release note update for 2.2.1

add compatible version of arpa/nameser.h for Windows
add check for inet_pton, nudge minimum win32 compat to 0x0501
2015-07-02 17:49:51 -05:00 · 2015-07-02 17:49:03 -05:00 · 2015-07-02 00:19:53 -05:00 · 2015-07-01 03:19:21 -05:00 · 2015-06-29 23:05:09 -05:00 · 2015-06-29 22:49:37 -05:00
72 changed files with 4006 additions and 1809 deletions
--- a/.gitignore
+++ b/.gitignore
@@ -38,6 +38,7 @@ Makefile.in
 *.lo
 *.la
 *.def
 *.pc
 # tests
@@ -46,51 +47,51 @@ test-driver
 *.trs
 tests/aes_wrap*
 tests/arc4random_fork*
 tests/cipher*
 tests/explicit_bzero*
 tests/gost2814789t*
 tests/mont*
 tests/timingsafe*
 tests/*test
 tests/tests.h
 tests/*test.c
 tests/memmem.c
 tests/pbkdf2*
 tests/*.pem
 tests/testssl
 tests/*.txt
 !tests/optionstest.c
 # ctags stuff
 TAGS
-## The initial / makes these files only get ignored in particular directories.
+autom4te.cache
 /autom4te.cache
 # Libtool adds these, at least sometimes
 INSTALL
-/m4/libtool.m4
+/COPYING
-/m4/ltoptions.m4
+m4/l*
-/m4/ltsugar.m4
+!m4/check*.m4
 /m4/ltversion.m4
 /m4/lt~obsolete.m4
-/aclocal.m4
+aclocal.m4
-/compile
+compile
-/doxygen
+doxygen
-/config.guess
+config.guess
-/config.log
+config.log
-/config.status
+config.status
-/config.sub
+config.sub
-/configure
+configure
-/depcomp
+depcomp
-/config.h
+config.h
-/config.h.in
+config.h.in
-/install-sh
+install-sh
-/libtool
+libtool
-/ltmain.sh
+ltmain.sh
-/missing
+missing
-/stamp-h1
+stamp-h1
-/stamp-h2
+stamp-h2
 include/openssl/Makefile.am
 tests/Makefile.am
 crypto/VERSION
 ssl/VERSION
@@ -104,96 +105,39 @@ include/pqueue.h
 include/tls.h
 include/openssl/*.h
 include/openssl/*.he
 apps/*.h
 apps/*.c
 apps/openssl
 apps/openssl.cnf
 !apps/apps_win.c
 !apps/poll_win.c
-crypto/compat/arc4random.c
+/apps/*.h
-crypto/compat/chacha_private.h
+/apps/*.c
-crypto/compat/explicit_bzero.c
+/apps/openssl
-crypto/compat/getentropy_*.c
+/apps/openssl.cnf
-crypto/compat/reallocarray.c
+!/apps/apps_win.c
-crypto/compat/strlcat.c
+!/apps/poll_win.c
-crypto/compat/strlcpy.c
+!/apps/certhash_disabled.c
-crypto/compat/strndup.c
+
-crypto/compat/strnlen.c
+/crypto
-crypto/compat/timingsafe_bcmp.c
+!/crypto/Makefile.am.*
-crypto/compat/timingsafe_memcmp.c
+!/crypto/compat/arc4random.h
-crypto/compat/arc4random_*.h
+!/crypto/compat/b_win.c
 !/crypto/compat/posix_win.c
 !/crypto/compat/bsd_asprintf.c
 !/crypto/compat/inet_pton.c
 !/crypto/compat/ui_openssl_win.c
 /libtls-standalone/include/*.h
 /libtls-standalone/src/*.c
 /libtls-standalone/src/*.h
 /libtls-standalone/src
 /libtls-standalone/tests/test
 /libtls-standalone/compat
 !/libtls-standalone/compat/Makefile.am
 /libtls-standalone/VERSION
 /libtls-standalone/m4
 /libtls-standalone/man
 crypto/aes/
 crypto/asn1/
 crypto/bf/
 crypto/bio/
 crypto/bn/
 crypto/buffer/
 crypto/camellia/
 crypto/cast/
 crypto/camellia/
 crypto/chacha/
 crypto/cmac/
 crypto/comp/
 crypto/conf/
 crypto/cpt_err.c
 crypto/cryptlib.c
 crypto/cryptlib.h
 crypto/cversion.c
 crypto/des/
 crypto/dh/
 crypto/dsa/
 crypto/dso/
 crypto/ec/
 crypto/ecdh/
 crypto/ecdsa/
 crypto/engine/
 crypto/err/
 crypto/evp/
 crypto/ex_data.c
 crypto/gost/
 crypto/hmac/
 crypto/idea/
 crypto/krb5/
 crypto/lhash/
 crypto/malloc-wrapper.c
 crypto/md32_common.h
 crypto/md4/
 crypto/md5/
 crypto/mdc2/
 crypto/mem_clr.c
 crypto/mem_dbg.c
 crypto/modes/
 crypto/o_init.c
 crypto/o_str.c
 crypto/o_time.c
 crypto/o_time.h
 crypto/objects
 crypto/ocsp/
 crypto/pem/
 crypto/pkcs12/
 crypto/pkcs7/
 crypto/poly1305/
 crypto/pqueue/
 crypto/rand/
 crypto/rc2/
 crypto/rc4/
 crypto/ripemd/
 crypto/rsa/
 crypto/sha/
 crypto/stack/
 crypto/ts/
 crypto/txt_db/
 crypto/ui/
 crypto/whrlpool/
 crypto/x509/
 crypto/x509v3/
 openbsd/
 *.tar.gz
 apps/*.1*
 man/*.3
 man/*.1
 man/Makefile.am
 .gitmodules
 COPYING
--- a/.travis.yml
+++ b/.travis.yml
@@ -0,0 +1,24 @@
 language: c
 matrix:
        include:
                - compiler: clang
                  os: osx
                  env: ARCH=native
                - compiler: gcc
                  os: osx
                  env: ARCH=native
                - compiler: clang
                  os: linux
                  env: ARCH=native
                - compiler: gcc
                  os: linux
                  env: ARCH=native
                - compiler: gcc
                  os: linux
                  env: ARCH=mingw32
                - compiler: gcc
                  os: linux
                  env: ARCH=mingw64
 script:
        "./scripts/travis"
--- a/194
+++ b/194
@@ -10,7 +10,7 @@ generation are here:
 	http://cvsweb.openbsd.org/cgi-bin/cvsweb/src/lib/libcrypto/
-A new simplified SSL wrapper library is here:
+A simplified TLS wrapper library is here:
 	http://cvsweb.openbsd.org/cgi-bin/cvsweb/src/lib/libtls/
@@ -19,15 +19,203 @@ with relevant portions of the C library, to a Git repository. This makes it
 easier to follow all of the relevant changes to the upstream project in a
 single place:
-	https://github.com/libressl-portable/openbsd/commits/master
+	https://github.com/libressl-portable/openbsd
 The portable bits of the project are largely maintained out-of-tree, and their
 history is also available from Git.
-	https://github.com/libressl-portable/portable/commits/master
+	https://github.com/libressl-portable/portable
 LibreSSL Portable Release Notes:
 This release primarily addresses a number of security issues in coordination
 with the OpenSSL project.
 2.2.1 - Build fixes, feature added, features removed
 	* Assorted build fixes for musl, HP-UX, Mingw, Solaris.
 	* Initial support for Windows 2009, 2003, XP
 	* Protocol parsing conversions to BoringSSL's CRYPTO ByteString (CBS) API
 	* Added EC_curve_nid2nist and EC_curve_nist2nid from OpenSSL
 	* Removed Dynamic Engine support
 	* Removed unused and obsolete MDC-2DES cipher
 	* Removed workarounds for obsolete SSL implementations
 2.2.0 - Build cleanups and new OS support, Security Updates
 	* AIX Support - thanks to Michael Felt
 	* Cygwin Support - thanks to Corinna Vinschen
 	* Refactored build macros, support packaging libtls independently.
 	  There are more pieces required to support building and using OpenSSL
 	  with libtls, but this is an initial start at providing an
 	  independent package for people to start hacking on.
 	* Removal of OPENSSL_issetugid and all library getenv calls.
 	  Applications can and should no longer rely on environment variables
 	  for changing library behavior. OPENSSL_CONF/SSLEAY_CONF is still
 	  supported with the openssl(1) command.
 	* libtls API and documentation additions
 	* Various bug fixes and simplifications to libssl and libcrypto
 	* Fixes for the following issues are integrated into LibreSSL 2.2.0:
 	 - CVE-2015-1788 - Malformed ECParameters causes infinite loop
 	 - CVE-2015-1789 - Exploitable out-of-bounds read in X509_cmp_time
 	 - CVE-2015-1792 - CMS verify infinite loop with unknown hash function
 	* The following CVEs did not apply to LibreSSL or were fixed in
 	  earlier releases:
 	 - CVE-2015-4000 - DHE man-in-the-middle protection (Logjam)
 	 - CVE-2015-1790 - PKCS7 crash with missing EnvelopedContent
 	 - CVE-2014-8176 - Invalid free in DTLS
 	* Fixes for the following CVEs are still in review for LibreSSL
 	 - CVE-2015-1791 - Race condition handling NewSessionTicket
 2.1.6 - Security update
 	* Fixes for the following issues are integrated into LibreSSL 2.1.6:
 	  - CVE-2015-0209 - Use After Free following d2i_ECPrivatekey error
 	  - CVE-2015-0286 - Segmentation fault in ASN1_TYPE_cmp
 	  - CVE-2015-0287 - ASN.1 structure reuse memory corruption
 	  - CVE-2015-0288 - X509_to_X509_REQ NULL pointer deref
 	  - CVE-2015-0289 - PKCS7 NULL pointer dereferences
 	* The fix for CVE-2015-0207 - Segmentation fault in DTLSv1_listen
 	  is integrated for safety, but LibreSSL is not vulnerable.
 	* Libtls is now built by default. The --enable-libtls
 	  configuration option is no longer required.
 	  The libtls API is now stable for the 2.1.x series.
 2.1.5 - Bug fixes and a security update
 	* Fix incorrect comparison function in openssl(1) certhash command.
 	  Thanks to Christian Neukirchen / Void Linux.
 	* Windows port improvements and bug fixes.
 	  - Removed a dependency on libgcc in 32-bit dynamic libraries.
 	  - Correct a hang in openssl(1) reading from stdin on an connection.
 	  - Initialize winsock in openssl(1) earlier, allow 'openssl ocsp' and
 	    any other network-related commands to function properly.
 	* Reject all server DH keys smaller than 1024 bits.
 2.1.4 - Security and feature updates
 	* Improvements to libtls:
 	  - a new API for loading CA chains directly from memory instead of a
 	    file, allowing verification with privilege separation in a chroot
 	    without direct access to CA certificate files.
 	  - Ciphers default to TLSv1.2 with AEAD and PFS.
 	  - Improved error handling and message generation
 	  - New APIs and improved documentation
 	* Added X509_STORE_load_mem API for loading certificates from memory.
 	  This facilitates accessing certificates from a chrooted environment.
 	* New AEAD "MAC alias" allows configuring TLSv1.2 AEAD ciphers by
 	  using 'TLSv1.2+AEAD' as the cipher selection string.
 	* Dead and disabled code removal including MD5, Netscape workarounds,
 	  non-POSIX IO, SCTP, RFC 3779 support, many #if 0 sections, and more.
 	* ASN1 macro maze expanded to aid reading and searching the code.
 	* NULL pointer asserts removed in favor of letting the OS/signal
 	  handler catch them.
 	* Refactored argument handling in openssl(1) for consistency and
 	  maintainability.
 	* New openssl(1) command 'certhash' replaces the c_rehash script.
 	* Support for building with OPENSSL_NO_DEPRECATED
 	* Server-side support for TLS_FALLBACK_SCSV for compatibility with
 	  various auditor and vulnerability scanners.
 	* Dozens of issues found with the Coverity scanner fixed.
 	* Security Updates:
 	  - Fix a minor information leak that was introduced in t1_lib.c
 	    r1.71, whereby an additional 28 bytes of .rodata (or .data) is
 	    provided to the network. In most cases this is a non-issue since
 	    the memory content is already public. Issue found and reported by
 	    Felix Groebert of the Google Security Team.
 	  - Fixes for the following low-severity issues were integrated into
 	    LibreSSL from OpenSSL 1.0.1k:
 	     CVE-2015-0205 - DH client certificates accepted without
 	                     verification
 	     CVE-2014-3570 - Bignum squaring may produce incorrect results
 	     CVE-2014-8275 - Certificate fingerprints can be modified
 	     CVE-2014-3572 - ECDHE silently downgrades to ECDH [Client]
 	     Reported by Karthikeyan Bhargavan of the PROSECCO team at INRIA.
 	    The following CVEs were fixed in earlier LibreSSL releases:
 	     CVE-2015-0206 - Memory leak handling repeated DLTS records
 	     CVE-2014-3510 - Flaw handling DTLS anonymous EC(DH) ciphersuites.
 	    The following CVEs did not apply to LibreSSL:
 	     CVE-2014-3571 - DTLS segmentation fault in dtls1_get_record
 	     CVE-2014-3569 - no-ssl3 configuration sets method to NULL
 	     CVE-2015-0204 - RSA silently downgrades to EXPORT_RSA
 2.1.3 - Security update and OS support improvements
 	* Fixed various memory leaks in DTLS, including fixes for
 	  CVE-2015-0206.
 	* Added Application-Layer Protocol Negotiation (ALPN) support.
 	* Removed GOST R 34.10-94 signature authentication.
 	* Removed nonfunctional Netscape browser-hang workaround code.
 	* Simplfied and refactored SSL/DTLS handshake code.
 	* Added SHA256 Camellia cipher suites for TLS 1.2 from RFC 5932.
 	* Hide timing info about padding errors during handshakes.
 	* Improved libtls support for non-blocking sockets, added randomized
 	  session ID contexts. Work is ongoing with this library - feedback
 	  and potential use-cases are welcome.
 	* Support building Windows DLLs.
 	  Thanks to Jan Engelhard.
 	* Packaged config wrapper for better compatibility with OpenSSL-based
 	  build systems.
 	  Thanks to @technion from github
 	* Ensure the stack is marked non-executable for assembly sections.
 	  Thanks to Anthony G. Bastile.
 	* Enable extra compiler hardening flags by default, where applicable.
 	  The default set of hardening features can vary by OS to OS, so
 	  feedback is welcome on this. To disable the default hardening flags,
 	  specify '--disable-hardening' during configure.
 	  Thanks to Jim Barlow
 	* Initial HP-UX support, tested with HP-UX 11.31 ia64
 	  Thanks to Kinichiro Inoguchi
 	* Initial NetBSD support, tested with NetBSD 6.1.5 x86_64
 	  Imported from OpenNTPD, thanks to @gitisihara from github
 2.1.2 - Many new features and improvements
 	* Added reworked GOST cipher suite support
 	   thanks to Dmitry Eremin-Solenikov
--- a/Makefile.am
+++ b/Makefile.am
@@ -2,10 +2,6 @@ SUBDIRS = crypto ssl tls include apps tests man
 ACLOCAL_AMFLAGS = -I m4
 pkgconfigdir = $(libdir)/pkgconfig
-pkgconfig_DATA = libcrypto.pc libssl.pc openssl.pc
+pkgconfig_DATA = libcrypto.pc libssl.pc libtls.pc openssl.pc
-if ENABLE_LIBTLS
+EXTRA_DIST = README.md README.windows VERSION config scripts
 pkgconfig_DATA += libtls.pc
 endif
 EXTRA_DIST = VERSION
--- a/Makefile.am.common
+++ b/Makefile.am.common
@@ -1,2 +1,2 @@
-AM_CPPFLAGS = -I$(top_srcdir)/include
+AM_CFLAGS = -I$(top_srcdir)/include
-AM_CPPFLAGS += -DLIBRESSL_INTERNAL
+AM_CPPFLAGS = -DLIBRESSL_INTERNAL
--- a/46
+++ b/46
@@ -1,46 +0,0 @@
 This package is the official portable version of LibreSSL
 	(http://www.libressl.org).
 LibreSSL is a fork of OpenSSL developed by the OpenBSD project
 (http://www.openbsd.org). LibreSSL is developed on OpenBSD. This
 package then adds portability shims for other operating systems.
 Official release tarballs are available at your friendly neighborhood
 OpenBSD mirror in directory LibreSSL, e.g.:
 	http://ftp.openbsd.org/pub/OpenBSD/LibreSSL/
 although we suggest that you use a mirror:
 	http://www.openbsd.org/ftp.html
 The LibreSSL portable build framework is also mirrored in Github:
 	https://github.com/libressl-portable/portable
 If you have checked this source using Git, follow these initial steps to
 prepare the source tree for building:
 1. ensure you have the following packages installed:
 	automake, autoconf, bash, git, libtool, perl, pod2man
 2. run './autogen.sh' to prepare the source tree for building
    or run './dist.sh' to prepare a tarball.
 Once you have a source tree from Git or FTP, run these commands to build and
 install the package:
  ./configure   # see ./configure --help for configuration options
  make check    # runs builtin unit tests
  make install  # set DESTDIR= to install to an alternate location
 The resulting library and 'openssl' utility is largely API-compatible with
 OpenSSL 1.0.1. However, it is not ABI compatible - you will need to relink your
 programs to LibreSSL in order to use it, just as in moving from OpenSSL 0.9.8
 to 1.0.1.
 The project attempts to provide working alternatives for operating systems with
 limited or broken security primitives (e.g. arc4random(3), issetugid(2)) and
 assists with improving OS-native implementations where possible.
 LibreSSL portable will build on any reasonably modern version of Linux,
 Solaris, or OSX with a standards-compliant compiler and C library.
--- a/README.md
+++ b/README.md
@@ -0,0 +1,98 @@
 ![LibreSSL image](http://www.libressl.org/images/libressl.jpg)
 ## Official portable version of [LibreSSL](http://www.libressl.org) ##
 LibreSSL is a fork of [OpenSSL](https://www.openssl.org) 1.0.1g developed by the
 [OpenBSD](http://www.openbsd.org) project.  Our goal is to modernize the codebase,
 improve security, and apply best practice development processes from OpenBSD.
 ## Compatibility with OpenSSL: ##
 LibreSSL is API compatible with OpenSSL 1.0.1, but does not yet include all
 new APIs from OpenSSL 1.0.2 and later. LibreSSL also includes APIs not yet
 present in OpenSSL. The current common API subset is OpenSSL 1.0.1.
 LibreSSL it is not ABI compatible with any release of OpenSSL, or necessarily
 earlier releases of LibreSSL. You will need to relink your programs to
 LibreSSL in order to use it, just as in moving between major versions of OpenSSL.
 LibreSSL's installed library version numbers are incremented to account for
 ABI and API changes.
 ## Compatibility with other operating systems: ##
 While primarily developed on and taking advantage of APIs available on OpenBSD,
 the LibreSSL portable project attempts to provide working alternatives for
 other operating systems, and assists with improving OS-native implementations
 where possible.
 At the time of this writing, LibreSSL is know to build and work on:
 * Linux (kernel 3.17 or later recommended)
 * FreeBSD (tested with 9.2 and later)
 * NetBSD (tested with 6.1.5)
 * HP-UX (11i)
 * Solaris (11 and later preferred)
 * Mac OS X (tested with 10.8 and later)
 * AIX (5.3 and later)
 LibreSSL also supports the following Windows environments:
 * Microsoft Windows (Vista or higher, x86 and x64)
 * Wine (32-bit and 64-bit)
 * Builds with Mingw-w64 and Cygwin
 Official release tarballs are available at your friendly neighborhood
 OpenBSD mirror in directory
 [LibreSSL](http://ftp.openbsd.org/pub/OpenBSD/LibreSSL/),
 although we suggest that you use a [mirror](http://www.openbsd.org/ftp.html).
 The LibreSSL portable build framework is also
 [mirrored](https://github.com/libressl-portable/portable) in Github.
