update for 2.1.10

update version and changelog for 2.1.9
update for 2.1.8
2016-01-28 12:28:22 -06:00 · 2015-12-05 13:13:12 -06:00 · 2015-10-15 16:16:13 -05:00 · 2015-06-11 09:00:29 -05:00 · 2015-03-19 01:13:01 -05:00 · 2015-03-19 00:40:37 -05:00
110 changed files with 2104 additions and 6084 deletions
--- a/.gitignore
+++ b/.gitignore
@@ -45,16 +45,13 @@ Makefile.in
 test-driver
 *.log
 *.trs
 !tests/optionstest.c
 tests/aes_wrap*
 tests/arc4random_fork*
 tests/cipher*
 tests/explicit_bzero*
 tests/gost2814789t*
 tests/mont*
 tests/timingsafe*
 tests/*test
 tests/tests.h
 tests/*test.c
 tests/memmem.c
 tests/pbkdf2*
@@ -65,39 +62,41 @@ tests/*.txt
 # ctags stuff
 TAGS
-autom4te.cache
+## The initial / makes these files only get ignored in particular directories.
 /autom4te.cache
 # Libtool adds these, at least sometimes
 INSTALL
-/COPYING
+/m4/libtool.m4
-!m4/check*.m4
+/m4/ltoptions.m4
-m4/l*
+/m4/ltsugar.m4
 /m4/ltversion.m4
 /m4/lt~obsolete.m4
-aclocal.m4
+/aclocal.m4
-compile
+/compile
-doxygen
+/doxygen
-config.guess
+/config.guess
-config.log
+/config.log
-config.status
+/config.status
-config.sub
+/config.sub
-configure
+/configure
-depcomp
+/depcomp
-config.h
+/config.h
-config.h.in
+/config.h.in
-install-sh
+/install-sh
-libtool
+/libtool
-ltmain.sh
+/ltmain.sh
-missing
+/missing
-stamp-h1
+/stamp-h1
-stamp-h2
+/stamp-h2
 include/openssl/Makefile.am
 tests/Makefile.am
 VERSION
 crypto/VERSION
 ssl/VERSION
 tls/VERSION
 libtls-standalone/VERSION
 ssl/*.c
 ssl/*.h
@@ -106,42 +105,98 @@ tls/*.h
 include/pqueue.h
 include/tls.h
 include/openssl/*.h
 include/openssl/*.he
 apps/*.h
 apps/*.c
 apps/openssl
 apps/openssl.cnf
 !apps/apps_win.c
 !apps/poll_win.c
 !apps/certhash_disabled.c
-!/apps/apps_win.c
+crypto/compat/arc4random.c
-!/apps/poll_win.c
+crypto/compat/chacha_private.h
-!/apps/certhash_disabled.c
+crypto/compat/explicit_bzero.c
-/apps/*.h
+crypto/compat/getentropy_*.c
-/apps/*.c
+crypto/compat/reallocarray.c
-/apps/*.cnf
+crypto/compat/strlcat.c
-/apps/*.pem
+crypto/compat/strlcpy.c
-/apps/openssl
+crypto/compat/strndup.c
-
+crypto/compat/strnlen.c
-!/crypto/Makefile.am.*
+crypto/compat/timingsafe_bcmp.c
-!/crypto/compat/arc4random.h
+crypto/compat/timingsafe_memcmp.c
-!/crypto/compat/b_win.c
+crypto/compat/arc4random_*.h
 !/crypto/compat/explicit_bzero_win.c
 !/crypto/compat/posix_win.c
 !/crypto/compat/bsd_asprintf.c
 !/crypto/compat/inet_pton.c
 !/crypto/compat/ui_openssl_win.c
 !/crypto/CMakeLists.txt
 /crypto
 !/libtls-standalone/compat/Makefile.am
 /libtls-standalone/include/*.h
 /libtls-standalone/src/*.c
 /libtls-standalone/src/*.h
 /libtls-standalone/src
 /libtls-standalone/tests/test
 /libtls-standalone/compat
 /libtls-standalone/VERSION
 /libtls-standalone/m4
 /libtls-standalone/man
 crypto/aes/
 crypto/asn1/
 crypto/bf/
 crypto/bio/
 crypto/bn/
 crypto/buffer/
 crypto/camellia/
 crypto/cast/
 crypto/camellia/
 crypto/chacha/
 crypto/cmac/
 crypto/comp/
 crypto/conf/
 crypto/cpt_err.c
 crypto/cryptlib.c
 crypto/cryptlib.h
 crypto/cversion.c
 crypto/des/
 crypto/dh/
 crypto/dsa/
 crypto/dso/
 crypto/ec/
 crypto/ecdh/
 crypto/ecdsa/
 crypto/engine/
 crypto/err/
 crypto/evp/
 crypto/ex_data.c
 crypto/gost/
 crypto/hmac/
 crypto/idea/
 crypto/krb5/
 crypto/lhash/
 crypto/malloc-wrapper.c
 crypto/md32_common.h
 crypto/md4/
 crypto/md5/
 crypto/mdc2/
 crypto/mem_clr.c
 crypto/mem_dbg.c
 crypto/modes/
 crypto/o_init.c
 crypto/o_str.c
 crypto/o_time.c
 crypto/o_time.h
 crypto/objects
 crypto/ocsp/
 crypto/pem/
 crypto/pkcs12/
 crypto/pkcs7/
 crypto/poly1305/
 crypto/pqueue/
 crypto/rand/
 crypto/rc2/
 crypto/rc4/
 crypto/ripemd/
 crypto/rsa/
 crypto/sha/
 crypto/stack/
 crypto/ts/
 crypto/txt_db/
 crypto/ui/
 crypto/whrlpool/
 crypto/x509/
 crypto/x509v3/
 openbsd/
 *.tar.gz
 apps/*.1*
 man/*.3
 man/*.1
 man/Makefile.am
 .gitmodules
 COPYING
--- a/libtls-standalone/AUTHORS
+++ b/libtls-standalone/AUTHORS
--- a/CMakeLists.txt
+++ b/CMakeLists.txt
@@ -1,182 +0,0 @@
 cmake_minimum_required (VERSION 2.8)
 include(CheckFunctionExists)
 include(CheckLibraryExists)
 include(CheckIncludeFiles)
 project (LibreSSL)
 enable_testing()
 file(READ ${CMAKE_SOURCE_DIR}/ssl/VERSION SSL_VERSION)
 string(STRIP ${SSL_VERSION} SSL_VERSION)
 string(REPLACE ":" "." SSL_VERSION ${SSL_VERSION})
 string(REGEX REPLACE "\\..*" "" SSL_MAJOR_VERSION ${SSL_VERSION})
 file(READ ${CMAKE_SOURCE_DIR}/crypto/VERSION CRYPTO_VERSION)
 string(STRIP ${CRYPTO_VERSION} CRYPTO_VERSION)
 string(REPLACE ":" "." CRYPTO_VERSION ${CRYPTO_VERSION})
 string(REGEX REPLACE "\\..*" "" CRYPTO_MAJOR_VERSION ${CRYPTO_VERSION})
 file(READ ${CMAKE_SOURCE_DIR}/tls/VERSION TLS_VERSION)
 string(STRIP ${TLS_VERSION} TLS_VERSION)
 string(REPLACE ":" "." TLS_VERSION ${TLS_VERSION})
 string(REGEX REPLACE "\\..*" "" TLS_MAJOR_VERSION ${TLS_VERSION})
 if(CMAKE_SYSTEM_NAME MATCHES "OpenBSD")
 	add_definitions(-DHAVE_ATTRIBUTE__BOUNDED__)
 endif()
 if(CMAKE_SYSTEM_NAME MATCHES "Linux")
 	add_definitions(-D_DEFAULT_SOURCE)
 	add_definitions(-D_BSD_SOURCE)
 	add_definitions(-D_POSIX_SOURCE)
 	add_definitions(-D_GNU_SOURCE)
 endif()
 add_definitions(-DLIBRESSL_INTERNAL)
 add_definitions(-DOPENSSL_NO_HW_PADLOCK)
 add_definitions(-DOPENSSL_NO_ASM)
 set(CMAKE_POSITION_INDEPENDENT_CODE true)
 if (CMAKE_COMPILER_IS_GNUCC OR CMAKE_C_COMPILER_ID MATCHES "Clang")
 	add_definitions(-Wno-pointer-sign)
 endif()
 if(MSVC)
 	add_definitions(-Dinline=__inline)
 	add_definitions(-Drestrict)
 	add_definitions(-D_CRT_SECURE_NO_WARNINGS)
 	add_definitions(-D_CRT_DEPRECATED_NO_WARNINGS)
 	add_definitions(-D_REENTRANT -D_POSIX_THREAD_SAFE_FUNCTIONS)
 	add_definitions(-DWIN32_LEAN_AND_MEAN -D_WIN32_WINNT=0x0501)
 	add_definitions(-DCPPFLAGS -DOPENSSL_NO_SPEED -DNO_SYSLOG -DNO_CRYPT)
 	set(MSVC_DISABLED_WARNINGS_LIST
 		"C4057" # C4057: 'initializing' : 'unsigned char *' differs in
 		        # indirection to slightly different base types from 'char [2]'
 		"C4100" # 'exarg' : unreferenced formal parameter
 		"C4127" # conditional expression is constant
 		"C4242" # 'function' : conversion from 'int' to 'uint8_t',
 		        # possible loss of data
 		"C4244" # 'function' : conversion from 'int' to 'uint8_t',
 		        # possible loss of data
 		"C4706" # assignment within conditional expression
 		"C4820" # 'bytes' bytes padding added after construct 'member_name'
 		"C4996" # 'read': The POSIX name for this item is deprecated. Instead,
 		        # use the ISO C++ conformant name: _read.
 	)
 	string(REPLACE "C" " -wd" MSVC_DISABLED_WARNINGS_STR
 		${MSVC_DISABLED_WARNINGS_LIST})
 	set(CMAKE_C_FLAGS  "-MP -W4 ${MSVC_DISABLED_WARNINGS_STR}")
 endif()
 check_function_exists(asprintf HAVE_ASPRINTF)
 if(HAVE_ASPRINTF)
 	add_definitions(-DHAVE_ASPRINTF)
 endif()
 check_function_exists(inet_pton HAVE_INET_PTON)
 if(HAVE_INET_PTON)
 	add_definitions(-DHAVE_INET_PTON)
 endif()
 check_function_exists(reallocarray HAVE_REALLOCARRAY)
 if(HAVE_REALLOCARRAY)
 	add_definitions(-DHAVE_REALLOCARRAY)
 endif()
 check_function_exists(strcasecmp HAVE_STRCASECMP)
 if(HAVE_STRCASECMP)
 	add_definitions(-DHAVE_STRCASECMP)
 endif()
 check_function_exists(strlcat HAVE_STRLCAT)
 if(HAVE_STRLCAT)
 	add_definitions(-DHAVE_STRLCAT)
 endif()
 check_function_exists(strlcat HAVE_STRLCPY)
 if(HAVE_STRLCPY)
 	add_definitions(-DHAVE_STRLCPY)
 endif()
 check_function_exists(strndup HAVE_STRNDUP)
 if(HAVE_STRNDUP)
 	add_definitions(-DHAVE_STRNDUP)
 endif()
 if(MSVC)
 	set(HAVE_STRNLEN)
 	add_definitions(-DHAVE_STRNLEN)
 else()
 	check_function_exists(strnlen HAVE_STRNLEN)
 	if(HAVE_STRNLEN)
 		add_definitions(-DHAVE_STRNLEN)
 	endif()
 endif()
 check_function_exists(strsep HAVE_STRSEP)
 if(HAVE_STRSEP)
 	add_definitions(-DHAVE_STRSEP)
 endif()
 check_function_exists(arc4random_buf HAVE_ARC4RANDOM_BUF)
 if(HAVE_ARC4RANDOM_BUF)
 	add_definitions(-DHAVE_ARC4RANDOM_BUF)
 endif()
 check_function_exists(explicit_bzero HAVE_EXPLICIT_BZERO)
 if(HAVE_EXPLICIT_BZERO)
 	add_definitions(-DHAVE_EXPLICIT_BZERO)
 endif()
 check_function_exists(getauxval HAVE_GETAUXVAL)
 if(HAVE_GETAUXVAL)
 	add_definitions(-DHAVE_GETAUXVAL)
 endif()
 check_function_exists(getentropy HAVE_GETENTROPY)
 if(HAVE_GETENTROPY)
 	add_definitions(-DHAVE_GETENTROPY)
 endif()
 check_function_exists(timingsafe_bcmp HAVE_TIMINGSAFE_BCMP)
 if(HAVE_TIMINGSAFE_BCMP)
 	add_definitions(-DHAVE_TIMINGSAFE_BCMP)
 endif()
 check_function_exists(timingsafe_memcmp HAVE_TIMINGSAFE_MEMCMP)
 if(HAVE_MEMCMP)
 	add_definitions(-DHAVE_MEMCMP)
 endif()
 check_include_files(err.h HAVE_ERR_H)
 if(HAVE_ERR_H)
 	add_definitions(-DHAVE_ERR_H)
 endif()
 set(OPENSSL_LIBS ssl crypto)
 if(CMAKE_HOST_WIN32)
 	set(OPENSSL_LIBS ${OPENSSL_LIBS} ws2_32)
 endif()
 if(CMAKE_SYSTEM_NAME MATCHES "Linux")
 	check_library_exists(rt clock_gettime "time.h" HAVE_CLOCK_GETTIME)
 	if (HAVE_CLOCK_GETTIME)
 		set(OPENSSL_LIBS ${OPENSSL_LIBS} rt)
 	endif()
 endif()
 if(NOT (CMAKE_SYSTEM_NAME MATCHES "Darwin" OR MSVC))
 	set(BUILD_SHARED true)
 endif()
 add_subdirectory(crypto)
 add_subdirectory(ssl)
 add_subdirectory(apps)
 add_subdirectory(tls)
 add_subdirectory(include)
 if(NOT MSVC)
 	add_subdirectory(man)
 	add_subdirectory(tests)
 endif()
--- a/129
+++ b/129
@@ -28,116 +28,39 @@ history is also available from Git.
 LibreSSL Portable Release Notes:
-2.2.4 - Build and bug fixes
+This release primarily addresses a number of security issues in coordination
 with the OpenSSL project.
-	* Backported build fixes for CMake on Windows, OSX and Linux
+2.1.10
 	* Deprecated the SSL_OP_SINGLE_DH_USE flag
 2.1.9 - Reliability Update
 	* Fixes from OpenSSL 1.0.1q
 	 - CVE-2015-3194 - NULL pointer dereference in client side certificate
 	                   validation.
 	 - CVE-2015-3195 - Memory leak in PKCS7 - not reachable from TLS/SSL
 	* The following OpenSSL CVEs did not apply to LibreSSL
 	 - CVE-2015-3193 - Carry propagating bug in the x86_64 Montgomery squaring
 	                   procedure.
 	 - CVE-2015-3196 - Double free race condition of the identify hint data.
 	 See https://marc.info/?l=openbsd-announce&m=144925068504102
 2.1.8 - Security Update
 	* Fixes for a memory leak and out-of-bounds access in OBJ_obj2txt
 	  reported by Qualys Security.
 	 - CVE-2015-5333 - memory leak in OBJ_obj2txt
 	 - CVE-2015-5334 - 1-byte buffer overflow in OBJ_obj2txt
-2.2.3 - Bug fixes, build enhancements
+	 See http://www.openwall.com/lists/oss-security/2015/10/16/1
-	* LibreSSL 2.2.2 incorrectly handles ClientHello messages that do not
+2.1.7 - Security Update
 	  include TLS extensions, resulting in such handshakes being aborted.
 	  This release corrects the handling of such messages. Thanks to
 	  Ligushka from github for reporting the issue.
-	* Added install target for cmake builds. Thanks to TheNietsnie from
+	* Fixes for the following issues are integrated into LibreSSL 2.1.7:
 	  github.
 	* Updated pkgconfig files to correctly report the release version
 	  number, not the individual library ABI version numbers. Thanks to
 	  Jan Engelhardt for reporting the issue.
 2.2.2 - More TLS parser rework, bug fixes, expanded portable build support
 	* Switched 'openssl dhparam' default from 512 to 2048 bits
 	* Reworked openssl(1) option handling
 	* More CRYPTO ByteString (CBC) packet parsing conversions
 	* Fixed 'openssl pkeyutl -verify' to exit with a 0 on success
 	* Fixed dozens of Coverity issues including dead code, memory leaks,
 	  logic errors and more.
 	* Ensure that openssl(1) restores terminal echo state after reading a
 	  password.
 	* Incorporated fix for OpenSSL Issue #3683
 	* LibreSSL version define LIBRESSL_VERSION_NUMBER will now be bumped
 	  for each portable release.
 	* Removed workarounds for TLS client padding bugs.
 	* No longer disable ECDHE-ECDSA on OS X
 	* Removed SSLv3 support from openssl(1)
 	* Removed IE 6 SSLv3 workarounds.
 	* Modified tls_write in libtls to allow partial writes, clarified with
 	  examples in the documentation.
 	* Removed RSAX engine
 	* Tested SSLv3 removal with the OpenBSD ports tree and found several
 	  applications that were not ready to build without SSLv3 yet. For
 	  now, building a program that intentionally uses SSLv3 will result in
 	  a linker warning.
 	* Added TLS_method, TLS_client_method and TLS_server_method as a
 	  replacement for the SSLv23_*method calls.
 	* Added initial cmake build support, including support for building with
 	  Visual Studio, currently tested with Visual Studio 2013 Community
 	  Edition.
 	* --with-enginesdir is removed as a configuration parameter
 	* Default cert.pem, openssl.cnf, and x509v3.cnf files are now
 	  installed under $sysconfdir/ssl or the directory specified by
 	  --with-openssldir. Previous versions of LibreSSL left these empty.
 2.2.1 - Build fixes, feature added, features removed
 	* Assorted build fixes for musl, HP-UX, Mingw, Solaris.
 	* Initial support for Windows Embedded 2009, Server 2003, XP
 	* Protocol parsing conversions to BoringSSL's CRYPTO ByteString (CBS) API
 	* Added EC_curve_nid2nist and EC_curve_nist2nid from OpenSSL
 	* Removed Dynamic Engine support
 	* Removed unused and obsolete MDC-2DES cipher
 	* Removed workarounds for obsolete SSL implementations
 2.2.0 - Build cleanups and new OS support, Security Updates
 	* AIX Support - thanks to Michael Felt
 	* Cygwin Support - thanks to Corinna Vinschen
 	* Refactored build macros, support packaging libtls independently.
 	  There are more pieces required to support building and using OpenSSL
 	  with libtls, but this is an initial start at providing an
 	  independent package for people to start hacking on.
 	* Removal of OPENSSL_issetugid and all library getenv calls.
 	  Applications can and should no longer rely on environment variables
 	  for changing library behavior. OPENSSL_CONF/SSLEAY_CONF is still
 	  supported with the openssl(1) command.
 	* libtls API and documentation additions
 	* Various bug fixes and simplifications to libssl and libcrypto
 	* Fixes for the following issues are integrated into LibreSSL 2.2.0:
 	 - CVE-2015-1788 - Malformed ECParameters causes infinite loop
 	 - CVE-2015-1789 - Exploitable out-of-bounds read in X509_cmp_time
 	 - CVE-2015-1792 - CMS verify infinite loop with unknown hash function
--- a/Makefile.am
+++ b/Makefile.am
@@ -4,5 +4,4 @@ ACLOCAL_AMFLAGS = -I m4
 pkgconfigdir = $(libdir)/pkgconfig
 pkgconfig_DATA = libcrypto.pc libssl.pc libtls.pc openssl.pc
-EXTRA_DIST = README.md README.windows VERSION config scripts
+EXTRA_DIST = README README.windows VERSION config scripts
 EXTRA_DIST += CMakeLists.txt
--- a/Makefile.am.common
+++ b/Makefile.am.common
@@ -1,2 +1,2 @@
-AM_CFLAGS =
+AM_CPPFLAGS = -I$(top_srcdir)/include
-AM_CPPFLAGS = -I$(top_srcdir)/include -I$(top_srcdir)/include/compat -DLIBRESSL_INTERNAL
+AM_CPPFLAGS += -DLIBRESSL_INTERNAL
--- a/libtls-standalone/NEWS
+++ b/libtls-standalone/NEWS
--- a/2
+++ b/2
@@ -1 +1 @@
-OPENBSD_5_8
+OPENBSD_5_7
--- a/50
+++ b/50
@@ -0,0 +1,50 @@
 This package is the official portable version of LibreSSL
 	(http://www.libressl.org).
 LibreSSL is a fork of OpenSSL developed by the OpenBSD project
 (http://www.openbsd.org). LibreSSL is developed on OpenBSD. This
 package then adds portability shims for other operating systems.
 Official release tarballs are available at your friendly neighborhood
 OpenBSD mirror in directory LibreSSL, e.g.:
 	http://ftp.openbsd.org/pub/OpenBSD/LibreSSL/
 although we suggest that you use a mirror:
 	http://www.openbsd.org/ftp.html
 The LibreSSL portable build framework is also mirrored in Github:
 	https://github.com/libressl-portable/portable
 Please report bugs either to tech@openbsd.org, or to the github issue tracker:
 	https://github.com/libressl-portable/portable/issues
 If you have checked this source using Git, follow these initial steps to
 prepare the source tree for building:
 1. ensure you have the following packages installed:
 	automake, autoconf, bash, git, libtool, perl, pod2man
 2. run './autogen.sh' to prepare the source tree for building
    or run './dist.sh' to prepare a tarball.
 Once you have a source tree from Git or FTP, run these commands to build and
 install the package:
  ./configure   # see ./configure --help for configuration options
  make check    # runs builtin unit tests
  make install  # set DESTDIR= to install to an alternate location
 The resulting library and 'openssl' utility is largely API-compatible with
 OpenSSL 1.0.1. However, it is not ABI compatible - you will need to relink your
 programs to LibreSSL in order to use it, just as in moving from OpenSSL 0.9.8
 to 1.0.1.
 The project attempts to provide working alternatives for operating systems with
 limited or broken security primitives (e.g. arc4random(3), issetugid(2)) and
 assists with improving OS-native implementations where possible.
 LibreSSL portable will build on any reasonably modern version of Linux,
 Solaris, or OSX with a standards-compliant compiler and C library.
--- a/README.md
+++ b/README.md
@@ -1,133 +0,0 @@
 ![LibreSSL image](http://www.libressl.org/images/libressl.jpg)
 ## Official portable version of [LibreSSL](http://www.libressl.org) ##
 [![Build Status](https://travis-ci.org/libressl-portable/portable.svg?branch=master)](https://travis-ci.org/libressl-portable/portable)
 LibreSSL is a fork of [OpenSSL](https://www.openssl.org) 1.0.1g developed by the
 [OpenBSD](http://www.openbsd.org) project.  Our goal is to modernize the codebase,
 improve security, and apply best practice development processes from OpenBSD.
 ## Compatibility with OpenSSL: ##
 LibreSSL is API compatible with OpenSSL 1.0.1, but does not yet include all
 new APIs from OpenSSL 1.0.2 and later. LibreSSL also includes APIs not yet
 present in OpenSSL. The current common API subset is OpenSSL 1.0.1.
 LibreSSL is not ABI compatible with any release of OpenSSL, or necessarily
 earlier releases of LibreSSL. You will need to relink your programs to
 LibreSSL in order to use it, just as in moving between major versions of OpenSSL.
 LibreSSL's installed library version numbers are incremented to account for
 ABI and API changes.
 ## Compatibility with other operating systems: ##
 While primarily developed on and taking advantage of APIs available on OpenBSD,
 the LibreSSL portable project attempts to provide working alternatives for
 other operating systems, and assists with improving OS-native implementations
 where possible.
 At the time of this writing, LibreSSL is know to build and work on:
 * Linux (kernel 3.17 or later recommended)
 * FreeBSD (tested with 9.2 and later)
 * NetBSD (tested with 6.1.5)
 * HP-UX (11i)
 * Solaris (11 and later preferred)
 * Mac OS X (tested with 10.8 and later)
 * AIX (5.3 and later)
 LibreSSL also supports the following Windows environments:
 * Microsoft Windows (XP or higher, x86 and x64)
 * Wine (32-bit and 64-bit)
 * Builds with Mingw-w64, Cygwin, and Visual Studio
 Official release tarballs are available at your friendly neighborhood
 OpenBSD mirror in directory
 [LibreSSL](http://ftp.openbsd.org/pub/OpenBSD/LibreSSL/),
 although we suggest that you use a [mirror](http://www.openbsd.org/ftp.html).
 The LibreSSL portable build framework is also
 [mirrored](https://github.com/libressl-portable/portable) in Github.
 Please report bugs either to the public libressl@openbsd.org mailing list,
 or to the github
 [issue tracker](https://github.com/libressl-portable/portable/issues)
 Severe vulnerabilities or bugs requiring coordination with OpenSSL can be
 sent to the core team at libressl-security@openbsd.org.
 ## Prerequisites when building from git ##
 If you have checked this source using Git, follow these initial steps to
 prepare the source tree for building:
 1. Ensure you have the following packages installed:
   automake, autoconf, git, libtool, perl, pod2man
 2. Run './autogen.sh' to prepare the source tree for building or
   run './dist.sh' to prepare a tarball.
