update Changelog

Without this, we actually fail to build a library that includes the
bultin getentropy when compiling for 10.11 on 10.12.

.gitignore

@@ -41,62 +41,70 @@ Makefile.in
 *.def
 *.pc
 
+# man pages
+*.1
+*.3
+
 # tests
 test-driver
 *.log
 *.trs
 tests/aes_wrap*
 tests/arc4random_fork*
+tests/asn1time*
+tests/cipher*
 tests/explicit_bzero*
 tests/gost2814789t*
 tests/mont*
+tests/rfc5280time*
 tests/timingsafe*
 tests/*test
+tests/tests.h
 tests/*test.c
 tests/memmem.c
 tests/pbkdf2*
 tests/*.pem
 tests/testssl
 tests/*.txt
+!tests/optionstest.c
+!tests/*.test
 
 # ctags stuff
 TAGS
 
-## The initial / makes these files only get ignored in particular directories.
-/autom4te.cache
+autom4te.cache
 
 # Libtool adds these, at least sometimes
 INSTALL
-/m4/libtool.m4
-/m4/ltoptions.m4
-/m4/ltsugar.m4
-/m4/ltversion.m4
-/m4/lt~obsolete.m4
+/COPYING
+!m4/check*.m4
+m4/l*
 
-/aclocal.m4
-/compile
-/doxygen
-/config.guess
-/config.log
-/config.status
-/config.sub
-/configure
-/depcomp
-/config.h
-/config.h.in
-/install-sh
-/libtool
-/ltmain.sh
-/missing
-/stamp-h1
-/stamp-h2
+aclocal.m4
+compile
+doxygen
+config.guess
+config.log
+config.status
+config.sub
+configure
+depcomp
+config.h
+config.h.in
+install-sh
+libtool
+ltmain.sh
+missing
+stamp-h1
+stamp-h2
 
 include/openssl/Makefile.am
-tests/Makefile.am
 
+VERSION
 crypto/VERSION
 ssl/VERSION
 tls/VERSION
+libtls-standalone/VERSION
 
 ssl/*.c
 ssl/*.h
@@ -105,98 +113,44 @@ tls/*.h
 include/pqueue.h
 include/tls.h
 include/openssl/*.h
-include/openssl/*.he
-apps/*.h
-apps/*.c
-apps/openssl
-apps/openssl.cnf
-!apps/apps_win.c
-!apps/poll_win.c
-!apps/certhash_disabled.c
 
-crypto/compat/arc4random.c
-crypto/compat/chacha_private.h
-crypto/compat/explicit_bzero.c
-crypto/compat/getentropy_*.c
-crypto/compat/reallocarray.c
-crypto/compat/strlcat.c
-crypto/compat/strlcpy.c
-crypto/compat/strndup.c
-crypto/compat/strnlen.c
-crypto/compat/timingsafe_bcmp.c
-crypto/compat/timingsafe_memcmp.c
-crypto/compat/arc4random_*.h
+/apps/nc/*.h
+/apps/nc/*.c
+/apps/nc/nc*
+!/apps/nc/readpassphrase.c
+/apps/openssl/*.h
+/apps/openssl/*.c
+/apps/openssl/*.cnf
+/apps/openssl/*.pem
+/apps/openssl/openssl
+/apps/openssl/compat/strtonum.c
+!/apps/openssl/apps_win.c
+!/apps/openssl/certhash_win.c
+
+!/crypto/Makefile.am.*
+!/crypto/compat/arc4random.h
+!/crypto/compat/b_win.c
+!/crypto/compat/explicit_bzero_win.c
+!/crypto/compat/posix_win.c
+!/crypto/compat/bsd_asprintf.c
+!/crypto/compat/inet_pton.c
+!/crypto/compat/timegm.c
+!/crypto/compat/ui_openssl_win.c
+!/crypto/CMakeLists.txt
+/crypto
+
+!/libtls-standalone/compat/Makefile.am
+/libtls-standalone/include/*.h
+/libtls-standalone/src/*.c
+/libtls-standalone/src/*.h
+/libtls-standalone/src
+/libtls-standalone/tests/test
+/libtls-standalone/compat
+/libtls-standalone/VERSION
+/libtls-standalone/m4
+/libtls-standalone/man
 
-crypto/aes/
-crypto/asn1/
-crypto/bf/
-crypto/bio/
-crypto/bn/
-crypto/buffer/
-crypto/camellia/
-crypto/cast/
-crypto/camellia/
-crypto/chacha/
-crypto/cmac/
-crypto/comp/
-crypto/conf/
-crypto/cpt_err.c
-crypto/cryptlib.c
-crypto/cryptlib.h
-crypto/cversion.c
-crypto/des/
-crypto/dh/
-crypto/dsa/
-crypto/dso/
-crypto/ec/
-crypto/ecdh/
-crypto/ecdsa/
-crypto/engine/
-crypto/err/
-crypto/evp/
-crypto/ex_data.c
-crypto/gost/
-crypto/hmac/
-crypto/idea/
-crypto/krb5/
-crypto/lhash/
-crypto/malloc-wrapper.c
-crypto/md32_common.h
-crypto/md4/
-crypto/md5/
-crypto/mdc2/
-crypto/mem_clr.c
-crypto/mem_dbg.c
-crypto/modes/
-crypto/o_init.c
-crypto/o_str.c
-crypto/o_time.c
-crypto/o_time.h
-crypto/objects
-crypto/ocsp/
-crypto/pem/
-crypto/pkcs12/
-crypto/pkcs7/
-crypto/poly1305/
-crypto/pqueue/
-crypto/rand/
-crypto/rc2/
-crypto/rc4/
-crypto/ripemd/
-crypto/rsa/
-crypto/sha/
-crypto/stack/
-crypto/ts/
-crypto/txt_db/
-crypto/ui/
-crypto/whrlpool/
-crypto/x509/
-crypto/x509v3/
 openbsd/
+
 *.tar.gz
-apps/*.1*
-man/*.3
-man/*.1
 man/Makefile.am
-.gitmodules
-COPYING

.travis.yml

@@ -1,24 +1,24 @@
 language: c
 matrix:
-        include:
-                - compiler: clang
-                  os: osx
-                  env: ARCH=native
-                - compiler: gcc
-                  os: osx
-                  env: ARCH=native
-                - compiler: clang
-                  os: linux
-                  env: ARCH=native
-                - compiler: gcc
-                  os: linux
-                  env: ARCH=native
-                - compiler: gcc
-                  os: linux
-                  env: ARCH=mingw32
-                - compiler: gcc
-                  os: linux
-                  env: ARCH=mingw64
+  include:
+    - compiler: clang
+      os: osx
+      env: ARCH=native
+    - compiler: gcc
+      os: osx
+      env: ARCH=native
+    - compiler: clang
+      os: linux
+      env: ARCH=native
+    - compiler: gcc
+      os: linux
+      env: ARCH=native
+    - compiler: gcc
+      os: linux
+      env: ARCH=mingw32
+    - compiler: gcc
+      os: linux
+      env: ARCH=mingw64
 
 script:
-        "./scripts/travis"
+  "./scripts/travis"

CMakeLists.txt

@@ -0,0 +1,268 @@
+cmake_minimum_required (VERSION 2.8.8)
+include(CheckFunctionExists)
+include(CheckLibraryExists)
+include(CheckIncludeFiles)
+include(CheckTypeSize)
+
+project (LibreSSL C)
+
+enable_testing()
+
+file(READ ${CMAKE_SOURCE_DIR}/ssl/VERSION SSL_VERSION)
+string(STRIP ${SSL_VERSION} SSL_VERSION)
+string(REPLACE ":" "." SSL_VERSION ${SSL_VERSION})
+string(REGEX REPLACE "\\..*" "" SSL_MAJOR_VERSION ${SSL_VERSION})
+
+file(READ ${CMAKE_SOURCE_DIR}/crypto/VERSION CRYPTO_VERSION)
+string(STRIP ${CRYPTO_VERSION} CRYPTO_VERSION)
+string(REPLACE ":" "." CRYPTO_VERSION ${CRYPTO_VERSION})
+string(REGEX REPLACE "\\..*" "" CRYPTO_MAJOR_VERSION ${CRYPTO_VERSION})
+
+file(READ ${CMAKE_SOURCE_DIR}/tls/VERSION TLS_VERSION)
+string(STRIP ${TLS_VERSION} TLS_VERSION)
+string(REPLACE ":" "." TLS_VERSION ${TLS_VERSION})
+string(REGEX REPLACE "\\..*" "" TLS_MAJOR_VERSION ${TLS_VERSION})
+
+option(ENABLE_ASM "Enable assembly" ON)
+option(ENABLE_EXTRATESTS "Enable extra tests that may be unreliable on some platforms" OFF)
+option(ENABLE_NC "Enable installing TLS-enabled nc(1)" OFF)
+set(OPENSSLDIR ${OPENSSLDIR} CACHE PATH "Set the default openssl directory" FORCE)
+
+set(BUILD_NC true)
+
+if(CMAKE_SYSTEM_NAME MATCHES "Darwin")
+	add_definitions(-fno-common)
+endif()
+
+if(CMAKE_SYSTEM_NAME MATCHES "OpenBSD")
+	add_definitions(-DHAVE_ATTRIBUTE__BOUNDED__)
+endif()
+
+if(CMAKE_SYSTEM_NAME MATCHES "Linux")
+	add_definitions(-D_DEFAULT_SOURCE)
+	add_definitions(-D_BSD_SOURCE)
+	add_definitions(-D_POSIX_SOURCE)
+	add_definitions(-D_GNU_SOURCE)
+endif()
+
+if(CMAKE_SYSTEM_NAME MATCHES "MINGW")
+	set(BUILD_NC false)
+endif()
+
+if(MSVC)
+	set(BUILD_NC false)
+endif()
+
+if(CMAKE_SYSTEM_NAME MATCHES "HP-UX")
+	if(CMAKE_C_COMPILER MATCHES "gcc")
+		set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -Wall -std=gnu99 -fno-strict-aliasing")
+		set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -mlp64")
+	else()
+		set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -g -O2 +DD64 +Otype_safety=off")
+	endif()
+	set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -D_XOPEN_SOURCE=600 -D__STRICT_ALIGNMENT")
+endif()
+
+if(CMAKE_SYSTEM_NAME MATCHES "SunOS")
+	set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -Wall -std=gnu99 -fno-strict-aliasing")
+	set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -D__EXTENSIONS__")
+	set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -D_XOPEN_SOURCE=600")
+	set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -DBSD_COMP")
+	set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -fpic -m64")
+endif()
+
+add_definitions(-DLIBRESSL_INTERNAL)
+add_definitions(-DOPENSSL_NO_HW_PADLOCK)
+
+set(CMAKE_POSITION_INDEPENDENT_CODE true)
+
+if (CMAKE_COMPILER_IS_GNUCC OR CMAKE_C_COMPILER_ID MATCHES "Clang")
+	add_definitions(-Wno-pointer-sign)
+endif()
+
+if(MSVC)
+	add_definitions(-Dinline=__inline)
+	add_definitions(-Drestrict)
+	add_definitions(-D_CRT_SECURE_NO_WARNINGS)
+	add_definitions(-D_CRT_DEPRECATED_NO_WARNINGS)
+	add_definitions(-D_REENTRANT -D_POSIX_THREAD_SAFE_FUNCTIONS)
+	add_definitions(-DWIN32_LEAN_AND_MEAN -D_WIN32_WINNT=0x0501)
+	add_definitions(-DCPPFLAGS -DOPENSSL_NO_SPEED -DNO_SYSLOG -DNO_CRYPT)
+
+	set(MSVC_DISABLED_WARNINGS_LIST
+		"C4057" # C4057: 'initializing' : 'unsigned char *' differs in
+		        # indirection to slightly different base types from 'char [2]'
+		"C4100" # 'exarg' : unreferenced formal parameter
+		"C4127" # conditional expression is constant
+		"C4242" # 'function' : conversion from 'int' to 'uint8_t',
+		        # possible loss of data
+		"C4244" # 'function' : conversion from 'int' to 'uint8_t',
+		        # possible loss of data
+		"C4706" # assignment within conditional expression
+		"C4820" # 'bytes' bytes padding added after construct 'member_name'
+		"C4996" # 'read': The POSIX name for this item is deprecated. Instead,
+		        # use the ISO C++ conformant name: _read.
+	)
+	string(REPLACE "C" " -wd" MSVC_DISABLED_WARNINGS_STR
+		${MSVC_DISABLED_WARNINGS_LIST})
+	set(CMAKE_C_FLAGS  "-MP -W4 ${MSVC_DISABLED_WARNINGS_STR}")
+endif()
+
+check_function_exists(asprintf HAVE_ASPRINTF)
+if(HAVE_ASPRINTF)
+	add_definitions(-DHAVE_ASPRINTF)
+endif()
+
+check_function_exists(inet_pton HAVE_INET_PTON)
+if(HAVE_INET_PTON)
+	add_definitions(-DHAVE_INET_PTON)
+endif()
+
+check_function_exists(reallocarray HAVE_REALLOCARRAY)
+if(HAVE_REALLOCARRAY)
+	add_definitions(-DHAVE_REALLOCARRAY)
+endif()
+
+check_function_exists(strcasecmp HAVE_STRCASECMP)
+if(HAVE_STRCASECMP)
+	add_definitions(-DHAVE_STRCASECMP)
+endif()
+
+check_function_exists(strlcat HAVE_STRLCAT)
+if(HAVE_STRLCAT)
+	add_definitions(-DHAVE_STRLCAT)
+endif()
+
+check_function_exists(strlcpy HAVE_STRLCPY)
+if(HAVE_STRLCPY)
+	add_definitions(-DHAVE_STRLCPY)
+endif()
+
+check_function_exists(strndup HAVE_STRNDUP)
+if(HAVE_STRNDUP)
+	add_definitions(-DHAVE_STRNDUP)
+endif()
+
+if(MSVC)
+	set(HAVE_STRNLEN true)
+	add_definitions(-DHAVE_STRNLEN)
+else()
+	check_function_exists(strnlen HAVE_STRNLEN)
+	if(HAVE_STRNLEN)
+		add_definitions(-DHAVE_STRNLEN)
+	endif()
+endif()
+
+check_function_exists(strsep HAVE_STRSEP)
+if(HAVE_STRSEP)
+	add_definitions(-DHAVE_STRSEP)
+endif()
+
+check_function_exists(timegm HAVE_TIMEGM)
+if(HAVE_TIMEGM)
+	add_definitions(-DHAVE_TIMEGM)
+endif()
+
+check_function_exists(arc4random_buf HAVE_ARC4RANDOM_BUF)
+if(HAVE_ARC4RANDOM_BUF)
+	add_definitions(-DHAVE_ARC4RANDOM_BUF)
+endif()
+
+check_function_exists(arc4random_uniform HAVE_ARC4RANDOM_UNIFORM)
+if(HAVE_ARC4RANDOM_UNIFORM)
+	add_definitions(-DHAVE_ARC4RANDOM_UNIFORM)
+endif()
+
+check_function_exists(explicit_bzero HAVE_EXPLICIT_BZERO)
+if(HAVE_EXPLICIT_BZERO)
+	add_definitions(-DHAVE_EXPLICIT_BZERO)
+endif()
+
+check_function_exists(getauxval HAVE_GETAUXVAL)
+if(HAVE_GETAUXVAL)
+	add_definitions(-DHAVE_GETAUXVAL)
+endif()
+
+check_function_exists(getentropy HAVE_GETENTROPY)
+if(HAVE_GETENTROPY)
+	add_definitions(-DHAVE_GETENTROPY)
+endif()
+
+check_function_exists(timingsafe_bcmp HAVE_TIMINGSAFE_BCMP)
+if(HAVE_TIMINGSAFE_BCMP)
+	add_definitions(-DHAVE_TIMINGSAFE_BCMP)
+endif()
+
+check_function_exists(timingsafe_memcmp HAVE_TIMINGSAFE_MEMCMP)
+if(HAVE_MEMCMP)
+	add_definitions(-DHAVE_MEMCMP)
+endif()
+
+check_function_exists(memmem HAVE_MEMMEM)
+if(HAVE_MEMMEM)
+	add_definitions(-DHAVE_MEMMEM)
+endif()
+
+check_include_files(err.h HAVE_ERR_H)
+if(HAVE_ERR_H)
+	add_definitions(-DHAVE_ERR_H)
+endif()
+
+if(ENABLE_ASM)
+	if("${CMAKE_C_COMPILER_ABI}" STREQUAL "ELF")
+		if("${CMAKE_SYSTEM_PROCESSOR}" MATCHES "(x86_64|amd64)")
+			set(HOST_ASM_ELF_X86_64 true)
+		elseif(CMAKE_SYSTEM_NAME STREQUAL "SunOS" AND "${CMAKE_SYSTEM_PROCESSOR}" STREQUAL "i386")
+			set(HOST_ASM_ELF_X86_64 true)
+		endif()
+	elseif(APPLE AND "${CMAKE_SYSTEM_PROCESSOR}" STREQUAL "x86_64")
+		set(HOST_ASM_MACOSX_X86_64 true)
+	endif()
+endif()
+
+set(OPENSSL_LIBS ssl crypto)
+if(CMAKE_HOST_WIN32)
+	set(OPENSSL_LIBS ${OPENSSL_LIBS} ws2_32)
+endif()
+if(CMAKE_SYSTEM_NAME MATCHES "Linux")
+	check_library_exists(rt clock_gettime "time.h" HAVE_CLOCK_GETTIME)
+	if (HAVE_CLOCK_GETTIME)
+		set(OPENSSL_LIBS ${OPENSSL_LIBS} rt)
+	endif()
+endif()
+if(CMAKE_SYSTEM_NAME MATCHES "HP-UX")
+	set(OPENSSL_LIBS ${OPENSSL_LIBS} pthread)
+endif()
+if(CMAKE_SYSTEM_NAME MATCHES "SunOS")
+	set(OPENSSL_LIBS ${OPENSSL_LIBS} nsl socket)
+endif()
+
+if(NOT (CMAKE_SYSTEM_NAME MATCHES "(Darwin|MINGW|CYGWIN)" OR MSVC))
+	set(BUILD_SHARED true)
+endif()
+
+check_type_size(time_t SIZEOF_TIME_T)
+if(SIZEOF_TIME_T STREQUAL "4")
+	set(SMALL_TIME_T true)
+	message(WARNING " ** Warning, this system is unable to represent times past 2038\n"
+	                " ** It will behave incorrectly when handling valid RFC5280 dates")
+endif()
+add_definitions(-DSIZEOF_TIME_T=${SIZEOF_TIME_T})
+
+add_subdirectory(crypto)
+add_subdirectory(ssl)
+add_subdirectory(apps)
+add_subdirectory(tls)
+add_subdirectory(include)
+if(NOT MSVC)
+	add_subdirectory(man)
+	add_subdirectory(tests)
+endif()
+
+configure_file(
+	"${CMAKE_CURRENT_SOURCE_DIR}/cmake_uninstall.cmake.in"
+	"${CMAKE_CURRENT_BINARY_DIR}/cmake_uninstall.cmake"
+	IMMEDIATE @ONLY)
+
+add_custom_target(uninstall
+	COMMAND ${CMAKE_COMMAND} -P ${CMAKE_CURRENT_BINARY_DIR}/cmake_uninstall.cmake)

ChangeLog

@@ -28,12 +28,438 @@ history is also available from Git.
 
 LibreSSL Portable Release Notes:
 
+2.4.5  - Security and compatibility fixes
+
+	* Avoid a side-channel cache-timing attack that can leak the ECDSA
+	  private keys when signing. This is due to BN_mod_inverse() being
+	  used without the constant time flag being set.
+
+	  This issue was reported by Cesar Pereida Garcia and Billy Brumley
+	  (Tampere University of Technology). The fix was developed by Cesar
+	  Pereida Garcia.
+
+	* iOS and MacOS compatibility updates from Simone Basso and Jacob
+	  Berkman.
+
+2.4.4 - Reliability improvements
+
+	* Avoid continual processing of an unlimited number of TLS records,
+	  which can cause a denial-of-service condition.
+
+	* In X509_cmp_time(), pass asn1_time_parse() the tag of the field
+	  being parsed so that a malformed GeneralizedTime field is recognized as
+	  an error instead of potentially being interpreted as if it was a valid
+	  UTCTime.
+
+	* Improve ticket validity checking when tlsext_ticket_key_cb()
+	  callback chooses a different HMAC algorithm.
+
+	* Check for packets with a truncated DTLS cookie.
+
+	* Detect zero-length encrypted session data early, instead of when
+	  malloc(0) fails or the HMAC check fails.
+
+	* Check for and handle failure of HMAC_{Update,Final} or
+	  EVP_DecryptUpdate()
+
+2.4.3 - Bug fixes and reliability improvements
+
+	* Reverted change that cleans up the EVP cipher context in
+	  EVP_EncryptFinal() and EVP_DecryptFinal(). Some software relies on the
+	  previous behaviour.
+
+	* Avoid unbounded memory growth in libssl, which can be triggered by a
+	  TLS client repeatedly renegotiating and sending OCSP Status Request
+	  TLS extensions.
+
+	* Avoid falling back to a weak digest for (EC)DH when using SNI with
+	  libssl.
+
+2.4.2 - Bug fixes and improvements
+
+	* Fixed loading default certificate locations with openssl s_client.
+
+	* Ensured OSCP only uses and compares GENERALIZEDTIME values as per
+	  RFC6960. Also added fixes for OCSP to work with intermediate
+	  certificates provided in responses.
+
+	* Improved behavior of arc4random on Windows to not appear to leak
+	  memory in debug tools, reduced privileges of allocated memory.
+
+	* Fixed incorrect results from BN_mod_word() when the modulus is too
+	  large, thanks to Brian Smith from BoringSSL.
+
+	* Correctly handle an EOF prior to completing the TLS handshake in
+	  libtls.
+
+	* Improved libtls ceritificate loading and cipher string validation.
+
+	* Updated libtls cipher group suites into four categories:
+	    "secure"   (TLSv1.2+AEAD+PFS)
+	    "compat"   (HIGH:!aNULL)
+	    "legacy"   (HIGH:MEDIUM:!aNULL)
+	    "insecure" (ALL:!aNULL:!eNULL)
+	  This allows for flexibility and finer grained control, rather than
+	  having two extremes.
+
+	* Limited support for 'backward compatible' SSLv2 handshake packets to
+	  when TLS 1.0 is enabled, providing more restricted compatibility
+	  with TLS 1.0 clients.
+
+	* openssl(1) and other documentation improvements.
+
+	* Removed flags for disabling constant-time operations.
+	  This removes support for DSA_FLAG_NO_EXP_CONSTTIME,
+	  DH_FLAG_NO_EXP_CONSTTIME, and RSA_FLAG_NO_CONSTTIME flags, making
+	  all of these operations unconditionally constant-time.
+
+
+2.4.1 - Security fix
+
+	* Correct a problem that prevents the DSA signing algorithm from
+	  running in constant time even if the flag BN_FLG_CONSTTIME is set.
+	  This issue was reported by Cesar Pereida (Aalto University), Billy
+	  Brumley (Tampere University of Technology), and Yuval Yarom (The
+	  University of Adelaide and NICTA). The fix was developed by Cesar
+	  Pereida.
+
+2.4.0 - Build improvements, new features
+
+	* Many improvements to the CMake build infrastructure, including
+	  Solaris, mingw-w64, Cygwin, and HP-UX support. Thanks to Kinichiro
+	  Inoguchi for this work.
+
+	* Added missing error handling around bn_wexpand() calls.
+
+	* Added explicit_bzero calls for freed ASN.1 objects.
+
+	* Fixed X509_*set_object functions to return 0 on allocation failure.
+
+	* Implemented the IETF ChaCha20-Poly1305 cipher suites.
+
+	* Changed default EVP_aead_chacha20_poly1305() implementation to the
+	  IETF version, which is now the default.
+
+	* Fixed password prompts from openssl(1) to properly handle ^C.
+
+	* Reworked error handling in libtls so that configuration errors are
+	  visible.
+
+	* Deprecated internal use of EVP_[Cipher|Encrypt|Decrypt]_Final.
+
+	* Manpage fixes and updates
+
+2.3.5 - Reliability fix
+
+	* Fixed an error in libcrypto when parsing some ASN.1 elements > 16k.
+
+2.3.4 - Security Update
+
+	* Fix multiple vulnerabilities in libcrypto relating to ASN.1 and encoding.
+	From OpenSSL.
+
+	* Minor build fixes
+
+2.3.3 - OpenBSD 5.9 release branch tagged
+
+	* Reworked build scripts to better sync with OpenNTPD-portable
+
+	* Fixed broken manpage links
+
+	* Fixed an nginx compatibility issue by adding an 'install_sw' make alias
+
+	* Fixed HP-UX builds
+
+	* Changed the default configuration directory to c:\LibreSSL\ssl on Windows
+	  binary builds
+
+	* cert.pem has been reorganized and synced with Mozilla's certificate store
+
+2.3.2 - Compatibility and Reliability fixes
+
+	* Changed format of LIBRESSL_VERSION_NUMBER to match that of
+	  OPENSSL_VERSION_NUMBER, see:
+	  https://wiki.openssl.org/index.php/Manual:OPENSSL_VERSION_NUMBER(3)
+
+	* Added EVP_aead_chacha20_poly1305_ietf() which matches the AEAD
+	  construction introduced in RFC 7539, which is different than that
+	  already used in TLS with EVP_aead_chacha20_poly1305()
+
+	* Avoid a potential undefined C99+ behavior due to shift overflow in
+	  AES_decrypt, reported by Pascal Cuoq <cuoq at trust-in-soft.com>
+
+	* More man pages converted from pod to mdoc format
+
+	* Added COMODO RSA Certification Authority and QuoVadis
+	  root certificates to cert.pem
+
+	* Removed Remove "C=US, O=VeriSign, Inc., OU=Class 3 Public Primary Certification
+	  Authority" (serial 3c:91:31:cb:1f:f6:d0:1b:0e:9a:b8:d0:44:bf:12:be) root
+	  certificate from cert.pem
+
+	* Added support for building nc(1) on Solaris
+
+	* Fixed GCC 5.x+ preprocessor checks, reported by Ruslan Babayev
+
+	* Improved console handling with openssl(1) on Windows
+
+	* Ensure the network stack is enabled on Windows when running
+	  tls_init()
+
+	* Fixed incorrect TLS certificate loading by nc(1)
+
+	* Added support for Solaris 11.3's getentropy(2) system call
+
+	* Enabled support for using NetBSD 7.0's arc4random(3) implementation
+
+	* Deprecated the SSL_OP_SINGLE_DH_USE flag by disabling its effect
+
+	* Fixes from OpenSSL 1.0.1q
+	 - CVE-2015-3194 - NULL pointer dereference in client side certificate
+	                   validation.
+	 - CVE-2015-3195 - Memory leak in PKCS7 - not reachable from TLS/SSL
+
+	* The following OpenSSL CVEs did not apply to LibreSSL
+	 - CVE-2015-3193 - Carry propagating bug in the x86_64 Montgomery
+	                   squaring procedure.
+	 - CVE-2015-3196 - Double free race condition of the identify hint
+	                   data.
+
+	 See https://marc.info/?l=openbsd-announce&m=144925068504102
+
+2.3.1 - ASN.1 and time handling cleanups
+
+	* ASN.1 cleanups and RFC5280 compliance fixes.
+
+	* Time representations switched from 'unsigned long' to 'time_t'. LibreSSL
+	  now checks if the host OS supports 64-bit time_t.
+
+	* Fixed a leak in SSL_new in the error path.
+
+	* Support always extracting the peer cipher and version with libtls.
+
+	* Added ability to check certificate validity times with libtls,
+	  tls_peer_cert_notbefore and tls_peer_cert_notafter.
+
+	* Changed tls_connect_servername to use the first address that resolves with
+	  getaddrinfo().
+
+	* Remove broken conditional EVP_CHECK_DES_KEY code (non-functional since
+	  initial commit in 2004).
+
+	* Fixed a memory leak and out-of-bounds access in OBJ_obj2txt, reported
+	  by Qualys Security.
+
+	* Fixed an up-to 7 byte overflow in RC4 when len is not a multiple of
+	  sizeof(RC4_CHUNK), reported by Pascal Cuoq <cuoq at trust-in-soft.com>.
+
+	* Reject too small bits value in BN_generate_prime_ex(), so that it does
+	  not risk becoming negative in probable_prime_dh_safe(), reported by
+		Franck Denis.
+
+	* Enable nc(1) builds on more platforms.
+
+2.3.0 - SSLv3 removed, libtls API changes, portability improvements
+
+	* SSLv3 is now permanently removed from the tree.
+
+	* The libtls API is changed from the 2.2.x series.
+
+	  The read/write functions work correctly with external event
+	  libraries.  See the tls_init man page for examples of using libtls
+	  correctly in asynchronous mode.
+
+	  Client-side verification is now supported, with the client supplying
+	  the certificate to the server.
+
+	  Also, when using tls_connect_fds, tls_connect_socket or
+	  tls_accept_fds, libtls no longer implicitly closes the passed in
+	  sockets. The caller is responsible for closing them in this case.
+
+	* When loading a DSA key from an raw (without DH parameters) ASN.1
+	  serialization, perform some consistency checks on its `p' and `q'
+	  values, and return an error if the checks failed.
+
+	  Thanks for Georgi Guninski (guninski at guninski dot com) for
+	  mentioning the possibility of a weak (non prime) q value and
+	  providing a test case.
+
+	  See
+	  https://cpunks.org/pipermail/cypherpunks/2015-September/009007.html
+	  for a longer discussion.
+
+	* Fixed a bug in ECDH_compute_key that can lead to silent truncation
+	  of the result key without error. A coding error could cause software
+	  to use much shorter keys than intended.
+
+	* Removed support for DTLS_BAD_VER. Pre-DTLSv1 implementations are no
+	  longer supported.
+
+	* The engine command and parameters are removed from the openssl(1).
+	  Previous releases removed dynamic and builtin engine support
+	  already.
+
+	* SHA-0 is removed, which was withdrawn shortly after publication 20
+	  years ago.
+
+	* Added Certplus CA root certificate to the default cert.pem file.
+
+	* New interface OPENSSL_cpu_caps is provided that does not allow
+	  software to inadvertently modify cpu capability flags.
+	  OPENSSL_ia32cap and OPENSSL_ia32cap_loc are removed.
+
+	* The out_len argument of AEAD changed from ssize_t to size_t.
+
+	* Deduplicated DTLS code, sharing bugfixes and improvements with
+	  TLS.
+
+	* Converted 'nc' to use libtls for client and server operations; it is
+	  included in the libressl-portable distribution as an example of how
+	  to use the library.
+
+2.2.3 - Bug fixes, build enhancements
+
+	* LibreSSL 2.2.2 incorrectly handles ClientHello messages that do not
+	  include TLS extensions, resulting in such handshakes being aborted.
+	  This release corrects the handling of such messages. Thanks to
+	  Ligushka from github for reporting the issue.
+
+	* Added install target for cmake builds. Thanks to TheNietsnie from
+	  github.
+
+	* Updated pkgconfig files to correctly report the release version
+	  number, not the individual library ABI version numbers. Thanks to
+	  Jan Engelhardt for reporting the issue.
+
+2.2.2 - More TLS parser rework, bug fixes, expanded portable build support
+
+	* Switched 'openssl dhparam' default from 512 to 2048 bits
+
+	* Reworked openssl(1) option handling
+
+	* More CRYPTO ByteString (CBC) packet parsing conversions
+
+	* Fixed 'openssl pkeyutl -verify' to exit with a 0 on success
+
+	* Fixed dozens of Coverity issues including dead code, memory leaks,
+	  logic errors and more.
+
+	* Ensure that openssl(1) restores terminal echo state after reading a
+	  password.
+
+	* Incorporated fix for OpenSSL Issue #3683
+
+	* LibreSSL version define LIBRESSL_VERSION_NUMBER will now be bumped
+	  for each portable release.
+
+	* Removed workarounds for TLS client padding bugs.
+
+	* No longer disable ECDHE-ECDSA on OS X
+
+	* Removed SSLv3 support from openssl(1)
+
+	* Removed IE 6 SSLv3 workarounds.
+
+	* Modified tls_write in libtls to allow partial writes, clarified with
+	  examples in the documentation.
+
+	* Removed RSAX engine
+
+	* Tested SSLv3 removal with the OpenBSD ports tree and found several
+	  applications that were not ready to build without SSLv3 yet. For
+	  now, building a program that intentionally uses SSLv3 will result in
+	  a linker warning.
+
+	* Added TLS_method, TLS_client_method and TLS_server_method as a
+	  replacement for the SSLv23_*method calls.
+
+	* Added initial cmake build support, including support for building with
+	  Visual Studio, currently tested with Visual Studio 2013 Community
+	  Edition.
+
+	* --with-enginesdir is removed as a configuration parameter
+
+	* Default cert.pem, openssl.cnf, and x509v3.cnf files are now
+	  installed under $sysconfdir/ssl or the directory specified by
+	  --with-openssldir. Previous versions of LibreSSL left these empty.
+
+2.2.1 - Build fixes, feature added, features removed
+
+	* Assorted build fixes for musl, HP-UX, Mingw, Solaris.
+
+	* Initial support for Windows Embedded 2009, Server 2003, XP
+
+	* Protocol parsing conversions to BoringSSL's CRYPTO ByteString (CBS) API
+
+	* Added EC_curve_nid2nist and EC_curve_nist2nid from OpenSSL
+
+	* Removed Dynamic Engine support
+
+	* Removed unused and obsolete MDC-2DES cipher
+
+	* Removed workarounds for obsolete SSL implementations
+
+2.2.0 - Build cleanups and new OS support, Security Updates
+
+	* AIX Support - thanks to Michael Felt
+
+	* Cygwin Support - thanks to Corinna Vinschen
+
+	* Refactored build macros, support packaging libtls independently.
+	  There are more pieces required to support building and using OpenSSL
+	  with libtls, but this is an initial start at providing an
+	  independent package for people to start hacking on.
+
+	* Removal of OPENSSL_issetugid and all library getenv calls.
+	  Applications can and should no longer rely on environment variables
+	  for changing library behavior. OPENSSL_CONF/SSLEAY_CONF is still
+	  supported with the openssl(1) command.
+
+	* libtls API and documentation additions
+
+	* Various bug fixes and simplifications to libssl and libcrypto
+
+	* Fixes for the following issues are integrated into LibreSSL 2.2.0:
+	 - CVE-2015-1788 - Malformed ECParameters causes infinite loop
+	 - CVE-2015-1789 - Exploitable out-of-bounds read in X509_cmp_time
+	 - CVE-2015-1792 - CMS verify infinite loop with unknown hash function
+
+	* The following CVEs did not apply to LibreSSL or were fixed in
+	  earlier releases:
+	 - CVE-2015-4000 - DHE man-in-the-middle protection (Logjam)
+	 - CVE-2015-1790 - PKCS7 crash with missing EnvelopedContent
+	 - CVE-2014-8176 - Invalid free in DTLS
+
+	* Fixes for the following CVEs are still in review for LibreSSL
+	 - CVE-2015-1791 - Race condition handling NewSessionTicket
+
+2.1.6 - Security update
+
+	* Fixes for the following issues are integrated into LibreSSL 2.1.6:
+	  - CVE-2015-0209 - Use After Free following d2i_ECPrivatekey error
+	  - CVE-2015-0286 - Segmentation fault in ASN1_TYPE_cmp
+	  - CVE-2015-0287 - ASN.1 structure reuse memory corruption
+	  - CVE-2015-0288 - X509_to_X509_REQ NULL pointer deref
+	  - CVE-2015-0289 - PKCS7 NULL pointer dereferences
+
+	* The fix for CVE-2015-0207 - Segmentation fault in DTLSv1_listen
+	  is integrated for safety, but LibreSSL is not vulnerable.
+
+	* Libtls is now built by default. The --enable-libtls
+	  configuration option is no longer required.
+	  The libtls API is now stable for the 2.1.x series.
+
 2.1.5 - Bug fixes and a security update
 	* Fix incorrect comparison function in openssl(1) certhash command.
+	  Thanks to Christian Neukirchen / Void Linux.
 
