More changelog updates

- add tls_ext_alpn entry for automake and cmake
- add tests/tls_ext_alpn* to .gitignore

.gitignore

@@ -49,14 +49,16 @@ Makefile.in
 test-driver
 *.log
 *.trs
-!tests/optionstest.c
 tests/aes_wrap*
 tests/arc4random_fork*
+tests/asn1time*
 tests/cipher*
 tests/explicit_bzero*
 tests/gost2814789t*
 tests/mont*
+tests/rfc5280time*
 tests/timingsafe*
+tests/tls_ext_alpn*
 tests/*test
 tests/tests.h
 tests/*test.c
@@ -65,6 +67,8 @@ tests/pbkdf2*
 tests/*.pem
 tests/testssl
 tests/*.txt
+!tests/optionstest.c
+!tests/*.test
 
 # ctags stuff
 TAGS
@@ -111,16 +115,18 @@ include/pqueue.h
 include/tls.h
 include/openssl/*.h
 
-!/apps/nc/readpassphrase.c
 /apps/nc/*.h
 /apps/nc/*.c
 /apps/nc/nc*
+!/apps/nc/readpassphrase.c
 /apps/openssl/*.h
 /apps/openssl/*.c
 /apps/openssl/*.cnf
 /apps/openssl/*.pem
 /apps/openssl/openssl
 /apps/openssl/compat/strtonum.c
+!/apps/openssl/apps_win.c
+!/apps/openssl/certhash_win.c
 
 !/crypto/Makefile.am.*
 !/crypto/compat/arc4random.h
@@ -129,6 +135,7 @@ include/openssl/*.h
 !/crypto/compat/posix_win.c
 !/crypto/compat/bsd_asprintf.c
 !/crypto/compat/inet_pton.c
+!/crypto/compat/timegm.c
 !/crypto/compat/ui_openssl_win.c
 !/crypto/CMakeLists.txt
 /crypto

CMakeLists.txt

@@ -1,9 +1,10 @@
-cmake_minimum_required (VERSION 2.8)
+cmake_minimum_required (VERSION 2.8.8)
 include(CheckFunctionExists)
 include(CheckLibraryExists)
 include(CheckIncludeFiles)
+include(CheckTypeSize)
 
-project (LibreSSL)
+project (LibreSSL C)
 
 enable_testing()
 
@@ -22,6 +23,17 @@ string(STRIP ${TLS_VERSION} TLS_VERSION)
 string(REPLACE ":" "." TLS_VERSION ${TLS_VERSION})
 string(REGEX REPLACE "\\..*" "" TLS_MAJOR_VERSION ${TLS_VERSION})
 
+option(ENABLE_ASM "Enable assembly" ON)
+option(ENABLE_EXTRATESTS "Enable extra tests that may be unreliable on some platforms" OFF)
+option(ENABLE_NC "Enable installing TLS-enabled nc(1)" OFF)
+set(OPENSSLDIR ${OPENSSLDIR} CACHE PATH "Set the default openssl directory" FORCE)
+
+set(BUILD_NC true)
+
+if(CMAKE_SYSTEM_NAME MATCHES "Darwin")
+	add_definitions(-fno-common)
+endif()
+
 if(CMAKE_SYSTEM_NAME MATCHES "OpenBSD")
 	add_definitions(-DHAVE_ATTRIBUTE__BOUNDED__)
 endif()
@@ -33,9 +45,34 @@ if(CMAKE_SYSTEM_NAME MATCHES "Linux")
 	add_definitions(-D_GNU_SOURCE)
 endif()
 
+if(CMAKE_SYSTEM_NAME MATCHES "MINGW")
+	set(BUILD_NC false)
+endif()
+
+if(WIN32)
+	set(BUILD_NC false)
+endif()
+
+if(CMAKE_SYSTEM_NAME MATCHES "HP-UX")
+	if(CMAKE_C_COMPILER MATCHES "gcc")
+		set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -Wall -std=gnu99 -fno-strict-aliasing")
+		set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -mlp64")
+	else()
+		set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -g -O2 +DD64 +Otype_safety=off")
+	endif()
+	set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -D_XOPEN_SOURCE=600 -D__STRICT_ALIGNMENT")
+endif()
+
+if(CMAKE_SYSTEM_NAME MATCHES "SunOS")
+	set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -Wall -std=gnu99 -fno-strict-aliasing")
+	set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -D__EXTENSIONS__")
+	set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -D_XOPEN_SOURCE=600")
+	set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -DBSD_COMP")
+	set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -fpic -m64")
+endif()
+
 add_definitions(-DLIBRESSL_INTERNAL)
 add_definitions(-DOPENSSL_NO_HW_PADLOCK)
-add_definitions(-DOPENSSL_NO_ASM)
 
 set(CMAKE_POSITION_INDEPENDENT_CODE true)
 
@@ -43,14 +80,17 @@ if (CMAKE_COMPILER_IS_GNUCC OR CMAKE_C_COMPILER_ID MATCHES "Clang")
 	add_definitions(-Wno-pointer-sign)
 endif()
 
-if(MSVC)
-	add_definitions(-Dinline=__inline)
+if(WIN32)
 	add_definitions(-Drestrict)
 	add_definitions(-D_CRT_SECURE_NO_WARNINGS)
 	add_definitions(-D_CRT_DEPRECATED_NO_WARNINGS)
 	add_definitions(-D_REENTRANT -D_POSIX_THREAD_SAFE_FUNCTIONS)
 	add_definitions(-DWIN32_LEAN_AND_MEAN -D_WIN32_WINNT=0x0501)
 	add_definitions(-DCPPFLAGS -DOPENSSL_NO_SPEED -DNO_SYSLOG -DNO_CRYPT)
+endif()
+
+if(MSVC)
+	add_definitions(-Dinline=__inline)
 
 	set(MSVC_DISABLED_WARNINGS_LIST
 		"C4057" # C4057: 'initializing' : 'unsigned char *' differs in
@@ -96,7 +136,7 @@ if(HAVE_STRLCAT)
 	add_definitions(-DHAVE_STRLCAT)
 endif()
 
-check_function_exists(strlcat HAVE_STRLCPY)
+check_function_exists(strlcpy HAVE_STRLCPY)
 if(HAVE_STRLCPY)
 	add_definitions(-DHAVE_STRLCPY)
 endif()
@@ -106,8 +146,8 @@ if(HAVE_STRNDUP)
 	add_definitions(-DHAVE_STRNDUP)
 endif()
 
-if(MSVC)
-	set(HAVE_STRNLEN)
+if(WIN32)
+	set(HAVE_STRNLEN true)
 	add_definitions(-DHAVE_STRNLEN)
 else()
 	check_function_exists(strnlen HAVE_STRNLEN)
@@ -121,11 +161,21 @@ if(HAVE_STRSEP)
 	add_definitions(-DHAVE_STRSEP)
 endif()
 
