update for 2.1.10

The API/ABI for the LibreSSL 2.1.x series is now fixed, so we can safely
enable libtls it by default. This is useful for new OpenNTPD and
OpenSMTPD releases as well.

ok deraadt@ beck@ sthen@

.gitignore

@@ -58,38 +58,41 @@ tests/pbkdf2*
 tests/*.pem
 tests/testssl
 tests/*.txt
-!tests/optionstest.c
 
 # ctags stuff
 TAGS
 
-autom4te.cache
+## The initial / makes these files only get ignored in particular directories.
+/autom4te.cache
 
 # Libtool adds these, at least sometimes
 INSTALL
-/COPYING
-m4/l*
-!m4/check*.m4
+/m4/libtool.m4
+/m4/ltoptions.m4
+/m4/ltsugar.m4
+/m4/ltversion.m4
+/m4/lt~obsolete.m4
 
-aclocal.m4
-compile
-doxygen
-config.guess
-config.log
-config.status
-config.sub
-configure
-depcomp
-config.h
-config.h.in
-install-sh
-libtool
-ltmain.sh
-missing
-stamp-h1
-stamp-h2
+/aclocal.m4
+/compile
+/doxygen
+/config.guess
+/config.log
+/config.status
+/config.sub
+/configure
+/depcomp
+/config.h
+/config.h.in
+/install-sh
+/libtool
+/ltmain.sh
+/missing
+/stamp-h1
+/stamp-h2
 
 include/openssl/Makefile.am
+tests/Makefile.am
 
 crypto/VERSION
 ssl/VERSION
@@ -103,37 +106,97 @@ include/pqueue.h
 include/tls.h
 include/openssl/*.h
 include/openssl/*.he
+apps/*.h
+apps/*.c
+apps/openssl
+apps/openssl.cnf
+!apps/apps_win.c
+!apps/poll_win.c
+!apps/certhash_disabled.c
 
-/apps/*.h
-/apps/*.c
-/apps/openssl
-/apps/openssl.cnf
-!/apps/apps_win.c
-!/apps/poll_win.c
-!/apps/certhash_disabled.c
-
-/crypto
-!/crypto/Makefile.am.*
-!/crypto/compat/arc4random.h
-!/crypto/compat/b_win.c
-!/crypto/compat/posix_win.c
-!/crypto/compat/bsd_asprintf.c
-!/crypto/compat/ui_openssl_win.c
-
-/libtls-standalone/include/*.h
-/libtls-standalone/src/*.c
-/libtls-standalone/src/*.h
-/libtls-standalone/src
-/libtls-standalone/compat
-!/libtls-standalone/compat/Makefile.am
-/libtls-standalone/VERSION
-/libtls-standalone/m4
-/libtls-standalone/man
+crypto/compat/arc4random.c
+crypto/compat/chacha_private.h
+crypto/compat/explicit_bzero.c
+crypto/compat/getentropy_*.c
+crypto/compat/reallocarray.c
+crypto/compat/strlcat.c
+crypto/compat/strlcpy.c
+crypto/compat/strndup.c
+crypto/compat/strnlen.c
+crypto/compat/timingsafe_bcmp.c
+crypto/compat/timingsafe_memcmp.c
+crypto/compat/arc4random_*.h
 
+crypto/aes/
+crypto/asn1/
+crypto/bf/
+crypto/bio/
+crypto/bn/
+crypto/buffer/
+crypto/camellia/
+crypto/cast/
+crypto/camellia/
+crypto/chacha/
+crypto/cmac/
+crypto/comp/
+crypto/conf/
+crypto/cpt_err.c
+crypto/cryptlib.c
+crypto/cryptlib.h
+crypto/cversion.c
+crypto/des/
+crypto/dh/
+crypto/dsa/
+crypto/dso/
+crypto/ec/
+crypto/ecdh/
+crypto/ecdsa/
+crypto/engine/
+crypto/err/
+crypto/evp/
+crypto/ex_data.c
+crypto/gost/
+crypto/hmac/
+crypto/idea/
+crypto/krb5/
+crypto/lhash/
+crypto/malloc-wrapper.c
+crypto/md32_common.h
+crypto/md4/
+crypto/md5/
+crypto/mdc2/
+crypto/mem_clr.c
+crypto/mem_dbg.c
+crypto/modes/
+crypto/o_init.c
+crypto/o_str.c
+crypto/o_time.c
+crypto/o_time.h
+crypto/objects
+crypto/ocsp/
+crypto/pem/
+crypto/pkcs12/
+crypto/pkcs7/
+crypto/poly1305/
+crypto/pqueue/
+crypto/rand/
+crypto/rc2/
+crypto/rc4/
+crypto/ripemd/
+crypto/rsa/
+crypto/sha/
+crypto/stack/
+crypto/ts/
+crypto/txt_db/
+crypto/ui/
+crypto/whrlpool/
+crypto/x509/
+crypto/x509v3/
 openbsd/
-
 *.tar.gz
 apps/*.1*
 man/*.3
 man/*.1
 man/Makefile.am
+.gitmodules
+COPYING

ChangeLog

@@ -31,27 +31,36 @@ LibreSSL Portable Release Notes:
 This release primarily addresses a number of security issues in coordination
 with the OpenSSL project.
 
-2.2.0 - Build cleanups and new OS support, Security Updates
+2.1.10
 
-	* AIX Support - thanks to Michael Felt
+	* Deprecated the SSL_OP_SINGLE_DH_USE flag
 
-	* Cygwin Support - thanks to Corinna Vinschen
+2.1.9 - Reliability Update
 
-	* Refactored build macros, support packaging libtls independently.
-	  There are more pieces required to support building and using OpenSSL
-	  with libtls, but this is an initial start at providing an
-	  independent package for people to start hacking on.
+	* Fixes from OpenSSL 1.0.1q
+	 - CVE-2015-3194 - NULL pointer dereference in client side certificate
+	                   validation.
+	 - CVE-2015-3195 - Memory leak in PKCS7 - not reachable from TLS/SSL
 
-	* Removal of OPENSSL_issetugid and all library getenv calls.
-	  Applications can and should no longer rely on environment variables
-	  for changing library behavior. OPENSSL_CONF/SSLEAY_CONF is still
-	  supported with the openssl(1) command.
+	* The following OpenSSL CVEs did not apply to LibreSSL
+	 - CVE-2015-3193 - Carry propagating bug in the x86_64 Montgomery squaring
+	                   procedure.
+	 - CVE-2015-3196 - Double free race condition of the identify hint data.
 
-	* libtls API and documentation additions
+	 See https://marc.info/?l=openbsd-announce&m=144925068504102
 
-	* Various bug fixes and simplifications to libssl and libcrypto
+2.1.8 - Security Update
 
-	* Fixes for the following issues are integrated into LibreSSL 2.2.0:
+	* Fixes for a memory leak and out-of-bounds access in OBJ_obj2txt
+	  reported by Qualys Security.
+	 - CVE-2015-5333 - memory leak in OBJ_obj2txt
+	 - CVE-2015-5334 - 1-byte buffer overflow in OBJ_obj2txt
+
+	 See http://www.openwall.com/lists/oss-security/2015/10/16/1
+
+2.1.7 - Security Update
+
+	* Fixes for the following issues are integrated into LibreSSL 2.1.7:
 	 - CVE-2015-1788 - Malformed ECParameters causes infinite loop
 	 - CVE-2015-1789 - Exploitable out-of-bounds read in X509_cmp_time
 	 - CVE-2015-1792 - CMS verify infinite loop with unknown hash function

Makefile.am.common

@@ -1,2 +1,2 @@
-AM_CFLAGS = -I$(top_srcdir)/include
-AM_CPPFLAGS = -DLIBRESSL_INTERNAL
+AM_CPPFLAGS = -I$(top_srcdir)/include
+AM_CPPFLAGS += -DLIBRESSL_INTERNAL

OPENBSD_BRANCH

@@ -1 +1 @@
-master
+OPENBSD_5_7

README

@@ -1,42 +1,9 @@
 This package is the official portable version of LibreSSL
 	(http://www.libressl.org).
 
-LibreSSL is a fork of OpenSSL 1.0.1 developed by the OpenBSD project.
-    (http://www.openbsd.org).
-
-Compatibility with OpenSSL:
-
- LibreSSL is API compatible with OpenSSL 1.0.1, but does not yet include all
- new APIs from OpenSSL 1.0.2 and later. LibreSSL also includes APIs not yet
- present in OpenSSL. The current common API subset is OpenSSL 1.0.1.
-
- LibreSSL it is not ABI compatible with any release of OpenSSL, or necessarily
- earlier releases of LibreSSL. You will need to relink your programs to
- LibreSSL in order to use it, just as in moving between major versions of OpenSSL.
- LibreSSL's installed library version numbers are incremented to account for
- ABI and API changes.
-
-Compatibility with other operating systems:
-
- While primarily developed on and taking advantage of APIs available on OpenBSD,
- the LibreSSL portable project attempts to provide working alternatives for
- other operating systems, and assists with improving OS-native implementations
- where possible.
-
-At the time of this writing, LibreSSL is know to build and work on:
-
- - Linux (kernel 3.17 or later recommended)
- - FreeBSD (tested with 9.2 and later)
- - NetBSD (tested with 6.1.5)
- - HP-UX (11i)
- - Solaris (11 and later preferred)
- - Mac OS X (tested with 10.8 and later)
- - AIX (5.3 and later)
-
-LibreSSL also supports the following Windows environments:
- - Microsoft Windows (Vista or higher, x86 and x64)
- - Wine (32-bit and 64-bit)
- - Builds with Mingw-w64 and Cygwin
+LibreSSL is a fork of OpenSSL developed by the OpenBSD project
+(http://www.openbsd.org). LibreSSL is developed on OpenBSD. This
+package then adds portability shims for other operating systems.
 
 Official release tarballs are available at your friendly neighborhood
 OpenBSD mirror in directory LibreSSL, e.g.:
@@ -64,24 +31,20 @@ prepare the source tree for building:
     or run './dist.sh' to prepare a tarball.
 
 Once you have a source tree from Git or FTP, run these commands to build and
-install the package on most systems.
+install the package:
 
   ./configure   # see ./configure --help for configuration options
   make check    # runs builtin unit tests
   make install  # set DESTDIR= to install to an alternate location
 
-OS specific build information:
+The resulting library and 'openssl' utility is largely API-compatible with
+OpenSSL 1.0.1. However, it is not ABI compatible - you will need to relink your
+programs to LibreSSL in order to use it, just as in moving from OpenSSL 0.9.8
+to 1.0.1.
 
- - HP-UX (11i)
-   Set the UNIX_STD environment variable to '2003' before running 'configure'
-   in order to build with the HP C/aC++ compiler. See the "standards(5)" man
-   page for more details.
+The project attempts to provide working alternatives for operating systems with
+limited or broken security primitives (e.g. arc4random(3), issetugid(2)) and
+assists with improving OS-native implementations where possible.
 
-    export UNIX_STD=2003
-    ./configure
-    make
-
- - Windows - Mingw-w64
-   LibreSSL builds against relatively recent versions of Mingw-w64, not to be
-   confused with the original mingw.org project.  Mingw-w64 3.2 or later
-   should work. See README.windows for more information
+LibreSSL portable will build on any reasonably modern version of Linux,
+Solaris, or OSX with a standards-compliant compiler and C library.

README.windows

@@ -36,7 +36,5 @@ cv2pdb to generate Visual Studio and windbg compatible debug files. cv2pdb is a
 tool developed for the D language and can be found here:
 https://github.com/rainers/cv2pdb
 
-Pre-built Windows binaries are available with LibreSSL releases if you do not
-have a mingw-w64 build environment. Mingw-w64 code is largely, but not 100%,
-compatible with code built from Visual Studio. Notably, FILE * pointers cannot
-be shared between code built for Mingw-w64 and Visual Studio.
+Pre-build Windows binaries are available with the LibreSSL release for your
+convenience.

VERSION

@@ -1 +1 @@
-2.2.0
+2.1.10

apps/Makefile.am

@@ -2,6 +2,7 @@ include $(top_srcdir)/Makefile.am.common
 
 bin_PROGRAMS = openssl
 
+openssl_CFLAGS = $(USER_CFLAGS)
 openssl_LDADD = $(PLATFORM_LDADD) $(PROG_LDADD)
 openssl_LDADD += $(top_builddir)/ssl/libssl.la
 openssl_LDADD += $(top_builddir)/crypto/libcrypto.la

configure.ac

@@ -1,17 +1,3 @@
-# Copyright (c) 2014-2015 Brent Cook
-#
-# Permission to use, copy, modify, and distribute this software for any
-# purpose with or without fee is hereby granted, provided that the above
-# copyright notice and this permission notice appear in all copies.
-#
-# THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
-# WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
-# MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
-# ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
-# WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
-# ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
-# OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
-
 AC_INIT([libressl], m4_esyscmd([tr -d '\n' < VERSION]))
 AC_SUBST([LIBCRYPTO_VERSION], m4_esyscmd([tr -d '\n' < crypto/VERSION]))
 AC_SUBST([LIBSSL_VERSION], m4_esyscmd([tr -d '\n' < ssl/VERSION]))
@@ -23,36 +9,264 @@ AC_CONFIG_MACRO_DIR([m4])
 
 m4_ifdef([AM_SILENT_RULES], [AM_SILENT_RULES([yes])])
 
-# This must be saved before AC_PROG_CC
-USER_CFLAGS="$CFLAGS"
+AC_SUBST([USER_CFLAGS], "$CFLAGS")
+CFLAGS="-Wall -std=gnu99 -g -O2"
+
+case $host_os in
+	*darwin*)
+		HOST_OS=darwin
+		HOST_ABI=macosx
+		;;
+	*freebsd*)
+		HOST_OS=freebsd
+		HOST_ABI=elf
+		AC_SUBST([PROG_LDADD], ['-lthr'])
+		;;
+	*hpux*)
+		HOST_OS=hpux;
+		CFLAGS="$CFLAGS -mlp64 -D_XOPEN_SOURCE=600 -D__STRICT_ALIGNMENT"
+		AC_SUBST([PLATFORM_LDADD], ['-lpthread'])
+		;;
+	*linux*)
+		HOST_OS=linux
+		HOST_ABI=elf
+		CFLAGS="$CFLAGS -D_DEFAULT_SOURCE -D_BSD_SOURCE -D_POSIX_SOURCE -D_GNU_SOURCE"
+		;;
+	*netbsd*)
+		HOST_OS=netbsd
+		;;
+	*openbsd*)
+		HOST_ABI=elf
+		AC_DEFINE([HAVE_ATTRIBUTE__BOUNDED__], [1], [OpenBSD gcc has bounded])
+		;;
+	*mingw*)
+		HOST_OS=win
+		CFLAGS="$CFLAGS -D_GNU_SOURCE -D_POSIX -D_POSIX_SOURCE -D_REENTRANT -D_POSIX_THREAD_SAFE_FUNCTIONS -DWIN32_LEAN_AND_MEAN -D_WIN32_WINNT=0x0600 -DOPENSSL_NO_SPEED -DNO_SYSLOG -D__USE_MINGW_ANSI_STDIO -static-libgcc"
+		LDFLAGS="$LDFLAGS -static-libgcc"
+		AC_SUBST([PLATFORM_LDADD], ['-lws2_32'])
+		;;
+	*solaris*)
+		HOST_OS=solaris
+		HOST_ABI=elf
+		CFLAGS="$CFLAGS -D__EXTENSIONS__ -D_XOPEN_SOURCE=600 -DBSD_COMP"
+		AC_SUBST([PLATFORM_LDADD], ['-lnsl -lsocket'])
+		;;
+	*) ;;
+esac
+
+AM_CONDITIONAL([HOST_DARWIN],  [test x$HOST_OS = xdarwin])
+AM_CONDITIONAL([HOST_FREEBSD], [test x$HOST_OS = xfreebsd])
+AM_CONDITIONAL([HOST_HPUX],    [test x$HOST_OS = xhpux])
+AM_CONDITIONAL([HOST_LINUX],   [test x$HOST_OS = xlinux])
+AM_CONDITIONAL([HOST_NETBSD],  [test x$HOST_OS = xnetbsd])
+AM_CONDITIONAL([HOST_SOLARIS], [test x$HOST_OS = xsolaris])
+AM_CONDITIONAL([HOST_WIN],     [test x$HOST_OS = xwin])
+
+AC_CHECK_FUNC([clock_gettime],,
+	[AC_SEARCH_LIBS([clock_gettime],[rt posix4])])
+
+AC_CHECK_FUNC([dl_iterate_phdr],,
+	[AC_SEARCH_LIBS([dl_iterate_phdr],[dl])])
 
 AC_PROG_CC
+AC_PROG_LIBTOOL
 AC_PROG_CC_STDC
 AM_PROG_CC_C_O
-AC_PROG_LIBTOOL
-LT_INIT
 
-CHECK_OS_OPTIONS
+AC_MSG_CHECKING([if compiling with clang])
+AC_COMPILE_IFELSE([AC_LANG_PROGRAM([], [[
+#ifndef __clang__
+	not clang
+#endif
+	]])],
+	[CLANG=yes],
+	[CLANG=no]
+)
+AC_MSG_RESULT([$CLANG])
+AS_IF([test "x$CLANG" = "xyes"], [CLANG_FLAGS=-Qunused-arguments])
 
-CHECK_C_HARDENING_OPTIONS
+# We want to check for compiler flag support. Prior to clang v5.1, there was no
+# way to make clang's "argument unused" warning fatal.  So we invoke the
+# compiler through a wrapper script that greps for this message.
+saved_CC="$CC"
+saved_LD="$LD"
+flag_wrap="$srcdir/scripts/wrap-compiler-for-flag-check"
+CC="$flag_wrap $CC"
+LD="$flag_wrap $LD"
 
-DISABLE_AS_EXECUTABLE_STACK
+AC_ARG_ENABLE([hardening],
+	[AS_HELP_STRING([--disable-hardening],
+			[Disable options to frustrate memory corruption exploits])],
+	[], [enable_hardening=yes])
+
+AC_ARG_ENABLE([windows-ssp],
+	[AS_HELP_STRING([--enable-windows-ssp],
+			[Enable building the stack smashing protection on
+			 Windows. This currently distributing libssp-0.dll.])])
+
+AC_DEFUN([CHECK_CFLAG], [
+	 AC_LANG_ASSERT(C)
+	 AC_MSG_CHECKING([if $saved_CC supports "$1"])
+	 old_cflags="$CFLAGS"
+	 CFLAGS="$1 -Wall -Werror"
+	 AC_TRY_LINK([
+		      #include <stdio.h>
+		      ],
+		     [printf("Hello")],
+		     AC_MSG_RESULT([yes])
+		     CFLAGS=$old_cflags
+		     HARDEN_CFLAGS="$HARDEN_CFLAGS $1",
+		     AC_MSG_RESULT([no])
+		     CFLAGS=$old_cflags
+		     [$2])
+])
+
+AC_DEFUN([CHECK_LDFLAG], [
+	 AC_LANG_ASSERT(C)
+	 AC_MSG_CHECKING([if $saved_LD supports "$1"])
+	 old_ldflags="$LDFLAGS"
+	 LDFLAGS="$1 -Wall -Werror"
+	 AC_TRY_LINK([
+		      #include <stdio.h>
+		      ],
+		     [printf("Hello")],
+		     AC_MSG_RESULT([yes])
+		     LDFLAGS=$old_ldflags
+		     HARDEN_LDFLAGS="$HARDEN_LDFLAGS $1",
+		     AC_MSG_RESULT([no])
+		     LDFLAGS=$old_ldflags
+		     [$2])
+])
+
+AS_IF([test "x$enable_hardening" = "xyes"], [
+	# Tell GCC to NOT optimize based on signed arithmetic overflow
+	CHECK_CFLAG([[-fno-strict-overflow]])
+
+	# _FORTIFY_SOURCE replaces builtin functions with safer versions.
+	CHECK_CFLAG([[-D_FORTIFY_SOURCE=2]])
+
+	# Enable read only relocations
+	CHECK_LDFLAG([[-Wl,-z,relro]])
+	CHECK_LDFLAG([[-Wl,-z,now]])
+
+	# Windows security flags
+	AS_IF([test "x$HOST_OS" = "xwin"], [
+		CHECK_LDFLAG([[-Wl,--nxcompat]])
+		CHECK_LDFLAG([[-Wl,--dynamicbase]])
+		CHECK_LDFLAG([[-Wl,--high-entropy-va]])
+	])
+
+	# Use stack-protector-strong if available; if not, fallback to
+	# stack-protector-all which is considered to be overkill
+	AS_IF([test "x$enable_windows_ssp" = "xyes" -o "x$HOST_OS" != "xwin"], [
+		CHECK_CFLAG([[-fstack-protector-strong]],
+			CHECK_CFLAG([[-fstack-protector-all]],
+				AC_MSG_WARN([compiler does not appear to support stack protection])
+			)
+		)
+		AS_IF([test "x$HOST_OS" = "xwin"], [
+			AC_SEARCH_LIBS([__stack_chk_guard],[ssp])
+		])
+	])
+])
+
+
+# Restore CC, LD
+CC="$saved_CC"
+LD="$saved_LD"
+
+CFLAGS="$CFLAGS $HARDEN_CFLAGS"
+LDFLAGS="$LDFLAGS $HARDEN_LDFLAGS"
+
+# Removing the dependency on -Wno-pointer-sign should be a goal
+save_cflags="$CFLAGS"
+CFLAGS=-Wno-pointer-sign
+AC_MSG_CHECKING([whether CC supports -Wno-pointer-sign])
+AC_COMPILE_IFELSE([AC_LANG_PROGRAM([])],
+	[AC_MSG_RESULT([yes])]
+	[AM_CFLAGS=-Wno-pointer-sign],
+	[AC_MSG_RESULT([no])]
+)
+CFLAGS="$save_cflags $AM_CFLAGS"
+
+save_cflags="$CFLAGS"
+CFLAGS=
+AC_MSG_CHECKING([whether AS supports .note.GNU-stack])
+AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
+__asm__(".section .note.GNU-stack,\"\",@progbits");]])],
+	[AC_MSG_RESULT([yes])]
+	[AM_CFLAGS=-DHAVE_GNU_STACK],
+	[AC_MSG_RESULT([no])]
+)
+CFLAGS="$save_cflags $AM_CFLAGS"
 AM_PROG_AS
 
-DISABLE_COMPILER_WARNINGS
+CFLAGS="$CFLAGS $CLANG_CFLAGS"
+LDFLAGS="$LDFLAGS $CLANG_FLAGS"
 
