2.1.7 security update

The API/ABI for the LibreSSL 2.1.x series is now fixed, so we can safely
enable libtls it by default. This is useful for new OpenNTPD and
OpenSMTPD releases as well.

ok deraadt@ beck@ sthen@

.gitignore

@@ -9,6 +9,10 @@
 # C stuff
 *.o
 
+# Assembly stuff
+*.S
+*.s
+
 # Windows stuff
 *.obj
 *.exe
@@ -34,6 +38,7 @@ Makefile.in
 *.lo
 *.la
 
+*.def
 *.pc
 
 # tests
@@ -43,11 +48,13 @@ test-driver
 tests/aes_wrap*
 tests/arc4random_fork*
 tests/explicit_bzero*
+tests/gost2814789t*
 tests/mont*
 tests/timingsafe*
 tests/*test
 tests/*test.c
 tests/memmem.c
+tests/pbkdf2*
 tests/*.pem
 tests/testssl
 tests/*.txt
@@ -74,7 +81,6 @@ INSTALL
 /config.status
 /config.sub
 /configure
-/configure.ac
 /depcomp
 /config.h
 /config.h.in
@@ -85,21 +91,28 @@ INSTALL
 /stamp-h1
 /stamp-h2
 
-crypto/Makefile.am
 include/openssl/Makefile.am
-ssl/Makefile.am
-apps/Makefile.am
 tests/Makefile.am
 
+crypto/VERSION
+ssl/VERSION
+tls/VERSION
+
 ssl/*.c
 ssl/*.h
+tls/*.c
+tls/*.h
 include/pqueue.h
+include/tls.h
 include/openssl/*.h
 include/openssl/*.he
-apps/*.c
 apps/*.h
-apps/*.cnf
+apps/*.c
 apps/openssl
+apps/openssl.cnf
+!apps/apps_win.c
+!apps/poll_win.c
+!apps/certhash_disabled.c
 
 crypto/compat/arc4random.c
 crypto/compat/chacha_private.h
@@ -110,7 +123,6 @@ crypto/compat/strlcat.c
 crypto/compat/strlcpy.c
 crypto/compat/strndup.c
 crypto/compat/strnlen.c
-crypto/compat/strtonum.c
 crypto/compat/timingsafe_bcmp.c
 crypto/compat/timingsafe_memcmp.c
 crypto/compat/arc4random_*.h
@@ -121,7 +133,9 @@ crypto/bf/
 crypto/bio/
 crypto/bn/
 crypto/buffer/
+crypto/camellia/
 crypto/cast/
+crypto/camellia/
 crypto/chacha/
 crypto/cmac/
 crypto/comp/
@@ -141,6 +155,7 @@ crypto/engine/
 crypto/err/
 crypto/evp/
 crypto/ex_data.c
+crypto/gost/
 crypto/hmac/
 crypto/idea/
 crypto/krb5/
@@ -178,9 +193,10 @@ crypto/whrlpool/
 crypto/x509/
 crypto/x509v3/
 openbsd/
+*.tar.gz
+apps/*.1*
 man/*.3
 man/*.1
 man/Makefile.am
 .gitmodules
-ChangeLog
 COPYING

.travis.yml

@@ -0,0 +1,24 @@
+language: c
+matrix:
+        include:
+                - compiler: clang
+                  os: osx
+                  env: ARCH=native
+                - compiler: gcc
+                  os: osx
+                  env: ARCH=native
+                - compiler: clang
+                  os: linux
+                  env: ARCH=native
+                - compiler: gcc
+                  os: linux
+                  env: ARCH=native
+                - compiler: gcc
+                  os: linux
+                  env: ARCH=mingw32
+                - compiler: gcc
+                  os: linux
+                  env: ARCH=mingw64
+
+script:
+        "./scripts/travis"

ChangeLog

@@ -0,0 +1,255 @@
+Because this project is maintained both in the OpenBSD tree using CVS and in
+Git, it can be confusing following all of the changes.
+
+Most of the libssl and libcrypto source code is is here in OpenBSD CVS:
+
+	http://cvsweb.openbsd.org/cgi-bin/cvsweb/src/lib/libssl/
+
+Some of the libcrypto and OS-compatibility files for entropy and random number
+generation are here:
+
+	http://cvsweb.openbsd.org/cgi-bin/cvsweb/src/lib/libcrypto/
+
+A simplified TLS wrapper library is here:
+
+	http://cvsweb.openbsd.org/cgi-bin/cvsweb/src/lib/libtls/
+
+The LibreSSL Portable project copies these portions of the OpenBSD tree, along
+with relevant portions of the C library, to a Git repository. This makes it
+easier to follow all of the relevant changes to the upstream project in a
+single place:
+
+	https://github.com/libressl-portable/openbsd
+
+The portable bits of the project are largely maintained out-of-tree, and their
+history is also available from Git.
+
+	https://github.com/libressl-portable/portable
+
+LibreSSL Portable Release Notes:
+
+This release primarily addresses a number of security issues in coordination
+with the OpenSSL project.
+
+2.1.7 - Security Update
+
+	* Fixes for the following issues are integrated into LibreSSL 2.1.7:
+	 - CVE-2015-1788 - Malformed ECParameters causes infinite loop
+	 - CVE-2015-1789 - Exploitable out-of-bounds read in X509_cmp_time
+	 - CVE-2015-1792 - CMS verify infinite loop with unknown hash function
+
+	* The following CVEs did not apply to LibreSSL or were fixed in
+	  earlier releases:
+	 - CVE-2015-4000 - DHE man-in-the-middle protection (Logjam)
+	 - CVE-2015-1790 - PKCS7 crash with missing EnvelopedContent
+	 - CVE-2014-8176 - Invalid free in DTLS
+
+	* Fixes for the following CVEs are still in review for LibreSSL
+	 - CVE-2015-1791 - Race condition handling NewSessionTicket
+
+2.1.6 - Security update
+
+	* Fixes for the following issues are integrated into LibreSSL 2.1.6:
+	  - CVE-2015-0209 - Use After Free following d2i_ECPrivatekey error
+	  - CVE-2015-0286 - Segmentation fault in ASN1_TYPE_cmp
+	  - CVE-2015-0287 - ASN.1 structure reuse memory corruption
+	  - CVE-2015-0288 - X509_to_X509_REQ NULL pointer deref
+	  - CVE-2015-0289 - PKCS7 NULL pointer dereferences
+
+	* The fix for CVE-2015-0207 - Segmentation fault in DTLSv1_listen
+	  is integrated for safety, but LibreSSL is not vulnerable.
+
+	* Libtls is now built by default. The --enable-libtls
+	  configuration option is no longer required.
+	  The libtls API is now stable for the 2.1.x series.
+
+2.1.5 - Bug fixes and a security update
+	* Fix incorrect comparison function in openssl(1) certhash command.
+	  Thanks to Christian Neukirchen / Void Linux.
+
+	* Windows port improvements and bug fixes.
+	  - Removed a dependency on libgcc in 32-bit dynamic libraries.
+	  - Correct a hang in openssl(1) reading from stdin on an connection.
+	  - Initialize winsock in openssl(1) earlier, allow 'openssl ocsp' and
+	    any other network-related commands to function properly.
+
+	* Reject all server DH keys smaller than 1024 bits.
+
+2.1.4 - Security and feature updates
+	* Improvements to libtls:
+	  - a new API for loading CA chains directly from memory instead of a
+	    file, allowing verification with privilege separation in a chroot
+	    without direct access to CA certificate files.
+
+	  - Ciphers default to TLSv1.2 with AEAD and PFS.
+
+	  - Improved error handling and message generation
+
+	  - New APIs and improved documentation
+
+	* Added X509_STORE_load_mem API for loading certificates from memory.
+	  This facilitates accessing certificates from a chrooted environment.
+
+	* New AEAD "MAC alias" allows configuring TLSv1.2 AEAD ciphers by
+	  using 'TLSv1.2+AEAD' as the cipher selection string.
+
+	* Dead and disabled code removal including MD5, Netscape workarounds,
+	  non-POSIX IO, SCTP, RFC 3779 support, many #if 0 sections, and more.
+
+	* ASN1 macro maze expanded to aid reading and searching the code.
+
+	* NULL pointer asserts removed in favor of letting the OS/signal
+	  handler catch them.
+
+	* Refactored argument handling in openssl(1) for consistency and
+	  maintainability.
+
+	* New openssl(1) command 'certhash' replaces the c_rehash script.
+
+	* Support for building with OPENSSL_NO_DEPRECATED
+
+	* Server-side support for TLS_FALLBACK_SCSV for compatibility with
+	  various auditor and vulnerability scanners.
+
+	* Dozens of issues found with the Coverity scanner fixed.
+
+	* Security Updates:
+
+	  - Fix a minor information leak that was introduced in t1_lib.c
+	    r1.71, whereby an additional 28 bytes of .rodata (or .data) is
+	    provided to the network. In most cases this is a non-issue since
+	    the memory content is already public. Issue found and reported by
+	    Felix Groebert of the Google Security Team.
+
+	  - Fixes for the following low-severity issues were integrated into
+	    LibreSSL from OpenSSL 1.0.1k:
+
+	     CVE-2015-0205 - DH client certificates accepted without
+	                     verification
+	     CVE-2014-3570 - Bignum squaring may produce incorrect results
+	     CVE-2014-8275 - Certificate fingerprints can be modified
+	     CVE-2014-3572 - ECDHE silently downgrades to ECDH [Client]
+	     Reported by Karthikeyan Bhargavan of the PROSECCO team at INRIA.
+
+	    The following CVEs were fixed in earlier LibreSSL releases:
+	     CVE-2015-0206 - Memory leak handling repeated DLTS records
+	     CVE-2014-3510 - Flaw handling DTLS anonymous EC(DH) ciphersuites.
+
+	    The following CVEs did not apply to LibreSSL:
+	     CVE-2014-3571 - DTLS segmentation fault in dtls1_get_record
+	     CVE-2014-3569 - no-ssl3 configuration sets method to NULL
+	     CVE-2015-0204 - RSA silently downgrades to EXPORT_RSA
+
+2.1.3 - Security update and OS support improvements
+	* Fixed various memory leaks in DTLS, including fixes for
+	  CVE-2015-0206.
+
+	* Added Application-Layer Protocol Negotiation (ALPN) support.
+
+	* Removed GOST R 34.10-94 signature authentication.
+
+	* Removed nonfunctional Netscape browser-hang workaround code.
+
+	* Simplfied and refactored SSL/DTLS handshake code.
+
+	* Added SHA256 Camellia cipher suites for TLS 1.2 from RFC 5932.
+
+	* Hide timing info about padding errors during handshakes.
+
+	* Improved libtls support for non-blocking sockets, added randomized
+	  session ID contexts. Work is ongoing with this library - feedback
+	  and potential use-cases are welcome.
+
+	* Support building Windows DLLs.
+	  Thanks to Jan Engelhard.
+
+	* Packaged config wrapper for better compatibility with OpenSSL-based
+	  build systems.
+	  Thanks to @technion from github
+
+	* Ensure the stack is marked non-executable for assembly sections.
+	  Thanks to Anthony G. Bastile.
+
+	* Enable extra compiler hardening flags by default, where applicable.
+	  The default set of hardening features can vary by OS to OS, so
+	  feedback is welcome on this. To disable the default hardening flags,
+	  specify '--disable-hardening' during configure.
+	  Thanks to Jim Barlow
+
+	* Initial HP-UX support, tested with HP-UX 11.31 ia64
+	  Thanks to Kinichiro Inoguchi
+
+	* Initial NetBSD support, tested with NetBSD 6.1.5 x86_64
+	  Imported from OpenNTPD, thanks to @gitisihara from github
+
+2.1.2 - Many new features and improvements
+	* Added reworked GOST cipher suite support
+	   thanks to Dmitry Eremin-Solenikov
+
+	* Enabled Camellia ciphers due to improved patent situation
+
+	* Use builtin arc4random implementation on OS X and FreeBSD
+	   this addresses some deficiencies in the native implementations of
+	   these operating systems, see commit logs for more information
+
+	* Added initial Windows mingw-w64 support (32 and 64-bit)
+	   thanks to Song Dongsheng and others for code and feedback
+
+	* Enabled assembly optimizations on x86_64 CPUs
+	   supports Linux, *BSD, Solaris and OS X operating systems
+	   thanks to Wouter Clarie for the initial implementation
+
+	* Added no_ssl3/no_tls1_1/no_tls1_2 options to openssl(1)
+
+	* Improved build infrastructure, 'make distcheck' now passes
+	   this simplifies and speeds developer efficiency
+	   thanks to Dmitry Eremin-Solenikov and Wouter Clarie
+
+	* Allow conditional building of the libtls library
+	   expect the API and ABI of the library to change
+	   feedback is welcome
+
+	* Fixes for more memory leaks, cleanups, etc.
+
+2.1.1 - Security update
+	* Address POODLE attack by disabling SSLv3 by default
+
+	* Fix Eliptical Curve cipher selection bug
+	  (https://github.com/libressl-portable/portable/issues/35)
+
+2.1.0 - First release from the OpenBSD 5.7 tree
+	* Added support for automatic ephemeral EC keys
+
+	* Fixes for many memory leaks and overflows in error handlers
+
+	* The TLS padding extension (that works around bugs in F5 terminators) is
+	  off by default
+
+	* support for getrandom(2) on Linux 3.17
+
+	* the NO_ASM macro is no longer being set, providing the first bits toward
+	  enabling other assembly offloads.
+
+2.0.5 - Fixes for CVEs from OpenSSL 1.0.1i
+	* CVE-2014-3506
+	* CVE-2014-3507
+	* CVE-2014-3508 (partially vulnerable)he
+	* CVE-2014-3509
+	* CVE-2014-3510
+	* CVE-2014-3511
+	* Synced LibreSSL Portable with the release version of OpenBSD 5.6
+
+2.0.4 - Portability fixes, deleted unused SRP code
+
+2.0.3 - Portability fixes, improvements to fork detection
+
+2.0.2 - Address arc4random fork PID wraparound issues with pthread_atfork
+
+2.0.1 - Portability fixes:
+	* Removed -Werror and and other non-portable compiler flags
+
+	* Allow setting OPENSSLDIR and ENGINSDIR
+
+2.0.0 - First release from the OpenBSD 5.6 tree
+	* Removal of many obsolete features and coding conventions from the OpenSSL
+	  1.0.1h source

Makefile.am

@@ -1,5 +1,7 @@
-SUBDIRS = crypto ssl include apps tests man
+SUBDIRS = crypto ssl tls include apps tests man
 ACLOCAL_AMFLAGS = -I m4
 
 pkgconfigdir = $(libdir)/pkgconfig
-pkgconfig_DATA = libcrypto.pc libssl.pc openssl.pc
+pkgconfig_DATA = libcrypto.pc libssl.pc libtls.pc openssl.pc
+
+EXTRA_DIST = README README.windows VERSION config scripts

Makefile.am.common

@@ -1,4 +1,2 @@
 AM_CPPFLAGS = -I$(top_srcdir)/include
-AM_CPPFLAGS += -DOPENSSL_NO_ASM
-AM_CPPFLAGS += -DHAVE_CRYPTODEV
 AM_CPPFLAGS += -DLIBRESSL_INTERNAL

OPENBSD_BRANCH

@@ -0,0 +1 @@
+OPENBSD_5_7

README

@@ -1,34 +1,50 @@
 This package is the official portable version of LibreSSL
-(http://www.libressl.org).
+	(http://www.libressl.org).
 
 LibreSSL is a fork of OpenSSL developed by the OpenBSD project
 (http://www.openbsd.org). LibreSSL is developed on OpenBSD. This
-package then adds portability shims for other operating systems. 
+package then adds portability shims for other operating systems.
 
 Official release tarballs are available at your friendly neighborhood
 OpenBSD mirror in directory LibreSSL, e.g.:
-http://ftp.openbsd.org/pub/OpenBSD/LibreSSL/
-although it is suggested you use a mirror. 
 
-Development is done in the upstream OpenBSD codebase.  A github clone
-of the official repositories is kept at:
-https://github.com/libressl-portable
-We update this repository from the OpenBSD respositories
-semi-frequently, so changes may not show up in GitHub immediately. 
-The GitHub repository should be used for informational purposes
-only.
+	http://ftp.openbsd.org/pub/OpenBSD/LibreSSL/
 
-./configure && make check && make install
+although we suggest that you use a mirror:
 
-See crypto/compat for the bulk of the local compatibility code. 
+	http://www.openbsd.org/ftp.html
 
-It will likely build on any reasonably modern version of Linux, Solaris,
-or OSX with a sane compiler and C library.
+The LibreSSL portable build framework is also mirrored in Github:
 
-Note: Our policy is generally to use your system provided intrinsics.
-If your system provides security sensitive functions (such as
-arc4random(), issetugid(), calloc(), getentropy(), and others) we will
-assume they are implemented correctly and securely. If they are
-not please contact your OS provider. 
+	https://github.com/libressl-portable/portable
 
+Please report bugs either to tech@openbsd.org, or to the github issue tracker:
 
+	https://github.com/libressl-portable/portable/issues
+
+If you have checked this source using Git, follow these initial steps to
+prepare the source tree for building:
+
+ 1. ensure you have the following packages installed:
+	automake, autoconf, bash, git, libtool, perl, pod2man
+ 2. run './autogen.sh' to prepare the source tree for building
+    or run './dist.sh' to prepare a tarball.
+
+Once you have a source tree from Git or FTP, run these commands to build and
+install the package:
+
+  ./configure   # see ./configure --help for configuration options
+  make check    # runs builtin unit tests
+  make install  # set DESTDIR= to install to an alternate location
+
+The resulting library and 'openssl' utility is largely API-compatible with
+OpenSSL 1.0.1. However, it is not ABI compatible - you will need to relink your
+programs to LibreSSL in order to use it, just as in moving from OpenSSL 0.9.8
+to 1.0.1.
+
+The project attempts to provide working alternatives for operating systems with
+limited or broken security primitives (e.g. arc4random(3), issetugid(2)) and
+assists with improving OS-native implementations where possible.
+
+LibreSSL portable will build on any reasonably modern version of Linux,
+Solaris, or OSX with a standards-compliant compiler and C library.

README.windows

@@ -0,0 +1,40 @@
+# Building
+
+For Windows systems, LibreSSL supports the mingw-w64 toolchain, which can use
+GCC or Clang as the compiler. Contrary to its name, mingw-w64 supports both
+32-bit and 64-bit build environments. If your project already uses mingw-w64,
+then LibreSSL should integrate very nicely. Old versions of the mingw-w64
+toolchain, such as the one packaged with Ubuntu 12.04, may have trouble
+building LibreSSL. Please try it with a recent toolchain if you encounter
+troubles. If you are building under Cygwin, only builds with the mingw-w64
+compiler are supported, though you can easily use Cygwin to drive the build
+process.
+
+To configure and build LibreSSL for a 32-bit system, use the following
+build steps:
+
+ CC=i686-w64-mingw32-gcc ./configure --host=i686-w64-mingw32
+ make
+ make check
+
+For 64-bit builds, use these instead:
+
+ CC=x86_64-w64-mingw32-gcc ./configure --host=x86_64-w64-mingw32
+ make
+ make check
+
+# Using Libressl with Visual Studio
+
+A script for generating ready-to-use .DLL and static .LIB files is included in
+the source repository at
+https://github.com/libressl-portable/portable/blob/master/dist-win.sh
+
+This script uses mingw-w64 to build LibreSSL and then uses Visual Studio tools
+to generate compatible library import files ready-to-use with Visual
+Studio projects. Static and dynamic libraries are included. The script uses
+cv2pdb to generate Visual Studio and windbg compatible debug files. cv2pdb is a
+tool developed for the D language and can be found here:
+https://github.com/rainers/cv2pdb
+
+Pre-build Windows binaries are available with the LibreSSL release for your
+convenience.

VERSION

@@ -1 +1 @@
-2.1.0
+2.1.7

apps/Makefile.am

@@ -0,0 +1,88 @@
+include $(top_srcdir)/Makefile.am.common
+
+bin_PROGRAMS = openssl
+
+openssl_CFLAGS = $(USER_CFLAGS)
+openssl_LDADD = $(PLATFORM_LDADD) $(PROG_LDADD)
+openssl_LDADD += $(top_builddir)/ssl/libssl.la
+openssl_LDADD += $(top_builddir)/crypto/libcrypto.la
+
+openssl_SOURCES = apps.c
+openssl_SOURCES += asn1pars.c
+openssl_SOURCES += ca.c
+openssl_SOURCES += ciphers.c
+openssl_SOURCES += cms.c
+openssl_SOURCES += crl.c
+openssl_SOURCES += crl2p7.c
+openssl_SOURCES += dgst.c
+openssl_SOURCES += dh.c
+openssl_SOURCES += dhparam.c
+openssl_SOURCES += dsa.c
+openssl_SOURCES += dsaparam.c
+openssl_SOURCES += ec.c
+openssl_SOURCES += ecparam.c
+openssl_SOURCES += enc.c
+openssl_SOURCES += engine.c
+openssl_SOURCES += errstr.c
+openssl_SOURCES += gendh.c
+openssl_SOURCES += gendsa.c
+openssl_SOURCES += genpkey.c
+openssl_SOURCES += genrsa.c
+openssl_SOURCES += nseq.c
+openssl_SOURCES += ocsp.c
+openssl_SOURCES += openssl.c
+openssl_SOURCES += passwd.c
+openssl_SOURCES += pkcs12.c
+openssl_SOURCES += pkcs7.c
+openssl_SOURCES += pkcs8.c
+openssl_SOURCES += pkey.c
+openssl_SOURCES += pkeyparam.c
+openssl_SOURCES += pkeyutl.c
+openssl_SOURCES += prime.c
+openssl_SOURCES += rand.c
+openssl_SOURCES += req.c
+openssl_SOURCES += rsa.c
+openssl_SOURCES += rsautl.c
+openssl_SOURCES += s_cb.c
+openssl_SOURCES += s_client.c
+openssl_SOURCES += s_server.c
+openssl_SOURCES += s_socket.c
+openssl_SOURCES += s_time.c
+openssl_SOURCES += sess_id.c
+openssl_SOURCES += smime.c
+openssl_SOURCES += speed.c
+openssl_SOURCES += spkac.c
+openssl_SOURCES += ts.c
+openssl_SOURCES += verify.c
+openssl_SOURCES += version.c
+openssl_SOURCES += x509.c
+
+if BUILD_CERTHASH
+openssl_SOURCES += certhash.c
+else
+openssl_SOURCES += certhash_disabled.c
+endif
+
+if HOST_WIN
+openssl_SOURCES += apps_win.c
+else
+openssl_SOURCES += apps_posix.c
+endif
+
+if !HAVE_POLL
+if HOST_WIN
+openssl_SOURCES += poll_win.c
+endif
+endif
+
+if !HAVE_STRTONUM
+openssl_SOURCES += strtonum.c
+endif
+
+noinst_HEADERS = apps.h
+noinst_HEADERS += progs.h
+noinst_HEADERS += s_apps.h
+noinst_HEADERS += testdsa.h
+noinst_HEADERS += testrsa.h
+noinst_HEADERS += timeouts.h
+noinst_HEADERS += openssl.cnf

apps/Makefile.am.tpl

@@ -1,15 +0,0 @@
-include $(top_srcdir)/Makefile.am.common
-
-bin_PROGRAMS = openssl
-
-openssl_CFLAGS = $(USER_CFLAGS)
-openssl_LDADD = $(PLATFORM_LDADD)
-openssl_LDADD += $(top_builddir)/ssl/libssl.la
-openssl_LDADD += $(top_builddir)/crypto/libcrypto.la
-
-openssl_SOURCES =
-noinst_HEADERS =
-
-if NO_STRTONUM
-openssl_SOURCES += strtonum.c
-endif

apps/apps_win.c

@@ -0,0 +1,29 @@
+/*
+ * Public domain
+ *
+ * Dongsheng Song <dongsheng.song@gmail.com>
+ * Brent Cook <bcook@openbsd.org>
+ */
+
+#include <windows.h>
+
+#include "apps.h"
+
+double
+app_tminterval(int stop, int usertime)
+{
+	static unsigned __int64 tmstart;
+	union {
+		unsigned __int64 u64;
+		FILETIME ft;
+	} ct, et, kt, ut;
+
+	GetProcessTimes(GetCurrentProcess(), &ct.ft, &et.ft, &kt.ft, &ut.ft);
+
+	if (stop == TM_START) {
+		tmstart = ut.u64 + kt.u64;
+	} else {
+		return (ut.u64 + kt.u64 - tmstart) / (double) 10000000;
+	}
+	return 0;
+}