 Please report bugs either to the public libressl@openbsd.org mailing list,
 or to the github
 [issue tracker](https://github.com/libressl-portable/portable/issues)
 Severe vulnerabilities or bugs requiring coordination with OpenSSL can be
 sent to the core team at libressl-security@openbsd.org.
 ## Prerequisites when building from git ##
 If you have checked this source using Git, follow these initial steps to
 prepare the source tree for building:
 1. Ensure you have the following packages installed:
   automake, autoconf, bash, git, libtool, perl, pod2man
 2. Run './autogen.sh' to prepare the source tree for building or
   run './dist.sh' to prepare a tarball.
 ## Building LibreSSL ##
 Once you have a source tree from Git or FTP, run these commands to build and
 install the package on most systems.
 ```sh
 ./configure   # see ./configure --help for configuration options
 make check    # runs builtin unit tests
 make install  # set DESTDIR= to install to an alternate location
 ```
 ### OS specific build information: ###
 #### HP-UX (11i) ####
 Set the UNIX_STD environment variable to '2003' before running 'configure'
 in order to build with the HP C/aC++ compiler. See the "standards(5)" man
 page for more details.
 ```sh
 export UNIX_STD=2003
 ./configure
 make
 ```
 #### Windows - Mingw-w64 ####
 LibreSSL builds against relatively recent versions of Mingw-w64, not to be
 confused with the original mingw.org project.  Mingw-w64 3.2 or later
 should work. See README.windows for more information
 [![Build Status](https://travis-ci.org/libressl-portable/portable.svg?branch=master)](https://travis-ci.org/libressl-portable/portable)
--- a/README.windows
+++ b/README.windows
@@ -0,0 +1,42 @@
 # Building
 For Windows systems, LibreSSL supports the mingw-w64 toolchain, which can use
 GCC or Clang as the compiler. Contrary to its name, mingw-w64 supports both
 32-bit and 64-bit build environments. If your project already uses mingw-w64,
 then LibreSSL should integrate very nicely. Old versions of the mingw-w64
 toolchain, such as the one packaged with Ubuntu 12.04, may have trouble
 building LibreSSL. Please try it with a recent toolchain if you encounter
 troubles. If you are building under Cygwin, only builds with the mingw-w64
 compiler are supported, though you can easily use Cygwin to drive the build
 process.
 To configure and build LibreSSL for a 32-bit system, use the following
 build steps:
 CC=i686-w64-mingw32-gcc ./configure --host=i686-w64-mingw32
 make
 make check
 For 64-bit builds, use these instead:
 CC=x86_64-w64-mingw32-gcc ./configure --host=x86_64-w64-mingw32
 make
 make check
 # Using Libressl with Visual Studio
 A script for generating ready-to-use .DLL and static .LIB files is included in
 the source repository at
 https://github.com/libressl-portable/portable/blob/master/dist-win.sh
 This script uses mingw-w64 to build LibreSSL and then uses Visual Studio tools
 to generate compatible library import files ready-to-use with Visual
 Studio projects. Static and dynamic libraries are included. The script uses
 cv2pdb to generate Visual Studio and windbg compatible debug files. cv2pdb is a
 tool developed for the D language and can be found here:
 https://github.com/rainers/cv2pdb
 Pre-built Windows binaries are available with LibreSSL releases if you do not
 have a mingw-w64 build environment. Mingw-w64 code is largely, but not 100%,
 compatible with code built from Visual Studio. Notably, FILE * pointers cannot
 be shared between code built for Mingw-w64 and Visual Studio.
--- a/2
+++ b/2
@@ -1 +1 @@
-2.1.2
+2.2.1
--- a/apps/Makefile.am
+++ b/apps/Makefile.am
@@ -2,7 +2,6 @@ include $(top_srcdir)/Makefile.am.common
 bin_PROGRAMS = openssl
 openssl_CFLAGS = $(USER_CFLAGS)
 openssl_LDADD = $(PLATFORM_LDADD) $(PROG_LDADD)
 openssl_LDADD += $(top_builddir)/ssl/libssl.la
 openssl_LDADD += $(top_builddir)/crypto/libcrypto.la
@@ -57,6 +56,12 @@ openssl_SOURCES += verify.c
 openssl_SOURCES += version.c
 openssl_SOURCES += x509.c
 if BUILD_CERTHASH
 openssl_SOURCES += certhash.c
 else
 openssl_SOURCES += certhash_disabled.c
 endif
 if HOST_WIN
 openssl_SOURCES += apps_win.c
 else
--- a/apps/certhash_disabled.c
+++ b/apps/certhash_disabled.c
@@ -0,0 +1,13 @@
 /*
 * Public domain
 * certhash dummy implementation for platforms without symlinks
 */
 #include "apps.h"
 int
 certhash_main(int argc, char **argv)
 {
 	fprintf(stderr, "certhash is not enabled on this platform\n");
 	return (1);
 }
--- a/apps/poll_win.c
+++ b/apps/poll_win.c
@@ -44,6 +44,8 @@ conn_has_oob_data(int fd)
 static int
 is_socket(int fd)
 {
 	if (fd < 3)
 		return 0;
 	WSANETWORKEVENTS events;
 	return (WSAEnumNetworkEvents((SOCKET)fd, NULL, &events) == 0);
 }
@@ -160,10 +162,6 @@ poll(struct pollfd *pfds, nfds_t nfds, int timeout_ms)
 	nfds_t i;
 	int timespent_ms, looptime_ms;
 #define FD_IS_SOCKET (1 << 0)
 	int fd_state[FD_SETSIZE];
 	int num_fds;
 	/*
 	 * select machinery
 	 */
@@ -190,14 +188,12 @@ poll(struct pollfd *pfds, nfds_t nfds, int timeout_ms)
 	FD_ZERO(&rfds);
 	FD_ZERO(&wfds);
 	FD_ZERO(&efds);
 	num_fds = 0;
 	num_sockets = 0;
 	num_handles = 0;
 	for (i = 0; i < nfds; i++) {
-		if ((int)pfds[i].fd < 0) {
+		if ((int)pfds[i].fd < 0)
 			continue;
 		}
 		if (is_socket(pfds[i].fd)) {
 			if (num_sockets >= FD_SETSIZE) {
@@ -205,8 +201,6 @@ poll(struct pollfd *pfds, nfds_t nfds, int timeout_ms)
 				return -1;
 			}
 			fd_state[num_fds] = FD_IS_SOCKET;
 			FD_SET(pfds[i].fd, &efds);
 			if (pfds[i].events &
@@ -229,8 +223,6 @@ poll(struct pollfd *pfds, nfds_t nfds, int timeout_ms)
 			handles[num_handles++] =
 			    (HANDLE)_get_osfhandle(pfds[i].fd);
 		}
 		num_fds++;
 	}
 	/*
@@ -254,21 +246,22 @@ poll(struct pollfd *pfds, nfds_t nfds, int timeout_ms)
 	 * than simply triggering if there is space available.
 	 */
 	timespent_ms = 0;
-	wait_rc = 0;
+	wait_rc = WAIT_FAILED;
-	if (timeout_ms < 0) {
+	if (timeout_ms < 0)
 		timeout_ms = INFINITE;
 	}
 	looptime_ms = timeout_ms > 100 ? 100 : timeout_ms;
 	do {
 		struct timeval tv = {0, looptime_ms * 1000};
 		int handle_signaled = 0;
 		/*
 		 * Check if any file handles have signaled
 		 */
 		if (num_handles) {
-			wait_rc = WaitForMultipleObjects(num_handles, handles, FALSE, 0);
+			wait_rc = WaitForMultipleObjects(num_handles, handles,
 					FALSE, 0);
 			if (wait_rc == WAIT_FAILED) {
 				/*
 				 * The documentation for WaitForMultipleObjects
@@ -285,18 +278,20 @@ poll(struct pollfd *pfds, nfds_t nfds, int timeout_ms)
 		/*
 		 * If we signaled on a file handle, don't wait on the sockets.
 		 */
-		if (wait_rc >= WAIT_OBJECT_0)
+		if (wait_rc >= WAIT_OBJECT_0 &&
 		    (wait_rc <= WAIT_OBJECT_0 + num_handles - 1)) {
 			tv.tv_usec = 0;
 			handle_signaled = 1;
 		}
 		/*
 		 * Check if any sockets have signaled
 		 */
 		rc = select(0, &rfds, &wfds, &efds, &tv);
-		if (rc == SOCKET_ERROR) {
+		if (!handle_signaled && rc == SOCKET_ERROR)
 			return wsa_select_errno(WSAGetLastError());
 		}
-		if (wait_rc >= WAIT_OBJECT_0 || (num_sockets && rc > 0))
+		if (handle_signaled || (num_sockets && rc > 0))
 			break;
 		timespent_ms += looptime_ms;
@@ -305,14 +300,14 @@ poll(struct pollfd *pfds, nfds_t nfds, int timeout_ms)
 	rc = 0;
 	num_handles = 0;
 	num_fds = 0;
 	for (i = 0; i < nfds; i++) {
 		pfds[i].revents = 0;
 		if ((int)pfds[i].fd < 0)
 			continue;
-		if (fd_state[num_fds] & FD_IS_SOCKET) {
+		if (is_socket(pfds[i].fd)) {
 			pfds[i].revents = compute_select_revents(pfds[i].fd,
 			    pfds[i].events, &rfds, &wfds, &efds);
@@ -323,8 +318,6 @@ poll(struct pollfd *pfds, nfds_t nfds, int timeout_ms)
 			num_handles++;
 		}
 		num_fds++;
 		if (pfds[i].revents)
 			rc++;
 	}
--- a/autogen.sh
+++ b/autogen.sh
@@ -4,3 +4,8 @@ set -e
 ./update.sh
 mkdir -p m4
 autoreconf -i -f
 # Patch libtool 2.4.2 to pass -fstack-protector as a linker argument
 sed 's/-fuse-linker-plugin)/-fuse-linker-plugin|-fstack-protector*)/' \
  ltmain.sh > ltmain.sh.fixed
 mv -f ltmain.sh.fixed ltmain.sh
--- a/configure.ac
+++ b/configure.ac
@@ -1,143 +1,58 @@
 # Copyright (c) 2014-2015 Brent Cook
 #
 # Permission to use, copy, modify, and distribute this software for any
 # purpose with or without fee is hereby granted, provided that the above
 # copyright notice and this permission notice appear in all copies.
 #
 # THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
 # WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
 # MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
 # ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
 # WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
 # ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 # OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 AC_INIT([libressl], m4_esyscmd([tr -d '\n' < VERSION]))
 AC_SUBST([LIBCRYPTO_VERSION], m4_esyscmd([tr -d '\n' < crypto/VERSION]))
 AC_SUBST([LIBSSL_VERSION], m4_esyscmd([tr -d '\n' < ssl/VERSION]))
 AC_SUBST([LIBTLS_VERSION], m4_esyscmd([tr -d '\n' < tls/VERSION]))
 AC_CANONICAL_HOST
-AM_INIT_AUTOMAKE([subdir-objects])
+AM_INIT_AUTOMAKE([subdir-objects foreign])
 AC_CONFIG_MACRO_DIR([m4])
 m4_ifdef([AM_SILENT_RULES], [AM_SILENT_RULES([yes])])
-AC_SUBST([USER_CFLAGS], "-O2 $CFLAGS")
+# This must be saved before AC_PROG_CC
-CFLAGS="$CFLAGS -Wall -std=gnu99 -g"
+USER_CFLAGS="$CFLAGS"
 case $host_os in
 	*darwin*)
 		HOST_OS=darwin
 		HOST_ABI=macosx
 		;;
 	*freebsd*)
 		HOST_OS=freebsd
 		HOST_ABI=elf
 		AC_SUBST([PROG_LDADD], ['-lthr'])
 		;;
 	*linux*)
 		HOST_OS=linux
 		HOST_ABI=elf
 		CFLAGS="$CFLAGS -D_DEFAULT_SOURCE -D_BSD_SOURCE -D_POSIX_SOURCE -D_GNU_SOURCE"
 		;;
 	*openbsd*)
 		HOST_ABI=elf
 		AC_DEFINE([HAVE_ATTRIBUTE__BOUNDED__], [1], [OpenBSD gcc has bounded])
 		;;
 	*mingw*)
 		HOST_OS=win
 		CFLAGS="$CFLAGS -D_GNU_SOURCE -D_POSIX -D_POSIX_SOURCE -D_REENTRANT -D_POSIX_THREAD_SAFE_FUNCTIONS -DWIN32_LEAN_AND_MEAN -D_WIN32_WINNT=0x0600 -DOPENSSL_NO_SPEED -D__USE_MINGW_ANSI_STDIO"
 		AC_SUBST([PLATFORM_LDADD], ['-lws2_32'])
 		;;
 	*solaris*)
 		HOST_OS=solaris
 		HOST_ABI=elf
 		CFLAGS="$CFLAGS -D__EXTENSIONS__ -D_XOPEN_SOURCE=600 -DBSD_COMP"
 		AC_SUBST([PLATFORM_LDADD], ['-lnsl -lsocket'])
 		;;
 	*) ;;
 esac
 AM_CONDITIONAL([HOST_DARWIN],  [test x$HOST_OS = xdarwin])
 AM_CONDITIONAL([HOST_FREEBSD], [test x$HOST_OS = xfreebsd])
 AM_CONDITIONAL([HOST_LINUX],   [test x$HOST_OS = xlinux])
 AM_CONDITIONAL([HOST_SOLARIS], [test x$HOST_OS = xsolaris])
 AM_CONDITIONAL([HOST_WIN],     [test x$HOST_OS = xwin])
 AC_CHECK_FUNC([clock_gettime],,
 	[AC_SEARCH_LIBS([clock_gettime],[rt posix4])])
 AC_CHECK_FUNC([dl_iterate_phdr],,
 	[AC_SEARCH_LIBS([dl_iterate_phdr],[dl])])
 AM_PROG_AS
 AC_PROG_CC
 AC_PROG_LIBTOOL
 AC_PROG_CC_STDC
 AM_PROG_CC_C_O
 AC_PROG_LIBTOOL
 LT_INIT
-save_cflags="$CFLAGS"
+CHECK_OS_OPTIONS
 CFLAGS=-Wno-pointer-sign
 AC_MSG_CHECKING([whether CC supports -Wno-pointer-sign])
 AC_COMPILE_IFELSE([AC_LANG_PROGRAM([])],
 	[AC_MSG_RESULT([yes])]
 	[AM_CFLAGS=-Wno-pointer-sign],
 	[AC_MSG_RESULT([no])]
 )
 CFLAGS="$save_cflags $AM_CFLAGS"
-AC_MSG_CHECKING([if compiling with clang])
+CHECK_C_HARDENING_OPTIONS
 AC_COMPILE_IFELSE([AC_LANG_PROGRAM([], [[
 #ifndef __clang__
 	not clang
 #endif
 	]])],
 	[AC_MSG_RESULT([yes])]
 	[CLANG_FLAGS=-Qunused-arguments],
 	[AC_MSG_RESULT([no])]
 )
 CFLAGS="$CFLAGS $CLANG_CFLAGS"
 LDFLAGS="$LDFLAGS $CLANG_FLAGS"
-AC_CHECK_FUNCS([arc4random_buf asprintf explicit_bzero funopen getauxval])
+DISABLE_AS_EXECUTABLE_STACK
-AC_CHECK_FUNCS([getentropy issetugid memmem poll reallocarray])
+AM_PROG_AS
 AC_CHECK_FUNCS([strlcat strlcpy strndup strnlen strtonum])
 AC_CHECK_FUNCS([timingsafe_bcmp timingsafe_memcmp])
-# Share test results with automake
+DISABLE_COMPILER_WARNINGS
 AM_CONDITIONAL([HAVE_ARC4RANDOM_BUF], [test "x$ac_cv_func_arc4random_buf" = xyes])
 AM_CONDITIONAL([HAVE_ASPRINTF], [test "x$ac_cv_func_asprintf" = xyes])
 AM_CONDITIONAL([HAVE_EXPLICIT_BZERO], [test "x$ac_cv_func_explicit_bzero" = xyes])
 AM_CONDITIONAL([HAVE_GETENTROPY], [test "x$ac_cv_func_getentropy" = xyes])
 AM_CONDITIONAL([HAVE_ISSETUGID], [test "x$ac_cv_func_issetugid" = xyes])
 AM_CONDITIONAL([HAVE_MEMMEM], [test "x$ac_cv_func_memmem" = xyes])
 AM_CONDITIONAL([HAVE_POLL], [test "x$ac_cv_func_poll" = xyes])
 AM_CONDITIONAL([HAVE_REALLOCARRAY], [test "x$ac_cv_func_reallocarray" = xyes])
 AM_CONDITIONAL([HAVE_STRLCAT], [test "x$ac_cv_func_strlcat" = xyes])
 AM_CONDITIONAL([HAVE_STRLCPY], [test "x$ac_cv_func_strlcpy" = xyes])
 AM_CONDITIONAL([HAVE_STRNDUP], [test "x$ac_cv_func_strndup" = xyes])
 AM_CONDITIONAL([HAVE_STRNLEN], [test "x$ac_cv_func_strnlen" = xyes])
 AM_CONDITIONAL([HAVE_STRTONUM], [test "x$ac_cv_func_strtonum" = xyes])
 AM_CONDITIONAL([HAVE_TIMINGSAFE_BCMP], [test "x$ac_cv_func_timingsafe_bcmp" = xyes])
 AM_CONDITIONAL([HAVE_TIMINGSAFE_MEMCMP], [test "x$ac_cv_func_timingsafe_memcmp" = xyes])
-# overrides for arc4random_buf implementations with known issues
+# Check if the certhash command should be built
-AM_CONDITIONAL([HAVE_ARC4RANDOM_BUF],
+AC_CHECK_FUNCS([symlink])
-	[test "x$HOST_OS" != xdarwin -a "x$HOST_OS" != xfreebsd -a "x$ac_cv_func_arc4random_buf" = xyes])
+AM_CONDITIONAL([BUILD_CERTHASH], [test "x$ac_cv_func_symlink" = xyes])
-AC_CACHE_CHECK([whether va_copy exists], ac_cv_have_va_copy, [
+# Check if funopen exists
-	AC_LINK_IFELSE([AC_LANG_PROGRAM([[
+AC_CHECK_FUNC([funopen])
 #include <stdarg.h>
 va_list x,y;
 		]], [[ va_copy(x,y); ]])],
 	[ ac_cv_have_va_copy="yes" ],
 	[ ac_cv_have_va_copy="no"
 	])
 ])
 if test "x$ac_cv_have_va_copy" = "xyes" ; then
 	AC_DEFINE([HAVE_VA_COPY], [1], [Define if va_copy exists])
 fi
-AC_CACHE_CHECK([whether __va_copy exists], ac_cv_have___va_copy, [
+CHECK_LIBC_COMPAT
-	AC_LINK_IFELSE([AC_LANG_PROGRAM([[
+CHECK_LIBC_CRYPTO_COMPAT
-#include <stdarg.h>
+CHECK_VA_COPY
 va_list x,y;
 		]], [[ __va_copy(x,y); ]])],
 	[ ac_cv_have___va_copy="yes" ], [ ac_cv_have___va_copy="no"
