release note update for 2.2.1

Since it's now a foreign project in automake, we can use github markdown
in the README.

.gitignore

@@ -47,52 +47,51 @@ test-driver
 *.trs
 tests/aes_wrap*
 tests/arc4random_fork*
+tests/cipher*
 tests/explicit_bzero*
 tests/gost2814789t*
 tests/mont*
 tests/timingsafe*
 tests/*test
+tests/tests.h
 tests/*test.c
 tests/memmem.c
 tests/pbkdf2*
 tests/*.pem
 tests/testssl
 tests/*.txt
+!tests/optionstest.c
 
 # ctags stuff
 TAGS
 
-## The initial / makes these files only get ignored in particular directories.
-/autom4te.cache
+autom4te.cache
 
 # Libtool adds these, at least sometimes
 INSTALL
-/m4/libtool.m4
-/m4/ltoptions.m4
-/m4/ltsugar.m4
-/m4/ltversion.m4
-/m4/lt~obsolete.m4
+/COPYING
+m4/l*
+!m4/check*.m4
 
-/aclocal.m4
-/compile
-/doxygen
-/config.guess
-/config.log
-/config.status
-/config.sub
-/configure
-/depcomp
-/config.h
-/config.h.in
-/install-sh
-/libtool
-/ltmain.sh
-/missing
-/stamp-h1
-/stamp-h2
+aclocal.m4
+compile
+doxygen
+config.guess
+config.log
+config.status
+config.sub
+configure
+depcomp
+config.h
+config.h.in
+install-sh
+libtool
+ltmain.sh
+missing
+stamp-h1
+stamp-h2
 
 include/openssl/Makefile.am
-tests/Makefile.am
 
 crypto/VERSION
 ssl/VERSION
@@ -106,97 +105,39 @@ include/pqueue.h
 include/tls.h
 include/openssl/*.h
 include/openssl/*.he
-apps/*.h
-apps/*.c
-apps/openssl
-apps/openssl.cnf
-!apps/apps_win.c
-!apps/poll_win.c
-!apps/certhash_disabled.c
 
-crypto/compat/arc4random.c
-crypto/compat/chacha_private.h
-crypto/compat/explicit_bzero.c
-crypto/compat/getentropy_*.c
-crypto/compat/reallocarray.c
-crypto/compat/strlcat.c
-crypto/compat/strlcpy.c
-crypto/compat/strndup.c
-crypto/compat/strnlen.c
-crypto/compat/timingsafe_bcmp.c
-crypto/compat/timingsafe_memcmp.c
-crypto/compat/arc4random_*.h
+/apps/*.h
+/apps/*.c
+/apps/openssl
+/apps/openssl.cnf
+!/apps/apps_win.c
+!/apps/poll_win.c
+!/apps/certhash_disabled.c
+
+/crypto
+!/crypto/Makefile.am.*
+!/crypto/compat/arc4random.h
+!/crypto/compat/b_win.c
+!/crypto/compat/posix_win.c
+!/crypto/compat/bsd_asprintf.c
+!/crypto/compat/inet_pton.c
+!/crypto/compat/ui_openssl_win.c
+
+/libtls-standalone/include/*.h
+/libtls-standalone/src/*.c
+/libtls-standalone/src/*.h
+/libtls-standalone/src
+/libtls-standalone/tests/test
+/libtls-standalone/compat
+!/libtls-standalone/compat/Makefile.am
+/libtls-standalone/VERSION
+/libtls-standalone/m4
+/libtls-standalone/man
 
-crypto/aes/
-crypto/asn1/
-crypto/bf/
-crypto/bio/
-crypto/bn/
-crypto/buffer/
-crypto/camellia/
-crypto/cast/
-crypto/camellia/
-crypto/chacha/
-crypto/cmac/
-crypto/comp/
-crypto/conf/
-crypto/cpt_err.c
-crypto/cryptlib.c
-crypto/cryptlib.h
-crypto/cversion.c
-crypto/des/
-crypto/dh/
-crypto/dsa/
-crypto/dso/
-crypto/ec/
-crypto/ecdh/
-crypto/ecdsa/
-crypto/engine/
-crypto/err/
-crypto/evp/
-crypto/ex_data.c
-crypto/gost/
-crypto/hmac/
-crypto/idea/
-crypto/krb5/
-crypto/lhash/
-crypto/malloc-wrapper.c
-crypto/md32_common.h
-crypto/md4/
-crypto/md5/
-crypto/mdc2/
-crypto/mem_clr.c
-crypto/mem_dbg.c
-crypto/modes/
-crypto/o_init.c
-crypto/o_str.c
-crypto/o_time.c
-crypto/o_time.h
-crypto/objects
-crypto/ocsp/
-crypto/pem/
-crypto/pkcs12/
-crypto/pkcs7/
-crypto/poly1305/
-crypto/pqueue/
-crypto/rand/
-crypto/rc2/
-crypto/rc4/
-crypto/ripemd/
-crypto/rsa/
-crypto/sha/
-crypto/stack/
-crypto/ts/
-crypto/txt_db/
-crypto/ui/
-crypto/whrlpool/
-crypto/x509/
-crypto/x509v3/
 openbsd/
+
 *.tar.gz
 apps/*.1*
 man/*.3
 man/*.1
 man/Makefile.am
-.gitmodules
-COPYING

ChangeLog

@@ -31,6 +31,56 @@ LibreSSL Portable Release Notes:
 This release primarily addresses a number of security issues in coordination
 with the OpenSSL project.
 
+2.2.1 - Build fixes, feature added, features removed
+
+	* Assorted build fixes for musl, HP-UX, Mingw, Solaris.
+
+	* Initial support for Windows 2009, 2003, XP
+
+	* Protocol parsing conversions to BoringSSL's CRYPTO ByteString (CBS) API
+
+	* Added EC_curve_nid2nist and EC_curve_nist2nid from OpenSSL
+
+	* Removed Dynamic Engine support
+
+	* Removed unused and obsolete MDC-2DES cipher
+
+	* Removed workarounds for obsolete SSL implementations
+
+2.2.0 - Build cleanups and new OS support, Security Updates
+
+	* AIX Support - thanks to Michael Felt
+
+	* Cygwin Support - thanks to Corinna Vinschen
+
+	* Refactored build macros, support packaging libtls independently.
+	  There are more pieces required to support building and using OpenSSL
+	  with libtls, but this is an initial start at providing an
+	  independent package for people to start hacking on.
+
+	* Removal of OPENSSL_issetugid and all library getenv calls.
+	  Applications can and should no longer rely on environment variables
+	  for changing library behavior. OPENSSL_CONF/SSLEAY_CONF is still
+	  supported with the openssl(1) command.
+
+	* libtls API and documentation additions
+
+	* Various bug fixes and simplifications to libssl and libcrypto
+
+	* Fixes for the following issues are integrated into LibreSSL 2.2.0:
+	 - CVE-2015-1788 - Malformed ECParameters causes infinite loop
+	 - CVE-2015-1789 - Exploitable out-of-bounds read in X509_cmp_time
+	 - CVE-2015-1792 - CMS verify infinite loop with unknown hash function
+
+	* The following CVEs did not apply to LibreSSL or were fixed in
+	  earlier releases:
+	 - CVE-2015-4000 - DHE man-in-the-middle protection (Logjam)
+	 - CVE-2015-1790 - PKCS7 crash with missing EnvelopedContent
+	 - CVE-2014-8176 - Invalid free in DTLS
+
+	* Fixes for the following CVEs are still in review for LibreSSL
+	 - CVE-2015-1791 - Race condition handling NewSessionTicket
+
 2.1.6 - Security update
 
 	* Fixes for the following issues are integrated into LibreSSL 2.1.6:

Makefile.am

@@ -4,4 +4,4 @@ ACLOCAL_AMFLAGS = -I m4
 pkgconfigdir = $(libdir)/pkgconfig
 pkgconfig_DATA = libcrypto.pc libssl.pc libtls.pc openssl.pc
 
-EXTRA_DIST = README README.windows VERSION config scripts
+EXTRA_DIST = README.md README.windows VERSION config scripts

Makefile.am.common

@@ -1,2 +1,2 @@
-AM_CPPFLAGS = -I$(top_srcdir)/include
-AM_CPPFLAGS += -DLIBRESSL_INTERNAL
+AM_CFLAGS = -I$(top_srcdir)/include
+AM_CPPFLAGS = -DLIBRESSL_INTERNAL

OPENBSD_BRANCH

@@ -1 +1 @@
-OPENBSD_5_7
+master

README

@@ -1,50 +0,0 @@
-This package is the official portable version of LibreSSL
-	(http://www.libressl.org).
-
-LibreSSL is a fork of OpenSSL developed by the OpenBSD project
-(http://www.openbsd.org). LibreSSL is developed on OpenBSD. This
-package then adds portability shims for other operating systems.
-
-Official release tarballs are available at your friendly neighborhood
-OpenBSD mirror in directory LibreSSL, e.g.:
-
-	http://ftp.openbsd.org/pub/OpenBSD/LibreSSL/
-
-although we suggest that you use a mirror:
-
-	http://www.openbsd.org/ftp.html
-
-The LibreSSL portable build framework is also mirrored in Github:
-
-	https://github.com/libressl-portable/portable
-
-Please report bugs either to tech@openbsd.org, or to the github issue tracker:
-
-	https://github.com/libressl-portable/portable/issues
-
-If you have checked this source using Git, follow these initial steps to
-prepare the source tree for building:
-
- 1. ensure you have the following packages installed:
-	automake, autoconf, bash, git, libtool, perl, pod2man
- 2. run './autogen.sh' to prepare the source tree for building
-    or run './dist.sh' to prepare a tarball.
-
-Once you have a source tree from Git or FTP, run these commands to build and
-install the package:
-
-  ./configure   # see ./configure --help for configuration options
-  make check    # runs builtin unit tests
-  make install  # set DESTDIR= to install to an alternate location
-
-The resulting library and 'openssl' utility is largely API-compatible with
-OpenSSL 1.0.1. However, it is not ABI compatible - you will need to relink your
-programs to LibreSSL in order to use it, just as in moving from OpenSSL 0.9.8
-to 1.0.1.
-
-The project attempts to provide working alternatives for operating systems with
-limited or broken security primitives (e.g. arc4random(3), issetugid(2)) and
-assists with improving OS-native implementations where possible.
-
-LibreSSL portable will build on any reasonably modern version of Linux,
-Solaris, or OSX with a standards-compliant compiler and C library.

README.md

@@ -0,0 +1,98 @@
+![LibreSSL image](http://www.libressl.org/images/libressl.jpg)
+## Official portable version of [LibreSSL](http://www.libressl.org) ##
+
+LibreSSL is a fork of [OpenSSL](https://www.openssl.org) 1.0.1g developed by the
+[OpenBSD](http://www.openbsd.org) project.  Our goal is to modernize the codebase,
+improve security, and apply best practice development processes from OpenBSD.
+
+## Compatibility with OpenSSL: ##
+
+LibreSSL is API compatible with OpenSSL 1.0.1, but does not yet include all
+new APIs from OpenSSL 1.0.2 and later. LibreSSL also includes APIs not yet
+present in OpenSSL. The current common API subset is OpenSSL 1.0.1.
+
+LibreSSL it is not ABI compatible with any release of OpenSSL, or necessarily
+earlier releases of LibreSSL. You will need to relink your programs to
+LibreSSL in order to use it, just as in moving between major versions of OpenSSL.
+LibreSSL's installed library version numbers are incremented to account for
+ABI and API changes.
+
+## Compatibility with other operating systems: ##
+
+While primarily developed on and taking advantage of APIs available on OpenBSD,
+the LibreSSL portable project attempts to provide working alternatives for
+other operating systems, and assists with improving OS-native implementations
+where possible.
+
+At the time of this writing, LibreSSL is know to build and work on:
+
+* Linux (kernel 3.17 or later recommended)
+* FreeBSD (tested with 9.2 and later)
+* NetBSD (tested with 6.1.5)
+* HP-UX (11i)
+* Solaris (11 and later preferred)
+* Mac OS X (tested with 10.8 and later)
+* AIX (5.3 and later)
+
+LibreSSL also supports the following Windows environments:
+* Microsoft Windows (Vista or higher, x86 and x64)
+* Wine (32-bit and 64-bit)
+* Builds with Mingw-w64 and Cygwin
+
+Official release tarballs are available at your friendly neighborhood
+OpenBSD mirror in directory
+[LibreSSL](http://ftp.openbsd.org/pub/OpenBSD/LibreSSL/),
+although we suggest that you use a [mirror](http://www.openbsd.org/ftp.html).
+
+The LibreSSL portable build framework is also
+[mirrored](https://github.com/libressl-portable/portable) in Github.
+
+Please report bugs either to the public libressl@openbsd.org mailing list,
+or to the github
+[issue tracker](https://github.com/libressl-portable/portable/issues)
+
+Severe vulnerabilities or bugs requiring coordination with OpenSSL can be
+sent to the core team at libressl-security@openbsd.org.
+
+## Prerequisites when building from git ##
+
+If you have checked this source using Git, follow these initial steps to
+prepare the source tree for building:
+
+1. Ensure you have the following packages installed:
+   automake, autoconf, bash, git, libtool, perl, pod2man
+2. Run './autogen.sh' to prepare the source tree for building or
+   run './dist.sh' to prepare a tarball.
+
+## Building LibreSSL ##
+
+Once you have a source tree from Git or FTP, run these commands to build and
+install the package on most systems.
+
+```sh
+./configure   # see ./configure --help for configuration options
+make check    # runs builtin unit tests
+make install  # set DESTDIR= to install to an alternate location
+```
+
+### OS specific build information: ###
+
+#### HP-UX (11i) ####
+
+Set the UNIX_STD environment variable to '2003' before running 'configure'
+in order to build with the HP C/aC++ compiler. See the "standards(5)" man
+page for more details.
+
+```sh
+export UNIX_STD=2003
+./configure
+make
+```
+
+#### Windows - Mingw-w64 ####
+
+LibreSSL builds against relatively recent versions of Mingw-w64, not to be
+confused with the original mingw.org project.  Mingw-w64 3.2 or later
+should work. See README.windows for more information
+
+[![Build Status](https://travis-ci.org/libressl-portable/portable.svg?branch=master)](https://travis-ci.org/libressl-portable/portable)

README.windows

@@ -36,5 +36,7 @@ cv2pdb to generate Visual Studio and windbg compatible debug files. cv2pdb is a
 tool developed for the D language and can be found here:
 https://github.com/rainers/cv2pdb
 
-Pre-build Windows binaries are available with the LibreSSL release for your
-convenience.
+Pre-built Windows binaries are available with LibreSSL releases if you do not
+have a mingw-w64 build environment. Mingw-w64 code is largely, but not 100%,
+compatible with code built from Visual Studio. Notably, FILE * pointers cannot
+be shared between code built for Mingw-w64 and Visual Studio.

