update path to openssl(1) in testssl wrapper

run distcheck rather than just dist, cmake tests

.gitignore

@@ -41,6 +41,10 @@ Makefile.in
 *.def
 *.pc
 
+# man pages
+*.1
+*.3
+
 # tests
 test-driver
 *.log
@@ -107,14 +111,16 @@ include/pqueue.h
 include/tls.h
 include/openssl/*.h
 
-!/apps/apps_win.c
-!/apps/poll_win.c
-!/apps/certhash_disabled.c
-/apps/*.h
-/apps/*.c
-/apps/*.cnf
-/apps/*.pem
-/apps/openssl
+!/apps/nc/readpassphrase.c
+/apps/nc/*.h
+/apps/nc/*.c
+/apps/nc/nc*
+/apps/openssl/*.h
+/apps/openssl/*.c
+/apps/openssl/*.cnf
+/apps/openssl/*.pem
+/apps/openssl/openssl
+/apps/openssl/compat/strtonum.c
 
 !/crypto/Makefile.am.*
 !/crypto/compat/arc4random.h
@@ -141,7 +147,4 @@ include/openssl/*.h
 openbsd/
 
 *.tar.gz
-apps/*.1*
-man/*.3
-man/*.1
 man/Makefile.am

.travis.yml

@@ -1,24 +1,24 @@
 language: c
 matrix:
-        include:
-                - compiler: clang
-                  os: osx
-                  env: ARCH=native
-                - compiler: gcc
-                  os: osx
-                  env: ARCH=native
-                - compiler: clang
-                  os: linux
-                  env: ARCH=native
-                - compiler: gcc
-                  os: linux
-                  env: ARCH=native
-                - compiler: gcc
-                  os: linux
-                  env: ARCH=mingw32
-                - compiler: gcc
-                  os: linux
-                  env: ARCH=mingw64
+  include:
+    - compiler: clang
+      os: osx
+      env: ARCH=native
+    - compiler: gcc
+      os: osx
+      env: ARCH=native
+    - compiler: clang
+      os: linux
+      env: ARCH=native
+    - compiler: gcc
+      os: linux
+      env: ARCH=native
+    - compiler: gcc
+      os: linux
+      env: ARCH=mingw32
+    - compiler: gcc
+      os: linux
+      env: ARCH=mingw64
 
 script:
-        "./scripts/travis"
+  "./scripts/travis"

ChangeLog

@@ -28,35 +28,63 @@ history is also available from Git.
 
 LibreSSL Portable Release Notes:
 
-2.2.6
+2.3.0 - SSLv3 removed, libtls API changes, portability improvements
 
-	* Deprecated the SSL_OP_SINGLE_DH_USE flag.
+	* SSLv3 is now permanently removed from the tree.
 
-2.2.5 - Reliability Update
+	* The libtls API is changed from the 2.2.x series.
 
-	* Fixes from OpenSSL 1.0.1q
-	 - CVE-2015-3194 - NULL pointer dereference in client side certificate
-	                   validation.
-	 - CVE-2015-3195 - Memory leak in PKCS7 - not reachable from TLS/SSL
+	  The read/write functions work correctly with external event
+	  libraries.  See the tls_init man page for examples of using libtls
+	  correctly in asynchronous mode.
 
-	* The following OpenSSL CVEs did not apply to LibreSSL
-	 - CVE-2015-3193 - Carry propagating bug in the x86_64 Montgomery
-	                   squaring procedure.
-	 - CVE-2015-3196 - Double free race condition of the identify hint
-	                   data.
+	  Client-side verification is now supported, with the client supplying
+	  the certificate to the server.
 
-	 See https://marc.info/?l=openbsd-announce&m=144925068504102
+	  Also, when using tls_connect_fds, tls_connect_socket or
+	  tls_accept_fds, libtls no longer implicitly closes the passed in
+	  sockets. The caller is responsible for closing them in this case.
 
-2.2.4 - Build and bug fixes
+	* When loading a DSA key from an raw (without DH parameters) ASN.1
+	  serialization, perform some consistency checks on its `p' and `q'
+	  values, and return an error if the checks failed.
 
-	* Backported build fixes for CMake on Windows, OSX and Linux
+	  Thanks for Georgi Guninski (guninski at guninski dot com) for
+	  mentioning the possibility of a weak (non prime) q value and
+	  providing a test case.
 
-	* Fixes for a memory leak and out-of-bounds access in OBJ_obj2txt
-	  reported by Qualys Security.
-	 - CVE-2015-5333 - memory leak in OBJ_obj2txt
-	 - CVE-2015-5334 - 1-byte buffer overflow in OBJ_obj2txt
+	  See
+	  https://cpunks.org/pipermail/cypherpunks/2015-September/009007.html
+	  for a longer discussion.
 
-	 See http://www.openwall.com/lists/oss-security/2015/10/16/1
+	* Fixed a bug in ECDH_compute_key that can lead to silent truncation
+	  of the result key without error. A coding error could cause software
+	  to use much shorter keys than intended.
+
+	* Removed support for DTLS_BAD_VER. Pre-DTLSv1 implementations are no
+	  longer supported.
+
+	* The engine command and parameters are removed from the openssl(1).
+	  Previous releases removed dynamic and builtin engine support
+	  already.
+
+	* SHA-0 is removed, which was withdrawn shortly after publication 20
+	  years ago.
+
+	* Added Certplus CA root certificate to the default cert.pem file.
+
+	* New interface OPENSSL_cpu_caps is provided that does not allow
+	  software to inadvertently modify cpu capability flags.
+	  OPENSSL_ia32cap and OPENSSL_ia32cap_loc are removed.
+
+	* The out_len argument of AEAD changed from ssize_t to size_t.
+
+	* Deduplicated DTLS code, sharing bugfixes and improvements with
+	  TLS.
+
+	* Converted 'nc' to use libtls for client and server operations; it is
+	  included in the libressl-portable distribution as an example of how
+	  to use the library.
 
 2.2.3 - Bug fixes, build enhancements
 

Makefile.am.common

@@ -1,2 +1,2 @@
-AM_CFLAGS =
-AM_CPPFLAGS = -I$(top_srcdir)/include -I$(top_srcdir)/include/compat -DLIBRESSL_INTERNAL
+AM_CFLAGS = -I$(top_srcdir)/include -I$(top_srcdir)/include/compat
+AM_CPPFLAGS = -DLIBRESSL_INTERNAL

OPENBSD_BRANCH

@@ -1 +1 @@
-OPENBSD_5_8
+master

apps/CMakeLists.txt

@@ -2,77 +2,77 @@ include_directories(
 	.
 	../include
 	../include/compat
+	./openssl
 )
 
 set(
 	OPENSSL_SRC
-	apps.c
-	asn1pars.c
-	ca.c
-	ciphers.c
-	cms.c
-	crl.c
-	crl2p7.c
-	dgst.c
-	dh.c
-	dhparam.c
-	dsa.c
-	dsaparam.c
-	ec.c
-	ecparam.c
-	enc.c
-	engine.c
-	errstr.c
-	gendh.c
-	gendsa.c
-	genpkey.c
-	genrsa.c
-	nseq.c
-	ocsp.c
-	openssl.c
-	passwd.c
-	pkcs12.c
-	pkcs7.c
-	pkcs8.c
-	pkey.c
-	pkeyparam.c
-	pkeyutl.c
-	prime.c
-	rand.c
-	req.c
-	rsa.c
-	rsautl.c
-	s_cb.c
-	s_client.c
-	s_server.c
-	s_socket.c
-	s_time.c
-	sess_id.c
-	smime.c
-	speed.c
-	spkac.c
-	ts.c
-	verify.c
-	version.c
-	x509.c
+	openssl/apps.c
+	openssl/asn1pars.c
+	openssl/ca.c
+	openssl/ciphers.c
+	openssl/cms.c
+	openssl/crl.c
+	openssl/crl2p7.c
+	openssl/dgst.c
+	openssl/dh.c
+	openssl/dhparam.c
+	openssl/dsa.c
+	openssl/dsaparam.c
+	openssl/ec.c
+	openssl/ecparam.c
+	openssl/enc.c
+	openssl/errstr.c
+	openssl/gendh.c
+	openssl/gendsa.c
+	openssl/genpkey.c
+	openssl/genrsa.c
+	openssl/nseq.c
+	openssl/ocsp.c
+	openssl/openssl.c
+	openssl/passwd.c
+	openssl/pkcs12.c
+	openssl/pkcs7.c
+	openssl/pkcs8.c
+	openssl/pkey.c
+	openssl/pkeyparam.c
+	openssl/pkeyutl.c
+	openssl/prime.c
+	openssl/rand.c
+	openssl/req.c
+	openssl/rsa.c
+	openssl/rsautl.c
+	openssl/s_cb.c
+	openssl/s_client.c
+	openssl/s_server.c
+	openssl/s_socket.c
+	openssl/s_time.c
+	openssl/sess_id.c
+	openssl/smime.c
+	openssl/speed.c
+	openssl/spkac.c
+	openssl/ts.c
+	openssl/verify.c
+	openssl/version.c
+	openssl/x509.c
 )
 
 if(CMAKE_HOST_UNIX)
-	set(OPENSSL_SRC ${OPENSSL_SRC} apps_posix.c)
-	set(OPENSSL_SRC ${OPENSSL_SRC} certhash.c)
+	set(OPENSSL_SRC ${OPENSSL_SRC} openssl/apps_posix.c)
+	set(OPENSSL_SRC ${OPENSSL_SRC} openssl/certhash.c)
 endif()
 
 if(CMAKE_HOST_WIN32)
-	set(OPENSSL_SRC ${OPENSSL_SRC} apps_win.c)
-	set(OPENSSL_SRC ${OPENSSL_SRC} certhash_disabled.c)
-	set(OPENSSL_SRC ${OPENSSL_SRC} poll_win.c)
+	set(OPENSSL_SRC ${OPENSSL_SRC} openssl/compat/apps_win.c)
+	set(OPENSSL_SRC ${OPENSSL_SRC} openssl/compat/certhash_win.c)
+	set(OPENSSL_SRC ${OPENSSL_SRC} openssl/compat/poll_win.c)
 endif()
 
 check_function_exists(strtonum HAVE_STRTONUM)
 if(HAVE_STRTONUM)
 	add_definitions(-DHAVE_STRTONUM)
 else()
-	set(OPENSSL_SRC ${OPENSSL_SRC} strtonum.c)
+	set(OPENSSL_SRC ${OPENSSL_SRC} openssl/compat/strtonum.c)
 endif()
 
 add_executable(openssl ${OPENSSL_SRC})

