CONDITIONAL([HAVE_PLEDGE], [test "x$ac_cv_func_pledge" = xyes])
 AM_CONDITIONAL([HAVE_POLL], [test "x$ac_cv_func_poll" = xyes])
+AM_CONDITIONAL([HAVE_SOCKETPAIR], [test "x$ac_cv_func_socketpair" = xyes])
 ])
 
 AC_DEFUN([CHECK_B64_NTOP], [

m4/check-os-options.m4

@@ -13,6 +13,7 @@ case $host_os in
 		;;
 	*cygwin*)
 		HOST_OS=cygwin
+		CPPFLAGS="$CPPFLAGS -D_GNU_SOURCE"
 		;;
 	*darwin*)
 		HOST_OS=darwin
@@ -106,13 +107,12 @@ char buf[1]; getentropy(buf, 1);
 		CPPFLAGS="$CPPFLAGS -D_REENTRANT -D_POSIX_THREAD_SAFE_FUNCTIONS"
 		CPPFLAGS="$CPPFLAGS -DWIN32_LEAN_AND_MEAN -D_WIN32_WINNT=0x0501"
 		CPPFLAGS="$CPPFLAGS -DOPENSSL_NO_SPEED"
-		CFLAGS="$CFLAGS -static-libgcc"
-		LDFLAGS="$LDFLAGS -static-libgcc"
 		AC_SUBST([PLATFORM_LDADD], ['-lws2_32'])
 		;;
 	*solaris*)
 		HOST_OS=solaris
 		HOST_ABI=elf
+		CFLAGS="$CFLAGS -m64"
 		CPPFLAGS="$CPPFLAGS -D__EXTENSIONS__ -D_XOPEN_SOURCE=600 -DBSD_COMP"
 		AC_SUBST([PLATFORM_LDADD], ['-lnsl -lsocket'])
 		;;

man/CMakeLists.txt

@@ -1,9 +1,11 @@
-install(DIRECTORY .
-    DESTINATION share/man/man3
+if(ENABLE_LIBRESSL_INSTALL)
+	install(DIRECTORY .
+	    DESTINATION ${CMAKE_INSTALL_MANDIR}/man3
 	    FILES_MATCHING PATTERN "*.3"
 	    )
 
-install(DIRECTORY .
-    DESTINATION share/man/man1
-    FILES_MATCHING PATTERN "*.1"
+	install(DIRECTORY .
+	    DESTINATION ${CMAKE_INSTALL_MANDIR}/man5
+	    FILES_MATCHING PATTERN "*.5"
 	    )
+endif(ENABLE_LIBRESSL_INSTALL)

man/update_links.sh

@@ -1,18 +1,19 @@
 #!/bin/sh
 
 # Run this periodically to ensure that the manpage links are up to date
+(
+    cd /usr/src/usr.bin/mandoc/
+    make obj
+    make cleandir
+    make depend
+    make
+    cd /usr/src/regress/usr.bin/mandoc/db/mlinks/
+    make obj
+    make cleandir
+    make
+)
+
+makewhatis -a .
 
 echo "# This is an auto-generated file by $0" > links
-doas makewhatis
-for i in `ls -1 *.3`; do
-  name=`echo $i|cut -d. -f1`
-  links=`sqlite3 /usr/share/man/mandoc.db \
-    "select names.name from mlinks,names where mlinks.name='$name' and mlinks.pageid=names.pageid;"`
-  for j in $links; do
-    a=`echo "x$j" | tr '[:upper:]' '[:lower:]'`
-    b=`echo "x$name" | tr '[:upper:]' '[:lower:]'`
-    if [[ $a != $b && $a != *"<type>"* ]]; then
-      echo $name.3,$j.3 >> links
-    fi
-  done
-done
+/usr/src/regress/usr.bin/mandoc/db/mlinks/obj/mlinks mandoc.db | sort >> links

patches/aeadtest.c.patch

@@ -0,0 +1,15 @@
+--- tests/aeadtest.c.orig	2016-10-18 17:03:33.845870889 +0900
++++ tests/aeadtest.c	2016-10-18 17:11:19.880841283 +0900
+@@ -75,6 +75,12 @@
+ 
+ #define BUF_MAX 1024
+ 
++#ifdef _MSC_VER
++#ifdef IN
++#undef IN
++#endif
++#endif
++
+ /* These are the different types of line that are found in the input file. */
+ enum {
+ 	AEAD = 0,	/* name of the AEAD algorithm. */

patches/bio.h.patch

@@ -0,0 +1,36 @@
+--- include/openssl/bio.h.orig	Mon Oct  3 06:09:28 2016
++++ include/openssl/bio.h	Sun Nov  6 04:24:57 2016
+@@ -678,8 +678,24 @@
+
+ /*long BIO_ghbn_ctrl(int cmd,int iarg,char *parg);*/
+
++#ifdef __MINGW_PRINTF_FORMAT
+ int
+ BIO_printf(BIO *bio, const char *format, ...)
++	__attribute__((__format__(__MINGW_PRINTF_FORMAT, 2, 3), __nonnull__(2)));
++int
++BIO_vprintf(BIO *bio, const char *format, va_list args)
++	__attribute__((__format__(__MINGW_PRINTF_FORMAT, 2, 0), __nonnull__(2)));
++int
++BIO_snprintf(char *buf, size_t n, const char *format, ...)
++	__attribute__((__deprecated__, __format__(__MINGW_PRINTF_FORMAT, 3, 4),
++	    __nonnull__(3)));
++int
++BIO_vsnprintf(char *buf, size_t n, const char *format, va_list args)
++	__attribute__((__deprecated__, __format__(__MINGW_PRINTF_FORMAT, 3, 0),
++	    __nonnull__(3)));
++#else
++int
++BIO_printf(BIO *bio, const char *format, ...)
+ 	__attribute__((__format__(__printf__, 2, 3), __nonnull__(2)));
+ int
+ BIO_vprintf(BIO *bio, const char *format, va_list args)
+@@ -692,6 +708,8 @@
+ BIO_vsnprintf(char *buf, size_t n, const char *format, va_list args)
+ 	__attribute__((__deprecated__, __format__(__printf__, 3, 0),
+ 	    __nonnull__(3)));
++#endif
++
+
+ /* BEGIN ERROR CODES */
+ /* The following lines are auto generated by the script mkerr.pl. Any changes

patches/http.c.patch

@@ -0,0 +1,12 @@
+--- apps/ocspcheck/http.c.orig	Sun Jun  4 00:45:29 2017
++++ apps/ocspcheck/http.c	Sun Jun  4 00:45:57 2017
+@@ -35,7 +35,9 @@
+ #include "http.h"
+ #include <tls.h>
+ 
++#ifndef DEFAULT_CA_FILE
+ #define DEFAULT_CA_FILE "/etc/ssl/cert.pem"
++#endif
+ 
+ /*
+  * A buffer for transferring HTTP/S data.

patches/netcat.c.patch

@@ -1,17 +1,6 @@
---- apps/nc/netcat.c.orig	Mon Dec 28 08:46:10 2015
-+++ apps/nc/netcat.c	Mon Dec 28 08:46:19 2015
-@@ -57,6 +57,10 @@
- #include <tls.h>
- #include "atomicio.h"
- 
-+#ifndef IPV6_TCLASS
-+#define IPV6_TCLASS -1
-+#endif
-+
- #define PORT_MAX	65535
- #define UNIX_DG_TMP_SOCKET_SIZE	19
- 
-@@ -65,7 +69,9 @@
+--- apps/nc/netcat.c.orig	Mon Jul 17 06:06:51 2017
++++ apps/nc/netcat.c	Mon Jul 17 06:11:24 2017
+@@ -66,7 +66,9 @@
  #define POLL_NETIN	2
  #define POLL_STDOUT	3
  #define BUFSIZE		16384
@@ -19,9 +8,9 @@
  #define DEFAULT_CA_FILE	"/etc/ssl/cert.pem"
 +#endif
  
- #define TLS_LEGACY	(1 << 1)
+ #define TLS_ALL	(1 << 1)
  #define TLS_NOVERIFY	(1 << 2)
-@@ -92,9 +98,13 @@
+@@ -95,9 +97,13 @@
  int	Dflag;					/* sodebug */
  int	Iflag;					/* TCP receive buffer size */
  int	Oflag;					/* TCP send buffer size */
@@ -35,16 +24,7 @@
  
  int	usetls;					/* use TLS */
  char    *Cflag;					/* Public cert file */
-@@ -150,7 +160,7 @@
- 	struct servent *sv;
- 	socklen_t len;
- 	struct sockaddr_storage cliaddr;
--	char *proxy;
-+	char *proxy = NULL;
- 	const char *errstr, *proxyhost = "", *proxyport = NULL;
- 	struct addrinfo proxyhints;
- 	char unix_dg_tmp_socket_buf[UNIX_DG_TMP_SOCKET_SIZE];
-@@ -251,12 +261,14 @@
+@@ -266,12 +272,14 @@
  		case 'u':
  			uflag = 1;
  			break;
@@ -59,9 +39,9 @@
  		case 'v':
  			vflag = 1;
  			break;
-@@ -289,9 +301,11 @@
- 				errx(1, "TCP send window %s: %s",
- 				    errstr, optarg);
+@@ -318,9 +326,11 @@
+ 		case 'o':
+ 			oflag = optarg;
  			break;
 +#ifdef TCP_MD5SIG
  		case 'S':
@@ -71,7 +51,7 @@
  		case 'T':
  			errstr = NULL;
  			errno = 0;
-@@ -315,9 +329,11 @@
+@@ -344,9 +354,11 @@
  	argc -= optind;
  	argv += optind;
  
@@ -83,31 +63,19 @@
  
  	if (family == AF_UNIX) {
  		if (pledge("stdio rpath wpath cpath tmppath unix", NULL) == -1)
-@@ -460,7 +476,10 @@
- 				errx(1, "-H and -T noverify may not be used"
- 				    "together");
- 			tls_config_insecure_noverifycert(tls_cfg);
--		}
-+		} else {
-+                        if (Rflag && access(Rflag, R_OK) == -1)
-+                                errx(1, "unable to find root CA file %s", Rflag);
-+                }
- 	}
- 	if (lflag) {
- 		struct tls *tls_cctx = NULL;
-@@ -807,7 +826,10 @@
+@@ -892,7 +904,10 @@
  remote_connect(const char *host, const char *port, struct addrinfo hints)
  {
  	struct addrinfo *res, *res0;
--	int s, error, on = 1;
-+	int s, error;
+-	int s = -1, error, on = 1, save_errno;
++	int s = -1, error, save_errno;
 +#ifdef SO_BINDANY
 +	int on = 1;
 +#endif
  
- 	if ((error = getaddrinfo(host, port, &hints, &res)))
- 		errx(1, "getaddrinfo: %s", gai_strerror(error));
-@@ -822,8 +844,10 @@
+ 	if ((error = getaddrinfo(host, port, &hints, &res0)))
+ 		errx(1, "getaddrinfo for host \"%s\" port %s: %s", host,
+@@ -907,8 +922,10 @@
  		if (sflag || pflag) {
  			struct addrinfo ahints, *ares;
  
@@ -116,22 +84,22 @@
  			setsockopt(s, SOL_SOCKET, SO_BINDANY, &on, sizeof(on));
 +#endif
  			memset(&ahints, 0, sizeof(struct addrinfo));
- 			ahints.ai_family = res0->ai_family;
+ 			ahints.ai_family = res->ai_family;
  			ahints.ai_socktype = uflag ? SOCK_DGRAM : SOCK_STREAM;
-@@ -892,7 +916,10 @@
+@@ -979,7 +996,10 @@
  local_listen(char *host, char *port, struct addrinfo hints)
  {
  	struct addrinfo *res, *res0;
--	int s, ret, x = 1;
-+	int s;
+-	int s = -1, ret, x = 1, save_errno;
++	int s = -1, save_errno;
 +#ifdef SO_REUSEPORT
 +	int ret, x = 1;
 +#endif
  	int error;
  
  	/* Allow nodename to be null. */
-@@ -914,9 +941,11 @@
- 		    res0->ai_protocol)) < 0)
+@@ -1000,9 +1020,11 @@
+ 		    res->ai_protocol)) < 0)
  			continue;
  
 +#ifdef SO_REUSEPORT
@@ -140,9 +108,9 @@
  			err(1, NULL);
 +#endif
  
- 		set_common_sockopts(s, res0->ai_family);
+ 		set_common_sockopts(s, res->ai_family);
  
-@@ -1356,11 +1385,13 @@
+@@ -1458,11 +1480,13 @@
  {
  	int x = 1;
  