-# Check if the certhash command should be built
+AC_CHECK_FUNCS([arc4random_buf asprintf explicit_bzero funopen getauxval])
+AC_CHECK_FUNCS([getentropy issetugid memmem poll reallocarray])
+AC_CHECK_FUNCS([strlcat strlcpy strndup strnlen strsep strtonum])
 AC_CHECK_FUNCS([symlink])
+AC_CHECK_FUNCS([timingsafe_bcmp timingsafe_memcmp])
+
+# Share test results with automake
+AM_CONDITIONAL([HAVE_ARC4RANDOM_BUF], [test "x$ac_cv_func_arc4random_buf" = xyes])
+AM_CONDITIONAL([HAVE_ASPRINTF], [test "x$ac_cv_func_asprintf" = xyes])
+AM_CONDITIONAL([HAVE_EXPLICIT_BZERO], [test "x$ac_cv_func_explicit_bzero" = xyes])
+AM_CONDITIONAL([HAVE_GETENTROPY], [test "x$ac_cv_func_getentropy" = xyes])
+AM_CONDITIONAL([HAVE_ISSETUGID], [test "x$ac_cv_func_issetugid" = xyes])
+AM_CONDITIONAL([HAVE_MEMMEM], [test "x$ac_cv_func_memmem" = xyes])
+AM_CONDITIONAL([HAVE_POLL], [test "x$ac_cv_func_poll" = xyes])
+AM_CONDITIONAL([HAVE_REALLOCARRAY], [test "x$ac_cv_func_reallocarray" = xyes])
+AM_CONDITIONAL([HAVE_STRLCAT], [test "x$ac_cv_func_strlcat" = xyes])
+AM_CONDITIONAL([HAVE_STRLCPY], [test "x$ac_cv_func_strlcpy" = xyes])
+AM_CONDITIONAL([HAVE_STRNDUP], [test "x$ac_cv_func_strndup" = xyes])
+AM_CONDITIONAL([HAVE_STRNLEN], [test "x$ac_cv_func_strnlen" = xyes])
+AM_CONDITIONAL([HAVE_STRSEP], [test "x$ac_cv_func_strsep" = xyes])
+AM_CONDITIONAL([HAVE_STRTONUM], [test "x$ac_cv_func_strtonum" = xyes])
+AM_CONDITIONAL([HAVE_TIMINGSAFE_BCMP], [test "x$ac_cv_func_timingsafe_bcmp" = xyes])
+AM_CONDITIONAL([HAVE_TIMINGSAFE_MEMCMP], [test "x$ac_cv_func_timingsafe_memcmp" = xyes])
 AM_CONDITIONAL([BUILD_CERTHASH], [test "x$ac_cv_func_symlink" = xyes])
 
-# Check if funopen exists
-AC_CHECK_FUNC([funopen])
+# overrides for arc4random_buf implementations with known issues
+AM_CONDITIONAL([HAVE_ARC4RANDOM_BUF],
+	[test "x$HOST_OS" != xdarwin \
+	   -a "x$HOST_OS" != xfreebsd \
+	   -a "x$HOST_OS" != xnetbsd \
+	   -a "x$ac_cv_func_arc4random_buf" = xyes])
 
-CHECK_LIBC_COMPAT
-CHECK_LIBC_CRYPTO_COMPAT
-CHECK_VA_COPY
+# overrides for issetugid implementations with known issues
+AM_CONDITIONAL([HAVE_ISSETUGID],
+       [test "x$HOST_OS" != xdarwin \
+	  -a "x$ac_cv_func_issetugid" = xyes])
 
-AC_CHECK_HEADERS([err.h])
+AC_CACHE_CHECK([whether va_copy exists], ac_cv_have_va_copy, [
+	AC_LINK_IFELSE([AC_LANG_PROGRAM([[
+#include <stdarg.h>
+va_list x,y;
+		]], [[ va_copy(x,y); ]])],
+	[ ac_cv_have_va_copy="yes" ],
+	[ ac_cv_have_va_copy="no"
+	])
+])
+if test "x$ac_cv_have_va_copy" = "xyes" ; then
+	AC_DEFINE([HAVE_VA_COPY], [1], [Define if va_copy exists])
+fi
+
+AC_CACHE_CHECK([whether __va_copy exists], ac_cv_have___va_copy, [
+	AC_LINK_IFELSE([AC_LANG_PROGRAM([[
+#include <stdarg.h>
+va_list x,y;
+		]], [[ __va_copy(x,y); ]])],
+	[ ac_cv_have___va_copy="yes" ], [ ac_cv_have___va_copy="no"
+	])
+])
+if test "x$ac_cv_have___va_copy" = "xyes" ; then
+	AC_DEFINE([HAVE___VA_COPY], [1], [Define if __va_copy exists])
+fi
+
+AC_CHECK_HEADERS([sys/sysctl.h err.h])
 
 AC_ARG_WITH([openssldir],
 	AS_HELP_STRING([--with-openssldir],
@@ -66,13 +280,12 @@ AC_ARG_WITH([enginesdir],
 	AC_DEFINE_UNQUOTED(ENGINESDIR, "$withval")
 )
 
-AC_ARG_ENABLE([extratests],
-	AS_HELP_STRING([--enable-extratests], [Enable extra tests that may be unreliable on some platforms]))
-AM_CONDITIONAL([ENABLE_EXTRATESTS], [test "x$enable_extratests" = xyes])
+AC_ARG_ENABLE([asm],
+	AS_HELP_STRING([--disable-asm], [Disable assembly]))
+AM_CONDITIONAL([OPENSSL_NO_ASM], [test "x$enable_asm" = "xno"])
 
-# Add CPU-specific alignment flags
 old_cflags=$CFLAGS
-CFLAGS="$CFLAGS -I$srcdir/include"
+CFLAGS="$USER_CFLAGS -I$srcdir/include"
 AC_MSG_CHECKING([if BSWAP4 builds without __STRICT_ALIGNMENT])
 AC_TRY_COMPILE([#include "$srcdir/crypto/modes/modes_lcl.h"],
 	       [int a = 0; BSWAP4(a);],
@@ -84,24 +297,21 @@ CFLAGS="$old_cflags"
 
 case $host_cpu in
 	*sparc*)
-		CPPFLAGS="$CPPFLAGS -D__STRICT_ALIGNMENT"
+		CFLAGS="$CFLAGS -D__STRICT_ALIGNMENT"
 		;;
 	*arm*)
 		AS_IF([test "x$BSWAP4" = "xyes"],,
-		    CPPFLAGS="$CPPFLAGS -D__STRICT_ALIGNMENT")
+		    CFLAGS="$CFLAGS -D__STRICT_ALIGNMENT")
 		;;
 esac
 
-AC_ARG_ENABLE([asm],
-	AS_HELP_STRING([--disable-asm], [Disable assembly]))
-AM_CONDITIONAL([OPENSSL_NO_ASM], [test "x$enable_asm" = "xno"])
-
-# Conditionally enable assembly by default
 AM_CONDITIONAL([HOST_ASM_ELF_X86_64],
     [test "x$HOST_ABI" = "xelf" -a "$host_cpu" = "x86_64" -a "x$enable_asm" != "xno"])
 AM_CONDITIONAL([HOST_ASM_MACOSX_X86_64],
     [test "x$HOST_ABI" = "xmacosx" -a "$host_cpu" = "x86_64" -a "x$enable_asm" != "xno"])
 
+LT_INIT
+
 AC_CONFIG_FILES([
 	Makefile
 	include/Makefile

crypto/Makefile.am

@@ -1,8 +1,8 @@
 include $(top_srcdir)/Makefile.am.common
 
-AM_CFLAGS += -I$(top_srcdir)/crypto/asn1
-AM_CFLAGS += -I$(top_srcdir)/crypto/evp
-AM_CFLAGS += -I$(top_srcdir)/crypto/modes
+AM_CPPFLAGS += -I$(top_srcdir)/crypto/asn1
+AM_CPPFLAGS += -I$(top_srcdir)/crypto/evp
+AM_CPPFLAGS += -I$(top_srcdir)/crypto/modes
 
 lib_LTLIBRARIES = libcrypto.la
 
@@ -10,12 +10,13 @@ EXTRA_DIST = VERSION
 
 libcrypto_la_LDFLAGS = -version-info @LIBCRYPTO_VERSION@ -no-undefined
 libcrypto_la_LIBADD = libcompat.la libcompatnoopt.la
-libcrypto_la_CPPFLAGS = -DOPENSSL_NO_HW_PADLOCK
+libcrypto_la_CFLAGS = $(CFLAGS) $(USER_CFLAGS)
+libcrypto_la_CFLAGS += -DOPENSSL_NO_HW_PADLOCK
 if OPENSSL_NO_ASM
-libcrypto_la_CPPFLAGS += -DOPENSSL_NO_ASM
+libcrypto_la_CFLAGS += -DOPENSSL_NO_ASM
 else
 if HOST_WIN
-libcrypto_la_CPPFLAGS += -DOPENSSL_NO_ASM
+libcrypto_la_CFLAGS += -DOPENSSL_NO_ASM
 endif
 endif
 
@@ -30,6 +31,7 @@ libcompatnoopt_la_SOURCES += compat/explicit_bzero.c
 endif
 
 # other compatibility functions
+libcompat_la_CFLAGS = $(CFLAGS) $(USER_CFLAGS)
 libcompat_la_SOURCES =
 libcompat_la_LIBADD = $(PLATFORM_LDADD)
 
@@ -65,11 +67,60 @@ if !HAVE_TIMINGSAFE_BCMP
 libcompat_la_SOURCES += compat/timingsafe_bcmp.c
 endif
 
+if !HAVE_ARC4RANDOM_BUF
+libcompat_la_SOURCES += compat/arc4random.c
+
+if !HAVE_GETENTROPY
+if HOST_FREEBSD
+libcompat_la_SOURCES += compat/getentropy_freebsd.c
+endif
+if HOST_HPUX
+libcompat_la_SOURCES += compat/getentropy_hpux.c
+endif
+if HOST_LINUX
+libcompat_la_SOURCES += compat/getentropy_linux.c
+endif
+if HOST_NETBSD
+libcompat_la_SOURCES += compat/getentropy_netbsd.c
+endif
+if HOST_DARWIN
+libcompat_la_SOURCES += compat/getentropy_osx.c
+endif
+if HOST_SOLARIS
+libcompat_la_SOURCES += compat/getentropy_solaris.c
+endif
 if HOST_WIN
-libcompat_la_SOURCES += compat/posix_win.c
+libcompat_la_SOURCES += compat/getentropy_win.c
+endif
 endif
 
-include Makefile.am.arc4random
+endif
+
+if !HAVE_ISSETUGID
+if HOST_LINUX
+libcompat_la_SOURCES += compat/issetugid_linux.c
+endif
+if HOST_HPUX
+libcompat_la_SOURCES += compat/issetugid_hpux.c
+endif
+if HOST_DARWIN
+libcompat_la_SOURCES += compat/issetugid_osx.c
+endif
+if HOST_WIN
+libcompat_la_SOURCES += compat/issetugid_win.c
+endif
+endif
+
+noinst_HEADERS =
+noinst_HEADERS += compat/arc4random.h
+noinst_HEADERS += compat/arc4random_freebsd.h
+noinst_HEADERS += compat/arc4random_hpux.h
+noinst_HEADERS += compat/arc4random_linux.h
+noinst_HEADERS += compat/arc4random_netbsd.h
+noinst_HEADERS += compat/arc4random_osx.h
+noinst_HEADERS += compat/arc4random_solaris.h
+noinst_HEADERS += compat/arc4random_win.h
+noinst_HEADERS += compat/chacha_private.h
 
 libcrypto_la_SOURCES =
 EXTRA_libcrypto_la_SOURCES =

crypto/Makefile.am.arc4random

@@ -1,45 +0,0 @@
-if !HAVE_ARC4RANDOM_BUF
-libcompat_la_SOURCES += compat/arc4random.c
-
-if !HAVE_GETENTROPY
-if HOST_AIX
-libcompat_la_SOURCES += compat/getentropy_aix.c
-endif
-if HOST_FREEBSD
-libcompat_la_SOURCES += compat/getentropy_freebsd.c
-endif
-if HOST_HPUX
-libcompat_la_SOURCES += compat/getentropy_hpux.c
-endif
-if HOST_LINUX
-libcompat_la_SOURCES += compat/getentropy_linux.c
-endif
-if HOST_NETBSD
-libcompat_la_SOURCES += compat/getentropy_netbsd.c
-endif
-if HOST_DARWIN
-libcompat_la_SOURCES += compat/getentropy_osx.c
-endif
-if HOST_SOLARIS
-libcompat_la_SOURCES += compat/getentropy_solaris.c
-endif
-if HOST_WIN
-libcompat_la_SOURCES += compat/getentropy_win.c
-endif
-endif
-
-endif
-
-noinst_HEADERS =
-noinst_HEADERS += compat/arc4random.h
-noinst_HEADERS += compat/arc4random_aix.h
-noinst_HEADERS += compat/arc4random_freebsd.h
-noinst_HEADERS += compat/arc4random_hpux.h
-noinst_HEADERS += compat/arc4random_linux.h
-noinst_HEADERS += compat/arc4random_netbsd.h
-noinst_HEADERS += compat/arc4random_osx.h
-noinst_HEADERS += compat/arc4random_solaris.h
-noinst_HEADERS += compat/arc4random_win.h
-noinst_HEADERS += compat/chacha_private.h
-
-

crypto/Makefile.am.elf-x86_64

@@ -22,20 +22,20 @@ ASM_X86_64_ELF += cpuid-elf-x86_64.S
 EXTRA_DIST += $(ASM_X86_64_ELF)
 
 if HOST_ASM_ELF_X86_64
-libcrypto_la_CPPFLAGS += -DAES_ASM
-libcrypto_la_CPPFLAGS += -DBSAES_ASM
-libcrypto_la_CPPFLAGS += -DVPAES_ASM
-libcrypto_la_CPPFLAGS += -DOPENSSL_IA32_SSE2
-libcrypto_la_CPPFLAGS += -DOPENSSL_BN_ASM_MONT
-libcrypto_la_CPPFLAGS += -DOPENSSL_BN_ASM_MONT5
-libcrypto_la_CPPFLAGS += -DOPENSSL_BN_ASM_GF2m
-libcrypto_la_CPPFLAGS += -DMD5_ASM
-libcrypto_la_CPPFLAGS += -DGHASH_ASM
-libcrypto_la_CPPFLAGS += -DRSA_ASM
-libcrypto_la_CPPFLAGS += -DSHA1_ASM
-libcrypto_la_CPPFLAGS += -DSHA256_ASM
-libcrypto_la_CPPFLAGS += -DSHA512_ASM
-libcrypto_la_CPPFLAGS += -DWHIRLPOOL_ASM
-libcrypto_la_CPPFLAGS += -DOPENSSL_CPUID_OBJ
+libcrypto_la_CFLAGS += -DAES_ASM
+libcrypto_la_CFLAGS += -DBSAES_ASM
+libcrypto_la_CFLAGS += -DVPAES_ASM
+libcrypto_la_CFLAGS += -DOPENSSL_IA32_SSE2
+libcrypto_la_CFLAGS += -DOPENSSL_BN_ASM_MONT
+libcrypto_la_CFLAGS += -DOPENSSL_BN_ASM_MONT5
+libcrypto_la_CFLAGS += -DOPENSSL_BN_ASM_GF2m
+libcrypto_la_CFLAGS += -DMD5_ASM
+libcrypto_la_CFLAGS += -DGHASH_ASM
+libcrypto_la_CFLAGS += -DRSA_ASM
+libcrypto_la_CFLAGS += -DSHA1_ASM
+libcrypto_la_CFLAGS += -DSHA256_ASM
+libcrypto_la_CFLAGS += -DSHA512_ASM
+libcrypto_la_CFLAGS += -DWHIRLPOOL_ASM
+libcrypto_la_CFLAGS += -DOPENSSL_CPUID_OBJ
 libcrypto_la_SOURCES += $(ASM_X86_64_ELF)
 endif

crypto/Makefile.am.macosx-x86_64

@@ -22,20 +22,20 @@ ASM_X86_64_MACOSX += cpuid-macosx-x86_64.S
 EXTRA_DIST += $(ASM_X86_64_MACOSX)
 
 if HOST_ASM_MACOSX_X86_64
-libcrypto_la_CPPFLAGS += -DAES_ASM
-libcrypto_la_CPPFLAGS += -DBSAES_ASM
-libcrypto_la_CPPFLAGS += -DVPAES_ASM
-libcrypto_la_CPPFLAGS += -DOPENSSL_IA32_SSE2
-libcrypto_la_CPPFLAGS += -DOPENSSL_BN_ASM_MONT
-libcrypto_la_CPPFLAGS += -DOPENSSL_BN_ASM_MONT5
-libcrypto_la_CPPFLAGS += -DOPENSSL_BN_ASM_GF2m
-libcrypto_la_CPPFLAGS += -DMD5_ASM
-libcrypto_la_CPPFLAGS += -DGHASH_ASM
-libcrypto_la_CPPFLAGS += -DRSA_ASM
-libcrypto_la_CPPFLAGS += -DSHA1_ASM
-libcrypto_la_CPPFLAGS += -DSHA256_ASM
-libcrypto_la_CPPFLAGS += -DSHA512_ASM
-libcrypto_la_CPPFLAGS += -DWHIRLPOOL_ASM
-libcrypto_la_CPPFLAGS += -DOPENSSL_CPUID_OBJ
+libcrypto_la_CFLAGS += -DAES_ASM
+libcrypto_la_CFLAGS += -DBSAES_ASM
+libcrypto_la_CFLAGS += -DVPAES_ASM
+libcrypto_la_CFLAGS += -DOPENSSL_IA32_SSE2
+libcrypto_la_CFLAGS += -DOPENSSL_BN_ASM_MONT
+libcrypto_la_CFLAGS += -DOPENSSL_BN_ASM_MONT5
+libcrypto_la_CFLAGS += -DOPENSSL_BN_ASM_GF2m
+libcrypto_la_CFLAGS += -DMD5_ASM
+libcrypto_la_CFLAGS += -DGHASH_ASM
+libcrypto_la_CFLAGS += -DRSA_ASM
+libcrypto_la_CFLAGS += -DSHA1_ASM
+libcrypto_la_CFLAGS += -DSHA256_ASM
+libcrypto_la_CFLAGS += -DSHA512_ASM
+libcrypto_la_CFLAGS += -DWHIRLPOOL_ASM
+libcrypto_la_CFLAGS += -DOPENSSL_CPUID_OBJ
 libcrypto_la_SOURCES += $(ASM_X86_64_MACOSX)
 endif

crypto/compat/arc4random.h

@@ -3,10 +3,7 @@
 
 #include <sys/param.h>
 
-#if defined(_AIX)
-#include "arc4random_aix.h"
-
-#elif defined(__FreeBSD__)
+#if defined(__FreeBSD__)
 #include "arc4random_freebsd.h"
 
 #elif defined(__hpux)

crypto/compat/issetugid_hpux.c

@@ -0,0 +1,17 @@
+#include <stdio.h>
+#include <unistd.h>
+#include <sys/pstat.h>
+
+/*
+ * HP-UX does not have issetugid().
+ * Use pstat_getproc() and check PS_CHANGEDPRIV bit of pst_flag. If this call
+ * cannot be used, assume we must be running in a privileged environment.
+ */
+int issetugid(void)
+{
+	struct pst_status buf;
+	if (pstat_getproc(&buf, sizeof(buf), 0, getpid()) == 1 &&
+	    !(buf.pst_flag & PS_CHANGEDPRIV))
+		return 0;
+	return 1;
+}

crypto/compat/issetugid_linux.c

@@ -0,0 +1,47 @@
+/*
+ * issetugid implementation for Linux
+ * Public domain
+ */
+
+#include <errno.h>
+#include <gnu/libc-version.h>
+#include <string.h>
+#include <sys/types.h>
+#include <unistd.h>
+
+/*
+ * Linux-specific glibc 2.16+ interface for determining if a process was
+ * launched setuid/setgid or with additional capabilities.
+ */
+#ifdef HAVE_GETAUXVAL
+#include <sys/auxv.h>
+#endif
+
+int issetugid(void)
+{
+#ifdef HAVE_GETAUXVAL
+	/*
+	 * The API for glibc < 2.19 does not indicate if there is an error with
+	 * getauxval. While it should not be the case that any 2.6 or greater
+	 * kernel ever does not supply AT_SECURE, an emulated software environment
+	 * might rewrite the aux vector.
+	 *
+	 * See https://sourceware.org/bugzilla/show_bug.cgi?id=15846
+	 *
+	 * Perhaps this code should just read the aux vector itself, so we have
+	 * backward-compatibility and error handling in older glibc versions.
+	 * info: http://lwn.net/Articles/519085/
+	 *
+	 */
+	const char *glcv = gnu_get_libc_version();
+	if (strverscmp(glcv, "2.19") >= 0) {
+		errno = 0;
+		if (getauxval(AT_SECURE) == 0) {
+			if (errno != ENOENT) {
+				return 0;
+			}
+		}
+	}
+#endif
+	return 1;
+}

crypto/compat/issetugid_osx.c

@@ -0,0 +1,16 @@
+/*
+ * issetugid implementation for OS X
+ * Public domain
+ */
+
+#include <unistd.h>
+
+/*
+ * OS X has issetugid, but it is not fork-safe as of version 10.10.
+ * See this Solaris report for test code that fails similarly:
+ * http://mcarpenter.org/blog/2013/01/15/solaris-issetugid%282%29-bug
+ */
+int issetugid(void)
+{
+	return 1;
+}

crypto/compat/issetugid_win.c

@@ -0,0 +1,26 @@
+/*
+ * issetugid implementation for Windows
+ * Public domain
+ */
+
+#include <unistd.h>
+
+/*
+ * Windows does not have a native setuid/setgid functionality.
+ * A user must enter credentials each time a process elevates its
+ * privileges.
+ *
+ * So, in theory, this could always return 0, given what I know currently.
+ * However, it makes sense to stub out initially in 'safe' mode until we
+ * understand more (and determine if any disabled functionality is actually
+ * useful on Windows anyway).
+ *
+ * Future versions of this function that are made more 'open' should thoroughly
+ * consider the case of this code running as a privileged service with saved
+ * user credentials or privilege escalations by other means (e.g. the old
+ * RunAsEx utility.)
+ */
+int issetugid(void)
+{
+	return 1;
+}