VERSION

@@ -1 +1 @@
-2.1.6
+2.2.1

apps/Makefile.am

@@ -2,7 +2,6 @@ include $(top_srcdir)/Makefile.am.common
 
 bin_PROGRAMS = openssl
 
-openssl_CFLAGS = $(USER_CFLAGS)
 openssl_LDADD = $(PLATFORM_LDADD) $(PROG_LDADD)
 openssl_LDADD += $(top_builddir)/ssl/libssl.la
 openssl_LDADD += $(top_builddir)/crypto/libcrypto.la

autogen.sh

@@ -4,3 +4,8 @@ set -e
 ./update.sh
 mkdir -p m4
 autoreconf -i -f
+
+# Patch libtool 2.4.2 to pass -fstack-protector as a linker argument
+sed 's/-fuse-linker-plugin)/-fuse-linker-plugin|-fstack-protector*)/' \
+  ltmain.sh > ltmain.sh.fixed
+mv -f ltmain.sh.fixed ltmain.sh

configure.ac

@@ -1,272 +1,58 @@
+# Copyright (c) 2014-2015 Brent Cook
+#
+# Permission to use, copy, modify, and distribute this software for any
+# purpose with or without fee is hereby granted, provided that the above
+# copyright notice and this permission notice appear in all copies.
+#
+# THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+# WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+# MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+# ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+# WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+# ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+# OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+
 AC_INIT([libressl], m4_esyscmd([tr -d '\n' < VERSION]))
 AC_SUBST([LIBCRYPTO_VERSION], m4_esyscmd([tr -d '\n' < crypto/VERSION]))
 AC_SUBST([LIBSSL_VERSION], m4_esyscmd([tr -d '\n' < ssl/VERSION]))
 AC_SUBST([LIBTLS_VERSION], m4_esyscmd([tr -d '\n' < tls/VERSION]))
 
 AC_CANONICAL_HOST
-AM_INIT_AUTOMAKE([subdir-objects])
+AM_INIT_AUTOMAKE([subdir-objects foreign])
 AC_CONFIG_MACRO_DIR([m4])
 
 m4_ifdef([AM_SILENT_RULES], [AM_SILENT_RULES([yes])])
 
-AC_SUBST([USER_CFLAGS], "$CFLAGS")
-CFLAGS="-Wall -std=gnu99 -g -O2"
-
-case $host_os in
-	*darwin*)
-		HOST_OS=darwin
-		HOST_ABI=macosx
-		;;
-	*freebsd*)
-		HOST_OS=freebsd
-		HOST_ABI=elf
-		AC_SUBST([PROG_LDADD], ['-lthr'])
-		;;
-	*hpux*)
-		HOST_OS=hpux;
-		CFLAGS="$CFLAGS -mlp64 -D_XOPEN_SOURCE=600 -D__STRICT_ALIGNMENT"
-		AC_SUBST([PLATFORM_LDADD], ['-lpthread'])
-		;;
-	*linux*)
-		HOST_OS=linux
-		HOST_ABI=elf
-		CFLAGS="$CFLAGS -D_DEFAULT_SOURCE -D_BSD_SOURCE -D_POSIX_SOURCE -D_GNU_SOURCE"
-		;;
-	*netbsd*)
-		HOST_OS=netbsd
-		;;
-	*openbsd*)
-		HOST_ABI=elf
-		AC_DEFINE([HAVE_ATTRIBUTE__BOUNDED__], [1], [OpenBSD gcc has bounded])
-		;;
-	*mingw*)
-		HOST_OS=win
-		CFLAGS="$CFLAGS -D_GNU_SOURCE -D_POSIX -D_POSIX_SOURCE -D_REENTRANT -D_POSIX_THREAD_SAFE_FUNCTIONS -DWIN32_LEAN_AND_MEAN -D_WIN32_WINNT=0x0600 -DOPENSSL_NO_SPEED -DNO_SYSLOG -D__USE_MINGW_ANSI_STDIO -static-libgcc"
-		LDFLAGS="$LDFLAGS -static-libgcc"
-		AC_SUBST([PLATFORM_LDADD], ['-lws2_32'])
-		;;
-	*solaris*)
-		HOST_OS=solaris
-		HOST_ABI=elf
-		CFLAGS="$CFLAGS -D__EXTENSIONS__ -D_XOPEN_SOURCE=600 -DBSD_COMP"
-		AC_SUBST([PLATFORM_LDADD], ['-lnsl -lsocket'])
-		;;
-	*) ;;
-esac
-
-AM_CONDITIONAL([HOST_DARWIN],  [test x$HOST_OS = xdarwin])
-AM_CONDITIONAL([HOST_FREEBSD], [test x$HOST_OS = xfreebsd])
-AM_CONDITIONAL([HOST_HPUX],    [test x$HOST_OS = xhpux])
-AM_CONDITIONAL([HOST_LINUX],   [test x$HOST_OS = xlinux])
-AM_CONDITIONAL([HOST_NETBSD],  [test x$HOST_OS = xnetbsd])
-AM_CONDITIONAL([HOST_SOLARIS], [test x$HOST_OS = xsolaris])
-AM_CONDITIONAL([HOST_WIN],     [test x$HOST_OS = xwin])
-
-AC_CHECK_FUNC([clock_gettime],,
-	[AC_SEARCH_LIBS([clock_gettime],[rt posix4])])
-
-AC_CHECK_FUNC([dl_iterate_phdr],,
-	[AC_SEARCH_LIBS([dl_iterate_phdr],[dl])])
+# This must be saved before AC_PROG_CC
+USER_CFLAGS="$CFLAGS"
 
 AC_PROG_CC
-AC_PROG_LIBTOOL
 AC_PROG_CC_STDC
 AM_PROG_CC_C_O
+AC_PROG_LIBTOOL
+LT_INIT
 
-AC_MSG_CHECKING([if compiling with clang])
-AC_COMPILE_IFELSE([AC_LANG_PROGRAM([], [[
-#ifndef __clang__
-	not clang
-#endif
-	]])],
-	[CLANG=yes],
-	[CLANG=no]
-)
-AC_MSG_RESULT([$CLANG])
-AS_IF([test "x$CLANG" = "xyes"], [CLANG_FLAGS=-Qunused-arguments])
+CHECK_OS_OPTIONS
 
-# We want to check for compiler flag support. Prior to clang v5.1, there was no
-# way to make clang's "argument unused" warning fatal.  So we invoke the
-# compiler through a wrapper script that greps for this message.
-saved_CC="$CC"
-saved_LD="$LD"
-flag_wrap="$srcdir/scripts/wrap-compiler-for-flag-check"
-CC="$flag_wrap $CC"
-LD="$flag_wrap $LD"
+CHECK_C_HARDENING_OPTIONS
 
-AC_ARG_ENABLE([hardening],
-	[AS_HELP_STRING([--disable-hardening],
-			[Disable options to frustrate memory corruption exploits])],
-	[], [enable_hardening=yes])
-
-AC_ARG_ENABLE([windows-ssp],
-	[AS_HELP_STRING([--enable-windows-ssp],
-			[Enable building the stack smashing protection on
-			 Windows. This currently distributing libssp-0.dll.])])
-
-AC_DEFUN([CHECK_CFLAG], [
-	 AC_LANG_ASSERT(C)
-	 AC_MSG_CHECKING([if $saved_CC supports "$1"])
-	 old_cflags="$CFLAGS"
-	 CFLAGS="$1 -Wall -Werror"
-	 AC_TRY_LINK([
-		      #include <stdio.h>
-		      ],
-		     [printf("Hello")],
-		     AC_MSG_RESULT([yes])
-		     CFLAGS=$old_cflags
-		     HARDEN_CFLAGS="$HARDEN_CFLAGS $1",
-		     AC_MSG_RESULT([no])
-		     CFLAGS=$old_cflags
-		     [$2])
-])
-
-AC_DEFUN([CHECK_LDFLAG], [
-	 AC_LANG_ASSERT(C)
-	 AC_MSG_CHECKING([if $saved_LD supports "$1"])
-	 old_ldflags="$LDFLAGS"
-	 LDFLAGS="$1 -Wall -Werror"
-	 AC_TRY_LINK([
-		      #include <stdio.h>
-		      ],
-		     [printf("Hello")],
-		     AC_MSG_RESULT([yes])
-		     LDFLAGS=$old_ldflags
-		     HARDEN_LDFLAGS="$HARDEN_LDFLAGS $1",
-		     AC_MSG_RESULT([no])
-		     LDFLAGS=$old_ldflags
-		     [$2])
-])
-
-AS_IF([test "x$enable_hardening" = "xyes"], [
-	# Tell GCC to NOT optimize based on signed arithmetic overflow
-	CHECK_CFLAG([[-fno-strict-overflow]])
-
-	# _FORTIFY_SOURCE replaces builtin functions with safer versions.
-	CHECK_CFLAG([[-D_FORTIFY_SOURCE=2]])
-
-	# Enable read only relocations
-	CHECK_LDFLAG([[-Wl,-z,relro]])
-	CHECK_LDFLAG([[-Wl,-z,now]])
-
-	# Windows security flags
-	AS_IF([test "x$HOST_OS" = "xwin"], [
-		CHECK_LDFLAG([[-Wl,--nxcompat]])
-		CHECK_LDFLAG([[-Wl,--dynamicbase]])
-		CHECK_LDFLAG([[-Wl,--high-entropy-va]])
-	])
-
-	# Use stack-protector-strong if available; if not, fallback to
-	# stack-protector-all which is considered to be overkill
-	AS_IF([test "x$enable_windows_ssp" = "xyes" -o "x$HOST_OS" != "xwin"], [
-		CHECK_CFLAG([[-fstack-protector-strong]],
-			CHECK_CFLAG([[-fstack-protector-all]],
-				AC_MSG_WARN([compiler does not appear to support stack protection])
-			)
-		)
-		AS_IF([test "x$HOST_OS" = "xwin"], [
-			AC_SEARCH_LIBS([__stack_chk_guard],[ssp])
-		])
-	])
-])
-
-
-# Restore CC, LD
-CC="$saved_CC"
-LD="$saved_LD"
-
-CFLAGS="$CFLAGS $HARDEN_CFLAGS"
-LDFLAGS="$LDFLAGS $HARDEN_LDFLAGS"
-
-# Removing the dependency on -Wno-pointer-sign should be a goal
-save_cflags="$CFLAGS"
-CFLAGS=-Wno-pointer-sign
-AC_MSG_CHECKING([whether CC supports -Wno-pointer-sign])
-AC_COMPILE_IFELSE([AC_LANG_PROGRAM([])],
-	[AC_MSG_RESULT([yes])]
-	[AM_CFLAGS=-Wno-pointer-sign],
-	[AC_MSG_RESULT([no])]
-)
-CFLAGS="$save_cflags $AM_CFLAGS"
-
-save_cflags="$CFLAGS"
-CFLAGS=
-AC_MSG_CHECKING([whether AS supports .note.GNU-stack])
-AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
-__asm__(".section .note.GNU-stack,\"\",@progbits");]])],
-	[AC_MSG_RESULT([yes])]
-	[AM_CFLAGS=-DHAVE_GNU_STACK],
-	[AC_MSG_RESULT([no])]
-)
-CFLAGS="$save_cflags $AM_CFLAGS"
+DISABLE_AS_EXECUTABLE_STACK
 AM_PROG_AS
 
-CFLAGS="$CFLAGS $CLANG_CFLAGS"
-LDFLAGS="$LDFLAGS $CLANG_FLAGS"
+DISABLE_COMPILER_WARNINGS
 
-AC_CHECK_FUNCS([arc4random_buf asprintf explicit_bzero funopen getauxval])
-AC_CHECK_FUNCS([getentropy issetugid memmem poll reallocarray])
-AC_CHECK_FUNCS([strlcat strlcpy strndup strnlen strsep strtonum])
+# Check if the certhash command should be built
 AC_CHECK_FUNCS([symlink])
-AC_CHECK_FUNCS([timingsafe_bcmp timingsafe_memcmp])
-
-# Share test results with automake
-AM_CONDITIONAL([HAVE_ARC4RANDOM_BUF], [test "x$ac_cv_func_arc4random_buf" = xyes])
-AM_CONDITIONAL([HAVE_ASPRINTF], [test "x$ac_cv_func_asprintf" = xyes])
-AM_CONDITIONAL([HAVE_EXPLICIT_BZERO], [test "x$ac_cv_func_explicit_bzero" = xyes])
-AM_CONDITIONAL([HAVE_GETENTROPY], [test "x$ac_cv_func_getentropy" = xyes])
-AM_CONDITIONAL([HAVE_ISSETUGID], [test "x$ac_cv_func_issetugid" = xyes])
-AM_CONDITIONAL([HAVE_MEMMEM], [test "x$ac_cv_func_memmem" = xyes])
-AM_CONDITIONAL([HAVE_POLL], [test "x$ac_cv_func_poll" = xyes])
-AM_CONDITIONAL([HAVE_REALLOCARRAY], [test "x$ac_cv_func_reallocarray" = xyes])
-AM_CONDITIONAL([HAVE_STRLCAT], [test "x$ac_cv_func_strlcat" = xyes])
-AM_CONDITIONAL([HAVE_STRLCPY], [test "x$ac_cv_func_strlcpy" = xyes])
-AM_CONDITIONAL([HAVE_STRNDUP], [test "x$ac_cv_func_strndup" = xyes])
-AM_CONDITIONAL([HAVE_STRNLEN], [test "x$ac_cv_func_strnlen" = xyes])
-AM_CONDITIONAL([HAVE_STRSEP], [test "x$ac_cv_func_strsep" = xyes])
-AM_CONDITIONAL([HAVE_STRTONUM], [test "x$ac_cv_func_strtonum" = xyes])
-AM_CONDITIONAL([HAVE_TIMINGSAFE_BCMP], [test "x$ac_cv_func_timingsafe_bcmp" = xyes])
-AM_CONDITIONAL([HAVE_TIMINGSAFE_MEMCMP], [test "x$ac_cv_func_timingsafe_memcmp" = xyes])
 AM_CONDITIONAL([BUILD_CERTHASH], [test "x$ac_cv_func_symlink" = xyes])
 
-# overrides for arc4random_buf implementations with known issues
-AM_CONDITIONAL([HAVE_ARC4RANDOM_BUF],
-	[test "x$HOST_OS" != xdarwin \
-	   -a "x$HOST_OS" != xfreebsd \
-	   -a "x$HOST_OS" != xnetbsd \
-	   -a "x$ac_cv_func_arc4random_buf" = xyes])
+# Check if funopen exists
+AC_CHECK_FUNC([funopen])
 
-# overrides for issetugid implementations with known issues
-AM_CONDITIONAL([HAVE_ISSETUGID],
-       [test "x$HOST_OS" != xdarwin \
-	  -a "x$ac_cv_func_issetugid" = xyes])
+CHECK_LIBC_COMPAT
+CHECK_LIBC_CRYPTO_COMPAT
+CHECK_VA_COPY
 
-AC_CACHE_CHECK([whether va_copy exists], ac_cv_have_va_copy, [
-	AC_LINK_IFELSE([AC_LANG_PROGRAM([[
-#include <stdarg.h>
-va_list x,y;
-		]], [[ va_copy(x,y); ]])],
-	[ ac_cv_have_va_copy="yes" ],
-	[ ac_cv_have_va_copy="no"
-	])
-])
-if test "x$ac_cv_have_va_copy" = "xyes" ; then
-	AC_DEFINE([HAVE_VA_COPY], [1], [Define if va_copy exists])
-fi
-
-AC_CACHE_CHECK([whether __va_copy exists], ac_cv_have___va_copy, [
-	AC_LINK_IFELSE([AC_LANG_PROGRAM([[
-#include <stdarg.h>
-va_list x,y;
-		]], [[ __va_copy(x,y); ]])],
-	[ ac_cv_have___va_copy="yes" ], [ ac_cv_have___va_copy="no"
-	])
-])
-if test "x$ac_cv_have___va_copy" = "xyes" ; then
-	AC_DEFINE([HAVE___VA_COPY], [1], [Define if __va_copy exists])
-fi
-
-AC_CHECK_HEADERS([sys/sysctl.h err.h])
+AC_CHECK_HEADERS([err.h])
 
 AC_ARG_WITH([openssldir],
 	AS_HELP_STRING([--with-openssldir],
@@ -280,12 +66,13 @@ AC_ARG_WITH([enginesdir],
 	AC_DEFINE_UNQUOTED(ENGINESDIR, "$withval")
 )
 
-AC_ARG_ENABLE([asm],
-	AS_HELP_STRING([--disable-asm], [Disable assembly]))
-AM_CONDITIONAL([OPENSSL_NO_ASM], [test "x$enable_asm" = "xno"])
+AC_ARG_ENABLE([extratests],
+	AS_HELP_STRING([--enable-extratests], [Enable extra tests that may be unreliable on some platforms]))
+AM_CONDITIONAL([ENABLE_EXTRATESTS], [test "x$enable_extratests" = xyes])
 
+# Add CPU-specific alignment flags
 old_cflags=$CFLAGS
-CFLAGS="$USER_CFLAGS -I$srcdir/include"
+CFLAGS="$CFLAGS -I$srcdir/include"
 AC_MSG_CHECKING([if BSWAP4 builds without __STRICT_ALIGNMENT])
 AC_TRY_COMPILE([#include "$srcdir/crypto/modes/modes_lcl.h"],
 	       [int a = 0; BSWAP4(a);],
@@ -297,21 +84,24 @@ CFLAGS="$old_cflags"
 
 case $host_cpu in
 	*sparc*)
-		CFLAGS="$CFLAGS -D__STRICT_ALIGNMENT"
+		CPPFLAGS="$CPPFLAGS -D__STRICT_ALIGNMENT"
 		;;
 	*arm*)
 		AS_IF([test "x$BSWAP4" = "xyes"],,
-		    CFLAGS="$CFLAGS -D__STRICT_ALIGNMENT")
+		    CPPFLAGS="$CPPFLAGS -D__STRICT_ALIGNMENT")
 		;;
 esac
 
+AC_ARG_ENABLE([asm],
+	AS_HELP_STRING([--disable-asm], [Disable assembly]))
+AM_CONDITIONAL([OPENSSL_NO_ASM], [test "x$enable_asm" = "xno"])
+
+# Conditionally enable assembly by default
 AM_CONDITIONAL([HOST_ASM_ELF_X86_64],
     [test "x$HOST_ABI" = "xelf" -a "$host_cpu" = "x86_64" -a "x$enable_asm" != "xno"])
 AM_CONDITIONAL([HOST_ASM_MACOSX_X86_64],
     [test "x$HOST_ABI" = "xmacosx" -a "$host_cpu" = "x86_64" -a "x$enable_asm" != "xno"])
 
-LT_INIT
-
 AC_CONFIG_FILES([
 	Makefile
 	include/Makefile

crypto/Makefile.am

@@ -1,8 +1,8 @@
 include $(top_srcdir)/Makefile.am.common
 
-AM_CPPFLAGS += -I$(top_srcdir)/crypto/asn1
-AM_CPPFLAGS += -I$(top_srcdir)/crypto/evp
-AM_CPPFLAGS += -I$(top_srcdir)/crypto/modes
+AM_CFLAGS += -I$(top_srcdir)/crypto/asn1
+AM_CFLAGS += -I$(top_srcdir)/crypto/evp
+AM_CFLAGS += -I$(top_srcdir)/crypto/modes
 
 lib_LTLIBRARIES = libcrypto.la
 
@@ -10,13 +10,12 @@ EXTRA_DIST = VERSION
 
 libcrypto_la_LDFLAGS = -version-info @LIBCRYPTO_VERSION@ -no-undefined
 libcrypto_la_LIBADD = libcompat.la libcompatnoopt.la
-libcrypto_la_CFLAGS = $(CFLAGS) $(USER_CFLAGS)
-libcrypto_la_CFLAGS += -DOPENSSL_NO_HW_PADLOCK
+libcrypto_la_CPPFLAGS = -DOPENSSL_NO_HW_PADLOCK
 if OPENSSL_NO_ASM
-libcrypto_la_CFLAGS += -DOPENSSL_NO_ASM
+libcrypto_la_CPPFLAGS += -DOPENSSL_NO_ASM
 else
 if HOST_WIN
-libcrypto_la_CFLAGS += -DOPENSSL_NO_ASM
+libcrypto_la_CPPFLAGS += -DOPENSSL_NO_ASM
 endif
 endif
 