 ## Building LibreSSL ##
 Once you have a source tree from Git or FTP, run these commands to build and
 install the package on most systems:
 ```sh
 ./configure   # see ./configure --help for configuration options
 make check    # runs builtin unit tests
 make install  # set DESTDIR= to install to an alternate location
 ```
 If you wish to use the CMake build system, use these commands:
 ```sh
 mkdir build
 cd build
 cmake ..
 make
 make test
 ```
 For faster builds, you can use Ninja as well:
 ```sh
 mkdir build-ninja
 cd build-ninja
 cmake -G"Ninja" ..
 ninja
 ninja test
 ```
 ### OS specific build information: ###
 #### HP-UX (11i) ####
 Set the UNIX_STD environment variable to '2003' before running 'configure'
 in order to build with the HP C/aC++ compiler. See the "standards(5)" man
 page for more details.
 ```sh
 export UNIX_STD=2003
 ./configure
 make
 ```
 #### Windows - Mingw-w64 ####
 LibreSSL builds against relatively recent versions of Mingw-w64, not to be
 confused with the original mingw.org project.  Mingw-w64 3.2 or later
 should work. See README.windows for more information
 #### Windows - Visual Studio ####
 LibreSSL builds using the CMake target "Visual Studio 12 2013", and may build
 against older/newer targets as well. To generate a Visual Studio project,
 install CMake, enter the LibreSSL source directory and run:
 ```sh
 mkdir build-vs2013
 cd build-vs2013
 cmake -G"Visual Studio 12 2013" ..
 ```
 This will generate a LibreSSL.sln file that you can incorporate into other
 projects or build by itself.
--- a/README.windows
+++ b/README.windows
@@ -6,8 +6,9 @@ GCC or Clang as the compiler. Contrary to its name, mingw-w64 supports both
 then LibreSSL should integrate very nicely. Old versions of the mingw-w64
 toolchain, such as the one packaged with Ubuntu 12.04, may have trouble
 building LibreSSL. Please try it with a recent toolchain if you encounter
-troubles. Cygwin provides an easy method of installing the latest mingw-w64
+troubles. If you are building under Cygwin, only builds with the mingw-w64
-cross compilers on Windows.
+compiler are supported, though you can easily use Cygwin to drive the build
 process.
 To configure and build LibreSSL for a 32-bit system, use the following
 build steps:
@@ -35,11 +36,5 @@ cv2pdb to generate Visual Studio and windbg compatible debug files. cv2pdb is a
 tool developed for the D language and can be found here:
 https://github.com/rainers/cv2pdb
-Pre-built Windows binaries are available with LibreSSL releases if you do not
+Pre-build Windows binaries are available with the LibreSSL release for your
-have a mingw-w64 build environment. Mingw-w64 code is largely, but not 100%,
+convenience.
 compatible with code built from Visual Studio. Notably, FILE * pointers cannot
 be shared between code built for Mingw-w64 and Visual Studio.
 As of LibreSSL 2.2.2, Visual Studio Native builds can be produced using CMake.
 This produces ABI-compatible libraries for linking with native code generated
 by Visual Studio.
--- a/1
+++ b/1
@@ -0,0 +1 @@
 2.1.10
--- a/apps/CMakeLists.txt
+++ b/apps/CMakeLists.txt
@@ -1,81 +0,0 @@
 include_directories(
 	.
 	../include
 	../include/compat
 )
 set(
 	OPENSSL_SRC
 	apps.c
 	asn1pars.c
 	ca.c
 	ciphers.c
 	cms.c
 	crl.c
 	crl2p7.c
 	dgst.c
 	dh.c
 	dhparam.c
 	dsa.c
 	dsaparam.c
 	ec.c
 	ecparam.c
 	enc.c
 	engine.c
 	errstr.c
 	gendh.c
 	gendsa.c
 	genpkey.c
 	genrsa.c
 	nseq.c
 	ocsp.c
 	openssl.c
 	passwd.c
 	pkcs12.c
 	pkcs7.c
 	pkcs8.c
 	pkey.c
 	pkeyparam.c
 	pkeyutl.c
 	prime.c
 	rand.c
 	req.c
 	rsa.c
 	rsautl.c
 	s_cb.c
 	s_client.c
 	s_server.c
 	s_socket.c
 	s_time.c
 	sess_id.c
 	smime.c
 	speed.c
 	spkac.c
 	ts.c
 	verify.c
 	version.c
 	x509.c
 )
 if(CMAKE_HOST_UNIX)
 	set(OPENSSL_SRC ${OPENSSL_SRC} apps_posix.c)
 	set(OPENSSL_SRC ${OPENSSL_SRC} certhash.c)
 endif()
 if(CMAKE_HOST_WIN32)
 	set(OPENSSL_SRC ${OPENSSL_SRC} apps_win.c)
 	set(OPENSSL_SRC ${OPENSSL_SRC} certhash_disabled.c)
 	set(OPENSSL_SRC ${OPENSSL_SRC} poll_win.c)
 endif()
 check_function_exists(strtonum HAVE_STRTONUM)
 if(HAVE_STRTONUM)
 	add_definitions(-DHAVE_STRTONUM)
 else()
 	set(OPENSSL_SRC ${OPENSSL_SRC} strtonum.c)
 endif()
 add_executable(openssl ${OPENSSL_SRC})
 target_link_libraries(openssl ${OPENSSL_LIBS})
 install(TARGETS openssl DESTINATION bin)
--- a/apps/Makefile.am
+++ b/apps/Makefile.am
@@ -2,6 +2,7 @@ include $(top_srcdir)/Makefile.am.common
 bin_PROGRAMS = openssl
 openssl_CFLAGS = $(USER_CFLAGS)
 openssl_LDADD = $(PLATFORM_LDADD) $(PROG_LDADD)
 openssl_LDADD += $(top_builddir)/ssl/libssl.la
 openssl_LDADD += $(top_builddir)/crypto/libcrypto.la
@@ -84,35 +85,4 @@ noinst_HEADERS += s_apps.h
 noinst_HEADERS += testdsa.h
 noinst_HEADERS += testrsa.h
 noinst_HEADERS += timeouts.h
-
+noinst_HEADERS += openssl.cnf
 EXTRA_DIST = cert.pem
 EXTRA_DIST += openssl.cnf
 EXTRA_DIST += x509v3.cnf
 EXTRA_DIST += CMakeLists.txt
 install-exec-hook:
 	@if [ "@OPENSSLDIR@x" != "x" ]; then \
 		OPENSSLDIR="$(DESTDIR)/@OPENSSLDIR@"; \
 	else \
 		OPENSSLDIR="$(DESTDIR)/$(sysconfdir)/ssl"; \
 	fi; \
 	mkdir -p "$$OPENSSLDIR/certs"; \
 	for i in cert.pem openssl.cnf x509v3.cnf; do \
 		if [ ! -f "$$OPENSSLDIR/$i" ]; then \
 			$(INSTALL) -m 644 "$(srcdir)/$$i" "$$OPENSSLDIR/$$i"; \
 		else \
 			echo " $$OPENSSLDIR/$$i already exists, install will not overwrite"; \
 		fi \
 	done
 uninstall-local:
 	@if [ "@OPENSSLDIR@x" != "x" ]; then \
 		OPENSSLDIR="$(DESTDIR)/@OPENSSLDIR@"; \
 	else \
 		OPENSSLDIR="$(DESTDIR)/$(sysconfdir)/ssl"; \
 	fi; \
 	for i in cert.pem openssl.cnf x509v3.cnf; do \
 		if cmp -s "$$OPENSSLDIR/$$i" "$(srcdir)/$$i"; then \
 			rm -f "$$OPENSSLDIR/$$i"; \
 		fi \
 	done
--- a/autogen.sh
+++ b/autogen.sh
@@ -4,8 +4,3 @@ set -e
 ./update.sh
 mkdir -p m4
 autoreconf -i -f
 # Patch libtool 2.4.2 to pass -fstack-protector as a linker argument
 sed 's/-fuse-linker-plugin)/-fuse-linker-plugin|-fstack-protector*)/' \
  ltmain.sh > ltmain.sh.fixed
 mv -f ltmain.sh.fixed ltmain.sh
--- a/configure.ac
+++ b/configure.ac
@@ -1,74 +1,291 @@
 # Copyright (c) 2014-2015 Brent Cook
 #
 # Permission to use, copy, modify, and distribute this software for any
 # purpose with or without fee is hereby granted, provided that the above
 # copyright notice and this permission notice appear in all copies.
 #
 # THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
 # WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
 # MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
 # ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
 # WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
 # ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 # OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 AC_INIT([libressl], m4_esyscmd([tr -d '\n' < VERSION]))
 AC_SUBST([LIBCRYPTO_VERSION], m4_esyscmd([tr -d '\n' < crypto/VERSION]))
 AC_SUBST([LIBSSL_VERSION], m4_esyscmd([tr -d '\n' < ssl/VERSION]))
 AC_SUBST([LIBTLS_VERSION], m4_esyscmd([tr -d '\n' < tls/VERSION]))
 AC_CANONICAL_HOST
-AM_INIT_AUTOMAKE([subdir-objects foreign])
+AM_INIT_AUTOMAKE([subdir-objects])
 AC_CONFIG_MACRO_DIR([m4])
 m4_ifdef([AM_SILENT_RULES], [AM_SILENT_RULES([yes])])
-# This must be saved before AC_PROG_CC
+AC_SUBST([USER_CFLAGS], "$CFLAGS")
-USER_CFLAGS="$CFLAGS"
+CFLAGS="-Wall -std=gnu99 -g -O2"
 case $host_os in
 	*darwin*)
 		HOST_OS=darwin
 		HOST_ABI=macosx
 		;;
 	*freebsd*)
 		HOST_OS=freebsd
 		HOST_ABI=elf
 		AC_SUBST([PROG_LDADD], ['-lthr'])
 		;;
 	*hpux*)
 		HOST_OS=hpux;
 		CFLAGS="$CFLAGS -mlp64 -D_XOPEN_SOURCE=600 -D__STRICT_ALIGNMENT"
 		AC_SUBST([PLATFORM_LDADD], ['-lpthread'])
 		;;
 	*linux*)
 		HOST_OS=linux
 		HOST_ABI=elf
 		CFLAGS="$CFLAGS -D_DEFAULT_SOURCE -D_BSD_SOURCE -D_POSIX_SOURCE -D_GNU_SOURCE"
 		;;
 	*netbsd*)
 		HOST_OS=netbsd
 		;;
 	*openbsd*)
 		HOST_ABI=elf
 		AC_DEFINE([HAVE_ATTRIBUTE__BOUNDED__], [1], [OpenBSD gcc has bounded])
 		;;
 	*mingw*)
 		HOST_OS=win
 		CFLAGS="$CFLAGS -D_GNU_SOURCE -D_POSIX -D_POSIX_SOURCE -D_REENTRANT -D_POSIX_THREAD_SAFE_FUNCTIONS -DWIN32_LEAN_AND_MEAN -D_WIN32_WINNT=0x0600 -DOPENSSL_NO_SPEED -DNO_SYSLOG -D__USE_MINGW_ANSI_STDIO -static-libgcc"
 		LDFLAGS="$LDFLAGS -static-libgcc"
 		AC_SUBST([PLATFORM_LDADD], ['-lws2_32'])
 		;;
 	*solaris*)
 		HOST_OS=solaris
 		HOST_ABI=elf
 		CFLAGS="$CFLAGS -D__EXTENSIONS__ -D_XOPEN_SOURCE=600 -DBSD_COMP"
 		AC_SUBST([PLATFORM_LDADD], ['-lnsl -lsocket'])
 		;;
 	*) ;;
 esac
 AM_CONDITIONAL([HOST_DARWIN],  [test x$HOST_OS = xdarwin])
 AM_CONDITIONAL([HOST_FREEBSD], [test x$HOST_OS = xfreebsd])
 AM_CONDITIONAL([HOST_HPUX],    [test x$HOST_OS = xhpux])
 AM_CONDITIONAL([HOST_LINUX],   [test x$HOST_OS = xlinux])
 AM_CONDITIONAL([HOST_NETBSD],  [test x$HOST_OS = xnetbsd])
 AM_CONDITIONAL([HOST_SOLARIS], [test x$HOST_OS = xsolaris])
 AM_CONDITIONAL([HOST_WIN],     [test x$HOST_OS = xwin])
 AC_CHECK_FUNC([clock_gettime],,
 	[AC_SEARCH_LIBS([clock_gettime],[rt posix4])])
 AC_CHECK_FUNC([dl_iterate_phdr],,
 	[AC_SEARCH_LIBS([dl_iterate_phdr],[dl])])
 AC_PROG_CC
 AC_PROG_LIBTOOL
 AC_PROG_CC_STDC
 AM_PROG_CC_C_O
 AC_PROG_LIBTOOL
 LT_INIT
-CHECK_OS_OPTIONS
+AC_MSG_CHECKING([if compiling with clang])
 AC_COMPILE_IFELSE([AC_LANG_PROGRAM([], [[
 #ifndef __clang__
 	not clang
 #endif
 	]])],
 	[CLANG=yes],
 	[CLANG=no]
 )
 AC_MSG_RESULT([$CLANG])
 AS_IF([test "x$CLANG" = "xyes"], [CLANG_FLAGS=-Qunused-arguments])
-CHECK_C_HARDENING_OPTIONS
+# We want to check for compiler flag support. Prior to clang v5.1, there was no
 # way to make clang's "argument unused" warning fatal.  So we invoke the
 # compiler through a wrapper script that greps for this message.
 saved_CC="$CC"
 saved_LD="$LD"
 flag_wrap="$srcdir/scripts/wrap-compiler-for-flag-check"
 CC="$flag_wrap $CC"
 LD="$flag_wrap $LD"
-DISABLE_AS_EXECUTABLE_STACK
+AC_ARG_ENABLE([hardening],
 	[AS_HELP_STRING([--disable-hardening],
 			[Disable options to frustrate memory corruption exploits])],
 	[], [enable_hardening=yes])
 AC_ARG_ENABLE([windows-ssp],
 	[AS_HELP_STRING([--enable-windows-ssp],
 			[Enable building the stack smashing protection on
 			 Windows. This currently distributing libssp-0.dll.])])
 AC_DEFUN([CHECK_CFLAG], [
 	 AC_LANG_ASSERT(C)
 	 AC_MSG_CHECKING([if $saved_CC supports "$1"])
 	 old_cflags="$CFLAGS"
 	 CFLAGS="$1 -Wall -Werror"
 	 AC_TRY_LINK([
 		      #include <stdio.h>
 		      ],
 		     [printf("Hello")],
 		     AC_MSG_RESULT([yes])
 		     CFLAGS=$old_cflags
 		     HARDEN_CFLAGS="$HARDEN_CFLAGS $1",
 		     AC_MSG_RESULT([no])
 		     CFLAGS=$old_cflags
 		     [$2])
 ])
 AC_DEFUN([CHECK_LDFLAG], [
 	 AC_LANG_ASSERT(C)
 	 AC_MSG_CHECKING([if $saved_LD supports "$1"])
 	 old_ldflags="$LDFLAGS"
 	 LDFLAGS="$1 -Wall -Werror"
 	 AC_TRY_LINK([
 		      #include <stdio.h>
 		      ],
 		     [printf("Hello")],
 		     AC_MSG_RESULT([yes])
 		     LDFLAGS=$old_ldflags
 		     HARDEN_LDFLAGS="$HARDEN_LDFLAGS $1",
 		     AC_MSG_RESULT([no])
 		     LDFLAGS=$old_ldflags
 		     [$2])
 ])
 AS_IF([test "x$enable_hardening" = "xyes"], [
 	# Tell GCC to NOT optimize based on signed arithmetic overflow
 	CHECK_CFLAG([[-fno-strict-overflow]])
 	# _FORTIFY_SOURCE replaces builtin functions with safer versions.
 	CHECK_CFLAG([[-D_FORTIFY_SOURCE=2]])
 	# Enable read only relocations
 	CHECK_LDFLAG([[-Wl,-z,relro]])
 	CHECK_LDFLAG([[-Wl,-z,now]])
 	# Windows security flags
 	AS_IF([test "x$HOST_OS" = "xwin"], [
 		CHECK_LDFLAG([[-Wl,--nxcompat]])
 		CHECK_LDFLAG([[-Wl,--dynamicbase]])
 		CHECK_LDFLAG([[-Wl,--high-entropy-va]])
 	])
 	# Use stack-protector-strong if available; if not, fallback to
 	# stack-protector-all which is considered to be overkill
 	AS_IF([test "x$enable_windows_ssp" = "xyes" -o "x$HOST_OS" != "xwin"], [
 		CHECK_CFLAG([[-fstack-protector-strong]],
 			CHECK_CFLAG([[-fstack-protector-all]],
 				AC_MSG_WARN([compiler does not appear to support stack protection])
 			)
 		)
 		AS_IF([test "x$HOST_OS" = "xwin"], [
 			AC_SEARCH_LIBS([__stack_chk_guard],[ssp])
 		])
 	])
 ])
 # Restore CC, LD
 CC="$saved_CC"
 LD="$saved_LD"
 CFLAGS="$CFLAGS $HARDEN_CFLAGS"
 LDFLAGS="$LDFLAGS $HARDEN_LDFLAGS"
 # Removing the dependency on -Wno-pointer-sign should be a goal
 save_cflags="$CFLAGS"
 CFLAGS=-Wno-pointer-sign
 AC_MSG_CHECKING([whether CC supports -Wno-pointer-sign])
 AC_COMPILE_IFELSE([AC_LANG_PROGRAM([])],
 	[AC_MSG_RESULT([yes])]
 	[AM_CFLAGS=-Wno-pointer-sign],
 	[AC_MSG_RESULT([no])]
 )
 CFLAGS="$save_cflags $AM_CFLAGS"
 save_cflags="$CFLAGS"
 CFLAGS=
 AC_MSG_CHECKING([whether AS supports .note.GNU-stack])
 AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
 __asm__(".section .note.GNU-stack,\"\",@progbits");]])],
 	[AC_MSG_RESULT([yes])]
 	[AM_CFLAGS=-DHAVE_GNU_STACK],
 	[AC_MSG_RESULT([no])]
 )
 CFLAGS="$save_cflags $AM_CFLAGS"
 AM_PROG_AS
-DISABLE_COMPILER_WARNINGS
+CFLAGS="$CFLAGS $CLANG_CFLAGS"
 LDFLAGS="$LDFLAGS $CLANG_FLAGS"
-# Check if the certhash command should be built
+AC_CHECK_FUNCS([arc4random_buf asprintf explicit_bzero funopen getauxval])
 AC_CHECK_FUNCS([getentropy issetugid memmem poll reallocarray])
 AC_CHECK_FUNCS([strlcat strlcpy strndup strnlen strsep strtonum])
 AC_CHECK_FUNCS([symlink])
 AC_CHECK_FUNCS([timingsafe_bcmp timingsafe_memcmp])
 # Share test results with automake
 AM_CONDITIONAL([HAVE_ARC4RANDOM_BUF], [test "x$ac_cv_func_arc4random_buf" = xyes])
 AM_CONDITIONAL([HAVE_ASPRINTF], [test "x$ac_cv_func_asprintf" = xyes])
 AM_CONDITIONAL([HAVE_EXPLICIT_BZERO], [test "x$ac_cv_func_explicit_bzero" = xyes])
 AM_CONDITIONAL([HAVE_GETENTROPY], [test "x$ac_cv_func_getentropy" = xyes])
 AM_CONDITIONAL([HAVE_ISSETUGID], [test "x$ac_cv_func_issetugid" = xyes])
 AM_CONDITIONAL([HAVE_MEMMEM], [test "x$ac_cv_func_memmem" = xyes])
 AM_CONDITIONAL([HAVE_POLL], [test "x$ac_cv_func_poll" = xyes])
 AM_CONDITIONAL([HAVE_REALLOCARRAY], [test "x$ac_cv_func_reallocarray" = xyes])
 AM_CONDITIONAL([HAVE_STRLCAT], [test "x$ac_cv_func_strlcat" = xyes])
 AM_CONDITIONAL([HAVE_STRLCPY], [test "x$ac_cv_func_strlcpy" = xyes])
 AM_CONDITIONAL([HAVE_STRNDUP], [test "x$ac_cv_func_strndup" = xyes])
 AM_CONDITIONAL([HAVE_STRNLEN], [test "x$ac_cv_func_strnlen" = xyes])
 AM_CONDITIONAL([HAVE_STRSEP], [test "x$ac_cv_func_strsep" = xyes])
 AM_CONDITIONAL([HAVE_STRTONUM], [test "x$ac_cv_func_strtonum" = xyes])
 AM_CONDITIONAL([HAVE_TIMINGSAFE_BCMP], [test "x$ac_cv_func_timingsafe_bcmp" = xyes])
 AM_CONDITIONAL([HAVE_TIMINGSAFE_MEMCMP], [test "x$ac_cv_func_timingsafe_memcmp" = xyes])
 AM_CONDITIONAL([BUILD_CERTHASH], [test "x$ac_cv_func_symlink" = xyes])
-# Check if funopen exists
+# overrides for arc4random_buf implementations with known issues
-AC_CHECK_FUNC([funopen])
+AM_CONDITIONAL([HAVE_ARC4RANDOM_BUF],
 	[test "x$HOST_OS" != xdarwin \
 	   -a "x$HOST_OS" != xfreebsd \
 	   -a "x$HOST_OS" != xnetbsd \
 	   -a "x$ac_cv_func_arc4random_buf" = xyes])
-CHECK_LIBC_COMPAT
+# overrides for issetugid implementations with known issues
-CHECK_LIBC_CRYPTO_COMPAT
+AM_CONDITIONAL([HAVE_ISSETUGID],
-CHECK_VA_COPY
+       [test "x$HOST_OS" != xdarwin \
 	  -a "x$ac_cv_func_issetugid" = xyes])
-AC_CHECK_HEADERS([err.h])
+AC_CACHE_CHECK([whether va_copy exists], ac_cv_have_va_copy, [
 	AC_LINK_IFELSE([AC_LANG_PROGRAM([[
 #include <stdarg.h>
 va_list x,y;
 		]], [[ va_copy(x,y); ]])],
 	[ ac_cv_have_va_copy="yes" ],
 	[ ac_cv_have_va_copy="no"
 	])
 ])
 if test "x$ac_cv_have_va_copy" = "xyes" ; then
 	AC_DEFINE([HAVE_VA_COPY], [1], [Define if va_copy exists])
 fi
 AC_CACHE_CHECK([whether __va_copy exists], ac_cv_have___va_copy, [
 	AC_LINK_IFELSE([AC_LANG_PROGRAM([[
 #include <stdarg.h>
 va_list x,y;
 		]], [[ __va_copy(x,y); ]])],
 	[ ac_cv_have___va_copy="yes" ], [ ac_cv_have___va_copy="no"
 	])
 ])
 if test "x$ac_cv_have___va_copy" = "xyes" ; then
 	AC_DEFINE([HAVE___VA_COPY], [1], [Define if __va_copy exists])
 fi
 AC_CHECK_HEADERS([sys/sysctl.h err.h])
 AC_ARG_WITH([openssldir],
 	AS_HELP_STRING([--with-openssldir],
 		       [Set the default openssl directory]),
-	OPENSSLDIR="$withval"
+	AC_DEFINE_UNQUOTED(OPENSSLDIR, "$withval")
 	AC_SUBST(OPENSSLDIR)
 )
 AM_CONDITIONAL([OPENSSLDIR_DEFINED], [test x$with_openssldir != x])
-AC_ARG_ENABLE([extratests],
+AC_ARG_WITH([enginesdir],
-	AS_HELP_STRING([--enable-extratests], [Enable extra tests that may be unreliable on some platforms]))
+	AS_HELP_STRING([--with-enginesdir],
-AM_CONDITIONAL([ENABLE_EXTRATESTS], [test "x$enable_extratests" = xyes])
+		       [Set the default engines directory (use with openssldir)]),
 	AC_DEFINE_UNQUOTED(ENGINESDIR, "$withval")
 )
 AC_ARG_ENABLE([asm],
 	AS_HELP_STRING([--disable-asm], [Disable assembly]))
 AM_CONDITIONAL([OPENSSL_NO_ASM], [test "x$enable_asm" = "xno"])
 # Add CPU-specific alignment flags
 old_cflags=$CFLAGS
-CFLAGS="$CFLAGS -I$srcdir/include"
+CFLAGS="$USER_CFLAGS -I$srcdir/include"
 AC_MSG_CHECKING([if BSWAP4 builds without __STRICT_ALIGNMENT])
 AC_TRY_COMPILE([#include "$srcdir/crypto/modes/modes_lcl.h"],
 	       [int a = 0; BSWAP4(a);],
@@ -80,36 +297,21 @@ CFLAGS="$old_cflags"
 case $host_cpu in
 	*sparc*)
-		CPPFLAGS="$CPPFLAGS -D__STRICT_ALIGNMENT"
+		CFLAGS="$CFLAGS -D__STRICT_ALIGNMENT"
 		;;
 	*arm*)
 		AS_IF([test "x$BSWAP4" = "xyes"],,
-		    CPPFLAGS="$CPPFLAGS -D__STRICT_ALIGNMENT")
+		    CFLAGS="$CFLAGS -D__STRICT_ALIGNMENT")
 		;;
 esac
 AC_MSG_CHECKING([if .gnu.warning accepts long strings])
 AC_LINK_IFELSE([AC_LANG_SOURCE([[
 extern void SSLv3_method();
 __asm__(".section .gnu.warning.SSLv3_method; .ascii \"SSLv3_method is insecure\" ; .text");
 int main() {return 0;}
 ]])], [
    AC_DEFINE(HAS_GNU_WARNING_LONG, 1, [Define if .gnu.warning accepts long strings.])