 	* Windows port improvements and bug fixes.
+	  - Removed a dependency on libgcc in 32-bit dynamic libraries.
+	  - Correct a hang in openssl(1) reading from stdin on an connection.
+	  - Initialize winsock in openssl(1) earlier, allow 'openssl ocsp' and
+	    any other network-related commands to function properly.
 
-	* Reject server ephemeral DH keys smaller than 1024 bits.
+	* Reject all server DH keys smaller than 1024 bits.
 
 2.1.4 - Security and feature updates
 	* Improvements to libtls:

Makefile.am

@@ -2,10 +2,10 @@ SUBDIRS = crypto ssl tls include apps tests man
 ACLOCAL_AMFLAGS = -I m4
 
 pkgconfigdir = $(libdir)/pkgconfig
-pkgconfig_DATA = libcrypto.pc libssl.pc openssl.pc
+pkgconfig_DATA = libcrypto.pc libssl.pc libtls.pc openssl.pc
 
-if ENABLE_LIBTLS
-pkgconfig_DATA += libtls.pc
-endif
+EXTRA_DIST = README.md README.windows VERSION config scripts
+EXTRA_DIST += CMakeLists.txt cmake_uninstall.cmake.in
 
-EXTRA_DIST = README README.windows VERSION config scripts
+.PHONY: install_sw
+install_sw: install

Makefile.am.common

@@ -1,2 +1,2 @@
-AM_CPPFLAGS = -I$(top_srcdir)/include
-AM_CPPFLAGS += -DLIBRESSL_INTERNAL
+AM_CFLAGS =
+AM_CPPFLAGS = -I$(top_srcdir)/include -I$(top_srcdir)/include/compat -DLIBRESSL_INTERNAL

OPENBSD_BRANCH

@@ -1 +1 @@
-OPENBSD_5_7
+OPENBSD_6_0

README

@@ -1,50 +0,0 @@
-This package is the official portable version of LibreSSL
-	(http://www.libressl.org).
-
-LibreSSL is a fork of OpenSSL developed by the OpenBSD project
-(http://www.openbsd.org). LibreSSL is developed on OpenBSD. This
-package then adds portability shims for other operating systems.
-
-Official release tarballs are available at your friendly neighborhood
-OpenBSD mirror in directory LibreSSL, e.g.:
-
-	http://ftp.openbsd.org/pub/OpenBSD/LibreSSL/
-
-although we suggest that you use a mirror:
-
-	http://www.openbsd.org/ftp.html
-
-The LibreSSL portable build framework is also mirrored in Github:
-
-	https://github.com/libressl-portable/portable
-
-Please report bugs either to tech@openbsd.org, or to the github issue tracker:
-
-	https://github.com/libressl-portable/portable/issues
-
-If you have checked this source using Git, follow these initial steps to
-prepare the source tree for building:
-
- 1. ensure you have the following packages installed:
-	automake, autoconf, bash, git, libtool, perl, pod2man
- 2. run './autogen.sh' to prepare the source tree for building
-    or run './dist.sh' to prepare a tarball.
-
-Once you have a source tree from Git or FTP, run these commands to build and
-install the package:
-
-  ./configure   # see ./configure --help for configuration options
-  make check    # runs builtin unit tests
-  make install  # set DESTDIR= to install to an alternate location
-
-The resulting library and 'openssl' utility is largely API-compatible with
-OpenSSL 1.0.1. However, it is not ABI compatible - you will need to relink your
-programs to LibreSSL in order to use it, just as in moving from OpenSSL 0.9.8
-to 1.0.1.
-
-The project attempts to provide working alternatives for operating systems with
-limited or broken security primitives (e.g. arc4random(3), issetugid(2)) and
-assists with improving OS-native implementations where possible.
-
-LibreSSL portable will build on any reasonably modern version of Linux,
-Solaris, or OSX with a standards-compliant compiler and C library.

README.md

@@ -0,0 +1,133 @@
+![LibreSSL image](http://www.libressl.org/images/libressl.jpg)
+## Official portable version of [LibreSSL](http://www.libressl.org) ##
+
+[![Build Status](https://travis-ci.org/libressl-portable/portable.svg?branch=master)](https://travis-ci.org/libressl-portable/portable)
+
+LibreSSL is a fork of [OpenSSL](https://www.openssl.org) 1.0.1g developed by the
+[OpenBSD](http://www.openbsd.org) project.  Our goal is to modernize the codebase,
+improve security, and apply best practice development processes from OpenBSD.
+
+## Compatibility with OpenSSL: ##
+
+LibreSSL is API compatible with OpenSSL 1.0.1, but does not yet include all
+new APIs from OpenSSL 1.0.2 and later. LibreSSL also includes APIs not yet
+present in OpenSSL. The current common API subset is OpenSSL 1.0.1.
+
+LibreSSL is not ABI compatible with any release of OpenSSL, or necessarily
+earlier releases of LibreSSL. You will need to relink your programs to
+LibreSSL in order to use it, just as in moving between major versions of OpenSSL.
+LibreSSL's installed library version numbers are incremented to account for
+ABI and API changes.
+
+## Compatibility with other operating systems: ##
+
+While primarily developed on and taking advantage of APIs available on OpenBSD,
+the LibreSSL portable project attempts to provide working alternatives for
+other operating systems, and assists with improving OS-native implementations
+where possible.
+
+At the time of this writing, LibreSSL is know to build and work on:
+
+* Linux (kernel 3.17 or later recommended)
+* FreeBSD (tested with 9.2 and later)
+* NetBSD (7.0 or later recommended)
+* HP-UX (11i)
+* Solaris (11 and later preferred)
+* Mac OS X (tested with 10.8 and later)
+* AIX (5.3 and later)
+
+LibreSSL also supports the following Windows environments:
+* Microsoft Windows (XP or higher, x86 and x64)
+* Wine (32-bit and 64-bit)
+* Builds with Mingw-w64, Cygwin, and Visual Studio
+
+Official release tarballs are available at your friendly neighborhood
+OpenBSD mirror in directory
+[LibreSSL](http://ftp.openbsd.org/pub/OpenBSD/LibreSSL/),
+although we suggest that you use a [mirror](http://www.openbsd.org/ftp.html).
+
+The LibreSSL portable build framework is also
+[mirrored](https://github.com/libressl-portable/portable) in Github.
+
+Please report bugs either to the public libressl@openbsd.org mailing list,
+or to the github
+[issue tracker](https://github.com/libressl-portable/portable/issues)
+
+Severe vulnerabilities or bugs requiring coordination with OpenSSL can be
+sent to the core team at libressl-security@openbsd.org.
+
+## Prerequisites when building from git ##
+
+If you have checked this source using Git, follow these initial steps to
+prepare the source tree for building:
+
+1. Ensure you have the following packages installed:
+   automake, autoconf, git, libtool, perl, pod2man
+2. Run './autogen.sh' to prepare the source tree for building or
+   run './dist.sh' to prepare a tarball.
+
+## Building LibreSSL ##
+
+Once you have a source tree from Git or FTP, run these commands to build and
+install the package on most systems:
+
+```sh
+./configure   # see ./configure --help for configuration options
+make check    # runs builtin unit tests
+make install  # set DESTDIR= to install to an alternate location
+```
+
+If you wish to use the CMake build system, use these commands:
+
+```sh
+mkdir build
+cd build
+cmake ..
+make
+make test
+```
+
+For faster builds, you can use Ninja as well:
+
+```sh
+mkdir build-ninja
+cd build-ninja
+cmake -G"Ninja" ..
+ninja
+ninja test
+```
+
+### OS specific build information: ###
+
+#### HP-UX (11i) ####
+
+Set the UNIX_STD environment variable to '2003' before running 'configure'
+in order to build with the HP C/aC++ compiler. See the "standards(5)" man
+page for more details.
+
+```sh
+export UNIX_STD=2003
+./configure
+make
+```
+
+#### Windows - Mingw-w64 ####
+
+LibreSSL builds against relatively recent versions of Mingw-w64, not to be
+confused with the original mingw.org project.  Mingw-w64 3.2 or later
+should work. See README.windows for more information
+
+#### Windows - Visual Studio ####
+
+LibreSSL builds using the CMake target "Visual Studio 12 2013", and may build
+against older/newer targets as well. To generate a Visual Studio project,
+install CMake, enter the LibreSSL source directory and run:
+
+```sh
+ mkdir build-vs2013
+ cd build-vs2013
+ cmake -G"Visual Studio 12 2013" ..
+```
+
+This will generate a LibreSSL.sln file that you can incorporate into other
+projects or build by itself.

README.windows

@@ -6,9 +6,8 @@ GCC or Clang as the compiler. Contrary to its name, mingw-w64 supports both
 then LibreSSL should integrate very nicely. Old versions of the mingw-w64
 toolchain, such as the one packaged with Ubuntu 12.04, may have trouble
 building LibreSSL. Please try it with a recent toolchain if you encounter
-troubles. If you are building under Cygwin, only builds with the mingw-w64
-compiler are supported, though you can easily use Cygwin to drive the build
-process.
+troubles. Cygwin provides an easy method of installing the latest mingw-w64
+cross compilers on Windows.
 
 To configure and build LibreSSL for a 32-bit system, use the following
 build steps:
@@ -36,5 +35,11 @@ cv2pdb to generate Visual Studio and windbg compatible debug files. cv2pdb is a
 tool developed for the D language and can be found here:
 https://github.com/rainers/cv2pdb
 
-Pre-build Windows binaries are available with the LibreSSL release for your
-convenience.
+Pre-built Windows binaries are available with LibreSSL releases if you do not
+have a mingw-w64 build environment. Mingw-w64 code is largely, but not 100%,
+compatible with code built from Visual Studio. Notably, FILE * pointers cannot
+be shared between code built for Mingw-w64 and Visual Studio.
+
+As of LibreSSL 2.2.2, Visual Studio Native builds can be produced using CMake.
+This produces ABI-compatible libraries for linking with native code generated
+by Visual Studio.

VERSION

@@ -1 +0,0 @@
-2.1.5

apps/CMakeLists.txt

@@ -0,0 +1,2 @@
+add_subdirectory(openssl)
+add_subdirectory(nc)

apps/Makefile.am

@@ -1,88 +1,5 @@
 include $(top_srcdir)/Makefile.am.common
 
-bin_PROGRAMS = openssl
+SUBDIRS = openssl nc
 
-openssl_CFLAGS = $(USER_CFLAGS)
-openssl_LDADD = $(PLATFORM_LDADD) $(PROG_LDADD)
-openssl_LDADD += $(top_builddir)/ssl/libssl.la
-openssl_LDADD += $(top_builddir)/crypto/libcrypto.la
-
-openssl_SOURCES = apps.c
-openssl_SOURCES += asn1pars.c
-openssl_SOURCES += ca.c
-openssl_SOURCES += ciphers.c
-openssl_SOURCES += cms.c
-openssl_SOURCES += crl.c
-openssl_SOURCES += crl2p7.c
-openssl_SOURCES += dgst.c
-openssl_SOURCES += dh.c
-openssl_SOURCES += dhparam.c
-openssl_SOURCES += dsa.c
-openssl_SOURCES += dsaparam.c
-openssl_SOURCES += ec.c
-openssl_SOURCES += ecparam.c
-openssl_SOURCES += enc.c
-openssl_SOURCES += engine.c
-openssl_SOURCES += errstr.c
-openssl_SOURCES += gendh.c
-openssl_SOURCES += gendsa.c
-openssl_SOURCES += genpkey.c
-openssl_SOURCES += genrsa.c
-openssl_SOURCES += nseq.c
-openssl_SOURCES += ocsp.c
-openssl_SOURCES += openssl.c
-openssl_SOURCES += passwd.c
-openssl_SOURCES += pkcs12.c
-openssl_SOURCES += pkcs7.c
-openssl_SOURCES += pkcs8.c
-openssl_SOURCES += pkey.c
-openssl_SOURCES += pkeyparam.c
-openssl_SOURCES += pkeyutl.c
-openssl_SOURCES += prime.c
-openssl_SOURCES += rand.c
-openssl_SOURCES += req.c
-openssl_SOURCES += rsa.c
-openssl_SOURCES += rsautl.c
-openssl_SOURCES += s_cb.c
-openssl_SOURCES += s_client.c
-openssl_SOURCES += s_server.c
-openssl_SOURCES += s_socket.c
-openssl_SOURCES += s_time.c
-openssl_SOURCES += sess_id.c
-openssl_SOURCES += smime.c
-openssl_SOURCES += speed.c
-openssl_SOURCES += spkac.c
-openssl_SOURCES += ts.c
-openssl_SOURCES += verify.c
-openssl_SOURCES += version.c
-openssl_SOURCES += x509.c
-
-if BUILD_CERTHASH
-openssl_SOURCES += certhash.c
-else
-openssl_SOURCES += certhash_disabled.c
-endif
-
-if HOST_WIN
-openssl_SOURCES += apps_win.c
-else
-openssl_SOURCES += apps_posix.c
-endif
-
-if !HAVE_POLL
-if HOST_WIN
-openssl_SOURCES += poll_win.c
-endif
-endif
-
-if !HAVE_STRTONUM
-openssl_SOURCES += strtonum.c
-endif
-
-noinst_HEADERS = apps.h
-noinst_HEADERS += progs.h
-noinst_HEADERS += s_apps.h
-noinst_HEADERS += testdsa.h
-noinst_HEADERS += testrsa.h
-noinst_HEADERS += timeouts.h
-noinst_HEADERS += openssl.cnf
+EXTRA_DIST = CMakeLists.txt

apps/apps_win.c

@@ -1,29 +0,0 @@
-/*
- * Public domain
- *
- * Dongsheng Song <dongsheng.song@gmail.com>
- * Brent Cook <bcook@openbsd.org>
- */
-
-#include <windows.h>
-
-#include "apps.h"
-
-double
-app_tminterval(int stop, int usertime)
-{
-	static unsigned __int64 tmstart;
-	union {
-		unsigned __int64 u64;
-		FILETIME ft;
-	} ct, et, kt, ut;
-
-	GetProcessTimes(GetCurrentProcess(), &ct.ft, &et.ft, &kt.ft, &ut.ft);
-
-	if (stop == TM_START) {
-		tmstart = ut.u64 + kt.u64;
-	} else {
-		return (ut.u64 + kt.u64 - tmstart) / (double) 10000000;
-	}
-	return 0;
-}

apps/nc/CMakeLists.txt

@@ -0,0 +1,60 @@
+if(BUILD_NC)
+
+include_directories(
+	.
+	./compat
+	../../include
+	../../include/compat
+)
+
+set(
+	NC_SRC
+	atomicio.c
+	netcat.c
+	socks.c
+	compat/socket.c
+)
+
+check_function_exists(b64_ntop HAVE_B64_NTOP)
+if(HAVE_B64_NTOP)
+	add_definitions(-DHAVE_B64_NTOP)
+else()
+	set(NC_SRC ${NC_SRC} compat/base64.c)
+endif()
+
+check_function_exists(accept4 HAVE_ACCEPT4)
+if(HAVE_ACCEPT4)
+	add_definitions(-DHAVE_ACCEPT4)
+else()
+	set(NC_SRC ${NC_SRC} compat/accept4.c)
+endif()
+
+check_function_exists(readpassphrase HAVE_READPASSPHRASE)
+if(HAVE_READPASSPHRASE)
+	add_definitions(-DHAVE_READPASSPHRASE)
+else()
+	set(NC_SRC ${NC_SRC} compat/readpassphrase.c)
+endif()
+
+check_function_exists(strtonum HAVE_STRTONUM)
+if(HAVE_STRTONUM)
+	add_definitions(-DHAVE_STRTONUM)
+else()
+	set(NC_SRC ${NC_SRC} compat/strtonum.c)
+endif()
+
+if(NOT "${OPENSSLDIR}" STREQUAL "")
+	add_definitions(-DDEFAULT_CA_FILE=\"${OPENSSLDIR}/cert.pem\")
+else()
+	add_definitions(-DDEFAULT_CA_FILE=\"${CMAKE_INSTALL_PREFIX}/etc/ssl/cert.pem\")
+endif()
+
+add_executable(nc ${NC_SRC})
+target_link_libraries(nc tls ${OPENSSL_LIBS})
+
+if(ENABLE_NC)
+	install(TARGETS nc DESTINATION bin)
+	install(FILES nc.1 DESTINATION share/man/man1)
+endif()
+
+endif()

apps/nc/Makefile.am

@@ -0,0 +1,50 @@
+include $(top_srcdir)/Makefile.am.common
+
+if BUILD_NC
+
+if ENABLE_NC
+bin_PROGRAMS = nc
+else
+noinst_PROGRAMS = nc
+endif
+
+EXTRA_DIST = nc.1
+EXTRA_DIST += CMakeLists.txt
+
+nc_LDADD = $(PLATFORM_LDADD) $(PROG_LDADD)
+nc_LDADD += $(abs_top_builddir)/crypto/libcrypto.la
+nc_LDADD += $(abs_top_builddir)/ssl/libssl.la
+nc_LDADD += $(abs_top_builddir)/tls/libtls.la
+
+AM_CPPFLAGS += -I$(top_srcdir)/apps/nc/compat
+if OPENSSLDIR_DEFINED
+AM_CPPFLAGS += -DDEFAULT_CA_FILE=\"@OPENSSLDIR@/cert.pem\"
+else
+AM_CPPFLAGS += -DDEFAULT_CA_FILE=\"$(sysconfdir)/ssl/cert.pem\"
+endif
+
+nc_SOURCES = atomicio.c
+nc_SOURCES += netcat.c
+nc_SOURCES += socks.c
+noinst_HEADERS = atomicio.h
+noinst_HEADERS += compat/sys/socket.h
+
+nc_SOURCES += compat/socket.c
+
+if !HAVE_B64_NTOP
+nc_SOURCES += compat/base64.c
+endif
+
+if !HAVE_ACCEPT4
+nc_SOURCES += compat/accept4.c
+endif
+
+if !HAVE_READPASSPHRASE
+nc_SOURCES += compat/readpassphrase.c
+endif
+
+if !HAVE_STRTONUM
+nc_SOURCES += compat/strtonum.c
+endif
+
+endif

apps/nc/compat/accept4.c

@@ -0,0 +1,17 @@
+#include <sys/socket.h>
+#include <fcntl.h>
+
+int
+accept4(int s, struct sockaddr *addr, socklen_t *addrlen, int flags)
+{
+	int rets = accept(s, addr, addrlen);
+	if (rets == -1)
+		return s;
+
+	if (flags & SOCK_CLOEXEC) {
+		flags = fcntl(s, F_GETFD);
+		fcntl(rets, F_SETFD, flags | FD_CLOEXEC);
+	}
+
+	return rets;
+}