+check_function_exists(timegm HAVE_TIMEGM)
+if(HAVE_TIMEGM)
+	add_definitions(-DHAVE_TIMEGM)
+endif()
+
 check_function_exists(arc4random_buf HAVE_ARC4RANDOM_BUF)
 if(HAVE_ARC4RANDOM_BUF)
 	add_definitions(-DHAVE_ARC4RANDOM_BUF)
 endif()
 
+check_function_exists(arc4random_uniform HAVE_ARC4RANDOM_UNIFORM)
+if(HAVE_ARC4RANDOM_UNIFORM)
+	add_definitions(-DHAVE_ARC4RANDOM_UNIFORM)
+endif()
+
 check_function_exists(explicit_bzero HAVE_EXPLICIT_BZERO)
 if(HAVE_EXPLICIT_BZERO)
 	add_definitions(-DHAVE_EXPLICIT_BZERO)
@@ -151,11 +201,28 @@ if(HAVE_MEMCMP)
 	add_definitions(-DHAVE_MEMCMP)
 endif()
 
+check_function_exists(memmem HAVE_MEMMEM)
+if(HAVE_MEMMEM)
+	add_definitions(-DHAVE_MEMMEM)
+endif()
+
 check_include_files(err.h HAVE_ERR_H)
 if(HAVE_ERR_H)
 	add_definitions(-DHAVE_ERR_H)
 endif()
 
+if(ENABLE_ASM)
+	if("${CMAKE_C_COMPILER_ABI}" STREQUAL "ELF")
+		if("${CMAKE_SYSTEM_PROCESSOR}" MATCHES "(x86_64|amd64)")
+			set(HOST_ASM_ELF_X86_64 true)
+		elseif(CMAKE_SYSTEM_NAME STREQUAL "SunOS" AND "${CMAKE_SYSTEM_PROCESSOR}" STREQUAL "i386")
+			set(HOST_ASM_ELF_X86_64 true)
+		endif()
+	elseif(APPLE AND "${CMAKE_SYSTEM_PROCESSOR}" STREQUAL "x86_64")
+		set(HOST_ASM_MACOSX_X86_64 true)
+	endif()
+endif()
+
 set(OPENSSL_LIBS ssl crypto)
 if(CMAKE_HOST_WIN32)
 	set(OPENSSL_LIBS ${OPENSSL_LIBS} ws2_32)
@@ -166,11 +233,25 @@ if(CMAKE_SYSTEM_NAME MATCHES "Linux")
 		set(OPENSSL_LIBS ${OPENSSL_LIBS} rt)
 	endif()
 endif()
+if(CMAKE_SYSTEM_NAME MATCHES "HP-UX")
+	set(OPENSSL_LIBS ${OPENSSL_LIBS} pthread)
+endif()
+if(CMAKE_SYSTEM_NAME MATCHES "SunOS")
+	set(OPENSSL_LIBS ${OPENSSL_LIBS} nsl socket)
+endif()
 
-if(NOT (CMAKE_SYSTEM_NAME MATCHES "Darwin" OR MSVC))
+if(NOT (CMAKE_SYSTEM_NAME MATCHES "(Darwin|CYGWIN)"))
 	set(BUILD_SHARED true)
 endif()
 
+check_type_size(time_t SIZEOF_TIME_T)
+if(SIZEOF_TIME_T STREQUAL "4")
+	set(SMALL_TIME_T true)
+	message(WARNING " ** Warning, this system is unable to represent times past 2038\n"
+	                " ** It will behave incorrectly when handling valid RFC5280 dates")
+endif()
+add_definitions(-DSIZEOF_TIME_T=${SIZEOF_TIME_T})
+
 add_subdirectory(crypto)
 add_subdirectory(ssl)
 add_subdirectory(apps)
@@ -180,3 +261,11 @@ if(NOT MSVC)
 	add_subdirectory(man)
 	add_subdirectory(tests)
 endif()
+
+configure_file(
+	"${CMAKE_CURRENT_SOURCE_DIR}/cmake_uninstall.cmake.in"
+	"${CMAKE_CURRENT_BINARY_DIR}/cmake_uninstall.cmake"
+	IMMEDIATE @ONLY)
+
+add_custom_target(uninstall
+	COMMAND ${CMAKE_COMMAND} -P ${CMAKE_CURRENT_BINARY_DIR}/cmake_uninstall.cmake)

ChangeLog

@@ -28,6 +28,256 @@ history is also available from Git.
 
 LibreSSL Portable Release Notes:
 
