update path to openssl(1) in testssl wrapper

run distcheck rather than just dist, cmake tests

.gitignore

@@ -41,10 +41,15 @@ Makefile.in
 *.def
 *.pc
 
+# man pages
+*.1
+*.3
+
 # tests
 test-driver
 *.log
 *.trs
+!tests/optionstest.c
 tests/aes_wrap*
 tests/arc4random_fork*
 tests/cipher*
@@ -60,7 +65,6 @@ tests/pbkdf2*
 tests/*.pem
 tests/testssl
 tests/*.txt
-!tests/optionstest.c
 
 # ctags stuff
 TAGS
@@ -70,8 +74,8 @@ autom4te.cache
 # Libtool adds these, at least sometimes
 INSTALL
 /COPYING
-m4/l*
 !m4/check*.m4
+m4/l*
 
 aclocal.m4
 compile
@@ -93,9 +97,11 @@ stamp-h2
 
 include/openssl/Makefile.am
 
+VERSION
 crypto/VERSION
 ssl/VERSION
 tls/VERSION
+libtls-standalone/VERSION
 
 ssl/*.c
 ssl/*.h
@@ -104,32 +110,36 @@ tls/*.h
 include/pqueue.h
 include/tls.h
 include/openssl/*.h
-include/openssl/*.he
 
-/apps/*.h
-/apps/*.c
-/apps/openssl
-/apps/openssl.cnf
-!/apps/apps_win.c
-!/apps/poll_win.c
-!/apps/certhash_disabled.c
+!/apps/nc/readpassphrase.c
+/apps/nc/*.h
+/apps/nc/*.c
+/apps/nc/nc*
+/apps/openssl/*.h
+/apps/openssl/*.c
+/apps/openssl/*.cnf
+/apps/openssl/*.pem
+/apps/openssl/openssl
+/apps/openssl/compat/strtonum.c
 
-/crypto
 !/crypto/Makefile.am.*
 !/crypto/compat/arc4random.h
 !/crypto/compat/b_win.c
+!/crypto/compat/explicit_bzero_win.c
 !/crypto/compat/posix_win.c
 !/crypto/compat/bsd_asprintf.c
 !/crypto/compat/inet_pton.c
 !/crypto/compat/ui_openssl_win.c
+!/crypto/CMakeLists.txt
+/crypto
 
+!/libtls-standalone/compat/Makefile.am
 /libtls-standalone/include/*.h
 /libtls-standalone/src/*.c
 /libtls-standalone/src/*.h
 /libtls-standalone/src
 /libtls-standalone/tests/test
 /libtls-standalone/compat
-!/libtls-standalone/compat/Makefile.am
 /libtls-standalone/VERSION
 /libtls-standalone/m4
 /libtls-standalone/man
@@ -137,7 +147,4 @@ include/openssl/*.he
 openbsd/
 
 *.tar.gz
-apps/*.1*
-man/*.3
-man/*.1
 man/Makefile.am

.travis.yml

@@ -1,24 +1,24 @@
 language: c
 matrix:
-        include:
-                - compiler: clang
-                  os: osx
-                  env: ARCH=native
-                - compiler: gcc
-                  os: osx
-                  env: ARCH=native
-                - compiler: clang
-                  os: linux
-                  env: ARCH=native
-                - compiler: gcc
-                  os: linux
-                  env: ARCH=native
-                - compiler: gcc
-                  os: linux
-                  env: ARCH=mingw32
-                - compiler: gcc
-                  os: linux
-                  env: ARCH=mingw64
+  include:
+    - compiler: clang
+      os: osx
+      env: ARCH=native
+    - compiler: gcc
+      os: osx
+      env: ARCH=native
+    - compiler: clang
+      os: linux
+      env: ARCH=native
+    - compiler: gcc
+      os: linux
+      env: ARCH=native
+    - compiler: gcc
+      os: linux
+      env: ARCH=mingw32
+    - compiler: gcc
+      os: linux
+      env: ARCH=mingw64
 
 script:
-        "./scripts/travis"
+  "./scripts/travis"

CMakeLists.txt

@@ -0,0 +1,182 @@
+cmake_minimum_required (VERSION 2.8)
+include(CheckFunctionExists)
+include(CheckLibraryExists)
+include(CheckIncludeFiles)
+
+project (LibreSSL)
+
+enable_testing()
+
+file(READ ${CMAKE_SOURCE_DIR}/ssl/VERSION SSL_VERSION)
+string(STRIP ${SSL_VERSION} SSL_VERSION)
+string(REPLACE ":" "." SSL_VERSION ${SSL_VERSION})
+string(REGEX REPLACE "\\..*" "" SSL_MAJOR_VERSION ${SSL_VERSION})
+
+file(READ ${CMAKE_SOURCE_DIR}/crypto/VERSION CRYPTO_VERSION)
+string(STRIP ${CRYPTO_VERSION} CRYPTO_VERSION)
+string(REPLACE ":" "." CRYPTO_VERSION ${CRYPTO_VERSION})
+string(REGEX REPLACE "\\..*" "" CRYPTO_MAJOR_VERSION ${CRYPTO_VERSION})
+
+file(READ ${CMAKE_SOURCE_DIR}/tls/VERSION TLS_VERSION)
+string(STRIP ${TLS_VERSION} TLS_VERSION)
+string(REPLACE ":" "." TLS_VERSION ${TLS_VERSION})
+string(REGEX REPLACE "\\..*" "" TLS_MAJOR_VERSION ${TLS_VERSION})
+
+if(CMAKE_SYSTEM_NAME MATCHES "OpenBSD")
+	add_definitions(-DHAVE_ATTRIBUTE__BOUNDED__)
+endif()
+
+if(CMAKE_SYSTEM_NAME MATCHES "Linux")
+	add_definitions(-D_DEFAULT_SOURCE)
+	add_definitions(-D_BSD_SOURCE)
+	add_definitions(-D_POSIX_SOURCE)
+	add_definitions(-D_GNU_SOURCE)
+endif()
+
+add_definitions(-DLIBRESSL_INTERNAL)
+add_definitions(-DOPENSSL_NO_HW_PADLOCK)
+add_definitions(-DOPENSSL_NO_ASM)
+
+set(CMAKE_POSITION_INDEPENDENT_CODE true)
+
+if (CMAKE_COMPILER_IS_GNUCC OR CMAKE_C_COMPILER_ID MATCHES "Clang")
+	add_definitions(-Wno-pointer-sign)
+endif()
+
+if(MSVC)
+	add_definitions(-Dinline=__inline)
+	add_definitions(-Drestrict)
+	add_definitions(-D_CRT_SECURE_NO_WARNINGS)
+	add_definitions(-D_CRT_DEPRECATED_NO_WARNINGS)
+	add_definitions(-D_REENTRANT -D_POSIX_THREAD_SAFE_FUNCTIONS)
+	add_definitions(-DWIN32_LEAN_AND_MEAN -D_WIN32_WINNT=0x0501)
+	add_definitions(-DCPPFLAGS -DOPENSSL_NO_SPEED -DNO_SYSLOG -DNO_CRYPT)
+
+	set(MSVC_DISABLED_WARNINGS_LIST
+		"C4057" # C4057: 'initializing' : 'unsigned char *' differs in
+		        # indirection to slightly different base types from 'char [2]'
+		"C4100" # 'exarg' : unreferenced formal parameter
+		"C4127" # conditional expression is constant
+		"C4242" # 'function' : conversion from 'int' to 'uint8_t',
+		        # possible loss of data
+		"C4244" # 'function' : conversion from 'int' to 'uint8_t',
+		        # possible loss of data
+		"C4706" # assignment within conditional expression
+		"C4820" # 'bytes' bytes padding added after construct 'member_name'
+		"C4996" # 'read': The POSIX name for this item is deprecated. Instead,
+		        # use the ISO C++ conformant name: _read.
+	)
+	string(REPLACE "C" " -wd" MSVC_DISABLED_WARNINGS_STR
+		${MSVC_DISABLED_WARNINGS_LIST})
+	set(CMAKE_C_FLAGS  "-MP -W4 ${MSVC_DISABLED_WARNINGS_STR}")
+endif()
+
+check_function_exists(asprintf HAVE_ASPRINTF)
+if(HAVE_ASPRINTF)
+	add_definitions(-DHAVE_ASPRINTF)
+endif()
+
+check_function_exists(inet_pton HAVE_INET_PTON)
+if(HAVE_INET_PTON)
+	add_definitions(-DHAVE_INET_PTON)
+endif()
+
+check_function_exists(reallocarray HAVE_REALLOCARRAY)
+if(HAVE_REALLOCARRAY)
+	add_definitions(-DHAVE_REALLOCARRAY)
+endif()
+
+check_function_exists(strcasecmp HAVE_STRCASECMP)
+if(HAVE_STRCASECMP)
+	add_definitions(-DHAVE_STRCASECMP)
+endif()
+
+check_function_exists(strlcat HAVE_STRLCAT)
+if(HAVE_STRLCAT)
+	add_definitions(-DHAVE_STRLCAT)
+endif()
+
+check_function_exists(strlcat HAVE_STRLCPY)
+if(HAVE_STRLCPY)
+	add_definitions(-DHAVE_STRLCPY)
+endif()
+
+check_function_exists(strndup HAVE_STRNDUP)
+if(HAVE_STRNDUP)
+	add_definitions(-DHAVE_STRNDUP)
+endif()
+
+if(MSVC)
+	set(HAVE_STRNLEN)
+	add_definitions(-DHAVE_STRNLEN)
+else()
+	check_function_exists(strnlen HAVE_STRNLEN)
+	if(HAVE_STRNLEN)
+		add_definitions(-DHAVE_STRNLEN)
+	endif()
+endif()
+
+check_function_exists(strsep HAVE_STRSEP)
+if(HAVE_STRSEP)
+	add_definitions(-DHAVE_STRSEP)
+endif()
+
+check_function_exists(arc4random_buf HAVE_ARC4RANDOM_BUF)
+if(HAVE_ARC4RANDOM_BUF)
+	add_definitions(-DHAVE_ARC4RANDOM_BUF)
+endif()
+
+check_function_exists(explicit_bzero HAVE_EXPLICIT_BZERO)
+if(HAVE_EXPLICIT_BZERO)
+	add_definitions(-DHAVE_EXPLICIT_BZERO)
+endif()
+
+check_function_exists(getauxval HAVE_GETAUXVAL)
+if(HAVE_GETAUXVAL)
+	add_definitions(-DHAVE_GETAUXVAL)
+endif()
+
+check_function_exists(getentropy HAVE_GETENTROPY)
+if(HAVE_GETENTROPY)
+	add_definitions(-DHAVE_GETENTROPY)
+endif()
+
+check_function_exists(timingsafe_bcmp HAVE_TIMINGSAFE_BCMP)
+if(HAVE_TIMINGSAFE_BCMP)
+	add_definitions(-DHAVE_TIMINGSAFE_BCMP)
+endif()
+
+check_function_exists(timingsafe_memcmp HAVE_TIMINGSAFE_MEMCMP)
+if(HAVE_MEMCMP)
+	add_definitions(-DHAVE_MEMCMP)
+endif()
+
+check_include_files(err.h HAVE_ERR_H)
+if(HAVE_ERR_H)
+	add_definitions(-DHAVE_ERR_H)
+endif()
+
+set(OPENSSL_LIBS ssl crypto)
+if(CMAKE_HOST_WIN32)
+	set(OPENSSL_LIBS ${OPENSSL_LIBS} ws2_32)
+endif()
+if(CMAKE_SYSTEM_NAME MATCHES "Linux")
+	check_library_exists(rt clock_gettime "time.h" HAVE_CLOCK_GETTIME)
+	if (HAVE_CLOCK_GETTIME)
+		set(OPENSSL_LIBS ${OPENSSL_LIBS} rt)
+	endif()
+endif()
+
+if(NOT (CMAKE_SYSTEM_NAME MATCHES "Darwin" OR MSVC))
+	set(BUILD_SHARED true)
+endif()
+
+add_subdirectory(crypto)
+add_subdirectory(ssl)
+add_subdirectory(apps)
+add_subdirectory(tls)
+add_subdirectory(include)
+if(NOT MSVC)
+	add_subdirectory(man)
+	add_subdirectory(tests)
+endif()

ChangeLog

@@ -28,14 +28,135 @@ history is also available from Git.
 
 LibreSSL Portable Release Notes:
 
-This release primarily addresses a number of security issues in coordination
-with the OpenSSL project.
+2.3.0 - SSLv3 removed, libtls API changes, portability improvements
+
+	* SSLv3 is now permanently removed from the tree.
+
+	* The libtls API is changed from the 2.2.x series.
+
+	  The read/write functions work correctly with external event
+	  libraries.  See the tls_init man page for examples of using libtls
+	  correctly in asynchronous mode.
+
+	  Client-side verification is now supported, with the client supplying
+	  the certificate to the server.
+
+	  Also, when using tls_connect_fds, tls_connect_socket or
+	  tls_accept_fds, libtls no longer implicitly closes the passed in
+	  sockets. The caller is responsible for closing them in this case.
+
+	* When loading a DSA key from an raw (without DH parameters) ASN.1
+	  serialization, perform some consistency checks on its `p' and `q'
+	  values, and return an error if the checks failed.
+
+	  Thanks for Georgi Guninski (guninski at guninski dot com) for
+	  mentioning the possibility of a weak (non prime) q value and
+	  providing a test case.
+
+	  See
+	  https://cpunks.org/pipermail/cypherpunks/2015-September/009007.html
+	  for a longer discussion.
+
+	* Fixed a bug in ECDH_compute_key that can lead to silent truncation
+	  of the result key without error. A coding error could cause software
+	  to use much shorter keys than intended.
+
+	* Removed support for DTLS_BAD_VER. Pre-DTLSv1 implementations are no
+	  longer supported.
+
+	* The engine command and parameters are removed from the openssl(1).
+	  Previous releases removed dynamic and builtin engine support
+	  already.
+
+	* SHA-0 is removed, which was withdrawn shortly after publication 20
+	  years ago.
+
+	* Added Certplus CA root certificate to the default cert.pem file.
+
+	* New interface OPENSSL_cpu_caps is provided that does not allow
+	  software to inadvertently modify cpu capability flags.
+	  OPENSSL_ia32cap and OPENSSL_ia32cap_loc are removed.
+
+	* The out_len argument of AEAD changed from ssize_t to size_t.
+
+	* Deduplicated DTLS code, sharing bugfixes and improvements with
+	  TLS.
+
+	* Converted 'nc' to use libtls for client and server operations; it is
+	  included in the libressl-portable distribution as an example of how
+	  to use the library.
+
+2.2.3 - Bug fixes, build enhancements
+
+	* LibreSSL 2.2.2 incorrectly handles ClientHello messages that do not
+	  include TLS extensions, resulting in such handshakes being aborted.
+	  This release corrects the handling of such messages. Thanks to
+	  Ligushka from github for reporting the issue.
+
+	* Added install target for cmake builds. Thanks to TheNietsnie from
+	  github.
+
+	* Updated pkgconfig files to correctly report the release version
+	  number, not the individual library ABI version numbers. Thanks to
+	  Jan Engelhardt for reporting the issue.
+
+2.2.2 - More TLS parser rework, bug fixes, expanded portable build support
+
+	* Switched 'openssl dhparam' default from 512 to 2048 bits
+
+	* Reworked openssl(1) option handling
+
+	* More CRYPTO ByteString (CBC) packet parsing conversions
+
+	* Fixed 'openssl pkeyutl -verify' to exit with a 0 on success
+
+	* Fixed dozens of Coverity issues including dead code, memory leaks,
+	  logic errors and more.
+
+	* Ensure that openssl(1) restores terminal echo state after reading a
+	  password.
+
+	* Incorporated fix for OpenSSL Issue #3683
+
+	* LibreSSL version define LIBRESSL_VERSION_NUMBER will now be bumped
+	  for each portable release.
+
+	* Removed workarounds for TLS client padding bugs.
+
+	* No longer disable ECDHE-ECDSA on OS X
+
+	* Removed SSLv3 support from openssl(1)
+
+	* Removed IE 6 SSLv3 workarounds.
+
+	* Modified tls_write in libtls to allow partial writes, clarified with
+	  examples in the documentation.
+
+	* Removed RSAX engine
+
+	* Tested SSLv3 removal with the OpenBSD ports tree and found several
+	  applications that were not ready to build without SSLv3 yet. For
+	  now, building a program that intentionally uses SSLv3 will result in
+	  a linker warning.
+
+	* Added TLS_method, TLS_client_method and TLS_server_method as a
+	  replacement for the SSLv23_*method calls.
+
+	* Added initial cmake build support, including support for building with
+	  Visual Studio, currently tested with Visual Studio 2013 Community
+	  Edition.
+
+	* --with-enginesdir is removed as a configuration parameter
+
+	* Default cert.pem, openssl.cnf, and x509v3.cnf files are now
+	  installed under $sysconfdir/ssl or the directory specified by
+	  --with-openssldir. Previous versions of LibreSSL left these empty.
 
 2.2.1 - Build fixes, feature added, features removed
 
 	* Assorted build fixes for musl, HP-UX, Mingw, Solaris.
 
-	* Initial support for Windows 2009, 2003, XP
+	* Initial support for Windows Embedded 2009, Server 2003, XP
 
 	* Protocol parsing conversions to BoringSSL's CRYPTO ByteString (CBS) API
 

Makefile.am

@@ -5,3 +5,4 @@ pkgconfigdir = $(libdir)/pkgconfig
 pkgconfig_DATA = libcrypto.pc libssl.pc libtls.pc openssl.pc
 
 EXTRA_DIST = README.md README.windows VERSION config scripts
+EXTRA_DIST += CMakeLists.txt

Makefile.am.common

@@ -1,2 +1,2 @@
-AM_CFLAGS = -I$(top_srcdir)/include
+AM_CFLAGS = -I$(top_srcdir)/include -I$(top_srcdir)/include/compat
 AM_CPPFLAGS = -DLIBRESSL_INTERNAL

README.md

@@ -1,6 +1,8 @@
 ![LibreSSL image](http://www.libressl.org/images/libressl.jpg)
 ## Official portable version of [LibreSSL](http://www.libressl.org) ##
 
+[![Build Status](https://travis-ci.org/libressl-portable/portable.svg?branch=master)](https://travis-ci.org/libressl-portable/portable)
+
 LibreSSL is a fork of [OpenSSL](https://www.openssl.org) 1.0.1g developed by the
 [OpenBSD](http://www.openbsd.org) project.  Our goal is to modernize the codebase,
 improve security, and apply best practice development processes from OpenBSD.
@@ -11,7 +13,7 @@ LibreSSL is API compatible with OpenSSL 1.0.1, but does not yet include all
 new APIs from OpenSSL 1.0.2 and later. LibreSSL also includes APIs not yet
 present in OpenSSL. The current common API subset is OpenSSL 1.0.1.
 
-LibreSSL it is not ABI compatible with any release of OpenSSL, or necessarily
+LibreSSL is not ABI compatible with any release of OpenSSL, or necessarily
 earlier releases of LibreSSL. You will need to relink your programs to
 LibreSSL in order to use it, just as in moving between major versions of OpenSSL.
 LibreSSL's installed library version numbers are incremented to account for
@@ -35,9 +37,9 @@ At the time of this writing, LibreSSL is know to build and work on:
 * AIX (5.3 and later)
 
 LibreSSL also supports the following Windows environments:
-* Microsoft Windows (Vista or higher, x86 and x64)
+* Microsoft Windows (XP or higher, x86 and x64)
 * Wine (32-bit and 64-bit)
-* Builds with Mingw-w64 and Cygwin
+* Builds with Mingw-w64, Cygwin, and Visual Studio
 
 Official release tarballs are available at your friendly neighborhood
 OpenBSD mirror in directory
@@ -60,14 +62,14 @@ If you have checked this source using Git, follow these initial steps to
 prepare the source tree for building:
 
 1. Ensure you have the following packages installed:
-   automake, autoconf, bash, git, libtool, perl, pod2man
+   automake, autoconf, git, libtool, perl, pod2man
 2. Run './autogen.sh' to prepare the source tree for building or
    run './dist.sh' to prepare a tarball.
 
 ## Building LibreSSL ##
 
 Once you have a source tree from Git or FTP, run these commands to build and
-install the package on most systems.
+install the package on most systems:
 
 ```sh
 ./configure   # see ./configure --help for configuration options
@@ -75,6 +77,26 @@ make check    # runs builtin unit tests
 make install  # set DESTDIR= to install to an alternate location
 ```
 
+If you wish to use the CMake build system, use these commands:
+
+```sh
+mkdir build
+cd build
+cmake ..
+make
+make test
+```
+
+For faster builds, you can use Ninja as well:
+
+```sh
+mkdir build-ninja
+cd build-ninja
+cmake -G"Ninja" ..
+ninja
+ninja test
+```
+
 ### OS specific build information: ###
 
 #### HP-UX (11i) ####
@@ -95,4 +117,17 @@ LibreSSL builds against relatively recent versions of Mingw-w64, not to be
 confused with the original mingw.org project.  Mingw-w64 3.2 or later
 should work. See README.windows for more information
 
-[![Build Status](https://travis-ci.org/libressl-portable/portable.svg?branch=master)](https://travis-ci.org/libressl-portable/portable)
+#### Windows - Visual Studio ####
+
+LibreSSL builds using the CMake target "Visual Studio 12 2013", and may build
+against older/newer targets as well. To generate a Visual Studio project,
+install CMake, enter the LibreSSL source directory and run:
+
+```sh
+ mkdir build-vs2013
+ cd build-vs2013
+ cmake -G"Visual Studio 12 2013" ..
+```
+
+This will generate a LibreSSL.sln file that you can incorporate into other
+projects or build by itself.

README.windows

@@ -6,9 +6,8 @@ GCC or Clang as the compiler. Contrary to its name, mingw-w64 supports both
 then LibreSSL should integrate very nicely. Old versions of the mingw-w64
 toolchain, such as the one packaged with Ubuntu 12.04, may have trouble
 building LibreSSL. Please try it with a recent toolchain if you encounter
-troubles. If you are building under Cygwin, only builds with the mingw-w64
-compiler are supported, though you can easily use Cygwin to drive the build
-process.
+troubles. Cygwin provides an easy method of installing the latest mingw-w64
+cross compilers on Windows.
 
 To configure and build LibreSSL for a 32-bit system, use the following
 build steps:
@@ -40,3 +39,7 @@ Pre-built Windows binaries are available with LibreSSL releases if you do not
 have a mingw-w64 build environment. Mingw-w64 code is largely, but not 100%,
 compatible with code built from Visual Studio. Notably, FILE * pointers cannot
 be shared between code built for Mingw-w64 and Visual Studio.
+
+As of LibreSSL 2.2.2, Visual Studio Native builds can be produced using CMake.
+This produces ABI-compatible libraries for linking with native code generated
+by Visual Studio.

