update path to openssl(1) in testssl wrapper

run distcheck rather than just dist, cmake tests

.gitignore

@@ -41,10 +41,15 @@ Makefile.in
 *.def
 *.pc
 
+# man pages
+*.1
+*.3
+
 # tests
 test-driver
 *.log
 *.trs
+!tests/optionstest.c
 tests/aes_wrap*
 tests/arc4random_fork*
 tests/cipher*
@@ -60,7 +65,6 @@ tests/pbkdf2*
 tests/*.pem
 tests/testssl
 tests/*.txt
-!tests/optionstest.c
 
 # ctags stuff
 TAGS
@@ -70,8 +74,8 @@ autom4te.cache
 # Libtool adds these, at least sometimes
 INSTALL
 /COPYING
-m4/l*
 !m4/check*.m4
+m4/l*
 
 aclocal.m4
 compile
@@ -106,17 +110,18 @@ tls/*.h
 include/pqueue.h
 include/tls.h
 include/openssl/*.h
-include/openssl/*.he
 
-/apps/*.h
+!/apps/nc/readpassphrase.c
-/apps/*.c
+/apps/nc/*.h
-/apps/openssl
+/apps/nc/*.c
-/apps/openssl.cnf
+/apps/nc/nc*
-!/apps/apps_win.c
+/apps/openssl/*.h
-!/apps/poll_win.c
+/apps/openssl/*.c
-!/apps/certhash_disabled.c
+/apps/openssl/*.cnf
+/apps/openssl/*.pem
+/apps/openssl/openssl
+/apps/openssl/compat/strtonum.c
 
-/crypto
 !/crypto/Makefile.am.*
 !/crypto/compat/arc4random.h
 !/crypto/compat/b_win.c
@@ -126,14 +131,15 @@ include/openssl/*.he
 !/crypto/compat/inet_pton.c
 !/crypto/compat/ui_openssl_win.c
 !/crypto/CMakeLists.txt
+/crypto
 
+!/libtls-standalone/compat/Makefile.am
 /libtls-standalone/include/*.h
 /libtls-standalone/src/*.c
 /libtls-standalone/src/*.h
 /libtls-standalone/src
 /libtls-standalone/tests/test
 /libtls-standalone/compat
-!/libtls-standalone/compat/Makefile.am
 /libtls-standalone/VERSION
 /libtls-standalone/m4
 /libtls-standalone/man
@@ -141,7 +147,4 @@ include/openssl/*.he
 openbsd/
 
 *.tar.gz
-apps/*.1*
-man/*.3
-man/*.1
 man/Makefile.am

.travis.yml

@@ -1,24 +1,24 @@
 language: c
 matrix:
-        include:
+  include:
-                - compiler: clang
+    - compiler: clang
-                  os: osx
+      os: osx
-                  env: ARCH=native
+      env: ARCH=native
-                - compiler: gcc
+    - compiler: gcc
-                  os: osx
+      os: osx
-                  env: ARCH=native
+      env: ARCH=native
-                - compiler: clang
+    - compiler: clang
-                  os: linux
+      os: linux
-                  env: ARCH=native
+      env: ARCH=native
-                - compiler: gcc
+    - compiler: gcc
-                  os: linux
+      os: linux
-                  env: ARCH=native
+      env: ARCH=native
-                - compiler: gcc
+    - compiler: gcc
-                  os: linux
+      os: linux
-                  env: ARCH=mingw32
+      env: ARCH=mingw32
-                - compiler: gcc
+    - compiler: gcc
-                  os: linux
+      os: linux
-                  env: ARCH=mingw64
+      env: ARCH=mingw64
 
 script:
-        "./scripts/travis"
+  "./scripts/travis"

CMakeLists.txt

@@ -1,11 +1,27 @@
 cmake_minimum_required (VERSION 2.8)
 include(CheckFunctionExists)
+include(CheckLibraryExists)
 include(CheckIncludeFiles)
 
 project (LibreSSL)
 
 enable_testing()
 
+file(READ ${CMAKE_SOURCE_DIR}/ssl/VERSION SSL_VERSION)
+string(STRIP ${SSL_VERSION} SSL_VERSION)
+string(REPLACE ":" "." SSL_VERSION ${SSL_VERSION})
+string(REGEX REPLACE "\\..*" "" SSL_MAJOR_VERSION ${SSL_VERSION})
+
+file(READ ${CMAKE_SOURCE_DIR}/crypto/VERSION CRYPTO_VERSION)
+string(STRIP ${CRYPTO_VERSION} CRYPTO_VERSION)
+string(REPLACE ":" "." CRYPTO_VERSION ${CRYPTO_VERSION})
+string(REGEX REPLACE "\\..*" "" CRYPTO_MAJOR_VERSION ${CRYPTO_VERSION})
+
+file(READ ${CMAKE_SOURCE_DIR}/tls/VERSION TLS_VERSION)
+string(STRIP ${TLS_VERSION} TLS_VERSION)
+string(REPLACE ":" "." TLS_VERSION ${TLS_VERSION})
+string(REGEX REPLACE "\\..*" "" TLS_MAJOR_VERSION ${TLS_VERSION})
+
 if(CMAKE_SYSTEM_NAME MATCHES "OpenBSD")
 	add_definitions(-DHAVE_ATTRIBUTE__BOUNDED__)
 endif()
@@ -21,6 +37,8 @@ add_definitions(-DLIBRESSL_INTERNAL)
 add_definitions(-DOPENSSL_NO_HW_PADLOCK)
 add_definitions(-DOPENSSL_NO_ASM)
 
+set(CMAKE_POSITION_INDEPENDENT_CODE true)
+
 if (CMAKE_COMPILER_IS_GNUCC OR CMAKE_C_COMPILER_ID MATCHES "Clang")
 	add_definitions(-Wno-pointer-sign)
 endif()
@@ -142,11 +160,23 @@ set(OPENSSL_LIBS ssl crypto)
 if(CMAKE_HOST_WIN32)
 	set(OPENSSL_LIBS ${OPENSSL_LIBS} ws2_32)
 endif()
+if(CMAKE_SYSTEM_NAME MATCHES "Linux")
+	check_library_exists(rt clock_gettime "time.h" HAVE_CLOCK_GETTIME)
+	if (HAVE_CLOCK_GETTIME)
+		set(OPENSSL_LIBS ${OPENSSL_LIBS} rt)
+	endif()
+endif()
+
+if(NOT (CMAKE_SYSTEM_NAME MATCHES "Darwin" OR MSVC))
+	set(BUILD_SHARED true)
+endif()
 
 add_subdirectory(crypto)
 add_subdirectory(ssl)
 add_subdirectory(apps)
 add_subdirectory(tls)
+add_subdirectory(include)
 if(NOT MSVC)
+	add_subdirectory(man)
 	add_subdirectory(tests)
 endif()

ChangeLog

@@ -28,6 +28,78 @@ history is also available from Git.
 
 LibreSSL Portable Release Notes:
 
+2.3.0 - SSLv3 removed, libtls API changes, portability improvements
+
+	* SSLv3 is now permanently removed from the tree.
+
+	* The libtls API is changed from the 2.2.x series.
+
+	  The read/write functions work correctly with external event
+	  libraries.  See the tls_init man page for examples of using libtls
+	  correctly in asynchronous mode.
+
+	  Client-side verification is now supported, with the client supplying
+	  the certificate to the server.
+
+	  Also, when using tls_connect_fds, tls_connect_socket or
+	  tls_accept_fds, libtls no longer implicitly closes the passed in
+	  sockets. The caller is responsible for closing them in this case.
+
+	* When loading a DSA key from an raw (without DH parameters) ASN.1
+	  serialization, perform some consistency checks on its `p' and `q'
+	  values, and return an error if the checks failed.
+
+	  Thanks for Georgi Guninski (guninski at guninski dot com) for
+	  mentioning the possibility of a weak (non prime) q value and
+	  providing a test case.
+
+	  See
+	  https://cpunks.org/pipermail/cypherpunks/2015-September/009007.html
+	  for a longer discussion.
+
+	* Fixed a bug in ECDH_compute_key that can lead to silent truncation
+	  of the result key without error. A coding error could cause software
+	  to use much shorter keys than intended.
+
+	* Removed support for DTLS_BAD_VER. Pre-DTLSv1 implementations are no
+	  longer supported.
+
+	* The engine command and parameters are removed from the openssl(1).
+	  Previous releases removed dynamic and builtin engine support
+	  already.
+
+	* SHA-0 is removed, which was withdrawn shortly after publication 20
+	  years ago.
+
+	* Added Certplus CA root certificate to the default cert.pem file.
+
+	* New interface OPENSSL_cpu_caps is provided that does not allow
+	  software to inadvertently modify cpu capability flags.
+	  OPENSSL_ia32cap and OPENSSL_ia32cap_loc are removed.
+
+	* The out_len argument of AEAD changed from ssize_t to size_t.
+
+	* Deduplicated DTLS code, sharing bugfixes and improvements with
+	  TLS.
+
+	* Converted 'nc' to use libtls for client and server operations; it is
+	  included in the libressl-portable distribution as an example of how
+	  to use the library.
+
+2.2.3 - Bug fixes, build enhancements
+
+	* LibreSSL 2.2.2 incorrectly handles ClientHello messages that do not
+	  include TLS extensions, resulting in such handshakes being aborted.
+	  This release corrects the handling of such messages. Thanks to
+	  Ligushka from github for reporting the issue.
+
+	* Added install target for cmake builds. Thanks to TheNietsnie from
+	  github.
+
+	* Updated pkgconfig files to correctly report the release version
+	  number, not the individual library ABI version numbers. Thanks to
+	  Jan Engelhardt for reporting the issue.
+
 2.2.2 - More TLS parser rework, bug fixes, expanded portable build support
 
 	* Switched 'openssl dhparam' default from 512 to 2048 bits

README.md

@@ -13,7 +13,7 @@ LibreSSL is API compatible with OpenSSL 1.0.1, but does not yet include all
 new APIs from OpenSSL 1.0.2 and later. LibreSSL also includes APIs not yet
 present in OpenSSL. The current common API subset is OpenSSL 1.0.1.
 
-LibreSSL it is not ABI compatible with any release of OpenSSL, or necessarily
+LibreSSL is not ABI compatible with any release of OpenSSL, or necessarily
 earlier releases of LibreSSL. You will need to relink your programs to
 LibreSSL in order to use it, just as in moving between major versions of OpenSSL.
 LibreSSL's installed library version numbers are incremented to account for
@@ -62,7 +62,7 @@ If you have checked this source using Git, follow these initial steps to
 prepare the source tree for building:
 
 1. Ensure you have the following packages installed:
-   automake, autoconf, bash, git, libtool, perl, pod2man
+   automake, autoconf, git, libtool, perl, pod2man
 2. Run './autogen.sh' to prepare the source tree for building or
    run './dist.sh' to prepare a tarball.
 

README.windows

@@ -6,9 +6,8 @@ GCC or Clang as the compiler. Contrary to its name, mingw-w64 supports both
 then LibreSSL should integrate very nicely. Old versions of the mingw-w64
 toolchain, such as the one packaged with Ubuntu 12.04, may have trouble
 building LibreSSL. Please try it with a recent toolchain if you encounter
-troubles. If you are building under Cygwin, only builds with the mingw-w64
+troubles. Cygwin provides an easy method of installing the latest mingw-w64
-compiler are supported, though you can easily use Cygwin to drive the build
+cross compilers on Windows.
-process.
 