@@ -156,7 +124,43 @@
  	if (Dflag) {
  		if (setsockopt(s, SOL_SOCKET, SO_DEBUG,
  			&x, sizeof(x)) == -1)
-@@ -1538,14 +1569,22 @@
+@@ -1473,9 +1497,16 @@
+ 		    IP_TOS, &Tflag, sizeof(Tflag)) == -1)
+ 			err(1, "set IP ToS");
+ 
++#ifdef IPV6_TCLASS
+ 		else if (af == AF_INET6 && setsockopt(s, IPPROTO_IPV6,
+ 		    IPV6_TCLASS, &Tflag, sizeof(Tflag)) == -1)
+ 			err(1, "set IPv6 traffic class");
++#else
++		else if (af == AF_INET6) {
++			errno = ENOPROTOOPT;
++			err(1, "set IPv6 traffic class not supported");
++		}
++#endif
+ 	}
+ 	if (Iflag) {
+ 		if (setsockopt(s, SOL_SOCKET, SO_RCVBUF,
+@@ -1499,13 +1530,17 @@
+ 	}
+ 
+ 	if (minttl != -1) {
++#ifdef IP_MINTTL
+ 		if (af == AF_INET && setsockopt(s, IPPROTO_IP,
+ 		    IP_MINTTL, &minttl, sizeof(minttl)))
+ 			err(1, "set IP min TTL");
++#endif
+ 
+-		else if (af == AF_INET6 && setsockopt(s, IPPROTO_IPV6,
++#ifdef IPV6_MINHOPCOUNT
++		if (af == AF_INET6 && setsockopt(s, IPPROTO_IPV6,
+ 		    IPV6_MINHOPCOUNT, &minttl, sizeof(minttl)))
+ 			err(1, "set IPv6 min hop count");
++#endif
+ 	}
+ }
+ 
+@@ -1714,14 +1749,22 @@
  	\t-P proxyuser\tUsername for proxy authentication\n\
  	\t-p port\t	Specify local port for remote connects\n\
  	\t-R CAfile	CA bundle\n\
@@ -181,5 +185,5 @@
 +#endif
 +	"\
  	\t-v		Verbose\n\
+ 	\t-W recvlimit	Terminate after receiving a number of packets\n\
  	\t-w timeout	Timeout for connects and final net reads\n\
- 	\t-X proto	Proxy protocol: \"4\", \"5\" (SOCKS) or \"connect\"\n\

patches/ocsp_test.c.patch

@@ -0,0 +1,14 @@
+--- tests/ocsp_test.c.orig	2016-10-18 18:12:39.854607509 +0900
++++ tests/ocsp_test.c	2016-10-18 18:14:29.261600559 +0900
+@@ -16,6 +16,11 @@
+ 	hints.ai_family = AF_INET;
+ 	hints.ai_socktype = SOCK_STREAM;
+ 
++#ifdef _MSC_VER
++	if (BIO_sock_init() != 1)
++		exit(-1);
++#endif
++
+ 	error = getaddrinfo(host, port, &hints, &res);
+ 	if (error != 0) {
+ 		perror("getaddrinfo()");

patches/openssl.c.patch

@@ -1,6 +1,6 @@
---- apps/openssl/openssl.c.orig	Sun Sep 13 09:11:31 2015
-+++ apps/openssl/openssl.c	Sun Sep 13 09:10:02 2015
-@@ -399,7 +399,9 @@
+--- apps/openssl/openssl.c.orig	Fri Nov  4 09:33:19 2016
++++ apps/openssl/openssl.c	Sat Nov  5 15:28:35 2016
+@@ -396,7 +396,9 @@
  static void
  openssl_startup(void)
  {

patches/tls.h.patch

@@ -0,0 +1,32 @@
+--- include/tls.h.orig	2017-02-13 20:19:55.918636579 +0900
++++ include/tls.h	2017-02-13 20:21:18.313073161 +0900
+@@ -22,6 +22,13 @@
+ extern "C" {
+ #endif
+ 
++#ifdef _MSC_VER
++#ifndef LIBRESSL_INTERNAL
++#include <basetsd.h>
++typedef SSIZE_T ssize_t;
++#endif
++#endif
++
+ #include <sys/types.h>
+ 
+ #include <stddef.h>
+--- libtls-standalone/include/tls.h.orig	2017-02-13 20:21:48.297958529 +0900
++++ libtls-standalone/include/tls.h	2017-02-13 20:21:48.296958502 +0900
+@@ -22,6 +22,13 @@
+ extern "C" {
+ #endif
+ 
++#ifdef _MSC_VER
++#ifndef LIBRESSL_INTERNAL
++#include <basetsd.h>
++typedef SSIZE_T ssize_t;
++#endif
++#endif
++
+ #include <sys/types.h>
+ 
+ #include <stddef.h>

patches/tls_internal.h.patch

@@ -1,12 +1,12 @@
---- ./openbsd/src/lib/libtls/tls_internal.h	Thu Oct 15 16:12:24 2015
-+++ ./tls/tls_internal.h	Sun Dec  6 20:18:17 2015
-@@ -24,7 +24,9 @@
+--- tls/tls_internal.h.orig	Sun Jul  9 06:16:17 2017
++++ tls/tls_internal.h	Mon Jul 17 06:10:01 2017
+@@ -26,7 +26,9 @@
  
- #include <openssl/ssl.h>
+ __BEGIN_HIDDEN_DECLS
  
 +#ifndef _PATH_SSL_CA_FILE
  #define _PATH_SSL_CA_FILE "/etc/ssl/cert.pem"
 +#endif
  
- #define TLS_CIPHERS_COMPAT	"ALL:!aNULL:!eNULL"
  #define TLS_CIPHERS_DEFAULT	"TLSv1.2+AEAD+ECDHE:TLSv1.2+AEAD+DHE"
+ #define TLS_CIPHERS_COMPAT	"HIGH:!aNULL"

patches/tlsexttest.c.patch

@@ -0,0 +1,111 @@
+--- tests/tlsexttest.c.orig	2017-12-30 20:03:09.279079726 +0900
++++ tests/tlsexttest.c	2017-12-30 20:07:21.849939140 +0900
+@@ -1676,7 +1676,9 @@ static unsigned char tlsext_sni_clienthe
+ };
+ 
+ static unsigned char tlsext_sni_serverhello[] = {
++	0x00
+ };
++const size_t sizeof_tlsext_sni_serverhello = 0;
+ 
+ static int
+ test_tlsext_sni_clienthello(void)
+@@ -1839,9 +1841,9 @@ test_tlsext_sni_serverhello(void)
+ 	if (!CBB_finish(&cbb, &data, &dlen))
+ 		errx(1, "failed to finish CBB");
+ 
+-	if (dlen != sizeof(tlsext_sni_serverhello)) {
++	if (dlen != sizeof_tlsext_sni_serverhello) {
+ 		FAIL("got serverhello SNI with length %zu, "
+-		    "want length %zu\n", dlen, sizeof(tlsext_sni_serverhello));
++		    "want length %zu\n", dlen, sizeof_tlsext_sni_serverhello);
+ 		goto err;
+ 	}
+ 
+@@ -1850,14 +1852,14 @@ test_tlsext_sni_serverhello(void)
+ 		fprintf(stderr, "received:\n");
+ 		hexdump(data, dlen);
+ 		fprintf(stderr, "test data:\n");
+-		hexdump(tlsext_sni_serverhello, sizeof(tlsext_sni_serverhello));
++		hexdump(tlsext_sni_serverhello, sizeof_tlsext_sni_serverhello);
+ 		goto err;
+ 	}
+ 
+ 	free(ssl->session->tlsext_hostname);
+ 	ssl->session->tlsext_hostname = NULL;
+ 
+-	CBS_init(&cbs, tlsext_sni_serverhello, sizeof(tlsext_sni_serverhello));
++	CBS_init(&cbs, tlsext_sni_serverhello, sizeof_tlsext_sni_serverhello);
+ 	if (!tlsext_sni_serverhello_parse(ssl, &cbs, &alert)) {
+ 		FAIL("failed to parse serverhello SNI\n");
+ 		goto err;
+@@ -2741,7 +2743,10 @@ unsigned char tlsext_clienthello_default
+ 	0x03, 0x01, 0x03, 0x03, 0x02, 0x01, 0x02, 0x03,
+ };
+ 
+-unsigned char tlsext_clienthello_disabled[] = {};
++unsigned char tlsext_clienthello_disabled[] = {
++	0x00
++};
++const size_t sizeof_tlsext_clienthello_disabled = 0;
+ 
+ static int
+ test_tlsext_clienthello_build(void)
+@@ -2806,18 +2811,18 @@ test_tlsext_clienthello_build(void)
+ 	if (!CBB_finish(&cbb, &data, &dlen))
+ 		errx(1, "failed to finish CBB");
+ 
+-	if (dlen != sizeof(tlsext_clienthello_disabled)) {
++	if (dlen != sizeof_tlsext_clienthello_disabled) {
+ 		FAIL("got clienthello extensions with length %zu, "
+ 		    "want length %zu\n", dlen,
+-		    sizeof(tlsext_clienthello_disabled));
++		    sizeof_tlsext_clienthello_disabled);
+ 		compare_data(data, dlen, tlsext_clienthello_disabled,
+-		    sizeof(tlsext_clienthello_disabled));
++		    sizeof_tlsext_clienthello_disabled);
+ 		goto err;
+ 	}
+ 	if (memcmp(data, tlsext_clienthello_disabled, dlen) != 0) {
+ 		FAIL("clienthello extensions differs:\n");
+ 		compare_data(data, dlen, tlsext_clienthello_disabled,
+-		    sizeof(tlsext_clienthello_disabled));
++		    sizeof_tlsext_clienthello_disabled);
+ 		goto err;
+ 	}
+ 
+@@ -2832,7 +2837,10 @@ test_tlsext_clienthello_build(void)
+ 	return (failure);
+ }
+ 
+-unsigned char tlsext_serverhello_default[] = {};
++unsigned char tlsext_serverhello_default[] = {
++	0x00
++};
++const size_t sizeof_tlsext_serverhello_default = 0;
+ 
+ unsigned char tlsext_serverhello_enabled[] = {
+ 	0x00, 0x13, 0xff, 0x01, 0x00, 0x01, 0x00, 0x00,
+@@ -2872,18 +2880,18 @@ test_tlsext_serverhello_build(void)
+ 	if (!CBB_finish(&cbb, &data, &dlen))
+ 		errx(1, "failed to finish CBB");
+ 
+-	if (dlen != sizeof(tlsext_serverhello_default)) {
++	if (dlen != sizeof_tlsext_serverhello_default) {
+ 		FAIL("got serverhello extensions with length %zu, "
+ 		    "want length %zu\n", dlen,
+-		    sizeof(tlsext_serverhello_default));
++		    sizeof_tlsext_serverhello_default);
+ 		compare_data(data, dlen, tlsext_serverhello_default,
+-		    sizeof(tlsext_serverhello_default));
++		    sizeof_tlsext_serverhello_default);
+ 		goto err;
+ 	}
+ 	if (memcmp(data, tlsext_serverhello_default, dlen) != 0) {
+ 		FAIL("serverhello extensions differs:\n");
+ 		compare_data(data, dlen, tlsext_serverhello_default,
+-		    sizeof(tlsext_serverhello_default));
++		    sizeof_tlsext_serverhello_default);
+ 		goto err;
+ 	}
+ 

patches/windows_headers.patch

@@ -13,9 +13,8 @@ diff -u include/openssl.orig/dtls1.h include/openssl/dtls1.h
 
  #include <stdio.h>
  #include <stdlib.h>
-diff -u include/openssl.orig/opensslconf.h include/openssl/opensslconf.h
---- include/openssl.orig/opensslconf.h	Mon Dec  7 07:58:32 2015
-+++ include/openssl/opensslconf.h	Mon Dec  7 07:56:14 2015
+--- include/openssl/opensslconf.h.orig	Sat Nov  5 08:36:25 2016
++++ include/openssl/opensslconf.h	Mon Jul 17 06:06:58 2017
 @@ -1,6 +1,10 @@
  #include <openssl/opensslfeatures.h>
  /* crypto/opensslconf.h.in */
@@ -24,9 +23,9 @@ diff -u include/openssl.orig/opensslconf.h include/openssl/opensslconf.h
 +#define __attribute__(a)
 +#endif
 +
- /* Generate 80386 code? */
- #undef I386_ONLY
- 
+ #if defined(HEADER_CRYPTLIB_H) && !defined(OPENSSLDIR)
+ #define OPENSSLDIR "/etc/ssl"
+ #endif
 diff -u include/openssl.orig/ossl_typ.h include/openssl/ossl_typ.h
 --- include/openssl.orig/ossl_typ.h	Mon Dec  7 07:58:32 2015
 +++ include/openssl/ossl_typ.h	Mon Dec  7 07:56:14 2015

scripts/travis

@@ -21,9 +21,6 @@ if [ "x$ARCH" = "xnative" ]; then
 		make
 		make test
 	else
-		sudo apt-get update
-		sudo apt-get install -y python-software-properties
-		sudo apt-add-repository -y ppa:kalakris/cmake
 		sudo apt-get update
 		sudo apt-get install -y cmake ninja-build
 		cmake -GNinja ..
@@ -38,12 +35,8 @@ else
 	export CC=$CPU-w64-mingw32-gcc
 
 	if [ -z $(which $CC) ]; then
-		# Update Ubuntu 12.04 with current mingw toolchain
 		sudo apt-get update
-		sudo apt-get install -y python-software-properties
-		sudo apt-add-repository -y ppa:tobydox/mingw-x-precise
-		sudo apt-get update
-		sudo apt-get install -y $ARCH-x-gcc make
+		sudo apt-get install -y mingw-w64 make
 		export PATH=$PATH:/opt/$ARCH/bin
 	fi
 

ssl/CMakeLists.txt

@@ -19,47 +19,54 @@ set(
 	d1_srtp.c
 	d1_srvr.c
 	pqueue.c
-	s23_clnt.c
-	s23_lib.c
-	s23_pkt.c
-	s23_srvr.c
-	s3_both.c
 	s3_cbc.c
-	s3_clnt.c
 	s3_lib.c
-	s3_pkt.c
-	s3_srvr.c
 	ssl_algs.c
 	ssl_asn1.c
+	ssl_both.c
 	ssl_cert.c
 	ssl_ciph.c
+	ssl_clnt.c
 	ssl_err.c
-	ssl_err2.c
 	ssl_lib.c
+	ssl_packet.c
+	ssl_pkt.c
 	ssl_rsa.c
 	ssl_sess.c
+	ssl_srvr.c
 	ssl_stat.c
+	ssl_tlsext.c
 	ssl_txt.c
+	ssl_versions.c
 	t1_clnt.c
 	t1_enc.c
+	t1_hash.c
 	t1_lib.c
 	t1_meth.c
-	t1_reneg.c
 	t1_srvr.c
 )
 