@@ -31,7 +30,6 @@ libcompatnoopt_la_SOURCES += compat/explicit_bzero.c
 endif
 
 # other compatibility functions
-libcompat_la_CFLAGS = $(CFLAGS) $(USER_CFLAGS)
 libcompat_la_SOURCES =
 libcompat_la_LIBADD = $(PLATFORM_LDADD)
 
@@ -55,6 +53,10 @@ if !HAVE_ASPRINTF
 libcompat_la_SOURCES += compat/bsd-asprintf.c
 endif
 
+if !HAVE_INET_PTON
+libcompat_la_SOURCES += compat/inet_pton.c
+endif
+
 if !HAVE_REALLOCARRAY
 libcompat_la_SOURCES += compat/reallocarray.c
 endif
@@ -67,60 +69,11 @@ if !HAVE_TIMINGSAFE_BCMP
 libcompat_la_SOURCES += compat/timingsafe_bcmp.c
 endif
 
-if !HAVE_ARC4RANDOM_BUF
-libcompat_la_SOURCES += compat/arc4random.c
-
-if !HAVE_GETENTROPY
-if HOST_FREEBSD
-libcompat_la_SOURCES += compat/getentropy_freebsd.c
-endif
-if HOST_HPUX
-libcompat_la_SOURCES += compat/getentropy_hpux.c
-endif
-if HOST_LINUX
-libcompat_la_SOURCES += compat/getentropy_linux.c
-endif
-if HOST_NETBSD
-libcompat_la_SOURCES += compat/getentropy_netbsd.c
-endif
-if HOST_DARWIN
-libcompat_la_SOURCES += compat/getentropy_osx.c
-endif
-if HOST_SOLARIS
-libcompat_la_SOURCES += compat/getentropy_solaris.c
-endif
 if HOST_WIN
-libcompat_la_SOURCES += compat/getentropy_win.c
-endif
+libcompat_la_SOURCES += compat/posix_win.c
 endif
 
-endif
-
-if !HAVE_ISSETUGID
-if HOST_LINUX
-libcompat_la_SOURCES += compat/issetugid_linux.c
-endif
-if HOST_HPUX
-libcompat_la_SOURCES += compat/issetugid_hpux.c
-endif
-if HOST_DARWIN
-libcompat_la_SOURCES += compat/issetugid_osx.c
-endif
-if HOST_WIN
-libcompat_la_SOURCES += compat/issetugid_win.c
-endif
-endif
-
-noinst_HEADERS =
-noinst_HEADERS += compat/arc4random.h
-noinst_HEADERS += compat/arc4random_freebsd.h
-noinst_HEADERS += compat/arc4random_hpux.h
-noinst_HEADERS += compat/arc4random_linux.h
-noinst_HEADERS += compat/arc4random_netbsd.h
-noinst_HEADERS += compat/arc4random_osx.h
-noinst_HEADERS += compat/arc4random_solaris.h
-noinst_HEADERS += compat/arc4random_win.h
-noinst_HEADERS += compat/chacha_private.h
+include Makefile.am.arc4random
 
 libcrypto_la_SOURCES =
 EXTRA_libcrypto_la_SOURCES =
@@ -531,7 +484,6 @@ libcrypto_la_SOURCES += evp/m_gost2814789.c
 libcrypto_la_SOURCES += evp/m_gostr341194.c
 libcrypto_la_SOURCES += evp/m_md4.c
 libcrypto_la_SOURCES += evp/m_md5.c
-libcrypto_la_SOURCES += evp/m_mdc2.c
 libcrypto_la_SOURCES += evp/m_null.c
 libcrypto_la_SOURCES += evp/m_ripemd.c
 libcrypto_la_SOURCES += evp/m_sha.c
@@ -603,10 +555,6 @@ libcrypto_la_SOURCES += md5/md5_dgst.c
 libcrypto_la_SOURCES += md5/md5_one.c
 noinst_HEADERS += md5/md5_locl.h
 
-# mdc2
-libcrypto_la_SOURCES += mdc2/mdc2_one.c
-libcrypto_la_SOURCES += mdc2/mdc2dgst.c
-
 # modes
 libcrypto_la_SOURCES += modes/cbc128.c
 libcrypto_la_SOURCES += modes/ccm128.c

crypto/Makefile.am.arc4random

@@ -0,0 +1,45 @@
+if !HAVE_ARC4RANDOM_BUF
+libcompat_la_SOURCES += compat/arc4random.c
+
+if !HAVE_GETENTROPY
+if HOST_AIX
+libcompat_la_SOURCES += compat/getentropy_aix.c
+endif
+if HOST_FREEBSD
+libcompat_la_SOURCES += compat/getentropy_freebsd.c
+endif
+if HOST_HPUX
+libcompat_la_SOURCES += compat/getentropy_hpux.c
+endif
+if HOST_LINUX
+libcompat_la_SOURCES += compat/getentropy_linux.c
+endif
+if HOST_NETBSD
+libcompat_la_SOURCES += compat/getentropy_netbsd.c
+endif
+if HOST_DARWIN
+libcompat_la_SOURCES += compat/getentropy_osx.c
+endif
+if HOST_SOLARIS
+libcompat_la_SOURCES += compat/getentropy_solaris.c
+endif
+if HOST_WIN
+libcompat_la_SOURCES += compat/getentropy_win.c
+endif
+endif
+
+endif
+
+noinst_HEADERS =
+noinst_HEADERS += compat/arc4random.h
+noinst_HEADERS += compat/arc4random_aix.h
+noinst_HEADERS += compat/arc4random_freebsd.h
+noinst_HEADERS += compat/arc4random_hpux.h
+noinst_HEADERS += compat/arc4random_linux.h
+noinst_HEADERS += compat/arc4random_netbsd.h
+noinst_HEADERS += compat/arc4random_osx.h
+noinst_HEADERS += compat/arc4random_solaris.h
+noinst_HEADERS += compat/arc4random_win.h
+noinst_HEADERS += compat/chacha_private.h
+
+

crypto/Makefile.am.elf-x86_64

@@ -22,20 +22,20 @@ ASM_X86_64_ELF += cpuid-elf-x86_64.S
 EXTRA_DIST += $(ASM_X86_64_ELF)
 
 if HOST_ASM_ELF_X86_64
-libcrypto_la_CFLAGS += -DAES_ASM
-libcrypto_la_CFLAGS += -DBSAES_ASM
-libcrypto_la_CFLAGS += -DVPAES_ASM
-libcrypto_la_CFLAGS += -DOPENSSL_IA32_SSE2
-libcrypto_la_CFLAGS += -DOPENSSL_BN_ASM_MONT
-libcrypto_la_CFLAGS += -DOPENSSL_BN_ASM_MONT5
-libcrypto_la_CFLAGS += -DOPENSSL_BN_ASM_GF2m
-libcrypto_la_CFLAGS += -DMD5_ASM
-libcrypto_la_CFLAGS += -DGHASH_ASM
-libcrypto_la_CFLAGS += -DRSA_ASM
-libcrypto_la_CFLAGS += -DSHA1_ASM
-libcrypto_la_CFLAGS += -DSHA256_ASM
-libcrypto_la_CFLAGS += -DSHA512_ASM
-libcrypto_la_CFLAGS += -DWHIRLPOOL_ASM
-libcrypto_la_CFLAGS += -DOPENSSL_CPUID_OBJ
+libcrypto_la_CPPFLAGS += -DAES_ASM
+libcrypto_la_CPPFLAGS += -DBSAES_ASM
+libcrypto_la_CPPFLAGS += -DVPAES_ASM
+libcrypto_la_CPPFLAGS += -DOPENSSL_IA32_SSE2
+libcrypto_la_CPPFLAGS += -DOPENSSL_BN_ASM_MONT
+libcrypto_la_CPPFLAGS += -DOPENSSL_BN_ASM_MONT5
+libcrypto_la_CPPFLAGS += -DOPENSSL_BN_ASM_GF2m
+libcrypto_la_CPPFLAGS += -DMD5_ASM
+libcrypto_la_CPPFLAGS += -DGHASH_ASM
+libcrypto_la_CPPFLAGS += -DRSA_ASM
+libcrypto_la_CPPFLAGS += -DSHA1_ASM
+libcrypto_la_CPPFLAGS += -DSHA256_ASM
+libcrypto_la_CPPFLAGS += -DSHA512_ASM
+libcrypto_la_CPPFLAGS += -DWHIRLPOOL_ASM
+libcrypto_la_CPPFLAGS += -DOPENSSL_CPUID_OBJ
 libcrypto_la_SOURCES += $(ASM_X86_64_ELF)
 endif

crypto/Makefile.am.macosx-x86_64

@@ -22,20 +22,20 @@ ASM_X86_64_MACOSX += cpuid-macosx-x86_64.S
 EXTRA_DIST += $(ASM_X86_64_MACOSX)
 
 if HOST_ASM_MACOSX_X86_64
-libcrypto_la_CFLAGS += -DAES_ASM
-libcrypto_la_CFLAGS += -DBSAES_ASM
-libcrypto_la_CFLAGS += -DVPAES_ASM
-libcrypto_la_CFLAGS += -DOPENSSL_IA32_SSE2
-libcrypto_la_CFLAGS += -DOPENSSL_BN_ASM_MONT
-libcrypto_la_CFLAGS += -DOPENSSL_BN_ASM_MONT5
-libcrypto_la_CFLAGS += -DOPENSSL_BN_ASM_GF2m
-libcrypto_la_CFLAGS += -DMD5_ASM
-libcrypto_la_CFLAGS += -DGHASH_ASM
-libcrypto_la_CFLAGS += -DRSA_ASM
-libcrypto_la_CFLAGS += -DSHA1_ASM
-libcrypto_la_CFLAGS += -DSHA256_ASM
-libcrypto_la_CFLAGS += -DSHA512_ASM
-libcrypto_la_CFLAGS += -DWHIRLPOOL_ASM
-libcrypto_la_CFLAGS += -DOPENSSL_CPUID_OBJ
+libcrypto_la_CPPFLAGS += -DAES_ASM
+libcrypto_la_CPPFLAGS += -DBSAES_ASM
+libcrypto_la_CPPFLAGS += -DVPAES_ASM
+libcrypto_la_CPPFLAGS += -DOPENSSL_IA32_SSE2
+libcrypto_la_CPPFLAGS += -DOPENSSL_BN_ASM_MONT
+libcrypto_la_CPPFLAGS += -DOPENSSL_BN_ASM_MONT5
+libcrypto_la_CPPFLAGS += -DOPENSSL_BN_ASM_GF2m
+libcrypto_la_CPPFLAGS += -DMD5_ASM
+libcrypto_la_CPPFLAGS += -DGHASH_ASM
+libcrypto_la_CPPFLAGS += -DRSA_ASM
+libcrypto_la_CPPFLAGS += -DSHA1_ASM
+libcrypto_la_CPPFLAGS += -DSHA256_ASM
+libcrypto_la_CPPFLAGS += -DSHA512_ASM
+libcrypto_la_CPPFLAGS += -DWHIRLPOOL_ASM
+libcrypto_la_CPPFLAGS += -DOPENSSL_CPUID_OBJ
 libcrypto_la_SOURCES += $(ASM_X86_64_MACOSX)
 endif

crypto/compat/arc4random.h

@@ -3,7 +3,10 @@
 
 #include <sys/param.h>
 
-#if defined(__FreeBSD__)
+#if defined(_AIX)
+#include "arc4random_aix.h"
+
+#elif defined(__FreeBSD__)
 #include "arc4random_freebsd.h"
 
 #elif defined(__hpux)

crypto/compat/inet_pton.c

@@ -0,0 +1,212 @@
+/*	$OpenBSD: inet_pton.c,v 1.9 2015/01/16 16:48:51 deraadt Exp $	*/
+
+/* Copyright (c) 1996 by Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND INTERNET SOFTWARE CONSORTIUM DISCLAIMS
+ * ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES
+ * OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL INTERNET SOFTWARE
+ * CONSORTIUM BE LIABLE FOR ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL
+ * DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR
+ * PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS
+ * ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS
+ * SOFTWARE.
+ */
+
+#include <sys/types.h>
+#include <sys/socket.h>
+#include <netinet/in.h>
+#include <arpa/inet.h>
+#include <arpa/nameser.h>
+#include <string.h>
+#include <errno.h>
+
+/*
+ * WARNING: Don't even consider trying to compile this on a system where
+ * sizeof(int) < 4.  sizeof(int) > 4 is fine; all the world's not a VAX.
+ */
+
+static int	inet_pton4(const char *src, u_char *dst);
+static int	inet_pton6(const char *src, u_char *dst);
+
+/* int
+ * inet_pton(af, src, dst)
+ *	convert from presentation format (which usually means ASCII printable)
+ *	to network format (which is usually some kind of binary format).
+ * return:
+ *	1 if the address was valid for the specified address family
+ *	0 if the address wasn't valid (`dst' is untouched in this case)
+ *	-1 if some other error occurred (`dst' is untouched in this case, too)
+ * author:
+ *	Paul Vixie, 1996.
+ */
+int
+inet_pton(int af, const char *src, void *dst)
+{
+	switch (af) {
+	case AF_INET:
+		return (inet_pton4(src, dst));
+	case AF_INET6:
+		return (inet_pton6(src, dst));
+	default:
+		errno = EAFNOSUPPORT;
+		return (-1);
+	}
+	/* NOTREACHED */
+}
+
+/* int
+ * inet_pton4(src, dst)
+ *	like inet_aton() but without all the hexadecimal and shorthand.
+ * return:
+ *	1 if `src' is a valid dotted quad, else 0.
+ * notice:
+ *	does not touch `dst' unless it's returning 1.
+ * author:
+ *	Paul Vixie, 1996.
+ */
+static int
+inet_pton4(const char *src, u_char *dst)
+{
+	static const char digits[] = "0123456789";
+	int saw_digit, octets, ch;
+	u_char tmp[INADDRSZ], *tp;
+
+	saw_digit = 0;
+	octets = 0;
+	*(tp = tmp) = 0;
+	while ((ch = *src++) != '\0') {
+		const char *pch;
+
+		if ((pch = strchr(digits, ch)) != NULL) {
+			u_int new = *tp * 10 + (pch - digits);
+
+			if (new > 255)
+				return (0);
+			if (! saw_digit) {
+				if (++octets > 4)
+					return (0);
+				saw_digit = 1;
+			}
+			*tp = new;
+		} else if (ch == '.' && saw_digit) {
+			if (octets == 4)
+				return (0);
+			*++tp = 0;
+			saw_digit = 0;
+		} else
+			return (0);
+	}
+	if (octets < 4)
+		return (0);
+
+	memcpy(dst, tmp, INADDRSZ);
+	return (1);
+}
+
+/* int
+ * inet_pton6(src, dst)
+ *	convert presentation level address to network order binary form.
+ * return:
+ *	1 if `src' is a valid [RFC1884 2.2] address, else 0.
+ * notice:
+ *	does not touch `dst' unless it's returning 1.
+ * credit:
+ *	inspired by Mark Andrews.
+ * author:
+ *	Paul Vixie, 1996.
+ */
+static int
+inet_pton6(const char *src, u_char *dst)
+{
+	static const char xdigits_l[] = "0123456789abcdef",
+			  xdigits_u[] = "0123456789ABCDEF";
+	u_char tmp[IN6ADDRSZ], *tp, *endp, *colonp;
+	const char *xdigits, *curtok;
+	int ch, saw_xdigit, count_xdigit;
+	u_int val;
+
+	memset((tp = tmp), '\0', IN6ADDRSZ);
+	endp = tp + IN6ADDRSZ;
+	colonp = NULL;
+	/* Leading :: requires some special handling. */
+	if (*src == ':')
+		if (*++src != ':')
+			return (0);
+	curtok = src;
+	saw_xdigit = count_xdigit = 0;
+	val = 0;
+	while ((ch = *src++) != '\0') {
+		const char *pch;
+
+		if ((pch = strchr((xdigits = xdigits_l), ch)) == NULL)
+			pch = strchr((xdigits = xdigits_u), ch);
+		if (pch != NULL) {
+			if (count_xdigit >= 4)
+				return (0);
+			val <<= 4;
+			val |= (pch - xdigits);
+			if (val > 0xffff)
+				return (0);
+			saw_xdigit = 1;
+			count_xdigit++;
+			continue;
+		}
+		if (ch == ':') {
+			curtok = src;
+			if (!saw_xdigit) {
+				if (colonp)
+					return (0);
+				colonp = tp;
+				continue;
+			} else if (*src == '\0') {
+				return (0);
+			}
+			if (tp + INT16SZ > endp)
+				return (0);
+			*tp++ = (u_char) (val >> 8) & 0xff;
+			*tp++ = (u_char) val & 0xff;
+			saw_xdigit = 0;
+			count_xdigit = 0;
+			val = 0;
+			continue;
+		}
+		if (ch == '.' && ((tp + INADDRSZ) <= endp) &&
+		    inet_pton4(curtok, tp) > 0) {
+			tp += INADDRSZ;
+			saw_xdigit = 0;
+			count_xdigit = 0;
+			break;	/* '\0' was seen by inet_pton4(). */
+		}
+		return (0);
+	}
+	if (saw_xdigit) {
+		if (tp + INT16SZ > endp)
+			return (0);
+		*tp++ = (u_char) (val >> 8) & 0xff;
+		*tp++ = (u_char) val & 0xff;
+	}
+	if (colonp != NULL) {
+		/*
+		 * Since some memmove()'s erroneously fail to handle
+		 * overlapping regions, we'll do the shift by hand.
+		 */
+		const int n = tp - colonp;
+		int i;
+
+		if (tp == endp)
+			return (0);
+		for (i = 1; i <= n; i++) {
+			endp[- i] = colonp[n - i];
+			colonp[n - i] = 0;
+		}
+		tp = endp;
+	}
+	if (tp != endp)
+		return (0);
+	memcpy(dst, tmp, IN6ADDRSZ);
+	return (1);
+}