 To configure and build LibreSSL for a 32-bit system, use the following
 build steps:

VERSION

@@ -1,2 +0,0 @@
-2.2.2
-

apps/CMakeLists.txt

@@ -2,78 +2,80 @@ include_directories(
 	.
 	../include
 	../include/compat
+	./openssl
 )
 
 set(
 	OPENSSL_SRC
-	apps.c
+	openssl/apps.c
-	asn1pars.c
+	openssl/asn1pars.c
-	ca.c
+	openssl/ca.c
-	ciphers.c
+	openssl/ciphers.c
-	cms.c
+	openssl/cms.c
-	crl.c
+	openssl/crl.c
-	crl2p7.c
+	openssl/crl2p7.c
-	dgst.c
+	openssl/dgst.c
-	dh.c
+	openssl/dh.c
-	dhparam.c
+	openssl/dhparam.c
-	dsa.c
+	openssl/dsa.c
-	dsaparam.c
+	openssl/dsaparam.c
-	ec.c
+	openssl/ec.c
-	ecparam.c
+	openssl/ecparam.c
-	enc.c
+	openssl/enc.c
-	engine.c
+	openssl/errstr.c
-	errstr.c
+	openssl/gendh.c
-	gendh.c
+	openssl/gendsa.c
-	gendsa.c
+	openssl/genpkey.c
-	genpkey.c
+	openssl/genrsa.c
-	genrsa.c
+	openssl/nseq.c
-	nseq.c
+	openssl/ocsp.c
-	ocsp.c
+	openssl/openssl.c
-	openssl.c
+	openssl/passwd.c
-	passwd.c
+	openssl/pkcs12.c
-	pkcs12.c
+	openssl/pkcs7.c
-	pkcs7.c
+	openssl/pkcs8.c
-	pkcs8.c
+	openssl/pkey.c
-	pkey.c
+	openssl/pkeyparam.c
-	pkeyparam.c
+	openssl/pkeyutl.c
-	pkeyutl.c
+	openssl/prime.c
-	prime.c
+	openssl/rand.c
-	rand.c
+	openssl/req.c
-	req.c
+	openssl/rsa.c
-	rsa.c
+	openssl/rsautl.c
-	rsautl.c
+	openssl/s_cb.c
-	s_cb.c
+	openssl/s_client.c
-	s_client.c
+	openssl/s_server.c
-	s_server.c
+	openssl/s_socket.c
-	s_socket.c
+	openssl/s_time.c
-	s_time.c
+	openssl/sess_id.c
-	sess_id.c
+	openssl/smime.c
-	smime.c
+	openssl/speed.c
-	speed.c
+	openssl/spkac.c
-	spkac.c
+	openssl/ts.c
-	ts.c
+	openssl/verify.c
-	verify.c
+	openssl/version.c
-	version.c
+	openssl/x509.c
-	x509.c
 )
 
 if(CMAKE_HOST_UNIX)
-	set(OPENSSL_SRC ${OPENSSL_SRC} apps_posix.c)
+	set(OPENSSL_SRC ${OPENSSL_SRC} openssl/apps_posix.c)
-	set(OPENSSL_SRC ${OPENSSL_SRC} certhash.c)
+	set(OPENSSL_SRC ${OPENSSL_SRC} openssl/certhash.c)
 endif()
 
 if(CMAKE_HOST_WIN32)
-	set(OPENSSL_SRC ${OPENSSL_SRC} apps_win.c)
+	set(OPENSSL_SRC ${OPENSSL_SRC} openssl/compat/apps_win.c)
-	set(OPENSSL_SRC ${OPENSSL_SRC} certhash_disabled.c)
+	set(OPENSSL_SRC ${OPENSSL_SRC} openssl/compat/certhash_win.c)
-	set(OPENSSL_SRC ${OPENSSL_SRC} poll_win.c)
+	set(OPENSSL_SRC ${OPENSSL_SRC} openssl/compat/poll_win.c)
 endif()
 
 check_function_exists(strtonum HAVE_STRTONUM)
 if(HAVE_STRTONUM)
 	add_definitions(-DHAVE_STRTONUM)
 else()
-	set(OPENSSL_SRC ${OPENSSL_SRC} strtonum.c)
+	set(OPENSSL_SRC ${OPENSSL_SRC} openssl/compat/strtonum.c)
 endif()
 
 add_executable(openssl ${OPENSSL_SRC})
 target_link_libraries(openssl ${OPENSSL_LIBS})
+
+install(TARGETS openssl DESTINATION bin)

apps/Makefile.am

@@ -1,118 +1,5 @@
 include $(top_srcdir)/Makefile.am.common
 
-bin_PROGRAMS = openssl
+SUBDIRS = openssl nc
 
-openssl_LDADD = $(PLATFORM_LDADD) $(PROG_LDADD)
+EXTRA_DIST = CMakeLists.txt
-openssl_LDADD += $(top_builddir)/ssl/libssl.la
-openssl_LDADD += $(top_builddir)/crypto/libcrypto.la
-
-openssl_SOURCES = apps.c
-openssl_SOURCES += asn1pars.c
-openssl_SOURCES += ca.c
-openssl_SOURCES += ciphers.c
-openssl_SOURCES += cms.c
-openssl_SOURCES += crl.c
-openssl_SOURCES += crl2p7.c
-openssl_SOURCES += dgst.c
-openssl_SOURCES += dh.c
-openssl_SOURCES += dhparam.c
-openssl_SOURCES += dsa.c
-openssl_SOURCES += dsaparam.c
-openssl_SOURCES += ec.c
-openssl_SOURCES += ecparam.c
-openssl_SOURCES += enc.c
-openssl_SOURCES += engine.c
-openssl_SOURCES += errstr.c
-openssl_SOURCES += gendh.c
-openssl_SOURCES += gendsa.c
-openssl_SOURCES += genpkey.c
-openssl_SOURCES += genrsa.c
-openssl_SOURCES += nseq.c
-openssl_SOURCES += ocsp.c
-openssl_SOURCES += openssl.c
-openssl_SOURCES += passwd.c
-openssl_SOURCES += pkcs12.c
-openssl_SOURCES += pkcs7.c
-openssl_SOURCES += pkcs8.c
-openssl_SOURCES += pkey.c
-openssl_SOURCES += pkeyparam.c
-openssl_SOURCES += pkeyutl.c
-openssl_SOURCES += prime.c
-openssl_SOURCES += rand.c
-openssl_SOURCES += req.c
-openssl_SOURCES += rsa.c
-openssl_SOURCES += rsautl.c
-openssl_SOURCES += s_cb.c
-openssl_SOURCES += s_client.c
-openssl_SOURCES += s_server.c
-openssl_SOURCES += s_socket.c
-openssl_SOURCES += s_time.c
-openssl_SOURCES += sess_id.c
-openssl_SOURCES += smime.c
-openssl_SOURCES += speed.c
-openssl_SOURCES += spkac.c
-openssl_SOURCES += ts.c
-openssl_SOURCES += verify.c
-openssl_SOURCES += version.c
-openssl_SOURCES += x509.c
-
-if BUILD_CERTHASH
-openssl_SOURCES += certhash.c
-else
-openssl_SOURCES += certhash_disabled.c
-endif
-
-if HOST_WIN
-openssl_SOURCES += apps_win.c
-else
-openssl_SOURCES += apps_posix.c
-endif
-
-if !HAVE_POLL
-if HOST_WIN
-openssl_SOURCES += poll_win.c
-endif
-endif
-
-if !HAVE_STRTONUM
-openssl_SOURCES += strtonum.c
-endif
-
-noinst_HEADERS = apps.h
-noinst_HEADERS += progs.h
-noinst_HEADERS += s_apps.h
-noinst_HEADERS += testdsa.h
-noinst_HEADERS += testrsa.h
-noinst_HEADERS += timeouts.h
-
-EXTRA_DIST = cert.pem
-EXTRA_DIST += openssl.cnf
-EXTRA_DIST += x509v3.cnf
-EXTRA_DIST += CMakeLists.txt
-
-install-exec-hook:
-	@if [ "@OPENSSLDIR@x" != "x" ]; then \
-		OPENSSLDIR="$(DESTDIR)/@OPENSSLDIR@"; \
-	else \
-		OPENSSLDIR="$(DESTDIR)/$(sysconfdir)/ssl"; \
-	fi; \
-	mkdir -p "$$OPENSSLDIR/certs"; \
-	for i in cert.pem openssl.cnf x509v3.cnf; do \
-		if [ ! -f "$$OPENSSLDIR/$i" ]; then \
-			$(INSTALL) -m 644 "$(srcdir)/$$i" "$$OPENSSLDIR/$$i"; \
-		else \
-			echo " $$OPENSSLDIR/$$i already exists, install will not overwrite"; \
-		fi \
-	done
-
-uninstall-local:
-	@if [ "@OPENSSLDIR@x" != "x" ]; then \
-		OPENSSLDIR="$(DESTDIR)/@OPENSSLDIR@"; \
-	else \
-		OPENSSLDIR="$(DESTDIR)/$(sysconfdir)/ssl"; \
-	fi; \
-	for i in cert.pem openssl.cnf x509v3.cnf; do \
-		if cmp -s "$$OPENSSLDIR/$$i" "$(srcdir)/$$i"; then \
-			rm -f "$$OPENSSLDIR/$$i"; \
-		fi \
-	done

apps/apps_win.c

@@ -1,29 +0,0 @@
-/*
- * Public domain
- *
- * Dongsheng Song <dongsheng.song@gmail.com>
- * Brent Cook <bcook@openbsd.org>
- */
-
-#include <windows.h>
-
-#include "apps.h"
-
-double
-app_tminterval(int stop, int usertime)
-{
-	static unsigned __int64 tmstart;
-	union {
-		unsigned __int64 u64;
-		FILETIME ft;
-	} ct, et, kt, ut;
-
-	GetProcessTimes(GetCurrentProcess(), &ct.ft, &et.ft, &kt.ft, &ut.ft);
-
-	if (stop == TM_START) {
-		tmstart = ut.u64 + kt.u64;
-	} else {
-		return (ut.u64 + kt.u64 - tmstart) / (double) 10000000;
-	}
-	return 0;
-}

apps/nc/Makefile.am

@@ -0,0 +1,36 @@
+include $(top_srcdir)/Makefile.am.common
+
+if BUILD_NC
+
+noinst_PROGRAMS = nc
+
+EXTRA_DIST = nc.1
+
+nc_LDADD = $(PLATFORM_LDADD) $(PROG_LDADD)
+nc_LDADD += $(top_builddir)/crypto/libcrypto.la
+nc_LDADD += $(top_builddir)/ssl/libssl.la
+nc_LDADD += $(top_builddir)/tls/libtls.la
+
+CPPFLAGS += -I$(top_srcdir)/apps/nc/compat
+
+nc_SOURCES = atomicio.c
+nc_SOURCES += netcat.c
+nc_SOURCES += socks.c
+noinst_HEADERS = atomicio.h
+noinst_HEADERS += compat/sys/socket.h
+
+nc_SOURCES += compat/socket.c
+
+if !HAVE_ACCEPT4
+nc_SOURCES += compat/accept4.c
+endif
+
+if !HAVE_READPASSPHRASE
+nc_SOURCES += compat/readpassphrase.c
+endif
+
+if !HAVE_STRTONUM
+nc_SOURCES += compat/strtonum.c
+endif
+
+endif

apps/nc/compat/accept4.c

@@ -0,0 +1,17 @@
+#include <sys/socket.h>
+#include <fcntl.h>
+
+int
+accept4(int s, struct sockaddr *addr, socklen_t *addrlen, int flags)
+{
+	int rets = accept(s, addr, addrlen);
+	if (rets == -1)
+		return s;
+
+	if (flags & SOCK_CLOEXEC) {
+		flags = fcntl(s, F_GETFD);
+		fcntl(rets, F_SETFD, flags | FD_CLOEXEC);
+	}
+
+	return rets;
+}