crypto/compat/posix_win.c

@@ -1,167 +0,0 @@
-/*
- * Public domain
- *
- * BSD socket emulation code for Winsock2
- * File IO compatibility shims
- * Brent Cook <bcook@openbsd.org>
- */
-
-#define NO_REDEF_POSIX_FUNCTIONS
-
-#include <windows.h>
-#include <ws2tcpip.h>
-
-#include <errno.h>
-#include <stdio.h>
-#include <string.h>
-#include <unistd.h>
-
-void
-posix_perror(const char *s)
-{
-	fprintf(stderr, "%s: %s\n", s, strerror(errno));
-}
-
-FILE *
-posix_fopen(const char *path, const char *mode)
-{
-	if (strchr(mode, 'b') == NULL) {
-		char *bin_mode = NULL;
-		if (asprintf(&bin_mode, "%sb", mode) == -1)
-			return NULL;
-		FILE *f = fopen(path, bin_mode);
-		free(bin_mode);
-		return f;
-	}
-
-	return fopen(path, mode);
-}
-
-int
-posix_rename(const char *oldpath, const char *newpath)
-{
-	MoveFileEx(oldpath, newpath, MOVEFILE_REPLACE_EXISTING) ? 0 : -1;
-}
-
-static int
-wsa_errno(int err)
-{
-	switch (err) {
-	case WSAENOBUFS:
-		errno = ENOMEM;
-		break;
-	case WSAEACCES:
-		errno = EACCES;
-		break;
-	case WSANOTINITIALISED:
-		errno = EPERM;
-		break;
-	case WSAEHOSTUNREACH:
-	case WSAENETDOWN:
-		errno = EIO;
-		break;
-	case WSAEFAULT:
-		errno = EFAULT;
-		break;
-	case WSAEINTR:
-		errno = EINTR;
-		break;
-	case WSAEINVAL:
-		errno = EINVAL;
-		break;
-	case WSAEINPROGRESS:
-		errno = EINPROGRESS;
-		break;
-	case WSAEWOULDBLOCK:
-		errno = EAGAIN;
-		break;
-	case WSAEOPNOTSUPP:
-		errno = ENOTSUP;
-		break;
-	case WSAEMSGSIZE:
-		errno = EFBIG;
-		break;
-	case WSAENOTSOCK:
-		errno = ENOTSOCK;
-		break;
-	case WSAENOPROTOOPT:
-		errno = ENOPROTOOPT;
-		break;
-	case WSAECONNREFUSED:
-		errno = ECONNREFUSED;
-		break;
-	case WSAEAFNOSUPPORT:
-		errno = EAFNOSUPPORT;
-		break;
-	case WSAENETRESET:
-	case WSAENOTCONN:
-	case WSAECONNABORTED:
-	case WSAECONNRESET:
-	case WSAESHUTDOWN:
-	case WSAETIMEDOUT:
-		errno = EPIPE;
-		break;
-	}
-	return -1;
-}
-
-int
-posix_connect(int sockfd, const struct sockaddr *addr, socklen_t addrlen)
-{
-	int rc = connect(sockfd, addr, addrlen);
-	if (rc == SOCKET_ERROR)
-		return wsa_errno(WSAGetLastError());
-	return rc;
-}
-
-int
-posix_close(int fd)
-{
-	if (closesocket(fd) == SOCKET_ERROR) {
-		int err = WSAGetLastError();
-		return err == WSAENOTSOCK ?
-			close(fd) : wsa_errno(err);
-	}
-	return 0;
-}
-
-ssize_t
-posix_read(int fd, void *buf, size_t count)
-{
-	ssize_t rc = recv(fd, buf, count, 0);
-	if (rc == SOCKET_ERROR) {
-		int err = WSAGetLastError();
-		return err == WSAENOTSOCK ?
-			read(fd, buf, count) : wsa_errno(err);
-	}
-	return rc;
-}
-
-ssize_t
-posix_write(int fd, const void *buf, size_t count)
-{
-	ssize_t rc = send(fd, buf, count, 0);
-	if (rc == SOCKET_ERROR) {
-		int err = WSAGetLastError();
-		return err == WSAENOTSOCK ?
-			write(fd, buf, count) : wsa_errno(err);
-	}
-	return rc;
-}
-
-int
-posix_getsockopt(int sockfd, int level, int optname,
-	void *optval, socklen_t *optlen)
-{
-	int rc = getsockopt(sockfd, level, optname, (char *)optval, optlen);
-	return rc == 0 ? 0 : wsa_errno(WSAGetLastError());
-
-}
-
-int
-posix_setsockopt(int sockfd, int level, int optname,
-	const void *optval, socklen_t optlen)
-{
-	int rc = setsockopt(sockfd, level, optname, (char *)optval, optlen);
-	return rc == 0 ? 0 : wsa_errno(WSAGetLastError());
-}

gen-coverage-report.sh

@@ -29,15 +29,9 @@ make check
 echo "Generating report"
 mkdir -p $DESTDIR
 find tests -name '*.gcda' -o -name '*.gcno' -delete
-lcov --capture --output-file $DESTDIR/coverage.tmp \
-	--rc lcov_branch_coverage=1 \
-	--directory crypto \
-	--directory ssl \
-	--directory tls \
+lcov --directory . --capture --output-file $DESTDIR/coverage.tmp \
     --test-name "LibreSSL $VERSION"
 genhtml --prefix . --output-directory $DESTDIR \
-	--branch-coverage --function-coverage \
-	--rc lcov_branch_coverage=1 \
     --title "LibreSSL $VERSION" --legend --show-detail $DESTDIR/coverage.tmp
 
 echo "Code coverage report is available under $DESTDIR"

include/stdio.h

@@ -15,17 +15,16 @@ int asprintf(char **str, const char *fmt, ...);
 #endif
 
 #ifdef _WIN32
+#include <errno.h>
+#include <string.h>
 
-void posix_perror(const char *s);
-FILE * posix_fopen(const char *path, const char *mode);
-int posix_rename(const char *oldpath, const char *newpath);
+static inline void
+posix_perror(const char *s)
+{
+	fprintf(stderr, "%s: %s\n", s, strerror(errno));
+}
 
-#ifndef NO_REDEF_POSIX_FUNCTIONS
 #define perror(errnum) posix_perror(errnum)
-#define fopen(path, mode) posix_fopen(path, mode)
-#define rename(oldpath, newpath) posix_rename(oldpath, newpath)
-#endif
-
 #endif
 
 #endif

include/unistd.h

@@ -12,4 +12,8 @@
 int getentropy(void *buf, size_t buflen);
 #endif
 
+#ifndef HAVE_ISSETUGID
+int issetugid(void);
+#endif
+
 #endif

include/win32netcompat.h

@@ -19,29 +19,142 @@
 #include <errno.h>
 #include <unistd.h>
 
-int posix_connect(int sockfd, const struct sockaddr *addr, socklen_t addrlen);
+static int
+wsa_errno(int err)
+{
+	switch (err) {
+	case WSAENOBUFS:
+		errno = ENOMEM;
+		break;
+	case WSAEACCES:
+		errno = EACCES;
+		break;
+	case WSANOTINITIALISED:
+		errno = EPERM;
+		break;
+	case WSAEHOSTUNREACH:
+	case WSAENETDOWN:
+		errno = EIO;
+		break;
+	case WSAEFAULT:
+		errno = EFAULT;
+		break;
+	case WSAEINTR:
+		errno = EINTR;
+		break;
+	case WSAEINVAL:
+		errno = EINVAL;
+		break;
+	case WSAEINPROGRESS:
+		errno = EINPROGRESS;
+		break;
+	case WSAEWOULDBLOCK:
+		errno = EAGAIN;
+		break;
+	case WSAEOPNOTSUPP:
+		errno = ENOTSUP;
+		break;
+	case WSAEMSGSIZE:
+		errno = EFBIG;
+		break;
+	case WSAENOTSOCK:
+		errno = ENOTSOCK;
+		break;
+	case WSAENOPROTOOPT:
+		errno = ENOPROTOOPT;
+		break;
+	case WSAECONNREFUSED:
+		errno = ECONNREFUSED;
+		break;
+	case WSAEAFNOSUPPORT:
+		errno = EAFNOSUPPORT;
+		break;
+	case WSAENETRESET:
+	case WSAENOTCONN:
+	case WSAECONNABORTED:
+	case WSAECONNRESET:
+	case WSAESHUTDOWN:
+	case WSAETIMEDOUT:
+		errno = EPIPE;
+		break;
+	}
+	return -1;
+}
 
-int posix_close(int fd);
-ssize_t posix_read(int fd, void *buf, size_t count);
+static inline int
+posix_connect(int sockfd, const struct sockaddr *addr, socklen_t addrlen)
+{
+	int rc = connect(sockfd, addr, addrlen);
+	if (rc == SOCKET_ERROR)
+		return wsa_errno(WSAGetLastError());
+	return rc;
+}
 
-ssize_t posix_write(int fd, const void *buf, size_t count);
-
-int posix_getsockopt(int sockfd, int level, int optname,
-	void *optval, socklen_t *optlen);
-
-int posix_setsockopt(int sockfd, int level, int optname,
-	const void *optval, socklen_t optlen);
-
-#ifndef NO_REDEF_POSIX_FUNCTIONS
 #define connect(sockfd, addr, addrlen) posix_connect(sockfd, addr, addrlen)
+
+static inline int
+posix_close(int fd)
+{
+	if (closesocket(fd) == SOCKET_ERROR) {
+		int err = WSAGetLastError();
+		return err == WSAENOTSOCK ?
+			close(fd) : wsa_errno(err);
+	}
+	return 0;
+}
+
 #define close(fd) posix_close(fd)
+
+static inline ssize_t
+posix_read(int fd, void *buf, size_t count)
+{
+	ssize_t rc = recv(fd, buf, count, 0);
+	if (rc == SOCKET_ERROR) {
+		int err = WSAGetLastError();
+		return err == WSAENOTSOCK ?
+			read(fd, buf, count) : wsa_errno(err);
+	}
+	return rc;
+}
+
 #define read(fd, buf, count) posix_read(fd, buf, count)
+
+static inline ssize_t
+posix_write(int fd, const void *buf, size_t count)
+{
+	ssize_t rc = send(fd, buf, count, 0);
+	if (rc == SOCKET_ERROR) {
+		int err = WSAGetLastError();
+		return err == WSAENOTSOCK ?
+			write(fd, buf, count) : wsa_errno(err);
+	}
+	return rc;
+}
+
 #define write(fd, buf, count) posix_write(fd, buf, count)
+
+static inline int
+posix_getsockopt(int sockfd, int level, int optname,
+	void *optval, socklen_t *optlen)
+{
+	int rc = getsockopt(sockfd, level, optname, (char *)optval, optlen);
+	return rc == 0 ? 0 : wsa_errno(WSAGetLastError());
+
+}
+
 #define getsockopt(sockfd, level, optname, optval, optlen) \
 	posix_getsockopt(sockfd, level, optname, optval, optlen)
+
+static inline int
+posix_setsockopt(int sockfd, int level, int optname,
+	const void *optval, socklen_t optlen)
+{
+	int rc = setsockopt(sockfd, level, optname, (char *)optval, optlen);
+	return rc == 0 ? 0 : wsa_errno(WSAGetLastError());
+}
+
 #define setsockopt(sockfd, level, optname, optval, optlen) \
 	posix_setsockopt(sockfd, level, optname, optval, optlen)
-#endif
 
 #endif
 

libtls-standalone/COPYING

@@ -1,13 +0,0 @@
-libtls is ISC licensed as per OpenBSD's normal licensing policy.
-
-Permission to use, copy, modify, and distribute this software for any
-purpose with or without fee is hereby granted, provided that the above
-copyright notice and this permission notice appear in all copies.
-
-THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
-WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
-MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
-ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
-WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
-ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
-OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.

libtls-standalone/Makefile.am

@@ -1,7 +0,0 @@
-SUBDIRS = include compat src tests man
-ACLOCAL_AMFLAGS = -I m4
-
-pkgconfigdir = $(libdir)/pkgconfig
-pkgconfig_DATA = libtls.pc
-
-EXTRA_DIST = README VERSION

libtls-standalone/VERSION

@@ -1 +0,0 @@
-3.1.0

libtls-standalone/compat/Makefile.am

@@ -1,45 +0,0 @@
-#
-# Copyright (c) 2014-2015 Brent Cook
-#
-# Permission to use, copy, modify, and distribute this software for any
-# purpose with or without fee is hereby granted, provided that the above
-# copyright notice and this permission notice appear in all copies.
-#
-# THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
-# WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
-# MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
-# ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
-# WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
-# ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
-# OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
-
-AM_CPPFLAGS = -I$(top_srcdir)/include -I$(top_srcdir)/src
-
-noinst_LTLIBRARIES = libcompat.la libcompatnoopt.la
-
-# compatibility functions that need to be built without optimizations
-libcompatnoopt_la_CFLAGS = -O0
-libcompatnoopt_la_SOURCES =
-
-if !HAVE_EXPLICIT_BZERO
-libcompatnoopt_la_SOURCES += explicit_bzero.c
-endif
-
-# other compatibility functions
-libcompat_la_CFLAGS = $(CFLAGS) $(USER_CFLAGS)
-libcompat_la_SOURCES =
-libcompat_la_LIBADD = $(PLATFORM_LDADD)
-
-if !HAVE_ASPRINTF
-libcompat_la_SOURCES += bsd-asprintf.c
-endif
-
-if !HAVE_STRLCPY
-libcompat_la_SOURCES += strlcpy.c
-endif
-
-if !HAVE_STRSEP
-libcompat_la_SOURCES += strsep.c
-endif
-
-include Makefile.am.arc4random

libtls-standalone/configure.ac

@@ -1,52 +0,0 @@
-# Copyright (c) 2014-2015 Brent Cook
-#
-# Permission to use, copy, modify, and distribute this software for any
-# purpose with or without fee is hereby granted, provided that the above
-# copyright notice and this permission notice appear in all copies.
-#
-# THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
-# WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
-# MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
-# ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
-# WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
-# ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
-# OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
-
-AC_INIT([libtls], m4_esyscmd([tr -d '\n' < VERSION]))
-AC_SUBST([LIBTLS_VERSION], m4_esyscmd([sed -e 's/\./:/g' VERSION | tr -d '\n']))
-
-AC_CANONICAL_HOST
-AM_INIT_AUTOMAKE([subdir-objects])
-AC_CONFIG_MACRO_DIR([m4])
-
-m4_ifdef([AM_SILENT_RULES], [AM_SILENT_RULES([yes])])
-
-# This must be called before AC_PROG_CC
-USER_CFLAGS="$CFLAGS"
-
-AC_PROG_CC
-AC_PROG_CC_STDC
-AM_PROG_CC_C_O
-AC_PROG_LIBTOOL
-LT_INIT
-
-CHECK_OS_OPTIONS
-
-CHECK_C_HARDENING_OPTIONS
-
-DISABLE_COMPILER_WARNINGS
-
-CHECK_LIBC_COMPAT
-CHECK_LIBC_CRYPTO_COMPAT
-
-AC_CONFIG_FILES([
-	Makefile
-	include/Makefile
-	compat/Makefile
-	man/Makefile
-	src/Makefile
-	tests/Makefile
-	libtls.pc
-])
-
-AC_OUTPUT

libtls-standalone/include/Makefile.am

@@ -1,5 +0,0 @@
-noinst_HEADERS = stdlib.h
-noinst_HEADERS += string.h
-noinst_HEADERS += unistd.h
-
-include_HEADERS = tls.h

libtls-standalone/include/string.h

@@ -1,73 +0,0 @@
-/*
- * Public domain
- * string.h compatibility shim
- */
-
-#include_next <string.h>
-
-#ifndef LIBCRYPTOCOMPAT_STRING_H
-#define LIBCRYPTOCOMPAT_STRING_H
-
-#include <sys/types.h>
-
-#if defined(__sun) || defined(__hpux)
-/* Some functions historically defined in string.h were placed in strings.h by
- * SUS. Use the same hack as OS X and FreeBSD use to work around on Solaris and HPUX.
- */
-#include <strings.h>
-#endif
-
-#ifndef HAVE_STRLCPY
-size_t strlcpy(char *dst, const char *src, size_t siz);
-#endif
-
-#ifndef HAVE_STRLCAT
-size_t strlcat(char *dst, const char *src, size_t siz);
-#endif
-
-#ifndef HAVE_STRNDUP
-char * strndup(const char *str, size_t maxlen);
-/* the only user of strnlen is strndup, so only build it if needed */
-#ifndef HAVE_STRNLEN
-size_t strnlen(const char *str, size_t maxlen);
-#endif
-#endif
-
-#ifndef HAVE_STRSEP
-char *strsep(char **stringp, const char *delim);
-#endif
-
-#ifndef HAVE_EXPLICIT_BZERO
-void explicit_bzero(void *, size_t);
-#endif
-
-#ifndef HAVE_TIMINGSAFE_BCMP
-int timingsafe_bcmp(const void *b1, const void *b2, size_t n);
-#endif
-
-#ifndef HAVE_TIMINGSAFE_MEMCMP
-int timingsafe_memcmp(const void *b1, const void *b2, size_t len);
-#endif
-
-#ifndef HAVE_MEMMEM
-void * memmem(const void *big, size_t big_len, const void *little,
-	size_t little_len);
-#endif
-
-#ifdef _WIN32
-#include <errno.h>
-
-static inline char  *
-posix_strerror(int errnum)
-{
-	if (errnum == ECONNREFUSED) {
-		return "Connection refused";
-	}
-	return strerror(errnum);
-}
-
-#define strerror(errnum) posix_strerror(errnum)
-
-#endif
-
-#endif

libtls-standalone/libtls.pc.in

@@ -1,16 +0,0 @@
-#libtls pkg-config source file
-
-prefix=@prefix@
-exec_prefix=@exec_prefix@
-libdir=@libdir@
-includedir=@includedir@
-
-Name: LibreSSL-libtls
-Description: Secure communications using the TLS socket protocol.
-Version: @LIBTLS_VERSION@
-Requires:
-Requires.private: libcrypto libssl
-Conflicts:
-Libs: -L${libdir} -ltls
-Libs.private: @LIBS@ -lcrypto -lssl
-Cflags: -I${includedir}

libtls-standalone/src/Makefile.am

@@ -1,16 +0,0 @@
-AM_CFLAGS = -I$(top_srcdir)/include
-
-lib_LTLIBRARIES = libtls.la
-
-libtls_la_LDFLAGS = -version-info @LIBTLS_VERSION@ -no-undefined
-libtls_la_LIBADD = -lcrypto -lssl -lcrypto $(PLATFORM_LDADD)
-libtls_la_LIBADD += $(top_builddir)/compat/libcompat.la
-libtls_la_LIBADD += $(top_builddir)/compat/libcompatnoopt.la
-
-libtls_la_SOURCES = tls.c
-libtls_la_SOURCES += tls_client.c
-libtls_la_SOURCES += tls_config.c
-libtls_la_SOURCES += tls_server.c
-libtls_la_SOURCES += tls_util.c
-libtls_la_SOURCES += tls_verify.c
-noinst_HEADERS = tls_internal.h

libtls-standalone/tests/Makefile.am

@@ -1,7 +0,0 @@
-AM_CFLAGS = -I$(top_srcdir)/include
-
-check_PROGRAMS = test
-
-TESTS = test
-test_SOURCES = test.c
-test_LDADD = -lcrypto -lssl $(top_builddir)/src/libtls.la

libtls-standalone/tests/test.c

@@ -1,51 +0,0 @@
-#include <stdio.h>
-#include <tls.h>
-
-int main()
-{
-	struct tls *tls;
-	struct tls_config *tls_config;
-	size_t written, read;
-	char buf[4096];
-
-	if (tls_init() != 0) {
-		fprintf(stderr, "tls_init failed");
-		return 1;
-	}
-
-	if ((tls = tls_client()) == NULL)
-		goto err;
-
-	if ((tls_config = tls_config_new()) == NULL)
-		goto err;
-
-	if (tls_config_set_ciphers(tls_config, "compat") != 0)
-		goto err;
-
-	tls_config_insecure_noverifycert(tls_config);
-	tls_config_insecure_noverifyname(tls_config);
-
-	if (tls_configure(tls, tls_config) != 0)
-		goto err;
-
-	if (tls_connect(tls, "google.com", "443") != 0)
-		goto err;
-
-	if (tls_write(tls, "GET /\r\n", 7, &written) != 0)
-		goto err;
-
-	if (tls_read(tls, buf, sizeof(buf), &read) != 0)
-		goto err;
-
-	buf[read - 1] = '\0';
-	puts(buf);
-
-	if (tls_close(tls) != 0)
-		goto err;
-
-	return 0;
-
-err:
-	fprintf(stderr, "%s\n", tls_error(tls));
-	return 1;
-}

m4/check-hardening-options.m4

@@ -1,107 +0,0 @@
-
-AC_DEFUN([CHECK_CFLAG], [
-	 AC_LANG_ASSERT(C)
-	 AC_MSG_CHECKING([if $saved_CC supports "$1"])
-	 old_cflags="$CFLAGS"
-	 CFLAGS="$1 -Wall -Werror"
-	 AC_TRY_LINK([
-		      #include <stdio.h>
-		      ],
-		     [printf("Hello")],
-		     AC_MSG_RESULT([yes])
-		     CFLAGS=$old_cflags
-		     HARDEN_CFLAGS="$HARDEN_CFLAGS $1",
-		     AC_MSG_RESULT([no])
-		     CFLAGS=$old_cflags
-		     [$2])
-])
-
-AC_DEFUN([CHECK_LDFLAG], [
-	 AC_LANG_ASSERT(C)
-	 AC_MSG_CHECKING([if $saved_LD supports "$1"])
-	 old_ldflags="$LDFLAGS"
-	 LDFLAGS="$1 -Wall -Werror"
-	 AC_TRY_LINK([
-		      #include <stdio.h>
-		      ],
-		     [printf("Hello")],
-		     AC_MSG_RESULT([yes])
-		     LDFLAGS=$old_ldflags
-		     HARDEN_LDFLAGS="$HARDEN_LDFLAGS $1",
-		     AC_MSG_RESULT([no])
-		     LDFLAGS=$old_ldflags
-		     [$2])
-])
-
-AC_DEFUN([DISABLE_AS_EXECUTABLE_STACK], [
-	save_cflags="$CFLAGS"
-	CFLAGS=
-	AC_MSG_CHECKING([whether AS supports .note.GNU-stack])
-	AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
-	__asm__(".section .note.GNU-stack,\"\",@progbits");]])],
-		[AC_MSG_RESULT([yes])]
-		[AM_CFLAGS=-DHAVE_GNU_STACK],
-		[AC_MSG_RESULT([no])]
-	)
-	CFLAGS="$save_cflags $AM_CFLAGS"
-])
-
-
-AC_DEFUN([CHECK_C_HARDENING_OPTIONS], [
-
-	AC_ARG_ENABLE([hardening],
-		[AS_HELP_STRING([--disable-hardening],
-				[Disable options to frustrate memory corruption exploits])],
-		[], [enable_hardening=yes])
-
-	AC_ARG_ENABLE([windows-ssp],
-		[AS_HELP_STRING([--enable-windows-ssp],
-				[Enable building the stack smashing protection on
-				 Windows. This currently distributing libssp-0.dll.])])
-
-	# We want to check for compiler flag support. Prior to clang v5.1, there was no
-	# way to make clang's "argument unused" warning fatal.  So we invoke the
-	# compiler through a wrapper script that greps for this message.
-	saved_CC="$CC"
-	saved_LD="$LD"
-	flag_wrap="$srcdir/scripts/wrap-compiler-for-flag-check"
-	CC="$flag_wrap $CC"
-	LD="$flag_wrap $LD"
-
-	AS_IF([test "x$enable_hardening" = "xyes"], [
-		# Tell GCC to NOT optimize based on signed arithmetic overflow
-		CHECK_CFLAG([[-fno-strict-overflow]])
-
-		# _FORTIFY_SOURCE replaces builtin functions with safer versions.
-		CHECK_CFLAG([[-D_FORTIFY_SOURCE=2]])
-
-		# Enable read only relocations
-		CHECK_LDFLAG([[-Wl,-z,relro]])
-		CHECK_LDFLAG([[-Wl,-z,now]])
-
-		# Windows security flags
-		AS_IF([test "x$HOST_OS" = "xwin"], [
-			CHECK_LDFLAG([[-Wl,--nxcompat]])
-			CHECK_LDFLAG([[-Wl,--dynamicbase]])
-			CHECK_LDFLAG([[-Wl,--high-entropy-va]])
-		])
-
-		# Use stack-protector-strong if available; if not, fallback to
-		# stack-protector-all which is considered to be overkill
-		AS_IF([test "x$enable_windows_ssp" = "xyes" -o "x$HOST_OS" != "xwin"], [
-			CHECK_CFLAG([[-fstack-protector-strong]],
-				CHECK_CFLAG([[-fstack-protector-all]],
-					AC_MSG_WARN([compiler does not appear to support stack protection])
-				)
-			)
-			AC_SEARCH_LIBS([__stack_chk_guard],[ssp])
-		])
-	])
-
-	# Restore CC, LD
-	CC="$saved_CC"
-	LD="$saved_LD"
-
-	CFLAGS="$CFLAGS $HARDEN_CFLAGS"
-	LDFLAGS="$LDFLAGS $HARDEN_LDFLAGS"
-])