VERSION

@@ -1 +0,0 @@
-2.2.1

apps/CMakeLists.txt

@@ -0,0 +1,81 @@
+include_directories(
+	.
+	../include
+	../include/compat
+	./openssl
+)
+
+set(
+	OPENSSL_SRC
+	openssl/apps.c
+	openssl/asn1pars.c
+	openssl/ca.c
+	openssl/ciphers.c
+	openssl/cms.c
+	openssl/crl.c
+	openssl/crl2p7.c
+	openssl/dgst.c
+	openssl/dh.c
+	openssl/dhparam.c
+	openssl/dsa.c
+	openssl/dsaparam.c
+	openssl/ec.c
+	openssl/ecparam.c
+	openssl/enc.c
+	openssl/errstr.c
+	openssl/gendh.c
+	openssl/gendsa.c
+	openssl/genpkey.c
+	openssl/genrsa.c
+	openssl/nseq.c
+	openssl/ocsp.c
+	openssl/openssl.c
+	openssl/passwd.c
+	openssl/pkcs12.c
+	openssl/pkcs7.c
+	openssl/pkcs8.c
+	openssl/pkey.c
+	openssl/pkeyparam.c
+	openssl/pkeyutl.c
+	openssl/prime.c
+	openssl/rand.c
+	openssl/req.c
+	openssl/rsa.c
+	openssl/rsautl.c
+	openssl/s_cb.c
+	openssl/s_client.c
+	openssl/s_server.c
+	openssl/s_socket.c
+	openssl/s_time.c
+	openssl/sess_id.c
+	openssl/smime.c
+	openssl/speed.c
+	openssl/spkac.c
+	openssl/ts.c
+	openssl/verify.c
+	openssl/version.c
+	openssl/x509.c
+)
+
+if(CMAKE_HOST_UNIX)
+	set(OPENSSL_SRC ${OPENSSL_SRC} openssl/apps_posix.c)
+	set(OPENSSL_SRC ${OPENSSL_SRC} openssl/certhash.c)
+endif()
+
+if(CMAKE_HOST_WIN32)
+	set(OPENSSL_SRC ${OPENSSL_SRC} openssl/compat/apps_win.c)
+	set(OPENSSL_SRC ${OPENSSL_SRC} openssl/compat/certhash_win.c)
+	set(OPENSSL_SRC ${OPENSSL_SRC} openssl/compat/poll_win.c)
+endif()
+
+check_function_exists(strtonum HAVE_STRTONUM)
+if(HAVE_STRTONUM)
+	add_definitions(-DHAVE_STRTONUM)
+else()
+	set(OPENSSL_SRC ${OPENSSL_SRC} openssl/compat/strtonum.c)
+endif()
+
+add_executable(openssl ${OPENSSL_SRC})
+target_link_libraries(openssl ${OPENSSL_LIBS})
+
+install(TARGETS openssl DESTINATION bin)

apps/Makefile.am

@@ -1,87 +1,5 @@
 include $(top_srcdir)/Makefile.am.common
 
-bin_PROGRAMS = openssl
+SUBDIRS = openssl nc
 
-openssl_LDADD = $(PLATFORM_LDADD) $(PROG_LDADD)
-openssl_LDADD += $(top_builddir)/ssl/libssl.la
-openssl_LDADD += $(top_builddir)/crypto/libcrypto.la
-
-openssl_SOURCES = apps.c
-openssl_SOURCES += asn1pars.c
-openssl_SOURCES += ca.c
-openssl_SOURCES += ciphers.c
-openssl_SOURCES += cms.c
-openssl_SOURCES += crl.c
-openssl_SOURCES += crl2p7.c
-openssl_SOURCES += dgst.c
-openssl_SOURCES += dh.c
-openssl_SOURCES += dhparam.c
-openssl_SOURCES += dsa.c
-openssl_SOURCES += dsaparam.c
-openssl_SOURCES += ec.c
-openssl_SOURCES += ecparam.c
-openssl_SOURCES += enc.c
-openssl_SOURCES += engine.c
-openssl_SOURCES += errstr.c
-openssl_SOURCES += gendh.c
-openssl_SOURCES += gendsa.c
-openssl_SOURCES += genpkey.c
-openssl_SOURCES += genrsa.c
-openssl_SOURCES += nseq.c
-openssl_SOURCES += ocsp.c
-openssl_SOURCES += openssl.c
-openssl_SOURCES += passwd.c
-openssl_SOURCES += pkcs12.c
-openssl_SOURCES += pkcs7.c
-openssl_SOURCES += pkcs8.c
-openssl_SOURCES += pkey.c
-openssl_SOURCES += pkeyparam.c
-openssl_SOURCES += pkeyutl.c
-openssl_SOURCES += prime.c
-openssl_SOURCES += rand.c
-openssl_SOURCES += req.c
-openssl_SOURCES += rsa.c
-openssl_SOURCES += rsautl.c
-openssl_SOURCES += s_cb.c
-openssl_SOURCES += s_client.c
-openssl_SOURCES += s_server.c
-openssl_SOURCES += s_socket.c
-openssl_SOURCES += s_time.c
-openssl_SOURCES += sess_id.c
-openssl_SOURCES += smime.c
-openssl_SOURCES += speed.c
-openssl_SOURCES += spkac.c
-openssl_SOURCES += ts.c
-openssl_SOURCES += verify.c
-openssl_SOURCES += version.c
-openssl_SOURCES += x509.c
-
-if BUILD_CERTHASH
-openssl_SOURCES += certhash.c
-else
-openssl_SOURCES += certhash_disabled.c
-endif
-
-if HOST_WIN
-openssl_SOURCES += apps_win.c
-else
-openssl_SOURCES += apps_posix.c
-endif
-
-if !HAVE_POLL
-if HOST_WIN
-openssl_SOURCES += poll_win.c
-endif
-endif
-
-if !HAVE_STRTONUM
-openssl_SOURCES += strtonum.c
-endif
-
-noinst_HEADERS = apps.h
-noinst_HEADERS += progs.h
-noinst_HEADERS += s_apps.h
-noinst_HEADERS += testdsa.h
-noinst_HEADERS += testrsa.h
-noinst_HEADERS += timeouts.h
-noinst_HEADERS += openssl.cnf
+EXTRA_DIST = CMakeLists.txt

apps/apps_win.c

@@ -1,29 +0,0 @@
-/*
- * Public domain
- *
- * Dongsheng Song <dongsheng.song@gmail.com>
- * Brent Cook <bcook@openbsd.org>
- */
-
-#include <windows.h>
-
-#include "apps.h"
-
-double
-app_tminterval(int stop, int usertime)
-{
-	static unsigned __int64 tmstart;
-	union {
-		unsigned __int64 u64;
-		FILETIME ft;
-	} ct, et, kt, ut;
-
-	GetProcessTimes(GetCurrentProcess(), &ct.ft, &et.ft, &kt.ft, &ut.ft);
-
-	if (stop == TM_START) {
-		tmstart = ut.u64 + kt.u64;
-	} else {
-		return (ut.u64 + kt.u64 - tmstart) / (double) 10000000;
-	}
-	return 0;
-}

apps/nc/Makefile.am

@@ -0,0 +1,36 @@
+include $(top_srcdir)/Makefile.am.common
+
+if BUILD_NC
+
+noinst_PROGRAMS = nc
+
+EXTRA_DIST = nc.1
+
+nc_LDADD = $(PLATFORM_LDADD) $(PROG_LDADD)
+nc_LDADD += $(top_builddir)/crypto/libcrypto.la
+nc_LDADD += $(top_builddir)/ssl/libssl.la
+nc_LDADD += $(top_builddir)/tls/libtls.la
+
+CPPFLAGS += -I$(top_srcdir)/apps/nc/compat
+
+nc_SOURCES = atomicio.c
+nc_SOURCES += netcat.c
+nc_SOURCES += socks.c
+noinst_HEADERS = atomicio.h
+noinst_HEADERS += compat/sys/socket.h
+
+nc_SOURCES += compat/socket.c
+
+if !HAVE_ACCEPT4
+nc_SOURCES += compat/accept4.c
+endif
+
+if !HAVE_READPASSPHRASE
+nc_SOURCES += compat/readpassphrase.c
+endif
+
+if !HAVE_STRTONUM
+nc_SOURCES += compat/strtonum.c
+endif
+
+endif

apps/nc/compat/accept4.c

@@ -0,0 +1,17 @@
+#include <sys/socket.h>
+#include <fcntl.h>
+
+int
+accept4(int s, struct sockaddr *addr, socklen_t *addrlen, int flags)
+{
+	int rets = accept(s, addr, addrlen);
+	if (rets == -1)
+		return s;
+
+	if (flags & SOCK_CLOEXEC) {
+		flags = fcntl(s, F_GETFD);
+		fcntl(rets, F_SETFD, flags | FD_CLOEXEC);
+	}
+
+	return rets;
+}

apps/nc/compat/readpassphrase.c

@@ -0,0 +1,205 @@
+/*	$OpenBSD: readpassphrase.c,v 1.22 2010/01/13 10:20:54 dtucker Exp $	*/
+
+/*
+ * Copyright (c) 2000-2002, 2007 Todd C. Miller <Todd.Miller@courtesan.com>
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+ * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+ * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ *
+ * Sponsored in part by the Defense Advanced Research Projects
+ * Agency (DARPA) and Air Force Research Laboratory, Air Force
+ * Materiel Command, USAF, under agreement number F39502-99-1-0512.
+ */
+
+/* OPENBSD ORIGINAL: lib/libc/gen/readpassphrase.c */
+
+#include <termios.h>
+#include <signal.h>
+#include <ctype.h>
+#include <fcntl.h>
+#include <errno.h>
+#include <string.h>
+#include <unistd.h>
+
+#include <readpassphrase.h>
+
+#ifndef _PATH_TTY
+# define _PATH_TTY "/dev/tty"
+#endif
+
+#ifdef TCSASOFT
+# define _T_FLUSH	(TCSAFLUSH|TCSASOFT)
+#else
+# define _T_FLUSH	(TCSAFLUSH)
+#endif
+
+/* SunOS 4.x which lacks _POSIX_VDISABLE, but has VDISABLE */
+#if !defined(_POSIX_VDISABLE) && defined(VDISABLE)
+#  define _POSIX_VDISABLE       VDISABLE
+#endif
+
+#ifndef _NSIG
+# ifdef NSIG
+#  define _NSIG NSIG
+# else
+#  define _NSIG 128
+# endif
+#endif
+
+static volatile sig_atomic_t signo[_NSIG];
+
+static void handler(int);
+
+char *
+readpassphrase(const char *prompt, char *buf, size_t bufsiz, int flags)
+{
+	ssize_t bytes_written = 0;
+	ssize_t nr;
+	int input, output, save_errno, i, need_restart;
+	char ch, *p, *end;
+	struct termios term, oterm;
+	struct sigaction sa, savealrm, saveint, savehup, savequit, saveterm;
+	struct sigaction savetstp, savettin, savettou, savepipe;
+
+	/* I suppose we could alloc on demand in this case (XXX). */
+	if (bufsiz == 0) {
+		errno = EINVAL;
+		return(NULL);
+	}
+
+restart:
+	for (i = 0; i < _NSIG; i++)
+		signo[i] = 0;
+	nr = -1;
+	save_errno = 0;
+	need_restart = 0;
+	/*
+	 * Read and write to /dev/tty if available.  If not, read from
+	 * stdin and write to stderr unless a tty is required.
+	 */
+	if ((flags & RPP_STDIN) ||
+	    (input = output = open(_PATH_TTY, O_RDWR)) == -1) {
+		if (flags & RPP_REQUIRE_TTY) {
+			errno = ENOTTY;
+			return(NULL);
+		}
+		input = STDIN_FILENO;
+		output = STDERR_FILENO;
+	}
+
+	/*
+	 * Catch signals that would otherwise cause the user to end
+	 * up with echo turned off in the shell.  Don't worry about
+	 * things like SIGXCPU and SIGVTALRM for now.
+	 */
+	sigemptyset(&sa.sa_mask);
+	sa.sa_flags = 0;		/* don't restart system calls */
+	sa.sa_handler = handler;
+	(void)sigaction(SIGALRM, &sa, &savealrm);
+	(void)sigaction(SIGHUP, &sa, &savehup);
+	(void)sigaction(SIGINT, &sa, &saveint);
+	(void)sigaction(SIGPIPE, &sa, &savepipe);
+	(void)sigaction(SIGQUIT, &sa, &savequit);
+	(void)sigaction(SIGTERM, &sa, &saveterm);
+	(void)sigaction(SIGTSTP, &sa, &savetstp);
+	(void)sigaction(SIGTTIN, &sa, &savettin);
+	(void)sigaction(SIGTTOU, &sa, &savettou);
+
+	/* Turn off echo if possible. */
+	if (input != STDIN_FILENO && tcgetattr(input, &oterm) == 0) {
+		memcpy(&term, &oterm, sizeof(term));
+		if (!(flags & RPP_ECHO_ON))
+			term.c_lflag &= ~(ECHO | ECHONL);
+#ifdef VSTATUS
+		if (term.c_cc[VSTATUS] != _POSIX_VDISABLE)
+			term.c_cc[VSTATUS] = _POSIX_VDISABLE;
+#endif
+		(void)tcsetattr(input, _T_FLUSH, &term);
+	} else {
+		memset(&term, 0, sizeof(term));
+		term.c_lflag |= ECHO;
+		memset(&oterm, 0, sizeof(oterm));
+		oterm.c_lflag |= ECHO;
+	}
+
+	/* No I/O if we are already backgrounded. */
+	if (signo[SIGTTOU] != 1 && signo[SIGTTIN] != 1) {
+		if (!(flags & RPP_STDIN))
+			bytes_written = write(output, prompt, strlen(prompt));
+		end = buf + bufsiz - 1;
+		p = buf;
+		while ((nr = read(input, &ch, 1)) == 1 && ch != '\n' && ch != '\r') {
+			if (p < end) {
+				if ((flags & RPP_SEVENBIT))
+					ch &= 0x7f;
+				if (isalpha(ch)) {
+					if ((flags & RPP_FORCELOWER))
+						ch = (char)tolower(ch);
+					if ((flags & RPP_FORCEUPPER))
+						ch = (char)toupper(ch);
+				}
+				*p++ = ch;
+			}
+		}
+		*p = '\0';
+		save_errno = errno;
+		if (!(term.c_lflag & ECHO))
+			bytes_written = write(output, "\n", 1);
+	}
+
+	(void) bytes_written;
+
+	/* Restore old terminal settings and signals. */
+	if (memcmp(&term, &oterm, sizeof(term)) != 0) {
+		while (tcsetattr(input, _T_FLUSH, &oterm) == -1 &&
+		    errno == EINTR)
+			continue;
+	}
+	(void)sigaction(SIGALRM, &savealrm, NULL);
+	(void)sigaction(SIGHUP, &savehup, NULL);
+	(void)sigaction(SIGINT, &saveint, NULL);
+	(void)sigaction(SIGQUIT, &savequit, NULL);
+	(void)sigaction(SIGPIPE, &savepipe, NULL);
+	(void)sigaction(SIGTERM, &saveterm, NULL);
+	(void)sigaction(SIGTSTP, &savetstp, NULL);
+	(void)sigaction(SIGTTIN, &savettin, NULL);
+	(void)sigaction(SIGTTOU, &savettou, NULL);
+	if (input != STDIN_FILENO)
+		(void)close(input);
+
+	/*
+	 * If we were interrupted by a signal, resend it to ourselves
+	 * now that we have restored the signal handlers.
+	 */
+	for (i = 0; i < _NSIG; i++) {
+		if (signo[i]) {
+			kill(getpid(), i);
+			switch (i) {
+			case SIGTSTP:
+			case SIGTTIN:
+			case SIGTTOU:
+				need_restart = 1;
+			}
+		}
+	}
+	if (need_restart)
+		goto restart;
+
+	if (save_errno)
+		errno = save_errno;
+	return(nr == -1 ? NULL : buf);
+}
+
+static void handler(int s)
+{
+	signo[s] = 1;
+}

apps/nc/compat/socket.c

@@ -0,0 +1,29 @@
+#define SOCKET_FLAGS_PRIV
+
+#include <sys/socket.h>
+
+#ifdef NEED_SOCKET_FLAGS
+
+#include <fcntl.h>
+
+int
+_socket(int domain, int type, int protocol)
+{
+	int s = socket(domain, type & ~(SOCK_CLOEXEC | SOCK_NONBLOCK), protocol);
+	int flags;
+	if (s == -1)
+		return s;
+
+	if (type & SOCK_CLOEXEC) {
+		flags = fcntl(s, F_GETFD);
+		fcntl(s, F_SETFD, flags | FD_CLOEXEC);
+	}
+
+	if (type & SOCK_NONBLOCK) {
+		flags = fcntl(s, F_GETFL);
+		fcntl(s, F_SETFL, flags | O_NONBLOCK);
+	}
+	return s;
+}
+
+#endif

apps/nc/compat/strtonum.c

@@ -0,0 +1,65 @@
+/*	$OpenBSD: strtonum.c,v 1.7 2013/04/17 18:40:58 tedu Exp $	*/
+
+/*
+ * Copyright (c) 2004 Ted Unangst and Todd Miller
+ * All rights reserved.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+ * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+ * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+
+#include <errno.h>
+#include <limits.h>
+#include <stdlib.h>
+
+#define	INVALID		1
+#define	TOOSMALL	2
+#define	TOOLARGE	3
+
+long long
+strtonum(const char *numstr, long long minval, long long maxval,
+    const char **errstrp)
+{
+	long long ll = 0;
+	int error = 0;
+	char *ep;
+	struct errval {
+		const char *errstr;
+		int err;
+	} ev[4] = {
+		{ NULL,		0 },
+		{ "invalid",	EINVAL },
+		{ "too small",	ERANGE },
+		{ "too large",	ERANGE },
+	};
+
+	ev[0].err = errno;
+	errno = 0;
+	if (minval > maxval) {
+		error = INVALID;
+	} else {
+		ll = strtoll(numstr, &ep, 10);
+		if (numstr == ep || *ep != '\0')
+			error = INVALID;
+		else if ((ll == LLONG_MIN && errno == ERANGE) || ll < minval)
+			error = TOOSMALL;
+		else if ((ll == LLONG_MAX && errno == ERANGE) || ll > maxval)
+			error = TOOLARGE;
+	}
+	if (errstrp != NULL)
+		*errstrp = ev[error].errstr;
+	errno = ev[error].err;
+	if (error)
+		ll = 0;
+
+	return (ll);
+}

apps/nc/compat/sys/socket.h

@@ -0,0 +1,31 @@
+/*
+ * Public domain
+ * sys/socket.h compatibility shim
+ */
+
+#ifndef _WIN32
+#include_next <sys/socket.h>
+
+#if !defined(SOCK_NONBLOCK) || !defined(SOCK_CLOEXEC)
+#define NEED_SOCKET_FLAGS
+int _socket(int domain, int type, int protocol);
+#ifndef SOCKET_FLAGS_PRIV
+#define socket(d, t, p) _socket(d, t, p)
+#endif
+#endif
+
+#ifndef SOCK_NONBLOCK
+#define	SOCK_NONBLOCK		0x4000	/* set O_NONBLOCK */
+#endif
+
+#ifndef SOCK_CLOEXEC
+#define	SOCK_CLOEXEC		0x8000	/* set FD_CLOEXEC */
+#endif
+
+#ifndef HAVE_ACCEPT4
+int accept4(int s, struct sockaddr *addr, socklen_t *addrlen, int flags);
+#endif
+
+#else
+#include <win32netcompat.h>
+#endif

apps/openssl/Makefile.am

@@ -0,0 +1,118 @@
+include $(top_srcdir)/Makefile.am.common
+
+bin_PROGRAMS = openssl
+
+dist_man_MANS = openssl.1
+
+openssl_LDADD = $(PLATFORM_LDADD) $(PROG_LDADD)
+openssl_LDADD += $(top_builddir)/ssl/libssl.la
+openssl_LDADD += $(top_builddir)/crypto/libcrypto.la
+
+openssl_SOURCES = apps.c
+openssl_SOURCES += asn1pars.c
+openssl_SOURCES += ca.c
+openssl_SOURCES += ciphers.c
+openssl_SOURCES += cms.c
+openssl_SOURCES += crl.c
+openssl_SOURCES += crl2p7.c
+openssl_SOURCES += dgst.c
+openssl_SOURCES += dh.c
+openssl_SOURCES += dhparam.c
+openssl_SOURCES += dsa.c
+openssl_SOURCES += dsaparam.c
+openssl_SOURCES += ec.c
+openssl_SOURCES += ecparam.c
+openssl_SOURCES += enc.c
+openssl_SOURCES += errstr.c
+openssl_SOURCES += gendh.c
+openssl_SOURCES += gendsa.c
+openssl_SOURCES += genpkey.c
+openssl_SOURCES += genrsa.c
+openssl_SOURCES += nseq.c
+openssl_SOURCES += ocsp.c
+openssl_SOURCES += openssl.c
+openssl_SOURCES += passwd.c
+openssl_SOURCES += pkcs12.c
+openssl_SOURCES += pkcs7.c
+openssl_SOURCES += pkcs8.c
+openssl_SOURCES += pkey.c
+openssl_SOURCES += pkeyparam.c
+openssl_SOURCES += pkeyutl.c
+openssl_SOURCES += prime.c
+openssl_SOURCES += rand.c
+openssl_SOURCES += req.c
+openssl_SOURCES += rsa.c
+openssl_SOURCES += rsautl.c
+openssl_SOURCES += s_cb.c
+openssl_SOURCES += s_client.c
+openssl_SOURCES += s_server.c
+openssl_SOURCES += s_socket.c
+openssl_SOURCES += s_time.c
+openssl_SOURCES += sess_id.c
+openssl_SOURCES += smime.c
+openssl_SOURCES += speed.c
+openssl_SOURCES += spkac.c
+openssl_SOURCES += ts.c
+openssl_SOURCES += verify.c
+openssl_SOURCES += version.c
+openssl_SOURCES += x509.c
+
+if BUILD_CERTHASH
+openssl_SOURCES += certhash.c
+else
+openssl_SOURCES += compat/certhash_win.c
+endif
+
+if HOST_WIN
+openssl_SOURCES += compat/apps_win.c
+else
+openssl_SOURCES += apps_posix.c
+endif
+
+if !HAVE_POLL
+if HOST_WIN
+openssl_SOURCES += compat/poll_win.c
+endif
+endif
+
+if !HAVE_STRTONUM
+openssl_SOURCES += compat/strtonum.c
+endif
+
+noinst_HEADERS = apps.h
+noinst_HEADERS += progs.h
+noinst_HEADERS += s_apps.h
+noinst_HEADERS += testdsa.h
+noinst_HEADERS += testrsa.h
+noinst_HEADERS += timeouts.h
+
+EXTRA_DIST = cert.pem
+EXTRA_DIST += openssl.cnf
+EXTRA_DIST += x509v3.cnf
+
+install-exec-hook:
+	@if [ "@OPENSSLDIR@x" != "x" ]; then \
+		OPENSSLDIR="$(DESTDIR)/@OPENSSLDIR@"; \
+	else \
+		OPENSSLDIR="$(DESTDIR)/$(sysconfdir)/ssl"; \
+	fi; \
+	mkdir -p "$$OPENSSLDIR/certs"; \
+	for i in cert.pem openssl.cnf x509v3.cnf; do \
+		if [ ! -f "$$OPENSSLDIR/$i" ]; then \
+			$(INSTALL) -m 644 "$(srcdir)/$$i" "$$OPENSSLDIR/$$i"; \
+		else \
+			echo " $$OPENSSLDIR/$$i already exists, install will not overwrite"; \
+		fi \
+	done
+
+uninstall-local:
+	@if [ "@OPENSSLDIR@x" != "x" ]; then \
+		OPENSSLDIR="$(DESTDIR)/@OPENSSLDIR@"; \
+	else \
+		OPENSSLDIR="$(DESTDIR)/$(sysconfdir)/ssl"; \
+	fi; \
+	for i in cert.pem openssl.cnf x509v3.cnf; do \
+		if cmp -s "$$OPENSSLDIR/$$i" "$(srcdir)/$$i"; then \
+			rm -f "$$OPENSSLDIR/$$i"; \
+		fi \
+	done

apps/openssl/compat/apps_win.c

@@ -0,0 +1,60 @@
+/*
+ * Public domain
+ *
+ * Dongsheng Song <dongsheng.song@gmail.com>
+ * Brent Cook <bcook@openbsd.org>
+ */
+
+#include <windows.h>
+
+#include <io.h>
+#include <fcntl.h>
+
+#include <apps.h>
+
+double
+app_tminterval(int stop, int usertime)
+{
+	static unsigned __int64 tmstart;
+	union {
+		unsigned __int64 u64;
+		FILETIME ft;
+	} ct, et, kt, ut;
+
+	GetProcessTimes(GetCurrentProcess(), &ct.ft, &et.ft, &kt.ft, &ut.ft);
+
+	if (stop == TM_START) {
+		tmstart = ut.u64 + kt.u64;
+	} else {
+		return (ut.u64 + kt.u64 - tmstart) / (double) 10000000;
+	}
+	return 0;
+}
+
+int
+setup_ui(void)
+{
+	ui_method = UI_create_method("OpenSSL application user interface");
+	UI_method_set_opener(ui_method, ui_open);
+	UI_method_set_reader(ui_method, ui_read);
+	UI_method_set_writer(ui_method, ui_write);
+	UI_method_set_closer(ui_method, ui_close);
+
+	/*
+	 * Set STDIO to binary
+	 */
+	_setmode(_fileno(stdin), _O_BINARY);
+	_setmode(_fileno(stdout), _O_BINARY);
+	_setmode(_fileno(stderr), _O_BINARY);
+
+	return 0;
+}
+
+void
+destroy_ui(void)
+{
+	if (ui_method) {
+		UI_destroy_method(ui_method);
+		ui_method = NULL;
+	}
+}

apps/openssl/compat/certhash_win.c

@@ -3,7 +3,7 @@
  * certhash dummy implementation for platforms without symlinks
  */
 