apps/nc/compat/readpassphrase.c

@@ -0,0 +1,205 @@
+/*	$OpenBSD: readpassphrase.c,v 1.22 2010/01/13 10:20:54 dtucker Exp $	*/
+
+/*
+ * Copyright (c) 2000-2002, 2007 Todd C. Miller <Todd.Miller@courtesan.com>
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+ * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+ * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ *
+ * Sponsored in part by the Defense Advanced Research Projects
+ * Agency (DARPA) and Air Force Research Laboratory, Air Force
+ * Materiel Command, USAF, under agreement number F39502-99-1-0512.
+ */
+
+/* OPENBSD ORIGINAL: lib/libc/gen/readpassphrase.c */
+
+#include <termios.h>
+#include <signal.h>
+#include <ctype.h>
+#include <fcntl.h>
+#include <errno.h>
+#include <string.h>
+#include <unistd.h>
+
+#include <readpassphrase.h>
+
+#ifndef _PATH_TTY
+# define _PATH_TTY "/dev/tty"
+#endif
+
+#ifdef TCSASOFT
+# define _T_FLUSH	(TCSAFLUSH|TCSASOFT)
+#else
+# define _T_FLUSH	(TCSAFLUSH)
+#endif
+
+/* SunOS 4.x which lacks _POSIX_VDISABLE, but has VDISABLE */
+#if !defined(_POSIX_VDISABLE) && defined(VDISABLE)
+#  define _POSIX_VDISABLE       VDISABLE
+#endif
+
+#ifndef _NSIG
+# ifdef NSIG
+#  define _NSIG NSIG
+# else
+#  define _NSIG 128
+# endif
+#endif
+
+static volatile sig_atomic_t signo[_NSIG];
+
+static void handler(int);
+
+char *
+readpassphrase(const char *prompt, char *buf, size_t bufsiz, int flags)
+{
+	ssize_t bytes_written = 0;
+	ssize_t nr;
+	int input, output, save_errno, i, need_restart;
+	char ch, *p, *end;
+	struct termios term, oterm;
+	struct sigaction sa, savealrm, saveint, savehup, savequit, saveterm;
+	struct sigaction savetstp, savettin, savettou, savepipe;
+
+	/* I suppose we could alloc on demand in this case (XXX). */
+	if (bufsiz == 0) {
+		errno = EINVAL;
+		return(NULL);
+	}
+
+restart:
+	for (i = 0; i < _NSIG; i++)
+		signo[i] = 0;
+	nr = -1;
+	save_errno = 0;
+	need_restart = 0;
+	/*
+	 * Read and write to /dev/tty if available.  If not, read from
+	 * stdin and write to stderr unless a tty is required.
+	 */
+	if ((flags & RPP_STDIN) ||
+	    (input = output = open(_PATH_TTY, O_RDWR)) == -1) {
+		if (flags & RPP_REQUIRE_TTY) {
+			errno = ENOTTY;
+			return(NULL);
+		}
+		input = STDIN_FILENO;
+		output = STDERR_FILENO;
+	}
+
+	/*
+	 * Catch signals that would otherwise cause the user to end
+	 * up with echo turned off in the shell.  Don't worry about
+	 * things like SIGXCPU and SIGVTALRM for now.
+	 */
+	sigemptyset(&sa.sa_mask);
+	sa.sa_flags = 0;		/* don't restart system calls */
+	sa.sa_handler = handler;
+	(void)sigaction(SIGALRM, &sa, &savealrm);
+	(void)sigaction(SIGHUP, &sa, &savehup);
+	(void)sigaction(SIGINT, &sa, &saveint);
+	(void)sigaction(SIGPIPE, &sa, &savepipe);
+	(void)sigaction(SIGQUIT, &sa, &savequit);
+	(void)sigaction(SIGTERM, &sa, &saveterm);
+	(void)sigaction(SIGTSTP, &sa, &savetstp);
+	(void)sigaction(SIGTTIN, &sa, &savettin);
+	(void)sigaction(SIGTTOU, &sa, &savettou);
+
+	/* Turn off echo if possible. */
+	if (input != STDIN_FILENO && tcgetattr(input, &oterm) == 0) {
+		memcpy(&term, &oterm, sizeof(term));
+		if (!(flags & RPP_ECHO_ON))
+			term.c_lflag &= ~(ECHO | ECHONL);
+#ifdef VSTATUS
+		if (term.c_cc[VSTATUS] != _POSIX_VDISABLE)
+			term.c_cc[VSTATUS] = _POSIX_VDISABLE;
+#endif
+		(void)tcsetattr(input, _T_FLUSH, &term);
+	} else {
+		memset(&term, 0, sizeof(term));
+		term.c_lflag |= ECHO;
+		memset(&oterm, 0, sizeof(oterm));
+		oterm.c_lflag |= ECHO;
+	}
+
+	/* No I/O if we are already backgrounded. */
+	if (signo[SIGTTOU] != 1 && signo[SIGTTIN] != 1) {
+		if (!(flags & RPP_STDIN))
+			bytes_written = write(output, prompt, strlen(prompt));
+		end = buf + bufsiz - 1;
+		p = buf;
+		while ((nr = read(input, &ch, 1)) == 1 && ch != '\n' && ch != '\r') {
+			if (p < end) {
+				if ((flags & RPP_SEVENBIT))
+					ch &= 0x7f;
+				if (isalpha(ch)) {
+					if ((flags & RPP_FORCELOWER))
+						ch = (char)tolower(ch);
+					if ((flags & RPP_FORCEUPPER))
+						ch = (char)toupper(ch);
+				}
+				*p++ = ch;
+			}
+		}
+		*p = '\0';
+		save_errno = errno;
+		if (!(term.c_lflag & ECHO))
+			bytes_written = write(output, "\n", 1);
+	}
+
+	(void) bytes_written;
+
+	/* Restore old terminal settings and signals. */
+	if (memcmp(&term, &oterm, sizeof(term)) != 0) {
+		while (tcsetattr(input, _T_FLUSH, &oterm) == -1 &&
+		    errno == EINTR)
+			continue;
+	}
+	(void)sigaction(SIGALRM, &savealrm, NULL);
+	(void)sigaction(SIGHUP, &savehup, NULL);
+	(void)sigaction(SIGINT, &saveint, NULL);
+	(void)sigaction(SIGQUIT, &savequit, NULL);
+	(void)sigaction(SIGPIPE, &savepipe, NULL);
+	(void)sigaction(SIGTERM, &saveterm, NULL);
+	(void)sigaction(SIGTSTP, &savetstp, NULL);
+	(void)sigaction(SIGTTIN, &savettin, NULL);
+	(void)sigaction(SIGTTOU, &savettou, NULL);
+	if (input != STDIN_FILENO)
+		(void)close(input);
+
+	/*
+	 * If we were interrupted by a signal, resend it to ourselves
+	 * now that we have restored the signal handlers.
+	 */
+	for (i = 0; i < _NSIG; i++) {
+		if (signo[i]) {
+			kill(getpid(), i);
+			switch (i) {
+			case SIGTSTP:
+			case SIGTTIN:
+			case SIGTTOU:
+				need_restart = 1;
+			}
+		}
+	}
+	if (need_restart)
+		goto restart;
+
+	if (save_errno)
+		errno = save_errno;
+	return(nr == -1 ? NULL : buf);
+}
+
+static void handler(int s)
+{
+	signo[s] = 1;
+}

apps/nc/compat/socket.c

@@ -0,0 +1,29 @@
+#define SOCKET_FLAGS_PRIV
+
+#include <sys/socket.h>
+
+#ifdef NEED_SOCKET_FLAGS
+
+#include <fcntl.h>
+
+int
+_socket(int domain, int type, int protocol)
+{
+	int s = socket(domain, type & ~(SOCK_CLOEXEC | SOCK_NONBLOCK), protocol);
+	int flags;
+	if (s == -1)
+		return s;
+
+	if (type & SOCK_CLOEXEC) {
+		flags = fcntl(s, F_GETFD);
+		fcntl(s, F_SETFD, flags | FD_CLOEXEC);
+	}
+
+	if (type & SOCK_NONBLOCK) {
+		flags = fcntl(s, F_GETFL);
+		fcntl(s, F_SETFL, flags | O_NONBLOCK);
+	}
+	return s;
+}
+
+#endif

apps/nc/compat/strtonum.c

@@ -0,0 +1,65 @@
+/*	$OpenBSD: strtonum.c,v 1.7 2013/04/17 18:40:58 tedu Exp $	*/
+
+/*
+ * Copyright (c) 2004 Ted Unangst and Todd Miller
+ * All rights reserved.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+ * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+ * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+
+#include <errno.h>
+#include <limits.h>
+#include <stdlib.h>
+
+#define	INVALID		1
+#define	TOOSMALL	2
+#define	TOOLARGE	3
+
+long long
+strtonum(const char *numstr, long long minval, long long maxval,
+    const char **errstrp)
+{
+	long long ll = 0;
+	int error = 0;
+	char *ep;
+	struct errval {
+		const char *errstr;
+		int err;
+	} ev[4] = {
+		{ NULL,		0 },
+		{ "invalid",	EINVAL },
+		{ "too small",	ERANGE },
+		{ "too large",	ERANGE },
+	};
+
+	ev[0].err = errno;
+	errno = 0;
+	if (minval > maxval) {
+		error = INVALID;
+	} else {
+		ll = strtoll(numstr, &ep, 10);
+		if (numstr == ep || *ep != '\0')
+			error = INVALID;
+		else if ((ll == LLONG_MIN && errno == ERANGE) || ll < minval)
+			error = TOOSMALL;
+		else if ((ll == LLONG_MAX && errno == ERANGE) || ll > maxval)
+			error = TOOLARGE;
+	}
+	if (errstrp != NULL)
+		*errstrp = ev[error].errstr;
+	errno = ev[error].err;
+	if (error)
+		ll = 0;
+
+	return (ll);
+}

apps/nc/compat/sys/socket.h

@@ -0,0 +1,31 @@
+/*
+ * Public domain
+ * sys/socket.h compatibility shim
+ */
+
+#ifndef _WIN32
+#include_next <sys/socket.h>
+
+#if !defined(SOCK_NONBLOCK) || !defined(SOCK_CLOEXEC)
+#define NEED_SOCKET_FLAGS
+int _socket(int domain, int type, int protocol);
+#ifndef SOCKET_FLAGS_PRIV
+#define socket(d, t, p) _socket(d, t, p)
+#endif
+#endif
+
+#ifndef SOCK_NONBLOCK
+#define	SOCK_NONBLOCK		0x4000	/* set O_NONBLOCK */
+#endif
+
+#ifndef SOCK_CLOEXEC
+#define	SOCK_CLOEXEC		0x8000	/* set FD_CLOEXEC */
+#endif
+
+#ifndef HAVE_ACCEPT4
+int accept4(int s, struct sockaddr *addr, socklen_t *addrlen, int flags);
+#endif
+
+#else
+#include <win32netcompat.h>
+#endif

apps/openssl/Makefile.am

@@ -0,0 +1,118 @@
+include $(top_srcdir)/Makefile.am.common
+
+bin_PROGRAMS = openssl
+
+dist_man_MANS = openssl.1
+
+openssl_LDADD = $(PLATFORM_LDADD) $(PROG_LDADD)
+openssl_LDADD += $(top_builddir)/ssl/libssl.la
+openssl_LDADD += $(top_builddir)/crypto/libcrypto.la
+
+openssl_SOURCES = apps.c
+openssl_SOURCES += asn1pars.c
+openssl_SOURCES += ca.c
+openssl_SOURCES += ciphers.c
+openssl_SOURCES += cms.c
+openssl_SOURCES += crl.c
+openssl_SOURCES += crl2p7.c
+openssl_SOURCES += dgst.c
+openssl_SOURCES += dh.c
+openssl_SOURCES += dhparam.c
+openssl_SOURCES += dsa.c
+openssl_SOURCES += dsaparam.c
+openssl_SOURCES += ec.c
+openssl_SOURCES += ecparam.c
+openssl_SOURCES += enc.c
+openssl_SOURCES += errstr.c
+openssl_SOURCES += gendh.c
+openssl_SOURCES += gendsa.c
+openssl_SOURCES += genpkey.c
+openssl_SOURCES += genrsa.c
+openssl_SOURCES += nseq.c
+openssl_SOURCES += ocsp.c
+openssl_SOURCES += openssl.c
+openssl_SOURCES += passwd.c
+openssl_SOURCES += pkcs12.c
+openssl_SOURCES += pkcs7.c
+openssl_SOURCES += pkcs8.c
+openssl_SOURCES += pkey.c
+openssl_SOURCES += pkeyparam.c
+openssl_SOURCES += pkeyutl.c
+openssl_SOURCES += prime.c
+openssl_SOURCES += rand.c
+openssl_SOURCES += req.c
+openssl_SOURCES += rsa.c
+openssl_SOURCES += rsautl.c
+openssl_SOURCES += s_cb.c
+openssl_SOURCES += s_client.c
+openssl_SOURCES += s_server.c
+openssl_SOURCES += s_socket.c
+openssl_SOURCES += s_time.c
+openssl_SOURCES += sess_id.c
+openssl_SOURCES += smime.c
+openssl_SOURCES += speed.c
+openssl_SOURCES += spkac.c
+openssl_SOURCES += ts.c
+openssl_SOURCES += verify.c
+openssl_SOURCES += version.c
+openssl_SOURCES += x509.c
+
+if BUILD_CERTHASH
+openssl_SOURCES += certhash.c
+else
+openssl_SOURCES += compat/certhash_win.c
+endif
+
+if HOST_WIN
+openssl_SOURCES += compat/apps_win.c
+else
+openssl_SOURCES += apps_posix.c
+endif
+
+if !HAVE_POLL
+if HOST_WIN
+openssl_SOURCES += compat/poll_win.c
+endif
+endif
+
+if !HAVE_STRTONUM
+openssl_SOURCES += compat/strtonum.c
+endif
+
+noinst_HEADERS = apps.h
+noinst_HEADERS += progs.h
+noinst_HEADERS += s_apps.h
+noinst_HEADERS += testdsa.h
+noinst_HEADERS += testrsa.h
+noinst_HEADERS += timeouts.h
+
+EXTRA_DIST = cert.pem
+EXTRA_DIST += openssl.cnf
+EXTRA_DIST += x509v3.cnf
+
+install-exec-hook:
+	@if [ "@OPENSSLDIR@x" != "x" ]; then \
+		OPENSSLDIR="$(DESTDIR)/@OPENSSLDIR@"; \
+	else \
+		OPENSSLDIR="$(DESTDIR)/$(sysconfdir)/ssl"; \
+	fi; \
+	mkdir -p "$$OPENSSLDIR/certs"; \
+	for i in cert.pem openssl.cnf x509v3.cnf; do \
+		if [ ! -f "$$OPENSSLDIR/$i" ]; then \
+			$(INSTALL) -m 644 "$(srcdir)/$$i" "$$OPENSSLDIR/$$i"; \
+		else \
+			echo " $$OPENSSLDIR/$$i already exists, install will not overwrite"; \
+		fi \
+	done
+
+uninstall-local:
+	@if [ "@OPENSSLDIR@x" != "x" ]; then \
+		OPENSSLDIR="$(DESTDIR)/@OPENSSLDIR@"; \
+	else \
+		OPENSSLDIR="$(DESTDIR)/$(sysconfdir)/ssl"; \
+	fi; \
+	for i in cert.pem openssl.cnf x509v3.cnf; do \
+		if cmp -s "$$OPENSSLDIR/$$i" "$(srcdir)/$$i"; then \
+			rm -f "$$OPENSSLDIR/$$i"; \
+		fi \
+	done

apps/openssl/compat/apps_win.c

@@ -0,0 +1,60 @@
+/*
+ * Public domain
+ *
+ * Dongsheng Song <dongsheng.song@gmail.com>
+ * Brent Cook <bcook@openbsd.org>
+ */
+
+#include <windows.h>
+
+#include <io.h>
+#include <fcntl.h>
+
+#include <apps.h>
+
+double
+app_tminterval(int stop, int usertime)
+{
+	static unsigned __int64 tmstart;
+	union {
+		unsigned __int64 u64;
+		FILETIME ft;
+	} ct, et, kt, ut;
+
+	GetProcessTimes(GetCurrentProcess(), &ct.ft, &et.ft, &kt.ft, &ut.ft);
+
+	if (stop == TM_START) {
+		tmstart = ut.u64 + kt.u64;
+	} else {
+		return (ut.u64 + kt.u64 - tmstart) / (double) 10000000;
+	}
+	return 0;
+}
+
+int
+setup_ui(void)
+{
+	ui_method = UI_create_method("OpenSSL application user interface");
+	UI_method_set_opener(ui_method, ui_open);
+	UI_method_set_reader(ui_method, ui_read);
+	UI_method_set_writer(ui_method, ui_write);
+	UI_method_set_closer(ui_method, ui_close);
+
+	/*
+	 * Set STDIO to binary
+	 */
+	_setmode(_fileno(stdin), _O_BINARY);
+	_setmode(_fileno(stdout), _O_BINARY);
+	_setmode(_fileno(stderr), _O_BINARY);
+
+	return 0;
+}
+
+void
+destroy_ui(void)
+{
+	if (ui_method) {
+		UI_destroy_method(ui_method);
+		ui_method = NULL;
+	}
+}

apps/openssl/compat/certhash_win.c

@@ -3,7 +3,7 @@
  * certhash dummy implementation for platforms without symlinks
  */
 