apps/certhash_disabled.c

@@ -0,0 +1,13 @@
+/*
+ * Public domain
+ * certhash dummy implementation for platforms without symlinks
+ */
+
+#include "apps.h"
+
+int
+certhash_main(int argc, char **argv)
+{
+	fprintf(stderr, "certhash is not enabled on this platform\n");
+	return (1);
+}

apps/poll_win.c

@@ -0,0 +1,327 @@
+/*
+ * Public domain
+ *
+ * poll(2) emulation for Windows
+ *
+ * This emulates just-enough poll functionality on Windows to work in the
+ * context of the openssl(1) program. This is not a replacement for
+ * POSIX.1-2001 poll(2), though it may come closer than I care to admit.
+ *
+ * Dongsheng Song <dongsheng.song@gmail.com>
+ * Brent Cook <bcook@openbsd.org>
+ */
+
+#include <conio.h>
+#include <errno.h>
+#include <io.h>
+#include <poll.h>
+#include <ws2tcpip.h>
+
+static int
+conn_is_closed(int fd)
+{
+	char buf[1];
+	int ret = recv(fd, buf, 1, MSG_PEEK);
+	if (ret == -1) {
+		switch (WSAGetLastError()) {
+		case WSAECONNABORTED:
+		case WSAECONNRESET:
+		case WSAENETRESET:
+		case WSAESHUTDOWN:
+			return 1;
+		}
+	}
+	return 0;
+}
+
+static int
+conn_has_oob_data(int fd)
+{
+	char buf[1];
+	return (recv(fd, buf, 1, MSG_PEEK | MSG_OOB) == 1);
+}
+
+static int
+is_socket(int fd)
+{
+	if (fd < 3)
+		return 0;
+	WSANETWORKEVENTS events;
+	return (WSAEnumNetworkEvents((SOCKET)fd, NULL, &events) == 0);
+}
+
+static int
+compute_select_revents(int fd, short events,
+    fd_set *rfds, fd_set *wfds, fd_set *efds)
+{
+	int rc = 0;
+
+	if ((events & (POLLIN | POLLRDNORM | POLLRDBAND)) &&
+			FD_ISSET(fd, rfds)) {
+		if (conn_is_closed(fd))
+			rc |= POLLHUP;
+		else
+			rc |= POLLIN | POLLRDNORM;
+	}
+
+	if ((events & (POLLOUT | POLLWRNORM | POLLWRBAND)) &&
+			FD_ISSET(fd, wfds))
+		rc |= POLLOUT;
+
+	if (FD_ISSET(fd, efds)) {
+		if (conn_is_closed(fd))
+			rc |= POLLHUP;
+		else if (conn_has_oob_data(fd))
+			rc |= POLLRDBAND | POLLPRI;
+	}
+
+	return rc;
+}
+
+static int
+compute_wait_revents(HANDLE h, short events, int object, int wait_rc)
+{
+	int rc = 0;
+	INPUT_RECORD record;
+	DWORD num_read;
+
+	/*
+	 * Assume we can always write to file handles (probably a bad
+	 * assumption but works for now, at least it doesn't block).
+	 */
+	if (events & (POLLOUT | POLLWRNORM))
+		rc |= POLLOUT;
+
+	/*
+	 * Check if this handle was signaled by WaitForMultipleObjects
+	 */
+	if (wait_rc >= WAIT_OBJECT_0 && (object == (wait_rc - WAIT_OBJECT_0))
+	    && (events & (POLLIN | POLLRDNORM))) {
+
+		/*
+		 * Check if this file is stdin, and if so, if it is a console.
+		 */
+		if (h == GetStdHandle(STD_INPUT_HANDLE) &&
+		    PeekConsoleInput(h, &record, 1, &num_read) == 1) {
+
+			/*
+			 * Handle the input console buffer differently,
+			 * since it can signal on other events like
+			 * window and mouse, but read can still block.
+			 */
+			if (record.EventType == KEY_EVENT &&
+			    record.Event.KeyEvent.bKeyDown) {
+				rc |= POLLIN;
+			} else {
+				/*
+				 * Flush non-character events from the
+				 * console buffer.
+				 */
+				ReadConsoleInput(h, &record, 1, &num_read);
+			}
+		} else {
+			rc |= POLLIN;
+		}
+	}
+
+	return rc;
+}
+
+static int
+wsa_select_errno(int err)
+{
+	switch (err) {
+	case WSAEINTR:
+	case WSAEINPROGRESS:
+		errno = EINTR;
+		break;
+	case WSAEFAULT:
+		/*
+		 * Windows uses WSAEFAULT for both resource allocation failures
+		 * and arguments not being contained in the user's address
+		 * space. So, we have to choose EFAULT or ENOMEM.
+		 */
+		errno = EFAULT;
+		break;
+	case WSAEINVAL:
+		errno = EINVAL;
+		break;
+	case WSANOTINITIALISED:
+		errno = EPERM;
+		break;
+	case WSAENETDOWN:
+		errno = ENOMEM;
+		break;
+	}
+	return -1;
+}
+
+int
+poll(struct pollfd *pfds, nfds_t nfds, int timeout_ms)
+{
+	nfds_t i;
+	int timespent_ms, looptime_ms;
+
+	/*
+	 * select machinery
+	 */
+	fd_set rfds, wfds, efds;
+	int rc;
+	int num_sockets;
+
+	/*
+	 * wait machinery
+	 */
+	DWORD wait_rc;
+	HANDLE handles[FD_SETSIZE];
+	int num_handles;
+
+	if (pfds == NULL) {
+		errno = EINVAL;
+		return -1;
+	}
+
+	if (nfds <= 0) {
+		return 0;
+	}
+
+	FD_ZERO(&rfds);
+	FD_ZERO(&wfds);
+	FD_ZERO(&efds);
+	num_sockets = 0;
+	num_handles = 0;
+
+	for (i = 0; i < nfds; i++) {
+		if ((int)pfds[i].fd < 0)
+			continue;
+
+		if (is_socket(pfds[i].fd)) {
+			if (num_sockets >= FD_SETSIZE) {
+				errno = EINVAL;
+				return -1;
+			}
+
+			FD_SET(pfds[i].fd, &efds);
+
+			if (pfds[i].events &
+			    (POLLIN | POLLRDNORM | POLLRDBAND)) {
+				FD_SET(pfds[i].fd, &rfds);
+			}
+
+			if (pfds[i].events &
+			    (POLLOUT | POLLWRNORM | POLLWRBAND)) {
+				FD_SET(pfds[i].fd, &wfds);
+			}
+			num_sockets++;
+
+		} else {
+			if (num_handles >= FD_SETSIZE) {
+				errno = EINVAL;
+				return -1;
+			}
+
+			handles[num_handles++] =
+			    (HANDLE)_get_osfhandle(pfds[i].fd);
+		}
+	}
+
+	/*
+	 * Determine if the files, pipes, sockets, consoles, etc. have signaled.
+	 *
+	 * Do this by alternating a loop between WaitForMultipleObjects for
+	 * non-sockets and and select for sockets.
+	 *
+	 * I tried to implement this all in terms of WaitForMultipleObjects
+	 * with a select-based 'poll' of the sockets at the end to get extra
+	 * specific socket status.
+	 *
+	 * However, the cost of setting up an event handle for each socket and
+	 * cleaning them up reliably was pretty high. Since the event handle
+	 * associated with a socket is also global, creating a new one here
+	 * cancels one that may exist externally to this function.
+	 *
+	 * At any rate, even if global socket event handles were not an issue,
+	 * the 'FD_WRITE' status of a socket event handle does not behave in an
+	 * expected fashion, being triggered by an edge on a write buffer rather
+	 * than simply triggering if there is space available.
+	 */
+	timespent_ms = 0;
+	wait_rc = WAIT_FAILED;
+
+	if (timeout_ms < 0)
+		timeout_ms = INFINITE;
+	looptime_ms = timeout_ms > 100 ? 100 : timeout_ms;
+
+	do {
+		struct timeval tv = {0, looptime_ms * 1000};
+		int handle_signaled = 0;
+
+		/*
+		 * Check if any file handles have signaled
+		 */
+		if (num_handles) {
+			wait_rc = WaitForMultipleObjects(num_handles, handles,
+					FALSE, 0);
+			if (wait_rc == WAIT_FAILED) {
+				/*
+				 * The documentation for WaitForMultipleObjects
+				 * does not specify what values GetLastError
+				 * may return here. Rather than enumerate
+				 * badness like for wsa_select_errno, assume a
+				 * general errno value.
+				 */
+				errno = ENOMEM;
+				return 0;
+			}
+		}
+
+		/*
+		 * If we signaled on a file handle, don't wait on the sockets.
+		 */
+		if (wait_rc >= WAIT_OBJECT_0 &&
+		    (wait_rc <= WAIT_OBJECT_0 + num_handles - 1)) {
+			tv.tv_usec = 0;
+			handle_signaled = 1;
+		}
+
+		/*
+		 * Check if any sockets have signaled
+		 */
+		rc = select(0, &rfds, &wfds, &efds, &tv);
+		if (!handle_signaled && rc == SOCKET_ERROR)
+			return wsa_select_errno(WSAGetLastError());
+
+		if (handle_signaled || (num_sockets && rc > 0))
+			break;
+
+		timespent_ms += looptime_ms;
+
+	} while (timespent_ms < timeout_ms);
+
+	rc = 0;
+	num_handles = 0;
+	for (i = 0; i < nfds; i++) {
+		pfds[i].revents = 0;
+
+		if ((int)pfds[i].fd < 0)
+			continue;
+
+		if (is_socket(pfds[i].fd)) {
+
+			pfds[i].revents = compute_select_revents(pfds[i].fd,
+			    pfds[i].events, &rfds, &wfds, &efds);
+
+		} else {
+			pfds[i].revents = compute_wait_revents(
+			    handles[num_handles], pfds[i].events, num_handles,
+			    wait_rc);
+			num_handles++;
+		}
+
+		if (pfds[i].revents)
+			rc++;
+	}
+
+	return rc;
+}
+

config

@@ -0,0 +1,17 @@
+#!/bin/sh
+
+# This file exists for backwards-compatibility with build systems that expect a
+# config script similar to OpenSSL's.
+
+# New software should prefer the native configure script over this one.
+
+ARGS=""
+for var in "$@"; do
+	case $var in
+		no-shared ) ARGS="$ARGS --disable-shared";;
+		no-asm    ) ARGS="$ARGS --disable-asm";;
+		--prefix* ) ARGS="$ARGS $var";;
+	esac
+done
+
+./configure $ARGS

configure.ac

@@ -0,0 +1,331 @@
+AC_INIT([libressl], m4_esyscmd([tr -d '\n' < VERSION]))
+AC_SUBST([LIBCRYPTO_VERSION], m4_esyscmd([tr -d '\n' < crypto/VERSION]))
+AC_SUBST([LIBSSL_VERSION], m4_esyscmd([tr -d '\n' < ssl/VERSION]))
+AC_SUBST([LIBTLS_VERSION], m4_esyscmd([tr -d '\n' < tls/VERSION]))
+
+AC_CANONICAL_HOST
+AM_INIT_AUTOMAKE([subdir-objects])
+AC_CONFIG_MACRO_DIR([m4])
+
+m4_ifdef([AM_SILENT_RULES], [AM_SILENT_RULES([yes])])
+
+AC_SUBST([USER_CFLAGS], "$CFLAGS")
+CFLAGS="-Wall -std=gnu99 -g -O2"
+
+case $host_os in
+	*darwin*)
+		HOST_OS=darwin
+		HOST_ABI=macosx
+		;;
+	*freebsd*)
+		HOST_OS=freebsd
+		HOST_ABI=elf
+		AC_SUBST([PROG_LDADD], ['-lthr'])
+		;;
+	*hpux*)
+		HOST_OS=hpux;
+		CFLAGS="$CFLAGS -mlp64 -D_XOPEN_SOURCE=600 -D__STRICT_ALIGNMENT"
+		AC_SUBST([PLATFORM_LDADD], ['-lpthread'])
+		;;
+	*linux*)
+		HOST_OS=linux
+		HOST_ABI=elf
+		CFLAGS="$CFLAGS -D_DEFAULT_SOURCE -D_BSD_SOURCE -D_POSIX_SOURCE -D_GNU_SOURCE"
+		;;
+	*netbsd*)
+		HOST_OS=netbsd
+		;;
+	*openbsd*)
+		HOST_ABI=elf
+		AC_DEFINE([HAVE_ATTRIBUTE__BOUNDED__], [1], [OpenBSD gcc has bounded])
+		;;
+	*mingw*)
+		HOST_OS=win
+		CFLAGS="$CFLAGS -D_GNU_SOURCE -D_POSIX -D_POSIX_SOURCE -D_REENTRANT -D_POSIX_THREAD_SAFE_FUNCTIONS -DWIN32_LEAN_AND_MEAN -D_WIN32_WINNT=0x0600 -DOPENSSL_NO_SPEED -DNO_SYSLOG -D__USE_MINGW_ANSI_STDIO -static-libgcc"
+		LDFLAGS="$LDFLAGS -static-libgcc"
+		AC_SUBST([PLATFORM_LDADD], ['-lws2_32'])
+		;;
+	*solaris*)
+		HOST_OS=solaris
+		HOST_ABI=elf
+		CFLAGS="$CFLAGS -D__EXTENSIONS__ -D_XOPEN_SOURCE=600 -DBSD_COMP"
+		AC_SUBST([PLATFORM_LDADD], ['-lnsl -lsocket'])
+		;;
+	*) ;;
+esac
+
+AM_CONDITIONAL([HOST_DARWIN],  [test x$HOST_OS = xdarwin])
+AM_CONDITIONAL([HOST_FREEBSD], [test x$HOST_OS = xfreebsd])
+AM_CONDITIONAL([HOST_HPUX],    [test x$HOST_OS = xhpux])
+AM_CONDITIONAL([HOST_LINUX],   [test x$HOST_OS = xlinux])
+AM_CONDITIONAL([HOST_NETBSD],  [test x$HOST_OS = xnetbsd])
+AM_CONDITIONAL([HOST_SOLARIS], [test x$HOST_OS = xsolaris])
+AM_CONDITIONAL([HOST_WIN],     [test x$HOST_OS = xwin])
+
+AC_CHECK_FUNC([clock_gettime],,
+	[AC_SEARCH_LIBS([clock_gettime],[rt posix4])])
+
+AC_CHECK_FUNC([dl_iterate_phdr],,
+	[AC_SEARCH_LIBS([dl_iterate_phdr],[dl])])
+
+AC_PROG_CC
+AC_PROG_LIBTOOL
+AC_PROG_CC_STDC
+AM_PROG_CC_C_O
+
+AC_MSG_CHECKING([if compiling with clang])
+AC_COMPILE_IFELSE([AC_LANG_PROGRAM([], [[
+#ifndef __clang__
+	not clang
+#endif
+	]])],
+	[CLANG=yes],
+	[CLANG=no]
+)
+AC_MSG_RESULT([$CLANG])
+AS_IF([test "x$CLANG" = "xyes"], [CLANG_FLAGS=-Qunused-arguments])
+
+# We want to check for compiler flag support. Prior to clang v5.1, there was no
+# way to make clang's "argument unused" warning fatal.  So we invoke the
+# compiler through a wrapper script that greps for this message.
+saved_CC="$CC"
+saved_LD="$LD"
+flag_wrap="$srcdir/scripts/wrap-compiler-for-flag-check"
+CC="$flag_wrap $CC"
+LD="$flag_wrap $LD"
+
+AC_ARG_ENABLE([hardening],
+	[AS_HELP_STRING([--disable-hardening],
+			[Disable options to frustrate memory corruption exploits])],
+	[], [enable_hardening=yes])
+
+AC_ARG_ENABLE([windows-ssp],
+	[AS_HELP_STRING([--enable-windows-ssp],
+			[Enable building the stack smashing protection on
+			 Windows. This currently distributing libssp-0.dll.])])
+
+AC_DEFUN([CHECK_CFLAG], [
+	 AC_LANG_ASSERT(C)
+	 AC_MSG_CHECKING([if $saved_CC supports "$1"])
+	 old_cflags="$CFLAGS"
+	 CFLAGS="$1 -Wall -Werror"
+	 AC_TRY_LINK([
+		      #include <stdio.h>
+		      ],
+		     [printf("Hello")],
+		     AC_MSG_RESULT([yes])
+		     CFLAGS=$old_cflags
+		     HARDEN_CFLAGS="$HARDEN_CFLAGS $1",
+		     AC_MSG_RESULT([no])
+		     CFLAGS=$old_cflags
+		     [$2])
+])
+
+AC_DEFUN([CHECK_LDFLAG], [
+	 AC_LANG_ASSERT(C)
+	 AC_MSG_CHECKING([if $saved_LD supports "$1"])
+	 old_ldflags="$LDFLAGS"
+	 LDFLAGS="$1 -Wall -Werror"
+	 AC_TRY_LINK([
+		      #include <stdio.h>
+		      ],
+		     [printf("Hello")],
+		     AC_MSG_RESULT([yes])
+		     LDFLAGS=$old_ldflags
+		     HARDEN_LDFLAGS="$HARDEN_LDFLAGS $1",
+		     AC_MSG_RESULT([no])
+		     LDFLAGS=$old_ldflags
+		     [$2])
+])
+
+AS_IF([test "x$enable_hardening" = "xyes"], [
+	# Tell GCC to NOT optimize based on signed arithmetic overflow
+	CHECK_CFLAG([[-fno-strict-overflow]])
+
+	# _FORTIFY_SOURCE replaces builtin functions with safer versions.
+	CHECK_CFLAG([[-D_FORTIFY_SOURCE=2]])
+
+	# Enable read only relocations
+	CHECK_LDFLAG([[-Wl,-z,relro]])
+	CHECK_LDFLAG([[-Wl,-z,now]])
+
+	# Windows security flags
+	AS_IF([test "x$HOST_OS" = "xwin"], [
+		CHECK_LDFLAG([[-Wl,--nxcompat]])
+		CHECK_LDFLAG([[-Wl,--dynamicbase]])
+		CHECK_LDFLAG([[-Wl,--high-entropy-va]])
+	])
+
+	# Use stack-protector-strong if available; if not, fallback to
+	# stack-protector-all which is considered to be overkill
+	AS_IF([test "x$enable_windows_ssp" = "xyes" -o "x$HOST_OS" != "xwin"], [
+		CHECK_CFLAG([[-fstack-protector-strong]],
+			CHECK_CFLAG([[-fstack-protector-all]],
+				AC_MSG_WARN([compiler does not appear to support stack protection])
+			)
+		)
+		AS_IF([test "x$HOST_OS" = "xwin"], [
+			AC_SEARCH_LIBS([__stack_chk_guard],[ssp])
+		])
+	])
+])
+
+
+# Restore CC, LD
+CC="$saved_CC"
+LD="$saved_LD"
+
+CFLAGS="$CFLAGS $HARDEN_CFLAGS"
+LDFLAGS="$LDFLAGS $HARDEN_LDFLAGS"
+
+# Removing the dependency on -Wno-pointer-sign should be a goal
+save_cflags="$CFLAGS"
+CFLAGS=-Wno-pointer-sign
+AC_MSG_CHECKING([whether CC supports -Wno-pointer-sign])
+AC_COMPILE_IFELSE([AC_LANG_PROGRAM([])],
+	[AC_MSG_RESULT([yes])]
+	[AM_CFLAGS=-Wno-pointer-sign],
+	[AC_MSG_RESULT([no])]
+)
+CFLAGS="$save_cflags $AM_CFLAGS"
+
+save_cflags="$CFLAGS"
+CFLAGS=
+AC_MSG_CHECKING([whether AS supports .note.GNU-stack])
+AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
+__asm__(".section .note.GNU-stack,\"\",@progbits");]])],
+	[AC_MSG_RESULT([yes])]
+	[AM_CFLAGS=-DHAVE_GNU_STACK],
+	[AC_MSG_RESULT([no])]
+)
+CFLAGS="$save_cflags $AM_CFLAGS"
+AM_PROG_AS
+
+CFLAGS="$CFLAGS $CLANG_CFLAGS"
+LDFLAGS="$LDFLAGS $CLANG_FLAGS"
+
+AC_CHECK_FUNCS([arc4random_buf asprintf explicit_bzero funopen getauxval])
+AC_CHECK_FUNCS([getentropy issetugid memmem poll reallocarray])
+AC_CHECK_FUNCS([strlcat strlcpy strndup strnlen strsep strtonum])
+AC_CHECK_FUNCS([symlink])
+AC_CHECK_FUNCS([timingsafe_bcmp timingsafe_memcmp])
+
+# Share test results with automake
+AM_CONDITIONAL([HAVE_ARC4RANDOM_BUF], [test "x$ac_cv_func_arc4random_buf" = xyes])
+AM_CONDITIONAL([HAVE_ASPRINTF], [test "x$ac_cv_func_asprintf" = xyes])
+AM_CONDITIONAL([HAVE_EXPLICIT_BZERO], [test "x$ac_cv_func_explicit_bzero" = xyes])
+AM_CONDITIONAL([HAVE_GETENTROPY], [test "x$ac_cv_func_getentropy" = xyes])
+AM_CONDITIONAL([HAVE_ISSETUGID], [test "x$ac_cv_func_issetugid" = xyes])
+AM_CONDITIONAL([HAVE_MEMMEM], [test "x$ac_cv_func_memmem" = xyes])
+AM_CONDITIONAL([HAVE_POLL], [test "x$ac_cv_func_poll" = xyes])
+AM_CONDITIONAL([HAVE_REALLOCARRAY], [test "x$ac_cv_func_reallocarray" = xyes])
+AM_CONDITIONAL([HAVE_STRLCAT], [test "x$ac_cv_func_strlcat" = xyes])
+AM_CONDITIONAL([HAVE_STRLCPY], [test "x$ac_cv_func_strlcpy" = xyes])
+AM_CONDITIONAL([HAVE_STRNDUP], [test "x$ac_cv_func_strndup" = xyes])
+AM_CONDITIONAL([HAVE_STRNLEN], [test "x$ac_cv_func_strnlen" = xyes])
+AM_CONDITIONAL([HAVE_STRSEP], [test "x$ac_cv_func_strsep" = xyes])
+AM_CONDITIONAL([HAVE_STRTONUM], [test "x$ac_cv_func_strtonum" = xyes])
+AM_CONDITIONAL([HAVE_TIMINGSAFE_BCMP], [test "x$ac_cv_func_timingsafe_bcmp" = xyes])
+AM_CONDITIONAL([HAVE_TIMINGSAFE_MEMCMP], [test "x$ac_cv_func_timingsafe_memcmp" = xyes])
+AM_CONDITIONAL([BUILD_CERTHASH], [test "x$ac_cv_func_symlink" = xyes])
+
+# overrides for arc4random_buf implementations with known issues
+AM_CONDITIONAL([HAVE_ARC4RANDOM_BUF],
+	[test "x$HOST_OS" != xdarwin \
+	   -a "x$HOST_OS" != xfreebsd \
+	   -a "x$HOST_OS" != xnetbsd \
+	   -a "x$ac_cv_func_arc4random_buf" = xyes])
+
+# overrides for issetugid implementations with known issues
+AM_CONDITIONAL([HAVE_ISSETUGID],
+       [test "x$HOST_OS" != xdarwin \
+	  -a "x$ac_cv_func_issetugid" = xyes])
+
+AC_CACHE_CHECK([whether va_copy exists], ac_cv_have_va_copy, [
+	AC_LINK_IFELSE([AC_LANG_PROGRAM([[
+#include <stdarg.h>
+va_list x,y;
+		]], [[ va_copy(x,y); ]])],
+	[ ac_cv_have_va_copy="yes" ],
+	[ ac_cv_have_va_copy="no"
+	])
+])
+if test "x$ac_cv_have_va_copy" = "xyes" ; then
+	AC_DEFINE([HAVE_VA_COPY], [1], [Define if va_copy exists])
+fi
+
+AC_CACHE_CHECK([whether __va_copy exists], ac_cv_have___va_copy, [
+	AC_LINK_IFELSE([AC_LANG_PROGRAM([[
+#include <stdarg.h>
+va_list x,y;
+		]], [[ __va_copy(x,y); ]])],
+	[ ac_cv_have___va_copy="yes" ], [ ac_cv_have___va_copy="no"
+	])
+])
+if test "x$ac_cv_have___va_copy" = "xyes" ; then
+	AC_DEFINE([HAVE___VA_COPY], [1], [Define if __va_copy exists])
+fi
+
+AC_CHECK_HEADERS([sys/sysctl.h err.h])
+
+AC_ARG_WITH([openssldir],
+	AS_HELP_STRING([--with-openssldir],
+		       [Set the default openssl directory]),
+	AC_DEFINE_UNQUOTED(OPENSSLDIR, "$withval")
+)
+
+AC_ARG_WITH([enginesdir],
+	AS_HELP_STRING([--with-enginesdir],
+		       [Set the default engines directory (use with openssldir)]),
+	AC_DEFINE_UNQUOTED(ENGINESDIR, "$withval")
+)
+
+AC_ARG_ENABLE([asm],
+	AS_HELP_STRING([--disable-asm], [Disable assembly]))
+AM_CONDITIONAL([OPENSSL_NO_ASM], [test "x$enable_asm" = "xno"])
+
+old_cflags=$CFLAGS
+CFLAGS="$USER_CFLAGS -I$srcdir/include"
+AC_MSG_CHECKING([if BSWAP4 builds without __STRICT_ALIGNMENT])
+AC_TRY_COMPILE([#include "$srcdir/crypto/modes/modes_lcl.h"],
+	       [int a = 0; BSWAP4(a);],
+	       AC_MSG_RESULT([yes])
+	       BSWAP4=yes,
+	       AC_MSG_RESULT([no])
+	       BSWAP4=no)
+CFLAGS="$old_cflags"
+
+case $host_cpu in
+	*sparc*)
+		CFLAGS="$CFLAGS -D__STRICT_ALIGNMENT"
+		;;
+	*arm*)
+		AS_IF([test "x$BSWAP4" = "xyes"],,
+		    CFLAGS="$CFLAGS -D__STRICT_ALIGNMENT")
+		;;
+esac
+
+AM_CONDITIONAL([HOST_ASM_ELF_X86_64],
+    [test "x$HOST_ABI" = "xelf" -a "$host_cpu" = "x86_64" -a "x$enable_asm" != "xno"])
+AM_CONDITIONAL([HOST_ASM_MACOSX_X86_64],
+    [test "x$HOST_ABI" = "xmacosx" -a "$host_cpu" = "x86_64" -a "x$enable_asm" != "xno"])
+
+LT_INIT
+
+AC_CONFIG_FILES([
+	Makefile
+	include/Makefile
+	include/openssl/Makefile
+	crypto/Makefile
+	ssl/Makefile
+	tls/Makefile
+	tests/Makefile
+	apps/Makefile
+	man/Makefile
+	libcrypto.pc
+	libssl.pc
+	libtls.pc
+	openssl.pc
+])
+
+AC_OUTPUT