+add_library(ssl-objects OBJECT ${SSL_SRC})
 if (BUILD_SHARED)
-	add_library(ssl-objects OBJECT ${SSL_SRC})
 	add_library(ssl STATIC $<TARGET_OBJECTS:ssl-objects>)
 	add_library(ssl-shared SHARED $<TARGET_OBJECTS:ssl-objects>)
-	if (MSVC)
-		target_link_libraries(ssl-shared crypto-shared Ws2_32.lib)
+	export_symbol(ssl-shared ${CMAKE_CURRENT_SOURCE_DIR}/ssl.sym)
+	target_link_libraries(ssl-shared crypto-shared)
+	if (WIN32)
+		target_link_libraries(ssl-shared Ws2_32.lib)
+		set(SSL_POSTFIX -${SSL_MAJOR_VERSION})
 	endif()
-	set_target_properties(ssl-shared PROPERTIES OUTPUT_NAME ssl)
+	set_target_properties(ssl-shared PROPERTIES
+		OUTPUT_NAME ssl${SSL_POSTFIX}
+		ARCHIVE_OUTPUT_NAME ssl${SSL_POSTFIX})
 	set_target_properties(ssl-shared PROPERTIES VERSION ${SSL_VERSION}
 		SOVERSION ${SSL_MAJOR_VERSION})
-	install(TARGETS ssl ssl-shared DESTINATION lib)
+	if(ENABLE_LIBRESSL_INSTALL)
+		install(TARGETS ssl ssl-shared DESTINATION ${CMAKE_INSTALL_LIBDIR})
+	endif(ENABLE_LIBRESSL_INSTALL)
 else()
 	add_library(ssl STATIC ${SSL_SRC})
-	install(TARGETS ssl DESTINATION lib)
+	if(ENABLE_LIBRESSL_INSTALL)
+		install(TARGETS ssl DESTINATION ${CMAKE_INSTALL_LIBDIR})
+	endif(ENABLE_LIBRESSL_INSTALL)
 endif()

ssl/Makefile.am

@@ -4,8 +4,9 @@ lib_LTLIBRARIES = libssl.la
 
 EXTRA_DIST = VERSION
 EXTRA_DIST += CMakeLists.txt
+EXTRA_DIST += ssl.sym
 
-libssl_la_LDFLAGS = -version-info @LIBSSL_VERSION@ -no-undefined
+libssl_la_LDFLAGS = -version-info @LIBSSL_VERSION@ -no-undefined -export-symbols $(top_srcdir)/ssl/ssl.sym
 libssl_la_LIBADD = $(abs_top_builddir)/crypto/libcrypto.la
 
 libssl_la_SOURCES = bio_ssl.c
@@ -21,34 +22,33 @@ libssl_la_SOURCES += d1_pkt.c
 libssl_la_SOURCES += d1_srtp.c
 libssl_la_SOURCES += d1_srvr.c
 libssl_la_SOURCES += pqueue.c
-libssl_la_SOURCES += s23_clnt.c
-libssl_la_SOURCES += s23_lib.c
-libssl_la_SOURCES += s23_pkt.c
-libssl_la_SOURCES += s23_srvr.c
-libssl_la_SOURCES += s3_both.c
 libssl_la_SOURCES += s3_cbc.c
-libssl_la_SOURCES += s3_clnt.c
 libssl_la_SOURCES += s3_lib.c
-libssl_la_SOURCES += s3_pkt.c
-libssl_la_SOURCES += s3_srvr.c
 libssl_la_SOURCES += ssl_algs.c
 libssl_la_SOURCES += ssl_asn1.c
+libssl_la_SOURCES += ssl_both.c
 libssl_la_SOURCES += ssl_cert.c
 libssl_la_SOURCES += ssl_ciph.c
+libssl_la_SOURCES += ssl_clnt.c
 libssl_la_SOURCES += ssl_err.c
-libssl_la_SOURCES += ssl_err2.c
 libssl_la_SOURCES += ssl_lib.c
+libssl_la_SOURCES += ssl_packet.c
+libssl_la_SOURCES += ssl_pkt.c
 libssl_la_SOURCES += ssl_rsa.c
 libssl_la_SOURCES += ssl_sess.c
+libssl_la_SOURCES += ssl_srvr.c
 libssl_la_SOURCES += ssl_stat.c
+libssl_la_SOURCES += ssl_tlsext.c
 libssl_la_SOURCES += ssl_txt.c
+libssl_la_SOURCES += ssl_versions.c
 libssl_la_SOURCES += t1_clnt.c
 libssl_la_SOURCES += t1_enc.c
+libssl_la_SOURCES += t1_hash.c
 libssl_la_SOURCES += t1_lib.c
 libssl_la_SOURCES += t1_meth.c
-libssl_la_SOURCES += t1_reneg.c
 libssl_la_SOURCES += t1_srvr.c
 
 noinst_HEADERS = srtp.h
 noinst_HEADERS += ssl_locl.h
+noinst_HEADERS += ssl_tlsext.h
 noinst_HEADERS += bytestring.h

tap-driver.sh

@@ -1,5 +1,5 @@
 #! /bin/sh
-# Copyright (C) 2011-2014 Free Software Foundation, Inc.
+# Copyright (C) 2011-2017 Free Software Foundation, Inc.
 #
 # This program is free software; you can redistribute it and/or modify
 # it under the terms of the GNU General Public License as published by
@@ -646,6 +646,6 @@ test $? -eq 0 || fatal "I/O or internal error"
 # eval: (add-hook 'write-file-hooks 'time-stamp)
 # time-stamp-start: "scriptversion="
 # time-stamp-format: "%:y-%02m-%02d.%02H"
-# time-stamp-time-zone: "UTC"
+# time-stamp-time-zone: "UTC0"
 # time-stamp-end: "; # UTC"
 # End:

tests/CMakeLists.txt

@@ -9,274 +9,433 @@ include_directories(
 	../apps/openssl/compat
 )
 
-set(ENV{srcdir} ${CMAKE_CURRENT_SOURCE_DIR})
+add_definitions(-D_PATH_SSL_CA_FILE=\"${CMAKE_CURRENT_SOURCE_DIR}/../apps/openssl/cert.pem\")
+
+foreach(lib IN LISTS OPENSSL_LIBS)
+	if(${lib} STREQUAL "tls-shared")
+		set(TESTS_LIBS ${TESTS_LIBS} tls)
+	elseif(${lib} STREQUAL "ssl-shared")
+		set(TESTS_LIBS ${TESTS_LIBS} ssl)
+	elseif(${lib} STREQUAL "crypto-shared")
+		set(TESTS_LIBS ${TESTS_LIBS} crypto)
+	else()
+		set(TESTS_LIBS ${TESTS_LIBS} ${lib})
+	endif()
+endforeach()
 
 # aeadtest
-#add_executable(aeadtest aeadtest.c)
-#target_link_libraries(aeadtest ${OPENSSL_LIBS})
-#add_test(aeadtest aeadtest.sh)
-#configure_file(aeadtests.txt aeadtests.txt COPYONLY)
-#configure_file(aeadtest.sh aeadtest.sh COPYONLY)
+add_executable(aeadtest aeadtest.c)
+target_link_libraries(aeadtest ${TESTS_LIBS})
+add_test(aeadtest aeadtest ${CMAKE_CURRENT_SOURCE_DIR}/aeadtests.txt)
 
 # aes_wrap
 add_executable(aes_wrap aes_wrap.c)
-target_link_libraries(aes_wrap ${OPENSSL_LIBS})
+target_link_libraries(aes_wrap ${TESTS_LIBS})
 add_test(aes_wrap aes_wrap)
 
 # arc4randomforktest
 # Windows/mingw does not have fork, but Cygwin does.
-if(NOT CMAKE_HOST_WIN32)
-add_executable(arc4randomforktest arc4randomforktest.c)
-target_link_libraries(arc4randomforktest ${OPENSSL_LIBS})
-add_test(arc4randomforktest ${CMAKE_CURRENT_SOURCE_DIR}/arc4randomforktest.sh)
+if(NOT CMAKE_HOST_WIN32 AND NOT CMAKE_SYSTEM_NAME MATCHES "MINGW")
+	add_executable(arc4randomforktest arc4randomforktest.c)
+	target_link_libraries(arc4randomforktest ${TESTS_LIBS})
+	add_test(arc4randomforktest ${CMAKE_CURRENT_SOURCE_DIR}/arc4randomforktest.sh)
 endif()
 
+# asn1evp
+add_executable(asn1evp asn1evp.c)
+target_link_libraries(asn1evp ${TESTS_LIBS})
+add_test(asn1evp asn1evp)
+
 # asn1test
 add_executable(asn1test asn1test.c)
-target_link_libraries(asn1test ${OPENSSL_LIBS})
+target_link_libraries(asn1test ${TESTS_LIBS})
 add_test(asn1test asn1test)
 
 # asn1time
 add_executable(asn1time asn1time.c)
-target_link_libraries(asn1time ${OPENSSL_LIBS})
+target_link_libraries(asn1time ${TESTS_LIBS})
 add_test(asn1time asn1time)
 
 # base64test
 add_executable(base64test base64test.c)
-target_link_libraries(base64test ${OPENSSL_LIBS})
+target_link_libraries(base64test ${TESTS_LIBS})
 add_test(base64test base64test)
 
 # bftest
 add_executable(bftest bftest.c)
-target_link_libraries(bftest ${OPENSSL_LIBS})
+target_link_libraries(bftest ${TESTS_LIBS})
 add_test(bftest bftest)
 
+# biotest
+# the BIO tests rely on resolver results that are OS and environment-specific
+if(ENABLE_EXTRATESTS)
+	add_executable(biotest biotest.c)
+	target_link_libraries(biotest ${TESTS_LIBS})
+	add_test(biotest biotest)
+endif()
+
 # bntest
 add_executable(bntest bntest.c)
-target_link_libraries(bntest ${OPENSSL_LIBS})
+set_source_files_properties(bntest.c PROPERTIES COMPILE_FLAGS -ULIBRESSL_INTERNAL)
+target_link_libraries(bntest ${TESTS_LIBS})
 add_test(bntest bntest)
 
 # bytestringtest
 add_executable(bytestringtest bytestringtest.c)
-target_link_libraries(bytestringtest ${OPENSSL_LIBS})
+target_link_libraries(bytestringtest ${TESTS_LIBS})
 add_test(bytestringtest bytestringtest)
 
 # casttest
 add_executable(casttest casttest.c)
-target_link_libraries(casttest ${OPENSSL_LIBS})
+target_link_libraries(casttest ${TESTS_LIBS})
 add_test(casttest casttest)
 
 # chachatest
 add_executable(chachatest chachatest.c)
-target_link_libraries(chachatest ${OPENSSL_LIBS})
+target_link_libraries(chachatest ${TESTS_LIBS})
 add_test(chachatest chachatest)
 
 # cipher_list
 add_executable(cipher_list cipher_list.c)
-target_link_libraries(cipher_list ${OPENSSL_LIBS})
+target_link_libraries(cipher_list ${TESTS_LIBS})
 add_test(cipher_list cipher_list)
 
 # cipherstest
 add_executable(cipherstest cipherstest.c)
-target_link_libraries(cipherstest ${OPENSSL_LIBS})
+target_link_libraries(cipherstest ${TESTS_LIBS})
 add_test(cipherstest cipherstest)
 
 # clienttest
 add_executable(clienttest clienttest.c)
-target_link_libraries(clienttest ${OPENSSL_LIBS})
+target_link_libraries(clienttest ${TESTS_LIBS})
 add_test(clienttest clienttest)
 
+# configtest
+add_executable(configtest configtest.c)
+target_link_libraries(configtest ${TESTS_LIBS})
+add_test(configtest configtest)
+
 # cts128test
 add_executable(cts128test cts128test.c)
-target_link_libraries(cts128test ${OPENSSL_LIBS})
+target_link_libraries(cts128test ${TESTS_LIBS})
 add_test(cts128test cts128test)
 
 # destest
 add_executable(destest destest.c)
-target_link_libraries(destest ${OPENSSL_LIBS})
+target_link_libraries(destest ${TESTS_LIBS})
 add_test(destest destest)
 
 # dhtest
 add_executable(dhtest dhtest.c)
-target_link_libraries(dhtest ${OPENSSL_LIBS})
+target_link_libraries(dhtest ${TESTS_LIBS})
 add_test(dhtest dhtest)
 
 # dsatest
 add_executable(dsatest dsatest.c)
-target_link_libraries(dsatest ${OPENSSL_LIBS})
+target_link_libraries(dsatest ${TESTS_LIBS})
 add_test(dsatest dsatest)
 
 # ecdhtest
 add_executable(ecdhtest ecdhtest.c)
-target_link_libraries(ecdhtest ${OPENSSL_LIBS})
+target_link_libraries(ecdhtest ${TESTS_LIBS})
 add_test(ecdhtest ecdhtest)
 
 # ecdsatest
 add_executable(ecdsatest ecdsatest.c)
-target_link_libraries(ecdsatest ${OPENSSL_LIBS})
+target_link_libraries(ecdsatest ${TESTS_LIBS})
 add_test(ecdsatest ecdsatest)
 
 # ectest
 add_executable(ectest ectest.c)
-target_link_libraries(ectest ${OPENSSL_LIBS})
+target_link_libraries(ectest ${TESTS_LIBS})
 add_test(ectest ectest)
 
 # enginetest
 add_executable(enginetest enginetest.c)
-target_link_libraries(enginetest ${OPENSSL_LIBS})
+target_link_libraries(enginetest ${TESTS_LIBS})
 add_test(enginetest enginetest)
 
 # evptest
-#add_executable(evptest evptest.c)
-#target_link_libraries(evptest ${OPENSSL_LIBS})
-#add_test(evptest ${CMAKE_CURRENT_SOURCE_DIR}/evptest.sh)
+add_executable(evptest evptest.c)
+target_link_libraries(evptest ${TESTS_LIBS})
+add_test(evptest evptest ${CMAKE_CURRENT_SOURCE_DIR}/evptests.txt)
 
 # explicit_bzero
 # explicit_bzero relies on SA_ONSTACK, which is unavailable on Windows
 if(NOT CMAKE_HOST_WIN32)
-add_executable(explicit_bzero explicit_bzero.c)
-target_link_libraries(explicit_bzero ${OPENSSL_LIBS})
-add_test(explicit_bzero explicit_bzero)
-#if !HAVE_MEMMEM
-#explicit_bzero_SOURCES += memmem.c
-#endif
+	if(HAVE_MEMMEM)
+		add_executable(explicit_bzero explicit_bzero.c)
+	else()
+		add_executable(explicit_bzero explicit_bzero.c compat/memmem.c)
+	endif()
+	target_link_libraries(explicit_bzero ${TESTS_LIBS})
+	add_test(explicit_bzero explicit_bzero)
 endif()
 
 # exptest
 add_executable(exptest exptest.c)
-target_link_libraries(exptest ${OPENSSL_LIBS})
+set_source_files_properties(exptest.c PROPERTIES COMPILE_FLAGS -ULIBRESSL_INTERNAL)
+target_link_libraries(exptest ${TESTS_LIBS})
 add_test(exptest exptest)
 
+# freenull
+add_executable(freenull freenull.c)
+target_link_libraries(freenull ${TESTS_LIBS})
+add_test(freenull freenull)
+
 # gcm128test
 add_executable(gcm128test gcm128test.c)
-target_link_libraries(gcm128test ${OPENSSL_LIBS})
+target_link_libraries(gcm128test ${TESTS_LIBS})
 add_test(gcm128test gcm128test)
 