-#include "apps.h"
+#include <apps.h>
 
 int
 certhash_main(int argc, char **argv)

check-release.sh

@@ -0,0 +1,70 @@
+#!/bin/sh
+set -e
+
+ver=$1
+dir=libressl-$ver
+tarball=$dir.tar.gz
+tag=v$ver
+
+if [ -z "$LIBRESSL_SSH" ]; then
+	if ! curl -v 1>/dev/null 2>&1; then
+		download="curl -O"
+	elif echo quit | ftp 1>/dev/null 2>&1; then
+		download=ftp
+	else
+		echo "need 'ftp' or 'curl' to verify"
+		exit
+	fi
+fi
+
+if [ "$ver" = "" ]; then
+	echo "please specify a version to check, e.g. $0 2.1.2"
+	exit
+fi
+
+if [ ! -e releases/$tarball ]; then
+	mkdir -p releases
+	rm -f $tarball
+	if [ -z "$LIBRESSL_SSH" ]; then
+		$download http://ftp.openbsd.org/pub/OpenBSD/LibreSSL/$tarball releases/
+		mv $tarball releases
+	else
+		scp $LIBRESSL_SSH/$tarball releases
+	fi
+	(cd releases; tar zxvf $tarball)
+fi
+
+if [ ! -e gen-releases/$tarball ]; then
+	rm -fr tests man include ssl crypto libtls-standalone/VERSION INSTALL
+	git checkout OPENBSD_BRANCH update.sh tests man include ssl crypto
+	git checkout $tag
+	echo "libressl-$tag" > OPENBSD_BRANCH
+	sed -i 's/git pull --rebase//' update.sh
+	./autogen.sh
+	./configure --enable-libtls
+	make dist
+
+	mkdir -p gen-releases
+	mv $tarball gen-releases
+
+	git checkout OPENBSD_BRANCH update.sh
+	git checkout master
+fi
+
+(cd gen-releases; rm -fr $dir; tar zxf $tarball)
+(cd releases; rm -fr $dir; tar zxf $tarball)
+
+echo "differences between release and regenerated release tag:"
+diff -urN \
+	-x *.3 \
+	-x Makefile.in \
+	-x aclocal.m4 \
+	-x compile \
+	-x config.guess \
+	-x config.sub \
+	-x configure \
+	-x depcomp \
+	-x install-sh \
+	-x missing \
+	-x test-driver \
+	releases/$dir gen-releases/$dir

configure.ac

@@ -52,8 +52,6 @@ CHECK_LIBC_COMPAT
 CHECK_LIBC_CRYPTO_COMPAT
 CHECK_VA_COPY
 
-AC_CHECK_HEADERS([err.h])
-
 AC_ARG_WITH([openssldir],
 	AS_HELP_STRING([--with-openssldir],
 		       [Set the default openssl directory]),
@@ -86,6 +84,10 @@ case $host_cpu in
 		AS_IF([test "x$BSWAP4" = "xyes"],,
 		    CPPFLAGS="$CPPFLAGS -D__STRICT_ALIGNMENT")
 		;;
+	*amd64*)
+		host_cpu=x86_64
+		;;
+
 esac
 
 AC_MSG_CHECKING([if .gnu.warning accepts long strings])
@@ -119,6 +121,8 @@ AC_CONFIG_FILES([
 	tls/Makefile
 	tests/Makefile
 	apps/Makefile
+	apps/openssl/Makefile
+	apps/nc/Makefile
 	man/Makefile
 	libcrypto.pc
 	libssl.pc

crypto/CMakeLists.txt

@@ -263,7 +263,6 @@ set(
 	ecdh/ech_err.c
 	ecdh/ech_key.c
 	ecdh/ech_lib.c
-	ecdh/ech_ossl.c
 	ecdsa/ecs_asn1.c
 	ecdsa/ecs_err.c
 	ecdsa/ecs_lib.c
@@ -335,7 +334,6 @@ set(
 	evp/m_md5.c
 	evp/m_null.c
 	evp/m_ripemd.c
-	evp/m_sha.c
 	evp/m_sha1.c
 	evp/m_sigver.c
 	evp/m_streebog.c
@@ -473,8 +471,6 @@ set(
 	sha/sha1dgst.c
 	sha/sha256.c
 	sha/sha512.c
-	sha/sha_dgst.c
-	sha/sha_one.c
 	stack/stack.c
 	ts/ts_asn1.c
 	ts/ts_conf.c
@@ -638,4 +634,16 @@ if(NOT HAVE_TIMINGSAFE_MEMCMP)
 	set(CRYPTO_SRC ${CRYPTO_SRC} compat/timingsafe_memcmp.c)
 endif()
 
-add_library(crypto ${CRYPTO_SRC})
+if (BUILD_SHARED)
+	add_library(crypto-objects OBJECT ${CRYPTO_SRC})
+	add_library(crypto STATIC $<TARGET_OBJECTS:crypto-objects>)
+	add_library(crypto-shared SHARED $<TARGET_OBJECTS:crypto-objects>)
+	set_target_properties(crypto-shared PROPERTIES OUTPUT_NAME crypto)
+	set_target_properties(crypto-shared PROPERTIES VERSION
+		${CRYPTO_VERSION} SOVERSION ${CRYPTO_MAJOR_VERSION})
+	install(TARGETS crypto crypto-shared DESTINATION lib)
+else()
+	add_library(crypto STATIC ${CRYPTO_SRC})
+	install(TARGETS crypto DESTINATION lib)
+endif()
+

crypto/Makefile.am

@@ -9,6 +9,9 @@ lib_LTLIBRARIES = libcrypto.la
 EXTRA_DIST = VERSION
 EXTRA_DIST += CMakeLists.txt
 
+# needed for a CMake target
+EXTRA_DIST += compat/strcasecmp.c
+
 libcrypto_la_LDFLAGS = -version-info @LIBCRYPTO_VERSION@ -no-undefined
 libcrypto_la_LIBADD = libcompat.la libcompatnoopt.la
 libcrypto_la_CPPFLAGS = -DLIBRESSL_INTERNAL
@@ -416,7 +419,6 @@ noinst_HEADERS += ec/ec_lcl.h
 libcrypto_la_SOURCES += ecdh/ech_err.c
 libcrypto_la_SOURCES += ecdh/ech_key.c
 libcrypto_la_SOURCES += ecdh/ech_lib.c
-libcrypto_la_SOURCES += ecdh/ech_ossl.c
 noinst_HEADERS += ecdh/ech_locl.h
 
 # ecdsa
@@ -499,7 +501,6 @@ libcrypto_la_SOURCES += evp/m_md4.c
 libcrypto_la_SOURCES += evp/m_md5.c
 libcrypto_la_SOURCES += evp/m_null.c
 libcrypto_la_SOURCES += evp/m_ripemd.c
-libcrypto_la_SOURCES += evp/m_sha.c
 libcrypto_la_SOURCES += evp/m_sha1.c
 libcrypto_la_SOURCES += evp/m_sigver.c
 libcrypto_la_SOURCES += evp/m_streebog.c
@@ -693,8 +694,6 @@ libcrypto_la_SOURCES += sha/sha1_one.c
 libcrypto_la_SOURCES += sha/sha1dgst.c
 libcrypto_la_SOURCES += sha/sha256.c
 libcrypto_la_SOURCES += sha/sha512.c
-libcrypto_la_SOURCES += sha/sha_dgst.c
-libcrypto_la_SOURCES += sha/sha_one.c
 noinst_HEADERS += sha/sha_locl.h
 
 # stack

crypto/compat/ui_openssl_win.c

@@ -286,7 +286,7 @@ error:
 	if (ps >= 1)
 		popsig();
 
-	OPENSSL_cleanse(result, BUFSIZ);
+	explicit_bzero(result, BUFSIZ);
 	return ok;
 }
 

dist-win.sh

@@ -29,20 +29,11 @@ for ARCH in X86 X64; do
 	make -j 4 install DESTDIR=`pwd`/stage-$ARCHDIR
 
 	mkdir -p $DIST/$ARCHDIR
-	#cp -a stage-$ARCHDIR/usr/local/lib/* $DIST/$ARCHDIR
 	if [ ! -e $DIST/include ]; then
-		cp -a stage-$ARCHDIR/usr/local/include $DIST
+		cp -r stage-$ARCHDIR/usr/local/include $DIST
-		sed -i -e 'N;/\n.*__non/s/"\? *\n/ /;P;D' \
-		       $DIST/include/openssl/*.h $DIST/include/*.h
-		sed -i -e 'N;/\n.*__attr/s/"\? *\n/ /;P;D' \
-		       $DIST/include/openssl/*.h $DIST/include/*.h
-		sed -i -e "s/__attr.*;/;/"  \
-		       -e "s/sys\/time.h/winsock2.h/" \
-		       $DIST/include/openssl/*.h $DIST/include/*.h
 	fi
 
 	cp stage-$ARCHDIR/usr/local/bin/* $DIST/$ARCHDIR
-	#cp /usr/$HOST/sys-root/mingw/bin/libssp* $DIST/$ARCHDIR
 
 	for i in libcrypto libssl libtls; do
 		DLL=$(basename `ls -1 $DIST/$ARCHDIR/$i*.dll`|cut -d. -f1)

dist.sh

@@ -1,7 +1,7 @@
 #!/bin/sh
 set -e
 
-rm -f man/*.1 man/*.3
+rm -f man/*.1 man/*.3 include/openssl/*.h
 ./autogen.sh
 ./configure
 make distcheck

gen-openbsd-tags.sh

@@ -0,0 +1,20 @@
+#!/bin/sh
+set -e
+
+for tag in `git tag`; do
+	branch=master
+	if [[ $tag = v2.0* ]]; then
+		branch=OPENBSD_5_6
+	elif [[ $tag = v2.1* ]]; then
+		branch=OPENBSD_5_7
+	elif [[ $tag = v2.2* ]]; then
+		branch=OPENBSD_5_8
+	elif [[ $tag = v2.3* ]]; then
+		branch=OPENBSD_5_9
+	fi
+	# adjust for 9 hour timezone delta between trees
+	release_ts=$((`git show -s --format=%ct $tag|tail -n1` + 32400))
+	commit=`git -C openbsd rev-list -n 1 --before=$release_ts $branch`
+	git -C openbsd tag -f libressl-$tag $commit
+	echo Tagged $tag as $commit in openbsd
+done

include/CMakeLists.txt

@@ -0,0 +1,5 @@
+install(DIRECTORY .
+        DESTINATION include
+        PATTERN "CMakeLists.txt" EXCLUDE
+        PATTERN "compat" EXCLUDE
+        PATTERN "Makefile.*" EXCLUDE)

include/Makefile.am

@@ -1,5 +1,7 @@
 include $(top_srcdir)/Makefile.am.common
 
+EXTRA_DIST = CMakeLists.txt
+
 SUBDIRS = openssl
 
 noinst_HEADERS = pqueue.h
@@ -8,6 +10,7 @@ noinst_HEADERS += compat/dirent_msvc.h
 noinst_HEADERS += compat/err.h
 noinst_HEADERS += compat/netdb.h
 noinst_HEADERS += compat/poll.h
+noinst_HEADERS += compat/readpassphrase.h
 noinst_HEADERS += compat/stdio.h
 noinst_HEADERS += compat/stdlib.h
 noinst_HEADERS += compat/string.h
@@ -21,6 +24,7 @@ noinst_HEADERS += compat/arpa/nameser.h
 noinst_HEADERS += compat/machine/endian.h
 