configure.ac.tpl

@@ -1,179 +0,0 @@
-AC_INIT([libressl], [VERSION])
-AC_CANONICAL_HOST
-AM_INIT_AUTOMAKE([subdir-objects])
-AC_CONFIG_MACRO_DIR([m4])
-
-m4_ifdef([AM_SILENT_RULES], [AM_SILENT_RULES([yes])])
-
-AC_SUBST([USER_CFLAGS], "-O2 $CFLAGS")
-CFLAGS="$CFLAGS -Wall -std=c99 -g"
-
-case $host_os in
-	*darwin*)
-		HOST_OS=darwin;
-		LDFLAGS="$LDFLAGS -Qunused-arguments"
-		;;
-	*linux*)
-		HOST_OS=linux;
-		CFLAGS="$CFLAGS -D_BSD_SOURCE -D_POSIX_SOURCE -D_GNU_SOURCE"
-		;;
-	*solaris*)
-		HOST_OS=solaris;
-		CFLAGS="$CFLAGS -D__EXTENSIONS__ -D_XOPEN_SOURCE=600 -DBSD_COMP"
-		AC_SUBST([PLATFORM_LDADD], ['-lnsl -lsocket'])
-		;;
-	*openbsd*)
-		AC_DEFINE([HAVE_ATTRIBUTE__BOUNDED__], [1], [OpenBSD gcc has bounded])
-		;;
-	*mingw*)
-		HOST_OS=win32
-		;;
-	*) ;;
-esac
-
-AM_CONDITIONAL(HOST_DARWIN, test x$HOST_OS = xdarwin)
-AM_CONDITIONAL(HOST_LINUX, test x$HOST_OS = xlinux)
-AM_CONDITIONAL(HOST_SOLARIS, test x$HOST_OS = xsolaris)
-AM_CONDITIONAL(HOST_WIN, test x$HOST_OS = xwin)
-
-AC_CHECK_FUNC([clock_gettime],,
-	[AC_SEARCH_LIBS([clock_gettime],[rt posix4])])
-
-AC_CHECK_FUNC([dl_iterate_phdr],,
-	[AC_SEARCH_LIBS([dl_iterate_phdr],[dl])])
-
-AC_PROG_CC
-AC_PROG_LIBTOOL
-AC_PROG_CC_STDC
-AM_PROG_CC_C_O
-
-save_cflags="$CFLAGS"
-CFLAGS=-Wno-pointer-sign
-AC_MSG_CHECKING([whether CC supports -Wno-pointer-sign])
-AC_COMPILE_IFELSE([AC_LANG_PROGRAM([])],
-	[AC_MSG_RESULT([yes])]
-	[AM_CFLAGS=-Wno-pointer-sign],
-	[AC_MSG_RESULT([no])]
-)
-CFLAGS="$save_cflags $AM_CFLAGS"
-
-AC_CHECK_FUNC(strlcpy, 
-	AM_CONDITIONAL(NO_STRLCPY, false),
-	AC_DEFINE(NO_STRLCPY)
-	AM_CONDITIONAL(NO_STRLCPY, true))
-
-AC_CHECK_FUNC(strlcat,
-	AM_CONDITIONAL(NO_STRLCAT, false),
-	AC_DEFINE(NO_STRLCAT)
-	AM_CONDITIONAL(NO_STRLCAT, true))
-
-AC_CHECK_FUNC(strndup,
-	AM_CONDITIONAL(NO_STRNDUP, false),
-	AC_DEFINE(NO_STRNDUP)
-	AM_CONDITIONAL(NO_STRNDUP, true))
-
-AC_CHECK_FUNC(asprintf,
-	AM_CONDITIONAL(NO_ASPRINTF, false),
-	AC_DEFINE(NO_ASPRINTF)
-	AM_CONDITIONAL(NO_ASPRINTF, true))
-
-AC_CHECK_FUNC(reallocarray,
-	AM_CONDITIONAL(NO_REALLOCARRAY, false),
-	AC_DEFINE(NO_REALLOCARRAY)
-	AM_CONDITIONAL(NO_REALLOCARRAY, true))
-
-AC_CHECK_FUNC(timingsafe_bcmp,
-	AM_CONDITIONAL(NO_TIMINGSAFE_BCMP, false),
-	AC_DEFINE(NO_TIMINGSAFE_BCMP)
-	AM_CONDITIONAL(NO_TIMINGSAFE_BCMP, true))
-
-AC_CHECK_FUNC(timingsafe_memcmp,
-	AM_CONDITIONAL(NO_TIMINGSAFE_MEMCMP, false),
-	AC_DEFINE(NO_TIMINGSAFE_MEMCMP)
-	AM_CONDITIONAL(NO_TIMINGSAFE_MEMCMP, true))
-
-AC_CHECK_FUNC(arc4random_buf,
-	AM_CONDITIONAL(NO_ARC4RANDOM_BUF, false),
-	AC_DEFINE(NO_ARC4RANDOM_BUF)
-	AM_CONDITIONAL(NO_ARC4RANDOM_BUF, true))
-
-AC_CHECK_FUNC(getentropy,
-	AM_CONDITIONAL(NO_GETENTROPY, false),
-	AC_DEFINE(NO_GETENTROPY)
-	AM_CONDITIONAL(NO_GETENTROPY, true))
-
-AC_CHECK_FUNC(issetugid,
-	AM_CONDITIONAL(NO_ISSETUGID, false),
-	AC_DEFINE(NO_ISSETUGID)
-	AM_CONDITIONAL(NO_ISSETUGID, true))
-
-AC_CHECK_FUNC(strtonum,
-	AM_CONDITIONAL(NO_STRTONUM, false),
-	AC_DEFINE(NO_STRTONUM)
-	AM_CONDITIONAL(NO_STRTONUM, true))
-
-AC_CHECK_FUNC(explicit_bzero,
-	AM_CONDITIONAL(NO_EXPLICIT_BZERO, false),
-	AC_DEFINE(NO_EXPLICIT_BZERO)
-	AM_CONDITIONAL(NO_EXPLICIT_BZERO, true))
-
-AC_CACHE_CHECK([whether va_copy exists], ac_cv_have_va_copy, [
-	AC_LINK_IFELSE([AC_LANG_PROGRAM([[
-#include <stdarg.h>
-va_list x,y;
-		]], [[ va_copy(x,y); ]])],
-	[ ac_cv_have_va_copy="yes" ],
-	[ ac_cv_have_va_copy="no"
-	])
-])
-if test "x$ac_cv_have_va_copy" = "xyes" ; then
-	AC_DEFINE([HAVE_VA_COPY], [1], [Define if va_copy exists])
-fi
-
-AC_CACHE_CHECK([whether __va_copy exists], ac_cv_have___va_copy, [
-	AC_LINK_IFELSE([AC_LANG_PROGRAM([[
-#include <stdarg.h>
-va_list x,y;
-		]], [[ __va_copy(x,y); ]])],
-	[ ac_cv_have___va_copy="yes" ], [ ac_cv_have___va_copy="no"
-	])
-])
-if test "x$ac_cv_have___va_copy" = "xyes" ; then
-	AC_DEFINE([HAVE___VA_COPY], [1], [Define if __va_copy exists])
-fi
-
-AC_CHECK_FUNC(getauxval, AC_DEFINE(HAVE_GETAUXVAL))
-
-AC_CHECK_FUNC(funopen, AC_DEFINE(HAVE_FUNOPEN))
-
-AC_CHECK_HEADER(sys/sysctl.h, AC_DEFINE(HAVE_SYS_SYSCTL_H))
-
-AC_CHECK_HEADER(err.h, AC_DEFINE(HAVE_ERR_H))
-
-AC_ARG_WITH([openssldir],
-	AS_HELP_STRING([--with-openssldir], [Set the default openssl directory]),
-	AC_DEFINE_UNQUOTED(OPENSSLDIR, "$withval")
-)
-
-AC_ARG_WITH([enginesdir],
-	AS_HELP_STRING([--with-enginesdir], [Set the default engines directory (use with openssldir)]),
-	AC_DEFINE_UNQUOTED(ENGINESDIR, "$withval")
-)
-
-LT_INIT
-
-AC_CONFIG_FILES([
-	Makefile
-	include/Makefile
-	include/openssl/Makefile
-	ssl/Makefile
-	crypto/Makefile
-	tests/Makefile
-	apps/Makefile
-	man/Makefile
-	libcrypto.pc
-	libssl.pc
-	openssl.pc
-])
-
-AC_OUTPUT