crypto/compat/issetugid_hpux.c

@@ -1,17 +0,0 @@
-#include <stdio.h>
-#include <unistd.h>
-#include <sys/pstat.h>
-
-/*
- * HP-UX does not have issetugid().
- * Use pstat_getproc() and check PS_CHANGEDPRIV bit of pst_flag. If this call
- * cannot be used, assume we must be running in a privileged environment.
- */
-int issetugid(void)
-{
-	struct pst_status buf;
-	if (pstat_getproc(&buf, sizeof(buf), 0, getpid()) == 1 &&
-	    !(buf.pst_flag & PS_CHANGEDPRIV))
-		return 0;
-	return 1;
-}

crypto/compat/issetugid_linux.c

@@ -1,47 +0,0 @@
-/*
- * issetugid implementation for Linux
- * Public domain
- */
-
-#include <errno.h>
-#include <gnu/libc-version.h>
-#include <string.h>
-#include <sys/types.h>
-#include <unistd.h>
-
-/*
- * Linux-specific glibc 2.16+ interface for determining if a process was
- * launched setuid/setgid or with additional capabilities.
- */
-#ifdef HAVE_GETAUXVAL
-#include <sys/auxv.h>
-#endif
-
-int issetugid(void)
-{
-#ifdef HAVE_GETAUXVAL
-	/*
-	 * The API for glibc < 2.19 does not indicate if there is an error with
-	 * getauxval. While it should not be the case that any 2.6 or greater
-	 * kernel ever does not supply AT_SECURE, an emulated software environment
-	 * might rewrite the aux vector.
-	 *
-	 * See https://sourceware.org/bugzilla/show_bug.cgi?id=15846
-	 *
-	 * Perhaps this code should just read the aux vector itself, so we have
-	 * backward-compatibility and error handling in older glibc versions.
-	 * info: http://lwn.net/Articles/519085/
-	 *
-	 */
-	const char *glcv = gnu_get_libc_version();
-	if (strverscmp(glcv, "2.19") >= 0) {
-		errno = 0;
-		if (getauxval(AT_SECURE) == 0) {
-			if (errno != ENOENT) {
-				return 0;
-			}
-		}
-	}
-#endif
-	return 1;
-}

crypto/compat/issetugid_osx.c

@@ -1,16 +0,0 @@
-/*
- * issetugid implementation for OS X
- * Public domain
- */
-
-#include <unistd.h>
-
-/*
- * OS X has issetugid, but it is not fork-safe as of version 10.10.
- * See this Solaris report for test code that fails similarly:
- * http://mcarpenter.org/blog/2013/01/15/solaris-issetugid%282%29-bug
- */
-int issetugid(void)
-{
-	return 1;
-}

crypto/compat/issetugid_win.c

@@ -1,26 +0,0 @@
-/*
- * issetugid implementation for Windows
- * Public domain
- */
-
-#include <unistd.h>
-
-/*
- * Windows does not have a native setuid/setgid functionality.
- * A user must enter credentials each time a process elevates its
- * privileges.
- *
- * So, in theory, this could always return 0, given what I know currently.
- * However, it makes sense to stub out initially in 'safe' mode until we
- * understand more (and determine if any disabled functionality is actually
- * useful on Windows anyway).
- *
- * Future versions of this function that are made more 'open' should thoroughly
- * consider the case of this code running as a privileged service with saved
- * user credentials or privilege escalations by other means (e.g. the old
- * RunAsEx utility.)
- */
-int issetugid(void)
-{
-	return 1;
-}

crypto/compat/posix_win.c

@@ -0,0 +1,168 @@
+/*
+ * Public domain
+ *
+ * BSD socket emulation code for Winsock2
+ * File IO compatibility shims
+ * Brent Cook <bcook@openbsd.org>
+ */
+
+#define NO_REDEF_POSIX_FUNCTIONS
+
+#include <windows.h>
+#include <ws2tcpip.h>
+
+#include <errno.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <unistd.h>
+
+void
+posix_perror(const char *s)
+{
+	fprintf(stderr, "%s: %s\n", s, strerror(errno));
+}
+
+FILE *
+posix_fopen(const char *path, const char *mode)
+{
+	if (strchr(mode, 'b') == NULL) {
+		char *bin_mode = NULL;
+		if (asprintf(&bin_mode, "%sb", mode) == -1)
+			return NULL;
+		FILE *f = fopen(path, bin_mode);
+		free(bin_mode);
+		return f;
+	}
+
+	return fopen(path, mode);
+}
+
+int
+posix_rename(const char *oldpath, const char *newpath)
+{
+	return MoveFileEx(oldpath, newpath, MOVEFILE_REPLACE_EXISTING) ? 0 : -1;
+}
+
+static int
+wsa_errno(int err)
+{
+	switch (err) {
+	case WSAENOBUFS:
+		errno = ENOMEM;
+		break;
+	case WSAEACCES:
+		errno = EACCES;
+		break;
+	case WSANOTINITIALISED:
+		errno = EPERM;
+		break;
+	case WSAEHOSTUNREACH:
+	case WSAENETDOWN:
+		errno = EIO;
+		break;
+	case WSAEFAULT:
+		errno = EFAULT;
+		break;
+	case WSAEINTR:
+		errno = EINTR;
+		break;
+	case WSAEINVAL:
+		errno = EINVAL;
+		break;
+	case WSAEINPROGRESS:
+		errno = EINPROGRESS;
+		break;
+	case WSAEWOULDBLOCK:
+		errno = EAGAIN;
+		break;
+	case WSAEOPNOTSUPP:
+		errno = ENOTSUP;
+		break;
+	case WSAEMSGSIZE:
+		errno = EFBIG;
+		break;
+	case WSAENOTSOCK:
+		errno = ENOTSOCK;
+		break;
+	case WSAENOPROTOOPT:
+		errno = ENOPROTOOPT;
+		break;
+	case WSAECONNREFUSED:
+		errno = ECONNREFUSED;
+		break;
+	case WSAEAFNOSUPPORT:
+		errno = EAFNOSUPPORT;
+		break;
+	case WSAENETRESET:
+	case WSAENOTCONN:
+	case WSAECONNABORTED:
+	case WSAECONNRESET:
+	case WSAESHUTDOWN:
+	case WSAETIMEDOUT:
+		errno = EPIPE;
+		break;
+	}
+	return -1;
+}
+
+int
+posix_connect(int sockfd, const struct sockaddr *addr, socklen_t addrlen)
+{
+	int rc = connect(sockfd, addr, addrlen);
+	if (rc == SOCKET_ERROR)
+		return wsa_errno(WSAGetLastError());
+	return rc;
+}
+
+int
+posix_close(int fd)
+{
+	if (closesocket(fd) == SOCKET_ERROR) {
+		int err = WSAGetLastError();
+		return err == WSAENOTSOCK ?
+			close(fd) : wsa_errno(err);
+	}
+	return 0;
+}
+
+ssize_t
+posix_read(int fd, void *buf, size_t count)
+{
+	ssize_t rc = recv(fd, buf, count, 0);
+	if (rc == SOCKET_ERROR) {
+		int err = WSAGetLastError();
+		return err == WSAENOTSOCK ?
+			read(fd, buf, count) : wsa_errno(err);
+	}
+	return rc;
+}
+
+ssize_t
+posix_write(int fd, const void *buf, size_t count)
+{
+	ssize_t rc = send(fd, buf, count, 0);
+	if (rc == SOCKET_ERROR) {
+		int err = WSAGetLastError();
+		return err == WSAENOTSOCK ?
+			write(fd, buf, count) : wsa_errno(err);
+	}
+	return rc;
+}
+
+int
+posix_getsockopt(int sockfd, int level, int optname,
+	void *optval, socklen_t *optlen)
+{
+	int rc = getsockopt(sockfd, level, optname, (char *)optval, optlen);
+	return rc == 0 ? 0 : wsa_errno(WSAGetLastError());
+
+}
+
+int
+posix_setsockopt(int sockfd, int level, int optname,
+	const void *optval, socklen_t optlen)
+{
+	int rc = setsockopt(sockfd, level, optname, (char *)optval, optlen);
+	return rc == 0 ? 0 : wsa_errno(WSAGetLastError());
+}

gen-coverage-report.sh

@@ -29,9 +29,15 @@ make check
 echo "Generating report"
 mkdir -p $DESTDIR
 find tests -name '*.gcda' -o -name '*.gcno' -delete
-lcov --directory . --capture --output-file $DESTDIR/coverage.tmp \
+lcov --capture --output-file $DESTDIR/coverage.tmp \
+	--rc lcov_branch_coverage=1 \
+	--directory crypto \
+	--directory ssl \
+	--directory tls \
     --test-name "LibreSSL $VERSION"
 genhtml --prefix . --output-directory $DESTDIR \
+	--branch-coverage --function-coverage \
+	--rc lcov_branch_coverage=1 \
     --title "LibreSSL $VERSION" --legend --show-detail $DESTDIR/coverage.tmp
 
 echo "Code coverage report is available under $DESTDIR"

include/Makefile.am

@@ -14,6 +14,7 @@ noinst_HEADERS += unistd.h
 noinst_HEADERS += win32netcompat.h
 
 noinst_HEADERS += arpa/inet.h
+noinst_HEADERS += arpa/nameser.h
 
 noinst_HEADERS += machine/endian.h
 

include/arpa/inet.h

@@ -7,4 +7,13 @@
 #include_next <arpa/inet.h>
 #else
 #include <win32netcompat.h>
+
+#ifndef AI_ADDRCONFIG
+#define AI_ADDRCONFIG               0x00000400
+#endif
+
+#endif
+
+#ifndef HAVE_INET_PTON
+int inet_pton(int af, const char * restrict src, void * restrict dst);
 #endif

include/arpa/nameser.h

@@ -0,0 +1,23 @@
+/*
+ * Public domain
+ * arpa/inet.h compatibility shim
+ */
+
+#ifndef _WIN32
+#include_next <arpa/nameser.h>
+#else
+#include <win32netcompat.h>
+
+#ifndef INADDRSZ
+#define INADDRSZ 4
+#endif
+
+#ifndef IN6ADDRSZ
+#define IN6ADDRSZ 16
+#endif
+
+#ifndef INT16SZ
+#define INT16SZ	2
+#endif
+
+#endif

include/stdio.h

@@ -15,16 +15,17 @@ int asprintf(char **str, const char *fmt, ...);
 #endif
 
 #ifdef _WIN32
-#include <errno.h>
-#include <string.h>
 
-static inline void
-posix_perror(const char *s)
-{
-	fprintf(stderr, "%s: %s\n", s, strerror(errno));
-}
+void posix_perror(const char *s);
+FILE * posix_fopen(const char *path, const char *mode);
+int posix_rename(const char *oldpath, const char *newpath);
 
+#ifndef NO_REDEF_POSIX_FUNCTIONS
 #define perror(errnum) posix_perror(errnum)
+#define fopen(path, mode) posix_fopen(path, mode)
+#define rename(oldpath, newpath) posix_rename(oldpath, newpath)
+#endif
+
 #endif
 
 #endif

include/unistd.h

@@ -12,8 +12,4 @@
 int getentropy(void *buf, size_t buflen);
 #endif
 
-#ifndef HAVE_ISSETUGID
-int issetugid(void);
-#endif
-
 #endif

include/win32netcompat.h

@@ -19,142 +19,29 @@
 #include <errno.h>
 #include <unistd.h>
 
-static int
-wsa_errno(int err)
-{
-	switch (err) {
-	case WSAENOBUFS:
-		errno = ENOMEM;
-		break;
-	case WSAEACCES:
-		errno = EACCES;
-		break;
-	case WSANOTINITIALISED:
-		errno = EPERM;
-		break;
-	case WSAEHOSTUNREACH:
-	case WSAENETDOWN:
-		errno = EIO;
-		break;
-	case WSAEFAULT:
-		errno = EFAULT;
-		break;
-	case WSAEINTR:
-		errno = EINTR;
-		break;
-	case WSAEINVAL:
-		errno = EINVAL;
-		break;
-	case WSAEINPROGRESS:
-		errno = EINPROGRESS;
-		break;
-	case WSAEWOULDBLOCK:
-		errno = EAGAIN;
-		break;
-	case WSAEOPNOTSUPP:
-		errno = ENOTSUP;
-		break;
-	case WSAEMSGSIZE:
-		errno = EFBIG;
-		break;
-	case WSAENOTSOCK:
-		errno = ENOTSOCK;
-		break;
-	case WSAENOPROTOOPT:
-		errno = ENOPROTOOPT;
-		break;
-	case WSAECONNREFUSED:
-		errno = ECONNREFUSED;
-		break;
-	case WSAEAFNOSUPPORT:
-		errno = EAFNOSUPPORT;
-		break;
-	case WSAENETRESET:
-	case WSAENOTCONN:
-	case WSAECONNABORTED:
-	case WSAECONNRESET:
-	case WSAESHUTDOWN:
-	case WSAETIMEDOUT:
-		errno = EPIPE;
-		break;
-	}
-	return -1;
-}
+int posix_connect(int sockfd, const struct sockaddr *addr, socklen_t addrlen);
 
-static inline int
-posix_connect(int sockfd, const struct sockaddr *addr, socklen_t addrlen)
-{
-	int rc = connect(sockfd, addr, addrlen);
-	if (rc == SOCKET_ERROR)
-		return wsa_errno(WSAGetLastError());
-	return rc;
-}
+int posix_close(int fd);
+ssize_t posix_read(int fd, void *buf, size_t count);
 
+ssize_t posix_write(int fd, const void *buf, size_t count);
+
+int posix_getsockopt(int sockfd, int level, int optname,
+	void *optval, socklen_t *optlen);
+
+int posix_setsockopt(int sockfd, int level, int optname,
+	const void *optval, socklen_t optlen);
+
+#ifndef NO_REDEF_POSIX_FUNCTIONS
 #define connect(sockfd, addr, addrlen) posix_connect(sockfd, addr, addrlen)
-
-static inline int
-posix_close(int fd)
-{
-	if (closesocket(fd) == SOCKET_ERROR) {
-		int err = WSAGetLastError();
-		return err == WSAENOTSOCK ?
-			close(fd) : wsa_errno(err);
-	}
-	return 0;
-}
-
 #define close(fd) posix_close(fd)
-
-static inline ssize_t
-posix_read(int fd, void *buf, size_t count)
-{
-	ssize_t rc = recv(fd, buf, count, 0);
-	if (rc == SOCKET_ERROR) {
-		int err = WSAGetLastError();
-		return err == WSAENOTSOCK ?
-			read(fd, buf, count) : wsa_errno(err);
-	}
-	return rc;
-}
-
 #define read(fd, buf, count) posix_read(fd, buf, count)
-
-static inline ssize_t
-posix_write(int fd, const void *buf, size_t count)
-{
-	ssize_t rc = send(fd, buf, count, 0);
-	if (rc == SOCKET_ERROR) {
-		int err = WSAGetLastError();
-		return err == WSAENOTSOCK ?
-			write(fd, buf, count) : wsa_errno(err);
-	}
-	return rc;
-}
-
 #define write(fd, buf, count) posix_write(fd, buf, count)
-
-static inline int
-posix_getsockopt(int sockfd, int level, int optname,
-	void *optval, socklen_t *optlen)
-{
-	int rc = getsockopt(sockfd, level, optname, (char *)optval, optlen);
-	return rc == 0 ? 0 : wsa_errno(WSAGetLastError());
-
-}
-
 #define getsockopt(sockfd, level, optname, optval, optlen) \
 	posix_getsockopt(sockfd, level, optname, optval, optlen)
-
-static inline int
-posix_setsockopt(int sockfd, int level, int optname,
-	const void *optval, socklen_t optlen)
-{
-	int rc = setsockopt(sockfd, level, optname, (char *)optval, optlen);
-	return rc == 0 ? 0 : wsa_errno(WSAGetLastError());
-}
-
 #define setsockopt(sockfd, level, optname, optval, optlen) \
 	posix_setsockopt(sockfd, level, optname, optval, optlen)
+#endif
 