apps/Makefile.am

@@ -1,118 +1,5 @@
 include $(top_srcdir)/Makefile.am.common
 
-bin_PROGRAMS = openssl
+SUBDIRS = openssl nc
 
-openssl_LDADD = $(PLATFORM_LDADD) $(PROG_LDADD)
-openssl_LDADD += $(top_builddir)/ssl/libssl.la
-openssl_LDADD += $(top_builddir)/crypto/libcrypto.la
-
-openssl_SOURCES = apps.c
-openssl_SOURCES += asn1pars.c
-openssl_SOURCES += ca.c
-openssl_SOURCES += ciphers.c
-openssl_SOURCES += cms.c
-openssl_SOURCES += crl.c
-openssl_SOURCES += crl2p7.c
-openssl_SOURCES += dgst.c
-openssl_SOURCES += dh.c
-openssl_SOURCES += dhparam.c
-openssl_SOURCES += dsa.c
-openssl_SOURCES += dsaparam.c
-openssl_SOURCES += ec.c
-openssl_SOURCES += ecparam.c
-openssl_SOURCES += enc.c
-openssl_SOURCES += engine.c
-openssl_SOURCES += errstr.c
-openssl_SOURCES += gendh.c
-openssl_SOURCES += gendsa.c
-openssl_SOURCES += genpkey.c
-openssl_SOURCES += genrsa.c
-openssl_SOURCES += nseq.c
-openssl_SOURCES += ocsp.c
-openssl_SOURCES += openssl.c
-openssl_SOURCES += passwd.c
-openssl_SOURCES += pkcs12.c
-openssl_SOURCES += pkcs7.c
-openssl_SOURCES += pkcs8.c
-openssl_SOURCES += pkey.c
-openssl_SOURCES += pkeyparam.c
-openssl_SOURCES += pkeyutl.c
-openssl_SOURCES += prime.c
-openssl_SOURCES += rand.c
-openssl_SOURCES += req.c
-openssl_SOURCES += rsa.c
-openssl_SOURCES += rsautl.c
-openssl_SOURCES += s_cb.c
-openssl_SOURCES += s_client.c
-openssl_SOURCES += s_server.c
-openssl_SOURCES += s_socket.c
-openssl_SOURCES += s_time.c
-openssl_SOURCES += sess_id.c
-openssl_SOURCES += smime.c
-openssl_SOURCES += speed.c
-openssl_SOURCES += spkac.c
-openssl_SOURCES += ts.c
-openssl_SOURCES += verify.c
-openssl_SOURCES += version.c
-openssl_SOURCES += x509.c
-
-if BUILD_CERTHASH
-openssl_SOURCES += certhash.c
-else
-openssl_SOURCES += certhash_disabled.c
-endif
-
-if HOST_WIN
-openssl_SOURCES += apps_win.c
-else
-openssl_SOURCES += apps_posix.c
-endif
-
-if !HAVE_POLL
-if HOST_WIN
-openssl_SOURCES += poll_win.c
-endif
-endif
-
-if !HAVE_STRTONUM
-openssl_SOURCES += strtonum.c
-endif
-
-noinst_HEADERS = apps.h
-noinst_HEADERS += progs.h
-noinst_HEADERS += s_apps.h
-noinst_HEADERS += testdsa.h
-noinst_HEADERS += testrsa.h
-noinst_HEADERS += timeouts.h
-
-EXTRA_DIST = cert.pem
-EXTRA_DIST += openssl.cnf
-EXTRA_DIST += x509v3.cnf
-EXTRA_DIST += CMakeLists.txt
-
-install-exec-hook:
-	@if [ "@OPENSSLDIR@x" != "x" ]; then \
-		OPENSSLDIR="$(DESTDIR)/@OPENSSLDIR@"; \
-	else \
-		OPENSSLDIR="$(DESTDIR)/$(sysconfdir)/ssl"; \
-	fi; \
-	mkdir -p "$$OPENSSLDIR/certs"; \
-	for i in cert.pem openssl.cnf x509v3.cnf; do \
-		if [ ! -f "$$OPENSSLDIR/$i" ]; then \
-			$(INSTALL) -m 644 "$(srcdir)/$$i" "$$OPENSSLDIR/$$i"; \
-		else \
-			echo " $$OPENSSLDIR/$$i already exists, install will not overwrite"; \
-		fi \
-	done
-
-uninstall-local:
-	@if [ "@OPENSSLDIR@x" != "x" ]; then \
-		OPENSSLDIR="$(DESTDIR)/@OPENSSLDIR@"; \
-	else \
-		OPENSSLDIR="$(DESTDIR)/$(sysconfdir)/ssl"; \
-	fi; \
-	for i in cert.pem openssl.cnf x509v3.cnf; do \
-		if cmp -s "$$OPENSSLDIR/$$i" "$(srcdir)/$$i"; then \
-			rm -f "$$OPENSSLDIR/$$i"; \
-		fi \
-	done
+EXTRA_DIST = CMakeLists.txt

apps/apps_win.c

@@ -1,29 +0,0 @@
-/*
- * Public domain
- *
- * Dongsheng Song <dongsheng.song@gmail.com>
- * Brent Cook <bcook@openbsd.org>
- */
-
-#include <windows.h>
-
-#include "apps.h"
-
-double
-app_tminterval(int stop, int usertime)
-{
-	static unsigned __int64 tmstart;
-	union {
-		unsigned __int64 u64;
-		FILETIME ft;
-	} ct, et, kt, ut;
-
-	GetProcessTimes(GetCurrentProcess(), &ct.ft, &et.ft, &kt.ft, &ut.ft);
-
-	if (stop == TM_START) {
-		tmstart = ut.u64 + kt.u64;
-	} else {
-		return (ut.u64 + kt.u64 - tmstart) / (double) 10000000;
-	}
-	return 0;
-}

apps/nc/Makefile.am

@@ -0,0 +1,36 @@
+include $(top_srcdir)/Makefile.am.common
+
+if BUILD_NC
+
+noinst_PROGRAMS = nc
+
+EXTRA_DIST = nc.1
+
+nc_LDADD = $(PLATFORM_LDADD) $(PROG_LDADD)
+nc_LDADD += $(top_builddir)/crypto/libcrypto.la
+nc_LDADD += $(top_builddir)/ssl/libssl.la
+nc_LDADD += $(top_builddir)/tls/libtls.la
+
+CPPFLAGS += -I$(top_srcdir)/apps/nc/compat
+
+nc_SOURCES = atomicio.c
+nc_SOURCES += netcat.c
+nc_SOURCES += socks.c
+noinst_HEADERS = atomicio.h
+noinst_HEADERS += compat/sys/socket.h
+
+nc_SOURCES += compat/socket.c
+
+if !HAVE_ACCEPT4
+nc_SOURCES += compat/accept4.c
+endif
+
+if !HAVE_READPASSPHRASE
+nc_SOURCES += compat/readpassphrase.c
+endif
+
+if !HAVE_STRTONUM
+nc_SOURCES += compat/strtonum.c
+endif
+
+endif

apps/nc/compat/accept4.c

@@ -0,0 +1,17 @@
+#include <sys/socket.h>
+#include <fcntl.h>
+
+int
+accept4(int s, struct sockaddr *addr, socklen_t *addrlen, int flags)
+{
+	int rets = accept(s, addr, addrlen);
+	if (rets == -1)
+		return s;
+
+	if (flags & SOCK_CLOEXEC) {
+		flags = fcntl(s, F_GETFD);
+		fcntl(rets, F_SETFD, flags | FD_CLOEXEC);
+	}
+
+	return rets;
+}

apps/nc/compat/readpassphrase.c

@@ -0,0 +1,205 @@
+/*	$OpenBSD: readpassphrase.c,v 1.22 2010/01/13 10:20:54 dtucker Exp $	*/
+
+/*
+ * Copyright (c) 2000-2002, 2007 Todd C. Miller <Todd.Miller@courtesan.com>
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+ * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+ * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ *
+ * Sponsored in part by the Defense Advanced Research Projects
+ * Agency (DARPA) and Air Force Research Laboratory, Air Force
+ * Materiel Command, USAF, under agreement number F39502-99-1-0512.
+ */
+
+/* OPENBSD ORIGINAL: lib/libc/gen/readpassphrase.c */
+
+#include <termios.h>
+#include <signal.h>
+#include <ctype.h>
+#include <fcntl.h>
+#include <errno.h>
+#include <string.h>
+#include <unistd.h>
+
+#include <readpassphrase.h>
+
+#ifndef _PATH_TTY
+# define _PATH_TTY "/dev/tty"
+#endif
+
+#ifdef TCSASOFT
+# define _T_FLUSH	(TCSAFLUSH|TCSASOFT)
+#else
+# define _T_FLUSH	(TCSAFLUSH)
+#endif
+
+/* SunOS 4.x which lacks _POSIX_VDISABLE, but has VDISABLE */
+#if !defined(_POSIX_VDISABLE) && defined(VDISABLE)
+#  define _POSIX_VDISABLE       VDISABLE
+#endif
+
+#ifndef _NSIG
+# ifdef NSIG
+#  define _NSIG NSIG
+# else
+#  define _NSIG 128
+# endif
+#endif
+
+static volatile sig_atomic_t signo[_NSIG];
+
+static void handler(int);
+
+char *
+readpassphrase(const char *prompt, char *buf, size_t bufsiz, int flags)
+{
+	ssize_t bytes_written = 0;
+	ssize_t nr;
+	int input, output, save_errno, i, need_restart;
+	char ch, *p, *end;
+	struct termios term, oterm;
+	struct sigaction sa, savealrm, saveint, savehup, savequit, saveterm;
+	struct sigaction savetstp, savettin, savettou, savepipe;
+
+	/* I suppose we could alloc on demand in this case (XXX). */
+	if (bufsiz == 0) {
+		errno = EINVAL;
+		return(NULL);
+	}
+
+restart:
+	for (i = 0; i < _NSIG; i++)
+		signo[i] = 0;
+	nr = -1;
+	save_errno = 0;
+	need_restart = 0;
+	/*
+	 * Read and write to /dev/tty if available.  If not, read from
+	 * stdin and write to stderr unless a tty is required.
+	 */
+	if ((flags & RPP_STDIN) ||
+	    (input = output = open(_PATH_TTY, O_RDWR)) == -1) {
+		if (flags & RPP_REQUIRE_TTY) {
+			errno = ENOTTY;
+			return(NULL);
+		}
+		input = STDIN_FILENO;
+		output = STDERR_FILENO;
+	}
+
+	/*
+	 * Catch signals that would otherwise cause the user to end
+	 * up with echo turned off in the shell.  Don't worry about
+	 * things like SIGXCPU and SIGVTALRM for now.
+	 */
+	sigemptyset(&sa.sa_mask);
+	sa.sa_flags = 0;		/* don't restart system calls */
+	sa.sa_handler = handler;
+	(void)sigaction(SIGALRM, &sa, &savealrm);
+	(void)sigaction(SIGHUP, &sa, &savehup);
+	(void)sigaction(SIGINT, &sa, &saveint);
+	(void)sigaction(SIGPIPE, &sa, &savepipe);
+	(void)sigaction(SIGQUIT, &sa, &savequit);
+	(void)sigaction(SIGTERM, &sa, &saveterm);
+	(void)sigaction(SIGTSTP, &sa, &savetstp);
+	(void)sigaction(SIGTTIN, &sa, &savettin);
+	(void)sigaction(SIGTTOU, &sa, &savettou);
+
+	/* Turn off echo if possible. */
+	if (input != STDIN_FILENO && tcgetattr(input, &oterm) == 0) {
+		memcpy(&term, &oterm, sizeof(term));
+		if (!(flags & RPP_ECHO_ON))
+			term.c_lflag &= ~(ECHO | ECHONL);
+#ifdef VSTATUS
+		if (term.c_cc[VSTATUS] != _POSIX_VDISABLE)
+			term.c_cc[VSTATUS] = _POSIX_VDISABLE;
+#endif
+		(void)tcsetattr(input, _T_FLUSH, &term);
+	} else {
+		memset(&term, 0, sizeof(term));
+		term.c_lflag |= ECHO;
+		memset(&oterm, 0, sizeof(oterm));
+		oterm.c_lflag |= ECHO;
+	}
+
+	/* No I/O if we are already backgrounded. */
+	if (signo[SIGTTOU] != 1 && signo[SIGTTIN] != 1) {
+		if (!(flags & RPP_STDIN))
+			bytes_written = write(output, prompt, strlen(prompt));
+		end = buf + bufsiz - 1;
+		p = buf;
+		while ((nr = read(input, &ch, 1)) == 1 && ch != '\n' && ch != '\r') {
+			if (p < end) {
+				if ((flags & RPP_SEVENBIT))
+					ch &= 0x7f;
+				if (isalpha(ch)) {
+					if ((flags & RPP_FORCELOWER))
+						ch = (char)tolower(ch);
+					if ((flags & RPP_FORCEUPPER))
+						ch = (char)toupper(ch);
+				}
+				*p++ = ch;
+			}
+		}
+		*p = '\0';
+		save_errno = errno;
+		if (!(term.c_lflag & ECHO))
+			bytes_written = write(output, "\n", 1);
+	}
+
+	(void) bytes_written;
+
+	/* Restore old terminal settings and signals. */
+	if (memcmp(&term, &oterm, sizeof(term)) != 0) {
+		while (tcsetattr(input, _T_FLUSH, &oterm) == -1 &&
+		    errno == EINTR)
+			continue;
+	}
+	(void)sigaction(SIGALRM, &savealrm, NULL);
+	(void)sigaction(SIGHUP, &savehup, NULL);
+	(void)sigaction(SIGINT, &saveint, NULL);
+	(void)sigaction(SIGQUIT, &savequit, NULL);
+	(void)sigaction(SIGPIPE, &savepipe, NULL);
+	(void)sigaction(SIGTERM, &saveterm, NULL);
+	(void)sigaction(SIGTSTP, &savetstp, NULL);
+	(void)sigaction(SIGTTIN, &savettin, NULL);
+	(void)sigaction(SIGTTOU, &savettou, NULL);
+	if (input != STDIN_FILENO)
+		(void)close(input);
+
+	/*
+	 * If we were interrupted by a signal, resend it to ourselves
+	 * now that we have restored the signal handlers.
+	 */
+	for (i = 0; i < _NSIG; i++) {
+		if (signo[i]) {
+			kill(getpid(), i);
+			switch (i) {
+			case SIGTSTP:
+			case SIGTTIN:
+			case SIGTTOU:
+				need_restart = 1;
+			}
+		}
+	}
+	if (need_restart)
+		goto restart;
+
+	if (save_errno)
+		errno = save_errno;
+	return(nr == -1 ? NULL : buf);
+}
+
+static void handler(int s)
+{
+	signo[s] = 1;
+}