m4/check-libc.m4

@@ -1,65 +0,0 @@
-AC_DEFUN([CHECK_LIBC_COMPAT], [
-# Check for general libc functions
-AC_CHECK_FUNCS([asprintf memmem poll reallocarray])
-AC_CHECK_FUNCS([strlcat strlcpy strndup strnlen strsep strtonum])
-AM_CONDITIONAL([HAVE_ASPRINTF], [test "x$ac_cv_func_asprintf" = xyes])
-AM_CONDITIONAL([HAVE_MEMMEM], [test "x$ac_cv_func_memmem" = xyes])
-AM_CONDITIONAL([HAVE_POLL], [test "x$ac_cv_func_poll" = xyes])
-AM_CONDITIONAL([HAVE_REALLOCARRAY], [test "x$ac_cv_func_reallocarray" = xyes])
-AM_CONDITIONAL([HAVE_STRLCAT], [test "x$ac_cv_func_strlcat" = xyes])
-AM_CONDITIONAL([HAVE_STRLCPY], [test "x$ac_cv_func_strlcpy" = xyes])
-AM_CONDITIONAL([HAVE_STRNDUP], [test "x$ac_cv_func_strndup" = xyes])
-AM_CONDITIONAL([HAVE_STRNLEN], [test "x$ac_cv_func_strnlen" = xyes])
-AM_CONDITIONAL([HAVE_STRSEP], [test "x$ac_cv_func_strsep" = xyes])
-AM_CONDITIONAL([HAVE_STRTONUM], [test "x$ac_cv_func_strtonum" = xyes])
-])
-
-AC_DEFUN([CHECK_LIBC_CRYPTO_COMPAT], [
-# Check crypto-related libc functions
-AC_CHECK_FUNCS([arc4random_buf explicit_bzero getauxval getentropy])
-AC_CHECK_FUNCS([timingsafe_bcmp timingsafe_memcmp])
-AM_CONDITIONAL([HAVE_ARC4RANDOM_BUF], [test "x$ac_cv_func_arc4random_buf" = xyes])
-AM_CONDITIONAL([HAVE_EXPLICIT_BZERO], [test "x$ac_cv_func_explicit_bzero" = xyes])
-AM_CONDITIONAL([HAVE_GETENTROPY], [test "x$ac_cv_func_getentropy" = xyes])
-AM_CONDITIONAL([HAVE_TIMINGSAFE_BCMP], [test "x$ac_cv_func_timingsafe_bcmp" = xyes])
-AM_CONDITIONAL([HAVE_TIMINGSAFE_MEMCMP], [test "x$ac_cv_func_timingsafe_memcmp" = xyes])
-
-# Override arc4random_buf implementations with known issues
-AM_CONDITIONAL([HAVE_ARC4RANDOM_BUF],
-	[test "x$HOST_OS" != xdarwin \
-	   -a "x$HOST_OS" != xfreebsd \
-	   -a "x$HOST_OS" != xnetbsd \
-	   -a "x$ac_cv_func_arc4random_buf" = xyes])
-
-# Check for getentropy fallback dependencies
-AC_CHECK_FUNC([getauxval])
-AC_CHECK_FUNC([clock_gettime],, [AC_SEARCH_LIBS([clock_gettime],[rt posix4])])
-AC_CHECK_FUNC([dl_iterate_phdr],, [AC_SEARCH_LIBS([dl_iterate_phdr],[dl])])
-])
-
-AC_DEFUN([CHECK_VA_COPY], [
-AC_CACHE_CHECK([whether va_copy exists], ac_cv_have_va_copy, [
-	AC_LINK_IFELSE([AC_LANG_PROGRAM([[
-#include <stdarg.h>
-va_list x,y;
-		]], [[ va_copy(x,y); ]])],
-	[ ac_cv_have_va_copy="yes" ],
-	[ ac_cv_have_va_copy="no"
-	])
-])
-if test "x$ac_cv_have_va_copy" = "xyes" ; then
-	AC_DEFINE([HAVE_VA_COPY], [1], [Define if va_copy exists])
-fi
-
-AC_CACHE_CHECK([whether __va_copy exists], ac_cv_have___va_copy, [
-	AC_LINK_IFELSE([AC_LANG_PROGRAM([[
-#include <stdarg.h>
-va_list x,y;
-		]], [[ __va_copy(x,y); ]])],
-	[ ac_cv_have___va_copy="yes" ], [ ac_cv_have___va_copy="no"
-	])
-])
-if test "x$ac_cv_have___va_copy" = "xyes" ; then
-	AC_DEFINE([HAVE___VA_COPY], [1], [Define if __va_copy exists])
-fi
-])

m4/check-os-options.m4

@@ -1,77 +0,0 @@
-# This must be called before AC_PROG_CC
-AC_DEFUN([CHECK_OS_OPTIONS], [
-
-CFLAGS="$CFLAGS -Wall -std=gnu99"
-
-case $host_os in
-	*aix*)
-		HOST_OS=aix
-		if test "`echo $CC | cut -d ' ' -f 1`" != "gcc" ; then
-			CFLAGS="$USER_CFLAGS"
-		fi
-		AC_SUBST([PLATFORM_LDADD], ['-lperfstat -lpthread'])
-		;;
-	*cygwin*)
-		HOST_OS=cygwin
-		;;
-	*darwin*)
-		HOST_OS=darwin
-		HOST_ABI=macosx
-		;;
-	*freebsd*)
-		HOST_OS=freebsd
-		HOST_ABI=elf
-		AC_SUBST([PROG_LDADD], ['-lthr'])
-		;;
-	*hpux*)
-		HOST_OS=hpux;
-		if test "`echo $CC | cut -d ' ' -f 1`" = "gcc" ; then
-			CFLAGS="$CFLAGS -mlp64"
-		else
-			CFLAGS="-g -O2 +DD64 $USER_CFLAGS"
-		fi
-		CPPFLAGS="$CPPFLAGS -D_XOPEN_SOURCE=600 -D__STRICT_ALIGNMENT"
-		AC_SUBST([PLATFORM_LDADD], ['-lpthread'])
-		;;
-	*linux*)
-		HOST_OS=linux
-		HOST_ABI=elf
-		CPPFLAGS="$CPPFLAGS -D_DEFAULT_SOURCE -D_BSD_SOURCE -D_POSIX_SOURCE -D_GNU_SOURCE"
-		;;
-	*netbsd*)
-		HOST_OS=netbsd
-		CPPFLAGS="$CPPFLAGS -D_OPENBSD_SOURCE"
-		;;
-	*openbsd* | *bitrig*)
-		HOST_ABI=elf
-		AC_DEFINE([HAVE_ATTRIBUTE__BOUNDED__], [1], [OpenBSD gcc has bounded])
-		;;
-	*mingw*)
-		HOST_OS=win
-		CPPFLAGS="$CPPFLAGS -D_GNU_SOURCE -D_POSIX -D_POSIX_SOURCE -D__USE_MINGW_ANSI_STDIO"
-		CPPFLAGS="$CPPFLAGS -D_REENTRANT -D_POSIX_THREAD_SAFE_FUNCTIONS"
-		CPPFLAGS="$CPPFLAGS -DWIN32_LEAN_AND_MEAN -D_WIN32_WINNT=0x0600"
-		CPPFLAGS="$CPPFLAGS -DOPENSSL_NO_SPEED -DNO_SYSLOG"
-		CFLAGS="$CFLAGS -static-libgcc"
-		LDFLAGS="$LDFLAGS -static-libgcc"
-		AC_SUBST([PLATFORM_LDADD], ['-lws2_32'])
-		;;
-	*solaris*)
-		HOST_OS=solaris
-		HOST_ABI=elf
-		CPPFLAGS="$CPPFLAGS -D__EXTENSIONS__ -D_XOPEN_SOURCE=600 -DBSD_COMP"
-		AC_SUBST([PLATFORM_LDADD], ['-lnsl -lsocket'])
-		;;
-	*) ;;
-esac
-
-AM_CONDITIONAL([HOST_AIX],     [test x$HOST_OS = xaix])
-AM_CONDITIONAL([HOST_CYGWIN],  [test x$HOST_OS = xcygwin])
-AM_CONDITIONAL([HOST_DARWIN],  [test x$HOST_OS = xdarwin])
-AM_CONDITIONAL([HOST_FREEBSD], [test x$HOST_OS = xfreebsd])
-AM_CONDITIONAL([HOST_HPUX],    [test x$HOST_OS = xhpux])
-AM_CONDITIONAL([HOST_LINUX],   [test x$HOST_OS = xlinux])
-AM_CONDITIONAL([HOST_NETBSD],  [test x$HOST_OS = xnetbsd])
-AM_CONDITIONAL([HOST_SOLARIS], [test x$HOST_OS = xsolaris])
-AM_CONDITIONAL([HOST_WIN],     [test x$HOST_OS = xwin])
-])

m4/disable-compiler-warnings.m4

@@ -1,29 +0,0 @@
-AC_DEFUN([DISABLE_COMPILER_WARNINGS], [
-# Clang throws a lot of warnings when it does not understand a flag. Disable
-# this warning for now so other warnings are visible.
-AC_MSG_CHECKING([if compiling with clang])
-AC_COMPILE_IFELSE([AC_LANG_PROGRAM([], [[
-#ifndef __clang__
-	not clang
-#endif
-	]])],
-	[CLANG=yes],
-	[CLANG=no]
-)
-AC_MSG_RESULT([$CLANG])
-AS_IF([test "x$CLANG" = "xyes"], [CLANG_FLAGS=-Qunused-arguments])
-CFLAGS="$CFLAGS $CLANG_FLAGS"
-LDFLAGS="$LDFLAGS $CLANG_FLAGS"
-
-# Removing the dependency on -Wno-pointer-sign should be a goal. These are
-# largely unsigned char */char* mismatches in asn1 functions.
-save_cflags="$CFLAGS"
-CFLAGS=-Wno-pointer-sign
-AC_MSG_CHECKING([whether CC supports -Wno-pointer-sign])
-AC_COMPILE_IFELSE([AC_LANG_PROGRAM([])],
-	[AC_MSG_RESULT([yes])]
-	[AM_CFLAGS=-Wno-pointer-sign],
-	[AC_MSG_RESULT([no])]
-)
-CFLAGS="$save_cflags $AM_CFLAGS"
-])