 	])
 ])
 if test "x$ac_cv_have___va_copy" = "xyes" ; then
 	AC_DEFINE([HAVE___VA_COPY], [1], [Define if __va_copy exists])
 fi
-AC_CHECK_HEADERS([sys/sysctl.h err.h])
+AC_CHECK_HEADERS([err.h])
 AC_ARG_WITH([openssldir],
 	AS_HELP_STRING([--with-openssldir],
@@ -151,22 +66,42 @@ AC_ARG_WITH([enginesdir],
 	AC_DEFINE_UNQUOTED(ENGINESDIR, "$withval")
 )
 AC_ARG_ENABLE([extratests],
 	AS_HELP_STRING([--enable-extratests], [Enable extra tests that may be unreliable on some platforms]))
 AM_CONDITIONAL([ENABLE_EXTRATESTS], [test "x$enable_extratests" = xyes])
 # Add CPU-specific alignment flags
 old_cflags=$CFLAGS
 CFLAGS="$CFLAGS -I$srcdir/include"
 AC_MSG_CHECKING([if BSWAP4 builds without __STRICT_ALIGNMENT])
 AC_TRY_COMPILE([#include "$srcdir/crypto/modes/modes_lcl.h"],
 	       [int a = 0; BSWAP4(a);],
 	       AC_MSG_RESULT([yes])
 	       BSWAP4=yes,
 	       AC_MSG_RESULT([no])
 	       BSWAP4=no)
 CFLAGS="$old_cflags"
 case $host_cpu in
 	*sparc*)
 		CPPFLAGS="$CPPFLAGS -D__STRICT_ALIGNMENT"
 		;;
 	*arm*)
 		AS_IF([test "x$BSWAP4" = "xyes"],,
 		    CPPFLAGS="$CPPFLAGS -D__STRICT_ALIGNMENT")
 		;;
 esac
 AC_ARG_ENABLE([asm],
 	AS_HELP_STRING([--disable-asm], [Disable assembly]))
 AM_CONDITIONAL([OPENSSL_NO_ASM], [test "x$enable_asm" = "xno"])
 # Conditionally enable assembly by default
 AM_CONDITIONAL([HOST_ASM_ELF_X86_64],
    [test "x$HOST_ABI" = "xelf" -a "$host_cpu" = "x86_64" -a "x$enable_asm" != "xno"])
 AM_CONDITIONAL([HOST_ASM_MACOSX_X86_64],
    [test "x$HOST_ABI" = "xmacosx" -a "$host_cpu" = "x86_64" -a "x$enable_asm" != "xno"])
 AC_ARG_ENABLE([libtls],
 	AS_HELP_STRING([--enable-libtls], [Enable building the libtls library]))
 AM_CONDITIONAL([ENABLE_LIBTLS], [test "x$enable_libtls" = xyes])
 AM_COND_IF([ENABLE_LIBTLS], [AC_CONFIG_FILES([libtls.pc])])
 LT_INIT
 AC_CONFIG_FILES([
 	Makefile
 	include/Makefile
@@ -179,6 +114,7 @@ AC_CONFIG_FILES([
 	man/Makefile
 	libcrypto.pc
 	libssl.pc
 	libtls.pc
 	openssl.pc
 ])
--- a/crypto/Makefile.am
+++ b/crypto/Makefile.am
@@ -1,22 +1,21 @@
 include $(top_srcdir)/Makefile.am.common
-AM_CPPFLAGS += -I$(top_srcdir)/crypto/asn1
+AM_CFLAGS += -I$(top_srcdir)/crypto/asn1
-AM_CPPFLAGS += -I$(top_srcdir)/crypto/evp
+AM_CFLAGS += -I$(top_srcdir)/crypto/evp
-AM_CPPFLAGS += -I$(top_srcdir)/crypto/modes
+AM_CFLAGS += -I$(top_srcdir)/crypto/modes
 lib_LTLIBRARIES = libcrypto.la
 EXTRA_DIST = VERSION
-libcrypto_la_LDFLAGS = -version-info @LIBCRYPTO_VERSION@
+libcrypto_la_LDFLAGS = -version-info @LIBCRYPTO_VERSION@ -no-undefined
 libcrypto_la_LIBADD = libcompat.la libcompatnoopt.la
-libcrypto_la_CFLAGS = $(CFLAGS) $(USER_CFLAGS)
+libcrypto_la_CPPFLAGS = -DOPENSSL_NO_HW_PADLOCK
 libcrypto_la_CFLAGS += -DOPENSSL_NO_HW_PADLOCK
 if OPENSSL_NO_ASM
-libcrypto_la_CFLAGS += -DOPENSSL_NO_ASM
+libcrypto_la_CPPFLAGS += -DOPENSSL_NO_ASM
 else
 if HOST_WIN
-libcrypto_la_CFLAGS += -DOPENSSL_NO_ASM
+libcrypto_la_CPPFLAGS += -DOPENSSL_NO_ASM
 endif
 endif
@@ -31,7 +30,6 @@ libcompatnoopt_la_SOURCES += compat/explicit_bzero.c
 endif
 # other compatibility functions
 libcompat_la_CFLAGS = $(CFLAGS) $(USER_CFLAGS)
 libcompat_la_SOURCES =
 libcompat_la_LIBADD = $(PLATFORM_LDADD)
@@ -55,6 +53,10 @@ if !HAVE_ASPRINTF
 libcompat_la_SOURCES += compat/bsd-asprintf.c
 endif
 if !HAVE_INET_PTON
 libcompat_la_SOURCES += compat/inet_pton.c
 endif
 if !HAVE_REALLOCARRAY
 libcompat_la_SOURCES += compat/reallocarray.c
 endif
@@ -67,46 +69,11 @@ if !HAVE_TIMINGSAFE_BCMP
 libcompat_la_SOURCES += compat/timingsafe_bcmp.c
 endif
 if !HAVE_ARC4RANDOM_BUF
 libcompat_la_SOURCES += compat/arc4random.c
 if !HAVE_GETENTROPY
 if HOST_FREEBSD
 libcompat_la_SOURCES += compat/getentropy_freebsd.c
 endif
 if HOST_LINUX
 libcompat_la_SOURCES += compat/getentropy_linux.c
 endif
 if HOST_DARWIN
 libcompat_la_SOURCES += compat/getentropy_osx.c
 endif
 if HOST_SOLARIS
 libcompat_la_SOURCES += compat/getentropy_solaris.c
 endif
 if HOST_WIN
-libcompat_la_SOURCES += compat/getentropy_win.c
+libcompat_la_SOURCES += compat/posix_win.c
 endif
 endif
-endif
+include Makefile.am.arc4random
 if !HAVE_ISSETUGID
 if HOST_LINUX
 libcompat_la_SOURCES += compat/issetugid_linux.c
 endif
 if HOST_WIN
 libcompat_la_SOURCES += compat/issetugid_win.c
 endif
 endif
 noinst_HEADERS =
 noinst_HEADERS += compat/arc4random.h
 noinst_HEADERS += compat/arc4random_freebsd.h
 noinst_HEADERS += compat/arc4random_linux.h
 noinst_HEADERS += compat/arc4random_osx.h
 noinst_HEADERS += compat/arc4random_solaris.h
 noinst_HEADERS += compat/arc4random_win.h
 noinst_HEADERS += compat/chacha_private.h
 libcrypto_la_SOURCES =
 EXTRA_libcrypto_la_SOURCES =
@@ -484,8 +451,6 @@ libcrypto_la_SOURCES += evp/bio_b64.c
 libcrypto_la_SOURCES += evp/bio_enc.c
 libcrypto_la_SOURCES += evp/bio_md.c
 libcrypto_la_SOURCES += evp/c_all.c
 libcrypto_la_SOURCES += evp/c_allc.c
 libcrypto_la_SOURCES += evp/c_alld.c
 libcrypto_la_SOURCES += evp/digest.c
 libcrypto_la_SOURCES += evp/e_aes.c
 libcrypto_la_SOURCES += evp/e_aes_cbc_hmac_sha1.c
@@ -519,7 +484,6 @@ libcrypto_la_SOURCES += evp/m_gost2814789.c
 libcrypto_la_SOURCES += evp/m_gostr341194.c
 libcrypto_la_SOURCES += evp/m_md4.c
 libcrypto_la_SOURCES += evp/m_md5.c
 libcrypto_la_SOURCES += evp/m_mdc2.c
 libcrypto_la_SOURCES += evp/m_null.c
 libcrypto_la_SOURCES += evp/m_ripemd.c
 libcrypto_la_SOURCES += evp/m_sha.c
@@ -591,10 +555,6 @@ libcrypto_la_SOURCES += md5/md5_dgst.c
 libcrypto_la_SOURCES += md5/md5_one.c
 noinst_HEADERS += md5/md5_locl.h
 # mdc2
 libcrypto_la_SOURCES += mdc2/mdc2_one.c
 libcrypto_la_SOURCES += mdc2/mdc2dgst.c
 # modes
 libcrypto_la_SOURCES += modes/cbc128.c
 libcrypto_la_SOURCES += modes/ccm128.c
@@ -762,6 +722,7 @@ noinst_HEADERS += whrlpool/wp_locl.h
 # x509
 libcrypto_la_SOURCES += x509/by_dir.c
 libcrypto_la_SOURCES += x509/by_file.c
 libcrypto_la_SOURCES += x509/by_mem.c
 libcrypto_la_SOURCES += x509/x509_att.c
 libcrypto_la_SOURCES += x509/x509_cmp.c
 libcrypto_la_SOURCES += x509/x509_d2.c
--- a/crypto/Makefile.am.arc4random
+++ b/crypto/Makefile.am.arc4random
@@ -0,0 +1,45 @@
 if !HAVE_ARC4RANDOM_BUF
 libcompat_la_SOURCES += compat/arc4random.c
 if !HAVE_GETENTROPY
 if HOST_AIX
 libcompat_la_SOURCES += compat/getentropy_aix.c
 endif
 if HOST_FREEBSD
 libcompat_la_SOURCES += compat/getentropy_freebsd.c
 endif
 if HOST_HPUX
 libcompat_la_SOURCES += compat/getentropy_hpux.c
 endif
 if HOST_LINUX
 libcompat_la_SOURCES += compat/getentropy_linux.c
 endif
 if HOST_NETBSD
 libcompat_la_SOURCES += compat/getentropy_netbsd.c
 endif
 if HOST_DARWIN
 libcompat_la_SOURCES += compat/getentropy_osx.c
 endif
 if HOST_SOLARIS
 libcompat_la_SOURCES += compat/getentropy_solaris.c
 endif
 if HOST_WIN
 libcompat_la_SOURCES += compat/getentropy_win.c
 endif
 endif
 endif
 noinst_HEADERS =
 noinst_HEADERS += compat/arc4random.h
 noinst_HEADERS += compat/arc4random_aix.h
 noinst_HEADERS += compat/arc4random_freebsd.h
 noinst_HEADERS += compat/arc4random_hpux.h
 noinst_HEADERS += compat/arc4random_linux.h
 noinst_HEADERS += compat/arc4random_netbsd.h
 noinst_HEADERS += compat/arc4random_osx.h
 noinst_HEADERS += compat/arc4random_solaris.h
 noinst_HEADERS += compat/arc4random_win.h
 noinst_HEADERS += compat/chacha_private.h
--- a/crypto/Makefile.am.elf-x86_64
+++ b/crypto/Makefile.am.elf-x86_64
@@ -22,20 +22,20 @@ ASM_X86_64_ELF += cpuid-elf-x86_64.S
 EXTRA_DIST += $(ASM_X86_64_ELF)
 if HOST_ASM_ELF_X86_64
-libcrypto_la_CFLAGS += -DAES_ASM
+libcrypto_la_CPPFLAGS += -DAES_ASM
-libcrypto_la_CFLAGS += -DBSAES_ASM
+libcrypto_la_CPPFLAGS += -DBSAES_ASM
-libcrypto_la_CFLAGS += -DVPAES_ASM
+libcrypto_la_CPPFLAGS += -DVPAES_ASM
-libcrypto_la_CFLAGS += -DOPENSSL_IA32_SSE2
+libcrypto_la_CPPFLAGS += -DOPENSSL_IA32_SSE2
-libcrypto_la_CFLAGS += -DOPENSSL_BN_ASM_MONT
+libcrypto_la_CPPFLAGS += -DOPENSSL_BN_ASM_MONT
-libcrypto_la_CFLAGS += -DOPENSSL_BN_ASM_MONT5
+libcrypto_la_CPPFLAGS += -DOPENSSL_BN_ASM_MONT5
-libcrypto_la_CFLAGS += -DOPENSSL_BN_ASM_GF2m
+libcrypto_la_CPPFLAGS += -DOPENSSL_BN_ASM_GF2m
-libcrypto_la_CFLAGS += -DMD5_ASM
+libcrypto_la_CPPFLAGS += -DMD5_ASM
-libcrypto_la_CFLAGS += -DGHASH_ASM
+libcrypto_la_CPPFLAGS += -DGHASH_ASM
-libcrypto_la_CFLAGS += -DRSA_ASM
+libcrypto_la_CPPFLAGS += -DRSA_ASM
-libcrypto_la_CFLAGS += -DSHA1_ASM
+libcrypto_la_CPPFLAGS += -DSHA1_ASM
-libcrypto_la_CFLAGS += -DSHA256_ASM
+libcrypto_la_CPPFLAGS += -DSHA256_ASM
-libcrypto_la_CFLAGS += -DSHA512_ASM
+libcrypto_la_CPPFLAGS += -DSHA512_ASM
-libcrypto_la_CFLAGS += -DWHIRLPOOL_ASM
+libcrypto_la_CPPFLAGS += -DWHIRLPOOL_ASM
-libcrypto_la_CFLAGS += -DOPENSSL_CPUID_OBJ
+libcrypto_la_CPPFLAGS += -DOPENSSL_CPUID_OBJ
 libcrypto_la_SOURCES += $(ASM_X86_64_ELF)
 endif
--- a/crypto/Makefile.am.macosx-x86_64
+++ b/crypto/Makefile.am.macosx-x86_64
@@ -22,20 +22,20 @@ ASM_X86_64_MACOSX += cpuid-macosx-x86_64.S
 EXTRA_DIST += $(ASM_X86_64_MACOSX)
 if HOST_ASM_MACOSX_X86_64
-libcrypto_la_CFLAGS += -DAES_ASM
+libcrypto_la_CPPFLAGS += -DAES_ASM
-libcrypto_la_CFLAGS += -DBSAES_ASM
+libcrypto_la_CPPFLAGS += -DBSAES_ASM
-libcrypto_la_CFLAGS += -DVPAES_ASM
+libcrypto_la_CPPFLAGS += -DVPAES_ASM
-libcrypto_la_CFLAGS += -DOPENSSL_IA32_SSE2
+libcrypto_la_CPPFLAGS += -DOPENSSL_IA32_SSE2
-libcrypto_la_CFLAGS += -DOPENSSL_BN_ASM_MONT
+libcrypto_la_CPPFLAGS += -DOPENSSL_BN_ASM_MONT
-libcrypto_la_CFLAGS += -DOPENSSL_BN_ASM_MONT5
+libcrypto_la_CPPFLAGS += -DOPENSSL_BN_ASM_MONT5
-libcrypto_la_CFLAGS += -DOPENSSL_BN_ASM_GF2m
+libcrypto_la_CPPFLAGS += -DOPENSSL_BN_ASM_GF2m
-libcrypto_la_CFLAGS += -DMD5_ASM
+libcrypto_la_CPPFLAGS += -DMD5_ASM
-libcrypto_la_CFLAGS += -DGHASH_ASM
+libcrypto_la_CPPFLAGS += -DGHASH_ASM
-libcrypto_la_CFLAGS += -DRSA_ASM
+libcrypto_la_CPPFLAGS += -DRSA_ASM
-libcrypto_la_CFLAGS += -DSHA1_ASM
+libcrypto_la_CPPFLAGS += -DSHA1_ASM
-libcrypto_la_CFLAGS += -DSHA256_ASM
+libcrypto_la_CPPFLAGS += -DSHA256_ASM
-libcrypto_la_CFLAGS += -DSHA512_ASM
+libcrypto_la_CPPFLAGS += -DSHA512_ASM
-libcrypto_la_CFLAGS += -DWHIRLPOOL_ASM
+libcrypto_la_CPPFLAGS += -DWHIRLPOOL_ASM
-libcrypto_la_CFLAGS += -DOPENSSL_CPUID_OBJ
+libcrypto_la_CPPFLAGS += -DOPENSSL_CPUID_OBJ
 libcrypto_la_SOURCES += $(ASM_X86_64_MACOSX)
 endif
--- a/crypto/compat/arc4random.h
+++ b/crypto/compat/arc4random.h
@@ -3,12 +3,21 @@
 #include <sys/param.h>
-#if defined(__FreeBSD__)
+#if defined(_AIX)
 #include "arc4random_aix.h"
 #elif defined(__FreeBSD__)
 #include "arc4random_freebsd.h"
 #elif defined(__hpux)
 #include "arc4random_hpux.h"
 #elif defined(__linux__)
 #include "arc4random_linux.h"
 #elif defined(__NetBSD__)
 #include "arc4random_netbsd.h"
 #elif defined(__APPLE__)
 #include "arc4random_osx.h"
--- a/crypto/compat/inet_pton.c
+++ b/crypto/compat/inet_pton.c
@@ -0,0 +1,212 @@
 /*	$OpenBSD: inet_pton.c,v 1.9 2015/01/16 16:48:51 deraadt Exp $	*/
 /* Copyright (c) 1996 by Internet Software Consortium.
 *
 * Permission to use, copy, modify, and distribute this software for any
 * purpose with or without fee is hereby granted, provided that the above
 * copyright notice and this permission notice appear in all copies.
 *
 * THE SOFTWARE IS PROVIDED "AS IS" AND INTERNET SOFTWARE CONSORTIUM DISCLAIMS
 * ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES
 * OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL INTERNET SOFTWARE
 * CONSORTIUM BE LIABLE FOR ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL
 * DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR
 * PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS
 * ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS
 * SOFTWARE.
 */
 #include <sys/types.h>
 #include <sys/socket.h>
 #include <netinet/in.h>
 #include <arpa/inet.h>
 #include <arpa/nameser.h>
 #include <string.h>
 #include <errno.h>
 /*
 * WARNING: Don't even consider trying to compile this on a system where
 * sizeof(int) < 4.  sizeof(int) > 4 is fine; all the world's not a VAX.
 */
 static int	inet_pton4(const char *src, u_char *dst);
 static int	inet_pton6(const char *src, u_char *dst);
 /* int
 * inet_pton(af, src, dst)
 *	convert from presentation format (which usually means ASCII printable)
 *	to network format (which is usually some kind of binary format).
 * return:
 *	1 if the address was valid for the specified address family
 *	0 if the address wasn't valid (`dst' is untouched in this case)
 *	-1 if some other error occurred (`dst' is untouched in this case, too)
 * author:
 *	Paul Vixie, 1996.
 */
 int
 inet_pton(int af, const char *src, void *dst)
 {
 	switch (af) {
 	case AF_INET:
 		return (inet_pton4(src, dst));
 	case AF_INET6:
 		return (inet_pton6(src, dst));
 	default:
 		errno = EAFNOSUPPORT;
 		return (-1);
 	}
 	/* NOTREACHED */
 }
 /* int
 * inet_pton4(src, dst)
 *	like inet_aton() but without all the hexadecimal and shorthand.
 * return:
 *	1 if `src' is a valid dotted quad, else 0.
 * notice:
 *	does not touch `dst' unless it's returning 1.
 * author:
 *	Paul Vixie, 1996.
 */
 static int
 inet_pton4(const char *src, u_char *dst)
 {
 	static const char digits[] = "0123456789";
 	int saw_digit, octets, ch;
 	u_char tmp[INADDRSZ], *tp;
 	saw_digit = 0;
 	octets = 0;
 	*(tp = tmp) = 0;
 	while ((ch = *src++) != '\0') {
 		const char *pch;
 		if ((pch = strchr(digits, ch)) != NULL) {
 			u_int new = *tp * 10 + (pch - digits);
 			if (new > 255)
 				return (0);
 			if (! saw_digit) {
 				if (++octets > 4)
 					return (0);
 				saw_digit = 1;
 			}
 			*tp = new;
 		} else if (ch == '.' && saw_digit) {
 			if (octets == 4)
 				return (0);
 			*++tp = 0;
 			saw_digit = 0;
 		} else
 			return (0);
 	}
 	if (octets < 4)
 		return (0);
 	memcpy(dst, tmp, INADDRSZ);
 	return (1);
 }
 /* int
 * inet_pton6(src, dst)
 *	convert presentation level address to network order binary form.
 * return:
 *	1 if `src' is a valid [RFC1884 2.2] address, else 0.
 * notice:
 *	does not touch `dst' unless it's returning 1.
 * credit:
 *	inspired by Mark Andrews.
 * author:
 *	Paul Vixie, 1996.