apps/nc/compat/socket.c

@@ -0,0 +1,29 @@
+#define SOCKET_FLAGS_PRIV
+
+#include <sys/socket.h>
+
+#ifdef NEED_SOCKET_FLAGS
+
+#include <fcntl.h>
+
+int
+_socket(int domain, int type, int protocol)
+{
+	int s = socket(domain, type & ~(SOCK_CLOEXEC | SOCK_NONBLOCK), protocol);
+	int flags;
+	if (s == -1)
+		return s;
+
+	if (type & SOCK_CLOEXEC) {
+		flags = fcntl(s, F_GETFD);
+		fcntl(s, F_SETFD, flags | FD_CLOEXEC);
+	}
+
+	if (type & SOCK_NONBLOCK) {
+		flags = fcntl(s, F_GETFL);
+		fcntl(s, F_SETFL, flags | O_NONBLOCK);
+	}
+	return s;
+}
+
+#endif

apps/nc/compat/strtonum.c

@@ -0,0 +1,65 @@
+/*	$OpenBSD: strtonum.c,v 1.7 2013/04/17 18:40:58 tedu Exp $	*/
+
+/*
+ * Copyright (c) 2004 Ted Unangst and Todd Miller
+ * All rights reserved.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+ * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+ * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+
+#include <errno.h>
+#include <limits.h>
+#include <stdlib.h>
+
+#define	INVALID		1
+#define	TOOSMALL	2
+#define	TOOLARGE	3
+
+long long
+strtonum(const char *numstr, long long minval, long long maxval,
+    const char **errstrp)
+{
+	long long ll = 0;
+	int error = 0;
+	char *ep;
+	struct errval {
+		const char *errstr;
+		int err;
+	} ev[4] = {
+		{ NULL,		0 },
+		{ "invalid",	EINVAL },
+		{ "too small",	ERANGE },
+		{ "too large",	ERANGE },
+	};
+
+	ev[0].err = errno;
+	errno = 0;
+	if (minval > maxval) {
+		error = INVALID;
+	} else {
+		ll = strtoll(numstr, &ep, 10);
+		if (numstr == ep || *ep != '\0')
+			error = INVALID;
+		else if ((ll == LLONG_MIN && errno == ERANGE) || ll < minval)
+			error = TOOSMALL;
+		else if ((ll == LLONG_MAX && errno == ERANGE) || ll > maxval)
+			error = TOOLARGE;
+	}
+	if (errstrp != NULL)
+		*errstrp = ev[error].errstr;
+	errno = ev[error].err;
+	if (error)
+		ll = 0;
+
+	return (ll);
+}

apps/nc/compat/sys/socket.h

@@ -0,0 +1,31 @@
+/*
+ * Public domain
+ * sys/socket.h compatibility shim
+ */
+
+#ifndef _WIN32
+#include_next <sys/socket.h>
+
+#if !defined(SOCK_NONBLOCK) || !defined(SOCK_CLOEXEC)
+#define NEED_SOCKET_FLAGS
+int _socket(int domain, int type, int protocol);
+#ifndef SOCKET_FLAGS_PRIV
+#define socket(d, t, p) _socket(d, t, p)
+#endif
+#endif
+
+#ifndef SOCK_NONBLOCK
+#define	SOCK_NONBLOCK		0x4000	/* set O_NONBLOCK */
+#endif
+
+#ifndef SOCK_CLOEXEC
+#define	SOCK_CLOEXEC		0x8000	/* set FD_CLOEXEC */
+#endif
+
+#ifndef HAVE_ACCEPT4
+int accept4(int s, struct sockaddr *addr, socklen_t *addrlen, int flags);
+#endif
+
+#else
+#include <win32netcompat.h>
+#endif

apps/openssl/Makefile.am

@@ -0,0 +1,118 @@
+include $(top_srcdir)/Makefile.am.common
+
+bin_PROGRAMS = openssl
+
+dist_man_MANS = openssl.1
+
+openssl_LDADD = $(PLATFORM_LDADD) $(PROG_LDADD)
+openssl_LDADD += $(top_builddir)/ssl/libssl.la
+openssl_LDADD += $(top_builddir)/crypto/libcrypto.la
+
+openssl_SOURCES = apps.c
+openssl_SOURCES += asn1pars.c
+openssl_SOURCES += ca.c
+openssl_SOURCES += ciphers.c
+openssl_SOURCES += cms.c
+openssl_SOURCES += crl.c
+openssl_SOURCES += crl2p7.c
+openssl_SOURCES += dgst.c
+openssl_SOURCES += dh.c
+openssl_SOURCES += dhparam.c
+openssl_SOURCES += dsa.c
+openssl_SOURCES += dsaparam.c
+openssl_SOURCES += ec.c
+openssl_SOURCES += ecparam.c
+openssl_SOURCES += enc.c
+openssl_SOURCES += errstr.c
+openssl_SOURCES += gendh.c
+openssl_SOURCES += gendsa.c
+openssl_SOURCES += genpkey.c
+openssl_SOURCES += genrsa.c
+openssl_SOURCES += nseq.c
+openssl_SOURCES += ocsp.c
+openssl_SOURCES += openssl.c
+openssl_SOURCES += passwd.c
+openssl_SOURCES += pkcs12.c
+openssl_SOURCES += pkcs7.c
+openssl_SOURCES += pkcs8.c
+openssl_SOURCES += pkey.c
+openssl_SOURCES += pkeyparam.c
+openssl_SOURCES += pkeyutl.c
+openssl_SOURCES += prime.c
+openssl_SOURCES += rand.c
+openssl_SOURCES += req.c
+openssl_SOURCES += rsa.c
+openssl_SOURCES += rsautl.c
+openssl_SOURCES += s_cb.c
+openssl_SOURCES += s_client.c
+openssl_SOURCES += s_server.c
+openssl_SOURCES += s_socket.c
+openssl_SOURCES += s_time.c
+openssl_SOURCES += sess_id.c
+openssl_SOURCES += smime.c
+openssl_SOURCES += speed.c
+openssl_SOURCES += spkac.c
+openssl_SOURCES += ts.c
+openssl_SOURCES += verify.c
+openssl_SOURCES += version.c
+openssl_SOURCES += x509.c
+
+if BUILD_CERTHASH
+openssl_SOURCES += certhash.c
+else
+openssl_SOURCES += compat/certhash_win.c
+endif
+
+if HOST_WIN
+openssl_SOURCES += compat/apps_win.c
+else
+openssl_SOURCES += apps_posix.c
+endif
+
+if !HAVE_POLL
+if HOST_WIN
+openssl_SOURCES += compat/poll_win.c
+endif
+endif
+
+if !HAVE_STRTONUM
+openssl_SOURCES += compat/strtonum.c
+endif
+
+noinst_HEADERS = apps.h
+noinst_HEADERS += progs.h
+noinst_HEADERS += s_apps.h
+noinst_HEADERS += testdsa.h
+noinst_HEADERS += testrsa.h
+noinst_HEADERS += timeouts.h
+
+EXTRA_DIST = cert.pem
+EXTRA_DIST += openssl.cnf
+EXTRA_DIST += x509v3.cnf
+
+install-exec-hook:
+	@if [ "@OPENSSLDIR@x" != "x" ]; then \
+		OPENSSLDIR="$(DESTDIR)/@OPENSSLDIR@"; \
+	else \
+		OPENSSLDIR="$(DESTDIR)/$(sysconfdir)/ssl"; \
+	fi; \
+	mkdir -p "$$OPENSSLDIR/certs"; \
+	for i in cert.pem openssl.cnf x509v3.cnf; do \
+		if [ ! -f "$$OPENSSLDIR/$i" ]; then \
+			$(INSTALL) -m 644 "$(srcdir)/$$i" "$$OPENSSLDIR/$$i"; \
+		else \
+			echo " $$OPENSSLDIR/$$i already exists, install will not overwrite"; \
+		fi \
+	done
+
+uninstall-local:
+	@if [ "@OPENSSLDIR@x" != "x" ]; then \
+		OPENSSLDIR="$(DESTDIR)/@OPENSSLDIR@"; \
+	else \
+		OPENSSLDIR="$(DESTDIR)/$(sysconfdir)/ssl"; \
+	fi; \
+	for i in cert.pem openssl.cnf x509v3.cnf; do \
+		if cmp -s "$$OPENSSLDIR/$$i" "$(srcdir)/$$i"; then \
+			rm -f "$$OPENSSLDIR/$$i"; \
+		fi \
+	done