crypto/Makefile.am

@@ -0,0 +1,838 @@
+include $(top_srcdir)/Makefile.am.common
+
+AM_CPPFLAGS += -I$(top_srcdir)/crypto/asn1
+AM_CPPFLAGS += -I$(top_srcdir)/crypto/evp
+AM_CPPFLAGS += -I$(top_srcdir)/crypto/modes
+
+lib_LTLIBRARIES = libcrypto.la
+
+EXTRA_DIST = VERSION
+
+libcrypto_la_LDFLAGS = -version-info @LIBCRYPTO_VERSION@ -no-undefined
+libcrypto_la_LIBADD = libcompat.la libcompatnoopt.la
+libcrypto_la_CFLAGS = $(CFLAGS) $(USER_CFLAGS)
+libcrypto_la_CFLAGS += -DOPENSSL_NO_HW_PADLOCK
+if OPENSSL_NO_ASM
+libcrypto_la_CFLAGS += -DOPENSSL_NO_ASM
+else
+if HOST_WIN
+libcrypto_la_CFLAGS += -DOPENSSL_NO_ASM
+endif
+endif
+
+noinst_LTLIBRARIES = libcompat.la libcompatnoopt.la
+
+# compatibility functions that need to be built without optimizations
+libcompatnoopt_la_CFLAGS = -O0
+libcompatnoopt_la_SOURCES =
+
+if !HAVE_EXPLICIT_BZERO
+libcompatnoopt_la_SOURCES += compat/explicit_bzero.c
+endif
+
+# other compatibility functions
+libcompat_la_CFLAGS = $(CFLAGS) $(USER_CFLAGS)
+libcompat_la_SOURCES =
+libcompat_la_LIBADD = $(PLATFORM_LDADD)
+
+if !HAVE_STRLCAT
+libcompat_la_SOURCES += compat/strlcat.c
+endif
+
+if !HAVE_STRLCPY
+libcompat_la_SOURCES += compat/strlcpy.c
+endif
+
+if !HAVE_STRNDUP
+libcompat_la_SOURCES += compat/strndup.c
+# the only user of strnlen is strndup, so only build it if needed
+if !HAVE_STRNLEN
+libcompat_la_SOURCES += compat/strnlen.c
+endif
+endif
+
+if !HAVE_ASPRINTF
+libcompat_la_SOURCES += compat/bsd-asprintf.c
+endif
+
+if !HAVE_REALLOCARRAY
+libcompat_la_SOURCES += compat/reallocarray.c
+endif
+
+if !HAVE_TIMINGSAFE_MEMCMP
+libcompat_la_SOURCES += compat/timingsafe_memcmp.c
+endif
+
+if !HAVE_TIMINGSAFE_BCMP
+libcompat_la_SOURCES += compat/timingsafe_bcmp.c
+endif
+
+if !HAVE_ARC4RANDOM_BUF
+libcompat_la_SOURCES += compat/arc4random.c
+
+if !HAVE_GETENTROPY
+if HOST_FREEBSD
+libcompat_la_SOURCES += compat/getentropy_freebsd.c
+endif
+if HOST_HPUX
+libcompat_la_SOURCES += compat/getentropy_hpux.c
+endif
+if HOST_LINUX
+libcompat_la_SOURCES += compat/getentropy_linux.c
+endif
+if HOST_NETBSD
+libcompat_la_SOURCES += compat/getentropy_netbsd.c
+endif
+if HOST_DARWIN
+libcompat_la_SOURCES += compat/getentropy_osx.c
+endif
+if HOST_SOLARIS
+libcompat_la_SOURCES += compat/getentropy_solaris.c
+endif
+if HOST_WIN
+libcompat_la_SOURCES += compat/getentropy_win.c
+endif
+endif
+
+endif
+
+if !HAVE_ISSETUGID
+if HOST_LINUX
+libcompat_la_SOURCES += compat/issetugid_linux.c
+endif
+if HOST_HPUX
+libcompat_la_SOURCES += compat/issetugid_hpux.c
+endif
+if HOST_DARWIN
+libcompat_la_SOURCES += compat/issetugid_osx.c
+endif
+if HOST_WIN
+libcompat_la_SOURCES += compat/issetugid_win.c
+endif
+endif
+
+noinst_HEADERS =
+noinst_HEADERS += compat/arc4random.h
+noinst_HEADERS += compat/arc4random_freebsd.h
+noinst_HEADERS += compat/arc4random_hpux.h
+noinst_HEADERS += compat/arc4random_linux.h
+noinst_HEADERS += compat/arc4random_netbsd.h
+noinst_HEADERS += compat/arc4random_osx.h
+noinst_HEADERS += compat/arc4random_solaris.h
+noinst_HEADERS += compat/arc4random_win.h
+noinst_HEADERS += compat/chacha_private.h
+
+libcrypto_la_SOURCES =
+EXTRA_libcrypto_la_SOURCES =
+
+include Makefile.am.elf-x86_64
+include Makefile.am.macosx-x86_64
+
+if !HOST_ASM_ELF_X86_64
+if !HOST_ASM_MACOSX_X86_64
+libcrypto_la_SOURCES += aes/aes_cbc.c
+libcrypto_la_SOURCES += aes/aes_core.c
+libcrypto_la_SOURCES += camellia/camellia.c
+libcrypto_la_SOURCES += camellia/cmll_cbc.c
+libcrypto_la_SOURCES += rc4/rc4_enc.c
+libcrypto_la_SOURCES += rc4/rc4_skey.c
+libcrypto_la_SOURCES += whrlpool/wp_block.c
+endif
+endif
+
+libcrypto_la_SOURCES += cpt_err.c
+libcrypto_la_SOURCES += cryptlib.c
+libcrypto_la_SOURCES += cversion.c
+libcrypto_la_SOURCES += ex_data.c
+libcrypto_la_SOURCES += malloc-wrapper.c
+libcrypto_la_SOURCES += mem_clr.c
+libcrypto_la_SOURCES += mem_dbg.c
+libcrypto_la_SOURCES += o_init.c
+libcrypto_la_SOURCES += o_str.c
+libcrypto_la_SOURCES += o_time.c
+noinst_HEADERS += cryptlib.h
+noinst_HEADERS += md32_common.h
+noinst_HEADERS += o_time.h
+
+# aes
+libcrypto_la_SOURCES += aes/aes_cfb.c
+libcrypto_la_SOURCES += aes/aes_ctr.c
+libcrypto_la_SOURCES += aes/aes_ecb.c
+libcrypto_la_SOURCES += aes/aes_ige.c
+libcrypto_la_SOURCES += aes/aes_misc.c
+libcrypto_la_SOURCES += aes/aes_ofb.c
+libcrypto_la_SOURCES += aes/aes_wrap.c
+noinst_HEADERS += aes/aes_locl.h
+
+# asn1
+libcrypto_la_SOURCES += asn1/a_bitstr.c
+libcrypto_la_SOURCES += asn1/a_bool.c
+libcrypto_la_SOURCES += asn1/a_bytes.c
+libcrypto_la_SOURCES += asn1/a_d2i_fp.c
+libcrypto_la_SOURCES += asn1/a_digest.c
+libcrypto_la_SOURCES += asn1/a_dup.c
+libcrypto_la_SOURCES += asn1/a_enum.c
+libcrypto_la_SOURCES += asn1/a_gentm.c
+libcrypto_la_SOURCES += asn1/a_i2d_fp.c
+libcrypto_la_SOURCES += asn1/a_int.c
+libcrypto_la_SOURCES += asn1/a_mbstr.c
+libcrypto_la_SOURCES += asn1/a_object.c
+libcrypto_la_SOURCES += asn1/a_octet.c
+libcrypto_la_SOURCES += asn1/a_print.c
+libcrypto_la_SOURCES += asn1/a_set.c
+libcrypto_la_SOURCES += asn1/a_sign.c
+libcrypto_la_SOURCES += asn1/a_strex.c
+libcrypto_la_SOURCES += asn1/a_strnid.c
+libcrypto_la_SOURCES += asn1/a_time.c
+libcrypto_la_SOURCES += asn1/a_type.c
+libcrypto_la_SOURCES += asn1/a_utctm.c
+libcrypto_la_SOURCES += asn1/a_utf8.c
+libcrypto_la_SOURCES += asn1/a_verify.c
+libcrypto_la_SOURCES += asn1/ameth_lib.c
+libcrypto_la_SOURCES += asn1/asn1_err.c
+libcrypto_la_SOURCES += asn1/asn1_gen.c
+libcrypto_la_SOURCES += asn1/asn1_lib.c
+libcrypto_la_SOURCES += asn1/asn1_par.c
+libcrypto_la_SOURCES += asn1/asn_mime.c
+libcrypto_la_SOURCES += asn1/asn_moid.c
+libcrypto_la_SOURCES += asn1/asn_pack.c
+libcrypto_la_SOURCES += asn1/bio_asn1.c
+libcrypto_la_SOURCES += asn1/bio_ndef.c
+libcrypto_la_SOURCES += asn1/d2i_pr.c
+libcrypto_la_SOURCES += asn1/d2i_pu.c
+libcrypto_la_SOURCES += asn1/evp_asn1.c
+libcrypto_la_SOURCES += asn1/f_enum.c
+libcrypto_la_SOURCES += asn1/f_int.c
+libcrypto_la_SOURCES += asn1/f_string.c
+libcrypto_la_SOURCES += asn1/i2d_pr.c
+libcrypto_la_SOURCES += asn1/i2d_pu.c
+libcrypto_la_SOURCES += asn1/n_pkey.c
+libcrypto_la_SOURCES += asn1/nsseq.c
+libcrypto_la_SOURCES += asn1/p5_pbe.c
+libcrypto_la_SOURCES += asn1/p5_pbev2.c
+libcrypto_la_SOURCES += asn1/p8_pkey.c
+libcrypto_la_SOURCES += asn1/t_bitst.c
+libcrypto_la_SOURCES += asn1/t_crl.c
+libcrypto_la_SOURCES += asn1/t_pkey.c
+libcrypto_la_SOURCES += asn1/t_req.c
+libcrypto_la_SOURCES += asn1/t_spki.c
+libcrypto_la_SOURCES += asn1/t_x509.c
+libcrypto_la_SOURCES += asn1/t_x509a.c
+libcrypto_la_SOURCES += asn1/tasn_dec.c
+libcrypto_la_SOURCES += asn1/tasn_enc.c
+libcrypto_la_SOURCES += asn1/tasn_fre.c
+libcrypto_la_SOURCES += asn1/tasn_new.c
+libcrypto_la_SOURCES += asn1/tasn_prn.c
+libcrypto_la_SOURCES += asn1/tasn_typ.c
+libcrypto_la_SOURCES += asn1/tasn_utl.c
+libcrypto_la_SOURCES += asn1/x_algor.c
+libcrypto_la_SOURCES += asn1/x_attrib.c
+libcrypto_la_SOURCES += asn1/x_bignum.c
+libcrypto_la_SOURCES += asn1/x_crl.c
+libcrypto_la_SOURCES += asn1/x_exten.c
+libcrypto_la_SOURCES += asn1/x_info.c
+libcrypto_la_SOURCES += asn1/x_long.c
+libcrypto_la_SOURCES += asn1/x_name.c
+libcrypto_la_SOURCES += asn1/x_nx509.c
+libcrypto_la_SOURCES += asn1/x_pkey.c
+libcrypto_la_SOURCES += asn1/x_pubkey.c
+libcrypto_la_SOURCES += asn1/x_req.c
+libcrypto_la_SOURCES += asn1/x_sig.c
+libcrypto_la_SOURCES += asn1/x_spki.c
+libcrypto_la_SOURCES += asn1/x_val.c
+libcrypto_la_SOURCES += asn1/x_x509.c
+libcrypto_la_SOURCES += asn1/x_x509a.c
+noinst_HEADERS += asn1/asn1_locl.h
+noinst_HEADERS += asn1/charmap.h
+
+# bf
+libcrypto_la_SOURCES += bf/bf_cfb64.c
+libcrypto_la_SOURCES += bf/bf_ecb.c
+libcrypto_la_SOURCES += bf/bf_enc.c
+libcrypto_la_SOURCES += bf/bf_ofb64.c
+libcrypto_la_SOURCES += bf/bf_skey.c
+noinst_HEADERS += bf/bf_locl.h
+noinst_HEADERS += bf/bf_pi.h
+
+# bio
+libcrypto_la_SOURCES += bio/b_dump.c
+if !HOST_WIN
+libcrypto_la_SOURCES += bio/b_posix.c
+endif
+libcrypto_la_SOURCES += bio/b_print.c
+libcrypto_la_SOURCES += bio/b_sock.c
+if HOST_WIN
+libcrypto_la_SOURCES += bio/b_win.c
+endif
+libcrypto_la_SOURCES += bio/bf_buff.c
+libcrypto_la_SOURCES += bio/bf_nbio.c
+libcrypto_la_SOURCES += bio/bf_null.c
+libcrypto_la_SOURCES += bio/bio_cb.c
+libcrypto_la_SOURCES += bio/bio_err.c
+libcrypto_la_SOURCES += bio/bio_lib.c
+libcrypto_la_SOURCES += bio/bss_acpt.c
+libcrypto_la_SOURCES += bio/bss_bio.c
+libcrypto_la_SOURCES += bio/bss_conn.c
+libcrypto_la_SOURCES += bio/bss_dgram.c
+libcrypto_la_SOURCES += bio/bss_fd.c
+libcrypto_la_SOURCES += bio/bss_file.c
+libcrypto_la_SOURCES += bio/bss_log.c
+libcrypto_la_SOURCES += bio/bss_mem.c
+libcrypto_la_SOURCES += bio/bss_null.c
+libcrypto_la_SOURCES += bio/bss_sock.c
+
+# bn
+libcrypto_la_SOURCES += bn/bn_add.c
+libcrypto_la_SOURCES += bn/bn_asm.c
+libcrypto_la_SOURCES += bn/bn_blind.c
+libcrypto_la_SOURCES += bn/bn_const.c
+libcrypto_la_SOURCES += bn/bn_ctx.c
+libcrypto_la_SOURCES += bn/bn_depr.c
+libcrypto_la_SOURCES += bn/bn_div.c
+libcrypto_la_SOURCES += bn/bn_err.c
+libcrypto_la_SOURCES += bn/bn_exp.c
+libcrypto_la_SOURCES += bn/bn_exp2.c
+libcrypto_la_SOURCES += bn/bn_gcd.c
+libcrypto_la_SOURCES += bn/bn_gf2m.c
+libcrypto_la_SOURCES += bn/bn_kron.c
+libcrypto_la_SOURCES += bn/bn_lib.c
+libcrypto_la_SOURCES += bn/bn_mod.c
+libcrypto_la_SOURCES += bn/bn_mont.c
+libcrypto_la_SOURCES += bn/bn_mpi.c
+libcrypto_la_SOURCES += bn/bn_mul.c
+libcrypto_la_SOURCES += bn/bn_nist.c
+libcrypto_la_SOURCES += bn/bn_prime.c
+libcrypto_la_SOURCES += bn/bn_print.c
+libcrypto_la_SOURCES += bn/bn_rand.c
+libcrypto_la_SOURCES += bn/bn_recp.c
+libcrypto_la_SOURCES += bn/bn_shift.c
+libcrypto_la_SOURCES += bn/bn_sqr.c
+libcrypto_la_SOURCES += bn/bn_sqrt.c
+libcrypto_la_SOURCES += bn/bn_word.c
+libcrypto_la_SOURCES += bn/bn_x931p.c
+noinst_HEADERS += bn/bn_lcl.h
+noinst_HEADERS += bn/bn_prime.h
+
+# buffer
+libcrypto_la_SOURCES += buffer/buf_err.c
+libcrypto_la_SOURCES += buffer/buf_str.c
+libcrypto_la_SOURCES += buffer/buffer.c
+
+# camellia
+libcrypto_la_SOURCES += camellia/cmll_cfb.c
+libcrypto_la_SOURCES += camellia/cmll_ctr.c
+libcrypto_la_SOURCES += camellia/cmll_ecb.c
+libcrypto_la_SOURCES += camellia/cmll_misc.c
+libcrypto_la_SOURCES += camellia/cmll_ofb.c
+noinst_HEADERS += camellia/camellia.h
+noinst_HEADERS += camellia/cmll_locl.h
+
+# cast
+libcrypto_la_SOURCES += cast/c_cfb64.c
+libcrypto_la_SOURCES += cast/c_ecb.c
+libcrypto_la_SOURCES += cast/c_enc.c
+libcrypto_la_SOURCES += cast/c_ofb64.c
+libcrypto_la_SOURCES += cast/c_skey.c
+noinst_HEADERS += cast/cast_lcl.h
+noinst_HEADERS += cast/cast_s.h
+
+# chacha
+EXTRA_libcrypto_la_SOURCES += chacha/chacha-merged.c
+libcrypto_la_SOURCES += chacha/chacha.c
+
+# cmac
+libcrypto_la_SOURCES += cmac/cm_ameth.c
+libcrypto_la_SOURCES += cmac/cm_pmeth.c
+libcrypto_la_SOURCES += cmac/cmac.c
+
+# comp
+libcrypto_la_SOURCES += comp/c_rle.c
+libcrypto_la_SOURCES += comp/c_zlib.c
+libcrypto_la_SOURCES += comp/comp_err.c
+libcrypto_la_SOURCES += comp/comp_lib.c
+
+# conf
+libcrypto_la_SOURCES += conf/conf_api.c
+libcrypto_la_SOURCES += conf/conf_def.c
+libcrypto_la_SOURCES += conf/conf_err.c
+libcrypto_la_SOURCES += conf/conf_lib.c
+libcrypto_la_SOURCES += conf/conf_mall.c
+libcrypto_la_SOURCES += conf/conf_mod.c
+libcrypto_la_SOURCES += conf/conf_sap.c
+noinst_HEADERS += conf/conf_def.h
+
+# des
+libcrypto_la_SOURCES += des/cbc_cksm.c
+libcrypto_la_SOURCES += des/cbc_enc.c
+libcrypto_la_SOURCES += des/cfb64ede.c
+libcrypto_la_SOURCES += des/cfb64enc.c
+libcrypto_la_SOURCES += des/cfb_enc.c
+libcrypto_la_SOURCES += des/des_enc.c
+libcrypto_la_SOURCES += des/ecb3_enc.c
+libcrypto_la_SOURCES += des/ecb_enc.c
+libcrypto_la_SOURCES += des/ede_cbcm_enc.c
+libcrypto_la_SOURCES += des/enc_read.c
+libcrypto_la_SOURCES += des/enc_writ.c
+libcrypto_la_SOURCES += des/fcrypt.c
+libcrypto_la_SOURCES += des/fcrypt_b.c
+EXTRA_libcrypto_la_SOURCES += des/ncbc_enc.c
+libcrypto_la_SOURCES += des/ofb64ede.c
+libcrypto_la_SOURCES += des/ofb64enc.c
+libcrypto_la_SOURCES += des/ofb_enc.c
+libcrypto_la_SOURCES += des/pcbc_enc.c
+libcrypto_la_SOURCES += des/qud_cksm.c
+libcrypto_la_SOURCES += des/rand_key.c
+libcrypto_la_SOURCES += des/set_key.c
+libcrypto_la_SOURCES += des/str2key.c
+libcrypto_la_SOURCES += des/xcbc_enc.c
+noinst_HEADERS += des/des_locl.h
+noinst_HEADERS += des/spr.h
+
+# dh
+libcrypto_la_SOURCES += dh/dh_ameth.c
+libcrypto_la_SOURCES += dh/dh_asn1.c
+libcrypto_la_SOURCES += dh/dh_check.c
+libcrypto_la_SOURCES += dh/dh_depr.c
+libcrypto_la_SOURCES += dh/dh_err.c
+libcrypto_la_SOURCES += dh/dh_gen.c
+libcrypto_la_SOURCES += dh/dh_key.c
+libcrypto_la_SOURCES += dh/dh_lib.c
+libcrypto_la_SOURCES += dh/dh_pmeth.c
+libcrypto_la_SOURCES += dh/dh_prn.c
+
+# dsa
+libcrypto_la_SOURCES += dsa/dsa_ameth.c
+libcrypto_la_SOURCES += dsa/dsa_asn1.c
+libcrypto_la_SOURCES += dsa/dsa_depr.c
+libcrypto_la_SOURCES += dsa/dsa_err.c
+libcrypto_la_SOURCES += dsa/dsa_gen.c
+libcrypto_la_SOURCES += dsa/dsa_key.c
+libcrypto_la_SOURCES += dsa/dsa_lib.c
+libcrypto_la_SOURCES += dsa/dsa_ossl.c
+libcrypto_la_SOURCES += dsa/dsa_pmeth.c
+libcrypto_la_SOURCES += dsa/dsa_prn.c
+libcrypto_la_SOURCES += dsa/dsa_sign.c
+libcrypto_la_SOURCES += dsa/dsa_vrf.c
+noinst_HEADERS += dsa/dsa_locl.h
+
+# dso
+libcrypto_la_SOURCES += dso/dso_dlfcn.c
+libcrypto_la_SOURCES += dso/dso_err.c
+libcrypto_la_SOURCES += dso/dso_lib.c
+libcrypto_la_SOURCES += dso/dso_null.c
+libcrypto_la_SOURCES += dso/dso_openssl.c
+
+# ec
+libcrypto_la_SOURCES += ec/ec2_mult.c
+libcrypto_la_SOURCES += ec/ec2_oct.c
+libcrypto_la_SOURCES += ec/ec2_smpl.c
+libcrypto_la_SOURCES += ec/ec_ameth.c
+libcrypto_la_SOURCES += ec/ec_asn1.c
+libcrypto_la_SOURCES += ec/ec_check.c
+libcrypto_la_SOURCES += ec/ec_curve.c
+libcrypto_la_SOURCES += ec/ec_cvt.c
+libcrypto_la_SOURCES += ec/ec_err.c
+libcrypto_la_SOURCES += ec/ec_key.c
+libcrypto_la_SOURCES += ec/ec_lib.c
+libcrypto_la_SOURCES += ec/ec_mult.c
+libcrypto_la_SOURCES += ec/ec_oct.c
+libcrypto_la_SOURCES += ec/ec_pmeth.c
+libcrypto_la_SOURCES += ec/ec_print.c
+libcrypto_la_SOURCES += ec/eck_prn.c
+libcrypto_la_SOURCES += ec/ecp_mont.c
+libcrypto_la_SOURCES += ec/ecp_nist.c
+libcrypto_la_SOURCES += ec/ecp_oct.c
+libcrypto_la_SOURCES += ec/ecp_smpl.c
+noinst_HEADERS += ec/ec_lcl.h
+
+# ecdh
+libcrypto_la_SOURCES += ecdh/ech_err.c
+libcrypto_la_SOURCES += ecdh/ech_key.c
+libcrypto_la_SOURCES += ecdh/ech_lib.c
+libcrypto_la_SOURCES += ecdh/ech_ossl.c
+noinst_HEADERS += ecdh/ech_locl.h
+
+# ecdsa
+libcrypto_la_SOURCES += ecdsa/ecs_asn1.c
+libcrypto_la_SOURCES += ecdsa/ecs_err.c
+libcrypto_la_SOURCES += ecdsa/ecs_lib.c
+libcrypto_la_SOURCES += ecdsa/ecs_ossl.c
+libcrypto_la_SOURCES += ecdsa/ecs_sign.c
+libcrypto_la_SOURCES += ecdsa/ecs_vrf.c
+noinst_HEADERS += ecdsa/ecs_locl.h
+
+# engine
+libcrypto_la_SOURCES += engine/eng_all.c
+libcrypto_la_SOURCES += engine/eng_cnf.c
+libcrypto_la_SOURCES += engine/eng_ctrl.c
+libcrypto_la_SOURCES += engine/eng_dyn.c
+libcrypto_la_SOURCES += engine/eng_err.c
+libcrypto_la_SOURCES += engine/eng_fat.c
+libcrypto_la_SOURCES += engine/eng_init.c
+libcrypto_la_SOURCES += engine/eng_lib.c
+libcrypto_la_SOURCES += engine/eng_list.c
+libcrypto_la_SOURCES += engine/eng_openssl.c
+libcrypto_la_SOURCES += engine/eng_pkey.c
+libcrypto_la_SOURCES += engine/eng_rsax.c
+libcrypto_la_SOURCES += engine/eng_table.c
+libcrypto_la_SOURCES += engine/tb_asnmth.c
+libcrypto_la_SOURCES += engine/tb_cipher.c
+libcrypto_la_SOURCES += engine/tb_dh.c
+libcrypto_la_SOURCES += engine/tb_digest.c
+libcrypto_la_SOURCES += engine/tb_dsa.c
+libcrypto_la_SOURCES += engine/tb_ecdh.c
+libcrypto_la_SOURCES += engine/tb_ecdsa.c
+libcrypto_la_SOURCES += engine/tb_pkmeth.c
+libcrypto_la_SOURCES += engine/tb_rand.c
+libcrypto_la_SOURCES += engine/tb_rsa.c
+libcrypto_la_SOURCES += engine/tb_store.c
+noinst_HEADERS += engine/eng_int.h
+
+# err
+libcrypto_la_SOURCES += err/err.c
+libcrypto_la_SOURCES += err/err_all.c
+libcrypto_la_SOURCES += err/err_prn.c
+
+# evp
+libcrypto_la_SOURCES += evp/bio_b64.c
+libcrypto_la_SOURCES += evp/bio_enc.c
+libcrypto_la_SOURCES += evp/bio_md.c
+libcrypto_la_SOURCES += evp/c_all.c
+libcrypto_la_SOURCES += evp/digest.c
+libcrypto_la_SOURCES += evp/e_aes.c
+libcrypto_la_SOURCES += evp/e_aes_cbc_hmac_sha1.c
+libcrypto_la_SOURCES += evp/e_bf.c
+libcrypto_la_SOURCES += evp/e_camellia.c
+libcrypto_la_SOURCES += evp/e_cast.c
+libcrypto_la_SOURCES += evp/e_chacha.c
+libcrypto_la_SOURCES += evp/e_chacha20poly1305.c
+libcrypto_la_SOURCES += evp/e_des.c
+libcrypto_la_SOURCES += evp/e_des3.c
+libcrypto_la_SOURCES += evp/e_gost2814789.c
+libcrypto_la_SOURCES += evp/e_idea.c
+libcrypto_la_SOURCES += evp/e_null.c
+libcrypto_la_SOURCES += evp/e_old.c
+libcrypto_la_SOURCES += evp/e_rc2.c
+libcrypto_la_SOURCES += evp/e_rc4.c
+libcrypto_la_SOURCES += evp/e_rc4_hmac_md5.c
+libcrypto_la_SOURCES += evp/e_xcbc_d.c
+libcrypto_la_SOURCES += evp/encode.c
+libcrypto_la_SOURCES += evp/evp_aead.c
+libcrypto_la_SOURCES += evp/evp_enc.c
+libcrypto_la_SOURCES += evp/evp_err.c
+libcrypto_la_SOURCES += evp/evp_key.c
+libcrypto_la_SOURCES += evp/evp_lib.c
+libcrypto_la_SOURCES += evp/evp_pbe.c
+libcrypto_la_SOURCES += evp/evp_pkey.c
+libcrypto_la_SOURCES += evp/m_dss.c
+libcrypto_la_SOURCES += evp/m_dss1.c
+libcrypto_la_SOURCES += evp/m_ecdsa.c
+libcrypto_la_SOURCES += evp/m_gost2814789.c
+libcrypto_la_SOURCES += evp/m_gostr341194.c
+libcrypto_la_SOURCES += evp/m_md4.c
+libcrypto_la_SOURCES += evp/m_md5.c
+libcrypto_la_SOURCES += evp/m_mdc2.c
+libcrypto_la_SOURCES += evp/m_null.c
+libcrypto_la_SOURCES += evp/m_ripemd.c
+libcrypto_la_SOURCES += evp/m_sha.c
+libcrypto_la_SOURCES += evp/m_sha1.c
+libcrypto_la_SOURCES += evp/m_sigver.c
+libcrypto_la_SOURCES += evp/m_streebog.c
+libcrypto_la_SOURCES += evp/m_wp.c
+libcrypto_la_SOURCES += evp/names.c
+libcrypto_la_SOURCES += evp/p5_crpt.c
+libcrypto_la_SOURCES += evp/p5_crpt2.c
+libcrypto_la_SOURCES += evp/p_dec.c
+libcrypto_la_SOURCES += evp/p_enc.c
+libcrypto_la_SOURCES += evp/p_lib.c
+libcrypto_la_SOURCES += evp/p_open.c
+libcrypto_la_SOURCES += evp/p_seal.c
+libcrypto_la_SOURCES += evp/p_sign.c
+libcrypto_la_SOURCES += evp/p_verify.c
+libcrypto_la_SOURCES += evp/pmeth_fn.c
+libcrypto_la_SOURCES += evp/pmeth_gn.c
+libcrypto_la_SOURCES += evp/pmeth_lib.c
+noinst_HEADERS += evp/evp_locl.h
+
+# gost
+libcrypto_la_SOURCES += gost/gost2814789.c
+libcrypto_la_SOURCES += gost/gost89_keywrap.c
+libcrypto_la_SOURCES += gost/gost89_params.c
+libcrypto_la_SOURCES += gost/gost89imit_ameth.c
+libcrypto_la_SOURCES += gost/gost89imit_pmeth.c
+libcrypto_la_SOURCES += gost/gost_asn1.c
+libcrypto_la_SOURCES += gost/gost_err.c
+libcrypto_la_SOURCES += gost/gostr341001.c
+libcrypto_la_SOURCES += gost/gostr341001_ameth.c
+libcrypto_la_SOURCES += gost/gostr341001_key.c
+libcrypto_la_SOURCES += gost/gostr341001_params.c
+libcrypto_la_SOURCES += gost/gostr341001_pmeth.c
+libcrypto_la_SOURCES += gost/gostr341194.c
+libcrypto_la_SOURCES += gost/streebog.c
+noinst_HEADERS += gost/gost.h
+noinst_HEADERS += gost/gost_asn1.h
+noinst_HEADERS += gost/gost_locl.h
+
+# hmac
+libcrypto_la_SOURCES += hmac/hm_ameth.c
+libcrypto_la_SOURCES += hmac/hm_pmeth.c
+libcrypto_la_SOURCES += hmac/hmac.c
+
+# idea
+libcrypto_la_SOURCES += idea/i_cbc.c
+libcrypto_la_SOURCES += idea/i_cfb64.c
+libcrypto_la_SOURCES += idea/i_ecb.c
+libcrypto_la_SOURCES += idea/i_ofb64.c
+libcrypto_la_SOURCES += idea/i_skey.c
+noinst_HEADERS += idea/idea_lcl.h
+
+# krb5
+libcrypto_la_SOURCES += krb5/krb5_asn.c
+
+# lhash
+libcrypto_la_SOURCES += lhash/lh_stats.c
+libcrypto_la_SOURCES += lhash/lhash.c
+
+# md4
+libcrypto_la_SOURCES += md4/md4_dgst.c
+libcrypto_la_SOURCES += md4/md4_one.c
+noinst_HEADERS += md4/md4_locl.h
+
+# md5
+libcrypto_la_SOURCES += md5/md5_dgst.c
+libcrypto_la_SOURCES += md5/md5_one.c
+noinst_HEADERS += md5/md5_locl.h
+
+# mdc2
+libcrypto_la_SOURCES += mdc2/mdc2_one.c
+libcrypto_la_SOURCES += mdc2/mdc2dgst.c
+
+# modes
+libcrypto_la_SOURCES += modes/cbc128.c
+libcrypto_la_SOURCES += modes/ccm128.c
+libcrypto_la_SOURCES += modes/cfb128.c
+libcrypto_la_SOURCES += modes/ctr128.c
+libcrypto_la_SOURCES += modes/cts128.c
+libcrypto_la_SOURCES += modes/gcm128.c
+libcrypto_la_SOURCES += modes/ofb128.c
+libcrypto_la_SOURCES += modes/xts128.c
+noinst_HEADERS += modes/modes_lcl.h
+
+# objects
+libcrypto_la_SOURCES += objects/o_names.c
+libcrypto_la_SOURCES += objects/obj_dat.c
+libcrypto_la_SOURCES += objects/obj_err.c
+libcrypto_la_SOURCES += objects/obj_lib.c
+libcrypto_la_SOURCES += objects/obj_xref.c
+noinst_HEADERS += objects/obj_dat.h
+noinst_HEADERS += objects/obj_xref.h
+
+# ocsp
+libcrypto_la_SOURCES += ocsp/ocsp_asn.c
+libcrypto_la_SOURCES += ocsp/ocsp_cl.c
+libcrypto_la_SOURCES += ocsp/ocsp_err.c
+libcrypto_la_SOURCES += ocsp/ocsp_ext.c
+libcrypto_la_SOURCES += ocsp/ocsp_ht.c
+libcrypto_la_SOURCES += ocsp/ocsp_lib.c
+libcrypto_la_SOURCES += ocsp/ocsp_prn.c
+libcrypto_la_SOURCES += ocsp/ocsp_srv.c
+libcrypto_la_SOURCES += ocsp/ocsp_vfy.c
+
+# pem
+libcrypto_la_SOURCES += pem/pem_all.c
+libcrypto_la_SOURCES += pem/pem_err.c
+libcrypto_la_SOURCES += pem/pem_info.c
+libcrypto_la_SOURCES += pem/pem_lib.c
+libcrypto_la_SOURCES += pem/pem_oth.c
+libcrypto_la_SOURCES += pem/pem_pk8.c
+libcrypto_la_SOURCES += pem/pem_pkey.c
+libcrypto_la_SOURCES += pem/pem_seal.c
+libcrypto_la_SOURCES += pem/pem_sign.c
+libcrypto_la_SOURCES += pem/pem_x509.c
+libcrypto_la_SOURCES += pem/pem_xaux.c
+libcrypto_la_SOURCES += pem/pvkfmt.c
+
+# pkcs12
+libcrypto_la_SOURCES += pkcs12/p12_add.c
+libcrypto_la_SOURCES += pkcs12/p12_asn.c
+libcrypto_la_SOURCES += pkcs12/p12_attr.c
+libcrypto_la_SOURCES += pkcs12/p12_crpt.c
+libcrypto_la_SOURCES += pkcs12/p12_crt.c
+libcrypto_la_SOURCES += pkcs12/p12_decr.c
+libcrypto_la_SOURCES += pkcs12/p12_init.c
+libcrypto_la_SOURCES += pkcs12/p12_key.c
+libcrypto_la_SOURCES += pkcs12/p12_kiss.c
+libcrypto_la_SOURCES += pkcs12/p12_mutl.c
+libcrypto_la_SOURCES += pkcs12/p12_npas.c
+libcrypto_la_SOURCES += pkcs12/p12_p8d.c
+libcrypto_la_SOURCES += pkcs12/p12_p8e.c
+libcrypto_la_SOURCES += pkcs12/p12_utl.c
+libcrypto_la_SOURCES += pkcs12/pk12err.c
+
+# pkcs7
+libcrypto_la_SOURCES += pkcs7/bio_pk7.c
+libcrypto_la_SOURCES += pkcs7/pk7_asn1.c
+libcrypto_la_SOURCES += pkcs7/pk7_attr.c
+libcrypto_la_SOURCES += pkcs7/pk7_doit.c
+libcrypto_la_SOURCES += pkcs7/pk7_lib.c
+libcrypto_la_SOURCES += pkcs7/pk7_mime.c
+libcrypto_la_SOURCES += pkcs7/pk7_smime.c
+libcrypto_la_SOURCES += pkcs7/pkcs7err.c
+
+# poly1305
+EXTRA_libcrypto_la_SOURCES += poly1305/poly1305-donna.c
+libcrypto_la_SOURCES += poly1305/poly1305.c
+
+# rand
+libcrypto_la_SOURCES += rand/rand_err.c
+libcrypto_la_SOURCES += rand/rand_lib.c
+libcrypto_la_SOURCES += rand/randfile.c
+
+# rc2
+libcrypto_la_SOURCES += rc2/rc2_cbc.c
+libcrypto_la_SOURCES += rc2/rc2_ecb.c
+libcrypto_la_SOURCES += rc2/rc2_skey.c
+libcrypto_la_SOURCES += rc2/rc2cfb64.c
+libcrypto_la_SOURCES += rc2/rc2ofb64.c
+noinst_HEADERS += rc2/rc2_locl.h
+
+# rc4
+noinst_HEADERS += rc4/rc4_locl.h
+
+# ripemd
+libcrypto_la_SOURCES += ripemd/rmd_dgst.c
+libcrypto_la_SOURCES += ripemd/rmd_one.c
+noinst_HEADERS += ripemd/rmd_locl.h
+noinst_HEADERS += ripemd/rmdconst.h
+
+# rsa
+libcrypto_la_SOURCES += rsa/rsa_ameth.c
+libcrypto_la_SOURCES += rsa/rsa_asn1.c
+libcrypto_la_SOURCES += rsa/rsa_chk.c
+libcrypto_la_SOURCES += rsa/rsa_crpt.c
+libcrypto_la_SOURCES += rsa/rsa_depr.c
+libcrypto_la_SOURCES += rsa/rsa_eay.c
+libcrypto_la_SOURCES += rsa/rsa_err.c
+libcrypto_la_SOURCES += rsa/rsa_gen.c
+libcrypto_la_SOURCES += rsa/rsa_lib.c
+libcrypto_la_SOURCES += rsa/rsa_none.c
+libcrypto_la_SOURCES += rsa/rsa_oaep.c
+libcrypto_la_SOURCES += rsa/rsa_pk1.c
+libcrypto_la_SOURCES += rsa/rsa_pmeth.c
+libcrypto_la_SOURCES += rsa/rsa_prn.c
+libcrypto_la_SOURCES += rsa/rsa_pss.c
+libcrypto_la_SOURCES += rsa/rsa_saos.c
+libcrypto_la_SOURCES += rsa/rsa_sign.c
+libcrypto_la_SOURCES += rsa/rsa_ssl.c
+libcrypto_la_SOURCES += rsa/rsa_x931.c
+noinst_HEADERS += rsa/rsa_locl.h
+
+# sha
+libcrypto_la_SOURCES += sha/sha1_one.c
+libcrypto_la_SOURCES += sha/sha1dgst.c
+libcrypto_la_SOURCES += sha/sha256.c
+libcrypto_la_SOURCES += sha/sha512.c
+libcrypto_la_SOURCES += sha/sha_dgst.c
+libcrypto_la_SOURCES += sha/sha_one.c
+noinst_HEADERS += sha/sha_locl.h
+
+# stack
+libcrypto_la_SOURCES += stack/stack.c
+
+# ts
+libcrypto_la_SOURCES += ts/ts_asn1.c
+libcrypto_la_SOURCES += ts/ts_conf.c
+libcrypto_la_SOURCES += ts/ts_err.c
+libcrypto_la_SOURCES += ts/ts_lib.c
+libcrypto_la_SOURCES += ts/ts_req_print.c
+libcrypto_la_SOURCES += ts/ts_req_utils.c
+libcrypto_la_SOURCES += ts/ts_rsp_print.c
+libcrypto_la_SOURCES += ts/ts_rsp_sign.c
+libcrypto_la_SOURCES += ts/ts_rsp_utils.c
+libcrypto_la_SOURCES += ts/ts_rsp_verify.c
+libcrypto_la_SOURCES += ts/ts_verify_ctx.c
+
+# txt_db
+libcrypto_la_SOURCES += txt_db/txt_db.c
+
+# ui
+libcrypto_la_SOURCES += ui/ui_err.c
+libcrypto_la_SOURCES += ui/ui_lib.c
+if !HOST_WIN
+libcrypto_la_SOURCES += ui/ui_openssl.c
+endif
+if HOST_WIN
+libcrypto_la_SOURCES += ui/ui_openssl_win.c
+endif
+libcrypto_la_SOURCES += ui/ui_util.c
+noinst_HEADERS += ui/ui_locl.h
+
+# whrlpool
+libcrypto_la_SOURCES += whrlpool/wp_dgst.c
+noinst_HEADERS += whrlpool/wp_locl.h
+
+# x509
+libcrypto_la_SOURCES += x509/by_dir.c
+libcrypto_la_SOURCES += x509/by_file.c
+libcrypto_la_SOURCES += x509/by_mem.c
+libcrypto_la_SOURCES += x509/x509_att.c
+libcrypto_la_SOURCES += x509/x509_cmp.c
+libcrypto_la_SOURCES += x509/x509_d2.c
+libcrypto_la_SOURCES += x509/x509_def.c
+libcrypto_la_SOURCES += x509/x509_err.c
+libcrypto_la_SOURCES += x509/x509_ext.c
+libcrypto_la_SOURCES += x509/x509_lu.c
+libcrypto_la_SOURCES += x509/x509_obj.c
+libcrypto_la_SOURCES += x509/x509_r2x.c
+libcrypto_la_SOURCES += x509/x509_req.c
+libcrypto_la_SOURCES += x509/x509_set.c
+libcrypto_la_SOURCES += x509/x509_trs.c
+libcrypto_la_SOURCES += x509/x509_txt.c
+libcrypto_la_SOURCES += x509/x509_v3.c
+libcrypto_la_SOURCES += x509/x509_vfy.c
+libcrypto_la_SOURCES += x509/x509_vpm.c
+libcrypto_la_SOURCES += x509/x509cset.c
+libcrypto_la_SOURCES += x509/x509name.c
+libcrypto_la_SOURCES += x509/x509rset.c
+libcrypto_la_SOURCES += x509/x509spki.c
+libcrypto_la_SOURCES += x509/x509type.c
+libcrypto_la_SOURCES += x509/x_all.c
+noinst_HEADERS += x509/x509_lcl.h
+
+# x509v3
+libcrypto_la_SOURCES += x509v3/pcy_cache.c
+libcrypto_la_SOURCES += x509v3/pcy_data.c
+libcrypto_la_SOURCES += x509v3/pcy_lib.c
+libcrypto_la_SOURCES += x509v3/pcy_map.c
+libcrypto_la_SOURCES += x509v3/pcy_node.c
+libcrypto_la_SOURCES += x509v3/pcy_tree.c
+libcrypto_la_SOURCES += x509v3/v3_akey.c
+libcrypto_la_SOURCES += x509v3/v3_akeya.c
+libcrypto_la_SOURCES += x509v3/v3_alt.c
+libcrypto_la_SOURCES += x509v3/v3_bcons.c
+libcrypto_la_SOURCES += x509v3/v3_bitst.c
+libcrypto_la_SOURCES += x509v3/v3_conf.c
+libcrypto_la_SOURCES += x509v3/v3_cpols.c
+libcrypto_la_SOURCES += x509v3/v3_crld.c
+libcrypto_la_SOURCES += x509v3/v3_enum.c
+libcrypto_la_SOURCES += x509v3/v3_extku.c
+libcrypto_la_SOURCES += x509v3/v3_genn.c
+libcrypto_la_SOURCES += x509v3/v3_ia5.c
+libcrypto_la_SOURCES += x509v3/v3_info.c
+libcrypto_la_SOURCES += x509v3/v3_int.c
+libcrypto_la_SOURCES += x509v3/v3_lib.c
+libcrypto_la_SOURCES += x509v3/v3_ncons.c
+libcrypto_la_SOURCES += x509v3/v3_ocsp.c
+libcrypto_la_SOURCES += x509v3/v3_pci.c
+libcrypto_la_SOURCES += x509v3/v3_pcia.c
+libcrypto_la_SOURCES += x509v3/v3_pcons.c
+libcrypto_la_SOURCES += x509v3/v3_pku.c
+libcrypto_la_SOURCES += x509v3/v3_pmaps.c
+libcrypto_la_SOURCES += x509v3/v3_prn.c
+libcrypto_la_SOURCES += x509v3/v3_purp.c
+libcrypto_la_SOURCES += x509v3/v3_skey.c
+libcrypto_la_SOURCES += x509v3/v3_sxnet.c
+libcrypto_la_SOURCES += x509v3/v3_utl.c
+libcrypto_la_SOURCES += x509v3/v3err.c
+noinst_HEADERS += x509v3/ext_dat.h
+noinst_HEADERS += x509v3/pcy_int.h