    AC_MSG_RESULT(yes)
 ], [
   AC_MSG_RESULT(no)
 ])
 AC_ARG_ENABLE([asm],
 	AS_HELP_STRING([--disable-asm], [Disable assembly]))
 AM_CONDITIONAL([OPENSSL_NO_ASM], [test "x$enable_asm" = "xno"])
 # Conditionally enable assembly by default
 AM_CONDITIONAL([HOST_ASM_ELF_X86_64],
    [test "x$HOST_ABI" = "xelf" -a "$host_cpu" = "x86_64" -a "x$enable_asm" != "xno"])
 AM_CONDITIONAL([HOST_ASM_MACOSX_X86_64],
    [test "x$HOST_ABI" = "xmacosx" -a "$host_cpu" = "x86_64" -a "x$enable_asm" != "xno"])
 LT_INIT
 AC_CONFIG_FILES([
 	Makefile
 	include/Makefile
--- a/crypto/CMakeLists.txt
+++ b/crypto/CMakeLists.txt
@@ -1,653 +0,0 @@
 include_directories(
 	.
 	../include
 	../include/compat
 	asn1
 	dsa
 	evp
 	modes
 )
 set(
 	CRYPTO_SRC
 	aes/aes_cbc.c
 	aes/aes_core.c
 	camellia/camellia.c
 	camellia/cmll_cbc.c
 	rc4/rc4_enc.c
 	rc4/rc4_skey.c
 	whrlpool/wp_block.c
 	cpt_err.c
 	cryptlib.c
 	cversion.c
 	ex_data.c
 	malloc-wrapper.c
 	mem_clr.c
 	mem_dbg.c
 	o_init.c
 	o_str.c
 	o_time.c
 	aes/aes_cfb.c
 	aes/aes_ctr.c
 	aes/aes_ecb.c
 	aes/aes_ige.c
 	aes/aes_misc.c
 	aes/aes_ofb.c
 	aes/aes_wrap.c
 	asn1/a_bitstr.c
 	asn1/a_bool.c
 	asn1/a_bytes.c
 	asn1/a_d2i_fp.c
 	asn1/a_digest.c
 	asn1/a_dup.c
 	asn1/a_enum.c
 	asn1/a_gentm.c
 	asn1/a_i2d_fp.c
 	asn1/a_int.c
 	asn1/a_mbstr.c
 	asn1/a_object.c
 	asn1/a_octet.c
 	asn1/a_print.c
 	asn1/a_set.c
 	asn1/a_sign.c
 	asn1/a_strex.c
 	asn1/a_strnid.c
 	asn1/a_time.c
 	asn1/a_type.c
 	asn1/a_utctm.c
 	asn1/a_utf8.c
 	asn1/a_verify.c
 	asn1/ameth_lib.c
 	asn1/asn1_err.c
 	asn1/asn1_gen.c
 	asn1/asn1_lib.c
 	asn1/asn1_par.c
 	asn1/asn_mime.c
 	asn1/asn_moid.c
 	asn1/asn_pack.c
 	asn1/bio_asn1.c
 	asn1/bio_ndef.c
 	asn1/d2i_pr.c
 	asn1/d2i_pu.c
 	asn1/evp_asn1.c
 	asn1/f_enum.c
 	asn1/f_int.c
 	asn1/f_string.c
 	asn1/i2d_pr.c
 	asn1/i2d_pu.c
 	asn1/n_pkey.c
 	asn1/nsseq.c
 	asn1/p5_pbe.c
 	asn1/p5_pbev2.c
 	asn1/p8_pkey.c
 	asn1/t_bitst.c
 	asn1/t_crl.c
 	asn1/t_pkey.c
 	asn1/t_req.c
 	asn1/t_spki.c
 	asn1/t_x509.c
 	asn1/t_x509a.c
 	asn1/tasn_dec.c
 	asn1/tasn_enc.c
 	asn1/tasn_fre.c
 	asn1/tasn_new.c
 	asn1/tasn_prn.c
 	asn1/tasn_typ.c
 	asn1/tasn_utl.c
 	asn1/x_algor.c
 	asn1/x_attrib.c
 	asn1/x_bignum.c
 	asn1/x_crl.c
 	asn1/x_exten.c
 	asn1/x_info.c
 	asn1/x_long.c
 	asn1/x_name.c
 	asn1/x_nx509.c
 	asn1/x_pkey.c
 	asn1/x_pubkey.c
 	asn1/x_req.c
 	asn1/x_sig.c
 	asn1/x_spki.c
 	asn1/x_val.c
 	asn1/x_x509.c
 	asn1/x_x509a.c
 	bf/bf_cfb64.c
 	bf/bf_ecb.c
 	bf/bf_enc.c
 	bf/bf_ofb64.c
 	bf/bf_skey.c
 	bio/b_dump.c
 	bio/b_print.c
 	bio/b_sock.c
 	bio/bf_buff.c
 	bio/bf_nbio.c
 	bio/bf_null.c
 	bio/bio_cb.c
 	bio/bio_err.c
 	bio/bio_lib.c
 	bio/bss_acpt.c
 	bio/bss_bio.c
 	bio/bss_conn.c
 	bio/bss_dgram.c
 	bio/bss_fd.c
 	bio/bss_file.c
 	bio/bss_mem.c
 	bio/bss_null.c
 	bio/bss_sock.c
 	bn/bn_add.c
 	bn/bn_asm.c
 	bn/bn_blind.c
 	bn/bn_const.c
 	bn/bn_ctx.c
 	bn/bn_depr.c
 	bn/bn_div.c
 	bn/bn_err.c
 	bn/bn_exp.c
 	bn/bn_exp2.c
 	bn/bn_gcd.c
 	bn/bn_gf2m.c
 	bn/bn_kron.c
 	bn/bn_lib.c
 	bn/bn_mod.c
 	bn/bn_mont.c
 	bn/bn_mpi.c
 	bn/bn_mul.c
 	bn/bn_nist.c
 	bn/bn_prime.c
 	bn/bn_print.c
 	bn/bn_rand.c
 	bn/bn_recp.c
 	bn/bn_shift.c
 	bn/bn_sqr.c
 	bn/bn_sqrt.c
 	bn/bn_word.c
 	bn/bn_x931p.c
 	buffer/buf_err.c
 	buffer/buf_str.c
 	buffer/buffer.c
 	camellia/cmll_cfb.c
 	camellia/cmll_ctr.c
 	camellia/cmll_ecb.c
 	camellia/cmll_misc.c
 	camellia/cmll_ofb.c
 	cast/c_cfb64.c
 	cast/c_ecb.c
 	cast/c_enc.c
 	cast/c_ofb64.c
 	cast/c_skey.c
 	chacha/chacha.c
 	cmac/cm_ameth.c
 	cmac/cm_pmeth.c
 	cmac/cmac.c
 	comp/c_rle.c
 	comp/c_zlib.c
 	comp/comp_err.c
 	comp/comp_lib.c
 	conf/conf_api.c
 	conf/conf_def.c
 	conf/conf_err.c
 	conf/conf_lib.c
 	conf/conf_mall.c
 	conf/conf_mod.c
 	conf/conf_sap.c
 	des/cbc_cksm.c
 	des/cbc_enc.c
 	des/cfb64ede.c
 	des/cfb64enc.c
 	des/cfb_enc.c
 	des/des_enc.c
 	des/ecb3_enc.c
 	des/ecb_enc.c
 	des/ede_cbcm_enc.c
 	des/enc_read.c
 	des/enc_writ.c
 	des/fcrypt.c
 	des/fcrypt_b.c
 	des/ofb64ede.c
 	des/ofb64enc.c
 	des/ofb_enc.c
 	des/pcbc_enc.c
 	des/qud_cksm.c
 	des/rand_key.c
 	des/set_key.c
 	des/str2key.c
 	des/xcbc_enc.c
 	dh/dh_ameth.c
 	dh/dh_asn1.c
 	dh/dh_check.c
 	dh/dh_depr.c
 	dh/dh_err.c
 	dh/dh_gen.c
 	dh/dh_key.c
 	dh/dh_lib.c
 	dh/dh_pmeth.c
 	dh/dh_prn.c
 	dsa/dsa_ameth.c
 	dsa/dsa_asn1.c
 	dsa/dsa_depr.c
 	dsa/dsa_err.c
 	dsa/dsa_gen.c
 	dsa/dsa_key.c
 	dsa/dsa_lib.c
 	dsa/dsa_ossl.c
 	dsa/dsa_pmeth.c
 	dsa/dsa_prn.c
 	dsa/dsa_sign.c
 	dsa/dsa_vrf.c
 	dso/dso_dlfcn.c
 	dso/dso_err.c
 	dso/dso_lib.c
 	dso/dso_null.c
 	dso/dso_openssl.c
 	ec/ec2_mult.c
 	ec/ec2_oct.c
 	ec/ec2_smpl.c
 	ec/ec_ameth.c
 	ec/ec_asn1.c
 	ec/ec_check.c
 	ec/ec_curve.c
 	ec/ec_cvt.c
 	ec/ec_err.c
 	ec/ec_key.c
 	ec/ec_lib.c
 	ec/ec_mult.c
 	ec/ec_oct.c
 	ec/ec_pmeth.c
 	ec/ec_print.c
 	ec/eck_prn.c
 	ec/ecp_mont.c
 	ec/ecp_nist.c
 	ec/ecp_oct.c
 	ec/ecp_smpl.c
 	ecdh/ech_err.c
 	ecdh/ech_key.c
 	ecdh/ech_lib.c
 	ecdh/ech_ossl.c
 	ecdsa/ecs_asn1.c
 	ecdsa/ecs_err.c
 	ecdsa/ecs_lib.c
 	ecdsa/ecs_ossl.c
 	ecdsa/ecs_sign.c
 	ecdsa/ecs_vrf.c
 	engine/eng_all.c
 	engine/eng_cnf.c
 	engine/eng_ctrl.c
 	engine/eng_dyn.c
 	engine/eng_err.c
 	engine/eng_fat.c
 	engine/eng_init.c
 	engine/eng_lib.c
 	engine/eng_list.c
 	engine/eng_openssl.c
 	engine/eng_pkey.c
 	engine/eng_table.c
 	engine/tb_asnmth.c
 	engine/tb_cipher.c
 	engine/tb_dh.c
 	engine/tb_digest.c
 	engine/tb_dsa.c
 	engine/tb_ecdh.c
 	engine/tb_ecdsa.c
 	engine/tb_pkmeth.c
 	engine/tb_rand.c
 	engine/tb_rsa.c
 	engine/tb_store.c
 	err/err.c
 	err/err_all.c
 	err/err_prn.c
 	evp/bio_b64.c
 	evp/bio_enc.c
 	evp/bio_md.c
 	evp/c_all.c
 	evp/digest.c
 	evp/e_aes.c
 	evp/e_aes_cbc_hmac_sha1.c
 	evp/e_bf.c
 	evp/e_camellia.c
 	evp/e_cast.c
 	evp/e_chacha.c
 	evp/e_chacha20poly1305.c
 	evp/e_des.c
 	evp/e_des3.c
 	evp/e_gost2814789.c
 	evp/e_idea.c
 	evp/e_null.c
 	evp/e_old.c
 	evp/e_rc2.c
 	evp/e_rc4.c
 	evp/e_rc4_hmac_md5.c
 	evp/e_xcbc_d.c
 	evp/encode.c
 	evp/evp_aead.c
 	evp/evp_enc.c
 	evp/evp_err.c
 	evp/evp_key.c
 	evp/evp_lib.c
 	evp/evp_pbe.c
 	evp/evp_pkey.c
 	evp/m_dss.c
 	evp/m_dss1.c
 	evp/m_ecdsa.c
 	evp/m_gost2814789.c
 	evp/m_gostr341194.c
 	evp/m_md4.c
 	evp/m_md5.c
 	evp/m_null.c
 	evp/m_ripemd.c
 	evp/m_sha.c
 	evp/m_sha1.c
 	evp/m_sigver.c
 	evp/m_streebog.c
 	evp/m_wp.c
 	evp/names.c
 	evp/p5_crpt.c
 	evp/p5_crpt2.c
 	evp/p_dec.c
 	evp/p_enc.c
 	evp/p_lib.c
 	evp/p_open.c
 	evp/p_seal.c
 	evp/p_sign.c
 	evp/p_verify.c
 	evp/pmeth_fn.c
 	evp/pmeth_gn.c
 	evp/pmeth_lib.c
 	gost/gost2814789.c
 	gost/gost89_keywrap.c
 	gost/gost89_params.c
 	gost/gost89imit_ameth.c
 	gost/gost89imit_pmeth.c
 	gost/gost_asn1.c
 	gost/gost_err.c
 	gost/gostr341001.c
 	gost/gostr341001_ameth.c
 	gost/gostr341001_key.c
 	gost/gostr341001_params.c
 	gost/gostr341001_pmeth.c
 	gost/gostr341194.c
 	gost/streebog.c
 	hmac/hm_ameth.c
 	hmac/hm_pmeth.c
 	hmac/hmac.c
 	idea/i_cbc.c
 	idea/i_cfb64.c
 	idea/i_ecb.c
 	idea/i_ofb64.c
 	idea/i_skey.c
 	krb5/krb5_asn.c
 	lhash/lh_stats.c
 	lhash/lhash.c
 	md4/md4_dgst.c
 	md4/md4_one.c
 	md5/md5_dgst.c
 	md5/md5_one.c
 	modes/cbc128.c
 	modes/ccm128.c
 	modes/cfb128.c
 	modes/ctr128.c
 	modes/cts128.c
 	modes/gcm128.c
 	modes/ofb128.c
 	modes/xts128.c
 	objects/o_names.c
 	objects/obj_dat.c
 	objects/obj_err.c
 	objects/obj_lib.c
 	objects/obj_xref.c
 	ocsp/ocsp_asn.c
 	ocsp/ocsp_cl.c
 	ocsp/ocsp_err.c
 	ocsp/ocsp_ext.c
 	ocsp/ocsp_ht.c
 	ocsp/ocsp_lib.c
 	ocsp/ocsp_prn.c
 	ocsp/ocsp_srv.c
 	ocsp/ocsp_vfy.c
 	pem/pem_all.c
 	pem/pem_err.c
 	pem/pem_info.c
 	pem/pem_lib.c
 	pem/pem_oth.c
 	pem/pem_pk8.c
 	pem/pem_pkey.c
 	pem/pem_seal.c
 	pem/pem_sign.c
 	pem/pem_x509.c
 	pem/pem_xaux.c
 	pem/pvkfmt.c
 	pkcs12/p12_add.c
 	pkcs12/p12_asn.c
 	pkcs12/p12_attr.c
 	pkcs12/p12_crpt.c
 	pkcs12/p12_crt.c
 	pkcs12/p12_decr.c
 	pkcs12/p12_init.c
 	pkcs12/p12_key.c
 	pkcs12/p12_kiss.c
 	pkcs12/p12_mutl.c
 	pkcs12/p12_npas.c
 	pkcs12/p12_p8d.c
 	pkcs12/p12_p8e.c
 	pkcs12/p12_utl.c
 	pkcs12/pk12err.c
 	pkcs7/bio_pk7.c
 	pkcs7/pk7_asn1.c
 	pkcs7/pk7_attr.c
 	pkcs7/pk7_doit.c
 	pkcs7/pk7_lib.c
 	pkcs7/pk7_mime.c
 	pkcs7/pk7_smime.c
 	pkcs7/pkcs7err.c
 	poly1305/poly1305.c
 	rand/rand_err.c
 	rand/rand_lib.c
 	rand/randfile.c
 	rc2/rc2_cbc.c
 	rc2/rc2_ecb.c
 	rc2/rc2_skey.c
 	rc2/rc2cfb64.c
 	rc2/rc2ofb64.c
 	ripemd/rmd_dgst.c
 	ripemd/rmd_one.c
 	rsa/rsa_ameth.c
 	rsa/rsa_asn1.c
 	rsa/rsa_chk.c
 	rsa/rsa_crpt.c
 	rsa/rsa_depr.c
 	rsa/rsa_eay.c
 	rsa/rsa_err.c
 	rsa/rsa_gen.c
 	rsa/rsa_lib.c
 	rsa/rsa_none.c
 	rsa/rsa_oaep.c
 	rsa/rsa_pk1.c
 	rsa/rsa_pmeth.c
 	rsa/rsa_prn.c
 	rsa/rsa_pss.c
 	rsa/rsa_saos.c
 	rsa/rsa_sign.c
 	rsa/rsa_ssl.c
 	rsa/rsa_x931.c
 	sha/sha1_one.c
 	sha/sha1dgst.c
 	sha/sha256.c
 	sha/sha512.c
 	sha/sha_dgst.c
 	sha/sha_one.c
 	stack/stack.c
 	ts/ts_asn1.c
 	ts/ts_conf.c
 	ts/ts_err.c
 	ts/ts_lib.c
 	ts/ts_req_print.c
 	ts/ts_req_utils.c
 	ts/ts_rsp_print.c
 	ts/ts_rsp_sign.c
 	ts/ts_rsp_utils.c
 	ts/ts_rsp_verify.c
 	ts/ts_verify_ctx.c
 	txt_db/txt_db.c
 	ui/ui_err.c
 	ui/ui_lib.c
 	ui/ui_util.c
 	whrlpool/wp_dgst.c
 	x509/by_dir.c
 	x509/by_file.c
 	x509/by_mem.c
 	x509/x509_att.c
 	x509/x509_cmp.c
 	x509/x509_d2.c
 	x509/x509_def.c
 	x509/x509_err.c
 	x509/x509_ext.c
 	x509/x509_lu.c
 	x509/x509_obj.c
 	x509/x509_r2x.c
 	x509/x509_req.c
 	x509/x509_set.c
 	x509/x509_trs.c
 	x509/x509_txt.c
 	x509/x509_v3.c
 	x509/x509_vfy.c
 	x509/x509_vpm.c
 	x509/x509cset.c
 	x509/x509name.c
 	x509/x509rset.c
 	x509/x509spki.c
 	x509/x509type.c
 	x509/x_all.c
 	x509v3/pcy_cache.c
 	x509v3/pcy_data.c
 	x509v3/pcy_lib.c
 	x509v3/pcy_map.c
 	x509v3/pcy_node.c
 	x509v3/pcy_tree.c
 	x509v3/v3_akey.c
 	x509v3/v3_akeya.c
 	x509v3/v3_alt.c
 	x509v3/v3_bcons.c
 	x509v3/v3_bitst.c
 	x509v3/v3_conf.c
 	x509v3/v3_cpols.c
 	x509v3/v3_crld.c
 	x509v3/v3_enum.c
 	x509v3/v3_extku.c
 	x509v3/v3_genn.c
 	x509v3/v3_ia5.c
 	x509v3/v3_info.c
 	x509v3/v3_int.c
 	x509v3/v3_lib.c
 	x509v3/v3_ncons.c
 	x509v3/v3_ocsp.c
 	x509v3/v3_pci.c
 	x509v3/v3_pcia.c
 	x509v3/v3_pcons.c
 	x509v3/v3_pku.c
 	x509v3/v3_pmaps.c
 	x509v3/v3_prn.c
 	x509v3/v3_purp.c
 	x509v3/v3_skey.c
 	x509v3/v3_sxnet.c
 	x509v3/v3_utl.c
 	x509v3/v3err.c
 )
 if(CMAKE_HOST_UNIX)
 	set(CRYPTO_SRC ${CRYPTO_SRC} bio/b_posix.c)
 	set(CRYPTO_SRC ${CRYPTO_SRC} bio/bss_log.c)
 	set(CRYPTO_SRC ${CRYPTO_SRC} ui/ui_openssl.c)
 endif()
 if(CMAKE_HOST_WIN32)
 	set(CRYPTO_SRC ${CRYPTO_SRC} bio/b_win.c)
 	set(CRYPTO_SRC ${CRYPTO_SRC} ui/ui_openssl_win.c)
 endif()
 if(CMAKE_HOST_WIN32)
 	set(CRYPTO_SRC ${CRYPTO_SRC} compat/posix_win.c)
 endif()
 if(NOT HAVE_ASPRINTF)
 	set(CRYPTO_SRC ${CRYPTO_SRC} compat/bsd-asprintf.c)
 endif()
 if(NOT HAVE_INET_PTON)
 	set(CRYPTO_SRC ${CRYPTO_SRC} compat/inet_pton.c)
 endif()
 if(NOT HAVE_REALLOCARRAY)
 	set(CRYPTO_SRC ${CRYPTO_SRC} compat/reallocarray.c)
 endif()
 if(NOT HAVE_STRCASECMP)
 	set(CRYPTO_SRC ${CRYPTO_SRC} compat/strcasecmp.c)
 endif()
 if(NOT HAVE_STRLCAT)
 	set(CRYPTO_SRC ${CRYPTO_SRC} compat/strlcat.c)
 endif()
 if(NOT HAVE_STRLCPY)
 	set(CRYPTO_SRC ${CRYPTO_SRC} compat/strlcpy.c)
 endif()
 if(NOT HAVE_STRNDUP)
 	set(CRYPTO_SRC ${CRYPTO_SRC} compat/strndup.c)
 	if(NOT HAVE_STRNLEN)
 		set(CRYPTO_SRC ${CRYPTO_SRC} compat/strnlen.c)
 	endif()
 endif()
 if(NOT HAVE_EXPLICIT_BZERO)
 	if(CMAKE_HOST_WIN32)
 		set(CRYPTO_SRC ${CRYPTO_SRC} compat/explicit_bzero_win.c)
 	else()
 		set(CRYPTO_SRC ${CRYPTO_SRC} compat/explicit_bzero.c)
 		set_source_files_properties(compat/explicit_bzero.c PROPERTIES COMPILE_FLAGS -O0)
 	endif()
 endif()
 if(NOT HAVE_ARC4RANDOM_BUF)
 	set(CRYPTO_SRC ${CRYPTO_SRC} compat/arc4random.c)
 	if(NOT HAVE_GETENTROPY)
 		if(CMAKE_HOST_WIN32)
 			set(CRYPTO_SRC ${CRYPTO_SRC} compat/getentropy_win.c)
 		elseif(CMAKE_SYSTEM_NAME MATCHES "AIX")
 			set(CRYPTO_SRC ${CRYPTO_SRC} compat/getentropy_aix.c)
 		elseif(CMAKE_SYSTEM_NAME MATCHES "FreeBSD")
 			set(CRYPTO_SRC ${CRYPTO_SRC} compat/getentropy_freebsd.c)
 		elseif(CMAKE_SYSTEM_NAME MATCHES "Linux")
 			set(CRYPTO_SRC ${CRYPTO_SRC} compat/getentropy_linux.c)
 		elseif(CMAKE_SYSTEM_NAME MATCHES "NetBSD")
 			set(CRYPTO_SRC ${CRYPTO_SRC} compat/getentropy_netbsd.c)
 		elseif(CMAKE_SYSTEM_NAME MATCHES "Darwin")
 			set(CRYPTO_SRC ${CRYPTO_SRC} compat/getentropy_darwin.c)
 		elseif(CMAKE_SYSTEM_NAME MATCHES "SunOS")
 			set(CRYPTO_SRC ${CRYPTO_SRC} compat/getentropy_solaris.c)
 		endif()
 	endif()
 endif()
 if(NOT HAVE_TIMINGSAFE_BCMP)
 	set(CRYPTO_SRC ${CRYPTO_SRC} compat/timingsafe_bcmp.c)
 endif()
 if(NOT HAVE_TIMINGSAFE_MEMCMP)
 	set(CRYPTO_SRC ${CRYPTO_SRC} compat/timingsafe_memcmp.c)
 endif()
 if (BUILD_SHARED)
 	add_library(crypto-objects OBJECT ${CRYPTO_SRC})
 	add_library(crypto STATIC $<TARGET_OBJECTS:crypto-objects>)
 	add_library(crypto-shared SHARED $<TARGET_OBJECTS:crypto-objects>)
 	set_target_properties(crypto-shared PROPERTIES OUTPUT_NAME crypto)
 	set_target_properties(crypto-shared PROPERTIES VERSION
 		${CRYPTO_VERSION} SOVERSION ${CRYPTO_MAJOR_VERSION})
 	install(TARGETS crypto crypto-shared DESTINATION lib)
 else()
 	add_library(crypto STATIC ${CRYPTO_SRC})
 	install(TARGETS crypto DESTINATION lib)
 endif()
--- a/crypto/Makefile.am
+++ b/crypto/Makefile.am
@@ -7,30 +7,19 @@ AM_CPPFLAGS += -I$(top_srcdir)/crypto/modes
 lib_LTLIBRARIES = libcrypto.la
 EXTRA_DIST = VERSION
 EXTRA_DIST += CMakeLists.txt
 # needed for a CMake target
 EXTRA_DIST += compat/strcasecmp.c
 libcrypto_la_LDFLAGS = -version-info @LIBCRYPTO_VERSION@ -no-undefined
 libcrypto_la_LIBADD = libcompat.la libcompatnoopt.la
-libcrypto_la_CPPFLAGS = $(AM_CPPFLAGS)
+libcrypto_la_CFLAGS = $(CFLAGS) $(USER_CFLAGS)
-libcrypto_la_CPPFLAGS += -DLIBRESSL_INTERNAL
+libcrypto_la_CFLAGS += -DOPENSSL_NO_HW_PADLOCK
 libcrypto_la_CPPFLAGS += -DOPENSSL_NO_HW_PADLOCK
 if OPENSSL_NO_ASM
-libcrypto_la_CPPFLAGS += -DOPENSSL_NO_ASM
+libcrypto_la_CFLAGS += -DOPENSSL_NO_ASM
 else
 if HOST_WIN
-libcrypto_la_CPPFLAGS += -DOPENSSL_NO_ASM
+libcrypto_la_CFLAGS += -DOPENSSL_NO_ASM
 endif
 endif
 if OPENSSLDIR_DEFINED
 libcrypto_la_CPPFLAGS += -DOPENSSLDIR=\"@OPENSSLDIR@\"
 else
 libcrypto_la_CPPFLAGS += -DOPENSSLDIR=\"$(sysconfdir)/ssl\"
 endif
 noinst_LTLIBRARIES = libcompat.la libcompatnoopt.la
 # compatibility functions that need to be built without optimizations
@@ -38,14 +27,11 @@ libcompatnoopt_la_CFLAGS = -O0
 libcompatnoopt_la_SOURCES =
 if !HAVE_EXPLICIT_BZERO
 if HOST_WIN
 libcompatnoopt_la_SOURCES += compat/explicit_bzero_win.c
 else
 libcompatnoopt_la_SOURCES += compat/explicit_bzero.c
 endif
 endif
 # other compatibility functions
 libcompat_la_CFLAGS = $(CFLAGS) $(USER_CFLAGS)
 libcompat_la_SOURCES =
 libcompat_la_LIBADD = $(PLATFORM_LDADD)
@@ -69,10 +55,6 @@ if !HAVE_ASPRINTF
 libcompat_la_SOURCES += compat/bsd-asprintf.c
 endif
 if !HAVE_INET_PTON
 libcompat_la_SOURCES += compat/inet_pton.c
 endif
 if !HAVE_REALLOCARRAY
 libcompat_la_SOURCES += compat/reallocarray.c
 endif
@@ -85,11 +67,60 @@ if !HAVE_TIMINGSAFE_BCMP
 libcompat_la_SOURCES += compat/timingsafe_bcmp.c
 endif
 if !HAVE_ARC4RANDOM_BUF
 libcompat_la_SOURCES += compat/arc4random.c
 if !HAVE_GETENTROPY
 if HOST_FREEBSD
 libcompat_la_SOURCES += compat/getentropy_freebsd.c
 endif
 if HOST_HPUX
 libcompat_la_SOURCES += compat/getentropy_hpux.c
 endif
 if HOST_LINUX
 libcompat_la_SOURCES += compat/getentropy_linux.c
 endif
 if HOST_NETBSD
 libcompat_la_SOURCES += compat/getentropy_netbsd.c
 endif
 if HOST_DARWIN
 libcompat_la_SOURCES += compat/getentropy_osx.c