apps/openssl/compat/apps_win.c

@@ -0,0 +1,60 @@
+/*
+ * Public domain
+ *
+ * Dongsheng Song <dongsheng.song@gmail.com>
+ * Brent Cook <bcook@openbsd.org>
+ */
+
+#include <windows.h>
+
+#include <io.h>
+#include <fcntl.h>
+
+#include <apps.h>
+
+double
+app_tminterval(int stop, int usertime)
+{
+	static unsigned __int64 tmstart;
+	union {
+		unsigned __int64 u64;
+		FILETIME ft;
+	} ct, et, kt, ut;
+
+	GetProcessTimes(GetCurrentProcess(), &ct.ft, &et.ft, &kt.ft, &ut.ft);
+
+	if (stop == TM_START) {
+		tmstart = ut.u64 + kt.u64;
+	} else {
+		return (ut.u64 + kt.u64 - tmstart) / (double) 10000000;
+	}
+	return 0;
+}
+
+int
+setup_ui(void)
+{
+	ui_method = UI_create_method("OpenSSL application user interface");
+	UI_method_set_opener(ui_method, ui_open);
+	UI_method_set_reader(ui_method, ui_read);
+	UI_method_set_writer(ui_method, ui_write);
+	UI_method_set_closer(ui_method, ui_close);
+
+	/*
+	 * Set STDIO to binary
+	 */
+	_setmode(_fileno(stdin), _O_BINARY);
+	_setmode(_fileno(stdout), _O_BINARY);
+	_setmode(_fileno(stderr), _O_BINARY);
+
+	return 0;
+}
+
+void
+destroy_ui(void)
+{
+	if (ui_method) {
+		UI_destroy_method(ui_method);
+		ui_method = NULL;
+	}
+}

apps/openssl/compat/certhash_win.c

@@ -3,7 +3,7 @@
  * certhash dummy implementation for platforms without symlinks
  */
 
-#include "apps.h"
+#include <apps.h>
 
 int
 certhash_main(int argc, char **argv)

check-release.sh

@@ -0,0 +1,70 @@
+#!/bin/sh
+set -e
+
+ver=$1
+dir=libressl-$ver
+tarball=$dir.tar.gz
+tag=v$ver
+
+if [ -z "$LIBRESSL_SSH" ]; then
+	if ! curl -v 1>/dev/null 2>&1; then
+		download="curl -O"
+	elif echo quit | ftp 1>/dev/null 2>&1; then
+		download=ftp
+	else
+		echo "need 'ftp' or 'curl' to verify"
+		exit
+	fi
+fi
+
+if [ "$ver" = "" ]; then
+	echo "please specify a version to check, e.g. $0 2.1.2"
+	exit
+fi
+
+if [ ! -e releases/$tarball ]; then
+	mkdir -p releases
+	rm -f $tarball
+	if [ -z "$LIBRESSL_SSH" ]; then
+		$download http://ftp.openbsd.org/pub/OpenBSD/LibreSSL/$tarball releases/
+		mv $tarball releases
+	else
+		scp $LIBRESSL_SSH/$tarball releases
+	fi
+	(cd releases; tar zxvf $tarball)
+fi
+
+if [ ! -e gen-releases/$tarball ]; then
+	rm -fr tests man include ssl crypto libtls-standalone/VERSION INSTALL
+	git checkout OPENBSD_BRANCH update.sh tests man include ssl crypto
+	git checkout $tag
+	echo "libressl-$tag" > OPENBSD_BRANCH
+	sed -i 's/git pull --rebase//' update.sh
+	./autogen.sh
+	./configure --enable-libtls
+	make dist
+
+	mkdir -p gen-releases
+	mv $tarball gen-releases
+
+	git checkout OPENBSD_BRANCH update.sh
+	git checkout master
+fi
+
+(cd gen-releases; rm -fr $dir; tar zxf $tarball)
+(cd releases; rm -fr $dir; tar zxf $tarball)
+
+echo "differences between release and regenerated release tag:"
+diff -urN \
+	-x *.3 \
+	-x Makefile.in \
+	-x aclocal.m4 \
+	-x compile \
+	-x config.guess \
+	-x config.sub \
+	-x configure \
+	-x depcomp \
+	-x install-sh \
+	-x missing \
+	-x test-driver \
+	releases/$dir gen-releases/$dir

configure.ac

@@ -52,8 +52,6 @@ CHECK_LIBC_COMPAT
 CHECK_LIBC_CRYPTO_COMPAT
 CHECK_VA_COPY
 
-AC_CHECK_HEADERS([err.h])
-
 AC_ARG_WITH([openssldir],
 	AS_HELP_STRING([--with-openssldir],
 		       [Set the default openssl directory]),
@@ -86,6 +84,10 @@ case $host_cpu in
 		AS_IF([test "x$BSWAP4" = "xyes"],,
 		    CPPFLAGS="$CPPFLAGS -D__STRICT_ALIGNMENT")
 		;;
+	*amd64*)
+		host_cpu=x86_64
+		;;
+
 esac
 
 AC_MSG_CHECKING([if .gnu.warning accepts long strings])
@@ -119,6 +121,8 @@ AC_CONFIG_FILES([
 	tls/Makefile
 	tests/Makefile
 	apps/Makefile
+	apps/openssl/Makefile
+	apps/nc/Makefile
 	man/Makefile
 	libcrypto.pc
 	libssl.pc

crypto/CMakeLists.txt

@@ -263,7 +263,6 @@ set(
 	ecdh/ech_err.c
 	ecdh/ech_key.c
 	ecdh/ech_lib.c
-	ecdh/ech_ossl.c
 	ecdsa/ecs_asn1.c
 	ecdsa/ecs_err.c
 	ecdsa/ecs_lib.c
@@ -335,7 +334,6 @@ set(
 	evp/m_md5.c
 	evp/m_null.c
 	evp/m_ripemd.c
-	evp/m_sha.c
 	evp/m_sha1.c
 	evp/m_sigver.c
 	evp/m_streebog.c
@@ -473,8 +471,6 @@ set(
 	sha/sha1dgst.c
 	sha/sha256.c
 	sha/sha512.c
-	sha/sha_dgst.c
-	sha/sha_one.c
 	stack/stack.c
 	ts/ts_asn1.c
 	ts/ts_conf.c

crypto/Makefile.am

@@ -1,8 +1,8 @@
 include $(top_srcdir)/Makefile.am.common
 
-AM_CPPFLAGS += -I$(top_srcdir)/crypto/asn1
-AM_CPPFLAGS += -I$(top_srcdir)/crypto/evp
-AM_CPPFLAGS += -I$(top_srcdir)/crypto/modes
+AM_CFLAGS += -I$(top_srcdir)/crypto/asn1
+AM_CFLAGS += -I$(top_srcdir)/crypto/evp
+AM_CFLAGS += -I$(top_srcdir)/crypto/modes
 
 lib_LTLIBRARIES = libcrypto.la
 
@@ -14,8 +14,7 @@ EXTRA_DIST += compat/strcasecmp.c
 
 libcrypto_la_LDFLAGS = -version-info @LIBCRYPTO_VERSION@ -no-undefined
 libcrypto_la_LIBADD = libcompat.la libcompatnoopt.la
-libcrypto_la_CPPFLAGS = $(AM_CPPFLAGS)
-libcrypto_la_CPPFLAGS += -DLIBRESSL_INTERNAL
+libcrypto_la_CPPFLAGS = -DLIBRESSL_INTERNAL
 libcrypto_la_CPPFLAGS += -DOPENSSL_NO_HW_PADLOCK
 if OPENSSL_NO_ASM
 libcrypto_la_CPPFLAGS += -DOPENSSL_NO_ASM
@@ -420,7 +419,6 @@ noinst_HEADERS += ec/ec_lcl.h
 libcrypto_la_SOURCES += ecdh/ech_err.c
 libcrypto_la_SOURCES += ecdh/ech_key.c
 libcrypto_la_SOURCES += ecdh/ech_lib.c
-libcrypto_la_SOURCES += ecdh/ech_ossl.c
 noinst_HEADERS += ecdh/ech_locl.h
 
 # ecdsa
@@ -503,7 +501,6 @@ libcrypto_la_SOURCES += evp/m_md4.c
 libcrypto_la_SOURCES += evp/m_md5.c
 libcrypto_la_SOURCES += evp/m_null.c
 libcrypto_la_SOURCES += evp/m_ripemd.c
-libcrypto_la_SOURCES += evp/m_sha.c
 libcrypto_la_SOURCES += evp/m_sha1.c
 libcrypto_la_SOURCES += evp/m_sigver.c
 libcrypto_la_SOURCES += evp/m_streebog.c
@@ -697,8 +694,6 @@ libcrypto_la_SOURCES += sha/sha1_one.c
 libcrypto_la_SOURCES += sha/sha1dgst.c
 libcrypto_la_SOURCES += sha/sha256.c
 libcrypto_la_SOURCES += sha/sha512.c
-libcrypto_la_SOURCES += sha/sha_dgst.c
-libcrypto_la_SOURCES += sha/sha_one.c
 noinst_HEADERS += sha/sha_locl.h
 
 # stack

crypto/compat/ui_openssl_win.c

@@ -286,7 +286,7 @@ error:
 	if (ps >= 1)
 		popsig();
 