apps/nc/compat/base64.c

@@ -0,0 +1,315 @@
+/*	$OpenBSD: base64.c,v 1.8 2015/01/16 16:48:51 deraadt Exp $	*/
+
+/*
+ * Copyright (c) 1996 by Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND INTERNET SOFTWARE CONSORTIUM DISCLAIMS
+ * ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES
+ * OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL INTERNET SOFTWARE
+ * CONSORTIUM BE LIABLE FOR ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL
+ * DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR
+ * PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS
+ * ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS
+ * SOFTWARE.
+ */
+
+/*
+ * Portions Copyright (c) 1995 by International Business Machines, Inc.
+ *
+ * International Business Machines, Inc. (hereinafter called IBM) grants
+ * permission under its copyrights to use, copy, modify, and distribute this
+ * Software with or without fee, provided that the above copyright notice and
+ * all paragraphs of this notice appear in all copies, and that the name of IBM
+ * not be used in connection with the marketing of any product incorporating
+ * the Software or modifications thereof, without specific, written prior
+ * permission.
+ *
+ * To the extent it has a right to do so, IBM grants an immunity from suit
+ * under its patents, if any, for the use, sale or manufacture of products to
+ * the extent that such products are used for performing Domain Name System
+ * dynamic updates in TCP/IP networks by means of the Software.  No immunity is
+ * granted for any product per se or for any other function of any product.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", AND IBM DISCLAIMS ALL WARRANTIES,
+ * INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A
+ * PARTICULAR PURPOSE.  IN NO EVENT SHALL IBM BE LIABLE FOR ANY SPECIAL,
+ * DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER ARISING
+ * OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE, EVEN
+ * IF IBM IS APPRISED OF THE POSSIBILITY OF SUCH DAMAGES.
+ */
+
+#include <sys/types.h>
+#include <sys/socket.h>
+#include <netinet/in.h>
+#include <arpa/inet.h>
+#include <arpa/nameser.h>
+
+#include <ctype.h>
+#include <resolv.h>
+#include <stdio.h>
+
+#include <stdlib.h>
+#include <string.h>
+
+static const char Base64[] =
+	"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";
+static const char Pad64 = '=';
+
+/* (From RFC1521 and draft-ietf-dnssec-secext-03.txt)
+   The following encoding technique is taken from RFC 1521 by Borenstein
+   and Freed.  It is reproduced here in a slightly edited form for
+   convenience.
+
+   A 65-character subset of US-ASCII is used, enabling 6 bits to be
+   represented per printable character. (The extra 65th character, "=",
+   is used to signify a special processing function.)
+
+   The encoding process represents 24-bit groups of input bits as output
+   strings of 4 encoded characters. Proceeding from left to right, a
+   24-bit input group is formed by concatenating 3 8-bit input groups.
+   These 24 bits are then treated as 4 concatenated 6-bit groups, each
+   of which is translated into a single digit in the base64 alphabet.
+
+   Each 6-bit group is used as an index into an array of 64 printable
+   characters. The character referenced by the index is placed in the
+   output string.
+
+                         Table 1: The Base64 Alphabet
+
+      Value Encoding  Value Encoding  Value Encoding  Value Encoding
+          0 A            17 R            34 i            51 z
+          1 B            18 S            35 j            52 0
+          2 C            19 T            36 k            53 1
+          3 D            20 U            37 l            54 2
+          4 E            21 V            38 m            55 3
+          5 F            22 W            39 n            56 4
+          6 G            23 X            40 o            57 5
+          7 H            24 Y            41 p            58 6
+          8 I            25 Z            42 q            59 7
+          9 J            26 a            43 r            60 8
+         10 K            27 b            44 s            61 9
+         11 L            28 c            45 t            62 +
+         12 M            29 d            46 u            63 /
+         13 N            30 e            47 v
+         14 O            31 f            48 w         (pad) =
+         15 P            32 g            49 x
+         16 Q            33 h            50 y
+
+   Special processing is performed if fewer than 24 bits are available
+   at the end of the data being encoded.  A full encoding quantum is
+   always completed at the end of a quantity.  When fewer than 24 input
+   bits are available in an input group, zero bits are added (on the
+   right) to form an integral number of 6-bit groups.  Padding at the
+   end of the data is performed using the '=' character.
+
+   Since all base64 input is an integral number of octets, only the
+         -------------------------------------------------                       
+   following cases can arise:
+   
+       (1) the final quantum of encoding input is an integral
+           multiple of 24 bits; here, the final unit of encoded
+	   output will be an integral multiple of 4 characters
+	   with no "=" padding,
+       (2) the final quantum of encoding input is exactly 8 bits;
+           here, the final unit of encoded output will be two
+	   characters followed by two "=" padding characters, or
+       (3) the final quantum of encoding input is exactly 16 bits;
+           here, the final unit of encoded output will be three
+	   characters followed by one "=" padding character.
+   */
+
+int
+b64_ntop(src, srclength, target, targsize)
+	u_char const *src;
+	size_t srclength;
+	char *target;
+	size_t targsize;
+{
+	size_t datalength = 0;
+	u_char input[3];
+	u_char output[4];
+	int i;
+
+	while (2 < srclength) {
+		input[0] = *src++;
+		input[1] = *src++;
+		input[2] = *src++;
+		srclength -= 3;
+
+		output[0] = input[0] >> 2;
+		output[1] = ((input[0] & 0x03) << 4) + (input[1] >> 4);
+		output[2] = ((input[1] & 0x0f) << 2) + (input[2] >> 6);
+		output[3] = input[2] & 0x3f;
+
+		if (datalength + 4 > targsize)
+			return (-1);
+		target[datalength++] = Base64[output[0]];
+		target[datalength++] = Base64[output[1]];
+		target[datalength++] = Base64[output[2]];
+		target[datalength++] = Base64[output[3]];
+	}
+    
+	/* Now we worry about padding. */
+	if (0 != srclength) {
+		/* Get what's left. */
+		input[0] = input[1] = input[2] = '\0';
+		for (i = 0; i < srclength; i++)
+			input[i] = *src++;
+	
+		output[0] = input[0] >> 2;
+		output[1] = ((input[0] & 0x03) << 4) + (input[1] >> 4);
+		output[2] = ((input[1] & 0x0f) << 2) + (input[2] >> 6);
+
+		if (datalength + 4 > targsize)
+			return (-1);
+		target[datalength++] = Base64[output[0]];
+		target[datalength++] = Base64[output[1]];
+		if (srclength == 1)
+			target[datalength++] = Pad64;
+		else
+			target[datalength++] = Base64[output[2]];
+		target[datalength++] = Pad64;
+	}
+	if (datalength >= targsize)
+		return (-1);
+	target[datalength] = '\0';	/* Returned value doesn't count \0. */
+	return (datalength);
+}
+
+/* skips all whitespace anywhere.
+   converts characters, four at a time, starting at (or after)
+   src from base - 64 numbers into three 8 bit bytes in the target area.
+   it returns the number of data bytes stored at the target, or -1 on error.
+ */
+
+int
+b64_pton(src, target, targsize)
+	char const *src;
+	u_char *target;
+	size_t targsize;
+{
+	int tarindex, state, ch;
+	u_char nextbyte;
+	char *pos;
+
+	state = 0;
+	tarindex = 0;
+
+	while ((ch = (unsigned char)*src++) != '\0') {
+		if (isspace(ch))	/* Skip whitespace anywhere. */
+			continue;
+
+		if (ch == Pad64)
+			break;
+
+		pos = strchr(Base64, ch);
+		if (pos == 0) 		/* A non-base64 character. */
+			return (-1);
+
+		switch (state) {
+		case 0:
+			if (target) {
+				if (tarindex >= targsize)
+					return (-1);
+				target[tarindex] = (pos - Base64) << 2;
+			}
+			state = 1;
+			break;
+		case 1:
+			if (target) {
+				if (tarindex >= targsize)
+					return (-1);
+				target[tarindex]   |=  (pos - Base64) >> 4;
+				nextbyte = ((pos - Base64) & 0x0f) << 4;
+				if (tarindex + 1 < targsize)
+					target[tarindex+1] = nextbyte;
+				else if (nextbyte)
+					return (-1);
+			}
+			tarindex++;
+			state = 2;
+			break;
+		case 2:
+			if (target) {
+				if (tarindex >= targsize)
+					return (-1);
+				target[tarindex]   |=  (pos - Base64) >> 2;
+				nextbyte = ((pos - Base64) & 0x03) << 6;
+				if (tarindex + 1 < targsize)
+					target[tarindex+1] = nextbyte;
+				else if (nextbyte)
+					return (-1);
+			}
+			tarindex++;
+			state = 3;
+			break;
+		case 3:
+			if (target) {
+				if (tarindex >= targsize)
+					return (-1);
+				target[tarindex] |= (pos - Base64);
+			}
+			tarindex++;
+			state = 0;
+			break;
+		}
+	}
+
+	/*
+	 * We are done decoding Base-64 chars.  Let's see if we ended
+	 * on a byte boundary, and/or with erroneous trailing characters.
+	 */
+
+	if (ch == Pad64) {			/* We got a pad char. */
+		ch = (unsigned char)*src++;	/* Skip it, get next. */
+		switch (state) {
+		case 0:		/* Invalid = in first position */
+		case 1:		/* Invalid = in second position */
+			return (-1);
+
+		case 2:		/* Valid, means one byte of info */
+			/* Skip any number of spaces. */
+			for (; ch != '\0'; ch = (unsigned char)*src++)
+				if (!isspace(ch))
+					break;
+			/* Make sure there is another trailing = sign. */
+			if (ch != Pad64)
+				return (-1);
+			ch = (unsigned char)*src++;		/* Skip the = */
+			/* Fall through to "single trailing =" case. */
+			/* FALLTHROUGH */
+
+		case 3:		/* Valid, means two bytes of info */
+			/*
+			 * We know this char is an =.  Is there anything but
+			 * whitespace after it?
+			 */
+			for (; ch != '\0'; ch = (unsigned char)*src++)
+				if (!isspace(ch))
+					return (-1);
+
+			/*
+			 * Now make sure for cases 2 and 3 that the "extra"
+			 * bits that slopped past the last full byte were
+			 * zeros.  If we don't check them, they become a
+			 * subliminal channel.
+			 */
+			if (target && tarindex < targsize &&
+			    target[tarindex] != 0)
+				return (-1);
+		}
+	} else {
+		/*
+		 * We ended by seeing the end of the string.  Make sure we
+		 * have no partial bytes lying around.
+		 */
+		if (state != 0)
+			return (-1);
+	}
+
+	return (tarindex);
+}

apps/nc/compat/readpassphrase.c

@@ -0,0 +1,205 @@
+/*	$OpenBSD: readpassphrase.c,v 1.22 2010/01/13 10:20:54 dtucker Exp $	*/
+
+/*
+ * Copyright (c) 2000-2002, 2007 Todd C. Miller <Todd.Miller@courtesan.com>
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+ * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+ * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ *
+ * Sponsored in part by the Defense Advanced Research Projects
+ * Agency (DARPA) and Air Force Research Laboratory, Air Force
+ * Materiel Command, USAF, under agreement number F39502-99-1-0512.
+ */
+
+/* OPENBSD ORIGINAL: lib/libc/gen/readpassphrase.c */
+
+#include <termios.h>
+#include <signal.h>
+#include <ctype.h>
+#include <fcntl.h>
+#include <errno.h>
+#include <string.h>
+#include <unistd.h>
+
+#include <readpassphrase.h>
+
+#ifndef _PATH_TTY
+# define _PATH_TTY "/dev/tty"
+#endif
+
+#ifdef TCSASOFT
+# define _T_FLUSH	(TCSAFLUSH|TCSASOFT)
+#else
+# define _T_FLUSH	(TCSAFLUSH)
+#endif
+
+/* SunOS 4.x which lacks _POSIX_VDISABLE, but has VDISABLE */
+#if !defined(_POSIX_VDISABLE) && defined(VDISABLE)
+#  define _POSIX_VDISABLE       VDISABLE
+#endif
+
+#ifndef _NSIG
+# ifdef NSIG
+#  define _NSIG NSIG
+# else
+#  define _NSIG 128
+# endif
+#endif
+
+static volatile sig_atomic_t signo[_NSIG];
+
+static void handler(int);
+
+char *
+readpassphrase(const char *prompt, char *buf, size_t bufsiz, int flags)
+{
+	ssize_t bytes_written = 0;
+	ssize_t nr;
+	int input, output, save_errno, i, need_restart;
+	char ch, *p, *end;
+	struct termios term, oterm;
+	struct sigaction sa, savealrm, saveint, savehup, savequit, saveterm;
+	struct sigaction savetstp, savettin, savettou, savepipe;
+
+	/* I suppose we could alloc on demand in this case (XXX). */
+	if (bufsiz == 0) {
+		errno = EINVAL;
+		return(NULL);
+	}
+
+restart:
+	for (i = 0; i < _NSIG; i++)
+		signo[i] = 0;
+	nr = -1;
+	save_errno = 0;
+	need_restart = 0;
+	/*
+	 * Read and write to /dev/tty if available.  If not, read from
+	 * stdin and write to stderr unless a tty is required.
+	 */
+	if ((flags & RPP_STDIN) ||
+	    (input = output = open(_PATH_TTY, O_RDWR)) == -1) {
+		if (flags & RPP_REQUIRE_TTY) {
+			errno = ENOTTY;
+			return(NULL);
+		}
+		input = STDIN_FILENO;
+		output = STDERR_FILENO;
+	}
+
+	/*
+	 * Catch signals that would otherwise cause the user to end
+	 * up with echo turned off in the shell.  Don't worry about
+	 * things like SIGXCPU and SIGVTALRM for now.
+	 */
+	sigemptyset(&sa.sa_mask);
+	sa.sa_flags = 0;		/* don't restart system calls */
+	sa.sa_handler = handler;
+	(void)sigaction(SIGALRM, &sa, &savealrm);
+	(void)sigaction(SIGHUP, &sa, &savehup);
+	(void)sigaction(SIGINT, &sa, &saveint);
+	(void)sigaction(SIGPIPE, &sa, &savepipe);
+	(void)sigaction(SIGQUIT, &sa, &savequit);
+	(void)sigaction(SIGTERM, &sa, &saveterm);
+	(void)sigaction(SIGTSTP, &sa, &savetstp);
+	(void)sigaction(SIGTTIN, &sa, &savettin);
+	(void)sigaction(SIGTTOU, &sa, &savettou);
+
+	/* Turn off echo if possible. */
+	if (input != STDIN_FILENO && tcgetattr(input, &oterm) == 0) {
+		memcpy(&term, &oterm, sizeof(term));
+		if (!(flags & RPP_ECHO_ON))
+			term.c_lflag &= ~(ECHO | ECHONL);
+#ifdef VSTATUS
+		if (term.c_cc[VSTATUS] != _POSIX_VDISABLE)
+			term.c_cc[VSTATUS] = _POSIX_VDISABLE;
+#endif
+		(void)tcsetattr(input, _T_FLUSH, &term);
+	} else {
+		memset(&term, 0, sizeof(term));
+		term.c_lflag |= ECHO;
+		memset(&oterm, 0, sizeof(oterm));
+		oterm.c_lflag |= ECHO;
+	}
+
+	/* No I/O if we are already backgrounded. */
+	if (signo[SIGTTOU] != 1 && signo[SIGTTIN] != 1) {
+		if (!(flags & RPP_STDIN))
+			bytes_written = write(output, prompt, strlen(prompt));
+		end = buf + bufsiz - 1;
+		p = buf;
+		while ((nr = read(input, &ch, 1)) == 1 && ch != '\n' && ch != '\r') {
+			if (p < end) {
+				if ((flags & RPP_SEVENBIT))
+					ch &= 0x7f;
+				if (isalpha((unsigned char)ch)) {
+					if ((flags & RPP_FORCELOWER))
+						ch = (char)tolower((unsigned char)ch);
+					if ((flags & RPP_FORCEUPPER))
+						ch = (char)toupper((unsigned char)ch);
+				}
+				*p++ = ch;
+			}
+		}
+		*p = '\0';
+		save_errno = errno;
+		if (!(term.c_lflag & ECHO))
+			bytes_written = write(output, "\n", 1);
+	}
+
+	(void) bytes_written;
+
+	/* Restore old terminal settings and signals. */
+	if (memcmp(&term, &oterm, sizeof(term)) != 0) {
+		while (tcsetattr(input, _T_FLUSH, &oterm) == -1 &&
+		    errno == EINTR)
+			continue;
+	}
+	(void)sigaction(SIGALRM, &savealrm, NULL);
+	(void)sigaction(SIGHUP, &savehup, NULL);
+	(void)sigaction(SIGINT, &saveint, NULL);
+	(void)sigaction(SIGQUIT, &savequit, NULL);
+	(void)sigaction(SIGPIPE, &savepipe, NULL);
+	(void)sigaction(SIGTERM, &saveterm, NULL);
+	(void)sigaction(SIGTSTP, &savetstp, NULL);
+	(void)sigaction(SIGTTIN, &savettin, NULL);
+	(void)sigaction(SIGTTOU, &savettou, NULL);
+	if (input != STDIN_FILENO)
+		(void)close(input);
+
+	/*
+	 * If we were interrupted by a signal, resend it to ourselves
+	 * now that we have restored the signal handlers.
+	 */
+	for (i = 0; i < _NSIG; i++) {
+		if (signo[i]) {
+			kill(getpid(), i);
+			switch (i) {
+			case SIGTSTP:
+			case SIGTTIN:
+			case SIGTTOU:
+				need_restart = 1;
+			}
+		}
+	}
+	if (need_restart)
+		goto restart;
+
+	if (save_errno)
+		errno = save_errno;
+	return(nr == -1 ? NULL : buf);
+}
+
+static void handler(int s)
+{
+	signo[s] = 1;
+}

apps/nc/compat/socket.c

@@ -0,0 +1,29 @@
+#define SOCKET_FLAGS_PRIV
+
+#include <sys/socket.h>
+
+#ifdef NEED_SOCKET_FLAGS
+
+#include <fcntl.h>
+
+int
+_socket(int domain, int type, int protocol)
+{
+	int s = socket(domain, type & ~(SOCK_CLOEXEC | SOCK_NONBLOCK), protocol);
+	int flags;
+	if (s == -1)
+		return s;
+
+	if (type & SOCK_CLOEXEC) {
+		flags = fcntl(s, F_GETFD);
+		fcntl(s, F_SETFD, flags | FD_CLOEXEC);
+	}
+
+	if (type & SOCK_NONBLOCK) {
+		flags = fcntl(s, F_GETFL);
+		fcntl(s, F_SETFL, flags | O_NONBLOCK);
+	}
+	return s;
+}
+
+#endif

apps/nc/compat/strtonum.c

@@ -0,0 +1,65 @@
+/*	$OpenBSD: strtonum.c,v 1.7 2013/04/17 18:40:58 tedu Exp $	*/
+
+/*
+ * Copyright (c) 2004 Ted Unangst and Todd Miller
+ * All rights reserved.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+ * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+ * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+
+#include <errno.h>
+#include <limits.h>
+#include <stdlib.h>
+
+#define	INVALID		1
+#define	TOOSMALL	2
+#define	TOOLARGE	3
+
+long long
+strtonum(const char *numstr, long long minval, long long maxval,
+    const char **errstrp)
+{
+	long long ll = 0;
+	int error = 0;
+	char *ep;
+	struct errval {
+		const char *errstr;
+		int err;
+	} ev[4] = {
+		{ NULL,		0 },
+		{ "invalid",	EINVAL },
+		{ "too small",	ERANGE },
+		{ "too large",	ERANGE },
+	};
+
+	ev[0].err = errno;
+	errno = 0;
+	if (minval > maxval) {
+		error = INVALID;
+	} else {
+		ll = strtoll(numstr, &ep, 10);
+		if (numstr == ep || *ep != '\0')
+			error = INVALID;
+		else if ((ll == LLONG_MIN && errno == ERANGE) || ll < minval)
+			error = TOOSMALL;
+		else if ((ll == LLONG_MAX && errno == ERANGE) || ll > maxval)
+			error = TOOLARGE;
+	}
+	if (errstrp != NULL)
+		*errstrp = ev[error].errstr;
+	errno = ev[error].err;
+	if (error)
+		ll = 0;
+
+	return (ll);
+}

apps/nc/compat/sys/socket.h

@@ -0,0 +1,31 @@
+/*
+ * Public domain
+ * sys/socket.h compatibility shim
+ */
+
+#ifndef _WIN32
+#include_next <sys/socket.h>
+
+#if !defined(SOCK_NONBLOCK) || !defined(SOCK_CLOEXEC)
+#define NEED_SOCKET_FLAGS
+int _socket(int domain, int type, int protocol);
+#ifndef SOCKET_FLAGS_PRIV
+#define socket(d, t, p) _socket(d, t, p)
+#endif
+#endif
+
+#ifndef SOCK_NONBLOCK
+#define	SOCK_NONBLOCK		0x4000	/* set O_NONBLOCK */
+#endif
+
+#ifndef SOCK_CLOEXEC
+#define	SOCK_CLOEXEC		0x8000	/* set FD_CLOEXEC */
+#endif
+
+#ifndef HAVE_ACCEPT4
+int accept4(int s, struct sockaddr *addr, socklen_t *addrlen, int flags);
+#endif
+
+#else
+#include <win32netcompat.h>
+#endif

apps/openssl/CMakeLists.txt

@@ -0,0 +1,89 @@
+include_directories(
+	.
+	../../include
+	../../include/compat
+)
+
+set(
+	OPENSSL_SRC
+	apps.c
+	asn1pars.c
+	ca.c
+	ciphers.c
+	cms.c
+	crl.c
+	crl2p7.c
+	dgst.c
+	dh.c
+	dhparam.c
+	dsa.c
+	dsaparam.c
+	ec.c
+	ecparam.c
+	enc.c
+	errstr.c
+	gendh.c
+	gendsa.c
+	genpkey.c
+	genrsa.c
+	nseq.c
+	ocsp.c
+	openssl.c
+	passwd.c
+	pkcs12.c
+	pkcs7.c
+	pkcs8.c
+	pkey.c
+	pkeyparam.c
+	pkeyutl.c
+	prime.c
+	rand.c
+	req.c
+	rsa.c
+	rsautl.c
+	s_cb.c
+	s_client.c
+	s_server.c
+	s_socket.c
+	s_time.c
+	sess_id.c
+	smime.c
+	speed.c
+	spkac.c
+	ts.c
+	verify.c
+	version.c
+	x509.c
+)
+
+if(CMAKE_HOST_UNIX)
+	set(OPENSSL_SRC ${OPENSSL_SRC} apps_posix.c)
+	set(OPENSSL_SRC ${OPENSSL_SRC} certhash.c)
+endif()
+
+if(CMAKE_HOST_WIN32)
+	set(OPENSSL_SRC ${OPENSSL_SRC} apps_win.c)
+	set(OPENSSL_SRC ${OPENSSL_SRC} certhash_win.c)
+	set(OPENSSL_SRC ${OPENSSL_SRC} compat/poll_win.c)
+endif()
+
+check_function_exists(strtonum HAVE_STRTONUM)
+if(HAVE_STRTONUM)
+	add_definitions(-DHAVE_STRTONUM)
+else()
+	set(OPENSSL_SRC ${OPENSSL_SRC} compat/strtonum.c)
+endif()
+
+add_executable(openssl ${OPENSSL_SRC})
+target_link_libraries(openssl ${OPENSSL_LIBS})
+
+install(TARGETS openssl DESTINATION bin)
+install(FILES openssl.1 DESTINATION share/man/man1)
+
+if(NOT "${OPENSSLDIR}" STREQUAL "")
+	set(CONF_DIR "${OPENSSLDIR}")
+else()
+	set(CONF_DIR "${CMAKE_INSTALL_PREFIX}/etc/ssl")
+endif()
+install(FILES cert.pem openssl.cnf x509v3.cnf DESTINATION ${CONF_DIR})
+install(DIRECTORY DESTINATION ${CONF_DIR}/cert)

apps/openssl/Makefile.am

@@ -0,0 +1,119 @@
+include $(top_srcdir)/Makefile.am.common
+
+bin_PROGRAMS = openssl
+
+dist_man_MANS = openssl.1
+
+openssl_LDADD = $(PLATFORM_LDADD) $(PROG_LDADD)
+openssl_LDADD += $(abs_top_builddir)/ssl/libssl.la
+openssl_LDADD += $(abs_top_builddir)/crypto/libcrypto.la
+
+openssl_SOURCES = apps.c
+openssl_SOURCES += asn1pars.c
+openssl_SOURCES += ca.c
+openssl_SOURCES += ciphers.c
+openssl_SOURCES += cms.c
+openssl_SOURCES += crl.c
+openssl_SOURCES += crl2p7.c
+openssl_SOURCES += dgst.c
+openssl_SOURCES += dh.c
+openssl_SOURCES += dhparam.c
+openssl_SOURCES += dsa.c
+openssl_SOURCES += dsaparam.c
+openssl_SOURCES += ec.c
+openssl_SOURCES += ecparam.c
+openssl_SOURCES += enc.c
+openssl_SOURCES += errstr.c
+openssl_SOURCES += gendh.c
+openssl_SOURCES += gendsa.c
+openssl_SOURCES += genpkey.c
+openssl_SOURCES += genrsa.c
+openssl_SOURCES += nseq.c
+openssl_SOURCES += ocsp.c
+openssl_SOURCES += openssl.c
+openssl_SOURCES += passwd.c
+openssl_SOURCES += pkcs12.c
+openssl_SOURCES += pkcs7.c
+openssl_SOURCES += pkcs8.c
+openssl_SOURCES += pkey.c
+openssl_SOURCES += pkeyparam.c
+openssl_SOURCES += pkeyutl.c
+openssl_SOURCES += prime.c
+openssl_SOURCES += rand.c
+openssl_SOURCES += req.c
+openssl_SOURCES += rsa.c
+openssl_SOURCES += rsautl.c
+openssl_SOURCES += s_cb.c
+openssl_SOURCES += s_client.c
+openssl_SOURCES += s_server.c
+openssl_SOURCES += s_socket.c
+openssl_SOURCES += s_time.c
+openssl_SOURCES += sess_id.c
+openssl_SOURCES += smime.c
+openssl_SOURCES += speed.c
+openssl_SOURCES += spkac.c
+openssl_SOURCES += ts.c
+openssl_SOURCES += verify.c
+openssl_SOURCES += version.c
+openssl_SOURCES += x509.c
+
+if BUILD_CERTHASH
+openssl_SOURCES += certhash.c
+else
+openssl_SOURCES += certhash_win.c
+endif
+
+if HOST_WIN
+openssl_SOURCES += apps_win.c
+else
+openssl_SOURCES += apps_posix.c
+endif
+
+if !HAVE_POLL
+if HOST_WIN
+openssl_SOURCES += compat/poll_win.c
+endif
+endif
+
+if !HAVE_STRTONUM
+openssl_SOURCES += compat/strtonum.c
+endif
+
+noinst_HEADERS = apps.h
+noinst_HEADERS += progs.h
+noinst_HEADERS += s_apps.h
+noinst_HEADERS += testdsa.h
+noinst_HEADERS += testrsa.h
+noinst_HEADERS += timeouts.h
+
+EXTRA_DIST = cert.pem
+EXTRA_DIST += openssl.cnf
+EXTRA_DIST += x509v3.cnf
+EXTRA_DIST += CMakeLists.txt
+
+install-exec-hook:
+	@if [ "@OPENSSLDIR@x" != "x" ]; then \
+		OPENSSLDIR="$(DESTDIR)/@OPENSSLDIR@"; \
+	else \
+		OPENSSLDIR="$(DESTDIR)/$(sysconfdir)/ssl"; \
+	fi; \
+	mkdir -p "$$OPENSSLDIR/certs"; \
+	for i in cert.pem openssl.cnf x509v3.cnf; do \
+		if [ ! -f "$$OPENSSLDIR/$i" ]; then \
+			$(INSTALL) -m 644 "$(srcdir)/$$i" "$$OPENSSLDIR/$$i"; \
+		else \
+			echo " $$OPENSSLDIR/$$i already exists, install will not overwrite"; \
+		fi \
+	done
+
+uninstall-local:
+	@if [ "@OPENSSLDIR@x" != "x" ]; then \
+		OPENSSLDIR="$(DESTDIR)/@OPENSSLDIR@"; \
+	else \
+		OPENSSLDIR="$(DESTDIR)/$(sysconfdir)/ssl"; \
+	fi; \
+	for i in cert.pem openssl.cnf x509v3.cnf; do \
+		if cmp -s "$$OPENSSLDIR/$$i" "$(srcdir)/$$i"; then \
+			rm -f "$$OPENSSLDIR/$$i"; \
+		fi \
+	done

apps/openssl/apps_win.c

@@ -0,0 +1,60 @@
+/*
+ * Public domain
+ *
+ * Dongsheng Song <dongsheng.song@gmail.com>
+ * Brent Cook <bcook@openbsd.org>
+ */
+
+#include <windows.h>
+
+#include <io.h>
+#include <fcntl.h>
+
+#include "apps.h"
+
+double
+app_tminterval(int stop, int usertime)
+{
+	static unsigned __int64 tmstart;
+	union {
+		unsigned __int64 u64;
+		FILETIME ft;
+	} ct, et, kt, ut;
+
+	GetProcessTimes(GetCurrentProcess(), &ct.ft, &et.ft, &kt.ft, &ut.ft);
+
+	if (stop == TM_START) {
+		tmstart = ut.u64 + kt.u64;
+	} else {
+		return (ut.u64 + kt.u64 - tmstart) / (double) 10000000;
+	}
+	return 0;
+}
+
+int
+setup_ui(void)
+{
+	ui_method = UI_create_method("OpenSSL application user interface");
+	UI_method_set_opener(ui_method, ui_open);
+	UI_method_set_reader(ui_method, ui_read);
+	UI_method_set_writer(ui_method, ui_write);
+	UI_method_set_closer(ui_method, ui_close);
+
+	/*
+	 * Set STDIO to binary
+	 */
+	_setmode(_fileno(stdin), _O_BINARY);
+	_setmode(_fileno(stdout), _O_BINARY);
+	_setmode(_fileno(stderr), _O_BINARY);
+
+	return 0;
+}
+
+void
+destroy_ui(void)
+{
+	if (ui_method) {
+		UI_destroy_method(ui_method);
+		ui_method = NULL;
+	}
+}

autogen.sh

@@ -4,3 +4,12 @@ set -e
 ./update.sh
 mkdir -p m4
 autoreconf -i -f
+
+# Patch libtool 2.4.2 to pass -fstack-protector as a linker argument
+sed 's/-fuse-linker-plugin)/-fuse-linker-plugin|-fstack-protector*)/' \
+  ltmain.sh > ltmain.sh.fixed
+mv -f ltmain.sh.fixed ltmain.sh
+
+# Update config scripts and fixup permissions
+find . ! -perm -u=w -exec chmod u+w {} \;
+cp scripts/config.* .

check-release.sh

@@ -0,0 +1,70 @@
+#!/bin/sh
+set -e
+
+ver=$1
+dir=libressl-$ver
+tarball=$dir.tar.gz
+tag=v$ver
+
+if [ -z "$LIBRESSL_SSH" ]; then
+	if ! curl -v 1>/dev/null 2>&1; then
+		download="curl -O"
+	elif echo quit | ftp 1>/dev/null 2>&1; then
+		download=ftp
+	else
+		echo "need 'ftp' or 'curl' to verify"
+		exit
+	fi
+fi
+
+if [ "$ver" = "" ]; then
+	echo "please specify a version to check, e.g. $0 2.1.2"
+	exit
+fi
+
+if [ ! -e releases/$tarball ]; then
+	mkdir -p releases
+	rm -f $tarball
+	if [ -z "$LIBRESSL_SSH" ]; then
+		$download http://ftp.openbsd.org/pub/OpenBSD/LibreSSL/$tarball releases/
+		mv $tarball releases
+	else
+		scp $LIBRESSL_SSH/$tarball releases
+	fi
+	(cd releases; tar zxvf $tarball)
+fi
+
+if [ ! -e gen-releases/$tarball ]; then
+	rm -fr tests man include ssl crypto libtls-standalone/VERSION INSTALL
+	git checkout OPENBSD_BRANCH update.sh tests man include ssl crypto
+	git checkout $tag
+	echo "libressl-$tag" > OPENBSD_BRANCH
+	sed -i 's/git pull --rebase//' update.sh
+	./autogen.sh
+	./configure --enable-libtls
+	make dist
+
+	mkdir -p gen-releases
+	mv $tarball gen-releases
+
+	git checkout OPENBSD_BRANCH update.sh
+	git checkout master
+fi
+
+(cd gen-releases; rm -fr $dir; tar zxf $tarball)
+(cd releases; rm -fr $dir; tar zxf $tarball)
+
+echo "differences between release and regenerated release tag:"
+diff -urN \
+	-x *.3 \
+	-x Makefile.in \
+	-x aclocal.m4 \
+	-x compile \
+	-x config.guess \
+	-x config.sub \
+	-x configure \
+	-x depcomp \
+	-x install-sh \
+	-x missing \
+	-x test-driver \
+	releases/$dir gen-releases/$dir

cmake_uninstall.cmake.in

@@ -0,0 +1,21 @@
+if(NOT EXISTS "@CMAKE_CURRENT_BINARY_DIR@/install_manifest.txt")
+	message(FATAL_ERROR "Cannot find install manifest: @CMAKE_CURRENT_BINARY_DIR@/install_manifest.txt")
+endif(NOT EXISTS "@CMAKE_CURRENT_BINARY_DIR@/install_manifest.txt")
+
+file(READ "@CMAKE_CURRENT_BINARY_DIR@/install_manifest.txt" files)
+string(REGEX REPLACE "\n" ";" files "${files}")
+foreach(file ${files})
+	message(STATUS "Uninstalling $ENV{DESTDIR}${file}")
+	if(IS_SYMLINK "$ENV{DESTDIR}${file}" OR EXISTS "$ENV{DESTDIR}${file}")
+		exec_program(
+			"@CMAKE_COMMAND@" ARGS "-E remove \"$ENV{DESTDIR}${file}\""
+			OUTPUT_VARIABLE rm_out
+			RETURN_VALUE rm_retval
+			)
+		if(NOT "${rm_retval}" STREQUAL 0)
+			message(FATAL_ERROR "Problem when removing $ENV{DESTDIR}${file}")
+		endif(NOT "${rm_retval}" STREQUAL 0)
+	else(IS_SYMLINK "$ENV{DESTDIR}${file}" OR EXISTS "$ENV{DESTDIR}${file}")
+		message(STATUS "File $ENV{DESTDIR}${file} does not exist.")
+	endif(IS_SYMLINK "$ENV{DESTDIR}${file}" OR EXISTS "$ENV{DESTDIR}${file}")
+endforeach(file)

configure.ac

@@ -1,291 +1,74 @@
+# Copyright (c) 2014-2015 Brent Cook
+#
+# Permission to use, copy, modify, and distribute this software for any
+# purpose with or without fee is hereby granted, provided that the above
+# copyright notice and this permission notice appear in all copies.
+#
+# THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+# WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+# MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+# ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+# WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+# ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+# OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+
 AC_INIT([libressl], m4_esyscmd([tr -d '\n' < VERSION]))
 AC_SUBST([LIBCRYPTO_VERSION], m4_esyscmd([tr -d '\n' < crypto/VERSION]))
 AC_SUBST([LIBSSL_VERSION], m4_esyscmd([tr -d '\n' < ssl/VERSION]))
 AC_SUBST([LIBTLS_VERSION], m4_esyscmd([tr -d '\n' < tls/VERSION]))
 