crypto/Makefile.am.elf-x86_64

@@ -0,0 +1,41 @@
+
+ASM_X86_64_ELF = aes/aes-elf-x86_64.s
+ASM_X86_64_ELF += aes/bsaes-elf-x86_64.s
+ASM_X86_64_ELF += aes/vpaes-elf-x86_64.s
+ASM_X86_64_ELF += aes/aesni-elf-x86_64.s
+ASM_X86_64_ELF += aes/aesni-sha1-elf-x86_64.s
+ASM_X86_64_ELF += bn/modexp512-elf-x86_64.s
+ASM_X86_64_ELF += bn/mont-elf-x86_64.s
+ASM_X86_64_ELF += bn/mont5-elf-x86_64.s
+ASM_X86_64_ELF += bn/gf2m-elf-x86_64.s
+ASM_X86_64_ELF += camellia/cmll-elf-x86_64.s
+ASM_X86_64_ELF += md5/md5-elf-x86_64.s
+ASM_X86_64_ELF += modes/ghash-elf-x86_64.s
+ASM_X86_64_ELF += rc4/rc4-elf-x86_64.s
+ASM_X86_64_ELF += rc4/rc4-md5-elf-x86_64.s
+ASM_X86_64_ELF += sha/sha1-elf-x86_64.s
+ASM_X86_64_ELF += sha/sha256-elf-x86_64.S
+ASM_X86_64_ELF += sha/sha512-elf-x86_64.S
+ASM_X86_64_ELF += whrlpool/wp-elf-x86_64.s
+ASM_X86_64_ELF += cpuid-elf-x86_64.S
+
+EXTRA_DIST += $(ASM_X86_64_ELF)
+
+if HOST_ASM_ELF_X86_64
+libcrypto_la_CFLAGS += -DAES_ASM
+libcrypto_la_CFLAGS += -DBSAES_ASM
+libcrypto_la_CFLAGS += -DVPAES_ASM
+libcrypto_la_CFLAGS += -DOPENSSL_IA32_SSE2
+libcrypto_la_CFLAGS += -DOPENSSL_BN_ASM_MONT
+libcrypto_la_CFLAGS += -DOPENSSL_BN_ASM_MONT5
+libcrypto_la_CFLAGS += -DOPENSSL_BN_ASM_GF2m
+libcrypto_la_CFLAGS += -DMD5_ASM
+libcrypto_la_CFLAGS += -DGHASH_ASM
+libcrypto_la_CFLAGS += -DRSA_ASM
+libcrypto_la_CFLAGS += -DSHA1_ASM
+libcrypto_la_CFLAGS += -DSHA256_ASM
+libcrypto_la_CFLAGS += -DSHA512_ASM
+libcrypto_la_CFLAGS += -DWHIRLPOOL_ASM
+libcrypto_la_CFLAGS += -DOPENSSL_CPUID_OBJ
+libcrypto_la_SOURCES += $(ASM_X86_64_ELF)
+endif

crypto/Makefile.am.macosx-x86_64

@@ -0,0 +1,41 @@
+
+ASM_X86_64_MACOSX = aes/aes-macosx-x86_64.s
+ASM_X86_64_MACOSX += aes/bsaes-macosx-x86_64.s
+ASM_X86_64_MACOSX += aes/vpaes-macosx-x86_64.s
+ASM_X86_64_MACOSX += aes/aesni-macosx-x86_64.s
+ASM_X86_64_MACOSX += aes/aesni-sha1-macosx-x86_64.s
+ASM_X86_64_MACOSX += bn/modexp512-macosx-x86_64.s
+ASM_X86_64_MACOSX += bn/mont-macosx-x86_64.s
+ASM_X86_64_MACOSX += bn/mont5-macosx-x86_64.s
+ASM_X86_64_MACOSX += bn/gf2m-macosx-x86_64.s
+ASM_X86_64_MACOSX += camellia/cmll-macosx-x86_64.s
+ASM_X86_64_MACOSX += md5/md5-macosx-x86_64.s
+ASM_X86_64_MACOSX += modes/ghash-macosx-x86_64.s
+ASM_X86_64_MACOSX += rc4/rc4-macosx-x86_64.s
+ASM_X86_64_MACOSX += rc4/rc4-md5-macosx-x86_64.s
+ASM_X86_64_MACOSX += sha/sha1-macosx-x86_64.s
+ASM_X86_64_MACOSX += sha/sha256-macosx-x86_64.S
+ASM_X86_64_MACOSX += sha/sha512-macosx-x86_64.S
+ASM_X86_64_MACOSX += whrlpool/wp-macosx-x86_64.s
+ASM_X86_64_MACOSX += cpuid-macosx-x86_64.S
+
+EXTRA_DIST += $(ASM_X86_64_MACOSX)
+
+if HOST_ASM_MACOSX_X86_64
+libcrypto_la_CFLAGS += -DAES_ASM
+libcrypto_la_CFLAGS += -DBSAES_ASM
+libcrypto_la_CFLAGS += -DVPAES_ASM
+libcrypto_la_CFLAGS += -DOPENSSL_IA32_SSE2
+libcrypto_la_CFLAGS += -DOPENSSL_BN_ASM_MONT
+libcrypto_la_CFLAGS += -DOPENSSL_BN_ASM_MONT5
+libcrypto_la_CFLAGS += -DOPENSSL_BN_ASM_GF2m
+libcrypto_la_CFLAGS += -DMD5_ASM
+libcrypto_la_CFLAGS += -DGHASH_ASM
+libcrypto_la_CFLAGS += -DRSA_ASM
+libcrypto_la_CFLAGS += -DSHA1_ASM
+libcrypto_la_CFLAGS += -DSHA256_ASM
+libcrypto_la_CFLAGS += -DSHA512_ASM
+libcrypto_la_CFLAGS += -DWHIRLPOOL_ASM
+libcrypto_la_CFLAGS += -DOPENSSL_CPUID_OBJ
+libcrypto_la_SOURCES += $(ASM_X86_64_MACOSX)
+endif

crypto/Makefile.am.tpl

@@ -1,94 +0,0 @@
-include $(top_srcdir)/Makefile.am.common
-
-AM_CPPFLAGS += -I$(top_srcdir)/crypto/asn1
-AM_CPPFLAGS += -I$(top_srcdir)/crypto/evp
-AM_CPPFLAGS += -I$(top_srcdir)/crypto/modes
-
-lib_LTLIBRARIES = libcrypto.la
-
-libcrypto_la_LIBADD = libcompat.la libcompatnoopt.la
-libcrypto_la_LDFLAGS = -version-info libcrypto-version
-libcrypto_la_CFLAGS = $(CFLAGS) $(USER_CFLAGS) -DOPENSSL_NO_HW_PADLOCK
-
-noinst_LTLIBRARIES = libcompat.la libcompatnoopt.la
-
-# compatibility functions that need to be built without optimizations
-libcompatnoopt_la_CFLAGS = -O0
-libcompatnoopt_la_SOURCES =
-
-if NO_EXPLICIT_BZERO
-libcompatnoopt_la_SOURCES += compat/explicit_bzero.c
-endif
-
-# other compatibility functions
-libcompat_la_CFLAGS = $(CFLAGS) $(USER_CFLAGS)
-libcompat_la_SOURCES =
-libcompat_la_LIBADD = $(PLATFORM_LDADD)
-
-if NO_STRLCAT
-libcompat_la_SOURCES += compat/strlcat.c
-endif
-
-if NO_STRLCPY
-libcompat_la_SOURCES += compat/strlcpy.c
-endif
-
-if NO_STRNDUP
-libcompat_la_SOURCES += compat/strndup.c
-libcompat_la_SOURCES += compat/strnlen.c
-endif
-
-if NO_ASPRINTF
-libcompat_la_SOURCES += compat/bsd-asprintf.c
-endif
-
-if NO_REALLOCARRAY
-libcompat_la_SOURCES += compat/reallocarray.c
-endif
-
-if NO_TIMINGSAFE_MEMCMP
-libcompat_la_SOURCES += compat/timingsafe_memcmp.c
-endif
-
-if NO_TIMINGSAFE_BCMP
-libcompat_la_SOURCES += compat/timingsafe_bcmp.c
-endif
-
-if NO_ARC4RANDOM_BUF
-libcompat_la_SOURCES += compat/arc4random.c
-
-if NO_GETENTROPY
-if HOST_LINUX
-libcompat_la_SOURCES += compat/getentropy_linux.c
-endif
-if HOST_DARWIN
-libcompat_la_SOURCES += compat/getentropy_osx.c
-endif
-if HOST_SOLARIS
-libcompat_la_SOURCES += compat/getentropy_solaris.c
-endif
-if HOST_WIN
-libcompat_la_SOURCES += compat/getentropy_win.c
-endif
-endif
-
-endif
-
-if NO_ISSETUGID
-if HOST_LINUX
-libcompat_la_SOURCES += compat/issetugid_linux.c
-endif
-if HOST_WIN
-libcompat_la_SOURCES += compat/issetugid_win.c
-endif
-endif
-
-noinst_HEADERS = des/ncbc_enc.c
-noinst_HEADERS += compat/arc4random.h
-noinst_HEADERS += compat/arc4random_linux.h
-noinst_HEADERS += compat/arc4random_osx.h
-noinst_HEADERS += compat/arc4random_solaris.h
-noinst_HEADERS += compat/arc4random_win.h
-noinst_HEADERS += compat/chacha_private.h
-libcrypto_la_SOURCES =
-EXTRA_libcrypto_la_SOURCES =

crypto/compat/arc4random.h

@@ -1,13 +1,27 @@
-#if defined(__linux__)
+#ifndef LIBCRYPTOCOMPAT_ARC4RANDOM_H
+#define LIBCRYPTOCOMPAT_ARC4RANDOM_H
+
+#include <sys/param.h>
+
+#if defined(__FreeBSD__)
+#include "arc4random_freebsd.h"
+
+#elif defined(__hpux)
+#include "arc4random_hpux.h"
+
+#elif defined(__linux__)
 #include "arc4random_linux.h"
 
+#elif defined(__NetBSD__)
+#include "arc4random_netbsd.h"
+
 #elif defined(__APPLE__)
 #include "arc4random_osx.h"
 
 #elif defined(__sun)
 #include "arc4random_solaris.h"
 
-#elif defined(__WIN32)
+#elif defined(_WIN32)
 #include "arc4random_win.h"
 
 #else
@@ -15,3 +29,4 @@
 
 #endif
 
+#endif

crypto/compat/b_win.c

@@ -0,0 +1,54 @@
+/*
+ * Public domain
+ *
+ * Dongsheng Song <dongsheng.song@gmail.com>
+ * Brent Cook <bcook@openbsd.org>
+ */
+
+#include <ws2tcpip.h>
+
+#include <openssl/bio.h>
+#include <openssl/err.h>
+
+int
+BIO_sock_init(void)
+{
+	/*
+	 * WSAStartup loads the winsock .dll and initializes the networking
+	 * stack on Windows, or simply increases the reference count.
+	 */
+	static struct WSAData wsa_state = {0};
+	WORD version_requested = MAKEWORD(2, 2);
+	static int wsa_init_done = 0;
+	if (!wsa_init_done) {
+		if (WSAStartup(version_requested, &wsa_state) != 0) {
+			int err = WSAGetLastError();
+			SYSerr(SYS_F_WSASTARTUP, err);
+			BIOerr(BIO_F_BIO_SOCK_INIT, BIO_R_WSASTARTUP);
+			return (-1);
+		}
+		wsa_init_done = 1;
+	}
+ 	return (1);
+}
+
+void
+BIO_sock_cleanup(void)
+{
+	/*
+	 * We could call WSACleanup here, but it is easy to get it wrong. Since
+	 * this API provides no way to even tell if it failed, there is no safe
+	 * way to expose that functionality here.
+	 *
+	 * The cost of leaving the networking DLLs loaded may have been large
+	 * during the Windows 3.1/win32s era, but it is small in modern
+	 * contexts, so don't bother.
+	 */
+}
+
+int
+BIO_socket_nbio(int s, int mode)
+{
+	u_long value = mode;
+	return ioctlsocket(s, FIONBIO, &value) != SOCKET_ERROR;
+}

crypto/compat/bsd-asprintf.c

@@ -17,7 +17,7 @@
  * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
  */
 
-#ifndef HAVE_VASPRINTF
+#ifndef HAVE_ASPRINTF
 
 #include <errno.h>
 #include <limits.h> /* for INT_MAX */
@@ -80,9 +80,7 @@ fail:
 	errno = ENOMEM;
 	return (-1);
 }
-#endif
 
-#ifndef HAVE_ASPRINTF
 int asprintf(char **str, const char *fmt, ...)
 {
 	va_list ap;

crypto/compat/issetugid_hpux.c

@@ -0,0 +1,17 @@
+#include <stdio.h>
+#include <unistd.h>
+#include <sys/pstat.h>
+
+/*
+ * HP-UX does not have issetugid().
+ * Use pstat_getproc() and check PS_CHANGEDPRIV bit of pst_flag. If this call
+ * cannot be used, assume we must be running in a privileged environment.
+ */
+int issetugid(void)
+{
+	struct pst_status buf;
+	if (pstat_getproc(&buf, sizeof(buf), 0, getpid()) == 1 &&
+	    !(buf.pst_flag & PS_CHANGEDPRIV))
+		return 0;
+	return 1;
+}

crypto/compat/issetugid_osx.c

@@ -0,0 +1,16 @@
+/*
+ * issetugid implementation for OS X
+ * Public domain
+ */
+
+#include <unistd.h>
+
+/*
+ * OS X has issetugid, but it is not fork-safe as of version 10.10.
+ * See this Solaris report for test code that fails similarly:
+ * http://mcarpenter.org/blog/2013/01/15/solaris-issetugid%282%29-bug
+ */
+int issetugid(void)
+{
+	return 1;
+}

crypto/compat/ui_openssl_win.c

@@ -0,0 +1,367 @@
+/* $OpenBSD: ui_openssl.c,v 1.22 2014/07/11 08:44:49 jsing Exp $ */
+/* Written by Richard Levitte (richard@levitte.org) and others
+ * for the OpenSSL project 2001.
+ */
+/* ====================================================================
+ * Copyright (c) 2001 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    openssl-core@openssl.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+
+/* The lowest level part of this file was previously in crypto/des/read_pwd.c,
+ * Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ *
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ *
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
+ */
+
+#include <sys/ioctl.h>
+
+#include <openssl/opensslconf.h>
+
+#include <errno.h>
+#include <signal.h>
+#include <stdio.h>
+#include <string.h>
+#include <unistd.h>
+
+#include "ui_locl.h"
+
+#ifndef NX509_SIG
+#define NX509_SIG 32
+#endif
+
+/* Define globals.  They are protected by a lock */
+static void (*savsig[NX509_SIG])(int );
+
+static FILE *tty_in, *tty_out;
+static int is_a_tty;
+
+/* Declare static functions */
+static int read_till_nl(FILE *);
+static void recsig(int);
+static void pushsig(void);
+static void popsig(void);
+static int read_string_inner(UI *ui, UI_STRING *uis, int echo, int strip_nl);
+
+static int read_string(UI *ui, UI_STRING *uis);
+static int write_string(UI *ui, UI_STRING *uis);
+
+static int open_console(UI *ui);
+static int echo_console(UI *ui);
+static int noecho_console(UI *ui);
+static int close_console(UI *ui);
+
+static UI_METHOD ui_openssl = {
+	.name = "OpenSSL default user interface",
+	.ui_open_session = open_console,
+	.ui_write_string = write_string,
+	.ui_read_string = read_string,
+	.ui_close_session = close_console,
+};
+
+/* The method with all the built-in thingies */
+UI_METHOD *
+UI_OpenSSL(void)
+{
+	return &ui_openssl;
+}
+
+/* The following function makes sure that info and error strings are printed
+   before any prompt. */
+static int
+write_string(UI *ui, UI_STRING *uis)
+{
+	switch (UI_get_string_type(uis)) {
+	case UIT_ERROR:
+	case UIT_INFO:
+		fputs(UI_get0_output_string(uis), tty_out);
+		fflush(tty_out);
+		break;
+	default:
+		break;
+	}
+	return 1;
+}
+
+static int
+read_string(UI *ui, UI_STRING *uis)
+{
+	int ok = 0;
+
+	switch (UI_get_string_type(uis)) {
+	case UIT_BOOLEAN:
+		fputs(UI_get0_output_string(uis), tty_out);
+		fputs(UI_get0_action_string(uis), tty_out);
+		fflush(tty_out);
+		return read_string_inner(ui, uis,
+		    UI_get_input_flags(uis) & UI_INPUT_FLAG_ECHO, 0);
+	case UIT_PROMPT:
+		fputs(UI_get0_output_string(uis), tty_out);
+		fflush(tty_out);
+		return read_string_inner(ui, uis,
+		    UI_get_input_flags(uis) & UI_INPUT_FLAG_ECHO, 1);
+	case UIT_VERIFY:
+		fprintf(tty_out, "Verifying - %s",
+		    UI_get0_output_string(uis));
+		fflush(tty_out);
+		if ((ok = read_string_inner(ui, uis, UI_get_input_flags(uis) &
+		    UI_INPUT_FLAG_ECHO, 1)) <= 0)
+			return ok;
+		if (strcmp(UI_get0_result_string(uis),
+		    UI_get0_test_string(uis)) != 0) {
+			fprintf(tty_out, "Verify failure\n");
+			fflush(tty_out);
+			return 0;
+		}
+		break;
+	default:
+		break;
+	}
+	return 1;
+}
+
+
+/* Internal functions to read a string without echoing */
+static int
+read_till_nl(FILE *in)
+{
+#define SIZE 4
+	char buf[SIZE + 1];
+
+	do {
+		if (!fgets(buf, SIZE, in))
+			return 0;
+	} while (strchr(buf, '\n') == NULL);
+	return 1;
+}
+
+static volatile sig_atomic_t intr_signal;
+
+static int
+read_string_inner(UI *ui, UI_STRING *uis, int echo, int strip_nl)
+{
+	static int ps;
+	int ok;
+	char result[BUFSIZ];
+	int maxsize = BUFSIZ - 1;
+	char *p;
+
+	intr_signal = 0;
+	ok = 0;
+	ps = 0;
+
+	pushsig();
+
+	ps = 1;
+
+	if (!echo && !noecho_console(ui))
+		goto error;
+	ps = 2;
+
+	result[0] = '\0';
+	p = fgets(result, maxsize, tty_in);
+	if (!p)
+		goto error;
+	if (feof(tty_in))
+		goto error;
+	if (ferror(tty_in))
+		goto error;
+	if ((p = strchr(result, '\n')) != NULL) {
+		if (strip_nl)
+			*p = '\0';
+	} else if (!read_till_nl(tty_in))
+		goto error;
+	if (UI_set_result(ui, uis, result) >= 0)
+		ok = 1;
+
+error:
+	if (intr_signal == SIGINT)
+		ok = -1;
+	if (!echo)
+		fprintf(tty_out, "\n");
+	if (ps >= 2 && !echo && !echo_console(ui))
+		ok = 0;
+
+	if (ps >= 1)
+		popsig();
+
+	OPENSSL_cleanse(result, BUFSIZ);
+	return ok;
+}
+
+
+/* Internal functions to open, handle and close a channel to the console.  */
+static int
+open_console(UI *ui)
+{
+	CRYPTO_w_lock(CRYPTO_LOCK_UI);
+	is_a_tty = 1;
+
+	tty_in = stdin;
+	tty_out = stderr;
+
+	return 1;
+}
+
+static int
+noecho_console(UI *ui)
+{
+	DWORD mode = 0;
+	HANDLE handle = GetStdHandle(STD_INPUT_HANDLE);
+	if (handle != INVALID_HANDLE_VALUE && handle != handle) {
+		return GetConsoleMode(handle, &mode) && SetConsoleMode(handle, mode & (~ENABLE_ECHO_INPUT));
+	}
+	return 0;
+}
+
+static int
+echo_console(UI *ui)
+{
+	DWORD mode = 0;
+	HANDLE handle = GetStdHandle(STD_INPUT_HANDLE);
+	if (handle != INVALID_HANDLE_VALUE && handle != handle) {
+		return GetConsoleMode(handle, &mode) && SetConsoleMode(handle, mode | ENABLE_ECHO_INPUT);
+	}
+	return 0;
+}
+
+static int
+close_console(UI *ui)
+{
+	if (tty_in != stdin)
+		fclose(tty_in);
+	if (tty_out != stderr)
+		fclose(tty_out);
+	CRYPTO_w_unlock(CRYPTO_LOCK_UI);
+
+	return 1;
+}
+
+/* Internal functions to handle signals and act on them */
+static void
+pushsig(void)
+{
+	savsig[SIGABRT] = signal(SIGABRT, recsig);
+	savsig[SIGFPE]  = signal(SIGFPE,  recsig);
+	savsig[SIGILL]  = signal(SIGILL,  recsig);
+	savsig[SIGINT]  = signal(SIGINT,  recsig);
+	savsig[SIGSEGV] = signal(SIGSEGV, recsig);
+	savsig[SIGTERM] = signal(SIGTERM, recsig);
+}
+
+static void
+popsig(void)
+{
+	signal(SIGABRT, savsig[SIGABRT]);
+	signal(SIGFPE,  savsig[SIGFPE]);
+	signal(SIGILL,  savsig[SIGILL]);
+	signal(SIGINT,  savsig[SIGINT]);
+	signal(SIGSEGV, savsig[SIGSEGV]);
+	signal(SIGTERM, savsig[SIGTERM]);
+}
+
+static void
+recsig(int i)
+{
+	intr_signal = i;
+}