-#include "apps.h"
+#include <apps.h>
 
 int
 certhash_main(int argc, char **argv)

check-release.sh

@@ -0,0 +1,70 @@
+#!/bin/sh
+set -e
+
+ver=$1
+dir=libressl-$ver
+tarball=$dir.tar.gz
+tag=v$ver
+
+if [ -z "$LIBRESSL_SSH" ]; then
+	if ! curl -v 1>/dev/null 2>&1; then
+		download="curl -O"
+	elif echo quit | ftp 1>/dev/null 2>&1; then
+		download=ftp
+	else
+		echo "need 'ftp' or 'curl' to verify"
+		exit
+	fi
+fi
+
+if [ "$ver" = "" ]; then
+	echo "please specify a version to check, e.g. $0 2.1.2"
+	exit
+fi
+
+if [ ! -e releases/$tarball ]; then
+	mkdir -p releases
+	rm -f $tarball
+	if [ -z "$LIBRESSL_SSH" ]; then
+		$download http://ftp.openbsd.org/pub/OpenBSD/LibreSSL/$tarball releases/
+		mv $tarball releases
+	else
+		scp $LIBRESSL_SSH/$tarball releases
+	fi
+	(cd releases; tar zxvf $tarball)
+fi
+
+if [ ! -e gen-releases/$tarball ]; then
+	rm -fr tests man include ssl crypto libtls-standalone/VERSION INSTALL
+	git checkout OPENBSD_BRANCH update.sh tests man include ssl crypto
+	git checkout $tag
+	echo "libressl-$tag" > OPENBSD_BRANCH
+	sed -i 's/git pull --rebase//' update.sh
+	./autogen.sh
+	./configure --enable-libtls
+	make dist
+
+	mkdir -p gen-releases
+	mv $tarball gen-releases
+
+	git checkout OPENBSD_BRANCH update.sh
+	git checkout master
+fi
+
+(cd gen-releases; rm -fr $dir; tar zxf $tarball)
+(cd releases; rm -fr $dir; tar zxf $tarball)
+
+echo "differences between release and regenerated release tag:"
+diff -urN \
+	-x *.3 \
+	-x Makefile.in \
+	-x aclocal.m4 \
+	-x compile \
+	-x config.guess \
+	-x config.sub \
+	-x configure \
+	-x depcomp \
+	-x install-sh \
+	-x missing \
+	-x test-driver \
+	releases/$dir gen-releases/$dir

configure.ac

@@ -52,19 +52,13 @@ CHECK_LIBC_COMPAT
 CHECK_LIBC_CRYPTO_COMPAT
 CHECK_VA_COPY
 
-AC_CHECK_HEADERS([err.h])
-
 AC_ARG_WITH([openssldir],
 	AS_HELP_STRING([--with-openssldir],
 		       [Set the default openssl directory]),
-	AC_DEFINE_UNQUOTED(OPENSSLDIR, "$withval")
-)
-
-AC_ARG_WITH([enginesdir],
-	AS_HELP_STRING([--with-enginesdir],
-		       [Set the default engines directory (use with openssldir)]),
-	AC_DEFINE_UNQUOTED(ENGINESDIR, "$withval")
+	OPENSSLDIR="$withval"
+	AC_SUBST(OPENSSLDIR)
 )
+AM_CONDITIONAL([OPENSSLDIR_DEFINED], [test x$with_openssldir != x])
 
 AC_ARG_ENABLE([extratests],
 	AS_HELP_STRING([--enable-extratests], [Enable extra tests that may be unreliable on some platforms]))
@@ -90,8 +84,24 @@ case $host_cpu in
 		AS_IF([test "x$BSWAP4" = "xyes"],,
 		    CPPFLAGS="$CPPFLAGS -D__STRICT_ALIGNMENT")
 		;;
+	*amd64*)
+		host_cpu=x86_64
+		;;
+
 esac
 
+AC_MSG_CHECKING([if .gnu.warning accepts long strings])
+AC_LINK_IFELSE([AC_LANG_SOURCE([[
+extern void SSLv3_method();
+__asm__(".section .gnu.warning.SSLv3_method; .ascii \"SSLv3_method is insecure\" ; .text");
+int main() {return 0;}
+]])], [
+    AC_DEFINE(HAS_GNU_WARNING_LONG, 1, [Define if .gnu.warning accepts long strings.])
+    AC_MSG_RESULT(yes)
+], [
+   AC_MSG_RESULT(no)
+])
+
 AC_ARG_ENABLE([asm],
 	AS_HELP_STRING([--disable-asm], [Disable assembly]))
 AM_CONDITIONAL([OPENSSL_NO_ASM], [test "x$enable_asm" = "xno"])
@@ -111,6 +121,8 @@ AC_CONFIG_FILES([
 	tls/Makefile
 	tests/Makefile
 	apps/Makefile
+	apps/openssl/Makefile
+	apps/nc/Makefile
 	man/Makefile
 	libcrypto.pc
 	libssl.pc

crypto/CMakeLists.txt

@@ -0,0 +1,649 @@
+include_directories(
+	.
+	../include
+	../include/compat
+	asn1
+	dsa
+	evp
+	modes
+)
+
+set(
+	CRYPTO_SRC
+
+	aes/aes_cbc.c
+	aes/aes_core.c
+	camellia/camellia.c
+	camellia/cmll_cbc.c
+	rc4/rc4_enc.c
+	rc4/rc4_skey.c
+	whrlpool/wp_block.c
+	cpt_err.c
+	cryptlib.c
+	cversion.c
+	ex_data.c
+	malloc-wrapper.c
+	mem_clr.c
+	mem_dbg.c
+	o_init.c
+	o_str.c
+	o_time.c
+	aes/aes_cfb.c
+	aes/aes_ctr.c
+	aes/aes_ecb.c
+	aes/aes_ige.c
+	aes/aes_misc.c
+	aes/aes_ofb.c
+	aes/aes_wrap.c
+	asn1/a_bitstr.c
+	asn1/a_bool.c
+	asn1/a_bytes.c
+	asn1/a_d2i_fp.c
+	asn1/a_digest.c
+	asn1/a_dup.c
+	asn1/a_enum.c
+	asn1/a_gentm.c
+	asn1/a_i2d_fp.c
+	asn1/a_int.c
+	asn1/a_mbstr.c
+	asn1/a_object.c
+	asn1/a_octet.c
+	asn1/a_print.c
+	asn1/a_set.c
+	asn1/a_sign.c
+	asn1/a_strex.c
+	asn1/a_strnid.c
+	asn1/a_time.c
+	asn1/a_type.c
+	asn1/a_utctm.c
+	asn1/a_utf8.c
+	asn1/a_verify.c
+	asn1/ameth_lib.c
+	asn1/asn1_err.c
+	asn1/asn1_gen.c
+	asn1/asn1_lib.c
+	asn1/asn1_par.c
+	asn1/asn_mime.c
+	asn1/asn_moid.c
+	asn1/asn_pack.c
+	asn1/bio_asn1.c
+	asn1/bio_ndef.c
+	asn1/d2i_pr.c
+	asn1/d2i_pu.c
+	asn1/evp_asn1.c
+	asn1/f_enum.c
+	asn1/f_int.c
+	asn1/f_string.c
+	asn1/i2d_pr.c
+	asn1/i2d_pu.c
+	asn1/n_pkey.c
+	asn1/nsseq.c
+	asn1/p5_pbe.c
+	asn1/p5_pbev2.c
+	asn1/p8_pkey.c
+	asn1/t_bitst.c
+	asn1/t_crl.c
+	asn1/t_pkey.c
+	asn1/t_req.c
+	asn1/t_spki.c
+	asn1/t_x509.c
+	asn1/t_x509a.c
+	asn1/tasn_dec.c
+	asn1/tasn_enc.c
+	asn1/tasn_fre.c
+	asn1/tasn_new.c
+	asn1/tasn_prn.c
+	asn1/tasn_typ.c
+	asn1/tasn_utl.c
+	asn1/x_algor.c
+	asn1/x_attrib.c
+	asn1/x_bignum.c
+	asn1/x_crl.c
+	asn1/x_exten.c
+	asn1/x_info.c
+	asn1/x_long.c
+	asn1/x_name.c
+	asn1/x_nx509.c
+	asn1/x_pkey.c
+	asn1/x_pubkey.c
+	asn1/x_req.c
+	asn1/x_sig.c
+	asn1/x_spki.c
+	asn1/x_val.c
+	asn1/x_x509.c
+	asn1/x_x509a.c
+	bf/bf_cfb64.c
+	bf/bf_ecb.c
+	bf/bf_enc.c
+	bf/bf_ofb64.c
+	bf/bf_skey.c
+	bio/b_dump.c
+	bio/b_print.c
+	bio/b_sock.c
+	bio/bf_buff.c
+	bio/bf_nbio.c
+	bio/bf_null.c
+	bio/bio_cb.c
+	bio/bio_err.c
+	bio/bio_lib.c
+	bio/bss_acpt.c
+	bio/bss_bio.c
+	bio/bss_conn.c
+	bio/bss_dgram.c
+	bio/bss_fd.c
+	bio/bss_file.c
+	bio/bss_mem.c
+	bio/bss_null.c
+	bio/bss_sock.c
+	bn/bn_add.c
+	bn/bn_asm.c
+	bn/bn_blind.c
+	bn/bn_const.c
+	bn/bn_ctx.c
+	bn/bn_depr.c
+	bn/bn_div.c
+	bn/bn_err.c
+	bn/bn_exp.c
+	bn/bn_exp2.c
+	bn/bn_gcd.c
+	bn/bn_gf2m.c
+	bn/bn_kron.c
+	bn/bn_lib.c
+	bn/bn_mod.c
+	bn/bn_mont.c
+	bn/bn_mpi.c
+	bn/bn_mul.c
+	bn/bn_nist.c
+	bn/bn_prime.c
+	bn/bn_print.c
+	bn/bn_rand.c
+	bn/bn_recp.c
+	bn/bn_shift.c
+	bn/bn_sqr.c
+	bn/bn_sqrt.c
+	bn/bn_word.c
+	bn/bn_x931p.c
+	buffer/buf_err.c
+	buffer/buf_str.c
+	buffer/buffer.c
+	camellia/cmll_cfb.c
+	camellia/cmll_ctr.c
+	camellia/cmll_ecb.c
+	camellia/cmll_misc.c
+	camellia/cmll_ofb.c
+	cast/c_cfb64.c
+	cast/c_ecb.c
+	cast/c_enc.c
+	cast/c_ofb64.c
+	cast/c_skey.c
+	chacha/chacha.c
+	cmac/cm_ameth.c
+	cmac/cm_pmeth.c
+	cmac/cmac.c
+	comp/c_rle.c
+	comp/c_zlib.c
+	comp/comp_err.c
+	comp/comp_lib.c
+	conf/conf_api.c
+	conf/conf_def.c
+	conf/conf_err.c
+	conf/conf_lib.c
+	conf/conf_mall.c
+	conf/conf_mod.c
+	conf/conf_sap.c
+	des/cbc_cksm.c
+	des/cbc_enc.c
+	des/cfb64ede.c
+	des/cfb64enc.c
+	des/cfb_enc.c
+	des/des_enc.c
+	des/ecb3_enc.c
+	des/ecb_enc.c
+	des/ede_cbcm_enc.c
+	des/enc_read.c
+	des/enc_writ.c
+	des/fcrypt.c
+	des/fcrypt_b.c
+	des/ofb64ede.c
+	des/ofb64enc.c
+	des/ofb_enc.c
+	des/pcbc_enc.c
+	des/qud_cksm.c
+	des/rand_key.c
+	des/set_key.c
+	des/str2key.c
+	des/xcbc_enc.c
+	dh/dh_ameth.c
+	dh/dh_asn1.c
+	dh/dh_check.c
+	dh/dh_depr.c
+	dh/dh_err.c
+	dh/dh_gen.c
+	dh/dh_key.c
+	dh/dh_lib.c
+	dh/dh_pmeth.c
+	dh/dh_prn.c
+	dsa/dsa_ameth.c
+	dsa/dsa_asn1.c
+	dsa/dsa_depr.c
+	dsa/dsa_err.c
+	dsa/dsa_gen.c
+	dsa/dsa_key.c
+	dsa/dsa_lib.c
+	dsa/dsa_ossl.c
+	dsa/dsa_pmeth.c
+	dsa/dsa_prn.c
+	dsa/dsa_sign.c
+	dsa/dsa_vrf.c
+	dso/dso_dlfcn.c
+	dso/dso_err.c
+	dso/dso_lib.c
+	dso/dso_null.c
+	dso/dso_openssl.c
+	ec/ec2_mult.c
+	ec/ec2_oct.c
+	ec/ec2_smpl.c
+	ec/ec_ameth.c
+	ec/ec_asn1.c
+	ec/ec_check.c
+	ec/ec_curve.c
+	ec/ec_cvt.c
+	ec/ec_err.c
+	ec/ec_key.c
+	ec/ec_lib.c
+	ec/ec_mult.c
+	ec/ec_oct.c
+	ec/ec_pmeth.c
+	ec/ec_print.c
+	ec/eck_prn.c
+	ec/ecp_mont.c
+	ec/ecp_nist.c
+	ec/ecp_oct.c
+	ec/ecp_smpl.c
+	ecdh/ech_err.c
+	ecdh/ech_key.c
+	ecdh/ech_lib.c
+	ecdsa/ecs_asn1.c
+	ecdsa/ecs_err.c
+	ecdsa/ecs_lib.c
+	ecdsa/ecs_ossl.c
+	ecdsa/ecs_sign.c
+	ecdsa/ecs_vrf.c
+	engine/eng_all.c
+	engine/eng_cnf.c
+	engine/eng_ctrl.c
+	engine/eng_dyn.c
+	engine/eng_err.c
+	engine/eng_fat.c
+	engine/eng_init.c
+	engine/eng_lib.c
+	engine/eng_list.c
+	engine/eng_openssl.c
+	engine/eng_pkey.c
+	engine/eng_table.c
+	engine/tb_asnmth.c
+	engine/tb_cipher.c
+	engine/tb_dh.c
+	engine/tb_digest.c
+	engine/tb_dsa.c
+	engine/tb_ecdh.c
+	engine/tb_ecdsa.c
+	engine/tb_pkmeth.c
+	engine/tb_rand.c
+	engine/tb_rsa.c
+	engine/tb_store.c
+	err/err.c
+	err/err_all.c
+	err/err_prn.c
+	evp/bio_b64.c
+	evp/bio_enc.c
+	evp/bio_md.c
+	evp/c_all.c
+	evp/digest.c
+	evp/e_aes.c
+	evp/e_aes_cbc_hmac_sha1.c
+	evp/e_bf.c
+	evp/e_camellia.c
+	evp/e_cast.c
+	evp/e_chacha.c
+	evp/e_chacha20poly1305.c
+	evp/e_des.c
+	evp/e_des3.c
+	evp/e_gost2814789.c
+	evp/e_idea.c
+	evp/e_null.c
+	evp/e_old.c
+	evp/e_rc2.c
+	evp/e_rc4.c
+	evp/e_rc4_hmac_md5.c
+	evp/e_xcbc_d.c
+	evp/encode.c
+	evp/evp_aead.c
+	evp/evp_enc.c
+	evp/evp_err.c
+	evp/evp_key.c
+	evp/evp_lib.c
+	evp/evp_pbe.c
+	evp/evp_pkey.c
+	evp/m_dss.c
+	evp/m_dss1.c
+	evp/m_ecdsa.c
+	evp/m_gost2814789.c
+	evp/m_gostr341194.c
+	evp/m_md4.c
+	evp/m_md5.c
+	evp/m_null.c
+	evp/m_ripemd.c
+	evp/m_sha1.c
+	evp/m_sigver.c
+	evp/m_streebog.c
+	evp/m_wp.c
+	evp/names.c
+	evp/p5_crpt.c
+	evp/p5_crpt2.c
+	evp/p_dec.c
+	evp/p_enc.c
+	evp/p_lib.c
+	evp/p_open.c
+	evp/p_seal.c
+	evp/p_sign.c
+	evp/p_verify.c
+	evp/pmeth_fn.c
+	evp/pmeth_gn.c
+	evp/pmeth_lib.c
+	gost/gost2814789.c
+	gost/gost89_keywrap.c
+	gost/gost89_params.c
+	gost/gost89imit_ameth.c
+	gost/gost89imit_pmeth.c
+	gost/gost_asn1.c
+	gost/gost_err.c
+	gost/gostr341001.c
+	gost/gostr341001_ameth.c
+	gost/gostr341001_key.c
+	gost/gostr341001_params.c
+	gost/gostr341001_pmeth.c
+	gost/gostr341194.c
+	gost/streebog.c
+	hmac/hm_ameth.c
+	hmac/hm_pmeth.c
+	hmac/hmac.c
+	idea/i_cbc.c
+	idea/i_cfb64.c
+	idea/i_ecb.c
+	idea/i_ofb64.c
+	idea/i_skey.c
+	krb5/krb5_asn.c
+	lhash/lh_stats.c
+	lhash/lhash.c
+	md4/md4_dgst.c
+	md4/md4_one.c
+	md5/md5_dgst.c
+	md5/md5_one.c
+	modes/cbc128.c
+	modes/ccm128.c
+	modes/cfb128.c
+	modes/ctr128.c
+	modes/cts128.c
+	modes/gcm128.c
+	modes/ofb128.c
+	modes/xts128.c
+	objects/o_names.c
+	objects/obj_dat.c
+	objects/obj_err.c
+	objects/obj_lib.c
+	objects/obj_xref.c
+	ocsp/ocsp_asn.c
+	ocsp/ocsp_cl.c
+	ocsp/ocsp_err.c
+	ocsp/ocsp_ext.c
+	ocsp/ocsp_ht.c
+	ocsp/ocsp_lib.c
+	ocsp/ocsp_prn.c
+	ocsp/ocsp_srv.c
+	ocsp/ocsp_vfy.c
+	pem/pem_all.c
+	pem/pem_err.c
+	pem/pem_info.c
+	pem/pem_lib.c
+	pem/pem_oth.c
+	pem/pem_pk8.c
+	pem/pem_pkey.c
+	pem/pem_seal.c
+	pem/pem_sign.c
+	pem/pem_x509.c
+	pem/pem_xaux.c
+	pem/pvkfmt.c
+	pkcs12/p12_add.c
+	pkcs12/p12_asn.c
+	pkcs12/p12_attr.c
+	pkcs12/p12_crpt.c
+	pkcs12/p12_crt.c
+	pkcs12/p12_decr.c
+	pkcs12/p12_init.c
+	pkcs12/p12_key.c
+	pkcs12/p12_kiss.c
+	pkcs12/p12_mutl.c
+	pkcs12/p12_npas.c
+	pkcs12/p12_p8d.c
+	pkcs12/p12_p8e.c
+	pkcs12/p12_utl.c
+	pkcs12/pk12err.c
+	pkcs7/bio_pk7.c
+	pkcs7/pk7_asn1.c
+	pkcs7/pk7_attr.c
+	pkcs7/pk7_doit.c
+	pkcs7/pk7_lib.c
+	pkcs7/pk7_mime.c
+	pkcs7/pk7_smime.c
+	pkcs7/pkcs7err.c
+	poly1305/poly1305.c
+	rand/rand_err.c
+	rand/rand_lib.c
+	rand/randfile.c
+	rc2/rc2_cbc.c
+	rc2/rc2_ecb.c
+	rc2/rc2_skey.c
+	rc2/rc2cfb64.c
+	rc2/rc2ofb64.c
+	ripemd/rmd_dgst.c
+	ripemd/rmd_one.c
+	rsa/rsa_ameth.c
+	rsa/rsa_asn1.c
+	rsa/rsa_chk.c
+	rsa/rsa_crpt.c
+	rsa/rsa_depr.c
+	rsa/rsa_eay.c
+	rsa/rsa_err.c
+	rsa/rsa_gen.c
+	rsa/rsa_lib.c
+	rsa/rsa_none.c
+	rsa/rsa_oaep.c
+	rsa/rsa_pk1.c
+	rsa/rsa_pmeth.c
+	rsa/rsa_prn.c
+	rsa/rsa_pss.c
+	rsa/rsa_saos.c
+	rsa/rsa_sign.c
+	rsa/rsa_ssl.c
+	rsa/rsa_x931.c
+	sha/sha1_one.c
+	sha/sha1dgst.c
+	sha/sha256.c
+	sha/sha512.c
+	stack/stack.c
+	ts/ts_asn1.c
+	ts/ts_conf.c
+	ts/ts_err.c
+	ts/ts_lib.c
+	ts/ts_req_print.c
+	ts/ts_req_utils.c
+	ts/ts_rsp_print.c
+	ts/ts_rsp_sign.c
+	ts/ts_rsp_utils.c
+	ts/ts_rsp_verify.c
+	ts/ts_verify_ctx.c
+	txt_db/txt_db.c
+	ui/ui_err.c
+	ui/ui_lib.c
+	ui/ui_util.c
+	whrlpool/wp_dgst.c
+	x509/by_dir.c
+	x509/by_file.c
+	x509/by_mem.c
+	x509/x509_att.c
+	x509/x509_cmp.c
+	x509/x509_d2.c
+	x509/x509_def.c
+	x509/x509_err.c
+	x509/x509_ext.c
+	x509/x509_lu.c
+	x509/x509_obj.c
+	x509/x509_r2x.c
+	x509/x509_req.c
+	x509/x509_set.c
+	x509/x509_trs.c
+	x509/x509_txt.c
+	x509/x509_v3.c
+	x509/x509_vfy.c
+	x509/x509_vpm.c
+	x509/x509cset.c
+	x509/x509name.c
+	x509/x509rset.c
+	x509/x509spki.c
+	x509/x509type.c
+	x509/x_all.c
+	x509v3/pcy_cache.c
+	x509v3/pcy_data.c
+	x509v3/pcy_lib.c
+	x509v3/pcy_map.c
+	x509v3/pcy_node.c
+	x509v3/pcy_tree.c
+	x509v3/v3_akey.c
+	x509v3/v3_akeya.c
+	x509v3/v3_alt.c
+	x509v3/v3_bcons.c
+	x509v3/v3_bitst.c
+	x509v3/v3_conf.c
+	x509v3/v3_cpols.c
+	x509v3/v3_crld.c
+	x509v3/v3_enum.c
+	x509v3/v3_extku.c
+	x509v3/v3_genn.c
+	x509v3/v3_ia5.c
+	x509v3/v3_info.c
+	x509v3/v3_int.c
+	x509v3/v3_lib.c
+	x509v3/v3_ncons.c
+	x509v3/v3_ocsp.c
+	x509v3/v3_pci.c
+	x509v3/v3_pcia.c
+	x509v3/v3_pcons.c
+	x509v3/v3_pku.c
+	x509v3/v3_pmaps.c
+	x509v3/v3_prn.c
+	x509v3/v3_purp.c
+	x509v3/v3_skey.c
+	x509v3/v3_sxnet.c
+	x509v3/v3_utl.c
+	x509v3/v3err.c
+)
+
+if(CMAKE_HOST_UNIX)
+	set(CRYPTO_SRC ${CRYPTO_SRC} bio/b_posix.c)
+	set(CRYPTO_SRC ${CRYPTO_SRC} bio/bss_log.c)
+	set(CRYPTO_SRC ${CRYPTO_SRC} ui/ui_openssl.c)
+endif()
+
+if(CMAKE_HOST_WIN32)
+	set(CRYPTO_SRC ${CRYPTO_SRC} bio/b_win.c)
+	set(CRYPTO_SRC ${CRYPTO_SRC} ui/ui_openssl_win.c)
+endif()
+
+if(CMAKE_HOST_WIN32)
+	set(CRYPTO_SRC ${CRYPTO_SRC} compat/posix_win.c)
+endif()
+
+if(NOT HAVE_ASPRINTF)
+	set(CRYPTO_SRC ${CRYPTO_SRC} compat/bsd-asprintf.c)
+endif()
+
+if(NOT HAVE_INET_PTON)
+	set(CRYPTO_SRC ${CRYPTO_SRC} compat/inet_pton.c)
+endif()
+
+if(NOT HAVE_REALLOCARRAY)
+	set(CRYPTO_SRC ${CRYPTO_SRC} compat/reallocarray.c)
+endif()
+
+if(NOT HAVE_STRCASECMP)
+	set(CRYPTO_SRC ${CRYPTO_SRC} compat/strcasecmp.c)
+endif()
+
+if(NOT HAVE_STRLCAT)
+	set(CRYPTO_SRC ${CRYPTO_SRC} compat/strlcat.c)
+endif()
+
+if(NOT HAVE_STRLCPY)
+	set(CRYPTO_SRC ${CRYPTO_SRC} compat/strlcpy.c)
+endif()
+
+if(NOT HAVE_STRNDUP)
+	set(CRYPTO_SRC ${CRYPTO_SRC} compat/strndup.c)
+	if(NOT HAVE_STRNLEN)
+		set(CRYPTO_SRC ${CRYPTO_SRC} compat/strnlen.c)
+	endif()
+endif()
+
+if(NOT HAVE_EXPLICIT_BZERO)
+	if(CMAKE_HOST_WIN32)
+		set(CRYPTO_SRC ${CRYPTO_SRC} compat/explicit_bzero_win.c)
+	else()
+		set(CRYPTO_SRC ${CRYPTO_SRC} compat/explicit_bzero.c)
+		set_source_files_properties(compat/explicit_bzero.c PROPERTIES COMPILE_FLAGS -O0)
+	endif()
+endif()
+
+if(NOT HAVE_ARC4RANDOM_BUF)
+	set(CRYPTO_SRC ${CRYPTO_SRC} compat/arc4random.c)
+
+	if(NOT HAVE_GETENTROPY)
+		if(CMAKE_HOST_WIN32)
+			set(CRYPTO_SRC ${CRYPTO_SRC} compat/getentropy_win.c)
+		elseif(CMAKE_SYSTEM_NAME MATCHES "AIX")
+			set(CRYPTO_SRC ${CRYPTO_SRC} compat/getentropy_aix.c)
+		elseif(CMAKE_SYSTEM_NAME MATCHES "FreeBSD")
+			set(CRYPTO_SRC ${CRYPTO_SRC} compat/getentropy_freebsd.c)
+		elseif(CMAKE_SYSTEM_NAME MATCHES "Linux")
+			set(CRYPTO_SRC ${CRYPTO_SRC} compat/getentropy_linux.c)
+		elseif(CMAKE_SYSTEM_NAME MATCHES "NetBSD")
+			set(CRYPTO_SRC ${CRYPTO_SRC} compat/getentropy_netbsd.c)
+		elseif(CMAKE_SYSTEM_NAME MATCHES "Darwin")
+			set(CRYPTO_SRC ${CRYPTO_SRC} compat/getentropy_darwin.c)
+		elseif(CMAKE_SYSTEM_NAME MATCHES "SunOS")
+			set(CRYPTO_SRC ${CRYPTO_SRC} compat/getentropy_solaris.c)
+		endif()
+	endif()
+endif()
+
+if(NOT HAVE_TIMINGSAFE_BCMP)
+	set(CRYPTO_SRC ${CRYPTO_SRC} compat/timingsafe_bcmp.c)
+endif()
+
+if(NOT HAVE_TIMINGSAFE_MEMCMP)
+	set(CRYPTO_SRC ${CRYPTO_SRC} compat/timingsafe_memcmp.c)
+endif()
+
+if (BUILD_SHARED)
+	add_library(crypto-objects OBJECT ${CRYPTO_SRC})
+	add_library(crypto STATIC $<TARGET_OBJECTS:crypto-objects>)
+	add_library(crypto-shared SHARED $<TARGET_OBJECTS:crypto-objects>)
+	set_target_properties(crypto-shared PROPERTIES OUTPUT_NAME crypto)
+	set_target_properties(crypto-shared PROPERTIES VERSION
+		${CRYPTO_VERSION} SOVERSION ${CRYPTO_MAJOR_VERSION})
+	install(TARGETS crypto crypto-shared DESTINATION lib)
+else()
+	add_library(crypto STATIC ${CRYPTO_SRC})
+	install(TARGETS crypto DESTINATION lib)
+endif()
+