 endif
 if HOST_SOLARIS
 libcompat_la_SOURCES += compat/getentropy_solaris.c
 endif
 if HOST_WIN
-libcompat_la_SOURCES += compat/posix_win.c
+libcompat_la_SOURCES += compat/getentropy_win.c
 endif
 endif
-include Makefile.am.arc4random
+endif
 if !HAVE_ISSETUGID
 if HOST_LINUX
 libcompat_la_SOURCES += compat/issetugid_linux.c
 endif
 if HOST_HPUX
 libcompat_la_SOURCES += compat/issetugid_hpux.c
 endif
 if HOST_DARWIN
 libcompat_la_SOURCES += compat/issetugid_osx.c
 endif
 if HOST_WIN
 libcompat_la_SOURCES += compat/issetugid_win.c
 endif
 endif
 noinst_HEADERS =
 noinst_HEADERS += compat/arc4random.h
 noinst_HEADERS += compat/arc4random_freebsd.h
 noinst_HEADERS += compat/arc4random_hpux.h
 noinst_HEADERS += compat/arc4random_linux.h
 noinst_HEADERS += compat/arc4random_netbsd.h
 noinst_HEADERS += compat/arc4random_osx.h
 noinst_HEADERS += compat/arc4random_solaris.h
 noinst_HEADERS += compat/arc4random_win.h
 noinst_HEADERS += compat/chacha_private.h
 libcrypto_la_SOURCES =
 EXTRA_libcrypto_la_SOURCES =
@@ -245,9 +276,7 @@ libcrypto_la_SOURCES += bio/bss_conn.c
 libcrypto_la_SOURCES += bio/bss_dgram.c
 libcrypto_la_SOURCES += bio/bss_fd.c
 libcrypto_la_SOURCES += bio/bss_file.c
 if !HOST_WIN
 libcrypto_la_SOURCES += bio/bss_log.c
 endif
 libcrypto_la_SOURCES += bio/bss_mem.c
 libcrypto_la_SOURCES += bio/bss_null.c
 libcrypto_la_SOURCES += bio/bss_sock.c
@@ -444,6 +473,7 @@ libcrypto_la_SOURCES += engine/eng_lib.c
 libcrypto_la_SOURCES += engine/eng_list.c
 libcrypto_la_SOURCES += engine/eng_openssl.c
 libcrypto_la_SOURCES += engine/eng_pkey.c
 libcrypto_la_SOURCES += engine/eng_rsax.c
 libcrypto_la_SOURCES += engine/eng_table.c
 libcrypto_la_SOURCES += engine/tb_asnmth.c
 libcrypto_la_SOURCES += engine/tb_cipher.c
@@ -501,6 +531,7 @@ libcrypto_la_SOURCES += evp/m_gost2814789.c
 libcrypto_la_SOURCES += evp/m_gostr341194.c
 libcrypto_la_SOURCES += evp/m_md4.c
 libcrypto_la_SOURCES += evp/m_md5.c
 libcrypto_la_SOURCES += evp/m_mdc2.c
 libcrypto_la_SOURCES += evp/m_null.c
 libcrypto_la_SOURCES += evp/m_ripemd.c
 libcrypto_la_SOURCES += evp/m_sha.c
@@ -572,6 +603,10 @@ libcrypto_la_SOURCES += md5/md5_dgst.c
 libcrypto_la_SOURCES += md5/md5_one.c
 noinst_HEADERS += md5/md5_locl.h
 # mdc2
 libcrypto_la_SOURCES += mdc2/mdc2_one.c
 libcrypto_la_SOURCES += mdc2/mdc2dgst.c
 # modes
 libcrypto_la_SOURCES += modes/cbc128.c
 libcrypto_la_SOURCES += modes/ccm128.c
--- a/crypto/Makefile.am.arc4random
+++ b/crypto/Makefile.am.arc4random
@@ -1,45 +0,0 @@
 if !HAVE_ARC4RANDOM_BUF
 libcompat_la_SOURCES += compat/arc4random.c
 if !HAVE_GETENTROPY
 if HOST_AIX
 libcompat_la_SOURCES += compat/getentropy_aix.c
 endif
 if HOST_FREEBSD
 libcompat_la_SOURCES += compat/getentropy_freebsd.c
 endif
 if HOST_HPUX
 libcompat_la_SOURCES += compat/getentropy_hpux.c
 endif
 if HOST_LINUX
 libcompat_la_SOURCES += compat/getentropy_linux.c
 endif
 if HOST_NETBSD
 libcompat_la_SOURCES += compat/getentropy_netbsd.c
 endif
 if HOST_DARWIN
 libcompat_la_SOURCES += compat/getentropy_osx.c
 endif
 if HOST_SOLARIS
 libcompat_la_SOURCES += compat/getentropy_solaris.c
 endif
 if HOST_WIN
 libcompat_la_SOURCES += compat/getentropy_win.c
 endif
 endif
 endif
 noinst_HEADERS =
 noinst_HEADERS += compat/arc4random.h
 noinst_HEADERS += compat/arc4random_aix.h
 noinst_HEADERS += compat/arc4random_freebsd.h
 noinst_HEADERS += compat/arc4random_hpux.h
 noinst_HEADERS += compat/arc4random_linux.h
 noinst_HEADERS += compat/arc4random_netbsd.h
 noinst_HEADERS += compat/arc4random_osx.h
 noinst_HEADERS += compat/arc4random_solaris.h
 noinst_HEADERS += compat/arc4random_win.h
 noinst_HEADERS += compat/chacha_private.h
--- a/crypto/Makefile.am.elf-x86_64
+++ b/crypto/Makefile.am.elf-x86_64
@@ -22,20 +22,20 @@ ASM_X86_64_ELF += cpuid-elf-x86_64.S
 EXTRA_DIST += $(ASM_X86_64_ELF)
 if HOST_ASM_ELF_X86_64
-libcrypto_la_CPPFLAGS += -DAES_ASM
+libcrypto_la_CFLAGS += -DAES_ASM
-libcrypto_la_CPPFLAGS += -DBSAES_ASM
+libcrypto_la_CFLAGS += -DBSAES_ASM
-libcrypto_la_CPPFLAGS += -DVPAES_ASM
+libcrypto_la_CFLAGS += -DVPAES_ASM
-libcrypto_la_CPPFLAGS += -DOPENSSL_IA32_SSE2
+libcrypto_la_CFLAGS += -DOPENSSL_IA32_SSE2
-libcrypto_la_CPPFLAGS += -DOPENSSL_BN_ASM_MONT
+libcrypto_la_CFLAGS += -DOPENSSL_BN_ASM_MONT
-libcrypto_la_CPPFLAGS += -DOPENSSL_BN_ASM_MONT5
+libcrypto_la_CFLAGS += -DOPENSSL_BN_ASM_MONT5
-libcrypto_la_CPPFLAGS += -DOPENSSL_BN_ASM_GF2m
+libcrypto_la_CFLAGS += -DOPENSSL_BN_ASM_GF2m
-libcrypto_la_CPPFLAGS += -DMD5_ASM
+libcrypto_la_CFLAGS += -DMD5_ASM
-libcrypto_la_CPPFLAGS += -DGHASH_ASM
+libcrypto_la_CFLAGS += -DGHASH_ASM
-libcrypto_la_CPPFLAGS += -DRSA_ASM
+libcrypto_la_CFLAGS += -DRSA_ASM
-libcrypto_la_CPPFLAGS += -DSHA1_ASM
+libcrypto_la_CFLAGS += -DSHA1_ASM
-libcrypto_la_CPPFLAGS += -DSHA256_ASM
+libcrypto_la_CFLAGS += -DSHA256_ASM
-libcrypto_la_CPPFLAGS += -DSHA512_ASM
+libcrypto_la_CFLAGS += -DSHA512_ASM
-libcrypto_la_CPPFLAGS += -DWHIRLPOOL_ASM
+libcrypto_la_CFLAGS += -DWHIRLPOOL_ASM
-libcrypto_la_CPPFLAGS += -DOPENSSL_CPUID_OBJ
+libcrypto_la_CFLAGS += -DOPENSSL_CPUID_OBJ
 libcrypto_la_SOURCES += $(ASM_X86_64_ELF)
 endif
--- a/crypto/Makefile.am.macosx-x86_64
+++ b/crypto/Makefile.am.macosx-x86_64
@@ -22,20 +22,20 @@ ASM_X86_64_MACOSX += cpuid-macosx-x86_64.S
 EXTRA_DIST += $(ASM_X86_64_MACOSX)
 if HOST_ASM_MACOSX_X86_64
-libcrypto_la_CPPFLAGS += -DAES_ASM
+libcrypto_la_CFLAGS += -DAES_ASM
-libcrypto_la_CPPFLAGS += -DBSAES_ASM
+libcrypto_la_CFLAGS += -DBSAES_ASM
-libcrypto_la_CPPFLAGS += -DVPAES_ASM
+libcrypto_la_CFLAGS += -DVPAES_ASM
-libcrypto_la_CPPFLAGS += -DOPENSSL_IA32_SSE2
+libcrypto_la_CFLAGS += -DOPENSSL_IA32_SSE2
-libcrypto_la_CPPFLAGS += -DOPENSSL_BN_ASM_MONT
+libcrypto_la_CFLAGS += -DOPENSSL_BN_ASM_MONT
-libcrypto_la_CPPFLAGS += -DOPENSSL_BN_ASM_MONT5
+libcrypto_la_CFLAGS += -DOPENSSL_BN_ASM_MONT5
-libcrypto_la_CPPFLAGS += -DOPENSSL_BN_ASM_GF2m
+libcrypto_la_CFLAGS += -DOPENSSL_BN_ASM_GF2m
-libcrypto_la_CPPFLAGS += -DMD5_ASM
+libcrypto_la_CFLAGS += -DMD5_ASM
-libcrypto_la_CPPFLAGS += -DGHASH_ASM
+libcrypto_la_CFLAGS += -DGHASH_ASM
-libcrypto_la_CPPFLAGS += -DRSA_ASM
+libcrypto_la_CFLAGS += -DRSA_ASM
-libcrypto_la_CPPFLAGS += -DSHA1_ASM
+libcrypto_la_CFLAGS += -DSHA1_ASM
-libcrypto_la_CPPFLAGS += -DSHA256_ASM
+libcrypto_la_CFLAGS += -DSHA256_ASM
-libcrypto_la_CPPFLAGS += -DSHA512_ASM
+libcrypto_la_CFLAGS += -DSHA512_ASM
-libcrypto_la_CPPFLAGS += -DWHIRLPOOL_ASM
+libcrypto_la_CFLAGS += -DWHIRLPOOL_ASM
-libcrypto_la_CPPFLAGS += -DOPENSSL_CPUID_OBJ
+libcrypto_la_CFLAGS += -DOPENSSL_CPUID_OBJ
 libcrypto_la_SOURCES += $(ASM_X86_64_MACOSX)
 endif
--- a/crypto/compat/arc4random.h
+++ b/crypto/compat/arc4random.h
@@ -3,10 +3,7 @@
 #include <sys/param.h>
-#if defined(_AIX)
+#if defined(__FreeBSD__)
 #include "arc4random_aix.h"
 #elif defined(__FreeBSD__)
 #include "arc4random_freebsd.h"
 #elif defined(__hpux)
--- a/crypto/compat/explicit_bzero_win.c
+++ b/crypto/compat/explicit_bzero_win.c
@@ -1,13 +0,0 @@
 /*
 * Public domain.
 * Win32 explicit_bzero compatibility shim.
 */
 #include <windows.h>
 #include <string.h>
 void
 explicit_bzero(void *buf, size_t len)
 {
 	SecureZeroMemory(buf, len);
 }
--- a/crypto/compat/inet_pton.c
+++ b/crypto/compat/inet_pton.c
@@ -1,212 +0,0 @@
 /*	$OpenBSD: inet_pton.c,v 1.9 2015/01/16 16:48:51 deraadt Exp $	*/
 /* Copyright (c) 1996 by Internet Software Consortium.
 *
 * Permission to use, copy, modify, and distribute this software for any
 * purpose with or without fee is hereby granted, provided that the above
 * copyright notice and this permission notice appear in all copies.
 *
 * THE SOFTWARE IS PROVIDED "AS IS" AND INTERNET SOFTWARE CONSORTIUM DISCLAIMS
 * ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES
 * OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL INTERNET SOFTWARE
 * CONSORTIUM BE LIABLE FOR ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL
 * DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR
 * PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS
 * ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS
 * SOFTWARE.
 */
 #include <sys/types.h>
 #include <sys/socket.h>
 #include <netinet/in.h>
 #include <arpa/inet.h>
 #include <arpa/nameser.h>
 #include <string.h>
 #include <errno.h>
 /*
 * WARNING: Don't even consider trying to compile this on a system where
 * sizeof(int) < 4.  sizeof(int) > 4 is fine; all the world's not a VAX.
 */
 static int	inet_pton4(const char *src, u_char *dst);
 static int	inet_pton6(const char *src, u_char *dst);
 /* int
 * inet_pton(af, src, dst)
 *	convert from presentation format (which usually means ASCII printable)
 *	to network format (which is usually some kind of binary format).
 * return:
 *	1 if the address was valid for the specified address family
 *	0 if the address wasn't valid (`dst' is untouched in this case)
 *	-1 if some other error occurred (`dst' is untouched in this case, too)
 * author:
 *	Paul Vixie, 1996.
 */
 int
 inet_pton(int af, const char *src, void *dst)
 {
 	switch (af) {
 	case AF_INET:
 		return (inet_pton4(src, dst));
 	case AF_INET6:
 		return (inet_pton6(src, dst));
 	default:
 		errno = EAFNOSUPPORT;
 		return (-1);
 	}
 	/* NOTREACHED */
 }
 /* int
 * inet_pton4(src, dst)
 *	like inet_aton() but without all the hexadecimal and shorthand.
 * return:
 *	1 if `src' is a valid dotted quad, else 0.
 * notice:
 *	does not touch `dst' unless it's returning 1.
 * author:
 *	Paul Vixie, 1996.
 */
 static int
 inet_pton4(const char *src, u_char *dst)
 {
 	static const char digits[] = "0123456789";
 	int saw_digit, octets, ch;
 	u_char tmp[INADDRSZ], *tp;
 	saw_digit = 0;
 	octets = 0;
 	*(tp = tmp) = 0;
 	while ((ch = *src++) != '\0') {
 		const char *pch;
 		if ((pch = strchr(digits, ch)) != NULL) {
 			u_int new = *tp * 10 + (pch - digits);
 			if (new > 255)
 				return (0);
 			if (! saw_digit) {
 				if (++octets > 4)
 					return (0);
 				saw_digit = 1;
 			}
 			*tp = new;
 		} else if (ch == '.' && saw_digit) {
 			if (octets == 4)
 				return (0);
 			*++tp = 0;
 			saw_digit = 0;
 		} else
 			return (0);
 	}
 	if (octets < 4)
 		return (0);
 	memcpy(dst, tmp, INADDRSZ);
 	return (1);
 }
 /* int
 * inet_pton6(src, dst)
 *	convert presentation level address to network order binary form.
 * return:
 *	1 if `src' is a valid [RFC1884 2.2] address, else 0.
 * notice:
 *	does not touch `dst' unless it's returning 1.
 * credit:
 *	inspired by Mark Andrews.
 * author:
 *	Paul Vixie, 1996.
 */
 static int
 inet_pton6(const char *src, u_char *dst)
 {
 	static const char xdigits_l[] = "0123456789abcdef",
 			  xdigits_u[] = "0123456789ABCDEF";
 	u_char tmp[IN6ADDRSZ], *tp, *endp, *colonp;
 	const char *xdigits, *curtok;
 	int ch, saw_xdigit, count_xdigit;
 	u_int val;
 	memset((tp = tmp), '\0', IN6ADDRSZ);
 	endp = tp + IN6ADDRSZ;
 	colonp = NULL;
 	/* Leading :: requires some special handling. */
 	if (*src == ':')
 		if (*++src != ':')
 			return (0);
 	curtok = src;
 	saw_xdigit = count_xdigit = 0;
 	val = 0;
 	while ((ch = *src++) != '\0') {
 		const char *pch;
 		if ((pch = strchr((xdigits = xdigits_l), ch)) == NULL)
 			pch = strchr((xdigits = xdigits_u), ch);
 		if (pch != NULL) {
 			if (count_xdigit >= 4)
 				return (0);
 			val <<= 4;
 			val |= (pch - xdigits);
 			if (val > 0xffff)
 				return (0);
 			saw_xdigit = 1;
 			count_xdigit++;
 			continue;
 		}
 		if (ch == ':') {
 			curtok = src;
 			if (!saw_xdigit) {
 				if (colonp)
 					return (0);
 				colonp = tp;
 				continue;
 			} else if (*src == '\0') {
 				return (0);
 			}
 			if (tp + INT16SZ > endp)
 				return (0);
 			*tp++ = (u_char) (val >> 8) & 0xff;
 			*tp++ = (u_char) val & 0xff;
 			saw_xdigit = 0;
 			count_xdigit = 0;
 			val = 0;
 			continue;
 		}
 		if (ch == '.' && ((tp + INADDRSZ) <= endp) &&
 		    inet_pton4(curtok, tp) > 0) {
 			tp += INADDRSZ;
 			saw_xdigit = 0;
 			count_xdigit = 0;
 			break;	/* '\0' was seen by inet_pton4(). */
 		}
 		return (0);
 	}
 	if (saw_xdigit) {
 		if (tp + INT16SZ > endp)
 			return (0);
 		*tp++ = (u_char) (val >> 8) & 0xff;
 		*tp++ = (u_char) val & 0xff;
 	}
 	if (colonp != NULL) {
 		/*
 		 * Since some memmove()'s erroneously fail to handle
 		 * overlapping regions, we'll do the shift by hand.
 		 */
 		const int n = tp - colonp;
 		int i;
 		if (tp == endp)
 			return (0);
 		for (i = 1; i <= n; i++) {
 			endp[- i] = colonp[n - i];
 			colonp[n - i] = 0;
 		}
 		tp = endp;
 	}
 	if (tp != endp)
 		return (0);
 	memcpy(dst, tmp, IN6ADDRSZ);
 	return (1);
 }
--- a/crypto/compat/issetugid_hpux.c
+++ b/crypto/compat/issetugid_hpux.c
@@ -0,0 +1,17 @@
 #include <stdio.h>
 #include <unistd.h>
 #include <sys/pstat.h>
 /*
 * HP-UX does not have issetugid().
 * Use pstat_getproc() and check PS_CHANGEDPRIV bit of pst_flag. If this call
 * cannot be used, assume we must be running in a privileged environment.
 */
 int issetugid(void)
 {
 	struct pst_status buf;
 	if (pstat_getproc(&buf, sizeof(buf), 0, getpid()) == 1 &&
 	    !(buf.pst_flag & PS_CHANGEDPRIV))
 		return 0;
 	return 1;
 }
--- a/crypto/compat/issetugid_linux.c
+++ b/crypto/compat/issetugid_linux.c
@@ -0,0 +1,47 @@
 /*
 * issetugid implementation for Linux
 * Public domain
 */
 #include <errno.h>
 #include <gnu/libc-version.h>
 #include <string.h>
 #include <sys/types.h>
 #include <unistd.h>
 /*
 * Linux-specific glibc 2.16+ interface for determining if a process was
 * launched setuid/setgid or with additional capabilities.
 */
 #ifdef HAVE_GETAUXVAL
 #include <sys/auxv.h>
 #endif
 int issetugid(void)
 {
 #ifdef HAVE_GETAUXVAL
 	/*
 	 * The API for glibc < 2.19 does not indicate if there is an error with
 	 * getauxval. While it should not be the case that any 2.6 or greater
 	 * kernel ever does not supply AT_SECURE, an emulated software environment
 	 * might rewrite the aux vector.
 	 *
 	 * See https://sourceware.org/bugzilla/show_bug.cgi?id=15846
 	 *
 	 * Perhaps this code should just read the aux vector itself, so we have
 	 * backward-compatibility and error handling in older glibc versions.
 	 * info: http://lwn.net/Articles/519085/
 	 *
 	 */
 	const char *glcv = gnu_get_libc_version();
 	if (strverscmp(glcv, "2.19") >= 0) {
 		errno = 0;
 		if (getauxval(AT_SECURE) == 0) {
 			if (errno != ENOENT) {
 				return 0;
 			}
 		}
 	}
 #endif
 	return 1;
 }
--- a/crypto/compat/issetugid_osx.c
+++ b/crypto/compat/issetugid_osx.c
@@ -0,0 +1,16 @@
 /*
 * issetugid implementation for OS X
 * Public domain
 */
 #include <unistd.h>
 /*
 * OS X has issetugid, but it is not fork-safe as of version 10.10.
 * See this Solaris report for test code that fails similarly:
 * http://mcarpenter.org/blog/2013/01/15/solaris-issetugid%282%29-bug
 */
 int issetugid(void)
 {
 	return 1;
 }
--- a/crypto/compat/issetugid_win.c
+++ b/crypto/compat/issetugid_win.c
@@ -0,0 +1,26 @@
 /*
 * issetugid implementation for Windows
 * Public domain
 */
 #include <unistd.h>
 /*
 * Windows does not have a native setuid/setgid functionality.
 * A user must enter credentials each time a process elevates its
 * privileges.
 *
 * So, in theory, this could always return 0, given what I know currently.
 * However, it makes sense to stub out initially in 'safe' mode until we
 * understand more (and determine if any disabled functionality is actually
 * useful on Windows anyway).