+2.5.0 - New APIs, bug fixes and improvements
+
+	* libtls now supports ALPN and SNI
+
+	* libtls adds a new callback interface for integrating custom IO
+	  functions. Thanks to Tobias Pape.
+
+	* libtls now handles 4 cipher suite groups:
+	    "secure" (TLSv1.2+AEAD+PFS)
+	    "compat" (HIGH:!aNULL)
+	    "legacy" (HIGH:MEDIUM:!aNULL)
+	    "insecure" (ALL:!aNULL:!eNULL)
+
+	    This allows for flexibility and finer grained control, rather than
+	    having two extremes (an issue raised by Marko Kreen some time ago).
+
+	* Tightened error handling for tls_config_set_ciphers().
+
+	* libtls now always loads CA, key and certificate files at the time the
+	  configuration function is called. This simplifies code and results in
+	  a single memory based code path being used to provide data to libssl.
+
+	* Add support for OCSP intermediate certificates.
+
+	* Added functions used by stunnel and exim from BoringSSL - this
+	  brings in X509_check_host, X509_check_email, X509_check_ip, and
+	  X509_check_ip_asc.
+
+	* Added initial support for iOS, thanks to Jacob Berkman.
+
+	* Improved behavior of arc4random on Windows when using memory leak
+	  analysis software.
+
+	* Correctly handle an EOF that occurs prior to the TLS handshake
+	  completing. Reported by Vasily Kolobkov, based on a diff from Marko
+	  Kreen.
+
+	* Limit the support of the "backward compatible" ssl2 handshake to
+	  only be used if TLS 1.0 is enabled.
+
+	* Fix incorrect results in certain cases on 64-bit systems when
+	  BN_mod_word() can return incorrect results. BN_mod_word() now can
+	  return an error condition. Thanks to Brian Smith.
+
+	* Added constant-time updates to address CVE-2016-0702
+
+	* Fixed undefined behavior in BN_GF2m_mod_arr()
+
+	* Removed unused Cryptographic Message Support (CMS)
+
+	* More conversions of long long idioms to time_t
+
+	* Improved compatibility by avoiding printing NULL strings with
+	  printf.
+
+	* Reverted change that cleans up the EVP cipher context in
+	  EVP_EncryptFinal() and EVP_DecryptFinal(). Some software relies on the
+	  previous behaviour.
+
+	* Avoid unbounded memory growth in libssl, which can be triggered by a
+	  TLS client repeatedly renegotiating and sending OCSP Status Request
+	  TLS extensions.
+
+	* Avoid falling back to a weak digest for (EC)DH when using SNI with
+	  libssl.
+
+2.4.2 - Bug fixes and improvements
+
+	* Fixed loading default certificate locations with openssl s_client.
+
+	* Ensured OSCP only uses and compares GENERALIZEDTIME values as per
+	  RFC6960. Also added fixes for OCSP to work with intermediate
+	  certificates provided in responses.
+
+	* Improved behavior of arc4random on Windows to not appear to leak
+	  memory in debug tools, reduced privileges of allocated memory.
+
+	* Fixed incorrect results from BN_mod_word() when the modulus is too
+	  large, thanks to Brian Smith from BoringSSL.
+
+	* Correctly handle an EOF prior to completing the TLS handshake in
+	  libtls.
+
+	* Improved libtls ceritificate loading and cipher string validation.
+
+	* Updated libtls cipher group suites into four categories:
+	    "secure"   (TLSv1.2+AEAD+PFS)
+	    "compat"   (HIGH:!aNULL)
+	    "legacy"   (HIGH:MEDIUM:!aNULL)
+	    "insecure" (ALL:!aNULL:!eNULL)
+	  This allows for flexibility and finer grained control, rather than
+	  having two extremes.
+
+	* Limited support for 'backward compatible' SSLv2 handshake packets to
+	  when TLS 1.0 is enabled, providing more restricted compatibility
+	  with TLS 1.0 clients.
+
+	* openssl(1) and other documentation improvements.
+
+	* Removed flags for disabling constant-time operations.
+	  This removes support for DSA_FLAG_NO_EXP_CONSTTIME,
+	  DH_FLAG_NO_EXP_CONSTTIME, and RSA_FLAG_NO_CONSTTIME flags, making
+	  all of these operations unconditionally constant-time.
+
+
+2.4.1 - Security fix
+
+	* Correct a problem that prevents the DSA signing algorithm from
+	  running in constant time even if the flag BN_FLG_CONSTTIME is set.
+	  This issue was reported by Cesar Pereida (Aalto University), Billy
+	  Brumley (Tampere University of Technology), and Yuval Yarom (The
+	  University of Adelaide and NICTA). The fix was developed by Cesar
+	  Pereida.
+
+2.4.0 - Build improvements, new features
+
+	* Many improvements to the CMake build infrastructure, including
+	  Solaris, mingw-w64, Cygwin, and HP-UX support. Thanks to Kinichiro
+	  Inoguchi for this work.
+
+	* Added missing error handling around bn_wexpand() calls.
+
+	* Added explicit_bzero calls for freed ASN.1 objects.
+
+	* Fixed X509_*set_object functions to return 0 on allocation failure.
+
+	* Implemented the IETF ChaCha20-Poly1305 cipher suites.
+
+	* Changed default EVP_aead_chacha20_poly1305() implementation to the
+	  IETF version, which is now the default.
+
+	* Fixed password prompts from openssl(1) to properly handle ^C.
+
+	* Reworked error handling in libtls so that configuration errors are
+	  visible.
+
+	* Deprecated internal use of EVP_[Cipher|Encrypt|Decrypt]_Final.
+
+	* Manpage fixes and updates
+
+2.3.5 - Reliability fix
+
+	* Fixed an error in libcrypto when parsing some ASN.1 elements > 16k.
+
+2.3.4 - Security Update
+
+	* Fix multiple vulnerabilities in libcrypto relating to ASN.1 and encoding.
+	From OpenSSL.
+
+	* Minor build fixes
+
+2.3.3 - OpenBSD 5.9 release branch tagged
+
+	* Reworked build scripts to better sync with OpenNTPD-portable
+
+	* Fixed broken manpage links
+
+	* Fixed an nginx compatibility issue by adding an 'install_sw' make alias
+
+	* Fixed HP-UX builds
+
+	* Changed the default configuration directory to c:\LibreSSL\ssl on Windows
+	  binary builds
+
+	* cert.pem has been reorganized and synced with Mozilla's certificate store
+
+2.3.2 - Compatibility and Reliability fixes
+
+	* Changed format of LIBRESSL_VERSION_NUMBER to match that of
+	  OPENSSL_VERSION_NUMBER, see:
+	  https://wiki.openssl.org/index.php/Manual:OPENSSL_VERSION_NUMBER(3)
+
+	* Added EVP_aead_chacha20_poly1305_ietf() which matches the AEAD
+	  construction introduced in RFC 7539, which is different than that
+	  already used in TLS with EVP_aead_chacha20_poly1305()
+
+	* Avoid a potential undefined C99+ behavior due to shift overflow in
+	  AES_decrypt, reported by Pascal Cuoq <cuoq at trust-in-soft.com>
+
+	* More man pages converted from pod to mdoc format
+
+	* Added COMODO RSA Certification Authority and QuoVadis
+	  root certificates to cert.pem
+
+	* Removed Remove "C=US, O=VeriSign, Inc., OU=Class 3 Public Primary Certification
+	  Authority" (serial 3c:91:31:cb:1f:f6:d0:1b:0e:9a:b8:d0:44:bf:12:be) root
+	  certificate from cert.pem
+
+	* Added support for building nc(1) on Solaris
+
+	* Fixed GCC 5.x+ preprocessor checks, reported by Ruslan Babayev
+
+	* Improved console handling with openssl(1) on Windows
+
+	* Ensure the network stack is enabled on Windows when running
+	  tls_init()
+
+	* Fixed incorrect TLS certificate loading by nc(1)
+
+	* Added support for Solaris 11.3's getentropy(2) system call
+
+	* Enabled support for using NetBSD 7.0's arc4random(3) implementation
+
+	* Deprecated the SSL_OP_SINGLE_DH_USE flag by disabling its effect
+
+	* Fixes from OpenSSL 1.0.1q
+	 - CVE-2015-3194 - NULL pointer dereference in client side certificate
+	                   validation.
+	 - CVE-2015-3195 - Memory leak in PKCS7 - not reachable from TLS/SSL
+
+	* The following OpenSSL CVEs did not apply to LibreSSL
+	 - CVE-2015-3193 - Carry propagating bug in the x86_64 Montgomery
+	                   squaring procedure.
+	 - CVE-2015-3196 - Double free race condition of the identify hint
+	                   data.
+
+	 See https://marc.info/?l=openbsd-announce&m=144925068504102
+
+2.3.1 - ASN.1 and time handling cleanups
+
+	* ASN.1 cleanups and RFC5280 compliance fixes.
+
+	* Time representations switched from 'unsigned long' to 'time_t'. LibreSSL
+	  now checks if the host OS supports 64-bit time_t.
+
+	* Fixed a leak in SSL_new in the error path.
+
+	* Support always extracting the peer cipher and version with libtls.
+
+	* Added ability to check certificate validity times with libtls,
+	  tls_peer_cert_notbefore and tls_peer_cert_notafter.
+
+	* Changed tls_connect_servername to use the first address that resolves with
+	  getaddrinfo().
+
+	* Remove broken conditional EVP_CHECK_DES_KEY code (non-functional since
+	  initial commit in 2004).
+
+	* Fixed a memory leak and out-of-bounds access in OBJ_obj2txt, reported
+	  by Qualys Security.
+
+	* Fixed an up-to 7 byte overflow in RC4 when len is not a multiple of
+	  sizeof(RC4_CHUNK), reported by Pascal Cuoq <cuoq at trust-in-soft.com>.
+
+	* Reject too small bits value in BN_generate_prime_ex(), so that it does
+	  not risk becoming negative in probable_prime_dh_safe(), reported by
+		Franck Denis.
+
+	* Enable nc(1) builds on more platforms.
+
 2.3.0 - SSLv3 removed, libtls API changes, portability improvements
 
 	* SSLv3 is now permanently removed from the tree.