dist-win.sh

@@ -0,0 +1,57 @@
+#!/bin/bash
+set -e
+#set -x
+
+export PATH=/cygdrive/c/Program\ Files\ \(x86\)/Microsoft\ Visual\ Studio\ 12.0/VC/bin:$PATH
+VERSION=`cat VERSION`
+DIST=libressl-$VERSION-windows
+
+rm -fr $DIST
+mkdir -p $DIST
+autoreconf -i
+
+for ARCH in X86 X64; do
+
+	if [ $ARCH = X86 ]; then
+		HOST=i686-w64-mingw32
+		ARCHDIR=x86
+	else
+		HOST=x86_64-w64-mingw32
+		ARCHDIR=x64
+	fi
+
+	echo Building for $HOST
+
+	CC=$HOST-gcc ./configure --host=$HOST
+	make clean
+	PATH=$PATH:/usr/$HOST/sys-root/mingw/bin \
+	   make -j 4 check
+	make -j 4 install DESTDIR=`pwd`/stage-$ARCHDIR
+
+	mkdir -p $DIST/$ARCHDIR
+	#cp -a stage-$ARCHDIR/usr/local/lib/* $DIST/$ARCHDIR
+	if [ ! -e $DIST/include ]; then
+		cp -a stage-$ARCHDIR/usr/local/include $DIST
+		sed -i -e 'N;/\n.*__non/s/"\? *\n/ /;P;D' \
+		       $DIST/include/openssl/*.h $DIST/include/*.h
+		sed -i -e 'N;/\n.*__attr/s/"\? *\n/ /;P;D' \
+		       $DIST/include/openssl/*.h $DIST/include/*.h
+		sed -i -e "s/__attr.*;/;/"  \
+		       -e "s/sys\/time.h/winsock2.h/" \
+		       $DIST/include/openssl/*.h $DIST/include/*.h
+	fi
+
+	cp stage-$ARCHDIR/usr/local/bin/* $DIST/$ARCHDIR
+	#cp /usr/$HOST/sys-root/mingw/bin/libssp* $DIST/$ARCHDIR
+
+	for i in libcrypto libssl libtls; do
+		DLL=$(basename `ls -1 $DIST/$ARCHDIR/$i*.dll`|cut -d. -f1)
+		echo EXPORTS > $DLL.def
+		dumpbin /exports $DIST/$ARCHDIR/$DLL.dll | \
+		    awk '{print $4}' | awk 'NF' |tail -n +9 >> $DLL.def
+		lib /MACHINE:$ARCH /def:$DLL.def /out:$DIST/$ARCHDIR/$DLL.lib
+		cv2pdb $DIST/$ARCHDIR/$DLL.dll
+	done
+done
+
+zip -r $DIST.zip $DIST

dist.sh

@@ -1,6 +1,7 @@
 #!/bin/sh
 set -e
 
+rm -f man/*.1 man/*.3
 ./autogen.sh
 ./configure
-make dist
+make distcheck

gen-coverage-report.sh

@@ -0,0 +1,37 @@
+#!/bin/sh
+
+VERSION=$(cat VERSION)
+DESTDIR=libressl-coverage-$VERSION
+
+echo "This will generate a code coverage report under $DESTDIR"
+echo
+
+if [ "x$(which lcov)" = "x" ]; then
+	echo "'lcov' is required but not found!"
+	exit 1
+fi
+
+if [ "x$(which genhtml)" = "x" ]; then
+	echo "'genhtml' is required but not found!"
+	exit 1
+fi
+
+find -name '*.gcda' -o -name '*.gcno' -delete
+rm -fr $DESTDIR
+
+echo "Configuring to build with code coverage support"
+./configure CFLAGS='-O0 -fprofile-arcs -ftest-coverage'
+
+echo "Running all code paths"
+make clean
+make check
+
+echo "Generating report"
+mkdir -p $DESTDIR
+find tests -name '*.gcda' -o -name '*.gcno' -delete
+lcov --directory . --capture --output-file $DESTDIR/coverage.tmp \
+    --test-name "LibreSSL $VERSION"
+genhtml --prefix . --output-directory $DESTDIR \
+    --title "LibreSSL $VERSION" --legend --show-detail $DESTDIR/coverage.tmp
+
+echo "Code coverage report is available under $DESTDIR"

include/Makefile.am

@@ -1,11 +1,31 @@
+include $(top_srcdir)/Makefile.am.common
+
 SUBDIRS = openssl
 
 noinst_HEADERS = err.h
+noinst_HEADERS += netdb.h
+noinst_HEADERS += poll.h
 noinst_HEADERS += pqueue.h
 noinst_HEADERS += stdio.h
 noinst_HEADERS += stdlib.h
 noinst_HEADERS += string.h
+noinst_HEADERS += syslog.h
 noinst_HEADERS += unistd.h
+noinst_HEADERS += win32netcompat.h
+
+noinst_HEADERS += arpa/inet.h
+
 noinst_HEADERS += machine/endian.h
+
+noinst_HEADERS += netinet/in.h
+noinst_HEADERS += netinet/tcp.h
+
+noinst_HEADERS += sys/ioctl.h
 noinst_HEADERS += sys/mman.h
+noinst_HEADERS += sys/select.h
+noinst_HEADERS += sys/socket.h
+noinst_HEADERS += sys/times.h
 noinst_HEADERS += sys/types.h
+noinst_HEADERS += sys/uio.h
+
+include_HEADERS = tls.h

include/arpa/inet.h

@@ -0,0 +1,10 @@
+/*
+ * Public domain
+ * arpa/inet.h compatibility shim
+ */
+
+#ifndef _WIN32
+#include_next <arpa/inet.h>
+#else
+#include <win32netcompat.h>
+#endif

include/err.h

@@ -1,3 +1,8 @@
+/*
+ * Public domain
+ * err.h compatibility shim
+ */
+
 #ifdef HAVE_ERR_H
 
 #include_next <err.h>

include/machine/endian.h

@@ -1,7 +1,12 @@
+/*
+ * Public domain
+ * machine/endian.h compatibility shim
+ */
+
 #ifndef LIBCRYPTOCOMPAT_BYTE_ORDER_H_
 #define LIBCRYPTOCOMPAT_BYTE_ORDER_H_
 
-#if defined(__WIN32)
+#if defined(_WIN32)
 
 #define LITTLE_ENDIAN  1234
 #define BIG_ENDIAN 4321

include/netdb.h

@@ -0,0 +1,10 @@
+/*
+ * Public domain
+ * netdb.h compatibility shim
+ */
+
+#ifndef _WIN32
+#include_next <netdb.h>
+#else
+#include <win32netcompat.h>
+#endif

include/netinet/in.h

@@ -0,0 +1,10 @@
+/*
+ * Public domain
+ * netinet/in.h compatibility shim
+ */
+
+#ifndef _WIN32
+#include_next <netinet/in.h>
+#else
+#include <win32netcompat.h>
+#endif

include/netinet/tcp.h

@@ -0,0 +1,10 @@
+/*
+ * Public domain
+ * netinet/tcp.h compatibility shim
+ */
+
+#ifndef _WIN32
+#include_next <netinet/tcp.h>
+#else
+#include <win32netcompat.h>
+#endif

include/poll.h

@@ -0,0 +1,63 @@
+/*
+ * Public domain
+ *
+ * poll(2) emulation for Windows
+ *
+ * This emulates just-enough poll functionality on Windows to work in the
+ * context of the openssl(1) program. This is not a replacement for
+ * POSIX.1-2001 poll(2).
+ *
+ * Dongsheng Song <dongsheng.song@gmail.com>
+ * Brent Cook <bcook@openbsd.org>
+ */
+
+#ifndef LIBCRYPTOCOMPAT_POLL_H
+#define LIBCRYPTOCOMPAT_POLL_H
+
+#ifdef HAVE_POLL
+#include_next <poll.h>
+#else
+
+#include <winsock2.h>
+
+/* Type used for the number of file descriptors. */
+typedef unsigned long int nfds_t;
+
+#if !defined(_WIN32_WINNT) || (_WIN32_WINNT < 0x0600)
+/* Data structure describing a polling request. */
+struct pollfd {
+	int fd; /* file descriptor */
+	short events; /* requested events */
+	short revents; /* returned events */
+};
+
+/* Event types that can be polled */
+#define POLLIN 0x001 /* There is data to read. */
+#define POLLPRI 0x002 /* There is urgent data to read. */
+#define POLLOUT 0x004 /* Writing now will not block. */
+
+# define POLLRDNORM 0x040 /* Normal data may be read. */
+# define POLLRDBAND 0x080 /* Priority data may be read. */
+# define POLLWRNORM 0x100 /* Writing now will not block. */
+# define POLLWRBAND 0x200 /* Priority data may be written. */
+
+/* Event types always implicitly polled. */
+#define POLLERR 0x008 /* Error condition. */
+#define POLLHUP 0x010 /* Hung up. */
+#define POLLNVAL 0x020 /* Invalid polling request. */
+
+#endif
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+int poll(struct pollfd *pfds, nfds_t nfds, int timeout);
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif /* HAVE_POLL */
+
+#endif /* LIBCRYPTOCOMPAT_POLL_H */

include/stdio.h

@@ -1,11 +1,30 @@
+/*
+ * Public domain
+ * stdio.h compatibility shim
+ */
+
 #include_next <stdio.h>
 
 #ifndef LIBCRYPTOCOMPAT_STDIO_H
 #define LIBCRYPTOCOMPAT_STDIO_H
 
-#ifdef NO_ASPRINTF
+#ifndef HAVE_ASPRINTF
+#include <stdarg.h>
 int vasprintf(char **str, const char *fmt, va_list ap);
 int asprintf(char **str, const char *fmt, ...);
 #endif
 
+#ifdef _WIN32
+#include <errno.h>
+#include <string.h>
+
+static inline void
+posix_perror(const char *s)
+{
+	fprintf(stderr, "%s: %s\n", s, strerror(errno));
+}
+
+#define perror(errnum) posix_perror(errnum)
+#endif
+
 #endif

include/stdlib.h

@@ -1,3 +1,8 @@
+/*
+ * stdlib.h compatibility shim
+ * Public domain
+ */
+
 #include_next <stdlib.h>
 
 #ifndef LIBCRYPTOCOMPAT_STDLIB_H
@@ -7,16 +12,16 @@
 #include <sys/time.h>
 #include <stdint.h>
 
-#ifdef NO_ARC4RANDOM_BUF
+#ifndef HAVE_ARC4RANDOM_BUF
 uint32_t arc4random(void);
 void arc4random_buf(void *_buf, size_t n);
 #endif
 
-#ifdef NO_REALLOCARRAY
+#ifndef HAVE_REALLOCARRAY
 void *reallocarray(void *, size_t, size_t);
 #endif
 
-#ifdef NO_STRTONUM
+#ifndef HAVE_STRTONUM
 long long strtonum(const char *nptr, long long minval,
 		long long maxval, const char **errstr);
 #endif

include/string.h

@@ -1,3 +1,8 @@
+/*
+ * Public domain
+ * string.h compatibility shim
+ */
+
 #include_next <string.h>
 
 #ifndef LIBCRYPTOCOMPAT_STRING_H
@@ -5,41 +10,64 @@
 
 #include <sys/types.h>
 
-#ifdef __sun
+#if defined(__sun) || defined(__hpux)
 /* Some functions historically defined in string.h were placed in strings.h by
- * SUS. Use the same hack as OS X and FreeBSD use to work around on Solaris.
+ * SUS. Use the same hack as OS X and FreeBSD use to work around on Solaris and HPUX.
  */
 #include <strings.h>
 #endif
 
-#ifdef NO_STRLCPY
+#ifndef HAVE_STRLCPY
 size_t strlcpy(char *dst, const char *src, size_t siz);
 #endif
 
-#ifdef NO_STRLCAT
+#ifndef HAVE_STRLCAT
 size_t strlcat(char *dst, const char *src, size_t siz);
 #endif
 
-#ifdef NO_STRNDUP
+#ifndef HAVE_STRNDUP
 char * strndup(const char *str, size_t maxlen);
+/* the only user of strnlen is strndup, so only build it if needed */
+#ifndef HAVE_STRNLEN
 size_t strnlen(const char *str, size_t maxlen);
 #endif
+#endif
 
-#ifdef NO_EXPLICIT_BZERO
+#ifndef HAVE_STRSEP
+char *strsep(char **stringp, const char *delim);
+#endif
+
+#ifndef HAVE_EXPLICIT_BZERO
 void explicit_bzero(void *, size_t);
 #endif
 
-#ifdef NO_TIMINGSAFE_BCMP
+#ifndef HAVE_TIMINGSAFE_BCMP
 int timingsafe_bcmp(const void *b1, const void *b2, size_t n);
 #endif
 
-#ifdef NO_TIMINGSAFE_MEMCMP
+#ifndef HAVE_TIMINGSAFE_MEMCMP
 int timingsafe_memcmp(const void *b1, const void *b2, size_t len);
 #endif
 
-#ifdef NO_MEMMEM
+#ifndef HAVE_MEMMEM
 void * memmem(const void *big, size_t big_len, const void *little,
 	size_t little_len);
 #endif
 
+#ifdef _WIN32
+#include <errno.h>
+
+static inline char  *
+posix_strerror(int errnum)
+{
+	if (errnum == ECONNREFUSED) {
+		return "Connection refused";
+	}
+	return strerror(errnum);
+}
+
+#define strerror(errnum) posix_strerror(errnum)
+
+#endif
+
 #endif

include/sys/ioctl.h

@@ -0,0 +1,11 @@
+/*
+ * Public domain
+ * sys/ioctl.h compatibility shim
+ */
+
+#ifndef _WIN32
+#include_next <sys/ioctl.h>
+#else
+#include <win32netcompat.h>
+#define ioctl(fd, type, arg) ioctlsocket(fd, type, arg)
+#endif

include/sys/mman.h

@@ -1,3 +1,8 @@
+/*
+ * Public domain
+ * sys/mman.h compatibility shim
+ */
+
 #include_next <sys/mman.h>
 
 #ifndef LIBCRYPTOCOMPAT_MMAN_H

include/sys/select.h

@@ -0,0 +1,10 @@
+/*
+ * Public domain
+ * sys/select.h compatibility shim
+ */
+
+#ifndef _WIN32
+#include_next <sys/select.h>
+#else
+#include <win32netcompat.h>
+#endif

include/sys/socket.h

@@ -0,0 +1,10 @@
+/*
+ * Public domain
+ * sys/socket.h compatibility shim
+ */
+
+#ifndef _WIN32
+#include_next <sys/socket.h>
+#else
+#include <win32netcompat.h>
+#endif

include/sys/times.h

@@ -0,0 +1,10 @@
+/*
+ * Public domain
+ * sys/times.h compatibility shim
+ */
+
+#ifndef _WIN32
+#include_next <sys/times.h>
+#else
+#include <win32netcompat.h>
+#endif

include/sys/types.h

@@ -1,3 +1,8 @@
+/*
+ * Public domain
+ * sys/types.h compatibility shim
+ */
+
 #include_next <sys/types.h>
 
 #ifndef LIBCRYPTOCOMPAT_SYS_TYPES_H

include/sys/uio.h

@@ -0,0 +1,17 @@
+/*
+ * Public domain
+ * sys/select.h compatibility shim
+ */
+
+#ifndef _WIN32
+#include_next <sys/uio.h>
+#else
+
+#include <sys/types.h>
+
+struct iovec {
+	void *iov_base;
+	size_t iov_len;
+};
+
+#endif

include/syslog.h

@@ -0,0 +1,38 @@
+/*
+ * Public domain
+ * syslog.h compatibility shim
+ */
+
+#ifndef LIBCRYPTOCOMPAT_SYSLOG_H
+#define LIBCRYPTOCOMPAT_SYSLOG_H
+
+#ifndef _WIN32
+#include_next <syslog.h>
+#else
+
+/* priorities */
+#define LOG_EMERG 0
+#define LOG_ALERT 1
+#define LOG_CRIT 2
+#define LOG_ERR 3
+#define LOG_WARNING 4
+#define LOG_NOTICE 5
+#define LOG_INFO 6
+#define LOG_DEBUG 7
+
+/* facility codes */
+#define LOG_KERN (0<<3)
+#define LOG_USER (1<<3)
+#define LOG_DAEMON (3<<3)
+
+/* flags for openlog */
+#define LOG_PID 0x01
+#define LOG_CONS 0x02
+
+extern void openlog(const char *ident, int option, int facility);
+extern void syslog(int priority, const char *fmt, ...)
+	__attribute__ ((__format__ (__printf__, 2, 3)));
+extern void closelog (void);
+#endif
+
+#endif /* LIBCRYPTOCOMPAT_SYSLOG_H */

include/unistd.h

@@ -1,13 +1,18 @@
+/*
+ * Public domain
+ * unistd.h compatibility shim
+ */
+
 #include_next <unistd.h>
 
 #ifndef LIBCRYPTOCOMPAT_UNISTD_H
 #define LIBCRYPTOCOMPAT_UNISTD_H
 
-#ifdef NO_GETENTROPY
+#ifndef HAVE_GETENTROPY
 int getentropy(void *buf, size_t buflen);
 #endif
 
-#ifdef NO_ISSETUGID
+#ifndef HAVE_ISSETUGID
 int issetugid(void);
 #endif
 

include/win32netcompat.h

@@ -0,0 +1,161 @@
+/*
+ * Public domain
+ *
+ * BSD socket emulation code for Winsock2
+ * Brent Cook <bcook@openbsd.org>
+ */
+
+#ifndef LIBCRYPTOCOMPAT_WIN32NETCOMPAT_H
+#define LIBCRYPTOCOMPAT_WIN32NETCOMPAT_H
+
+#ifdef _WIN32
+
+#include <ws2tcpip.h>
+
+#define SHUT_RDWR SD_BOTH
+#define SHUT_RD   SD_RECEIVE
+#define SHUT_WR   SD_SEND
+
+#include <errno.h>
+#include <unistd.h>
+
+static int
+wsa_errno(int err)
+{
+	switch (err) {
+	case WSAENOBUFS:
+		errno = ENOMEM;
+		break;
+	case WSAEACCES:
+		errno = EACCES;
+		break;
+	case WSANOTINITIALISED:
+		errno = EPERM;
+		break;
+	case WSAEHOSTUNREACH:
+	case WSAENETDOWN:
+		errno = EIO;
+		break;
+	case WSAEFAULT:
+		errno = EFAULT;
+		break;
+	case WSAEINTR:
+		errno = EINTR;
+		break;
+	case WSAEINVAL:
+		errno = EINVAL;
+		break;
+	case WSAEINPROGRESS:
+		errno = EINPROGRESS;
+		break;
+	case WSAEWOULDBLOCK:
+		errno = EAGAIN;
+		break;
+	case WSAEOPNOTSUPP:
+		errno = ENOTSUP;
+		break;
+	case WSAEMSGSIZE:
+		errno = EFBIG;
+		break;
+	case WSAENOTSOCK:
+		errno = ENOTSOCK;
+		break;
+	case WSAENOPROTOOPT:
+		errno = ENOPROTOOPT;
+		break;
+	case WSAECONNREFUSED:
+		errno = ECONNREFUSED;
+		break;
+	case WSAEAFNOSUPPORT:
+		errno = EAFNOSUPPORT;
+		break;
+	case WSAENETRESET:
+	case WSAENOTCONN:
+	case WSAECONNABORTED:
+	case WSAECONNRESET:
+	case WSAESHUTDOWN:
+	case WSAETIMEDOUT:
+		errno = EPIPE;
+		break;
+	}
+	return -1;
+}
+
+static inline int
+posix_connect(int sockfd, const struct sockaddr *addr, socklen_t addrlen)
+{
+	int rc = connect(sockfd, addr, addrlen);
+	if (rc == SOCKET_ERROR)
+		return wsa_errno(WSAGetLastError());
+	return rc;
+}
+
+#define connect(sockfd, addr, addrlen) posix_connect(sockfd, addr, addrlen)
+
+static inline int
+posix_close(int fd)
+{
+	if (closesocket(fd) == SOCKET_ERROR) {
+		int err = WSAGetLastError();
+		return err == WSAENOTSOCK ?
+			close(fd) : wsa_errno(err);
+	}
+	return 0;
+}
+
+#define close(fd) posix_close(fd)
+
+static inline ssize_t
+posix_read(int fd, void *buf, size_t count)
+{
+	ssize_t rc = recv(fd, buf, count, 0);
+	if (rc == SOCKET_ERROR) {
+		int err = WSAGetLastError();
+		return err == WSAENOTSOCK ?
+			read(fd, buf, count) : wsa_errno(err);
+	}
+	return rc;
+}
+
+#define read(fd, buf, count) posix_read(fd, buf, count)
+
+static inline ssize_t
+posix_write(int fd, const void *buf, size_t count)
+{
+	ssize_t rc = send(fd, buf, count, 0);
+	if (rc == SOCKET_ERROR) {
+		int err = WSAGetLastError();
+		return err == WSAENOTSOCK ?
+			write(fd, buf, count) : wsa_errno(err);
+	}
+	return rc;
+}
+
+#define write(fd, buf, count) posix_write(fd, buf, count)
+
+static inline int
+posix_getsockopt(int sockfd, int level, int optname,
+	void *optval, socklen_t *optlen)
+{
+	int rc = getsockopt(sockfd, level, optname, (char *)optval, optlen);
+	return rc == 0 ? 0 : wsa_errno(WSAGetLastError());
+
+}
+
+#define getsockopt(sockfd, level, optname, optval, optlen) \
+	posix_getsockopt(sockfd, level, optname, optval, optlen)
+
+static inline int
+posix_setsockopt(int sockfd, int level, int optname,
+	const void *optval, socklen_t optlen)
+{
+	int rc = setsockopt(sockfd, level, optname, (char *)optval, optlen);
+	return rc == 0 ? 0 : wsa_errno(WSAGetLastError());
+}
+
+#define setsockopt(sockfd, level, optname, optval, optlen) \
+	posix_setsockopt(sockfd, level, optname, optval, optlen)
+
+#endif
+
+#endif

libcrypto.pc.in

@@ -7,7 +7,7 @@ includedir=@includedir@
 
 Name: LibreSSL-libssl
 Description: Secure Sockets Layer and cryptography libraries
-Version: @VERSION@
+Version: @LIBCRYPTO_VERSION@
 Requires:
 Conflicts:
 Libs: -L${libdir} -lcrypto