 *
 * Future versions of this function that are made more 'open' should thoroughly
 * consider the case of this code running as a privileged service with saved
 * user credentials or privilege escalations by other means (e.g. the old
 * RunAsEx utility.)
 */
 int issetugid(void)
 {
 	return 1;
 }
--- a/crypto/compat/ui_openssl_win.c
+++ b/crypto/compat/ui_openssl_win.c
@@ -133,7 +133,6 @@
 /* Define globals.  They are protected by a lock */
 static void (*savsig[NX509_SIG])(int );
 DWORD console_mode;
 static FILE *tty_in, *tty_out;
 static int is_a_tty;
@@ -301,27 +300,28 @@ open_console(UI *ui)
 	tty_in = stdin;
 	tty_out = stderr;
-	HANDLE handle = GetStdHandle(STD_INPUT_HANDLE);
+	return 1;
 	if (handle != INVALID_HANDLE_VALUE)
 		return GetConsoleMode(handle, &console_mode);
 	return 0;
 }
 static int
 noecho_console(UI *ui)
 {
 	DWORD mode = 0;
 	HANDLE handle = GetStdHandle(STD_INPUT_HANDLE);
-	if (handle != INVALID_HANDLE_VALUE)
+	if (handle != INVALID_HANDLE_VALUE && handle != handle) {
-		return SetConsoleMode(handle, console_mode & ~ENABLE_ECHO_INPUT);
+		return GetConsoleMode(handle, &mode) && SetConsoleMode(handle, mode & (~ENABLE_ECHO_INPUT));
 	}
 	return 0;
 }
 static int
 echo_console(UI *ui)
 {
 	DWORD mode = 0;
 	HANDLE handle = GetStdHandle(STD_INPUT_HANDLE);
-	if (handle != INVALID_HANDLE_VALUE)
+	if (handle != INVALID_HANDLE_VALUE && handle != handle) {
-		return SetConsoleMode(handle, console_mode);
+		return GetConsoleMode(handle, &mode) && SetConsoleMode(handle, mode | ENABLE_ECHO_INPUT);
 	}
 	return 0;
 }
--- a/dist.sh
+++ b/dist.sh
@@ -1,7 +1,7 @@
 #!/bin/sh
 set -e
-rm -f man/*.1 man/*.3 include/openssl/*.h
+rm -f man/*.1 man/*.3
 ./autogen.sh
 ./configure
 make distcheck
--- a/gen-coverage-report.sh
+++ b/gen-coverage-report.sh
@@ -29,15 +29,9 @@ make check
 echo "Generating report"
 mkdir -p $DESTDIR
 find tests -name '*.gcda' -o -name '*.gcno' -delete
-lcov --capture --output-file $DESTDIR/coverage.tmp \
+lcov --directory . --capture --output-file $DESTDIR/coverage.tmp \
 	--rc lcov_branch_coverage=1 \
 	--directory crypto \
 	--directory ssl \
 	--directory tls \
    --test-name "LibreSSL $VERSION"
 genhtml --prefix . --output-directory $DESTDIR \
 	--branch-coverage --function-coverage \
 	--rc lcov_branch_coverage=1 \
    --title "LibreSSL $VERSION" --legend --show-detail $DESTDIR/coverage.tmp
 echo "Code coverage report is available under $DESTDIR"
--- a/include/CMakeLists.txt
+++ b/include/CMakeLists.txt
@@ -1,5 +0,0 @@
 install(DIRECTORY .
        DESTINATION include
        PATTERN "CMakeLists.txt" EXCLUDE
        PATTERN "compat" EXCLUDE
        PATTERN "Makefile.*" EXCLUDE)
--- a/include/Makefile.am
+++ b/include/Makefile.am
@@ -1,39 +1,31 @@
 include $(top_srcdir)/Makefile.am.common
 EXTRA_DIST = CMakeLists.txt
 SUBDIRS = openssl
-noinst_HEADERS = pqueue.h
+noinst_HEADERS = err.h
-noinst_HEADERS += compat/dirent.h
+noinst_HEADERS += netdb.h
-noinst_HEADERS += compat/dirent_msvc.h
+noinst_HEADERS += poll.h
-noinst_HEADERS += compat/err.h
+noinst_HEADERS += pqueue.h
-noinst_HEADERS += compat/netdb.h
+noinst_HEADERS += stdio.h
-noinst_HEADERS += compat/poll.h
+noinst_HEADERS += stdlib.h
-noinst_HEADERS += compat/stdio.h
+noinst_HEADERS += string.h
-noinst_HEADERS += compat/stdlib.h
+noinst_HEADERS += syslog.h
-noinst_HEADERS += compat/string.h
+noinst_HEADERS += unistd.h
-noinst_HEADERS += compat/time.h
+noinst_HEADERS += win32netcompat.h
 noinst_HEADERS += compat/unistd.h
 noinst_HEADERS += compat/win32netcompat.h
-noinst_HEADERS += compat/arpa/inet.h
+noinst_HEADERS += arpa/inet.h
 noinst_HEADERS += compat/arpa/nameser.h
-noinst_HEADERS += compat/machine/endian.h
+noinst_HEADERS += machine/endian.h
-noinst_HEADERS += compat/netinet/in.h
+noinst_HEADERS += netinet/in.h
-noinst_HEADERS += compat/netinet/tcp.h
+noinst_HEADERS += netinet/tcp.h
-noinst_HEADERS += compat/sys/cdefs.h
+noinst_HEADERS += sys/ioctl.h
-noinst_HEADERS += compat/sys/ioctl.h
+noinst_HEADERS += sys/mman.h
-noinst_HEADERS += compat/sys/mman.h
+noinst_HEADERS += sys/select.h
-noinst_HEADERS += compat/sys/param.h
+noinst_HEADERS += sys/socket.h
-noinst_HEADERS += compat/sys/select.h
+noinst_HEADERS += sys/times.h
-noinst_HEADERS += compat/sys/stat.h
+noinst_HEADERS += sys/types.h
-noinst_HEADERS += compat/sys/socket.h
+noinst_HEADERS += sys/uio.h
 noinst_HEADERS += compat/sys/time.h
 noinst_HEADERS += compat/sys/types.h
 noinst_HEADERS += compat/sys/uio.h
 include_HEADERS = tls.h
--- a/include/arpa/inet.h
+++ b/include/arpa/inet.h
@@ -0,0 +1,10 @@
 /*
 * Public domain
 * arpa/inet.h compatibility shim
 */
 #ifndef _WIN32
 #include_next <arpa/inet.h>
 #else
 #include <win32netcompat.h>
 #endif
--- a/include/compat/arpa/inet.h
+++ b/include/compat/arpa/inet.h
@@ -1,19 +0,0 @@
 /*
 * Public domain
 * arpa/inet.h compatibility shim
 */
 #ifndef _WIN32
 #include_next <arpa/inet.h>
 #else
 #include <win32netcompat.h>
 #ifndef AI_ADDRCONFIG
 #define AI_ADDRCONFIG               0x00000400
 #endif
 #endif
 #ifndef HAVE_INET_PTON
 int inet_pton(int af, const char * src, void * dst);
 #endif
--- a/include/compat/arpa/nameser.h
+++ b/include/compat/arpa/nameser.h
@@ -1,23 +0,0 @@
 /*
 * Public domain
 * arpa/inet.h compatibility shim
 */
 #ifndef _WIN32
 #include_next <arpa/nameser.h>
 #else
 #include <win32netcompat.h>
 #ifndef INADDRSZ
 #define INADDRSZ 4
 #endif
 #ifndef IN6ADDRSZ
 #define IN6ADDRSZ 16
 #endif
 #ifndef INT16SZ
 #define INT16SZ	2
 #endif
 #endif
--- a/include/compat/dirent.h
+++ b/include/compat/dirent.h
@@ -1,17 +0,0 @@
 /*
 * Public domain
 * dirent.h compatibility shim
 */
 #ifndef LIBCRYPTOCOMPAT_DIRENT_H
 #define LIBCRYPTOCOMPAT_DIRENT_H
 #ifdef _MSC_VER
 #include <windows.h>
 #include <dirent_msvc.h>
 #else
 #include_next <dirent.h>
 #endif
 #endif
--- a/include/compat/dirent_msvc.h
+++ b/include/compat/dirent_msvc.h
@@ -1,611 +0,0 @@
 /*
 * dirent.h - dirent API for Microsoft Visual Studio
 *
 * Copyright (C) 2006-2012 Toni Ronkko
 *
 * Permission is hereby granted, free of charge, to any person obtaining
 * a copy of this software and associated documentation files (the
 * ``Software''), to deal in the Software without restriction, including
 * without limitation the rights to use, copy, modify, merge, publish,
 * distribute, sublicense, and/or sell copies of the Software, and to
 * permit persons to whom the Software is furnished to do so, subject to
 * the following conditions:
 *
 * The above copyright notice and this permission notice shall be included
 * in all copies or substantial portions of the Software.
 *
 * THE SOFTWARE IS PROVIDED ``AS IS'', WITHOUT WARRANTY OF ANY KIND, EXPRESS
 * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
 * MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT.
 * IN NO EVENT SHALL TONI RONKKO BE LIABLE FOR ANY CLAIM, DAMAGES OR
 * OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE,
 * ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR
 * OTHER DEALINGS IN THE SOFTWARE.
 *
 * $Id: dirent.h,v 1.20 2014/03/19 17:52:23 tronkko Exp $
 */
 #ifndef DIRENT_MSVC_H
 #define DIRENT_MSVC_H
 #include <windows.h>
 #if _MSC_VER >= 1900
 #include <../ucrt/stdio.h>
 #include <../ucrt/wchar.h>
 #include <../ucrt/string.h>
 #include <../ucrt/stdlib.h>
 #include <../ucrt/sys/types.h>
 #include <../ucrt/errno.h>
 #else
 #include <../include/stdio.h>
 #include <../include/wchar.h>
 #include <../include/string.h>
 #include <../include/stdlib.h>
 #include <../include/sys/types.h>
 #include <../include/errno.h>
 #endif
 #include <stdarg.h>
 #include <sys/stat.h>
 /* Indicates that d_type field is available in dirent structure */
 #define _DIRENT_HAVE_D_TYPE
 /* Indicates that d_namlen field is available in dirent structure */
 #define _DIRENT_HAVE_D_NAMLEN
 /* Maximum length of file name */
 #if !defined(PATH_MAX)
 #   define PATH_MAX MAX_PATH
 #endif
 #if !defined(FILENAME_MAX)
 #   define FILENAME_MAX MAX_PATH
 #endif
 #if !defined(NAME_MAX)
 #   define NAME_MAX FILENAME_MAX
 #endif
 /* Return the exact length of d_namlen without zero terminator */
 #define _D_EXACT_NAMLEN(p)((p)->d_namlen)
 /* Return number of bytes needed to store d_namlen */
 #define _D_ALLOC_NAMLEN(p)(PATH_MAX)
 /* Wide-character version */
 struct _wdirent {
 	long d_ino;                         /* Always zero */
 	unsigned short d_reclen;            /* Structure size */
 	size_t d_namlen;                    /* Length of name without \0 */
 	int d_type;                         /* File type */
 	wchar_t d_name[PATH_MAX];           /* File name */
 };
 typedef struct _wdirent _wdirent;
 struct _WDIR {
 	struct _wdirent ent;                /* Current directory entry */
 	WIN32_FIND_DATAW data;              /* Private file data */
 	int cached;                         /* True if data is valid */
 	HANDLE handle;                      /* Win32 search handle */
 	wchar_t *patt;                      /* Initial directory name */
 };
 typedef struct _WDIR _WDIR;
 static _WDIR *_wopendir(const wchar_t *dirname);
 static struct _wdirent *_wreaddir(_WDIR *dirp);
 static int _wclosedir(_WDIR *dirp);
 static void _wrewinddir(_WDIR* dirp);
 /* Multi-byte character versions */
 struct dirent {
 	long d_ino;                         /* Always zero */
 	unsigned short d_reclen;            /* Structure size */
 	size_t d_namlen;                    /* Length of name without \0 */
 	int d_type;                         /* File type */
 	char d_name[PATH_MAX];              /* File name */
 };
 typedef struct dirent dirent;
 struct DIR {
 	struct dirent ent;
 	struct _WDIR *wdirp;
 };
 typedef struct DIR DIR;
 static DIR *opendir(const char *dirname);
 static struct dirent *readdir(DIR *dirp);
 static int closedir(DIR *dirp);
 static void rewinddir(DIR* dirp);
 /* Internal utility functions */
 static WIN32_FIND_DATAW *dirent_first(_WDIR *dirp);
 static WIN32_FIND_DATAW *dirent_next(_WDIR *dirp);
 static int dirent_mbstowcs_s(
 	size_t *pReturnValue,
 	wchar_t *wcstr,
 	size_t sizeInWords,
 	const char *mbstr,
 	size_t count);
 static int dirent_wcstombs_s(
 	size_t *pReturnValue,
 	char *mbstr,
 	size_t sizeInBytes,
 	const wchar_t *wcstr,
 	size_t count);
 /*
 * Open directory stream DIRNAME for read and return a pointer to the
 * internal working area that is used to retrieve individual directory
 * entries.
 */
 static _WDIR*
 _wopendir(const wchar_t *dirname)
 {
 	_WDIR *dirp = NULL;
 	int error;
 	/* Must have directory name */
 	if (dirname == NULL  ||  dirname[0] == '\0') {
 		_set_errno(ENOENT);
 		return NULL;
 	}
 	/* Allocate new _WDIR structure */
 	dirp =(_WDIR*) malloc(sizeof(struct _WDIR));
 	if (dirp != NULL) {
 		DWORD n;
 		/* Reset _WDIR structure */
 		dirp->handle = INVALID_HANDLE_VALUE;
 		dirp->patt = NULL;
 		dirp->cached = 0;
 		/* Compute the length of full path plus zero terminator */
 		n = GetFullPathNameW(dirname, 0, NULL, NULL);
 		/* Allocate room for absolute directory name and search pattern */
 		dirp->patt =(wchar_t*) malloc(sizeof(wchar_t) * n + 16);
 		if (dirp->patt) {
 			/*
 			 * Convert relative directory name to an absolute one.  This
 			 * allows rewinddir() to function correctly even when current
 			 * working directory is changed between opendir() and rewinddir().
 			 */
 			n = GetFullPathNameW(dirname, n, dirp->patt, NULL);
 			if (n > 0) {
 				wchar_t *p;
 				/* Append search pattern \* to the directory name */
 				p = dirp->patt + n;
 				if (dirp->patt < p) {
 					switch(p[-1]) {
 					case '\\':
 					case '/':
 					case ':':
 						/* Directory ends in path separator, e.g. c:\temp\ */
 						/*NOP*/;
 						break;
 					default:
 						/* Directory name doesn't end in path separator */
 						*p++ = '\\';
 					}
 				}
 				*p++ = '*';
 				*p = '\0';
 				/* Open directory stream and retrieve the first entry */
 				if (dirent_first(dirp)) {
 					/* Directory stream opened successfully */
 					error = 0;
 				} else {
 					/* Cannot retrieve first entry */
 					error = 1;
 					_set_errno(ENOENT);
 				}
 			} else {
 				/* Cannot retrieve full path name */
 				_set_errno(ENOENT);
 				error = 1;
 			}
 		} else {
 			/* Cannot allocate memory for search pattern */
 			error = 1;
 		}
 	} else {
 		/* Cannot allocate _WDIR structure */
 		error = 1;
 	}
 	/* Clean up in case of error */
 	if (error  &&  dirp) {
 		_wclosedir(dirp);
 		dirp = NULL;
 	}
 	return dirp;
 }
 /*
 * Read next directory entry.  The directory entry is returned in dirent
 * structure in the d_name field.  Individual directory entries returned by
 * this function include regular files, sub-directories, pseudo-directories
 * "." and ".." as well as volume labels, hidden files and system files.
 */
 static struct _wdirent*
 _wreaddir(_WDIR *dirp)
 {
 	WIN32_FIND_DATAW *datap;
 	struct _wdirent *entp;
 	/* Read next directory entry */
 	datap = dirent_next(dirp);
 	if (datap) {
 		size_t n;
 		DWORD attr;
 		/* Pointer to directory entry to return */
 		entp = &dirp->ent;
 		/*
 		 * Copy file name as wide-character string.  If the file name is too
 		 * long to fit in to the destination buffer, then truncate file name
 		 * to PATH_MAX characters and zero-terminate the buffer.
 		 */
 		n = 0;
 		while(n + 1 < PATH_MAX  &&  datap->cFileName[n] != 0) {
 			entp->d_name[n] = datap->cFileName[n];
 			n++;
 		}
 		dirp->ent.d_name[n] = 0;
 		/* Length of file name excluding zero terminator */
 		entp->d_namlen = n;
 		/* File type */
 		attr = datap->dwFileAttributes;
 		if ((attr & FILE_ATTRIBUTE_DEVICE) != 0) {
 			entp->d_type = DT_CHR;
 		} else if ((attr & FILE_ATTRIBUTE_DIRECTORY) != 0) {
 			entp->d_type = DT_DIR;
 		} else {
 			entp->d_type = DT_REG;
 		}
 		/* Reset dummy fields */
 		entp->d_ino = 0;
 		entp->d_reclen = sizeof(struct _wdirent);
 	} else {
 		/* Last directory entry read */
 		entp = NULL;
 	}
 	return entp;
 }
 /*
 * Close directory stream opened by opendir() function.  This invalidates the
 * DIR structure as well as any directory entry read previously by
 * _wreaddir().
 */
 static int
 _wclosedir(_WDIR *dirp)
 {
 	int ok;
 	if (dirp) {
 		/* Release search handle */
 		if (dirp->handle != INVALID_HANDLE_VALUE) {
 			FindClose(dirp->handle);
 			dirp->handle = INVALID_HANDLE_VALUE;
 		}
 		/* Release search pattern */
 		if (dirp->patt) {
 			free(dirp->patt);
 			dirp->patt = NULL;
 		}
 		/* Release directory structure */
 		free(dirp);
 		ok = /*success*/0;
 	} else {
 		/* Invalid directory stream */
 		_set_errno(EBADF);
 		ok = /*failure*/-1;
 	}
 	return ok;
 }
 /*
 * Rewind directory stream such that _wreaddir() returns the very first
 * file name again.
 */
 static void
 _wrewinddir(_WDIR* dirp)
 {
 	if (dirp) {
 		/* Release existing search handle */
 		if (dirp->handle != INVALID_HANDLE_VALUE) {
 			FindClose(dirp->handle);
 		}
 		/* Open new search handle */
 		dirent_first(dirp);
 	}
 }
 /* Get first directory entry(internal) */
 static WIN32_FIND_DATAW*
 dirent_first(_WDIR *dirp)
 {
 	WIN32_FIND_DATAW *datap;
 	/* Open directory and retrieve the first entry */
 	dirp->handle = FindFirstFileW(dirp->patt, &dirp->data);
 	if (dirp->handle != INVALID_HANDLE_VALUE) {
 		/* a directory entry is now waiting in memory */
 		datap = &dirp->data;
 		dirp->cached = 1;
 	} else {
 		/* Failed to re-open directory: no directory entry in memory */
 		dirp->cached = 0;
 		datap = NULL;
 	}
 	return datap;
 }
 /* Get next directory entry(internal) */
 static WIN32_FIND_DATAW*
 dirent_next(_WDIR *dirp)
 {
 	WIN32_FIND_DATAW *p;
 	/* Get next directory entry */
 	if (dirp->cached != 0) {
 		/* A valid directory entry already in memory */
 		p = &dirp->data;
 		dirp->cached = 0;
 	} else if (dirp->handle != INVALID_HANDLE_VALUE) {
 		/* Get the next directory entry from stream */
 		if (FindNextFileW(dirp->handle, &dirp->data) != FALSE) {
 			/* Got a file */
 			p = &dirp->data;
 		} else {
 			/* The very last entry has been processed or an error occured */
 			FindClose(dirp->handle);
 			dirp->handle = INVALID_HANDLE_VALUE;
 			p = NULL;
 		}
 	} else {
 		/* End of directory stream reached */
 		p = NULL;
 	}
 	return p;
 }
 /*
 * Open directory stream using plain old C-string.
 */
 static DIR*
 opendir(const char *dirname)
 {
 	struct DIR *dirp;
 	int error;
 	/* Must have directory name */
 	if (dirname == NULL  ||  dirname[0] == '\0') {
 		_set_errno(ENOENT);
 		return NULL;
 	}
 	/* Allocate memory for DIR structure */
 	dirp =(DIR*) malloc(sizeof(struct DIR));
 	if (dirp) {
 		wchar_t wname[PATH_MAX];
 		size_t n;
 		/* Convert directory name to wide-character string */
 		error = dirent_mbstowcs_s(&n, wname, PATH_MAX, dirname, PATH_MAX);
 		if (!error) {
 			/* Open directory stream using wide-character name */
 			dirp->wdirp = _wopendir(wname);
 			if (dirp->wdirp) {
 				/* Directory stream opened */
 				error = 0;
 			} else {
 				/* Failed to open directory stream */
 				error = 1;
 			}
 		} else {
 			/*
 			 * Cannot convert file name to wide-character string.  This
 			 * occurs if the string contains invalid multi-byte sequences or
 			 * the output buffer is too small to contain the resulting
 			 * string.
 			 */
 			error = 1;
 		}
 	} else {
 		/* Cannot allocate DIR structure */
 		error = 1;
 	}
 	/* Clean up in case of error */
 	if (error  &&  dirp) {
 		free(dirp);
 		dirp = NULL;
 	}
 	return dirp;
 }
 /*
 * Read next directory entry.
 *
 * When working with text consoles, please note that file names returned by
 * readdir() are represented in the default ANSI code page while any output to
 * console is typically formatted on another code page.  Thus, non-ASCII
 * characters in file names will not usually display correctly on console.  The
 * problem can be fixed in two ways:(1) change the character set of console
 * to 1252 using chcp utility and use Lucida Console font, or(2) use
 * _cprintf function when writing to console.  The _cprinf() will re-encode
 * ANSI strings to the console code page so many non-ASCII characters will
 * display correcly.
 */
 static struct dirent*
 readdir(DIR *dirp)
 {
 	WIN32_FIND_DATAW *datap;
 	struct dirent *entp;
 	/* Read next directory entry */
 	datap = dirent_next(dirp->wdirp);
 	if (datap) {
 		size_t n;
 		int error;
 		/* Attempt to convert file name to multi-byte string */
 		error = dirent_wcstombs_s(
 			&n, dirp->ent.d_name, PATH_MAX, datap->cFileName, PATH_MAX);
 		/*
 		 * If the file name cannot be represented by a multi-byte string,
 		 * then attempt to use old 8+3 file name.  This allows traditional
 		 * Unix-code to access some file names despite of unicode
 		 * characters, although file names may seem unfamiliar to the user.
 		 *
 		 * Be ware that the code below cannot come up with a short file
 		 * name unless the file system provides one.  At least
 		 * VirtualBox shared folders fail to do this.
 		 */
 		if (error && datap->cAlternateFileName[0] != '\0') {
 			error = dirent_wcstombs_s(
 			    &n, dirp->ent.d_name, PATH_MAX,
 			    datap->cAlternateFileName, PATH_MAX);
 		}
 		if (!error) {
 			DWORD attr;
 			/* Initialize directory entry for return */
 			entp = &dirp->ent;
 			/* Length of file name excluding zero terminator */
 			entp->d_namlen = n - 1;
 			/* File attributes */
 			attr = datap->dwFileAttributes;
 			if ((attr & FILE_ATTRIBUTE_DEVICE) != 0) {
 				entp->d_type = DT_CHR;
 			} else if ((attr & FILE_ATTRIBUTE_DIRECTORY) != 0) {
 				entp->d_type = DT_DIR;
 			} else {
 				entp->d_type = DT_REG;
 			}
 			/* Reset dummy fields */
 			entp->d_ino = 0;
 			entp->d_reclen = sizeof(struct dirent);
 		} else {
 			/*
 			 * Cannot convert file name to multi-byte string so construct
 			 * an errornous directory entry and return that.  Note that
 			 * we cannot return NULL as that would stop the processing
 			 * of directory entries completely.
 			 */
 			entp = &dirp->ent;
 			entp->d_name[0] = '?';
 			entp->d_name[1] = '\0';
 			entp->d_namlen = 1;
 			entp->d_type = DT_UNKNOWN;
 			entp->d_ino = 0;
 			entp->d_reclen = 0;
 		}
 	} else {
 		/* No more directory entries */
 		entp = NULL;
 	}
 	return entp;
 }
 /*
 * Close directory stream.
 */
 static int
 closedir(DIR *dirp)
 {
 	int ok;
 	if (dirp) {
 		/* Close wide-character directory stream */
 		ok = _wclosedir(dirp->wdirp);
 		dirp->wdirp = NULL;
 		/* Release multi-byte character version */
 		free(dirp);
 	} else {
 		/* Invalid directory stream */
 		_set_errno(EBADF);
 		ok = /*failure*/-1;
 	}
 	return ok;
 }
 /*
 * Rewind directory stream to beginning.