 # gost2814789t
 add_executable(gost2814789t gost2814789t.c)
-target_link_libraries(gost2814789t ${OPENSSL_LIBS})
+target_link_libraries(gost2814789t ${TESTS_LIBS})
 add_test(gost2814789t gost2814789t)
 
+# hkdf_test
+add_executable(hkdf_test hkdf_test.c)
+target_link_libraries(hkdf_test ${TESTS_LIBS})
+add_test(hkdf_test hkdf_test)
+
 # hmactest
 add_executable(hmactest hmactest.c)
-target_link_libraries(hmactest ${OPENSSL_LIBS})
+target_link_libraries(hmactest ${TESTS_LIBS})
 add_test(hmactest hmactest)
 
 # ideatest
 add_executable(ideatest ideatest.c)
-target_link_libraries(ideatest ${OPENSSL_LIBS})
+target_link_libraries(ideatest ${TESTS_LIBS})
 add_test(ideatest ideatest)
 
 # igetest
 add_executable(igetest igetest.c)
-target_link_libraries(igetest ${OPENSSL_LIBS})
+target_link_libraries(igetest ${TESTS_LIBS})
 add_test(igetest igetest)
 
 # md4test
 add_executable(md4test md4test.c)
-target_link_libraries(md4test ${OPENSSL_LIBS})
+target_link_libraries(md4test ${TESTS_LIBS})
 add_test(md4test md4test)
 
 # md5test
 add_executable(md5test md5test.c)
-target_link_libraries(md5test ${OPENSSL_LIBS})
+target_link_libraries(md5test ${TESTS_LIBS})
 add_test(md5test md5test)
 
 # mont
 add_executable(mont mont.c)
-target_link_libraries(mont ${OPENSSL_LIBS})
+target_link_libraries(mont ${TESTS_LIBS})
 add_test(mont mont)
 
+# ocsp_test
+if(ENABLE_EXTRATESTS)
+	add_executable(ocsp_test ocsp_test.c)
+	target_link_libraries(ocsp_test ${TESTS_LIBS})
+	if(NOT MSVC)
+		add_test(ocsptest ${CMAKE_CURRENT_SOURCE_DIR}/ocsptest.sh)
+	else()
+		add_test(ocsptest ${CMAKE_CURRENT_SOURCE_DIR}/ocsptest.bat)
+	endif()
+endif()
+
 # optionstest
 add_executable(optionstest optionstest.c)
-target_link_libraries(optionstest ${OPENSSL_LIBS})
+target_link_libraries(optionstest ${TESTS_LIBS})
 add_test(optionstest optionstest)
 
 # pbkdf2
 add_executable(pbkdf2 pbkdf2.c)
-target_link_libraries(pbkdf2 ${OPENSSL_LIBS})
+target_link_libraries(pbkdf2 ${TESTS_LIBS})
 add_test(pbkdf2 pbkdf2)
 
+# pidwraptest
+# pidwraptest relies on an OS-specific way to give out pids and is generally
+# awkward on systems with slow fork
+if(ENABLE_EXTRATESTS AND NOT MSVC)
+	add_executable(pidwraptest pidwraptest.c)
+	target_link_libraries(pidwraptest ${TESTS_LIBS})
+	add_test(pidwraptest ${CMAKE_CURRENT_SOURCE_DIR}/pidwraptest.sh)
+endif()
+
 # pkcs7test
 add_executable(pkcs7test pkcs7test.c)
-target_link_libraries(pkcs7test ${OPENSSL_LIBS})
+target_link_libraries(pkcs7test ${TESTS_LIBS})
 add_test(pkcs7test pkcs7test)
 
 # poly1305test
 add_executable(poly1305test poly1305test.c)
-target_link_libraries(poly1305test ${OPENSSL_LIBS})
+target_link_libraries(poly1305test ${TESTS_LIBS})
 add_test(poly1305test poly1305test)
 
 # pq_test
-#add_executable(pq_test pq_test.c)
-#target_link_libraries(pq_test ${OPENSSL_LIBS})
-#add_test(pq_test ${CMAKE_CURRENT_SOURCE_DIR}/pq_test.sh)
+add_executable(pq_test pq_test.c)
+target_link_libraries(pq_test ${TESTS_LIBS})
+if(NOT MSVC)
+	add_test(pq_test ${CMAKE_CURRENT_SOURCE_DIR}/pq_test.sh)
+else()
+	add_test(pq_test ${CMAKE_CURRENT_SOURCE_DIR}/pq_test.bat)
+endif()
+set_tests_properties(pq_test PROPERTIES ENVIRONMENT "srcdir=${CMAKE_CURRENT_SOURCE_DIR}")
 
 # randtest
 add_executable(randtest randtest.c)
-target_link_libraries(randtest ${OPENSSL_LIBS})
+target_link_libraries(randtest ${TESTS_LIBS})
 add_test(randtest randtest)
 
 # rc2test
 add_executable(rc2test rc2test.c)
-target_link_libraries(rc2test ${OPENSSL_LIBS})
+target_link_libraries(rc2test ${TESTS_LIBS})
 add_test(rc2test rc2test)
 
 # rc4test
 add_executable(rc4test rc4test.c)
-target_link_libraries(rc4test ${OPENSSL_LIBS})
+target_link_libraries(rc4test ${TESTS_LIBS})
 add_test(rc4test rc4test)
 
 # rfc5280time
 add_executable(rfc5280time rfc5280time.c)
-target_link_libraries(rfc5280time ${OPENSSL_LIBS})
-add_test(rfc5280time rfc5280time)
+target_link_libraries(rfc5280time ${TESTS_LIBS})
+if(SMALL_TIME_T)
+	add_test(rfc5280time ${CMAKE_CURRENT_SOURCE_DIR}/rfc5280time_small.test)
+else()
+	add_test(rfc5280time rfc5280time)
+endif()
 
 # rmdtest
 add_executable(rmdtest rmdtest.c)
-target_link_libraries(rmdtest ${OPENSSL_LIBS})
+target_link_libraries(rmdtest ${TESTS_LIBS})
 add_test(rmdtest rmdtest)
 
+# rsa_test
+add_executable(rsa_test rsa_test.c)
+target_link_libraries(rsa_test ${TESTS_LIBS})
+add_test(rsa_test rsa_test)
+
+# servertest
+add_executable(servertest servertest.c)
+target_link_libraries(servertest ${TESTS_LIBS})
+if(NOT MSVC)
+	add_test(servertest ${CMAKE_CURRENT_SOURCE_DIR}/servertest.sh)
+else()
+	add_test(servertest ${CMAKE_CURRENT_SOURCE_DIR}/servertest.bat)
+endif()
+set_tests_properties(servertest PROPERTIES ENVIRONMENT "srcdir=${CMAKE_CURRENT_SOURCE_DIR}")
+
 # sha1test
 add_executable(sha1test sha1test.c)
-target_link_libraries(sha1test ${OPENSSL_LIBS})
+target_link_libraries(sha1test ${TESTS_LIBS})
 add_test(sha1test sha1test)
 
 # sha256test
 add_executable(sha256test sha256test.c)
-target_link_libraries(sha256test ${OPENSSL_LIBS})
+target_link_libraries(sha256test ${TESTS_LIBS})
 add_test(sha256test sha256test)
 
 # sha512test
 add_executable(sha512test sha512test.c)
-target_link_libraries(sha512test ${OPENSSL_LIBS})
+target_link_libraries(sha512test ${TESTS_LIBS})
 add_test(sha512test sha512test)
 
+# ssl_versions
+add_executable(ssl_versions ssl_versions.c)
+target_link_libraries(ssl_versions ${TESTS_LIBS})
+add_test(ssl_versions ssl_versions)
+
 # ssltest
-#add_executable(ssltest ssltest.c)
-#target_link_libraries(ssltest ${OPENSSL_LIBS})
-#add_test(ssltest ${CMAKE_CURRENT_SOURCE_DIR}/ssltest.sh)
+add_executable(ssltest ssltest.c)
+target_link_libraries(ssltest ${TESTS_LIBS})
+if(NOT MSVC)
+	add_test(ssltest ${CMAKE_CURRENT_SOURCE_DIR}/ssltest.sh)
+else()
+	add_test(ssltest ${CMAKE_CURRENT_SOURCE_DIR}/ssltest.bat)
+endif()
+set_tests_properties(ssltest PROPERTIES ENVIRONMENT "srcdir=${CMAKE_CURRENT_SOURCE_DIR}")
 
 # testdsa
-#add_test(testdsa ${CMAKE_CURRENT_SOURCE_DIR}/testdsa.sh)
+if(NOT MSVC)
+	add_test(testdsa ${CMAKE_CURRENT_SOURCE_DIR}/testdsa.sh)
+else()
+	add_test(testdsa ${CMAKE_CURRENT_SOURCE_DIR}/testdsa.bat)
+endif()
+set_tests_properties(testdsa PROPERTIES ENVIRONMENT "srcdir=${CMAKE_CURRENT_SOURCE_DIR}")
 
 # testenc
-add_test(testenc ${CMAKE_CURRENT_SOURCE_DIR}/testenc.sh)
+if(NOT MSVC)
+	add_test(testenc ${CMAKE_CURRENT_SOURCE_DIR}/testenc.sh)
+else()
+	add_test(testenc ${CMAKE_CURRENT_SOURCE_DIR}/testenc.bat)
+endif()
+set_tests_properties(testenc PROPERTIES ENVIRONMENT "srcdir=${CMAKE_CURRENT_SOURCE_DIR}")
 
 # testrsa
-#add_test(testrsa ${CMAKE_CURRENT_SOURCE_DIR}/testrsa.sh)
+if(NOT MSVC)
+	add_test(testrsa ${CMAKE_CURRENT_SOURCE_DIR}/testrsa.sh)
+else()
+	add_test(testrsa ${CMAKE_CURRENT_SOURCE_DIR}/testrsa.bat)
+endif()
+set_tests_properties(testrsa PROPERTIES ENVIRONMENT "srcdir=${CMAKE_CURRENT_SOURCE_DIR}")
 
 # timingsafe
 add_executable(timingsafe timingsafe.c)
-target_link_libraries(timingsafe ${OPENSSL_LIBS})
+target_link_libraries(timingsafe ${TESTS_LIBS})
 add_test(timingsafe timingsafe)
 
+# tlsexttest
+add_executable(tlsexttest tlsexttest.c)
+target_link_libraries(tlsexttest ${TESTS_LIBS})
+add_test(tlsexttest tlsexttest)
+
+# tlstest
+set(TLSTEST_SRC tlstest.c)
+check_function_exists(pipe2 HAVE_PIPE2)
+if(HAVE_PIPE2)
+	add_definitions(-DHAVE_PIPE2)
+else()
+	set(TLSTEST_SRC ${TLSTEST_SRC} compat/pipe2.c)
+endif()
+
+add_executable(tlstest ${TLSTEST_SRC})
+target_link_libraries(tlstest ${TESTS_LIBS})
+if(NOT MSVC)
+	add_test(tlstest ${CMAKE_CURRENT_SOURCE_DIR}/tlstest.sh)
+else()
+	add_test(tlstest ${CMAKE_CURRENT_SOURCE_DIR}/tlstest.bat)
+endif()
+set_tests_properties(tlstest PROPERTIES ENVIRONMENT "srcdir=${CMAKE_CURRENT_SOURCE_DIR}")
+
+# tls_ext_alpn
+add_executable(tls_ext_alpn tls_ext_alpn.c)
+target_link_libraries(tls_ext_alpn ${TESTS_LIBS})
+add_test(tls_ext_alpn tls_ext_alpn)
+
+# tls_prf
+add_executable(tls_prf tls_prf.c)
+target_link_libraries(tls_prf ${TESTS_LIBS})
+add_test(tls_prf tls_prf)
+
 # utf8test
 add_executable(utf8test utf8test.c)
-target_link_libraries(utf8test ${OPENSSL_LIBS})
+target_link_libraries(utf8test ${TESTS_LIBS})
 add_test(utf8test utf8test)
 
 # verifytest
 add_executable(verifytest verifytest.c)
-target_link_libraries(verifytest tls ${OPENSSL_LIBS})
+target_link_libraries(verifytest tls ${TESTS_LIBS})
 add_test(verifytest verifytest)
+
+# x25519test
+add_executable(x25519test x25519test.c)
+target_link_libraries(x25519test ${TESTS_LIBS})
+add_test(x25519test x25519test)
+
+if(ENABLE_VSTEST AND USE_SHARED)
+	add_custom_command(TARGET x25519test POST_BUILD
+		COMMAND "${CMAKE_COMMAND}" -E copy
+		"$<TARGET_FILE:tls-shared>"
+		"$<TARGET_FILE:ssl-shared>"
+		"$<TARGET_FILE:crypto-shared>"
+		"${CMAKE_CURRENT_BINARY_DIR}"
+		COMMENT "Copying DLLs for regression tests")
+endif()
+

tests/Makefile.am

@@ -5,11 +5,15 @@ AM_CPPFLAGS += -I $(top_srcdir)/crypto/asn1
 AM_CPPFLAGS += -I $(top_srcdir)/ssl
 AM_CPPFLAGS += -I $(top_srcdir)/apps/openssl
 AM_CPPFLAGS += -I $(top_srcdir)/apps/openssl/compat
+AM_CPPFLAGS += -D_PATH_SSL_CA_FILE=\"$(top_srcdir)/apps/openssl/cert.pem\"
 
-LDADD = $(PLATFORM_LDADD) $(PROG_LDADD)
-LDADD += $(abs_top_builddir)/ssl/libssl.la
-LDADD += $(abs_top_builddir)/crypto/libcrypto.la
-LDADD += $(abs_top_builddir)/tls/libtls.la
+LDADD = $(abs_top_builddir)/tls/.libs/libtls.a
+LDADD += $(abs_top_builddir)/ssl/.libs/libssl.a
+LDADD += $(abs_top_builddir)/crypto/.libs/libcrypto.a
+LDADD += $(PLATFORM_LDADD) $(PROG_LDADD)
+if HOST_ASM_MACOSX_X86_64
+LDADD += $(abs_top_builddir)/crypto/.libs/libcrypto_la-cpuid-macosx-x86_64.o
+endif
 