 #endif
 

libtls-standalone/COPYING

@@ -0,0 +1,13 @@
+libtls is ISC licensed as per OpenBSD's normal licensing policy.
+
+Permission to use, copy, modify, and distribute this software for any
+purpose with or without fee is hereby granted, provided that the above
+copyright notice and this permission notice appear in all copies.
+
+THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.

libtls-standalone/Makefile.am

@@ -0,0 +1,7 @@
+SUBDIRS = include compat src tests man
+ACLOCAL_AMFLAGS = -I m4
+
+pkgconfigdir = $(libdir)/pkgconfig
+pkgconfig_DATA = libtls.pc
+
+EXTRA_DIST = README VERSION

libtls-standalone/VERSION

@@ -0,0 +1 @@
+4.0.0

libtls-standalone/compat/Makefile.am

@@ -0,0 +1,45 @@
+#
+# Copyright (c) 2014-2015 Brent Cook
+#
+# Permission to use, copy, modify, and distribute this software for any
+# purpose with or without fee is hereby granted, provided that the above
+# copyright notice and this permission notice appear in all copies.
+#
+# THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+# WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+# MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+# ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+# WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+# ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+# OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+
+AM_CPPFLAGS = -I$(top_srcdir)/include -I$(top_srcdir)/src
+
+noinst_LTLIBRARIES = libcompat.la libcompatnoopt.la
+
+# compatibility functions that need to be built without optimizations
+libcompatnoopt_la_CFLAGS = -O0
+libcompatnoopt_la_SOURCES =
+
+if !HAVE_EXPLICIT_BZERO
+libcompatnoopt_la_SOURCES += explicit_bzero.c
+endif
+
+# other compatibility functions
+libcompat_la_CFLAGS = $(CFLAGS) $(USER_CFLAGS)
+libcompat_la_SOURCES =
+libcompat_la_LIBADD = $(PLATFORM_LDADD)
+
+if !HAVE_ASPRINTF
+libcompat_la_SOURCES += bsd-asprintf.c
+endif
+
+if !HAVE_STRLCPY
+libcompat_la_SOURCES += strlcpy.c
+endif
+
+if !HAVE_STRSEP
+libcompat_la_SOURCES += strsep.c
+endif
+
+include Makefile.am.arc4random

libtls-standalone/configure.ac

@@ -0,0 +1,52 @@
+# Copyright (c) 2014-2015 Brent Cook
+#
+# Permission to use, copy, modify, and distribute this software for any
+# purpose with or without fee is hereby granted, provided that the above
+# copyright notice and this permission notice appear in all copies.
+#
+# THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+# WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+# MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+# ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+# WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+# ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+# OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+
+AC_INIT([libtls], m4_esyscmd([tr -d '\n' < VERSION]))
+AC_SUBST([LIBTLS_VERSION], m4_esyscmd([sed -e 's/\./:/g' VERSION | tr -d '\n']))
+
+AC_CANONICAL_HOST
+AM_INIT_AUTOMAKE([subdir-objects])
+AC_CONFIG_MACRO_DIR([m4])
+
+m4_ifdef([AM_SILENT_RULES], [AM_SILENT_RULES([yes])])
+
+# This must be called before AC_PROG_CC
+USER_CFLAGS="$CFLAGS"
+
+AC_PROG_CC
+AC_PROG_CC_STDC
+AM_PROG_CC_C_O
+AC_PROG_LIBTOOL
+LT_INIT
+
+CHECK_OS_OPTIONS
+
+CHECK_C_HARDENING_OPTIONS
+
+DISABLE_COMPILER_WARNINGS
+
+CHECK_LIBC_COMPAT
+CHECK_LIBC_CRYPTO_COMPAT
+
+AC_CONFIG_FILES([
+	Makefile
+	include/Makefile
+	compat/Makefile
+	man/Makefile
+	src/Makefile
+	tests/Makefile
+	libtls.pc
+])
+
+AC_OUTPUT

libtls-standalone/include/Makefile.am

@@ -0,0 +1,5 @@
+noinst_HEADERS = stdlib.h
+noinst_HEADERS += string.h
+noinst_HEADERS += unistd.h
+
+include_HEADERS = tls.h

libtls-standalone/include/string.h

@@ -0,0 +1,73 @@
+/*
+ * Public domain
+ * string.h compatibility shim
+ */
+
+#include_next <string.h>
+
+#ifndef LIBCRYPTOCOMPAT_STRING_H
+#define LIBCRYPTOCOMPAT_STRING_H
+
+#include <sys/types.h>
+
+#if defined(__sun) || defined(__hpux)
+/* Some functions historically defined in string.h were placed in strings.h by
+ * SUS. Use the same hack as OS X and FreeBSD use to work around on Solaris and HPUX.
+ */
+#include <strings.h>
+#endif
+
+#ifndef HAVE_STRLCPY
+size_t strlcpy(char *dst, const char *src, size_t siz);
+#endif
+
+#ifndef HAVE_STRLCAT
+size_t strlcat(char *dst, const char *src, size_t siz);
+#endif
+
+#ifndef HAVE_STRNDUP
+char * strndup(const char *str, size_t maxlen);
+/* the only user of strnlen is strndup, so only build it if needed */
+#ifndef HAVE_STRNLEN
+size_t strnlen(const char *str, size_t maxlen);
+#endif
+#endif
+
+#ifndef HAVE_STRSEP
+char *strsep(char **stringp, const char *delim);
+#endif
+
+#ifndef HAVE_EXPLICIT_BZERO
+void explicit_bzero(void *, size_t);
+#endif
+
+#ifndef HAVE_TIMINGSAFE_BCMP
+int timingsafe_bcmp(const void *b1, const void *b2, size_t n);
+#endif
+
+#ifndef HAVE_TIMINGSAFE_MEMCMP
+int timingsafe_memcmp(const void *b1, const void *b2, size_t len);
+#endif
+
+#ifndef HAVE_MEMMEM
+void * memmem(const void *big, size_t big_len, const void *little,
+	size_t little_len);
+#endif
+
+#ifdef _WIN32
+#include <errno.h>
+
+static inline char  *
+posix_strerror(int errnum)
+{
+	if (errnum == ECONNREFUSED) {
+		return "Connection refused";
+	}
+	return strerror(errnum);
+}
+
+#define strerror(errnum) posix_strerror(errnum)
+
+#endif
+
+#endif

libtls-standalone/libtls.pc.in

@@ -0,0 +1,16 @@
+#libtls pkg-config source file
+
+prefix=@prefix@
+exec_prefix=@exec_prefix@
+libdir=@libdir@
+includedir=@includedir@
+
+Name: LibreSSL-libtls
+Description: Secure communications using the TLS socket protocol.
+Version: @LIBTLS_VERSION@
+Requires:
+Requires.private: libcrypto libssl
+Conflicts:
+Libs: -L${libdir} -ltls
+Libs.private: @LIBS@ -lcrypto -lssl
+Cflags: -I${includedir}

libtls-standalone/src/Makefile.am

@@ -0,0 +1,16 @@
+AM_CFLAGS = -I$(top_srcdir)/include
+
+lib_LTLIBRARIES = libtls.la
+
+libtls_la_LDFLAGS = -version-info @LIBTLS_VERSION@ -no-undefined
+libtls_la_LIBADD = -lcrypto -lssl -lcrypto $(PLATFORM_LDADD)
+libtls_la_LIBADD += $(top_builddir)/compat/libcompat.la
+libtls_la_LIBADD += $(top_builddir)/compat/libcompatnoopt.la
+
+libtls_la_SOURCES = tls.c
+libtls_la_SOURCES += tls_client.c
+libtls_la_SOURCES += tls_config.c
+libtls_la_SOURCES += tls_server.c
+libtls_la_SOURCES += tls_util.c
+libtls_la_SOURCES += tls_verify.c
+noinst_HEADERS = tls_internal.h

libtls-standalone/tests/Makefile.am

@@ -0,0 +1,7 @@
+AM_CFLAGS = -I$(top_srcdir)/include
+
+check_PROGRAMS = test
+
+TESTS = test
+test_SOURCES = test.c
+test_LDADD = -lcrypto -lssl $(top_builddir)/src/libtls.la

libtls-standalone/tests/test.c

@@ -0,0 +1,51 @@
+#include <stdio.h>
+#include <tls.h>
+
+int main()
+{
+	struct tls *tls;
+	struct tls_config *tls_config;
+	size_t written, read;
+	char buf[4096];
+
+	if (tls_init() != 0) {
+		fprintf(stderr, "tls_init failed");
+		return 1;
+	}
+
+	if ((tls = tls_client()) == NULL)
+		goto err;
+
+	if ((tls_config = tls_config_new()) == NULL)
+		goto err;
+
+	if (tls_config_set_ciphers(tls_config, "compat") != 0)
+		goto err;
+
+	tls_config_insecure_noverifycert(tls_config);
+	tls_config_insecure_noverifyname(tls_config);
+
+	if (tls_configure(tls, tls_config) != 0)
+		goto err;
+
+	if (tls_connect(tls, "google.com", "443") != 0)
+		goto err;
+
+	if (tls_write(tls, "GET /\r\n", 7, &written) != 0)
+		goto err;
+
+	if (tls_read(tls, buf, sizeof(buf), &read) != 0)
+		goto err;
+
+	buf[read - 1] = '\0';
+	puts(buf);
+
+	if (tls_close(tls) != 0)
+		goto err;
+
+	return 0;
+
+err:
+	fprintf(stderr, "%s\n", tls_error(tls));
+	return 1;
+}

m4/check-hardening-options.m4

@@ -0,0 +1,109 @@
+
+AC_DEFUN([CHECK_CFLAG], [
+	 AC_LANG_ASSERT(C)
+	 AC_MSG_CHECKING([if $saved_CC supports "$1"])
+	 old_cflags="$CFLAGS"
+	 CFLAGS="$1 -Wall -Werror"
+	 AC_TRY_LINK([
+		      #include <stdio.h>
+		      ],
+		     [printf("Hello")],
+		     AC_MSG_RESULT([yes])
+		     CFLAGS=$old_cflags
+		     HARDEN_CFLAGS="$HARDEN_CFLAGS $1",
+		     AC_MSG_RESULT([no])
+		     CFLAGS=$old_cflags
+		     [$2])
+])
+
+AC_DEFUN([CHECK_LDFLAG], [
+	 AC_LANG_ASSERT(C)
+	 AC_MSG_CHECKING([if $saved_LD supports "$1"])
+	 old_ldflags="$LDFLAGS"
+	 LDFLAGS="$1 -Wall -Werror"
+	 AC_TRY_LINK([
+		      #include <stdio.h>
+		      ],
+		     [printf("Hello")],
+		     AC_MSG_RESULT([yes])
+		     LDFLAGS=$old_ldflags
+		     HARDEN_LDFLAGS="$HARDEN_LDFLAGS $1",
+		     AC_MSG_RESULT([no])
+		     LDFLAGS=$old_ldflags
+		     [$2])
+])
+
+AC_DEFUN([DISABLE_AS_EXECUTABLE_STACK], [
+	save_cflags="$CFLAGS"
+	CFLAGS=
+	AC_MSG_CHECKING([whether AS supports .note.GNU-stack])
+	AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
+	__asm__(".section .note.GNU-stack,\"\",@progbits");]])],
+		[AC_MSG_RESULT([yes])]
+		[AM_CFLAGS=-DHAVE_GNU_STACK],
+		[AC_MSG_RESULT([no])]
+	)
+	CFLAGS="$save_cflags $AM_CFLAGS"
+])
+
+
+AC_DEFUN([CHECK_C_HARDENING_OPTIONS], [
+
+	AC_ARG_ENABLE([hardening],
+		[AS_HELP_STRING([--disable-hardening],
+				[Disable options to frustrate memory corruption exploits])],
+		[], [enable_hardening=yes])
+
+	AC_ARG_ENABLE([windows-ssp],
+		[AS_HELP_STRING([--enable-windows-ssp],
+				[Enable building the stack smashing protection on
+				 Windows. This currently distributing libssp-0.dll.])])
+
+	# We want to check for compiler flag support. Prior to clang v5.1, there was no
+	# way to make clang's "argument unused" warning fatal.  So we invoke the
+	# compiler through a wrapper script that greps for this message.
+	saved_CC="$CC"
+	saved_LD="$LD"
+	flag_wrap="$srcdir/scripts/wrap-compiler-for-flag-check"
+	CC="$flag_wrap $CC"
+	LD="$flag_wrap $LD"
+
+	AS_IF([test "x$enable_hardening" = "xyes"], [
+		# Tell GCC to NOT optimize based on signed arithmetic overflow
+		CHECK_CFLAG([[-fno-strict-overflow]])
+
+		# _FORTIFY_SOURCE replaces builtin functions with safer versions.
+		CHECK_CFLAG([[-D_FORTIFY_SOURCE=2]])
+
+		# Enable read only relocations
+		CHECK_LDFLAG([[-Wl,-z,relro]])
+		CHECK_LDFLAG([[-Wl,-z,now]])
+
+		# Windows security flags
+		AS_IF([test "x$HOST_OS" = "xwin"], [
+			CHECK_LDFLAG([[-Wl,--nxcompat]])
+			CHECK_LDFLAG([[-Wl,--dynamicbase]])
+			CHECK_LDFLAG([[-Wl,--high-entropy-va]])
+		])
+
+		# Use stack-protector-strong if available; if not, fallback to
+		# stack-protector-all which is considered to be overkill
+		AS_IF([test "x$enable_windows_ssp" = "xyes" -o "x$HOST_OS" != "xwin"], [
+			CHECK_CFLAG([[-fstack-protector-strong]],
+				CHECK_CFLAG([[-fstack-protector-all]],
+					AC_MSG_WARN([compiler does not appear to support stack protection])
+				)
+			)
+			AS_IF([test "x$HOST_OS" = "xwin"], [
+				AC_SEARCH_LIBS([__stack_chk_guard],[ssp])
+			])
+		])
+	])
+
+	# Restore CC, LD
+	CC="$saved_CC"
+	LD="$saved_LD"
+
+	CFLAGS="$CFLAGS $HARDEN_CFLAGS"
+	LDFLAGS="$LDFLAGS $HARDEN_LDFLAGS"
+])

m4/check-libc.m4

@@ -0,0 +1,66 @@
+AC_DEFUN([CHECK_LIBC_COMPAT], [
+# Check for general libc functions
+AC_CHECK_FUNCS([asprintf inet_pton memmem poll reallocarray])
+AC_CHECK_FUNCS([strlcat strlcpy strndup strnlen strsep strtonum])
+AM_CONDITIONAL([HAVE_ASPRINTF], [test "x$ac_cv_func_asprintf" = xyes])
+AM_CONDITIONAL([HAVE_INET_PTON], [test "x$ac_cv_func_inet_pton" = xyes])
+AM_CONDITIONAL([HAVE_MEMMEM], [test "x$ac_cv_func_memmem" = xyes])
+AM_CONDITIONAL([HAVE_POLL], [test "x$ac_cv_func_poll" = xyes])
+AM_CONDITIONAL([HAVE_REALLOCARRAY], [test "x$ac_cv_func_reallocarray" = xyes])
+AM_CONDITIONAL([HAVE_STRLCAT], [test "x$ac_cv_func_strlcat" = xyes])
+AM_CONDITIONAL([HAVE_STRLCPY], [test "x$ac_cv_func_strlcpy" = xyes])
+AM_CONDITIONAL([HAVE_STRNDUP], [test "x$ac_cv_func_strndup" = xyes])
+AM_CONDITIONAL([HAVE_STRNLEN], [test "x$ac_cv_func_strnlen" = xyes])
+AM_CONDITIONAL([HAVE_STRSEP], [test "x$ac_cv_func_strsep" = xyes])
+AM_CONDITIONAL([HAVE_STRTONUM], [test "x$ac_cv_func_strtonum" = xyes])
+])
+
+AC_DEFUN([CHECK_LIBC_CRYPTO_COMPAT], [
+# Check crypto-related libc functions
+AC_CHECK_FUNCS([arc4random_buf explicit_bzero getauxval getentropy])
+AC_CHECK_FUNCS([timingsafe_bcmp timingsafe_memcmp])
+AM_CONDITIONAL([HAVE_ARC4RANDOM_BUF], [test "x$ac_cv_func_arc4random_buf" = xyes])
+AM_CONDITIONAL([HAVE_EXPLICIT_BZERO], [test "x$ac_cv_func_explicit_bzero" = xyes])
+AM_CONDITIONAL([HAVE_GETENTROPY], [test "x$ac_cv_func_getentropy" = xyes])
+AM_CONDITIONAL([HAVE_TIMINGSAFE_BCMP], [test "x$ac_cv_func_timingsafe_bcmp" = xyes])
+AM_CONDITIONAL([HAVE_TIMINGSAFE_MEMCMP], [test "x$ac_cv_func_timingsafe_memcmp" = xyes])
+
+# Override arc4random_buf implementations with known issues
+AM_CONDITIONAL([HAVE_ARC4RANDOM_BUF],
+	[test "x$HOST_OS" != xdarwin \
+	   -a "x$HOST_OS" != xfreebsd \
+	   -a "x$HOST_OS" != xnetbsd \
+	   -a "x$ac_cv_func_arc4random_buf" = xyes])
+
+# Check for getentropy fallback dependencies
+AC_CHECK_FUNC([getauxval])
+AC_CHECK_FUNC([clock_gettime],, [AC_SEARCH_LIBS([clock_gettime],[rt posix4])])
+AC_CHECK_FUNC([dl_iterate_phdr],, [AC_SEARCH_LIBS([dl_iterate_phdr],[dl])])
+])
+
+AC_DEFUN([CHECK_VA_COPY], [
+AC_CACHE_CHECK([whether va_copy exists], ac_cv_have_va_copy, [
+	AC_LINK_IFELSE([AC_LANG_PROGRAM([[
+#include <stdarg.h>
+va_list x,y;
+		]], [[ va_copy(x,y); ]])],
+	[ ac_cv_have_va_copy="yes" ],
+	[ ac_cv_have_va_copy="no"
+	])
+])
+if test "x$ac_cv_have_va_copy" = "xyes" ; then
+	AC_DEFINE([HAVE_VA_COPY], [1], [Define if va_copy exists])
+fi
+
+AC_CACHE_CHECK([whether __va_copy exists], ac_cv_have___va_copy, [
+	AC_LINK_IFELSE([AC_LANG_PROGRAM([[
+#include <stdarg.h>
+va_list x,y;
+		]], [[ __va_copy(x,y); ]])],
+	[ ac_cv_have___va_copy="yes" ], [ ac_cv_have___va_copy="no"
+	])
+])
+if test "x$ac_cv_have___va_copy" = "xyes" ; then
+	AC_DEFINE([HAVE___VA_COPY], [1], [Define if __va_copy exists])
+fi
+])