 */
 static void
 rewinddir(DIR* dirp)
 {
 	/* Rewind wide-character string directory stream */
 	_wrewinddir(dirp->wdirp);
 }
 /* Convert multi-byte string to wide character string */
 static int
 dirent_mbstowcs_s(size_t *pReturnValue, wchar_t *wcstr,
 	size_t sizeInWords, const char *mbstr, size_t count)
 {
 	return mbstowcs_s(pReturnValue, wcstr, sizeInWords, mbstr, count);
 }
 /* Convert wide-character string to multi-byte string */
 static int
 dirent_wcstombs_s(size_t *pReturnValue, char *mbstr,
 	size_t sizeInBytes, /* max size of mbstr */
 	const wchar_t *wcstr, size_t count)
 {
 	return wcstombs_s(pReturnValue, mbstr, sizeInBytes, wcstr, count);
 }
 #endif /*DIRENT_H*/
--- a/include/compat/err.h
+++ b/include/compat/err.h
@@ -1,33 +0,0 @@
 /*
 * Public domain
 * err.h compatibility shim
 */
 #ifdef HAVE_ERR_H
 #include_next <err.h>
 #else
 #ifndef LIBCRYPTOCOMPAT_ERR_H
 #define LIBCRYPTOCOMPAT_ERR_H
 #include <errno.h>
 #include <stdio.h>
 #include <string.h>
 #define err(exitcode, format, ...) \
  errx(exitcode, format ": %s", ## __VA_ARGS__, strerror(errno))
 #define errx(exitcode, format, ...) \
  do { warnx(format, ## __VA_ARGS__); exit(exitcode); } while (0)
 #define warn(format, ...) \
  warnx(format ": %s", ## __VA_ARGS__, strerror(errno))
 #define warnx(format, ...) \
  fprintf(stderr, format "\n", ## __VA_ARGS__)
 #endif
 #endif
--- a/include/compat/stdio.h
+++ b/include/compat/stdio.h
@@ -1,45 +0,0 @@
 /*
 * Public domain
 * stdio.h compatibility shim
 */
 #ifndef LIBCRYPTOCOMPAT_STDIO_H
 #define LIBCRYPTOCOMPAT_STDIO_H
 #ifdef _MSC_VER
 #if _MSC_VER >= 1900
 #include <../ucrt/stdlib.h>
 #include <../ucrt/corecrt_io.h>
 #include <../ucrt/stdio.h>
 #else
 #include <../include/stdio.h>
 #endif
 #else
 #include_next <stdio.h>
 #endif
 #ifndef HAVE_ASPRINTF
 #include <stdarg.h>
 int vasprintf(char **str, const char *fmt, va_list ap);
 int asprintf(char **str, const char *fmt, ...);
 #endif
 #ifdef _WIN32
 void posix_perror(const char *s);
 FILE * posix_fopen(const char *path, const char *mode);
 int posix_rename(const char *oldpath, const char *newpath);
 #ifndef NO_REDEF_POSIX_FUNCTIONS
 #define perror(errnum) posix_perror(errnum)
 #define fopen(path, mode) posix_fopen(path, mode)
 #define rename(oldpath, newpath) posix_rename(oldpath, newpath)
 #endif
 #ifdef _MSC_VER
 #define snprintf _snprintf
 #endif
 #endif
 #endif
--- a/include/compat/string.h
+++ b/include/compat/string.h
@@ -1,86 +0,0 @@
 /*
 * Public domain
 * string.h compatibility shim
 */
 #ifndef LIBCRYPTOCOMPAT_STRING_H
 #define LIBCRYPTOCOMPAT_STRING_H
 #ifdef _MSC_VER
 #if _MSC_VER >= 1900
 #include <../ucrt/string.h>
 #else
 #include <../include/string.h>
 #endif
 #else
 #include_next <string.h>
 #endif
 #include <sys/types.h>
 #if defined(__sun) || defined(__hpux)
 /* Some functions historically defined in string.h were placed in strings.h by
 * SUS. Use the same hack as OS X and FreeBSD use to work around on Solaris and HPUX.
 */
 #include <strings.h>
 #endif
 #ifndef HAVE_STRCASECMP
 int strcasecmp(const char *s1, const char *s2);
 int strncasecmp(const char *s1, const char *s2, size_t len);
 #endif
 #ifndef HAVE_STRLCPY
 size_t strlcpy(char *dst, const char *src, size_t siz);
 #endif
 #ifndef HAVE_STRLCAT
 size_t strlcat(char *dst, const char *src, size_t siz);
 #endif
 #ifndef HAVE_STRNDUP
 char * strndup(const char *str, size_t maxlen);
 /* the only user of strnlen is strndup, so only build it if needed */
 #ifndef HAVE_STRNLEN
 size_t strnlen(const char *str, size_t maxlen);
 #endif
 #endif
 #ifndef HAVE_STRSEP
 char *strsep(char **stringp, const char *delim);
 #endif
 #ifndef HAVE_EXPLICIT_BZERO
 void explicit_bzero(void *, size_t);
 #endif
 #ifndef HAVE_TIMINGSAFE_BCMP
 int timingsafe_bcmp(const void *b1, const void *b2, size_t n);
 #endif
 #ifndef HAVE_TIMINGSAFE_MEMCMP
 int timingsafe_memcmp(const void *b1, const void *b2, size_t len);
 #endif
 #ifndef HAVE_MEMMEM
 void * memmem(const void *big, size_t big_len, const void *little,
 	size_t little_len);
 #endif
 #ifdef _WIN32
 #include <errno.h>
 static inline char  *
 posix_strerror(int errnum)
 {
 	if (errnum == ECONNREFUSED) {
 		return "Connection refused";
 	}
 	return strerror(errnum);
 }
 #define strerror(errnum) posix_strerror(errnum)
 #endif
 #endif
--- a/include/compat/sys/cdefs.h
+++ b/include/compat/sys/cdefs.h
@@ -1,31 +0,0 @@
 /*
 * Public domain
 * sys/cdefs.h compatibility shim
 */
 #ifndef LIBCRYPTOCOMPAT_SYS_CDEFS_H
 #define LIBCRYPTOCOMPAT_SYS_CDEFS_H
 #ifdef _WIN32
 #define __warn_references(sym,msg)
 #else
 #include_next <sys/cdefs.h>
 #ifndef __warn_references
 #if defined(__GNUC__)  && defined (HAS_GNU_WARNING_LONG)
 #define __warn_references(sym,msg)          \
  __asm__(".section .gnu.warning." __STRING(sym)  \
         " ; .ascii \"" msg "\" ; .text");
 #else
 #define __warn_references(sym,msg)
 #endif
 #endif /* __warn_references */
 #endif /* _WIN32 */
 #endif /* LIBCRYPTOCOMPAT_SYS_CDEFS_H */
--- a/include/compat/sys/param.h
+++ b/include/compat/sys/param.h
@@ -1,15 +0,0 @@
 /*
 * Public domain
 * sys/param.h compatibility shim
 */
 #ifndef LIBCRYPTOCOMPAT_SYS_PARAM_H
 #define LIBCRYPTOCOMPAT_SYS_PARAM_H
 #ifdef _MSC_VER
 #include <winsock2.h>
 #else
 #include_next <sys/param.h>
 #endif
 #endif
--- a/include/compat/sys/stat.h
+++ b/include/compat/sys/stat.h
@@ -1,100 +0,0 @@
 /*
 * Public domain
 * sys/stat.h compatibility shim
 */
 #ifndef LIBCRYPTOCOMPAT_SYS_STAT_H
 #define LIBCRYPTOCOMPAT_SYS_STAT_H
 #ifndef _MSC_VER
 #include_next <sys/stat.h>
 #else
 #include <windows.h>
 #if _MSC_VER >= 1900
 #include <../ucrt/sys/stat.h>
 #else
 #include <../include/sys/stat.h>
 #endif
 /* File type and permission flags for stat() */
 #if !defined(S_IFMT)
 #   define S_IFMT   _S_IFMT                     /* File type mask */
 #endif
 #if !defined(S_IFDIR)
 #   define S_IFDIR  _S_IFDIR                    /* Directory */
 #endif
 #if !defined(S_IFCHR)
 #   define S_IFCHR  _S_IFCHR                    /* Character device */
 #endif
 #if !defined(S_IFFIFO)
 #   define S_IFFIFO _S_IFFIFO                   /* Pipe */
 #endif
 #if !defined(S_IFREG)
 #   define S_IFREG  _S_IFREG                    /* Regular file */
 #endif
 #if !defined(S_IREAD)
 #   define S_IREAD  _S_IREAD                    /* Read permission */
 #endif
 #if !defined(S_IWRITE)
 #   define S_IWRITE _S_IWRITE                   /* Write permission */
 #endif
 #if !defined(S_IEXEC)
 #   define S_IEXEC  _S_IEXEC                    /* Execute permission */
 #endif
 #if !defined(S_IFIFO)
 #   define S_IFIFO _S_IFIFO                     /* Pipe */
 #endif
 #if !defined(S_IFBLK)
 #   define S_IFBLK   0                          /* Block device */
 #endif
 #if !defined(S_IFLNK)
 #   define S_IFLNK   0                          /* Link */
 #endif
 #if !defined(S_IFSOCK)
 #   define S_IFSOCK  0                          /* Socket */
 #endif
 #if defined(_MSC_VER)
 #   define S_IRUSR  S_IREAD                     /* Read user */
 #   define S_IWUSR  S_IWRITE                    /* Write user */
 #   define S_IXUSR  0                           /* Execute user */
 #   define S_IRGRP  0                           /* Read group */
 #   define S_IWGRP  0                           /* Write group */
 #   define S_IXGRP  0                           /* Execute group */
 #   define S_IROTH  0                           /* Read others */
 #   define S_IWOTH  0                           /* Write others */
 #   define S_IXOTH  0                           /* Execute others */
 #endif
 /* File type flags for d_type */
 #define DT_UNKNOWN  0
 #define DT_REG      S_IFREG
 #define DT_DIR      S_IFDIR
 #define DT_FIFO     S_IFIFO
 #define DT_SOCK     S_IFSOCK
 #define DT_CHR      S_IFCHR
 #define DT_BLK      S_IFBLK
 #define DT_LNK      S_IFLNK
 /* Macros for converting between st_mode and d_type */
 #define IFTODT(mode) ((mode) & S_IFMT)
 #define DTTOIF(type) (type)
 /*
 * File type macros.  Note that block devices, sockets and links cannot be
 * distinguished on Windows and the macros S_ISBLK, S_ISSOCK and S_ISLNK are
 * only defined for compatibility.  These macros should always return false
 * on Windows.
 */
 #define	S_ISFIFO(mode) (((mode) & S_IFMT) == S_IFIFO)
 #define	S_ISDIR(mode)  (((mode) & S_IFMT) == S_IFDIR)
 #define	S_ISREG(mode)  (((mode) & S_IFMT) == S_IFREG)
 #define	S_ISLNK(mode)  (((mode) & S_IFMT) == S_IFLNK)
 #define	S_ISSOCK(mode) (((mode) & S_IFMT) == S_IFSOCK)
 #define	S_ISCHR(mode)  (((mode) & S_IFMT) == S_IFCHR)
 #define	S_ISBLK(mode)  (((mode) & S_IFMT) == S_IFBLK)
 #endif
 #endif
--- a/include/compat/sys/time.h
+++ b/include/compat/sys/time.h
@@ -1,16 +0,0 @@
 /*
 * Public domain
 * sys/time.h compatibility shim
 */
 #ifndef LIBCRYPTOCOMPAT_SYS_TIME_H
 #define LIBCRYPTOCOMPAT_SYS_TIME_H
 #ifdef _MSC_VER
 #include <winsock2.h>
 int gettimeofday(struct timeval *tp, void *tzp);
 #else
 #include_next <sys/time.h>
 #endif
 #endif
--- a/include/compat/sys/types.h
+++ b/include/compat/sys/types.h
@@ -1,47 +0,0 @@
 /*
 * Public domain
 * sys/types.h compatibility shim
 */
 #ifdef _MSC_VER
 #if _MSC_VER >= 1900
 #include <../ucrt/sys/types.h>
 #else
 #include <../include/sys/types.h>
 #endif
 #else
 #include_next <sys/types.h>
 #endif
 #ifndef LIBCRYPTOCOMPAT_SYS_TYPES_H
 #define LIBCRYPTOCOMPAT_SYS_TYPES_H
 #include <stdint.h>
 #ifdef __MINGW32__
 #include <_bsd_types.h>
 #endif
 #ifdef _MSC_VER
 typedef unsigned char   u_char;
 typedef unsigned short  u_short;
 typedef unsigned int    u_int;
 #include <basetsd.h>
 typedef SSIZE_T ssize_t;
 #ifndef SSIZE_MAX
 #ifdef _WIN64
 #define SSIZE_MAX _I64_MAX
 #else
 #define SSIZE_MAX INT_MAX
 #endif
 #endif
 #endif
 #if !defined(HAVE_ATTRIBUTE__BOUNDED__) && !defined(__bounded__)
 # define __bounded__(x, y, z)
 #endif
 #endif
--- a/include/compat/time.h
+++ b/include/compat/time.h
@@ -1,15 +0,0 @@
 /*
 * Public domain
 * sys/time.h compatibility shim
 */
 #ifdef _MSC_VER
 #if _MSC_VER >= 1900
 #include <../ucrt/time.h>
 #else
 #include <../include/time.h>
 #endif
 #define gmtime_r(tp, tm) ((gmtime_s((tm), (tp)) == 0) ? (tm) : NULL)
 #else
 #include_next <time.h>
 #endif
--- a/include/compat/win32netcompat.h
+++ b/include/compat/win32netcompat.h
@@ -1,48 +0,0 @@
 /*
 * Public domain
 *
 * BSD socket emulation code for Winsock2
 * Brent Cook <bcook@openbsd.org>
 */
 #ifndef LIBCRYPTOCOMPAT_WIN32NETCOMPAT_H
 #define LIBCRYPTOCOMPAT_WIN32NETCOMPAT_H
 #ifdef _WIN32
 #include <ws2tcpip.h>
 #define SHUT_RDWR SD_BOTH
 #define SHUT_RD   SD_RECEIVE
 #define SHUT_WR   SD_SEND
 #include <errno.h>
 #include <unistd.h>
 int posix_connect(int sockfd, const struct sockaddr *addr, socklen_t addrlen);
 int posix_close(int fd);
 ssize_t posix_read(int fd, void *buf, size_t count);
 ssize_t posix_write(int fd, const void *buf, size_t count);
 int posix_getsockopt(int sockfd, int level, int optname,
 	void *optval, socklen_t *optlen);
 int posix_setsockopt(int sockfd, int level, int optname,
 	const void *optval, socklen_t optlen);
 #ifndef NO_REDEF_POSIX_FUNCTIONS
 #define connect(sockfd, addr, addrlen) posix_connect(sockfd, addr, addrlen)
 #define close(fd) posix_close(fd)
 #define read(fd, buf, count) posix_read(fd, buf, count)
 #define write(fd, buf, count) posix_write(fd, buf, count)
 #define getsockopt(sockfd, level, optname, optval, optlen) \
 	posix_getsockopt(sockfd, level, optname, optval, optlen)
 #define setsockopt(sockfd, level, optname, optval, optlen) \
 	posix_setsockopt(sockfd, level, optname, optval, optlen)
 #endif
 #endif
 #endif
--- a/include/err.h
+++ b/include/err.h
@@ -0,0 +1,33 @@
 /*
 * Public domain
 * err.h compatibility shim
 */
 #ifdef HAVE_ERR_H
 #include_next <err.h>
 #else
 #ifndef LIBCRYPTOCOMPAT_ERR_H
 #define LIBCRYPTOCOMPAT_ERR_H
 #include <errno.h>
 #include <stdio.h>
 #include <string.h>
 #define err(exitcode, format, args...) \
  errx(exitcode, format ": %s", ## args, strerror(errno))
 #define errx(exitcode, format, args...) \
  do { warnx(format, ## args); exit(exitcode); } while (0)
 #define warn(format, args...) \
  warnx(format ": %s", ## args, strerror(errno))
 #define warnx(format, args...) \
  fprintf(stderr, format "\n", ## args)
 #endif
 #endif
--- a/include/compat/machine/endian.h
+++ b/include/compat/machine/endian.h
--- a/include/compat/netdb.h
+++ b/include/compat/netdb.h
--- a/include/compat/netinet/in.h
+++ b/include/compat/netinet/in.h
--- a/include/compat/netinet/tcp.h
+++ b/include/compat/netinet/tcp.h
--- a/include/compat/poll.h
+++ b/include/compat/poll.h
@@ -14,7 +14,7 @@
 #ifndef LIBCRYPTOCOMPAT_POLL_H
 #define LIBCRYPTOCOMPAT_POLL_H
-#ifndef _WIN32
+#ifdef HAVE_POLL
 #include_next <poll.h>
 #else
--- a/include/stdio.h
+++ b/include/stdio.h
@@ -0,0 +1,30 @@
 /*
 * Public domain
 * stdio.h compatibility shim
 */
 #include_next <stdio.h>
 #ifndef LIBCRYPTOCOMPAT_STDIO_H
 #define LIBCRYPTOCOMPAT_STDIO_H
 #ifndef HAVE_ASPRINTF
 #include <stdarg.h>
 int vasprintf(char **str, const char *fmt, va_list ap);
 int asprintf(char **str, const char *fmt, ...);
 #endif
 #ifdef _WIN32
 #include <errno.h>
 #include <string.h>
 static inline void
 posix_perror(const char *s)
 {
 	fprintf(stderr, "%s: %s\n", s, strerror(errno));
 }
 #define perror(errnum) posix_perror(errnum)
 #endif
 #endif
--- a/include/compat/stdlib.h
+++ b/include/compat/stdlib.h
@@ -3,20 +3,13 @@
 * Public domain
 */
 #ifdef _MSC_VER
 #if _MSC_VER >= 1900
 #include <../ucrt/stdlib.h>
 #else
 #include <../include/stdlib.h>
 #endif
 #else
 #include_next <stdlib.h>
 #endif
 #ifndef LIBCRYPTOCOMPAT_STDLIB_H
 #define LIBCRYPTOCOMPAT_STDLIB_H
-#include <sys/types.h>
+#include <sys/stat.h>
 #include <sys/time.h>
 #include <stdint.h>
 #ifndef HAVE_ARC4RANDOM_BUF
--- a/libtls-standalone/include/string.h
+++ b/libtls-standalone/include/string.h
@@ -3,19 +3,11 @@
 * string.h compatibility shim
 */
 #include_next <string.h>
 #ifndef LIBCRYPTOCOMPAT_STRING_H
 #define LIBCRYPTOCOMPAT_STRING_H
 #ifdef _MSC_VER
 #if _MSC_VER >= 1900
 #include <../ucrt/string.h>
 #else
 #include <../include/string.h>
 #endif
 #else
 #include_next <string.h>
 #endif
 #include <sys/types.h>
 #if defined(__sun) || defined(__hpux)
@@ -25,11 +17,6 @@
 #include <strings.h>
 #endif
 #ifndef HAVE_STRCASECMP
 int strcasecmp(const char *s1, const char *s2);
 int strncasecmp(const char *s1, const char *s2, size_t len);
 #endif
 #ifndef HAVE_STRLCPY
 size_t strlcpy(char *dst, const char *src, size_t siz);
 #endif
--- a/include/compat/sys/ioctl.h
+++ b/include/compat/sys/ioctl.h
--- a/include/compat/sys/mman.h
+++ b/include/compat/sys/mman.h
--- a/include/compat/sys/select.h
+++ b/include/compat/sys/select.h
--- a/include/compat/sys/socket.h
+++ b/include/compat/sys/socket.h
--- a/include/sys/times.h
+++ b/include/sys/times.h
@@ -0,0 +1,10 @@
 /*
 * Public domain
 * sys/times.h compatibility shim
 */
 #ifndef _WIN32
 #include_next <sys/times.h>
 #else
 #include <win32netcompat.h>
 #endif
--- a/include/sys/types.h
+++ b/include/sys/types.h
@@ -0,0 +1,21 @@
 /*
 * Public domain
 * sys/types.h compatibility shim
 */
 #include_next <sys/types.h>
 #ifndef LIBCRYPTOCOMPAT_SYS_TYPES_H
 #define LIBCRYPTOCOMPAT_SYS_TYPES_H
 #include <stdint.h>
 #ifdef __MINGW32__
 #include <_bsd_types.h>
 #endif
 #if !defined(HAVE_ATTRIBUTE__BOUNDED__) && !defined(__bounded__)
 # define __bounded__(x, y, z)
 #endif
 #endif
--- a/include/compat/sys/uio.h
+++ b/include/compat/sys/uio.h
--- a/include/syslog.h
+++ b/include/syslog.h
@@ -0,0 +1,38 @@
 /*
 * Public domain
 * syslog.h compatibility shim
 */
 #ifndef LIBCRYPTOCOMPAT_SYSLOG_H
 #define LIBCRYPTOCOMPAT_SYSLOG_H
 #ifndef _WIN32
 #include_next <syslog.h>
 #else
 /* priorities */
 #define LOG_EMERG 0
 #define LOG_ALERT 1
 #define LOG_CRIT 2
 #define LOG_ERR 3
 #define LOG_WARNING 4
 #define LOG_NOTICE 5
 #define LOG_INFO 6
 #define LOG_DEBUG 7
 /* facility codes */
 #define LOG_KERN (0<<3)
 #define LOG_USER (1<<3)
 #define LOG_DAEMON (3<<3)
 /* flags for openlog */
 #define LOG_PID 0x01
 #define LOG_CONS 0x02
 extern void openlog(const char *ident, int option, int facility);
 extern void syslog(int priority, const char *fmt, ...)
 	__attribute__ ((__format__ (__printf__, 2, 3)));
 extern void closelog (void);
 #endif
 #endif /* LIBCRYPTOCOMPAT_SYSLOG_H */
--- a/include/compat/unistd.h
+++ b/include/compat/unistd.h
@@ -3,30 +3,17 @@
 * unistd.h compatibility shim
 */
 #include_next <unistd.h>
 #ifndef LIBCRYPTOCOMPAT_UNISTD_H
 #define LIBCRYPTOCOMPAT_UNISTD_H
 #ifndef _MSC_VER
 #include_next <unistd.h>
 #else
 #include <stdlib.h>
 #include <io.h>
 #include <process.h>
 #define R_OK    4
 #define W_OK    2
 #define X_OK    0
 #define F_OK    0
 #define access _access
 unsigned int sleep(unsigned int seconds);
 #endif
 #ifndef HAVE_GETENTROPY
 int getentropy(void *buf, size_t buflen);
 #endif
 #ifndef HAVE_ISSETUGID
 int issetugid(void);
 #endif
 #endif
--- a/crypto/compat/posix_win.c
+++ b/crypto/compat/posix_win.c
@@ -2,48 +2,23 @@
 * Public domain
 *
 * BSD socket emulation code for Winsock2
 * File IO compatibility shims
 * Brent Cook <bcook@openbsd.org>
 */
-#define NO_REDEF_POSIX_FUNCTIONS
+#ifndef LIBCRYPTOCOMPAT_WIN32NETCOMPAT_H
 #define LIBCRYPTOCOMPAT_WIN32NETCOMPAT_H
 #ifdef _WIN32
 #include <windows.h>
 #include <ws2tcpip.h>
 #define SHUT_RDWR SD_BOTH
 #define SHUT_RD   SD_RECEIVE
 #define SHUT_WR   SD_SEND
 #include <errno.h>
 #include <stdio.h>
 #include <stdlib.h>
 #include <string.h>
 #include <unistd.h>
 void
 posix_perror(const char *s)
 {
 	fprintf(stderr, "%s: %s\n", s, strerror(errno));
 }
 FILE *
 posix_fopen(const char *path, const char *mode)
 {
 	if (strchr(mode, 'b') == NULL) {
 		char *bin_mode = NULL;
 		if (asprintf(&bin_mode, "%sb", mode) == -1)
 			return NULL;
 		FILE *f = fopen(path, bin_mode);
 		free(bin_mode);
 		return f;
 	}
 	return fopen(path, mode);
 }
 int
 posix_rename(const char *oldpath, const char *newpath)
 {
 	return MoveFileEx(oldpath, newpath, MOVEFILE_REPLACE_EXISTING) ? 0 : -1;
 }
 static int
 wsa_errno(int err)
 {
@@ -106,7 +81,7 @@ wsa_errno(int err)
 	return -1;
 }
-int
+static inline int
 posix_connect(int sockfd, const struct sockaddr *addr, socklen_t addrlen)
 {
 	int rc = connect(sockfd, addr, addrlen);
@@ -115,7 +90,9 @@ posix_connect(int sockfd, const struct sockaddr *addr, socklen_t addrlen)
 	return rc;
 }
-int
+#define connect(sockfd, addr, addrlen) posix_connect(sockfd, addr, addrlen)
 static inline int
 posix_close(int fd)
 {
 	if (closesocket(fd) == SOCKET_ERROR) {
@@ -126,7 +103,9 @@ posix_close(int fd)
 	return 0;
 }
-ssize_t
+#define close(fd) posix_close(fd)
 static inline ssize_t
 posix_read(int fd, void *buf, size_t count)
 {
 	ssize_t rc = recv(fd, buf, count, 0);
@@ -138,7 +117,9 @@ posix_read(int fd, void *buf, size_t count)
 	return rc;
 }
-ssize_t
+#define read(fd, buf, count) posix_read(fd, buf, count)
 static inline ssize_t
 posix_write(int fd, const void *buf, size_t count)
 {
 	ssize_t rc = send(fd, buf, count, 0);
@@ -150,7 +131,9 @@ posix_write(int fd, const void *buf, size_t count)
 	return rc;
 }
-int
+#define write(fd, buf, count) posix_write(fd, buf, count)
 static inline int
 posix_getsockopt(int sockfd, int level, int optname,
 	void *optval, socklen_t *optlen)
 {
@@ -159,7 +142,10 @@ posix_getsockopt(int sockfd, int level, int optname,
 }
-int
+#define getsockopt(sockfd, level, optname, optval, optlen) \
 	posix_getsockopt(sockfd, level, optname, optval, optlen)
 static inline int
 posix_setsockopt(int sockfd, int level, int optname,
 	const void *optval, socklen_t optlen)
 {
@@ -167,33 +153,9 @@ posix_setsockopt(int sockfd, int level, int optname,
 	return rc == 0 ? 0 : wsa_errno(WSAGetLastError());
 }
-#ifdef _MSC_VER
+#define setsockopt(sockfd, level, optname, optval, optlen) \
-int gettimeofday(struct timeval * tp, struct timezone * tzp)
+	posix_setsockopt(sockfd, level, optname, optval, optlen)
-{
+
-	/*
+#endif
 	 * Note: some broken versions only have 8 trailing zero's, the correct
 	 * epoch has 9 trailing zero's
 	 */
 	static const uint64_t EPOCH = ((uint64_t) 116444736000000000ULL);
 	SYSTEMTIME  system_time;
 	FILETIME    file_time;
 	uint64_t    time;
 	GetSystemTime(&system_time);
 	SystemTimeToFileTime(&system_time, &file_time);
 	time = ((uint64_t)file_time.dwLowDateTime);
 	time += ((uint64_t)file_time.dwHighDateTime) << 32;
 	tp->tv_sec = (long)((time - EPOCH) / 10000000L);
 	tp->tv_usec = (long)(system_time.wMilliseconds * 1000);
 	return 0;
 }
 unsigned int sleep(unsigned int seconds)
 {
 	Sleep(seconds * 1000);
 	return seconds;
 }
 #endif
--- a/libcrypto.pc.in
+++ b/libcrypto.pc.in
@@ -7,7 +7,7 @@ includedir=@includedir@
 Name: LibreSSL-libssl
 Description: Secure Sockets Layer and cryptography libraries
-Version: @VERSION@
+Version: @LIBCRYPTO_VERSION@
 Requires:
 Conflicts:
 Libs: -L${libdir} -lcrypto
--- a/libssl.pc.in
+++ b/libssl.pc.in
@@ -7,7 +7,7 @@ includedir=@includedir@
 Name: LibreSSL-libssl
 Description: Secure Sockets Layer and cryptography libraries
-Version: @VERSION@
+Version: @LIBSSL_VERSION@
 Requires:
 Requires.private: libcrypto
 Conflicts:
--- a/libtls-standalone/COPYING
+++ b/libtls-standalone/COPYING
@@ -1,13 +0,0 @@
 libtls is ISC licensed as per OpenBSD's normal licensing policy.