-	OPENSSL_cleanse(result, BUFSIZ);
+	explicit_bzero(result, BUFSIZ);
 	return ok;
 }
 

dist-win.sh

@@ -29,20 +29,11 @@ for ARCH in X86 X64; do
 	make -j 4 install DESTDIR=`pwd`/stage-$ARCHDIR
 
 	mkdir -p $DIST/$ARCHDIR
-	#cp -a stage-$ARCHDIR/usr/local/lib/* $DIST/$ARCHDIR
 	if [ ! -e $DIST/include ]; then
-		cp -a stage-$ARCHDIR/usr/local/include $DIST
-		sed -i -e 'N;/\n.*__non/s/"\? *\n/ /;P;D' \
-		       $DIST/include/openssl/*.h $DIST/include/*.h
-		sed -i -e 'N;/\n.*__attr/s/"\? *\n/ /;P;D' \
-		       $DIST/include/openssl/*.h $DIST/include/*.h
-		sed -i -e "s/__attr.*;/;/"  \
-		       -e "s/sys\/time.h/winsock2.h/" \
-		       $DIST/include/openssl/*.h $DIST/include/*.h
+		cp -r stage-$ARCHDIR/usr/local/include $DIST
 	fi
 
 	cp stage-$ARCHDIR/usr/local/bin/* $DIST/$ARCHDIR
-	#cp /usr/$HOST/sys-root/mingw/bin/libssp* $DIST/$ARCHDIR
 
 	for i in libcrypto libssl libtls; do
 		DLL=$(basename `ls -1 $DIST/$ARCHDIR/$i*.dll`|cut -d. -f1)

gen-openbsd-tags.sh

@@ -0,0 +1,20 @@
+#!/bin/sh
+set -e
+
+for tag in `git tag`; do
+	branch=master
+	if [[ $tag = v2.0* ]]; then
+		branch=OPENBSD_5_6
+	elif [[ $tag = v2.1* ]]; then
+		branch=OPENBSD_5_7
+	elif [[ $tag = v2.2* ]]; then
+		branch=OPENBSD_5_8
+	elif [[ $tag = v2.3* ]]; then
+		branch=OPENBSD_5_9
+	fi
+	# adjust for 9 hour timezone delta between trees
+	release_ts=$((`git show -s --format=%ct $tag|tail -n1` + 32400))
+	commit=`git -C openbsd rev-list -n 1 --before=$release_ts $branch`
+	git -C openbsd tag -f libressl-$tag $commit
+	echo Tagged $tag as $commit in openbsd
+done

include/Makefile.am

@@ -10,6 +10,7 @@ noinst_HEADERS += compat/dirent_msvc.h
 noinst_HEADERS += compat/err.h
 noinst_HEADERS += compat/netdb.h
 noinst_HEADERS += compat/poll.h
+noinst_HEADERS += compat/readpassphrase.h
 noinst_HEADERS += compat/stdio.h
 noinst_HEADERS += compat/stdlib.h
 noinst_HEADERS += compat/string.h
@@ -23,6 +24,7 @@ noinst_HEADERS += compat/arpa/nameser.h
 noinst_HEADERS += compat/machine/endian.h
 
 noinst_HEADERS += compat/netinet/in.h
+noinst_HEADERS += compat/netinet/ip.h
 noinst_HEADERS += compat/netinet/tcp.h
 
 noinst_HEADERS += compat/sys/cdefs.h
@@ -30,8 +32,8 @@ noinst_HEADERS += compat/sys/ioctl.h
 noinst_HEADERS += compat/sys/mman.h
 noinst_HEADERS += compat/sys/param.h
 noinst_HEADERS += compat/sys/select.h
-noinst_HEADERS += compat/sys/stat.h
 noinst_HEADERS += compat/sys/socket.h
+noinst_HEADERS += compat/sys/stat.h
 noinst_HEADERS += compat/sys/time.h
 noinst_HEADERS += compat/sys/types.h
 noinst_HEADERS += compat/sys/uio.h

include/compat/netinet/ip.h

@@ -0,0 +1,43 @@
+/*
+ * Public domain
+ * netinet/ip.h compatibility shim
+ */
+
+#ifndef _WIN32
+#include_next <netinet/ip.h>
+#else
+#include <win32netcompat.h>
+#endif
+
+/*
+ * Definitions for DiffServ Codepoints as per RFC2474
+ */
+#ifndef IPTOS_DSCP_CS0
+#define	IPTOS_DSCP_CS0		0x00
+#define	IPTOS_DSCP_CS1		0x20
+#define	IPTOS_DSCP_CS2		0x40
+#define	IPTOS_DSCP_CS3		0x60
+#define	IPTOS_DSCP_CS4		0x80
+#define	IPTOS_DSCP_CS5		0xa0
+#define	IPTOS_DSCP_CS6		0xc0
+#define	IPTOS_DSCP_CS7		0xe0
+#endif
+
+#ifndef IPTOS_DSCP_AF11
+#define	IPTOS_DSCP_AF11		0x28
+#define	IPTOS_DSCP_AF12		0x30
+#define	IPTOS_DSCP_AF13		0x38
+#define	IPTOS_DSCP_AF21		0x48
+#define	IPTOS_DSCP_AF22		0x50
+#define	IPTOS_DSCP_AF23		0x58
+#define	IPTOS_DSCP_AF31		0x68
+#define	IPTOS_DSCP_AF32		0x70
+#define	IPTOS_DSCP_AF33		0x78
+#define	IPTOS_DSCP_AF41		0x88
+#define	IPTOS_DSCP_AF42		0x90
+#define	IPTOS_DSCP_AF43		0x98
+#endif
+
+#ifndef IPTOS_DSCP_EF
+#define	IPTOS_DSCP_EF		0xb8
+#endif

include/compat/readpassphrase.h

@@ -0,0 +1,48 @@
+/*	$OpenBSD: readpassphrase.h,v 1.5 2003/06/17 21:56:23 millert Exp $	*/
+
+/*
+ * Copyright (c) 2000, 2002 Todd C. Miller <Todd.Miller@courtesan.com>
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+ * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+ * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ *
+ * Sponsored in part by the Defense Advanced Research Projects
+ * Agency (DARPA) and Air Force Research Laboratory, Air Force
+ * Materiel Command, USAF, under agreement number F39502-99-1-0512.
+ */
+
+#ifdef HAVE_READPASSPHRASE_H
+
+#include_next <readpassphrase.h>
+
+#else
+
+#ifndef _READPASSPHRASE_H_
+#define _READPASSPHRASE_H_
+
+#define RPP_ECHO_OFF    0x00		/* Turn off echo (default). */
+#define RPP_ECHO_ON     0x01		/* Leave echo on. */
+#define RPP_REQUIRE_TTY 0x02		/* Fail if there is no tty. */
+#define RPP_FORCELOWER  0x04		/* Force input to lower case. */
+#define RPP_FORCEUPPER  0x08		/* Force input to upper case. */
+#define RPP_SEVENBIT    0x10		/* Strip the high bit from input. */
+#define RPP_STDIN       0x20		/* Read from stdin, not /dev/tty */
+
+#include <sys/cdefs.h>
+
+__BEGIN_DECLS
+char * readpassphrase(const char *, char *, size_t, int);
+__END_DECLS
+
+#endif /* !_READPASSPHRASE_H_ */
+
+#endif

m4/check-libc.m4

@@ -1,11 +1,15 @@
 AC_DEFUN([CHECK_LIBC_COMPAT], [
+# Check for libc headers
+AC_CHECK_HEADERS([err.h readpassphrase.h])
 # Check for general libc functions
-AC_CHECK_FUNCS([asprintf inet_pton memmem poll reallocarray])
+AC_CHECK_FUNCS([accept4 asprintf inet_pton memmem poll readpassphrase reallocarray])
 AC_CHECK_FUNCS([strlcat strlcpy strndup strnlen strsep strtonum])
+AM_CONDITIONAL([HAVE_ACCEPT4], [test "x$ac_cv_func_accept4" = xyes])
 AM_CONDITIONAL([HAVE_ASPRINTF], [test "x$ac_cv_func_asprintf" = xyes])
 AM_CONDITIONAL([HAVE_INET_PTON], [test "x$ac_cv_func_inet_pton" = xyes])
 AM_CONDITIONAL([HAVE_MEMMEM], [test "x$ac_cv_func_memmem" = xyes])
 AM_CONDITIONAL([HAVE_POLL], [test "x$ac_cv_func_poll" = xyes])
+AM_CONDITIONAL([HAVE_READPASSPHRASE], [test "x$ac_cv_func_readpassphrase" = xyes])
 AM_CONDITIONAL([HAVE_REALLOCARRAY], [test "x$ac_cv_func_reallocarray" = xyes])
 AM_CONDITIONAL([HAVE_STRLCAT], [test "x$ac_cv_func_strlcat" = xyes])
 AM_CONDITIONAL([HAVE_STRLCPY], [test "x$ac_cv_func_strlcpy" = xyes])

m4/check-os-options.m4

@@ -15,8 +15,10 @@ case $host_os in
 		HOST_OS=cygwin
 		;;
 	*darwin*)
+		BUILD_NC=yes
 		HOST_OS=darwin
 		HOST_ABI=macosx
+		AC_SUBST([PROG_LDADD], ['-lresolv'])
 		;;
 	*freebsd*)
 		HOST_OS=freebsd
@@ -34,15 +36,19 @@ case $host_os in
 		AC_SUBST([PLATFORM_LDADD], ['-lpthread'])
 		;;
 	*linux*)
+		BUILD_NC=yes
 		HOST_OS=linux
 		HOST_ABI=elf
 		CPPFLAGS="$CPPFLAGS -D_DEFAULT_SOURCE -D_BSD_SOURCE -D_POSIX_SOURCE -D_GNU_SOURCE"
+		AC_SUBST([PROG_LDADD], ['-lresolv'])
 		;;
 	*netbsd*)
 		HOST_OS=netbsd
 		CPPFLAGS="$CPPFLAGS -D_OPENBSD_SOURCE"
 		;;
 	*openbsd* | *bitrig*)
+		BUILD_NC=yes
+		HOST_OS=openbsd
 		HOST_ABI=elf
 		AC_DEFINE([HAVE_ATTRIBUTE__BOUNDED__], [1], [OpenBSD gcc has bounded])
 		;;
@@ -65,6 +71,7 @@ case $host_os in
 	*) ;;
 esac
 
+AM_CONDITIONAL([BUILD_NC],     [test x$BUILD_NC = xyes])
 AM_CONDITIONAL([HOST_AIX],     [test x$HOST_OS = xaix])
 AM_CONDITIONAL([HOST_CYGWIN],  [test x$HOST_OS = xcygwin])
 AM_CONDITIONAL([HOST_DARWIN],  [test x$HOST_OS = xdarwin])
@@ -72,6 +79,7 @@ AM_CONDITIONAL([HOST_FREEBSD], [test x$HOST_OS = xfreebsd])
 AM_CONDITIONAL([HOST_HPUX],    [test x$HOST_OS = xhpux])
 AM_CONDITIONAL([HOST_LINUX],   [test x$HOST_OS = xlinux])
 AM_CONDITIONAL([HOST_NETBSD],  [test x$HOST_OS = xnetbsd])
+AM_CONDITIONAL([HOST_OPENBSD], [test x$HOST_OS = xopenbsd])
 AM_CONDITIONAL([HOST_SOLARIS], [test x$HOST_OS = xsolaris])
 AM_CONDITIONAL([HOST_WIN],     [test x$HOST_OS = xwin])
 ])

man/links

@@ -446,7 +446,6 @@ EVP_DigestInit.3,EVP_md2.3
 EVP_DigestInit.3,EVP_md5.3
 EVP_DigestInit.3,EVP_md_null.3
 EVP_DigestInit.3,EVP_ripemd160.3
-EVP_DigestInit.3,EVP_sha.3
 EVP_DigestInit.3,EVP_sha1.3
 EVP_DigestInit.3,EVP_sha224.3
 EVP_DigestInit.3,EVP_sha256.3
@@ -1104,8 +1103,11 @@ tls_init.3,tls_config_clear_keys.3
 tls_init.3,tls_config_free.3
 tls_init.3,tls_config_insecure_noverifycert.3
 tls_init.3,tls_config_insecure_noverifyname.3
+tls_init.3,tls_config_insecure_noverifytime.3
 tls_init.3,tls_config_new.3
 tls_init.3,tls_config_parse_protocols.3
+tls_init.3,tls_config_prefer_ciphers_client.3
+tls_init.3,tls_config_prefer_ciphers_server.3
 tls_init.3,tls_config_set_ca_file.3
 tls_init.3,tls_config_set_ca_mem.3
 tls_init.3,tls_config_set_ca_path.3
@@ -1119,14 +1121,24 @@ tls_init.3,tls_config_set_key_mem.3
 tls_init.3,tls_config_set_protocols.3
 tls_init.3,tls_config_set_verify_depth.3
 tls_init.3,tls_config_verify.3
+tls_init.3,tls_config_verify_client.3
+tls_init.3,tls_config_verify_client_optional.3
 tls_init.3,tls_configure.3
+tls_init.3,tls_conn_cipher.3
+tls_init.3,tls_conn_version.3
 tls_init.3,tls_connect.3
 tls_init.3,tls_connect_fds.3
 tls_init.3,tls_connect_servername.3
 tls_init.3,tls_connect_socket.3
 tls_init.3,tls_error.3
 tls_init.3,tls_free.3
+tls_init.3,tls_handshake.3
 tls_init.3,tls_load_file.3
+tls_init.3,tls_peer_cert_contains_name.3
+tls_init.3,tls_peer_cert_hash.3
+tls_init.3,tls_peer_cert_issuer.3
+tls_init.3,tls_peer_cert_provided.3
+tls_init.3,tls_peer_cert_subject.3
 tls_init.3,tls_read.3
 tls_init.3,tls_reset.3
 tls_init.3,tls_server.3