 noinst_HEADERS += compat/netinet/in.h
+noinst_HEADERS += compat/netinet/ip.h
 noinst_HEADERS += compat/netinet/tcp.h
 
 noinst_HEADERS += compat/sys/cdefs.h
@@ -28,8 +32,8 @@ noinst_HEADERS += compat/sys/ioctl.h
 noinst_HEADERS += compat/sys/mman.h
 noinst_HEADERS += compat/sys/param.h
 noinst_HEADERS += compat/sys/select.h
-noinst_HEADERS += compat/sys/stat.h
 noinst_HEADERS += compat/sys/socket.h
+noinst_HEADERS += compat/sys/stat.h
 noinst_HEADERS += compat/sys/time.h
 noinst_HEADERS += compat/sys/types.h
 noinst_HEADERS += compat/sys/uio.h

include/compat/netinet/ip.h

@@ -0,0 +1,43 @@
+/*
+ * Public domain
+ * netinet/ip.h compatibility shim
+ */
+
+#ifndef _WIN32
+#include_next <netinet/ip.h>
+#else
+#include <win32netcompat.h>
+#endif
+
+/*
+ * Definitions for DiffServ Codepoints as per RFC2474
+ */
+#ifndef IPTOS_DSCP_CS0
+#define	IPTOS_DSCP_CS0		0x00
+#define	IPTOS_DSCP_CS1		0x20
+#define	IPTOS_DSCP_CS2		0x40
+#define	IPTOS_DSCP_CS3		0x60
+#define	IPTOS_DSCP_CS4		0x80
+#define	IPTOS_DSCP_CS5		0xa0
+#define	IPTOS_DSCP_CS6		0xc0
+#define	IPTOS_DSCP_CS7		0xe0
+#endif
+
+#ifndef IPTOS_DSCP_AF11
+#define	IPTOS_DSCP_AF11		0x28
+#define	IPTOS_DSCP_AF12		0x30
+#define	IPTOS_DSCP_AF13		0x38
+#define	IPTOS_DSCP_AF21		0x48
+#define	IPTOS_DSCP_AF22		0x50
+#define	IPTOS_DSCP_AF23		0x58
+#define	IPTOS_DSCP_AF31		0x68
+#define	IPTOS_DSCP_AF32		0x70
+#define	IPTOS_DSCP_AF33		0x78
+#define	IPTOS_DSCP_AF41		0x88
+#define	IPTOS_DSCP_AF42		0x90
+#define	IPTOS_DSCP_AF43		0x98
+#endif
+
+#ifndef IPTOS_DSCP_EF
+#define	IPTOS_DSCP_EF		0xb8
+#endif

include/compat/readpassphrase.h

@@ -0,0 +1,48 @@
+/*	$OpenBSD: readpassphrase.h,v 1.5 2003/06/17 21:56:23 millert Exp $	*/
+
+/*
+ * Copyright (c) 2000, 2002 Todd C. Miller <Todd.Miller@courtesan.com>
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+ * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+ * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ *
+ * Sponsored in part by the Defense Advanced Research Projects
+ * Agency (DARPA) and Air Force Research Laboratory, Air Force
+ * Materiel Command, USAF, under agreement number F39502-99-1-0512.
+ */
+
+#ifdef HAVE_READPASSPHRASE_H
+
+#include_next <readpassphrase.h>
+
+#else
+
+#ifndef _READPASSPHRASE_H_
+#define _READPASSPHRASE_H_
+
+#define RPP_ECHO_OFF    0x00		/* Turn off echo (default). */
+#define RPP_ECHO_ON     0x01		/* Leave echo on. */
+#define RPP_REQUIRE_TTY 0x02		/* Fail if there is no tty. */
+#define RPP_FORCELOWER  0x04		/* Force input to lower case. */
+#define RPP_FORCEUPPER  0x08		/* Force input to upper case. */
+#define RPP_SEVENBIT    0x10		/* Strip the high bit from input. */
+#define RPP_STDIN       0x20		/* Read from stdin, not /dev/tty */
+
+#include <sys/cdefs.h>
+
+__BEGIN_DECLS
+char * readpassphrase(const char *, char *, size_t, int);
+__END_DECLS
+
+#endif /* !_READPASSPHRASE_H_ */
+
+#endif

include/compat/stdio.h

@@ -7,7 +7,13 @@
 #define LIBCRYPTOCOMPAT_STDIO_H
 
 #ifdef _MSC_VER
+#if _MSC_VER >= 1900
+#include <../ucrt/stdlib.h>
+#include <../ucrt/corecrt_io.h>
+#include <../ucrt/stdio.h>
+#else
 #include <../include/stdio.h>
+#endif
 #else
 #include_next <stdio.h>
 #endif

include/compat/stdlib.h

@@ -4,7 +4,11 @@
  */
 
 #ifdef _MSC_VER
+#if _MSC_VER >= 1900
+#include <../ucrt/stdlib.h>
+#else
 #include <../include/stdlib.h>
+#endif
 #else
 #include_next <stdlib.h>
 #endif

include/compat/string.h

@@ -7,7 +7,11 @@
 #define LIBCRYPTOCOMPAT_STRING_H
 
 #ifdef _MSC_VER
+#if _MSC_VER >= 1900
+#include <../ucrt/string.h>
+#else
 #include <../include/string.h>
+#endif
 #else
 #include_next <string.h>
 #endif

include/compat/sys/stat.h

@@ -11,7 +11,11 @@
 #else
 
 #include <windows.h>
+#if _MSC_VER >= 1900
+#include <../ucrt/sys/stat.h>
+#else
 #include <../include/sys/stat.h>
+#endif
 
 /* File type and permission flags for stat() */
 #if !defined(S_IFMT)

include/compat/sys/types.h

@@ -4,7 +4,11 @@
  */
 
 #ifdef _MSC_VER
+#if _MSC_VER >= 1900
+#include <../ucrt/sys/types.h>
+#else
 #include <../include/sys/types.h>
+#endif
 #else
 #include_next <sys/types.h>
 #endif

include/compat/time.h

@@ -4,7 +4,11 @@
  */
 
 #ifdef _MSC_VER
+#if _MSC_VER >= 1900
+#include <../ucrt/time.h>
+#else
 #include <../include/time.h>
+#endif
 #define gmtime_r(tp, tm) ((gmtime_s((tm), (tp)) == 0) ? (tm) : NULL)
 #else
 #include_next <time.h>

libcrypto.pc.in

@@ -7,7 +7,7 @@ includedir=@includedir@
 
 Name: LibreSSL-libssl
 Description: Secure Sockets Layer and cryptography libraries
-Version: @LIBCRYPTO_VERSION@
+Version: @VERSION@
 Requires:
 Conflicts:
 Libs: -L${libdir} -lcrypto

libssl.pc.in

@@ -7,7 +7,7 @@ includedir=@includedir@
 
 Name: LibreSSL-libssl
 Description: Secure Sockets Layer and cryptography libraries
-Version: @LIBSSL_VERSION@
+Version: @VERSION@
 Requires:
 Requires.private: libcrypto
 Conflicts:

libtls-standalone/include/string.h

@@ -7,7 +7,11 @@
 #define LIBCRYPTOCOMPAT_STRING_H
 
 #ifdef _MSC_VER
+#if _MSC_VER >= 1900
+#include <../ucrt/string.h>
+#else
 #include <../include/string.h>
+#endif
 #else
 #include_next <string.h>
 #endif

libtls.pc.in

@@ -7,7 +7,7 @@ includedir=@includedir@
 
 Name: LibreSSL-libtls
 Description: Secure communications using the TLS socket protocol.
-Version: @LIBTLS_VERSION@
+Version: @VERSION@
 Requires:
 Requires.private: libcrypto libssl
 Conflicts:

m4/check-libc.m4

@@ -1,11 +1,15 @@
 AC_DEFUN([CHECK_LIBC_COMPAT], [
+# Check for libc headers
+AC_CHECK_HEADERS([err.h readpassphrase.h])
 # Check for general libc functions
-AC_CHECK_FUNCS([asprintf inet_pton memmem poll reallocarray])
+AC_CHECK_FUNCS([accept4 asprintf inet_pton memmem poll readpassphrase reallocarray])
 AC_CHECK_FUNCS([strlcat strlcpy strndup strnlen strsep strtonum])
+AM_CONDITIONAL([HAVE_ACCEPT4], [test "x$ac_cv_func_accept4" = xyes])
 AM_CONDITIONAL([HAVE_ASPRINTF], [test "x$ac_cv_func_asprintf" = xyes])
 AM_CONDITIONAL([HAVE_INET_PTON], [test "x$ac_cv_func_inet_pton" = xyes])
 AM_CONDITIONAL([HAVE_MEMMEM], [test "x$ac_cv_func_memmem" = xyes])
 AM_CONDITIONAL([HAVE_POLL], [test "x$ac_cv_func_poll" = xyes])
+AM_CONDITIONAL([HAVE_READPASSPHRASE], [test "x$ac_cv_func_readpassphrase" = xyes])
 AM_CONDITIONAL([HAVE_REALLOCARRAY], [test "x$ac_cv_func_reallocarray" = xyes])
 AM_CONDITIONAL([HAVE_STRLCAT], [test "x$ac_cv_func_strlcat" = xyes])
 AM_CONDITIONAL([HAVE_STRLCPY], [test "x$ac_cv_func_strlcpy" = xyes])

m4/check-os-options.m4

@@ -15,8 +15,10 @@ case $host_os in
 		HOST_OS=cygwin
 		;;
 	*darwin*)
+		BUILD_NC=yes
 		HOST_OS=darwin
 		HOST_ABI=macosx
+		AC_SUBST([PROG_LDADD], ['-lresolv'])
 		;;
 	*freebsd*)
 		HOST_OS=freebsd
@@ -34,15 +36,19 @@ case $host_os in
 		AC_SUBST([PLATFORM_LDADD], ['-lpthread'])
 		;;
 	*linux*)
+		BUILD_NC=yes
 		HOST_OS=linux
 		HOST_ABI=elf
 		CPPFLAGS="$CPPFLAGS -D_DEFAULT_SOURCE -D_BSD_SOURCE -D_POSIX_SOURCE -D_GNU_SOURCE"
+		AC_SUBST([PROG_LDADD], ['-lresolv'])
 		;;
 	*netbsd*)
 		HOST_OS=netbsd
 		CPPFLAGS="$CPPFLAGS -D_OPENBSD_SOURCE"
 		;;
 	*openbsd* | *bitrig*)
+		BUILD_NC=yes
+		HOST_OS=openbsd
 		HOST_ABI=elf
 		AC_DEFINE([HAVE_ATTRIBUTE__BOUNDED__], [1], [OpenBSD gcc has bounded])
 		;;
@@ -65,6 +71,7 @@ case $host_os in
 	*) ;;
 esac
 