libssl.pc.in

@@ -7,7 +7,7 @@ includedir=@includedir@
 
 Name: LibreSSL-libssl
 Description: Secure Sockets Layer and cryptography libraries
-Version: @VERSION@
+Version: @LIBSSL_VERSION@
 Requires:
 Requires.private: libcrypto
 Conflicts:

libtls.pc.in

@@ -0,0 +1,16 @@
+#libtls pkg-config source file
+
+prefix=@prefix@
+exec_prefix=@exec_prefix@
+libdir=@libdir@
+includedir=@includedir@
+
+Name: LibreSSL-libtls
+Description: Secure communications using the TLS socket protocol.
+Version: @LIBTLS_VERSION@
+Requires:
+Requires.private: libcrypto libssl
+Conflicts:
+Libs: -L${libdir} -ltls
+Libs.private: @LIBS@ -lcrypto -lssl
+Cflags: -I${includedir}

man/Makefile.am.tpl

@@ -1,3 +1,2 @@
 include $(top_srcdir)/Makefile.am.common
 dist_man_MANS=
-

patches/win_bio_sock_init.diff

@@ -0,0 +1,44 @@
+diff --git a/src/usr.bin/openssl/openssl.c b/src/usr.bin/openssl/openssl.c
+index e7dd11c..cfd4593 100644
+--- a/src/usr.bin/openssl/openssl.c
++++ b/src/usr.bin/openssl/openssl.c
+@@ -253,6 +253,11 @@ main(int argc, char **argv)
+ 	arg.data = NULL;
+ 	arg.count = 0;
+ 
++	if (BIO_sock_init() != 1) {
++		fprintf(stderr, "BIO_sock_init failed\n");
++		exit(1);
++	}
++
+ 	bio_err = BIO_new_fp(stderr, BIO_NOCLOSE);
+ 	if (bio_err == NULL) {
+ 		fprintf(stderr, "openssl: failed to initialise bio_err\n");
+diff --git a/src/usr.bin/openssl/s_socket.c b/src/usr.bin/openssl/s_socket.c
+index 3b96b1a..2ce31eb 100644
+--- a/src/usr.bin/openssl/s_socket.c
++++ b/src/usr.bin/openssl/s_socket.c
+@@ -85,11 +85,6 @@ init_client(int *sock, char *host, char *port, int type, int af)
+ 	struct addrinfo hints, *ai_top, *ai;
+ 	int i, s;
+ 
+-	if (BIO_sock_init() != 1) {
+-		BIO_printf(bio_err, "BIO_sock_init failed\n");
+-		return (0);
+-	}
+-
+ 	memset(&hints, '\0', sizeof(hints));
+ 	hints.ai_family = af;
+ 	hints.ai_socktype = type;
+@@ -181,11 +176,6 @@ init_server_long(int *sock, int port, char *ip, int type)
+ 	struct sockaddr_in server;
+ 	int s = -1;
+ 
+-	if (BIO_sock_init() != 1) {
+-		BIO_printf(bio_err, "BIO_sock_init failed\n");
+-		return (0);
+-	}
+-
+ 	memset((char *) &server, 0, sizeof(server));
+ 	server.sin_family = AF_INET;
+ 	server.sin_port = htons((unsigned short) port);

scripts/travis

@@ -0,0 +1,33 @@
+#!/bin/sh
+set -e
+
+./autogen.sh
+
+if [ "x$ARCH" = "xnative" ]; then
+	./configure
+	if [ `uname` = "Darwin" ]; then
+		# OS X runs out of resources if we run 'make -j check'
+		make check
+	else
+		make -j distcheck
+	fi
+else
+	CPU=i686
+	if [ "x$ARCH" = "xmingw64" ]; then
+		CPU=x86_64
+	fi
+	export CC=$CPU-w64-mingw32-gcc
+
+	if [ -z $(which $CC) ]; then
+		# Update Ubuntu 12.04 with current mingw toolchain
+		sudo apt-get update
+		sudo apt-get install -y python-software-properties
+		sudo apt-add-repository -y ppa:tobydox/mingw-x-precise
+		sudo apt-get update
+		sudo apt-get install -y $ARCH-x-gcc make
+		export PATH=$PATH:/opt/$ARCH/bin
+	fi
+
+	./configure --host=$CPU-w64-mingw32
+	make -j
+fi

scripts/wrap-compiler-for-flag-check

@@ -0,0 +1,31 @@
+#!/bin/sh
+
+# This file is in the public domain.
+# https://github.com/kmcallister/autoharden/blob/c5c7842f39c2f8d19836bb5427d6479db4436d62/LICENSE
+#
+# From kmcallister: 
+# https://github.com/kmcallister/autoharden/blob/efaf5a16612589808c276a11536ea9a47071f74b/scripts/wrap-compiler-for-flag-check
+
+# Prior to clang v5.1, there was no way to make
+# clang's "argument unused" warning fatal.  This
+# wrapper script that greps for this warning message. Newer clang's have no issues.
+#
+# Ideally the search string would also include 'clang: ' but this output might
+# depend on clang's argv[0].
+#
+set -o errexit
+set -o nounset
+
+if out=`"$@" 2>&1`; then
+  echo "$out"
+  if echo "$out" | grep 'warning: argument unused' >/dev/null; then
+    echo "$0: found clang warning"
+    exit 1
+  else
+    exit 0
+  fi
+else
+  code=$?
+  echo "$out"
+  exit $code
+fi

ssl/Makefile.am

@@ -0,0 +1,57 @@
+include $(top_srcdir)/Makefile.am.common
+
+lib_LTLIBRARIES = libssl.la
+
+EXTRA_DIST = VERSION
+
+libssl_la_LDFLAGS = -version-info @LIBSSL_VERSION@ -no-undefined
+libssl_la_CFLAGS = $(CFLAGS) $(USER_CFLAGS)
+libssl_la_LIBADD = ../crypto/libcrypto.la
+
+libssl_la_SOURCES = bio_ssl.c
+libssl_la_SOURCES += bs_ber.c
+libssl_la_SOURCES += bs_cbb.c
+libssl_la_SOURCES += bs_cbs.c
+libssl_la_SOURCES += d1_both.c
+libssl_la_SOURCES += d1_clnt.c
+libssl_la_SOURCES += d1_enc.c
+libssl_la_SOURCES += d1_lib.c
+libssl_la_SOURCES += d1_meth.c
+libssl_la_SOURCES += d1_pkt.c
+libssl_la_SOURCES += d1_srtp.c
+libssl_la_SOURCES += d1_srvr.c
+libssl_la_SOURCES += pqueue.c
+libssl_la_SOURCES += s23_clnt.c
+libssl_la_SOURCES += s23_lib.c
+libssl_la_SOURCES += s23_meth.c
+libssl_la_SOURCES += s23_pkt.c
+libssl_la_SOURCES += s23_srvr.c
+libssl_la_SOURCES += s3_both.c
+libssl_la_SOURCES += s3_cbc.c
+libssl_la_SOURCES += s3_clnt.c
+libssl_la_SOURCES += s3_enc.c
+libssl_la_SOURCES += s3_lib.c
+libssl_la_SOURCES += s3_meth.c
+libssl_la_SOURCES += s3_pkt.c
+libssl_la_SOURCES += s3_srvr.c
+libssl_la_SOURCES += ssl_algs.c
+libssl_la_SOURCES += ssl_asn1.c
+libssl_la_SOURCES += ssl_cert.c
+libssl_la_SOURCES += ssl_ciph.c
+libssl_la_SOURCES += ssl_err.c
+libssl_la_SOURCES += ssl_err2.c
+libssl_la_SOURCES += ssl_lib.c
+libssl_la_SOURCES += ssl_rsa.c
+libssl_la_SOURCES += ssl_sess.c
+libssl_la_SOURCES += ssl_stat.c
+libssl_la_SOURCES += ssl_txt.c
+libssl_la_SOURCES += t1_clnt.c
+libssl_la_SOURCES += t1_enc.c
+libssl_la_SOURCES += t1_lib.c
+libssl_la_SOURCES += t1_meth.c
+libssl_la_SOURCES += t1_reneg.c
+libssl_la_SOURCES += t1_srvr.c
+
+noinst_HEADERS = srtp.h
+noinst_HEADERS += ssl_locl.h
+noinst_HEADERS += bytestring.h

ssl/Makefile.am.tpl

@@ -1,9 +0,0 @@
-include $(top_srcdir)/Makefile.am.common
-
-lib_LTLIBRARIES = libssl.la
-
-libssl_la_LDFLAGS = -version-info libssl-version
-
-libssl_la_CFLAGS = $(CFLAGS) $(USER_CFLAGS)
-libssl_la_SOURCES =
-noinst_HEADERS =

tests/Makefile.am.tpl

@@ -2,11 +2,14 @@ include $(top_srcdir)/Makefile.am.common
 
 AM_CPPFLAGS += -I $(top_srcdir)/crypto/modes
 AM_CPPFLAGS += -I $(top_srcdir)/crypto/asn1
+AM_CPPFLAGS += -I $(top_srcdir)/ssl
+
+LDADD = $(PLATFORM_LDADD) $(PROG_LDADD)
+LDADD += $(top_builddir)/ssl/libssl.la
+LDADD += $(top_builddir)/crypto/libcrypto.la
 
 TESTS =
 check_PROGRAMS =
 EXTRA_DIST =
+DISTCLEANFILES = pidwraptest.txt
 
-if !NO_ARC4RANDOM_BUF
-TESTS += pidwraptest.sh
-endif

tests/aeadtest.sh

@@ -1,3 +1,7 @@
 #!/bin/sh
 set -e
-./aeadtest $srcdir/aeadtests.txt
+TEST=./aeadtest
+if [ -e ./aeadtest.exe ]; then
+	TEST=./aeadtest.exe
+fi
+$TEST $srcdir/aeadtests.txt

tests/evptest.sh

@@ -1,3 +1,7 @@
 #!/bin/sh
 set -e
-./evptest $srcdir/evptests.txt
+TEST=./evptest
+if [ -e ./evptest.exe ]; then
+	TEST=./evptest.exe
+fi
+$TEST $srcdir/evptests.txt

tests/pidwraptest.c

@@ -6,6 +6,7 @@
  * Original source: https://gist.github.com/AGWA/eb84e55ca25a7da1deb0
  */
 
+#undef LIBRESSL_INTERNAL
 #include <openssl/rand.h>
 #include <stdio.h>
 #include <stdlib.h>

tests/pq_test.sh

@@ -1,3 +1,7 @@
 #!/bin/sh
 set -e
-./pq_test | cmp $srcdir/pq_expected.txt -
+TEST=./pq_test
+if [ -e ./pq_test.exe ]; then
+	TEST=./pq_test.exe
+fi
+$TEST | diff -b $srcdir/pq_expected.txt -

tests/ssltest.sh

@@ -1,5 +1,19 @@
 #!/bin/sh
 set -e
-PATH=../apps:$PATH
-export PATH
-$srcdir/testssl $srcdir/server.pem $srcdir/server.pem $srcdir/ca.pem
+
+ssltest_bin=./ssltest
+if [ -e ./ssltest.exe ]; then
+	ssltest_bin=./ssltest.exe
+fi
+
+openssl_bin=../apps/openssl
+if [ -e ../apps/openssl.exe ]; then
+	openssl_bin=../apps/openssl.exe
+fi
+
+if [ -z $srcdir ]; then
+	srcdir=.
+fi
+
+$srcdir/testssl $srcdir/server.pem $srcdir/server.pem $srcdir/ca.pem \
+	$ssltest_bin $openssl_bin

tls/Makefile.am

@@ -0,0 +1,21 @@
+include $(top_srcdir)/Makefile.am.common
+
+lib_LTLIBRARIES = libtls.la
+
+EXTRA_DIST = VERSION
+
+libtls_la_LDFLAGS = -version-info @LIBTLS_VERSION@ -no-undefined
+libtls_la_CFLAGS = $(CFLAGS) $(USER_CFLAGS)
+libtls_la_LIBADD = ../crypto/libcrypto.la ../ssl/libssl.la $(PLATFORM_LDADD)
+
+libtls_la_SOURCES = tls.c
+libtls_la_SOURCES += tls_client.c
+libtls_la_SOURCES += tls_config.c
+libtls_la_SOURCES += tls_server.c
+libtls_la_SOURCES += tls_util.c
+libtls_la_SOURCES += tls_verify.c
+noinst_HEADERS = tls_internal.h
+
+if !HAVE_STRSEP
+libtls_la_SOURCES += strsep.c
+endif

update.sh

@@ -1,68 +1,67 @@
 #!/usr/bin/env bash
 set -e
 
-# resync this library with the upstream project, remove old submodule dirs
-if [ -d openbsd ]; then
-	(cd openbsd
-	 git checkout master
-	 git pull)
-else
+openbsd_branch=`cat OPENBSD_BRANCH`
+libressl_version=`cat VERSION`
+
+# pull in latest upstream code
+echo "pulling upstream openbsd source"
+if [ ! -d openbsd ]; then
 	if [ -z "$LIBRESSL_GIT" ]; then
 		git clone https://github.com/libressl-portable/openbsd.git
 	else
 		git clone $LIBRESSL_GIT/openbsd
 	fi
 fi
+(cd openbsd
+ git checkout $openbsd_branch
+ git pull --rebase)
 
-dir=`pwd`
-libssl_src=$dir/openbsd/src/lib/libssl
-libssl_regress=$dir/openbsd/src/regress/lib/libssl
-libc_src=$dir/openbsd/src/lib/libc
-libc_regress=$dir/openbsd/src/regress/lib/libc
-libcrypto_src=$dir/openbsd/src/lib/libcrypto
-openssl_cmd_src=$dir/openbsd/src/usr.sbin/openssl
-libcrypto_regress=$dir/openbsd/src/regress/lib/libcrypto
+# setup source paths
+CWD=`pwd`
+libc_src=$CWD/openbsd/src/lib/libc
+libc_regress=$CWD/openbsd/src/regress/lib/libc
+libcrypto_src=$CWD/openbsd/src/lib/libcrypto
+libcrypto_regress=$CWD/openbsd/src/regress/lib/libcrypto
+libssl_src=$CWD/openbsd/src/lib/libssl
+libssl_regress=$CWD/openbsd/src/regress/lib/libssl
+libtls_src=$CWD/openbsd/src/lib/libtls
+openssl_app_src=$CWD/openbsd/src/usr.bin/openssl
 
-libressl_version=`cat VERSION`
+# load library versions
+source $libcrypto_src/crypto/shlib_version
+libcrypto_version=$major:$minor:0
+echo "libcrypto version $libcrypto_version"
+echo $libcrypto_version > crypto/VERSION
 
 source $libssl_src/ssl/shlib_version
 libssl_version=$major:$minor:0
-echo libssl version $libssl_version
+echo "libssl version $libssl_version"
+echo $libssl_version > ssl/VERSION
 
-source $libcrypto_src/crypto/shlib_version
-libcrypto_version=$major:$minor:0
-echo libcrypto version $libcrypto_version
-
-sed -e "s/VERSION/${libressl_version}/" configure.ac.tpl > configure.ac
+source $libtls_src/shlib_version
+libtls_version=$major:$minor:0
+echo "libtls version $libtls_version"
+echo $libtls_version > tls/VERSION
 
+do_mv() {
+	if ! cmp -s "$1" "$2"
+	then
+		mv "$1" "$2"
+	else
+		rm -f "$1"
+	fi
+}
 CP='cp -p'
-
-copy_src() {
-	mkdir -p $1
-	rm -f $1/*.c
-	for file in $2; do
-		$CP $libssl_src/src/$1/$file $1
-	done
-}
-
-copy_hdrs() {
-	for file in $2; do
-		$CP $libssl_src/src/$1/$file include/openssl
-	done
-}
-
-copy_crypto() {
-	copy_src crypto/$1 "$2"
-	crypto_subdirs="$crypto_subdirs $1"
-}
+MV='do_mv'
 
 $CP $libssl_src/src/LICENSE COPYING
-echo "Please see OpenBSD CVS logs" > ChangeLog
 
 $CP $libcrypto_src/crypto/arch/amd64/opensslconf.h include/openssl
 $CP $libssl_src/src/crypto/opensslfeatures.h include/openssl
 $CP $libssl_src/src/e_os2.h include/openssl
 $CP $libssl_src/src/ssl/pqueue.h include
+$CP $libtls_src/tls.h include
 
 for i in explicit_bzero.c strlcpy.c strlcat.c strndup.c strnlen.c \
 		timingsafe_bcmp.c timingsafe_memcmp.c; do
@@ -78,10 +77,16 @@ $CP $libcrypto_src/crypto/arc4random_*.h crypto/compat
 	perl objects.pl objects.txt obj_mac.num obj_mac.h;
 	perl obj_dat.pl obj_mac.h obj_dat.h )
 mkdir -p include/openssl crypto/objects
-mv $libssl_src/src/crypto/objects/obj_mac.h ./include/openssl/obj_mac.h
-mv $libssl_src/src/crypto/objects/obj_dat.h ./crypto/objects/obj_dat.h
+$MV $libssl_src/src/crypto/objects/obj_mac.h ./include/openssl/obj_mac.h
+$MV $libssl_src/src/crypto/objects/obj_dat.h ./crypto/objects/obj_dat.h
 
-copy_hdrs crypto "stack/stack.h lhash/lhash.h stack/safestack.h opensslv.h
+copy_hdrs() {
+	for file in $2; do
+		$CP $libssl_src/src/$1/$file include/openssl
+	done
+}
+
+copy_hdrs crypto "stack/stack.h lhash/lhash.h stack/safestack.h
 	ossl_typ.h err/err.h crypto.h comp/comp.h x509/x509.h buffer/buffer.h
 	objects/objects.h asn1/asn1.h bn/bn.h ec/ec.h ecdsa/ecdsa.h
 	ecdh/ecdh.h rsa/rsa.h sha/sha.h x509/x509_vfy.h pkcs7/pkcs7.h pem/pem.h
@@ -91,216 +96,129 @@ copy_hdrs crypto "stack/stack.h lhash/lhash.h stack/safestack.h opensslv.h
 	bio/bio.h cast/cast.h cmac/cmac.h conf/conf_api.h des/des.h dh/dh.h
 	dsa/dsa.h cms/cms.h engine/engine.h ui/ui.h pkcs12/pkcs12.h ts/ts.h
 	md4/md4.h ripemd/ripemd.h whrlpool/whrlpool.h idea/idea.h mdc2/mdc2.h
-	rc2/rc2.h rc4/rc4.h rc5/rc5.h ui/ui_compat.h txt_db/txt_db.h chacha/chacha.h evp/evp.h
-	poly1305/poly1305.h"
+	rc2/rc2.h rc4/rc4.h ui/ui_compat.h txt_db/txt_db.h
+	chacha/chacha.h evp/evp.h poly1305/poly1305.h camellia/camellia.h
+	gost/gost.h"
 
 copy_hdrs ssl "srtp.h ssl.h ssl2.h ssl3.h ssl23.h tls1.h dtls1.h"
 
-for i in ssl/srtp.h \
-	ssl/ssl_locl.h; do
-	$CP $libssl_src/src/$i ssl
+sed -e "s/\"LibreSSL .*\"/\"LibreSSL ${libressl_version}\"/" \
+	$libssl_src/src/crypto/opensslv.h > include/openssl/opensslv.h.lcl
+$MV include/openssl/opensslv.h.lcl include/openssl/opensslv.h
+
+# copy libcrypto source
+echo copying libcrypto source
+rm -f crypto/*.c crypto/*.h
+for i in `awk '/SOURCES|HEADERS/ { print $3 }' crypto/Makefile.am` ; do
+	dir=`dirname $i`
+	mkdir -p crypto/$dir
+	if [ $dir != "compat" ]; then
+		if [ -e $libssl_src/src/crypto/$i ]; then
+			$CP $libssl_src/src/crypto/$i crypto/$i
+		fi
+	fi
+done
+$CP crypto/compat/b_win.c crypto/bio
+$CP crypto/compat/ui_openssl_win.c crypto/ui
+
+# generate assembly crypto algorithms
+asm_src=$libssl_src/src/crypto
+gen_asm_stdout() {
+	perl $asm_src/$2 $1 > $3.tmp
+	[[ $1 == "elf" ]] && cat <<-EOF >> $3.tmp
+	#if defined(HAVE_GNU_STACK)
+	.section .note.GNU-stack,"",%progbits
+	#endif
+	EOF
+	$MV $3.tmp $3
+}
+gen_asm() {
+	perl $asm_src/$2 $1 $3.tmp
+	[[ $1 == "elf" ]] && cat <<-EOF >> $3.tmp
+	#if defined(HAVE_GNU_STACK)
+	.section .note.GNU-stack,"",%progbits
+	#endif
+	EOF
+	$MV $3.tmp $3
+}
+for abi in elf macosx; do
+	echo generating ASM source for $abi
+	gen_asm_stdout $abi aes/asm/aes-x86_64.pl        crypto/aes/aes-$abi-x86_64.s
+	gen_asm_stdout $abi aes/asm/vpaes-x86_64.pl      crypto/aes/vpaes-$abi-x86_64.s
+	gen_asm_stdout $abi aes/asm/bsaes-x86_64.pl      crypto/aes/bsaes-$abi-x86_64.s
+	gen_asm_stdout $abi aes/asm/aesni-x86_64.pl      crypto/aes/aesni-$abi-x86_64.s
+	gen_asm_stdout $abi aes/asm/aesni-sha1-x86_64.pl crypto/aes/aesni-sha1-$abi-x86_64.s
+	gen_asm_stdout $abi bn/asm/modexp512-x86_64.pl   crypto/bn/modexp512-$abi-x86_64.s
+	gen_asm_stdout $abi bn/asm/x86_64-mont.pl        crypto/bn/mont-$abi-x86_64.s
+	gen_asm_stdout $abi bn/asm/x86_64-mont5.pl       crypto/bn/mont5-$abi-x86_64.s
+	gen_asm_stdout $abi bn/asm/x86_64-gf2m.pl        crypto/bn/gf2m-$abi-x86_64.s
+	gen_asm_stdout $abi camellia/asm/cmll-x86_64.pl  crypto/camellia/cmll-$abi-x86_64.s
+	gen_asm_stdout $abi md5/asm/md5-x86_64.pl        crypto/md5/md5-$abi-x86_64.s
+	gen_asm_stdout $abi modes/asm/ghash-x86_64.pl    crypto/modes/ghash-$abi-x86_64.s
+	gen_asm_stdout $abi rc4/asm/rc4-x86_64.pl        crypto/rc4/rc4-$abi-x86_64.s
+	gen_asm_stdout $abi rc4/asm/rc4-md5-x86_64.pl    crypto/rc4/rc4-md5-$abi-x86_64.s
+	gen_asm_stdout $abi sha/asm/sha1-x86_64.pl       crypto/sha/sha1-$abi-x86_64.s
+	gen_asm        $abi sha/asm/sha512-x86_64.pl     crypto/sha/sha256-$abi-x86_64.S
+	gen_asm        $abi sha/asm/sha512-x86_64.pl     crypto/sha/sha512-$abi-x86_64.S
+	gen_asm_stdout $abi whrlpool/asm/wp-x86_64.pl    crypto/whrlpool/wp-$abi-x86_64.s
+	gen_asm        $abi x86_64cpuid.pl               crypto/cpuid-$abi-x86_64.S
 done
 