Makefile.am

@@ -5,4 +5,7 @@ pkgconfigdir = $(libdir)/pkgconfig
 pkgconfig_DATA = libcrypto.pc libssl.pc libtls.pc openssl.pc
 
 EXTRA_DIST = README.md README.windows VERSION config scripts
-EXTRA_DIST += CMakeLists.txt
+EXTRA_DIST += CMakeLists.txt cmake_uninstall.cmake.in
+
+.PHONY: install_sw
+install_sw: install

Makefile.am.common

@@ -1,2 +1,2 @@
-AM_CFLAGS = -I$(top_srcdir)/include -I$(top_srcdir)/include/compat
-AM_CPPFLAGS = -DLIBRESSL_INTERNAL
+AM_CFLAGS =
+AM_CPPFLAGS = -I$(top_srcdir)/include -I$(top_srcdir)/include/compat -DLIBRESSL_INTERNAL

README.md

@@ -30,7 +30,7 @@ At the time of this writing, LibreSSL is know to build and work on:
 
 * Linux (kernel 3.17 or later recommended)
 * FreeBSD (tested with 9.2 and later)
-* NetBSD (tested with 6.1.5)
+* NetBSD (7.0 or later recommended)
 * HP-UX (11i)
 * Solaris (11 and later preferred)
 * Mac OS X (tested with 10.8 and later)

apps/CMakeLists.txt

@@ -1,81 +1,2 @@
-include_directories(
-	.
-	../include
-	../include/compat
-	./openssl
-)
-
-set(
-	OPENSSL_SRC
-	openssl/apps.c
-	openssl/asn1pars.c
-	openssl/ca.c
-	openssl/ciphers.c
-	openssl/cms.c
-	openssl/crl.c
-	openssl/crl2p7.c
-	openssl/dgst.c
-	openssl/dh.c
-	openssl/dhparam.c
-	openssl/dsa.c
-	openssl/dsaparam.c
-	openssl/ec.c
-	openssl/ecparam.c
-	openssl/enc.c
-	openssl/errstr.c
-	openssl/gendh.c
-	openssl/gendsa.c
-	openssl/genpkey.c
-	openssl/genrsa.c
-	openssl/nseq.c
-	openssl/ocsp.c
-	openssl/openssl.c
-	openssl/passwd.c
-	openssl/pkcs12.c
-	openssl/pkcs7.c
-	openssl/pkcs8.c
-	openssl/pkey.c
-	openssl/pkeyparam.c
-	openssl/pkeyutl.c
-	openssl/prime.c
-	openssl/rand.c
-	openssl/req.c
-	openssl/rsa.c
-	openssl/rsautl.c
-	openssl/s_cb.c
-	openssl/s_client.c
-	openssl/s_server.c
-	openssl/s_socket.c
-	openssl/s_time.c
-	openssl/sess_id.c
-	openssl/smime.c
-	openssl/speed.c
-	openssl/spkac.c
-	openssl/ts.c
-	openssl/verify.c
-	openssl/version.c
-	openssl/x509.c
-)
-
-if(CMAKE_HOST_UNIX)
-	set(OPENSSL_SRC ${OPENSSL_SRC} openssl/apps_posix.c)
-	set(OPENSSL_SRC ${OPENSSL_SRC} openssl/certhash.c)
-endif()
-
-if(CMAKE_HOST_WIN32)
-	set(OPENSSL_SRC ${OPENSSL_SRC} openssl/compat/apps_win.c)
-	set(OPENSSL_SRC ${OPENSSL_SRC} openssl/compat/certhash_win.c)
-	set(OPENSSL_SRC ${OPENSSL_SRC} openssl/compat/poll_win.c)
-endif()
-
-check_function_exists(strtonum HAVE_STRTONUM)
-if(HAVE_STRTONUM)
-	add_definitions(-DHAVE_STRTONUM)
-else()
-	set(OPENSSL_SRC ${OPENSSL_SRC} openssl/compat/strtonum.c)
-endif()
-
-add_executable(openssl ${OPENSSL_SRC})
-target_link_libraries(openssl ${OPENSSL_LIBS})
-
-install(TARGETS openssl DESTINATION bin)
+add_subdirectory(openssl)
+add_subdirectory(nc)

apps/nc/CMakeLists.txt

@@ -0,0 +1,60 @@
+if(BUILD_NC)
+
+include_directories(
+	.
+	./compat
+	../../include
+	../../include/compat
+)
+
+set(
+	NC_SRC
+	atomicio.c
+	netcat.c
+	socks.c
+	compat/socket.c
+)
+
+check_function_exists(b64_ntop HAVE_B64_NTOP)
+if(HAVE_B64_NTOP)
+	add_definitions(-DHAVE_B64_NTOP)
+else()
+	set(NC_SRC ${NC_SRC} compat/base64.c)
+endif()
+
+check_function_exists(accept4 HAVE_ACCEPT4)
+if(HAVE_ACCEPT4)
+	add_definitions(-DHAVE_ACCEPT4)
+else()
+	set(NC_SRC ${NC_SRC} compat/accept4.c)
+endif()
+
+check_function_exists(readpassphrase HAVE_READPASSPHRASE)
+if(HAVE_READPASSPHRASE)
+	add_definitions(-DHAVE_READPASSPHRASE)
+else()
+	set(NC_SRC ${NC_SRC} compat/readpassphrase.c)
+endif()
+
+check_function_exists(strtonum HAVE_STRTONUM)
+if(HAVE_STRTONUM)
+	add_definitions(-DHAVE_STRTONUM)
+else()
+	set(NC_SRC ${NC_SRC} compat/strtonum.c)
+endif()
+
+if(NOT "${OPENSSLDIR}" STREQUAL "")
+	add_definitions(-DDEFAULT_CA_FILE=\"${OPENSSLDIR}/cert.pem\")
+else()
+	add_definitions(-DDEFAULT_CA_FILE=\"${CMAKE_INSTALL_PREFIX}/etc/ssl/cert.pem\")
+endif()
+
+add_executable(nc ${NC_SRC})
+target_link_libraries(nc tls ${OPENSSL_LIBS})
+
+if(ENABLE_NC)
+	install(TARGETS nc DESTINATION bin)
+	install(FILES nc.1 DESTINATION share/man/man1)
+endif()
+
+endif()