man/update_links.sh

@@ -3,7 +3,7 @@
 # Run this periodically to ensure that the manpage links are up to date
 
 echo "# This is an auto-generated file by $0" > links
-sudo makewhatis
+doas makewhatis
 for i in `ls -1 *.3`; do
   name=`echo $i|cut -d. -f1`
   links=`sqlite3 /usr/share/man/mandoc.db \

patches/arc4random.c.patch

@@ -1,15 +0,0 @@
---- crypto/compat/arc4random.c.orig	2015-07-20 07:41:17.000000000 -0600
-+++ crypto/compat/arc4random.c	2015-07-20 07:41:58.000000000 -0600
-@@ -36,8 +36,11 @@
- #define KEYSTREAM_ONLY
- #include "chacha_private.h"
- 
-+#ifndef min
- #define min(a, b) ((a) < (b) ? (a) : (b))
--#ifdef __GNUC__
-+#endif
-+
-+#if defined(__GNUC__) || defined(_MSC_VER)
- #define inline __inline
- #else				/* !__GNUC__ */
- #define inline

patches/netcat.c.patch

@@ -0,0 +1,155 @@
+--- apps/nc/netcat.c.orig	Sun Sep 13 08:12:39 2015
++++ apps/nc/netcat.c	Sun Sep 13 19:15:13 2015
+@@ -98,9 +98,13 @@
+ int	Dflag;					/* sodebug */
+ int	Iflag;					/* TCP receive buffer size */
+ int	Oflag;					/* TCP send buffer size */
++#ifdef TCP_MD5SIG
+ int	Sflag;					/* TCP MD5 signature option */
++#endif
+ int	Tflag = -1;				/* IP Type of Service */
++#ifdef SO_RTABLE
+ int	rtableid = -1;
++#endif
+ 
+ int	usetls;					/* use TLS */
+ char    *Cflag;					/* Public cert file */
+@@ -150,7 +154,7 @@
+ 	struct servent *sv;
+ 	socklen_t len;
+ 	struct sockaddr_storage cliaddr;
+-	char *proxy;
++	char *proxy = NULL;
+ 	const char *errstr, *proxyhost = "", *proxyport = NULL;
+ 	struct addrinfo proxyhints;
+ 	char unix_dg_tmp_socket_buf[UNIX_DG_TMP_SOCKET_SIZE];
+@@ -251,12 +255,14 @@
+ 		case 'u':
+ 			uflag = 1;
+ 			break;
++#ifdef SO_RTABLE
+ 		case 'V':
+ 			rtableid = (int)strtonum(optarg, 0,
+ 			    RT_TABLEID_MAX, &errstr);
+ 			if (errstr)
+ 				errx(1, "rtable %s: %s", errstr, optarg);
+ 			break;
++#endif
+ 		case 'v':
+ 			vflag = 1;
+ 			break;
+@@ -289,9 +295,11 @@
+ 				errx(1, "TCP send window %s: %s",
+ 				    errstr, optarg);
+ 			break;
++#ifdef TCP_MD5SIG
+ 		case 'S':
+ 			Sflag = 1;
+ 			break;
++#endif
+ 		case 'T':
+ 			errstr = NULL;
+ 			errno = 0;
+@@ -776,7 +784,10 @@
+ remote_connect(const char *host, const char *port, struct addrinfo hints)
+ {
+ 	struct addrinfo *res, *res0;
+-	int s, error, on = 1;
++	int s, error;
++#ifdef SO_BINDANY
++	int on = 1;
++#endif
+ 
+ 	if ((error = getaddrinfo(host, port, &hints, &res)))
+ 		errx(1, "getaddrinfo: %s", gai_strerror(error));
+@@ -787,16 +798,20 @@
+ 		    SOCK_NONBLOCK, res0->ai_protocol)) < 0)
+ 			continue;
+ 
++#ifdef SO_RTABLE
+ 		if (rtableid >= 0 && (setsockopt(s, SOL_SOCKET, SO_RTABLE,
+ 		    &rtableid, sizeof(rtableid)) == -1))
+ 			err(1, "setsockopt SO_RTABLE");
++#endif
+ 
+ 		/* Bind to a local port or source address if specified. */
+ 		if (sflag || pflag) {
+ 			struct addrinfo ahints, *ares;
+ 
++#ifdef SO_BINDANY
+ 			/* try SO_BINDANY, but don't insist */
+ 			setsockopt(s, SOL_SOCKET, SO_BINDANY, &on, sizeof(on));
++#endif
+ 			memset(&ahints, 0, sizeof(struct addrinfo));
+ 			ahints.ai_family = res0->ai_family;
+ 			ahints.ai_socktype = uflag ? SOCK_DGRAM : SOCK_STREAM;
+@@ -865,7 +880,10 @@
+ local_listen(char *host, char *port, struct addrinfo hints)
+ {
+ 	struct addrinfo *res, *res0;
+-	int s, ret, x = 1;
++	int s;
++#ifdef SO_REUSEPORT
++	int ret, x = 1;
++#endif
+ 	int error;
+ 
+ 	/* Allow nodename to be null. */
+@@ -887,13 +905,17 @@
+ 		    res0->ai_protocol)) < 0)
+ 			continue;
+ 
++#ifdef SO_RTABLE
+ 		if (rtableid >= 0 && (setsockopt(s, SOL_SOCKET, SO_RTABLE,
+ 		    &rtableid, sizeof(rtableid)) == -1))
+ 			err(1, "setsockopt SO_RTABLE");
++#endif
+ 
++#ifdef SO_REUSEPORT
+ 		ret = setsockopt(s, SOL_SOCKET, SO_REUSEPORT, &x, sizeof(x));
+ 		if (ret == -1)
+ 			err(1, NULL);
++#endif
+ 
+ 		set_common_sockopts(s, res0->ai_family);
+ 
+@@ -1337,11 +1359,13 @@
+ {
+ 	int x = 1;
+ 
++#ifdef TCP_MD5SIG
+ 	if (Sflag) {
+ 		if (setsockopt(s, IPPROTO_TCP, TCP_MD5SIG,
+ 			&x, sizeof(x)) == -1)
+ 			err(1, NULL);
+ 	}
++#endif
+ 	if (Dflag) {
+ 		if (setsockopt(s, SOL_SOCKET, SO_DEBUG,
+ 			&x, sizeof(x)) == -1)
+@@ -1516,15 +1540,19 @@
+ 	\t-P proxyuser\tUsername for proxy authentication\n\
+ 	\t-p port\t	Specify local port for remote connects\n\
+ 	\t-R CAfile	CA bundle\n\
+-	\t-r		Randomize remote ports\n\
+-	\t-S		Enable the TCP MD5 signature option\n\
+-	\t-s source	Local source address\n\
++	\t-r		Randomize remote ports\n"
++#ifdef TCP_MD5SIG
++	"\t-S		Enable the TCP MD5 signature option\n"
++#endif
++	"\t-s source	Local source address\n\
+ 	\t-T keyword	TOS value or TLS options\n\
+ 	\t-t		Answer TELNET negotiation\n\
+ 	\t-U		Use UNIX domain socket\n\
+-	\t-u		UDP mode\n\
+-	\t-V rtable	Specify alternate routing table\n\
+-	\t-v		Verbose\n\
++	\t-u		UDP mode\n"
++#ifdef SO_RTABLE
++	"\t-V rtable	Specify alternate routing table\n"
++#endif
++	"\t-v		Verbose\n\
+ 	\t-w timeout	Timeout for connects and final net reads\n\
+ 	\t-X proto	Proxy protocol: \"4\", \"5\" (SOCKS) or \"connect\"\n\
+ 	\t-x addr[:port]\tSpecify proxy address and port\n\

patches/openssl.c.patch

@@ -1,26 +1,6 @@
---- apps/openssl.c.orig	2015-07-20 02:01:42.000000000 -0600
-+++ apps/openssl.c	2015-07-20 02:02:00.000000000 -0600
-@@ -130,6 +130,19 @@
- #include <openssl/engine.h>
- #endif
-
-+#ifdef _WIN32
-+#include <io.h>
-+#include <fcntl.h>
-+static void set_stdio_binary(void)
-+{
-+	_setmode(_fileno(stdin), _O_BINARY);
-+	_setmode(_fileno(stdout), _O_BINARY);
-+	_setmode(_fileno(stderr), _O_BINARY);
-+}
-+#else
-+static void set_stdio_binary(void) {};
-+#endif
-+
- #include "progs.h"
- #include "s_apps.h"
-
-@@ -204,7 +216,9 @@
+--- apps/openssl/openssl.c.orig	Sun Sep 13 09:11:31 2015
++++ apps/openssl/openssl.c	Sun Sep 13 09:10:02 2015
+@@ -399,7 +399,9 @@
  static void
  openssl_startup(void)
  {
@@ -28,13 +8,5 @@
  	signal(SIGPIPE, SIG_IGN);
 +#endif
  