m4/check-os-options.m4

@@ -0,0 +1,77 @@
+# This must be called before AC_PROG_CC
+AC_DEFUN([CHECK_OS_OPTIONS], [
+
+CFLAGS="$CFLAGS -Wall -std=gnu99"
+
+case $host_os in
+	*aix*)
+		HOST_OS=aix
+		if test "`echo $CC | cut -d ' ' -f 1`" != "gcc" ; then
+			CFLAGS="$USER_CFLAGS"
+		fi
+		AC_SUBST([PLATFORM_LDADD], ['-lperfstat -lpthread'])
+		;;
+	*cygwin*)
+		HOST_OS=cygwin
+		;;
+	*darwin*)
+		HOST_OS=darwin
+		HOST_ABI=macosx
+		;;
+	*freebsd*)
+		HOST_OS=freebsd
+		HOST_ABI=elf
+		AC_SUBST([PROG_LDADD], ['-lthr'])
+		;;
+	*hpux*)
+		HOST_OS=hpux;
+		if test "`echo $CC | cut -d ' ' -f 1`" = "gcc" ; then
+			CFLAGS="$CFLAGS -mlp64"
+		else
+			CFLAGS="-g -O2 +DD64 $USER_CFLAGS"
+		fi
+		CPPFLAGS="$CPPFLAGS -D_XOPEN_SOURCE=600 -D__STRICT_ALIGNMENT"
+		AC_SUBST([PLATFORM_LDADD], ['-lpthread'])
+		;;
+	*linux*)
+		HOST_OS=linux
+		HOST_ABI=elf
+		CPPFLAGS="$CPPFLAGS -D_DEFAULT_SOURCE -D_BSD_SOURCE -D_POSIX_SOURCE -D_GNU_SOURCE"
+		;;
+	*netbsd*)
+		HOST_OS=netbsd
+		CPPFLAGS="$CPPFLAGS -D_OPENBSD_SOURCE"
+		;;
+	*openbsd* | *bitrig*)
+		HOST_ABI=elf
+		AC_DEFINE([HAVE_ATTRIBUTE__BOUNDED__], [1], [OpenBSD gcc has bounded])
+		;;
+	*mingw*)
+		HOST_OS=win
+		CPPFLAGS="$CPPFLAGS -D_GNU_SOURCE -D_POSIX -D_POSIX_SOURCE -D__USE_MINGW_ANSI_STDIO"
+		CPPFLAGS="$CPPFLAGS -D_REENTRANT -D_POSIX_THREAD_SAFE_FUNCTIONS"
+		CPPFLAGS="$CPPFLAGS -DWIN32_LEAN_AND_MEAN -D_WIN32_WINNT=0x0501"
+		CPPFLAGS="$CPPFLAGS -DOPENSSL_NO_SPEED -DNO_SYSLOG"
+		CFLAGS="$CFLAGS -static-libgcc"
+		LDFLAGS="$LDFLAGS -static-libgcc"
+		AC_SUBST([PLATFORM_LDADD], ['-lws2_32'])
+		;;
+	*solaris*)
+		HOST_OS=solaris
+		HOST_ABI=elf
+		CPPFLAGS="$CPPFLAGS -D__EXTENSIONS__ -D_XOPEN_SOURCE=600 -DBSD_COMP"
+		AC_SUBST([PLATFORM_LDADD], ['-lnsl -lsocket'])
+		;;
+	*) ;;
+esac
+
+AM_CONDITIONAL([HOST_AIX],     [test x$HOST_OS = xaix])
+AM_CONDITIONAL([HOST_CYGWIN],  [test x$HOST_OS = xcygwin])
+AM_CONDITIONAL([HOST_DARWIN],  [test x$HOST_OS = xdarwin])
+AM_CONDITIONAL([HOST_FREEBSD], [test x$HOST_OS = xfreebsd])
+AM_CONDITIONAL([HOST_HPUX],    [test x$HOST_OS = xhpux])
+AM_CONDITIONAL([HOST_LINUX],   [test x$HOST_OS = xlinux])
+AM_CONDITIONAL([HOST_NETBSD],  [test x$HOST_OS = xnetbsd])
+AM_CONDITIONAL([HOST_SOLARIS], [test x$HOST_OS = xsolaris])
+AM_CONDITIONAL([HOST_WIN],     [test x$HOST_OS = xwin])
+])

m4/disable-compiler-warnings.m4

@@ -0,0 +1,29 @@
+AC_DEFUN([DISABLE_COMPILER_WARNINGS], [
+# Clang throws a lot of warnings when it does not understand a flag. Disable
+# this warning for now so other warnings are visible.
+AC_MSG_CHECKING([if compiling with clang])
+AC_COMPILE_IFELSE([AC_LANG_PROGRAM([], [[
+#ifndef __clang__
+	not clang
+#endif
+	]])],
+	[CLANG=yes],
+	[CLANG=no]
+)
+AC_MSG_RESULT([$CLANG])
+AS_IF([test "x$CLANG" = "xyes"], [CLANG_FLAGS=-Qunused-arguments])
+CFLAGS="$CFLAGS $CLANG_FLAGS"
+LDFLAGS="$LDFLAGS $CLANG_FLAGS"
+
+# Removing the dependency on -Wno-pointer-sign should be a goal. These are
+# largely unsigned char */char* mismatches in asn1 functions.
+save_cflags="$CFLAGS"
+CFLAGS=-Wno-pointer-sign
+AC_MSG_CHECKING([whether CC supports -Wno-pointer-sign])
+AC_COMPILE_IFELSE([AC_LANG_PROGRAM([])],
+	[AC_MSG_RESULT([yes])]
+	[AM_CFLAGS=-Wno-pointer-sign],
+	[AC_MSG_RESULT([no])]
+)
+CFLAGS="$save_cflags $AM_CFLAGS"
+])

man/Makefile.am.tpl

@@ -1,2 +0,0 @@
-include $(top_srcdir)/Makefile.am.common
-dist_man_MANS=

man/update_links.sh

@@ -0,0 +1,18 @@
+#!/bin/sh
+
+# Run this periodically to ensure that the manpage links are up to date
+
+echo "# This is an auto-generated file by $0" > links
+sudo makewhatis
+for i in `ls -1 *.3`; do
+  name=`echo $i|cut -d. -f1`
+  links=`sqlite3 /usr/share/man/mandoc.db \
+    "select names.name from mlinks,names where mlinks.name='$name' and mlinks.pageid=names.pageid;"`
+  for j in $links; do
+    a=`echo "x$j" | tr '[:upper:]' '[:lower:]'`
+    b=`echo "x$name" | tr '[:upper:]' '[:lower:]'`
+    if [ $a != $b ]; then
+      echo $name.3,$j.3 >> links
+    fi
+  done
+done

patches/openssl.c.patch

@@ -0,0 +1,29 @@
+--- apps/openssl.c.orig	2015-06-05 03:42:12.956112944 -0500
++++ apps/openssl.c	2015-06-05 03:41:54.215381908 -0500
+@@ -130,6 +130,18 @@
+ #include <openssl/engine.h>
+ #endif
+ 
++#ifdef _WIN32
++#include <fcntl.h>
++static void set_stdio_binary(void)
++{
++	_setmode(_fileno(stdin), _O_BINARY);
++	_setmode(_fileno(stdout), _O_BINARY);
++	_setmode(_fileno(stderr), _O_BINARY);
++}
++#else
++static void set_stdio_binary(void) {};
++#endif
++
+ #include "progs.h"
+ #include "s_apps.h"
+ 
+@@ -216,6 +228,7 @@
+ #endif
+ 
+ 	setup_ui_method();
++	set_stdio_binary();
+ }
+ 
+ static void

patches/win_bio_sock_init.diff

@@ -1,44 +0,0 @@
-diff --git a/src/usr.bin/openssl/openssl.c b/src/usr.bin/openssl/openssl.c
-index e7dd11c..cfd4593 100644
---- a/src/usr.bin/openssl/openssl.c
-+++ b/src/usr.bin/openssl/openssl.c
-@@ -253,6 +253,11 @@ main(int argc, char **argv)
- 	arg.data = NULL;
- 	arg.count = 0;
- 
-+	if (BIO_sock_init() != 1) {
-+		fprintf(stderr, "BIO_sock_init failed\n");
-+		exit(1);
-+	}
-+
- 	bio_err = BIO_new_fp(stderr, BIO_NOCLOSE);
- 	if (bio_err == NULL) {
- 		fprintf(stderr, "openssl: failed to initialise bio_err\n");
-diff --git a/src/usr.bin/openssl/s_socket.c b/src/usr.bin/openssl/s_socket.c
-index 3b96b1a..2ce31eb 100644
---- a/src/usr.bin/openssl/s_socket.c
-+++ b/src/usr.bin/openssl/s_socket.c
-@@ -85,11 +85,6 @@ init_client(int *sock, char *host, char *port, int type, int af)
- 	struct addrinfo hints, *ai_top, *ai;
- 	int i, s;
- 
--	if (BIO_sock_init() != 1) {
--		BIO_printf(bio_err, "BIO_sock_init failed\n");
--		return (0);
--	}
--
- 	memset(&hints, '\0', sizeof(hints));
- 	hints.ai_family = af;
- 	hints.ai_socktype = type;
-@@ -181,11 +176,6 @@ init_server_long(int *sock, int port, char *ip, int type)
- 	struct sockaddr_in server;
- 	int s = -1;
- 
--	if (BIO_sock_init() != 1) {
--		BIO_printf(bio_err, "BIO_sock_init failed\n");
--		return (0);
--	}
--
- 	memset((char *) &server, 0, sizeof(server));
- 	server.sin_family = AF_INET;
- 	server.sin_port = htons((unsigned short) port);

ssl/Makefile.am

@@ -5,7 +5,6 @@ lib_LTLIBRARIES = libssl.la
 EXTRA_DIST = VERSION
 
 libssl_la_LDFLAGS = -version-info @LIBSSL_VERSION@ -no-undefined
-libssl_la_CFLAGS = $(CFLAGS) $(USER_CFLAGS)
 libssl_la_LIBADD = ../crypto/libcrypto.la
 
 libssl_la_SOURCES = bio_ssl.c

tests/Makefile.am

@@ -0,0 +1,302 @@
+include $(top_srcdir)/Makefile.am.common
+
+AM_CPPFLAGS += -I $(top_srcdir)/crypto/modes
+AM_CPPFLAGS += -I $(top_srcdir)/crypto/asn1
+AM_CPPFLAGS += -I $(top_srcdir)/ssl
+AM_CPPFLAGS += -I $(top_srcdir)/apps
+
+LDADD = $(PLATFORM_LDADD) $(PROG_LDADD)
+LDADD += $(top_builddir)/ssl/libssl.la
+LDADD += $(top_builddir)/crypto/libcrypto.la
+
+TESTS =
+check_PROGRAMS =
+EXTRA_DIST =
+DISTCLEANFILES = pidwraptest.txt
+
+# aeadtest
+TESTS += aeadtest.sh
+check_PROGRAMS += aeadtest
+aeadtest_SOURCES = aeadtest.c
+EXTRA_DIST += aeadtest.sh
+EXTRA_DIST += aeadtests.txt
+
+# aes_wrap
+TESTS += aes_wrap
+check_PROGRAMS += aes_wrap
+aes_wrap_SOURCES = aes_wrap.c
+
+# arc4randomforktest
+# Windows/mingw does not have fork, but Cygwin does.
+if !HOST_WIN
+TESTS += arc4randomforktest.sh
+check_PROGRAMS += arc4randomforktest
+arc4randomforktest_SOURCES = arc4randomforktest.c
+endif
+EXTRA_DIST += arc4randomforktest.sh
+
+# asn1test
+TESTS += asn1test
+check_PROGRAMS += asn1test
+asn1test_SOURCES = asn1test.c
+
+# base64test
+TESTS += base64test
+check_PROGRAMS += base64test
+base64test_SOURCES = base64test.c
+
+# bftest
+TESTS += bftest
+check_PROGRAMS += bftest
+bftest_SOURCES = bftest.c
+
+# biotest
+# the BIO tests rely on resolver results that are OS and environment-specific
+if ENABLE_EXTRATESTS
+TESTS += biotest
+check_PROGRAMS += biotest
+biotest_SOURCES = biotest.c
+endif
+
+# bntest
+TESTS += bntest
+check_PROGRAMS += bntest
+bntest_SOURCES = bntest.c
+
+# bytestringtest
+TESTS += bytestringtest
+check_PROGRAMS += bytestringtest
+bytestringtest_SOURCES = bytestringtest.c
+
+# casttest
+TESTS += casttest
+check_PROGRAMS += casttest
+casttest_SOURCES = casttest.c
+
+# chachatest
+TESTS += chachatest
+check_PROGRAMS += chachatest
+chachatest_SOURCES = chachatest.c
+
+# cipher_list
+TESTS += cipher_list
+check_PROGRAMS += cipher_list
+cipher_list_SOURCES = cipher_list.c
+noinst_HEADERS = tests.h
+
+# cipherstest
+TESTS += cipherstest
+check_PROGRAMS += cipherstest
+cipherstest_SOURCES = cipherstest.c
+
+# cts128test
+TESTS += cts128test
+check_PROGRAMS += cts128test
+cts128test_SOURCES = cts128test.c
+
+# destest
+TESTS += destest
+check_PROGRAMS += destest
+destest_SOURCES = destest.c
+
+# dhtest
+TESTS += dhtest
+check_PROGRAMS += dhtest
+dhtest_SOURCES = dhtest.c
+
+# dsatest
+TESTS += dsatest
+check_PROGRAMS += dsatest
+dsatest_SOURCES = dsatest.c
+
+# ecdhtest
+TESTS += ecdhtest
+check_PROGRAMS += ecdhtest
+ecdhtest_SOURCES = ecdhtest.c
+
+# ecdsatest
+TESTS += ecdsatest
+check_PROGRAMS += ecdsatest
+ecdsatest_SOURCES = ecdsatest.c
+
+# ectest
+TESTS += ectest
+check_PROGRAMS += ectest
+ectest_SOURCES = ectest.c
+
+# enginetest
+TESTS += enginetest
+check_PROGRAMS += enginetest
+enginetest_SOURCES = enginetest.c
+
+# evptest
+TESTS += evptest.sh
+check_PROGRAMS += evptest
+evptest_SOURCES = evptest.c
+EXTRA_DIST += evptest.sh
+EXTRA_DIST += evptests.txt
+
+# explicit_bzero
+# explicit_bzero relies on SA_ONSTACK, which is unavailable on Windows
+if !HOST_WIN
+if !HOST_CYGWIN
+TESTS += explicit_bzero
+check_PROGRAMS += explicit_bzero
+explicit_bzero_SOURCES = explicit_bzero.c
+if !HAVE_MEMMEM
+explicit_bzero_SOURCES += memmem.c
+endif
+endif
+endif
+
+# exptest
+TESTS += exptest
+check_PROGRAMS += exptest
+exptest_SOURCES = exptest.c
+
+# gcm128test
+TESTS += gcm128test
+check_PROGRAMS += gcm128test
+gcm128test_SOURCES = gcm128test.c
+
+# gost2814789t
+TESTS += gost2814789t
+check_PROGRAMS += gost2814789t
+gost2814789t_SOURCES = gost2814789t.c
+
+# hmactest
+TESTS += hmactest
+check_PROGRAMS += hmactest
+hmactest_SOURCES = hmactest.c
+
+# ideatest
+TESTS += ideatest
+check_PROGRAMS += ideatest
+ideatest_SOURCES = ideatest.c
+
+# igetest
+TESTS += igetest
+check_PROGRAMS += igetest
+igetest_SOURCES = igetest.c
+
+# md4test
+TESTS += md4test
+check_PROGRAMS += md4test
+md4test_SOURCES = md4test.c
+
+# md5test
+TESTS += md5test
+check_PROGRAMS += md5test
+md5test_SOURCES = md5test.c
+
+# mont
+TESTS += mont
+check_PROGRAMS += mont
+mont_SOURCES = mont.c
+
+# optionstest
+TESTS += optionstest
+check_PROGRAMS += optionstest
+optionstest_SOURCES = optionstest.c
+
+# pbkdf2
+TESTS += pbkdf2
+check_PROGRAMS += pbkdf2
+pbkdf2_SOURCES = pbkdf2.c
+
+# pidwraptest
+# pidwraptest relies on an OS-specific way to give out pids and is generally
+# awkward on systems with slow fork
+if ENABLE_EXTRATESTS
+TESTS += pidwraptest
+check_PROGRAMS += pidwraptest
+pidwraptest_SOURCES = pidwraptest.c
+endif
+
+# pkcs7test
+TESTS += pkcs7test
+check_PROGRAMS += pkcs7test
+pkcs7test_SOURCES = pkcs7test.c
+
+# poly1305test
+TESTS += poly1305test
+check_PROGRAMS += poly1305test
+poly1305test_SOURCES = poly1305test.c
+
+# pq_test
+TESTS += pq_test.sh
+check_PROGRAMS += pq_test
+pq_test_SOURCES = pq_test.c
+EXTRA_DIST += pq_test.sh
+EXTRA_DIST += pq_expected.txt
+
+# randtest
+TESTS += randtest
+check_PROGRAMS += randtest
+randtest_SOURCES = randtest.c
+
+# rc2test
+TESTS += rc2test
+check_PROGRAMS += rc2test
+rc2test_SOURCES = rc2test.c
+
+# rc4test
+TESTS += rc4test
+check_PROGRAMS += rc4test
+rc4test_SOURCES = rc4test.c
+
+# rmdtest
+TESTS += rmdtest
+check_PROGRAMS += rmdtest
+rmdtest_SOURCES = rmdtest.c
+
+# sha1test
+TESTS += sha1test
+check_PROGRAMS += sha1test
+sha1test_SOURCES = sha1test.c
+
+# sha256test
+TESTS += sha256test
+check_PROGRAMS += sha256test
+sha256test_SOURCES = sha256test.c
+
+# sha512test
+TESTS += sha512test
+check_PROGRAMS += sha512test
+sha512test_SOURCES = sha512test.c
+
+# shatest
+TESTS += shatest
+check_PROGRAMS += shatest
+shatest_SOURCES = shatest.c
+
+# ssltest
+TESTS += ssltest.sh
+check_PROGRAMS += ssltest
+ssltest_SOURCES = ssltest.c
+EXTRA_DIST += ssltest.sh
+EXTRA_DIST += testssl ca.pem server.pem
+
+# testdsa
+TESTS += testdsa.sh
+EXTRA_DIST += testdsa.sh
+EXTRA_DIST += openssl.cnf
+
+# testenc
+TESTS += testenc.sh
+EXTRA_DIST += testenc.sh
+
+# testrsa
+TESTS += testrsa.sh
+EXTRA_DIST += testrsa.sh
+
+# timingsafe
+TESTS += timingsafe
+check_PROGRAMS += timingsafe
+timingsafe_SOURCES = timingsafe.c
+
+# utf8test
+TESTS += utf8test
+check_PROGRAMS += utf8test
+utf8test_SOURCES = utf8test.c
+