man/Makefile.am.tpl

@@ -0,0 +1,2 @@
+include $(top_srcdir)/Makefile.am.common
+dist_man_MANS=

man/links

@@ -1,9 +1,42 @@
-# This is an auto-generated file by ./update_links.sh
-ASN1_OBJECT_new.3,ASN1_OBJECT_free.3
+TLS_MLINKS="tls_init.3,tls_config_new.3
+	tls_init.3,tls_config_free.3
+	tls_init.3,tls_config_parse_protocols.3
+	tls_init.3,tls_config_set_ca_file.3
+	tls_init.3,tls_config_set_ca_path.3
+	tls_init.3,tls_config_set_ca_mem.3
+	tls_init.3,tls_config_set_cert_file.3
+	tls_init.3,tls_config_set_cert_mem.3
+	tls_init.3,tls_config_set_ciphers.3
+	tls_init.3,tls_config_set_ecdhecurve.3
+	tls_init.3,tls_config_set_dheparams.3
+	tls_init.3,tls_config_set_key_file.3
+	tls_init.3,tls_config_set_key_mem.3
+	tls_init.3,tls_config_set_protocols.3
+	tls_init.3,tls_config_set_verify_depth.3
+	tls_init.3,tls_config_clear_keys.3
+	tls_init.3,tls_config_insecure_noverifycert.3
+	tls_init.3,tls_config_insecure_noverifyname.3
+	tls_init.3,tls_config_verify.3
+	tls_init.3,tls_load_file.3
+	tls_init.3,tls_client.3
+	tls_init.3,tls_server.3
+	tls_init.3,tls_configure.3
+	tls_init.3,tls_error.3
+	tls_init.3,tls_reset.3
+	tls_init.3,tls_free.3
+	tls_init.3,tls_close.3
+	tls_init.3,tls_connect.3
+	tls_init.3,tls_connect_fds.3
+	tls_init.3,tls_connect_servername.3
+	tls_init.3,tls_connect_socket.3
+	tls_init.3,tls_accept_socket.3
+	tls_init.3,tls_read.3
+	tls_init.3,tls_write.3"
+
+SSL_MLINKS="ASN1_OBJECT_new.3,ASN1_OBJECT_free.3
 	ASN1_STRING_length.3,ASN1_STRING_cmp.3
 	ASN1_STRING_length.3,ASN1_STRING_data.3
 	ASN1_STRING_length.3,ASN1_STRING_dup.3
-ASN1_STRING_length.3,ASN1_STRING_length_set.3
 	ASN1_STRING_length.3,ASN1_STRING_set.3
 	ASN1_STRING_length.3,ASN1_STRING_to_UTF8.3
 	ASN1_STRING_length.3,ASN1_STRING_type.3
@@ -34,8 +67,6 @@ BIO_ctrl.3,BIO_seek.3
 	BIO_ctrl.3,BIO_set_close.3
 	BIO_ctrl.3,BIO_set_info_callback.3
 	BIO_ctrl.3,BIO_tell.3
-BIO_ctrl.3,BIO_wpending.3
-BIO_ctrl.3,bio_info_cb.3
 	BIO_f_buffer.3,BIO_get_buffer_num_lines.3
 	BIO_f_buffer.3,BIO_set_buffer_read_data.3
 	BIO_f_buffer.3,BIO_set_buffer_size.3
@@ -47,18 +78,6 @@ BIO_f_cipher.3,BIO_set_cipher.3
 	BIO_f_md.3,BIO_get_md.3
 	BIO_f_md.3,BIO_get_md_ctx.3
 	BIO_f_md.3,BIO_set_md.3
-BIO_f_ssl.3,BIO_do_handshake.3
-BIO_f_ssl.3,BIO_get_num_renegotiates.3
-BIO_f_ssl.3,BIO_get_ssl.3
-BIO_f_ssl.3,BIO_new_buffer_ssl_connect.3
-BIO_f_ssl.3,BIO_new_ssl.3
-BIO_f_ssl.3,BIO_new_ssl_connect.3
-BIO_f_ssl.3,BIO_set_ssl.3
-BIO_f_ssl.3,BIO_set_ssl_mode.3
-BIO_f_ssl.3,BIO_set_ssl_renegotiate_bytes.3
-BIO_f_ssl.3,BIO_set_ssl_renegotiate_timeout.3
-BIO_f_ssl.3,BIO_ssl_copy_session_id.3
-BIO_f_ssl.3,BIO_ssl_shutdown.3
 	BIO_find_type.3,BIO_method_type.3
 	BIO_find_type.3,BIO_next.3
 	BIO_new.3,BIO_free.3
@@ -115,14 +134,11 @@ BIO_s_mem.3,BIO_get_mem_ptr.3
 	BIO_s_mem.3,BIO_new_mem_buf.3
 	BIO_s_mem.3,BIO_set_mem_buf.3
 	BIO_s_mem.3,BIO_set_mem_eof_return.3
-BIO_s_socket.3,BIO_get_fd.3
 	BIO_s_socket.3,BIO_new_socket.3
-BIO_s_socket.3,BIO_set_fd.3
 	BIO_set_callback.3,BIO_debug_callback.3
 	BIO_set_callback.3,BIO_get_callback.3
 	BIO_set_callback.3,BIO_get_callback_arg.3
 	BIO_set_callback.3,BIO_set_callback_arg.3
-BIO_set_callback.3,callback.3
 	BIO_should_retry.3,BIO_get_retry_BIO.3
 	BIO_should_retry.3,BIO_get_retry_reason.3
 	BIO_should_retry.3,BIO_retry_type.3
@@ -133,10 +149,10 @@ BN_BLINDING_new.3,BN_BLINDING_convert.3
 	BN_BLINDING_new.3,BN_BLINDING_convert_ex.3
 	BN_BLINDING_new.3,BN_BLINDING_create_param.3
 	BN_BLINDING_new.3,BN_BLINDING_free.3
-BN_BLINDING_new.3,BN_BLINDING_get_flags.3
 	BN_BLINDING_new.3,BN_BLINDING_get_thread_id.3
 	BN_BLINDING_new.3,BN_BLINDING_invert.3
 	BN_BLINDING_new.3,BN_BLINDING_invert_ex.3
+	BN_BLINDING_new.3,BN_BLINDING_get_flags.3
 	BN_BLINDING_new.3,BN_BLINDING_set_flags.3
 	BN_BLINDING_new.3,BN_BLINDING_set_thread_id.3
 	BN_BLINDING_new.3,BN_BLINDING_thread_id.3
@@ -149,13 +165,9 @@ BN_add.3,BN_div.3
 	BN_add.3,BN_exp.3
 	BN_add.3,BN_gcd.3
 	BN_add.3,BN_mod.3
-BN_add.3,BN_mod_add.3
 	BN_add.3,BN_mod_exp.3
 	BN_add.3,BN_mod_mul.3
-BN_add.3,BN_mod_sqr.3
-BN_add.3,BN_mod_sub.3
 	BN_add.3,BN_mul.3
-BN_add.3,BN_nnmod.3
 	BN_add.3,BN_sqr.3
 	BN_add.3,BN_sub.3
 	BN_add_word.3,BN_div_word.3
@@ -180,7 +192,6 @@ BN_copy.3,BN_dup.3
 	BN_generate_prime.3,BN_GENCB_call.3
 	BN_generate_prime.3,BN_GENCB_set.3
 	BN_generate_prime.3,BN_GENCB_set_old.3
-BN_generate_prime.3,BN_generate_prime_ex.3
 	BN_generate_prime.3,BN_is_prime.3
 	BN_generate_prime.3,BN_is_prime_ex.3
 	BN_generate_prime.3,BN_is_prime_fasttest.3
@@ -224,12 +235,6 @@ CONF_modules_free.3,CONF_modules_finish.3
 	CONF_modules_free.3,CONF_modules_unload.3
 	CONF_modules_load_file.3,CONF_modules_load.3
 	CRYPTO_set_ex_data.3,CRYPTO_get_ex_data.3
-CRYPTO_set_locking_callback.3,CRYPTO_THREADID_cmp.3
-CRYPTO_set_locking_callback.3,CRYPTO_THREADID_cpy.3
-CRYPTO_set_locking_callback.3,CRYPTO_THREADID_current.3
-CRYPTO_set_locking_callback.3,CRYPTO_THREADID_get_callback.3
-CRYPTO_set_locking_callback.3,CRYPTO_THREADID_hash.3
-CRYPTO_set_locking_callback.3,CRYPTO_THREADID_set_callback.3
 	CRYPTO_set_locking_callback.3,CRYPTO_add.3
 	CRYPTO_set_locking_callback.3,CRYPTO_add_lock.3
 	CRYPTO_set_locking_callback.3,CRYPTO_destroy_dynlockid.3
@@ -244,37 +249,6 @@ CRYPTO_set_locking_callback.3,CRYPTO_set_dynlock_lock_callback.3
 	CRYPTO_set_locking_callback.3,CRYPTO_set_id_callback.3
 	CRYPTO_set_locking_callback.3,CRYPTO_w_lock.3
 	CRYPTO_set_locking_callback.3,CRYPTO_w_unlock.3
-DES_set_key.3,DES_cbc_cksum.3
-DES_set_key.3,DES_cfb64_encrypt.3
-DES_set_key.3,DES_cfb_encrypt.3
-DES_set_key.3,DES_crypt.3
-DES_set_key.3,DES_ecb2_encrypt.3
-DES_set_key.3,DES_ecb3_encrypt.3
-DES_set_key.3,DES_ecb_encrypt.3
-DES_set_key.3,DES_ede2_cbc_encrypt.3
-DES_set_key.3,DES_ede2_cfb64_encrypt.3
-DES_set_key.3,DES_ede2_ofb64_encrypt.3
-DES_set_key.3,DES_ede3_cbc_encrypt.3
-DES_set_key.3,DES_ede3_cbcm_encrypt.3
-DES_set_key.3,DES_ede3_cfb64_encrypt.3
-DES_set_key.3,DES_ede3_ofb64_encrypt.3
-DES_set_key.3,DES_enc_read.3
-DES_set_key.3,DES_enc_write.3
-DES_set_key.3,DES_fcrypt.3
-DES_set_key.3,DES_is_weak_key.3
-DES_set_key.3,DES_key_sched.3
-DES_set_key.3,DES_ncbc_encrypt.3
-DES_set_key.3,DES_ofb64_encrypt.3
-DES_set_key.3,DES_ofb_encrypt.3
-DES_set_key.3,DES_pcbc_encrypt.3
-DES_set_key.3,DES_quad_cksum.3
-DES_set_key.3,DES_random_key.3
-DES_set_key.3,DES_set_key_checked.3
-DES_set_key.3,DES_set_key_unchecked.3
-DES_set_key.3,DES_set_odd_parity.3
-DES_set_key.3,DES_string_to_2keys.3
-DES_set_key.3,DES_string_to_key.3
-DES_set_key.3,DES_xcbc_encrypt.3
 	DH_generate_key.3,DH_compute_key.3
 	DH_generate_parameters.3,DH_check.3
 	DH_generate_parameters.3,DH_generate_parameters_ex.3
@@ -287,11 +261,7 @@ DH_set_method.3,DH_get_default_openssl_method.3
 	DH_set_method.3,DH_new_method.3
 	DH_set_method.3,DH_set_default_method.3
 	DH_set_method.3,DH_set_default_openssl_method.3
-DSA_SIG_new.3,DSA_SIG_free.3
-DSA_do_sign.3,DSA_do_verify.3
 	DSA_generate_parameters.3,DSA_generate_parameters_ex.3
-DSA_get_ex_new_index.3,DSA_get_ex_data.3
-DSA_get_ex_new_index.3,DSA_set_ex_data.3
 	DSA_new.3,DSA_free.3
 	DSA_set_method.3,DSA_OpenSSL.3
 	DSA_set_method.3,DSA_get_default_method.3
@@ -327,9 +297,9 @@ EC_GROUP_copy.3,EC_GROUP_get_trinomial_basis.3
 	EC_GROUP_copy.3,EC_GROUP_method_of.3
 	EC_GROUP_copy.3,EC_GROUP_set_asn1_flag.3
 	EC_GROUP_copy.3,EC_GROUP_set_curve_name.3
-EC_GROUP_copy.3,EC_GROUP_set_generator.3
 	EC_GROUP_copy.3,EC_GROUP_set_point_conversion_form.3
 	EC_GROUP_copy.3,EC_GROUP_set_seed.3
+	EC_GROUP_copy.3,EC_GROUP_set_generator.3
 	EC_GROUP_new.3,EC_GROUP_clear_free.3
 	EC_GROUP_new.3,EC_GROUP_free.3
 	EC_GROUP_new.3,EC_GROUP_get_curve_GF2m.3
@@ -407,11 +377,7 @@ ERR_get_error.3,ERR_get_error_line_data.3
 	ERR_get_error.3,ERR_peek_error.3
 	ERR_get_error.3,ERR_peek_error_line.3
 	ERR_get_error.3,ERR_peek_error_line_data.3
-ERR_get_error.3,ERR_peek_last_error.3
-ERR_get_error.3,ERR_peek_last_error_line.3
-ERR_get_error.3,ERR_peek_last_error_line_data.3
 	ERR_load_crypto_strings.3,ERR_free_strings.3
-ERR_load_crypto_strings.3,SSL_load_error_strings.3
 	ERR_load_strings.3,ERR_PACK.3
 	ERR_load_strings.3,ERR_get_next_error_library.3
 	ERR_print_errors.3,ERR_print_errors_fp.3
@@ -419,17 +385,9 @@ ERR_put_error.3,ERR_add_error_data.3
 	ERR_remove_state.3,ERR_remove_thread_state.3
 	ERR_set_mark.3,ERR_pop_to_mark.3
 	EVP_DigestInit.3,EVP_DigestFinal.3
-EVP_DigestInit.3,EVP_DigestFinal_ex.3
-EVP_DigestInit.3,EVP_DigestInit_ex.3
 	EVP_DigestInit.3,EVP_DigestUpdate.3
-EVP_DigestInit.3,EVP_MAX_MD_SIZE.3
 	EVP_DigestInit.3,EVP_MD_CTX_block_size.3
-EVP_DigestInit.3,EVP_MD_CTX_cleanup.3
 	EVP_DigestInit.3,EVP_MD_CTX_copy.3
-EVP_DigestInit.3,EVP_MD_CTX_copy_ex.3
-EVP_DigestInit.3,EVP_MD_CTX_create.3
-EVP_DigestInit.3,EVP_MD_CTX_destroy.3
-EVP_DigestInit.3,EVP_MD_CTX_init.3
 	EVP_DigestInit.3,EVP_MD_CTX_md.3
 	EVP_DigestInit.3,EVP_MD_CTX_size.3
 	EVP_DigestInit.3,EVP_MD_CTX_type.3
@@ -449,35 +407,23 @@ EVP_DigestInit.3,EVP_mdc2.3
 	EVP_DigestInit.3,EVP_ripemd160.3
 	EVP_DigestInit.3,EVP_sha.3
 	EVP_DigestInit.3,EVP_sha1.3
-EVP_DigestInit.3,EVP_sha224.3
-EVP_DigestInit.3,EVP_sha256.3
-EVP_DigestInit.3,EVP_sha384.3
-EVP_DigestInit.3,EVP_sha512.3
-EVP_DigestSignInit.3,EVP_DigestSignFinal.3
 	EVP_DigestSignInit.3,EVP_DigestSignUpdate.3
-EVP_DigestVerifyInit.3,EVP_DigestVerifyFinal.3
+	EVP_DigestSignInit.3,EVP_DigestSignFinal.3
 	EVP_DigestVerifyInit.3,EVP_DigestVerifyUpdate.3
+	EVP_DigestVerifyInit.3,EVP_DigestVerifyFinal.3
 	EVP_EncryptInit.3,EVP_CIPHER_CTX_block_size.3
 	EVP_EncryptInit.3,EVP_CIPHER_CTX_cipher.3
 	EVP_EncryptInit.3,EVP_CIPHER_CTX_cleanup.3
 	EVP_EncryptInit.3,EVP_CIPHER_CTX_ctrl.3
-EVP_EncryptInit.3,EVP_CIPHER_CTX_flags.3
-EVP_EncryptInit.3,EVP_CIPHER_CTX_get_app_data.3
-EVP_EncryptInit.3,EVP_CIPHER_CTX_init.3
 	EVP_EncryptInit.3,EVP_CIPHER_CTX_iv_length.3
 	EVP_EncryptInit.3,EVP_CIPHER_CTX_key_length.3
-EVP_EncryptInit.3,EVP_CIPHER_CTX_mode.3
 	EVP_EncryptInit.3,EVP_CIPHER_CTX_nid.3
-EVP_EncryptInit.3,EVP_CIPHER_CTX_set_app_data.3
 	EVP_EncryptInit.3,EVP_CIPHER_CTX_set_key_length.3
-EVP_EncryptInit.3,EVP_CIPHER_CTX_set_padding.3
 	EVP_EncryptInit.3,EVP_CIPHER_CTX_type.3
 	EVP_EncryptInit.3,EVP_CIPHER_asn1_to_param.3
 	EVP_EncryptInit.3,EVP_CIPHER_block_size.3
-EVP_EncryptInit.3,EVP_CIPHER_flags.3
 	EVP_EncryptInit.3,EVP_CIPHER_iv_length.3
 	EVP_EncryptInit.3,EVP_CIPHER_key_length.3
-EVP_EncryptInit.3,EVP_CIPHER_mode.3
 	EVP_EncryptInit.3,EVP_CIPHER_nid.3
 	EVP_EncryptInit.3,EVP_CIPHER_param_to_asn1.3
 	EVP_EncryptInit.3,EVP_CIPHER_type.3
@@ -527,6 +473,7 @@ EVP_EncryptInit.3,EVP_get_cipherbyname.3
 	EVP_EncryptInit.3,EVP_get_cipherbynid.3
 	EVP_EncryptInit.3,EVP_get_cipherbyobj.3
 	EVP_EncryptInit.3,EVP_idea_cbc.3
+	EVP_EncryptInit.3,EVP_idea_cbc.3
 	EVP_EncryptInit.3,EVP_idea_cfb.3
 	EVP_EncryptInit.3,EVP_idea_ecb.3
 	EVP_EncryptInit.3,EVP_idea_ofb.3
@@ -544,7 +491,6 @@ EVP_EncryptInit.3,EVP_rc5_32_12_16_ecb.3
 	EVP_EncryptInit.3,EVP_rc5_32_12_16_ofb.3
 	EVP_OpenInit.3,EVP_OpenFinal.3
 	EVP_OpenInit.3,EVP_OpenUpdate.3
-EVP_PKEY_CTX_ctrl.3,EVP_PKEY_CTX_ctrl_str.3
 	EVP_PKEY_CTX_ctrl.3,EVP_PKEY_CTX_set_dh_paramgen_generator.3
 	EVP_PKEY_CTX_ctrl.3,EVP_PKEY_CTX_set_dh_paramgen_prime_len.3
 	EVP_PKEY_CTX_ctrl.3,EVP_PKEY_CTX_set_dsa_paramgen_bits.3
@@ -556,29 +502,31 @@ EVP_PKEY_CTX_ctrl.3,EVP_PKEY_CTX_set_rsa_rsa_keygen_bits.3
 	EVP_PKEY_CTX_ctrl.3,EVP_PKEY_CTX_set_signature_md.3
 	EVP_PKEY_CTX_ctrl.3,EVP_PKEY_ctrl_str.3
 	EVP_PKEY_CTX_ctrl.3,EVP_PKEY_get_default_digest_nid.3
+	EVP_PKEY_CTX_new.3,EVP_PKEY_CTX_new_id.3
 	EVP_PKEY_CTX_new.3,EVP_PKEY_CTX_dup.3
 	EVP_PKEY_CTX_new.3,EVP_PKEY_CTX_free.3
-EVP_PKEY_CTX_new.3,EVP_PKEY_CTX_new_id.3
-EVP_PKEY_cmp.3,EVP_PKEY_cmp_parameters.3
 	EVP_PKEY_cmp.3,EVP_PKEY_copy_parameters.3
 	EVP_PKEY_cmp.3,EVP_PKEY_missing_parameters.3
+	EVP_PKEY_cmp.3,EVP_PKEY_cmp_parameters.3
+	EVP_PKEY_new.3,EVP_PKEY_free.3
 	EVP_PKEY_decrypt.3,EVP_PKEY_decrypt_init.3
 	EVP_PKEY_derive.3,EVP_PKEY_derive_init.3
 	EVP_PKEY_derive.3,EVP_PKEY_derive_set_peer.3
-EVP_PKEY_encrypt.3,EVP_PKEY_encrypt_init.3
 	EVP_PKEY_get_default_digest.3,EVP_PKEY_get_default_digest_nid.3
-EVP_PKEY_keygen.3,EVP_PKEVP_PKEY_CTX_set_app_data.3
-EVP_PKEY_keygen.3,EVP_PKEY_CTX_get_app_data.3
+	EVP_PKEY_encrypt.3,EVP_PKEY_encrypt_init.3
+	EVP_PKEY_keygen.3,EVP_PKEY_keygen_init.3
+	EVP_PKEY_keygen.3,EVP_PKEY_paramgen_init.3
+	EVP_PKEY_keygen.3,EVP_PKEY_paramgen.3
+	EVP_PKEY_keygen.3,EVP_PKEY_CTX_set_cb.3
 	EVP_PKEY_keygen.3,EVP_PKEY_CTX_get_cb.3
 	EVP_PKEY_keygen.3,EVP_PKEY_CTX_get_keygen_info.3
 	EVP_PKEY_keygen.3,EVP_PKEY_CTX_set_app_data.3
-EVP_PKEY_keygen.3,EVP_PKEY_CTX_set_cb.3
-EVP_PKEY_keygen.3,EVP_PKEY_keygen_init.3
-EVP_PKEY_keygen.3,EVP_PKEY_paramgen.3
-EVP_PKEY_keygen.3,EVP_PKEY_paramgen_init.3
-EVP_PKEY_new.3,EVP_PKEY_free.3
-EVP_PKEY_print_private.3,EVP_PKEY_print_params.3
+	EVP_PKEY_keygen.3,EVP_PKEY_CTX_get_app_data.3
 	EVP_PKEY_print_private.3,EVP_PKEY_print_public.3
+	EVP_PKEY_print_private.3,EVP_PKEY_print_params.3
+	EVP_PKEY_sign.3,EVP_PKEY_sign_init.3
+	EVP_PKEY_verify.3,EVP_PKEY_verify_init.3
+	EVP_PKEY_verify_recover.3,EVP_PKEY_verify_recover_init.3
 	EVP_PKEY_set1_RSA.3,EVP_PKEY_assign_DH.3
 	EVP_PKEY_set1_RSA.3,EVP_PKEY_assign_DSA.3
 	EVP_PKEY_set1_RSA.3,EVP_PKEY_assign_EC_KEY.3
@@ -591,9 +539,6 @@ EVP_PKEY_set1_RSA.3,EVP_PKEY_set1_DH.3
 	EVP_PKEY_set1_RSA.3,EVP_PKEY_set1_DSA.3
 	EVP_PKEY_set1_RSA.3,EVP_PKEY_set1_EC_KEY.3
 	EVP_PKEY_set1_RSA.3,EVP_PKEY_type.3
-EVP_PKEY_sign.3,EVP_PKEY_sign_init.3
-EVP_PKEY_verify.3,EVP_PKEY_verify_init.3
-EVP_PKEY_verify_recover.3,EVP_PKEY_verify_recover_init.3
 	EVP_SealInit.3,EVP_SealFinal.3
 	EVP_SealInit.3,EVP_SealUpdate.3
 	EVP_SignInit.3,EVP_PKEY_size.3
@@ -636,7 +581,7 @@ OPENSSL_load_builtin_modules.3,ENGINE_add_conf_module.3
 	OpenSSL_add_all_algorithms.3,EVP_cleanup.3
 	OpenSSL_add_all_algorithms.3,OpenSSL_add_all_ciphers.3
 	OpenSSL_add_all_algorithms.3,OpenSSL_add_all_digests.3
-PEM_read_bio_PrivateKey.3,PEM.3
+	PKCS5_PBKDF2_HMAC.3,PKCS5_PBKDF2_HMAC_SHA1.3
 	PEM_read_bio_PrivateKey.3,PEM_read_DHparams.3
 	PEM_read_bio_PrivateKey.3,PEM_read_DSAPrivateKey.3
 	PEM_read_bio_PrivateKey.3,PEM_read_DSA_PUBKEY.3
@@ -702,7 +647,6 @@ PEM_read_bio_PrivateKey.3,PEM_write_bio_X509_AUX.3
 	PEM_read_bio_PrivateKey.3,PEM_write_bio_X509_CRL.3
 	PEM_read_bio_PrivateKey.3,PEM_write_bio_X509_REQ.3
 	PEM_read_bio_PrivateKey.3,PEM_write_bio_X509_REQ_NEW.3
-PKCS5_PBKDF2_HMAC.3,PKCS5_PBKDF2_HMAC_SHA1.3
 	PKCS7_verify.3,PKCS7_get0_signers.3
 	RAND_add.3,RAND_seed.3
 	RAND_add.3,RAND_status.3
@@ -753,6 +697,204 @@ RSA_sign_ASN1_OCTET_STRING.3,RSA_verify_ASN1_OCTET_STRING.3
 	SHA1.3,SHA1_Final.3
 	SHA1.3,SHA1_Init.3
 	SHA1.3,SHA1_Update.3
+	X509_NAME_ENTRY_get_object.3,X509_NAME_ENTRY_create_by_NID.3
+	X509_NAME_ENTRY_get_object.3,X509_NAME_ENTRY_create_by_OBJ.3
+	X509_NAME_ENTRY_get_object.3,X509_NAME_ENTRY_create_by_txt.3
+	X509_NAME_ENTRY_get_object.3,X509_NAME_ENTRY_get_data.3
+	X509_NAME_ENTRY_get_object.3,X509_NAME_ENTRY_set_data.3
+	X509_NAME_ENTRY_get_object.3,X509_NAME_ENTRY_set_object.3
+	X509_NAME_add_entry_by_txt.3,X509_NAME_add_entry.3
+	X509_NAME_add_entry_by_txt.3,X509_NAME_add_entry_by_NID.3
+	X509_NAME_add_entry_by_txt.3,X509_NAME_add_entry_by_OBJ.3
+	X509_NAME_add_entry_by_txt.3,X509_NAME_delete_entry.3
+	X509_new.3,X509_free.3
+	X509_STORE_CTX_get_error.3,X509_STORE_CTX_get1_chain.3
+	X509_STORE_CTX_get_error.3,X509_STORE_CTX_get_current_cert.3
+	X509_STORE_CTX_get_error.3,X509_STORE_CTX_get_error_depth.3
+	X509_STORE_CTX_get_error.3,X509_STORE_CTX_set_error.3
+	X509_STORE_CTX_get_error.3,X509_verify_cert_error_string.3
+	X509_STORE_CTX_get_ex_new_index.3,X509_STORE_CTX_get_ex_data.3
+	X509_STORE_CTX_get_ex_new_index.3,X509_STORE_CTX_set_ex_data.3
+	X509_STORE_CTX_new.3,X509_STORE_CTX_cleanup.3
+	X509_STORE_CTX_new.3,X509_STORE_CTX_free.3
+	X509_STORE_CTX_new.3,X509_STORE_CTX_get0_param.3
+	X509_STORE_CTX_new.3,X509_STORE_CTX_init.3
+	X509_STORE_CTX_new.3,X509_STORE_CTX_set0_crls.3
+	X509_STORE_CTX_new.3,X509_STORE_CTX_set0_param.3
+	X509_STORE_CTX_new.3,X509_STORE_CTX_set_cert.3
+	X509_STORE_CTX_new.3,X509_STORE_CTX_set_chain.3
+	X509_STORE_CTX_new.3,X509_STORE_CTX_set_default.3
+	X509_STORE_CTX_new.3,X509_STORE_CTX_trusted_stack.3
+	X509_STORE_set_verify_cb_func.3,X509_STORE_set_verify_cb.3
+	X509_VERIFY_PARAM_set_flags.3,X509_VERIFY_PARAM_add0_policy.3
+	X509_VERIFY_PARAM_set_flags.3,X509_VERIFY_PARAM_clear_flags.3
+	X509_VERIFY_PARAM_set_flags.3,X509_VERIFY_PARAM_get_depth.3
+	X509_VERIFY_PARAM_set_flags.3,X509_VERIFY_PARAM_get_flags.3
+	X509_VERIFY_PARAM_set_flags.3,X509_VERIFY_PARAM_set1_policies.3
+	X509_VERIFY_PARAM_set_flags.3,X509_VERIFY_PARAM_set_depth.3
+	X509_VERIFY_PARAM_set_flags.3,X509_VERIFY_PARAM_set_purpose.3
+	X509_VERIFY_PARAM_set_flags.3,X509_VERIFY_PARAM_set_time.3
+	X509_VERIFY_PARAM_set_flags.3,X509_VERIFY_PARAM_set_trust.3
+	bn_internal.3,bn_add_words.3
+	bn_internal.3,bn_check_top.3
+	bn_internal.3,bn_cmp_words.3
+	bn_internal.3,bn_div_words.3
+	bn_internal.3,bn_dump.3
+	bn_internal.3,bn_expand.3
+	bn_internal.3,bn_expand2.3
+	bn_internal.3,bn_fix_top.3
+	bn_internal.3,bn_mul_add_words.3
+	bn_internal.3,bn_mul_comba4.3
+	bn_internal.3,bn_mul_comba8.3
+	bn_internal.3,bn_mul_high.3
+	bn_internal.3,bn_mul_low_normal.3
+	bn_internal.3,bn_mul_low_recursive.3
+	bn_internal.3,bn_mul_normal.3
+	bn_internal.3,bn_mul_part_recursive.3
+	bn_internal.3,bn_mul_recursive.3
+	bn_internal.3,bn_mul_words.3
+	bn_internal.3,bn_print.3
+	bn_internal.3,bn_set_high.3