crypto/Makefile.am

@@ -7,10 +7,15 @@ AM_CFLAGS += -I$(top_srcdir)/crypto/modes
 lib_LTLIBRARIES = libcrypto.la
 
 EXTRA_DIST = VERSION
+EXTRA_DIST += CMakeLists.txt
+
+# needed for a CMake target
+EXTRA_DIST += compat/strcasecmp.c
 
 libcrypto_la_LDFLAGS = -version-info @LIBCRYPTO_VERSION@ -no-undefined
 libcrypto_la_LIBADD = libcompat.la libcompatnoopt.la
-libcrypto_la_CPPFLAGS = -DOPENSSL_NO_HW_PADLOCK
+libcrypto_la_CPPFLAGS = -DLIBRESSL_INTERNAL
+libcrypto_la_CPPFLAGS += -DOPENSSL_NO_HW_PADLOCK
 if OPENSSL_NO_ASM
 libcrypto_la_CPPFLAGS += -DOPENSSL_NO_ASM
 else
@@ -19,6 +24,12 @@ libcrypto_la_CPPFLAGS += -DOPENSSL_NO_ASM
 endif
 endif
 
+if OPENSSLDIR_DEFINED
+libcrypto_la_CPPFLAGS += -DOPENSSLDIR=\"@OPENSSLDIR@\"
+else
+libcrypto_la_CPPFLAGS += -DOPENSSLDIR=\"$(sysconfdir)/ssl\"
+endif
+
 noinst_LTLIBRARIES = libcompat.la libcompatnoopt.la
 
 # compatibility functions that need to be built without optimizations
@@ -26,8 +37,12 @@ libcompatnoopt_la_CFLAGS = -O0
 libcompatnoopt_la_SOURCES =
 
 if !HAVE_EXPLICIT_BZERO
+if HOST_WIN
+libcompatnoopt_la_SOURCES += compat/explicit_bzero_win.c
+else
 libcompatnoopt_la_SOURCES += compat/explicit_bzero.c
 endif
+endif
 
 # other compatibility functions
 libcompat_la_SOURCES =
@@ -229,7 +244,9 @@ libcrypto_la_SOURCES += bio/bss_conn.c
 libcrypto_la_SOURCES += bio/bss_dgram.c
 libcrypto_la_SOURCES += bio/bss_fd.c
 libcrypto_la_SOURCES += bio/bss_file.c
+if !HOST_WIN
 libcrypto_la_SOURCES += bio/bss_log.c
+endif
 libcrypto_la_SOURCES += bio/bss_mem.c
 libcrypto_la_SOURCES += bio/bss_null.c
 libcrypto_la_SOURCES += bio/bss_sock.c
@@ -402,7 +419,6 @@ noinst_HEADERS += ec/ec_lcl.h
 libcrypto_la_SOURCES += ecdh/ech_err.c
 libcrypto_la_SOURCES += ecdh/ech_key.c
 libcrypto_la_SOURCES += ecdh/ech_lib.c
-libcrypto_la_SOURCES += ecdh/ech_ossl.c
 noinst_HEADERS += ecdh/ech_locl.h
 
 # ecdsa
@@ -426,7 +442,6 @@ libcrypto_la_SOURCES += engine/eng_lib.c
 libcrypto_la_SOURCES += engine/eng_list.c
 libcrypto_la_SOURCES += engine/eng_openssl.c
 libcrypto_la_SOURCES += engine/eng_pkey.c
-libcrypto_la_SOURCES += engine/eng_rsax.c
 libcrypto_la_SOURCES += engine/eng_table.c
 libcrypto_la_SOURCES += engine/tb_asnmth.c
 libcrypto_la_SOURCES += engine/tb_cipher.c
@@ -486,7 +501,6 @@ libcrypto_la_SOURCES += evp/m_md4.c
 libcrypto_la_SOURCES += evp/m_md5.c
 libcrypto_la_SOURCES += evp/m_null.c
 libcrypto_la_SOURCES += evp/m_ripemd.c
-libcrypto_la_SOURCES += evp/m_sha.c
 libcrypto_la_SOURCES += evp/m_sha1.c
 libcrypto_la_SOURCES += evp/m_sigver.c
 libcrypto_la_SOURCES += evp/m_streebog.c
@@ -680,8 +694,6 @@ libcrypto_la_SOURCES += sha/sha1_one.c
 libcrypto_la_SOURCES += sha/sha1dgst.c
 libcrypto_la_SOURCES += sha/sha256.c
 libcrypto_la_SOURCES += sha/sha512.c
-libcrypto_la_SOURCES += sha/sha_dgst.c
-libcrypto_la_SOURCES += sha/sha_one.c
 noinst_HEADERS += sha/sha_locl.h
 
 # stack

crypto/compat/explicit_bzero_win.c

@@ -0,0 +1,13 @@
+/*
+ * Public domain.
+ * Win32 explicit_bzero compatibility shim.
+ */
+
+#include <windows.h>
+#include <string.h>
+
+void
+explicit_bzero(void *buf, size_t len)
+{
+	SecureZeroMemory(buf, len);
+}

crypto/compat/posix_win.c

@@ -166,3 +166,34 @@ posix_setsockopt(int sockfd, int level, int optname,
 	int rc = setsockopt(sockfd, level, optname, (char *)optval, optlen);
 	return rc == 0 ? 0 : wsa_errno(WSAGetLastError());
 }
+
+#ifdef _MSC_VER
+int gettimeofday(struct timeval * tp, struct timezone * tzp)
+{
+	/*
+	 * Note: some broken versions only have 8 trailing zero's, the correct
+	 * epoch has 9 trailing zero's
+	 */
+	static const uint64_t EPOCH = ((uint64_t) 116444736000000000ULL);
+
+	SYSTEMTIME  system_time;
+	FILETIME    file_time;
+	uint64_t    time;
+
+	GetSystemTime(&system_time);
+	SystemTimeToFileTime(&system_time, &file_time);
+	time = ((uint64_t)file_time.dwLowDateTime);
+	time += ((uint64_t)file_time.dwHighDateTime) << 32;
+
+	tp->tv_sec = (long)((time - EPOCH) / 10000000L);
+	tp->tv_usec = (long)(system_time.wMilliseconds * 1000);
+	return 0;
+}
+
+unsigned int sleep(unsigned int seconds)
+{
+	Sleep(seconds * 1000);
+	return seconds;
+}
+
+#endif

crypto/compat/ui_openssl_win.c

@@ -133,6 +133,7 @@
 /* Define globals.  They are protected by a lock */
 static void (*savsig[NX509_SIG])(int );
 
+DWORD console_mode;
 static FILE *tty_in, *tty_out;
 static int is_a_tty;
 
@@ -285,7 +286,7 @@ error:
 	if (ps >= 1)
 		popsig();
 
-	OPENSSL_cleanse(result, BUFSIZ);
+	explicit_bzero(result, BUFSIZ);
 	return ok;
 }
 
@@ -300,28 +301,27 @@ open_console(UI *ui)
 	tty_in = stdin;
 	tty_out = stderr;
 
-	return 1;
+	HANDLE handle = GetStdHandle(STD_INPUT_HANDLE);
+	if (handle != INVALID_HANDLE_VALUE)
+		return GetConsoleMode(handle, &console_mode);
+	return 0;
 }
 
 static int
 noecho_console(UI *ui)
 {
-	DWORD mode = 0;
 	HANDLE handle = GetStdHandle(STD_INPUT_HANDLE);
-	if (handle != INVALID_HANDLE_VALUE && handle != handle) {
-		return GetConsoleMode(handle, &mode) && SetConsoleMode(handle, mode & (~ENABLE_ECHO_INPUT));
-	}
+	if (handle != INVALID_HANDLE_VALUE)
+		return SetConsoleMode(handle, console_mode & ~ENABLE_ECHO_INPUT);
 	return 0;
 }
 
 static int
 echo_console(UI *ui)
 {
-	DWORD mode = 0;
 	HANDLE handle = GetStdHandle(STD_INPUT_HANDLE);
-	if (handle != INVALID_HANDLE_VALUE && handle != handle) {
-		return GetConsoleMode(handle, &mode) && SetConsoleMode(handle, mode | ENABLE_ECHO_INPUT);
-	}
+	if (handle != INVALID_HANDLE_VALUE)
+		return SetConsoleMode(handle, console_mode);
 	return 0;
 }
 

dist-win.sh

@@ -29,20 +29,11 @@ for ARCH in X86 X64; do
 	make -j 4 install DESTDIR=`pwd`/stage-$ARCHDIR
 
 	mkdir -p $DIST/$ARCHDIR
-	#cp -a stage-$ARCHDIR/usr/local/lib/* $DIST/$ARCHDIR
 	if [ ! -e $DIST/include ]; then
-		cp -a stage-$ARCHDIR/usr/local/include $DIST
-		sed -i -e 'N;/\n.*__non/s/"\? *\n/ /;P;D' \
-		       $DIST/include/openssl/*.h $DIST/include/*.h
-		sed -i -e 'N;/\n.*__attr/s/"\? *\n/ /;P;D' \
-		       $DIST/include/openssl/*.h $DIST/include/*.h
-		sed -i -e "s/__attr.*;/;/"  \
-		       -e "s/sys\/time.h/winsock2.h/" \
-		       $DIST/include/openssl/*.h $DIST/include/*.h
+		cp -r stage-$ARCHDIR/usr/local/include $DIST
 	fi
 
 	cp stage-$ARCHDIR/usr/local/bin/* $DIST/$ARCHDIR
-	#cp /usr/$HOST/sys-root/mingw/bin/libssp* $DIST/$ARCHDIR
 
 	for i in libcrypto libssl libtls; do
 		DLL=$(basename `ls -1 $DIST/$ARCHDIR/$i*.dll`|cut -d. -f1)

dist.sh

@@ -1,7 +1,7 @@
 #!/bin/sh
 set -e
 
-rm -f man/*.1 man/*.3
+rm -f man/*.1 man/*.3 include/openssl/*.h
 ./autogen.sh
 ./configure
 make distcheck

gen-openbsd-tags.sh

@@ -0,0 +1,20 @@
+#!/bin/sh
+set -e
+
+for tag in `git tag`; do
+	branch=master
+	if [[ $tag = v2.0* ]]; then
+		branch=OPENBSD_5_6
+	elif [[ $tag = v2.1* ]]; then
+		branch=OPENBSD_5_7
+	elif [[ $tag = v2.2* ]]; then
+		branch=OPENBSD_5_8
+	elif [[ $tag = v2.3* ]]; then
+		branch=OPENBSD_5_9
+	fi
+	# adjust for 9 hour timezone delta between trees
+	release_ts=$((`git show -s --format=%ct $tag|tail -n1` + 32400))
+	commit=`git -C openbsd rev-list -n 1 --before=$release_ts $branch`
+	git -C openbsd tag -f libressl-$tag $commit
+	echo Tagged $tag as $commit in openbsd
+done

include/CMakeLists.txt

@@ -0,0 +1,5 @@
+install(DIRECTORY .
+        DESTINATION include
+        PATTERN "CMakeLists.txt" EXCLUDE
+        PATTERN "compat" EXCLUDE
+        PATTERN "Makefile.*" EXCLUDE)

include/Makefile.am

@@ -1,32 +1,41 @@
 include $(top_srcdir)/Makefile.am.common
 
+EXTRA_DIST = CMakeLists.txt
+
 SUBDIRS = openssl
 
-noinst_HEADERS = err.h
-noinst_HEADERS += netdb.h
-noinst_HEADERS += poll.h
-noinst_HEADERS += pqueue.h
-noinst_HEADERS += stdio.h
-noinst_HEADERS += stdlib.h
-noinst_HEADERS += string.h
-noinst_HEADERS += syslog.h
-noinst_HEADERS += unistd.h
-noinst_HEADERS += win32netcompat.h
+noinst_HEADERS = pqueue.h
+noinst_HEADERS += compat/dirent.h
+noinst_HEADERS += compat/dirent_msvc.h
+noinst_HEADERS += compat/err.h
+noinst_HEADERS += compat/netdb.h
+noinst_HEADERS += compat/poll.h
+noinst_HEADERS += compat/readpassphrase.h
+noinst_HEADERS += compat/stdio.h
+noinst_HEADERS += compat/stdlib.h
+noinst_HEADERS += compat/string.h
+noinst_HEADERS += compat/time.h
+noinst_HEADERS += compat/unistd.h
+noinst_HEADERS += compat/win32netcompat.h
 
-noinst_HEADERS += arpa/inet.h
-noinst_HEADERS += arpa/nameser.h
+noinst_HEADERS += compat/arpa/inet.h
+noinst_HEADERS += compat/arpa/nameser.h
 
-noinst_HEADERS += machine/endian.h
+noinst_HEADERS += compat/machine/endian.h
 
-noinst_HEADERS += netinet/in.h
-noinst_HEADERS += netinet/tcp.h
+noinst_HEADERS += compat/netinet/in.h
+noinst_HEADERS += compat/netinet/ip.h
+noinst_HEADERS += compat/netinet/tcp.h
 