- 	CRYPTO_malloc_init();
  	OpenSSL_add_all_algorithms();
-@@ -216,6 +230,7 @@
- #endif
-
- 	setup_ui_method();
-+	set_stdio_binary();
- }
-
- static void
+ 	SSL_library_init();

patches/opensslconf.h.patch

@@ -1,13 +0,0 @@
---- include/openssl/opensslconf.h.orig	2015-07-19 23:21:47.000000000 -0600
-+++ include/openssl/opensslconf.h	2015-07-19 23:21:17.000000000 -0600
-@@ -1,6 +1,10 @@
- #include <openssl/opensslfeatures.h>
- /* crypto/opensslconf.h.in */
-
-+#if defined(_MSC_VER) && !defined(__attribute__)
-+#define __attribute__(a)
-+#endif
-+
- /* Generate 80386 code? */
- #undef I386_ONLY
-

patches/ossl_typ.h.patch

@@ -1,25 +0,0 @@
---- include/openssl/ossl_typ.h.orig	2015-07-06 13:21:18.788571423 -0700
-+++ include/openssl/ossl_typ.h	2015-07-06 13:24:14.906468003 -0700
-@@ -100,6 +100,22 @@
- typedef struct ASN1_ITEM_st ASN1_ITEM;
- typedef struct asn1_pctx_st ASN1_PCTX;
-
-+#if defined(_WIN32) && defined(__WINCRYPT_H__)
-+#ifndef LIBRESSL_INTERNAL
-+#ifdef _MSC_VER
-+#pragma message("Warning, overriding WinCrypt defines")
-+#else
-+#warning overriding WinCrypt defines
-+#endif
-+#endif
-+#undef X509_NAME
-+#undef X509_CERT_PAIR
-+#undef X509_EXTENSIONS
-+#undef OCSP_REQUEST
-+#undef OCSP_RESPONSE
-+#undef PKCS7_ISSUER_AND_SERIAL
-+#endif
-+
- #ifdef BIGNUM
- #undef BIGNUM
- #endif

patches/pkcs7.h.patch

@@ -1,21 +0,0 @@
---- include/openssl/pkcs7.h.orig	2015-07-06 13:26:27.369203527 -0700
-+++ include/openssl/pkcs7.h	2015-07-06 13:27:37.637051967 -0700
-@@ -69,6 +69,18 @@
- extern "C" {
- #endif
-
-+#if defined(_WIN32) && defined(__WINCRYPT_H__)
-+#ifndef LIBRESSL_INTERNAL
-+#ifdef _MSC_VER
-+#pragma message("Warning, overriding WinCrypt defines")
-+#else
-+#warning overriding WinCrypt defines
-+#endif
-+#endif
-+#undef PKCS7_ISSUER_AND_SERIAL
-+#undef PKCS7_SIGNER_INFO
-+#endif
-+
- /*
- Encryption_ID		DES-CBC
- Digest_ID		MD5

patches/windows_headers.patch

@@ -0,0 +1,100 @@
+diff -urN include/openssl.orig/dtls1.h include/openssl/dtls1.h
+--- include/openssl.orig/dtls1.h	Mon Sep 21 21:45:45 2015
++++ include/openssl/dtls1.h	Mon Sep 21 21:58:56 2015
+@@ -60,7 +60,11 @@
+ #ifndef HEADER_DTLS1_H
+ #define HEADER_DTLS1_H
+ 
++#if defined(_WIN32)
++#include <winsock2.h>
++#else
+ #include <sys/time.h>
++#endif
+ 
+ #include <stdio.h>
+ #include <stdlib.h>
+diff -urN include/openssl.orig/opensslconf.h include/openssl/opensslconf.h
+--- include/openssl.orig/opensslconf.h	Mon Sep 21 21:45:45 2015
++++ include/openssl/opensslconf.h	Mon Sep 21 21:56:13 2015
+@@ -1,6 +1,10 @@
+ #include <openssl/opensslfeatures.h>
+ /* crypto/opensslconf.h.in */
+ 
++#if defined(_MSC_VER) && !defined(__attribute__)
++#define __attribute__(a)
++#endif
++
+ /* Generate 80386 code? */
+ #undef I386_ONLY
+ 
+diff -urN include/openssl.orig/ossl_typ.h include/openssl/ossl_typ.h
+--- include/openssl.orig/ossl_typ.h	Mon Sep 21 21:45:45 2015
++++ include/openssl/ossl_typ.h	Mon Sep 21 21:56:22 2015
+@@ -100,6 +100,22 @@
+ typedef struct ASN1_ITEM_st ASN1_ITEM;
+ typedef struct asn1_pctx_st ASN1_PCTX;
+ 
++#if defined(_WIN32) && defined(__WINCRYPT_H__)
++#ifndef LIBRESSL_INTERNAL
++#ifdef _MSC_VER
++#pragma message("Warning, overriding WinCrypt defines")
++#else
++#warning overriding WinCrypt defines
++#endif
++#endif
++#undef X509_NAME
++#undef X509_CERT_PAIR
++#undef X509_EXTENSIONS
++#undef OCSP_REQUEST
++#undef OCSP_RESPONSE
++#undef PKCS7_ISSUER_AND_SERIAL
++#endif
++
+ #ifdef BIGNUM
+ #undef BIGNUM
+ #endif
+diff -urN include/openssl.orig/pkcs7.h include/openssl/pkcs7.h
+--- include/openssl.orig/pkcs7.h	Mon Sep 21 21:45:45 2015
++++ include/openssl/pkcs7.h	Mon Sep 21 21:56:29 2015
+@@ -69,6 +69,18 @@
+ extern "C" {
+ #endif
+ 
++#if defined(_WIN32) && defined(__WINCRYPT_H__)
++#ifndef LIBRESSL_INTERNAL
++#ifdef _MSC_VER
++#pragma message("Warning, overriding WinCrypt defines")
++#else
++#warning overriding WinCrypt defines
++#endif
++#endif
++#undef PKCS7_ISSUER_AND_SERIAL
++#undef PKCS7_SIGNER_INFO
++#endif
++
+ /*
+ Encryption_ID		DES-CBC
+ Digest_ID		MD5
+diff -urN include/openssl.orig/x509.h include/openssl/x509.h
+--- include/openssl.orig/x509.h	Mon Sep 21 21:45:45 2015
++++ include/openssl/x509.h	Mon Sep 21 21:56:35 2015
+@@ -112,6 +112,19 @@
+ extern "C" {
+ #endif
+ 
++#if defined(_WIN32)
++#ifndef LIBRESSL_INTERNAL
++#ifdef _MSC_VER
++#pragma message("Warning, overriding WinCrypt defines")
++#else
++#warning overriding WinCrypt defines
++#endif
++#endif
++#undef X509_NAME
++#undef X509_CERT_PAIR
++#undef X509_EXTENSIONS
++#endif
++
+ #define X509_FILETYPE_PEM	1
+ #define X509_FILETYPE_ASN1	2
+ #define X509_FILETYPE_DEFAULT	3

patches/x509.h.patch

@@ -1,22 +0,0 @@
---- include/openssl/x509.h.orig	2015-07-06 13:15:15.059306046 -0700
-+++ include/openssl/x509.h	2015-07-06 13:16:10.506118278 -0700
-@@ -112,6 +112,19 @@
- extern "C" {
- #endif
-
-+#if defined(_WIN32)
-+#ifndef LIBRESSL_INTERNAL
-+#ifdef _MSC_VER
-+#pragma message("Warning, overriding WinCrypt defines")
-+#else
-+#warning overriding WinCrypt defines
-+#endif
-+#endif
-+#undef X509_NAME
-+#undef X509_CERT_PAIR
-+#undef X509_EXTENSIONS
-+#endif
-+
- #define X509_FILETYPE_PEM	1
- #define X509_FILETYPE_ASN1	2
- #define X509_FILETYPE_DEFAULT	3

scripts/travis

@@ -6,7 +6,7 @@ set -e
 if [ "x$ARCH" = "xnative" ]; then
 	# test autotools
 	./configure
-	make -j 4 check
+	make -j 4 distcheck
 
 	# make distribution
 	make dist
@@ -19,6 +19,7 @@ if [ "x$ARCH" = "xnative" ]; then
 	if [ `uname` = "Darwin" ]; then
 		cmake ..
 		make
+		make test
 	else
 		sudo apt-get update
 		sudo apt-get install -y python-software-properties
@@ -27,6 +28,7 @@ if [ "x$ARCH" = "xnative" ]; then
 		sudo apt-get install -y cmake ninja-build
 		cmake -GNinja ..
 		ninja
+		ninja test
 	fi
 else
 	CPU=i686

ssl/CMakeLists.txt

@@ -21,15 +21,12 @@ set(
 	pqueue.c
 	s23_clnt.c
 	s23_lib.c
-	s23_meth.c
 	s23_pkt.c
 	s23_srvr.c
 	s3_both.c
 	s3_cbc.c
 	s3_clnt.c
-	s3_enc.c
 	s3_lib.c
-	s3_meth.c
 	s3_pkt.c
 	s3_srvr.c
 	ssl_algs.c

ssl/Makefile.am

@@ -23,15 +23,12 @@ libssl_la_SOURCES += d1_srvr.c
 libssl_la_SOURCES += pqueue.c
 libssl_la_SOURCES += s23_clnt.c
 libssl_la_SOURCES += s23_lib.c
-libssl_la_SOURCES += s23_meth.c
 libssl_la_SOURCES += s23_pkt.c
 libssl_la_SOURCES += s23_srvr.c
 libssl_la_SOURCES += s3_both.c
 libssl_la_SOURCES += s3_cbc.c
 libssl_la_SOURCES += s3_clnt.c
-libssl_la_SOURCES += s3_enc.c
 libssl_la_SOURCES += s3_lib.c
-libssl_la_SOURCES += s3_meth.c
 libssl_la_SOURCES += s3_pkt.c
 libssl_la_SOURCES += s3_srvr.c
 libssl_la_SOURCES += ssl_algs.c

tests/CMakeLists.txt

@@ -5,7 +5,8 @@ include_directories(
 	../crypto/modes
 	../crypto/asn1
 	../ssl
-	../apps
+	../apps/openssl
+	../apps/openssl/compat
 )
 
 set(ENV{srcdir} ${CMAKE_CURRENT_SOURCE_DIR})
@@ -75,6 +76,11 @@ add_executable(cipherstest cipherstest.c)
 target_link_libraries(cipherstest ${OPENSSL_LIBS})
 add_test(cipherstest cipherstest)
 
+# clienttest
+add_executable(clienttest clienttest.c)
+target_link_libraries(clienttest ${OPENSSL_LIBS})
+add_test(clienttest clienttest)
+
 # cts128test
 add_executable(cts128test cts128test.c)
 target_link_libraries(cts128test ${OPENSSL_LIBS})
@@ -236,11 +242,6 @@ add_executable(sha512test sha512test.c)
 target_link_libraries(sha512test ${OPENSSL_LIBS})
 add_test(sha512test sha512test)
 
-# shatest
-add_executable(shatest shatest.c)
-target_link_libraries(shatest ${OPENSSL_LIBS})
-add_test(shatest shatest)
-
 # ssltest
 #add_executable(ssltest ssltest.c)
 #target_link_libraries(ssltest ${OPENSSL_LIBS})
@@ -264,3 +265,8 @@ add_test(timingsafe timingsafe)
 add_executable(utf8test utf8test.c)
 target_link_libraries(utf8test ${OPENSSL_LIBS})
 add_test(utf8test utf8test)
+
+# verifytest
+add_executable(verifytest verifytest.c)
+target_link_libraries(verifytest tls ${OPENSSL_LIBS})
+add_test(verifytest verifytest)

tests/Makefile.am

@@ -3,11 +3,13 @@ include $(top_srcdir)/Makefile.am.common
 AM_CPPFLAGS += -I $(top_srcdir)/crypto/modes
 AM_CPPFLAGS += -I $(top_srcdir)/crypto/asn1
 AM_CPPFLAGS += -I $(top_srcdir)/ssl
-AM_CPPFLAGS += -I $(top_srcdir)/apps
+AM_CPPFLAGS += -I $(top_srcdir)/apps/openssl
+AM_CPPFLAGS += -I $(top_srcdir)/apps/openssl/compat
 