+	bn_internal.3,bn_set_low.3
+	bn_internal.3,bn_set_max.3
+	bn_internal.3,bn_sqr_comba4.3
+	bn_internal.3,bn_sqr_comba8.3
+	bn_internal.3,bn_sqr_normal.3
+	bn_internal.3,bn_sqr_recursive.3
+	bn_internal.3,bn_sqr_words.3
+	bn_internal.3,bn_sub_words.3
+	bn_internal.3,bn_wexpand.3
+	bn_internal.3,mul.3
+	bn_internal.3,mul_add.3
+	bn_internal.3,sqr.3
+	d2i_ASN1_OBJECT.3,i2d_ASN1_OBJECT.3
+	d2i_DHparams.3,i2d_DHparams.3
+	d2i_DSAPublicKey.3,d2i_DSAPrivateKey.3
+	d2i_DSAPublicKey.3,d2i_DSA_PUBKEY.3
+	d2i_DSAPublicKey.3,d2i_DSA_SIG.3
+	d2i_DSAPublicKey.3,d2i_DSAparams.3
+	d2i_DSAPublicKey.3,i2d_DSAPrivateKey.3
+	d2i_DSAPublicKey.3,i2d_DSAPublicKey.3
+	d2i_DSAPublicKey.3,i2d_DSA_PUBKEY.3
+	d2i_DSAPublicKey.3,i2d_DSA_SIG.3
+	d2i_DSAPublicKey.3,i2d_DSAparams.3
+	d2i_ECPKParameters.3,ECPKParameters_print.3
+	d2i_ECPKParameters.3,ECPKParameters_print_fp.3
+	d2i_ECPKParameters.3,d2i_ECPKParameters_bio.3
+	d2i_ECPKParameters.3,d2i_ECPKParameters_fp.3
+	d2i_ECPKParameters.3,i2d_ECPKParameters.3
+	d2i_ECPKParameters.3,i2d_ECPKParameters_bio.3
+	d2i_ECPKParameters.3,i2d_ECPKParameters_fp.3
+	d2i_PKCS8PrivateKey.3,d2i_PKCS8PrivateKey_bio.3
+	d2i_PKCS8PrivateKey.3,d2i_PKCS8PrivateKey_fp.3
+	d2i_PKCS8PrivateKey.3,i2d_PKCS8PrivateKey_bio.3
+	d2i_PKCS8PrivateKey.3,i2d_PKCS8PrivateKey_fp.3
+	d2i_PKCS8PrivateKey.3,i2d_PKCS8PrivateKey_nid_bio.3
+	d2i_PKCS8PrivateKey.3,i2d_PKCS8PrivateKey_nid_fp.3
+	d2i_RSAPublicKey.3,d2i_Netscape_RSA.3
+	d2i_RSAPublicKey.3,d2i_RSAPrivateKey.3
+	d2i_RSAPublicKey.3,i2d_Netscape_RSA.3
+	d2i_RSAPublicKey.3,i2d_RSAPrivateKey.3
+	d2i_RSAPublicKey.3,i2d_RSAPublicKey.3
+	d2i_X509.3,d2i_X509_bio.3
+	d2i_X509.3,d2i_X509_fp.3
+	d2i_X509.3,i2d_X509.3
+	d2i_X509.3,i2d_X509_bio.3
+	d2i_X509.3,i2d_X509_fp.3
+	d2i_X509_ALGOR.3,i2d_X509_ALGOR.3
+	d2i_X509_CRL.3,d2i_X509_CRL_bio.3
+	d2i_X509_CRL.3,d2i_X509_CRL_fp.3
+	d2i_X509_CRL.3,i2d_X509_CRL.3
+	d2i_X509_CRL.3,i2d_X509_CRL_bio.3
+	d2i_X509_CRL.3,i2d_X509_CRL_fp.3
+	d2i_X509_NAME.3,i2d_X509_NAME.3
+	d2i_X509_REQ.3,d2i_X509_REQ_bio.3
+	d2i_X509_REQ.3,d2i_X509_REQ_fp.3
+	d2i_X509_REQ.3,i2d_X509_REQ.3
+	d2i_X509_REQ.3,i2d_X509_REQ_bio.3
+	d2i_X509_REQ.3,i2d_X509_REQ_fp.3
+	ecdsa.3,ECDSA_OpenSSL.3
+	ecdsa.3,ECDSA_SIG_free.3
+	ecdsa.3,ECDSA_SIG_new.3
+	ecdsa.3,ECDSA_do_sign.3
+	ecdsa.3,ECDSA_do_sign_ex.3
+	ecdsa.3,ECDSA_do_verify.3
+	ecdsa.3,ECDSA_get_default_method.3
+	ecdsa.3,ECDSA_get_ex_data.3
+	ecdsa.3,ECDSA_get_ex_new_index.3
+	ecdsa.3,ECDSA_set_default_method.3
+	ecdsa.3,ECDSA_set_ex_data.3
+	ecdsa.3,ECDSA_set_method.3
+	ecdsa.3,ECDSA_sign.3
+	ecdsa.3,ECDSA_sign_ex.3
+	ecdsa.3,ECDSA_sign_setup.3
+	ecdsa.3,ECDSA_verify.3
+	ecdsa.3,d2i_ECDSA_SIG.3
+	ecdsa.3,i2d_ECDSA_SIG.3
+	engine.3,ENGINE_add.3
+	engine.3,ENGINE_by_id.3
+	engine.3,ENGINE_finish.3
+	engine.3,ENGINE_get_first.3
+	engine.3,ENGINE_get_last.3
+	engine.3,ENGINE_get_next.3
+	engine.3,ENGINE_get_prev.3
+	engine.3,ENGINE_init.3
+	engine.3,ENGINE_load_builtin_engines.3
+	engine.3,ENGINE_remove.3
+	lh_stats.3,lh_node_stats.3
+	lh_stats.3,lh_node_stats_bio.3
+	lh_stats.3,lh_node_usage_stats.3
+	lh_stats.3,lh_node_usage_stats_bio.3
+	lh_stats.3,lh_stats_bio.3
+	lhash.3,lh_delete.3
+	lhash.3,lh_doall.3
+	lhash.3,lh_doall_arg.3
+	lhash.3,lh_error.3
+	lhash.3,lh_free.3
+	lhash.3,lh_insert.3
+	lhash.3,lh_new.3
+	lhash.3,lh_retrieve.3
+	ui.3,UI_OpenSSL.3
+	ui.3,UI_add_error_string.3
+	ui.3,UI_add_info_string.3
+	ui.3,UI_add_input_boolean.3
+	ui.3,UI_add_input_string.3
+	ui.3,UI_add_user_data.3
+	ui.3,UI_add_verify_string.3
+	ui.3,UI_construct_prompt.3
+	ui.3,UI_ctrl.3
+	ui.3,UI_dup_error_string.3
+	ui.3,UI_dup_info_string.3
+	ui.3,UI_dup_input_boolean.3
+	ui.3,UI_dup_input_string.3
+	ui.3,UI_dup_verify_string.3
+	ui.3,UI_free.3
+	ui.3,UI_get0_result.3
+	ui.3,UI_get0_user_data.3
+	ui.3,UI_get_default_method.3
+	ui.3,UI_get_method.3
+	ui.3,UI_new.3
+	ui.3,UI_new_method.3
+	ui.3,UI_process.3
+	ui.3,UI_set_default_method.3
+	ui.3,UI_set_method.3
+	ui_compat.3,des_read_2passwords.3
+	ui_compat.3,des_read_password.3
+	ui_compat.3,des_read_pw.3
+	ui_compat.3,des_read_pw_string.3
+	BIO_f_ssl.3,BIO_do_handshake.3
+	BIO_f_ssl.3,BIO_get_num_renegotiates.3
+	BIO_f_ssl.3,BIO_get_ssl.3
+	BIO_f_ssl.3,BIO_new_buffer_ssl_connect.3
+	BIO_f_ssl.3,BIO_new_ssl.3
+	BIO_f_ssl.3,BIO_new_ssl_connect.3
+	BIO_f_ssl.3,BIO_set_ssl.3
+	BIO_f_ssl.3,BIO_set_ssl_mode.3
+	BIO_f_ssl.3,BIO_set_ssl_renegotiate_bytes.3
+	BIO_f_ssl.3,BIO_set_ssl_renegotiate_timeout.3
+	BIO_f_ssl.3,BIO_ssl_copy_session_id.3
+	BIO_f_ssl.3,BIO_ssl_shutdown.3
+	ERR_load_crypto_strings.3,SSL_load_error_strings.3
 	SSL_CIPHER_get_name.3,SSL_CIPHER_description.3
 	SSL_CIPHER_get_name.3,SSL_CIPHER_get_bits.3
 	SSL_CIPHER_get_name.3,SSL_CIPHER_get_version.3
@@ -799,24 +941,12 @@ SSL_CTX_sess_set_get_cb.3,SSL_CTX_sess_get_new_cb.3
 	SSL_CTX_sess_set_get_cb.3,SSL_CTX_sess_get_remove_cb.3
 	SSL_CTX_sess_set_get_cb.3,SSL_CTX_sess_set_new_cb.3
 	SSL_CTX_sess_set_get_cb.3,SSL_CTX_sess_set_remove.3
-SSL_CTX_sess_set_get_cb.3,SSL_CTX_sess_set_remove_cb.3
-SSL_CTX_sess_set_get_cb.3,get_session_cb.3
-SSL_CTX_sess_set_get_cb.3,new_session_cb.3
-SSL_CTX_sess_set_get_cb.3,remove_session_cb.3
 	SSL_CTX_set_cert_store.3,SSL_CTX_get_cert_store.3
 	SSL_CTX_set_cipher_list.3,SSL_set_cipher_list.3
 	SSL_CTX_set_client_CA_list.3,SSL_CTX_add_client_CA.3
 	SSL_CTX_set_client_CA_list.3,SSL_add_client_CA.3
 	SSL_CTX_set_client_CA_list.3,SSL_set_client_CA_list.3
-SSL_CTX_set_client_cert_cb.3,SSL_CTX_get_client_cert_cb.3
-SSL_CTX_set_client_cert_cb.3,client_cert_cb.3
 	SSL_CTX_set_default_passwd_cb.3,SSL_CTX_set_default_passwd_cb_userdata.3
-SSL_CTX_set_default_passwd_cb.3,pem_passwd_cb.3
-SSL_CTX_set_generate_session_id.3,SSL_has_matching_session_id.3
-SSL_CTX_set_generate_session_id.3,SSL_set_generate_session_id.3
-SSL_CTX_set_info_callback.3,SSL_CTX_get_info_callback.3
-SSL_CTX_set_info_callback.3,SSL_get_info_callback.3
-SSL_CTX_set_info_callback.3,SSL_set_info_callback.3
 	SSL_CTX_set_max_cert_list.3,SSL_CTX_get_max_cert_list.3
 	SSL_CTX_set_max_cert_list.3,SSL_get_max_cert_list.3
 	SSL_CTX_set_max_cert_list.3,SSL_set_max_cert_list.3
@@ -824,14 +954,10 @@ SSL_CTX_set_mode.3,SSL_CTX_get_mode.3
 	SSL_CTX_set_mode.3,SSL_get_mode.3
 	SSL_CTX_set_mode.3,SSL_set_mode.3
 	SSL_CTX_set_msg_callback.3,SSL_CTX_set_msg_callback_arg.3
-SSL_CTX_set_msg_callback.3,SSL_get_msg_callback_arg.3
 	SSL_CTX_set_msg_callback.3,SSL_set_msg_callback.3
 	SSL_CTX_set_msg_callback.3,SSL_set_msg_callback_arg.3
-SSL_CTX_set_options.3,SSL_CTX_clear_options.3
 	SSL_CTX_set_options.3,SSL_CTX_get_options.3
-SSL_CTX_set_options.3,SSL_clear_options.3
 	SSL_CTX_set_options.3,SSL_get_options.3
-SSL_CTX_set_options.3,SSL_get_secure_renegotiation_support.3
 	SSL_CTX_set_options.3,SSL_set_options.3
 	SSL_CTX_set_psk_client_callback.3,SSL_set_psk_client_callback.3
 	SSL_CTX_set_quiet_shutdown.3,SSL_CTX_get_quiet_shutdown.3
@@ -850,11 +976,9 @@ SSL_CTX_set_tmp_rsa_callback.3,SSL_CTX_set_tmp_rsa.3
 	SSL_CTX_set_tmp_rsa_callback.3,SSL_need_tmp_rsa.3
 	SSL_CTX_set_tmp_rsa_callback.3,SSL_set_tmp_rsa.3
 	SSL_CTX_set_tmp_rsa_callback.3,SSL_set_tmp_rsa_callback.3
-SSL_CTX_set_tmp_rsa_callback.3,tmp_rsa_callback.3
 	SSL_CTX_set_verify.3,SSL_CTX_set_verify_depth.3
 	SSL_CTX_set_verify.3,SSL_set_verify.3
 	SSL_CTX_set_verify.3,SSL_set_verify_depth.3
-SSL_CTX_set_verify.3,verify_callback.3
 	SSL_CTX_use_certificate.3,SSL_CTX_check_private_key.3
 	SSL_CTX_use_certificate.3,SSL_CTX_use_PrivateKey.3
 	SSL_CTX_use_certificate.3,SSL_CTX_use_PrivateKey_ASN1.3
@@ -876,9 +1000,9 @@ SSL_CTX_use_certificate.3,SSL_use_RSAPrivateKey_file.3
 	SSL_CTX_use_certificate.3,SSL_use_certificate.3
 	SSL_CTX_use_certificate.3,SSL_use_certificate_ASN1.3
 	SSL_CTX_use_certificate.3,SSL_use_certificate_file.3
+	SSL_CTX_use_psk_identity_hint.3,SSL_use_psk_identity_hint.3
 	SSL_CTX_use_psk_identity_hint.3,SSL_CTX_set_psk_server_callback.3
 	SSL_CTX_use_psk_identity_hint.3,SSL_set_psk_server_callback.3
-SSL_CTX_use_psk_identity_hint.3,SSL_use_psk_identity_hint.3
 	SSL_SESSION_get_ex_new_index.3,SSL_SESSION_get_ex_data.3
 	SSL_SESSION_get_ex_new_index.3,SSL_SESSION_set_ex_data.3
 	SSL_SESSION_get_time.3,SSL_SESSION_get_timeout.3
@@ -908,7 +1032,6 @@ SSL_get_session.3,SSL_get1_session.3
 	SSL_library_init.3,OpenSSL_add_ssl_algorithms.3
 	SSL_library_init.3,SSLeay_add_ssl_algorithms.3
 	SSL_rstate_string.3,SSL_rstate_string_long.3
-SSL_set_connect_state.3,SSL_get_accept_state.3
 	SSL_set_connect_state.3,SSL_set_accept_state.3
 	SSL_set_fd.3,SSL_set_rfd.3
 	SSL_set_fd.3,SSL_set_wfd.3
@@ -918,246 +1041,4 @@ SSL_want.3,SSL_want_nothing.3
 	SSL_want.3,SSL_want_read.3
 	SSL_want.3,SSL_want_write.3
 	SSL_want.3,SSL_want_x509_lookup.3
-X509_NAME_ENTRY_get_object.3,X509_NAME_ENTRY_create_by_NID.3
-X509_NAME_ENTRY_get_object.3,X509_NAME_ENTRY_create_by_OBJ.3
-X509_NAME_ENTRY_get_object.3,X509_NAME_ENTRY_create_by_txt.3
-X509_NAME_ENTRY_get_object.3,X509_NAME_ENTRY_get_data.3
-X509_NAME_ENTRY_get_object.3,X509_NAME_ENTRY_set_data.3
-X509_NAME_ENTRY_get_object.3,X509_NAME_ENTRY_set_object.3
-X509_NAME_add_entry_by_txt.3,X509_NAME_add_entry.3
-X509_NAME_add_entry_by_txt.3,X509_NAME_add_entry_by_NID.3
-X509_NAME_add_entry_by_txt.3,X509_NAME_add_entry_by_OBJ.3
-X509_NAME_add_entry_by_txt.3,X509_NAME_delete_entry.3
-X509_NAME_get_index_by_NID.3,X509_NAME_entry_count.3
-X509_NAME_get_index_by_NID.3,X509_NAME_get_entry.3
-X509_NAME_get_index_by_NID.3,X509_NAME_get_index_by_OBJ.3
-X509_NAME_get_index_by_NID.3,X509_NAME_get_text_by_NID.3
-X509_NAME_get_index_by_NID.3,X509_NAME_get_text_by_OBJ.3
-X509_NAME_print_ex.3,X509_NAME_oneline.3
-X509_NAME_print_ex.3,X509_NAME_print.3
-X509_NAME_print_ex.3,X509_NAME_print_ex_fp.3
-X509_STORE_CTX_get_error.3,X509_STORE_CTX_get1_chain.3
-X509_STORE_CTX_get_error.3,X509_STORE_CTX_get_current_cert.3
-X509_STORE_CTX_get_error.3,X509_STORE_CTX_get_error_depth.3
-X509_STORE_CTX_get_error.3,X509_STORE_CTX_set_error.3
-X509_STORE_CTX_get_error.3,X509_verify_cert_error_string.3
-X509_STORE_CTX_get_ex_new_index.3,X509_STORE_CTX_get_ex_data.3
-X509_STORE_CTX_get_ex_new_index.3,X509_STORE_CTX_set_ex_data.3
-X509_STORE_CTX_new.3,X509_STORE_CTX_cleanup.3
-X509_STORE_CTX_new.3,X509_STORE_CTX_free.3
-X509_STORE_CTX_new.3,X509_STORE_CTX_get0_param.3
-X509_STORE_CTX_new.3,X509_STORE_CTX_init.3
-X509_STORE_CTX_new.3,X509_STORE_CTX_set0_crls.3
-X509_STORE_CTX_new.3,X509_STORE_CTX_set0_param.3
-X509_STORE_CTX_new.3,X509_STORE_CTX_set_cert.3
-X509_STORE_CTX_new.3,X509_STORE_CTX_set_chain.3
-X509_STORE_CTX_new.3,X509_STORE_CTX_set_default.3
-X509_STORE_CTX_new.3,X509_STORE_CTX_trusted_stack.3
-X509_STORE_set_verify_cb_func.3,X509_STORE_set_verify_cb.3
-X509_VERIFY_PARAM_set_flags.3,X509_VERIFY_PARAM_add0_policy.3
-X509_VERIFY_PARAM_set_flags.3,X509_VERIFY_PARAM_clear_flags.3
-X509_VERIFY_PARAM_set_flags.3,X509_VERIFY_PARAM_get_depth.3
-X509_VERIFY_PARAM_set_flags.3,X509_VERIFY_PARAM_get_flags.3
-X509_VERIFY_PARAM_set_flags.3,X509_VERIFY_PARAM_set1_policies.3
-X509_VERIFY_PARAM_set_flags.3,X509_VERIFY_PARAM_set_depth.3
-X509_VERIFY_PARAM_set_flags.3,X509_VERIFY_PARAM_set_purpose.3
-X509_VERIFY_PARAM_set_flags.3,X509_VERIFY_PARAM_set_time.3
-X509_VERIFY_PARAM_set_flags.3,X509_VERIFY_PARAM_set_trust.3
-X509_new.3,X509_free.3
-bn_internal.3,bn_add_words.3
-bn_internal.3,bn_check_top.3
-bn_internal.3,bn_cmp_words.3
-bn_internal.3,bn_div_words.3
-bn_internal.3,bn_dump.3
-bn_internal.3,bn_expand.3
-bn_internal.3,bn_expand2.3
-bn_internal.3,bn_fix_top.3
-bn_internal.3,bn_mul_add_words.3
-bn_internal.3,bn_mul_comba4.3
-bn_internal.3,bn_mul_comba8.3
-bn_internal.3,bn_mul_high.3
-bn_internal.3,bn_mul_low_normal.3
-bn_internal.3,bn_mul_low_recursive.3
-bn_internal.3,bn_mul_normal.3
-bn_internal.3,bn_mul_part_recursive.3
-bn_internal.3,bn_mul_recursive.3
-bn_internal.3,bn_mul_words.3
-bn_internal.3,bn_print.3
-bn_internal.3,bn_set_high.3
-bn_internal.3,bn_set_low.3
-bn_internal.3,bn_set_max.3
-bn_internal.3,bn_sqr_comba4.3
-bn_internal.3,bn_sqr_comba8.3
-bn_internal.3,bn_sqr_normal.3
-bn_internal.3,bn_sqr_recursive.3
-bn_internal.3,bn_sqr_words.3
-bn_internal.3,bn_sub_words.3
-bn_internal.3,bn_wexpand.3
-bn_internal.3,mul.3
-bn_internal.3,mul_add.3
-bn_internal.3,sqr.3
-crypto.3,crypto_dispatch.3
-crypto.3,crypto_done.3
-crypto.3,crypto_freereq.3
-crypto.3,crypto_freesession.3
-crypto.3,crypto_get_driverid.3
-crypto.3,crypto_getreq.3
-crypto.3,crypto_newsession.3
-crypto.3,crypto_register.3
-crypto.3,crypto_unregister.3
-d2i_ASN1_OBJECT.3,i2d_ASN1_OBJECT.3
-d2i_DHparams.3,i2d_DHparams.3
-d2i_DSAPublicKey.3,d2i_DSAPrivateKey.3
-d2i_DSAPublicKey.3,d2i_DSA_PUBKEY.3
-d2i_DSAPublicKey.3,d2i_DSA_SIG.3
-d2i_DSAPublicKey.3,d2i_DSAparams.3
-d2i_DSAPublicKey.3,i2d_DSAPrivateKey.3
-d2i_DSAPublicKey.3,i2d_DSAPublicKey.3
-d2i_DSAPublicKey.3,i2d_DSA_PUBKEY.3
-d2i_DSAPublicKey.3,i2d_DSA_SIG.3
-d2i_DSAPublicKey.3,i2d_DSAparams.3
-d2i_ECPKParameters.3,ECPKParameters_print.3
-d2i_ECPKParameters.3,ECPKParameters_print_fp.3
-d2i_ECPKParameters.3,d2i_ECPKParameters_bio.3
-d2i_ECPKParameters.3,d2i_ECPKParameters_fp.3
-d2i_ECPKParameters.3,i2d_ECPKParameters.3
-d2i_ECPKParameters.3,i2d_ECPKParameters_bio.3
-d2i_ECPKParameters.3,i2d_ECPKParameters_fp.3
-d2i_PKCS8PrivateKey.3,d2i_PKCS8PrivateKey_bio.3
-d2i_PKCS8PrivateKey.3,d2i_PKCS8PrivateKey_fp.3
-d2i_PKCS8PrivateKey.3,i2d_PKCS8PrivateKey_bio.3
-d2i_PKCS8PrivateKey.3,i2d_PKCS8PrivateKey_fp.3
-d2i_PKCS8PrivateKey.3,i2d_PKCS8PrivateKey_nid_bio.3
-d2i_PKCS8PrivateKey.3,i2d_PKCS8PrivateKey_nid_fp.3
-d2i_RSAPublicKey.3,d2i_Netscape_RSA.3
-d2i_RSAPublicKey.3,d2i_RSAPrivateKey.3
-d2i_RSAPublicKey.3,d2i_RSA_PUBKEY.3
-d2i_RSAPublicKey.3,i2d_Netscape_RSA.3
-d2i_RSAPublicKey.3,i2d_RSAPrivateKey.3
-d2i_RSAPublicKey.3,i2d_RSAPublicKey.3
-d2i_RSAPublicKey.3,i2d_RSA_PUBKEY.3
-d2i_SSL_SESSION.3,i2d_SSL_SESSION.3
-d2i_X509.3,d2i_X509_bio.3
-d2i_X509.3,d2i_X509_fp.3
-d2i_X509.3,i2d_X509.3
-d2i_X509.3,i2d_X509_bio.3
-d2i_X509.3,i2d_X509_fp.3
-d2i_X509_ALGOR.3,i2d_X509_ALGOR.3
-d2i_X509_CRL.3,d2i_X509_CRL_bio.3
-d2i_X509_CRL.3,d2i_X509_CRL_fp.3
-d2i_X509_CRL.3,i2d_X509_CRL.3
-d2i_X509_CRL.3,i2d_X509_CRL_bio.3
-d2i_X509_CRL.3,i2d_X509_CRL_fp.3
-d2i_X509_NAME.3,i2d_X509_NAME.3
-d2i_X509_REQ.3,d2i_X509_REQ_bio.3
-d2i_X509_REQ.3,d2i_X509_REQ_fp.3
-d2i_X509_REQ.3,i2d_X509_REQ.3
-d2i_X509_REQ.3,i2d_X509_REQ_bio.3
-d2i_X509_REQ.3,i2d_X509_REQ_fp.3
-d2i_X509_SIG.3,i2d_X509_SIG.3
-ecdsa.3,ECDSA_OpenSSL.3
-ecdsa.3,ECDSA_SIG_free.3
-ecdsa.3,ECDSA_SIG_new.3
-ecdsa.3,ECDSA_do_sign.3
-ecdsa.3,ECDSA_do_sign_ex.3
-ecdsa.3,ECDSA_do_verify.3
-ecdsa.3,ECDSA_get_default_method.3
-ecdsa.3,ECDSA_get_ex_data.3
-ecdsa.3,ECDSA_get_ex_new_index.3
-ecdsa.3,ECDSA_set_default_method.3
-ecdsa.3,ECDSA_set_ex_data.3
-ecdsa.3,ECDSA_set_method.3
-ecdsa.3,ECDSA_sign.3
-ecdsa.3,ECDSA_sign_ex.3
-ecdsa.3,ECDSA_sign_setup.3
-ecdsa.3,ECDSA_size.3
-ecdsa.3,ECDSA_verify.3
-ecdsa.3,d2i_ECDSA_SIG.3
-ecdsa.3,i2d_ECDSA_SIG.3
-engine.3,ENGINE_add.3
-engine.3,ENGINE_by_id.3
-engine.3,ENGINE_finish.3
-engine.3,ENGINE_get_first.3
-engine.3,ENGINE_get_last.3
-engine.3,ENGINE_get_next.3
-engine.3,ENGINE_get_prev.3
-engine.3,ENGINE_init.3
-engine.3,ENGINE_load_builtin_engines.3
-engine.3,ENGINE_remove.3
-lh_stats.3,lh_node_stats.3
-lh_stats.3,lh_node_stats_bio.3
-lh_stats.3,lh_node_usage_stats.3
-lh_stats.3,lh_node_usage_stats_bio.3
-lh_stats.3,lh_stats_bio.3
-lhash.3,lh_delete.3
-lhash.3,lh_doall.3
-lhash.3,lh_doall_arg.3
-lhash.3,lh_error.3
-lhash.3,lh_free.3
-lhash.3,lh_insert.3
-lhash.3,lh_new.3
-lhash.3,lh_retrieve.3
-tls_init.3,tls_accept_fds.3
-tls_init.3,tls_accept_socket.3
-tls_init.3,tls_client.3
-tls_init.3,tls_close.3
-tls_init.3,tls_config_clear_keys.3
-tls_init.3,tls_config_free.3
-tls_init.3,tls_config_insecure_noverifycert.3
-tls_init.3,tls_config_insecure_noverifyname.3
-tls_init.3,tls_config_new.3
-tls_init.3,tls_config_parse_protocols.3
-tls_init.3,tls_config_set_ca_file.3
-tls_init.3,tls_config_set_ca_mem.3
-tls_init.3,tls_config_set_ca_path.3
-tls_init.3,tls_config_set_cert_file.3
-tls_init.3,tls_config_set_cert_mem.3
-tls_init.3,tls_config_set_ciphers.3
-tls_init.3,tls_config_set_dheparams.3
-tls_init.3,tls_config_set_ecdhecurve.3
-tls_init.3,tls_config_set_key_file.3
-tls_init.3,tls_config_set_key_mem.3
-tls_init.3,tls_config_set_protocols.3
-tls_init.3,tls_config_set_verify_depth.3
-tls_init.3,tls_config_verify.3
-tls_init.3,tls_configure.3
-tls_init.3,tls_connect.3
-tls_init.3,tls_connect_fds.3
-tls_init.3,tls_connect_servername.3
-tls_init.3,tls_connect_socket.3
-tls_init.3,tls_error.3
-tls_init.3,tls_free.3
-tls_init.3,tls_load_file.3
-tls_init.3,tls_read.3
-tls_init.3,tls_reset.3
-tls_init.3,tls_server.3
-tls_init.3,tls_write.3
-ui.3,ERR_load_UI_strings.3
-ui.3,UI_OpenSSL.3
-ui.3,UI_add_error_string.3
-ui.3,UI_add_info_string.3
-ui.3,UI_add_input_boolean.3
-ui.3,UI_add_input_string.3
-ui.3,UI_add_user_data.3
-ui.3,UI_add_verify_string.3
-ui.3,UI_construct_prompt.3
-ui.3,UI_ctrl.3
-ui.3,UI_dup_error_string.3
-ui.3,UI_dup_info_string.3
-ui.3,UI_dup_input_boolean.3
-ui.3,UI_dup_input_string.3
-ui.3,UI_dup_verify_string.3
-ui.3,UI_free.3
-ui.3,UI_get0_result.3
-ui.3,UI_get0_user_data.3
-ui.3,UI_get_default_method.3
-ui.3,UI_get_method.3
-ui.3,UI_new.3
-ui.3,UI_new_method.3
-ui.3,UI_process.3
-ui.3,UI_set_default_method.3
-ui.3,UI_set_method.3
-ui_compat.3,des_read_2passwords.3
-ui_compat.3,des_read_password.3
-ui_compat.3,des_read_pw.3
-ui_compat.3,des_read_pw_string.3
+	d2i_SSL_SESSION.3,i2d_SSL_SESSION.3"