apps/nc/Makefile.am

@@ -2,16 +2,21 @@ include $(top_srcdir)/Makefile.am.common
 
 if BUILD_NC
 
+if ENABLE_NC
+bin_PROGRAMS = nc
+else
 noinst_PROGRAMS = nc
+endif
 
 EXTRA_DIST = nc.1
+EXTRA_DIST += CMakeLists.txt
 
 nc_LDADD = $(PLATFORM_LDADD) $(PROG_LDADD)
-nc_LDADD += $(top_builddir)/crypto/libcrypto.la
-nc_LDADD += $(top_builddir)/ssl/libssl.la
-nc_LDADD += $(top_builddir)/tls/libtls.la
+nc_LDADD += $(abs_top_builddir)/crypto/libcrypto.la
+nc_LDADD += $(abs_top_builddir)/ssl/libssl.la
+nc_LDADD += $(abs_top_builddir)/tls/libtls.la
 
-CPPFLAGS += -I$(top_srcdir)/apps/nc/compat
+AM_CPPFLAGS += -I$(top_srcdir)/apps/nc/compat
 
 nc_SOURCES = atomicio.c
 nc_SOURCES += netcat.c
@@ -21,6 +26,10 @@ noinst_HEADERS += compat/sys/socket.h
 
 nc_SOURCES += compat/socket.c
 
+if !HAVE_B64_NTOP
+nc_SOURCES += compat/base64.c
+endif
+
 if !HAVE_ACCEPT4
 nc_SOURCES += compat/accept4.c
 endif