 TEST_LOG_DRIVER = env AM_TAP_AWK='$(AWK)' $(SHELL) $(top_srcdir)/tap-driver.sh
 
@@ -39,6 +43,11 @@ arc4randomforktest_SOURCES = arc4randomforktest.c
 endif
 EXTRA_DIST += arc4randomforktest.sh
 
+# asn1evp
+TESTS += asn1evp
+check_PROGRAMS += asn1evp
+asn1evp_SOURCES = asn1evp.c
+
 # asn1test
 TESTS += asn1test
 check_PROGRAMS += asn1test
@@ -69,6 +78,7 @@ endif
 
 # bntest
 TESTS += bntest
+bntest_CPPFLAGS = $(AM_CPPFLAGS) -ULIBRESSL_INTERNAL
 check_PROGRAMS += bntest
 bntest_SOURCES = bntest.c
 
@@ -103,6 +113,11 @@ TESTS += clienttest
 check_PROGRAMS += clienttest
 clienttest_SOURCES = clienttest.c
 
+# configtest
+TESTS += configtest
+check_PROGRAMS += configtest
+configtest_SOURCES = configtest.c
+
 # cts128test
 TESTS += cts128test
 check_PROGRAMS += cts128test
@@ -158,7 +173,7 @@ TESTS += explicit_bzero
 check_PROGRAMS += explicit_bzero
 explicit_bzero_SOURCES = explicit_bzero.c
 if !HAVE_MEMMEM
-explicit_bzero_SOURCES += memmem.c
+explicit_bzero_SOURCES += compat/memmem.c
 endif
 endif
 endif
@@ -166,8 +181,14 @@ endif
 # exptest
 TESTS += exptest
 check_PROGRAMS += exptest
+exptest_CPPFLAGS = $(AM_CPPFLAGS) -ULIBRESSL_INTERNAL
 exptest_SOURCES = exptest.c
 
+# freenull
+TESTS += freenull
+check_PROGRAMS += freenull
+freenull_SOURCES = freenull.c
+
 # gcm128test
 TESTS += gcm128test
 check_PROGRAMS += gcm128test
@@ -178,6 +199,11 @@ TESTS += gost2814789t
 check_PROGRAMS += gost2814789t
 gost2814789t_SOURCES = gost2814789t.c
 
+# hkdf_test
+TESTS += hkdftest
+check_PROGRAMS += hkdftest
+hkdftest_SOURCES = hkdf_test.c
+
 # hmactest
 TESTS += hmactest
 check_PROGRAMS += hmactest
@@ -208,6 +234,14 @@ TESTS += mont
 check_PROGRAMS += mont
 mont_SOURCES = mont.c
 
+# ocsp_test
+if ENABLE_EXTRATESTS
+TESTS += ocsptest.sh
+check_PROGRAMS += ocsp_test
+ocsp_test_SOURCES = ocsp_test.c
+endif
+EXTRA_DIST += ocsptest.sh ocsptest.bat
+
 # optionstest
 TESTS += optionstest
 check_PROGRAMS += optionstest
@@ -242,7 +276,7 @@ poly1305test_SOURCES = poly1305test.c
 TESTS += pq_test.sh
 check_PROGRAMS += pq_test
 pq_test_SOURCES = pq_test.c
-EXTRA_DIST += pq_test.sh
+EXTRA_DIST += pq_test.sh pq_test.bat
 EXTRA_DIST += pq_expected.txt
 
 # randtest
@@ -275,6 +309,17 @@ TESTS += rmdtest
 check_PROGRAMS += rmdtest
 rmdtest_SOURCES = rmdtest.c
 
+# rsa_test
+TESTS += rsa_test
+check_PROGRAMS += rsa_test
+rsa_test_SOURCES = rsa_test.c
+
+# servertest
+TESTS += servertest.sh
+check_PROGRAMS += servertest
+servertest_SOURCES = servertest.c
+EXTRA_DIST += servertest.sh servertest.bat
+
 # sha1test
 TESTS += sha1test
 check_PROGRAMS += sha1test
@@ -290,31 +335,60 @@ TESTS += sha512test
 check_PROGRAMS += sha512test
 sha512test_SOURCES = sha512test.c
 
+# ssl_versions
+TESTS += ssl_versions
+check_PROGRAMS += ssl_versions
+ssl_versions_SOURCES = ssl_versions.c
+
 # ssltest
 TESTS += ssltest.sh
 check_PROGRAMS += ssltest
 ssltest_SOURCES = ssltest.c
-EXTRA_DIST += ssltest.sh
-EXTRA_DIST += testssl ca.pem server.pem
+EXTRA_DIST += ssltest.sh ssltest.bat
+EXTRA_DIST += testssl testssl.bat ca.pem server.pem
 
 # testdsa
 TESTS += testdsa.sh
-EXTRA_DIST += testdsa.sh
+EXTRA_DIST += testdsa.sh testdsa.bat
 EXTRA_DIST += openssl.cnf
 
 # testenc
 TESTS += testenc.sh
-EXTRA_DIST += testenc.sh
+EXTRA_DIST += testenc.sh testenc.bat
 
 # testrsa
 TESTS += testrsa.sh
-EXTRA_DIST += testrsa.sh
+EXTRA_DIST += testrsa.sh testrsa.bat
 
 # timingsafe
 TESTS += timingsafe
 check_PROGRAMS += timingsafe
 timingsafe_SOURCES = timingsafe.c
 
+# tlsexttest
+TESTS += tlsexttest
+check_PROGRAMS += tlsexttest
+tlsexttest_SOURCES = tlsexttest.c
+
+# tlstest
+TESTS += tlstest.sh
+check_PROGRAMS += tlstest
+tlstest_SOURCES = tlstest.c
+if !HAVE_PIPE2
+tlstest_SOURCES += compat/pipe2.c
+endif
+EXTRA_DIST += tlstest.sh tlstest.bat
+
+# tls_ext_alpn
+TESTS += tls_ext_alpn
+check_PROGRAMS += tls_ext_alpn
+tls_ext_alpn_SOURCES = tls_ext_alpn.c
+
+# tls_prf
+TESTS += tls_prf
+check_PROGRAMS += tls_prf
+tls_prf_SOURCES = tls_prf.c
+
 # utf8test
 TESTS += utf8test
 check_PROGRAMS += utf8test
@@ -324,3 +398,8 @@ utf8test_SOURCES = utf8test.c
 TESTS += verifytest
 check_PROGRAMS += verifytest
 verifytest_SOURCES = verifytest.c
+
+# x25519test
+TESTS += x25519test
+check_PROGRAMS += x25519test
+x25519test_SOURCES = x25519test.c

tests/compat/pipe2.c

@@ -0,0 +1,167 @@
+/*
+ * Public domain
+ *
+ * pipe2/pipe/socketpair emulation
+ * Brent Cook <bcook@openbsd.org>
+ */
+
+#include <errno.h>
+#include <fcntl.h>
+#include <unistd.h>
+#include <sys/socket.h>
+
+#undef socketpair
+
+#ifdef _WIN32
+
+static int setfd(int fd, int flag)
+{
+	int rc = -1;
+	if (flag & FD_CLOEXEC) {
+		HANDLE h = (HANDLE)_get_osfhandle(fd);
+		if (h != NULL)
+			rc = SetHandleInformation(h, HANDLE_FLAG_INHERIT, 0) == 0 ? -1 : 0;
+	}
+	return rc;
+}
+
+static int setfl(int fd, int flag)
+{
+	int rc = -1;
+	if (flag & O_NONBLOCK) {
+		long mode = 1;
+		rc = ioctlsocket(fd, FIONBIO, &mode);
+	}
+	return rc;
+}
+
+int socketpair(int domain, int type, int protocol, int socket_vector[2])
+{
+	if (domain != AF_UNIX || !(type & SOCK_STREAM) || protocol != PF_UNSPEC)
+		return -1;
+
+	socket_vector[0] = -1;
+	socket_vector[1] = -1;
+
+	int listener = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP);
+	if (listener == -1) {
+		return -1;
+	}
+
+	struct sockaddr_in addr = {
+		.sin_family = AF_INET,
+		.sin_addr.s_addr = htonl(INADDR_LOOPBACK),
+		.sin_port = 0,
+	};
+
+	int yes = 1, e;
+	if (setsockopt(listener, SOL_SOCKET, SO_REUSEADDR,
+			(void *)&yes, sizeof yes) == -1)
+		goto err;
+
+	if (bind(listener, (struct sockaddr *)&addr, sizeof addr) != 0)
+		goto err;
+
+	memset(&addr, 0, sizeof addr);
+	socklen_t addrlen = sizeof addr;
+	if (getsockname(listener, (struct sockaddr *)&addr, &addrlen) != 0)
+		goto err;
+
+	addr.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
+	addr.sin_family = AF_INET;
+
+	if (listen(listener, 1) != 0)
+		goto err;
+
+	socket_vector[0] = WSASocket(AF_INET, SOCK_STREAM, 0, NULL, 0, 0);
+	if (socket_vector[0] == -1)
+		goto err;
+
+	if (connect(socket_vector[0], (struct sockaddr *)&addr, sizeof addr) != 0)
+		goto err;
+
+	socket_vector[1] = accept(listener, NULL, NULL);
+	if (socket_vector[1] == -1)
+		goto err;
+
+	closesocket(listener);
+	return 0;
+
+err:
+	e = WSAGetLastError();
+	closesocket(listener);
+	closesocket(socket_vector[0]);
+	closesocket(socket_vector[1]);
+	WSASetLastError(e);
+	socket_vector[0] = -1;
+	socket_vector[1] = -1;
+	return -1;
+}
+
+int pipe(int fildes[2])
+{
+	return socketpair(AF_UNIX, SOCK_STREAM | SOCK_NONBLOCK, PF_UNSPEC, fildes);
+}
+
+#else
+
+static int setfd(int fd, int flag)
+{
+	int flags = fcntl(fd, F_GETFD);
+	flags |= flag;
+	return fcntl(fd, F_SETFD, flags);
+}
+
+static int setfl(int fd, int flag)
+{
+	int flags = fcntl(fd, F_GETFL);
+	flags |= flag;
+	return fcntl(fd, F_SETFL, flags);
+}
+#endif
+
+int pipe2(int fildes[2], int flags)
+{
+	int rc = pipe(fildes);
+	if (rc == 0) {
+		if (flags & O_NONBLOCK) {
+			rc |= setfl(fildes[0], O_NONBLOCK);
+			rc |= setfl(fildes[1], O_NONBLOCK);
+		}
+		if (flags & O_CLOEXEC) {
+			rc |= setfd(fildes[0], FD_CLOEXEC);
+			rc |= setfd(fildes[1], FD_CLOEXEC);
+		}
+		if (rc != 0) {
+			int e = errno;
+			close(fildes[0]);
+			close(fildes[1]);
+			errno = e;
+		}
+	}
+	return rc;
+}
+
+int bsd_socketpair(int domain, int type, int protocol, int socket_vector[2])
+{
+	int flags = type & ~0xf;
+	type &= 0xf;
+	int rc = socketpair(domain, type, protocol, socket_vector);
+	if (rc == 0) {
+		if (flags & SOCK_NONBLOCK) {
+			rc |= setfl(socket_vector[0], O_NONBLOCK);
+			rc |= setfl(socket_vector[1], O_NONBLOCK);
+		}
+		if (flags & SOCK_CLOEXEC) {
+			rc |= setfd(socket_vector[0], FD_CLOEXEC);
+			rc |= setfd(socket_vector[1], FD_CLOEXEC);
+		}
+		if (rc != 0) {
+			int e = errno;
+			close(socket_vector[0]);
+			close(socket_vector[1]);
+			errno = e;
+		}
+	}
+	return rc;
+}

tests/ocsptest.bat

@@ -0,0 +1,11 @@
+@echo off
+setlocal enabledelayedexpansion
+REM	ocsptest.bat
+
+set TEST=Debug\ocsp_test.exe
+if not exist %TEST% exit /b 1
+
+%TEST% www.amazon.com 443 & if !errorlevel! neq 0 exit /b 1
+%TEST% cloudflare.com 443 & if !errorlevel! neq 0 exit /b 1
+
+endlocal

tests/ocsptest.sh

@@ -0,0 +1,8 @@
+#!/bin/sh
+set -e
+TEST=./ocsp_test
+if [ -e ./ocsp_test.exe ]; then
+	TEST=./ocsp_test.exe
+fi
+$TEST www.amazon.com 443
+$TEST cloudflare.com 443

tests/pq_test.bat

@@ -0,0 +1,14 @@
+@echo off
+setlocal enabledelayedexpansion
+REM	pq_test.bat
+
+set TEST=Debug\pq_test.exe
+if not exist %TEST% exit /b 1
+
+set pq_output=pq_output.txt
+if exist %pq_output% del %pq_output%
+
+%TEST% > %pq_output%
+fc /b %pq_output% %srcdir%\pq_expected.txt
+
+endlocal

tests/servertest.bat

@@ -0,0 +1,17 @@
+@echo off
+setlocal enabledelayedexpansion
+REM	servertest.bat
+
+set servertest_bin=Debug\servertest.exe
+if not exist %servertest_bin% exit /b 1
+
+if "%srcdir%"=="" (
+	set srcdir=.
+)
+
+%servertest_bin% %srcdir%\server.pem %srcdir%\server.pem %srcdir%\ca.pem
+if !errorlevel! neq 0 (
+	exit /b 1
+)
+
+endlocal

tests/servertest.sh

@@ -0,0 +1,13 @@
+#!/bin/sh
+set -e
+
+servertest_bin=./servertest
+if [ -e ./servertest.exe ]; then
+	servertest_bin=./servertest.exe
+fi
+
+if [ -z $srcdir ]; then
+	srcdir=.
+fi
+
+$servertest_bin $srcdir/server.pem $srcdir/server.pem $srcdir/ca.pem

tests/ssltest.bat

@@ -0,0 +1,21 @@
+@echo off
+setlocal enabledelayedexpansion
+REM	ssltest.bat
+
+set ssltest_bin=Debug\ssltest.exe
+if not exist %ssltest_bin% exit /b 1
+
+set openssl_bin=..\apps\openssl\Debug\openssl.exe
+if not exist %openssl_bin% exit /b 1
+
+if "%srcdir%"=="" (
+	set srcdir=.
+)
+
+%srcdir%\testssl.bat %srcdir%\server.pem %srcdir%\server.pem %srcdir%\ca.pem ^
+    %ssltest_bin% %openssl_bin%
+if !errorlevel! neq 0 (
+	exit /b 1
+)
+
+endlocal