 */
 static int
 inet_pton6(const char *src, u_char *dst)
 {
 	static const char xdigits_l[] = "0123456789abcdef",
 			  xdigits_u[] = "0123456789ABCDEF";
 	u_char tmp[IN6ADDRSZ], *tp, *endp, *colonp;
 	const char *xdigits, *curtok;
 	int ch, saw_xdigit, count_xdigit;
 	u_int val;
 	memset((tp = tmp), '\0', IN6ADDRSZ);
 	endp = tp + IN6ADDRSZ;
 	colonp = NULL;
 	/* Leading :: requires some special handling. */
 	if (*src == ':')
 		if (*++src != ':')
 			return (0);
 	curtok = src;
 	saw_xdigit = count_xdigit = 0;
 	val = 0;
 	while ((ch = *src++) != '\0') {
 		const char *pch;
 		if ((pch = strchr((xdigits = xdigits_l), ch)) == NULL)
 			pch = strchr((xdigits = xdigits_u), ch);
 		if (pch != NULL) {
 			if (count_xdigit >= 4)
 				return (0);
 			val <<= 4;
 			val |= (pch - xdigits);
 			if (val > 0xffff)
 				return (0);
 			saw_xdigit = 1;
 			count_xdigit++;
 			continue;
 		}
 		if (ch == ':') {
 			curtok = src;
 			if (!saw_xdigit) {
 				if (colonp)
 					return (0);
 				colonp = tp;
 				continue;
 			} else if (*src == '\0') {
 				return (0);
 			}
 			if (tp + INT16SZ > endp)
 				return (0);
 			*tp++ = (u_char) (val >> 8) & 0xff;
 			*tp++ = (u_char) val & 0xff;
 			saw_xdigit = 0;
 			count_xdigit = 0;
 			val = 0;
 			continue;
 		}
 		if (ch == '.' && ((tp + INADDRSZ) <= endp) &&
 		    inet_pton4(curtok, tp) > 0) {
 			tp += INADDRSZ;
 			saw_xdigit = 0;
 			count_xdigit = 0;
 			break;	/* '\0' was seen by inet_pton4(). */
 		}
 		return (0);
 	}
 	if (saw_xdigit) {
 		if (tp + INT16SZ > endp)
 			return (0);
 		*tp++ = (u_char) (val >> 8) & 0xff;
 		*tp++ = (u_char) val & 0xff;
 	}
 	if (colonp != NULL) {
 		/*
 		 * Since some memmove()'s erroneously fail to handle
 		 * overlapping regions, we'll do the shift by hand.
 		 */
 		const int n = tp - colonp;
 		int i;
 		if (tp == endp)
 			return (0);
 		for (i = 1; i <= n; i++) {
 			endp[- i] = colonp[n - i];
 			colonp[n - i] = 0;
 		}
 		tp = endp;
 	}
 	if (tp != endp)
 		return (0);
 	memcpy(dst, tmp, IN6ADDRSZ);
 	return (1);
 }
--- a/crypto/compat/issetugid_linux.c
+++ b/crypto/compat/issetugid_linux.c
@@ -1,47 +0,0 @@
 /*
 * issetugid implementation for Linux
 * Public domain
 */
 #include <errno.h>
 #include <gnu/libc-version.h>
 #include <string.h>
 #include <sys/types.h>
 #include <unistd.h>
 /*
 * Linux-specific glibc 2.16+ interface for determining if a process was
 * launched setuid/setgid or with additional capabilities.
 */
 #ifdef HAVE_GETAUXVAL
 #include <sys/auxv.h>
 #endif
 int issetugid(void)
 {
 #ifdef HAVE_GETAUXVAL
 	/*
 	 * The API for glibc < 2.19 does not indicate if there is an error with
 	 * getauxval. While it should not be the case that any 2.6 or greater
 	 * kernel ever does not supply AT_SECURE, an emulated software environment
 	 * might rewrite the aux vector.
 	 *
 	 * See https://sourceware.org/bugzilla/show_bug.cgi?id=15846
 	 *
 	 * Perhaps this code should just read the aux vector itself, so we have
 	 * backward-compatibility and error handling in older glibc versions.
 	 * info: http://lwn.net/Articles/519085/
 	 *
 	 */
 	const char *glcv = gnu_get_libc_version();
 	if (strverscmp(glcv, "2.19") >= 0) {
 		errno = 0;
 		if (getauxval(AT_SECURE) == 0) {
 			if (errno != ENOENT) {
 				return 0;
 			}
 		}
 	}
 #endif
 	return 1;
 }
--- a/crypto/compat/issetugid_win.c
+++ b/crypto/compat/issetugid_win.c
@@ -1,26 +0,0 @@
 /*
 * issetugid implementation for Windows
 * Public domain
 */
 #include <unistd.h>
 /*
 * Windows does not have a native setuid/setgid functionality.
 * A user must enter credentials each time a process elevates its
 * privileges.
 *
 * So, in theory, this could always return 0, given what I know currently.
 * However, it makes sense to stub out initially in 'safe' mode until we
 * understand more (and determine if any disabled functionality is actually
 * useful on Windows anyway).
 *
 * Future versions of this function that are made more 'open' should thoroughly
 * consider the case of this code running as a privileged service with saved
 * user credentials or privilege escalations by other means (e.g. the old
 * RunAsEx utility.)
 */
 int issetugid(void)
 {
 	return 1;
 }
--- a/crypto/compat/posix_win.c
+++ b/crypto/compat/posix_win.c
@@ -0,0 +1,168 @@
 /*
 * Public domain
 *
 * BSD socket emulation code for Winsock2
 * File IO compatibility shims
 * Brent Cook <bcook@openbsd.org>
 */
 #define NO_REDEF_POSIX_FUNCTIONS
 #include <windows.h>
 #include <ws2tcpip.h>
 #include <errno.h>
 #include <stdio.h>
 #include <stdlib.h>
 #include <string.h>
 #include <unistd.h>
 void
 posix_perror(const char *s)
 {
 	fprintf(stderr, "%s: %s\n", s, strerror(errno));
 }
 FILE *
 posix_fopen(const char *path, const char *mode)
 {
 	if (strchr(mode, 'b') == NULL) {
 		char *bin_mode = NULL;
 		if (asprintf(&bin_mode, "%sb", mode) == -1)
 			return NULL;
 		FILE *f = fopen(path, bin_mode);
 		free(bin_mode);
 		return f;
 	}
 	return fopen(path, mode);
 }
 int
 posix_rename(const char *oldpath, const char *newpath)
 {
 	return MoveFileEx(oldpath, newpath, MOVEFILE_REPLACE_EXISTING) ? 0 : -1;
 }
 static int
 wsa_errno(int err)
 {
 	switch (err) {
 	case WSAENOBUFS:
 		errno = ENOMEM;
 		break;
 	case WSAEACCES:
 		errno = EACCES;
 		break;
 	case WSANOTINITIALISED:
 		errno = EPERM;
 		break;
 	case WSAEHOSTUNREACH:
 	case WSAENETDOWN:
 		errno = EIO;
 		break;
 	case WSAEFAULT:
 		errno = EFAULT;
 		break;
 	case WSAEINTR:
 		errno = EINTR;
 		break;
 	case WSAEINVAL:
 		errno = EINVAL;
 		break;
 	case WSAEINPROGRESS:
 		errno = EINPROGRESS;
 		break;
 	case WSAEWOULDBLOCK:
 		errno = EAGAIN;
 		break;
 	case WSAEOPNOTSUPP:
 		errno = ENOTSUP;
 		break;
 	case WSAEMSGSIZE:
 		errno = EFBIG;
 		break;
 	case WSAENOTSOCK:
 		errno = ENOTSOCK;
 		break;
 	case WSAENOPROTOOPT:
 		errno = ENOPROTOOPT;
 		break;
 	case WSAECONNREFUSED:
 		errno = ECONNREFUSED;
 		break;
 	case WSAEAFNOSUPPORT:
 		errno = EAFNOSUPPORT;
 		break;
 	case WSAENETRESET:
 	case WSAENOTCONN:
 	case WSAECONNABORTED:
 	case WSAECONNRESET:
 	case WSAESHUTDOWN:
 	case WSAETIMEDOUT:
 		errno = EPIPE;
 		break;
 	}
 	return -1;
 }
 int
 posix_connect(int sockfd, const struct sockaddr *addr, socklen_t addrlen)
 {
 	int rc = connect(sockfd, addr, addrlen);
 	if (rc == SOCKET_ERROR)
 		return wsa_errno(WSAGetLastError());
 	return rc;
 }
 int
 posix_close(int fd)
 {
 	if (closesocket(fd) == SOCKET_ERROR) {
 		int err = WSAGetLastError();
 		return err == WSAENOTSOCK ?
 			close(fd) : wsa_errno(err);
 	}
 	return 0;
 }
 ssize_t
 posix_read(int fd, void *buf, size_t count)
 {
 	ssize_t rc = recv(fd, buf, count, 0);
 	if (rc == SOCKET_ERROR) {
 		int err = WSAGetLastError();
 		return err == WSAENOTSOCK ?
 			read(fd, buf, count) : wsa_errno(err);
 	}
 	return rc;
 }
 ssize_t
 posix_write(int fd, const void *buf, size_t count)
 {
 	ssize_t rc = send(fd, buf, count, 0);
 	if (rc == SOCKET_ERROR) {
 		int err = WSAGetLastError();
 		return err == WSAENOTSOCK ?
 			write(fd, buf, count) : wsa_errno(err);
 	}
 	return rc;
 }
 int
 posix_getsockopt(int sockfd, int level, int optname,
 	void *optval, socklen_t *optlen)
 {
 	int rc = getsockopt(sockfd, level, optname, (char *)optval, optlen);
 	return rc == 0 ? 0 : wsa_errno(WSAGetLastError());
 }
 int
 posix_setsockopt(int sockfd, int level, int optname,
 	const void *optval, socklen_t optlen)
 {
 	int rc = setsockopt(sockfd, level, optname, (char *)optval, optlen);
 	return rc == 0 ? 0 : wsa_errno(WSAGetLastError());
 }
--- a/dist-win.sh
+++ b/dist-win.sh
@@ -0,0 +1,57 @@
 #!/bin/bash
 set -e
 #set -x
 export PATH=/cygdrive/c/Program\ Files\ \(x86\)/Microsoft\ Visual\ Studio\ 12.0/VC/bin:$PATH
 VERSION=`cat VERSION`
 DIST=libressl-$VERSION-windows
 rm -fr $DIST
 mkdir -p $DIST
 autoreconf -i
 for ARCH in X86 X64; do
 	if [ $ARCH = X86 ]; then
 		HOST=i686-w64-mingw32
 		ARCHDIR=x86
 	else
 		HOST=x86_64-w64-mingw32
 		ARCHDIR=x64
 	fi
 	echo Building for $HOST
 	CC=$HOST-gcc ./configure --host=$HOST
 	make clean
 	PATH=$PATH:/usr/$HOST/sys-root/mingw/bin \
 	   make -j 4 check
 	make -j 4 install DESTDIR=`pwd`/stage-$ARCHDIR
 	mkdir -p $DIST/$ARCHDIR
 	#cp -a stage-$ARCHDIR/usr/local/lib/* $DIST/$ARCHDIR
 	if [ ! -e $DIST/include ]; then
 		cp -a stage-$ARCHDIR/usr/local/include $DIST
 		sed -i -e 'N;/\n.*__non/s/"\? *\n/ /;P;D' \
 		       $DIST/include/openssl/*.h $DIST/include/*.h
 		sed -i -e 'N;/\n.*__attr/s/"\? *\n/ /;P;D' \
 		       $DIST/include/openssl/*.h $DIST/include/*.h
 		sed -i -e "s/__attr.*;/;/"  \
 		       -e "s/sys\/time.h/winsock2.h/" \
 		       $DIST/include/openssl/*.h $DIST/include/*.h
 	fi
 	cp stage-$ARCHDIR/usr/local/bin/* $DIST/$ARCHDIR
 	#cp /usr/$HOST/sys-root/mingw/bin/libssp* $DIST/$ARCHDIR
 	for i in libcrypto libssl libtls; do
 		DLL=$(basename `ls -1 $DIST/$ARCHDIR/$i*.dll`|cut -d. -f1)
 		echo EXPORTS > $DLL.def
 		dumpbin /exports $DIST/$ARCHDIR/$DLL.dll | \
 		    awk '{print $4}' | awk 'NF' |tail -n +9 >> $DLL.def
 		lib /MACHINE:$ARCH /def:$DLL.def /out:$DIST/$ARCHDIR/$DLL.lib
 		cv2pdb $DIST/$ARCHDIR/$DLL.dll
 	done
 done
 zip -r $DIST.zip $DIST
--- a/dist.sh
+++ b/dist.sh
@@ -3,5 +3,5 @@ set -e
 rm -f man/*.1 man/*.3
 ./autogen.sh
-./configure --enable-libtls
+./configure
 make distcheck
--- a/gen-coverage-report.sh
+++ b/gen-coverage-report.sh
@@ -0,0 +1,43 @@
 #!/bin/sh
 VERSION=$(cat VERSION)
 DESTDIR=libressl-coverage-$VERSION
 echo "This will generate a code coverage report under $DESTDIR"
 echo
 if [ "x$(which lcov)" = "x" ]; then
 	echo "'lcov' is required but not found!"
 	exit 1
 fi
 if [ "x$(which genhtml)" = "x" ]; then
 	echo "'genhtml' is required but not found!"
 	exit 1
 fi
 find -name '*.gcda' -o -name '*.gcno' -delete
 rm -fr $DESTDIR
 echo "Configuring to build with code coverage support"
 ./configure CFLAGS='-O0 -fprofile-arcs -ftest-coverage'
 echo "Running all code paths"
 make clean
 make check
 echo "Generating report"
 mkdir -p $DESTDIR
 find tests -name '*.gcda' -o -name '*.gcno' -delete
 lcov --capture --output-file $DESTDIR/coverage.tmp \
 	--rc lcov_branch_coverage=1 \
 	--directory crypto \
 	--directory ssl \
 	--directory tls \
    --test-name "LibreSSL $VERSION"
 genhtml --prefix . --output-directory $DESTDIR \
 	--branch-coverage --function-coverage \
 	--rc lcov_branch_coverage=1 \
    --title "LibreSSL $VERSION" --legend --show-detail $DESTDIR/coverage.tmp
 echo "Code coverage report is available under $DESTDIR"
--- a/include/Makefile.am
+++ b/include/Makefile.am
@@ -14,6 +14,7 @@ noinst_HEADERS += unistd.h
 noinst_HEADERS += win32netcompat.h
 noinst_HEADERS += arpa/inet.h
 noinst_HEADERS += arpa/nameser.h
 noinst_HEADERS += machine/endian.h
@@ -26,7 +27,6 @@ noinst_HEADERS += sys/select.h
 noinst_HEADERS += sys/socket.h
 noinst_HEADERS += sys/times.h
 noinst_HEADERS += sys/types.h
 noinst_HEADERS += sys/uio.h
 if ENABLE_LIBTLS
 include_HEADERS = tls.h
 endif
--- a/include/arpa/inet.h
+++ b/include/arpa/inet.h
@@ -7,4 +7,13 @@
 #include_next <arpa/inet.h>
 #else
 #include <win32netcompat.h>
 #ifndef AI_ADDRCONFIG
 #define AI_ADDRCONFIG               0x00000400
 #endif
 #endif
 #ifndef HAVE_INET_PTON
 int inet_pton(int af, const char * restrict src, void * restrict dst);
 #endif
--- a/include/arpa/nameser.h
+++ b/include/arpa/nameser.h
@@ -0,0 +1,23 @@
 /*
 * Public domain
 * arpa/inet.h compatibility shim
 */
 #ifndef _WIN32
 #include_next <arpa/nameser.h>
 #else
 #include <win32netcompat.h>
 #ifndef INADDRSZ
 #define INADDRSZ 4
 #endif
 #ifndef IN6ADDRSZ
 #define IN6ADDRSZ 16
 #endif
 #ifndef INT16SZ
 #define INT16SZ	2
 #endif
 #endif
--- a/include/stdio.h
+++ b/include/stdio.h
@@ -15,16 +15,17 @@ int asprintf(char **str, const char *fmt, ...);
 #endif
 #ifdef _WIN32
 #include <errno.h>
 #include <string.h>
-static inline void
+void posix_perror(const char *s);
-posix_perror(const char *s)
+FILE * posix_fopen(const char *path, const char *mode);
-{
+int posix_rename(const char *oldpath, const char *newpath);
 	fprintf(stderr, "%s: %s\n", s, strerror(errno));
 }
 #ifndef NO_REDEF_POSIX_FUNCTIONS
 #define perror(errnum) posix_perror(errnum)
 #define fopen(path, mode) posix_fopen(path, mode)
 #define rename(oldpath, newpath) posix_rename(oldpath, newpath)
 #endif
 #endif
 #endif
--- a/include/string.h
+++ b/include/string.h
@@ -33,6 +33,10 @@ size_t strnlen(const char *str, size_t maxlen);
 #endif
 #endif
 #ifndef HAVE_STRSEP
 char *strsep(char **stringp, const char *delim);
 #endif
 #ifndef HAVE_EXPLICIT_BZERO
 void explicit_bzero(void *, size_t);
 #endif
--- a/include/sys/uio.h
+++ b/include/sys/uio.h
@@ -0,0 +1,17 @@
 /*
 * Public domain
 * sys/select.h compatibility shim
 */
 #ifndef _WIN32
 #include_next <sys/uio.h>
 #else
 #include <sys/types.h>
 struct iovec {
 	void *iov_base;
 	size_t iov_len;
 };
 #endif
--- a/include/unistd.h
+++ b/include/unistd.h
@@ -12,8 +12,4 @@
 int getentropy(void *buf, size_t buflen);
 #endif
 #ifndef HAVE_ISSETUGID
 int issetugid(void);
 #endif
 #endif
--- a/include/win32netcompat.h
+++ b/include/win32netcompat.h
@@ -19,142 +19,29 @@
 #include <errno.h>
 #include <unistd.h>
-static int
+int posix_connect(int sockfd, const struct sockaddr *addr, socklen_t addrlen);
 wsa_errno(int err)
 {
 	switch (err) {
 	case WSAENOBUFS:
 		errno = ENOMEM;
 		break;
 	case WSAEACCES:
 		errno = EACCES;
 		break;
 	case WSANOTINITIALISED:
 		errno = EPERM;
 		break;
 	case WSAEHOSTUNREACH:
 	case WSAENETDOWN:
 		errno = EIO;
 		break;
 	case WSAEFAULT:
 		errno = EFAULT;
 		break;
 	case WSAEINTR:
 		errno = EINTR;
 		break;
 	case WSAEINVAL:
 		errno = EINVAL;
 		break;
 	case WSAEINPROGRESS:
 		errno = EINPROGRESS;
 		break;
 	case WSAEWOULDBLOCK:
 		errno = EAGAIN;
 		break;
 	case WSAEOPNOTSUPP:
 		errno = ENOTSUP;
 		break;
 	case WSAEMSGSIZE:
 		errno = EFBIG;
 		break;
 	case WSAENOTSOCK:
 		errno = ENOTSOCK;
 		break;
 	case WSAENOPROTOOPT:
 		errno = ENOPROTOOPT;
 		break;
 	case WSAECONNREFUSED:
 		errno = ECONNREFUSED;
 		break;
 	case WSAEAFNOSUPPORT:
 		errno = EAFNOSUPPORT;
 		break;
 	case WSAENETRESET:
 	case WSAENOTCONN:
 	case WSAECONNABORTED:
 	case WSAECONNRESET:
 	case WSAESHUTDOWN:
 	case WSAETIMEDOUT:
 		errno = EPIPE;
 		break;
 	}
 	return -1;
 }
-static inline int
+int posix_close(int fd);
-posix_connect(int sockfd, const struct sockaddr *addr, socklen_t addrlen)
+ssize_t posix_read(int fd, void *buf, size_t count);
 {
 	int rc = connect(sockfd, addr, addrlen);
 	if (rc == SOCKET_ERROR)
 		return wsa_errno(WSAGetLastError());
 	return rc;
 }
 ssize_t posix_write(int fd, const void *buf, size_t count);
 int posix_getsockopt(int sockfd, int level, int optname,
 	void *optval, socklen_t *optlen);
 int posix_setsockopt(int sockfd, int level, int optname,
 	const void *optval, socklen_t optlen);
 #ifndef NO_REDEF_POSIX_FUNCTIONS
 #define connect(sockfd, addr, addrlen) posix_connect(sockfd, addr, addrlen)
 static inline int
 posix_close(int fd)
 {
 	if (closesocket(fd) == SOCKET_ERROR) {
 		int err = WSAGetLastError();
 		return err == WSAENOTSOCK ?