apps/nc/compat/base64.c

@@ -0,0 +1,315 @@
+/*	$OpenBSD: base64.c,v 1.8 2015/01/16 16:48:51 deraadt Exp $	*/
+
+/*
+ * Copyright (c) 1996 by Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND INTERNET SOFTWARE CONSORTIUM DISCLAIMS
+ * ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES
+ * OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL INTERNET SOFTWARE
+ * CONSORTIUM BE LIABLE FOR ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL
+ * DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR
+ * PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS
+ * ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS
+ * SOFTWARE.
+ */
+
+/*
+ * Portions Copyright (c) 1995 by International Business Machines, Inc.
+ *
+ * International Business Machines, Inc. (hereinafter called IBM) grants
+ * permission under its copyrights to use, copy, modify, and distribute this
+ * Software with or without fee, provided that the above copyright notice and
+ * all paragraphs of this notice appear in all copies, and that the name of IBM
+ * not be used in connection with the marketing of any product incorporating
+ * the Software or modifications thereof, without specific, written prior
+ * permission.
+ *
+ * To the extent it has a right to do so, IBM grants an immunity from suit
+ * under its patents, if any, for the use, sale or manufacture of products to
+ * the extent that such products are used for performing Domain Name System
+ * dynamic updates in TCP/IP networks by means of the Software.  No immunity is
+ * granted for any product per se or for any other function of any product.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", AND IBM DISCLAIMS ALL WARRANTIES,
+ * INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A
+ * PARTICULAR PURPOSE.  IN NO EVENT SHALL IBM BE LIABLE FOR ANY SPECIAL,
+ * DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER ARISING
+ * OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE, EVEN
+ * IF IBM IS APPRISED OF THE POSSIBILITY OF SUCH DAMAGES.
+ */
+
+#include <sys/types.h>
+#include <sys/socket.h>
+#include <netinet/in.h>
+#include <arpa/inet.h>
+#include <arpa/nameser.h>
+
+#include <ctype.h>
+#include <resolv.h>
+#include <stdio.h>
+
+#include <stdlib.h>
+#include <string.h>
+
+static const char Base64[] =
+	"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";
+static const char Pad64 = '=';
+
+/* (From RFC1521 and draft-ietf-dnssec-secext-03.txt)
+   The following encoding technique is taken from RFC 1521 by Borenstein
+   and Freed.  It is reproduced here in a slightly edited form for
+   convenience.
+
+   A 65-character subset of US-ASCII is used, enabling 6 bits to be
+   represented per printable character. (The extra 65th character, "=",
+   is used to signify a special processing function.)
+
+   The encoding process represents 24-bit groups of input bits as output
+   strings of 4 encoded characters. Proceeding from left to right, a
+   24-bit input group is formed by concatenating 3 8-bit input groups.
+   These 24 bits are then treated as 4 concatenated 6-bit groups, each
+   of which is translated into a single digit in the base64 alphabet.
+
+   Each 6-bit group is used as an index into an array of 64 printable
+   characters. The character referenced by the index is placed in the
+   output string.
+
+                         Table 1: The Base64 Alphabet
+
+      Value Encoding  Value Encoding  Value Encoding  Value Encoding
+          0 A            17 R            34 i            51 z
+          1 B            18 S            35 j            52 0
+          2 C            19 T            36 k            53 1
+          3 D            20 U            37 l            54 2
+          4 E            21 V            38 m            55 3
+          5 F            22 W            39 n            56 4
+          6 G            23 X            40 o            57 5
+          7 H            24 Y            41 p            58 6
+          8 I            25 Z            42 q            59 7
+          9 J            26 a            43 r            60 8
+         10 K            27 b            44 s            61 9
+         11 L            28 c            45 t            62 +
+         12 M            29 d            46 u            63 /
+         13 N            30 e            47 v
+         14 O            31 f            48 w         (pad) =
+         15 P            32 g            49 x
+         16 Q            33 h            50 y
+
+   Special processing is performed if fewer than 24 bits are available
+   at the end of the data being encoded.  A full encoding quantum is
+   always completed at the end of a quantity.  When fewer than 24 input
+   bits are available in an input group, zero bits are added (on the
+   right) to form an integral number of 6-bit groups.  Padding at the
+   end of the data is performed using the '=' character.
+
+   Since all base64 input is an integral number of octets, only the
+         -------------------------------------------------                       
+   following cases can arise:
+   
+       (1) the final quantum of encoding input is an integral
+           multiple of 24 bits; here, the final unit of encoded
+	   output will be an integral multiple of 4 characters
+	   with no "=" padding,
+       (2) the final quantum of encoding input is exactly 8 bits;
+           here, the final unit of encoded output will be two
+	   characters followed by two "=" padding characters, or
+       (3) the final quantum of encoding input is exactly 16 bits;
+           here, the final unit of encoded output will be three
+	   characters followed by one "=" padding character.
+   */
+
+int
+b64_ntop(src, srclength, target, targsize)
+	u_char const *src;
+	size_t srclength;
+	char *target;
+	size_t targsize;
+{
+	size_t datalength = 0;
+	u_char input[3];
+	u_char output[4];
+	int i;
+
+	while (2 < srclength) {
+		input[0] = *src++;
+		input[1] = *src++;
+		input[2] = *src++;
+		srclength -= 3;
+
+		output[0] = input[0] >> 2;
+		output[1] = ((input[0] & 0x03) << 4) + (input[1] >> 4);
+		output[2] = ((input[1] & 0x0f) << 2) + (input[2] >> 6);
+		output[3] = input[2] & 0x3f;
+
+		if (datalength + 4 > targsize)
+			return (-1);
+		target[datalength++] = Base64[output[0]];
+		target[datalength++] = Base64[output[1]];
+		target[datalength++] = Base64[output[2]];
+		target[datalength++] = Base64[output[3]];
+	}
+    
+	/* Now we worry about padding. */
+	if (0 != srclength) {
+		/* Get what's left. */
+		input[0] = input[1] = input[2] = '\0';
+		for (i = 0; i < srclength; i++)
+			input[i] = *src++;
+	
+		output[0] = input[0] >> 2;
+		output[1] = ((input[0] & 0x03) << 4) + (input[1] >> 4);
+		output[2] = ((input[1] & 0x0f) << 2) + (input[2] >> 6);
+
+		if (datalength + 4 > targsize)
+			return (-1);
+		target[datalength++] = Base64[output[0]];
+		target[datalength++] = Base64[output[1]];
+		if (srclength == 1)
+			target[datalength++] = Pad64;
+		else
+			target[datalength++] = Base64[output[2]];
+		target[datalength++] = Pad64;
+	}
+	if (datalength >= targsize)
+		return (-1);
+	target[datalength] = '\0';	/* Returned value doesn't count \0. */
+	return (datalength);
+}
+
+/* skips all whitespace anywhere.
+   converts characters, four at a time, starting at (or after)
+   src from base - 64 numbers into three 8 bit bytes in the target area.
+   it returns the number of data bytes stored at the target, or -1 on error.
+ */
+
+int
+b64_pton(src, target, targsize)
+	char const *src;
+	u_char *target;
+	size_t targsize;
+{
+	int tarindex, state, ch;
+	u_char nextbyte;
+	char *pos;
+
+	state = 0;
+	tarindex = 0;
+
+	while ((ch = (unsigned char)*src++) != '\0') {
+		if (isspace(ch))	/* Skip whitespace anywhere. */
+			continue;
+
+		if (ch == Pad64)
+			break;
+
+		pos = strchr(Base64, ch);
+		if (pos == 0) 		/* A non-base64 character. */
+			return (-1);
+
+		switch (state) {
+		case 0:
+			if (target) {
+				if (tarindex >= targsize)
+					return (-1);
+				target[tarindex] = (pos - Base64) << 2;
+			}
+			state = 1;
+			break;
+		case 1:
+			if (target) {
+				if (tarindex >= targsize)
+					return (-1);
+				target[tarindex]   |=  (pos - Base64) >> 4;
+				nextbyte = ((pos - Base64) & 0x0f) << 4;
+				if (tarindex + 1 < targsize)
+					target[tarindex+1] = nextbyte;
+				else if (nextbyte)
+					return (-1);
+			}
+			tarindex++;
+			state = 2;
+			break;
+		case 2:
+			if (target) {
+				if (tarindex >= targsize)
+					return (-1);
+				target[tarindex]   |=  (pos - Base64) >> 2;
+				nextbyte = ((pos - Base64) & 0x03) << 6;
+				if (tarindex + 1 < targsize)
+					target[tarindex+1] = nextbyte;
+				else if (nextbyte)
+					return (-1);
+			}
+			tarindex++;
+			state = 3;
+			break;
+		case 3:
+			if (target) {
+				if (tarindex >= targsize)
+					return (-1);
+				target[tarindex] |= (pos - Base64);
+			}
+			tarindex++;
+			state = 0;
+			break;
+		}
+	}
+
+	/*
+	 * We are done decoding Base-64 chars.  Let's see if we ended
+	 * on a byte boundary, and/or with erroneous trailing characters.
+	 */
+
+	if (ch == Pad64) {			/* We got a pad char. */
+		ch = (unsigned char)*src++;	/* Skip it, get next. */
+		switch (state) {
+		case 0:		/* Invalid = in first position */
+		case 1:		/* Invalid = in second position */
+			return (-1);
+
+		case 2:		/* Valid, means one byte of info */
+			/* Skip any number of spaces. */
+			for (; ch != '\0'; ch = (unsigned char)*src++)
+				if (!isspace(ch))
+					break;
+			/* Make sure there is another trailing = sign. */
+			if (ch != Pad64)
+				return (-1);
+			ch = (unsigned char)*src++;		/* Skip the = */
+			/* Fall through to "single trailing =" case. */
+			/* FALLTHROUGH */
+
+		case 3:		/* Valid, means two bytes of info */
+			/*
+			 * We know this char is an =.  Is there anything but
+			 * whitespace after it?
+			 */
+			for (; ch != '\0'; ch = (unsigned char)*src++)
+				if (!isspace(ch))
+					return (-1);
+
+			/*
+			 * Now make sure for cases 2 and 3 that the "extra"
+			 * bits that slopped past the last full byte were
+			 * zeros.  If we don't check them, they become a
+			 * subliminal channel.
+			 */
+			if (target && tarindex < targsize &&
+			    target[tarindex] != 0)
+				return (-1);
+		}
+	} else {
+		/*
+		 * We ended by seeing the end of the string.  Make sure we
+		 * have no partial bytes lying around.
+		 */
+		if (state != 0)
+			return (-1);
+	}
+
+	return (tarindex);
+}

apps/nc/compat/readpassphrase.c

@@ -141,11 +141,11 @@ restart:
 			if (p < end) {
 				if ((flags & RPP_SEVENBIT))
 					ch &= 0x7f;
-				if (isalpha(ch)) {
+				if (isalpha((unsigned char)ch)) {
 					if ((flags & RPP_FORCELOWER))
-						ch = (char)tolower(ch);
+						ch = (char)tolower((unsigned char)ch);
 					if ((flags & RPP_FORCEUPPER))
-						ch = (char)toupper(ch);
+						ch = (char)toupper((unsigned char)ch);
 				}
 				*p++ = ch;
 			}