 AC_CANONICAL_HOST
-AM_INIT_AUTOMAKE([subdir-objects])
+AM_INIT_AUTOMAKE([subdir-objects foreign])
 AC_CONFIG_MACRO_DIR([m4])
 
 m4_ifdef([AM_SILENT_RULES], [AM_SILENT_RULES([yes])])
 
-AC_SUBST([USER_CFLAGS], "$CFLAGS")
-CFLAGS="-Wall -std=gnu99 -g -O2"
-
-case $host_os in
-	*darwin*)
-		HOST_OS=darwin
-		HOST_ABI=macosx
-		;;
-	*freebsd*)
-		HOST_OS=freebsd
-		HOST_ABI=elf
-		AC_SUBST([PROG_LDADD], ['-lthr'])
-		;;
-	*hpux*)
-		HOST_OS=hpux;
-		CFLAGS="$CFLAGS -mlp64 -D_XOPEN_SOURCE=600 -D__STRICT_ALIGNMENT"
-		AC_SUBST([PLATFORM_LDADD], ['-lpthread'])
-		;;
-	*linux*)
-		HOST_OS=linux
-		HOST_ABI=elf
-		CFLAGS="$CFLAGS -D_DEFAULT_SOURCE -D_BSD_SOURCE -D_POSIX_SOURCE -D_GNU_SOURCE"
-		;;
-	*netbsd*)
-		HOST_OS=netbsd
-		;;
-	*openbsd*)
-		HOST_ABI=elf
-		AC_DEFINE([HAVE_ATTRIBUTE__BOUNDED__], [1], [OpenBSD gcc has bounded])
-		;;
-	*mingw*)
-		HOST_OS=win
-		CFLAGS="$CFLAGS -D_GNU_SOURCE -D_POSIX -D_POSIX_SOURCE -D_REENTRANT -D_POSIX_THREAD_SAFE_FUNCTIONS -DWIN32_LEAN_AND_MEAN -D_WIN32_WINNT=0x0600 -DOPENSSL_NO_SPEED -DNO_SYSLOG -D__USE_MINGW_ANSI_STDIO -static-libgcc"
-		LDFLAGS="$LDFLAGS -static-libgcc"
-		AC_SUBST([PLATFORM_LDADD], ['-lws2_32'])
-		;;
-	*solaris*)
-		HOST_OS=solaris
-		HOST_ABI=elf
-		CFLAGS="$CFLAGS -D__EXTENSIONS__ -D_XOPEN_SOURCE=600 -DBSD_COMP"
-		AC_SUBST([PLATFORM_LDADD], ['-lnsl -lsocket'])
-		;;
-	*) ;;
-esac
-
-AM_CONDITIONAL([HOST_DARWIN],  [test x$HOST_OS = xdarwin])
-AM_CONDITIONAL([HOST_FREEBSD], [test x$HOST_OS = xfreebsd])
-AM_CONDITIONAL([HOST_HPUX],    [test x$HOST_OS = xhpux])
-AM_CONDITIONAL([HOST_LINUX],   [test x$HOST_OS = xlinux])
-AM_CONDITIONAL([HOST_NETBSD],  [test x$HOST_OS = xnetbsd])
-AM_CONDITIONAL([HOST_SOLARIS], [test x$HOST_OS = xsolaris])
-AM_CONDITIONAL([HOST_WIN],     [test x$HOST_OS = xwin])
-
-AC_CHECK_FUNC([clock_gettime],,
-	[AC_SEARCH_LIBS([clock_gettime],[rt posix4])])
-
-AC_CHECK_FUNC([dl_iterate_phdr],,
-	[AC_SEARCH_LIBS([dl_iterate_phdr],[dl])])
+# This must be saved before AC_PROG_CC
+USER_CFLAGS="$CFLAGS"
 
 AC_PROG_CC
-AC_PROG_LIBTOOL
 AC_PROG_CC_STDC
 AM_PROG_CC_C_O
+AC_PROG_LIBTOOL
+LT_INIT
 
-AC_MSG_CHECKING([if compiling with clang])
-AC_COMPILE_IFELSE([AC_LANG_PROGRAM([], [[
-#ifndef __clang__
-	not clang
-#endif
-	]])],
-	[CLANG=yes],
-	[CLANG=no]
-)
-AC_MSG_RESULT([$CLANG])
-AS_IF([test "x$CLANG" = "xyes"], [CLANG_FLAGS=-Qunused-arguments])
+CHECK_OS_OPTIONS
 
-# We want to check for compiler flag support. Prior to clang v5.1, there was no
-# way to make clang's "argument unused" warning fatal.  So we invoke the
-# compiler through a wrapper script that greps for this message.
-saved_CC="$CC"
-saved_LD="$LD"
-flag_wrap="$srcdir/scripts/wrap-compiler-for-flag-check"
-CC="$flag_wrap $CC"
-LD="$flag_wrap $LD"
+CHECK_C_HARDENING_OPTIONS
 
-AC_ARG_ENABLE([hardening],
-	[AS_HELP_STRING([--disable-hardening],
-			[Disable options to frustrate memory corruption exploits])],
-	[], [enable_hardening=yes])
-
-AC_ARG_ENABLE([windows-ssp],
-	[AS_HELP_STRING([--enable-windows-ssp],
-			[Enable building the stack smashing protection on
-			 Windows. This currently distributing libssp-0.dll.])])
-
-AC_DEFUN([CHECK_CFLAG], [
-	 AC_LANG_ASSERT(C)
-	 AC_MSG_CHECKING([if $saved_CC supports "$1"])
-	 old_cflags="$CFLAGS"
-	 CFLAGS="$1 -Wall -Werror"
-	 AC_TRY_LINK([
-		      #include <stdio.h>
-		      ],
-		     [printf("Hello")],
-		     AC_MSG_RESULT([yes])
-		     CFLAGS=$old_cflags
-		     HARDEN_CFLAGS="$HARDEN_CFLAGS $1",
-		     AC_MSG_RESULT([no])
-		     CFLAGS=$old_cflags
-		     [$2])
-])
-
-AC_DEFUN([CHECK_LDFLAG], [
-	 AC_LANG_ASSERT(C)
-	 AC_MSG_CHECKING([if $saved_LD supports "$1"])
-	 old_ldflags="$LDFLAGS"
-	 LDFLAGS="$1 -Wall -Werror"
-	 AC_TRY_LINK([
-		      #include <stdio.h>
-		      ],
-		     [printf("Hello")],
-		     AC_MSG_RESULT([yes])
-		     LDFLAGS=$old_ldflags
-		     HARDEN_LDFLAGS="$HARDEN_LDFLAGS $1",
-		     AC_MSG_RESULT([no])
-		     LDFLAGS=$old_ldflags
-		     [$2])
-])
-
-AS_IF([test "x$enable_hardening" = "xyes"], [
-	# Tell GCC to NOT optimize based on signed arithmetic overflow
-	CHECK_CFLAG([[-fno-strict-overflow]])
-
-	# _FORTIFY_SOURCE replaces builtin functions with safer versions.
-	CHECK_CFLAG([[-D_FORTIFY_SOURCE=2]])
-
-	# Enable read only relocations
-	CHECK_LDFLAG([[-Wl,-z,relro]])
-	CHECK_LDFLAG([[-Wl,-z,now]])
-
-	# Windows security flags
-	AS_IF([test "x$HOST_OS" = "xwin"], [
-		CHECK_LDFLAG([[-Wl,--nxcompat]])
-		CHECK_LDFLAG([[-Wl,--dynamicbase]])
-		CHECK_LDFLAG([[-Wl,--high-entropy-va]])
-	])
-
-	# Use stack-protector-strong if available; if not, fallback to
-	# stack-protector-all which is considered to be overkill
-	AS_IF([test "x$enable_windows_ssp" = "xyes" -o "x$HOST_OS" != "xwin"], [
-		CHECK_CFLAG([[-fstack-protector-strong]],
-			CHECK_CFLAG([[-fstack-protector-all]],
-				AC_MSG_WARN([compiler does not appear to support stack protection])
-			)
-		)
-		AS_IF([test "x$HOST_OS" = "xwin"], [
-			AC_SEARCH_LIBS([__stack_chk_guard],[ssp])
-		])
-	])
-])
-
-
-# Restore CC, LD
-CC="$saved_CC"
-LD="$saved_LD"
-
-CFLAGS="$CFLAGS $HARDEN_CFLAGS"
-LDFLAGS="$LDFLAGS $HARDEN_LDFLAGS"
-
-# Removing the dependency on -Wno-pointer-sign should be a goal
-save_cflags="$CFLAGS"
-CFLAGS=-Wno-pointer-sign
-AC_MSG_CHECKING([whether CC supports -Wno-pointer-sign])
-AC_COMPILE_IFELSE([AC_LANG_PROGRAM([])],
-	[AC_MSG_RESULT([yes])]
-	[AM_CFLAGS=-Wno-pointer-sign],
-	[AC_MSG_RESULT([no])]
-)
-CFLAGS="$save_cflags $AM_CFLAGS"
-
-save_cflags="$CFLAGS"
-CFLAGS=
-AC_MSG_CHECKING([whether AS supports .note.GNU-stack])
-AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
-__asm__(".section .note.GNU-stack,\"\",@progbits");]])],
-	[AC_MSG_RESULT([yes])]
-	[AM_CFLAGS=-DHAVE_GNU_STACK],
-	[AC_MSG_RESULT([no])]
-)
-CFLAGS="$save_cflags $AM_CFLAGS"
+DISABLE_AS_EXECUTABLE_STACK
 AM_PROG_AS
 
-CFLAGS="$CFLAGS $CLANG_CFLAGS"
-LDFLAGS="$LDFLAGS $CLANG_FLAGS"
+DISABLE_COMPILER_WARNINGS
 
-AC_CHECK_FUNCS([arc4random_buf asprintf explicit_bzero funopen getauxval])
-AC_CHECK_FUNCS([getentropy issetugid memmem poll reallocarray])
-AC_CHECK_FUNCS([strlcat strlcpy strndup strnlen strsep strtonum])
+# Check if the certhash command should be built
 AC_CHECK_FUNCS([symlink])
-AC_CHECK_FUNCS([timingsafe_bcmp timingsafe_memcmp])
-
-# Share test results with automake
-AM_CONDITIONAL([HAVE_ARC4RANDOM_BUF], [test "x$ac_cv_func_arc4random_buf" = xyes])
-AM_CONDITIONAL([HAVE_ASPRINTF], [test "x$ac_cv_func_asprintf" = xyes])
-AM_CONDITIONAL([HAVE_EXPLICIT_BZERO], [test "x$ac_cv_func_explicit_bzero" = xyes])
-AM_CONDITIONAL([HAVE_GETENTROPY], [test "x$ac_cv_func_getentropy" = xyes])
-AM_CONDITIONAL([HAVE_ISSETUGID], [test "x$ac_cv_func_issetugid" = xyes])
-AM_CONDITIONAL([HAVE_MEMMEM], [test "x$ac_cv_func_memmem" = xyes])
-AM_CONDITIONAL([HAVE_POLL], [test "x$ac_cv_func_poll" = xyes])
-AM_CONDITIONAL([HAVE_REALLOCARRAY], [test "x$ac_cv_func_reallocarray" = xyes])
-AM_CONDITIONAL([HAVE_STRLCAT], [test "x$ac_cv_func_strlcat" = xyes])
-AM_CONDITIONAL([HAVE_STRLCPY], [test "x$ac_cv_func_strlcpy" = xyes])
-AM_CONDITIONAL([HAVE_STRNDUP], [test "x$ac_cv_func_strndup" = xyes])
-AM_CONDITIONAL([HAVE_STRNLEN], [test "x$ac_cv_func_strnlen" = xyes])
-AM_CONDITIONAL([HAVE_STRSEP], [test "x$ac_cv_func_strsep" = xyes])
-AM_CONDITIONAL([HAVE_STRTONUM], [test "x$ac_cv_func_strtonum" = xyes])
-AM_CONDITIONAL([HAVE_TIMINGSAFE_BCMP], [test "x$ac_cv_func_timingsafe_bcmp" = xyes])
-AM_CONDITIONAL([HAVE_TIMINGSAFE_MEMCMP], [test "x$ac_cv_func_timingsafe_memcmp" = xyes])
 AM_CONDITIONAL([BUILD_CERTHASH], [test "x$ac_cv_func_symlink" = xyes])
 
-# overrides for arc4random_buf implementations with known issues
-AM_CONDITIONAL([HAVE_ARC4RANDOM_BUF],
-	[test "x$HOST_OS" != xdarwin \
-	   -a "x$HOST_OS" != xfreebsd \
-	   -a "x$HOST_OS" != xnetbsd \
-	   -a "x$ac_cv_func_arc4random_buf" = xyes])
+# Check if funopen exists
+AC_CHECK_FUNC([funopen])
 
-# overrides for issetugid implementations with known issues
-AM_CONDITIONAL([HAVE_ISSETUGID],
-       [test "x$HOST_OS" != xdarwin \
-	  -a "x$ac_cv_func_issetugid" = xyes])
-
-AC_CACHE_CHECK([whether va_copy exists], ac_cv_have_va_copy, [
-	AC_LINK_IFELSE([AC_LANG_PROGRAM([[
-#include <stdarg.h>
-va_list x,y;
-		]], [[ va_copy(x,y); ]])],
-	[ ac_cv_have_va_copy="yes" ],
-	[ ac_cv_have_va_copy="no"
-	])
-])
-if test "x$ac_cv_have_va_copy" = "xyes" ; then
-	AC_DEFINE([HAVE_VA_COPY], [1], [Define if va_copy exists])
-fi
-
-AC_CACHE_CHECK([whether __va_copy exists], ac_cv_have___va_copy, [
-	AC_LINK_IFELSE([AC_LANG_PROGRAM([[
-#include <stdarg.h>
-va_list x,y;
-		]], [[ __va_copy(x,y); ]])],
-	[ ac_cv_have___va_copy="yes" ], [ ac_cv_have___va_copy="no"
-	])
-])
-if test "x$ac_cv_have___va_copy" = "xyes" ; then
-	AC_DEFINE([HAVE___VA_COPY], [1], [Define if __va_copy exists])
-fi
-
-AC_CHECK_HEADERS([sys/sysctl.h err.h])
+CHECK_LIBC_COMPAT
+CHECK_SYSCALL_COMPAT
+CHECK_CRYPTO_COMPAT
+CHECK_VA_COPY
+CHECK_B64_NTOP
 
 AC_ARG_WITH([openssldir],
 	AS_HELP_STRING([--with-openssldir],
 		       [Set the default openssl directory]),
-	AC_DEFINE_UNQUOTED(OPENSSLDIR, "$withval")
+	OPENSSLDIR="$withval"
+	AC_SUBST(OPENSSLDIR)
 )
+AM_CONDITIONAL([OPENSSLDIR_DEFINED], [test x$with_openssldir != x])
 
-AC_ARG_WITH([enginesdir],
-	AS_HELP_STRING([--with-enginesdir],
-		       [Set the default engines directory (use with openssldir)]),
-	AC_DEFINE_UNQUOTED(ENGINESDIR, "$withval")
-)
-
-AC_ARG_ENABLE([asm],
-	AS_HELP_STRING([--disable-asm], [Disable assembly]))
-AM_CONDITIONAL([OPENSSL_NO_ASM], [test "x$enable_asm" = "xno"])
+AC_ARG_ENABLE([extratests],
+	AS_HELP_STRING([--enable-extratests], [Enable extra tests that may be unreliable on some platforms]))
+AM_CONDITIONAL([ENABLE_EXTRATESTS], [test "x$enable_extratests" = xyes])
 
+# Add CPU-specific alignment flags
 old_cflags=$CFLAGS
-CFLAGS="$USER_CFLAGS -I$srcdir/include"
+CFLAGS="$CFLAGS -I$srcdir/include"
 AC_MSG_CHECKING([if BSWAP4 builds without __STRICT_ALIGNMENT])
 AC_TRY_COMPILE([#include "$srcdir/crypto/modes/modes_lcl.h"],
 	       [int a = 0; BSWAP4(a);],
@@ -297,25 +80,42 @@ CFLAGS="$old_cflags"
 
 case $host_cpu in
 	*sparc*)
-		CFLAGS="$CFLAGS -D__STRICT_ALIGNMENT"
+		CPPFLAGS="$CPPFLAGS -D__STRICT_ALIGNMENT"
 		;;
 	*arm*)
 		AS_IF([test "x$BSWAP4" = "xyes"],,
-		    CFLAGS="$CFLAGS -D__STRICT_ALIGNMENT")
+		    CPPFLAGS="$CPPFLAGS -D__STRICT_ALIGNMENT")
 		;;
+	*amd64*)
+		host_cpu=x86_64
+		;;
+
 esac
 
+AC_MSG_CHECKING([if .gnu.warning accepts long strings])
+AC_LINK_IFELSE([AC_LANG_SOURCE([[
+extern void SSLv3_method();
+__asm__(".section .gnu.warning.SSLv3_method; .ascii \"SSLv3_method is insecure\" ; .text");
+int main() {return 0;}
+]])], [
+    AC_DEFINE(HAS_GNU_WARNING_LONG, 1, [Define if .gnu.warning accepts long strings.])
+    AC_MSG_RESULT(yes)
+], [
+   AC_MSG_RESULT(no)
+])
+
+AC_ARG_ENABLE([asm],
+	AS_HELP_STRING([--disable-asm], [Disable assembly]))
+AM_CONDITIONAL([OPENSSL_NO_ASM], [test "x$enable_asm" = "xno"])
+
+# Conditionally enable assembly by default
 AM_CONDITIONAL([HOST_ASM_ELF_X86_64],
     [test "x$HOST_ABI" = "xelf" -a "$host_cpu" = "x86_64" -a "x$enable_asm" != "xno"])
 AM_CONDITIONAL([HOST_ASM_MACOSX_X86_64],
     [test "x$HOST_ABI" = "xmacosx" -a "$host_cpu" = "x86_64" -a "x$enable_asm" != "xno"])
 
-AC_ARG_ENABLE([libtls],
-	AS_HELP_STRING([--enable-libtls], [Enable building the libtls library]))
-AM_CONDITIONAL([ENABLE_LIBTLS], [test "x$enable_libtls" = xyes])
-AM_COND_IF([ENABLE_LIBTLS], [AC_CONFIG_FILES([libtls.pc])])
-
-LT_INIT
+# Check if time_t is sized correctly
+AC_CHECK_SIZEOF([time_t], [time.h])
 
 AC_CONFIG_FILES([
 	Makefile
@@ -326,10 +126,21 @@ AC_CONFIG_FILES([
 	tls/Makefile
 	tests/Makefile
 	apps/Makefile
+	apps/openssl/Makefile
+	apps/nc/Makefile
 	man/Makefile
 	libcrypto.pc
 	libssl.pc
+	libtls.pc
 	openssl.pc
 ])
 
+AM_CONDITIONAL([SMALL_TIME_T], [test "$ac_cv_sizeof_time_t" = "4"])
+if test "$ac_cv_sizeof_time_t" = "4"; then
+    echo " ** Warning, this system is unable to represent times past 2038"
+    echo " ** It will behave incorrectly when handling valid RFC5280 dates"
+fi
+
+AC_REQUIRE_AUX_FILE([tap-driver.sh])
+
 AC_OUTPUT