-noinst_HEADERS += sys/ioctl.h
-noinst_HEADERS += sys/mman.h
-noinst_HEADERS += sys/select.h
-noinst_HEADERS += sys/socket.h
-noinst_HEADERS += sys/times.h
-noinst_HEADERS += sys/types.h
-noinst_HEADERS += sys/uio.h
+noinst_HEADERS += compat/sys/cdefs.h
+noinst_HEADERS += compat/sys/ioctl.h
+noinst_HEADERS += compat/sys/mman.h
+noinst_HEADERS += compat/sys/param.h
+noinst_HEADERS += compat/sys/select.h
+noinst_HEADERS += compat/sys/socket.h
+noinst_HEADERS += compat/sys/stat.h
+noinst_HEADERS += compat/sys/time.h
+noinst_HEADERS += compat/sys/types.h
+noinst_HEADERS += compat/sys/uio.h
 
 include_HEADERS = tls.h

include/compat/arpa/inet.h

@@ -15,5 +15,5 @@
 #endif
 
 #ifndef HAVE_INET_PTON
-int inet_pton(int af, const char * restrict src, void * restrict dst);
+int inet_pton(int af, const char * src, void * dst);
 #endif

include/compat/dirent.h

@@ -0,0 +1,17 @@
+/*
+ * Public domain
+ * dirent.h compatibility shim
+ */
+
+#ifndef LIBCRYPTOCOMPAT_DIRENT_H
+#define LIBCRYPTOCOMPAT_DIRENT_H
+
+#ifdef _MSC_VER
+#include <windows.h>
+#include <dirent_msvc.h>
+#else
+#include_next <dirent.h>
+#endif
+
+#endif
+

include/compat/dirent_msvc.h

@@ -0,0 +1,611 @@
+/*
+ * dirent.h - dirent API for Microsoft Visual Studio
+ *
+ * Copyright (C) 2006-2012 Toni Ronkko
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining
+ * a copy of this software and associated documentation files (the
+ * ``Software''), to deal in the Software without restriction, including
+ * without limitation the rights to use, copy, modify, merge, publish,
+ * distribute, sublicense, and/or sell copies of the Software, and to
+ * permit persons to whom the Software is furnished to do so, subject to
+ * the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be included
+ * in all copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED ``AS IS'', WITHOUT WARRANTY OF ANY KIND, EXPRESS
+ * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
+ * MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT.
+ * IN NO EVENT SHALL TONI RONKKO BE LIABLE FOR ANY CLAIM, DAMAGES OR
+ * OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE,
+ * ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR
+ * OTHER DEALINGS IN THE SOFTWARE.
+ *
+ * $Id: dirent.h,v 1.20 2014/03/19 17:52:23 tronkko Exp $
+ */
+#ifndef DIRENT_MSVC_H
+#define DIRENT_MSVC_H
+
+#include <windows.h>
+
+#if _MSC_VER >= 1900
+#include <../ucrt/stdio.h>
+#include <../ucrt/wchar.h>
+#include <../ucrt/string.h>
+#include <../ucrt/stdlib.h>
+#include <../ucrt/sys/types.h>
+#include <../ucrt/errno.h>
+#else
+#include <../include/stdio.h>
+#include <../include/wchar.h>
+#include <../include/string.h>
+#include <../include/stdlib.h>
+#include <../include/sys/types.h>
+#include <../include/errno.h>
+#endif
+
+#include <stdarg.h>
+#include <sys/stat.h>
+
+/* Indicates that d_type field is available in dirent structure */
+#define _DIRENT_HAVE_D_TYPE
+
+/* Indicates that d_namlen field is available in dirent structure */
+#define _DIRENT_HAVE_D_NAMLEN
+
+/* Maximum length of file name */
+#if !defined(PATH_MAX)
+#   define PATH_MAX MAX_PATH
+#endif
+#if !defined(FILENAME_MAX)
+#   define FILENAME_MAX MAX_PATH
+#endif
+#if !defined(NAME_MAX)
+#   define NAME_MAX FILENAME_MAX
+#endif
+
+/* Return the exact length of d_namlen without zero terminator */
+#define _D_EXACT_NAMLEN(p)((p)->d_namlen)
+
+/* Return number of bytes needed to store d_namlen */
+#define _D_ALLOC_NAMLEN(p)(PATH_MAX)
+
+/* Wide-character version */
+struct _wdirent {
+	long d_ino;                         /* Always zero */
+	unsigned short d_reclen;            /* Structure size */
+	size_t d_namlen;                    /* Length of name without \0 */
+	int d_type;                         /* File type */
+	wchar_t d_name[PATH_MAX];           /* File name */
+};
+typedef struct _wdirent _wdirent;
+
+struct _WDIR {
+	struct _wdirent ent;                /* Current directory entry */
+	WIN32_FIND_DATAW data;              /* Private file data */
+	int cached;                         /* True if data is valid */
+	HANDLE handle;                      /* Win32 search handle */
+	wchar_t *patt;                      /* Initial directory name */
+};
+typedef struct _WDIR _WDIR;
+
+static _WDIR *_wopendir(const wchar_t *dirname);
+static struct _wdirent *_wreaddir(_WDIR *dirp);
+static int _wclosedir(_WDIR *dirp);
+static void _wrewinddir(_WDIR* dirp);
+
+/* Multi-byte character versions */
+struct dirent {
+	long d_ino;                         /* Always zero */
+	unsigned short d_reclen;            /* Structure size */
+	size_t d_namlen;                    /* Length of name without \0 */
+	int d_type;                         /* File type */
+	char d_name[PATH_MAX];              /* File name */
+};
+typedef struct dirent dirent;
+
+struct DIR {
+	struct dirent ent;
+	struct _WDIR *wdirp;
+};
+typedef struct DIR DIR;
+
+static DIR *opendir(const char *dirname);
+static struct dirent *readdir(DIR *dirp);
+static int closedir(DIR *dirp);
+static void rewinddir(DIR* dirp);
+
+/* Internal utility functions */
+static WIN32_FIND_DATAW *dirent_first(_WDIR *dirp);
+static WIN32_FIND_DATAW *dirent_next(_WDIR *dirp);
+
+static int dirent_mbstowcs_s(
+	size_t *pReturnValue,
+	wchar_t *wcstr,
+	size_t sizeInWords,
+	const char *mbstr,
+	size_t count);
+
+static int dirent_wcstombs_s(
+	size_t *pReturnValue,
+	char *mbstr,
+	size_t sizeInBytes,
+	const wchar_t *wcstr,
+	size_t count);
+
+/*
+ * Open directory stream DIRNAME for read and return a pointer to the
+ * internal working area that is used to retrieve individual directory
+ * entries.
+ */
+static _WDIR*
+_wopendir(const wchar_t *dirname)
+{
+	_WDIR *dirp = NULL;
+	int error;
+
+	/* Must have directory name */
+	if (dirname == NULL  ||  dirname[0] == '\0') {
+		_set_errno(ENOENT);
+		return NULL;
+	}
+
+	/* Allocate new _WDIR structure */
+	dirp =(_WDIR*) malloc(sizeof(struct _WDIR));
+	if (dirp != NULL) {
+		DWORD n;
+
+		/* Reset _WDIR structure */
+		dirp->handle = INVALID_HANDLE_VALUE;
+		dirp->patt = NULL;
+		dirp->cached = 0;
+
+		/* Compute the length of full path plus zero terminator */
+		n = GetFullPathNameW(dirname, 0, NULL, NULL);
+
+		/* Allocate room for absolute directory name and search pattern */
+		dirp->patt =(wchar_t*) malloc(sizeof(wchar_t) * n + 16);
+		if (dirp->patt) {
+
+			/*
+			 * Convert relative directory name to an absolute one.  This
+			 * allows rewinddir() to function correctly even when current
+			 * working directory is changed between opendir() and rewinddir().
+			 */
+			n = GetFullPathNameW(dirname, n, dirp->patt, NULL);
+			if (n > 0) {
+				wchar_t *p;
+
+				/* Append search pattern \* to the directory name */
+				p = dirp->patt + n;
+				if (dirp->patt < p) {
+					switch(p[-1]) {
+					case '\\':
+					case '/':
+					case ':':
+						/* Directory ends in path separator, e.g. c:\temp\ */
+						/*NOP*/;
+						break;
+
+					default:
+						/* Directory name doesn't end in path separator */
+						*p++ = '\\';
+					}
+				}
+				*p++ = '*';
+				*p = '\0';
+
+				/* Open directory stream and retrieve the first entry */
+				if (dirent_first(dirp)) {
+					/* Directory stream opened successfully */
+					error = 0;
+				} else {
+					/* Cannot retrieve first entry */
+					error = 1;
+					_set_errno(ENOENT);
+				}
+
+			} else {
+				/* Cannot retrieve full path name */
+				_set_errno(ENOENT);
+				error = 1;
+			}
+
+		} else {
+			/* Cannot allocate memory for search pattern */
+			error = 1;
+		}
+
+	} else {
+		/* Cannot allocate _WDIR structure */
+		error = 1;
+	}
+
+	/* Clean up in case of error */
+	if (error  &&  dirp) {
+		_wclosedir(dirp);
+		dirp = NULL;
+	}
+
+	return dirp;
+}
+
+/*
+ * Read next directory entry.  The directory entry is returned in dirent
+ * structure in the d_name field.  Individual directory entries returned by
+ * this function include regular files, sub-directories, pseudo-directories
+ * "." and ".." as well as volume labels, hidden files and system files.
+ */
+static struct _wdirent*
+_wreaddir(_WDIR *dirp)
+{
+	WIN32_FIND_DATAW *datap;
+	struct _wdirent *entp;
+
+	/* Read next directory entry */
+	datap = dirent_next(dirp);
+	if (datap) {
+		size_t n;
+		DWORD attr;
+
+		/* Pointer to directory entry to return */
+		entp = &dirp->ent;
+
+		/*
+		 * Copy file name as wide-character string.  If the file name is too
+		 * long to fit in to the destination buffer, then truncate file name
+		 * to PATH_MAX characters and zero-terminate the buffer.
+		 */
+		n = 0;
+		while(n + 1 < PATH_MAX  &&  datap->cFileName[n] != 0) {
+			entp->d_name[n] = datap->cFileName[n];
+			n++;
+		}
+		dirp->ent.d_name[n] = 0;
+
+		/* Length of file name excluding zero terminator */
+		entp->d_namlen = n;
+
+		/* File type */
+		attr = datap->dwFileAttributes;
+		if ((attr & FILE_ATTRIBUTE_DEVICE) != 0) {
+			entp->d_type = DT_CHR;
+		} else if ((attr & FILE_ATTRIBUTE_DIRECTORY) != 0) {
+			entp->d_type = DT_DIR;
+		} else {
+			entp->d_type = DT_REG;
+		}
+
+		/* Reset dummy fields */
+		entp->d_ino = 0;
+		entp->d_reclen = sizeof(struct _wdirent);
+
+	} else {
+
+		/* Last directory entry read */
+		entp = NULL;
+
+	}
+
+	return entp;
+}
+
+/*
+ * Close directory stream opened by opendir() function.  This invalidates the
+ * DIR structure as well as any directory entry read previously by
+ * _wreaddir().
+ */
+static int
+_wclosedir(_WDIR *dirp)
+{
+	int ok;
+	if (dirp) {
+
+		/* Release search handle */
+		if (dirp->handle != INVALID_HANDLE_VALUE) {
+			FindClose(dirp->handle);
+			dirp->handle = INVALID_HANDLE_VALUE;
+		}
+
+		/* Release search pattern */
+		if (dirp->patt) {
+			free(dirp->patt);
+			dirp->patt = NULL;
+		}
+
+		/* Release directory structure */
+		free(dirp);
+		ok = /*success*/0;
+
+	} else {
+		/* Invalid directory stream */
+		_set_errno(EBADF);
+		ok = /*failure*/-1;
+	}
+	return ok;
+}
+
+/*
+ * Rewind directory stream such that _wreaddir() returns the very first
+ * file name again.
+ */
+static void
+_wrewinddir(_WDIR* dirp)
+{
+	if (dirp) {
+		/* Release existing search handle */
+		if (dirp->handle != INVALID_HANDLE_VALUE) {
+			FindClose(dirp->handle);
+		}
+
+		/* Open new search handle */
+		dirent_first(dirp);
+	}
+}
+
+/* Get first directory entry(internal) */
+static WIN32_FIND_DATAW*
+dirent_first(_WDIR *dirp)
+{
+	WIN32_FIND_DATAW *datap;
+
+	/* Open directory and retrieve the first entry */
+	dirp->handle = FindFirstFileW(dirp->patt, &dirp->data);
+	if (dirp->handle != INVALID_HANDLE_VALUE) {
+
+		/* a directory entry is now waiting in memory */
+		datap = &dirp->data;
+		dirp->cached = 1;
+
+	} else {
+
+		/* Failed to re-open directory: no directory entry in memory */
+		dirp->cached = 0;
+		datap = NULL;
+
+	}
+	return datap;
+}
+
+/* Get next directory entry(internal) */
+static WIN32_FIND_DATAW*
+dirent_next(_WDIR *dirp)
+{
+	WIN32_FIND_DATAW *p;
+
+	/* Get next directory entry */
+	if (dirp->cached != 0) {
+
+		/* A valid directory entry already in memory */
+		p = &dirp->data;
+		dirp->cached = 0;
+
+	} else if (dirp->handle != INVALID_HANDLE_VALUE) {
+
+		/* Get the next directory entry from stream */
+		if (FindNextFileW(dirp->handle, &dirp->data) != FALSE) {
+			/* Got a file */
+			p = &dirp->data;
+		} else {
+			/* The very last entry has been processed or an error occured */
+			FindClose(dirp->handle);
+			dirp->handle = INVALID_HANDLE_VALUE;
+			p = NULL;
+		}
+
+	} else {
+
+		/* End of directory stream reached */
+		p = NULL;
+
+	}
+
+	return p;
+}
+
+/*
+ * Open directory stream using plain old C-string.
+ */
+static DIR*
+opendir(const char *dirname)
+{
+	struct DIR *dirp;
+	int error;
+
+	/* Must have directory name */
+	if (dirname == NULL  ||  dirname[0] == '\0') {
+		_set_errno(ENOENT);
+		return NULL;
+	}
+
+	/* Allocate memory for DIR structure */
+	dirp =(DIR*) malloc(sizeof(struct DIR));
+	if (dirp) {
+		wchar_t wname[PATH_MAX];
+		size_t n;
+
+		/* Convert directory name to wide-character string */
+		error = dirent_mbstowcs_s(&n, wname, PATH_MAX, dirname, PATH_MAX);
+		if (!error) {
+
+			/* Open directory stream using wide-character name */
+			dirp->wdirp = _wopendir(wname);
+			if (dirp->wdirp) {
+				/* Directory stream opened */
+				error = 0;
+			} else {
+				/* Failed to open directory stream */
+				error = 1;
+			}
+
+		} else {
+			/*
+			 * Cannot convert file name to wide-character string.  This
+			 * occurs if the string contains invalid multi-byte sequences or
+			 * the output buffer is too small to contain the resulting
+			 * string.
+			 */
+			error = 1;
+		}
+
+	} else {
+		/* Cannot allocate DIR structure */
+		error = 1;
+	}
+
+	/* Clean up in case of error */
+	if (error  &&  dirp) {
+		free(dirp);
+		dirp = NULL;
+	}
+
+	return dirp;
+}
+
+/*
+ * Read next directory entry.
+ *
+ * When working with text consoles, please note that file names returned by
+ * readdir() are represented in the default ANSI code page while any output to
+ * console is typically formatted on another code page.  Thus, non-ASCII
+ * characters in file names will not usually display correctly on console.  The
+ * problem can be fixed in two ways:(1) change the character set of console
+ * to 1252 using chcp utility and use Lucida Console font, or(2) use
+ * _cprintf function when writing to console.  The _cprinf() will re-encode
+ * ANSI strings to the console code page so many non-ASCII characters will
+ * display correcly.
+ */
+static struct dirent*
+readdir(DIR *dirp)
+{
+	WIN32_FIND_DATAW *datap;
+	struct dirent *entp;
+
+	/* Read next directory entry */
+	datap = dirent_next(dirp->wdirp);
+	if (datap) {
+		size_t n;
+		int error;
+
+		/* Attempt to convert file name to multi-byte string */
+		error = dirent_wcstombs_s(
+			&n, dirp->ent.d_name, PATH_MAX, datap->cFileName, PATH_MAX);
+
+		/*
+		 * If the file name cannot be represented by a multi-byte string,
+		 * then attempt to use old 8+3 file name.  This allows traditional
+		 * Unix-code to access some file names despite of unicode
+		 * characters, although file names may seem unfamiliar to the user.
+		 *
+		 * Be ware that the code below cannot come up with a short file
+		 * name unless the file system provides one.  At least
+		 * VirtualBox shared folders fail to do this.
+		 */
+		if (error && datap->cAlternateFileName[0] != '\0') {
+			error = dirent_wcstombs_s(
+			    &n, dirp->ent.d_name, PATH_MAX,
+			    datap->cAlternateFileName, PATH_MAX);
+		}
+
+		if (!error) {
+			DWORD attr;
+
+			/* Initialize directory entry for return */
+			entp = &dirp->ent;
+
+			/* Length of file name excluding zero terminator */
+			entp->d_namlen = n - 1;
+
+			/* File attributes */
+			attr = datap->dwFileAttributes;
+			if ((attr & FILE_ATTRIBUTE_DEVICE) != 0) {
+				entp->d_type = DT_CHR;
+			} else if ((attr & FILE_ATTRIBUTE_DIRECTORY) != 0) {
+				entp->d_type = DT_DIR;
+			} else {
+				entp->d_type = DT_REG;
+			}
+
+			/* Reset dummy fields */
+			entp->d_ino = 0;
+			entp->d_reclen = sizeof(struct dirent);
+
+		} else {
+			/*
+			 * Cannot convert file name to multi-byte string so construct
+			 * an errornous directory entry and return that.  Note that
+			 * we cannot return NULL as that would stop the processing
+			 * of directory entries completely.
+			 */
+			entp = &dirp->ent;
+			entp->d_name[0] = '?';
+			entp->d_name[1] = '\0';
+			entp->d_namlen = 1;
+			entp->d_type = DT_UNKNOWN;
+			entp->d_ino = 0;
+			entp->d_reclen = 0;
+		}
+
+	} else {
+		/* No more directory entries */
+		entp = NULL;
+	}
+
+	return entp;
+}
+
+/*
+ * Close directory stream.
+ */
+static int
+closedir(DIR *dirp)
+{
+	int ok;
+	if (dirp) {
+
+		/* Close wide-character directory stream */
+		ok = _wclosedir(dirp->wdirp);
+		dirp->wdirp = NULL;
+
+		/* Release multi-byte character version */
+		free(dirp);
+
+	} else {
+
+		/* Invalid directory stream */
+		_set_errno(EBADF);
+		ok = /*failure*/-1;
+
+	}
+	return ok;
+}
+
+/*
+ * Rewind directory stream to beginning.
+ */
+static void
+rewinddir(DIR* dirp)
+{
+	/* Rewind wide-character string directory stream */
+	_wrewinddir(dirp->wdirp);
+}
+
+/* Convert multi-byte string to wide character string */
+static int
+dirent_mbstowcs_s(size_t *pReturnValue, wchar_t *wcstr,
+	size_t sizeInWords, const char *mbstr, size_t count)
+{
+	return mbstowcs_s(pReturnValue, wcstr, sizeInWords, mbstr, count);
+}
+
+/* Convert wide-character string to multi-byte string */
+static int
+dirent_wcstombs_s(size_t *pReturnValue, char *mbstr,
+	size_t sizeInBytes, /* max size of mbstr */
+	const wchar_t *wcstr, size_t count)
+{
+	return wcstombs_s(pReturnValue, mbstr, sizeInBytes, wcstr, count);
+}
+
+#endif /*DIRENT_H*/

include/compat/err.h

@@ -0,0 +1,33 @@
+/*
+ * Public domain
+ * err.h compatibility shim
+ */
+
+#ifdef HAVE_ERR_H
+
+#include_next <err.h>
+
+#else
+
+#ifndef LIBCRYPTOCOMPAT_ERR_H
+#define LIBCRYPTOCOMPAT_ERR_H
+
+#include <errno.h>
+#include <stdio.h>
+#include <string.h>
+
+#define err(exitcode, format, ...) \
+  errx(exitcode, format ": %s", ## __VA_ARGS__, strerror(errno))
+
+#define errx(exitcode, format, ...) \
+  do { warnx(format, ## __VA_ARGS__); exit(exitcode); } while (0)
+
+#define warn(format, ...) \
+  warnx(format ": %s", ## __VA_ARGS__, strerror(errno))
+
+#define warnx(format, ...) \
+  fprintf(stderr, format "\n", ## __VA_ARGS__)
+
+#endif
+
+#endif

include/compat/netinet/ip.h

@@ -0,0 +1,43 @@
+/*
+ * Public domain
+ * netinet/ip.h compatibility shim
+ */
+
+#ifndef _WIN32
+#include_next <netinet/ip.h>
+#else
+#include <win32netcompat.h>
+#endif
+
+/*
+ * Definitions for DiffServ Codepoints as per RFC2474
+ */
+#ifndef IPTOS_DSCP_CS0
+#define	IPTOS_DSCP_CS0		0x00
+#define	IPTOS_DSCP_CS1		0x20
+#define	IPTOS_DSCP_CS2		0x40
+#define	IPTOS_DSCP_CS3		0x60
+#define	IPTOS_DSCP_CS4		0x80
+#define	IPTOS_DSCP_CS5		0xa0
+#define	IPTOS_DSCP_CS6		0xc0
+#define	IPTOS_DSCP_CS7		0xe0
+#endif
+
+#ifndef IPTOS_DSCP_AF11
+#define	IPTOS_DSCP_AF11		0x28
+#define	IPTOS_DSCP_AF12		0x30
+#define	IPTOS_DSCP_AF13		0x38
+#define	IPTOS_DSCP_AF21		0x48
+#define	IPTOS_DSCP_AF22		0x50
+#define	IPTOS_DSCP_AF23		0x58
+#define	IPTOS_DSCP_AF31		0x68
+#define	IPTOS_DSCP_AF32		0x70
+#define	IPTOS_DSCP_AF33		0x78
+#define	IPTOS_DSCP_AF41		0x88
+#define	IPTOS_DSCP_AF42		0x90
+#define	IPTOS_DSCP_AF43		0x98
+#endif
+
+#ifndef IPTOS_DSCP_EF
+#define	IPTOS_DSCP_EF		0xb8
+#endif

include/compat/poll.h

@@ -14,7 +14,7 @@
 #ifndef LIBCRYPTOCOMPAT_POLL_H
 #define LIBCRYPTOCOMPAT_POLL_H
 
-#ifdef HAVE_POLL
+#ifndef _WIN32
 #include_next <poll.h>
 #else
 

include/compat/readpassphrase.h

@@ -0,0 +1,48 @@
+/*	$OpenBSD: readpassphrase.h,v 1.5 2003/06/17 21:56:23 millert Exp $	*/
+
+/*
+ * Copyright (c) 2000, 2002 Todd C. Miller <Todd.Miller@courtesan.com>
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+ * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+ * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ *
+ * Sponsored in part by the Defense Advanced Research Projects
+ * Agency (DARPA) and Air Force Research Laboratory, Air Force
+ * Materiel Command, USAF, under agreement number F39502-99-1-0512.
+ */
+
+#ifdef HAVE_READPASSPHRASE_H
+
+#include_next <readpassphrase.h>
+
+#else
+
+#ifndef _READPASSPHRASE_H_
+#define _READPASSPHRASE_H_
+
+#define RPP_ECHO_OFF    0x00		/* Turn off echo (default). */
+#define RPP_ECHO_ON     0x01		/* Leave echo on. */
+#define RPP_REQUIRE_TTY 0x02		/* Fail if there is no tty. */
+#define RPP_FORCELOWER  0x04		/* Force input to lower case. */
+#define RPP_FORCEUPPER  0x08		/* Force input to upper case. */
+#define RPP_SEVENBIT    0x10		/* Strip the high bit from input. */
+#define RPP_STDIN       0x20		/* Read from stdin, not /dev/tty */
+
+#include <sys/cdefs.h>
+
+__BEGIN_DECLS
+char * readpassphrase(const char *, char *, size_t, int);
+__END_DECLS
+
+#endif /* !_READPASSPHRASE_H_ */
+
+#endif

include/compat/stdio.h

@@ -3,11 +3,21 @@
  * stdio.h compatibility shim
  */
 
-#include_next <stdio.h>
-
 #ifndef LIBCRYPTOCOMPAT_STDIO_H
 #define LIBCRYPTOCOMPAT_STDIO_H
 