tests/ssltest.sh

@@ -6,9 +6,16 @@ if [ -e ./ssltest.exe ]; then
 	ssltest_bin=./ssltest.exe
 fi
 
-openssl_bin=../apps/openssl/openssl
-if [ -e ../apps/openssl/openssl.exe ]; then
+if [ -d ../apps/openssl ]; then
+	openssl_bin=../apps/openssl/openssl
+	if [ -e ../apps/openssl/openssl.exe ]; then
 		openssl_bin=../apps/openssl/openssl.exe
+	fi
+else
+	openssl_bin=../apps/openssl
+	if [ -e ../apps/openssl.exe ]; then
+		openssl_bin=../apps/openssl.exe
+	fi
 fi
 
 if [ -z $srcdir ]; then

tests/testdsa.bat

@@ -0,0 +1,38 @@
+@echo off
+setlocal enabledelayedexpansion
+REM	testdsa.bat
+
+
+REM # Test DSA certificate generation of openssl
+
+set cmd=..\apps\openssl\Debug\openssl.exe
+if not exist %cmd% exit /b 1
+
+if "%srcdir%"=="" (
+	set srcdir=.
+)
+
+REM # Generate DSA paramter set
+%cmd% dsaparam 512 -out dsa512.pem
+if !errorlevel! neq 0 (
+	exit /b 1
+)
+
+
+REM # Generate a DSA certificate
+%cmd% req -config %srcdir%\openssl.cnf -x509 -newkey dsa:dsa512.pem -out testdsa.pem -keyout testdsa.key
+if !errorlevel! neq 0 (
+	exit /b 1
+)
+
+
+REM # Now check the certificate
+%cmd% x509 -text -in testdsa.pem
+if !errorlevel! neq 0 (
+	exit /b 1
+)
+
+del testdsa.key dsa512.pem testdsa.pem
+
+exit /b 0
+endlocal

tests/testdsa.sh

@@ -4,9 +4,16 @@
 
 #Test DSA certificate generation of openssl
 
-cmd=../apps/openssl/openssl
-if [ -e ../apps/openssl/openssl.exe ]; then
+if [ -d ../apps/openssl ]; then
+	cmd=../apps/openssl/openssl
+	if [ -e ../apps/openssl/openssl.exe ]; then
 		cmd=../apps/openssl/openssl.exe
+	fi
+else
+	cmd=../apps/openssl
+	if [ -e ../apps/openssl.exe ]; then
+		cmd=../apps/openssl.exe
+	fi
 fi
 
 if [ -z $srcdir ]; then

tests/testenc.bat

@@ -0,0 +1,69 @@
+@echo off
+setlocal enabledelayedexpansion
+REM	testenc.bat
+
+set test=p
+set cmd=..\apps\openssl\Debug\openssl.exe
+if not exist %cmd% exit /b 1
+
+set srcdir=..\..\tests
+
+copy %srcdir%\openssl.cnf %test%
+
+echo cat
+%cmd% enc -in %test% -out %test%.cipher
+%cmd% enc -in %test%.cipher -out %test%.clear
+fc /b %test% %test%.clear
+if !errorlevel! neq 0 (
+	exit /b 1
+) else (
+	del %test%.cipher %test%.clear
+)
+
+echo base64
+%cmd% enc -a -e -in %test% -out %test%.cipher
+%cmd% enc -a -d -in %test%.cipher -out %test%.clear
+fc /b %test% %test%.clear
+if !errorlevel! neq 0 (
+	exit /b 1
+) else (
+	del %test%.cipher %test%.clear
+)
+
+for %%i in (
+	aes-128-cbc aes-128-cfb aes-128-cfb1 aes-128-cfb8
+	aes-128-ecb aes-128-ofb aes-192-cbc aes-192-cfb
+	aes-192-cfb1 aes-192-cfb8 aes-192-ecb aes-192-ofb
+	aes-256-cbc aes-256-cfb aes-256-cfb1 aes-256-cfb8
+	aes-256-ecb aes-256-ofb
+	bf-cbc bf-cfb bf-ecb bf-ofb
+	cast-cbc cast5-cbc cast5-cfb cast5-ecb cast5-ofb
+	des-cbc des-cfb des-cfb8 des-ecb des-ede
+	des-ede-cbc des-ede-cfb des-ede-ofb des-ede3
+	des-ede3-cbc des-ede3-cfb des-ede3-ofb des-ofb desx-cbc
+	rc2-40-cbc rc2-64-cbc rc2-cbc rc2-cfb rc2-ecb rc2-ofb
+	rc4 rc4-40
+) do (
+	echo %%i
+	%cmd% %%i -e -k test -in %test% -out %test%.%%i.cipher
+	%cmd% %%i -d -k test -in %test%.%%i.cipher -out %test%.%%i.clear
+	fc /b %test% %test%.%%i.clear
+	if !errorlevel! neq 0 (
+		exit /b 1
+	) else (
+		del %test%.%%i.cipher %test%.%%i.clear
+	)
+
+	echo %%i base64
+	%cmd% %%i -a -e -k test -in %test% -out %test%.%%i.cipher
+	%cmd% %%i -a -d -k test -in %test%.%%i.cipher -out %test%.%%i.clear
+	fc /b %test% %test%.%%i.clear
+	if !errorlevel! neq 0 (
+		exit /b 1
+	) else (
+		del %test%.%%i.cipher %test%.%%i.clear
+	)
+)
+
+del %test%
+endlocal

tests/testenc.sh

@@ -2,12 +2,23 @@
 #	$OpenBSD: testenc.sh,v 1.1 2014/08/26 17:50:07 jsing Exp $
 
 test=p
-cmd=../apps/openssl/openssl
-if [ -e ../apps/openssl/openssl.exe ]; then
+if [ -d ../apps/openssl ]; then
+	cmd=../apps/openssl/openssl
+	if [ -e ../apps/openssl/openssl.exe ]; then
 		cmd=../apps/openssl/openssl.exe
+	fi
+else
+	cmd=../apps/openssl
+	if [ -e ../apps/openssl.exe ]; then
+		cmd=../apps/openssl.exe
+	fi
 fi
 
-cat openssl.cnf >$test;
+if [ -z $srcdir ]; then
+	srcdir=.
+fi
+
+cat $srcdir/openssl.cnf >$test;
 
 echo cat
 $cmd enc < $test > $test.cipher

tests/testrsa.bat

@@ -0,0 +1,38 @@
+@echo off
+setlocal enabledelayedexpansion
+REM	testrsa.bat
+
+
+REM # Test RSA certificate generation of openssl
+
+set cmd=..\apps\openssl\Debug\openssl.exe
+if not exist %cmd% exit /b 1
+
+if "%srcdir%"=="" (
+	set srcdir=.
+)
+
+REM # Generate RSA private key
+%cmd% genrsa -out rsakey.pem
+if !errorlevel! neq 0 (
+	exit /b 1
+)
+
+
+REM # Generate an RSA certificate
+%cmd% req -config %srcdir%\openssl.cnf -key rsakey.pem -new -x509 -days 365 -out rsacert.pem
+if !errorlevel! neq 0 (
+	exit /b 1
+)
+
+
+REM # Now check the certificate
+%cmd% x509 -text -in rsacert.pem
+if !errorlevel! neq 0 (
+	exit /b 1
+)
+
+del rsacert.pem rsakey.pem
+
+exit /b 0
+endlocal

tests/testrsa.sh

@@ -4,9 +4,16 @@
 
 #Test RSA certificate generation of openssl
 
-cmd=../apps/openssl/openssl
-if [ -e ../apps/openssl/openssl.exe ]; then
+if [ -d ../apps/openssl ]; then
+	cmd=../apps/openssl/openssl
+	if [ -e ../apps/openssl/openssl.exe ]; then
 		cmd=../apps/openssl/openssl.exe
+	fi
+else
+	cmd=../apps/openssl
+	if [ -e ../apps/openssl.exe ]; then
+		cmd=../apps/openssl.exe
+	fi
 fi
 
 if [ -z $srcdir ]; then

tests/testssl.bat

@@ -0,0 +1,145 @@
+@echo off
+setlocal enabledelayedexpansion
+REM	testssl.bat
+
+set key=%1
+set cert=%2
+set CA=-CAfile %3
+set ssltest=%4 -key %key% -cert %cert% -c_key %key% -c_cert %cert%
+set openssl=%5
+set extra=%6
+
+%openssl% version & if !errorlevel! neq 0 exit /b 1
+
+for /f "usebackq" %%s in (`%openssl% x509 -in %cert% -text -noout ^| find /c "DSA Public Key"`) do set lines=%%s
+if %lines% gtr 0 (
+  set dsa_cert=YES
+) else (
+  set dsa_cert=NO
+)
+
+REM #########################################################################
+
+echo test sslv2/sslv3
+%ssltest% %extra% & if !errorlevel! neq 0 exit /b 1
+
+echo test sslv2/sslv3 with server authentication
+%ssltest% -server_auth %CA% %extra% & if !errorlevel! neq 0 exit /b 1
+
+echo test sslv2/sslv3 with client authentication
+%ssltest% -client_auth %CA% %extra% & if !errorlevel! neq 0 exit /b 1
+
+echo test sslv2/sslv3 with both client and server authentication
+%ssltest% -server_auth -client_auth %CA% %extra% & if !errorlevel! neq 0 exit /b 1
+
+echo test sslv2/sslv3 via BIO pair
+%ssltest% %extra% & if !errorlevel! neq 0 exit /b 1
+
+if %dsa_cert%==NO (
+  echo "test sslv2/sslv3 w/o (EC)DHE via BIO pair"
+  %ssltest% -bio_pair -no_dhe -no_ecdhe %extra% & if !errorlevel! neq 0 exit /b 1
+)
+
+echo test sslv2/sslv3 with 1024bit DHE via BIO pair
+%ssltest% -bio_pair -dhe1024dsa -v %extra% & if !errorlevel! neq 0 exit /b 1
+
+echo test sslv2/sslv3 with server authentication
+%ssltest% -bio_pair -server_auth %CA% %extra% & if !errorlevel! neq 0 exit /b 1
+
+echo test sslv2/sslv3 with client authentication via BIO pair
+%ssltest% -bio_pair -client_auth %CA% %extra% & if !errorlevel! neq 0 exit /b 1
+
+echo test sslv2/sslv3 with both client and server authentication via BIO pair
+%ssltest% -bio_pair -server_auth -client_auth %CA% %extra% & if !errorlevel! neq 0 exit /b 1
+
+echo test sslv2/sslv3 with both client and server authentication via BIO pair and app verify
+%ssltest% -bio_pair -server_auth -client_auth -app_verify %CA% %extra% & if !errorlevel! neq 0 exit /b 1
+
+echo "Testing ciphersuites"
+for %%p in ( TLSv1.2 ) do (
+  echo "Testing ciphersuites for %%p"
+  for /f "usebackq" %%c in (`%openssl% ciphers -v "%%p+aRSA"`) do (
+    echo "Testing %%c"
+    %ssltest% -cipher %%c
+    if !errorlevel! neq 0 (
+      echo "Failed %%c"
+      exit /b 1
+    )
+  )
+)
+
+REM ##########################################################################
+
+for /f "usebackq" %%s in (`%openssl% no-dh`) do set nodh=%%s
+if %nodh%==no-dh (
+  echo skipping anonymous DH tests
+) else (
+  echo test tls1 with 1024bit anonymous DH, multiple handshakes
+  %ssltest% -v -bio_pair -tls1 -cipher ADH -dhe1024dsa -num 10 -f -time %extra% & if !errorlevel! neq 0 exit /b 1
+)
+
+REM #for /f "usebackq" %%s in (`%openssl% no-rsa`) do set norsa=%%s
+REM #if %norsa%==no-rsa (
+REM #  echo skipping RSA tests
+REM #) else (
+REM #  echo "test tls1 with 1024bit RSA, no (EC)DHE, multiple handshakes"
+REM #  %ssltest% -v -bio_pair -tls1 -cert ..\apps\server2.pem -no_dhe -no_ecdhe -num 10 -f -time %extra% & if !errorlevel! neq 0 exit /b 1
+REM #
+REM #  for /f "usebackq" %%s in (`%openssl% no-dh`) do set nodh=%%s
+REM #  if %nodh%==no-dh (
+REM #    echo skipping RSA+DHE tests
+REM #  ) else (
+REM #    echo test tls1 with 1024bit RSA, 1024bit DHE, multiple handshakes
+REM #    %ssltest% -v -bio_pair -tls1 -cert ..\apps\server2.pem -dhe1024dsa -num 10 -f -time %extra% & if !errorlevel! neq 0 exit /b 1
+REM #  )
+REM #)
+
+REM #
+REM # DTLS tests
+REM #
+
+echo test dtlsv1
+%ssltest% -dtls1 %extra% & if !errorlevel! neq 0 exit /b 1
+
+echo test dtlsv1 with server authentication
+%ssltest% -dtls1 -server_auth %CA% %extra% & if !errorlevel! neq 0 exit /b 1
+
+echo test dtlsv1 with client authentication
+%ssltest% -dtls1 -client_auth %CA% %extra% & if !errorlevel! neq 0 exit /b 1
+
+echo test dtlsv1 with both client and server authentication
+%ssltest% -dtls1 -server_auth -client_auth %CA% %extra% & if !errorlevel! neq 0 exit /b 1
+
+echo "Testing DTLS ciphersuites"
+for %%p in ( SSLv3 ) do (
+  echo "Testing ciphersuites for %%p"
+  for /f "usebackq" %%c in (`%openssl% ciphers -v "RSA+%%p:-RC4"`) do (
+    echo "Testing %%c"
+    %ssltest% -cipher %%c -dtls1
+    if !errorlevel! neq 0 (
+      echo "Failed %%c"
+      exit /b 1
+    )
+  )
+)
+
+REM #
+REM # ALPN tests
+REM #
+echo "Testing ALPN..."
+%ssltest% -bio_pair -tls1 -alpn_client foo -alpn_server bar & if !errorlevel! neq 0 exit /b 1
+%ssltest% -bio_pair -tls1 -alpn_client foo -alpn_server foo ^
+  -alpn_expected foo & if !errorlevel! neq 0 exit /b 1
+%ssltest% -bio_pair -tls1 -alpn_client foo,bar -alpn_server foo ^
+  -alpn_expected foo & if !errorlevel! neq 0 exit /b 1
+%ssltest% -bio_pair -tls1 -alpn_client bar,foo -alpn_server foo ^
+  -alpn_expected foo & if !errorlevel! neq 0 exit /b 1
+%ssltest% -bio_pair -tls1 -alpn_client bar,foo -alpn_server foo,bar ^
+  -alpn_expected foo & if !errorlevel! neq 0 exit /b 1
+%ssltest% -bio_pair -tls1 -alpn_client bar,foo -alpn_server bar,foo ^
+  -alpn_expected bar & if !errorlevel! neq 0 exit /b 1
+%ssltest% -bio_pair -tls1 -alpn_client foo,bar -alpn_server bar,foo ^
+  -alpn_expected bar & if !errorlevel! neq 0 exit /b 1
+%ssltest% -bio_pair -tls1 -alpn_client baz -alpn_server bar,foo & if !errorlevel! neq 0 exit /b 1
+
+endlocal