crypto/CMakeLists.txt

@@ -0,0 +1,766 @@
+include_directories(
+	.
+	../include
+	../include/compat
+	asn1
+	dsa
+	evp
+	modes
+)
+
+if(HOST_ASM_ELF_X86_64)
+	set(
+		ASM_X86_64_ELF_SRC
+		aes/aes-elf-x86_64.s
+		aes/bsaes-elf-x86_64.s
+		aes/vpaes-elf-x86_64.s
+		aes/aesni-elf-x86_64.s
+		aes/aesni-sha1-elf-x86_64.s
+		bn/modexp512-elf-x86_64.s
+		bn/mont-elf-x86_64.s
+		bn/mont5-elf-x86_64.s
+		bn/gf2m-elf-x86_64.s
+		camellia/cmll-elf-x86_64.s
+		md5/md5-elf-x86_64.s
+		modes/ghash-elf-x86_64.s
+		rc4/rc4-elf-x86_64.s
+		rc4/rc4-md5-elf-x86_64.s
+		sha/sha1-elf-x86_64.s
+		sha/sha256-elf-x86_64.S
+		sha/sha512-elf-x86_64.S
+		whrlpool/wp-elf-x86_64.s
+		cpuid-elf-x86_64.S
+	)
+	add_definitions(-DAES_ASM)
+	add_definitions(-DBSAES_ASM)
+	add_definitions(-DVPAES_ASM)
+	add_definitions(-DOPENSSL_IA32_SSE2)
+	add_definitions(-DOPENSSL_BN_ASM_MONT)
+	add_definitions(-DOPENSSL_BN_ASM_MONT5)
+	add_definitions(-DOPENSSL_BN_ASM_GF2m)
+	add_definitions(-DMD5_ASM)
+	add_definitions(-DGHASH_ASM)
+	add_definitions(-DRSA_ASM)
+	add_definitions(-DSHA1_ASM)
+	add_definitions(-DSHA256_ASM)
+	add_definitions(-DSHA512_ASM)
+	add_definitions(-DWHIRLPOOL_ASM)
+	add_definitions(-DOPENSSL_CPUID_OBJ)
+	set(CRYPTO_SRC ${CRYPTO_SRC} ${ASM_X86_64_ELF_SRC})
+	set_property(SOURCE ${ASM_X86_64_ELF_SRC} PROPERTY LANGUAGE C)
+endif()
+
+if(HOST_ASM_MACOSX_X86_64)
+	set(
+		ASM_X86_64_MACOSX_SRC
+		aes/aes-macosx-x86_64.s
+		aes/bsaes-macosx-x86_64.s
+		aes/vpaes-macosx-x86_64.s
+		aes/aesni-macosx-x86_64.s
+		aes/aesni-sha1-macosx-x86_64.s
+		bn/modexp512-macosx-x86_64.s
+		bn/mont-macosx-x86_64.s
+		bn/mont5-macosx-x86_64.s
+		bn/gf2m-macosx-x86_64.s
+		camellia/cmll-macosx-x86_64.s
+		md5/md5-macosx-x86_64.s
+		modes/ghash-macosx-x86_64.s
+		rc4/rc4-macosx-x86_64.s
+		rc4/rc4-md5-macosx-x86_64.s
+		sha/sha1-macosx-x86_64.s
+		sha/sha256-macosx-x86_64.S
+		sha/sha512-macosx-x86_64.S
+		whrlpool/wp-macosx-x86_64.s
+		cpuid-macosx-x86_64.S
+	)
+	add_definitions(-DAES_ASM)
+	add_definitions(-DBSAES_ASM)
+	add_definitions(-DVPAES_ASM)
+	add_definitions(-DOPENSSL_IA32_SSE2)
+	add_definitions(-DOPENSSL_BN_ASM_MONT)
+	add_definitions(-DOPENSSL_BN_ASM_MONT5)
+	add_definitions(-DOPENSSL_BN_ASM_GF2m)
+	add_definitions(-DMD5_ASM)
+	add_definitions(-DGHASH_ASM)
+	add_definitions(-DRSA_ASM)
+	add_definitions(-DSHA1_ASM)
+	add_definitions(-DSHA256_ASM)
+	add_definitions(-DSHA512_ASM)
+	add_definitions(-DWHIRLPOOL_ASM)
+	add_definitions(-DOPENSSL_CPUID_OBJ)
+	set(CRYPTO_SRC ${CRYPTO_SRC} ${ASM_X86_64_MACOSX_SRC})
+	set_property(SOURCE ${ASM_X86_64_MACOSX_SRC} PROPERTY LANGUAGE C)
+endif()
+
+if((NOT HOST_ASM_ELF_X86_64) AND (NOT HOST_ASM_MACOSX_X86_64))
+	set(
+		CRYPTO_SRC
+		${CRYPTO_SRC}
+		aes/aes_cbc.c
+		aes/aes_core.c
+		camellia/camellia.c
+		camellia/cmll_cbc.c
+		rc4/rc4_enc.c
+		rc4/rc4_skey.c
+		whrlpool/wp_block.c
+	)
+endif()
+
+set(
+	CRYPTO_SRC
+	${CRYPTO_SRC}
+	cpt_err.c
+	cryptlib.c
+	cversion.c
+	ex_data.c
+	malloc-wrapper.c
+	mem_clr.c
+	mem_dbg.c
+	o_init.c
+	o_str.c
+	o_time.c
+	aes/aes_cfb.c
+	aes/aes_ctr.c
+	aes/aes_ecb.c
+	aes/aes_ige.c
+	aes/aes_misc.c
+	aes/aes_ofb.c
+	aes/aes_wrap.c
+	asn1/a_bitstr.c
+	asn1/a_bool.c
+	asn1/a_bytes.c
+	asn1/a_d2i_fp.c
+	asn1/a_digest.c
+	asn1/a_dup.c
+	asn1/a_enum.c
+	asn1/a_i2d_fp.c
+	asn1/a_int.c
+	asn1/a_mbstr.c
+	asn1/a_object.c
+	asn1/a_octet.c
+	asn1/a_print.c
+	asn1/a_set.c
+	asn1/a_sign.c
+	asn1/a_strex.c
+	asn1/a_strnid.c
+	asn1/a_time.c
+	asn1/a_time_tm.c
+	asn1/a_type.c
+	asn1/a_utf8.c
+	asn1/a_verify.c
+	asn1/ameth_lib.c
+	asn1/asn1_err.c
+	asn1/asn1_gen.c
+	asn1/asn1_lib.c
+	asn1/asn1_par.c
+	asn1/asn_mime.c
+	asn1/asn_moid.c
+	asn1/asn_pack.c
+	asn1/bio_asn1.c
+	asn1/bio_ndef.c
+	asn1/d2i_pr.c
+	asn1/d2i_pu.c
+	asn1/evp_asn1.c
+	asn1/f_enum.c
+	asn1/f_int.c
+	asn1/f_string.c
+	asn1/i2d_pr.c
+	asn1/i2d_pu.c
+	asn1/n_pkey.c
+	asn1/nsseq.c
+	asn1/p5_pbe.c
+	asn1/p5_pbev2.c
+	asn1/p8_pkey.c
+	asn1/t_bitst.c
+	asn1/t_crl.c
+	asn1/t_pkey.c
+	asn1/t_req.c
+	asn1/t_spki.c
+	asn1/t_x509.c
+	asn1/t_x509a.c
+	asn1/tasn_dec.c
+	asn1/tasn_enc.c
+	asn1/tasn_fre.c
+	asn1/tasn_new.c
+	asn1/tasn_prn.c
+	asn1/tasn_typ.c
+	asn1/tasn_utl.c
+	asn1/x_algor.c
+	asn1/x_attrib.c
+	asn1/x_bignum.c
+	asn1/x_crl.c
+	asn1/x_exten.c
+	asn1/x_info.c
+	asn1/x_long.c
+	asn1/x_name.c
+	asn1/x_nx509.c
+	asn1/x_pkey.c
+	asn1/x_pubkey.c
+	asn1/x_req.c
+	asn1/x_sig.c
+	asn1/x_spki.c
+	asn1/x_val.c
+	asn1/x_x509.c
+	asn1/x_x509a.c
+	bf/bf_cfb64.c
+	bf/bf_ecb.c
+	bf/bf_enc.c
+	bf/bf_ofb64.c
+	bf/bf_skey.c
+	bio/b_dump.c
+	bio/b_print.c
+	bio/b_sock.c
+	bio/bf_buff.c
+	bio/bf_nbio.c
+	bio/bf_null.c
+	bio/bio_cb.c
+	bio/bio_err.c
+	bio/bio_lib.c
+	bio/bss_acpt.c
+	bio/bss_bio.c
+	bio/bss_conn.c
+	bio/bss_dgram.c
+	bio/bss_fd.c
+	bio/bss_file.c
+	bio/bss_mem.c
+	bio/bss_null.c
+	bio/bss_sock.c
+	bn/bn_add.c
+	bn/bn_asm.c
+	bn/bn_blind.c
+	bn/bn_const.c
+	bn/bn_ctx.c
+	bn/bn_depr.c
+	bn/bn_div.c
+	bn/bn_err.c
+	bn/bn_exp.c
+	bn/bn_exp2.c
+	bn/bn_gcd.c
+	bn/bn_gf2m.c
+	bn/bn_kron.c
+	bn/bn_lib.c
+	bn/bn_mod.c
+	bn/bn_mont.c
+	bn/bn_mpi.c
+	bn/bn_mul.c
+	bn/bn_nist.c
+	bn/bn_prime.c
+	bn/bn_print.c
+	bn/bn_rand.c
+	bn/bn_recp.c
+	bn/bn_shift.c
+	bn/bn_sqr.c
+	bn/bn_sqrt.c
+	bn/bn_word.c
+	bn/bn_x931p.c
+	buffer/buf_err.c
+	buffer/buf_str.c
+	buffer/buffer.c
+	camellia/cmll_cfb.c
+	camellia/cmll_ctr.c
+	camellia/cmll_ecb.c
+	camellia/cmll_misc.c
+	camellia/cmll_ofb.c
+	cast/c_cfb64.c
+	cast/c_ecb.c
+	cast/c_enc.c
+	cast/c_ofb64.c
+	cast/c_skey.c
+	chacha/chacha.c
+	cmac/cm_ameth.c
+	cmac/cm_pmeth.c
+	cmac/cmac.c
+	comp/c_rle.c
+	comp/c_zlib.c
+	comp/comp_err.c
+	comp/comp_lib.c
+	conf/conf_api.c
+	conf/conf_def.c
+	conf/conf_err.c
+	conf/conf_lib.c
+	conf/conf_mall.c
+	conf/conf_mod.c
+	conf/conf_sap.c
+	des/cbc_cksm.c
+	des/cbc_enc.c
+	des/cfb64ede.c
+	des/cfb64enc.c
+	des/cfb_enc.c
+	des/des_enc.c
+	des/ecb3_enc.c
+	des/ecb_enc.c
+	des/ede_cbcm_enc.c
+	des/enc_read.c
+	des/enc_writ.c
+	des/fcrypt.c
+	des/fcrypt_b.c
+	des/ofb64ede.c
+	des/ofb64enc.c
+	des/ofb_enc.c
+	des/pcbc_enc.c
+	des/qud_cksm.c
+	des/rand_key.c
+	des/set_key.c
+	des/str2key.c
+	des/xcbc_enc.c
+	dh/dh_ameth.c
+	dh/dh_asn1.c
+	dh/dh_check.c
+	dh/dh_depr.c
+	dh/dh_err.c
+	dh/dh_gen.c
+	dh/dh_key.c
+	dh/dh_lib.c
+	dh/dh_pmeth.c
+	dh/dh_prn.c
+	dsa/dsa_ameth.c
+	dsa/dsa_asn1.c
+	dsa/dsa_depr.c
+	dsa/dsa_err.c
+	dsa/dsa_gen.c
+	dsa/dsa_key.c
+	dsa/dsa_lib.c
+	dsa/dsa_ossl.c
+	dsa/dsa_pmeth.c
+	dsa/dsa_prn.c
+	dsa/dsa_sign.c
+	dsa/dsa_vrf.c
+	dso/dso_dlfcn.c
+	dso/dso_err.c
+	dso/dso_lib.c
+	dso/dso_null.c
+	dso/dso_openssl.c
+	ec/ec2_mult.c
+	ec/ec2_oct.c
+	ec/ec2_smpl.c
+	ec/ec_ameth.c
+	ec/ec_asn1.c
+	ec/ec_check.c
+	ec/ec_curve.c
+	ec/ec_cvt.c
+	ec/ec_err.c
+	ec/ec_key.c
+	ec/ec_lib.c
+	ec/ec_mult.c
+	ec/ec_oct.c
+	ec/ec_pmeth.c
+	ec/ec_print.c
+	ec/eck_prn.c
+	ec/ecp_mont.c
+	ec/ecp_nist.c
+	ec/ecp_oct.c
+	ec/ecp_smpl.c
+	ecdh/ech_err.c
+	ecdh/ech_key.c
+	ecdh/ech_lib.c
+	ecdsa/ecs_asn1.c
+	ecdsa/ecs_err.c
+	ecdsa/ecs_lib.c
+	ecdsa/ecs_ossl.c
+	ecdsa/ecs_sign.c
+	ecdsa/ecs_vrf.c
+	engine/eng_all.c
+	engine/eng_cnf.c
+	engine/eng_ctrl.c
+	engine/eng_dyn.c
+	engine/eng_err.c
+	engine/eng_fat.c
+	engine/eng_init.c
+	engine/eng_lib.c
+	engine/eng_list.c
+	engine/eng_openssl.c
+	engine/eng_pkey.c
+	engine/eng_table.c
+	engine/tb_asnmth.c
+	engine/tb_cipher.c
+	engine/tb_dh.c
+	engine/tb_digest.c
+	engine/tb_dsa.c
+	engine/tb_ecdh.c
+	engine/tb_ecdsa.c
+	engine/tb_pkmeth.c
+	engine/tb_rand.c
+	engine/tb_rsa.c
+	engine/tb_store.c
+	err/err.c
+	err/err_all.c
+	err/err_prn.c
+	evp/bio_b64.c
+	evp/bio_enc.c
+	evp/bio_md.c
+	evp/c_all.c
+	evp/digest.c
+	evp/e_aes.c
+	evp/e_aes_cbc_hmac_sha1.c
+	evp/e_bf.c
+	evp/e_camellia.c
+	evp/e_cast.c
+	evp/e_chacha.c
+	evp/e_chacha20poly1305.c
+	evp/e_des.c
+	evp/e_des3.c
+	evp/e_gost2814789.c
+	evp/e_idea.c
+	evp/e_null.c
+	evp/e_old.c
+	evp/e_rc2.c
+	evp/e_rc4.c
+	evp/e_rc4_hmac_md5.c
+	evp/e_xcbc_d.c
+	evp/encode.c
+	evp/evp_aead.c
+	evp/evp_enc.c
+	evp/evp_err.c
+	evp/evp_key.c
+	evp/evp_lib.c
+	evp/evp_pbe.c
+	evp/evp_pkey.c
+	evp/m_dss.c
+	evp/m_dss1.c
+	evp/m_ecdsa.c
+	evp/m_gost2814789.c
+	evp/m_gostr341194.c
+	evp/m_md4.c
+	evp/m_md5.c
+	evp/m_null.c
+	evp/m_ripemd.c
+	evp/m_sha1.c
+	evp/m_sigver.c
+	evp/m_streebog.c
+	evp/m_wp.c
+	evp/names.c
+	evp/p5_crpt.c
+	evp/p5_crpt2.c
+	evp/p_dec.c
+	evp/p_enc.c
+	evp/p_lib.c
+	evp/p_open.c
+	evp/p_seal.c
+	evp/p_sign.c
+	evp/p_verify.c
+	evp/pmeth_fn.c
+	evp/pmeth_gn.c
+	evp/pmeth_lib.c
+	gost/gost2814789.c
+	gost/gost89_keywrap.c
+	gost/gost89_params.c
+	gost/gost89imit_ameth.c
+	gost/gost89imit_pmeth.c
+	gost/gost_asn1.c
+	gost/gost_err.c
+	gost/gostr341001.c
+	gost/gostr341001_ameth.c
+	gost/gostr341001_key.c
+	gost/gostr341001_params.c
+	gost/gostr341001_pmeth.c
+	gost/gostr341194.c
+	gost/streebog.c
+	hmac/hm_ameth.c
+	hmac/hm_pmeth.c
+	hmac/hmac.c
+	idea/i_cbc.c
+	idea/i_cfb64.c
+	idea/i_ecb.c
+	idea/i_ofb64.c
+	idea/i_skey.c
+	krb5/krb5_asn.c
+	lhash/lh_stats.c
+	lhash/lhash.c
+	md4/md4_dgst.c
+	md4/md4_one.c
+	md5/md5_dgst.c
+	md5/md5_one.c
+	modes/cbc128.c
+	modes/ccm128.c
+	modes/cfb128.c
+	modes/ctr128.c
+	modes/cts128.c
+	modes/gcm128.c
+	modes/ofb128.c
+	modes/xts128.c
+	objects/o_names.c
+	objects/obj_dat.c
+	objects/obj_err.c
+	objects/obj_lib.c
+	objects/obj_xref.c
+	ocsp/ocsp_asn.c
+	ocsp/ocsp_cl.c
+	ocsp/ocsp_err.c
+	ocsp/ocsp_ext.c
+	ocsp/ocsp_ht.c
+	ocsp/ocsp_lib.c
+	ocsp/ocsp_prn.c
+	ocsp/ocsp_srv.c
+	ocsp/ocsp_vfy.c
+	pem/pem_all.c
+	pem/pem_err.c
+	pem/pem_info.c
+	pem/pem_lib.c
+	pem/pem_oth.c
+	pem/pem_pk8.c
+	pem/pem_pkey.c
+	pem/pem_seal.c
+	pem/pem_sign.c
+	pem/pem_x509.c
+	pem/pem_xaux.c
+	pem/pvkfmt.c
+	pkcs12/p12_add.c
+	pkcs12/p12_asn.c
+	pkcs12/p12_attr.c
+	pkcs12/p12_crpt.c
+	pkcs12/p12_crt.c
+	pkcs12/p12_decr.c
+	pkcs12/p12_init.c
+	pkcs12/p12_key.c
+	pkcs12/p12_kiss.c
+	pkcs12/p12_mutl.c
+	pkcs12/p12_npas.c
+	pkcs12/p12_p8d.c
+	pkcs12/p12_p8e.c
+	pkcs12/p12_utl.c
+	pkcs12/pk12err.c
+	pkcs7/bio_pk7.c
+	pkcs7/pk7_asn1.c
+	pkcs7/pk7_attr.c
+	pkcs7/pk7_doit.c
+	pkcs7/pk7_lib.c
+	pkcs7/pk7_mime.c
+	pkcs7/pk7_smime.c
+	pkcs7/pkcs7err.c
+	poly1305/poly1305.c
+	rand/rand_err.c
+	rand/rand_lib.c
+	rand/randfile.c
+	rc2/rc2_cbc.c
+	rc2/rc2_ecb.c
+	rc2/rc2_skey.c
+	rc2/rc2cfb64.c
+	rc2/rc2ofb64.c
+	ripemd/rmd_dgst.c
+	ripemd/rmd_one.c
+	rsa/rsa_ameth.c
+	rsa/rsa_asn1.c
+	rsa/rsa_chk.c
+	rsa/rsa_crpt.c
+	rsa/rsa_depr.c
+	rsa/rsa_eay.c
+	rsa/rsa_err.c
+	rsa/rsa_gen.c
+	rsa/rsa_lib.c
+	rsa/rsa_none.c
+	rsa/rsa_oaep.c
+	rsa/rsa_pk1.c
+	rsa/rsa_pmeth.c
+	rsa/rsa_prn.c
+	rsa/rsa_pss.c
+	rsa/rsa_saos.c
+	rsa/rsa_sign.c
+	rsa/rsa_ssl.c
+	rsa/rsa_x931.c
+	sha/sha1_one.c
+	sha/sha1dgst.c
+	sha/sha256.c
+	sha/sha512.c
+	stack/stack.c
+	ts/ts_asn1.c
+	ts/ts_conf.c
+	ts/ts_err.c
+	ts/ts_lib.c
+	ts/ts_req_print.c
+	ts/ts_req_utils.c
+	ts/ts_rsp_print.c
+	ts/ts_rsp_sign.c
+	ts/ts_rsp_utils.c
+	ts/ts_rsp_verify.c
+	ts/ts_verify_ctx.c
+	txt_db/txt_db.c
+	ui/ui_err.c
+	ui/ui_lib.c
+	ui/ui_util.c
+	whrlpool/wp_dgst.c
+	x509/by_dir.c
+	x509/by_file.c
+	x509/by_mem.c
+	x509/x509_att.c
+	x509/x509_cmp.c
+	x509/x509_d2.c
+	x509/x509_def.c
+	x509/x509_err.c
+	x509/x509_ext.c
+	x509/x509_lu.c
+	x509/x509_obj.c
+	x509/x509_r2x.c
+	x509/x509_req.c
+	x509/x509_set.c
+	x509/x509_trs.c
+	x509/x509_txt.c
+	x509/x509_v3.c
+	x509/x509_vfy.c
+	x509/x509_vpm.c
+	x509/x509cset.c
+	x509/x509name.c
+	x509/x509rset.c
+	x509/x509spki.c
+	x509/x509type.c
+	x509/x_all.c
+	x509v3/pcy_cache.c
+	x509v3/pcy_data.c
+	x509v3/pcy_lib.c
+	x509v3/pcy_map.c
+	x509v3/pcy_node.c
+	x509v3/pcy_tree.c
+	x509v3/v3_akey.c
+	x509v3/v3_akeya.c
+	x509v3/v3_alt.c
+	x509v3/v3_bcons.c
+	x509v3/v3_bitst.c
+	x509v3/v3_conf.c
+	x509v3/v3_cpols.c
+	x509v3/v3_crld.c
+	x509v3/v3_enum.c
+	x509v3/v3_extku.c
+	x509v3/v3_genn.c
+	x509v3/v3_ia5.c
+	x509v3/v3_info.c
+	x509v3/v3_int.c
+	x509v3/v3_lib.c
+	x509v3/v3_ncons.c
+	x509v3/v3_ocsp.c
+	x509v3/v3_pci.c
+	x509v3/v3_pcia.c
+	x509v3/v3_pcons.c
+	x509v3/v3_pku.c
+	x509v3/v3_pmaps.c
+	x509v3/v3_prn.c
+	x509v3/v3_purp.c
+	x509v3/v3_skey.c
+	x509v3/v3_sxnet.c
+	x509v3/v3_utl.c
+	x509v3/v3err.c
+)
+
+if(CMAKE_HOST_UNIX)
+	set(CRYPTO_SRC ${CRYPTO_SRC} bio/b_posix.c)
+	set(CRYPTO_SRC ${CRYPTO_SRC} bio/bss_log.c)
+	set(CRYPTO_SRC ${CRYPTO_SRC} ui/ui_openssl.c)
+endif()
+
+if(CMAKE_HOST_WIN32)
+	set(CRYPTO_SRC ${CRYPTO_SRC} bio/b_win.c)
+	set(CRYPTO_SRC ${CRYPTO_SRC} ui/ui_openssl_win.c)
+endif()
+
+if(CMAKE_HOST_WIN32)
+	set(CRYPTO_SRC ${CRYPTO_SRC} compat/posix_win.c)
+endif()
+
+if(NOT HAVE_ASPRINTF)
+	set(CRYPTO_SRC ${CRYPTO_SRC} compat/bsd-asprintf.c)
+endif()
+
+if(NOT HAVE_INET_PTON)
+	set(CRYPTO_SRC ${CRYPTO_SRC} compat/inet_pton.c)
+endif()
+
+if(NOT HAVE_REALLOCARRAY)
+	set(CRYPTO_SRC ${CRYPTO_SRC} compat/reallocarray.c)
+endif()
+
+if(NOT HAVE_STRCASECMP)
+	set(CRYPTO_SRC ${CRYPTO_SRC} compat/strcasecmp.c)
+endif()
+
+if(NOT HAVE_STRLCAT)
+	set(CRYPTO_SRC ${CRYPTO_SRC} compat/strlcat.c)
+endif()
+
+if(NOT HAVE_STRLCPY)
+	set(CRYPTO_SRC ${CRYPTO_SRC} compat/strlcpy.c)
+endif()
+
+if(NOT HAVE_STRNDUP)
+	set(CRYPTO_SRC ${CRYPTO_SRC} compat/strndup.c)
+	if(NOT HAVE_STRNLEN)
+		set(CRYPTO_SRC ${CRYPTO_SRC} compat/strnlen.c)
+	endif()
+endif()
+
+if(NOT HAVE_TIMEGM)
+	set(CRYPTO_SRC ${CRYPTO_SRC} compat/timegm.c)
+endif()
+
+if(NOT HAVE_EXPLICIT_BZERO)
+	if(CMAKE_HOST_WIN32)
+		set(CRYPTO_SRC ${CRYPTO_SRC} compat/explicit_bzero_win.c)
+	else()
+		set(CRYPTO_SRC ${CRYPTO_SRC} compat/explicit_bzero.c)
+		set_source_files_properties(compat/explicit_bzero.c PROPERTIES COMPILE_FLAGS -O0)
+	endif()
+endif()
+
+if(NOT HAVE_ARC4RANDOM_BUF)
+	set(CRYPTO_SRC ${CRYPTO_SRC} compat/arc4random.c)
+
+	if(NOT HAVE_GETENTROPY)
+		if(CMAKE_HOST_WIN32)
+			set(CRYPTO_SRC ${CRYPTO_SRC} compat/getentropy_win.c)
+		elseif(CMAKE_SYSTEM_NAME MATCHES "AIX")
+			set(CRYPTO_SRC ${CRYPTO_SRC} compat/getentropy_aix.c)
+		elseif(CMAKE_SYSTEM_NAME MATCHES "FreeBSD")
+			set(CRYPTO_SRC ${CRYPTO_SRC} compat/getentropy_freebsd.c)
+		elseif(CMAKE_SYSTEM_NAME MATCHES "HP-UX")
+			set(CRYPTO_SRC ${CRYPTO_SRC} compat/getentropy_hpux.c)
+		elseif(CMAKE_SYSTEM_NAME MATCHES "Linux")
+			set(CRYPTO_SRC ${CRYPTO_SRC} compat/getentropy_linux.c)
+		elseif(CMAKE_SYSTEM_NAME MATCHES "NetBSD")
+			set(CRYPTO_SRC ${CRYPTO_SRC} compat/getentropy_netbsd.c)
+		elseif(CMAKE_SYSTEM_NAME MATCHES "Darwin")
+			set(CRYPTO_SRC ${CRYPTO_SRC} compat/getentropy_darwin.c)
+		elseif(CMAKE_SYSTEM_NAME MATCHES "SunOS")
+			set(CRYPTO_SRC ${CRYPTO_SRC} compat/getentropy_solaris.c)
+		endif()
+	endif()
+endif()
+
+if(NOT HAVE_ARC4RANDOM_UNIFORM)
+	set(CRYPTO_SRC ${CRYPTO_SRC} compat/arc4random_uniform.c)
+endif()
+
+if(NOT HAVE_TIMINGSAFE_BCMP)
+	set(CRYPTO_SRC ${CRYPTO_SRC} compat/timingsafe_bcmp.c)
+endif()
+
+if(NOT HAVE_TIMINGSAFE_MEMCMP)
+	set(CRYPTO_SRC ${CRYPTO_SRC} compat/timingsafe_memcmp.c)
+endif()
+
+if(NOT ENABLE_ASM)
+	add_definitions(-DOPENSSL_NO_ASM)
+else()
+	if(CMAKE_HOST_WIN32)
+		add_definitions(-DOPENSSL_NO_ASM)
+	endif()
+endif()
+
+if(NOT "${OPENSSLDIR}" STREQUAL "")
+	add_definitions(-DOPENSSLDIR=\"${OPENSSLDIR}\")
+else()
+	add_definitions(-DOPENSSLDIR=\"${CMAKE_INSTALL_PREFIX}/etc/ssl\")
+endif()
+
+if (BUILD_SHARED)
+	add_library(crypto-objects OBJECT ${CRYPTO_SRC})
+	add_library(crypto STATIC $<TARGET_OBJECTS:crypto-objects>)
+	add_library(crypto-shared SHARED $<TARGET_OBJECTS:crypto-objects>)
+	if (MSVC)
+		target_link_libraries(crypto-shared crypto Ws2_32.lib)
+	endif()
+	set_target_properties(crypto-shared PROPERTIES OUTPUT_NAME crypto)
+	set_target_properties(crypto-shared PROPERTIES VERSION
+		${CRYPTO_VERSION} SOVERSION ${CRYPTO_MAJOR_VERSION})
+	install(TARGETS crypto crypto-shared DESTINATION lib)
+else()
+	add_library(crypto STATIC ${CRYPTO_SRC})
+	install(TARGETS crypto DESTINATION lib)
+endif()
+

crypto/Makefile.am

@@ -3,35 +3,55 @@ include $(top_srcdir)/Makefile.am.common
 AM_CPPFLAGS += -I$(top_srcdir)/crypto/asn1
 AM_CPPFLAGS += -I$(top_srcdir)/crypto/evp
 AM_CPPFLAGS += -I$(top_srcdir)/crypto/modes
+AM_CPPFLAGS += -I$(top_srcdir)/crypto
 
 lib_LTLIBRARIES = libcrypto.la
 
 EXTRA_DIST = VERSION
+EXTRA_DIST += CMakeLists.txt
+
+# needed for a CMake target
+EXTRA_DIST += compat/strcasecmp.c
 
 libcrypto_la_LDFLAGS = -version-info @LIBCRYPTO_VERSION@ -no-undefined
-libcrypto_la_LIBADD = libcompat.la libcompatnoopt.la
-libcrypto_la_CFLAGS = $(CFLAGS) $(USER_CFLAGS)
-libcrypto_la_CFLAGS += -DOPENSSL_NO_HW_PADLOCK
+libcrypto_la_LIBADD = libcompat.la
+if !HAVE_EXPLICIT_BZERO
+libcrypto_la_LIBADD += libcompatnoopt.la
+endif
+libcrypto_la_CPPFLAGS = $(AM_CPPFLAGS)
+libcrypto_la_CPPFLAGS += -DLIBRESSL_INTERNAL
+libcrypto_la_CPPFLAGS += -DOPENSSL_NO_HW_PADLOCK
 if OPENSSL_NO_ASM
-libcrypto_la_CFLAGS += -DOPENSSL_NO_ASM
+libcrypto_la_CPPFLAGS += -DOPENSSL_NO_ASM
 else
 if HOST_WIN
-libcrypto_la_CFLAGS += -DOPENSSL_NO_ASM
+libcrypto_la_CPPFLAGS += -DOPENSSL_NO_ASM
 endif
 endif
 
-noinst_LTLIBRARIES = libcompat.la libcompatnoopt.la
+if OPENSSLDIR_DEFINED
+libcrypto_la_CPPFLAGS += -DOPENSSLDIR=\"@OPENSSLDIR@\"
+else
+libcrypto_la_CPPFLAGS += -DOPENSSLDIR=\"$(sysconfdir)/ssl\"
+endif
+
+noinst_LTLIBRARIES = libcompat.la
 
 # compatibility functions that need to be built without optimizations
+if !HAVE_EXPLICIT_BZERO
+noinst_LTLIBRARIES += libcompatnoopt.la
+
 libcompatnoopt_la_CFLAGS = -O0
 libcompatnoopt_la_SOURCES =
 
-if !HAVE_EXPLICIT_BZERO
+if HOST_WIN
+libcompatnoopt_la_SOURCES += compat/explicit_bzero_win.c
+else
 libcompatnoopt_la_SOURCES += compat/explicit_bzero.c
 endif
+endif
 
 # other compatibility functions
-libcompat_la_CFLAGS = $(CFLAGS) $(USER_CFLAGS)
 libcompat_la_SOURCES =
 libcompat_la_LIBADD = $(PLATFORM_LDADD)
 
@@ -55,6 +75,14 @@ if !HAVE_ASPRINTF
 libcompat_la_SOURCES += compat/bsd-asprintf.c
 endif
 
+if !HAVE_INET_PTON
+libcompat_la_SOURCES += compat/inet_pton.c
+endif
+
+if !HAVE_TIMEGM
+libcompat_la_SOURCES += compat/timegm.c
+endif
+
 if !HAVE_REALLOCARRAY
 libcompat_la_SOURCES += compat/reallocarray.c
 endif
@@ -67,60 +95,11 @@ if !HAVE_TIMINGSAFE_BCMP
 libcompat_la_SOURCES += compat/timingsafe_bcmp.c
 endif
 
-if !HAVE_ARC4RANDOM_BUF
-libcompat_la_SOURCES += compat/arc4random.c
-
-if !HAVE_GETENTROPY
-if HOST_FREEBSD
-libcompat_la_SOURCES += compat/getentropy_freebsd.c
-endif
-if HOST_HPUX
-libcompat_la_SOURCES += compat/getentropy_hpux.c
-endif
-if HOST_LINUX
-libcompat_la_SOURCES += compat/getentropy_linux.c
-endif
-if HOST_NETBSD
-libcompat_la_SOURCES += compat/getentropy_netbsd.c
-endif
-if HOST_DARWIN
-libcompat_la_SOURCES += compat/getentropy_osx.c
-endif
-if HOST_SOLARIS
-libcompat_la_SOURCES += compat/getentropy_solaris.c
-endif
 if HOST_WIN
-libcompat_la_SOURCES += compat/getentropy_win.c
-endif
+libcompat_la_SOURCES += compat/posix_win.c
 endif
 
-endif
-
-if !HAVE_ISSETUGID
-if HOST_LINUX
-libcompat_la_SOURCES += compat/issetugid_linux.c
-endif
-if HOST_HPUX
-libcompat_la_SOURCES += compat/issetugid_hpux.c
-endif
-if HOST_DARWIN
-libcompat_la_SOURCES += compat/issetugid_osx.c
-endif
-if HOST_WIN
-libcompat_la_SOURCES += compat/issetugid_win.c
-endif
-endif
-
-noinst_HEADERS =
-noinst_HEADERS += compat/arc4random.h
-noinst_HEADERS += compat/arc4random_freebsd.h
-noinst_HEADERS += compat/arc4random_hpux.h
-noinst_HEADERS += compat/arc4random_linux.h
-noinst_HEADERS += compat/arc4random_netbsd.h
-noinst_HEADERS += compat/arc4random_osx.h
-noinst_HEADERS += compat/arc4random_solaris.h
-noinst_HEADERS += compat/arc4random_win.h
-noinst_HEADERS += compat/chacha_private.h
+include Makefile.am.arc4random
 
 libcrypto_la_SOURCES =
 EXTRA_libcrypto_la_SOURCES =
@@ -150,6 +129,7 @@ libcrypto_la_SOURCES += mem_dbg.c
 libcrypto_la_SOURCES += o_init.c
 libcrypto_la_SOURCES += o_str.c
 libcrypto_la_SOURCES += o_time.c
+noinst_HEADERS += constant_time_locl.h
 noinst_HEADERS += cryptlib.h
 noinst_HEADERS += md32_common.h
 noinst_HEADERS += o_time.h
@@ -172,7 +152,6 @@ libcrypto_la_SOURCES += asn1/a_d2i_fp.c
 libcrypto_la_SOURCES += asn1/a_digest.c
 libcrypto_la_SOURCES += asn1/a_dup.c
 libcrypto_la_SOURCES += asn1/a_enum.c
-libcrypto_la_SOURCES += asn1/a_gentm.c
 libcrypto_la_SOURCES += asn1/a_i2d_fp.c
 libcrypto_la_SOURCES += asn1/a_int.c
 libcrypto_la_SOURCES += asn1/a_mbstr.c
@@ -184,8 +163,8 @@ libcrypto_la_SOURCES += asn1/a_sign.c
 libcrypto_la_SOURCES += asn1/a_strex.c
 libcrypto_la_SOURCES += asn1/a_strnid.c
 libcrypto_la_SOURCES += asn1/a_time.c
+libcrypto_la_SOURCES += asn1/a_time_tm.c
 libcrypto_la_SOURCES += asn1/a_type.c
-libcrypto_la_SOURCES += asn1/a_utctm.c
 libcrypto_la_SOURCES += asn1/a_utf8.c
 libcrypto_la_SOURCES += asn1/a_verify.c
 libcrypto_la_SOURCES += asn1/ameth_lib.c
@@ -276,7 +255,9 @@ libcrypto_la_SOURCES += bio/bss_conn.c
 libcrypto_la_SOURCES += bio/bss_dgram.c
 libcrypto_la_SOURCES += bio/bss_fd.c
 libcrypto_la_SOURCES += bio/bss_file.c
+if !HOST_WIN
 libcrypto_la_SOURCES += bio/bss_log.c
+endif
 libcrypto_la_SOURCES += bio/bss_mem.c
 libcrypto_la_SOURCES += bio/bss_null.c
 libcrypto_la_SOURCES += bio/bss_sock.c
@@ -449,7 +430,6 @@ noinst_HEADERS += ec/ec_lcl.h
 libcrypto_la_SOURCES += ecdh/ech_err.c
 libcrypto_la_SOURCES += ecdh/ech_key.c
 libcrypto_la_SOURCES += ecdh/ech_lib.c
-libcrypto_la_SOURCES += ecdh/ech_ossl.c
 noinst_HEADERS += ecdh/ech_locl.h
 
 # ecdsa
@@ -473,7 +453,6 @@ libcrypto_la_SOURCES += engine/eng_lib.c
 libcrypto_la_SOURCES += engine/eng_list.c
 libcrypto_la_SOURCES += engine/eng_openssl.c
 libcrypto_la_SOURCES += engine/eng_pkey.c
-libcrypto_la_SOURCES += engine/eng_rsax.c
 libcrypto_la_SOURCES += engine/eng_table.c
 libcrypto_la_SOURCES += engine/tb_asnmth.c
 libcrypto_la_SOURCES += engine/tb_cipher.c
@@ -531,10 +510,8 @@ libcrypto_la_SOURCES += evp/m_gost2814789.c
 libcrypto_la_SOURCES += evp/m_gostr341194.c
 libcrypto_la_SOURCES += evp/m_md4.c
 libcrypto_la_SOURCES += evp/m_md5.c
-libcrypto_la_SOURCES += evp/m_mdc2.c
 libcrypto_la_SOURCES += evp/m_null.c
 libcrypto_la_SOURCES += evp/m_ripemd.c
-libcrypto_la_SOURCES += evp/m_sha.c
 libcrypto_la_SOURCES += evp/m_sha1.c
 libcrypto_la_SOURCES += evp/m_sigver.c
 libcrypto_la_SOURCES += evp/m_streebog.c
@@ -603,10 +580,6 @@ libcrypto_la_SOURCES += md5/md5_dgst.c
 libcrypto_la_SOURCES += md5/md5_one.c
 noinst_HEADERS += md5/md5_locl.h
 
-# mdc2
-libcrypto_la_SOURCES += mdc2/mdc2_one.c
-libcrypto_la_SOURCES += mdc2/mdc2dgst.c
-
 # modes
 libcrypto_la_SOURCES += modes/cbc128.c
 libcrypto_la_SOURCES += modes/ccm128.c
@@ -732,8 +705,6 @@ libcrypto_la_SOURCES += sha/sha1_one.c
 libcrypto_la_SOURCES += sha/sha1dgst.c
 libcrypto_la_SOURCES += sha/sha256.c
 libcrypto_la_SOURCES += sha/sha512.c
-libcrypto_la_SOURCES += sha/sha_dgst.c
-libcrypto_la_SOURCES += sha/sha_one.c
 noinst_HEADERS += sha/sha_locl.h
 