man/update_links.sh

@@ -1,18 +0,0 @@
-#!/bin/sh
-
-# Run this periodically to ensure that the manpage links are up to date
-
-echo "# This is an auto-generated file by $0" > links
-sudo makewhatis
-for i in `ls -1 *.3`; do
-  name=`echo $i|cut -d. -f1`
-  links=`sqlite3 /usr/share/man/mandoc.db \
-    "select names.name from mlinks,names where mlinks.name='$name' and mlinks.pageid=names.pageid;"`
-  for j in $links; do
-    a=`echo "x$j" | tr '[:upper:]' '[:lower:]'`
-    b=`echo "x$name" | tr '[:upper:]' '[:lower:]'`
-    if [ $a != $b ]; then
-      echo $name.3,$j.3 >> links
-    fi
-  done
-done

patches/openssl.c.patch

@@ -1,29 +0,0 @@
---- apps/openssl.c.orig	2015-06-05 03:42:12.956112944 -0500
-+++ apps/openssl.c	2015-06-05 03:41:54.215381908 -0500
-@@ -130,6 +130,18 @@
- #include <openssl/engine.h>
- #endif
- 
-+#ifdef _WIN32
-+#include <fcntl.h>
-+static void set_stdio_binary(void)
-+{
-+	_setmode(_fileno(stdin), _O_BINARY);
-+	_setmode(_fileno(stdout), _O_BINARY);
-+	_setmode(_fileno(stderr), _O_BINARY);
-+}
-+#else
-+static void set_stdio_binary(void) {};
-+#endif
-+
- #include "progs.h"
- #include "s_apps.h"
- 
-@@ -216,6 +228,7 @@
- #endif
- 
- 	setup_ui_method();
-+	set_stdio_binary();
- }
- 
- static void

patches/tls.h.patch

@@ -1,25 +0,0 @@
---- include/tls.h.orig	2015-05-23 19:18:30.002576267 -0500
-+++ include/tls.h	2015-05-23 19:18:09.830576581 -0500
-@@ -18,6 +18,13 @@
- #ifndef HEADER_TLS_H
- #define HEADER_TLS_H
- 
-+#ifdef __cplusplus
-+extern "C" {
-+#endif
-+
-+#include <stddef.h>
-+#include <stdint.h>
-+
- #define TLS_API	20141031
- 
- #define TLS_PROTOCOL_TLSv1_0	(1 << 1)
-@@ -88,4 +95,8 @@
- 
- uint8_t *tls_load_file(const char *_file, size_t *_len, char *_password);
- 
-+#ifdef __cplusplus
-+}
-+#endif
-+
- #endif /* HEADER_TLS_H */

patches/win_bio_sock_init.diff

@@ -0,0 +1,44 @@
+diff --git a/src/usr.bin/openssl/openssl.c b/src/usr.bin/openssl/openssl.c
+index e7dd11c..cfd4593 100644
+--- a/src/usr.bin/openssl/openssl.c
++++ b/src/usr.bin/openssl/openssl.c
+@@ -253,6 +253,11 @@ main(int argc, char **argv)
+ 	arg.data = NULL;
+ 	arg.count = 0;
+ 
++	if (BIO_sock_init() != 1) {
++		fprintf(stderr, "BIO_sock_init failed\n");
++		exit(1);
++	}
++
+ 	bio_err = BIO_new_fp(stderr, BIO_NOCLOSE);
+ 	if (bio_err == NULL) {
+ 		fprintf(stderr, "openssl: failed to initialise bio_err\n");
+diff --git a/src/usr.bin/openssl/s_socket.c b/src/usr.bin/openssl/s_socket.c
+index 3b96b1a..2ce31eb 100644
+--- a/src/usr.bin/openssl/s_socket.c
++++ b/src/usr.bin/openssl/s_socket.c
+@@ -85,11 +85,6 @@ init_client(int *sock, char *host, char *port, int type, int af)
+ 	struct addrinfo hints, *ai_top, *ai;
+ 	int i, s;
+ 
+-	if (BIO_sock_init() != 1) {
+-		BIO_printf(bio_err, "BIO_sock_init failed\n");
+-		return (0);
+-	}
+-
+ 	memset(&hints, '\0', sizeof(hints));
+ 	hints.ai_family = af;
+ 	hints.ai_socktype = type;
+@@ -181,11 +176,6 @@ init_server_long(int *sock, int port, char *ip, int type)
+ 	struct sockaddr_in server;
+ 	int s = -1;
+ 
+-	if (BIO_sock_init() != 1) {
+-		BIO_printf(bio_err, "BIO_sock_init failed\n");
+-		return (0);
+-	}
+-
+ 	memset((char *) &server, 0, sizeof(server));
+ 	server.sin_family = AF_INET;
+ 	server.sin_port = htons((unsigned short) port);

ssl/Makefile.am

@@ -5,6 +5,7 @@ lib_LTLIBRARIES = libssl.la
 EXTRA_DIST = VERSION
 
 libssl_la_LDFLAGS = -version-info @LIBSSL_VERSION@ -no-undefined
+libssl_la_CFLAGS = $(CFLAGS) $(USER_CFLAGS)
 libssl_la_LIBADD = ../crypto/libcrypto.la
 
 libssl_la_SOURCES = bio_ssl.c

tests/Makefile.am

@@ -1,301 +0,0 @@
-include $(top_srcdir)/Makefile.am.common
-
-AM_CPPFLAGS += -I $(top_srcdir)/crypto/modes
-AM_CPPFLAGS += -I $(top_srcdir)/crypto/asn1
-AM_CPPFLAGS += -I $(top_srcdir)/ssl
-AM_CPPFLAGS += -I $(top_srcdir)/apps
-
-LDADD = $(PLATFORM_LDADD) $(PROG_LDADD)
-LDADD += $(top_builddir)/ssl/libssl.la
-LDADD += $(top_builddir)/crypto/libcrypto.la
-
-TESTS =
-check_PROGRAMS =
-EXTRA_DIST =
-DISTCLEANFILES = pidwraptest.txt
-
-# aeadtest
-TESTS += aeadtest.sh
-check_PROGRAMS += aeadtest
-aeadtest_SOURCES = aeadtest.c
-EXTRA_DIST += aeadtest.sh
-EXTRA_DIST += aeadtests.txt
-
-# aes_wrap
-TESTS += aes_wrap
-check_PROGRAMS += aes_wrap
-aes_wrap_SOURCES = aes_wrap.c
-
-# arc4randomforktest
-# Windows/mingw does not have fork, but Cygwin does.
-if !HOST_WIN
-TESTS += arc4randomforktest.sh
-check_PROGRAMS += arc4randomforktest
-arc4randomforktest_SOURCES = arc4randomforktest.c
-endif
-EXTRA_DIST += arc4randomforktest.sh
-
-# asn1test
-TESTS += asn1test
-check_PROGRAMS += asn1test
-asn1test_SOURCES = asn1test.c
-
-# base64test
-TESTS += base64test
-check_PROGRAMS += base64test
-base64test_SOURCES = base64test.c
-
-# bftest
-TESTS += bftest
-check_PROGRAMS += bftest
-bftest_SOURCES = bftest.c
-
-# biotest
-# the BIO tests rely on resolver results that are OS and environment-specific
-if ENABLE_EXTRATESTS
-TESTS += biotest
-check_PROGRAMS += biotest
-biotest_SOURCES = biotest.c
-endif
-
-# bntest
-TESTS += bntest
-check_PROGRAMS += bntest
-bntest_SOURCES = bntest.c
-
-# bytestringtest
-TESTS += bytestringtest
-check_PROGRAMS += bytestringtest
-bytestringtest_SOURCES = bytestringtest.c
-
-# casttest
-TESTS += casttest
-check_PROGRAMS += casttest
-casttest_SOURCES = casttest.c
-
-# chachatest
-TESTS += chachatest
-check_PROGRAMS += chachatest
-chachatest_SOURCES = chachatest.c
-
-# cipherstest
-TESTS += cipherstest
-check_PROGRAMS += cipherstest
-cipherstest_SOURCES = cipherstest.c
-
-# cts128test
-TESTS += cts128test
-check_PROGRAMS += cts128test
-cts128test_SOURCES = cts128test.c
-
-# destest
-TESTS += destest
-check_PROGRAMS += destest
-destest_SOURCES = destest.c
-
-# dhtest
-TESTS += dhtest
-check_PROGRAMS += dhtest
-dhtest_SOURCES = dhtest.c
-
-# dsatest
-TESTS += dsatest
-check_PROGRAMS += dsatest
-dsatest_SOURCES = dsatest.c
-
-# ecdhtest
-TESTS += ecdhtest
-check_PROGRAMS += ecdhtest
-ecdhtest_SOURCES = ecdhtest.c
-
-# ecdsatest
-TESTS += ecdsatest
-check_PROGRAMS += ecdsatest
-ecdsatest_SOURCES = ecdsatest.c
-
-# ectest
-TESTS += ectest
-check_PROGRAMS += ectest
-ectest_SOURCES = ectest.c
-
-# enginetest
-TESTS += enginetest
-check_PROGRAMS += enginetest
-enginetest_SOURCES = enginetest.c
-
-# evptest
-TESTS += evptest.sh
-check_PROGRAMS += evptest
-evptest_SOURCES = evptest.c
-EXTRA_DIST += evptest.sh
-EXTRA_DIST += evptests.txt
-
-# explicit_bzero
-# explicit_bzero relies on SA_ONSTACK, which is unavailable on Windows
-if !HOST_WIN
-if !HOST_CYGWIN
-TESTS += explicit_bzero
-check_PROGRAMS += explicit_bzero
-explicit_bzero_SOURCES = explicit_bzero.c
-if !HAVE_MEMMEM
-explicit_bzero_SOURCES += memmem.c
-endif
-endif
-endif
-
-# exptest
-TESTS += exptest
-check_PROGRAMS += exptest
-exptest_SOURCES = exptest.c
-
-# gcm128test
-TESTS += gcm128test
-check_PROGRAMS += gcm128test
-gcm128test_SOURCES = gcm128test.c
-
-# gost2814789t
-TESTS += gost2814789t
-check_PROGRAMS += gost2814789t
-gost2814789t_SOURCES = gost2814789t.c
-
-# hmactest
-TESTS += hmactest
-check_PROGRAMS += hmactest
-hmactest_SOURCES = hmactest.c
-
-# ideatest
-TESTS += ideatest
-check_PROGRAMS += ideatest
-ideatest_SOURCES = ideatest.c
-
-# igetest
-TESTS += igetest
-check_PROGRAMS += igetest
-igetest_SOURCES = igetest.c
-
-# md4test
-TESTS += md4test
-check_PROGRAMS += md4test
-md4test_SOURCES = md4test.c
-
-# md5test
-TESTS += md5test
-check_PROGRAMS += md5test
-md5test_SOURCES = md5test.c
-
-# mdc2test
-TESTS += mdc2test
-check_PROGRAMS += mdc2test
-mdc2test_SOURCES = mdc2test.c
-
-# mont
-TESTS += mont
-check_PROGRAMS += mont
-mont_SOURCES = mont.c
-
-# optionstest
-TESTS += optionstest
-check_PROGRAMS += optionstest
-optionstest_SOURCES = optionstest.c
-
-# pbkdf2
-TESTS += pbkdf2
-check_PROGRAMS += pbkdf2
-pbkdf2_SOURCES = pbkdf2.c
-
-# pidwraptest
-# pidwraptest relies on an OS-specific way to give out pids and is generally
-# awkward on systems with slow fork
-if ENABLE_EXTRATESTS
-TESTS += pidwraptest
-check_PROGRAMS += pidwraptest
-pidwraptest_SOURCES = pidwraptest.c
-endif
-
-# pkcs7test
-TESTS += pkcs7test
-check_PROGRAMS += pkcs7test
-pkcs7test_SOURCES = pkcs7test.c
-
-# poly1305test
-TESTS += poly1305test
-check_PROGRAMS += poly1305test
-poly1305test_SOURCES = poly1305test.c
-
-# pq_test
-TESTS += pq_test.sh
-check_PROGRAMS += pq_test
-pq_test_SOURCES = pq_test.c
-EXTRA_DIST += pq_test.sh
-EXTRA_DIST += pq_expected.txt
-
-# randtest
-TESTS += randtest
-check_PROGRAMS += randtest
-randtest_SOURCES = randtest.c
-
-# rc2test
-TESTS += rc2test
-check_PROGRAMS += rc2test
-rc2test_SOURCES = rc2test.c
-
-# rc4test
-TESTS += rc4test
-check_PROGRAMS += rc4test
-rc4test_SOURCES = rc4test.c
-
-# rmdtest
-TESTS += rmdtest
-check_PROGRAMS += rmdtest
-rmdtest_SOURCES = rmdtest.c
-
-# sha1test
-TESTS += sha1test
-check_PROGRAMS += sha1test
-sha1test_SOURCES = sha1test.c
-
-# sha256test
-TESTS += sha256test
-check_PROGRAMS += sha256test
-sha256test_SOURCES = sha256test.c
-
-# sha512test
-TESTS += sha512test
-check_PROGRAMS += sha512test
-sha512test_SOURCES = sha512test.c
-
-# shatest
-TESTS += shatest
-check_PROGRAMS += shatest
-shatest_SOURCES = shatest.c
-
-# ssltest
-TESTS += ssltest.sh
-check_PROGRAMS += ssltest
-ssltest_SOURCES = ssltest.c
-EXTRA_DIST += ssltest.sh
-EXTRA_DIST += testssl ca.pem server.pem
-
-# testdsa
-TESTS += testdsa.sh
-EXTRA_DIST += testdsa.sh
-EXTRA_DIST += openssl.cnf
-
-# testenc
-TESTS += testenc.sh
-EXTRA_DIST += testenc.sh
-
-# testrsa
-TESTS += testrsa.sh
-EXTRA_DIST += testrsa.sh
-
-# timingsafe
-TESTS += timingsafe
-check_PROGRAMS += timingsafe
-timingsafe_SOURCES = timingsafe.c
-
-# utf8test
-TESTS += utf8test
-check_PROGRAMS += utf8test
-utf8test_SOURCES = utf8test.c
-

tests/Makefile.am.tpl

@@ -0,0 +1,15 @@
+include $(top_srcdir)/Makefile.am.common
+
+AM_CPPFLAGS += -I $(top_srcdir)/crypto/modes
+AM_CPPFLAGS += -I $(top_srcdir)/crypto/asn1
+AM_CPPFLAGS += -I $(top_srcdir)/ssl
+
+LDADD = $(PLATFORM_LDADD) $(PROG_LDADD)
+LDADD += $(top_builddir)/ssl/libssl.la
+LDADD += $(top_builddir)/crypto/libcrypto.la
+
+TESTS =
+check_PROGRAMS =
+EXTRA_DIST =
+DISTCLEANFILES = pidwraptest.txt
+

tests/openssl.cnf

@@ -1,29 +0,0 @@
-#	$OpenBSD: openssl.cnf,v 1.1 2014/08/26 17:50:07 jsing Exp $
-
-#
-# SSLeay example configuration file.
-# This is mostly being used for generation of certificate requests.
-#
-# hacked by iang to do DSA certs - Server
-
-RANDFILE              = ./.rnd
-
-####################################################################
-[ req ]
-distinguished_name    = req_distinguished_name
-encrypt_rsa_key               = no
-
-[ req_distinguished_name ]
-countryName                   = Country Name (2 letter code)
-countryName_default           = CA
-countryName_value             = CA
-
-organizationName                = Organization Name (eg, company)
-organizationName_value          = Shake it Vera 
-
-0.commonName                  = Common Name (eg, YOUR name)
-0.commonName_value            = Wastelandus
-
-1.commonName                  = Common Name (eg, YOUR name)
-1.commonName_value            = Maximus
-