+#ifdef _MSC_VER
+#if _MSC_VER >= 1900
+#include <../ucrt/stdlib.h>
+#include <../ucrt/corecrt_io.h>
+#include <../ucrt/stdio.h>
+#else
+#include <../include/stdio.h>
+#endif
+#else
+#include_next <stdio.h>
+#endif
+
 #ifndef HAVE_ASPRINTF
 #include <stdarg.h>
 int vasprintf(char **str, const char *fmt, va_list ap);
@@ -26,6 +36,10 @@ int posix_rename(const char *oldpath, const char *newpath);
 #define rename(oldpath, newpath) posix_rename(oldpath, newpath)
 #endif
 
+#ifdef _MSC_VER
+#define snprintf _snprintf
+#endif
+
 #endif
 
 #endif

include/compat/stdlib.h

@@ -3,13 +3,20 @@
  * Public domain
  */
 
+#ifdef _MSC_VER
+#if _MSC_VER >= 1900
+#include <../ucrt/stdlib.h>
+#else
+#include <../include/stdlib.h>
+#endif
+#else
 #include_next <stdlib.h>
+#endif
 
 #ifndef LIBCRYPTOCOMPAT_STDLIB_H
 #define LIBCRYPTOCOMPAT_STDLIB_H
 
-#include <sys/stat.h>
-#include <sys/time.h>
+#include <sys/types.h>
 #include <stdint.h>
 
 #ifndef HAVE_ARC4RANDOM_BUF

include/compat/string.h

@@ -3,11 +3,19 @@
  * string.h compatibility shim
  */
 
-#include_next <string.h>
-
 #ifndef LIBCRYPTOCOMPAT_STRING_H
 #define LIBCRYPTOCOMPAT_STRING_H
 
+#ifdef _MSC_VER
+#if _MSC_VER >= 1900
+#include <../ucrt/string.h>
+#else
+#include <../include/string.h>
+#endif
+#else
+#include_next <string.h>
+#endif
+
 #include <sys/types.h>
 
 #if defined(__sun) || defined(__hpux)
@@ -17,6 +25,11 @@
 #include <strings.h>
 #endif
 
+#ifndef HAVE_STRCASECMP
+int strcasecmp(const char *s1, const char *s2);
+int strncasecmp(const char *s1, const char *s2, size_t len);
+#endif
+
 #ifndef HAVE_STRLCPY
 size_t strlcpy(char *dst, const char *src, size_t siz);
 #endif

include/compat/sys/cdefs.h

@@ -0,0 +1,31 @@
+/*
+ * Public domain
+ * sys/cdefs.h compatibility shim
+ */
+
+#ifndef LIBCRYPTOCOMPAT_SYS_CDEFS_H
+#define LIBCRYPTOCOMPAT_SYS_CDEFS_H
+
+#ifdef _WIN32
+
+#define __warn_references(sym,msg)
+
+#else
+
+#include_next <sys/cdefs.h>
+
+#ifndef __warn_references
+
+#if defined(__GNUC__)  && defined (HAS_GNU_WARNING_LONG)
+#define __warn_references(sym,msg)          \
+  __asm__(".section .gnu.warning." __STRING(sym)  \
+         " ; .ascii \"" msg "\" ; .text");
+#else
+#define __warn_references(sym,msg)
+#endif
+
+#endif /* __warn_references */
+
+#endif /* _WIN32 */
+
+#endif /* LIBCRYPTOCOMPAT_SYS_CDEFS_H */

include/compat/sys/param.h

@@ -0,0 +1,15 @@
+/*
+ * Public domain
+ * sys/param.h compatibility shim
+ */
+
+#ifndef LIBCRYPTOCOMPAT_SYS_PARAM_H
+#define LIBCRYPTOCOMPAT_SYS_PARAM_H
+
+#ifdef _MSC_VER
+#include <winsock2.h>
+#else
+#include_next <sys/param.h>
+#endif
+
+#endif

include/compat/sys/stat.h

@@ -0,0 +1,100 @@
+/*
+ * Public domain
+ * sys/stat.h compatibility shim
+ */
+
+#ifndef LIBCRYPTOCOMPAT_SYS_STAT_H
+#define LIBCRYPTOCOMPAT_SYS_STAT_H
+
+#ifndef _MSC_VER
+#include_next <sys/stat.h>
+#else
+
+#include <windows.h>
+#if _MSC_VER >= 1900
+#include <../ucrt/sys/stat.h>
+#else
+#include <../include/sys/stat.h>
+#endif
+
+/* File type and permission flags for stat() */
+#if !defined(S_IFMT)
+#   define S_IFMT   _S_IFMT                     /* File type mask */
+#endif
+#if !defined(S_IFDIR)
+#   define S_IFDIR  _S_IFDIR                    /* Directory */
+#endif
+#if !defined(S_IFCHR)
+#   define S_IFCHR  _S_IFCHR                    /* Character device */
+#endif
+#if !defined(S_IFFIFO)
+#   define S_IFFIFO _S_IFFIFO                   /* Pipe */
+#endif
+#if !defined(S_IFREG)
+#   define S_IFREG  _S_IFREG                    /* Regular file */
+#endif
+#if !defined(S_IREAD)
+#   define S_IREAD  _S_IREAD                    /* Read permission */
+#endif
+#if !defined(S_IWRITE)
+#   define S_IWRITE _S_IWRITE                   /* Write permission */
+#endif
+#if !defined(S_IEXEC)
+#   define S_IEXEC  _S_IEXEC                    /* Execute permission */
+#endif
+#if !defined(S_IFIFO)
+#   define S_IFIFO _S_IFIFO                     /* Pipe */
+#endif
+#if !defined(S_IFBLK)
+#   define S_IFBLK   0                          /* Block device */
+#endif
+#if !defined(S_IFLNK)
+#   define S_IFLNK   0                          /* Link */
+#endif
+#if !defined(S_IFSOCK)
+#   define S_IFSOCK  0                          /* Socket */
+#endif
+
+#if defined(_MSC_VER)
+#   define S_IRUSR  S_IREAD                     /* Read user */
+#   define S_IWUSR  S_IWRITE                    /* Write user */
+#   define S_IXUSR  0                           /* Execute user */
+#   define S_IRGRP  0                           /* Read group */
+#   define S_IWGRP  0                           /* Write group */
+#   define S_IXGRP  0                           /* Execute group */
+#   define S_IROTH  0                           /* Read others */
+#   define S_IWOTH  0                           /* Write others */
+#   define S_IXOTH  0                           /* Execute others */
+#endif
+
+/* File type flags for d_type */
+#define DT_UNKNOWN  0
+#define DT_REG      S_IFREG
+#define DT_DIR      S_IFDIR
+#define DT_FIFO     S_IFIFO
+#define DT_SOCK     S_IFSOCK
+#define DT_CHR      S_IFCHR
+#define DT_BLK      S_IFBLK
+#define DT_LNK      S_IFLNK
+
+/* Macros for converting between st_mode and d_type */
+#define IFTODT(mode) ((mode) & S_IFMT)
+#define DTTOIF(type) (type)
+
+/*
+ * File type macros.  Note that block devices, sockets and links cannot be
+ * distinguished on Windows and the macros S_ISBLK, S_ISSOCK and S_ISLNK are
+ * only defined for compatibility.  These macros should always return false
+ * on Windows.
+ */
+#define	S_ISFIFO(mode) (((mode) & S_IFMT) == S_IFIFO)
+#define	S_ISDIR(mode)  (((mode) & S_IFMT) == S_IFDIR)
+#define	S_ISREG(mode)  (((mode) & S_IFMT) == S_IFREG)
+#define	S_ISLNK(mode)  (((mode) & S_IFMT) == S_IFLNK)
+#define	S_ISSOCK(mode) (((mode) & S_IFMT) == S_IFSOCK)
+#define	S_ISCHR(mode)  (((mode) & S_IFMT) == S_IFCHR)
+#define	S_ISBLK(mode)  (((mode) & S_IFMT) == S_IFBLK)
+
+#endif
+
+#endif

include/compat/sys/time.h

@@ -0,0 +1,16 @@
+/*
+ * Public domain
+ * sys/time.h compatibility shim
+ */
+
+#ifndef LIBCRYPTOCOMPAT_SYS_TIME_H
+#define LIBCRYPTOCOMPAT_SYS_TIME_H
+
+#ifdef _MSC_VER
+#include <winsock2.h>
+int gettimeofday(struct timeval *tp, void *tzp);
+#else
+#include_next <sys/time.h>
+#endif
+
+#endif

include/compat/sys/types.h

@@ -0,0 +1,47 @@
+/*
+ * Public domain
+ * sys/types.h compatibility shim
+ */
+
+#ifdef _MSC_VER
+#if _MSC_VER >= 1900
+#include <../ucrt/sys/types.h>
+#else
+#include <../include/sys/types.h>
+#endif
+#else
+#include_next <sys/types.h>
+#endif
+
+#ifndef LIBCRYPTOCOMPAT_SYS_TYPES_H
+#define LIBCRYPTOCOMPAT_SYS_TYPES_H
+
+#include <stdint.h>
+
+#ifdef __MINGW32__
+#include <_bsd_types.h>
+#endif
+
+#ifdef _MSC_VER
+typedef unsigned char   u_char;
+typedef unsigned short  u_short;
+typedef unsigned int    u_int;
+
+#include <basetsd.h>
+typedef SSIZE_T ssize_t;
+
+#ifndef SSIZE_MAX
+#ifdef _WIN64
+#define SSIZE_MAX _I64_MAX
+#else
+#define SSIZE_MAX INT_MAX
+#endif
+#endif
+
+#endif
+
+#if !defined(HAVE_ATTRIBUTE__BOUNDED__) && !defined(__bounded__)
+# define __bounded__(x, y, z)
+#endif
+
+#endif

include/compat/time.h

@@ -0,0 +1,15 @@
+/*
+ * Public domain
+ * sys/time.h compatibility shim
+ */
+
+#ifdef _MSC_VER
+#if _MSC_VER >= 1900
+#include <../ucrt/time.h>
+#else
+#include <../include/time.h>
+#endif
+#define gmtime_r(tp, tm) ((gmtime_s((tm), (tp)) == 0) ? (tm) : NULL)
+#else
+#include_next <time.h>
+#endif

include/compat/unistd.h

@@ -3,11 +3,28 @@
  * unistd.h compatibility shim
  */
 
-#include_next <unistd.h>
-
 #ifndef LIBCRYPTOCOMPAT_UNISTD_H
 #define LIBCRYPTOCOMPAT_UNISTD_H
 
+#ifndef _MSC_VER
+#include_next <unistd.h>
+#else
+
+#include <stdlib.h>
+#include <io.h>
+#include <process.h>
+
+#define R_OK    4
+#define W_OK    2
+#define X_OK    0
+#define F_OK    0
+
+#define access _access
+
+unsigned int sleep(unsigned int seconds);
+
+#endif
+
 #ifndef HAVE_GETENTROPY
 int getentropy(void *buf, size_t buflen);
 #endif

include/err.h

@@ -1,33 +0,0 @@
-/*
- * Public domain
- * err.h compatibility shim
- */
-
-#ifdef HAVE_ERR_H
-
-#include_next <err.h>
-
-#else
-
-#ifndef LIBCRYPTOCOMPAT_ERR_H
-#define LIBCRYPTOCOMPAT_ERR_H
-
-#include <errno.h>
-#include <stdio.h>
-#include <string.h>
-
-#define err(exitcode, format, args...) \
-  errx(exitcode, format ": %s", ## args, strerror(errno))
-
-#define errx(exitcode, format, args...) \
-  do { warnx(format, ## args); exit(exitcode); } while (0)
-
-#define warn(format, args...) \
-  warnx(format ": %s", ## args, strerror(errno))
-
-#define warnx(format, args...) \
-  fprintf(stderr, format "\n", ## args)
-
-#endif
-
-#endif

include/sys/times.h

@@ -1,10 +0,0 @@
-/*
- * Public domain
- * sys/times.h compatibility shim
- */
-
-#ifndef _WIN32
-#include_next <sys/times.h>
-#else
-#include <win32netcompat.h>
-#endif

include/sys/types.h

@@ -1,21 +0,0 @@
-/*
- * Public domain
- * sys/types.h compatibility shim
- */
-
-#include_next <sys/types.h>
-
-#ifndef LIBCRYPTOCOMPAT_SYS_TYPES_H
-#define LIBCRYPTOCOMPAT_SYS_TYPES_H
-
-#include <stdint.h>
-
-#ifdef __MINGW32__
-#include <_bsd_types.h>
-#endif
-
-#if !defined(HAVE_ATTRIBUTE__BOUNDED__) && !defined(__bounded__)
-# define __bounded__(x, y, z)
-#endif
-
-#endif

include/syslog.h

@@ -1,38 +0,0 @@
-/*
- * Public domain
- * syslog.h compatibility shim
- */
-
-#ifndef LIBCRYPTOCOMPAT_SYSLOG_H
-#define LIBCRYPTOCOMPAT_SYSLOG_H
-
-#ifndef _WIN32
-#include_next <syslog.h>
-#else
-
-/* priorities */
-#define LOG_EMERG 0
-#define LOG_ALERT 1
-#define LOG_CRIT 2
-#define LOG_ERR 3
-#define LOG_WARNING 4
-#define LOG_NOTICE 5
-#define LOG_INFO 6
-#define LOG_DEBUG 7
-
-/* facility codes */
-#define LOG_KERN (0<<3)
-#define LOG_USER (1<<3)
-#define LOG_DAEMON (3<<3)
-
-/* flags for openlog */
-#define LOG_PID 0x01
-#define LOG_CONS 0x02
-
-extern void openlog(const char *ident, int option, int facility);
-extern void syslog(int priority, const char *fmt, ...)
-	__attribute__ ((__format__ (__printf__, 2, 3)));
-extern void closelog (void);
-#endif
-
-#endif /* LIBCRYPTOCOMPAT_SYSLOG_H */

libcrypto.pc.in

@@ -7,7 +7,7 @@ includedir=@includedir@
 
 Name: LibreSSL-libssl
 Description: Secure Sockets Layer and cryptography libraries
-Version: @LIBCRYPTO_VERSION@
+Version: @VERSION@
 Requires:
 Conflicts:
 Libs: -L${libdir} -lcrypto

libssl.pc.in

@@ -7,7 +7,7 @@ includedir=@includedir@
 
 Name: LibreSSL-libssl
 Description: Secure Sockets Layer and cryptography libraries
-Version: @LIBSSL_VERSION@
+Version: @VERSION@
 Requires:
 Requires.private: libcrypto
 Conflicts:

libtls-standalone/VERSION

@@ -1 +0,0 @@
-4.0.0

libtls-standalone/include/string.h

@@ -3,11 +3,19 @@
  * string.h compatibility shim
  */
 
-#include_next <string.h>
-
 #ifndef LIBCRYPTOCOMPAT_STRING_H
 #define LIBCRYPTOCOMPAT_STRING_H
 
+#ifdef _MSC_VER
+#if _MSC_VER >= 1900
+#include <../ucrt/string.h>
+#else
+#include <../include/string.h>
+#endif
+#else
+#include_next <string.h>
+#endif
+
 #include <sys/types.h>
 
 #if defined(__sun) || defined(__hpux)
@@ -17,6 +25,11 @@
 #include <strings.h>
 #endif
 
+#ifndef HAVE_STRCASECMP
+int strcasecmp(const char *s1, const char *s2);
+int strncasecmp(const char *s1, const char *s2, size_t len);
+#endif
+
 #ifndef HAVE_STRLCPY
 size_t strlcpy(char *dst, const char *src, size_t siz);
 #endif

libtls.pc.in

@@ -7,7 +7,7 @@ includedir=@includedir@
 
 Name: LibreSSL-libtls
 Description: Secure communications using the TLS socket protocol.
-Version: @LIBTLS_VERSION@
+Version: @VERSION@
 Requires:
 Requires.private: libcrypto libssl
 Conflicts:

m4/check-libc.m4

@@ -1,11 +1,15 @@
 AC_DEFUN([CHECK_LIBC_COMPAT], [
+# Check for libc headers
+AC_CHECK_HEADERS([err.h readpassphrase.h])
 # Check for general libc functions
-AC_CHECK_FUNCS([asprintf inet_pton memmem poll reallocarray])
+AC_CHECK_FUNCS([accept4 asprintf inet_pton memmem poll readpassphrase reallocarray])
 AC_CHECK_FUNCS([strlcat strlcpy strndup strnlen strsep strtonum])
+AM_CONDITIONAL([HAVE_ACCEPT4], [test "x$ac_cv_func_accept4" = xyes])
 AM_CONDITIONAL([HAVE_ASPRINTF], [test "x$ac_cv_func_asprintf" = xyes])
 AM_CONDITIONAL([HAVE_INET_PTON], [test "x$ac_cv_func_inet_pton" = xyes])
 AM_CONDITIONAL([HAVE_MEMMEM], [test "x$ac_cv_func_memmem" = xyes])
 AM_CONDITIONAL([HAVE_POLL], [test "x$ac_cv_func_poll" = xyes])
+AM_CONDITIONAL([HAVE_READPASSPHRASE], [test "x$ac_cv_func_readpassphrase" = xyes])
 AM_CONDITIONAL([HAVE_REALLOCARRAY], [test "x$ac_cv_func_reallocarray" = xyes])
 AM_CONDITIONAL([HAVE_STRLCAT], [test "x$ac_cv_func_strlcat" = xyes])
 AM_CONDITIONAL([HAVE_STRLCPY], [test "x$ac_cv_func_strlcpy" = xyes])

m4/check-os-options.m4

@@ -1,13 +1,13 @@
 # This must be called before AC_PROG_CC
 AC_DEFUN([CHECK_OS_OPTIONS], [
 
-CFLAGS="$CFLAGS -Wall -std=gnu99"
+CFLAGS="$CFLAGS -Wall -std=gnu99 -fno-strict-aliasing"
 
 case $host_os in
 	*aix*)
 		HOST_OS=aix
 		if test "`echo $CC | cut -d ' ' -f 1`" != "gcc" ; then
-			CFLAGS="$USER_CFLAGS"
+			CFLAGS="-qnoansialias $USER_CFLAGS"
 		fi
 		AC_SUBST([PLATFORM_LDADD], ['-lperfstat -lpthread'])
 		;;
@@ -15,8 +15,10 @@ case $host_os in
 		HOST_OS=cygwin
 		;;
 	*darwin*)
+		BUILD_NC=yes
 		HOST_OS=darwin
 		HOST_ABI=macosx
+		AC_SUBST([PROG_LDADD], ['-lresolv'])
 		;;
 	*freebsd*)
 		HOST_OS=freebsd
@@ -28,21 +30,25 @@ case $host_os in
 		if test "`echo $CC | cut -d ' ' -f 1`" = "gcc" ; then
 			CFLAGS="$CFLAGS -mlp64"
 		else
-			CFLAGS="-g -O2 +DD64 $USER_CFLAGS"
+			CFLAGS="-g -O2 +DD64 +Otype_safety=off $USER_CFLAGS"
 		fi
 		CPPFLAGS="$CPPFLAGS -D_XOPEN_SOURCE=600 -D__STRICT_ALIGNMENT"
 		AC_SUBST([PLATFORM_LDADD], ['-lpthread'])
 		;;
 	*linux*)
+		BUILD_NC=yes
 		HOST_OS=linux
 		HOST_ABI=elf
 		CPPFLAGS="$CPPFLAGS -D_DEFAULT_SOURCE -D_BSD_SOURCE -D_POSIX_SOURCE -D_GNU_SOURCE"
+		AC_SUBST([PROG_LDADD], ['-lresolv'])
 		;;
 	*netbsd*)
 		HOST_OS=netbsd
 		CPPFLAGS="$CPPFLAGS -D_OPENBSD_SOURCE"
 		;;
 	*openbsd* | *bitrig*)
+		BUILD_NC=yes
+		HOST_OS=openbsd
 		HOST_ABI=elf
 		AC_DEFINE([HAVE_ATTRIBUTE__BOUNDED__], [1], [OpenBSD gcc has bounded])
 		;;
@@ -51,7 +57,7 @@ case $host_os in
 		CPPFLAGS="$CPPFLAGS -D_GNU_SOURCE -D_POSIX -D_POSIX_SOURCE -D__USE_MINGW_ANSI_STDIO"
 		CPPFLAGS="$CPPFLAGS -D_REENTRANT -D_POSIX_THREAD_SAFE_FUNCTIONS"
 		CPPFLAGS="$CPPFLAGS -DWIN32_LEAN_AND_MEAN -D_WIN32_WINNT=0x0501"
-		CPPFLAGS="$CPPFLAGS -DOPENSSL_NO_SPEED -DNO_SYSLOG"
+		CPPFLAGS="$CPPFLAGS -DOPENSSL_NO_SPEED"
 		CFLAGS="$CFLAGS -static-libgcc"
 		LDFLAGS="$LDFLAGS -static-libgcc"
 		AC_SUBST([PLATFORM_LDADD], ['-lws2_32'])
@@ -65,6 +71,7 @@ case $host_os in
 	*) ;;
 esac
 