 Permission to use, copy, modify, and distribute this software for any
 purpose with or without fee is hereby granted, provided that the above
 copyright notice and this permission notice appear in all copies.
 THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
 WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
 MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
 ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
 WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
 ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
--- a/libtls-standalone/ChangeLog
+++ b/libtls-standalone/ChangeLog
--- a/libtls-standalone/Makefile.am
+++ b/libtls-standalone/Makefile.am
@@ -1,7 +0,0 @@
 SUBDIRS = include compat src tests man
 ACLOCAL_AMFLAGS = -I m4
 pkgconfigdir = $(libdir)/pkgconfig
 pkgconfig_DATA = libtls.pc
 EXTRA_DIST = README VERSION
--- a/libtls-standalone/README
+++ b/libtls-standalone/README
--- a/libtls-standalone/compat/Makefile.am
+++ b/libtls-standalone/compat/Makefile.am
@@ -1,45 +0,0 @@
 #
 # Copyright (c) 2014-2015 Brent Cook
 #
 # Permission to use, copy, modify, and distribute this software for any
 # purpose with or without fee is hereby granted, provided that the above
 # copyright notice and this permission notice appear in all copies.
 #
 # THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
 # WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
 # MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
 # ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
 # WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
 # ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 # OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 AM_CPPFLAGS = -I$(top_srcdir)/include -I$(top_srcdir)/src
 noinst_LTLIBRARIES = libcompat.la libcompatnoopt.la
 # compatibility functions that need to be built without optimizations
 libcompatnoopt_la_CFLAGS = -O0
 libcompatnoopt_la_SOURCES =
 if !HAVE_EXPLICIT_BZERO
 libcompatnoopt_la_SOURCES += explicit_bzero.c
 endif
 # other compatibility functions
 libcompat_la_CFLAGS = $(CFLAGS) $(USER_CFLAGS)
 libcompat_la_SOURCES =
 libcompat_la_LIBADD = $(PLATFORM_LDADD)
 if !HAVE_ASPRINTF
 libcompat_la_SOURCES += bsd-asprintf.c
 endif
 if !HAVE_STRLCPY
 libcompat_la_SOURCES += strlcpy.c
 endif
 if !HAVE_STRSEP
 libcompat_la_SOURCES += strsep.c
 endif
 include Makefile.am.arc4random
--- a/libtls-standalone/configure.ac
+++ b/libtls-standalone/configure.ac
@@ -1,52 +0,0 @@
 # Copyright (c) 2014-2015 Brent Cook
 #
 # Permission to use, copy, modify, and distribute this software for any
 # purpose with or without fee is hereby granted, provided that the above
 # copyright notice and this permission notice appear in all copies.
 #
 # THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
 # WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
 # MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
 # ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
 # WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
 # ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 # OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 AC_INIT([libtls], m4_esyscmd([tr -d '\n' < VERSION]))
 AC_SUBST([LIBTLS_VERSION], m4_esyscmd([sed -e 's/\./:/g' VERSION | tr -d '\n']))
 AC_CANONICAL_HOST
 AM_INIT_AUTOMAKE([subdir-objects])
 AC_CONFIG_MACRO_DIR([m4])
 m4_ifdef([AM_SILENT_RULES], [AM_SILENT_RULES([yes])])
 # This must be called before AC_PROG_CC
 USER_CFLAGS="$CFLAGS"
 AC_PROG_CC
 AC_PROG_CC_STDC
 AM_PROG_CC_C_O
 AC_PROG_LIBTOOL
 LT_INIT
 CHECK_OS_OPTIONS
 CHECK_C_HARDENING_OPTIONS
 DISABLE_COMPILER_WARNINGS
 CHECK_LIBC_COMPAT
 CHECK_LIBC_CRYPTO_COMPAT
 AC_CONFIG_FILES([
 	Makefile
 	include/Makefile
 	compat/Makefile
 	man/Makefile
 	src/Makefile
 	tests/Makefile
 	libtls.pc
 ])
 AC_OUTPUT
--- a/libtls-standalone/include/Makefile.am
+++ b/libtls-standalone/include/Makefile.am
@@ -1,5 +0,0 @@
 noinst_HEADERS = stdlib.h
 noinst_HEADERS += string.h
 noinst_HEADERS += unistd.h
 include_HEADERS = tls.h
--- a/libtls-standalone/libtls.pc.in
+++ b/libtls-standalone/libtls.pc.in
@@ -1,16 +0,0 @@
 #libtls pkg-config source file
 prefix=@prefix@
 exec_prefix=@exec_prefix@
 libdir=@libdir@
 includedir=@includedir@
 Name: LibreSSL-libtls
 Description: Secure communications using the TLS socket protocol.
 Version: @LIBTLS_VERSION@
 Requires:
 Requires.private: libcrypto libssl
 Conflicts:
 Libs: -L${libdir} -ltls
 Libs.private: @LIBS@ -lcrypto -lssl
 Cflags: -I${includedir}
--- a/libtls-standalone/src/Makefile.am
+++ b/libtls-standalone/src/Makefile.am
@@ -1,16 +0,0 @@
 AM_CFLAGS = -I$(top_srcdir)/include
 lib_LTLIBRARIES = libtls.la
 libtls_la_LDFLAGS = -version-info @LIBTLS_VERSION@ -no-undefined
 libtls_la_LIBADD = -lcrypto -lssl -lcrypto $(PLATFORM_LDADD)
 libtls_la_LIBADD += $(top_builddir)/compat/libcompat.la
 libtls_la_LIBADD += $(top_builddir)/compat/libcompatnoopt.la
 libtls_la_SOURCES = tls.c
 libtls_la_SOURCES += tls_client.c
 libtls_la_SOURCES += tls_config.c
 libtls_la_SOURCES += tls_server.c
 libtls_la_SOURCES += tls_util.c
 libtls_la_SOURCES += tls_verify.c
 noinst_HEADERS = tls_internal.h
--- a/libtls-standalone/tests/Makefile.am
+++ b/libtls-standalone/tests/Makefile.am
@@ -1,7 +0,0 @@
 AM_CFLAGS = -I$(top_srcdir)/include
 check_PROGRAMS = test
 TESTS = test
 test_SOURCES = test.c
 test_LDADD = -lcrypto -lssl $(top_builddir)/src/libtls.la
--- a/libtls-standalone/tests/test.c
+++ b/libtls-standalone/tests/test.c
@@ -1,51 +0,0 @@
 #include <stdio.h>
 #include <tls.h>
 int main()
 {
 	struct tls *tls;
 	struct tls_config *tls_config;
 	size_t written, read;
 	char buf[4096];
 	if (tls_init() != 0) {
 		fprintf(stderr, "tls_init failed");
 		return 1;
 	}
 	if ((tls = tls_client()) == NULL)
 		goto err;
 	if ((tls_config = tls_config_new()) == NULL)
 		goto err;
 	if (tls_config_set_ciphers(tls_config, "compat") != 0)
 		goto err;
 	tls_config_insecure_noverifycert(tls_config);
 	tls_config_insecure_noverifyname(tls_config);
 	if (tls_configure(tls, tls_config) != 0)
 		goto err;
 	if (tls_connect(tls, "google.com", "443") != 0)
 		goto err;
 	if (tls_write(tls, "GET /\r\n", 7, &written) != 0)
 		goto err;
 	if (tls_read(tls, buf, sizeof(buf), &read) != 0)
 		goto err;
 	buf[read - 1] = '\0';
 	puts(buf);
 	if (tls_close(tls) != 0)
 		goto err;
 	return 0;
 err:
 	fprintf(stderr, "%s\n", tls_error(tls));
 	return 1;
 }
--- a/libtls.pc.in
+++ b/libtls.pc.in
@@ -7,7 +7,7 @@ includedir=@includedir@
 Name: LibreSSL-libtls
 Description: Secure communications using the TLS socket protocol.
-Version: @VERSION@
+Version: @LIBTLS_VERSION@
 Requires:
 Requires.private: libcrypto libssl
 Conflicts:
--- a/m4/check-hardening-options.m4
+++ b/m4/check-hardening-options.m4
@@ -1,109 +0,0 @@
 AC_DEFUN([CHECK_CFLAG], [
 	 AC_LANG_ASSERT(C)
 	 AC_MSG_CHECKING([if $saved_CC supports "$1"])
 	 old_cflags="$CFLAGS"
 	 CFLAGS="$1 -Wall -Werror"
 	 AC_TRY_LINK([
 		      #include <stdio.h>
 		      ],
 		     [printf("Hello")],
 		     AC_MSG_RESULT([yes])
 		     CFLAGS=$old_cflags
 		     HARDEN_CFLAGS="$HARDEN_CFLAGS $1",
 		     AC_MSG_RESULT([no])
 		     CFLAGS=$old_cflags
 		     [$2])
 ])
 AC_DEFUN([CHECK_LDFLAG], [
 	 AC_LANG_ASSERT(C)
 	 AC_MSG_CHECKING([if $saved_LD supports "$1"])
 	 old_ldflags="$LDFLAGS"
 	 LDFLAGS="$1 -Wall -Werror"
 	 AC_TRY_LINK([
 		      #include <stdio.h>
 		      ],
 		     [printf("Hello")],
 		     AC_MSG_RESULT([yes])
 		     LDFLAGS=$old_ldflags
 		     HARDEN_LDFLAGS="$HARDEN_LDFLAGS $1",
 		     AC_MSG_RESULT([no])
 		     LDFLAGS=$old_ldflags
 		     [$2])
 ])
 AC_DEFUN([DISABLE_AS_EXECUTABLE_STACK], [
 	save_cflags="$CFLAGS"
 	CFLAGS=
 	AC_MSG_CHECKING([whether AS supports .note.GNU-stack])
 	AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
 	__asm__(".section .note.GNU-stack,\"\",@progbits");]])],
 		[AC_MSG_RESULT([yes])]
 		[AM_CFLAGS=-DHAVE_GNU_STACK],
 		[AC_MSG_RESULT([no])]
 	)
 	CFLAGS="$save_cflags $AM_CFLAGS"
 ])
 AC_DEFUN([CHECK_C_HARDENING_OPTIONS], [
 	AC_ARG_ENABLE([hardening],
 		[AS_HELP_STRING([--disable-hardening],
 				[Disable options to frustrate memory corruption exploits])],
 		[], [enable_hardening=yes])
 	AC_ARG_ENABLE([windows-ssp],
 		[AS_HELP_STRING([--enable-windows-ssp],
 				[Enable building the stack smashing protection on
 				 Windows. This currently distributing libssp-0.dll.])])
 	# We want to check for compiler flag support. Prior to clang v5.1, there was no
 	# way to make clang's "argument unused" warning fatal.  So we invoke the
 	# compiler through a wrapper script that greps for this message.
 	saved_CC="$CC"
 	saved_LD="$LD"
 	flag_wrap="$srcdir/scripts/wrap-compiler-for-flag-check"
 	CC="$flag_wrap $CC"
 	LD="$flag_wrap $LD"
 	AS_IF([test "x$enable_hardening" = "xyes"], [
 		# Tell GCC to NOT optimize based on signed arithmetic overflow
 		CHECK_CFLAG([[-fno-strict-overflow]])
 		# _FORTIFY_SOURCE replaces builtin functions with safer versions.
 		CHECK_CFLAG([[-D_FORTIFY_SOURCE=2]])
 		# Enable read only relocations
 		CHECK_LDFLAG([[-Wl,-z,relro]])
 		CHECK_LDFLAG([[-Wl,-z,now]])
 		# Windows security flags
 		AS_IF([test "x$HOST_OS" = "xwin"], [
 			CHECK_LDFLAG([[-Wl,--nxcompat]])
 			CHECK_LDFLAG([[-Wl,--dynamicbase]])
 			CHECK_LDFLAG([[-Wl,--high-entropy-va]])
 		])
 		# Use stack-protector-strong if available; if not, fallback to
 		# stack-protector-all which is considered to be overkill
 		AS_IF([test "x$enable_windows_ssp" = "xyes" -o "x$HOST_OS" != "xwin"], [
 			CHECK_CFLAG([[-fstack-protector-strong]],
 				CHECK_CFLAG([[-fstack-protector-all]],
 					AC_MSG_WARN([compiler does not appear to support stack protection])
 				)
 			)
 			AS_IF([test "x$HOST_OS" = "xwin"], [
 				AC_SEARCH_LIBS([__stack_chk_guard],[ssp])
 			])
 		])
 	])
 	# Restore CC, LD
 	CC="$saved_CC"
 	LD="$saved_LD"
 	CFLAGS="$CFLAGS $HARDEN_CFLAGS"
 	LDFLAGS="$LDFLAGS $HARDEN_LDFLAGS"
 ])
--- a/m4/check-libc.m4
+++ b/m4/check-libc.m4
@@ -1,66 +0,0 @@
 AC_DEFUN([CHECK_LIBC_COMPAT], [
 # Check for general libc functions
 AC_CHECK_FUNCS([asprintf inet_pton memmem poll reallocarray])
 AC_CHECK_FUNCS([strlcat strlcpy strndup strnlen strsep strtonum])
 AM_CONDITIONAL([HAVE_ASPRINTF], [test "x$ac_cv_func_asprintf" = xyes])
 AM_CONDITIONAL([HAVE_INET_PTON], [test "x$ac_cv_func_inet_pton" = xyes])
 AM_CONDITIONAL([HAVE_MEMMEM], [test "x$ac_cv_func_memmem" = xyes])
 AM_CONDITIONAL([HAVE_POLL], [test "x$ac_cv_func_poll" = xyes])
 AM_CONDITIONAL([HAVE_REALLOCARRAY], [test "x$ac_cv_func_reallocarray" = xyes])
 AM_CONDITIONAL([HAVE_STRLCAT], [test "x$ac_cv_func_strlcat" = xyes])
 AM_CONDITIONAL([HAVE_STRLCPY], [test "x$ac_cv_func_strlcpy" = xyes])
 AM_CONDITIONAL([HAVE_STRNDUP], [test "x$ac_cv_func_strndup" = xyes])
 AM_CONDITIONAL([HAVE_STRNLEN], [test "x$ac_cv_func_strnlen" = xyes])
 AM_CONDITIONAL([HAVE_STRSEP], [test "x$ac_cv_func_strsep" = xyes])
 AM_CONDITIONAL([HAVE_STRTONUM], [test "x$ac_cv_func_strtonum" = xyes])
 ])
 AC_DEFUN([CHECK_LIBC_CRYPTO_COMPAT], [
 # Check crypto-related libc functions
 AC_CHECK_FUNCS([arc4random_buf explicit_bzero getauxval getentropy])
 AC_CHECK_FUNCS([timingsafe_bcmp timingsafe_memcmp])
 AM_CONDITIONAL([HAVE_ARC4RANDOM_BUF], [test "x$ac_cv_func_arc4random_buf" = xyes])
 AM_CONDITIONAL([HAVE_EXPLICIT_BZERO], [test "x$ac_cv_func_explicit_bzero" = xyes])
 AM_CONDITIONAL([HAVE_GETENTROPY], [test "x$ac_cv_func_getentropy" = xyes])
 AM_CONDITIONAL([HAVE_TIMINGSAFE_BCMP], [test "x$ac_cv_func_timingsafe_bcmp" = xyes])
 AM_CONDITIONAL([HAVE_TIMINGSAFE_MEMCMP], [test "x$ac_cv_func_timingsafe_memcmp" = xyes])
 # Override arc4random_buf implementations with known issues
 AM_CONDITIONAL([HAVE_ARC4RANDOM_BUF],
 	[test "x$HOST_OS" != xdarwin \
 	   -a "x$HOST_OS" != xfreebsd \
 	   -a "x$HOST_OS" != xnetbsd \
 	   -a "x$ac_cv_func_arc4random_buf" = xyes])
 # Check for getentropy fallback dependencies
 AC_CHECK_FUNC([getauxval])
 AC_CHECK_FUNC([clock_gettime],, [AC_SEARCH_LIBS([clock_gettime],[rt posix4])])
 AC_CHECK_FUNC([dl_iterate_phdr],, [AC_SEARCH_LIBS([dl_iterate_phdr],[dl])])
 ])
 AC_DEFUN([CHECK_VA_COPY], [
 AC_CACHE_CHECK([whether va_copy exists], ac_cv_have_va_copy, [
 	AC_LINK_IFELSE([AC_LANG_PROGRAM([[
 #include <stdarg.h>
 va_list x,y;
 		]], [[ va_copy(x,y); ]])],
 	[ ac_cv_have_va_copy="yes" ],
 	[ ac_cv_have_va_copy="no"
 	])
 ])
 if test "x$ac_cv_have_va_copy" = "xyes" ; then
 	AC_DEFINE([HAVE_VA_COPY], [1], [Define if va_copy exists])
 fi
 AC_CACHE_CHECK([whether __va_copy exists], ac_cv_have___va_copy, [
 	AC_LINK_IFELSE([AC_LANG_PROGRAM([[
 #include <stdarg.h>
 va_list x,y;
 		]], [[ __va_copy(x,y); ]])],
 	[ ac_cv_have___va_copy="yes" ], [ ac_cv_have___va_copy="no"
 	])
 ])
 if test "x$ac_cv_have___va_copy" = "xyes" ; then
 	AC_DEFINE([HAVE___VA_COPY], [1], [Define if __va_copy exists])
 fi
 ])
--- a/m4/check-os-options.m4
+++ b/m4/check-os-options.m4
@@ -1,77 +0,0 @@
 # This must be called before AC_PROG_CC
 AC_DEFUN([CHECK_OS_OPTIONS], [
 CFLAGS="$CFLAGS -Wall -std=gnu99 -fno-strict-aliasing"
 case $host_os in
 	*aix*)
 		HOST_OS=aix
 		if test "`echo $CC | cut -d ' ' -f 1`" != "gcc" ; then
 			CFLAGS="-qnoansialias $USER_CFLAGS"
 		fi
 		AC_SUBST([PLATFORM_LDADD], ['-lperfstat -lpthread'])
 		;;
 	*cygwin*)
 		HOST_OS=cygwin
 		;;
 	*darwin*)
 		HOST_OS=darwin
 		HOST_ABI=macosx
 		;;
 	*freebsd*)
 		HOST_OS=freebsd
 		HOST_ABI=elf
 		AC_SUBST([PROG_LDADD], ['-lthr'])
 		;;
 	*hpux*)
 		HOST_OS=hpux;
 		if test "`echo $CC | cut -d ' ' -f 1`" = "gcc" ; then
 			CFLAGS="$CFLAGS -mlp64"
 		else
 			CFLAGS="-g -O2 +DD64 +Otype_safety=off $USER_CFLAGS"
 		fi
 		CPPFLAGS="$CPPFLAGS -D_XOPEN_SOURCE=600 -D__STRICT_ALIGNMENT"
 		AC_SUBST([PLATFORM_LDADD], ['-lpthread'])
 		;;
 	*linux*)
 		HOST_OS=linux
 		HOST_ABI=elf
 		CPPFLAGS="$CPPFLAGS -D_DEFAULT_SOURCE -D_BSD_SOURCE -D_POSIX_SOURCE -D_GNU_SOURCE"
 		;;
 	*netbsd*)
 		HOST_OS=netbsd
 		CPPFLAGS="$CPPFLAGS -D_OPENBSD_SOURCE"
 		;;
 	*openbsd* | *bitrig*)
 		HOST_ABI=elf
 		AC_DEFINE([HAVE_ATTRIBUTE__BOUNDED__], [1], [OpenBSD gcc has bounded])
 		;;
 	*mingw*)
 		HOST_OS=win
 		CPPFLAGS="$CPPFLAGS -D_GNU_SOURCE -D_POSIX -D_POSIX_SOURCE -D__USE_MINGW_ANSI_STDIO"
 		CPPFLAGS="$CPPFLAGS -D_REENTRANT -D_POSIX_THREAD_SAFE_FUNCTIONS"
 		CPPFLAGS="$CPPFLAGS -DWIN32_LEAN_AND_MEAN -D_WIN32_WINNT=0x0501"
 		CPPFLAGS="$CPPFLAGS -DOPENSSL_NO_SPEED"
 		CFLAGS="$CFLAGS -static-libgcc"
 		LDFLAGS="$LDFLAGS -static-libgcc"
 		AC_SUBST([PLATFORM_LDADD], ['-lws2_32'])
 		;;
 	*solaris*)
 		HOST_OS=solaris
 		HOST_ABI=elf
 		CPPFLAGS="$CPPFLAGS -D__EXTENSIONS__ -D_XOPEN_SOURCE=600 -DBSD_COMP"
 		AC_SUBST([PLATFORM_LDADD], ['-lnsl -lsocket'])
 		;;
 	*) ;;
 esac
 AM_CONDITIONAL([HOST_AIX],     [test x$HOST_OS = xaix])
 AM_CONDITIONAL([HOST_CYGWIN],  [test x$HOST_OS = xcygwin])
 AM_CONDITIONAL([HOST_DARWIN],  [test x$HOST_OS = xdarwin])
 AM_CONDITIONAL([HOST_FREEBSD], [test x$HOST_OS = xfreebsd])
 AM_CONDITIONAL([HOST_HPUX],    [test x$HOST_OS = xhpux])
 AM_CONDITIONAL([HOST_LINUX],   [test x$HOST_OS = xlinux])
 AM_CONDITIONAL([HOST_NETBSD],  [test x$HOST_OS = xnetbsd])
 AM_CONDITIONAL([HOST_SOLARIS], [test x$HOST_OS = xsolaris])
 AM_CONDITIONAL([HOST_WIN],     [test x$HOST_OS = xwin])
 ])
--- a/m4/disable-compiler-warnings.m4
+++ b/m4/disable-compiler-warnings.m4
@@ -1,29 +0,0 @@
 AC_DEFUN([DISABLE_COMPILER_WARNINGS], [
 # Clang throws a lot of warnings when it does not understand a flag. Disable
 # this warning for now so other warnings are visible.
 AC_MSG_CHECKING([if compiling with clang])
 AC_COMPILE_IFELSE([AC_LANG_PROGRAM([], [[
 #ifndef __clang__
 	not clang
 #endif
 	]])],
 	[CLANG=yes],
 	[CLANG=no]
 )
 AC_MSG_RESULT([$CLANG])
 AS_IF([test "x$CLANG" = "xyes"], [CLANG_FLAGS=-Qunused-arguments])
 CFLAGS="$CFLAGS $CLANG_FLAGS"
 LDFLAGS="$LDFLAGS $CLANG_FLAGS"
 # Removing the dependency on -Wno-pointer-sign should be a goal. These are
 # largely unsigned char */char* mismatches in asn1 functions.
 save_cflags="$CFLAGS"
 CFLAGS=-Wno-pointer-sign
 AC_MSG_CHECKING([whether CC supports -Wno-pointer-sign])
 AC_COMPILE_IFELSE([AC_LANG_PROGRAM([])],
 	[AC_MSG_RESULT([yes])]
 	[AM_CFLAGS=-Wno-pointer-sign],
 	[AC_MSG_RESULT([no])]
 )
 CFLAGS="$save_cflags $AM_CFLAGS"
 ])
--- a/man/CMakeLists.txt
+++ b/man/CMakeLists.txt
@@ -1,9 +0,0 @@
 install(DIRECTORY .