tests/optionstest.c

@@ -1,382 +0,0 @@
-/*	$OpenBSD: optionstest.c,v 1.8 2015/01/22 05:48:00 doug Exp $	*/
-/*
- * Copyright (c) 2014 Joel Sing <jsing@openbsd.org>
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
- * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
- * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
- * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
- * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
- * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
- * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
- */
-
-#include <stdio.h>
-#include <stdlib.h>
-#include <string.h>
-
-#include <openssl/bio.h>
-#include <openssl/conf.h>
-
-#include <apps.h>
-#include <apps.c>
-#include <strtonum.c>
-
-/* Needed to keep apps.c happy... */
-BIO *bio_err;
-CONF *config;
-
-static int argfunc(char *arg);
-static int defaultarg(int argc, char **argv, int *argsused);
-static int multiarg(int argc, char **argv, int *argsused);
-
-static struct {
-	char *arg;
-	int flag;
-} test_config;
-
-static struct option test_options[] = {
-	{
-		.name = "arg",
-		.argname = "argname",
-		.type = OPTION_ARG,
-		.opt.arg = &test_config.arg,
-	},
-	{
-		.name = "argfunc",
-		.argname = "argname",
-		.type = OPTION_ARG_FUNC,
-		.opt.argfunc = argfunc,
-	},
-	{
-		.name = "flag",
-		.type = OPTION_FLAG,
-		.opt.flag = &test_config.flag,
-	},
-	{
-		.name = "multiarg",
-		.type = OPTION_ARGV_FUNC,
-		.opt.argvfunc = multiarg,
-	},
-	{
-		.name = NULL,
-		.type = OPTION_ARGV_FUNC,
-		.opt.argvfunc = defaultarg,
-	},
-	{ NULL },
-};
-
-char *args1[] = { "opts" };
-char *args2[] = { "opts", "-arg", "arg", "-flag" };
-char *args3[] = { "opts", "-arg", "arg", "-flag", "unnamed" };
-char *args4[] = { "opts", "-arg", "arg", "unnamed", "-flag" };
-char *args5[] = { "opts", "unnamed1", "-arg", "arg", "-flag", "unnamed2" };
-char *args6[] = { "opts", "-argfunc", "arg", "-flag" };
-char *args7[] = { "opts", "-arg", "arg", "-flag", "-", "-unnamed" };
-char *args8[] = { "opts", "-arg", "arg", "-flag", "file1", "file2", "file3" };
-char *args9[] = { "opts", "-arg", "arg", "-flag", "file1", "-file2", "file3" };
-char *args10[] = { "opts", "-arg", "arg", "-flag", "-", "file1", "file2" };
-char *args11[] = { "opts", "-arg", "arg", "-flag", "-", "-file1", "-file2" };
-char *args12[] = { "opts", "-multiarg", "arg1", "arg2", "-flag", "unnamed" };
-char *args13[] = { "opts", "-multiargz", "arg1", "arg2", "-flagz", "unnamed" };
-
-struct options_test {
-	int argc;
-	char **argv;
-	enum {
-		OPTIONS_TEST_NONE,
-		OPTIONS_TEST_UNNAMED,
-		OPTIONS_TEST_ARGSUSED,
-	} type;
-	char *unnamed;
-	int used;
-	int want;
-	char *wantarg;
-	int wantflag;
-};
-
-struct options_test options_tests[] = {
-	{
-		/* Test 1 - No arguments (only program name). */
-		.argc = 1,
-		.argv = args1,
-		.type = OPTIONS_TEST_NONE,
-		.want = 0,
-		.wantarg = NULL,
-		.wantflag = 0,
-	},
-	{
-		/* Test 2 - Named arguments (unnamed not permitted). */
-		.argc = 4,
-		.argv = args2,
-		.type = OPTIONS_TEST_NONE,
-		.want = 0,
-		.wantarg = "arg",
-		.wantflag = 1,
-	},
-	{
-		/* Test 3 - Named arguments (unnamed permitted). */
-		.argc = 4,
-		.argv = args2,
-		.type = OPTIONS_TEST_UNNAMED,
-		.unnamed = NULL,
-		.want = 0,
-		.wantarg = "arg",
-		.wantflag = 1,
-	},
-	{
-		/* Test 4 - Named and single unnamed (unnamed not permitted). */
-		.argc = 5,
-		.argv = args3,
-		.type = OPTIONS_TEST_NONE,
-		.want = 1,
-	},
-	{
-		/* Test 5 - Named and single unnamed (unnamed permitted). */
-		.argc = 5,
-		.argv = args3,
-		.type = OPTIONS_TEST_UNNAMED,
-		.unnamed = "unnamed",
-		.want = 0,
-		.wantarg = "arg",
-		.wantflag = 1,
-	},
-	{
-		/* Test 6 - Named and single unnamed (different sequence). */
-		.argc = 5,
-		.argv = args4,
-		.type = OPTIONS_TEST_UNNAMED,
-		.unnamed = "unnamed",
-		.want = 0,
-		.wantarg = "arg",
-		.wantflag = 1,
-	},
-	{
-		/* Test 7 - Multiple unnamed arguments (should fail). */
-		.argc = 6,
-		.argv = args5,
-		.type = OPTIONS_TEST_UNNAMED,
-		.want = 1,
-	},
-	{
-		/* Test 8 - Function. */
-		.argc = 4,
-		.argv = args6,
-		.type = OPTIONS_TEST_NONE,
-		.want = 0,
-		.wantarg = "arg",
-		.wantflag = 1,
-	},
-	{
-		/* Test 9 - Named and single unnamed (hyphen separated). */
-		.argc = 6,
-		.argv = args7,
-		.type = OPTIONS_TEST_UNNAMED,
-		.unnamed = "-unnamed",
-		.want = 0,
-		.wantarg = "arg",
-		.wantflag = 1,
-	},
-	{
-		/* Test 10 - Named and multiple unnamed. */
-		.argc = 7,
-		.argv = args8,
-		.used = 4,
-		.type = OPTIONS_TEST_ARGSUSED,
-		.want = 0,
-		.wantarg = "arg",
-		.wantflag = 1,
-	},
-	{
-		/* Test 11 - Named and multiple unnamed. */
-		.argc = 7,
-		.argv = args9,
-		.used = 4,
-		.type = OPTIONS_TEST_ARGSUSED,
-		.want = 0,
-		.wantarg = "arg",
-		.wantflag = 1,
-	},
-	{
-		/* Test 12 - Named and multiple unnamed. */
-		.argc = 7,
-		.argv = args10,
-		.used = 5,
-		.type = OPTIONS_TEST_ARGSUSED,
-		.want = 0,
-		.wantarg = "arg",
-		.wantflag = 1,
-	},
-	{
-		/* Test 13 - Named and multiple unnamed. */
-		.argc = 7,
-		.argv = args11,
-		.used = 5,
-		.type = OPTIONS_TEST_ARGSUSED,
-		.want = 0,
-		.wantarg = "arg",
-		.wantflag = 1,
-	},
-	{
-		/* Test 14 - Named only. */
-		.argc = 4,
-		.argv = args2,
-		.used = 4,
-		.type = OPTIONS_TEST_ARGSUSED,
-		.want = 0,
-		.wantarg = "arg",
-		.wantflag = 1,
-	},
-	{
-		/* Test 15 - Multiple argument callback. */
-		.argc = 6,
-		.argv = args12,
-		.unnamed = "unnamed",
-		.type = OPTIONS_TEST_UNNAMED,
-		.want = 0,
-		.wantarg = NULL,
-		.wantflag = 1,
-	},
-	{
-		/* Test 16 - Multiple argument callback. */
-		.argc = 6,
-		.argv = args12,
-		.used = 5,
-		.type = OPTIONS_TEST_ARGSUSED,
-		.want = 0,
-		.wantarg = NULL,
-		.wantflag = 1,
-	},
-	{
-		/* Test 17 - Default callback. */
-		.argc = 6,
-		.argv = args13,
-		.unnamed = "unnamed",
-		.type = OPTIONS_TEST_UNNAMED,
-		.want = 0,
-		.wantarg = NULL,
-		.wantflag = 1,
-	},
-	{
-		/* Test 18 - Default callback. */
-		.argc = 6,
-		.argv = args13,
-		.used = 5,
-		.type = OPTIONS_TEST_ARGSUSED,
-		.want = 0,
-		.wantarg = NULL,
-		.wantflag = 1,
-	},
-};
-
-#define N_OPTIONS_TESTS \
-    (sizeof(options_tests) / sizeof(*options_tests))
-
-static int
-argfunc(char *arg)
-{
-	test_config.arg = arg;
-	return (0);
-}
-
-static int
-defaultarg(int argc, char **argv, int *argsused)
-{
-	if (argc < 1)
-		return (1);
-
-	if (strcmp(argv[0], "-multiargz") == 0) {
-		if (argc < 3)
-			return (1);
-		*argsused = 3;
-		return (0);
-	} else if (strcmp(argv[0], "-flagz") == 0) {
-		test_config.flag = 1;
-		*argsused = 1;
-		return (0);
-	}
-
-	return (1);
-}
-
-static int
-multiarg(int argc, char **argv, int *argsused)
-{
-	if (argc < 3)
-		return (1);
-
-	*argsused = 3;
-	return (0);
-}
-
-static int
-do_options_test(int test_no, struct options_test *ot)
-{
-	int *argsused = NULL;
-	char *unnamed = NULL;
-	char **arg = NULL;
-	int used = 0;
-	int ret;
-
-	if (ot->type == OPTIONS_TEST_UNNAMED)
-		arg = &unnamed;
-	else if (ot->type == OPTIONS_TEST_ARGSUSED)
-		argsused = &used;
-
-	memset(&test_config, 0, sizeof(test_config));
-	ret = options_parse(ot->argc, ot->argv, test_options, arg, argsused);
-	if (ret != ot->want) {
-		fprintf(stderr, "FAIL: test %i options_parse() returned %i, "
-		    "want %i\n", test_no, ret, ot->want);
-		return (1);
-	}
-	if (ret != 0)
-		return (0);
-
-	if ((test_config.arg != NULL || ot->wantarg != NULL) &&
-	    (test_config.arg == NULL || ot->wantarg == NULL ||
-	     strcmp(test_config.arg, ot->wantarg) != 0)) {
-		fprintf(stderr, "FAIL: test %i got arg '%s', want '%s'\n",
-		    test_no, test_config.arg, ot->wantarg);
-		return (1);
-	}
-	if (test_config.flag != ot->wantflag) {
-		fprintf(stderr, "FAIL: test %i got flag %i, want %i\n",
-		    test_no, test_config.flag, ot->wantflag);
-		return (1);
-	}
-	if (ot->type == OPTIONS_TEST_UNNAMED &&
-	    (unnamed != NULL || ot->unnamed != NULL) &&
-	    (unnamed == NULL || ot->unnamed == NULL ||
-	     strcmp(unnamed, ot->unnamed) != 0)) {
-		fprintf(stderr, "FAIL: test %i got unnamed '%s', want '%s'\n",
-		    test_no, unnamed, ot->unnamed);
-		return (1);
-	}
-	if (ot->type == OPTIONS_TEST_ARGSUSED && used != ot->used) {
-		fprintf(stderr, "FAIL: test %i got used %i, want %i\n",
-		    test_no, used, ot->used);
-		return (1);
-	}
-
-	return (0);
-}
-
-int
-main(int argc, char **argv)
-{
-	int failed = 0;
-	size_t i;
-
-	for (i = 0; i < N_OPTIONS_TESTS; i++) {
-		printf("Test %d%s\n", (int)(i + 1), options_tests[i].want == 0 ?
-		    "" : " is expected to complain");
-		failed += do_options_test(i + 1, &options_tests[i]);
-	}
-
-	return (failed);
-}

tests/testdsa.sh

@@ -1,38 +0,0 @@
-#!/bin/sh
-#	$OpenBSD: testdsa.sh,v 1.1 2014/08/26 17:50:07 jsing Exp $
-
-
-#Test DSA certificate generation of openssl
-
-cmd=../apps/openssl
-if [ -e ../apps/openssl.exe ]; then
-	cmd=../apps/openssl.exe
-fi
-
-if [ -z $srcdir ]; then
-	srcdir=.
-fi
-
-# Generate DSA paramter set
-$cmd dsaparam 512 -out dsa512.pem
-if [ $? != 0 ]; then
-        exit 1;
-fi
-
-
-# Denerate a DSA certificate
-$cmd req -config $srcdir/openssl.cnf -x509 -newkey dsa:dsa512.pem -out testdsa.pem -keyout testdsa.key
-if [ $? != 0 ]; then
-        exit 1;
-fi
-
-
-# Now check the certificate
-$cmd x509 -text -in testdsa.pem
-if [ $? != 0 ]; then
-        exit 1;
-fi
-
-rm testdsa.key dsa512.pem testdsa.pem
-
-exit 0

tests/testenc.sh

@@ -1,69 +0,0 @@
-#!/bin/sh
-#	$OpenBSD: testenc.sh,v 1.1 2014/08/26 17:50:07 jsing Exp $
-
-test=p
-cmd=../apps/openssl
-if [ -e ../apps/openssl.exe ]; then
-	cmd=../apps/openssl.exe
-fi
-
-cat openssl.cnf >$test;
-
-echo cat
-$cmd enc < $test > $test.cipher
-$cmd enc < $test.cipher >$test.clear
-cmp $test $test.clear
-if [ $? != 0 ]
-then
-	exit 1
-else
-	/bin/rm $test.cipher $test.clear
-fi
-echo base64
-$cmd enc -a -e < $test > $test.cipher
-$cmd enc -a -d < $test.cipher >$test.clear
-cmp $test $test.clear
-if [ $? != 0 ]
-then
-	exit 1
-else
-	/bin/rm $test.cipher $test.clear
-fi
-
-for i in \
-	aes-128-cbc aes-128-cfb aes-128-cfb1 aes-128-cfb8 \
-	aes-128-ecb aes-128-ofb aes-192-cbc aes-192-cfb \
-	aes-192-cfb1 aes-192-cfb8 aes-192-ecb aes-192-ofb \
-	aes-256-cbc aes-256-cfb aes-256-cfb1 aes-256-cfb8 \
-	aes-256-ecb aes-256-ofb \
-	bf-cbc bf-cfb bf-ecb bf-ofb \
-	cast-cbc cast5-cbc cast5-cfb cast5-ecb cast5-ofb \
-	des-cbc des-cfb des-cfb8 des-ecb des-ede \
-	des-ede-cbc des-ede-cfb des-ede-ofb des-ede3 \
-	des-ede3-cbc des-ede3-cfb des-ede3-ofb des-ofb desx-cbc \
-	rc2-40-cbc rc2-64-cbc rc2-cbc rc2-cfb rc2-ecb rc2-ofb \
-	rc4 rc4-40
-do
-	echo $i
-	$cmd $i -e -k test < $test > $test.$i.cipher
-	$cmd $i -d -k test < $test.$i.cipher >$test.$i.clear
-	cmp $test $test.$i.clear
-	if [ $? != 0 ]
-	then
-		exit 1
-	else
-		/bin/rm $test.$i.cipher $test.$i.clear
-	fi
-
-	echo $i base64
-	$cmd $i -a -e -k test < $test > $test.$i.cipher
-	$cmd $i -a -d -k test < $test.$i.cipher >$test.$i.clear
-	cmp $test $test.$i.clear
-	if [ $? != 0 ]
-	then
-		exit 1
-	else
-		/bin/rm $test.$i.cipher $test.$i.clear
-	fi
-done
-rm -f $test

tests/testrsa.sh

@@ -1,38 +0,0 @@
-#!/bin/sh
-#	$OpenBSD: testrsa.sh,v 1.1 2014/08/26 17:50:07 jsing Exp $
-
-
-#Test RSA certificate generation of openssl
-
-cmd=../apps/openssl
-if [ -e ../apps/openssl.exe ]; then
-	cmd=../apps/openssl.exe
-fi
-
-if [ -z $srcdir ]; then
-	srcdir=.
-fi
-
-# Generate RSA private key
-$cmd genrsa -out rsakey.pem
-if [ $? != 0 ]; then
-        exit 1;
-fi
-
-
-# Generate an RSA certificate
-$cmd req -config $srcdir/openssl.cnf -key rsakey.pem -new -x509 -days 365 -out rsacert.pem
-if [ $? != 0 ]; then
-        exit 1;
-fi
-
-
-# Now check the certificate
-$cmd x509 -text -in rsacert.pem
-if [ $? != 0 ]; then
-        exit 1;
-fi
-
-rm -f rsacert.pem rsakey.pem
-
-exit 0

tls/Makefile.am

@@ -5,6 +5,7 @@ lib_LTLIBRARIES = libtls.la
 EXTRA_DIST = VERSION
 
 libtls_la_LDFLAGS = -version-info @LIBTLS_VERSION@ -no-undefined
+libtls_la_CFLAGS = $(CFLAGS) $(USER_CFLAGS)
 libtls_la_LIBADD = ../crypto/libcrypto.la ../ssl/libssl.la $(PLATFORM_LDADD)
 
 libtls_la_SOURCES = tls.c

update.sh

@@ -43,7 +43,6 @@ source $libtls_src/shlib_version
 libtls_version=$major:$minor:0
 echo "libtls version $libtls_version"
 echo $libtls_version > tls/VERSION
-echo $major.$minor.0 > libtls-standalone/VERSION
 
 do_mv() {
 	if ! cmp -s "$1" "$2"
@@ -62,35 +61,17 @@ $CP $libcrypto_src/crypto/arch/amd64/opensslconf.h include/openssl
 $CP $libssl_src/src/crypto/opensslfeatures.h include/openssl
 $CP $libssl_src/src/e_os2.h include/openssl
 $CP $libssl_src/src/ssl/pqueue.h include
+$CP $libtls_src/tls.h include
 
-$CP $libtls_src/tls.h include/tls.h
-patch -p0 < patches/tls.h.patch
-$CP include/tls.h libtls-standalone/include
-
-for i in crypto/compat libtls-standalone/compat; do
-	$CP $libc_src/crypt/arc4random.c \
-		$libc_src/crypt/chacha_private.h \
-		$libc_src/string/explicit_bzero.c \
-		$libc_src/stdlib/reallocarray.c \
-		$libc_src/string/strlcpy.c \
-		$libc_src/string/strlcat.c \
-		$libc_src/string/strndup.c \
-		$libc_src/string/strnlen.c \
-		$libc_src/string/timingsafe_bcmp.c \
-		$libc_src/string/timingsafe_memcmp.c \
-		$libcrypto_src/crypto/getentropy_*.c \
-		$libcrypto_src/crypto/arc4random_*.h \
-		$i
+for i in explicit_bzero.c strlcpy.c strlcat.c strndup.c strnlen.c \
+		timingsafe_bcmp.c timingsafe_memcmp.c; do
+	$CP $libc_src/string/$i crypto/compat
 done
-
-$CP include/stdlib.h \
-	include/string.h \
-	include/unistd.h \
-	libtls-standalone/include
-
-$CP crypto/compat/arc4random*.h \
-	crypto/compat/bsd-asprintf.c \
-	libtls-standalone/compat
+$CP $libc_src/stdlib/reallocarray.c crypto/compat
+$CP $libc_src/crypt/arc4random.c crypto/compat
+$CP $libc_src/crypt/chacha_private.h crypto/compat
+$CP $libcrypto_src/crypto/getentropy_*.c crypto/compat
+$CP $libcrypto_src/crypto/arc4random_*.h crypto/compat
 
 (cd $libssl_src/src/crypto/objects/;
 	perl objects.pl objects.txt obj_mac.num obj_mac.h;
@@ -185,21 +166,14 @@ done
 
 # copy libtls source
 echo copying libtls source
-rm -f tls/*.c tls/*.h libtls/src/*.c libtls/src/*.h
+rm -f tls/*.c tls/*.h
 for i in `awk '/SOURCES|HEADERS/ { print $3 }' tls/Makefile.am` ; do
 	if [ -e $libtls_src/$i ]; then
 		$CP $libtls_src/$i tls
-		$CP $libtls_src/$i libtls-standalone/src
+	else
+		$CP $libc_src/string/$i tls
 	fi
 done
-$CP $libc_src/string/strsep.c tls
-$CP $libc_src/string/strsep.c libtls-standalone/compat
-mkdir -p libtls-standalone/m4
-$CP m4/check*.m4 \
-	m4/disable*.m4 \
-	libtls-standalone/m4
-sed -e "s/compat\///" crypto/Makefile.am.arc4random > \
-	libtls-standalone/compat/Makefile.am.arc4random
 
 # copy openssl(1) source
 echo "copying openssl(1) source"
@@ -210,7 +184,8 @@ for i in `awk '/SOURCES|HEADERS/ { print $3 }' apps/Makefile.am` ; do
 		$CP $openssl_app_src/$i apps
 	fi
 done
-patch -p0 < patches/openssl.c.patch
+# patch for openssl(1) oscp on windows
+(cd apps; patch -p4 < $CWD/patches/win_bio_sock_init.diff)
 
 # copy libssl source
 echo "copying libssl source"
@@ -224,14 +199,13 @@ echo "copying tests"
 for i in `find $libcrypto_regress -name '*.c'`; do
 	 $CP "$i" tests
 done
-$CP $libcrypto_regress/evp/evptests.txt tests
-$CP $libcrypto_regress/aead/aeadtests.txt tests
-$CP $libcrypto_regress/pqueue/expected.txt tests/pq_expected.txt
+
+# the BIO tests rely on resolver results that are OS and environment-specific
+rm tests/biotest.c
 
 # copy libc tests
 $CP $libc_regress/arc4random-fork/arc4random-fork.c tests/arc4randomforktest.c
 $CP $libc_regress/explicit_bzero/explicit_bzero.c tests
-$CP $libc_src/string/memmem.c tests
 $CP $libc_regress/timingsafe/timingsafe.c tests
 
 # copy libssl tests
@@ -242,9 +216,68 @@ done
 $CP $libssl_regress/certs/ca.pem tests
 $CP $libssl_regress/certs/server.pem tests
 
-chmod 755 tests/testssl
+# setup test drivers
+# do not directly run all test programs
+test_drivers=(
+	aeadtest
+	evptest
+	pq_test
+	ssltest
+	arc4randomforktest
+	pidwraptest
+)
+tests_posix_only=(
+	arc4randomforktest
+	explicit_bzero
+	pidwraptest
+)
+$CP $libc_src/string/memmem.c tests/
+(cd tests
+	$CP Makefile.am.tpl Makefile.am
+
+	for i in `ls -1 *.c|sort|grep -v memmem.c`; do
+		TEST=`echo $i|sed -e "s/\.c//"`
+		if [[ ${tests_posix_only[*]} =~ "$TEST" ]]; then
+			echo "if !HOST_WIN" >> Makefile.am
+		fi
+		if ! [[ ${test_drivers[*]} =~ "$TEST" ]]; then
+			echo "TESTS += $TEST" >> Makefile.am
+		fi
+		echo "check_PROGRAMS += $TEST" >> Makefile.am
+		echo "${TEST}_SOURCES = $i" >> Makefile.am
+		if [[ ${TEST} = "explicit_bzero" ]]; then
+			echo "if !HAVE_MEMMEM" >> Makefile.am
+			echo "explicit_bzero_SOURCES += memmem.c" >> Makefile.am
+			echo "endif" >> Makefile.am
+		fi
+		if [[ ${tests_posix_only[*]} =~ "$TEST" ]]; then
+			echo "endif" >> Makefile.am
+		fi
+	done
+)
+$CP $libcrypto_regress/evp/evptests.txt tests
+$CP $libcrypto_regress/aead/aeadtests.txt tests
+$CP $libcrypto_regress/pqueue/expected.txt tests/pq_expected.txt
+chmod 755 tests/testssl
+for i in "${test_drivers[@]}"; do
+	if [ -e tests/${i}.sh ]; then
+		if [[ ${tests_posix_only[*]} =~ "$i" ]]; then
+			echo "if !HOST_WIN" >> tests/Makefile.am
+		fi
+		if ! [[ ${tests_disabled[*]} =~ "$i" ]]; then
+			echo "TESTS += ${i}.sh" >> tests/Makefile.am
+		fi
+		if [[ ${tests_posix_only[*]} =~ "$i" ]]; then
+			echo "endif" >> tests/Makefile.am
+		fi
+		echo "EXTRA_DIST += ${i}.sh" >> tests/Makefile.am
+	fi
+done
+echo "EXTRA_DIST += aeadtests.txt" >> tests/Makefile.am
+echo "EXTRA_DIST += evptests.txt" >> tests/Makefile.am
+echo "EXTRA_DIST += pq_expected.txt" >> tests/Makefile.am
+echo "EXTRA_DIST += testssl ca.pem server.pem" >> tests/Makefile.am
 
-# add headers
 (cd include/openssl
 	$CP Makefile.am.tpl Makefile.am
 	for i in `ls -1 *.h|sort`; do
@@ -252,49 +285,26 @@ chmod 755 tests/testssl
 	done
 )
 
-add_man_links() {
-	filter=$1
-	dest=$2
-	echo "install-data-hook:" >> $dest
-	for i in `grep $filter man/links`; do
-		IFS=","; set $i; unset IFS
-		if [ "$2" != "" ]; then
-			echo "	ln -sf $1 \$(DESTDIR)\$(mandir)/man3/$2" >> $dest
-		fi
-	done
-	echo "" >> $dest
-	echo "uninstall-local:" >> $dest
-	for i in `grep $filter man/links`; do
-		IFS=","; set $i; unset IFS
-		if [ "$2" != "" ]; then
-			echo "	-rm -f \$(DESTDIR)\$(mandir)/man3/$2" >> $dest
-		fi
-	done
-}
-
-# copy manpages
 echo "copying manpages"
-echo dist_man_MANS= > man/Makefile.am
-
-$CP $openssl_app_src/openssl.1 man
-echo "dist_man_MANS += openssl.1" >> man/Makefile.am
-
-$CP $libtls_src/tls_init.3 man
-echo "dist_man_MANS += tls_init.3" >> man/Makefile.am
-
+# copy manpages
 (cd man
+	$CP Makefile.am.tpl Makefile.am
+
 	# update new-style manpages
 	for i in `ls -1 $libssl_src/src/doc/ssl/*.3 | sort`; do
 		NAME=`basename "$i"`
 		$CP $i .
 		echo "dist_man_MANS += $NAME" >> Makefile.am
 	done
-
 	for i in `ls -1 $libcrypto_src/man/*.3 | sort`; do
 		NAME=`basename "$i"`
 		$CP $i .
 		echo "dist_man_MANS += $NAME" >> Makefile.am
 	done
+	$CP $openssl_app_src/openssl.1 .
+	echo "dist_man_MANS += openssl.1" >> Makefile.am
+	$CP $libtls_src/tls_init.3 .
+	echo "dist_man_MANS += tls_init.3" >> Makefile.am
 
 	# convert remaining POD manpages
 	for i in `ls -1 $libssl_src/src/doc/crypto/*.pod | sort`; do
@@ -308,12 +318,27 @@ echo "dist_man_MANS += tls_init.3" >> man/Makefile.am
 		fi
 		echo "dist_man_MANS += $NAME.3" >> Makefile.am
 	done
+
+	echo "install-data-hook:" >> Makefile.am
+	source ./links
+	for i in $SSL_MLINKS; do
+		IFS=","; set $i; unset IFS
+		echo "	ln -f \$(DESTDIR)\$(mandir)/man3/$1 \\" >> Makefile.am
+		echo "    \$(DESTDIR)\$(mandir)/man3/$2" >> Makefile.am
+	done
+	for i in $TLS_MLINKS; do
+		IFS=","; set $i; unset IFS
+		echo "	ln -f \$(DESTDIR)\$(mandir)/man3/$1 \\" >> Makefile.am
+		echo "    \$(DESTDIR)\$(mandir)/man3/$2" >> Makefile.am
+	done
+	echo "" >> Makefile.am
+	echo "uninstall-local:" >> Makefile.am
+	for i in $SSL_MLINKS; do
+		IFS=","; set $i; unset IFS
+		echo "	-rm -f \$(DESTDIR)\$(mandir)/man3/$2" >> Makefile.am
+	done
+	for i in $TLS_MLINKS; do
+		IFS=","; set $i; unset IFS
+		echo "	rm -f \$(DESTDIR)\$(mandir)/man3/$2" >> Makefile.am
+	done
 )
-add_man_links . man/Makefile.am
-
-# standalone libtls manpages
-mkdir -p libtls-standalone/man
-echo "dist_man_MANS = tls_init.3" > libtls-standalone/man/Makefile.am
-
-$CP $libtls_src/tls_init.3 libtls-standalone/man
-add_man_links tls_init libtls-standalone/man/Makefile.am