 			close(fd) : wsa_errno(err);
 	}
 	return 0;
 }
 #define close(fd) posix_close(fd)
 static inline ssize_t
 posix_read(int fd, void *buf, size_t count)
 {
 	ssize_t rc = recv(fd, buf, count, 0);
 	if (rc == SOCKET_ERROR) {
 		int err = WSAGetLastError();
 		return err == WSAENOTSOCK ?
 			read(fd, buf, count) : wsa_errno(err);
 	}
 	return rc;
 }
 #define read(fd, buf, count) posix_read(fd, buf, count)
 static inline ssize_t
 posix_write(int fd, const void *buf, size_t count)
 {
 	ssize_t rc = send(fd, buf, count, 0);
 	if (rc == SOCKET_ERROR) {
 		int err = WSAGetLastError();
 		return err == WSAENOTSOCK ?
 			write(fd, buf, count) : wsa_errno(err);
 	}
 	return rc;
 }
 #define write(fd, buf, count) posix_write(fd, buf, count)
 static inline int
 posix_getsockopt(int sockfd, int level, int optname,
 	void *optval, socklen_t *optlen)
 {
 	int rc = getsockopt(sockfd, level, optname, (char *)optval, optlen);
 	return rc == 0 ? 0 : wsa_errno(WSAGetLastError());
 }
 #define getsockopt(sockfd, level, optname, optval, optlen) \
 	posix_getsockopt(sockfd, level, optname, optval, optlen)
 static inline int
 posix_setsockopt(int sockfd, int level, int optname,
 	const void *optval, socklen_t optlen)
 {
 	int rc = setsockopt(sockfd, level, optname, (char *)optval, optlen);
 	return rc == 0 ? 0 : wsa_errno(WSAGetLastError());
 }
 #define setsockopt(sockfd, level, optname, optval, optlen) \
 	posix_setsockopt(sockfd, level, optname, optval, optlen)
 #endif
 #endif
--- a/libcrypto.pc.in
+++ b/libcrypto.pc.in
@@ -7,7 +7,7 @@ includedir=@includedir@
 Name: LibreSSL-libssl
 Description: Secure Sockets Layer and cryptography libraries
-Version: @VERSION@
+Version: @LIBCRYPTO_VERSION@
 Requires:
 Conflicts:
 Libs: -L${libdir} -lcrypto
--- a/libssl.pc.in
+++ b/libssl.pc.in
@@ -7,7 +7,7 @@ includedir=@includedir@
 Name: LibreSSL-libssl
 Description: Secure Sockets Layer and cryptography libraries
-Version: @VERSION@
+Version: @LIBSSL_VERSION@
 Requires:
 Requires.private: libcrypto
 Conflicts:
--- a/libtls-standalone/AUTHORS
+++ b/libtls-standalone/AUTHORS
--- a/libtls-standalone/COPYING
+++ b/libtls-standalone/COPYING
@@ -0,0 +1,13 @@
 libtls is ISC licensed as per OpenBSD's normal licensing policy.
 Permission to use, copy, modify, and distribute this software for any
 purpose with or without fee is hereby granted, provided that the above
 copyright notice and this permission notice appear in all copies.
 THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
 WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
 MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
 ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
 WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
 ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
--- a/libtls-standalone/ChangeLog
+++ b/libtls-standalone/ChangeLog
--- a/libtls-standalone/Makefile.am
+++ b/libtls-standalone/Makefile.am
@@ -0,0 +1,7 @@
 SUBDIRS = include compat src tests man
 ACLOCAL_AMFLAGS = -I m4
 pkgconfigdir = $(libdir)/pkgconfig
 pkgconfig_DATA = libtls.pc
 EXTRA_DIST = README VERSION
--- a/libtls-standalone/NEWS
+++ b/libtls-standalone/NEWS
--- a/libtls-standalone/README
+++ b/libtls-standalone/README
--- a/libtls-standalone/VERSION
+++ b/libtls-standalone/VERSION
@@ -0,0 +1 @@
 4.0.0
--- a/libtls-standalone/compat/Makefile.am
+++ b/libtls-standalone/compat/Makefile.am
@@ -0,0 +1,45 @@
 #
 # Copyright (c) 2014-2015 Brent Cook
 #
 # Permission to use, copy, modify, and distribute this software for any
 # purpose with or without fee is hereby granted, provided that the above
 # copyright notice and this permission notice appear in all copies.
 #
 # THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
 # WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
 # MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
 # ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
 # WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
 # ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 # OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 AM_CPPFLAGS = -I$(top_srcdir)/include -I$(top_srcdir)/src
 noinst_LTLIBRARIES = libcompat.la libcompatnoopt.la
 # compatibility functions that need to be built without optimizations
 libcompatnoopt_la_CFLAGS = -O0
 libcompatnoopt_la_SOURCES =
 if !HAVE_EXPLICIT_BZERO
 libcompatnoopt_la_SOURCES += explicit_bzero.c
 endif
 # other compatibility functions
 libcompat_la_CFLAGS = $(CFLAGS) $(USER_CFLAGS)
 libcompat_la_SOURCES =
 libcompat_la_LIBADD = $(PLATFORM_LDADD)
 if !HAVE_ASPRINTF
 libcompat_la_SOURCES += bsd-asprintf.c
 endif
 if !HAVE_STRLCPY
 libcompat_la_SOURCES += strlcpy.c
 endif
 if !HAVE_STRSEP
 libcompat_la_SOURCES += strsep.c
 endif
 include Makefile.am.arc4random
--- a/libtls-standalone/configure.ac
+++ b/libtls-standalone/configure.ac
@@ -0,0 +1,52 @@
 # Copyright (c) 2014-2015 Brent Cook
 #
 # Permission to use, copy, modify, and distribute this software for any
 # purpose with or without fee is hereby granted, provided that the above
 # copyright notice and this permission notice appear in all copies.
 #
 # THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
 # WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
 # MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
 # ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
 # WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
 # ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 # OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 AC_INIT([libtls], m4_esyscmd([tr -d '\n' < VERSION]))
 AC_SUBST([LIBTLS_VERSION], m4_esyscmd([sed -e 's/\./:/g' VERSION | tr -d '\n']))
 AC_CANONICAL_HOST
 AM_INIT_AUTOMAKE([subdir-objects])
 AC_CONFIG_MACRO_DIR([m4])
 m4_ifdef([AM_SILENT_RULES], [AM_SILENT_RULES([yes])])
 # This must be called before AC_PROG_CC
 USER_CFLAGS="$CFLAGS"
 AC_PROG_CC
 AC_PROG_CC_STDC
 AM_PROG_CC_C_O
 AC_PROG_LIBTOOL
 LT_INIT
 CHECK_OS_OPTIONS
 CHECK_C_HARDENING_OPTIONS
 DISABLE_COMPILER_WARNINGS
 CHECK_LIBC_COMPAT
 CHECK_LIBC_CRYPTO_COMPAT
 AC_CONFIG_FILES([
 	Makefile
 	include/Makefile
 	compat/Makefile
 	man/Makefile
 	src/Makefile
 	tests/Makefile
 	libtls.pc
 ])
 AC_OUTPUT
--- a/libtls-standalone/include/Makefile.am
+++ b/libtls-standalone/include/Makefile.am
@@ -0,0 +1,5 @@
 noinst_HEADERS = stdlib.h
 noinst_HEADERS += string.h
 noinst_HEADERS += unistd.h
 include_HEADERS = tls.h
--- a/libtls-standalone/include/string.h
+++ b/libtls-standalone/include/string.h
@@ -0,0 +1,73 @@
 /*
 * Public domain
 * string.h compatibility shim
 */
 #include_next <string.h>
 #ifndef LIBCRYPTOCOMPAT_STRING_H
 #define LIBCRYPTOCOMPAT_STRING_H
 #include <sys/types.h>
 #if defined(__sun) || defined(__hpux)
 /* Some functions historically defined in string.h were placed in strings.h by
 * SUS. Use the same hack as OS X and FreeBSD use to work around on Solaris and HPUX.
 */
 #include <strings.h>
 #endif
 #ifndef HAVE_STRLCPY
 size_t strlcpy(char *dst, const char *src, size_t siz);
 #endif
 #ifndef HAVE_STRLCAT
 size_t strlcat(char *dst, const char *src, size_t siz);
 #endif
 #ifndef HAVE_STRNDUP
 char * strndup(const char *str, size_t maxlen);
 /* the only user of strnlen is strndup, so only build it if needed */
 #ifndef HAVE_STRNLEN
 size_t strnlen(const char *str, size_t maxlen);
 #endif
 #endif
 #ifndef HAVE_STRSEP
 char *strsep(char **stringp, const char *delim);
 #endif
 #ifndef HAVE_EXPLICIT_BZERO
 void explicit_bzero(void *, size_t);
 #endif
 #ifndef HAVE_TIMINGSAFE_BCMP
 int timingsafe_bcmp(const void *b1, const void *b2, size_t n);
 #endif
 #ifndef HAVE_TIMINGSAFE_MEMCMP
 int timingsafe_memcmp(const void *b1, const void *b2, size_t len);
 #endif
 #ifndef HAVE_MEMMEM
 void * memmem(const void *big, size_t big_len, const void *little,
 	size_t little_len);
 #endif
 #ifdef _WIN32
 #include <errno.h>
 static inline char  *
 posix_strerror(int errnum)
 {
 	if (errnum == ECONNREFUSED) {
 		return "Connection refused";
 	}
 	return strerror(errnum);
 }
 #define strerror(errnum) posix_strerror(errnum)
 #endif
 #endif
--- a/libtls-standalone/libtls.pc.in
+++ b/libtls-standalone/libtls.pc.in
@@ -0,0 +1,16 @@
 #libtls pkg-config source file
 prefix=@prefix@
 exec_prefix=@exec_prefix@
 libdir=@libdir@
 includedir=@includedir@
 Name: LibreSSL-libtls
 Description: Secure communications using the TLS socket protocol.
 Version: @LIBTLS_VERSION@
 Requires:
 Requires.private: libcrypto libssl
 Conflicts:
 Libs: -L${libdir} -ltls
 Libs.private: @LIBS@ -lcrypto -lssl
 Cflags: -I${includedir}
--- a/libtls-standalone/src/Makefile.am
+++ b/libtls-standalone/src/Makefile.am
@@ -0,0 +1,16 @@
 AM_CFLAGS = -I$(top_srcdir)/include
 lib_LTLIBRARIES = libtls.la
 libtls_la_LDFLAGS = -version-info @LIBTLS_VERSION@ -no-undefined
 libtls_la_LIBADD = -lcrypto -lssl -lcrypto $(PLATFORM_LDADD)
 libtls_la_LIBADD += $(top_builddir)/compat/libcompat.la
 libtls_la_LIBADD += $(top_builddir)/compat/libcompatnoopt.la
 libtls_la_SOURCES = tls.c
 libtls_la_SOURCES += tls_client.c
 libtls_la_SOURCES += tls_config.c
 libtls_la_SOURCES += tls_server.c
 libtls_la_SOURCES += tls_util.c
 libtls_la_SOURCES += tls_verify.c
 noinst_HEADERS = tls_internal.h
--- a/libtls-standalone/tests/Makefile.am
+++ b/libtls-standalone/tests/Makefile.am
@@ -0,0 +1,7 @@
 AM_CFLAGS = -I$(top_srcdir)/include
 check_PROGRAMS = test
 TESTS = test
 test_SOURCES = test.c
 test_LDADD = -lcrypto -lssl $(top_builddir)/src/libtls.la
--- a/libtls-standalone/tests/test.c
+++ b/libtls-standalone/tests/test.c
@@ -0,0 +1,51 @@
 #include <stdio.h>
 #include <tls.h>
 int main()
 {
 	struct tls *tls;
 	struct tls_config *tls_config;
 	size_t written, read;
 	char buf[4096];
 	if (tls_init() != 0) {
 		fprintf(stderr, "tls_init failed");
 		return 1;
 	}
 	if ((tls = tls_client()) == NULL)
 		goto err;
 	if ((tls_config = tls_config_new()) == NULL)
 		goto err;
 	if (tls_config_set_ciphers(tls_config, "compat") != 0)
 		goto err;
 	tls_config_insecure_noverifycert(tls_config);
 	tls_config_insecure_noverifyname(tls_config);
 	if (tls_configure(tls, tls_config) != 0)
 		goto err;
 	if (tls_connect(tls, "google.com", "443") != 0)
 		goto err;
 	if (tls_write(tls, "GET /\r\n", 7, &written) != 0)
 		goto err;
 	if (tls_read(tls, buf, sizeof(buf), &read) != 0)
 		goto err;
 	buf[read - 1] = '\0';
 	puts(buf);
 	if (tls_close(tls) != 0)
 		goto err;
 	return 0;
 err:
 	fprintf(stderr, "%s\n", tls_error(tls));
 	return 1;
 }
--- a/libtls.pc.in
+++ b/libtls.pc.in
@@ -7,7 +7,7 @@ includedir=@includedir@
 Name: LibreSSL-libtls
 Description: Secure communications using the TLS socket protocol.
-Version: @VERSION@
+Version: @LIBTLS_VERSION@
 Requires:
 Requires.private: libcrypto libssl
 Conflicts:
--- a/m4/check-hardening-options.m4
+++ b/m4/check-hardening-options.m4
@@ -0,0 +1,109 @@
 AC_DEFUN([CHECK_CFLAG], [
 	 AC_LANG_ASSERT(C)
 	 AC_MSG_CHECKING([if $saved_CC supports "$1"])
 	 old_cflags="$CFLAGS"
 	 CFLAGS="$1 -Wall -Werror"
 	 AC_TRY_LINK([
 		      #include <stdio.h>
 		      ],
 		     [printf("Hello")],
 		     AC_MSG_RESULT([yes])
 		     CFLAGS=$old_cflags
 		     HARDEN_CFLAGS="$HARDEN_CFLAGS $1",
 		     AC_MSG_RESULT([no])
 		     CFLAGS=$old_cflags
 		     [$2])
 ])
 AC_DEFUN([CHECK_LDFLAG], [
 	 AC_LANG_ASSERT(C)
 	 AC_MSG_CHECKING([if $saved_LD supports "$1"])
 	 old_ldflags="$LDFLAGS"
 	 LDFLAGS="$1 -Wall -Werror"
 	 AC_TRY_LINK([
 		      #include <stdio.h>
 		      ],
 		     [printf("Hello")],
 		     AC_MSG_RESULT([yes])
 		     LDFLAGS=$old_ldflags
 		     HARDEN_LDFLAGS="$HARDEN_LDFLAGS $1",
 		     AC_MSG_RESULT([no])
 		     LDFLAGS=$old_ldflags
 		     [$2])
 ])
 AC_DEFUN([DISABLE_AS_EXECUTABLE_STACK], [
 	save_cflags="$CFLAGS"
 	CFLAGS=
 	AC_MSG_CHECKING([whether AS supports .note.GNU-stack])
 	AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
 	__asm__(".section .note.GNU-stack,\"\",@progbits");]])],
 		[AC_MSG_RESULT([yes])]
 		[AM_CFLAGS=-DHAVE_GNU_STACK],
 		[AC_MSG_RESULT([no])]
 	)
 	CFLAGS="$save_cflags $AM_CFLAGS"
 ])
 AC_DEFUN([CHECK_C_HARDENING_OPTIONS], [
 	AC_ARG_ENABLE([hardening],
 		[AS_HELP_STRING([--disable-hardening],
 				[Disable options to frustrate memory corruption exploits])],
 		[], [enable_hardening=yes])
 	AC_ARG_ENABLE([windows-ssp],
 		[AS_HELP_STRING([--enable-windows-ssp],
 				[Enable building the stack smashing protection on
 				 Windows. This currently distributing libssp-0.dll.])])
 	# We want to check for compiler flag support. Prior to clang v5.1, there was no
 	# way to make clang's "argument unused" warning fatal.  So we invoke the
 	# compiler through a wrapper script that greps for this message.
 	saved_CC="$CC"
 	saved_LD="$LD"
 	flag_wrap="$srcdir/scripts/wrap-compiler-for-flag-check"
 	CC="$flag_wrap $CC"
 	LD="$flag_wrap $LD"
 	AS_IF([test "x$enable_hardening" = "xyes"], [
 		# Tell GCC to NOT optimize based on signed arithmetic overflow
 		CHECK_CFLAG([[-fno-strict-overflow]])