    DESTINATION share/man/man3
    FILES_MATCHING PATTERN "*.3"
    )
 install(DIRECTORY .
    DESTINATION share/man/man1
    FILES_MATCHING PATTERN "*.1"
    )
--- a/man/Makefile.am.tpl
+++ b/man/Makefile.am.tpl
@@ -0,0 +1,2 @@
 include $(top_srcdir)/Makefile.am.common
 dist_man_MANS=
--- a/man/links
+++ b/man/links
--- a/man/update_links.sh
+++ b/man/update_links.sh
@@ -1,18 +0,0 @@
 #!/bin/sh
 # Run this periodically to ensure that the manpage links are up to date
 echo "# This is an auto-generated file by $0" > links
 sudo makewhatis
 for i in `ls -1 *.3`; do
  name=`echo $i|cut -d. -f1`
  links=`sqlite3 /usr/share/man/mandoc.db \
    "select names.name from mlinks,names where mlinks.name='$name' and mlinks.pageid=names.pageid;"`
  for j in $links; do
    a=`echo "x$j" | tr '[:upper:]' '[:lower:]'`
    b=`echo "x$name" | tr '[:upper:]' '[:lower:]'`
    if [ $a != $b ]; then
      echo $name.3,$j.3 >> links
    fi
  done
 done
--- a/patches/arc4random.c.patch
+++ b/patches/arc4random.c.patch
@@ -1,15 +0,0 @@
 --- crypto/compat/arc4random.c.orig	2015-07-20 07:41:17.000000000 -0600
 +++ crypto/compat/arc4random.c	2015-07-20 07:41:58.000000000 -0600
@@ -36,8 +36,11 @@
 #define KEYSTREAM_ONLY
 #include "chacha_private.h"
 +#ifndef min
 #define min(a, b) ((a) < (b) ? (a) : (b))
 -#ifdef __GNUC__
 +#endif
 +
 +#if defined(__GNUC__) || defined(_MSC_VER)
 #define inline __inline
 #else				/* !__GNUC__ */
 #define inline
--- a/patches/openssl.c.patch
+++ b/patches/openssl.c.patch
@@ -1,40 +0,0 @@
 --- apps/openssl.c.orig	2015-07-20 02:01:42.000000000 -0600
 +++ apps/openssl.c	2015-07-20 02:02:00.000000000 -0600
@@ -130,6 +130,19 @@
 #include <openssl/engine.h>
 #endif
 +#ifdef _WIN32
 +#include <io.h>
 +#include <fcntl.h>
 +static void set_stdio_binary(void)
 +{
 +	_setmode(_fileno(stdin), _O_BINARY);
 +	_setmode(_fileno(stdout), _O_BINARY);
 +	_setmode(_fileno(stderr), _O_BINARY);
 +}
 +#else
 +static void set_stdio_binary(void) {};
 +#endif
 +
 #include "progs.h"
 #include "s_apps.h"
@@ -204,7 +216,9 @@
 static void
 openssl_startup(void)
 {
 +#ifndef _WIN32
 	signal(SIGPIPE, SIG_IGN);
 +#endif
 	CRYPTO_malloc_init();
 	OpenSSL_add_all_algorithms();
@@ -216,6 +230,7 @@
 #endif
 	setup_ui_method();
 +	set_stdio_binary();
 }
 static void
--- a/patches/opensslconf.h.patch
+++ b/patches/opensslconf.h.patch
@@ -1,13 +0,0 @@
 --- include/openssl/opensslconf.h.orig	2015-07-19 23:21:47.000000000 -0600
 +++ include/openssl/opensslconf.h	2015-07-19 23:21:17.000000000 -0600
@@ -1,6 +1,10 @@
 #include <openssl/opensslfeatures.h>
 /* crypto/opensslconf.h.in */
 +#if defined(_MSC_VER) && !defined(__attribute__)
 +#define __attribute__(a)
 +#endif
 +
 /* Generate 80386 code? */
 #undef I386_ONLY
--- a/patches/ossl_typ.h.patch
+++ b/patches/ossl_typ.h.patch
@@ -1,25 +0,0 @@
 --- include/openssl/ossl_typ.h.orig	2015-07-06 13:21:18.788571423 -0700
 +++ include/openssl/ossl_typ.h	2015-07-06 13:24:14.906468003 -0700
@@ -100,6 +100,22 @@
 typedef struct ASN1_ITEM_st ASN1_ITEM;
 typedef struct asn1_pctx_st ASN1_PCTX;
 +#if defined(_WIN32) && defined(__WINCRYPT_H__)
 +#ifndef LIBRESSL_INTERNAL
 +#ifdef _MSC_VER
 +#pragma message("Warning, overriding WinCrypt defines")
 +#else
 +#warning overriding WinCrypt defines
 +#endif
 +#endif
 +#undef X509_NAME
 +#undef X509_CERT_PAIR
 +#undef X509_EXTENSIONS
 +#undef OCSP_REQUEST
 +#undef OCSP_RESPONSE
 +#undef PKCS7_ISSUER_AND_SERIAL
 +#endif
 +
 #ifdef BIGNUM
 #undef BIGNUM
 #endif
--- a/patches/pkcs7.h.patch
+++ b/patches/pkcs7.h.patch
@@ -1,21 +0,0 @@
 --- include/openssl/pkcs7.h.orig	2015-07-06 13:26:27.369203527 -0700
 +++ include/openssl/pkcs7.h	2015-07-06 13:27:37.637051967 -0700
@@ -69,6 +69,18 @@
 extern "C" {
 #endif
 +#if defined(_WIN32) && defined(__WINCRYPT_H__)
 +#ifndef LIBRESSL_INTERNAL
 +#ifdef _MSC_VER
 +#pragma message("Warning, overriding WinCrypt defines")
 +#else
 +#warning overriding WinCrypt defines
 +#endif
 +#endif
 +#undef PKCS7_ISSUER_AND_SERIAL
 +#undef PKCS7_SIGNER_INFO
 +#endif
 +
 /*
 Encryption_ID		DES-CBC
 Digest_ID		MD5
--- a/patches/win_bio_sock_init.diff
+++ b/patches/win_bio_sock_init.diff
@@ -0,0 +1,44 @@
 diff --git a/src/usr.bin/openssl/openssl.c b/src/usr.bin/openssl/openssl.c
 index e7dd11c..cfd4593 100644
 --- a/src/usr.bin/openssl/openssl.c
 +++ b/src/usr.bin/openssl/openssl.c
@@ -253,6 +253,11 @@ main(int argc, char **argv)
 	arg.data = NULL;
 	arg.count = 0;
 +	if (BIO_sock_init() != 1) {
 +		fprintf(stderr, "BIO_sock_init failed\n");
 +		exit(1);
 +	}
 +
 	bio_err = BIO_new_fp(stderr, BIO_NOCLOSE);
 	if (bio_err == NULL) {
 		fprintf(stderr, "openssl: failed to initialise bio_err\n");
 diff --git a/src/usr.bin/openssl/s_socket.c b/src/usr.bin/openssl/s_socket.c
 index 3b96b1a..2ce31eb 100644
 --- a/src/usr.bin/openssl/s_socket.c
 +++ b/src/usr.bin/openssl/s_socket.c
@@ -85,11 +85,6 @@ init_client(int *sock, char *host, char *port, int type, int af)
 	struct addrinfo hints, *ai_top, *ai;
 	int i, s;
 -	if (BIO_sock_init() != 1) {
 -		BIO_printf(bio_err, "BIO_sock_init failed\n");
 -		return (0);
 -	}
 -
 	memset(&hints, '\0', sizeof(hints));
 	hints.ai_family = af;
 	hints.ai_socktype = type;
@@ -181,11 +176,6 @@ init_server_long(int *sock, int port, char *ip, int type)
 	struct sockaddr_in server;
 	int s = -1;
 -	if (BIO_sock_init() != 1) {
 -		BIO_printf(bio_err, "BIO_sock_init failed\n");
 -		return (0);
 -	}
 -
 	memset((char *) &server, 0, sizeof(server));
 	server.sin_family = AF_INET;
 	server.sin_port = htons((unsigned short) port);
--- a/patches/x509.h.patch
+++ b/patches/x509.h.patch
@@ -1,22 +0,0 @@
 --- include/openssl/x509.h.orig	2015-07-06 13:15:15.059306046 -0700
 +++ include/openssl/x509.h	2015-07-06 13:16:10.506118278 -0700
@@ -112,6 +112,19 @@
 extern "C" {
 #endif
 +#if defined(_WIN32)
 +#ifndef LIBRESSL_INTERNAL
 +#ifdef _MSC_VER
 +#pragma message("Warning, overriding WinCrypt defines")
 +#else
 +#warning overriding WinCrypt defines
 +#endif
 +#endif
 +#undef X509_NAME
 +#undef X509_CERT_PAIR
 +#undef X509_EXTENSIONS
 +#endif
 +
 #define X509_FILETYPE_PEM	1
 #define X509_FILETYPE_ASN1	2
 #define X509_FILETYPE_DEFAULT	3
--- a/scripts/travis
+++ b/scripts/travis
@@ -4,29 +4,12 @@ set -e
 ./autogen.sh
 if [ "x$ARCH" = "xnative" ]; then
 	# test autotools
 	./configure
 	make -j 4 check
 	# make distribution
 	make dist
 	tar zxvf libressl-*.tar.gz
 	cd libressl-*
 	mkdir build
 	cd build
 	# test cmake and ninja
 	if [ `uname` = "Darwin" ]; then
-		cmake ..
+		# OS X runs out of resources if we run 'make -j check'
-		make
+		make check
 	else
-		sudo apt-get update
+		make -j distcheck
 		sudo apt-get install -y python-software-properties
 		sudo apt-add-repository -y ppa:kalakris/cmake
 		sudo apt-get update
 		sudo apt-get install -y cmake ninja-build
 		cmake -GNinja ..
 		ninja
 	fi
 else
 	CPU=i686
--- a/ssl/CMakeLists.txt
+++ b/ssl/CMakeLists.txt
@@ -1,65 +0,0 @@
 include_directories(
 	.
 	../include
 	../include/compat
 )
 set(
 	SSL_SRC
 	bio_ssl.c
 	bs_ber.c
 	bs_cbb.c
 	bs_cbs.c
 	d1_both.c
 	d1_clnt.c
 	d1_enc.c
 	d1_lib.c
 	d1_meth.c
 	d1_pkt.c
 	d1_srtp.c
 	d1_srvr.c
 	pqueue.c
 	s23_clnt.c
 	s23_lib.c
 	s23_meth.c
 	s23_pkt.c
 	s23_srvr.c
 	s3_both.c
 	s3_cbc.c
 	s3_clnt.c
 	s3_enc.c
 	s3_lib.c
 	s3_meth.c
 	s3_pkt.c
 	s3_srvr.c
 	ssl_algs.c
 	ssl_asn1.c
 	ssl_cert.c
 	ssl_ciph.c
 	ssl_err.c
 	ssl_err2.c
 	ssl_lib.c
 	ssl_rsa.c
 	ssl_sess.c
 	ssl_stat.c
 	ssl_txt.c
 	t1_clnt.c
 	t1_enc.c
 	t1_lib.c
 	t1_meth.c
 	t1_reneg.c
 	t1_srvr.c
 )
 if (BUILD_SHARED)
 	add_library(ssl-objects OBJECT ${SSL_SRC})
 	add_library(ssl STATIC $<TARGET_OBJECTS:ssl-objects>)
 	add_library(ssl-shared SHARED $<TARGET_OBJECTS:ssl-objects>)
 	set_target_properties(ssl-shared PROPERTIES OUTPUT_NAME ssl)
 	set_target_properties(ssl-shared PROPERTIES VERSION ${SSL_VERSION}
 		SOVERSION ${SSL_MAJOR_VERSION})
 	install(TARGETS ssl ssl-shared DESTINATION lib)
 else()
 	add_library(ssl STATIC ${SSL_SRC})
 	install(TARGETS ssl DESTINATION lib)
 endif()
--- a/ssl/Makefile.am
+++ b/ssl/Makefile.am
@@ -3,9 +3,9 @@ include $(top_srcdir)/Makefile.am.common
 lib_LTLIBRARIES = libssl.la
 EXTRA_DIST = VERSION
 EXTRA_DIST += CMakeLists.txt
 libssl_la_LDFLAGS = -version-info @LIBSSL_VERSION@ -no-undefined
 libssl_la_CFLAGS = $(CFLAGS) $(USER_CFLAGS)
 libssl_la_LIBADD = ../crypto/libcrypto.la
 libssl_la_SOURCES = bio_ssl.c
--- a/tests/CMakeLists.txt
+++ b/tests/CMakeLists.txt
@@ -1,266 +0,0 @@
 include_directories(
 	.
 	../include
 	../include/compat
 	../crypto/modes
 	../crypto/asn1
 	../ssl
 	../apps
 )
 set(ENV{srcdir} ${CMAKE_CURRENT_SOURCE_DIR})
 # aeadtest
 #add_executable(aeadtest aeadtest.c)
 #target_link_libraries(aeadtest ${OPENSSL_LIBS})
 #add_test(aeadtest aeadtest.sh)
 #configure_file(aeadtests.txt aeadtests.txt COPYONLY)
 #configure_file(aeadtest.sh aeadtest.sh COPYONLY)
 # aes_wrap
 add_executable(aes_wrap aes_wrap.c)
 target_link_libraries(aes_wrap ${OPENSSL_LIBS})
 add_test(aes_wrap aes_wrap)
 # arc4randomforktest
 # Windows/mingw does not have fork, but Cygwin does.
 if(NOT CMAKE_HOST_WIN32)
 add_executable(arc4randomforktest arc4randomforktest.c)
 target_link_libraries(arc4randomforktest ${OPENSSL_LIBS})
 add_test(arc4randomforktest ${CMAKE_CURRENT_SOURCE_DIR}/arc4randomforktest.sh)
 endif()
 # asn1test
 add_executable(asn1test asn1test.c)
 target_link_libraries(asn1test ${OPENSSL_LIBS})
 add_test(asn1test asn1test)
 # base64test
 add_executable(base64test base64test.c)
 target_link_libraries(base64test ${OPENSSL_LIBS})
 add_test(base64test base64test)
 # bftest
 add_executable(bftest bftest.c)
 target_link_libraries(bftest ${OPENSSL_LIBS})
 add_test(bftest bftest)
 # bntest
 add_executable(bntest bntest.c)
 target_link_libraries(bntest ${OPENSSL_LIBS})
 add_test(bntest bntest)
 # bytestringtest
 add_executable(bytestringtest bytestringtest.c)
 target_link_libraries(bytestringtest ${OPENSSL_LIBS})
 add_test(bytestringtest bytestringtest)
 # casttest
 add_executable(casttest casttest.c)
 target_link_libraries(casttest ${OPENSSL_LIBS})
 add_test(casttest casttest)
 # chachatest
 add_executable(chachatest chachatest.c)
 target_link_libraries(chachatest ${OPENSSL_LIBS})
 add_test(chachatest chachatest)
 # cipher_list
 add_executable(cipher_list cipher_list.c)
 target_link_libraries(cipher_list ${OPENSSL_LIBS})
 add_test(cipher_list cipher_list)
 # cipherstest
 add_executable(cipherstest cipherstest.c)
 target_link_libraries(cipherstest ${OPENSSL_LIBS})
 add_test(cipherstest cipherstest)
 # cts128test
 add_executable(cts128test cts128test.c)
 target_link_libraries(cts128test ${OPENSSL_LIBS})
 add_test(cts128test cts128test)
 # destest
 add_executable(destest destest.c)
 target_link_libraries(destest ${OPENSSL_LIBS})
 add_test(destest destest)
 # dhtest
 add_executable(dhtest dhtest.c)
 target_link_libraries(dhtest ${OPENSSL_LIBS})
 add_test(dhtest dhtest)
 # dsatest
 add_executable(dsatest dsatest.c)
 target_link_libraries(dsatest ${OPENSSL_LIBS})
 add_test(dsatest dsatest)
 # ecdhtest
 add_executable(ecdhtest ecdhtest.c)
 target_link_libraries(ecdhtest ${OPENSSL_LIBS})
 add_test(ecdhtest ecdhtest)
 # ecdsatest
 add_executable(ecdsatest ecdsatest.c)
 target_link_libraries(ecdsatest ${OPENSSL_LIBS})
 add_test(ecdsatest ecdsatest)
 # ectest
 add_executable(ectest ectest.c)
 target_link_libraries(ectest ${OPENSSL_LIBS})
 add_test(ectest ectest)
 # enginetest
 add_executable(enginetest enginetest.c)
 target_link_libraries(enginetest ${OPENSSL_LIBS})
 add_test(enginetest enginetest)
 # evptest
 #add_executable(evptest evptest.c)
 #target_link_libraries(evptest ${OPENSSL_LIBS})
 #add_test(evptest ${CMAKE_CURRENT_SOURCE_DIR}/evptest.sh)
 # explicit_bzero
 # explicit_bzero relies on SA_ONSTACK, which is unavailable on Windows
 if(NOT CMAKE_HOST_WIN32)
 add_executable(explicit_bzero explicit_bzero.c)
 target_link_libraries(explicit_bzero ${OPENSSL_LIBS})
 add_test(explicit_bzero explicit_bzero)
 #if !HAVE_MEMMEM
 #explicit_bzero_SOURCES += memmem.c
 #endif
 endif()
 # exptest
 add_executable(exptest exptest.c)
 target_link_libraries(exptest ${OPENSSL_LIBS})
 add_test(exptest exptest)
 # gcm128test
 add_executable(gcm128test gcm128test.c)
 target_link_libraries(gcm128test ${OPENSSL_LIBS})
 add_test(gcm128test gcm128test)
 # gost2814789t
 add_executable(gost2814789t gost2814789t.c)
 target_link_libraries(gost2814789t ${OPENSSL_LIBS})
 add_test(gost2814789t gost2814789t)
 # hmactest
 add_executable(hmactest hmactest.c)
 target_link_libraries(hmactest ${OPENSSL_LIBS})
 add_test(hmactest hmactest)
 # ideatest
 add_executable(ideatest ideatest.c)
 target_link_libraries(ideatest ${OPENSSL_LIBS})
 add_test(ideatest ideatest)
 # igetest
 add_executable(igetest igetest.c)
 target_link_libraries(igetest ${OPENSSL_LIBS})
 add_test(igetest igetest)
 # md4test
 add_executable(md4test md4test.c)
 target_link_libraries(md4test ${OPENSSL_LIBS})
 add_test(md4test md4test)
 # md5test
 add_executable(md5test md5test.c)
 target_link_libraries(md5test ${OPENSSL_LIBS})
 add_test(md5test md5test)
 # mont
 add_executable(mont mont.c)
 target_link_libraries(mont ${OPENSSL_LIBS})
 add_test(mont mont)
 # optionstest
 add_executable(optionstest optionstest.c)
 target_link_libraries(optionstest ${OPENSSL_LIBS})
 add_test(optionstest optionstest)
 # pbkdf2
 add_executable(pbkdf2 pbkdf2.c)
 target_link_libraries(pbkdf2 ${OPENSSL_LIBS})
 add_test(pbkdf2 pbkdf2)
 # pkcs7test
 add_executable(pkcs7test pkcs7test.c)
 target_link_libraries(pkcs7test ${OPENSSL_LIBS})
 add_test(pkcs7test pkcs7test)
 # poly1305test
 add_executable(poly1305test poly1305test.c)
 target_link_libraries(poly1305test ${OPENSSL_LIBS})
 add_test(poly1305test poly1305test)
 # pq_test
 #add_executable(pq_test pq_test.c)
 #target_link_libraries(pq_test ${OPENSSL_LIBS})
 #add_test(pq_test ${CMAKE_CURRENT_SOURCE_DIR}/pq_test.sh)
 # randtest
 add_executable(randtest randtest.c)
 target_link_libraries(randtest ${OPENSSL_LIBS})
 add_test(randtest randtest)
 # rc2test
 add_executable(rc2test rc2test.c)
 target_link_libraries(rc2test ${OPENSSL_LIBS})
 add_test(rc2test rc2test)
 # rc4test
 add_executable(rc4test rc4test.c)
 target_link_libraries(rc4test ${OPENSSL_LIBS})
 add_test(rc4test rc4test)
 # rmdtest
 add_executable(rmdtest rmdtest.c)
 target_link_libraries(rmdtest ${OPENSSL_LIBS})
 add_test(rmdtest rmdtest)
 # sha1test
 add_executable(sha1test sha1test.c)
 target_link_libraries(sha1test ${OPENSSL_LIBS})
 add_test(sha1test sha1test)
 # sha256test
 add_executable(sha256test sha256test.c)
 target_link_libraries(sha256test ${OPENSSL_LIBS})
 add_test(sha256test sha256test)
 # sha512test
 add_executable(sha512test sha512test.c)
 target_link_libraries(sha512test ${OPENSSL_LIBS})
 add_test(sha512test sha512test)
 # shatest
 add_executable(shatest shatest.c)
 target_link_libraries(shatest ${OPENSSL_LIBS})
 add_test(shatest shatest)
 # ssltest
 #add_executable(ssltest ssltest.c)
 #target_link_libraries(ssltest ${OPENSSL_LIBS})
 #add_test(ssltest ${CMAKE_CURRENT_SOURCE_DIR}/ssltest.sh)
 # testdsa
 #add_test(testdsa ${CMAKE_CURRENT_SOURCE_DIR}/testdsa.sh)
 # testenc
 add_test(testenc ${CMAKE_CURRENT_SOURCE_DIR}/testenc.sh)
 # testrsa
 #add_test(testrsa ${CMAKE_CURRENT_SOURCE_DIR}/testrsa.sh)
 # timingsafe
 add_executable(timingsafe timingsafe.c)
 target_link_libraries(timingsafe ${OPENSSL_LIBS})
 add_test(timingsafe timingsafe)
 # utf8test
 add_executable(utf8test utf8test.c)
 target_link_libraries(utf8test ${OPENSSL_LIBS})
 add_test(utf8test utf8test)
--- a/Show More
+++ b/Show More
Author	SHA1	Message	Date
Brent Cook	20323ee367	update for 2.1.10	2016-01-28 12:28:22 -06:00
Brent Cook	5b093cd0c8	update version and changelog for 2.1.9	2015-12-05 13:13:12 -06:00
Brent Cook	6494230957	update for 2.1.8	2015-10-15 16:16:13 -05:00
Brent Cook	ce063e4989	2.1.7 security update	2015-06-11 09:00:29 -05:00
Brent Cook	89c5dc6bcf	update changelog for 2.1.6	2015-03-19 01:13:01 -05:00
Brent Cook	2a7498cc7f	bump version to 2.1.6	2015-03-19 00:40:37 -05:00
Brent Cook	f705e901a5	enable libtls by default The API/ABI for the LibreSSL 2.1.x series is now fixed, so we can safely enable libtls it by default. This is useful for new OpenNTPD and OpenSMTPD releases as well. ok deraadt@ beck@ sthen@	2015-03-19 00:40:26 -05:00
Brent Cook	13034da4d8	expand on changelog	2015-03-09 07:22:18 -05:00
Brent Cook	58f869bfd5	use correct patch level	2015-03-09 07:11:28 -05:00
Brent Cook	1eea14957d	clarify 2.1.5 release note Specify that we are rejecting server ephemeral DH keys < 1024 bits.	2015-03-08 22:34:48 -05:00
Brent Cook	44d308df41	track the OPENBSD_5_7 tag	2015-03-08 22:04:14 -05:00
`@@ -1,2 +1,2 @@`
	`AM_CFLAGS =`	`AM_CPPFLAGS = -I$(top_srcdir)/include`
	`AM_CPPFLAGS = -I$(top_srcdir)/include -I$(top_srcdir)/include/compat -DLIBRESSL_INTERNAL`	`AM_CPPFLAGS += -DLIBRESSL_INTERNAL`
		`@@ -0,0 +1,2 @@`
							`include $(top_srcdir)/Makefile.am.common`
							`dist_man_MANS=`