tests/Makefile.am.tpl

@@ -1,15 +0,0 @@
-include $(top_srcdir)/Makefile.am.common
-
-AM_CPPFLAGS += -I $(top_srcdir)/crypto/modes
-AM_CPPFLAGS += -I $(top_srcdir)/crypto/asn1
-AM_CPPFLAGS += -I $(top_srcdir)/ssl
-
-LDADD = $(PLATFORM_LDADD) $(PROG_LDADD)
-LDADD += $(top_builddir)/ssl/libssl.la
-LDADD += $(top_builddir)/crypto/libcrypto.la
-
-TESTS =
-check_PROGRAMS =
-EXTRA_DIST =
-DISTCLEANFILES = pidwraptest.txt
-

tests/openssl.cnf

@@ -0,0 +1,29 @@
+#	$OpenBSD: openssl.cnf,v 1.1 2014/08/26 17:50:07 jsing Exp $
+
+#
+# SSLeay example configuration file.
+# This is mostly being used for generation of certificate requests.
+#
+# hacked by iang to do DSA certs - Server
+
+RANDFILE              = ./.rnd
+
+####################################################################
+[ req ]
+distinguished_name    = req_distinguished_name
+encrypt_rsa_key               = no
+
+[ req_distinguished_name ]
+countryName                   = Country Name (2 letter code)
+countryName_default           = CA
+countryName_value             = CA
+
+organizationName                = Organization Name (eg, company)
+organizationName_value          = Shake it Vera 
+
+0.commonName                  = Common Name (eg, YOUR name)
+0.commonName_value            = Wastelandus
+
+1.commonName                  = Common Name (eg, YOUR name)
+1.commonName_value            = Maximus
+

tests/optionstest.c

@@ -0,0 +1,382 @@
+/*	$OpenBSD: optionstest.c,v 1.8 2015/01/22 05:48:00 doug Exp $	*/
+/*
+ * Copyright (c) 2014 Joel Sing <jsing@openbsd.org>
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+ * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+ * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+
+#include <openssl/bio.h>
+#include <openssl/conf.h>
+
+#include <apps.h>
+#include <apps.c>
+#include <strtonum.c>
+
+/* Needed to keep apps.c happy... */
+BIO *bio_err;
+CONF *config;
+
+static int argfunc(char *arg);
+static int defaultarg(int argc, char **argv, int *argsused);
+static int multiarg(int argc, char **argv, int *argsused);
+
+static struct {
+	char *arg;
+	int flag;
+} test_config;
+
+static struct option test_options[] = {
+	{
+		.name = "arg",
+		.argname = "argname",
+		.type = OPTION_ARG,
+		.opt.arg = &test_config.arg,
+	},
+	{
+		.name = "argfunc",
+		.argname = "argname",
+		.type = OPTION_ARG_FUNC,
+		.opt.argfunc = argfunc,
+	},
+	{
+		.name = "flag",
+		.type = OPTION_FLAG,
+		.opt.flag = &test_config.flag,
+	},
+	{
+		.name = "multiarg",
+		.type = OPTION_ARGV_FUNC,
+		.opt.argvfunc = multiarg,
+	},
+	{
+		.name = NULL,
+		.type = OPTION_ARGV_FUNC,
+		.opt.argvfunc = defaultarg,
+	},
+	{ NULL },
+};
+
+char *args1[] = { "opts" };
+char *args2[] = { "opts", "-arg", "arg", "-flag" };
+char *args3[] = { "opts", "-arg", "arg", "-flag", "unnamed" };
+char *args4[] = { "opts", "-arg", "arg", "unnamed", "-flag" };
+char *args5[] = { "opts", "unnamed1", "-arg", "arg", "-flag", "unnamed2" };
+char *args6[] = { "opts", "-argfunc", "arg", "-flag" };
+char *args7[] = { "opts", "-arg", "arg", "-flag", "-", "-unnamed" };
+char *args8[] = { "opts", "-arg", "arg", "-flag", "file1", "file2", "file3" };
+char *args9[] = { "opts", "-arg", "arg", "-flag", "file1", "-file2", "file3" };
+char *args10[] = { "opts", "-arg", "arg", "-flag", "-", "file1", "file2" };
+char *args11[] = { "opts", "-arg", "arg", "-flag", "-", "-file1", "-file2" };
+char *args12[] = { "opts", "-multiarg", "arg1", "arg2", "-flag", "unnamed" };
+char *args13[] = { "opts", "-multiargz", "arg1", "arg2", "-flagz", "unnamed" };
+
+struct options_test {
+	int argc;
+	char **argv;
+	enum {
+		OPTIONS_TEST_NONE,
+		OPTIONS_TEST_UNNAMED,
+		OPTIONS_TEST_ARGSUSED,
+	} type;
+	char *unnamed;
+	int used;
+	int want;
+	char *wantarg;
+	int wantflag;
+};
+
+struct options_test options_tests[] = {
+	{
+		/* Test 1 - No arguments (only program name). */
+		.argc = 1,
+		.argv = args1,
+		.type = OPTIONS_TEST_NONE,
+		.want = 0,
+		.wantarg = NULL,
+		.wantflag = 0,
+	},
+	{
+		/* Test 2 - Named arguments (unnamed not permitted). */
+		.argc = 4,
+		.argv = args2,
+		.type = OPTIONS_TEST_NONE,
+		.want = 0,
+		.wantarg = "arg",
+		.wantflag = 1,
+	},
+	{
+		/* Test 3 - Named arguments (unnamed permitted). */
+		.argc = 4,
+		.argv = args2,
+		.type = OPTIONS_TEST_UNNAMED,
+		.unnamed = NULL,
+		.want = 0,
+		.wantarg = "arg",
+		.wantflag = 1,
+	},
+	{
+		/* Test 4 - Named and single unnamed (unnamed not permitted). */
+		.argc = 5,
+		.argv = args3,
+		.type = OPTIONS_TEST_NONE,
+		.want = 1,
+	},
+	{
+		/* Test 5 - Named and single unnamed (unnamed permitted). */
+		.argc = 5,
+		.argv = args3,
+		.type = OPTIONS_TEST_UNNAMED,
+		.unnamed = "unnamed",
+		.want = 0,
+		.wantarg = "arg",
+		.wantflag = 1,
+	},
+	{
+		/* Test 6 - Named and single unnamed (different sequence). */
+		.argc = 5,
+		.argv = args4,
+		.type = OPTIONS_TEST_UNNAMED,
+		.unnamed = "unnamed",
+		.want = 0,
+		.wantarg = "arg",
+		.wantflag = 1,
+	},
+	{
+		/* Test 7 - Multiple unnamed arguments (should fail). */
+		.argc = 6,
+		.argv = args5,
+		.type = OPTIONS_TEST_UNNAMED,
+		.want = 1,
+	},
+	{
+		/* Test 8 - Function. */
+		.argc = 4,
+		.argv = args6,
+		.type = OPTIONS_TEST_NONE,
+		.want = 0,
+		.wantarg = "arg",
+		.wantflag = 1,
+	},
+	{
+		/* Test 9 - Named and single unnamed (hyphen separated). */
+		.argc = 6,
+		.argv = args7,
+		.type = OPTIONS_TEST_UNNAMED,
+		.unnamed = "-unnamed",
+		.want = 0,
+		.wantarg = "arg",
+		.wantflag = 1,
+	},
+	{
+		/* Test 10 - Named and multiple unnamed. */
+		.argc = 7,
+		.argv = args8,
+		.used = 4,
+		.type = OPTIONS_TEST_ARGSUSED,
+		.want = 0,
+		.wantarg = "arg",
+		.wantflag = 1,
+	},
+	{
+		/* Test 11 - Named and multiple unnamed. */
+		.argc = 7,
+		.argv = args9,
+		.used = 4,
+		.type = OPTIONS_TEST_ARGSUSED,
+		.want = 0,
+		.wantarg = "arg",
+		.wantflag = 1,
+	},
+	{
+		/* Test 12 - Named and multiple unnamed. */
+		.argc = 7,
+		.argv = args10,
+		.used = 5,
+		.type = OPTIONS_TEST_ARGSUSED,
+		.want = 0,
+		.wantarg = "arg",
+		.wantflag = 1,
+	},
+	{
+		/* Test 13 - Named and multiple unnamed. */
+		.argc = 7,
+		.argv = args11,
+		.used = 5,
+		.type = OPTIONS_TEST_ARGSUSED,
+		.want = 0,
+		.wantarg = "arg",
+		.wantflag = 1,
+	},
+	{
+		/* Test 14 - Named only. */
+		.argc = 4,
+		.argv = args2,
+		.used = 4,
+		.type = OPTIONS_TEST_ARGSUSED,
+		.want = 0,
+		.wantarg = "arg",
+		.wantflag = 1,
+	},
+	{
+		/* Test 15 - Multiple argument callback. */
+		.argc = 6,
+		.argv = args12,
+		.unnamed = "unnamed",
+		.type = OPTIONS_TEST_UNNAMED,
+		.want = 0,
+		.wantarg = NULL,
+		.wantflag = 1,
+	},
+	{
+		/* Test 16 - Multiple argument callback. */
+		.argc = 6,
+		.argv = args12,
+		.used = 5,
+		.type = OPTIONS_TEST_ARGSUSED,
+		.want = 0,
+		.wantarg = NULL,
+		.wantflag = 1,
+	},
+	{
+		/* Test 17 - Default callback. */
+		.argc = 6,
+		.argv = args13,
+		.unnamed = "unnamed",
+		.type = OPTIONS_TEST_UNNAMED,
+		.want = 0,
+		.wantarg = NULL,
+		.wantflag = 1,
+	},
+	{
+		/* Test 18 - Default callback. */
+		.argc = 6,
+		.argv = args13,
+		.used = 5,
+		.type = OPTIONS_TEST_ARGSUSED,
+		.want = 0,
+		.wantarg = NULL,
+		.wantflag = 1,
+	},
+};
+
+#define N_OPTIONS_TESTS \
+    (sizeof(options_tests) / sizeof(*options_tests))
+
+static int
+argfunc(char *arg)
+{
+	test_config.arg = arg;
+	return (0);
+}
+
+static int
+defaultarg(int argc, char **argv, int *argsused)
+{
+	if (argc < 1)
+		return (1);
+
+	if (strcmp(argv[0], "-multiargz") == 0) {
+		if (argc < 3)
+			return (1);
+		*argsused = 3;
+		return (0);
+	} else if (strcmp(argv[0], "-flagz") == 0) {
+		test_config.flag = 1;
+		*argsused = 1;
+		return (0);
+	}
+
+	return (1);
+}
+
+static int
+multiarg(int argc, char **argv, int *argsused)
+{
+	if (argc < 3)
+		return (1);
+
+	*argsused = 3;
+	return (0);
+}
+
+static int
+do_options_test(int test_no, struct options_test *ot)
+{
+	int *argsused = NULL;
+	char *unnamed = NULL;
+	char **arg = NULL;
+	int used = 0;
+	int ret;
+
+	if (ot->type == OPTIONS_TEST_UNNAMED)
+		arg = &unnamed;
+	else if (ot->type == OPTIONS_TEST_ARGSUSED)
+		argsused = &used;
+
+	memset(&test_config, 0, sizeof(test_config));
+	ret = options_parse(ot->argc, ot->argv, test_options, arg, argsused);
+	if (ret != ot->want) {
+		fprintf(stderr, "FAIL: test %i options_parse() returned %i, "
+		    "want %i\n", test_no, ret, ot->want);
+		return (1);
+	}
+	if (ret != 0)
+		return (0);
+
+	if ((test_config.arg != NULL || ot->wantarg != NULL) &&
+	    (test_config.arg == NULL || ot->wantarg == NULL ||
+	     strcmp(test_config.arg, ot->wantarg) != 0)) {
+		fprintf(stderr, "FAIL: test %i got arg '%s', want '%s'\n",
+		    test_no, test_config.arg, ot->wantarg);
+		return (1);
+	}
+	if (test_config.flag != ot->wantflag) {
+		fprintf(stderr, "FAIL: test %i got flag %i, want %i\n",
+		    test_no, test_config.flag, ot->wantflag);
+		return (1);
+	}
+	if (ot->type == OPTIONS_TEST_UNNAMED &&
+	    (unnamed != NULL || ot->unnamed != NULL) &&
+	    (unnamed == NULL || ot->unnamed == NULL ||
+	     strcmp(unnamed, ot->unnamed) != 0)) {
+		fprintf(stderr, "FAIL: test %i got unnamed '%s', want '%s'\n",
+		    test_no, unnamed, ot->unnamed);
+		return (1);
+	}
+	if (ot->type == OPTIONS_TEST_ARGSUSED && used != ot->used) {
+		fprintf(stderr, "FAIL: test %i got used %i, want %i\n",
+		    test_no, used, ot->used);
+		return (1);
+	}
+
+	return (0);
+}
+
+int
+main(int argc, char **argv)
+{
+	int failed = 0;
+	size_t i;
+
+	for (i = 0; i < N_OPTIONS_TESTS; i++) {
+		printf("Test %d%s\n", (int)(i + 1), options_tests[i].want == 0 ?
+		    "" : " is expected to complain");
+		failed += do_options_test(i + 1, &options_tests[i]);
+	}
+
+	return (failed);
+}

tests/testdsa.sh

@@ -0,0 +1,38 @@
+#!/bin/sh
+#	$OpenBSD: testdsa.sh,v 1.1 2014/08/26 17:50:07 jsing Exp $
+
+
+#Test DSA certificate generation of openssl
+
+cmd=../apps/openssl
+if [ -e ../apps/openssl.exe ]; then
+	cmd=../apps/openssl.exe
+fi
+
+if [ -z $srcdir ]; then
+	srcdir=.
+fi
+
+# Generate DSA paramter set
+$cmd dsaparam 512 -out dsa512.pem
+if [ $? != 0 ]; then
+        exit 1;
+fi
+
+
+# Denerate a DSA certificate
+$cmd req -config $srcdir/openssl.cnf -x509 -newkey dsa:dsa512.pem -out testdsa.pem -keyout testdsa.key
+if [ $? != 0 ]; then
+        exit 1;
+fi
+
+
+# Now check the certificate
+$cmd x509 -text -in testdsa.pem
+if [ $? != 0 ]; then
+        exit 1;
+fi
+
+rm testdsa.key dsa512.pem testdsa.pem
+
+exit 0