-copy_src ssl "s3_meth.c s3_srvr.c s3_clnt.c s3_lib.c s3_enc.c s3_pkt.c
-	s3_both.c s23_meth.c s23_srvr.c s23_clnt.c s23_lib.c s23_pkt.c t1_meth.c
-	t1_srvr.c t1_clnt.c t1_lib.c t1_enc.c d1_meth.c d1_srvr.c d1_clnt.c
-	d1_lib.c d1_pkt.c d1_both.c d1_enc.c d1_srtp.c ssl_lib.c ssl_err2.c
-	ssl_cert.c ssl_sess.c ssl_ciph.c ssl_stat.c ssl_rsa.c ssl_asn1.c ssl_txt.c
-	ssl_algs.c bio_ssl.c ssl_err.c t1_reneg.c s3_cbc.c pqueue.c"
-
-copy_src crypto "cryptlib.h cryptlib.c malloc-wrapper.c mem_clr.c mem_dbg.c cversion.c
-	ex_data.c cpt_err.c o_time.c o_time.h o_str.c o_init.c md32_common.h"
-
-copy_crypto aes "aes_cbc.c aes_core.c aes_misc.c aes_ecb.c aes_cfb.c aes_ofb.c aes_ctr.c
-	aes_ige.c aes_wrap.c aes_locl.h"
-
-copy_crypto asn1 "a_object.c a_bitstr.c a_utctm.c a_gentm.c a_time.c
-	a_int.c a_octet.c a_print.c a_type.c a_dup.c a_d2i_fp.c a_i2d_fp.c a_enum.c
-	a_utf8.c a_sign.c a_digest.c a_verify.c a_mbstr.c a_strex.c x_algor.c
-	x_val.c x_pubkey.c x_sig.c x_req.c x_attrib.c x_bignum.c x_long.c x_name.c
-	x_x509.c x_x509a.c x_crl.c x_info.c x_spki.c nsseq.c x_nx509.c d2i_pu.c
-	d2i_pr.c i2d_pu.c i2d_pr.c t_req.c t_x509.c t_x509a.c t_crl.c t_pkey.c
-	t_spki.c t_bitst.c tasn_new.c tasn_fre.c tasn_enc.c tasn_dec.c tasn_utl.c
-	tasn_typ.c tasn_prn.c ameth_lib.c f_int.c f_string.c n_pkey.c f_enum.c
-	x_pkey.c a_bool.c x_exten.c bio_asn1.c bio_ndef.c asn_mime.c asn1_gen.c
-	asn1_par.c asn1_lib.c asn1_err.c a_bytes.c a_strnid.c evp_asn1.c asn_pack.c
-	p5_pbe.c p5_pbev2.c p8_pkey.c asn_moid.c a_set.c asn1_locl.h charmap.h"
-
-copy_crypto bf "bf_skey.c bf_ecb.c bf_enc.c bf_cfb64.c bf_ofb64.c bf_locl.h bf_pi.h"
-
-copy_crypto bio "bio_lib.c bio_cb.c bio_err.c bss_mem.c bss_null.c bss_fd.c
-	bss_file.c bss_sock.c bss_conn.c bf_null.c bf_buff.c b_dump.c
-	b_sock.c bss_acpt.c bf_nbio.c bss_log.c bss_bio.c bss_dgram.c b_print.c"
-
-copy_crypto bn "bn_add.c bn_asm.c bn_div.c bn_exp.c bn_lib.c bn_ctx.c bn_mul.c
-	bn_mod.c bn_print.c bn_rand.c bn_shift.c bn_word.c bn_blind.c bn_kron.c
-	bn_sqrt.c bn_gcd.c bn_prime.c bn_err.c bn_sqr.c bn_recp.c bn_mont.c
-	bn_mpi.c bn_exp2.c bn_gf2m.c bn_nist.c bn_depr.c bn_const.c bn_x931p.c
-	bn_lcl.h bn_prime.h"
-
-copy_crypto buffer "buffer.c buf_err.c buf_str.c"
-
-copy_crypto cast "c_skey.c c_ecb.c c_enc.c c_cfb64.c c_ofb64.c cast_lcl.h
-	cast_s.h"
-
-copy_crypto chacha "chacha.c chacha-merged.c"
-
-copy_crypto cmac "cmac.c cm_ameth.c cm_pmeth.c"
-
-#copy_crypto cms "cms_lib.c cms_asn1.c cms_att.c cms_io.c cms_smime.c cms_err.c
-#	cms_sd.c cms_dd.c cms_cd.c cms_env.c cms_enc.c cms_ess.c cms_pwri.c cms.h cms_lcl.h"
-
-copy_crypto comp "comp_lib.c comp_err.c c_rle.c c_zlib.c"
-
-copy_crypto conf "conf_err.c conf_lib.c conf_api.c conf_def.c conf_mod.c
-	conf_mall.c conf_sap.c conf_def.h"
-
-copy_crypto des "cbc_cksm.c cbc_enc.c cfb64enc.c cfb_enc.c ecb3_enc.c
-	ecb_enc.c  enc_read.c enc_writ.c fcrypt.c fcrypt_b.c ofb64enc.c ofb_enc.c
-	pcbc_enc.c qud_cksm.c rand_key.c set_key.c xcbc_enc.c str2key.c
-	cfb64ede.c ofb64ede.c ede_cbcm_enc.c des_enc.c des_locl.h ncbc_enc.c
-	spr.h"
-
-copy_crypto dh "dh_asn1.c dh_gen.c dh_key.c dh_lib.c dh_check.c dh_err.c
-	dh_depr.c dh_ameth.c dh_pmeth.c dh_prn.c"
-
-copy_crypto dsa "dsa_gen.c dsa_key.c dsa_lib.c dsa_asn1.c dsa_vrf.c
-	dsa_sign.c dsa_err.c dsa_ossl.c dsa_depr.c dsa_ameth.c dsa_pmeth.c
-	dsa_prn.c dsa_locl.h"
-
-copy_crypto dso "dso_dlfcn.c dso_err.c dso_lib.c dso_null.c dso_openssl.c"
-
-copy_crypto ec "ec_lib.c ecp_smpl.c ecp_mont.c ecp_nist.c ec_cvt.c ec_mult.c
-	ec_err.c ec_curve.c ec_check.c ec_print.c ec_asn1.c ec_key.c ec2_smpl.c
-	ec2_mult.c ec_ameth.c ec_pmeth.c eck_prn.c ecp_oct.c ec2_oct.c ec_oct.c
-	ec_lcl.h"
-
-copy_crypto ecdh "ech_lib.c ech_ossl.c ech_key.c ech_err.c ech_locl.h"
-
-copy_crypto ecdsa "ecs_lib.c ecs_asn1.c ecs_ossl.c ecs_sign.c ecs_vrf.c
-	ecs_err.c ecs_locl.h"
-
-# Engine interface is disabled
-copy_crypto engine "eng_err.c eng_lib.c eng_list.c eng_init.c eng_ctrl.c
-	eng_table.c eng_pkey.c eng_fat.c eng_all.c tb_rsa.c tb_dsa.c tb_ecdsa.c
-	tb_dh.c tb_ecdh.c tb_rand.c tb_store.c tb_cipher.c tb_digest.c tb_pkmeth.c
-	tb_asnmth.c eng_openssl.c eng_cnf.c eng_dyn.c eng_rsax.c eng_int.h"
-
-copy_crypto err "err.c err_all.c err_prn.c"
-
-copy_crypto evp "encode.c digest.c evp_enc.c evp_key.c e_des.c e_bf.c
-	e_idea.c e_des3.c e_rc4.c e_aes.c names.c e_xcbc_d.c e_rc2.c e_cast.c
-	m_null.c m_md4.c m_md5.c m_sha.c m_sha1.c m_wp.c m_dss.c m_dss1.c m_mdc2.c
-	m_ripemd.c m_ecdsa.c p_open.c p_seal.c p_sign.c p_verify.c p_lib.c p_enc.c
-	p_dec.c bio_md.c bio_b64.c bio_enc.c evp_err.c e_null.c c_all.c c_allc.c
-	c_alld.c evp_lib.c evp_pkey.c evp_pbe.c p5_crpt.c p5_crpt2.c
-	e_old.c pmeth_lib.c pmeth_fn.c pmeth_gn.c m_sigver.c e_aes_cbc_hmac_sha1.c
-	e_rc4_hmac_md5.c evp_locl.h e_chacha.c evp_aead.c e_chacha20poly1305.c"
-
-copy_crypto hmac "hmac.c hm_ameth.c hm_pmeth.c"
-
-copy_crypto idea "i_cbc.c i_cfb64.c i_ofb64.c i_ecb.c i_skey.c idea_lcl.h"
-
-copy_crypto krb5 "krb5_asn.c"
-
-copy_crypto lhash "lhash.c lh_stats.c"
-
-copy_crypto md4 "md4_dgst.c md4_one.c md4_locl.h"
-
-copy_crypto md5 "md5_dgst.c md5_one.c md5_locl.h"
-
-copy_crypto mdc2 "mdc2dgst.c mdc2_one.c"
-
-copy_crypto modes "cbc128.c ctr128.c cts128.c cfb128.c ofb128.c gcm128.c
-	ccm128.c xts128.c modes_lcl.h"
-
-copy_crypto objects "o_names.c obj_dat.c obj_lib.c obj_err.c obj_xref.c obj_xref.h"
-
-copy_crypto ocsp "ocsp_asn.c ocsp_ext.c ocsp_ht.c ocsp_lib.c ocsp_cl.c
-	ocsp_srv.c ocsp_prn.c ocsp_vfy.c ocsp_err.c"
-
-copy_crypto pem "pem_sign.c pem_seal.c pem_info.c pem_lib.c pem_all.c pem_err.c
-	pem_x509.c pem_xaux.c pem_oth.c pem_pk8.c pem_pkey.c pvkfmt.c"
-
-copy_crypto pkcs12 "p12_add.c p12_asn.c p12_attr.c p12_crpt.c p12_crt.c
-	p12_decr.c p12_init.c p12_key.c p12_kiss.c p12_mutl.c p12_utl.c p12_npas.c
-	pk12err.c p12_p8d.c p12_p8e.c"
-
-copy_crypto pkcs7 "pk7_asn1.c pk7_lib.c pkcs7err.c pk7_doit.c pk7_smime.c
-	pk7_attr.c pk7_mime.c bio_pk7.c"
-
-copy_crypto poly1305 "poly1305-donna.c poly1305.c"
-
-copy_crypto rand "randfile.c rand_err.c rand_lib.c"
-
-copy_crypto rc2 "rc2_ecb.c rc2_skey.c rc2_cbc.c rc2cfb64.c rc2ofb64.c rc2_locl.h"
-
-copy_crypto rc4 "rc4_enc.c rc4_skey.c rc4_locl.h"
-
-copy_crypto ripemd "rmd_dgst.c rmd_one.c rmd_locl.h rmdconst.h"
-
-copy_crypto rsa "rsa_eay.c rsa_gen.c rsa_lib.c rsa_sign.c rsa_saos.c rsa_err.c
-	rsa_pk1.c rsa_ssl.c rsa_none.c rsa_oaep.c rsa_chk.c rsa_pss.c
-	rsa_x931.c rsa_asn1.c rsa_depr.c rsa_ameth.c rsa_prn.c rsa_pmeth.c
-	rsa_crpt.c rsa_locl.h"
-
-copy_crypto sha "sha_dgst.c sha1dgst.c sha_one.c sha1_one.c sha256.c sha512.c sha_locl.h"
-
-copy_crypto stack "stack.c"
-
-copy_crypto ts "ts_err.c ts_req_utils.c ts_req_print.c ts_rsp_utils.c
-	ts_rsp_print.c ts_rsp_sign.c ts_rsp_verify.c ts_verify_ctx.c ts_lib.c
-	ts_conf.c ts_asn1.c"
-
-copy_crypto txt_db "txt_db.c"
-
-copy_crypto ui "ui_err.c ui_lib.c ui_openssl.c ui_util.c ui_locl.h"
-
-copy_crypto whrlpool "wp_block.c wp_dgst.c wp_locl.h"
-
-copy_crypto x509 "x509_def.c x509_d2.c x509_r2x.c x509_cmp.c x509_obj.c
-	x509_req.c x509spki.c x509_vfy.c x509_set.c x509cset.c x509rset.c
-	x509_err.c x509name.c x509_v3.c x509_ext.c x509_att.c x509type.c x509_lu.c
-	x_all.c x509_txt.c x509_trs.c by_file.c by_dir.c x509_vpm.c x509_lcl.h"
-
-copy_crypto x509v3 "v3_bcons.c v3_bitst.c v3_conf.c v3_extku.c v3_ia5.c v3_lib.c
-	v3_prn.c v3_utl.c v3err.c v3_genn.c v3_alt.c v3_skey.c v3_akey.c v3_pku.c
-	v3_int.c v3_enum.c v3_sxnet.c v3_cpols.c v3_crld.c v3_purp.c v3_info.c
-	v3_ocsp.c v3_akeya.c v3_pmaps.c v3_pcons.c v3_ncons.c v3_pcia.c v3_pci.c
-	pcy_cache.c pcy_node.c pcy_data.c pcy_map.c pcy_tree.c pcy_lib.c
-	pcy_int.h ext_dat.h"
-
-copy_src apps "apps.c apps.h asn1pars.c ca.c ciphers.c cms.c crl.c crl2p7.c
-	dgst.c dh.c dhparam.c dsa.c dsaparam.c ec.c ecparam.c enc.c engine.c
-	errstr.c gendh.c gendsa.c genpkey.c genrsa.c nseq.c ocsp.c openssl.c
-	openssl.cnf passwd.c pkcs12.c pkcs7.c pkcs8.c pkey.c pkeyparam.c pkeyutl.c
-	prime.c progs.h rand.c req.c rsa.c rsautl.c s_apps.h s_cb.c s_client.c
-	s_server.c s_socket.c s_time.c sess_id.c smime.c speed.c spkac.c
-	testdsa.h testrsa.h timeouts.h ts.c verify.c version.c x509.c"
-
-for i in aead/aeadtest.c aeswrap/aes_wrap.c base64/base64test.c bf/bftest.c \
-	bio/biotest.c bn/general/bntest.c bn/mont/mont.c \
-	cast/casttest.c chacha/chachatest.c cts128/cts128test.c \
-	des/destest.c dh/dhtest.c dsa/dsatest.c ec/ectest.c ecdh/ecdhtest.c \
-	ecdsa/ecdsatest.c engine/enginetest.c evp/evptest.c exp/exptest.c \
-	gcm128/gcm128test.c hmac/hmactest.c idea/ideatest.c ige/igetest.c \
-	md4/md4test.c md5/md5test.c mdc2/mdc2test.c poly1305/poly1305test.c \
-	pkcs7/pkcs7test.c pqueue/pq_test.c rand/randtest.c rc2/rc2test.c \
-	rc4/rc4test.c rmd/rmdtest.c sha/shatest.c sha1/sha1test.c \
-	sha256/sha256test.c sha512/sha512test.c utf8/utf8test.c; do
-	 $CP $libcrypto_regress/$i tests
+# copy libtls source
+echo copying libtls source
+rm -f tls/*.c tls/*.h
+for i in `awk '/SOURCES|HEADERS/ { print $3 }' tls/Makefile.am` ; do
+	if [ -e $libtls_src/$i ]; then
+		$CP $libtls_src/$i tls
+	else
+		$CP $libc_src/string/$i tls
+	fi
 done
+
+# copy openssl(1) source
+echo "copying openssl(1) source"
+$CP $libc_src/stdlib/strtonum.c apps
+$CP $libcrypto_src/openssl.cnf apps
+for i in `awk '/SOURCES|HEADERS/ { print $3 }' apps/Makefile.am` ; do
+	if [ -e $openssl_app_src/$i ]; then
+		$CP $openssl_app_src/$i apps
+	fi
+done
+# patch for openssl(1) oscp on windows
+(cd apps; patch -p4 < $CWD/patches/win_bio_sock_init.diff)
+
+# copy libssl source
+echo "copying libssl source"
+rm -f ssl/*.c ssl/*.h
+for i in `awk '/SOURCES|HEADERS/ { print $3 }' ssl/Makefile.am` ; do
+	$CP $libssl_src/src/ssl/$i ssl
+done
+
+# copy libcrypto tests
+echo "copying tests"
+for i in `find $libcrypto_regress -name '*.c'`; do
+	 $CP "$i" tests
+done
+
+# the BIO tests rely on resolver results that are OS and environment-specific
+rm tests/biotest.c
+
+# copy libc tests
 $CP $libc_regress/arc4random-fork/arc4random-fork.c tests/arc4randomforktest.c
 $CP $libc_regress/explicit_bzero/explicit_bzero.c tests
 $CP $libc_regress/timingsafe/timingsafe.c tests
 
-for i in asn1/asn1test.c ssl/ssltest.c ssl/testssl certs/ca.pem certs/server.pem; do
-	$CP $libssl_regress/$i tests
+# copy libssl tests
+$CP $libssl_regress/ssl/testssl tests
+for i in `find $libssl_regress -name '*.c'`; do
+	 $CP "$i" tests
 done
+$CP $libssl_regress/certs/ca.pem tests
+$CP $libssl_regress/certs/server.pem tests
 
+# setup test drivers
 # do not directly run all test programs
 test_drivers=(
-	biotest
 	aeadtest
 	evptest
 	pq_test
@@ -308,9 +226,9 @@ test_drivers=(
 	arc4randomforktest
 	pidwraptest
 )
-# disabled by-default tests
-tests_disabled=(
-	biotest
+tests_posix_only=(
+	arc4randomforktest
+	explicit_bzero
 	pidwraptest
 )
 $CP $libc_src/string/memmem.c tests/
@@ -319,15 +237,23 @@ $CP $libc_src/string/memmem.c tests/
 
 	for i in `ls -1 *.c|sort|grep -v memmem.c`; do
 		TEST=`echo $i|sed -e "s/\.c//"`
+		if [[ ${tests_posix_only[*]} =~ "$TEST" ]]; then
+			echo "if !HOST_WIN" >> Makefile.am
+		fi
 		if ! [[ ${test_drivers[*]} =~ "$TEST" ]]; then
 			echo "TESTS += $TEST" >> Makefile.am
 		fi
 		echo "check_PROGRAMS += $TEST" >> Makefile.am
 		echo "${TEST}_SOURCES = $i" >> Makefile.am
-		echo "${TEST}_LDADD = \$(top_builddir)/ssl/libssl.la" >> Makefile.am
-		echo "${TEST}_LDADD += \$(top_builddir)/crypto/libcrypto.la" >> Makefile.am
+		if [[ ${TEST} = "explicit_bzero" ]]; then
+			echo "if !HAVE_MEMMEM" >> Makefile.am
+			echo "explicit_bzero_SOURCES += memmem.c" >> Makefile.am
+			echo "endif" >> Makefile.am
+		fi
+		if [[ ${tests_posix_only[*]} =~ "$TEST" ]]; then
+			echo "endif" >> Makefile.am
+		fi
 	done
-	echo "explicit_bzero_SOURCES += memmem.c" >> Makefile.am
 )
 $CP $libcrypto_regress/evp/evptests.txt tests
 $CP $libcrypto_regress/aead/aeadtests.txt tests
@@ -335,9 +261,15 @@ $CP $libcrypto_regress/pqueue/expected.txt tests/pq_expected.txt
 chmod 755 tests/testssl
 for i in "${test_drivers[@]}"; do
 	if [ -e tests/${i}.sh ]; then
+		if [[ ${tests_posix_only[*]} =~ "$i" ]]; then
+			echo "if !HOST_WIN" >> tests/Makefile.am
+		fi
 		if ! [[ ${tests_disabled[*]} =~ "$i" ]]; then
 			echo "TESTS += ${i}.sh" >> tests/Makefile.am
 		fi
+		if [[ ${tests_posix_only[*]} =~ "$i" ]]; then
+			echo "endif" >> tests/Makefile.am
+		fi
 		echo "EXTRA_DIST += ${i}.sh" >> tests/Makefile.am
 	fi
 done
@@ -353,89 +285,60 @@ echo "EXTRA_DIST += testssl ca.pem server.pem" >> tests/Makefile.am
 	done
 )
 
-(cd ssl
-	sed -e "s/libssl-version/${libssl_version}/" Makefile.am.tpl > Makefile.am
-	for i in `ls -1 *.c|sort`; do
-		echo "libssl_la_SOURCES += $i" >> Makefile.am
-	done
-	for i in `ls -1 *.h|sort`; do
-		echo "noinst_HEADERS += $i" >> Makefile.am
-	done
-)
-
-# do not directly compile C files that are included in other C files
-crypto_excludes=(
-	des/ncbc_enc.c
-	chacha/chacha-merged.c
-	poly1305/poly1305-donna.c
-	)
-(cd crypto
-	sed -e "s/libcrypto-version/${libcrypto_version}/" Makefile.am.tpl > Makefile.am
-	for i in `ls -1 *.c|sort`; do
-		echo "libcrypto_la_SOURCES += $i" >> Makefile.am
-	done
-	for i in `ls -1 *.h|sort`; do
-		echo "noinst_HEADERS += $i" >> Makefile.am
-	done
-	for subdir in $crypto_subdirs; do
-		for i in `ls -1 $subdir/*.c|sort`; do
-			if ! [[ ${crypto_excludes[*]} =~ $i ]]; then
-				echo "libcrypto_la_SOURCES += $i" >> Makefile.am
-			fi
-		done
-		headers=`ls -1 $subdir/*.h 2>/dev/null |sort`
-		if [ "$headers" != "" ]; then
-			for i in $headers; do
-				echo "noinst_HEADERS += $i" >> Makefile.am
-			done
-		fi
-	done
-	for i in "${crypto_excludes[@]}"; do
-		echo "EXTRA_libcrypto_la_SOURCES += ${i}" >> Makefile.am
-	done
-)
-
-# conditional compiles
-$CP $libc_src/stdlib/strtonum.c apps/
-apps_excludes=(
-	strtonum.c
-	)
-(cd apps
-	$CP Makefile.am.tpl Makefile.am
-	for i in `ls -1 *.c|sort`; do
-		if ! [[ ${apps_excludes[*]} =~ $i ]]; then
-			echo "openssl_SOURCES += $i" >> Makefile.am
-		fi
-	done
-	for i in `ls -1 *.h|sort`; do
-		echo "noinst_HEADERS += $i" >> Makefile.am
-	done
-)
-
+echo "copying manpages"
+# copy manpages
 (cd man
 	$CP Makefile.am.tpl Makefile.am
-	for i in crypto,3 ssl,3 apps,1; do
-		IFS=","; set $i; unset IFS
-		for i in `ls -1 $libssl_src/src/doc/$1/*.pod | sort`; do
-			BASE=`echo $i|sed -e "s/\.pod//"`
-			NAME=`basename "$BASE"`
-			# reformat file if new
-			if [ ! -f $NAME.$2 -o $BASE.pod -nt $NAME.$2 -o ../VERSION -nt $NAME.$2 ]; then
-				echo processing $NAME
-				pod2man --official --release="LibreSSL $VERSION" --center=LibreSSL \
-					--section=$2 $POD2MAN --name=$NAME < $BASE.pod > $NAME.$2
-			fi
-			echo "dist_man_MANS += $NAME.$2" >> Makefile.am
-		done
-	done
 
-	$CP $openssl_cmd_src/openssl.1 .
+	# update new-style manpages
+	for i in `ls -1 $libssl_src/src/doc/ssl/*.3 | sort`; do
+		NAME=`basename "$i"`
+		$CP $i .
+		echo "dist_man_MANS += $NAME" >> Makefile.am
+	done
+	for i in `ls -1 $libcrypto_src/man/*.3 | sort`; do
+		NAME=`basename "$i"`
+		$CP $i .
+		echo "dist_man_MANS += $NAME" >> Makefile.am
+	done
+	$CP $openssl_app_src/openssl.1 .
 	echo "dist_man_MANS += openssl.1" >> Makefile.am
+	$CP $libtls_src/tls_init.3 .
+	echo "dist_man_MANS += tls_init.3" >> Makefile.am
+
+	# convert remaining POD manpages
+	for i in `ls -1 $libssl_src/src/doc/crypto/*.pod | sort`; do
+		BASE=`echo $i|sed -e "s/\.pod//"`
+		NAME=`basename "$BASE"`
+		# reformat file if new
+		if [ ! -f $NAME.3 -o $BASE.pod -nt $NAME.3 -o ../VERSION -nt $NAME.3 ]; then
+			echo processing $NAME
+			pod2man --official --release="LibreSSL $VERSION" --center=LibreSSL \
+				--section=3 $POD2MAN --name=$NAME < $BASE.pod > $NAME.3
+		fi
+		echo "dist_man_MANS += $NAME.3" >> Makefile.am
+	done
 
 	echo "install-data-hook:" >> Makefile.am
 	source ./links
-	for i in $MLINKS; do
+	for i in $SSL_MLINKS; do
 		IFS=","; set $i; unset IFS
-		echo "	ln -f \$(DESTDIR)\$(mandir)/man3/$1 \$(DESTDIR)\$(mandir)/man3/$2" >> Makefile.am
+		echo "	ln -f \$(DESTDIR)\$(mandir)/man3/$1 \\" >> Makefile.am
+		echo "    \$(DESTDIR)\$(mandir)/man3/$2" >> Makefile.am
+	done
+	for i in $TLS_MLINKS; do
+		IFS=","; set $i; unset IFS
+		echo "	ln -f \$(DESTDIR)\$(mandir)/man3/$1 \\" >> Makefile.am
+		echo "    \$(DESTDIR)\$(mandir)/man3/$2" >> Makefile.am
+	done
+	echo "" >> Makefile.am
+	echo "uninstall-local:" >> Makefile.am
+	for i in $SSL_MLINKS; do
+		IFS=","; set $i; unset IFS
+		echo "	-rm -f \$(DESTDIR)\$(mandir)/man3/$2" >> Makefile.am
+	done
+	for i in $TLS_MLINKS; do
+		IFS=","; set $i; unset IFS
+		echo "	rm -f \$(DESTDIR)\$(mandir)/man3/$2" >> Makefile.am
 	done
 )