 		# _FORTIFY_SOURCE replaces builtin functions with safer versions.
 		CHECK_CFLAG([[-D_FORTIFY_SOURCE=2]])
 		# Enable read only relocations
 		CHECK_LDFLAG([[-Wl,-z,relro]])
 		CHECK_LDFLAG([[-Wl,-z,now]])
 		# Windows security flags
 		AS_IF([test "x$HOST_OS" = "xwin"], [
 			CHECK_LDFLAG([[-Wl,--nxcompat]])
 			CHECK_LDFLAG([[-Wl,--dynamicbase]])
 			CHECK_LDFLAG([[-Wl,--high-entropy-va]])
 		])
 		# Use stack-protector-strong if available; if not, fallback to
 		# stack-protector-all which is considered to be overkill
 		AS_IF([test "x$enable_windows_ssp" = "xyes" -o "x$HOST_OS" != "xwin"], [
 			CHECK_CFLAG([[-fstack-protector-strong]],
 				CHECK_CFLAG([[-fstack-protector-all]],
 					AC_MSG_WARN([compiler does not appear to support stack protection])
 				)
 			)
 			AS_IF([test "x$HOST_OS" = "xwin"], [
 				AC_SEARCH_LIBS([__stack_chk_guard],[ssp])
 			])
 		])
 	])
 	# Restore CC, LD
 	CC="$saved_CC"
 	LD="$saved_LD"
 	CFLAGS="$CFLAGS $HARDEN_CFLAGS"
 	LDFLAGS="$LDFLAGS $HARDEN_LDFLAGS"
 ])
--- a/m4/check-libc.m4
+++ b/m4/check-libc.m4
@@ -0,0 +1,66 @@
 AC_DEFUN([CHECK_LIBC_COMPAT], [
 # Check for general libc functions
 AC_CHECK_FUNCS([asprintf inet_pton memmem poll reallocarray])
 AC_CHECK_FUNCS([strlcat strlcpy strndup strnlen strsep strtonum])
 AM_CONDITIONAL([HAVE_ASPRINTF], [test "x$ac_cv_func_asprintf" = xyes])
 AM_CONDITIONAL([HAVE_INET_PTON], [test "x$ac_cv_func_inet_pton" = xyes])
 AM_CONDITIONAL([HAVE_MEMMEM], [test "x$ac_cv_func_memmem" = xyes])
 AM_CONDITIONAL([HAVE_POLL], [test "x$ac_cv_func_poll" = xyes])
 AM_CONDITIONAL([HAVE_REALLOCARRAY], [test "x$ac_cv_func_reallocarray" = xyes])
 AM_CONDITIONAL([HAVE_STRLCAT], [test "x$ac_cv_func_strlcat" = xyes])
 AM_CONDITIONAL([HAVE_STRLCPY], [test "x$ac_cv_func_strlcpy" = xyes])
 AM_CONDITIONAL([HAVE_STRNDUP], [test "x$ac_cv_func_strndup" = xyes])
 AM_CONDITIONAL([HAVE_STRNLEN], [test "x$ac_cv_func_strnlen" = xyes])
 AM_CONDITIONAL([HAVE_STRSEP], [test "x$ac_cv_func_strsep" = xyes])
 AM_CONDITIONAL([HAVE_STRTONUM], [test "x$ac_cv_func_strtonum" = xyes])
 ])
 AC_DEFUN([CHECK_LIBC_CRYPTO_COMPAT], [
 # Check crypto-related libc functions
 AC_CHECK_FUNCS([arc4random_buf explicit_bzero getauxval getentropy])
 AC_CHECK_FUNCS([timingsafe_bcmp timingsafe_memcmp])
 AM_CONDITIONAL([HAVE_ARC4RANDOM_BUF], [test "x$ac_cv_func_arc4random_buf" = xyes])
 AM_CONDITIONAL([HAVE_EXPLICIT_BZERO], [test "x$ac_cv_func_explicit_bzero" = xyes])
 AM_CONDITIONAL([HAVE_GETENTROPY], [test "x$ac_cv_func_getentropy" = xyes])
 AM_CONDITIONAL([HAVE_TIMINGSAFE_BCMP], [test "x$ac_cv_func_timingsafe_bcmp" = xyes])
 AM_CONDITIONAL([HAVE_TIMINGSAFE_MEMCMP], [test "x$ac_cv_func_timingsafe_memcmp" = xyes])
 # Override arc4random_buf implementations with known issues
 AM_CONDITIONAL([HAVE_ARC4RANDOM_BUF],
 	[test "x$HOST_OS" != xdarwin \
 	   -a "x$HOST_OS" != xfreebsd \
 	   -a "x$HOST_OS" != xnetbsd \
 	   -a "x$ac_cv_func_arc4random_buf" = xyes])
 # Check for getentropy fallback dependencies
 AC_CHECK_FUNC([getauxval])
 AC_CHECK_FUNC([clock_gettime],, [AC_SEARCH_LIBS([clock_gettime],[rt posix4])])
 AC_CHECK_FUNC([dl_iterate_phdr],, [AC_SEARCH_LIBS([dl_iterate_phdr],[dl])])
 ])
 AC_DEFUN([CHECK_VA_COPY], [
 AC_CACHE_CHECK([whether va_copy exists], ac_cv_have_va_copy, [
 	AC_LINK_IFELSE([AC_LANG_PROGRAM([[
 #include <stdarg.h>
 va_list x,y;
 		]], [[ va_copy(x,y); ]])],
 	[ ac_cv_have_va_copy="yes" ],
 	[ ac_cv_have_va_copy="no"
 	])
 ])
 if test "x$ac_cv_have_va_copy" = "xyes" ; then
 	AC_DEFINE([HAVE_VA_COPY], [1], [Define if va_copy exists])
 fi
 AC_CACHE_CHECK([whether __va_copy exists], ac_cv_have___va_copy, [
 	AC_LINK_IFELSE([AC_LANG_PROGRAM([[
 #include <stdarg.h>
 va_list x,y;
 		]], [[ __va_copy(x,y); ]])],
 	[ ac_cv_have___va_copy="yes" ], [ ac_cv_have___va_copy="no"
 	])
 ])
 if test "x$ac_cv_have___va_copy" = "xyes" ; then
 	AC_DEFINE([HAVE___VA_COPY], [1], [Define if __va_copy exists])
 fi
 ])
--- a/m4/check-os-options.m4
+++ b/m4/check-os-options.m4
@@ -0,0 +1,77 @@
 # This must be called before AC_PROG_CC
 AC_DEFUN([CHECK_OS_OPTIONS], [
 CFLAGS="$CFLAGS -Wall -std=gnu99"
 case $host_os in
 	*aix*)
 		HOST_OS=aix
 		if test "`echo $CC | cut -d ' ' -f 1`" != "gcc" ; then
 			CFLAGS="$USER_CFLAGS"
 		fi
 		AC_SUBST([PLATFORM_LDADD], ['-lperfstat -lpthread'])
 		;;
 	*cygwin*)
 		HOST_OS=cygwin
 		;;
 	*darwin*)
 		HOST_OS=darwin
 		HOST_ABI=macosx
 		;;
 	*freebsd*)
 		HOST_OS=freebsd
 		HOST_ABI=elf
 		AC_SUBST([PROG_LDADD], ['-lthr'])
 		;;
 	*hpux*)
 		HOST_OS=hpux;
 		if test "`echo $CC | cut -d ' ' -f 1`" = "gcc" ; then
 			CFLAGS="$CFLAGS -mlp64"
 		else
 			CFLAGS="-g -O2 +DD64 $USER_CFLAGS"
 		fi
 		CPPFLAGS="$CPPFLAGS -D_XOPEN_SOURCE=600 -D__STRICT_ALIGNMENT"
 		AC_SUBST([PLATFORM_LDADD], ['-lpthread'])
 		;;
 	*linux*)
 		HOST_OS=linux
 		HOST_ABI=elf
 		CPPFLAGS="$CPPFLAGS -D_DEFAULT_SOURCE -D_BSD_SOURCE -D_POSIX_SOURCE -D_GNU_SOURCE"
 		;;
 	*netbsd*)
 		HOST_OS=netbsd
 		CPPFLAGS="$CPPFLAGS -D_OPENBSD_SOURCE"
 		;;
 	*openbsd* | *bitrig*)
 		HOST_ABI=elf
 		AC_DEFINE([HAVE_ATTRIBUTE__BOUNDED__], [1], [OpenBSD gcc has bounded])
 		;;
 	*mingw*)
 		HOST_OS=win
 		CPPFLAGS="$CPPFLAGS -D_GNU_SOURCE -D_POSIX -D_POSIX_SOURCE -D__USE_MINGW_ANSI_STDIO"
 		CPPFLAGS="$CPPFLAGS -D_REENTRANT -D_POSIX_THREAD_SAFE_FUNCTIONS"
 		CPPFLAGS="$CPPFLAGS -DWIN32_LEAN_AND_MEAN -D_WIN32_WINNT=0x0501"
 		CPPFLAGS="$CPPFLAGS -DOPENSSL_NO_SPEED -DNO_SYSLOG"
 		CFLAGS="$CFLAGS -static-libgcc"
 		LDFLAGS="$LDFLAGS -static-libgcc"
 		AC_SUBST([PLATFORM_LDADD], ['-lws2_32'])
 		;;
 	*solaris*)
 		HOST_OS=solaris
 		HOST_ABI=elf
 		CPPFLAGS="$CPPFLAGS -D__EXTENSIONS__ -D_XOPEN_SOURCE=600 -DBSD_COMP"
 		AC_SUBST([PLATFORM_LDADD], ['-lnsl -lsocket'])
 		;;
 	*) ;;
 esac
 AM_CONDITIONAL([HOST_AIX],     [test x$HOST_OS = xaix])
 AM_CONDITIONAL([HOST_CYGWIN],  [test x$HOST_OS = xcygwin])
 AM_CONDITIONAL([HOST_DARWIN],  [test x$HOST_OS = xdarwin])
 AM_CONDITIONAL([HOST_FREEBSD], [test x$HOST_OS = xfreebsd])
 AM_CONDITIONAL([HOST_HPUX],    [test x$HOST_OS = xhpux])
 AM_CONDITIONAL([HOST_LINUX],   [test x$HOST_OS = xlinux])
 AM_CONDITIONAL([HOST_NETBSD],  [test x$HOST_OS = xnetbsd])
 AM_CONDITIONAL([HOST_SOLARIS], [test x$HOST_OS = xsolaris])
 AM_CONDITIONAL([HOST_WIN],     [test x$HOST_OS = xwin])
 ])
--- a/m4/disable-compiler-warnings.m4
+++ b/m4/disable-compiler-warnings.m4
@@ -0,0 +1,29 @@
 AC_DEFUN([DISABLE_COMPILER_WARNINGS], [
 # Clang throws a lot of warnings when it does not understand a flag. Disable
 # this warning for now so other warnings are visible.
 AC_MSG_CHECKING([if compiling with clang])
 AC_COMPILE_IFELSE([AC_LANG_PROGRAM([], [[
 #ifndef __clang__
 	not clang
 #endif
 	]])],
 	[CLANG=yes],
 	[CLANG=no]
 )
 AC_MSG_RESULT([$CLANG])
 AS_IF([test "x$CLANG" = "xyes"], [CLANG_FLAGS=-Qunused-arguments])
 CFLAGS="$CFLAGS $CLANG_FLAGS"
 LDFLAGS="$LDFLAGS $CLANG_FLAGS"
 # Removing the dependency on -Wno-pointer-sign should be a goal. These are
 # largely unsigned char */char* mismatches in asn1 functions.
 save_cflags="$CFLAGS"
 CFLAGS=-Wno-pointer-sign
 AC_MSG_CHECKING([whether CC supports -Wno-pointer-sign])
 AC_COMPILE_IFELSE([AC_LANG_PROGRAM([])],
 	[AC_MSG_RESULT([yes])]
 	[AM_CFLAGS=-Wno-pointer-sign],
 	[AC_MSG_RESULT([no])]
 )
 CFLAGS="$save_cflags $AM_CFLAGS"
 ])
--- a/man/Makefile.am.tpl
+++ b/man/Makefile.am.tpl
@@ -1,2 +0,0 @@
 include $(top_srcdir)/Makefile.am.common
 dist_man_MANS=
--- a/man/links
+++ b/man/links
--- a/man/update_links.sh
+++ b/man/update_links.sh
@@ -0,0 +1,18 @@
 #!/bin/sh
 # Run this periodically to ensure that the manpage links are up to date
 echo "# This is an auto-generated file by $0" > links
 sudo makewhatis
 for i in `ls -1 *.3`; do
  name=`echo $i|cut -d. -f1`
  links=`sqlite3 /usr/share/man/mandoc.db \
    "select names.name from mlinks,names where mlinks.name='$name' and mlinks.pageid=names.pageid;"`
  for j in $links; do
    a=`echo "x$j" | tr '[:upper:]' '[:lower:]'`
    b=`echo "x$name" | tr '[:upper:]' '[:lower:]'`
    if [ $a != $b ]; then
      echo $name.3,$j.3 >> links
    fi
  done
 done
--- a/patches/openssl.c.patch
+++ b/patches/openssl.c.patch
@@ -0,0 +1,29 @@
 --- apps/openssl.c.orig	2015-06-05 03:42:12.956112944 -0500
 +++ apps/openssl.c	2015-06-05 03:41:54.215381908 -0500
@@ -130,6 +130,18 @@
 #include <openssl/engine.h>
 #endif
 +#ifdef _WIN32
 +#include <fcntl.h>
 +static void set_stdio_binary(void)
 +{
 +	_setmode(_fileno(stdin), _O_BINARY);
 +	_setmode(_fileno(stdout), _O_BINARY);
 +	_setmode(_fileno(stderr), _O_BINARY);
 +}
 +#else
 +static void set_stdio_binary(void) {};
 +#endif
 +
 #include "progs.h"
 #include "s_apps.h"
@@ -216,6 +228,7 @@
 #endif
 	setup_ui_method();
 +	set_stdio_binary();
 }
 static void
--- a/scripts/travis
+++ b/scripts/travis
@@ -0,0 +1,33 @@
 #!/bin/sh
 set -e
 ./autogen.sh
 if [ "x$ARCH" = "xnative" ]; then
 	./configure
 	if [ `uname` = "Darwin" ]; then
 		# OS X runs out of resources if we run 'make -j check'
 		make check
 	else
 		make -j distcheck
 	fi
 else
 	CPU=i686
 	if [ "x$ARCH" = "xmingw64" ]; then
 		CPU=x86_64
 	fi
 	export CC=$CPU-w64-mingw32-gcc
 	if [ -z $(which $CC) ]; then
 		# Update Ubuntu 12.04 with current mingw toolchain
 		sudo apt-get update
 		sudo apt-get install -y python-software-properties
 		sudo apt-add-repository -y ppa:tobydox/mingw-x-precise
 		sudo apt-get update
 		sudo apt-get install -y $ARCH-x-gcc make
 		export PATH=$PATH:/opt/$ARCH/bin
 	fi
 	./configure --host=$CPU-w64-mingw32
 	make -j
 fi
--- a/scripts/wrap-compiler-for-flag-check
+++ b/scripts/wrap-compiler-for-flag-check
@@ -0,0 +1,31 @@
 #!/bin/sh
 # This file is in the public domain.
 # https://github.com/kmcallister/autoharden/blob/c5c7842f39c2f8d19836bb5427d6479db4436d62/LICENSE
 #
 # From kmcallister: 
 # https://github.com/kmcallister/autoharden/blob/efaf5a16612589808c276a11536ea9a47071f74b/scripts/wrap-compiler-for-flag-check
 # Prior to clang v5.1, there was no way to make
 # clang's "argument unused" warning fatal.  This
 # wrapper script that greps for this warning message. Newer clang's have no issues.
 #
 # Ideally the search string would also include 'clang: ' but this output might
 # depend on clang's argv[0].
 #
 set -o errexit
 set -o nounset
 if out=`"$@" 2>&1`; then
  echo "$out"
  if echo "$out" | grep 'warning: argument unused' >/dev/null; then
    echo "$0: found clang warning"
    exit 1
  else
    exit 0
  fi
 else
  code=$?
  echo "$out"
  exit $code
 fi
--- a/ssl/Makefile.am
+++ b/ssl/Makefile.am
@@ -4,10 +4,13 @@ lib_LTLIBRARIES = libssl.la
 EXTRA_DIST = VERSION
-libssl_la_LDFLAGS = -version-info @LIBSSL_VERSION@
+libssl_la_LDFLAGS = -version-info @LIBSSL_VERSION@ -no-undefined
-libssl_la_CFLAGS = $(CFLAGS) $(USER_CFLAGS)
+libssl_la_LIBADD = ../crypto/libcrypto.la
 libssl_la_SOURCES = bio_ssl.c
 libssl_la_SOURCES += bs_ber.c
 libssl_la_SOURCES += bs_cbb.c
 libssl_la_SOURCES += bs_cbs.c
 libssl_la_SOURCES += d1_both.c
 libssl_la_SOURCES += d1_clnt.c
 libssl_la_SOURCES += d1_enc.c
@@ -50,3 +53,4 @@ libssl_la_SOURCES += t1_srvr.c
 noinst_HEADERS = srtp.h
 noinst_HEADERS += ssl_locl.h
 noinst_HEADERS += bytestring.h
--- a/tests/Makefile.am
+++ b/tests/Makefile.am
@@ -0,0 +1,302 @@
 include $(top_srcdir)/Makefile.am.common
 AM_CPPFLAGS += -I $(top_srcdir)/crypto/modes
 AM_CPPFLAGS += -I $(top_srcdir)/crypto/asn1
 AM_CPPFLAGS += -I $(top_srcdir)/ssl
 AM_CPPFLAGS += -I $(top_srcdir)/apps
 LDADD = $(PLATFORM_LDADD) $(PROG_LDADD)
 LDADD += $(top_builddir)/ssl/libssl.la
 LDADD += $(top_builddir)/crypto/libcrypto.la
 TESTS =
 check_PROGRAMS =
 EXTRA_DIST =
 DISTCLEANFILES = pidwraptest.txt
 # aeadtest
 TESTS += aeadtest.sh
 check_PROGRAMS += aeadtest
 aeadtest_SOURCES = aeadtest.c
 EXTRA_DIST += aeadtest.sh
 EXTRA_DIST += aeadtests.txt
 # aes_wrap
 TESTS += aes_wrap
 check_PROGRAMS += aes_wrap
 aes_wrap_SOURCES = aes_wrap.c
 # arc4randomforktest
 # Windows/mingw does not have fork, but Cygwin does.
 if !HOST_WIN
 TESTS += arc4randomforktest.sh
 check_PROGRAMS += arc4randomforktest
 arc4randomforktest_SOURCES = arc4randomforktest.c
 endif
 EXTRA_DIST += arc4randomforktest.sh
 # asn1test
 TESTS += asn1test
 check_PROGRAMS += asn1test
 asn1test_SOURCES = asn1test.c
 # base64test
 TESTS += base64test
 check_PROGRAMS += base64test
 base64test_SOURCES = base64test.c
 # bftest
 TESTS += bftest
 check_PROGRAMS += bftest
 bftest_SOURCES = bftest.c
 # biotest
 # the BIO tests rely on resolver results that are OS and environment-specific
 if ENABLE_EXTRATESTS
 TESTS += biotest
 check_PROGRAMS += biotest
 biotest_SOURCES = biotest.c
 endif
 # bntest
 TESTS += bntest
 check_PROGRAMS += bntest
 bntest_SOURCES = bntest.c
 # bytestringtest
 TESTS += bytestringtest
 check_PROGRAMS += bytestringtest
 bytestringtest_SOURCES = bytestringtest.c
 # casttest
 TESTS += casttest
 check_PROGRAMS += casttest
 casttest_SOURCES = casttest.c
 # chachatest
 TESTS += chachatest
 check_PROGRAMS += chachatest
 chachatest_SOURCES = chachatest.c
 # cipher_list
 TESTS += cipher_list
 check_PROGRAMS += cipher_list
 cipher_list_SOURCES = cipher_list.c
 noinst_HEADERS = tests.h
 # cipherstest
 TESTS += cipherstest
 check_PROGRAMS += cipherstest
 cipherstest_SOURCES = cipherstest.c
 # cts128test
 TESTS += cts128test
 check_PROGRAMS += cts128test
 cts128test_SOURCES = cts128test.c
 # destest
 TESTS += destest
 check_PROGRAMS += destest
 destest_SOURCES = destest.c
 # dhtest
 TESTS += dhtest
 check_PROGRAMS += dhtest
 dhtest_SOURCES = dhtest.c
 # dsatest
 TESTS += dsatest
 check_PROGRAMS += dsatest
 dsatest_SOURCES = dsatest.c
 # ecdhtest
 TESTS += ecdhtest
 check_PROGRAMS += ecdhtest
 ecdhtest_SOURCES = ecdhtest.c
 # ecdsatest
 TESTS += ecdsatest
 check_PROGRAMS += ecdsatest
 ecdsatest_SOURCES = ecdsatest.c
 # ectest
 TESTS += ectest
 check_PROGRAMS += ectest
 ectest_SOURCES = ectest.c
 # enginetest
 TESTS += enginetest
 check_PROGRAMS += enginetest
 enginetest_SOURCES = enginetest.c
 # evptest
 TESTS += evptest.sh
 check_PROGRAMS += evptest
 evptest_SOURCES = evptest.c
 EXTRA_DIST += evptest.sh
 EXTRA_DIST += evptests.txt
 # explicit_bzero
 # explicit_bzero relies on SA_ONSTACK, which is unavailable on Windows
 if !HOST_WIN
 if !HOST_CYGWIN
 TESTS += explicit_bzero
 check_PROGRAMS += explicit_bzero
 explicit_bzero_SOURCES = explicit_bzero.c
 if !HAVE_MEMMEM
 explicit_bzero_SOURCES += memmem.c
 endif
 endif
 endif
 # exptest
 TESTS += exptest
 check_PROGRAMS += exptest
 exptest_SOURCES = exptest.c
 # gcm128test
 TESTS += gcm128test
 check_PROGRAMS += gcm128test
 gcm128test_SOURCES = gcm128test.c
 # gost2814789t
 TESTS += gost2814789t
 check_PROGRAMS += gost2814789t
 gost2814789t_SOURCES = gost2814789t.c
 # hmactest
 TESTS += hmactest
 check_PROGRAMS += hmactest
 hmactest_SOURCES = hmactest.c
 # ideatest
 TESTS += ideatest
 check_PROGRAMS += ideatest
 ideatest_SOURCES = ideatest.c
 # igetest
 TESTS += igetest
 check_PROGRAMS += igetest
 igetest_SOURCES = igetest.c
 # md4test
 TESTS += md4test
 check_PROGRAMS += md4test
 md4test_SOURCES = md4test.c
 # md5test
 TESTS += md5test
 check_PROGRAMS += md5test
 md5test_SOURCES = md5test.c
 # mont
 TESTS += mont
 check_PROGRAMS += mont
 mont_SOURCES = mont.c
 # optionstest
 TESTS += optionstest
 check_PROGRAMS += optionstest
 optionstest_SOURCES = optionstest.c
 # pbkdf2
 TESTS += pbkdf2
 check_PROGRAMS += pbkdf2
 pbkdf2_SOURCES = pbkdf2.c
 # pidwraptest
 # pidwraptest relies on an OS-specific way to give out pids and is generally
 # awkward on systems with slow fork
 if ENABLE_EXTRATESTS
 TESTS += pidwraptest
 check_PROGRAMS += pidwraptest
 pidwraptest_SOURCES = pidwraptest.c
 endif
 # pkcs7test
 TESTS += pkcs7test
 check_PROGRAMS += pkcs7test
 pkcs7test_SOURCES = pkcs7test.c
 # poly1305test
 TESTS += poly1305test
 check_PROGRAMS += poly1305test
 poly1305test_SOURCES = poly1305test.c
 # pq_test
 TESTS += pq_test.sh
 check_PROGRAMS += pq_test
 pq_test_SOURCES = pq_test.c
 EXTRA_DIST += pq_test.sh
 EXTRA_DIST += pq_expected.txt
 # randtest
 TESTS += randtest
 check_PROGRAMS += randtest
 randtest_SOURCES = randtest.c
 # rc2test
 TESTS += rc2test
 check_PROGRAMS += rc2test
 rc2test_SOURCES = rc2test.c
 # rc4test
 TESTS += rc4test
 check_PROGRAMS += rc4test
 rc4test_SOURCES = rc4test.c
 # rmdtest
 TESTS += rmdtest
 check_PROGRAMS += rmdtest
 rmdtest_SOURCES = rmdtest.c
 # sha1test
 TESTS += sha1test
 check_PROGRAMS += sha1test
 sha1test_SOURCES = sha1test.c
 # sha256test
 TESTS += sha256test
 check_PROGRAMS += sha256test
 sha256test_SOURCES = sha256test.c
 # sha512test
 TESTS += sha512test
 check_PROGRAMS += sha512test
 sha512test_SOURCES = sha512test.c
 # shatest
 TESTS += shatest
 check_PROGRAMS += shatest
 shatest_SOURCES = shatest.c
 # ssltest
 TESTS += ssltest.sh
 check_PROGRAMS += ssltest
 ssltest_SOURCES = ssltest.c
 EXTRA_DIST += ssltest.sh
 EXTRA_DIST += testssl ca.pem server.pem
 # testdsa
 TESTS += testdsa.sh
 EXTRA_DIST += testdsa.sh
 EXTRA_DIST += openssl.cnf
 # testenc
 TESTS += testenc.sh
 EXTRA_DIST += testenc.sh
 # testrsa
 TESTS += testrsa.sh
 EXTRA_DIST += testrsa.sh
 # timingsafe
 TESTS += timingsafe
 check_PROGRAMS += timingsafe
 timingsafe_SOURCES = timingsafe.c
 # utf8test
 TESTS += utf8test
 check_PROGRAMS += utf8test
 utf8test_SOURCES = utf8test.c
--- a/tests/Makefile.am.tpl
+++ b/tests/Makefile.am.tpl
@@ -1,14 +0,0 @@
 include $(top_srcdir)/Makefile.am.common
 AM_CPPFLAGS += -I $(top_srcdir)/crypto/modes
 AM_CPPFLAGS += -I $(top_srcdir)/crypto/asn1
 LDADD = $(PLATFORM_LDADD) $(PROG_LDADD)