 LDADD = $(PLATFORM_LDADD) $(PROG_LDADD)
 LDADD += $(top_builddir)/ssl/libssl.la
 LDADD += $(top_builddir)/crypto/libcrypto.la
+LDADD += $(top_builddir)/tls/libtls.la
 
 TESTS =
 check_PROGRAMS =
@@ -89,6 +91,11 @@ TESTS += cipherstest
 check_PROGRAMS += cipherstest
 cipherstest_SOURCES = cipherstest.c
 
+# clienttest
+TESTS += clienttest
+check_PROGRAMS += clienttest
+clienttest_SOURCES = clienttest.c
+
 # cts128test
 TESTS += cts128test
 check_PROGRAMS += cts128test
@@ -208,9 +215,10 @@ pbkdf2_SOURCES = pbkdf2.c
 # pidwraptest relies on an OS-specific way to give out pids and is generally
 # awkward on systems with slow fork
 if ENABLE_EXTRATESTS
-TESTS += pidwraptest
+TESTS += pidwraptest.sh
 check_PROGRAMS += pidwraptest
 pidwraptest_SOURCES = pidwraptest.c
+EXTRA_DIST += pidwraptest.sh
 endif
 
 # pkcs7test
@@ -265,11 +273,6 @@ TESTS += sha512test
 check_PROGRAMS += sha512test
 sha512test_SOURCES = sha512test.c
 
-# shatest
-TESTS += shatest
-check_PROGRAMS += shatest
-shatest_SOURCES = shatest.c
-
 # ssltest
 TESTS += ssltest.sh
 check_PROGRAMS += ssltest
@@ -300,3 +303,7 @@ TESTS += utf8test
 check_PROGRAMS += utf8test
 utf8test_SOURCES = utf8test.c
 
+# verifytest
+TESTS += verifytest
+check_PROGRAMS += verifytest
+verifytest_SOURCES = verifytest.c

tests/ssltest.sh

@@ -6,9 +6,9 @@ if [ -e ./ssltest.exe ]; then
 	ssltest_bin=./ssltest.exe
 fi
 
-openssl_bin=../apps/openssl
-if [ -e ../apps/openssl.exe ]; then
-	openssl_bin=../apps/openssl.exe
+openssl_bin=../apps/openssl/openssl
+if [ -e ../apps/openssl/openssl.exe ]; then
+	openssl_bin=../apps/openssl/openssl.exe
 fi
 
 if [ -z $srcdir ]; then

tests/testdsa.sh

@@ -4,9 +4,9 @@
 
 #Test DSA certificate generation of openssl
 
-cmd=../apps/openssl
-if [ -e ../apps/openssl.exe ]; then
-	cmd=../apps/openssl.exe
+cmd=../apps/openssl/openssl
+if [ -e ../apps/openssl/openssl.exe ]; then
+	cmd=../apps/openssl/openssl.exe
 fi
 
 if [ -z $srcdir ]; then

tests/testenc.sh

@@ -2,9 +2,9 @@
 #	$OpenBSD: testenc.sh,v 1.1 2014/08/26 17:50:07 jsing Exp $
 
 test=p
-cmd=../apps/openssl
-if [ -e ../apps/openssl.exe ]; then
-	cmd=../apps/openssl.exe
+cmd=../apps/openssl/openssl
+if [ -e ../apps/openssl/openssl.exe ]; then
+	cmd=../apps/openssl/openssl.exe
 fi
 
 cat openssl.cnf >$test;

tests/testrsa.sh

@@ -4,9 +4,9 @@
 
 #Test RSA certificate generation of openssl
 
-cmd=../apps/openssl
-if [ -e ../apps/openssl.exe ]; then
-	cmd=../apps/openssl.exe
+cmd=../apps/openssl/openssl
+if [ -e ../apps/openssl/openssl.exe ]; then
+	cmd=../apps/openssl/openssl.exe
 fi
 
 if [ -z $srcdir ]; then

tls/CMakeLists.txt

@@ -9,7 +9,9 @@ set(
 	tls.c
 	tls_client.c
 	tls_config.c
+	tls_conninfo.c
 	tls_server.c
+	tls_peer.c
 	tls_util.c
 	tls_verify.c
 )

tls/Makefile.am

@@ -11,7 +11,9 @@ libtls_la_LIBADD = ../crypto/libcrypto.la ../ssl/libssl.la $(PLATFORM_LDADD)
 libtls_la_SOURCES = tls.c
 libtls_la_SOURCES += tls_client.c
 libtls_la_SOURCES += tls_config.c
+libtls_la_SOURCES += tls_conninfo.c
 libtls_la_SOURCES += tls_server.c
+libtls_la_SOURCES += tls_peer.c
 libtls_la_SOURCES += tls_util.c
 libtls_la_SOURCES += tls_verify.c
 noinst_HEADERS = tls_internal.h

update.sh

@@ -25,7 +25,8 @@ libcrypto_regress=$CWD/openbsd/src/regress/lib/libcrypto
 libssl_src=$CWD/openbsd/src/lib/libssl
 libssl_regress=$CWD/openbsd/src/regress/lib/libssl
 libtls_src=$CWD/openbsd/src/lib/libtls
-openssl_app_src=$CWD/openbsd/src/usr.bin/openssl
+libtls_regress=$CWD/openbsd/src/regress/lib/libtls
+app_src=$CWD/openbsd/src/usr.bin
 
 # load library versions
 . $libcrypto_src/crypto/shlib_version
@@ -52,21 +53,26 @@ do_mv() {
 		rm -f "$1"
 	fi
 }
-CP='cp -p'
 MV='do_mv'
 
+do_cp_libc() {
+	sed "/DEF_WEAK/d" < "$1" > "$2"/`basename "$1"`
+}
+CP_LIBC='do_cp_libc'
+
+CP='cp -p'
+
 $CP $libssl_src/src/LICENSE COPYING
 
 $CP $libcrypto_src/crypto/arch/amd64/opensslconf.h include/openssl
 $CP $libssl_src/src/crypto/opensslfeatures.h include/openssl
-$CP $libssl_src/src/e_os2.h include/openssl
 $CP $libssl_src/src/ssl/pqueue.h include
 
 $CP $libtls_src/tls.h include
 $CP $libtls_src/tls.h libtls-standalone/include
 
 for i in crypto/compat libtls-standalone/compat; do
-	$CP $libc_src/crypt/arc4random.c \
+	for j in $libc_src/crypt/arc4random.c \
 	    $libc_src/crypt/chacha_private.h \
 	    $libc_src/string/explicit_bzero.c \
 	    $libc_src/stdlib/reallocarray.c \
@@ -78,8 +84,9 @@ for i in crypto/compat libtls-standalone/compat; do
 	    $libc_src/string/timingsafe_bcmp.c \
 	    $libc_src/string/timingsafe_memcmp.c \
 	    $libcrypto_src/crypto/getentropy_*.c \
-	    $libcrypto_src/crypto/arc4random_*.h \
-	    $i
+	    $libcrypto_src/crypto/arc4random_*.h; do
+		$CP_LIBC $j $i
+	done
 done
 
 $CP include/compat/stdlib.h \
@@ -191,8 +198,10 @@ for i in `awk '/SOURCES|HEADERS/ { print $3 }' tls/Makefile.am` ; do
 		$CP $libtls_src/$i libtls-standalone/src
 	fi
 done
-$CP $libc_src/string/strsep.c tls
-$CP $libc_src/string/strsep.c libtls-standalone/compat
+
+$CP_LIBC $libc_src/string/strsep.c tls
+$CP_LIBC $libc_src/string/strsep.c libtls-standalone/compat
+
 mkdir -p libtls-standalone/m4
 $CP m4/check*.m4 \
 	m4/disable*.m4 \
@@ -200,15 +209,28 @@ $CP m4/check*.m4 \
 sed -e "s/compat\///" crypto/Makefile.am.arc4random > \
 	libtls-standalone/compat/Makefile.am.arc4random
 
+# copy nc(1) source
+echo "copying nc(1) source"
+$CP $app_src/nc/nc.1 apps/nc
+rm -f apps/nc/*.c apps/nc/*.h
+$CP_LIBC $libc_src/stdlib/strtonum.c apps/nc/compat
+for i in `awk '/SOURCES|HEADERS|MANS/ { print $3 }' apps/nc/Makefile.am` ; do
+	if [ -e $app_src/nc/$i ]; then
+		$CP $app_src/nc/$i apps/nc
+	fi
+done
+
 # copy openssl(1) source
 echo "copying openssl(1) source"
-$CP $libc_src/stdlib/strtonum.c apps
-$CP $libcrypto_src/cert.pem apps
-$CP $libcrypto_src/openssl.cnf apps
-$CP $libcrypto_src/x509v3.cnf apps
-for i in `awk '/SOURCES|HEADERS/ { print $3 }' apps/Makefile.am` ; do
-	if [ -e $openssl_app_src/$i ]; then
-		$CP $openssl_app_src/$i apps
+$CP $app_src/openssl/openssl.1 apps/openssl
+rm -f apps/openssl/*.c apps/openssl/*.h
+$CP_LIBC $libc_src/stdlib/strtonum.c apps/openssl/compat
+$CP $libcrypto_src/cert.pem apps/openssl
+$CP $libcrypto_src/openssl.cnf apps/openssl
+$CP $libcrypto_src/x509v3.cnf apps/openssl
+for i in `awk '/SOURCES|HEADERS|MANS/ { print $3 }' apps/openssl/Makefile.am` ; do
+	if [ -e $app_src/openssl/$i ]; then
+		$CP $app_src/openssl/$i apps/openssl
 	fi
 done
 
@@ -231,7 +253,7 @@ $CP $libcrypto_regress/pqueue/expected.txt tests/pq_expected.txt
 # copy libc tests
 $CP $libc_regress/arc4random-fork/arc4random-fork.c tests/arc4randomforktest.c
 $CP $libc_regress/explicit_bzero/explicit_bzero.c tests
-$CP $libc_src/string/memmem.c tests
+$CP_LIBC $libc_src/string/memmem.c tests
 $CP $libc_regress/timingsafe/timingsafe.c tests
 
 # copy libssl tests
@@ -243,6 +265,11 @@ $CP $libssl_regress/unit/tests.h tests
 $CP $libssl_regress/certs/ca.pem tests
 $CP $libssl_regress/certs/server.pem tests
 
+# copy libtls tests
+for i in `find $libtls_regress -name '*.c'`; do
+	 $CP "$i" tests
+done
+
 chmod 755 tests/testssl
 
 # add headers
@@ -273,7 +300,7 @@ add_man_links() {
 	done
 }
 
-# apply local patches (Windows support)
+# apply local patches
 for i in patches/*.patch; do
     patch -p0 < $i
 done
@@ -283,9 +310,6 @@ echo "copying manpages"
 echo EXTRA_DIST = CMakeLists.txt > man/Makefile.am
 echo dist_man_MANS = >> man/Makefile.am
 
-$CP $openssl_app_src/openssl.1 man
-echo "dist_man_MANS += openssl.1" >> man/Makefile.am
-
 $CP $libtls_src/tls_init.3 man
 echo "dist_man_MANS += tls_init.3" >> man/Makefile.am