+AM_CONDITIONAL([BUILD_NC],     [test x$BUILD_NC = xyes])
 AM_CONDITIONAL([HOST_AIX],     [test x$HOST_OS = xaix])
 AM_CONDITIONAL([HOST_CYGWIN],  [test x$HOST_OS = xcygwin])
 AM_CONDITIONAL([HOST_DARWIN],  [test x$HOST_OS = xdarwin])
@@ -72,6 +79,7 @@ AM_CONDITIONAL([HOST_FREEBSD], [test x$HOST_OS = xfreebsd])
 AM_CONDITIONAL([HOST_HPUX],    [test x$HOST_OS = xhpux])
 AM_CONDITIONAL([HOST_LINUX],   [test x$HOST_OS = xlinux])
 AM_CONDITIONAL([HOST_NETBSD],  [test x$HOST_OS = xnetbsd])
+AM_CONDITIONAL([HOST_OPENBSD], [test x$HOST_OS = xopenbsd])
 AM_CONDITIONAL([HOST_SOLARIS], [test x$HOST_OS = xsolaris])
 AM_CONDITIONAL([HOST_WIN],     [test x$HOST_OS = xwin])
 ])

man/CMakeLists.txt

@@ -0,0 +1,9 @@
+install(DIRECTORY .
+    DESTINATION share/man/man3
+    FILES_MATCHING PATTERN "*.3"
+    )
+
+install(DIRECTORY .
+    DESTINATION share/man/man1
+    FILES_MATCHING PATTERN "*.1"
+    )

man/links

@@ -446,7 +446,6 @@ EVP_DigestInit.3,EVP_md2.3
 EVP_DigestInit.3,EVP_md5.3
 EVP_DigestInit.3,EVP_md_null.3
 EVP_DigestInit.3,EVP_ripemd160.3
-EVP_DigestInit.3,EVP_sha.3
 EVP_DigestInit.3,EVP_sha1.3
 EVP_DigestInit.3,EVP_sha224.3
 EVP_DigestInit.3,EVP_sha256.3
@@ -1104,8 +1103,11 @@ tls_init.3,tls_config_clear_keys.3
 tls_init.3,tls_config_free.3
 tls_init.3,tls_config_insecure_noverifycert.3
 tls_init.3,tls_config_insecure_noverifyname.3
+tls_init.3,tls_config_insecure_noverifytime.3
 tls_init.3,tls_config_new.3
 tls_init.3,tls_config_parse_protocols.3
+tls_init.3,tls_config_prefer_ciphers_client.3
+tls_init.3,tls_config_prefer_ciphers_server.3
 tls_init.3,tls_config_set_ca_file.3
 tls_init.3,tls_config_set_ca_mem.3
 tls_init.3,tls_config_set_ca_path.3
@@ -1119,14 +1121,24 @@ tls_init.3,tls_config_set_key_mem.3
 tls_init.3,tls_config_set_protocols.3
 tls_init.3,tls_config_set_verify_depth.3
 tls_init.3,tls_config_verify.3
+tls_init.3,tls_config_verify_client.3
+tls_init.3,tls_config_verify_client_optional.3
 tls_init.3,tls_configure.3
+tls_init.3,tls_conn_cipher.3
+tls_init.3,tls_conn_version.3
 tls_init.3,tls_connect.3
 tls_init.3,tls_connect_fds.3
 tls_init.3,tls_connect_servername.3
 tls_init.3,tls_connect_socket.3
 tls_init.3,tls_error.3
 tls_init.3,tls_free.3
+tls_init.3,tls_handshake.3
 tls_init.3,tls_load_file.3
+tls_init.3,tls_peer_cert_contains_name.3
+tls_init.3,tls_peer_cert_hash.3
+tls_init.3,tls_peer_cert_issuer.3
+tls_init.3,tls_peer_cert_provided.3
+tls_init.3,tls_peer_cert_subject.3
 tls_init.3,tls_read.3
 tls_init.3,tls_reset.3
 tls_init.3,tls_server.3

man/update_links.sh

@@ -3,7 +3,7 @@
 # Run this periodically to ensure that the manpage links are up to date
 
 echo "# This is an auto-generated file by $0" > links
-sudo makewhatis
+doas makewhatis
 for i in `ls -1 *.3`; do
   name=`echo $i|cut -d. -f1`
   links=`sqlite3 /usr/share/man/mandoc.db \

patches/arc4random.c.patch

@@ -1,15 +0,0 @@
---- crypto/compat/arc4random.c.orig	2015-07-20 07:41:17.000000000 -0600
-+++ crypto/compat/arc4random.c	2015-07-20 07:41:58.000000000 -0600
-@@ -36,8 +36,11 @@
- #define KEYSTREAM_ONLY
- #include "chacha_private.h"
- 
-+#ifndef min
- #define min(a, b) ((a) < (b) ? (a) : (b))
--#ifdef __GNUC__
-+#endif
-+
-+#if defined(__GNUC__) || defined(_MSC_VER)
- #define inline __inline
- #else				/* !__GNUC__ */
- #define inline

patches/netcat.c.patch

@@ -0,0 +1,155 @@
+--- apps/nc/netcat.c.orig	Sun Sep 13 08:12:39 2015
++++ apps/nc/netcat.c	Sun Sep 13 19:15:13 2015
+@@ -98,9 +98,13 @@
+ int	Dflag;					/* sodebug */
+ int	Iflag;					/* TCP receive buffer size */
+ int	Oflag;					/* TCP send buffer size */
++#ifdef TCP_MD5SIG
+ int	Sflag;					/* TCP MD5 signature option */
++#endif
+ int	Tflag = -1;				/* IP Type of Service */
++#ifdef SO_RTABLE
+ int	rtableid = -1;
++#endif
+ 
+ int	usetls;					/* use TLS */
+ char    *Cflag;					/* Public cert file */
+@@ -150,7 +154,7 @@
+ 	struct servent *sv;
+ 	socklen_t len;
+ 	struct sockaddr_storage cliaddr;
+-	char *proxy;
++	char *proxy = NULL;
+ 	const char *errstr, *proxyhost = "", *proxyport = NULL;
+ 	struct addrinfo proxyhints;
+ 	char unix_dg_tmp_socket_buf[UNIX_DG_TMP_SOCKET_SIZE];
+@@ -251,12 +255,14 @@
+ 		case 'u':
+ 			uflag = 1;
+ 			break;
++#ifdef SO_RTABLE
+ 		case 'V':
+ 			rtableid = (int)strtonum(optarg, 0,
+ 			    RT_TABLEID_MAX, &errstr);
+ 			if (errstr)
+ 				errx(1, "rtable %s: %s", errstr, optarg);
+ 			break;
++#endif
+ 		case 'v':
+ 			vflag = 1;
+ 			break;
+@@ -289,9 +295,11 @@
+ 				errx(1, "TCP send window %s: %s",
+ 				    errstr, optarg);
+ 			break;
++#ifdef TCP_MD5SIG
+ 		case 'S':
+ 			Sflag = 1;
+ 			break;
++#endif
+ 		case 'T':
+ 			errstr = NULL;
+ 			errno = 0;
+@@ -776,7 +784,10 @@
+ remote_connect(const char *host, const char *port, struct addrinfo hints)
+ {
+ 	struct addrinfo *res, *res0;
+-	int s, error, on = 1;
++	int s, error;
++#ifdef SO_BINDANY
++	int on = 1;
++#endif
+ 
+ 	if ((error = getaddrinfo(host, port, &hints, &res)))
+ 		errx(1, "getaddrinfo: %s", gai_strerror(error));
+@@ -787,16 +798,20 @@
+ 		    SOCK_NONBLOCK, res0->ai_protocol)) < 0)
+ 			continue;
+ 
++#ifdef SO_RTABLE
+ 		if (rtableid >= 0 && (setsockopt(s, SOL_SOCKET, SO_RTABLE,
+ 		    &rtableid, sizeof(rtableid)) == -1))
+ 			err(1, "setsockopt SO_RTABLE");
++#endif
+ 
+ 		/* Bind to a local port or source address if specified. */
+ 		if (sflag || pflag) {
+ 			struct addrinfo ahints, *ares;
+ 
++#ifdef SO_BINDANY
+ 			/* try SO_BINDANY, but don't insist */
+ 			setsockopt(s, SOL_SOCKET, SO_BINDANY, &on, sizeof(on));
++#endif
+ 			memset(&ahints, 0, sizeof(struct addrinfo));
+ 			ahints.ai_family = res0->ai_family;
+ 			ahints.ai_socktype = uflag ? SOCK_DGRAM : SOCK_STREAM;
+@@ -865,7 +880,10 @@
+ local_listen(char *host, char *port, struct addrinfo hints)
+ {
+ 	struct addrinfo *res, *res0;
+-	int s, ret, x = 1;
++	int s;
++#ifdef SO_REUSEPORT
++	int ret, x = 1;
++#endif
+ 	int error;
+ 
+ 	/* Allow nodename to be null. */
+@@ -887,13 +905,17 @@
+ 		    res0->ai_protocol)) < 0)
+ 			continue;
+ 
++#ifdef SO_RTABLE
+ 		if (rtableid >= 0 && (setsockopt(s, SOL_SOCKET, SO_RTABLE,
+ 		    &rtableid, sizeof(rtableid)) == -1))
+ 			err(1, "setsockopt SO_RTABLE");
++#endif
+ 
++#ifdef SO_REUSEPORT
+ 		ret = setsockopt(s, SOL_SOCKET, SO_REUSEPORT, &x, sizeof(x));
+ 		if (ret == -1)
+ 			err(1, NULL);
++#endif
+ 
+ 		set_common_sockopts(s, res0->ai_family);
+ 
+@@ -1337,11 +1359,13 @@
+ {
+ 	int x = 1;
+ 
++#ifdef TCP_MD5SIG
+ 	if (Sflag) {
+ 		if (setsockopt(s, IPPROTO_TCP, TCP_MD5SIG,
+ 			&x, sizeof(x)) == -1)
+ 			err(1, NULL);
+ 	}
++#endif
+ 	if (Dflag) {
+ 		if (setsockopt(s, SOL_SOCKET, SO_DEBUG,
+ 			&x, sizeof(x)) == -1)
+@@ -1516,15 +1540,19 @@
+ 	\t-P proxyuser\tUsername for proxy authentication\n\
+ 	\t-p port\t	Specify local port for remote connects\n\
+ 	\t-R CAfile	CA bundle\n\
+-	\t-r		Randomize remote ports\n\
+-	\t-S		Enable the TCP MD5 signature option\n\
+-	\t-s source	Local source address\n\
++	\t-r		Randomize remote ports\n"
++#ifdef TCP_MD5SIG
++	"\t-S		Enable the TCP MD5 signature option\n"
++#endif
++	"\t-s source	Local source address\n\
+ 	\t-T keyword	TOS value or TLS options\n\
+ 	\t-t		Answer TELNET negotiation\n\
+ 	\t-U		Use UNIX domain socket\n\
+-	\t-u		UDP mode\n\
+-	\t-V rtable	Specify alternate routing table\n\
+-	\t-v		Verbose\n\
++	\t-u		UDP mode\n"
++#ifdef SO_RTABLE
++	"\t-V rtable	Specify alternate routing table\n"
++#endif
++	"\t-v		Verbose\n\
+ 	\t-w timeout	Timeout for connects and final net reads\n\
+ 	\t-X proto	Proxy protocol: \"4\", \"5\" (SOCKS) or \"connect\"\n\
+ 	\t-x addr[:port]\tSpecify proxy address and port\n\

patches/openssl.c.patch

@@ -1,26 +1,6 @@
---- apps/openssl.c.orig	2015-07-20 02:01:42.000000000 -0600
+--- apps/openssl/openssl.c.orig	Sun Sep 13 09:11:31 2015
-+++ apps/openssl.c	2015-07-20 02:02:00.000000000 -0600
++++ apps/openssl/openssl.c	Sun Sep 13 09:10:02 2015
-@@ -130,6 +130,19 @@
+@@ -399,7 +399,9 @@
- #include <openssl/engine.h>
- #endif
-
-+#ifdef _WIN32
-+#include <io.h>
-+#include <fcntl.h>
-+static void set_stdio_binary(void)
-+{
-+	_setmode(_fileno(stdin), _O_BINARY);
-+	_setmode(_fileno(stdout), _O_BINARY);
-+	_setmode(_fileno(stderr), _O_BINARY);
-+}
-+#else
-+static void set_stdio_binary(void) {};
-+#endif
-+
- #include "progs.h"
- #include "s_apps.h"
-
-@@ -204,7 +216,9 @@
  static void
  openssl_startup(void)
  {
@@ -28,13 +8,5 @@
  	signal(SIGPIPE, SIG_IGN);
 +#endif
  
- 	CRYPTO_malloc_init();
  	OpenSSL_add_all_algorithms();
-@@ -216,6 +230,7 @@
+ 	SSL_library_init();
- #endif
-
- 	setup_ui_method();
-+	set_stdio_binary();
- }
-
- static void

patches/opensslconf.h.patch

@@ -1,13 +0,0 @@
---- include/openssl/opensslconf.h.orig	2015-07-19 23:21:47.000000000 -0600
-+++ include/openssl/opensslconf.h	2015-07-19 23:21:17.000000000 -0600
-@@ -1,6 +1,10 @@
- #include <openssl/opensslfeatures.h>
- /* crypto/opensslconf.h.in */
-
-+#if defined(_MSC_VER) && !defined(__attribute__)
-+#define __attribute__(a)
-+#endif
-+
- /* Generate 80386 code? */
- #undef I386_ONLY
-

patches/ossl_typ.h.patch

@@ -1,25 +0,0 @@
---- include/openssl/ossl_typ.h.orig	2015-07-06 13:21:18.788571423 -0700
-+++ include/openssl/ossl_typ.h	2015-07-06 13:24:14.906468003 -0700
-@@ -100,6 +100,22 @@
- typedef struct ASN1_ITEM_st ASN1_ITEM;
- typedef struct asn1_pctx_st ASN1_PCTX;
-
-+#if defined(_WIN32) && defined(__WINCRYPT_H__)
-+#ifndef LIBRESSL_INTERNAL
-+#ifdef _MSC_VER
-+#pragma message("Warning, overriding WinCrypt defines")
-+#else
-+#warning overriding WinCrypt defines
-+#endif
-+#endif
-+#undef X509_NAME
-+#undef X509_CERT_PAIR
-+#undef X509_EXTENSIONS
-+#undef OCSP_REQUEST
-+#undef OCSP_RESPONSE
-+#undef PKCS7_ISSUER_AND_SERIAL
-+#endif
-+
- #ifdef BIGNUM
- #undef BIGNUM
- #endif