apps/openssl/CMakeLists.txt

@@ -0,0 +1,88 @@
+include_directories(
+	.
+	../../include
+	../../include/compat
+)
+
+set(
+	OPENSSL_SRC
+	apps.c
+	asn1pars.c
+	ca.c
+	ciphers.c
+	crl.c
+	crl2p7.c
+	dgst.c
+	dh.c
+	dhparam.c
+	dsa.c
+	dsaparam.c
+	ec.c
+	ecparam.c
+	enc.c
+	errstr.c
+	gendh.c
+	gendsa.c
+	genpkey.c
+	genrsa.c
+	nseq.c
+	ocsp.c
+	openssl.c
+	passwd.c
+	pkcs12.c
+	pkcs7.c
+	pkcs8.c
+	pkey.c
+	pkeyparam.c
+	pkeyutl.c
+	prime.c
+	rand.c
+	req.c
+	rsa.c
+	rsautl.c
+	s_cb.c
+	s_client.c
+	s_server.c
+	s_socket.c
+	s_time.c
+	sess_id.c
+	smime.c
+	speed.c
+	spkac.c
+	ts.c
+	verify.c
+	version.c
+	x509.c
+)
+
+if(CMAKE_HOST_UNIX)
+	set(OPENSSL_SRC ${OPENSSL_SRC} apps_posix.c)
+	set(OPENSSL_SRC ${OPENSSL_SRC} certhash.c)
+endif()
+
+if(CMAKE_HOST_WIN32)
+	set(OPENSSL_SRC ${OPENSSL_SRC} apps_win.c)
+	set(OPENSSL_SRC ${OPENSSL_SRC} certhash_win.c)
+	set(OPENSSL_SRC ${OPENSSL_SRC} compat/poll_win.c)
+endif()
+
+check_function_exists(strtonum HAVE_STRTONUM)
+if(HAVE_STRTONUM)
+	add_definitions(-DHAVE_STRTONUM)
+else()
+	set(OPENSSL_SRC ${OPENSSL_SRC} compat/strtonum.c)
+endif()
+
+add_executable(openssl ${OPENSSL_SRC})
+target_link_libraries(openssl ${OPENSSL_LIBS})
+
+install(TARGETS openssl DESTINATION bin)
+install(FILES openssl.1 DESTINATION share/man/man1)
+
+if(NOT "${OPENSSLDIR}" STREQUAL "")
+	set(CONF_DIR "${OPENSSLDIR}")
+else()
+	set(CONF_DIR "${CMAKE_INSTALL_PREFIX}/etc/ssl")
+endif()
+install(FILES cert.pem openssl.cnf x509v3.cnf DESTINATION ${CONF_DIR})
+install(DIRECTORY DESTINATION ${CONF_DIR}/cert)

apps/openssl/Makefile.am

@@ -5,14 +5,13 @@ bin_PROGRAMS = openssl
 dist_man_MANS = openssl.1
 
 openssl_LDADD = $(PLATFORM_LDADD) $(PROG_LDADD)
-openssl_LDADD += $(top_builddir)/ssl/libssl.la
-openssl_LDADD += $(top_builddir)/crypto/libcrypto.la
+openssl_LDADD += $(abs_top_builddir)/ssl/libssl.la
+openssl_LDADD += $(abs_top_builddir)/crypto/libcrypto.la
 
 openssl_SOURCES = apps.c
 openssl_SOURCES += asn1pars.c
 openssl_SOURCES += ca.c
 openssl_SOURCES += ciphers.c
-openssl_SOURCES += cms.c
 openssl_SOURCES += crl.c
 openssl_SOURCES += crl2p7.c
 openssl_SOURCES += dgst.c
@@ -60,11 +59,11 @@ openssl_SOURCES += x509.c
 if BUILD_CERTHASH
 openssl_SOURCES += certhash.c
 else
-openssl_SOURCES += compat/certhash_win.c
+openssl_SOURCES += certhash_win.c
 endif
 
 if HOST_WIN
-openssl_SOURCES += compat/apps_win.c
+openssl_SOURCES += apps_win.c
 else
 openssl_SOURCES += apps_posix.c
 endif
@@ -89,6 +88,7 @@ noinst_HEADERS += timeouts.h
 EXTRA_DIST = cert.pem
 EXTRA_DIST += openssl.cnf
 EXTRA_DIST += x509v3.cnf
+EXTRA_DIST += CMakeLists.txt
 
 install-exec-hook:
 	@if [ "@OPENSSLDIR@x" != "x" ]; then \

apps/openssl/apps_win.c

@@ -10,7 +10,7 @@
 #include <io.h>
 #include <fcntl.h>
 
-#include <apps.h>
+#include "apps.h"
 
 double
 app_tminterval(int stop, int usertime)

apps/openssl/certhash_win.c

@@ -3,7 +3,7 @@
  * certhash dummy implementation for platforms without symlinks
  */
 
-#include <apps.h>
+#include "apps.h"
 
 int
 certhash_main(int argc, char **argv)

autogen.sh

@@ -9,3 +9,7 @@ autoreconf -i -f
 sed 's/-fuse-linker-plugin)/-fuse-linker-plugin|-fstack-protector*)/' \
   ltmain.sh > ltmain.sh.fixed
 mv -f ltmain.sh.fixed ltmain.sh
+
+# Update config scripts and fixup permissions
+find . ! -perm -u=w -exec chmod u+w {} \;
+cp scripts/config.* .

cmake_uninstall.cmake.in

@@ -0,0 +1,21 @@
+if(NOT EXISTS "@CMAKE_CURRENT_BINARY_DIR@/install_manifest.txt")
+	message(FATAL_ERROR "Cannot find install manifest: @CMAKE_CURRENT_BINARY_DIR@/install_manifest.txt")
+endif(NOT EXISTS "@CMAKE_CURRENT_BINARY_DIR@/install_manifest.txt")
+
+file(READ "@CMAKE_CURRENT_BINARY_DIR@/install_manifest.txt" files)
+string(REGEX REPLACE "\n" ";" files "${files}")
+foreach(file ${files})
+	message(STATUS "Uninstalling $ENV{DESTDIR}${file}")
+	if(IS_SYMLINK "$ENV{DESTDIR}${file}" OR EXISTS "$ENV{DESTDIR}${file}")
+		exec_program(
+			"@CMAKE_COMMAND@" ARGS "-E remove \"$ENV{DESTDIR}${file}\""
+			OUTPUT_VARIABLE rm_out
+			RETURN_VALUE rm_retval
+			)
+		if(NOT "${rm_retval}" STREQUAL 0)
+			message(FATAL_ERROR "Problem when removing $ENV{DESTDIR}${file}")
+		endif(NOT "${rm_retval}" STREQUAL 0)
+	else(IS_SYMLINK "$ENV{DESTDIR}${file}" OR EXISTS "$ENV{DESTDIR}${file}")
+		message(STATUS "File $ENV{DESTDIR}${file} does not exist.")
+	endif(IS_SYMLINK "$ENV{DESTDIR}${file}" OR EXISTS "$ENV{DESTDIR}${file}")
+endforeach(file)

configure.ac

@@ -49,8 +49,10 @@ AM_CONDITIONAL([BUILD_CERTHASH], [test "x$ac_cv_func_symlink" = xyes])
 AC_CHECK_FUNC([funopen])
 