+AM_CONDITIONAL([BUILD_NC],     [test x$BUILD_NC = xyes])
 AM_CONDITIONAL([HOST_AIX],     [test x$HOST_OS = xaix])
 AM_CONDITIONAL([HOST_CYGWIN],  [test x$HOST_OS = xcygwin])
 AM_CONDITIONAL([HOST_DARWIN],  [test x$HOST_OS = xdarwin])
@@ -72,6 +79,7 @@ AM_CONDITIONAL([HOST_FREEBSD], [test x$HOST_OS = xfreebsd])
 AM_CONDITIONAL([HOST_HPUX],    [test x$HOST_OS = xhpux])
 AM_CONDITIONAL([HOST_LINUX],   [test x$HOST_OS = xlinux])
 AM_CONDITIONAL([HOST_NETBSD],  [test x$HOST_OS = xnetbsd])
+AM_CONDITIONAL([HOST_OPENBSD], [test x$HOST_OS = xopenbsd])
 AM_CONDITIONAL([HOST_SOLARIS], [test x$HOST_OS = xsolaris])
 AM_CONDITIONAL([HOST_WIN],     [test x$HOST_OS = xwin])
 ])

man/CMakeLists.txt

@@ -0,0 +1,9 @@
+install(DIRECTORY .
+    DESTINATION share/man/man3
+    FILES_MATCHING PATTERN "*.3"
+    )
+
+install(DIRECTORY .
+    DESTINATION share/man/man1
+    FILES_MATCHING PATTERN "*.1"
+    )

man/links

@@ -445,9 +445,7 @@ EVP_DigestInit.3,EVP_get_digestbyobj.3
 EVP_DigestInit.3,EVP_md2.3
 EVP_DigestInit.3,EVP_md5.3
 EVP_DigestInit.3,EVP_md_null.3
-EVP_DigestInit.3,EVP_mdc2.3
 EVP_DigestInit.3,EVP_ripemd160.3
-EVP_DigestInit.3,EVP_sha.3
 EVP_DigestInit.3,EVP_sha1.3
 EVP_DigestInit.3,EVP_sha224.3
 EVP_DigestInit.3,EVP_sha256.3
@@ -1105,8 +1103,11 @@ tls_init.3,tls_config_clear_keys.3
 tls_init.3,tls_config_free.3
 tls_init.3,tls_config_insecure_noverifycert.3
 tls_init.3,tls_config_insecure_noverifyname.3
+tls_init.3,tls_config_insecure_noverifytime.3
 tls_init.3,tls_config_new.3
 tls_init.3,tls_config_parse_protocols.3
+tls_init.3,tls_config_prefer_ciphers_client.3
+tls_init.3,tls_config_prefer_ciphers_server.3
 tls_init.3,tls_config_set_ca_file.3
 tls_init.3,tls_config_set_ca_mem.3
 tls_init.3,tls_config_set_ca_path.3
@@ -1120,14 +1121,24 @@ tls_init.3,tls_config_set_key_mem.3
 tls_init.3,tls_config_set_protocols.3
 tls_init.3,tls_config_set_verify_depth.3
 tls_init.3,tls_config_verify.3
+tls_init.3,tls_config_verify_client.3
+tls_init.3,tls_config_verify_client_optional.3
 tls_init.3,tls_configure.3
+tls_init.3,tls_conn_cipher.3
+tls_init.3,tls_conn_version.3
 tls_init.3,tls_connect.3
 tls_init.3,tls_connect_fds.3
 tls_init.3,tls_connect_servername.3
 tls_init.3,tls_connect_socket.3
 tls_init.3,tls_error.3
 tls_init.3,tls_free.3
+tls_init.3,tls_handshake.3
 tls_init.3,tls_load_file.3
+tls_init.3,tls_peer_cert_contains_name.3
+tls_init.3,tls_peer_cert_hash.3
+tls_init.3,tls_peer_cert_issuer.3
+tls_init.3,tls_peer_cert_provided.3
+tls_init.3,tls_peer_cert_subject.3
 tls_init.3,tls_read.3
 tls_init.3,tls_reset.3
 tls_init.3,tls_server.3

man/update_links.sh

@@ -3,7 +3,7 @@
 # Run this periodically to ensure that the manpage links are up to date
 
 echo "# This is an auto-generated file by $0" > links
-sudo makewhatis
+doas makewhatis
 for i in `ls -1 *.3`; do
   name=`echo $i|cut -d. -f1`
   links=`sqlite3 /usr/share/man/mandoc.db \

patches/netcat.c.patch

@@ -0,0 +1,155 @@
+--- apps/nc/netcat.c.orig	Sun Sep 13 08:12:39 2015
++++ apps/nc/netcat.c	Sun Sep 13 19:15:13 2015
+@@ -98,9 +98,13 @@
+ int	Dflag;					/* sodebug */
+ int	Iflag;					/* TCP receive buffer size */
+ int	Oflag;					/* TCP send buffer size */
++#ifdef TCP_MD5SIG
+ int	Sflag;					/* TCP MD5 signature option */
++#endif
+ int	Tflag = -1;				/* IP Type of Service */
++#ifdef SO_RTABLE
+ int	rtableid = -1;
++#endif
+ 
+ int	usetls;					/* use TLS */
+ char    *Cflag;					/* Public cert file */
+@@ -150,7 +154,7 @@
+ 	struct servent *sv;
+ 	socklen_t len;
+ 	struct sockaddr_storage cliaddr;
+-	char *proxy;
++	char *proxy = NULL;
+ 	const char *errstr, *proxyhost = "", *proxyport = NULL;
+ 	struct addrinfo proxyhints;
+ 	char unix_dg_tmp_socket_buf[UNIX_DG_TMP_SOCKET_SIZE];
+@@ -251,12 +255,14 @@
+ 		case 'u':
+ 			uflag = 1;
+ 			break;
++#ifdef SO_RTABLE
+ 		case 'V':
+ 			rtableid = (int)strtonum(optarg, 0,
+ 			    RT_TABLEID_MAX, &errstr);
+ 			if (errstr)
+ 				errx(1, "rtable %s: %s", errstr, optarg);
+ 			break;
++#endif
+ 		case 'v':
+ 			vflag = 1;
+ 			break;
+@@ -289,9 +295,11 @@
+ 				errx(1, "TCP send window %s: %s",
+ 				    errstr, optarg);
+ 			break;
++#ifdef TCP_MD5SIG
+ 		case 'S':
+ 			Sflag = 1;
+ 			break;
++#endif
+ 		case 'T':
+ 			errstr = NULL;
+ 			errno = 0;
+@@ -776,7 +784,10 @@
+ remote_connect(const char *host, const char *port, struct addrinfo hints)
+ {
+ 	struct addrinfo *res, *res0;
+-	int s, error, on = 1;
++	int s, error;
++#ifdef SO_BINDANY
++	int on = 1;
++#endif
+ 
+ 	if ((error = getaddrinfo(host, port, &hints, &res)))
+ 		errx(1, "getaddrinfo: %s", gai_strerror(error));
+@@ -787,16 +798,20 @@
+ 		    SOCK_NONBLOCK, res0->ai_protocol)) < 0)
+ 			continue;
+ 
++#ifdef SO_RTABLE
+ 		if (rtableid >= 0 && (setsockopt(s, SOL_SOCKET, SO_RTABLE,
+ 		    &rtableid, sizeof(rtableid)) == -1))
+ 			err(1, "setsockopt SO_RTABLE");
++#endif
+ 
+ 		/* Bind to a local port or source address if specified. */
+ 		if (sflag || pflag) {
+ 			struct addrinfo ahints, *ares;
+ 
++#ifdef SO_BINDANY
+ 			/* try SO_BINDANY, but don't insist */
+ 			setsockopt(s, SOL_SOCKET, SO_BINDANY, &on, sizeof(on));
++#endif
+ 			memset(&ahints, 0, sizeof(struct addrinfo));
+ 			ahints.ai_family = res0->ai_family;
+ 			ahints.ai_socktype = uflag ? SOCK_DGRAM : SOCK_STREAM;
+@@ -865,7 +880,10 @@
+ local_listen(char *host, char *port, struct addrinfo hints)
+ {
+ 	struct addrinfo *res, *res0;
+-	int s, ret, x = 1;
++	int s;
++#ifdef SO_REUSEPORT
++	int ret, x = 1;
++#endif
+ 	int error;
+ 
+ 	/* Allow nodename to be null. */
+@@ -887,13 +905,17 @@
+ 		    res0->ai_protocol)) < 0)
+ 			continue;
+ 
++#ifdef SO_RTABLE
+ 		if (rtableid >= 0 && (setsockopt(s, SOL_SOCKET, SO_RTABLE,
+ 		    &rtableid, sizeof(rtableid)) == -1))
+ 			err(1, "setsockopt SO_RTABLE");
++#endif
+ 
++#ifdef SO_REUSEPORT
+ 		ret = setsockopt(s, SOL_SOCKET, SO_REUSEPORT, &x, sizeof(x));
+ 		if (ret == -1)
+ 			err(1, NULL);
++#endif
+ 
+ 		set_common_sockopts(s, res0->ai_family);
+ 
+@@ -1337,11 +1359,13 @@
+ {
+ 	int x = 1;
+ 
++#ifdef TCP_MD5SIG
+ 	if (Sflag) {
+ 		if (setsockopt(s, IPPROTO_TCP, TCP_MD5SIG,
+ 			&x, sizeof(x)) == -1)
+ 			err(1, NULL);
+ 	}
++#endif
+ 	if (Dflag) {
+ 		if (setsockopt(s, SOL_SOCKET, SO_DEBUG,
+ 			&x, sizeof(x)) == -1)
+@@ -1516,15 +1540,19 @@
+ 	\t-P proxyuser\tUsername for proxy authentication\n\
+ 	\t-p port\t	Specify local port for remote connects\n\
+ 	\t-R CAfile	CA bundle\n\
+-	\t-r		Randomize remote ports\n\
+-	\t-S		Enable the TCP MD5 signature option\n\
+-	\t-s source	Local source address\n\
++	\t-r		Randomize remote ports\n"
++#ifdef TCP_MD5SIG
++	"\t-S		Enable the TCP MD5 signature option\n"
++#endif
++	"\t-s source	Local source address\n\
+ 	\t-T keyword	TOS value or TLS options\n\
+ 	\t-t		Answer TELNET negotiation\n\
+ 	\t-U		Use UNIX domain socket\n\
+-	\t-u		UDP mode\n\
+-	\t-V rtable	Specify alternate routing table\n\
+-	\t-v		Verbose\n\
++	\t-u		UDP mode\n"
++#ifdef SO_RTABLE
++	"\t-V rtable	Specify alternate routing table\n"
++#endif
++	"\t-v		Verbose\n\
+ 	\t-w timeout	Timeout for connects and final net reads\n\
+ 	\t-X proto	Proxy protocol: \"4\", \"5\" (SOCKS) or \"connect\"\n\
+ 	\t-x addr[:port]\tSpecify proxy address and port\n\

patches/openssl.c.patch

@@ -1,29 +1,12 @@
---- apps/openssl.c.orig	2015-06-05 03:42:12.956112944 -0500
-+++ apps/openssl.c	2015-06-05 03:41:54.215381908 -0500
-@@ -130,6 +130,18 @@
- #include <openssl/engine.h>
- #endif
- 
-+#ifdef _WIN32
-+#include <fcntl.h>
-+static void set_stdio_binary(void)
-+{
-+	_setmode(_fileno(stdin), _O_BINARY);
-+	_setmode(_fileno(stdout), _O_BINARY);
-+	_setmode(_fileno(stderr), _O_BINARY);
-+}
-+#else
-+static void set_stdio_binary(void) {};
-+#endif
-+
- #include "progs.h"
- #include "s_apps.h"
- 
-@@ -216,6 +228,7 @@
- #endif
- 
- 	setup_ui_method();
-+	set_stdio_binary();
- }
- 
+--- apps/openssl/openssl.c.orig	Sun Sep 13 09:11:31 2015
++++ apps/openssl/openssl.c	Sun Sep 13 09:10:02 2015
+@@ -399,7 +399,9 @@
  static void
+ openssl_startup(void)
+ {
++#ifndef _WIN32
+ 	signal(SIGPIPE, SIG_IGN);
++#endif
+ 
+ 	OpenSSL_add_all_algorithms();
+ 	SSL_library_init();

patches/windows_headers.patch

@@ -0,0 +1,100 @@
+diff -urN include/openssl.orig/dtls1.h include/openssl/dtls1.h
+--- include/openssl.orig/dtls1.h	Mon Sep 21 21:45:45 2015
++++ include/openssl/dtls1.h	Mon Sep 21 21:58:56 2015
+@@ -60,7 +60,11 @@
+ #ifndef HEADER_DTLS1_H
+ #define HEADER_DTLS1_H
+ 
++#if defined(_WIN32)
++#include <winsock2.h>
++#else
+ #include <sys/time.h>
++#endif
+ 
+ #include <stdio.h>
+ #include <stdlib.h>
+diff -urN include/openssl.orig/opensslconf.h include/openssl/opensslconf.h
+--- include/openssl.orig/opensslconf.h	Mon Sep 21 21:45:45 2015
++++ include/openssl/opensslconf.h	Mon Sep 21 21:56:13 2015
+@@ -1,6 +1,10 @@
+ #include <openssl/opensslfeatures.h>
+ /* crypto/opensslconf.h.in */
+ 
++#if defined(_MSC_VER) && !defined(__attribute__)
++#define __attribute__(a)
++#endif
++
+ /* Generate 80386 code? */
+ #undef I386_ONLY
+ 
+diff -urN include/openssl.orig/ossl_typ.h include/openssl/ossl_typ.h
+--- include/openssl.orig/ossl_typ.h	Mon Sep 21 21:45:45 2015
++++ include/openssl/ossl_typ.h	Mon Sep 21 21:56:22 2015
+@@ -100,6 +100,22 @@
+ typedef struct ASN1_ITEM_st ASN1_ITEM;
+ typedef struct asn1_pctx_st ASN1_PCTX;
+ 
++#if defined(_WIN32) && defined(__WINCRYPT_H__)
++#ifndef LIBRESSL_INTERNAL
++#ifdef _MSC_VER
++#pragma message("Warning, overriding WinCrypt defines")
++#else
++#warning overriding WinCrypt defines
++#endif
++#endif
++#undef X509_NAME
++#undef X509_CERT_PAIR
++#undef X509_EXTENSIONS
++#undef OCSP_REQUEST
++#undef OCSP_RESPONSE
++#undef PKCS7_ISSUER_AND_SERIAL
++#endif
++
+ #ifdef BIGNUM
+ #undef BIGNUM
+ #endif
+diff -urN include/openssl.orig/pkcs7.h include/openssl/pkcs7.h
+--- include/openssl.orig/pkcs7.h	Mon Sep 21 21:45:45 2015
++++ include/openssl/pkcs7.h	Mon Sep 21 21:56:29 2015
+@@ -69,6 +69,18 @@
+ extern "C" {
+ #endif
+ 
++#if defined(_WIN32) && defined(__WINCRYPT_H__)
++#ifndef LIBRESSL_INTERNAL
++#ifdef _MSC_VER
++#pragma message("Warning, overriding WinCrypt defines")
++#else
++#warning overriding WinCrypt defines
++#endif
++#endif
++#undef PKCS7_ISSUER_AND_SERIAL
++#undef PKCS7_SIGNER_INFO
++#endif
++
+ /*
+ Encryption_ID		DES-CBC
+ Digest_ID		MD5
+diff -urN include/openssl.orig/x509.h include/openssl/x509.h
+--- include/openssl.orig/x509.h	Mon Sep 21 21:45:45 2015
++++ include/openssl/x509.h	Mon Sep 21 21:56:35 2015
+@@ -112,6 +112,19 @@
+ extern "C" {
+ #endif
+ 
++#if defined(_WIN32)
++#ifndef LIBRESSL_INTERNAL
++#ifdef _MSC_VER
++#pragma message("Warning, overriding WinCrypt defines")
++#else
++#warning overriding WinCrypt defines
++#endif
++#endif
++#undef X509_NAME
++#undef X509_CERT_PAIR
++#undef X509_EXTENSIONS
++#endif
++
+ #define X509_FILETYPE_PEM	1
+ #define X509_FILETYPE_ASN1	2
+ #define X509_FILETYPE_DEFAULT	3

scripts/travis

@@ -4,12 +4,31 @@ set -e
 ./autogen.sh
 
 if [ "x$ARCH" = "xnative" ]; then
+	# test autotools
 	./configure
+	make -j 4 distcheck
+
+	# make distribution
+	make dist
+	tar zxvf libressl-*.tar.gz
+	cd libressl-*
+	mkdir build
+	cd build
+
+	# test cmake and ninja
 	if [ `uname` = "Darwin" ]; then
-		# OS X runs out of resources if we run 'make -j check'
-		make check
+		cmake ..
+		make
+		make test
 	else
-		make -j distcheck
+		sudo apt-get update
+		sudo apt-get install -y python-software-properties
+		sudo apt-add-repository -y ppa:kalakris/cmake
+		sudo apt-get update
+		sudo apt-get install -y cmake ninja-build
+		cmake -GNinja ..
+		ninja
+		ninja test
 	fi
 else
 	CPU=i686

ssl/CMakeLists.txt

@@ -0,0 +1,62 @@
+include_directories(
+	.
+	../include
+	../include/compat
+)
+
+set(
+	SSL_SRC
+	bio_ssl.c
+	bs_ber.c
+	bs_cbb.c
+	bs_cbs.c
+	d1_both.c
+	d1_clnt.c
+	d1_enc.c
+	d1_lib.c
+	d1_meth.c
+	d1_pkt.c
+	d1_srtp.c
+	d1_srvr.c
+	pqueue.c
+	s23_clnt.c
+	s23_lib.c
+	s23_pkt.c
+	s23_srvr.c
+	s3_both.c
+	s3_cbc.c
+	s3_clnt.c
+	s3_lib.c
+	s3_pkt.c
+	s3_srvr.c
+	ssl_algs.c
+	ssl_asn1.c
+	ssl_cert.c
+	ssl_ciph.c
+	ssl_err.c
+	ssl_err2.c
+	ssl_lib.c
+	ssl_rsa.c
+	ssl_sess.c
+	ssl_stat.c
+	ssl_txt.c
+	t1_clnt.c
+	t1_enc.c
+	t1_lib.c
+	t1_meth.c
+	t1_reneg.c
+	t1_srvr.c
+)
+
+if (BUILD_SHARED)
+	add_library(ssl-objects OBJECT ${SSL_SRC})
+	add_library(ssl STATIC $<TARGET_OBJECTS:ssl-objects>)
+	add_library(ssl-shared SHARED $<TARGET_OBJECTS:ssl-objects>)
+	set_target_properties(ssl-shared PROPERTIES OUTPUT_NAME ssl)
+	set_target_properties(ssl-shared PROPERTIES VERSION ${SSL_VERSION}
+		SOVERSION ${SSL_MAJOR_VERSION})
+	install(TARGETS ssl ssl-shared DESTINATION lib)
+else()
+	add_library(ssl STATIC ${SSL_SRC})
+	install(TARGETS ssl DESTINATION lib)
+endif()

ssl/Makefile.am

@@ -3,6 +3,7 @@ include $(top_srcdir)/Makefile.am.common
 lib_LTLIBRARIES = libssl.la
 
 EXTRA_DIST = VERSION
+EXTRA_DIST += CMakeLists.txt
 
 libssl_la_LDFLAGS = -version-info @LIBSSL_VERSION@ -no-undefined
 libssl_la_LIBADD = ../crypto/libcrypto.la
@@ -22,15 +23,12 @@ libssl_la_SOURCES += d1_srvr.c
 libssl_la_SOURCES += pqueue.c
 libssl_la_SOURCES += s23_clnt.c
 libssl_la_SOURCES += s23_lib.c
-libssl_la_SOURCES += s23_meth.c
 libssl_la_SOURCES += s23_pkt.c
 libssl_la_SOURCES += s23_srvr.c
 libssl_la_SOURCES += s3_both.c
 libssl_la_SOURCES += s3_cbc.c
 libssl_la_SOURCES += s3_clnt.c
-libssl_la_SOURCES += s3_enc.c
 libssl_la_SOURCES += s3_lib.c
-libssl_la_SOURCES += s3_meth.c
 libssl_la_SOURCES += s3_pkt.c
 libssl_la_SOURCES += s3_srvr.c
 libssl_la_SOURCES += ssl_algs.c