tests/tlstest.bat

@@ -0,0 +1,17 @@
+@echo off
+setlocal enabledelayedexpansion
+REM	tlstest.bat
+
+set tlstest_bin=Debug\tlstest.exe
+if not exist %tlstest_bin% exit /b 1
+
+if "%srcdir%"=="" (
+	set srcdir=.
+)
+
+%tlstest_bin% %srcdir%\ca.pem %srcdir%\server.pem %srcdir%\server.pem
+if !errorlevel! neq 0 (
+	exit /b 1
+)
+
+endlocal

tests/tlstest.sh

@@ -0,0 +1,13 @@
+#!/bin/sh
+set -e
+
+tlstest_bin=./tlstest
+if [ -e ./tlstest.exe ]; then
+	tlstest_bin=./tlstest.exe
+fi
+
+if [ -z $srcdir ]; then
+	srcdir=.
+fi
+
+$tlstest_bin $srcdir/ca.pem $srcdir/server.pem $srcdir/server.pem

tls/CMakeLists.txt

@@ -7,33 +7,46 @@ include_directories(
 set(
 	TLS_SRC
 	tls.c
+	tls_bio_cb.c
 	tls_client.c
 	tls_config.c
 	tls_conninfo.c
 	tls_server.c
+	tls_ocsp.c
 	tls_peer.c
 	tls_util.c
 	tls_verify.c
 )
 
 
-if(NOT HAVE_STRCASECMP)
-	set(TLS_SRC ${TLS_SRC} strsep.c)
+if(NOT "${OPENSSLDIR}" STREQUAL "")
+	add_definitions(-D_PATH_SSL_CA_FILE=\"${OPENSSLDIR}/cert.pem\")
+else()
+	add_definitions(-D_PATH_SSL_CA_FILE=\"${CMAKE_INSTALL_PREFIX}/etc/ssl/cert.pem\")
 endif()
 
+add_library(tls-objects OBJECT ${TLS_SRC})
 if (BUILD_SHARED)
-	add_library(tls-objects OBJECT ${TLS_SRC})
 	add_library(tls STATIC $<TARGET_OBJECTS:tls-objects>)
 	add_library(tls-shared SHARED $<TARGET_OBJECTS:tls-objects>)
-	if (MSVC)
-		target_link_libraries(tls-shared ssl-shared crypto-shared Ws2_32.lib)
+	export_symbol(tls-shared ${CMAKE_CURRENT_SOURCE_DIR}/tls.sym)
+	target_link_libraries(tls-shared ssl-shared crypto-shared)
+	if (WIN32)
+		target_link_libraries(tls-shared Ws2_32.lib)
+		set(TLS_POSTFIX -${TLS_MAJOR_VERSION})
 	endif()
-	set_target_properties(tls-shared PROPERTIES OUTPUT_NAME tls)
+	set_target_properties(tls-shared PROPERTIES
+		OUTPUT_NAME tls${TLS_POSTFIX}
+		ARCHIVE_OUTPUT_NAME tls${TLS_POSTFIX})
 	set_target_properties(tls-shared PROPERTIES VERSION ${TLS_VERSION}
 		SOVERSION ${TLS_MAJOR_VERSION})
-	install(TARGETS tls tls-shared DESTINATION lib)
+	if(ENABLE_LIBRESSL_INSTALL)
+		install(TARGETS tls tls-shared DESTINATION ${CMAKE_INSTALL_LIBDIR})
+	endif(ENABLE_LIBRESSL_INSTALL)
 else()
 	add_library(tls STATIC ${TLS_SRC})
-	install(TARGETS tls DESTINATION lib)
+	if(ENABLE_LIBRESSL_INSTALL)
+		install(TARGETS tls DESTINATION ${CMAKE_INSTALL_LIBDIR})
+	endif(ENABLE_LIBRESSL_INSTALL)
 endif()
 

tls/Makefile.am

@@ -4,8 +4,9 @@ lib_LTLIBRARIES = libtls.la
 
 EXTRA_DIST = VERSION
 EXTRA_DIST += CMakeLists.txt
+EXTRA_DIST += tls.sym
 
-libtls_la_LDFLAGS = -version-info @LIBTLS_VERSION@ -no-undefined
+libtls_la_LDFLAGS = -version-info @LIBTLS_VERSION@ -no-undefined -export-symbols $(top_srcdir)/tls/tls.sym
 libtls_la_LIBADD = $(abs_top_builddir)/ssl/libssl.la
 libtls_la_LIBADD += $(abs_top_builddir)/crypto/libcrypto.la
 libtls_la_LIBADD += $(PLATFORM_LDADD)
@@ -19,14 +20,12 @@ endif
 
 libtls_la_SOURCES = tls.c
 libtls_la_SOURCES += tls_client.c
+libtls_la_SOURCES += tls_bio_cb.c
 libtls_la_SOURCES += tls_config.c
 libtls_la_SOURCES += tls_conninfo.c
 libtls_la_SOURCES += tls_server.c
+libtls_la_SOURCES += tls_ocsp.c
 libtls_la_SOURCES += tls_peer.c
 libtls_la_SOURCES += tls_util.c
 libtls_la_SOURCES += tls_verify.c
 noinst_HEADERS = tls_internal.h
-
-if !HAVE_STRSEP
-libtls_la_SOURCES += strsep.c
-endif

update.sh

@@ -13,28 +13,31 @@ if [ ! -d openbsd ]; then
 	fi
 fi
 (cd openbsd
+ git fetch
  git checkout $openbsd_branch
  git pull --rebase)
 
 # setup source paths
 CWD=`pwd`
-libc_src=$CWD/openbsd/src/lib/libc
-libc_regress=$CWD/openbsd/src/regress/lib/libc
-libcrypto_src=$CWD/openbsd/src/lib/libcrypto
-libcrypto_regress=$CWD/openbsd/src/regress/lib/libcrypto
-libssl_src=$CWD/openbsd/src/lib/libssl
-libssl_regress=$CWD/openbsd/src/regress/lib/libssl
-libtls_src=$CWD/openbsd/src/lib/libtls
-libtls_regress=$CWD/openbsd/src/regress/lib/libtls
-app_src=$CWD/openbsd/src/usr.bin
+OPENBSD_SRC=$CWD/openbsd/src
+libc_src=$OPENBSD_SRC/lib/libc
+libc_regress=$OPENBSD_SRC/regress/lib/libc
+libcrypto_src=$OPENBSD_SRC/lib/libcrypto
+libcrypto_regress=$OPENBSD_SRC/regress/lib/libcrypto
+libssl_src=$OPENBSD_SRC/lib/libssl
+libssl_regress=$OPENBSD_SRC/regress/lib/libssl
+libtls_src=$OPENBSD_SRC/lib/libtls
+libtls_regress=$OPENBSD_SRC/regress/lib/libtls
+bin_src=$OPENBSD_SRC/usr.bin
+sbin_src=$OPENBSD_SRC/usr.sbin
 
 # load library versions
-. $libcrypto_src/crypto/shlib_version
+. $libcrypto_src/shlib_version
 libcrypto_version=$major:$minor:0
 echo "libcrypto version $libcrypto_version"
 echo $libcrypto_version > crypto/VERSION
 
-. $libssl_src/ssl/shlib_version
+. $libssl_src/shlib_version
 libssl_version=$major:$minor:0
 echo "libssl version $libssl_version"
 echo $libssl_version > ssl/VERSION
@@ -61,12 +64,16 @@ do_cp_libc() {
 CP_LIBC='do_cp_libc'
 
 CP='cp -p'
+GREP='grep'
+if [ -x /opt/csw/bin/ggrep ]; then
+	GREP='/opt/csw/bin/ggrep'
+fi
 
-$CP $libssl_src/src/LICENSE COPYING
+$CP $libssl_src/LICENSE COPYING
 
-$CP $libcrypto_src/crypto/arch/amd64/opensslconf.h include/openssl
-$CP $libssl_src/src/crypto/opensslfeatures.h include/openssl
-$CP $libssl_src/src/ssl/pqueue.h include
+$CP $libcrypto_src/arch/amd64/opensslconf.h include/openssl
+$CP $libcrypto_src/opensslfeatures.h include/openssl
+$CP $libssl_src/pqueue.h include
 
 $CP $libtls_src/tls.h include
 $CP $libtls_src/tls.h libtls-standalone/include
@@ -75,17 +82,20 @@ for i in crypto/compat libtls-standalone/compat; do
 	for j in $libc_src/crypt/arc4random.c \
 	    $libc_src/crypt/arc4random_uniform.c \
 	    $libc_src/crypt/chacha_private.h \
-	    $libc_src/string/explicit_bzero.c \
+	    $libc_src/net/inet_pton.c \
 	    $libc_src/stdlib/reallocarray.c \
+	    $libc_src/stdlib/recallocarray.c \
+	    $libc_src/string/explicit_bzero.c \
 	    $libc_src/string/strcasecmp.c \
 	    $libc_src/string/strlcpy.c \
 	    $libc_src/string/strlcat.c \
 	    $libc_src/string/strndup.c \
 	    $libc_src/string/strnlen.c \
+	    $libc_src/string/strsep.c \
 	    $libc_src/string/timingsafe_bcmp.c \
 	    $libc_src/string/timingsafe_memcmp.c \
-	    $libcrypto_src/crypto/getentropy_*.c \
-	    $libcrypto_src/crypto/arc4random_*.h; do
+	    $libcrypto_src/arc4random/getentropy_*.c \
+	    $libcrypto_src/arc4random/arc4random_*.h; do
 		$CP_LIBC $j $i
 	done
 done
@@ -99,36 +109,36 @@ $CP crypto/compat/arc4random*.h \
 	crypto/compat/bsd-asprintf.c \
 	libtls-standalone/compat
 
-(cd $libssl_src/src/crypto/objects/;
+(cd $libcrypto_src/objects/;
 	perl objects.pl objects.txt obj_mac.num obj_mac.h;
 	perl obj_dat.pl obj_mac.h obj_dat.h )
 mkdir -p include/openssl crypto/objects
-$MV $libssl_src/src/crypto/objects/obj_mac.h ./include/openssl/obj_mac.h
-$MV $libssl_src/src/crypto/objects/obj_dat.h ./crypto/objects/obj_dat.h
+$MV $libcrypto_src/objects/obj_mac.h ./include/openssl/obj_mac.h
+$MV $libcrypto_src/objects/obj_dat.h ./crypto/objects/obj_dat.h
 
 copy_hdrs() {
 	for file in $2; do
-		$CP $libssl_src/src/$1/$file include/openssl
+		$CP $1/$file include/openssl
 	done
 }
 
-copy_hdrs crypto "stack/stack.h lhash/lhash.h stack/safestack.h
+copy_hdrs $libcrypto_src "stack/stack.h lhash/lhash.h stack/safestack.h
 	ossl_typ.h err/err.h crypto.h comp/comp.h x509/x509.h buffer/buffer.h
 	objects/objects.h asn1/asn1.h bn/bn.h ec/ec.h ecdsa/ecdsa.h
 	ecdh/ecdh.h rsa/rsa.h sha/sha.h x509/x509_vfy.h pkcs7/pkcs7.h pem/pem.h
-	pem/pem2.h hmac/hmac.h rand/rand.h md5/md5.h
-	krb5/krb5_asn.h asn1/asn1_mac.h x509v3/x509v3.h conf/conf.h ocsp/ocsp.h
+	pem/pem2.h hkdf/hkdf.h hmac/hmac.h rand/rand.h md5/md5.h
+	asn1/asn1_mac.h x509v3/x509v3.h conf/conf.h ocsp/ocsp.h
 	aes/aes.h modes/modes.h asn1/asn1t.h dso/dso.h bf/blowfish.h
 	bio/bio.h cast/cast.h cmac/cmac.h conf/conf_api.h des/des.h dh/dh.h
-	dsa/dsa.h cms/cms.h engine/engine.h ui/ui.h pkcs12/pkcs12.h ts/ts.h
+	dsa/dsa.h engine/engine.h ui/ui.h pkcs12/pkcs12.h ts/ts.h
 	md4/md4.h ripemd/ripemd.h whrlpool/whrlpool.h idea/idea.h
 	rc2/rc2.h rc4/rc4.h ui/ui_compat.h txt_db/txt_db.h
 	chacha/chacha.h evp/evp.h poly1305/poly1305.h camellia/camellia.h
-	gost/gost.h"
+	gost/gost.h curve25519/curve25519.h"
 
-copy_hdrs ssl "srtp.h ssl.h ssl2.h ssl3.h ssl23.h tls1.h dtls1.h"
+copy_hdrs $libssl_src "srtp.h ssl.h ssl2.h ssl3.h ssl23.h tls1.h dtls1.h"
 
-$CP $libssl_src/src/crypto/opensslv.h include/openssl
+$CP $libcrypto_src/opensslv.h include/openssl
 awk '/LIBRESSL_VERSION_TEXT/ {print $4}' < include/openssl/opensslv.h | cut -d\" -f1 > VERSION
 echo "LibreSSL version `cat VERSION`"
 