 LDADD += $(top_builddir)/ssl/libssl.la
 LDADD += $(top_builddir)/crypto/libcrypto.la
 TESTS =
 check_PROGRAMS =
 EXTRA_DIST =
 DISTCLEANFILES = pidwraptest.txt
--- a/tests/openssl.cnf
+++ b/tests/openssl.cnf
@@ -0,0 +1,29 @@
 #	$OpenBSD: openssl.cnf,v 1.1 2014/08/26 17:50:07 jsing Exp $
 #
 # SSLeay example configuration file.
 # This is mostly being used for generation of certificate requests.
 #
 # hacked by iang to do DSA certs - Server
 RANDFILE              = ./.rnd
 ####################################################################
 [ req ]
 distinguished_name    = req_distinguished_name
 encrypt_rsa_key               = no
 [ req_distinguished_name ]
 countryName                   = Country Name (2 letter code)
 countryName_default           = CA
 countryName_value             = CA
 organizationName                = Organization Name (eg, company)
 organizationName_value          = Shake it Vera 
 0.commonName                  = Common Name (eg, YOUR name)
 0.commonName_value            = Wastelandus
 1.commonName                  = Common Name (eg, YOUR name)
 1.commonName_value            = Maximus
--- a/tests/optionstest.c
+++ b/tests/optionstest.c
@@ -0,0 +1,382 @@
 /*	$OpenBSD: optionstest.c,v 1.8 2015/01/22 05:48:00 doug Exp $	*/
 /*
 * Copyright (c) 2014 Joel Sing <jsing@openbsd.org>
 *
 * Permission to use, copy, modify, and distribute this software for any
 * purpose with or without fee is hereby granted, provided that the above
 * copyright notice and this permission notice appear in all copies.
 *
 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
 * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
 * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 */
 #include <stdio.h>
 #include <stdlib.h>
 #include <string.h>
 #include <openssl/bio.h>
 #include <openssl/conf.h>
 #include <apps.h>
 #include <apps.c>
 #include <strtonum.c>
 /* Needed to keep apps.c happy... */
 BIO *bio_err;
 CONF *config;
 static int argfunc(char *arg);
 static int defaultarg(int argc, char **argv, int *argsused);
 static int multiarg(int argc, char **argv, int *argsused);
 static struct {
 	char *arg;
 	int flag;
 } test_config;
 static struct option test_options[] = {
 	{
 		.name = "arg",
 		.argname = "argname",
 		.type = OPTION_ARG,
 		.opt.arg = &test_config.arg,
 	},
 	{
 		.name = "argfunc",
 		.argname = "argname",
 		.type = OPTION_ARG_FUNC,
 		.opt.argfunc = argfunc,
 	},
 	{
 		.name = "flag",
 		.type = OPTION_FLAG,
 		.opt.flag = &test_config.flag,
 	},
 	{
 		.name = "multiarg",
 		.type = OPTION_ARGV_FUNC,
 		.opt.argvfunc = multiarg,
 	},
 	{
 		.name = NULL,
 		.type = OPTION_ARGV_FUNC,
 		.opt.argvfunc = defaultarg,
 	},
 	{ NULL },
 };
 char *args1[] = { "opts" };
 char *args2[] = { "opts", "-arg", "arg", "-flag" };
 char *args3[] = { "opts", "-arg", "arg", "-flag", "unnamed" };
 char *args4[] = { "opts", "-arg", "arg", "unnamed", "-flag" };
 char *args5[] = { "opts", "unnamed1", "-arg", "arg", "-flag", "unnamed2" };
 char *args6[] = { "opts", "-argfunc", "arg", "-flag" };
 char *args7[] = { "opts", "-arg", "arg", "-flag", "-", "-unnamed" };
 char *args8[] = { "opts", "-arg", "arg", "-flag", "file1", "file2", "file3" };
 char *args9[] = { "opts", "-arg", "arg", "-flag", "file1", "-file2", "file3" };
 char *args10[] = { "opts", "-arg", "arg", "-flag", "-", "file1", "file2" };
 char *args11[] = { "opts", "-arg", "arg", "-flag", "-", "-file1", "-file2" };
 char *args12[] = { "opts", "-multiarg", "arg1", "arg2", "-flag", "unnamed" };
 char *args13[] = { "opts", "-multiargz", "arg1", "arg2", "-flagz", "unnamed" };
 struct options_test {
 	int argc;
 	char **argv;
 	enum {
 		OPTIONS_TEST_NONE,
 		OPTIONS_TEST_UNNAMED,
 		OPTIONS_TEST_ARGSUSED,
 	} type;
 	char *unnamed;
 	int used;
 	int want;
 	char *wantarg;
 	int wantflag;
 };
 struct options_test options_tests[] = {
 	{
 		/* Test 1 - No arguments (only program name). */
 		.argc = 1,
 		.argv = args1,
 		.type = OPTIONS_TEST_NONE,
 		.want = 0,
 		.wantarg = NULL,
 		.wantflag = 0,
 	},
 	{
 		/* Test 2 - Named arguments (unnamed not permitted). */
 		.argc = 4,
 		.argv = args2,
 		.type = OPTIONS_TEST_NONE,
 		.want = 0,
 		.wantarg = "arg",
 		.wantflag = 1,
 	},
 	{
 		/* Test 3 - Named arguments (unnamed permitted). */
 		.argc = 4,
 		.argv = args2,
 		.type = OPTIONS_TEST_UNNAMED,
 		.unnamed = NULL,
 		.want = 0,
 		.wantarg = "arg",
 		.wantflag = 1,
 	},
 	{
 		/* Test 4 - Named and single unnamed (unnamed not permitted). */
 		.argc = 5,
 		.argv = args3,
 		.type = OPTIONS_TEST_NONE,
 		.want = 1,
 	},
 	{
 		/* Test 5 - Named and single unnamed (unnamed permitted). */
 		.argc = 5,
 		.argv = args3,
 		.type = OPTIONS_TEST_UNNAMED,
 		.unnamed = "unnamed",
 		.want = 0,
 		.wantarg = "arg",
 		.wantflag = 1,
 	},
 	{
 		/* Test 6 - Named and single unnamed (different sequence). */
 		.argc = 5,
 		.argv = args4,
 		.type = OPTIONS_TEST_UNNAMED,
 		.unnamed = "unnamed",
 		.want = 0,
 		.wantarg = "arg",
 		.wantflag = 1,
 	},
 	{
 		/* Test 7 - Multiple unnamed arguments (should fail). */
 		.argc = 6,
 		.argv = args5,
 		.type = OPTIONS_TEST_UNNAMED,
 		.want = 1,
 	},
 	{
 		/* Test 8 - Function. */
 		.argc = 4,
 		.argv = args6,
 		.type = OPTIONS_TEST_NONE,
 		.want = 0,
 		.wantarg = "arg",
 		.wantflag = 1,
 	},
 	{
 		/* Test 9 - Named and single unnamed (hyphen separated). */
 		.argc = 6,
 		.argv = args7,
 		.type = OPTIONS_TEST_UNNAMED,
 		.unnamed = "-unnamed",
 		.want = 0,
 		.wantarg = "arg",
 		.wantflag = 1,
 	},
 	{
 		/* Test 10 - Named and multiple unnamed. */
 		.argc = 7,
 		.argv = args8,
 		.used = 4,
 		.type = OPTIONS_TEST_ARGSUSED,
 		.want = 0,
 		.wantarg = "arg",
 		.wantflag = 1,
 	},
 	{
 		/* Test 11 - Named and multiple unnamed. */
 		.argc = 7,
 		.argv = args9,
 		.used = 4,
 		.type = OPTIONS_TEST_ARGSUSED,
 		.want = 0,
 		.wantarg = "arg",
 		.wantflag = 1,
 	},
 	{
 		/* Test 12 - Named and multiple unnamed. */
 		.argc = 7,
 		.argv = args10,
 		.used = 5,
 		.type = OPTIONS_TEST_ARGSUSED,
 		.want = 0,
 		.wantarg = "arg",
 		.wantflag = 1,
 	},
 	{
 		/* Test 13 - Named and multiple unnamed. */
 		.argc = 7,
 		.argv = args11,
 		.used = 5,
 		.type = OPTIONS_TEST_ARGSUSED,
 		.want = 0,
 		.wantarg = "arg",
 		.wantflag = 1,
 	},
 	{
 		/* Test 14 - Named only. */
 		.argc = 4,
 		.argv = args2,
 		.used = 4,
 		.type = OPTIONS_TEST_ARGSUSED,
 		.want = 0,
 		.wantarg = "arg",
 		.wantflag = 1,
 	},
 	{
 		/* Test 15 - Multiple argument callback. */
 		.argc = 6,
 		.argv = args12,
 		.unnamed = "unnamed",
 		.type = OPTIONS_TEST_UNNAMED,
 		.want = 0,
 		.wantarg = NULL,
 		.wantflag = 1,
 	},
 	{
 		/* Test 16 - Multiple argument callback. */
 		.argc = 6,
 		.argv = args12,
 		.used = 5,
 		.type = OPTIONS_TEST_ARGSUSED,
 		.want = 0,
 		.wantarg = NULL,
 		.wantflag = 1,
 	},
 	{
 		/* Test 17 - Default callback. */
 		.argc = 6,
 		.argv = args13,
 		.unnamed = "unnamed",
 		.type = OPTIONS_TEST_UNNAMED,
 		.want = 0,
 		.wantarg = NULL,
 		.wantflag = 1,
 	},
 	{
 		/* Test 18 - Default callback. */
 		.argc = 6,
 		.argv = args13,
 		.used = 5,
 		.type = OPTIONS_TEST_ARGSUSED,
 		.want = 0,
 		.wantarg = NULL,
 		.wantflag = 1,
 	},
 };
 #define N_OPTIONS_TESTS \
    (sizeof(options_tests) / sizeof(*options_tests))
 static int
 argfunc(char *arg)
 {
 	test_config.arg = arg;
 	return (0);
 }
 static int
 defaultarg(int argc, char **argv, int *argsused)
 {
 	if (argc < 1)
 		return (1);
 	if (strcmp(argv[0], "-multiargz") == 0) {
 		if (argc < 3)
 			return (1);
 		*argsused = 3;
 		return (0);
 	} else if (strcmp(argv[0], "-flagz") == 0) {
 		test_config.flag = 1;
 		*argsused = 1;
 		return (0);
 	}
 	return (1);
 }
 static int
 multiarg(int argc, char **argv, int *argsused)
 {
 	if (argc < 3)
 		return (1);
 	*argsused = 3;
 	return (0);
 }
 static int
 do_options_test(int test_no, struct options_test *ot)
 {
 	int *argsused = NULL;
 	char *unnamed = NULL;
 	char **arg = NULL;
 	int used = 0;
 	int ret;
 	if (ot->type == OPTIONS_TEST_UNNAMED)
 		arg = &unnamed;
 	else if (ot->type == OPTIONS_TEST_ARGSUSED)
 		argsused = &used;
 	memset(&test_config, 0, sizeof(test_config));
 	ret = options_parse(ot->argc, ot->argv, test_options, arg, argsused);
 	if (ret != ot->want) {
 		fprintf(stderr, "FAIL: test %i options_parse() returned %i, "
 		    "want %i\n", test_no, ret, ot->want);
 		return (1);
 	}
 	if (ret != 0)
 		return (0);
 	if ((test_config.arg != NULL || ot->wantarg != NULL) &&
 	    (test_config.arg == NULL || ot->wantarg == NULL ||
 	     strcmp(test_config.arg, ot->wantarg) != 0)) {
 		fprintf(stderr, "FAIL: test %i got arg '%s', want '%s'\n",
 		    test_no, test_config.arg, ot->wantarg);
 		return (1);
 	}
 	if (test_config.flag != ot->wantflag) {
 		fprintf(stderr, "FAIL: test %i got flag %i, want %i\n",
 		    test_no, test_config.flag, ot->wantflag);
 		return (1);
 	}
 	if (ot->type == OPTIONS_TEST_UNNAMED &&
 	    (unnamed != NULL || ot->unnamed != NULL) &&
 	    (unnamed == NULL || ot->unnamed == NULL ||
 	     strcmp(unnamed, ot->unnamed) != 0)) {
 		fprintf(stderr, "FAIL: test %i got unnamed '%s', want '%s'\n",
 		    test_no, unnamed, ot->unnamed);
 		return (1);
 	}
 	if (ot->type == OPTIONS_TEST_ARGSUSED && used != ot->used) {
 		fprintf(stderr, "FAIL: test %i got used %i, want %i\n",
 		    test_no, used, ot->used);
 		return (1);
 	}
 	return (0);
 }
 int
 main(int argc, char **argv)
 {
 	int failed = 0;
 	size_t i;
 	for (i = 0; i < N_OPTIONS_TESTS; i++) {
 		printf("Test %d%s\n", (int)(i + 1), options_tests[i].want == 0 ?
 		    "" : " is expected to complain");
 		failed += do_options_test(i + 1, &options_tests[i]);
 	}
 	return (failed);
 }
--- a/tests/testdsa.sh
+++ b/tests/testdsa.sh
@@ -0,0 +1,38 @@
 #!/bin/sh
 #	$OpenBSD: testdsa.sh,v 1.1 2014/08/26 17:50:07 jsing Exp $
 #Test DSA certificate generation of openssl
 cmd=../apps/openssl
 if [ -e ../apps/openssl.exe ]; then
 	cmd=../apps/openssl.exe
 fi
 if [ -z $srcdir ]; then
 	srcdir=.
 fi
 # Generate DSA paramter set
 $cmd dsaparam 512 -out dsa512.pem
 if [ $? != 0 ]; then
        exit 1;
 fi
 # Denerate a DSA certificate
 $cmd req -config $srcdir/openssl.cnf -x509 -newkey dsa:dsa512.pem -out testdsa.pem -keyout testdsa.key
 if [ $? != 0 ]; then
        exit 1;
 fi
 # Now check the certificate
 $cmd x509 -text -in testdsa.pem
 if [ $? != 0 ]; then
        exit 1;
 fi
 rm testdsa.key dsa512.pem testdsa.pem
 exit 0
--- a/tests/testenc.sh
+++ b/tests/testenc.sh
@@ -0,0 +1,69 @@
 #!/bin/sh
 #	$OpenBSD: testenc.sh,v 1.1 2014/08/26 17:50:07 jsing Exp $
 test=p
 cmd=../apps/openssl
 if [ -e ../apps/openssl.exe ]; then
 	cmd=../apps/openssl.exe
 fi
 cat openssl.cnf >$test;
 echo cat
 $cmd enc < $test > $test.cipher
 $cmd enc < $test.cipher >$test.clear
 cmp $test $test.clear
 if [ $? != 0 ]
 then
 	exit 1
 else
 	/bin/rm $test.cipher $test.clear
 fi
 echo base64
 $cmd enc -a -e < $test > $test.cipher
 $cmd enc -a -d < $test.cipher >$test.clear
 cmp $test $test.clear
 if [ $? != 0 ]
 then
 	exit 1
 else
 	/bin/rm $test.cipher $test.clear
 fi
 for i in \
 	aes-128-cbc aes-128-cfb aes-128-cfb1 aes-128-cfb8 \
 	aes-128-ecb aes-128-ofb aes-192-cbc aes-192-cfb \
 	aes-192-cfb1 aes-192-cfb8 aes-192-ecb aes-192-ofb \
 	aes-256-cbc aes-256-cfb aes-256-cfb1 aes-256-cfb8 \
 	aes-256-ecb aes-256-ofb \
 	bf-cbc bf-cfb bf-ecb bf-ofb \
 	cast-cbc cast5-cbc cast5-cfb cast5-ecb cast5-ofb \
 	des-cbc des-cfb des-cfb8 des-ecb des-ede \
 	des-ede-cbc des-ede-cfb des-ede-ofb des-ede3 \
 	des-ede3-cbc des-ede3-cfb des-ede3-ofb des-ofb desx-cbc \
 	rc2-40-cbc rc2-64-cbc rc2-cbc rc2-cfb rc2-ecb rc2-ofb \
 	rc4 rc4-40
 do
 	echo $i
 	$cmd $i -e -k test < $test > $test.$i.cipher
 	$cmd $i -d -k test < $test.$i.cipher >$test.$i.clear
 	cmp $test $test.$i.clear
 	if [ $? != 0 ]
 	then
 		exit 1
 	else
 		/bin/rm $test.$i.cipher $test.$i.clear
 	fi
 	echo $i base64
 	$cmd $i -a -e -k test < $test > $test.$i.cipher
 	$cmd $i -a -d -k test < $test.$i.cipher >$test.$i.clear
 	cmp $test $test.$i.clear
 	if [ $? != 0 ]
 	then
 		exit 1
 	else
 		/bin/rm $test.$i.cipher $test.$i.clear
 	fi
 done
 rm -f $test
--- a/tests/testrsa.sh
+++ b/tests/testrsa.sh
@@ -0,0 +1,38 @@
 #!/bin/sh
 #	$OpenBSD: testrsa.sh,v 1.1 2014/08/26 17:50:07 jsing Exp $
 #Test RSA certificate generation of openssl
 cmd=../apps/openssl
 if [ -e ../apps/openssl.exe ]; then
 	cmd=../apps/openssl.exe
 fi
 if [ -z $srcdir ]; then
 	srcdir=.