 # stack

crypto/Makefile.am.arc4random

@@ -0,0 +1,46 @@
+if !HAVE_ARC4RANDOM_BUF
+libcompat_la_SOURCES += compat/arc4random.c
+libcompat_la_SOURCES += compat/arc4random_uniform.c
+
+if !HAVE_GETENTROPY
+if HOST_AIX
+libcompat_la_SOURCES += compat/getentropy_aix.c
+endif
+if HOST_FREEBSD
+libcompat_la_SOURCES += compat/getentropy_freebsd.c
+endif
+if HOST_HPUX
+libcompat_la_SOURCES += compat/getentropy_hpux.c
+endif
+if HOST_LINUX
+libcompat_la_SOURCES += compat/getentropy_linux.c
+endif
+if HOST_NETBSD
+libcompat_la_SOURCES += compat/getentropy_netbsd.c
+endif
+if HOST_DARWIN
+libcompat_la_SOURCES += compat/getentropy_osx.c
+endif
+if HOST_SOLARIS
+libcompat_la_SOURCES += compat/getentropy_solaris.c
+endif
+if HOST_WIN
+libcompat_la_SOURCES += compat/getentropy_win.c
+endif
+endif
+
+endif
+
+noinst_HEADERS =
+noinst_HEADERS += compat/arc4random.h
+noinst_HEADERS += compat/arc4random_aix.h
+noinst_HEADERS += compat/arc4random_freebsd.h
+noinst_HEADERS += compat/arc4random_hpux.h
+noinst_HEADERS += compat/arc4random_linux.h
+noinst_HEADERS += compat/arc4random_netbsd.h
+noinst_HEADERS += compat/arc4random_osx.h
+noinst_HEADERS += compat/arc4random_solaris.h
+noinst_HEADERS += compat/arc4random_win.h
+noinst_HEADERS += compat/chacha_private.h
+
+

crypto/Makefile.am.elf-x86_64

@@ -22,20 +22,20 @@ ASM_X86_64_ELF += cpuid-elf-x86_64.S
 EXTRA_DIST += $(ASM_X86_64_ELF)
 
 if HOST_ASM_ELF_X86_64
-libcrypto_la_CFLAGS += -DAES_ASM
-libcrypto_la_CFLAGS += -DBSAES_ASM
-libcrypto_la_CFLAGS += -DVPAES_ASM
-libcrypto_la_CFLAGS += -DOPENSSL_IA32_SSE2
-libcrypto_la_CFLAGS += -DOPENSSL_BN_ASM_MONT
-libcrypto_la_CFLAGS += -DOPENSSL_BN_ASM_MONT5
-libcrypto_la_CFLAGS += -DOPENSSL_BN_ASM_GF2m
-libcrypto_la_CFLAGS += -DMD5_ASM
-libcrypto_la_CFLAGS += -DGHASH_ASM
-libcrypto_la_CFLAGS += -DRSA_ASM
-libcrypto_la_CFLAGS += -DSHA1_ASM
-libcrypto_la_CFLAGS += -DSHA256_ASM
-libcrypto_la_CFLAGS += -DSHA512_ASM
-libcrypto_la_CFLAGS += -DWHIRLPOOL_ASM
-libcrypto_la_CFLAGS += -DOPENSSL_CPUID_OBJ
+libcrypto_la_CPPFLAGS += -DAES_ASM
+libcrypto_la_CPPFLAGS += -DBSAES_ASM
+libcrypto_la_CPPFLAGS += -DVPAES_ASM
+libcrypto_la_CPPFLAGS += -DOPENSSL_IA32_SSE2
+libcrypto_la_CPPFLAGS += -DOPENSSL_BN_ASM_MONT
+libcrypto_la_CPPFLAGS += -DOPENSSL_BN_ASM_MONT5
+libcrypto_la_CPPFLAGS += -DOPENSSL_BN_ASM_GF2m
+libcrypto_la_CPPFLAGS += -DMD5_ASM
+libcrypto_la_CPPFLAGS += -DGHASH_ASM
+libcrypto_la_CPPFLAGS += -DRSA_ASM
+libcrypto_la_CPPFLAGS += -DSHA1_ASM
+libcrypto_la_CPPFLAGS += -DSHA256_ASM
+libcrypto_la_CPPFLAGS += -DSHA512_ASM
+libcrypto_la_CPPFLAGS += -DWHIRLPOOL_ASM
+libcrypto_la_CPPFLAGS += -DOPENSSL_CPUID_OBJ
 libcrypto_la_SOURCES += $(ASM_X86_64_ELF)
 endif

crypto/Makefile.am.macosx-x86_64

@@ -22,20 +22,20 @@ ASM_X86_64_MACOSX += cpuid-macosx-x86_64.S
 EXTRA_DIST += $(ASM_X86_64_MACOSX)
 
 if HOST_ASM_MACOSX_X86_64
-libcrypto_la_CFLAGS += -DAES_ASM
-libcrypto_la_CFLAGS += -DBSAES_ASM
-libcrypto_la_CFLAGS += -DVPAES_ASM
-libcrypto_la_CFLAGS += -DOPENSSL_IA32_SSE2
-libcrypto_la_CFLAGS += -DOPENSSL_BN_ASM_MONT
-libcrypto_la_CFLAGS += -DOPENSSL_BN_ASM_MONT5
-libcrypto_la_CFLAGS += -DOPENSSL_BN_ASM_GF2m
-libcrypto_la_CFLAGS += -DMD5_ASM
-libcrypto_la_CFLAGS += -DGHASH_ASM
-libcrypto_la_CFLAGS += -DRSA_ASM
-libcrypto_la_CFLAGS += -DSHA1_ASM
-libcrypto_la_CFLAGS += -DSHA256_ASM
-libcrypto_la_CFLAGS += -DSHA512_ASM
-libcrypto_la_CFLAGS += -DWHIRLPOOL_ASM
-libcrypto_la_CFLAGS += -DOPENSSL_CPUID_OBJ
+libcrypto_la_CPPFLAGS += -DAES_ASM
+libcrypto_la_CPPFLAGS += -DBSAES_ASM
+libcrypto_la_CPPFLAGS += -DVPAES_ASM
+libcrypto_la_CPPFLAGS += -DOPENSSL_IA32_SSE2
+libcrypto_la_CPPFLAGS += -DOPENSSL_BN_ASM_MONT
+libcrypto_la_CPPFLAGS += -DOPENSSL_BN_ASM_MONT5
+libcrypto_la_CPPFLAGS += -DOPENSSL_BN_ASM_GF2m
+libcrypto_la_CPPFLAGS += -DMD5_ASM
+libcrypto_la_CPPFLAGS += -DGHASH_ASM
+libcrypto_la_CPPFLAGS += -DRSA_ASM
+libcrypto_la_CPPFLAGS += -DSHA1_ASM
+libcrypto_la_CPPFLAGS += -DSHA256_ASM
+libcrypto_la_CPPFLAGS += -DSHA512_ASM
+libcrypto_la_CPPFLAGS += -DWHIRLPOOL_ASM
+libcrypto_la_CPPFLAGS += -DOPENSSL_CPUID_OBJ
 libcrypto_la_SOURCES += $(ASM_X86_64_MACOSX)
 endif

crypto/compat/arc4random.h

@@ -3,7 +3,10 @@
 
 #include <sys/param.h>
 
-#if defined(__FreeBSD__)
+#if defined(_AIX)
+#include "arc4random_aix.h"
+
+#elif defined(__FreeBSD__)
 #include "arc4random_freebsd.h"
 
 #elif defined(__hpux)

crypto/compat/explicit_bzero_win.c

@@ -0,0 +1,13 @@
+/*
+ * Public domain.
+ * Win32 explicit_bzero compatibility shim.
+ */
+
+#include <windows.h>
+#include <string.h>
+
+void
+explicit_bzero(void *buf, size_t len)
+{
+	SecureZeroMemory(buf, len);
+}

crypto/compat/inet_pton.c

@@ -0,0 +1,212 @@
+/*	$OpenBSD: inet_pton.c,v 1.9 2015/01/16 16:48:51 deraadt Exp $	*/
+
+/* Copyright (c) 1996 by Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND INTERNET SOFTWARE CONSORTIUM DISCLAIMS
+ * ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES
+ * OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL INTERNET SOFTWARE
+ * CONSORTIUM BE LIABLE FOR ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL
+ * DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR
+ * PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS
+ * ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS
+ * SOFTWARE.
+ */
+
+#include <sys/types.h>
+#include <sys/socket.h>
+#include <netinet/in.h>
+#include <arpa/inet.h>
+#include <arpa/nameser.h>
+#include <string.h>
+#include <errno.h>
+
+/*
+ * WARNING: Don't even consider trying to compile this on a system where
+ * sizeof(int) < 4.  sizeof(int) > 4 is fine; all the world's not a VAX.
+ */
+
+static int	inet_pton4(const char *src, u_char *dst);
+static int	inet_pton6(const char *src, u_char *dst);
+
+/* int
+ * inet_pton(af, src, dst)
+ *	convert from presentation format (which usually means ASCII printable)
+ *	to network format (which is usually some kind of binary format).
+ * return:
+ *	1 if the address was valid for the specified address family
+ *	0 if the address wasn't valid (`dst' is untouched in this case)
+ *	-1 if some other error occurred (`dst' is untouched in this case, too)
+ * author:
+ *	Paul Vixie, 1996.
+ */
+int
+inet_pton(int af, const char *src, void *dst)
+{
+	switch (af) {
+	case AF_INET:
+		return (inet_pton4(src, dst));
+	case AF_INET6:
+		return (inet_pton6(src, dst));
+	default:
+		errno = EAFNOSUPPORT;
+		return (-1);
+	}
+	/* NOTREACHED */
+}
+
+/* int
+ * inet_pton4(src, dst)
+ *	like inet_aton() but without all the hexadecimal and shorthand.
+ * return:
+ *	1 if `src' is a valid dotted quad, else 0.
+ * notice:
+ *	does not touch `dst' unless it's returning 1.
+ * author:
+ *	Paul Vixie, 1996.
+ */
+static int
+inet_pton4(const char *src, u_char *dst)
+{
+	static const char digits[] = "0123456789";
+	int saw_digit, octets, ch;
+	u_char tmp[INADDRSZ], *tp;
+
+	saw_digit = 0;
+	octets = 0;
+	*(tp = tmp) = 0;
+	while ((ch = *src++) != '\0') {
+		const char *pch;
+
+		if ((pch = strchr(digits, ch)) != NULL) {
+			u_int new = *tp * 10 + (pch - digits);
+
+			if (new > 255)
+				return (0);
+			if (! saw_digit) {
+				if (++octets > 4)
+					return (0);
+				saw_digit = 1;
+			}
+			*tp = new;
+		} else if (ch == '.' && saw_digit) {
+			if (octets == 4)
+				return (0);
+			*++tp = 0;
+			saw_digit = 0;
+		} else
+			return (0);
+	}
+	if (octets < 4)
+		return (0);
+
+	memcpy(dst, tmp, INADDRSZ);
+	return (1);
+}
+
+/* int
+ * inet_pton6(src, dst)
+ *	convert presentation level address to network order binary form.
+ * return:
+ *	1 if `src' is a valid [RFC1884 2.2] address, else 0.
+ * notice:
+ *	does not touch `dst' unless it's returning 1.
+ * credit:
+ *	inspired by Mark Andrews.
+ * author:
+ *	Paul Vixie, 1996.
+ */
+static int
+inet_pton6(const char *src, u_char *dst)
+{
+	static const char xdigits_l[] = "0123456789abcdef",
+			  xdigits_u[] = "0123456789ABCDEF";
+	u_char tmp[IN6ADDRSZ], *tp, *endp, *colonp;
+	const char *xdigits, *curtok;
+	int ch, saw_xdigit, count_xdigit;
+	u_int val;
+
+	memset((tp = tmp), '\0', IN6ADDRSZ);
+	endp = tp + IN6ADDRSZ;
+	colonp = NULL;
+	/* Leading :: requires some special handling. */
+	if (*src == ':')
+		if (*++src != ':')
+			return (0);
+	curtok = src;
+	saw_xdigit = count_xdigit = 0;
+	val = 0;
+	while ((ch = *src++) != '\0') {
+		const char *pch;
+
+		if ((pch = strchr((xdigits = xdigits_l), ch)) == NULL)
+			pch = strchr((xdigits = xdigits_u), ch);
+		if (pch != NULL) {
+			if (count_xdigit >= 4)
+				return (0);
+			val <<= 4;
+			val |= (pch - xdigits);
+			if (val > 0xffff)
+				return (0);
+			saw_xdigit = 1;
+			count_xdigit++;
+			continue;
+		}
+		if (ch == ':') {
+			curtok = src;
+			if (!saw_xdigit) {
+				if (colonp)
+					return (0);
+				colonp = tp;
+				continue;
+			} else if (*src == '\0') {
+				return (0);
+			}
+			if (tp + INT16SZ > endp)
+				return (0);
+			*tp++ = (u_char) (val >> 8) & 0xff;
+			*tp++ = (u_char) val & 0xff;
+			saw_xdigit = 0;
+			count_xdigit = 0;
+			val = 0;
+			continue;
+		}
+		if (ch == '.' && ((tp + INADDRSZ) <= endp) &&
+		    inet_pton4(curtok, tp) > 0) {
+			tp += INADDRSZ;
+			saw_xdigit = 0;
+			count_xdigit = 0;
+			break;	/* '\0' was seen by inet_pton4(). */
+		}
+		return (0);
+	}
+	if (saw_xdigit) {
+		if (tp + INT16SZ > endp)
+			return (0);
+		*tp++ = (u_char) (val >> 8) & 0xff;
+		*tp++ = (u_char) val & 0xff;
+	}
+	if (colonp != NULL) {
+		/*
+		 * Since some memmove()'s erroneously fail to handle
+		 * overlapping regions, we'll do the shift by hand.
+		 */
+		const int n = tp - colonp;
+		int i;
+
+		if (tp == endp)
+			return (0);
+		for (i = 1; i <= n; i++) {
+			endp[- i] = colonp[n - i];
+			colonp[n - i] = 0;
+		}
+		tp = endp;
+	}
+	if (tp != endp)
+		return (0);
+	memcpy(dst, tmp, IN6ADDRSZ);
+	return (1);
+}

crypto/compat/issetugid_hpux.c

@@ -1,17 +0,0 @@
-#include <stdio.h>
-#include <unistd.h>
-#include <sys/pstat.h>
-
-/*
- * HP-UX does not have issetugid().
- * Use pstat_getproc() and check PS_CHANGEDPRIV bit of pst_flag. If this call
- * cannot be used, assume we must be running in a privileged environment.
- */
-int issetugid(void)
-{
-	struct pst_status buf;
-	if (pstat_getproc(&buf, sizeof(buf), 0, getpid()) == 1 &&
-	    !(buf.pst_flag & PS_CHANGEDPRIV))
-		return 0;
-	return 1;
-}

crypto/compat/issetugid_linux.c

@@ -1,47 +0,0 @@
-/*
- * issetugid implementation for Linux
- * Public domain
- */
-
-#include <errno.h>
-#include <gnu/libc-version.h>
-#include <string.h>
-#include <sys/types.h>
-#include <unistd.h>
-
-/*
- * Linux-specific glibc 2.16+ interface for determining if a process was
- * launched setuid/setgid or with additional capabilities.
- */
-#ifdef HAVE_GETAUXVAL
-#include <sys/auxv.h>
-#endif
-
-int issetugid(void)
-{
-#ifdef HAVE_GETAUXVAL
-	/*
-	 * The API for glibc < 2.19 does not indicate if there is an error with
-	 * getauxval. While it should not be the case that any 2.6 or greater
-	 * kernel ever does not supply AT_SECURE, an emulated software environment
-	 * might rewrite the aux vector.
-	 *
-	 * See https://sourceware.org/bugzilla/show_bug.cgi?id=15846
-	 *
-	 * Perhaps this code should just read the aux vector itself, so we have
-	 * backward-compatibility and error handling in older glibc versions.
-	 * info: http://lwn.net/Articles/519085/
-	 *
-	 */
-	const char *glcv = gnu_get_libc_version();
-	if (strverscmp(glcv, "2.19") >= 0) {
-		errno = 0;
-		if (getauxval(AT_SECURE) == 0) {
-			if (errno != ENOENT) {
-				return 0;
-			}
-		}
-	}
-#endif
-	return 1;
-}

crypto/compat/issetugid_osx.c

@@ -1,16 +0,0 @@
-/*
- * issetugid implementation for OS X
- * Public domain
- */
-
-#include <unistd.h>
-
-/*
- * OS X has issetugid, but it is not fork-safe as of version 10.10.
- * See this Solaris report for test code that fails similarly:
- * http://mcarpenter.org/blog/2013/01/15/solaris-issetugid%282%29-bug
- */
-int issetugid(void)
-{
-	return 1;
-}

crypto/compat/issetugid_win.c

@@ -1,26 +0,0 @@
-/*
- * issetugid implementation for Windows
- * Public domain
- */
-
-#include <unistd.h>
-
-/*
- * Windows does not have a native setuid/setgid functionality.
- * A user must enter credentials each time a process elevates its
- * privileges.
- *
- * So, in theory, this could always return 0, given what I know currently.
- * However, it makes sense to stub out initially in 'safe' mode until we
- * understand more (and determine if any disabled functionality is actually
- * useful on Windows anyway).
- *
- * Future versions of this function that are made more 'open' should thoroughly
- * consider the case of this code running as a privileged service with saved
- * user credentials or privilege escalations by other means (e.g. the old
- * RunAsEx utility.)
- */
-int issetugid(void)
-{
-	return 1;
-}

crypto/compat/posix_win.c

@@ -2,23 +2,63 @@
  * Public domain
  *
  * BSD socket emulation code for Winsock2
+ * File IO compatibility shims
  * Brent Cook <bcook@openbsd.org>
  */
 
-#ifndef LIBCRYPTOCOMPAT_WIN32NETCOMPAT_H
-#define LIBCRYPTOCOMPAT_WIN32NETCOMPAT_H
-
-#ifdef _WIN32
+#define NO_REDEF_POSIX_FUNCTIONS
 
+#include <windows.h>
 #include <ws2tcpip.h>
 
-#define SHUT_RDWR SD_BOTH
-#define SHUT_RD   SD_RECEIVE
-#define SHUT_WR   SD_SEND
-
 #include <errno.h>
+#include <stdint.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
 #include <unistd.h>
 
+void
+posix_perror(const char *s)
+{
+	fprintf(stderr, "%s: %s\n", s, strerror(errno));
+}
+
+FILE *
+posix_fopen(const char *path, const char *mode)
+{
+	if (strchr(mode, 'b') == NULL) {
+		char *bin_mode = NULL;
+		if (asprintf(&bin_mode, "%sb", mode) == -1)
+			return NULL;
+		FILE *f = fopen(path, bin_mode);
+		free(bin_mode);
+		return f;
+	}
+
+	return fopen(path, mode);
+}
+
+char *
+posix_fgets(char *s, int size, FILE *stream)
+{
+	char *ret = fgets(s, size, stream);
+	if (ret != NULL) {
+		size_t end = strlen(ret);
+		if (end >= 2 && ret[end - 2] == '\r' && ret[end - 1] == '\n') {
+			ret[end - 2] = '\n';
+			ret[end - 1] = '\0';
+		}
+	}
+	return ret;
+}
+
+int
+posix_rename(const char *oldpath, const char *newpath)
+{
+	return MoveFileEx(oldpath, newpath, MOVEFILE_REPLACE_EXISTING) ? 0 : -1;
+}
+
 static int
 wsa_errno(int err)
 {
@@ -81,7 +121,7 @@ wsa_errno(int err)
 	return -1;
 }
 
-static inline int
+int
 posix_connect(int sockfd, const struct sockaddr *addr, socklen_t addrlen)
 {
 	int rc = connect(sockfd, addr, addrlen);
@@ -90,9 +130,7 @@ posix_connect(int sockfd, const struct sockaddr *addr, socklen_t addrlen)
 	return rc;
 }
 
-#define connect(sockfd, addr, addrlen) posix_connect(sockfd, addr, addrlen)
-
-static inline int
+int
 posix_close(int fd)
 {
 	if (closesocket(fd) == SOCKET_ERROR) {
@@ -103,9 +141,7 @@ posix_close(int fd)
 	return 0;
 }
 
-#define close(fd) posix_close(fd)
-
-static inline ssize_t
+ssize_t
 posix_read(int fd, void *buf, size_t count)
 {
 	ssize_t rc = recv(fd, buf, count, 0);
@@ -117,9 +153,7 @@ posix_read(int fd, void *buf, size_t count)
 	return rc;
 }
 
-#define read(fd, buf, count) posix_read(fd, buf, count)
-
-static inline ssize_t
+ssize_t
 posix_write(int fd, const void *buf, size_t count)
 {
 	ssize_t rc = send(fd, buf, count, 0);
@@ -131,9 +165,7 @@ posix_write(int fd, const void *buf, size_t count)
 	return rc;
 }
 
-#define write(fd, buf, count) posix_write(fd, buf, count)
-
-static inline int
+int
 posix_getsockopt(int sockfd, int level, int optname,
 	void *optval, socklen_t *optlen)
 {
@@ -142,10 +174,7 @@ posix_getsockopt(int sockfd, int level, int optname,
 
 }
 
-#define getsockopt(sockfd, level, optname, optval, optlen) \
-	posix_getsockopt(sockfd, level, optname, optval, optlen)
-
-static inline int
+int
 posix_setsockopt(int sockfd, int level, int optname,
 	const void *optval, socklen_t optlen)
 {
@@ -153,9 +182,33 @@ posix_setsockopt(int sockfd, int level, int optname,
 	return rc == 0 ? 0 : wsa_errno(WSAGetLastError());
 }
 
-#define setsockopt(sockfd, level, optname, optval, optlen) \
-	posix_setsockopt(sockfd, level, optname, optval, optlen)
-
-#endif
+#ifdef _MSC_VER
+int gettimeofday(struct timeval * tp, struct timezone * tzp)
+{
+	/*
+	 * Note: some broken versions only have 8 trailing zero's, the correct
+	 * epoch has 9 trailing zero's
+	 */
+	static const uint64_t EPOCH = ((uint64_t) 116444736000000000ULL);
+
+	SYSTEMTIME  system_time;
+	FILETIME    file_time;
+	uint64_t    time;
+
+	GetSystemTime(&system_time);
+	SystemTimeToFileTime(&system_time, &file_time);
+	time = ((uint64_t)file_time.dwLowDateTime);
+	time += ((uint64_t)file_time.dwHighDateTime) << 32;
+
+	tp->tv_sec = (long)((time - EPOCH) / 10000000L);
+	tp->tv_usec = (long)(system_time.wMilliseconds * 1000);
+	return 0;
+}
+
+unsigned int sleep(unsigned int seconds)
+{
+	Sleep(seconds * 1000);
+	return seconds;
+}
 
 #endif

crypto/compat/timegm.c

@@ -0,0 +1,220 @@
+/*
+ * ----------------------------------------------------------------------
+ * Copyright © 2005-2014 Rich Felker, et al.
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining
+ * a copy of this software and associated documentation files (the
+ * "Software"), to deal in the Software without restriction, including
+ * without limitation the rights to use, copy, modify, merge, publish,
+ * distribute, sublicense, and/or sell copies of the Software, and to
+ * permit persons to whom the Software is furnished to do so, subject to
+ * the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be
+ * included in all copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
+ * EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
+ * MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT.
+ * IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY
+ * CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT,
+ * TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE
+ * SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
+ * ----------------------------------------------------------------------
+ */
+
+#include <errno.h>
+#include <limits.h>
+#include <time.h>
+
+/* 2000-03-01 (mod 400 year, immediately after feb29 */
+#define LEAPOCH (946684800LL + 86400*(31+29))
+
+#define DAYS_PER_400Y (365*400 + 97)
+#define DAYS_PER_100Y (365*100 + 24)
+#define DAYS_PER_4Y   (365*4   + 1)
+
+static int __month_to_secs(int month, int is_leap)
+{
+	static const int secs_through_month[] = {
+		0, 31*86400, 59*86400, 90*86400,
+		120*86400, 151*86400, 181*86400, 212*86400,
+		243*86400, 273*86400, 304*86400, 334*86400 };
+	int t = secs_through_month[month];
+	if (is_leap && month >= 2) t+=86400;
+	return t;
+}
+
+static long long __year_to_secs(long long year, int *is_leap)
+{
+	if (year-2ULL <= 136) {
+		int y = year;
+		int leaps = (y-68)>>2;
+		if (!((y-68)&3)) {
+			leaps--;
+			if (is_leap) *is_leap = 1;
+		} else if (is_leap) *is_leap = 0;
+		return 31536000*(y-70) + 86400*leaps;
+	}
+
+	int cycles, centuries, leaps, rem;
+
+	if (!is_leap) is_leap = &(int){0};
+	cycles = (year-100) / 400;
+	rem = (year-100) % 400;
+	if (rem < 0) {
+		cycles--;
+		rem += 400;
+	}
+	if (!rem) {
+		*is_leap = 1;
+		centuries = 0;
+		leaps = 0;
+	} else {
+		if (rem >= 200) {
+			if (rem >= 300) centuries = 3, rem -= 300;
+			else centuries = 2, rem -= 200;
+		} else {
+			if (rem >= 100) centuries = 1, rem -= 100;
+			else centuries = 0;
+		}
+		if (!rem) {
+			*is_leap = 0;
+			leaps = 0;
+		} else {
+			leaps = rem / 4U;
+			rem %= 4U;
+			*is_leap = !rem;
+		}
+	}
+
+	leaps += 97*cycles + 24*centuries - *is_leap;
+
+	return (year-100) * 31536000LL + leaps * 86400LL + 946684800 + 86400;
+}
+
+static long long __tm_to_secs(const struct tm *tm)
+{
+	int is_leap;
+	long long year = tm->tm_year;
+	int month = tm->tm_mon;
+	if (month >= 12 || month < 0) {
+		int adj = month / 12;
+		month %= 12;
+		if (month < 0) {
+			adj--;
+			month += 12;
+		}
+		year += adj;
+	}
+	long long t = __year_to_secs(year, &is_leap);
+	t += __month_to_secs(month, is_leap);
+	t += 86400LL * (tm->tm_mday-1);
+	t += 3600LL * tm->tm_hour;
+	t += 60LL * tm->tm_min;
+	t += tm->tm_sec;
+	return t;
+}
+
+static int __secs_to_tm(long long t, struct tm *tm)
+{
+	long long days, secs;
+	int remdays, remsecs, remyears;
+	int qc_cycles, c_cycles, q_cycles;
+	int years, months;
+	int wday, yday, leap;
+	static const char days_in_month[] = {31,30,31,30,31,31,30,31,30,31,31,29};
+
+	/* Reject time_t values whose year would overflow int */
+	if (t < INT_MIN * 31622400LL || t > INT_MAX * 31622400LL)
+		return -1;
+
+	secs = t - LEAPOCH;
+	days = secs / 86400;
+	remsecs = secs % 86400;
+	if (remsecs < 0) {
+		remsecs += 86400;
+		days--;
+	}
+
+	wday = (3+days)%7;
+	if (wday < 0) wday += 7;
+
+	qc_cycles = days / DAYS_PER_400Y;
+	remdays = days % DAYS_PER_400Y;
+	if (remdays < 0) {
+		remdays += DAYS_PER_400Y;
+		qc_cycles--;
+	}
+
+	c_cycles = remdays / DAYS_PER_100Y;
+	if (c_cycles == 4) c_cycles--;
+	remdays -= c_cycles * DAYS_PER_100Y;
+
+	q_cycles = remdays / DAYS_PER_4Y;
+	if (q_cycles == 25) q_cycles--;
+	remdays -= q_cycles * DAYS_PER_4Y;
+
+	remyears = remdays / 365;
+	if (remyears == 4) remyears--;
+	remdays -= remyears * 365;
+
+	leap = !remyears && (q_cycles || !c_cycles);
+	yday = remdays + 31 + 28 + leap;
+	if (yday >= 365+leap) yday -= 365+leap;
+
+	years = remyears + 4*q_cycles + 100*c_cycles + 400*qc_cycles;
+
+	for (months=0; days_in_month[months] <= remdays; months++)
+		remdays -= days_in_month[months];
+
+	if (years+100 > INT_MAX || years+100 < INT_MIN)
+		return -1;
+
+	tm->tm_year = years + 100;
+	tm->tm_mon = months + 2;
+	if (tm->tm_mon >= 12) {
+		tm->tm_mon -=12;
+		tm->tm_year++;
+	}
+	tm->tm_mday = remdays + 1;
+	tm->tm_wday = wday;
+	tm->tm_yday = yday;
+
+	tm->tm_hour = remsecs / 3600;
+	tm->tm_min = remsecs / 60 % 60;
+	tm->tm_sec = remsecs % 60;
+
+	return 0;
+}
+
+#ifdef _WIN32
+struct tm *__gmtime_r(const time_t *t, struct tm *tm)
+{
+	if (__secs_to_tm(*t, tm) < 0) {
+		errno = EOVERFLOW;
+		return 0;
+	}
+	tm->tm_isdst = 0;
+	return tm;
+}
+#endif
+
+time_t timegm(struct tm *tm)
+{
+	struct tm new;
+	long long t = __tm_to_secs(tm);
+	if (__secs_to_tm(t, &new) < 0) {
+		errno = EOVERFLOW;
+		return -1;
+	}
+#if SIZEOF_TIME_T != 8
+	if (t > (long long)INT_MAX || t < (long long)INT_MIN) {
+		errno = EOVERFLOW;
+		return -1;
+	}
+#endif
+	*tm = new;
+	tm->tm_isdst = 0;
+	return t;
+}

crypto/compat/ui_openssl_win.c

@@ -133,6 +133,7 @@
 /* Define globals.  They are protected by a lock */
 static void (*savsig[NX509_SIG])(int );
 
+DWORD console_mode;
 static FILE *tty_in, *tty_out;
 static int is_a_tty;
 