tests/CMakeLists.txt

@@ -0,0 +1,272 @@
+include_directories(
+	.
+	../include
+	../include/compat
+	../crypto/modes
+	../crypto/asn1
+	../ssl
+	../apps/openssl
+	../apps/openssl/compat
+)
+
+set(ENV{srcdir} ${CMAKE_CURRENT_SOURCE_DIR})
+
+# aeadtest
+#add_executable(aeadtest aeadtest.c)
+#target_link_libraries(aeadtest ${OPENSSL_LIBS})
+#add_test(aeadtest aeadtest.sh)
+#configure_file(aeadtests.txt aeadtests.txt COPYONLY)
+#configure_file(aeadtest.sh aeadtest.sh COPYONLY)
+
+# aes_wrap
+add_executable(aes_wrap aes_wrap.c)
+target_link_libraries(aes_wrap ${OPENSSL_LIBS})
+add_test(aes_wrap aes_wrap)
+
+# arc4randomforktest
+# Windows/mingw does not have fork, but Cygwin does.
+if(NOT CMAKE_HOST_WIN32)
+add_executable(arc4randomforktest arc4randomforktest.c)
+target_link_libraries(arc4randomforktest ${OPENSSL_LIBS})
+add_test(arc4randomforktest ${CMAKE_CURRENT_SOURCE_DIR}/arc4randomforktest.sh)
+endif()
+
+# asn1test
+add_executable(asn1test asn1test.c)
+target_link_libraries(asn1test ${OPENSSL_LIBS})
+add_test(asn1test asn1test)
+
+# base64test
+add_executable(base64test base64test.c)
+target_link_libraries(base64test ${OPENSSL_LIBS})
+add_test(base64test base64test)
+
+# bftest
+add_executable(bftest bftest.c)
+target_link_libraries(bftest ${OPENSSL_LIBS})
+add_test(bftest bftest)
+
+# bntest
+add_executable(bntest bntest.c)
+target_link_libraries(bntest ${OPENSSL_LIBS})
+add_test(bntest bntest)
+
+# bytestringtest
+add_executable(bytestringtest bytestringtest.c)
+target_link_libraries(bytestringtest ${OPENSSL_LIBS})
+add_test(bytestringtest bytestringtest)
+
+# casttest
+add_executable(casttest casttest.c)
+target_link_libraries(casttest ${OPENSSL_LIBS})
+add_test(casttest casttest)
+
+# chachatest
+add_executable(chachatest chachatest.c)
+target_link_libraries(chachatest ${OPENSSL_LIBS})
+add_test(chachatest chachatest)
+
+# cipher_list
+add_executable(cipher_list cipher_list.c)
+target_link_libraries(cipher_list ${OPENSSL_LIBS})
+add_test(cipher_list cipher_list)
+
+# cipherstest
+add_executable(cipherstest cipherstest.c)
+target_link_libraries(cipherstest ${OPENSSL_LIBS})
+add_test(cipherstest cipherstest)
+
+# clienttest
+add_executable(clienttest clienttest.c)
+target_link_libraries(clienttest ${OPENSSL_LIBS})
+add_test(clienttest clienttest)
+
+# cts128test
+add_executable(cts128test cts128test.c)
+target_link_libraries(cts128test ${OPENSSL_LIBS})
+add_test(cts128test cts128test)
+
+# destest
+add_executable(destest destest.c)
+target_link_libraries(destest ${OPENSSL_LIBS})
+add_test(destest destest)
+
+# dhtest
+add_executable(dhtest dhtest.c)
+target_link_libraries(dhtest ${OPENSSL_LIBS})
+add_test(dhtest dhtest)
+
+# dsatest
+add_executable(dsatest dsatest.c)
+target_link_libraries(dsatest ${OPENSSL_LIBS})
+add_test(dsatest dsatest)
+
+# ecdhtest
+add_executable(ecdhtest ecdhtest.c)
+target_link_libraries(ecdhtest ${OPENSSL_LIBS})
+add_test(ecdhtest ecdhtest)
+
+# ecdsatest
+add_executable(ecdsatest ecdsatest.c)
+target_link_libraries(ecdsatest ${OPENSSL_LIBS})
+add_test(ecdsatest ecdsatest)
+
+# ectest
+add_executable(ectest ectest.c)
+target_link_libraries(ectest ${OPENSSL_LIBS})
+add_test(ectest ectest)
+
+# enginetest
+add_executable(enginetest enginetest.c)
+target_link_libraries(enginetest ${OPENSSL_LIBS})
+add_test(enginetest enginetest)
+
+# evptest
+#add_executable(evptest evptest.c)
+#target_link_libraries(evptest ${OPENSSL_LIBS})
+#add_test(evptest ${CMAKE_CURRENT_SOURCE_DIR}/evptest.sh)
+
+# explicit_bzero
+# explicit_bzero relies on SA_ONSTACK, which is unavailable on Windows
+if(NOT CMAKE_HOST_WIN32)
+add_executable(explicit_bzero explicit_bzero.c)
+target_link_libraries(explicit_bzero ${OPENSSL_LIBS})
+add_test(explicit_bzero explicit_bzero)
+#if !HAVE_MEMMEM
+#explicit_bzero_SOURCES += memmem.c
+#endif
+endif()
+
+# exptest
+add_executable(exptest exptest.c)
+target_link_libraries(exptest ${OPENSSL_LIBS})
+add_test(exptest exptest)
+
+# gcm128test
+add_executable(gcm128test gcm128test.c)
+target_link_libraries(gcm128test ${OPENSSL_LIBS})
+add_test(gcm128test gcm128test)
+
+# gost2814789t
+add_executable(gost2814789t gost2814789t.c)
+target_link_libraries(gost2814789t ${OPENSSL_LIBS})
+add_test(gost2814789t gost2814789t)
+
+# hmactest
+add_executable(hmactest hmactest.c)
+target_link_libraries(hmactest ${OPENSSL_LIBS})
+add_test(hmactest hmactest)
+
+# ideatest
+add_executable(ideatest ideatest.c)
+target_link_libraries(ideatest ${OPENSSL_LIBS})
+add_test(ideatest ideatest)
+
+# igetest
+add_executable(igetest igetest.c)
+target_link_libraries(igetest ${OPENSSL_LIBS})
+add_test(igetest igetest)
+
+# md4test
+add_executable(md4test md4test.c)
+target_link_libraries(md4test ${OPENSSL_LIBS})
+add_test(md4test md4test)
+
+# md5test
+add_executable(md5test md5test.c)
+target_link_libraries(md5test ${OPENSSL_LIBS})
+add_test(md5test md5test)
+
+# mont
+add_executable(mont mont.c)
+target_link_libraries(mont ${OPENSSL_LIBS})
+add_test(mont mont)
+
+# optionstest
+add_executable(optionstest optionstest.c)
+target_link_libraries(optionstest ${OPENSSL_LIBS})
+add_test(optionstest optionstest)
+
+# pbkdf2
+add_executable(pbkdf2 pbkdf2.c)
+target_link_libraries(pbkdf2 ${OPENSSL_LIBS})
+add_test(pbkdf2 pbkdf2)
+
+# pkcs7test
+add_executable(pkcs7test pkcs7test.c)
+target_link_libraries(pkcs7test ${OPENSSL_LIBS})
+add_test(pkcs7test pkcs7test)
+
+# poly1305test
+add_executable(poly1305test poly1305test.c)
+target_link_libraries(poly1305test ${OPENSSL_LIBS})
+add_test(poly1305test poly1305test)
+
+# pq_test
+#add_executable(pq_test pq_test.c)
+#target_link_libraries(pq_test ${OPENSSL_LIBS})
+#add_test(pq_test ${CMAKE_CURRENT_SOURCE_DIR}/pq_test.sh)
+
+# randtest
+add_executable(randtest randtest.c)
+target_link_libraries(randtest ${OPENSSL_LIBS})
+add_test(randtest randtest)
+
+# rc2test
+add_executable(rc2test rc2test.c)
+target_link_libraries(rc2test ${OPENSSL_LIBS})
+add_test(rc2test rc2test)
+
+# rc4test
+add_executable(rc4test rc4test.c)
+target_link_libraries(rc4test ${OPENSSL_LIBS})
+add_test(rc4test rc4test)
+
+# rmdtest
+add_executable(rmdtest rmdtest.c)
+target_link_libraries(rmdtest ${OPENSSL_LIBS})
+add_test(rmdtest rmdtest)
+
+# sha1test
+add_executable(sha1test sha1test.c)
+target_link_libraries(sha1test ${OPENSSL_LIBS})
+add_test(sha1test sha1test)
+
+# sha256test
+add_executable(sha256test sha256test.c)
+target_link_libraries(sha256test ${OPENSSL_LIBS})
+add_test(sha256test sha256test)
+
+# sha512test
+add_executable(sha512test sha512test.c)
+target_link_libraries(sha512test ${OPENSSL_LIBS})
+add_test(sha512test sha512test)
+
+# ssltest
+#add_executable(ssltest ssltest.c)
+#target_link_libraries(ssltest ${OPENSSL_LIBS})
+#add_test(ssltest ${CMAKE_CURRENT_SOURCE_DIR}/ssltest.sh)
+
+# testdsa
+#add_test(testdsa ${CMAKE_CURRENT_SOURCE_DIR}/testdsa.sh)
+
+# testenc
+add_test(testenc ${CMAKE_CURRENT_SOURCE_DIR}/testenc.sh)
+
+# testrsa
+#add_test(testrsa ${CMAKE_CURRENT_SOURCE_DIR}/testrsa.sh)
+
+# timingsafe
+add_executable(timingsafe timingsafe.c)
+target_link_libraries(timingsafe ${OPENSSL_LIBS})
+add_test(timingsafe timingsafe)
+
+# utf8test
+add_executable(utf8test utf8test.c)
+target_link_libraries(utf8test ${OPENSSL_LIBS})
+add_test(utf8test utf8test)
+
+# verifytest
+add_executable(verifytest verifytest.c)
+target_link_libraries(verifytest tls ${OPENSSL_LIBS})
+add_test(verifytest verifytest)

tests/Makefile.am

@@ -3,15 +3,17 @@ include $(top_srcdir)/Makefile.am.common
 AM_CPPFLAGS += -I $(top_srcdir)/crypto/modes
 AM_CPPFLAGS += -I $(top_srcdir)/crypto/asn1
 AM_CPPFLAGS += -I $(top_srcdir)/ssl
-AM_CPPFLAGS += -I $(top_srcdir)/apps
+AM_CPPFLAGS += -I $(top_srcdir)/apps/openssl
+AM_CPPFLAGS += -I $(top_srcdir)/apps/openssl/compat
 
 LDADD = $(PLATFORM_LDADD) $(PROG_LDADD)
 LDADD += $(top_builddir)/ssl/libssl.la
 LDADD += $(top_builddir)/crypto/libcrypto.la
+LDADD += $(top_builddir)/tls/libtls.la
 
 TESTS =
 check_PROGRAMS =
-EXTRA_DIST =
+EXTRA_DIST = CMakeLists.txt
 DISTCLEANFILES = pidwraptest.txt
 
 # aeadtest
@@ -89,6 +91,11 @@ TESTS += cipherstest
 check_PROGRAMS += cipherstest
 cipherstest_SOURCES = cipherstest.c
 
+# clienttest
+TESTS += clienttest
+check_PROGRAMS += clienttest
+clienttest_SOURCES = clienttest.c
+
 # cts128test
 TESTS += cts128test
 check_PROGRAMS += cts128test
@@ -208,9 +215,10 @@ pbkdf2_SOURCES = pbkdf2.c
 # pidwraptest relies on an OS-specific way to give out pids and is generally
 # awkward on systems with slow fork
 if ENABLE_EXTRATESTS
-TESTS += pidwraptest
+TESTS += pidwraptest.sh
 check_PROGRAMS += pidwraptest
 pidwraptest_SOURCES = pidwraptest.c
+EXTRA_DIST += pidwraptest.sh
 endif
 
 # pkcs7test
@@ -265,11 +273,6 @@ TESTS += sha512test
 check_PROGRAMS += sha512test
 sha512test_SOURCES = sha512test.c
 
-# shatest
-TESTS += shatest
-check_PROGRAMS += shatest
-shatest_SOURCES = shatest.c
-
 # ssltest
 TESTS += ssltest.sh
 check_PROGRAMS += ssltest
@@ -300,3 +303,7 @@ TESTS += utf8test
 check_PROGRAMS += utf8test
 utf8test_SOURCES = utf8test.c
 
+# verifytest
+TESTS += verifytest
+check_PROGRAMS += verifytest
+verifytest_SOURCES = verifytest.c

tests/ssltest.sh

@@ -6,9 +6,9 @@ if [ -e ./ssltest.exe ]; then
 	ssltest_bin=./ssltest.exe
 fi
 
-openssl_bin=../apps/openssl
-if [ -e ../apps/openssl.exe ]; then
-	openssl_bin=../apps/openssl.exe
+openssl_bin=../apps/openssl/openssl
+if [ -e ../apps/openssl/openssl.exe ]; then
+	openssl_bin=../apps/openssl/openssl.exe
 fi
 
 if [ -z $srcdir ]; then

tests/testdsa.sh

@@ -4,9 +4,9 @@
 
 #Test DSA certificate generation of openssl
 
-cmd=../apps/openssl
-if [ -e ../apps/openssl.exe ]; then
-	cmd=../apps/openssl.exe
+cmd=../apps/openssl/openssl
+if [ -e ../apps/openssl/openssl.exe ]; then
+	cmd=../apps/openssl/openssl.exe
 fi
 
 if [ -z $srcdir ]; then

tests/testenc.sh

@@ -2,9 +2,9 @@
 #	$OpenBSD: testenc.sh,v 1.1 2014/08/26 17:50:07 jsing Exp $
 
 test=p
-cmd=../apps/openssl
-if [ -e ../apps/openssl.exe ]; then
-	cmd=../apps/openssl.exe
+cmd=../apps/openssl/openssl
+if [ -e ../apps/openssl/openssl.exe ]; then
+	cmd=../apps/openssl/openssl.exe
 fi
 
 cat openssl.cnf >$test;

tests/testrsa.sh

@@ -4,9 +4,9 @@
 
 #Test RSA certificate generation of openssl
 
-cmd=../apps/openssl
-if [ -e ../apps/openssl.exe ]; then
-	cmd=../apps/openssl.exe
+cmd=../apps/openssl/openssl
+if [ -e ../apps/openssl/openssl.exe ]; then
+	cmd=../apps/openssl/openssl.exe
 fi
 
 if [ -z $srcdir ]; then

tls/CMakeLists.txt

@@ -0,0 +1,36 @@
+include_directories(
+	.
+	../include
+	../include/compat
+)
+
+set(
+	TLS_SRC
+	tls.c
+	tls_client.c
+	tls_config.c
+	tls_conninfo.c
+	tls_server.c
+	tls_peer.c
+	tls_util.c
+	tls_verify.c
+)
+
+
+if(NOT HAVE_STRCASECMP)
+	set(TLS_SRC ${TLS_SRC} strsep.c)
+endif()
+
+if (BUILD_SHARED)
+	add_library(tls-objects OBJECT ${TLS_SRC})
+	add_library(tls STATIC $<TARGET_OBJECTS:tls-objects>)
+	add_library(tls-shared SHARED $<TARGET_OBJECTS:tls-objects>)
+	set_target_properties(tls-shared PROPERTIES OUTPUT_NAME tls)
+	set_target_properties(tls-shared PROPERTIES VERSION ${TLS_VERSION}
+		SOVERSION ${TLS_MAJOR_VERSION})
+	install(TARGETS tls tls-shared DESTINATION lib)
+else()
+	add_library(tls STATIC ${TLS_SRC})
+	install(TARGETS tls DESTINATION lib)
+endif()
+

tls/Makefile.am

@@ -3,6 +3,7 @@ include $(top_srcdir)/Makefile.am.common
 lib_LTLIBRARIES = libtls.la
 
 EXTRA_DIST = VERSION
+EXTRA_DIST += CMakeLists.txt
 
 libtls_la_LDFLAGS = -version-info @LIBTLS_VERSION@ -no-undefined
 libtls_la_LIBADD = ../crypto/libcrypto.la ../ssl/libssl.la $(PLATFORM_LDADD)
@@ -10,7 +11,9 @@ libtls_la_LIBADD = ../crypto/libcrypto.la ../ssl/libssl.la $(PLATFORM_LDADD)
 libtls_la_SOURCES = tls.c
 libtls_la_SOURCES += tls_client.c
 libtls_la_SOURCES += tls_config.c
+libtls_la_SOURCES += tls_conninfo.c
 libtls_la_SOURCES += tls_server.c
+libtls_la_SOURCES += tls_peer.c
 libtls_la_SOURCES += tls_util.c
 libtls_la_SOURCES += tls_verify.c
 noinst_HEADERS = tls_internal.h

update.sh

@@ -1,8 +1,7 @@
-#!/usr/bin/env bash
+#!/bin/sh
 set -e
 
 openbsd_branch=`cat OPENBSD_BRANCH`
-libressl_version=`cat VERSION`
 
 # pull in latest upstream code
 echo "pulling upstream openbsd source"
@@ -26,20 +25,21 @@ libcrypto_regress=$CWD/openbsd/src/regress/lib/libcrypto
 libssl_src=$CWD/openbsd/src/lib/libssl
 libssl_regress=$CWD/openbsd/src/regress/lib/libssl
 libtls_src=$CWD/openbsd/src/lib/libtls
-openssl_app_src=$CWD/openbsd/src/usr.bin/openssl
+libtls_regress=$CWD/openbsd/src/regress/lib/libtls
+app_src=$CWD/openbsd/src/usr.bin
 
 # load library versions
-source $libcrypto_src/crypto/shlib_version
+. $libcrypto_src/crypto/shlib_version
 libcrypto_version=$major:$minor:0
 echo "libcrypto version $libcrypto_version"
 echo $libcrypto_version > crypto/VERSION
 
-source $libssl_src/ssl/shlib_version
+. $libssl_src/ssl/shlib_version
 libssl_version=$major:$minor:0
 echo "libssl version $libssl_version"
 echo $libssl_version > ssl/VERSION
 
-source $libtls_src/shlib_version
+. $libtls_src/shlib_version
 libtls_version=$major:$minor:0
 echo "libtls version $libtls_version"
 echo $libtls_version > tls/VERSION
@@ -53,38 +53,45 @@ do_mv() {
 		rm -f "$1"
 	fi
 }
-CP='cp -p'
 MV='do_mv'
 
+do_cp_libc() {
+	sed "/DEF_WEAK/d" < "$1" > "$2"/`basename "$1"`
+}
+CP_LIBC='do_cp_libc'
+
+CP='cp -p'
+
 $CP $libssl_src/src/LICENSE COPYING
 
 $CP $libcrypto_src/crypto/arch/amd64/opensslconf.h include/openssl
 $CP $libssl_src/src/crypto/opensslfeatures.h include/openssl
-$CP $libssl_src/src/e_os2.h include/openssl
 $CP $libssl_src/src/ssl/pqueue.h include
 
 $CP $libtls_src/tls.h include
 $CP $libtls_src/tls.h libtls-standalone/include
 
 for i in crypto/compat libtls-standalone/compat; do
-	$CP $libc_src/crypt/arc4random.c \
-		$libc_src/crypt/chacha_private.h \
-		$libc_src/string/explicit_bzero.c \
-		$libc_src/stdlib/reallocarray.c \
-		$libc_src/string/strlcpy.c \
-		$libc_src/string/strlcat.c \
-		$libc_src/string/strndup.c \
-		$libc_src/string/strnlen.c \
-		$libc_src/string/timingsafe_bcmp.c \
-		$libc_src/string/timingsafe_memcmp.c \
-		$libcrypto_src/crypto/getentropy_*.c \
-		$libcrypto_src/crypto/arc4random_*.h \
-		$i
+	for j in $libc_src/crypt/arc4random.c \
+	    $libc_src/crypt/chacha_private.h \
+	    $libc_src/string/explicit_bzero.c \
+	    $libc_src/stdlib/reallocarray.c \
+	    $libc_src/string/strcasecmp.c \
+	    $libc_src/string/strlcpy.c \
+	    $libc_src/string/strlcat.c \
+	    $libc_src/string/strndup.c \
+	    $libc_src/string/strnlen.c \
+	    $libc_src/string/timingsafe_bcmp.c \
+	    $libc_src/string/timingsafe_memcmp.c \
+	    $libcrypto_src/crypto/getentropy_*.c \
+	    $libcrypto_src/crypto/arc4random_*.h; do
+		$CP_LIBC $j $i
+	done
 done
 
-$CP include/stdlib.h \
-	include/string.h \
-	include/unistd.h \
+$CP include/compat/stdlib.h \
+	include/compat/string.h \
+	include/compat/unistd.h \
 	libtls-standalone/include
 
 $CP crypto/compat/arc4random*.h \
@@ -120,9 +127,9 @@ copy_hdrs crypto "stack/stack.h lhash/lhash.h stack/safestack.h
 
 copy_hdrs ssl "srtp.h ssl.h ssl2.h ssl3.h ssl23.h tls1.h dtls1.h"
 
-sed -e "s/\"LibreSSL .*\"/\"LibreSSL ${libressl_version}\"/" \
-	$libssl_src/src/crypto/opensslv.h > include/openssl/opensslv.h.lcl
-$MV include/openssl/opensslv.h.lcl include/openssl/opensslv.h
+$CP $libssl_src/src/crypto/opensslv.h include/openssl
+awk '/LIBRESSL_VERSION_TEXT/ {print $4}' < include/openssl/opensslv.h | cut -d\" -f1 > VERSION
+echo "LibreSSL version `cat VERSION`"
 
 # copy libcrypto source
 echo copying libcrypto source
@@ -143,7 +150,7 @@ $CP crypto/compat/ui_openssl_win.c crypto/ui
 asm_src=$libssl_src/src/crypto
 gen_asm_stdout() {
 	perl $asm_src/$2 $1 > $3.tmp
-	[[ $1 == "elf" ]] && cat <<-EOF >> $3.tmp
+	[ $1 = "elf" ] && cat <<-EOF >> $3.tmp
 	#if defined(HAVE_GNU_STACK)
 	.section .note.GNU-stack,"",%progbits
 	#endif
@@ -152,7 +159,7 @@ gen_asm_stdout() {
 }
 gen_asm() {
 	perl $asm_src/$2 $1 $3.tmp
-	[[ $1 == "elf" ]] && cat <<-EOF >> $3.tmp
+	[ $1 = "elf" ] && cat <<-EOF >> $3.tmp
 	#if defined(HAVE_GNU_STACK)
 	.section .note.GNU-stack,"",%progbits
 	#endif
@@ -191,8 +198,10 @@ for i in `awk '/SOURCES|HEADERS/ { print $3 }' tls/Makefile.am` ; do
 		$CP $libtls_src/$i libtls-standalone/src
 	fi
 done
-$CP $libc_src/string/strsep.c tls
-$CP $libc_src/string/strsep.c libtls-standalone/compat
+
+$CP_LIBC $libc_src/string/strsep.c tls
+$CP_LIBC $libc_src/string/strsep.c libtls-standalone/compat
+
 mkdir -p libtls-standalone/m4
 $CP m4/check*.m4 \
 	m4/disable*.m4 \
@@ -200,16 +209,30 @@ $CP m4/check*.m4 \
 sed -e "s/compat\///" crypto/Makefile.am.arc4random > \
 	libtls-standalone/compat/Makefile.am.arc4random
 
-# copy openssl(1) source
-echo "copying openssl(1) source"
-$CP $libc_src/stdlib/strtonum.c apps
-$CP $libcrypto_src/openssl.cnf apps
-for i in `awk '/SOURCES|HEADERS/ { print $3 }' apps/Makefile.am` ; do
-	if [ -e $openssl_app_src/$i ]; then
-		$CP $openssl_app_src/$i apps
+# copy nc(1) source
+echo "copying nc(1) source"
+$CP $app_src/nc/nc.1 apps/nc
+rm -f apps/nc/*.c apps/nc/*.h
+$CP_LIBC $libc_src/stdlib/strtonum.c apps/nc/compat
+for i in `awk '/SOURCES|HEADERS|MANS/ { print $3 }' apps/nc/Makefile.am` ; do
+	if [ -e $app_src/nc/$i ]; then
+		$CP $app_src/nc/$i apps/nc
+	fi
+done
+
+# copy openssl(1) source
+echo "copying openssl(1) source"
+$CP $app_src/openssl/openssl.1 apps/openssl
+rm -f apps/openssl/*.c apps/openssl/*.h
+$CP_LIBC $libc_src/stdlib/strtonum.c apps/openssl/compat
+$CP $libcrypto_src/cert.pem apps/openssl
+$CP $libcrypto_src/openssl.cnf apps/openssl
+$CP $libcrypto_src/x509v3.cnf apps/openssl
+for i in `awk '/SOURCES|HEADERS|MANS/ { print $3 }' apps/openssl/Makefile.am` ; do
+	if [ -e $app_src/openssl/$i ]; then
+		$CP $app_src/openssl/$i apps/openssl
 	fi
 done
-patch -p0 < patches/openssl.c.patch
 
 # copy libssl source
 echo "copying libssl source"
@@ -230,7 +253,7 @@ $CP $libcrypto_regress/pqueue/expected.txt tests/pq_expected.txt
 # copy libc tests
 $CP $libc_regress/arc4random-fork/arc4random-fork.c tests/arc4randomforktest.c
 $CP $libc_regress/explicit_bzero/explicit_bzero.c tests
-$CP $libc_src/string/memmem.c tests
+$CP_LIBC $libc_src/string/memmem.c tests
 $CP $libc_regress/timingsafe/timingsafe.c tests
 
 # copy libssl tests
@@ -242,6 +265,11 @@ $CP $libssl_regress/unit/tests.h tests
 $CP $libssl_regress/certs/ca.pem tests
 $CP $libssl_regress/certs/server.pem tests
 
+# copy libtls tests
+for i in `find $libtls_regress -name '*.c'`; do
+	 $CP "$i" tests
+done
+
 chmod 755 tests/testssl
 
 # add headers
@@ -272,12 +300,15 @@ add_man_links() {
 	done
 }
 
+# apply local patches
+for i in patches/*.patch; do
+    patch -p0 < $i
+done
+
 # copy manpages
 echo "copying manpages"
-echo dist_man_MANS= > man/Makefile.am
-
-$CP $openssl_app_src/openssl.1 man
-echo "dist_man_MANS += openssl.1" >> man/Makefile.am
+echo EXTRA_DIST = CMakeLists.txt > man/Makefile.am
+echo dist_man_MANS = >> man/Makefile.am
 
 $CP $libtls_src/tls_init.3 man
 echo "dist_man_MANS += tls_init.3" >> man/Makefile.am
@@ -301,7 +332,7 @@ echo "dist_man_MANS += tls_init.3" >> man/Makefile.am
 		BASE=`echo $i|sed -e "s/\.pod//"`
 		NAME=`basename "$BASE"`
 		# reformat file if new
-		if [ ! -f $NAME.3 -o $BASE.pod -nt $NAME.3 -o ../VERSION -nt $NAME.3 ]; then
+		if [ ! -f $NAME.3 -o $BASE.pod -nt $NAME.3 -o ../include/openssl/opensslv.h -nt $NAME.3 ]; then
 			echo processing $NAME
 			pod2man --official --release="LibreSSL $VERSION" --center=LibreSSL \
 				--section=3 $POD2MAN --name=$NAME < $BASE.pod > $NAME.3