 fi
 # Generate RSA private key
 $cmd genrsa -out rsakey.pem
 if [ $? != 0 ]; then
        exit 1;
 fi
 # Generate an RSA certificate
 $cmd req -config $srcdir/openssl.cnf -key rsakey.pem -new -x509 -days 365 -out rsacert.pem
 if [ $? != 0 ]; then
        exit 1;
 fi
 # Now check the certificate
 $cmd x509 -text -in rsacert.pem
 if [ $? != 0 ]; then
        exit 1;
 fi
 rm -f rsacert.pem rsakey.pem
 exit 0
--- a/tls/Makefile.am
+++ b/tls/Makefile.am
@@ -1,12 +1,11 @@
 include $(top_srcdir)/Makefile.am.common
 if ENABLE_LIBTLS
 lib_LTLIBRARIES = libtls.la
 EXTRA_DIST = VERSION
-libtls_la_LDFLAGS = -version-info @LIBTLS_VERSION@
+libtls_la_LDFLAGS = -version-info @LIBTLS_VERSION@ -no-undefined
-libtls_la_CFLAGS = $(CFLAGS) $(USER_CFLAGS)
+libtls_la_LIBADD = ../crypto/libcrypto.la ../ssl/libssl.la $(PLATFORM_LDADD)
 libtls_la_SOURCES = tls.c
 libtls_la_SOURCES += tls_client.c
@@ -15,4 +14,7 @@ libtls_la_SOURCES += tls_server.c
 libtls_la_SOURCES += tls_util.c
 libtls_la_SOURCES += tls_verify.c
 noinst_HEADERS = tls_internal.h
 if !HAVE_STRSEP
 libtls_la_SOURCES += strsep.c
 endif
--- a/update.sh
+++ b/update.sh
@@ -18,15 +18,15 @@ fi
 git pull --rebase)
 # setup source paths
-dir=`pwd`
+CWD=`pwd`
-libc_src=$dir/openbsd/src/lib/libc
+libc_src=$CWD/openbsd/src/lib/libc
-libc_regress=$dir/openbsd/src/regress/lib/libc
+libc_regress=$CWD/openbsd/src/regress/lib/libc
-libcrypto_src=$dir/openbsd/src/lib/libcrypto
+libcrypto_src=$CWD/openbsd/src/lib/libcrypto
-libcrypto_regress=$dir/openbsd/src/regress/lib/libcrypto
+libcrypto_regress=$CWD/openbsd/src/regress/lib/libcrypto
-libssl_src=$dir/openbsd/src/lib/libssl
+libssl_src=$CWD/openbsd/src/lib/libssl
-libssl_regress=$dir/openbsd/src/regress/lib/libssl
+libssl_regress=$CWD/openbsd/src/regress/lib/libssl
-libtls_src=$dir/openbsd/src/lib/libtls
+libtls_src=$CWD/openbsd/src/lib/libtls
-openssl_app_src=$dir/openbsd/src/usr.bin/openssl
+openssl_app_src=$CWD/openbsd/src/usr.bin/openssl
 # load library versions
 source $libcrypto_src/crypto/shlib_version
@@ -43,6 +43,7 @@ source $libtls_src/shlib_version
 libtls_version=$major:$minor:0
 echo "libtls version $libtls_version"
 echo $libtls_version > tls/VERSION
 echo $major.$minor.0 > libtls-standalone/VERSION
 do_mv() {
 	if ! cmp -s "$1" "$2"
@@ -61,17 +62,34 @@ $CP $libcrypto_src/crypto/arch/amd64/opensslconf.h include/openssl
 $CP $libssl_src/src/crypto/opensslfeatures.h include/openssl
 $CP $libssl_src/src/e_os2.h include/openssl
 $CP $libssl_src/src/ssl/pqueue.h include
 $CP $libtls_src/tls.h include
-for i in explicit_bzero.c strlcpy.c strlcat.c strndup.c strnlen.c \
+$CP $libtls_src/tls.h include
-		timingsafe_bcmp.c timingsafe_memcmp.c; do
+$CP $libtls_src/tls.h libtls-standalone/include
-	$CP $libc_src/string/$i crypto/compat
+
 for i in crypto/compat libtls-standalone/compat; do
 	$CP $libc_src/crypt/arc4random.c \
 		$libc_src/crypt/chacha_private.h \
 		$libc_src/string/explicit_bzero.c \
 		$libc_src/stdlib/reallocarray.c \
 		$libc_src/string/strlcpy.c \
 		$libc_src/string/strlcat.c \
 		$libc_src/string/strndup.c \
 		$libc_src/string/strnlen.c \
 		$libc_src/string/timingsafe_bcmp.c \
 		$libc_src/string/timingsafe_memcmp.c \
 		$libcrypto_src/crypto/getentropy_*.c \
 		$libcrypto_src/crypto/arc4random_*.h \
 		$i
 done
-$CP $libc_src/stdlib/reallocarray.c crypto/compat
+
-$CP $libc_src/crypt/arc4random.c crypto/compat
+$CP include/stdlib.h \
-$CP $libc_src/crypt/chacha_private.h crypto/compat
+	include/string.h \
-$CP $libcrypto_src/crypto/getentropy_*.c crypto/compat
+	include/unistd.h \
-$CP $libcrypto_src/crypto/arc4random_*.h crypto/compat
+	libtls-standalone/include
 $CP crypto/compat/arc4random*.h \
 	crypto/compat/bsd-asprintf.c \
 	libtls-standalone/compat
 (cd $libssl_src/src/crypto/objects/;
 	perl objects.pl objects.txt obj_mac.num obj_mac.h;
@@ -86,7 +104,7 @@ copy_hdrs() {
 	done
 }
-copy_hdrs crypto "stack/stack.h lhash/lhash.h stack/safestack.h opensslv.h
+copy_hdrs crypto "stack/stack.h lhash/lhash.h stack/safestack.h
 	ossl_typ.h err/err.h crypto.h comp/comp.h x509/x509.h buffer/buffer.h
 	objects/objects.h asn1/asn1.h bn/bn.h ec/ec.h ecdsa/ecdsa.h
 	ecdh/ecdh.h rsa/rsa.h sha/sha.h x509/x509_vfy.h pkcs7/pkcs7.h pem/pem.h
@@ -95,13 +113,17 @@ copy_hdrs crypto "stack/stack.h lhash/lhash.h stack/safestack.h opensslv.h
 	aes/aes.h modes/modes.h asn1/asn1t.h dso/dso.h bf/blowfish.h
 	bio/bio.h cast/cast.h cmac/cmac.h conf/conf_api.h des/des.h dh/dh.h
 	dsa/dsa.h cms/cms.h engine/engine.h ui/ui.h pkcs12/pkcs12.h ts/ts.h
-	md4/md4.h ripemd/ripemd.h whrlpool/whrlpool.h idea/idea.h mdc2/mdc2.h
+	md4/md4.h ripemd/ripemd.h whrlpool/whrlpool.h idea/idea.h
-	rc2/rc2.h rc4/rc4.h rc5/rc5.h ui/ui_compat.h txt_db/txt_db.h
+	rc2/rc2.h rc4/rc4.h ui/ui_compat.h txt_db/txt_db.h
 	chacha/chacha.h evp/evp.h poly1305/poly1305.h camellia/camellia.h
 	gost/gost.h"
 copy_hdrs ssl "srtp.h ssl.h ssl2.h ssl3.h ssl23.h tls1.h dtls1.h"
 sed -e "s/\"LibreSSL .*\"/\"LibreSSL ${libressl_version}\"/" \
 	$libssl_src/src/crypto/opensslv.h > include/openssl/opensslv.h.lcl
 $MV include/openssl/opensslv.h.lcl include/openssl/opensslv.h
 # copy libcrypto source
 echo copying libcrypto source
 rm -f crypto/*.c crypto/*.h
@@ -121,10 +143,20 @@ $CP crypto/compat/ui_openssl_win.c crypto/ui
 asm_src=$libssl_src/src/crypto
 gen_asm_stdout() {
 	perl $asm_src/$2 $1 > $3.tmp
 	[[ $1 == "elf" ]] && cat <<-EOF >> $3.tmp
 	#if defined(HAVE_GNU_STACK)
 	.section .note.GNU-stack,"",%progbits
 	#endif
 	EOF
 	$MV $3.tmp $3
 }
 gen_asm() {
 	perl $asm_src/$2 $1 $3.tmp
 	[[ $1 == "elf" ]] && cat <<-EOF >> $3.tmp
 	#if defined(HAVE_GNU_STACK)
 	.section .note.GNU-stack,"",%progbits
 	#endif
 	EOF
 	$MV $3.tmp $3
 }
 for abi in elf macosx; do
@@ -152,10 +184,21 @@ done
 # copy libtls source
 echo copying libtls source
-rm -f tls/*.c tls/*.h
+rm -f tls/*.c tls/*.h libtls/src/*.c libtls/src/*.h
 for i in `awk '/SOURCES|HEADERS/ { print $3 }' tls/Makefile.am` ; do
-	$CP $libtls_src/$i tls
+	if [ -e $libtls_src/$i ]; then
 		$CP $libtls_src/$i tls
 		$CP $libtls_src/$i libtls-standalone/src
 	fi
 done
 $CP $libc_src/string/strsep.c tls
 $CP $libc_src/string/strsep.c libtls-standalone/compat
 mkdir -p libtls-standalone/m4
 $CP m4/check*.m4 \
 	m4/disable*.m4 \
 	libtls-standalone/m4
 sed -e "s/compat\///" crypto/Makefile.am.arc4random > \
 	libtls-standalone/compat/Makefile.am.arc4random
 # copy openssl(1) source
 echo "copying openssl(1) source"
@@ -166,6 +209,7 @@ for i in `awk '/SOURCES|HEADERS/ { print $3 }' apps/Makefile.am` ; do
 		$CP $openssl_app_src/$i apps
 	fi
 done
 patch -p0 < patches/openssl.c.patch
 # copy libssl source
 echo "copying libssl source"
@@ -176,95 +220,31 @@ done
 # copy libcrypto tests
 echo "copying tests"
-rm -f tests/biotest.c
+for i in `find $libcrypto_regress -name '*.c'`; do
-for i in aead/aeadtest.c aeswrap/aes_wrap.c base64/base64test.c bf/bftest.c \
+	 $CP "$i" tests
 	bn/general/bntest.c bn/mont/mont.c \
 	cast/casttest.c chacha/chachatest.c cts128/cts128test.c \
 	des/destest.c dh/dhtest.c dsa/dsatest.c ec/ectest.c ecdh/ecdhtest.c \
 	ecdsa/ecdsatest.c engine/enginetest.c evp/evptest.c exp/exptest.c \
 	gcm128/gcm128test.c hmac/hmactest.c idea/ideatest.c ige/igetest.c \
 	md4/md4test.c md5/md5test.c mdc2/mdc2test.c poly1305/poly1305test.c \
 	pkcs7/pkcs7test.c pqueue/pq_test.c rand/randtest.c rc2/rc2test.c \
 	rc4/rc4test.c rmd/rmdtest.c sha/shatest.c sha1/sha1test.c \
 	sha256/sha256test.c sha512/sha512test.c utf8/utf8test.c \
 	gost/gost2814789t.c ; do
 	 $CP $libcrypto_regress/$i tests
 done
 $CP $libcrypto_regress/evp/evptests.txt tests
 $CP $libcrypto_regress/aead/aeadtests.txt tests
 $CP $libcrypto_regress/pqueue/expected.txt tests/pq_expected.txt
 # copy libc tests
 $CP $libc_regress/arc4random-fork/arc4random-fork.c tests/arc4randomforktest.c
 $CP $libc_regress/explicit_bzero/explicit_bzero.c tests
 $CP $libc_src/string/memmem.c tests
 $CP $libc_regress/timingsafe/timingsafe.c tests
 # copy libssl tests
 $CP $libssl_regress/asn1/asn1test.c tests
 $CP $libssl_regress/ssl/testssl tests
-$CP $libssl_regress/ssl/ssltest.c tests
+for i in `find $libssl_regress -name '*.c'`; do
 	 $CP "$i" tests
 done
 $CP $libssl_regress/unit/tests.h tests
 $CP $libssl_regress/certs/ca.pem tests
 $CP $libssl_regress/certs/server.pem tests
 # setup test drivers
 # do not directly run all test programs
 test_drivers=(
 	aeadtest
 	evptest
 	pq_test
 	ssltest
 	arc4randomforktest
 	pidwraptest
 )
 tests_posix_only=(
 	arc4randomforktest
 	explicit_bzero
 	pidwraptest
 )
 $CP $libc_src/string/memmem.c tests/
 (cd tests
 	$CP Makefile.am.tpl Makefile.am
 	for i in `ls -1 *.c|sort|grep -v memmem.c`; do
 		TEST=`echo $i|sed -e "s/\.c//"`
 		if [[ ${tests_posix_only[*]} =~ "$TEST" ]]; then
 			echo "if !HOST_WIN" >> Makefile.am
 		fi
 		if ! [[ ${test_drivers[*]} =~ "$TEST" ]]; then
 			echo "TESTS += $TEST" >> Makefile.am
 		fi
 		echo "check_PROGRAMS += $TEST" >> Makefile.am
 		echo "${TEST}_SOURCES = $i" >> Makefile.am
 		if [[ ${TEST} = "explicit_bzero" ]]; then
 			echo "if !HAVE_MEMMEM" >> Makefile.am
 			echo "explicit_bzero_SOURCES += memmem.c" >> Makefile.am
 			echo "endif" >> Makefile.am
 		fi
 		if [[ ${tests_posix_only[*]} =~ "$TEST" ]]; then
 			echo "endif" >> Makefile.am
 		fi
 	done
 )
 $CP $libcrypto_regress/evp/evptests.txt tests
 $CP $libcrypto_regress/aead/aeadtests.txt tests
 $CP $libcrypto_regress/pqueue/expected.txt tests/pq_expected.txt
 chmod 755 tests/testssl
 for i in "${test_drivers[@]}"; do
 	if [ -e tests/${i}.sh ]; then
 		if [[ ${tests_posix_only[*]} =~ "$i" ]]; then
 			echo "if !HOST_WIN" >> tests/Makefile.am
 		fi
 		if ! [[ ${tests_disabled[*]} =~ "$i" ]]; then
 			echo "TESTS += ${i}.sh" >> tests/Makefile.am
 		fi
 		if [[ ${tests_posix_only[*]} =~ "$i" ]]; then
 			echo "endif" >> tests/Makefile.am
 		fi
 		echo "EXTRA_DIST += ${i}.sh" >> tests/Makefile.am
 	fi
 done
 echo "EXTRA_DIST += aeadtests.txt" >> tests/Makefile.am
 echo "EXTRA_DIST += evptests.txt" >> tests/Makefile.am
 echo "EXTRA_DIST += pq_expected.txt" >> tests/Makefile.am
 echo "EXTRA_DIST += testssl ca.pem server.pem" >> tests/Makefile.am
 # add headers
 (cd include/openssl
 	$CP Makefile.am.tpl Makefile.am
 	for i in `ls -1 *.h|sort`; do
@@ -272,23 +252,49 @@ echo "EXTRA_DIST += testssl ca.pem server.pem" >> tests/Makefile.am
 	done
 )
-echo "copying manpages"
+add_man_links() {
-# copy manpages
+	filter=$1
-(cd man
+	dest=$2
-	$CP Makefile.am.tpl Makefile.am
+	echo "install-data-hook:" >> $dest
 	for i in `grep $filter man/links`; do
 		IFS=","; set $i; unset IFS
 		if [ "$2" != "" ]; then
 			echo "	ln -sf $1 \$(DESTDIR)\$(mandir)/man3/$2" >> $dest
 		fi
 	done
 	echo "" >> $dest
 	echo "uninstall-local:" >> $dest
 	for i in `grep $filter man/links`; do
 		IFS=","; set $i; unset IFS
 		if [ "$2" != "" ]; then
 			echo "	-rm -f \$(DESTDIR)\$(mandir)/man3/$2" >> $dest
 		fi
 	done
 }
 # copy manpages
 echo "copying manpages"
 echo dist_man_MANS= > man/Makefile.am
 $CP $openssl_app_src/openssl.1 man
 echo "dist_man_MANS += openssl.1" >> man/Makefile.am
 $CP $libtls_src/tls_init.3 man
 echo "dist_man_MANS += tls_init.3" >> man/Makefile.am
 (cd man
 	# update new-style manpages
 	for i in `ls -1 $libssl_src/src/doc/ssl/*.3 | sort`; do
 		NAME=`basename "$i"`
 		$CP $i .
 		echo "dist_man_MANS += $NAME" >> Makefile.am
 	done
-	$CP $openssl_app_src/openssl.1 .
+
-	echo "dist_man_MANS += openssl.1" >> Makefile.am
+	for i in `ls -1 $libcrypto_src/man/*.3 | sort`; do
-	$CP $libtls_src/tls_init.3 .
+		NAME=`basename "$i"`
-	echo "if ENABLE_LIBTLS" >> Makefile.am
+		$CP $i .
-	echo "dist_man_MANS += tls_init.3" >> Makefile.am
+		echo "dist_man_MANS += $NAME" >> Makefile.am
-	echo "endif" >> Makefile.am
+	done
 	# convert remaining POD manpages
 	for i in `ls -1 $libssl_src/src/doc/crypto/*.pod | sort`; do
@@ -302,31 +308,12 @@ echo "copying manpages"
 		fi
 		echo "dist_man_MANS += $NAME.3" >> Makefile.am
 	done
 	echo "install-data-hook:" >> Makefile.am
 	source ./links
 	for i in $SSL_MLINKS; do
 		IFS=","; set $i; unset IFS
 		echo "	ln -f \$(DESTDIR)\$(mandir)/man3/$1 \\" >> Makefile.am
 		echo "    \$(DESTDIR)\$(mandir)/man3/$2" >> Makefile.am
 	done
 	echo "if ENABLE_LIBTLS" >> Makefile.am
 	for i in $TLS_MLINKS; do
 		IFS=","; set $i; unset IFS
 		echo "	ln -f \$(DESTDIR)\$(mandir)/man3/$1 \\" >> Makefile.am
 		echo "    \$(DESTDIR)\$(mandir)/man3/$2" >> Makefile.am
 	done
 	echo "endif" >> Makefile.am
 	echo "" >> Makefile.am
 	echo "uninstall-local:" >> Makefile.am
 	for i in $SSL_MLINKS; do
 		IFS=","; set $i; unset IFS
 		echo "	-rm -f \$(DESTDIR)\$(mandir)/man3/$2" >> Makefile.am
 	done
 	echo "if ENABLE_LIBTLS" >> Makefile.am
 	for i in $TLS_MLINKS; do
 		IFS=","; set $i; unset IFS
 		echo "	rm -f \$(DESTDIR)\$(mandir)/man3/$2" >> Makefile.am
 	done
 	echo "endif" >> Makefile.am
 )
 add_man_links . man/Makefile.am
 # standalone libtls manpages
 mkdir -p libtls-standalone/man
 echo "dist_man_MANS = tls_init.3" > libtls-standalone/man/Makefile.am
 $CP $libtls_src/tls_init.3 libtls-standalone/man
 add_man_links tls_init libtls-standalone/man/Makefile.am
`@@ -1,2 +1,2 @@`
	`AM_CPPFLAGS = -I$(top_srcdir)/include`	`AM_CFLAGS = -I$(top_srcdir)/include`
	`AM_CPPFLAGS += -DLIBRESSL_INTERNAL`	`AM_CPPFLAGS = -DLIBRESSL_INTERNAL`
		`@@ -1,2 +0,0 @@`
			`include $(top_srcdir)/Makefile.am.common`
			`dist_man_MANS=`