@@ -285,7 +286,7 @@ error:
 	if (ps >= 1)
 		popsig();
 
-	OPENSSL_cleanse(result, BUFSIZ);
+	explicit_bzero(result, BUFSIZ);
 	return ok;
 }
 
@@ -300,16 +301,25 @@ open_console(UI *ui)
 	tty_in = stdin;
 	tty_out = stderr;
 
-	return 1;
+	HANDLE handle = GetStdHandle(STD_INPUT_HANDLE);
+	if (handle != NULL && handle != INVALID_HANDLE_VALUE) {
+		if (GetFileType(handle) == FILE_TYPE_CHAR)
+			return GetConsoleMode(handle, &console_mode);
+		else
+			return 1;
+	}
+	return 0;
 }
 
 static int
 noecho_console(UI *ui)
 {
-	DWORD mode = 0;
 	HANDLE handle = GetStdHandle(STD_INPUT_HANDLE);
-	if (handle != INVALID_HANDLE_VALUE && handle != handle) {
-		return GetConsoleMode(handle, &mode) && SetConsoleMode(handle, mode & (~ENABLE_ECHO_INPUT));
+	if (handle != NULL && handle != INVALID_HANDLE_VALUE) {
+		if (GetFileType(handle) == FILE_TYPE_CHAR)
+			return SetConsoleMode(handle, console_mode & ~ENABLE_ECHO_INPUT);
+		else
+			return 1;
 	}
 	return 0;
 }
@@ -317,10 +327,12 @@ noecho_console(UI *ui)
 static int
 echo_console(UI *ui)
 {
-	DWORD mode = 0;
 	HANDLE handle = GetStdHandle(STD_INPUT_HANDLE);
-	if (handle != INVALID_HANDLE_VALUE && handle != handle) {
-		return GetConsoleMode(handle, &mode) && SetConsoleMode(handle, mode | ENABLE_ECHO_INPUT);
+	if (handle != NULL && handle != INVALID_HANDLE_VALUE) {
+		if (GetFileType(handle) == FILE_TYPE_CHAR)
+			return SetConsoleMode(handle, console_mode);
+		else
+			return 1;
 	}
 	return 0;
 }

dist-win.sh

@@ -22,27 +22,18 @@ for ARCH in X86 X64; do
 
 	echo Building for $HOST
 
-	CC=$HOST-gcc ./configure --host=$HOST --enable-libtls
+	CC=$HOST-gcc ./configure --host=$HOST --with-openssldir=c:/libressl/ssl
 	make clean
 	PATH=$PATH:/usr/$HOST/sys-root/mingw/bin \
 	   make -j 4 check
 	make -j 4 install DESTDIR=`pwd`/stage-$ARCHDIR
 
 	mkdir -p $DIST/$ARCHDIR
-	#cp -a stage-$ARCHDIR/usr/local/lib/* $DIST/$ARCHDIR
 	if [ ! -e $DIST/include ]; then
-		cp -a stage-$ARCHDIR/usr/local/include $DIST
-		sed -i -e 'N;/\n.*__non/s/"\? *\n/ /;P;D' \
-		       $DIST/include/openssl/*.h $DIST/include/*.h
-		sed -i -e 'N;/\n.*__attr/s/"\? *\n/ /;P;D' \
-		       $DIST/include/openssl/*.h $DIST/include/*.h
-		sed -i -e "s/__attr.*;/;/"  \
-		       -e "s/sys\/time.h/winsock2.h/" \
-		       $DIST/include/openssl/*.h $DIST/include/*.h
+		cp -r stage-$ARCHDIR/usr/local/include $DIST
 	fi
 
 	cp stage-$ARCHDIR/usr/local/bin/* $DIST/$ARCHDIR
-	#cp /usr/$HOST/sys-root/mingw/bin/libssp* $DIST/$ARCHDIR
 
 	for i in libcrypto libssl libtls; do
 		DLL=$(basename `ls -1 $DIST/$ARCHDIR/$i*.dll`|cut -d. -f1)

dist.sh

@@ -1,7 +1,7 @@
 #!/bin/sh
 set -e
 
-rm -f man/*.1 man/*.3
+rm -f man/*.1 man/*.3 include/openssl/*.h
 ./autogen.sh
-./configure --enable-libtls
+./configure
 make distcheck

gen-coverage-report.sh

@@ -20,7 +20,7 @@ find -name '*.gcda' -o -name '*.gcno' -delete
 rm -fr $DESTDIR
 
 echo "Configuring to build with code coverage support"
-./configure --enable-libtls CFLAGS='-O0 -fprofile-arcs -ftest-coverage'
+./configure CFLAGS='-O0 -fprofile-arcs -ftest-coverage'
 
 echo "Running all code paths"
 make clean
@@ -29,9 +29,15 @@ make check
 echo "Generating report"
 mkdir -p $DESTDIR
 find tests -name '*.gcda' -o -name '*.gcno' -delete
-lcov --directory . --capture --output-file $DESTDIR/coverage.tmp \
+lcov --capture --output-file $DESTDIR/coverage.tmp \
+	--rc lcov_branch_coverage=1 \
+	--directory crypto \
+	--directory ssl \
+	--directory tls \
     --test-name "LibreSSL $VERSION"
 genhtml --prefix . --output-directory $DESTDIR \
+	--branch-coverage --function-coverage \
+	--rc lcov_branch_coverage=1 \
     --title "LibreSSL $VERSION" --legend --show-detail $DESTDIR/coverage.tmp
 
 echo "Code coverage report is available under $DESTDIR"

gen-openbsd-tags.sh

@@ -0,0 +1,20 @@
+#!/bin/sh
+set -e
+
+for tag in `git tag`; do
+	branch=master
+	if [[ $tag = v2.0* ]]; then
+		branch=OPENBSD_5_6
+	elif [[ $tag = v2.1* ]]; then
+		branch=OPENBSD_5_7
+	elif [[ $tag = v2.2* ]]; then
+		branch=OPENBSD_5_8
+	elif [[ $tag = v2.3* ]]; then
+		branch=OPENBSD_5_9
+	fi
+	# adjust for 9 hour timezone delta between trees
+	release_ts=$((`git show -s --format=%ct $tag|tail -n1` + 32400))
+	commit=`git -C openbsd rev-list -n 1 --before=$release_ts $branch`
+	git -C openbsd tag -f libressl-$tag $commit
+	echo Tagged $tag as $commit in openbsd
+done

include/CMakeLists.txt

@@ -0,0 +1,5 @@
+install(DIRECTORY .
+        DESTINATION include
+        PATTERN "CMakeLists.txt" EXCLUDE
+        PATTERN "compat" EXCLUDE
+        PATTERN "Makefile*" EXCLUDE)

include/Makefile.am

@@ -1,33 +1,43 @@
 include $(top_srcdir)/Makefile.am.common
 
+EXTRA_DIST = CMakeLists.txt
+
 SUBDIRS = openssl
 
-noinst_HEADERS = err.h
-noinst_HEADERS += netdb.h
-noinst_HEADERS += poll.h
-noinst_HEADERS += pqueue.h
-noinst_HEADERS += stdio.h
-noinst_HEADERS += stdlib.h
-noinst_HEADERS += string.h
-noinst_HEADERS += syslog.h
-noinst_HEADERS += unistd.h
-noinst_HEADERS += win32netcompat.h
+noinst_HEADERS = pqueue.h
+noinst_HEADERS += compat/dirent.h
+noinst_HEADERS += compat/dirent_msvc.h
+noinst_HEADERS += compat/err.h
+noinst_HEADERS += compat/limits.h
+noinst_HEADERS += compat/netdb.h
+noinst_HEADERS += compat/poll.h
+noinst_HEADERS += compat/readpassphrase.h
+noinst_HEADERS += compat/resolv.h
+noinst_HEADERS += compat/stdio.h
+noinst_HEADERS += compat/stdlib.h
+noinst_HEADERS += compat/string.h
+noinst_HEADERS += compat/time.h
+noinst_HEADERS += compat/unistd.h
+noinst_HEADERS += compat/win32netcompat.h
 
-noinst_HEADERS += arpa/inet.h
+noinst_HEADERS += compat/arpa/inet.h
+noinst_HEADERS += compat/arpa/nameser.h
 
-noinst_HEADERS += machine/endian.h
+noinst_HEADERS += compat/machine/endian.h
 
-noinst_HEADERS += netinet/in.h
-noinst_HEADERS += netinet/tcp.h
+noinst_HEADERS += compat/netinet/in.h
+noinst_HEADERS += compat/netinet/ip.h
+noinst_HEADERS += compat/netinet/tcp.h
 
-noinst_HEADERS += sys/ioctl.h
-noinst_HEADERS += sys/mman.h
-noinst_HEADERS += sys/select.h
-noinst_HEADERS += sys/socket.h
-noinst_HEADERS += sys/times.h
-noinst_HEADERS += sys/types.h
-noinst_HEADERS += sys/uio.h
+noinst_HEADERS += compat/sys/cdefs.h
+noinst_HEADERS += compat/sys/ioctl.h
+noinst_HEADERS += compat/sys/mman.h
+noinst_HEADERS += compat/sys/param.h
+noinst_HEADERS += compat/sys/select.h
+noinst_HEADERS += compat/sys/socket.h
+noinst_HEADERS += compat/sys/stat.h
+noinst_HEADERS += compat/sys/time.h
+noinst_HEADERS += compat/sys/types.h
+noinst_HEADERS += compat/sys/uio.h
 
-if ENABLE_LIBTLS
 include_HEADERS = tls.h
-endif

include/arpa/inet.h

@@ -1,10 +0,0 @@
-/*
- * Public domain
- * arpa/inet.h compatibility shim
- */
-
-#ifndef _WIN32
-#include_next <arpa/inet.h>
-#else
-#include <win32netcompat.h>
-#endif

include/compat/arpa/inet.h

@@ -0,0 +1,19 @@
+/*
+ * Public domain
+ * arpa/inet.h compatibility shim
+ */
+
+#ifndef _WIN32
+#include_next <arpa/inet.h>
+#else
+#include <win32netcompat.h>
+
+#ifndef AI_ADDRCONFIG
+#define AI_ADDRCONFIG               0x00000400
+#endif
+
+#endif
+
+#ifndef HAVE_INET_PTON
+int inet_pton(int af, const char * src, void * dst);
+#endif

include/compat/arpa/nameser.h

@@ -0,0 +1,23 @@
+/*
+ * Public domain
+ * arpa/inet.h compatibility shim
+ */
+
+#ifndef _WIN32
+#include_next <arpa/nameser.h>
+#else
+#include <win32netcompat.h>
+
+#ifndef INADDRSZ
+#define INADDRSZ 4
+#endif
+
+#ifndef IN6ADDRSZ
+#define IN6ADDRSZ 16
+#endif
+
+#ifndef INT16SZ
+#define INT16SZ	2
+#endif
+
+#endif

include/compat/dirent.h

@@ -0,0 +1,17 @@
+/*
+ * Public domain
+ * dirent.h compatibility shim
+ */
+
+#ifndef LIBCRYPTOCOMPAT_DIRENT_H
+#define LIBCRYPTOCOMPAT_DIRENT_H
+
+#ifdef _MSC_VER
+#include <windows.h>
+#include <dirent_msvc.h>
+#else
+#include_next <dirent.h>
+#endif
+
+#endif
+

include/compat/dirent_msvc.h

@@ -0,0 +1,611 @@
+/*
+ * dirent.h - dirent API for Microsoft Visual Studio
+ *
+ * Copyright (C) 2006-2012 Toni Ronkko
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining
+ * a copy of this software and associated documentation files (the
+ * ``Software''), to deal in the Software without restriction, including
+ * without limitation the rights to use, copy, modify, merge, publish,
+ * distribute, sublicense, and/or sell copies of the Software, and to
+ * permit persons to whom the Software is furnished to do so, subject to
+ * the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be included
+ * in all copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED ``AS IS'', WITHOUT WARRANTY OF ANY KIND, EXPRESS
+ * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
+ * MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT.
+ * IN NO EVENT SHALL TONI RONKKO BE LIABLE FOR ANY CLAIM, DAMAGES OR
+ * OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE,
+ * ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR
+ * OTHER DEALINGS IN THE SOFTWARE.
+ *
+ * $Id: dirent.h,v 1.20 2014/03/19 17:52:23 tronkko Exp $
+ */
+#ifndef DIRENT_MSVC_H
+#define DIRENT_MSVC_H
+
+#include <windows.h>
+
+#if _MSC_VER >= 1900
+#include <../ucrt/stdio.h>
+#include <../ucrt/wchar.h>
+#include <../ucrt/string.h>
+#include <../ucrt/stdlib.h>
+#include <../ucrt/sys/types.h>
+#include <../ucrt/errno.h>
+#else
+#include <../include/stdio.h>
+#include <../include/wchar.h>
+#include <../include/string.h>
+#include <../include/stdlib.h>
+#include <../include/sys/types.h>
+#include <../include/errno.h>
+#endif
+
+#include <stdarg.h>
+#include <sys/stat.h>
+
+/* Indicates that d_type field is available in dirent structure */
+#define _DIRENT_HAVE_D_TYPE
+
+/* Indicates that d_namlen field is available in dirent structure */
+#define _DIRENT_HAVE_D_NAMLEN
+
+/* Maximum length of file name */
+#if !defined(PATH_MAX)
+#   define PATH_MAX MAX_PATH
+#endif
+#if !defined(FILENAME_MAX)
+#   define FILENAME_MAX MAX_PATH
+#endif
+#if !defined(NAME_MAX)
+#   define NAME_MAX FILENAME_MAX
+#endif
+
+/* Return the exact length of d_namlen without zero terminator */
+#define _D_EXACT_NAMLEN(p)((p)->d_namlen)
+
+/* Return number of bytes needed to store d_namlen */
+#define _D_ALLOC_NAMLEN(p)(PATH_MAX)
+
+/* Wide-character version */
+struct _wdirent {
+	long d_ino;                         /* Always zero */
+	unsigned short d_reclen;            /* Structure size */
+	size_t d_namlen;                    /* Length of name without \0 */
+	int d_type;                         /* File type */
+	wchar_t d_name[PATH_MAX];           /* File name */
+};
+typedef struct _wdirent _wdirent;
+
+struct _WDIR {
+	struct _wdirent ent;                /* Current directory entry */
+	WIN32_FIND_DATAW data;              /* Private file data */
+	int cached;                         /* True if data is valid */
+	HANDLE handle;                      /* Win32 search handle */
+	wchar_t *patt;                      /* Initial directory name */
+};
+typedef struct _WDIR _WDIR;
+
+static _WDIR *_wopendir(const wchar_t *dirname);
+static struct _wdirent *_wreaddir(_WDIR *dirp);
+static int _wclosedir(_WDIR *dirp);
+static void _wrewinddir(_WDIR* dirp);
+
+/* Multi-byte character versions */
+struct dirent {
+	long d_ino;                         /* Always zero */
+	unsigned short d_reclen;            /* Structure size */
+	size_t d_namlen;                    /* Length of name without \0 */
+	int d_type;                         /* File type */
+	char d_name[PATH_MAX];              /* File name */
+};
+typedef struct dirent dirent;
+
+struct DIR {
+	struct dirent ent;
+	struct _WDIR *wdirp;
+};
+typedef struct DIR DIR;
+
+static DIR *opendir(const char *dirname);
+static struct dirent *readdir(DIR *dirp);
+static int closedir(DIR *dirp);
+static void rewinddir(DIR* dirp);
+
+/* Internal utility functions */
+static WIN32_FIND_DATAW *dirent_first(_WDIR *dirp);
+static WIN32_FIND_DATAW *dirent_next(_WDIR *dirp);
+
+static int dirent_mbstowcs_s(
+	size_t *pReturnValue,
+	wchar_t *wcstr,
+	size_t sizeInWords,
+	const char *mbstr,
+	size_t count);
+
+static int dirent_wcstombs_s(
+	size_t *pReturnValue,
+	char *mbstr,
+	size_t sizeInBytes,
+	const wchar_t *wcstr,
+	size_t count);
+
+/*
+ * Open directory stream DIRNAME for read and return a pointer to the
+ * internal working area that is used to retrieve individual directory
+ * entries.
+ */
+static _WDIR*
+_wopendir(const wchar_t *dirname)
+{
+	_WDIR *dirp = NULL;
+	int error;
+
+	/* Must have directory name */
+	if (dirname == NULL  ||  dirname[0] == '\0') {
+		_set_errno(ENOENT);
+		return NULL;
+	}
+
+	/* Allocate new _WDIR structure */
+	dirp =(_WDIR*) malloc(sizeof(struct _WDIR));
+	if (dirp != NULL) {
+		DWORD n;
+
+		/* Reset _WDIR structure */
+		dirp->handle = INVALID_HANDLE_VALUE;
+		dirp->patt = NULL;
+		dirp->cached = 0;
+
+		/* Compute the length of full path plus zero terminator */
+		n = GetFullPathNameW(dirname, 0, NULL, NULL);
+
+		/* Allocate room for absolute directory name and search pattern */
+		dirp->patt =(wchar_t*) malloc(sizeof(wchar_t) * n + 16);
+		if (dirp->patt) {
+
+			/*
+			 * Convert relative directory name to an absolute one.  This
+			 * allows rewinddir() to function correctly even when current
+			 * working directory is changed between opendir() and rewinddir().
+			 */
+			n = GetFullPathNameW(dirname, n, dirp->patt, NULL);
+			if (n > 0) {
+				wchar_t *p;
+
+				/* Append search pattern \* to the directory name */
+				p = dirp->patt + n;
+				if (dirp->patt < p) {
+					switch(p[-1]) {
+					case '\\':
+					case '/':
+					case ':':
+						/* Directory ends in path separator, e.g. c:\temp\ */
+						/*NOP*/;
+						break;
+
+					default:
+						/* Directory name doesn't end in path separator */
+						*p++ = '\\';
+					}
+				}
+				*p++ = '*';
+				*p = '\0';
+
+				/* Open directory stream and retrieve the first entry */
+				if (dirent_first(dirp)) {
+					/* Directory stream opened successfully */
+					error = 0;
+				} else {
+					/* Cannot retrieve first entry */
+					error = 1;
+					_set_errno(ENOENT);
+				}
+
+			} else {
+				/* Cannot retrieve full path name */
+				_set_errno(ENOENT);
+				error = 1;
+			}
+
+		} else {
+			/* Cannot allocate memory for search pattern */
+			error = 1;
+		}
+
+	} else {
+		/* Cannot allocate _WDIR structure */
+		error = 1;
+	}
+
+	/* Clean up in case of error */
+	if (error  &&  dirp) {
+		_wclosedir(dirp);
+		dirp = NULL;
+	}
+
+	return dirp;
+}
+
+/*
+ * Read next directory entry.  The directory entry is returned in dirent
+ * structure in the d_name field.  Individual directory entries returned by
+ * this function include regular files, sub-directories, pseudo-directories
+ * "." and ".." as well as volume labels, hidden files and system files.
+ */
+static struct _wdirent*
+_wreaddir(_WDIR *dirp)
+{
+	WIN32_FIND_DATAW *datap;
+	struct _wdirent *entp;
+
+	/* Read next directory entry */
+	datap = dirent_next(dirp);
+	if (datap) {
+		size_t n;
+		DWORD attr;
+
+		/* Pointer to directory entry to return */
+		entp = &dirp->ent;
+
+		/*
+		 * Copy file name as wide-character string.  If the file name is too
+		 * long to fit in to the destination buffer, then truncate file name
+		 * to PATH_MAX characters and zero-terminate the buffer.
+		 */
+		n = 0;
+		while(n + 1 < PATH_MAX  &&  datap->cFileName[n] != 0) {
+			entp->d_name[n] = datap->cFileName[n];
+			n++;
+		}
+		dirp->ent.d_name[n] = 0;
+
+		/* Length of file name excluding zero terminator */
+		entp->d_namlen = n;
+
+		/* File type */
+		attr = datap->dwFileAttributes;
+		if ((attr & FILE_ATTRIBUTE_DEVICE) != 0) {
+			entp->d_type = DT_CHR;
+		} else if ((attr & FILE_ATTRIBUTE_DIRECTORY) != 0) {
+			entp->d_type = DT_DIR;
+		} else {
+			entp->d_type = DT_REG;
+		}
+
+		/* Reset dummy fields */
+		entp->d_ino = 0;
+		entp->d_reclen = sizeof(struct _wdirent);
+
+	} else {
+
+		/* Last directory entry read */
+		entp = NULL;
+
+	}
+
+	return entp;
+}
+
+/*
+ * Close directory stream opened by opendir() function.  This invalidates the
+ * DIR structure as well as any directory entry read previously by
+ * _wreaddir().
+ */
+static int
+_wclosedir(_WDIR *dirp)
+{
+	int ok;
+	if (dirp) {
+
+		/* Release search handle */
+		if (dirp->handle != INVALID_HANDLE_VALUE) {
+			FindClose(dirp->handle);
+			dirp->handle = INVALID_HANDLE_VALUE;
+		}
+
+		/* Release search pattern */
+		if (dirp->patt) {
+			free(dirp->patt);
+			dirp->patt = NULL;
+		}
+
+		/* Release directory structure */
+		free(dirp);
+		ok = /*success*/0;
+
+	} else {
+		/* Invalid directory stream */
+		_set_errno(EBADF);
+		ok = /*failure*/-1;
+	}
+	return ok;
+}
+
+/*
+ * Rewind directory stream such that _wreaddir() returns the very first
+ * file name again.
+ */
+static void
+_wrewinddir(_WDIR* dirp)
+{
+	if (dirp) {
+		/* Release existing search handle */
+		if (dirp->handle != INVALID_HANDLE_VALUE) {
+			FindClose(dirp->handle);
+		}
+
+		/* Open new search handle */
+		dirent_first(dirp);
+	}
+}
+
+/* Get first directory entry(internal) */
+static WIN32_FIND_DATAW*
+dirent_first(_WDIR *dirp)
+{
+	WIN32_FIND_DATAW *datap;
+
+	/* Open directory and retrieve the first entry */
+	dirp->handle = FindFirstFileW(dirp->patt, &dirp->data);
+	if (dirp->handle != INVALID_HANDLE_VALUE) {
+
+		/* a directory entry is now waiting in memory */
+		datap = &dirp->data;
+		dirp->cached = 1;
+
+	} else {
+
+		/* Failed to re-open directory: no directory entry in memory */
+		dirp->cached = 0;
+		datap = NULL;
+
+	}
+	return datap;
+}
+
+/* Get next directory entry(internal) */
+static WIN32_FIND_DATAW*
+dirent_next(_WDIR *dirp)
+{
+	WIN32_FIND_DATAW *p;
+
+	/* Get next directory entry */
+	if (dirp->cached != 0) {
+
+		/* A valid directory entry already in memory */
+		p = &dirp->data;
+		dirp->cached = 0;
+
+	} else if (dirp->handle != INVALID_HANDLE_VALUE) {
+
+		/* Get the next directory entry from stream */
+		if (FindNextFileW(dirp->handle, &dirp->data) != FALSE) {
+			/* Got a file */
+			p = &dirp->data;
+		} else {
+			/* The very last entry has been processed or an error occured */
+			FindClose(dirp->handle);
+			dirp->handle = INVALID_HANDLE_VALUE;
+			p = NULL;
+		}
+
+	} else {
+
+		/* End of directory stream reached */
+		p = NULL;
+
+	}
+
+	return p;
+}
+
+/*
+ * Open directory stream using plain old C-string.
+ */
+static DIR*
+opendir(const char *dirname)
+{
+	struct DIR *dirp;
+	int error;
+
+	/* Must have directory name */
+	if (dirname == NULL  ||  dirname[0] == '\0') {
+		_set_errno(ENOENT);
+		return NULL;
+	}
+
+	/* Allocate memory for DIR structure */
+	dirp =(DIR*) malloc(sizeof(struct DIR));
+	if (dirp) {
+		wchar_t wname[PATH_MAX];
+		size_t n;
+
+		/* Convert directory name to wide-character string */
+		error = dirent_mbstowcs_s(&n, wname, PATH_MAX, dirname, PATH_MAX);
+		if (!error) {
+
+			/* Open directory stream using wide-character name */
+			dirp->wdirp = _wopendir(wname);
+			if (dirp->wdirp) {
+				/* Directory stream opened */
+				error = 0;
+			} else {
+				/* Failed to open directory stream */
+				error = 1;
+			}
+
+		} else {
+			/*
+			 * Cannot convert file name to wide-character string.  This
+			 * occurs if the string contains invalid multi-byte sequences or
+			 * the output buffer is too small to contain the resulting
+			 * string.
+			 */
+			error = 1;
+		}
+
+	} else {
+		/* Cannot allocate DIR structure */
+		error = 1;
+	}
+
+	/* Clean up in case of error */
+	if (error  &&  dirp) {
+		free(dirp);
+		dirp = NULL;
+	}
+
+	return dirp;
+}
+
+/*
+ * Read next directory entry.
+ *
+ * When working with text consoles, please note that file names returned by
+ * readdir() are represented in the default ANSI code page while any output to
+ * console is typically formatted on another code page.  Thus, non-ASCII
+ * characters in file names will not usually display correctly on console.  The
+ * problem can be fixed in two ways:(1) change the character set of console
+ * to 1252 using chcp utility and use Lucida Console font, or(2) use
+ * _cprintf function when writing to console.  The _cprinf() will re-encode
+ * ANSI strings to the console code page so many non-ASCII characters will
+ * display correcly.
+ */
+static struct dirent*
+readdir(DIR *dirp)
+{
+	WIN32_FIND_DATAW *datap;
+	struct dirent *entp;
+
+	/* Read next directory entry */
+	datap = dirent_next(dirp->wdirp);
+	if (datap) {
+		size_t n;
+		int error;
+
+		/* Attempt to convert file name to multi-byte string */
+		error = dirent_wcstombs_s(
+			&n, dirp->ent.d_name, PATH_MAX, datap->cFileName, PATH_MAX);
+
+		/*
+		 * If the file name cannot be represented by a multi-byte string,
+		 * then attempt to use old 8+3 file name.  This allows traditional
+		 * Unix-code to access some file names despite of unicode
+		 * characters, although file names may seem unfamiliar to the user.
+		 *
+		 * Be ware that the code below cannot come up with a short file
+		 * name unless the file system provides one.  At least
+		 * VirtualBox shared folders fail to do this.
+		 */
+		if (error && datap->cAlternateFileName[0] != '\0') {
+			error = dirent_wcstombs_s(
+			    &n, dirp->ent.d_name, PATH_MAX,
+			    datap->cAlternateFileName, PATH_MAX);
+		}
+
+		if (!error) {
+			DWORD attr;
+
+			/* Initialize directory entry for return */
+			entp = &dirp->ent;
+
+			/* Length of file name excluding zero terminator */
+			entp->d_namlen = n - 1;
+
+			/* File attributes */
+			attr = datap->dwFileAttributes;
+			if ((attr & FILE_ATTRIBUTE_DEVICE) != 0) {
+				entp->d_type = DT_CHR;
+			} else if ((attr & FILE_ATTRIBUTE_DIRECTORY) != 0) {
+				entp->d_type = DT_DIR;
+			} else {
+				entp->d_type = DT_REG;
+			}
+
+			/* Reset dummy fields */
+			entp->d_ino = 0;
+			entp->d_reclen = sizeof(struct dirent);
+
+		} else {
+			/*
+			 * Cannot convert file name to multi-byte string so construct
+			 * an errornous directory entry and return that.  Note that
+			 * we cannot return NULL as that would stop the processing
+			 * of directory entries completely.
+			 */
+			entp = &dirp->ent;
+			entp->d_name[0] = '?';
+			entp->d_name[1] = '\0';
+			entp->d_namlen = 1;
+			entp->d_type = DT_UNKNOWN;
+			entp->d_ino = 0;
+			entp->d_reclen = 0;
+		}
+
+	} else {
+		/* No more directory entries */
+		entp = NULL;
+	}
+
+	return entp;
+}
+
+/*
+ * Close directory stream.
+ */
+static int
+closedir(DIR *dirp)
+{
+	int ok;
+	if (dirp) {
+
+		/* Close wide-character directory stream */
+		ok = _wclosedir(dirp->wdirp);
+		dirp->wdirp = NULL;
+
+		/* Release multi-byte character version */
+		free(dirp);
+
+	} else {
+
+		/* Invalid directory stream */
+		_set_errno(EBADF);
+		ok = /*failure*/-1;
+
+	}
+	return ok;
+}
+
+/*
+ * Rewind directory stream to beginning.
+ */
+static void
+rewinddir(DIR* dirp)
+{
+	/* Rewind wide-character string directory stream */
+	_wrewinddir(dirp->wdirp);
+}
+
+/* Convert multi-byte string to wide character string */
+static int
+dirent_mbstowcs_s(size_t *pReturnValue, wchar_t *wcstr,
+	size_t sizeInWords, const char *mbstr, size_t count)
+{
+	return mbstowcs_s(pReturnValue, wcstr, sizeInWords, mbstr, count);
+}
+
+/* Convert wide-character string to multi-byte string */
+static int
+dirent_wcstombs_s(size_t *pReturnValue, char *mbstr,
+	size_t sizeInBytes, /* max size of mbstr */
+	const wchar_t *wcstr, size_t count)
+{
+	return wcstombs_s(pReturnValue, mbstr, sizeInBytes, wcstr, count);
+}
+
+#endif /*DIRENT_H*/

include/compat/err.h

@@ -0,0 +1,79 @@
+/*
+ * Public domain
+ * err.h compatibility shim
+ */
+
+#ifdef HAVE_ERR_H
+
+#include_next <err.h>
+
+#else
+
+#ifndef LIBCRYPTOCOMPAT_ERR_H
+#define LIBCRYPTOCOMPAT_ERR_H
+
+#include <errno.h>
+#include <stdarg.h>
+#include <stdlib.h>
+#include <stdio.h>
+#include <string.h>
+
+static inline void
+err(int eval, const char *fmt, ...)
+{
+	int sverrno = errno;
+	va_list ap;
+
+	va_start(ap, fmt);
+	if (fmt != NULL) {
+		vfprintf(stderr, fmt, ap);
+		fprintf(stderr, ": ");
+	}
+	fprintf(stderr, "%s\n", strerror(sverrno));
+	exit(eval);
+	va_end(ap);
+}
+
+static inline void
+errx(int eval, const char *fmt, ...)
+{
+	va_list ap;
+
+	va_start(ap, fmt);
+	if (fmt != NULL)
+		vfprintf(stderr, fmt, ap);
+	fprintf(stderr, "\n");
+	exit(eval);
+	va_end(ap);
+}
+
+static inline void
+warn(const char *fmt, ...)
+{
+	int sverrno = errno;
+	va_list ap;
+
+	va_start(ap, fmt);
+	if (fmt != NULL) {
+		vfprintf(stderr, fmt, ap);
+		fprintf(stderr, ": ");
+	}
+	fprintf(stderr, "%s\n", strerror(sverrno));
+	va_end(ap);
+}
+
+static inline void
+warnx(const char *fmt, ...)
+{
+	va_list ap;
+
+	va_start(ap, fmt);
+	if (fmt != NULL)
+		vfprintf(stderr, fmt, ap);
+	fprintf(stderr, "\n");
+	va_end(ap);
+}
+
+#endif
+
+#endif

include/compat/limits.h

@@ -0,0 +1,17 @@
+/*
+ * Public domain
+ * limits.h compatibility shim
+ */
+
+#ifdef _MSC_VER
+#include <../include/limits.h>
+#else
+#include_next <limits.h>
+#endif
+
+#ifdef __hpux
+#include <sys/param.h>
+#ifndef PATH_MAX
+#define PATH_MAX MAXPATHLEN
+#endif
+#endif

include/compat/netinet/ip.h

@@ -0,0 +1,47 @@
+/*
+ * Public domain
+ * netinet/ip.h compatibility shim
+ */
+
+#if defined(__hpux)
+#include <netinet/in_systm.h>
+#endif
+
+#ifndef _WIN32
+#include_next <netinet/ip.h>
+#else
+#include <win32netcompat.h>
+#endif
+
+/*
+ * Definitions for DiffServ Codepoints as per RFC2474
+ */
+#ifndef IPTOS_DSCP_CS0
+#define	IPTOS_DSCP_CS0		0x00
+#define	IPTOS_DSCP_CS1		0x20
+#define	IPTOS_DSCP_CS2		0x40
+#define	IPTOS_DSCP_CS3		0x60
+#define	IPTOS_DSCP_CS4		0x80
+#define	IPTOS_DSCP_CS5		0xa0
+#define	IPTOS_DSCP_CS6		0xc0
+#define	IPTOS_DSCP_CS7		0xe0
+#endif
+
+#ifndef IPTOS_DSCP_AF11
+#define	IPTOS_DSCP_AF11		0x28
+#define	IPTOS_DSCP_AF12		0x30
+#define	IPTOS_DSCP_AF13		0x38
+#define	IPTOS_DSCP_AF21		0x48
+#define	IPTOS_DSCP_AF22		0x50
+#define	IPTOS_DSCP_AF23		0x58
+#define	IPTOS_DSCP_AF31		0x68
+#define	IPTOS_DSCP_AF32		0x70
+#define	IPTOS_DSCP_AF33		0x78
+#define	IPTOS_DSCP_AF41		0x88
+#define	IPTOS_DSCP_AF42		0x90
+#define	IPTOS_DSCP_AF43		0x98
+#endif
+
+#ifndef IPTOS_DSCP_EF
+#define	IPTOS_DSCP_EF		0xb8
+#endif

include/compat/poll.h

@@ -14,7 +14,7 @@
 #ifndef LIBCRYPTOCOMPAT_POLL_H
 #define LIBCRYPTOCOMPAT_POLL_H
 