tests/testenc.sh

@@ -0,0 +1,69 @@
+#!/bin/sh
+#	$OpenBSD: testenc.sh,v 1.1 2014/08/26 17:50:07 jsing Exp $
+
+test=p
+cmd=../apps/openssl
+if [ -e ../apps/openssl.exe ]; then
+	cmd=../apps/openssl.exe
+fi
+
+cat openssl.cnf >$test;
+
+echo cat
+$cmd enc < $test > $test.cipher
+$cmd enc < $test.cipher >$test.clear
+cmp $test $test.clear
+if [ $? != 0 ]
+then
+	exit 1
+else
+	/bin/rm $test.cipher $test.clear
+fi
+echo base64
+$cmd enc -a -e < $test > $test.cipher
+$cmd enc -a -d < $test.cipher >$test.clear
+cmp $test $test.clear
+if [ $? != 0 ]
+then
+	exit 1
+else
+	/bin/rm $test.cipher $test.clear
+fi
+
+for i in \
+	aes-128-cbc aes-128-cfb aes-128-cfb1 aes-128-cfb8 \
+	aes-128-ecb aes-128-ofb aes-192-cbc aes-192-cfb \
+	aes-192-cfb1 aes-192-cfb8 aes-192-ecb aes-192-ofb \
+	aes-256-cbc aes-256-cfb aes-256-cfb1 aes-256-cfb8 \
+	aes-256-ecb aes-256-ofb \
+	bf-cbc bf-cfb bf-ecb bf-ofb \
+	cast-cbc cast5-cbc cast5-cfb cast5-ecb cast5-ofb \
+	des-cbc des-cfb des-cfb8 des-ecb des-ede \
+	des-ede-cbc des-ede-cfb des-ede-ofb des-ede3 \
+	des-ede3-cbc des-ede3-cfb des-ede3-ofb des-ofb desx-cbc \
+	rc2-40-cbc rc2-64-cbc rc2-cbc rc2-cfb rc2-ecb rc2-ofb \
+	rc4 rc4-40
+do
+	echo $i
+	$cmd $i -e -k test < $test > $test.$i.cipher
+	$cmd $i -d -k test < $test.$i.cipher >$test.$i.clear
+	cmp $test $test.$i.clear
+	if [ $? != 0 ]
+	then
+		exit 1
+	else
+		/bin/rm $test.$i.cipher $test.$i.clear
+	fi
+
+	echo $i base64
+	$cmd $i -a -e -k test < $test > $test.$i.cipher
+	$cmd $i -a -d -k test < $test.$i.cipher >$test.$i.clear
+	cmp $test $test.$i.clear
+	if [ $? != 0 ]
+	then
+		exit 1
+	else
+		/bin/rm $test.$i.cipher $test.$i.clear
+	fi
+done
+rm -f $test

tests/testrsa.sh

@@ -0,0 +1,38 @@
+#!/bin/sh
+#	$OpenBSD: testrsa.sh,v 1.1 2014/08/26 17:50:07 jsing Exp $
+
+
+#Test RSA certificate generation of openssl
+
+cmd=../apps/openssl
+if [ -e ../apps/openssl.exe ]; then
+	cmd=../apps/openssl.exe
+fi
+
+if [ -z $srcdir ]; then
+	srcdir=.
+fi
+
+# Generate RSA private key
+$cmd genrsa -out rsakey.pem
+if [ $? != 0 ]; then
+        exit 1;
+fi
+
+
+# Generate an RSA certificate
+$cmd req -config $srcdir/openssl.cnf -key rsakey.pem -new -x509 -days 365 -out rsacert.pem
+if [ $? != 0 ]; then
+        exit 1;
+fi
+
+
+# Now check the certificate
+$cmd x509 -text -in rsacert.pem
+if [ $? != 0 ]; then
+        exit 1;
+fi
+
+rm -f rsacert.pem rsakey.pem
+
+exit 0

tls/Makefile.am

@@ -5,7 +5,6 @@ lib_LTLIBRARIES = libtls.la
 EXTRA_DIST = VERSION
 
 libtls_la_LDFLAGS = -version-info @LIBTLS_VERSION@ -no-undefined
-libtls_la_CFLAGS = $(CFLAGS) $(USER_CFLAGS)
 libtls_la_LIBADD = ../crypto/libcrypto.la ../ssl/libssl.la $(PLATFORM_LDADD)
 
 libtls_la_SOURCES = tls.c

update.sh

@@ -43,6 +43,7 @@ source $libtls_src/shlib_version
 libtls_version=$major:$minor:0
 echo "libtls version $libtls_version"
 echo $libtls_version > tls/VERSION
+echo $major.$minor.0 > libtls-standalone/VERSION
 
 do_mv() {
 	if ! cmp -s "$1" "$2"
@@ -61,17 +62,34 @@ $CP $libcrypto_src/crypto/arch/amd64/opensslconf.h include/openssl
 $CP $libssl_src/src/crypto/opensslfeatures.h include/openssl
 $CP $libssl_src/src/e_os2.h include/openssl
 $CP $libssl_src/src/ssl/pqueue.h include
-$CP $libtls_src/tls.h include
 
-for i in explicit_bzero.c strlcpy.c strlcat.c strndup.c strnlen.c \
-		timingsafe_bcmp.c timingsafe_memcmp.c; do
-	$CP $libc_src/string/$i crypto/compat
+$CP $libtls_src/tls.h include
+$CP $libtls_src/tls.h libtls-standalone/include
+
+for i in crypto/compat libtls-standalone/compat; do
+	$CP $libc_src/crypt/arc4random.c \
+		$libc_src/crypt/chacha_private.h \
+		$libc_src/string/explicit_bzero.c \
+		$libc_src/stdlib/reallocarray.c \
+		$libc_src/string/strlcpy.c \
+		$libc_src/string/strlcat.c \
+		$libc_src/string/strndup.c \
+		$libc_src/string/strnlen.c \
+		$libc_src/string/timingsafe_bcmp.c \
+		$libc_src/string/timingsafe_memcmp.c \
+		$libcrypto_src/crypto/getentropy_*.c \
+		$libcrypto_src/crypto/arc4random_*.h \
+		$i
 done
-$CP $libc_src/stdlib/reallocarray.c crypto/compat
-$CP $libc_src/crypt/arc4random.c crypto/compat
-$CP $libc_src/crypt/chacha_private.h crypto/compat
-$CP $libcrypto_src/crypto/getentropy_*.c crypto/compat
-$CP $libcrypto_src/crypto/arc4random_*.h crypto/compat
+
+$CP include/stdlib.h \
+	include/string.h \
+	include/unistd.h \
+	libtls-standalone/include
+
+$CP crypto/compat/arc4random*.h \
+	crypto/compat/bsd-asprintf.c \
+	libtls-standalone/compat
 
 (cd $libssl_src/src/crypto/objects/;
 	perl objects.pl objects.txt obj_mac.num obj_mac.h;
@@ -95,7 +113,7 @@ copy_hdrs crypto "stack/stack.h lhash/lhash.h stack/safestack.h
 	aes/aes.h modes/modes.h asn1/asn1t.h dso/dso.h bf/blowfish.h
 	bio/bio.h cast/cast.h cmac/cmac.h conf/conf_api.h des/des.h dh/dh.h
 	dsa/dsa.h cms/cms.h engine/engine.h ui/ui.h pkcs12/pkcs12.h ts/ts.h
-	md4/md4.h ripemd/ripemd.h whrlpool/whrlpool.h idea/idea.h mdc2/mdc2.h
+	md4/md4.h ripemd/ripemd.h whrlpool/whrlpool.h idea/idea.h
 	rc2/rc2.h rc4/rc4.h ui/ui_compat.h txt_db/txt_db.h
 	chacha/chacha.h evp/evp.h poly1305/poly1305.h camellia/camellia.h
 	gost/gost.h"
@@ -166,14 +184,21 @@ done
 
 # copy libtls source
 echo copying libtls source
-rm -f tls/*.c tls/*.h
+rm -f tls/*.c tls/*.h libtls/src/*.c libtls/src/*.h
 for i in `awk '/SOURCES|HEADERS/ { print $3 }' tls/Makefile.am` ; do
 	if [ -e $libtls_src/$i ]; then
 		$CP $libtls_src/$i tls
-	else
-		$CP $libc_src/string/$i tls
+		$CP $libtls_src/$i libtls-standalone/src
 	fi
 done
+$CP $libc_src/string/strsep.c tls
+$CP $libc_src/string/strsep.c libtls-standalone/compat
+mkdir -p libtls-standalone/m4
+$CP m4/check*.m4 \
+	m4/disable*.m4 \
+	libtls-standalone/m4
+sed -e "s/compat\///" crypto/Makefile.am.arc4random > \
+	libtls-standalone/compat/Makefile.am.arc4random
 
 # copy openssl(1) source
 echo "copying openssl(1) source"
@@ -184,8 +209,7 @@ for i in `awk '/SOURCES|HEADERS/ { print $3 }' apps/Makefile.am` ; do
 		$CP $openssl_app_src/$i apps
 	fi
 done
-# patch for openssl(1) oscp on windows
-(cd apps; patch -p4 < $CWD/patches/win_bio_sock_init.diff)
+patch -p0 < patches/openssl.c.patch
 
 # copy libssl source
 echo "copying libssl source"
@@ -199,13 +223,14 @@ echo "copying tests"
 for i in `find $libcrypto_regress -name '*.c'`; do
 	 $CP "$i" tests
 done
-
-# the BIO tests rely on resolver results that are OS and environment-specific
-rm tests/biotest.c
+$CP $libcrypto_regress/evp/evptests.txt tests
+$CP $libcrypto_regress/aead/aeadtests.txt tests
+$CP $libcrypto_regress/pqueue/expected.txt tests/pq_expected.txt
 
 # copy libc tests
 $CP $libc_regress/arc4random-fork/arc4random-fork.c tests/arc4randomforktest.c
 $CP $libc_regress/explicit_bzero/explicit_bzero.c tests
+$CP $libc_src/string/memmem.c tests
 $CP $libc_regress/timingsafe/timingsafe.c tests
 
 # copy libssl tests
@@ -213,71 +238,13 @@ $CP $libssl_regress/ssl/testssl tests
 for i in `find $libssl_regress -name '*.c'`; do
 	 $CP "$i" tests
 done
+$CP $libssl_regress/unit/tests.h tests
 $CP $libssl_regress/certs/ca.pem tests
 $CP $libssl_regress/certs/server.pem tests
 
-# setup test drivers
-# do not directly run all test programs
-test_drivers=(
-	aeadtest
-	evptest
-	pq_test
-	ssltest
-	arc4randomforktest
-	pidwraptest
-)
-tests_posix_only=(
-	arc4randomforktest
-	explicit_bzero
-	pidwraptest
-)
-$CP $libc_src/string/memmem.c tests/
-(cd tests
-	$CP Makefile.am.tpl Makefile.am
-
-	for i in `ls -1 *.c|sort|grep -v memmem.c`; do
-		TEST=`echo $i|sed -e "s/\.c//"`
-		if [[ ${tests_posix_only[*]} =~ "$TEST" ]]; then
-			echo "if !HOST_WIN" >> Makefile.am
-		fi
-		if ! [[ ${test_drivers[*]} =~ "$TEST" ]]; then
-			echo "TESTS += $TEST" >> Makefile.am
-		fi
-		echo "check_PROGRAMS += $TEST" >> Makefile.am
-		echo "${TEST}_SOURCES = $i" >> Makefile.am
-		if [[ ${TEST} = "explicit_bzero" ]]; then
-			echo "if !HAVE_MEMMEM" >> Makefile.am
-			echo "explicit_bzero_SOURCES += memmem.c" >> Makefile.am
-			echo "endif" >> Makefile.am
-		fi
-		if [[ ${tests_posix_only[*]} =~ "$TEST" ]]; then
-			echo "endif" >> Makefile.am
-		fi
-	done
-)
-$CP $libcrypto_regress/evp/evptests.txt tests
-$CP $libcrypto_regress/aead/aeadtests.txt tests
-$CP $libcrypto_regress/pqueue/expected.txt tests/pq_expected.txt
 chmod 755 tests/testssl
-for i in "${test_drivers[@]}"; do
-	if [ -e tests/${i}.sh ]; then
-		if [[ ${tests_posix_only[*]} =~ "$i" ]]; then
-			echo "if !HOST_WIN" >> tests/Makefile.am
-		fi
-		if ! [[ ${tests_disabled[*]} =~ "$i" ]]; then
-			echo "TESTS += ${i}.sh" >> tests/Makefile.am
-		fi
-		if [[ ${tests_posix_only[*]} =~ "$i" ]]; then
-			echo "endif" >> tests/Makefile.am
-		fi
-		echo "EXTRA_DIST += ${i}.sh" >> tests/Makefile.am
-	fi
-done
-echo "EXTRA_DIST += aeadtests.txt" >> tests/Makefile.am
-echo "EXTRA_DIST += evptests.txt" >> tests/Makefile.am
-echo "EXTRA_DIST += pq_expected.txt" >> tests/Makefile.am
-echo "EXTRA_DIST += testssl ca.pem server.pem" >> tests/Makefile.am
 
+# add headers
 (cd include/openssl
 	$CP Makefile.am.tpl Makefile.am
 	for i in `ls -1 *.h|sort`; do
@@ -285,26 +252,49 @@ echo "EXTRA_DIST += testssl ca.pem server.pem" >> tests/Makefile.am
 	done
 )
 
-echo "copying manpages"
-# copy manpages
-(cd man
-	$CP Makefile.am.tpl Makefile.am
+add_man_links() {
+	filter=$1
+	dest=$2
+	echo "install-data-hook:" >> $dest
+	for i in `grep $filter man/links`; do
+		IFS=","; set $i; unset IFS
+		if [ "$2" != "" ]; then
+			echo "	ln -sf $1 \$(DESTDIR)\$(mandir)/man3/$2" >> $dest
+		fi
+	done
+	echo "" >> $dest
+	echo "uninstall-local:" >> $dest
+	for i in `grep $filter man/links`; do
+		IFS=","; set $i; unset IFS
+		if [ "$2" != "" ]; then
+			echo "	-rm -f \$(DESTDIR)\$(mandir)/man3/$2" >> $dest
+		fi
+	done
+}
 
+# copy manpages
+echo "copying manpages"
+echo dist_man_MANS= > man/Makefile.am
+
+$CP $openssl_app_src/openssl.1 man
+echo "dist_man_MANS += openssl.1" >> man/Makefile.am
+
+$CP $libtls_src/tls_init.3 man
+echo "dist_man_MANS += tls_init.3" >> man/Makefile.am
+
+(cd man
 	# update new-style manpages
 	for i in `ls -1 $libssl_src/src/doc/ssl/*.3 | sort`; do
 		NAME=`basename "$i"`
 		$CP $i .
 		echo "dist_man_MANS += $NAME" >> Makefile.am
 	done
+
 	for i in `ls -1 $libcrypto_src/man/*.3 | sort`; do
 		NAME=`basename "$i"`
 		$CP $i .
 		echo "dist_man_MANS += $NAME" >> Makefile.am
 	done
-	$CP $openssl_app_src/openssl.1 .
-	echo "dist_man_MANS += openssl.1" >> Makefile.am
-	$CP $libtls_src/tls_init.3 .
-	echo "dist_man_MANS += tls_init.3" >> Makefile.am
 
 	# convert remaining POD manpages
 	for i in `ls -1 $libssl_src/src/doc/crypto/*.pod | sort`; do
@@ -318,27 +308,12 @@ echo "copying manpages"
 		fi
 		echo "dist_man_MANS += $NAME.3" >> Makefile.am
 	done
-
-	echo "install-data-hook:" >> Makefile.am
-	source ./links
-	for i in $SSL_MLINKS; do
-		IFS=","; set $i; unset IFS
-		echo "	ln -f \$(DESTDIR)\$(mandir)/man3/$1 \\" >> Makefile.am
-		echo "    \$(DESTDIR)\$(mandir)/man3/$2" >> Makefile.am
-	done
-	for i in $TLS_MLINKS; do
-		IFS=","; set $i; unset IFS
-		echo "	ln -f \$(DESTDIR)\$(mandir)/man3/$1 \\" >> Makefile.am
-		echo "    \$(DESTDIR)\$(mandir)/man3/$2" >> Makefile.am
-	done
-	echo "" >> Makefile.am
-	echo "uninstall-local:" >> Makefile.am
-	for i in $SSL_MLINKS; do
-		IFS=","; set $i; unset IFS
-		echo "	-rm -f \$(DESTDIR)\$(mandir)/man3/$2" >> Makefile.am
-	done
-	for i in $TLS_MLINKS; do
-		IFS=","; set $i; unset IFS
-		echo "	rm -f \$(DESTDIR)\$(mandir)/man3/$2" >> Makefile.am
-	done
 )
+add_man_links . man/Makefile.am
+
+# standalone libtls manpages
+mkdir -p libtls-standalone/man
+echo "dist_man_MANS = tls_init.3" > libtls-standalone/man/Makefile.am
+
+$CP $libtls_src/tls_init.3 libtls-standalone/man
+add_man_links tls_init libtls-standalone/man/Makefile.am