patches/pkcs7.h.patch

@@ -1,21 +0,0 @@
---- include/openssl/pkcs7.h.orig	2015-07-06 13:26:27.369203527 -0700
-+++ include/openssl/pkcs7.h	2015-07-06 13:27:37.637051967 -0700
-@@ -69,6 +69,18 @@
- extern "C" {
- #endif
-
-+#if defined(_WIN32) && defined(__WINCRYPT_H__)
-+#ifndef LIBRESSL_INTERNAL
-+#ifdef _MSC_VER
-+#pragma message("Warning, overriding WinCrypt defines")
-+#else
-+#warning overriding WinCrypt defines
-+#endif
-+#endif
-+#undef PKCS7_ISSUER_AND_SERIAL
-+#undef PKCS7_SIGNER_INFO
-+#endif
-+
- /*
- Encryption_ID		DES-CBC
- Digest_ID		MD5

patches/windows_headers.patch

@@ -0,0 +1,100 @@
+diff -urN include/openssl.orig/dtls1.h include/openssl/dtls1.h
+--- include/openssl.orig/dtls1.h	Mon Sep 21 21:45:45 2015
++++ include/openssl/dtls1.h	Mon Sep 21 21:58:56 2015
+@@ -60,7 +60,11 @@
+ #ifndef HEADER_DTLS1_H
+ #define HEADER_DTLS1_H
+ 
++#if defined(_WIN32)
++#include <winsock2.h>
++#else
+ #include <sys/time.h>
++#endif
+ 
+ #include <stdio.h>
+ #include <stdlib.h>
+diff -urN include/openssl.orig/opensslconf.h include/openssl/opensslconf.h
+--- include/openssl.orig/opensslconf.h	Mon Sep 21 21:45:45 2015
++++ include/openssl/opensslconf.h	Mon Sep 21 21:56:13 2015
+@@ -1,6 +1,10 @@
+ #include <openssl/opensslfeatures.h>
+ /* crypto/opensslconf.h.in */
+ 
++#if defined(_MSC_VER) && !defined(__attribute__)
++#define __attribute__(a)
++#endif
++
+ /* Generate 80386 code? */
+ #undef I386_ONLY
+ 
+diff -urN include/openssl.orig/ossl_typ.h include/openssl/ossl_typ.h
+--- include/openssl.orig/ossl_typ.h	Mon Sep 21 21:45:45 2015
++++ include/openssl/ossl_typ.h	Mon Sep 21 21:56:22 2015
+@@ -100,6 +100,22 @@
+ typedef struct ASN1_ITEM_st ASN1_ITEM;
+ typedef struct asn1_pctx_st ASN1_PCTX;
+ 
++#if defined(_WIN32) && defined(__WINCRYPT_H__)
++#ifndef LIBRESSL_INTERNAL
++#ifdef _MSC_VER
++#pragma message("Warning, overriding WinCrypt defines")
++#else
++#warning overriding WinCrypt defines
++#endif
++#endif
++#undef X509_NAME
++#undef X509_CERT_PAIR
++#undef X509_EXTENSIONS
++#undef OCSP_REQUEST
++#undef OCSP_RESPONSE
++#undef PKCS7_ISSUER_AND_SERIAL
++#endif
++
+ #ifdef BIGNUM
+ #undef BIGNUM
+ #endif
+diff -urN include/openssl.orig/pkcs7.h include/openssl/pkcs7.h
+--- include/openssl.orig/pkcs7.h	Mon Sep 21 21:45:45 2015
++++ include/openssl/pkcs7.h	Mon Sep 21 21:56:29 2015
+@@ -69,6 +69,18 @@
+ extern "C" {
+ #endif
+ 
++#if defined(_WIN32) && defined(__WINCRYPT_H__)
++#ifndef LIBRESSL_INTERNAL
++#ifdef _MSC_VER
++#pragma message("Warning, overriding WinCrypt defines")
++#else
++#warning overriding WinCrypt defines
++#endif
++#endif
++#undef PKCS7_ISSUER_AND_SERIAL
++#undef PKCS7_SIGNER_INFO
++#endif
++
+ /*
+ Encryption_ID		DES-CBC
+ Digest_ID		MD5
+diff -urN include/openssl.orig/x509.h include/openssl/x509.h
+--- include/openssl.orig/x509.h	Mon Sep 21 21:45:45 2015
++++ include/openssl/x509.h	Mon Sep 21 21:56:35 2015
+@@ -112,6 +112,19 @@
+ extern "C" {
+ #endif
+ 
++#if defined(_WIN32)
++#ifndef LIBRESSL_INTERNAL
++#ifdef _MSC_VER
++#pragma message("Warning, overriding WinCrypt defines")
++#else
++#warning overriding WinCrypt defines
++#endif
++#endif
++#undef X509_NAME
++#undef X509_CERT_PAIR
++#undef X509_EXTENSIONS
++#endif
++
+ #define X509_FILETYPE_PEM	1
+ #define X509_FILETYPE_ASN1	2
+ #define X509_FILETYPE_DEFAULT	3

patches/x509.h.patch

@@ -1,22 +0,0 @@
---- include/openssl/x509.h.orig	2015-07-06 13:15:15.059306046 -0700
-+++ include/openssl/x509.h	2015-07-06 13:16:10.506118278 -0700
-@@ -112,6 +112,19 @@
- extern "C" {
- #endif
-
-+#if defined(_WIN32)
-+#ifndef LIBRESSL_INTERNAL
-+#ifdef _MSC_VER
-+#pragma message("Warning, overriding WinCrypt defines")
-+#else
-+#warning overriding WinCrypt defines
-+#endif
-+#endif
-+#undef X509_NAME
-+#undef X509_CERT_PAIR
-+#undef X509_EXTENSIONS
-+#endif
-+
- #define X509_FILETYPE_PEM	1
- #define X509_FILETYPE_ASN1	2
- #define X509_FILETYPE_DEFAULT	3

scripts/travis

@@ -4,12 +4,31 @@ set -e
 ./autogen.sh
 
 if [ "x$ARCH" = "xnative" ]; then
+	# test autotools
 	./configure
+	make -j 4 distcheck
+
+	# make distribution
+	make dist
+	tar zxvf libressl-*.tar.gz
+	cd libressl-*
+	mkdir build
+	cd build
+
+	# test cmake and ninja
 	if [ `uname` = "Darwin" ]; then
-		# OS X runs out of resources if we run 'make -j check'
+		cmake ..
-		make check
+		make
+		make test
 	else
-		make -j distcheck
+		sudo apt-get update
+		sudo apt-get install -y python-software-properties
+		sudo apt-add-repository -y ppa:kalakris/cmake
+		sudo apt-get update
+		sudo apt-get install -y cmake ninja-build
+		cmake -GNinja ..
+		ninja
+		ninja test
 	fi
 else
 	CPU=i686

ssl/CMakeLists.txt

@@ -4,9 +4,8 @@ include_directories(
 	../include/compat
 )
 
-add_library(
+set(
-	ssl
+	SSL_SRC
-
 	bio_ssl.c
 	bs_ber.c
 	bs_cbb.c
@@ -22,15 +21,12 @@ add_library(
 	pqueue.c
 	s23_clnt.c
 	s23_lib.c
-	s23_meth.c
 	s23_pkt.c
 	s23_srvr.c
 	s3_both.c
 	s3_cbc.c
 	s3_clnt.c
-	s3_enc.c
 	s3_lib.c
-	s3_meth.c
 	s3_pkt.c
 	s3_srvr.c
 	ssl_algs.c
@@ -51,3 +47,16 @@ add_library(
 	t1_reneg.c
 	t1_srvr.c
 )
+
+if (BUILD_SHARED)
+	add_library(ssl-objects OBJECT ${SSL_SRC})
+	add_library(ssl STATIC $<TARGET_OBJECTS:ssl-objects>)
+	add_library(ssl-shared SHARED $<TARGET_OBJECTS:ssl-objects>)
+	set_target_properties(ssl-shared PROPERTIES OUTPUT_NAME ssl)
+	set_target_properties(ssl-shared PROPERTIES VERSION ${SSL_VERSION}
+		SOVERSION ${SSL_MAJOR_VERSION})
+	install(TARGETS ssl ssl-shared DESTINATION lib)
+else()
+	add_library(ssl STATIC ${SSL_SRC})
+	install(TARGETS ssl DESTINATION lib)
+endif()

ssl/Makefile.am

@@ -23,15 +23,12 @@ libssl_la_SOURCES += d1_srvr.c
 libssl_la_SOURCES += pqueue.c
 libssl_la_SOURCES += s23_clnt.c
 libssl_la_SOURCES += s23_lib.c
-libssl_la_SOURCES += s23_meth.c
 libssl_la_SOURCES += s23_pkt.c
 libssl_la_SOURCES += s23_srvr.c
 libssl_la_SOURCES += s3_both.c
 libssl_la_SOURCES += s3_cbc.c
 libssl_la_SOURCES += s3_clnt.c
-libssl_la_SOURCES += s3_enc.c
 libssl_la_SOURCES += s3_lib.c
-libssl_la_SOURCES += s3_meth.c
 libssl_la_SOURCES += s3_pkt.c
 libssl_la_SOURCES += s3_srvr.c
 libssl_la_SOURCES += ssl_algs.c

tests/CMakeLists.txt

@@ -5,7 +5,8 @@ include_directories(
 	../crypto/modes
 	../crypto/asn1
 	../ssl
-	../apps
+	../apps/openssl
+	../apps/openssl/compat
 )
 
 set(ENV{srcdir} ${CMAKE_CURRENT_SOURCE_DIR})
@@ -75,6 +76,11 @@ add_executable(cipherstest cipherstest.c)
 target_link_libraries(cipherstest ${OPENSSL_LIBS})
 add_test(cipherstest cipherstest)
 
+# clienttest
+add_executable(clienttest clienttest.c)
+target_link_libraries(clienttest ${OPENSSL_LIBS})
+add_test(clienttest clienttest)
+
 # cts128test
 add_executable(cts128test cts128test.c)
 target_link_libraries(cts128test ${OPENSSL_LIBS})
@@ -236,11 +242,6 @@ add_executable(sha512test sha512test.c)
 target_link_libraries(sha512test ${OPENSSL_LIBS})
 add_test(sha512test sha512test)
 
-# shatest
-add_executable(shatest shatest.c)
-target_link_libraries(shatest ${OPENSSL_LIBS})
-add_test(shatest shatest)
-
 # ssltest
 #add_executable(ssltest ssltest.c)
 #target_link_libraries(ssltest ${OPENSSL_LIBS})
@@ -264,3 +265,8 @@ add_test(timingsafe timingsafe)
 add_executable(utf8test utf8test.c)
 target_link_libraries(utf8test ${OPENSSL_LIBS})
 add_test(utf8test utf8test)
+
+# verifytest
+add_executable(verifytest verifytest.c)
+target_link_libraries(verifytest tls ${OPENSSL_LIBS})
+add_test(verifytest verifytest)

tests/Makefile.am

@@ -3,11 +3,13 @@ include $(top_srcdir)/Makefile.am.common
 AM_CPPFLAGS += -I $(top_srcdir)/crypto/modes
 AM_CPPFLAGS += -I $(top_srcdir)/crypto/asn1
 AM_CPPFLAGS += -I $(top_srcdir)/ssl
-AM_CPPFLAGS += -I $(top_srcdir)/apps
+AM_CPPFLAGS += -I $(top_srcdir)/apps/openssl
+AM_CPPFLAGS += -I $(top_srcdir)/apps/openssl/compat
 
 LDADD = $(PLATFORM_LDADD) $(PROG_LDADD)
 LDADD += $(top_builddir)/ssl/libssl.la
 LDADD += $(top_builddir)/crypto/libcrypto.la
+LDADD += $(top_builddir)/tls/libtls.la
 
 TESTS =
 check_PROGRAMS =
@@ -89,6 +91,11 @@ TESTS += cipherstest
 check_PROGRAMS += cipherstest
 cipherstest_SOURCES = cipherstest.c
 
+# clienttest
+TESTS += clienttest
+check_PROGRAMS += clienttest
+clienttest_SOURCES = clienttest.c
+
 # cts128test
 TESTS += cts128test
 check_PROGRAMS += cts128test
@@ -208,9 +215,10 @@ pbkdf2_SOURCES = pbkdf2.c
 # pidwraptest relies on an OS-specific way to give out pids and is generally
 # awkward on systems with slow fork
 if ENABLE_EXTRATESTS
-TESTS += pidwraptest
+TESTS += pidwraptest.sh
 check_PROGRAMS += pidwraptest
 pidwraptest_SOURCES = pidwraptest.c
+EXTRA_DIST += pidwraptest.sh
 endif
 
 # pkcs7test
@@ -265,11 +273,6 @@ TESTS += sha512test
 check_PROGRAMS += sha512test
 sha512test_SOURCES = sha512test.c
 
-# shatest
-TESTS += shatest
-check_PROGRAMS += shatest
-shatest_SOURCES = shatest.c
-
 # ssltest
 TESTS += ssltest.sh
 check_PROGRAMS += ssltest
@@ -300,3 +303,7 @@ TESTS += utf8test
 check_PROGRAMS += utf8test
 utf8test_SOURCES = utf8test.c
 