-#ifdef HAVE_POLL
+#ifndef _WIN32
 #include_next <poll.h>
 #else
 

include/compat/readpassphrase.h

@@ -0,0 +1,44 @@
+/*	$OpenBSD: readpassphrase.h,v 1.5 2003/06/17 21:56:23 millert Exp $	*/
+
+/*
+ * Copyright (c) 2000, 2002 Todd C. Miller <Todd.Miller@courtesan.com>
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+ * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+ * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ *
+ * Sponsored in part by the Defense Advanced Research Projects
+ * Agency (DARPA) and Air Force Research Laboratory, Air Force
+ * Materiel Command, USAF, under agreement number F39502-99-1-0512.
+ */
+
+#ifdef HAVE_READPASSPHRASE_H
+
+#include_next <readpassphrase.h>
+
+#else
+
+#ifndef _READPASSPHRASE_H_
+#define _READPASSPHRASE_H_
+
+#define RPP_ECHO_OFF    0x00		/* Turn off echo (default). */
+#define RPP_ECHO_ON     0x01		/* Leave echo on. */
+#define RPP_REQUIRE_TTY 0x02		/* Fail if there is no tty. */
+#define RPP_FORCELOWER  0x04		/* Force input to lower case. */
+#define RPP_FORCEUPPER  0x08		/* Force input to upper case. */
+#define RPP_SEVENBIT    0x10		/* Strip the high bit from input. */
+#define RPP_STDIN       0x20		/* Read from stdin, not /dev/tty */
+
+char * readpassphrase(const char *, char *, size_t, int);
+
+#endif /* !_READPASSPHRASE_H_ */
+
+#endif

include/compat/resolv.h

@@ -0,0 +1,24 @@
+/*
+ * Public domain
+ * resolv.h compatibility shim
+ */
+
+#ifndef LIBCRYPTOCOMPAT_RESOLV_H
+#define LIBCRYPTOCOMPAT_RESOLV_H
+
+#ifdef _MSC_VER
+#if _MSC_VER >= 1900
+#include <../ucrt/resolv.h>
+#else
+#include <../include/resolv.h>
+#endif
+#else
+#include_next <resolv.h>
+#endif
+
+#ifndef HAVE_B64_NTOP
+int b64_ntop(unsigned char const *, size_t, char *, size_t);
+int b64_pton(char const *, unsigned char *, size_t);
+#endif
+
+#endif

include/compat/stdio.h

@@ -0,0 +1,47 @@
+/*
+ * Public domain
+ * stdio.h compatibility shim
+ */
+
+#ifndef LIBCRYPTOCOMPAT_STDIO_H
+#define LIBCRYPTOCOMPAT_STDIO_H
+
+#ifdef _MSC_VER
+#if _MSC_VER >= 1900
+#include <../ucrt/stdlib.h>
+#include <../ucrt/corecrt_io.h>
+#include <../ucrt/stdio.h>
+#else
+#include <../include/stdio.h>
+#endif
+#else
+#include_next <stdio.h>
+#endif
+
+#ifndef HAVE_ASPRINTF
+#include <stdarg.h>
+int vasprintf(char **str, const char *fmt, va_list ap);
+int asprintf(char **str, const char *fmt, ...);
+#endif
+
+#ifdef _WIN32
+
+void posix_perror(const char *s);
+FILE * posix_fopen(const char *path, const char *mode);
+char * posix_fgets(char *s, int size, FILE *stream);
+int posix_rename(const char *oldpath, const char *newpath);
+
+#ifndef NO_REDEF_POSIX_FUNCTIONS
+#define perror(errnum) posix_perror(errnum)
+#define fopen(path, mode) posix_fopen(path, mode)
+#define fgets(s, size, stream) posix_fgets(s, size, stream)
+#define rename(oldpath, newpath) posix_rename(oldpath, newpath)
+#endif
+
+#ifdef _MSC_VER
+#define snprintf _snprintf
+#endif
+
+#endif
+
+#endif

include/compat/stdlib.h

@@ -3,18 +3,26 @@
  * Public domain
  */
 
+#ifdef _MSC_VER
+#if _MSC_VER >= 1900
+#include <../ucrt/stdlib.h>
+#else
+#include <../include/stdlib.h>
+#endif
+#else
 #include_next <stdlib.h>
+#endif
 
 #ifndef LIBCRYPTOCOMPAT_STDLIB_H
 #define LIBCRYPTOCOMPAT_STDLIB_H
 
-#include <sys/stat.h>
-#include <sys/time.h>
+#include <sys/types.h>
 #include <stdint.h>
 
 #ifndef HAVE_ARC4RANDOM_BUF
 uint32_t arc4random(void);
 void arc4random_buf(void *_buf, size_t n);
+uint32_t arc4random_uniform(uint32_t upper_bound);
 #endif
 
 #ifndef HAVE_REALLOCARRAY

include/compat/string.h

@@ -3,20 +3,34 @@
  * string.h compatibility shim
  */
 
-#include_next <string.h>
-
 #ifndef LIBCRYPTOCOMPAT_STRING_H
 #define LIBCRYPTOCOMPAT_STRING_H
 
+#ifdef _MSC_VER
+#if _MSC_VER >= 1900
+#include <../ucrt/string.h>
+#else
+#include <../include/string.h>
+#endif
+#else
+#include_next <string.h>
+#endif
+
 #include <sys/types.h>
 
-#if defined(__sun) || defined(__hpux)
+#if defined(__sun) || defined(_AIX) || defined(__hpux)
 /* Some functions historically defined in string.h were placed in strings.h by
- * SUS. Use the same hack as OS X and FreeBSD use to work around on Solaris and HPUX.
+ * SUS. Use the same hack as OS X and FreeBSD use to work around on AIX,
+ * Solaris, and HPUX.
  */
 #include <strings.h>
 #endif
 
+#ifndef HAVE_STRCASECMP
+int strcasecmp(const char *s1, const char *s2);
+int strncasecmp(const char *s1, const char *s2, size_t len);
+#endif
+
 #ifndef HAVE_STRLCPY
 size_t strlcpy(char *dst, const char *src, size_t siz);
 #endif

include/compat/sys/cdefs.h

@@ -0,0 +1,31 @@
+/*
+ * Public domain
+ * sys/cdefs.h compatibility shim
+ */
+
+#ifndef LIBCRYPTOCOMPAT_SYS_CDEFS_H
+#define LIBCRYPTOCOMPAT_SYS_CDEFS_H
+
+#ifdef _WIN32
+
+#define __warn_references(sym,msg)
+
+#else
+
+#include_next <sys/cdefs.h>
+
+#ifndef __warn_references
+
+#if defined(__GNUC__)  && defined (HAS_GNU_WARNING_LONG)
+#define __warn_references(sym,msg)          \
+  __asm__(".section .gnu.warning." __STRING(sym)  \
+         " ; .ascii \"" msg "\" ; .text");
+#else
+#define __warn_references(sym,msg)
+#endif
+
+#endif /* __warn_references */
+
+#endif /* _WIN32 */
+
+#endif /* LIBCRYPTOCOMPAT_SYS_CDEFS_H */

include/compat/sys/param.h

@@ -0,0 +1,15 @@
+/*
+ * Public domain
+ * sys/param.h compatibility shim
+ */
+
+#ifndef LIBCRYPTOCOMPAT_SYS_PARAM_H
+#define LIBCRYPTOCOMPAT_SYS_PARAM_H
+
+#ifdef _MSC_VER
+#include <winsock2.h>
+#else
+#include_next <sys/param.h>
+#endif
+
+#endif

include/compat/sys/stat.h

@@ -0,0 +1,100 @@
+/*
+ * Public domain
+ * sys/stat.h compatibility shim
+ */
+
+#ifndef LIBCRYPTOCOMPAT_SYS_STAT_H
+#define LIBCRYPTOCOMPAT_SYS_STAT_H
+
+#ifndef _MSC_VER
+#include_next <sys/stat.h>
+#else
+
+#include <windows.h>
+#if _MSC_VER >= 1900
+#include <../ucrt/sys/stat.h>
+#else
+#include <../include/sys/stat.h>
+#endif
+
+/* File type and permission flags for stat() */
+#if !defined(S_IFMT)
+#   define S_IFMT   _S_IFMT                     /* File type mask */
+#endif
+#if !defined(S_IFDIR)
+#   define S_IFDIR  _S_IFDIR                    /* Directory */
+#endif
+#if !defined(S_IFCHR)
+#   define S_IFCHR  _S_IFCHR                    /* Character device */
+#endif
+#if !defined(S_IFFIFO)
+#   define S_IFFIFO _S_IFFIFO                   /* Pipe */
+#endif
+#if !defined(S_IFREG)
+#   define S_IFREG  _S_IFREG                    /* Regular file */
+#endif
+#if !defined(S_IREAD)
+#   define S_IREAD  _S_IREAD                    /* Read permission */
+#endif
+#if !defined(S_IWRITE)
+#   define S_IWRITE _S_IWRITE                   /* Write permission */
+#endif
+#if !defined(S_IEXEC)
+#   define S_IEXEC  _S_IEXEC                    /* Execute permission */
+#endif
+#if !defined(S_IFIFO)
+#   define S_IFIFO _S_IFIFO                     /* Pipe */
+#endif
+#if !defined(S_IFBLK)
+#   define S_IFBLK   0                          /* Block device */
+#endif
+#if !defined(S_IFLNK)
+#   define S_IFLNK   0                          /* Link */
+#endif
+#if !defined(S_IFSOCK)
+#   define S_IFSOCK  0                          /* Socket */
+#endif
+
+#if defined(_MSC_VER)
+#   define S_IRUSR  S_IREAD                     /* Read user */
+#   define S_IWUSR  S_IWRITE                    /* Write user */
+#   define S_IXUSR  0                           /* Execute user */
+#   define S_IRGRP  0                           /* Read group */
+#   define S_IWGRP  0                           /* Write group */
+#   define S_IXGRP  0                           /* Execute group */
+#   define S_IROTH  0                           /* Read others */
+#   define S_IWOTH  0                           /* Write others */
+#   define S_IXOTH  0                           /* Execute others */
+#endif
+
+/* File type flags for d_type */
+#define DT_UNKNOWN  0
+#define DT_REG      S_IFREG
+#define DT_DIR      S_IFDIR
+#define DT_FIFO     S_IFIFO
+#define DT_SOCK     S_IFSOCK
+#define DT_CHR      S_IFCHR
+#define DT_BLK      S_IFBLK
+#define DT_LNK      S_IFLNK
+
+/* Macros for converting between st_mode and d_type */
+#define IFTODT(mode) ((mode) & S_IFMT)
+#define DTTOIF(type) (type)
+
+/*
+ * File type macros.  Note that block devices, sockets and links cannot be
+ * distinguished on Windows and the macros S_ISBLK, S_ISSOCK and S_ISLNK are
+ * only defined for compatibility.  These macros should always return false
+ * on Windows.
+ */
+#define	S_ISFIFO(mode) (((mode) & S_IFMT) == S_IFIFO)
+#define	S_ISDIR(mode)  (((mode) & S_IFMT) == S_IFDIR)
+#define	S_ISREG(mode)  (((mode) & S_IFMT) == S_IFREG)
+#define	S_ISLNK(mode)  (((mode) & S_IFMT) == S_IFLNK)
+#define	S_ISSOCK(mode) (((mode) & S_IFMT) == S_IFSOCK)
+#define	S_ISCHR(mode)  (((mode) & S_IFMT) == S_IFCHR)
+#define	S_ISBLK(mode)  (((mode) & S_IFMT) == S_IFBLK)
+
+#endif
+
+#endif

include/compat/sys/time.h

@@ -0,0 +1,16 @@
+/*
+ * Public domain
+ * sys/time.h compatibility shim
+ */
+
+#ifndef LIBCRYPTOCOMPAT_SYS_TIME_H
+#define LIBCRYPTOCOMPAT_SYS_TIME_H
+
+#ifdef _MSC_VER
+#include <winsock2.h>
+int gettimeofday(struct timeval *tp, void *tzp);
+#else
+#include_next <sys/time.h>
+#endif
+
+#endif

include/compat/sys/types.h

@@ -0,0 +1,47 @@
+/*
+ * Public domain
+ * sys/types.h compatibility shim
+ */
+
+#ifdef _MSC_VER
+#if _MSC_VER >= 1900
+#include <../ucrt/sys/types.h>
+#else
+#include <../include/sys/types.h>
+#endif
+#else
+#include_next <sys/types.h>
+#endif
+
+#ifndef LIBCRYPTOCOMPAT_SYS_TYPES_H
+#define LIBCRYPTOCOMPAT_SYS_TYPES_H
+
+#include <stdint.h>
+
+#ifdef __MINGW32__
+#include <_bsd_types.h>
+#endif
+
+#ifdef _MSC_VER
+typedef unsigned char   u_char;
+typedef unsigned short  u_short;
+typedef unsigned int    u_int;
+
+#include <basetsd.h>
+typedef SSIZE_T ssize_t;
+
+#ifndef SSIZE_MAX
+#ifdef _WIN64
+#define SSIZE_MAX _I64_MAX
+#else
+#define SSIZE_MAX INT_MAX
+#endif
+#endif
+
+#endif
+
+#if !defined(HAVE_ATTRIBUTE__BOUNDED__) && !defined(__bounded__)
+# define __bounded__(x, y, z)
+#endif
+
+#endif

include/compat/time.h

@@ -0,0 +1,23 @@
+/*
+ * Public domain
+ * sys/time.h compatibility shim
+ */
+
+#ifdef _MSC_VER
+#if _MSC_VER >= 1900
+#include <../ucrt/time.h>
+#else
+#include <../include/time.h>
+#endif
+#else
+#include_next <time.h>
+#endif
+
+#ifdef _WIN32
+struct tm *__gmtime_r(const time_t * t, struct tm * tm);
+#define gmtime_r(tp, tm) __gmtime_r(tp, tm)
+#endif
+
+#ifndef HAVE_TIMEGM
+time_t timegm(struct tm *tm);
+#endif

include/compat/unistd.h

@@ -0,0 +1,41 @@
+/*
+ * Public domain
+ * unistd.h compatibility shim
+ */
+
+#ifndef LIBCRYPTOCOMPAT_UNISTD_H
+#define LIBCRYPTOCOMPAT_UNISTD_H
+
+#ifndef _MSC_VER
+#include_next <unistd.h>
+#else
+
+#include <stdlib.h>
+#include <io.h>
+#include <process.h>
+
+#define R_OK    4
+#define W_OK    2
+#define X_OK    0
+#define F_OK    0
+
+#define access _access
+
+unsigned int sleep(unsigned int seconds);
+
+#endif
+
+#ifndef HAVE_GETENTROPY
+int getentropy(void *buf, size_t buflen);
+#else
+/*
+ * Solaris 11.3 adds getentropy(2), but defines the function in sys/random.h
+ */
+#if defined(__sun)
+#include <sys/random.h>
+#endif
+#endif
+
+#define pledge(request, paths) 0
+
+#endif

include/compat/win32netcompat.h

@@ -0,0 +1,53 @@
+/*
+ * Public domain
+ *
+ * BSD socket emulation code for Winsock2
+ * Brent Cook <bcook@openbsd.org>
+ */
+
+#ifndef LIBCRYPTOCOMPAT_WIN32NETCOMPAT_H
+#define LIBCRYPTOCOMPAT_WIN32NETCOMPAT_H
+
+#ifdef _WIN32
+
+#include <ws2tcpip.h>
+#include <errno.h>
+#include <unistd.h>
+
+#ifndef SHUT_RDWR
+#define SHUT_RDWR SD_BOTH
+#endif
+#ifndef SHUT_RD
+#define SHUT_RD   SD_RECEIVE
+#endif
+#ifndef SHUT_WR
+#define SHUT_WR   SD_SEND
+#endif
+
+int posix_connect(int sockfd, const struct sockaddr *addr, socklen_t addrlen);
+
+int posix_close(int fd);
+ssize_t posix_read(int fd, void *buf, size_t count);
+
+ssize_t posix_write(int fd, const void *buf, size_t count);
+
+int posix_getsockopt(int sockfd, int level, int optname,
+	void *optval, socklen_t *optlen);
+
+int posix_setsockopt(int sockfd, int level, int optname,
+	const void *optval, socklen_t optlen);
+
+#ifndef NO_REDEF_POSIX_FUNCTIONS
+#define connect(sockfd, addr, addrlen) posix_connect(sockfd, addr, addrlen)
+#define close(fd) posix_close(fd)
+#define read(fd, buf, count) posix_read(fd, buf, count)
+#define write(fd, buf, count) posix_write(fd, buf, count)
+#define getsockopt(sockfd, level, optname, optval, optlen) \
+	posix_getsockopt(sockfd, level, optname, optval, optlen)
+#define setsockopt(sockfd, level, optname, optval, optlen) \
+	posix_setsockopt(sockfd, level, optname, optval, optlen)
+#endif
+
+#endif
+
+#endif

include/err.h

@@ -1,33 +0,0 @@
-/*
- * Public domain
- * err.h compatibility shim
- */
-
-#ifdef HAVE_ERR_H
-
-#include_next <err.h>
-
-#else
-
-#ifndef LIBCRYPTOCOMPAT_ERR_H
-#define LIBCRYPTOCOMPAT_ERR_H
-
-#include <errno.h>
-#include <stdio.h>
-#include <string.h>
-
-#define err(exitcode, format, args...) \
-  errx(exitcode, format ": %s", ## args, strerror(errno))
-
-#define errx(exitcode, format, args...) \
-  do { warnx(format, ## args); exit(exitcode); } while (0)
-
-#define warn(format, args...) \
-  warnx(format ": %s", ## args, strerror(errno))
-
-#define warnx(format, args...) \
-  fprintf(stderr, format "\n", ## args)
-
-#endif
-
-#endif

include/stdio.h

@@ -1,30 +0,0 @@
-/*
- * Public domain
- * stdio.h compatibility shim
- */
-
-#include_next <stdio.h>
-
-#ifndef LIBCRYPTOCOMPAT_STDIO_H
-#define LIBCRYPTOCOMPAT_STDIO_H
-
-#ifndef HAVE_ASPRINTF
-#include <stdarg.h>
-int vasprintf(char **str, const char *fmt, va_list ap);
-int asprintf(char **str, const char *fmt, ...);
-#endif
-
-#ifdef _WIN32
-#include <errno.h>
-#include <string.h>
-
-static inline void
-posix_perror(const char *s)
-{
-	fprintf(stderr, "%s: %s\n", s, strerror(errno));
-}
-
-#define perror(errnum) posix_perror(errnum)
-#endif
-
-#endif

include/sys/times.h

@@ -1,10 +0,0 @@
-/*
- * Public domain
- * sys/times.h compatibility shim
- */
-
-#ifndef _WIN32
-#include_next <sys/times.h>
-#else
-#include <win32netcompat.h>
-#endif

include/sys/types.h

@@ -1,21 +0,0 @@
-/*
- * Public domain
- * sys/types.h compatibility shim
- */
-
-#include_next <sys/types.h>
-
-#ifndef LIBCRYPTOCOMPAT_SYS_TYPES_H
-#define LIBCRYPTOCOMPAT_SYS_TYPES_H
-
-#include <stdint.h>
-
-#ifdef __MINGW32__
-#include <_bsd_types.h>
-#endif
-
-#if !defined(HAVE_ATTRIBUTE__BOUNDED__) && !defined(__bounded__)
-# define __bounded__(x, y, z)
-#endif
-
-#endif

include/syslog.h

@@ -1,38 +0,0 @@
-/*
- * Public domain
- * syslog.h compatibility shim
- */
-
-#ifndef LIBCRYPTOCOMPAT_SYSLOG_H
-#define LIBCRYPTOCOMPAT_SYSLOG_H
-
-#ifndef _WIN32
-#include_next <syslog.h>
-#else
-
-/* priorities */
-#define LOG_EMERG 0
-#define LOG_ALERT 1
-#define LOG_CRIT 2
-#define LOG_ERR 3
-#define LOG_WARNING 4
-#define LOG_NOTICE 5
-#define LOG_INFO 6
-#define LOG_DEBUG 7
-
-/* facility codes */
-#define LOG_KERN (0<<3)
-#define LOG_USER (1<<3)
-#define LOG_DAEMON (3<<3)
-
-/* flags for openlog */
-#define LOG_PID 0x01
-#define LOG_CONS 0x02
-
-extern void openlog(const char *ident, int option, int facility);
-extern void syslog(int priority, const char *fmt, ...)
-	__attribute__ ((__format__ (__printf__, 2, 3)));
-extern void closelog (void);
-#endif
-
-#endif /* LIBCRYPTOCOMPAT_SYSLOG_H */

include/unistd.h

@@ -1,19 +0,0 @@
-/*
- * Public domain
- * unistd.h compatibility shim
- */
-
-#include_next <unistd.h>
-
-#ifndef LIBCRYPTOCOMPAT_UNISTD_H
-#define LIBCRYPTOCOMPAT_UNISTD_H
-
-#ifndef HAVE_GETENTROPY
-int getentropy(void *buf, size_t buflen);
-#endif
-
-#ifndef HAVE_ISSETUGID
-int issetugid(void);
-#endif
-
-#endif

libcrypto.pc.in

@@ -7,9 +7,9 @@ includedir=@includedir@
 
 Name: LibreSSL-libssl
 Description: Secure Sockets Layer and cryptography libraries
-Version: @LIBCRYPTO_VERSION@
+Version: @VERSION@
 Requires:
 Conflicts:
 Libs: -L${libdir} -lcrypto
-Libs.private: @LIBS@
+Libs.private: @LIBS@ @PLATFORM_LDADD@
 Cflags: -I${includedir}

libssl.pc.in

@@ -7,10 +7,10 @@ includedir=@includedir@
 
 Name: LibreSSL-libssl
 Description: Secure Sockets Layer and cryptography libraries
-Version: @LIBSSL_VERSION@
+Version: @VERSION@
 Requires:
 Requires.private: libcrypto
 Conflicts:
 Libs: -L${libdir} -lssl
-Libs.private: @LIBS@ -lcrypto
+Libs.private: @LIBS@ -lcrypto @PLATFORM_LDADD@
 Cflags: -I${includedir}

libtls-standalone/COPYING

@@ -0,0 +1,13 @@
+libtls is ISC licensed as per OpenBSD's normal licensing policy.
+
+Permission to use, copy, modify, and distribute this software for any
+purpose with or without fee is hereby granted, provided that the above
+copyright notice and this permission notice appear in all copies.
+
+THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.

libtls-standalone/Makefile.am

@@ -0,0 +1,7 @@
+SUBDIRS = include compat src tests man
+ACLOCAL_AMFLAGS = -I m4
+
+pkgconfigdir = $(libdir)/pkgconfig
+pkgconfig_DATA = libtls.pc
+
+EXTRA_DIST = README VERSION

libtls-standalone/compat/Makefile.am

@@ -0,0 +1,45 @@
+#
+# Copyright (c) 2014-2015 Brent Cook
+#
+# Permission to use, copy, modify, and distribute this software for any
+# purpose with or without fee is hereby granted, provided that the above
+# copyright notice and this permission notice appear in all copies.
+#
+# THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+# WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+# MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+# ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+# WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+# ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+# OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+
+AM_CPPFLAGS = -I$(top_srcdir)/include -I$(top_srcdir)/src
+
+noinst_LTLIBRARIES = libcompat.la libcompatnoopt.la
+
+# compatibility functions that need to be built without optimizations
+libcompatnoopt_la_CFLAGS = -O0
+libcompatnoopt_la_SOURCES =
+
+if !HAVE_EXPLICIT_BZERO
+libcompatnoopt_la_SOURCES += explicit_bzero.c
+endif
+
+# other compatibility functions
+libcompat_la_CFLAGS = $(CFLAGS) $(USER_CFLAGS)
+libcompat_la_SOURCES =
+libcompat_la_LIBADD = $(PLATFORM_LDADD)
+
+if !HAVE_ASPRINTF
+libcompat_la_SOURCES += bsd-asprintf.c
+endif
+
+if !HAVE_STRLCPY
+libcompat_la_SOURCES += strlcpy.c
+endif
+
+if !HAVE_STRSEP
+libcompat_la_SOURCES += strsep.c
+endif
+
+include Makefile.am.arc4random

libtls-standalone/configure.ac

@@ -0,0 +1,52 @@
+# Copyright (c) 2014-2015 Brent Cook
+#
+# Permission to use, copy, modify, and distribute this software for any
+# purpose with or without fee is hereby granted, provided that the above
+# copyright notice and this permission notice appear in all copies.
+#
+# THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+# WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+# MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+# ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+# WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+# ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+# OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+
+AC_INIT([libtls], m4_esyscmd([tr -d '\n' < VERSION]))
+AC_SUBST([LIBTLS_VERSION], m4_esyscmd([sed -e 's/\./:/g' VERSION | tr -d '\n']))
+
+AC_CANONICAL_HOST
+AM_INIT_AUTOMAKE([subdir-objects])
+AC_CONFIG_MACRO_DIR([m4])
+
+m4_ifdef([AM_SILENT_RULES], [AM_SILENT_RULES([yes])])
+
+# This must be called before AC_PROG_CC
+USER_CFLAGS="$CFLAGS"
+
+AC_PROG_CC
+AC_PROG_CC_STDC
+AM_PROG_CC_C_O
+AC_PROG_LIBTOOL
+LT_INIT
+
+CHECK_OS_OPTIONS
+
+CHECK_C_HARDENING_OPTIONS
+
+DISABLE_COMPILER_WARNINGS
+
+CHECK_LIBC_COMPAT
+CHECK_LIBC_CRYPTO_COMPAT
+
+AC_CONFIG_FILES([
+	Makefile
+	include/Makefile
+	compat/Makefile
+	man/Makefile
+	src/Makefile
+	tests/Makefile
+	libtls.pc
+])
+
+AC_OUTPUT

libtls-standalone/include/Makefile.am

@@ -0,0 +1,5 @@
+noinst_HEADERS = stdlib.h
+noinst_HEADERS += string.h
+noinst_HEADERS += unistd.h
+
+include_HEADERS = tls.h