@@ -139,16 +149,18 @@ for i in `awk '/SOURCES|HEADERS/ { print $3 }' crypto/Makefile.am` ; do
 	dir=`dirname $i`
 	mkdir -p crypto/$dir
 	if [ $dir != "compat" ]; then
-		if [ -e $libssl_src/src/crypto/$i ]; then
-			$CP $libssl_src/src/crypto/$i crypto/$i
+		if [ -e $libcrypto_src/$i ]; then
+			$CP $libcrypto_src/$i crypto/$i
 		fi
 	fi
 done
 $CP crypto/compat/b_win.c crypto/bio
 $CP crypto/compat/ui_openssl_win.c crypto/ui
+# add the libcrypto symbol export list
+$GREP -v OPENSSL_ia32cap_P $libcrypto_src/Symbols.list | $GREP '^[[:alpha:]]' > crypto/crypto.sym
 
 # generate assembly crypto algorithms
-asm_src=$libssl_src/src/crypto
+asm_src=$libcrypto_src
 gen_asm_stdout() {
 	perl $asm_src/$2 $1 > $3.tmp
 	[ $1 = "elf" ] && cat <<-EOF >> $3.tmp
@@ -169,24 +181,24 @@ gen_asm() {
 }
 for abi in elf macosx; do
 	echo generating ASM source for $abi
-	gen_asm_stdout $abi aes/asm/aes-x86_64.pl        crypto/aes/aes-$abi-x86_64.s
-	gen_asm_stdout $abi aes/asm/vpaes-x86_64.pl      crypto/aes/vpaes-$abi-x86_64.s
-	gen_asm_stdout $abi aes/asm/bsaes-x86_64.pl      crypto/aes/bsaes-$abi-x86_64.s
-	gen_asm_stdout $abi aes/asm/aesni-x86_64.pl      crypto/aes/aesni-$abi-x86_64.s
-	gen_asm_stdout $abi aes/asm/aesni-sha1-x86_64.pl crypto/aes/aesni-sha1-$abi-x86_64.s
-	gen_asm_stdout $abi bn/asm/modexp512-x86_64.pl   crypto/bn/modexp512-$abi-x86_64.s
-	gen_asm_stdout $abi bn/asm/x86_64-mont.pl        crypto/bn/mont-$abi-x86_64.s
-	gen_asm_stdout $abi bn/asm/x86_64-mont5.pl       crypto/bn/mont5-$abi-x86_64.s
-	gen_asm_stdout $abi bn/asm/x86_64-gf2m.pl        crypto/bn/gf2m-$abi-x86_64.s
-	gen_asm_stdout $abi camellia/asm/cmll-x86_64.pl  crypto/camellia/cmll-$abi-x86_64.s
-	gen_asm_stdout $abi md5/asm/md5-x86_64.pl        crypto/md5/md5-$abi-x86_64.s
-	gen_asm_stdout $abi modes/asm/ghash-x86_64.pl    crypto/modes/ghash-$abi-x86_64.s
-	gen_asm_stdout $abi rc4/asm/rc4-x86_64.pl        crypto/rc4/rc4-$abi-x86_64.s
-	gen_asm_stdout $abi rc4/asm/rc4-md5-x86_64.pl    crypto/rc4/rc4-md5-$abi-x86_64.s
-	gen_asm_stdout $abi sha/asm/sha1-x86_64.pl       crypto/sha/sha1-$abi-x86_64.s
+	gen_asm_stdout $abi aes/asm/aes-x86_64.pl        crypto/aes/aes-$abi-x86_64.S
+	gen_asm_stdout $abi aes/asm/vpaes-x86_64.pl      crypto/aes/vpaes-$abi-x86_64.S
+	gen_asm_stdout $abi aes/asm/bsaes-x86_64.pl      crypto/aes/bsaes-$abi-x86_64.S
+	gen_asm_stdout $abi aes/asm/aesni-x86_64.pl      crypto/aes/aesni-$abi-x86_64.S
+	gen_asm_stdout $abi aes/asm/aesni-sha1-x86_64.pl crypto/aes/aesni-sha1-$abi-x86_64.S
+	gen_asm_stdout $abi bn/asm/modexp512-x86_64.pl   crypto/bn/modexp512-$abi-x86_64.S
+	gen_asm_stdout $abi bn/asm/x86_64-mont.pl        crypto/bn/mont-$abi-x86_64.S
+	gen_asm_stdout $abi bn/asm/x86_64-mont5.pl       crypto/bn/mont5-$abi-x86_64.S
+	gen_asm_stdout $abi bn/asm/x86_64-gf2m.pl        crypto/bn/gf2m-$abi-x86_64.S
+	gen_asm_stdout $abi camellia/asm/cmll-x86_64.pl  crypto/camellia/cmll-$abi-x86_64.S
+	gen_asm_stdout $abi md5/asm/md5-x86_64.pl        crypto/md5/md5-$abi-x86_64.S
+	gen_asm_stdout $abi modes/asm/ghash-x86_64.pl    crypto/modes/ghash-$abi-x86_64.S
+	gen_asm_stdout $abi rc4/asm/rc4-x86_64.pl        crypto/rc4/rc4-$abi-x86_64.S
+	gen_asm_stdout $abi rc4/asm/rc4-md5-x86_64.pl    crypto/rc4/rc4-md5-$abi-x86_64.S
+	gen_asm_stdout $abi sha/asm/sha1-x86_64.pl       crypto/sha/sha1-$abi-x86_64.S
 	gen_asm        $abi sha/asm/sha512-x86_64.pl     crypto/sha/sha256-$abi-x86_64.S
 	gen_asm        $abi sha/asm/sha512-x86_64.pl     crypto/sha/sha512-$abi-x86_64.S
-	gen_asm_stdout $abi whrlpool/asm/wp-x86_64.pl    crypto/whrlpool/wp-$abi-x86_64.s
+	gen_asm_stdout $abi whrlpool/asm/wp-x86_64.pl    crypto/whrlpool/wp-$abi-x86_64.S
 	gen_asm        $abi x86_64cpuid.pl               crypto/cpuid-$abi-x86_64.S
 done
 
@@ -199,9 +211,8 @@ for i in `awk '/SOURCES|HEADERS/ { print $3 }' tls/Makefile.am` ; do
 		$CP $libtls_src/$i libtls-standalone/src
 	fi
 done
-
-$CP_LIBC $libc_src/string/strsep.c tls
-$CP_LIBC $libc_src/string/strsep.c libtls-standalone/compat
+# add the libtls symbol export list
+$GREP '^[[:alpha:]]' < $libtls_src/Symbols.list > tls/tls.sym
 
 mkdir -p libtls-standalone/m4
 $CP m4/check*.m4 \
@@ -212,25 +223,38 @@ sed -e "s/compat\///" crypto/Makefile.am.arc4random > \
 
 # copy nc(1) source
 echo "copying nc(1) source"
-$CP $app_src/nc/nc.1 apps/nc
+$CP $bin_src/nc/nc.1 apps/nc
 rm -f apps/nc/*.c apps/nc/*.h
+$CP_LIBC $libc_src/net/base64.c apps/nc/compat
 $CP_LIBC $libc_src/stdlib/strtonum.c apps/nc/compat
 for i in `awk '/SOURCES|HEADERS|MANS/ { print $3 }' apps/nc/Makefile.am` ; do
-	if [ -e $app_src/nc/$i ]; then
-		$CP $app_src/nc/$i apps/nc
+	if [ -e $bin_src/nc/$i ]; then
+		$CP $bin_src/nc/$i apps/nc
+	fi
+done
+
+# copy ocspcheck(1) source
+echo "copying ocspcheck(1) source"
+$CP $sbin_src/ocspcheck/ocspcheck.8 apps/ocspcheck
+rm -f apps/ocspcheck/*.c apps/ocspcheck/*.h
+$CP_LIBC $libc_src/net/inet_ntop.c apps/ocspcheck/compat
+$CP_LIBC $libc_src/string/memmem.c apps/ocspcheck/compat
+for i in `awk '/SOURCES|HEADERS|MANS/ { print $3 }' apps/ocspcheck/Makefile.am` ; do
+	if [ -e $sbin_src/ocspcheck/$i ]; then
+		$CP $sbin_src/ocspcheck/$i apps/ocspcheck
 	fi
 done
 
 # copy openssl(1) source
 echo "copying openssl(1) source"
-$CP $app_src/openssl/openssl.1 apps/openssl
+$CP $bin_src/openssl/openssl.1 apps/openssl
 $CP_LIBC $libc_src/stdlib/strtonum.c apps/openssl/compat
 $CP $libcrypto_src/cert.pem apps/openssl
 $CP $libcrypto_src/openssl.cnf apps/openssl
 $CP $libcrypto_src/x509v3.cnf apps/openssl
 for i in `awk '/SOURCES|HEADERS|MANS/ { print $3 }' apps/openssl/Makefile.am` ; do
-	if [ -e $app_src/openssl/$i ]; then
-		$CP $app_src/openssl/$i apps/openssl
+	if [ -e $bin_src/openssl/$i ]; then
+		$CP $bin_src/openssl/$i apps/openssl
 	fi
 done
 
@@ -238,8 +262,10 @@ done
 echo "copying libssl source"
 rm -f ssl/*.c ssl/*.h
 for i in `awk '/SOURCES|HEADERS/ { print $3 }' ssl/Makefile.am` ; do
-	$CP $libssl_src/src/ssl/$i ssl
+	$CP $libssl_src/$i ssl
 done
+# add the libssl symbol export list
+$GREP '^[[:alpha:]]' < $libssl_src/Symbols.list > ssl/ssl.sym
 
 # copy libcrypto tests
 echo "copying tests"
@@ -248,12 +274,11 @@ for i in `find $libcrypto_regress -name '*.c'`; do
 done
 $CP $libcrypto_regress/evp/evptests.txt tests
 $CP $libcrypto_regress/aead/aeadtests.txt tests
-$CP $libcrypto_regress/pqueue/expected.txt tests/pq_expected.txt
 
 # copy libc tests
 $CP $libc_regress/arc4random-fork/arc4random-fork.c tests/arc4randomforktest.c
 $CP $libc_regress/explicit_bzero/explicit_bzero.c tests
-$CP_LIBC $libc_src/string/memmem.c tests
+$CP_LIBC $libc_src/string/memmem.c tests/compat
 $CP $libc_regress/timingsafe/timingsafe.c tests
 
 # copy libssl tests
@@ -264,6 +289,7 @@ done
 $CP $libssl_regress/unit/tests.h tests
 $CP $libssl_regress/certs/ca.pem tests
 $CP $libssl_regress/certs/server.pem tests
+$CP $libssl_regress/pqueue/expected.txt tests/pq_expected.txt
 
 # copy libtls tests
 for i in `find $libtls_regress -name '*.c'`; do
@@ -284,18 +310,18 @@ add_man_links() {
 	filter=$1
 	dest=$2
 	echo "install-data-hook:" >> $dest
-	for i in `grep $filter man/links`; do
+	for i in `$GREP $filter man/links`; do
 		IFS=","; set $i; unset IFS
 		if [ "$2" != "" ]; then
-			echo "	ln -sf $1 \$(DESTDIR)\$(mandir)/man3/$2" >> $dest
+			echo "	ln -sf \"$1\" \"\$(DESTDIR)\$(mandir)/man3/$2\"" >> $dest
 		fi
 	done
 	echo "" >> $dest
 	echo "uninstall-local:" >> $dest
-	for i in `grep $filter man/links`; do
+	for i in `$GREP $filter man/links`; do
 		IFS=","; set $i; unset IFS
 		if [ "$2" != "" ]; then
-			echo "	-rm -f \$(DESTDIR)\$(mandir)/man3/$2" >> $dest
+			echo "	-rm -f \"\$(DESTDIR)\$(mandir)/man3/$2\"" >> $dest
 		fi
 	done
 }
@@ -313,43 +339,32 @@ done
 # copy manpages
 echo "copying manpages"
 echo EXTRA_DIST = CMakeLists.txt > man/Makefile.am
-echo dist_man_MANS = >> man/Makefile.am
-
-$CP $libtls_src/tls_init.3 man
-echo "dist_man_MANS += tls_init.3" >> man/Makefile.am
+echo dist_man3_MANS = >> man/Makefile.am
+echo dist_man5_MANS = >> man/Makefile.am
 
 (cd man
-	# update new-style manpages
-	for i in `ls -1 $libssl_src/src/doc/ssl/*.3 | sort`; do
+	for i in `ls -1 $libssl_src/man/*.3 | sort`; do
 		NAME=`basename "$i"`
 		$CP $i .
-		echo "dist_man_MANS += $NAME" >> Makefile.am
+		echo "dist_man3_MANS += $NAME" >> Makefile.am
 	done
 
 	for i in `ls -1 $libcrypto_src/man/*.3 | sort`; do
 		NAME=`basename "$i"`
 		$CP $i .
-		echo "dist_man_MANS += $NAME" >> Makefile.am
+		echo "dist_man3_MANS += $NAME" >> Makefile.am
 	done
 
-	# convert remaining POD manpages
-	for i in `ls -1 $libssl_src/src/doc/crypto/*.pod | sort`; do
-		BASE=`echo $i|sed -e "s/\.pod//"`
-		NAME=`basename "$BASE"`
-		# reformat file if new
-		if [ ! -f $NAME.3 -o $BASE.pod -nt $NAME.3 -o ../include/openssl/opensslv.h -nt $NAME.3 ]; then
-			echo processing $NAME
-			pod2man --official --release="LibreSSL $VERSION" --center=LibreSSL \
-				--section=3 $POD2MAN --name=$NAME < $BASE.pod > $NAME.3
-		fi
-		echo "dist_man_MANS += $NAME.3" >> Makefile.am
+	for i in `ls -1 $libtls_src/man/*.3 | sort`; do
+		NAME=`basename "$i"`
+		$CP $i .
+		echo "dist_man3_MANS += $NAME" >> Makefile.am
+	done
+
+	for i in `ls -1 $libcrypto_src/man/*.5 | sort`; do
+		NAME=`basename "$i"`
+		$CP $i .
+		echo "dist_man5_MANS += $NAME" >> Makefile.am
 	done
 )
 add_man_links . man/Makefile.am
-
-# standalone libtls manpages
-mkdir -p libtls-standalone/man
-echo "dist_man_MANS = tls_init.3" > libtls-standalone/man/Makefile.am
-
-$CP $libtls_src/tls_init.3 libtls-standalone/man
-add_man_links tls_init libtls-standalone/man/Makefile.am