+# verifytest
+TESTS += verifytest
+check_PROGRAMS += verifytest
+verifytest_SOURCES = verifytest.c

tests/ssltest.sh

@@ -6,9 +6,9 @@ if [ -e ./ssltest.exe ]; then
 	ssltest_bin=./ssltest.exe
 fi
 
-openssl_bin=../apps/openssl
+openssl_bin=../apps/openssl/openssl
-if [ -e ../apps/openssl.exe ]; then
+if [ -e ../apps/openssl/openssl.exe ]; then
-	openssl_bin=../apps/openssl.exe
+	openssl_bin=../apps/openssl/openssl.exe
 fi
 
 if [ -z $srcdir ]; then

tests/testdsa.sh

@@ -4,9 +4,9 @@
 
 #Test DSA certificate generation of openssl
 
-cmd=../apps/openssl
+cmd=../apps/openssl/openssl
-if [ -e ../apps/openssl.exe ]; then
+if [ -e ../apps/openssl/openssl.exe ]; then
-	cmd=../apps/openssl.exe
+	cmd=../apps/openssl/openssl.exe
 fi
 
 if [ -z $srcdir ]; then

tests/testenc.sh

@@ -2,9 +2,9 @@
 #	$OpenBSD: testenc.sh,v 1.1 2014/08/26 17:50:07 jsing Exp $
 
 test=p
-cmd=../apps/openssl
+cmd=../apps/openssl/openssl
-if [ -e ../apps/openssl.exe ]; then
+if [ -e ../apps/openssl/openssl.exe ]; then
-	cmd=../apps/openssl.exe
+	cmd=../apps/openssl/openssl.exe
 fi
 
 cat openssl.cnf >$test;

tests/testrsa.sh

@@ -4,9 +4,9 @@
 
 #Test RSA certificate generation of openssl
 
-cmd=../apps/openssl
+cmd=../apps/openssl/openssl
-if [ -e ../apps/openssl.exe ]; then
+if [ -e ../apps/openssl/openssl.exe ]; then
-	cmd=../apps/openssl.exe
+	cmd=../apps/openssl/openssl.exe
 fi
 
 if [ -z $srcdir ]; then

tls/CMakeLists.txt

@@ -9,7 +9,9 @@ set(
 	tls.c
 	tls_client.c
 	tls_config.c
+	tls_conninfo.c
 	tls_server.c
+	tls_peer.c
 	tls_util.c
 	tls_verify.c
 )
@@ -19,4 +21,16 @@ if(NOT HAVE_STRCASECMP)
 	set(TLS_SRC ${TLS_SRC} strsep.c)
 endif()
 
-add_library(tls ${TLS_SRC})
+if (BUILD_SHARED)
+	add_library(tls-objects OBJECT ${TLS_SRC})
+	add_library(tls STATIC $<TARGET_OBJECTS:tls-objects>)
+	add_library(tls-shared SHARED $<TARGET_OBJECTS:tls-objects>)
+	set_target_properties(tls-shared PROPERTIES OUTPUT_NAME tls)
+	set_target_properties(tls-shared PROPERTIES VERSION ${TLS_VERSION}
+		SOVERSION ${TLS_MAJOR_VERSION})
+	install(TARGETS tls tls-shared DESTINATION lib)
+else()
+	add_library(tls STATIC ${TLS_SRC})
+	install(TARGETS tls DESTINATION lib)
+endif()
+

tls/Makefile.am

@@ -11,7 +11,9 @@ libtls_la_LIBADD = ../crypto/libcrypto.la ../ssl/libssl.la $(PLATFORM_LDADD)
 libtls_la_SOURCES = tls.c
 libtls_la_SOURCES += tls_client.c
 libtls_la_SOURCES += tls_config.c
+libtls_la_SOURCES += tls_conninfo.c
 libtls_la_SOURCES += tls_server.c
+libtls_la_SOURCES += tls_peer.c
 libtls_la_SOURCES += tls_util.c
 libtls_la_SOURCES += tls_verify.c
 noinst_HEADERS = tls_internal.h

update.sh

@@ -1,4 +1,4 @@
-#!/usr/bin/env bash
+#!/bin/sh
 set -e
 
 openbsd_branch=`cat OPENBSD_BRANCH`
@@ -25,20 +25,21 @@ libcrypto_regress=$CWD/openbsd/src/regress/lib/libcrypto
 libssl_src=$CWD/openbsd/src/lib/libssl
 libssl_regress=$CWD/openbsd/src/regress/lib/libssl
 libtls_src=$CWD/openbsd/src/lib/libtls
-openssl_app_src=$CWD/openbsd/src/usr.bin/openssl
+libtls_regress=$CWD/openbsd/src/regress/lib/libtls
+app_src=$CWD/openbsd/src/usr.bin
 
 # load library versions
-source $libcrypto_src/crypto/shlib_version
+. $libcrypto_src/crypto/shlib_version
 libcrypto_version=$major:$minor:0
 echo "libcrypto version $libcrypto_version"
 echo $libcrypto_version > crypto/VERSION
 
-source $libssl_src/ssl/shlib_version
+. $libssl_src/ssl/shlib_version
 libssl_version=$major:$minor:0
 echo "libssl version $libssl_version"
 echo $libssl_version > ssl/VERSION
 
-source $libtls_src/shlib_version
+. $libtls_src/shlib_version
 libtls_version=$major:$minor:0
 echo "libtls version $libtls_version"
 echo $libtls_version > tls/VERSION
@@ -52,34 +53,40 @@ do_mv() {
 		rm -f "$1"
 	fi
 }
-CP='cp -p'
 MV='do_mv'
 
+do_cp_libc() {
+	sed "/DEF_WEAK/d" < "$1" > "$2"/`basename "$1"`
+}
+CP_LIBC='do_cp_libc'
+
+CP='cp -p'
+
 $CP $libssl_src/src/LICENSE COPYING
 
 $CP $libcrypto_src/crypto/arch/amd64/opensslconf.h include/openssl
 $CP $libssl_src/src/crypto/opensslfeatures.h include/openssl
-$CP $libssl_src/src/e_os2.h include/openssl
 $CP $libssl_src/src/ssl/pqueue.h include
 
 $CP $libtls_src/tls.h include
 $CP $libtls_src/tls.h libtls-standalone/include
 
 for i in crypto/compat libtls-standalone/compat; do
-	$CP $libc_src/crypt/arc4random.c \
+	for j in $libc_src/crypt/arc4random.c \
-		$libc_src/crypt/chacha_private.h \
+	    $libc_src/crypt/chacha_private.h \
-		$libc_src/string/explicit_bzero.c \
+	    $libc_src/string/explicit_bzero.c \
-		$libc_src/stdlib/reallocarray.c \
+	    $libc_src/stdlib/reallocarray.c \
-		$libc_src/string/strcasecmp.c \
+	    $libc_src/string/strcasecmp.c \
-		$libc_src/string/strlcpy.c \
+	    $libc_src/string/strlcpy.c \
-		$libc_src/string/strlcat.c \
+	    $libc_src/string/strlcat.c \
-		$libc_src/string/strndup.c \
+	    $libc_src/string/strndup.c \
-		$libc_src/string/strnlen.c \
+	    $libc_src/string/strnlen.c \
-		$libc_src/string/timingsafe_bcmp.c \
+	    $libc_src/string/timingsafe_bcmp.c \
-		$libc_src/string/timingsafe_memcmp.c \
+	    $libc_src/string/timingsafe_memcmp.c \
-		$libcrypto_src/crypto/getentropy_*.c \
+	    $libcrypto_src/crypto/getentropy_*.c \
-		$libcrypto_src/crypto/arc4random_*.h \
+	    $libcrypto_src/crypto/arc4random_*.h; do
-		$i
+		$CP_LIBC $j $i
+	done
 done
 
 $CP include/compat/stdlib.h \
@@ -143,7 +150,7 @@ $CP crypto/compat/ui_openssl_win.c crypto/ui
 asm_src=$libssl_src/src/crypto
 gen_asm_stdout() {
 	perl $asm_src/$2 $1 > $3.tmp
-	[[ $1 == "elf" ]] && cat <<-EOF >> $3.tmp
+	[ $1 = "elf" ] && cat <<-EOF >> $3.tmp
 	#if defined(HAVE_GNU_STACK)
 	.section .note.GNU-stack,"",%progbits
 	#endif
@@ -152,7 +159,7 @@ gen_asm_stdout() {
 }
 gen_asm() {
 	perl $asm_src/$2 $1 $3.tmp
-	[[ $1 == "elf" ]] && cat <<-EOF >> $3.tmp
+	[ $1 = "elf" ] && cat <<-EOF >> $3.tmp
 	#if defined(HAVE_GNU_STACK)
 	.section .note.GNU-stack,"",%progbits
 	#endif
@@ -191,8 +198,10 @@ for i in `awk '/SOURCES|HEADERS/ { print $3 }' tls/Makefile.am` ; do
 		$CP $libtls_src/$i libtls-standalone/src
 	fi
 done
-$CP $libc_src/string/strsep.c tls
+
-$CP $libc_src/string/strsep.c libtls-standalone/compat
+$CP_LIBC $libc_src/string/strsep.c tls
+$CP_LIBC $libc_src/string/strsep.c libtls-standalone/compat
+
 mkdir -p libtls-standalone/m4
 $CP m4/check*.m4 \
 	m4/disable*.m4 \
@@ -200,15 +209,28 @@ $CP m4/check*.m4 \
 sed -e "s/compat\///" crypto/Makefile.am.arc4random > \
 	libtls-standalone/compat/Makefile.am.arc4random
 
+# copy nc(1) source
+echo "copying nc(1) source"
+$CP $app_src/nc/nc.1 apps/nc
+rm -f apps/nc/*.c apps/nc/*.h
+$CP_LIBC $libc_src/stdlib/strtonum.c apps/nc/compat
+for i in `awk '/SOURCES|HEADERS|MANS/ { print $3 }' apps/nc/Makefile.am` ; do
+	if [ -e $app_src/nc/$i ]; then
+		$CP $app_src/nc/$i apps/nc
+	fi
+done
+
 # copy openssl(1) source
 echo "copying openssl(1) source"
-$CP $libc_src/stdlib/strtonum.c apps
+$CP $app_src/openssl/openssl.1 apps/openssl
-$CP $libcrypto_src/cert.pem apps
+rm -f apps/openssl/*.c apps/openssl/*.h
-$CP $libcrypto_src/openssl.cnf apps
+$CP_LIBC $libc_src/stdlib/strtonum.c apps/openssl/compat
-$CP $libcrypto_src/x509v3.cnf apps
+$CP $libcrypto_src/cert.pem apps/openssl
-for i in `awk '/SOURCES|HEADERS/ { print $3 }' apps/Makefile.am` ; do
+$CP $libcrypto_src/openssl.cnf apps/openssl
-	if [ -e $openssl_app_src/$i ]; then
+$CP $libcrypto_src/x509v3.cnf apps/openssl
-		$CP $openssl_app_src/$i apps
+for i in `awk '/SOURCES|HEADERS|MANS/ { print $3 }' apps/openssl/Makefile.am` ; do
+	if [ -e $app_src/openssl/$i ]; then
+		$CP $app_src/openssl/$i apps/openssl
 	fi
 done
 
@@ -231,7 +253,7 @@ $CP $libcrypto_regress/pqueue/expected.txt tests/pq_expected.txt
 # copy libc tests
 $CP $libc_regress/arc4random-fork/arc4random-fork.c tests/arc4randomforktest.c
 $CP $libc_regress/explicit_bzero/explicit_bzero.c tests
-$CP $libc_src/string/memmem.c tests
+$CP_LIBC $libc_src/string/memmem.c tests
 $CP $libc_regress/timingsafe/timingsafe.c tests
 
 # copy libssl tests
@@ -243,6 +265,11 @@ $CP $libssl_regress/unit/tests.h tests
 $CP $libssl_regress/certs/ca.pem tests
 $CP $libssl_regress/certs/server.pem tests
 
+# copy libtls tests
+for i in `find $libtls_regress -name '*.c'`; do
+	 $CP "$i" tests
+done
+
 chmod 755 tests/testssl
 
 # add headers
@@ -273,17 +300,15 @@ add_man_links() {
 	done
 }
 
-# apply local patches (Windows support)
+# apply local patches
 for i in patches/*.patch; do
     patch -p0 < $i
 done
 
 # copy manpages
 echo "copying manpages"
-echo dist_man_MANS= > man/Makefile.am
+echo EXTRA_DIST = CMakeLists.txt > man/Makefile.am
-
+echo dist_man_MANS = >> man/Makefile.am
-$CP $openssl_app_src/openssl.1 man
-echo "dist_man_MANS += openssl.1" >> man/Makefile.am
 
 $CP $libtls_src/tls_init.3 man
 echo "dist_man_MANS += tls_init.3" >> man/Makefile.am