 CHECK_LIBC_COMPAT
-CHECK_LIBC_CRYPTO_COMPAT
+CHECK_SYSCALL_COMPAT
+CHECK_CRYPTO_COMPAT
 CHECK_VA_COPY
+CHECK_B64_NTOP
 
 AC_ARG_WITH([openssldir],
 	AS_HELP_STRING([--with-openssldir],
@@ -112,6 +114,9 @@ AM_CONDITIONAL([HOST_ASM_ELF_X86_64],
 AM_CONDITIONAL([HOST_ASM_MACOSX_X86_64],
     [test "x$HOST_ABI" = "xmacosx" -a "$host_cpu" = "x86_64" -a "x$enable_asm" != "xno"])
 
+# Check if time_t is sized correctly
+AC_CHECK_SIZEOF([time_t], [time.h])
+
 AC_CONFIG_FILES([
 	Makefile
 	include/Makefile
@@ -130,4 +135,12 @@ AC_CONFIG_FILES([
 	openssl.pc
 ])
 
+AM_CONDITIONAL([SMALL_TIME_T], [test "$ac_cv_sizeof_time_t" = "4"])
+if test "$ac_cv_sizeof_time_t" = "4"; then
+    echo " ** Warning, this system is unable to represent times past 2038"
+    echo " ** It will behave incorrectly when handling valid RFC5280 dates"
+fi
+
+AC_REQUIRE_AUX_FILE([tap-driver.sh])
+
 AC_OUTPUT

crypto/CMakeLists.txt

@@ -8,16 +8,107 @@ include_directories(
 	modes
 )
 
+if(HOST_ASM_ELF_X86_64)
+	set(
+		ASM_X86_64_ELF_SRC
+		aes/aes-elf-x86_64.s
+		aes/bsaes-elf-x86_64.s
+		aes/vpaes-elf-x86_64.s
+		aes/aesni-elf-x86_64.s
+		aes/aesni-sha1-elf-x86_64.s
+		bn/modexp512-elf-x86_64.s
+		bn/mont-elf-x86_64.s
+		bn/mont5-elf-x86_64.s
+		bn/gf2m-elf-x86_64.s
+		camellia/cmll-elf-x86_64.s
+		md5/md5-elf-x86_64.s
+		modes/ghash-elf-x86_64.s
+		rc4/rc4-elf-x86_64.s
+		rc4/rc4-md5-elf-x86_64.s
+		sha/sha1-elf-x86_64.s
+		sha/sha256-elf-x86_64.S
+		sha/sha512-elf-x86_64.S
+		whrlpool/wp-elf-x86_64.s
+		cpuid-elf-x86_64.S
+	)
+	add_definitions(-DAES_ASM)
+	add_definitions(-DBSAES_ASM)
+	add_definitions(-DVPAES_ASM)
+	add_definitions(-DOPENSSL_IA32_SSE2)
+	add_definitions(-DOPENSSL_BN_ASM_MONT)
+	add_definitions(-DOPENSSL_BN_ASM_MONT5)
+	add_definitions(-DOPENSSL_BN_ASM_GF2m)
+	add_definitions(-DMD5_ASM)
+	add_definitions(-DGHASH_ASM)
+	add_definitions(-DRSA_ASM)
+	add_definitions(-DSHA1_ASM)
+	add_definitions(-DSHA256_ASM)
+	add_definitions(-DSHA512_ASM)
+	add_definitions(-DWHIRLPOOL_ASM)
+	add_definitions(-DOPENSSL_CPUID_OBJ)
+	set(CRYPTO_SRC ${CRYPTO_SRC} ${ASM_X86_64_ELF_SRC})
+	set_property(SOURCE ${ASM_X86_64_ELF_SRC} PROPERTY LANGUAGE C)
+endif()
+
+if(HOST_ASM_MACOSX_X86_64)
+	set(
+		ASM_X86_64_MACOSX_SRC
+		aes/aes-macosx-x86_64.s
+		aes/bsaes-macosx-x86_64.s
+		aes/vpaes-macosx-x86_64.s
+		aes/aesni-macosx-x86_64.s
+		aes/aesni-sha1-macosx-x86_64.s
+		bn/modexp512-macosx-x86_64.s
+		bn/mont-macosx-x86_64.s
+		bn/mont5-macosx-x86_64.s
+		bn/gf2m-macosx-x86_64.s
+		camellia/cmll-macosx-x86_64.s
+		md5/md5-macosx-x86_64.s
+		modes/ghash-macosx-x86_64.s
+		rc4/rc4-macosx-x86_64.s
+		rc4/rc4-md5-macosx-x86_64.s
+		sha/sha1-macosx-x86_64.s
+		sha/sha256-macosx-x86_64.S
+		sha/sha512-macosx-x86_64.S
+		whrlpool/wp-macosx-x86_64.s
+		cpuid-macosx-x86_64.S
+	)
+	add_definitions(-DAES_ASM)
+	add_definitions(-DBSAES_ASM)
+	add_definitions(-DVPAES_ASM)
+	add_definitions(-DOPENSSL_IA32_SSE2)
+	add_definitions(-DOPENSSL_BN_ASM_MONT)
+	add_definitions(-DOPENSSL_BN_ASM_MONT5)
+	add_definitions(-DOPENSSL_BN_ASM_GF2m)
+	add_definitions(-DMD5_ASM)
+	add_definitions(-DGHASH_ASM)
+	add_definitions(-DRSA_ASM)
+	add_definitions(-DSHA1_ASM)
+	add_definitions(-DSHA256_ASM)
+	add_definitions(-DSHA512_ASM)
+	add_definitions(-DWHIRLPOOL_ASM)
+	add_definitions(-DOPENSSL_CPUID_OBJ)
+	set(CRYPTO_SRC ${CRYPTO_SRC} ${ASM_X86_64_MACOSX_SRC})
+	set_property(SOURCE ${ASM_X86_64_MACOSX_SRC} PROPERTY LANGUAGE C)
+endif()
+
+if((NOT HOST_ASM_ELF_X86_64) AND (NOT HOST_ASM_MACOSX_X86_64))
+	set(
+		CRYPTO_SRC
+		${CRYPTO_SRC}
+		aes/aes_cbc.c
+		aes/aes_core.c
+		camellia/camellia.c
+		camellia/cmll_cbc.c
+		rc4/rc4_enc.c
+		rc4/rc4_skey.c
+		whrlpool/wp_block.c
+	)
+endif()
+
 set(
 	CRYPTO_SRC
-
-	aes/aes_cbc.c
-	aes/aes_core.c
-	camellia/camellia.c
-	camellia/cmll_cbc.c
-	rc4/rc4_enc.c
-	rc4/rc4_skey.c
-	whrlpool/wp_block.c
+	${CRYPTO_SRC}
 	cpt_err.c
 	cryptlib.c
 	cversion.c
@@ -42,7 +133,6 @@ set(
 	asn1/a_digest.c
 	asn1/a_dup.c
 	asn1/a_enum.c
-	asn1/a_gentm.c
 	asn1/a_i2d_fp.c
 	asn1/a_int.c
 	asn1/a_mbstr.c
@@ -54,8 +144,8 @@ set(
 	asn1/a_strex.c
 	asn1/a_strnid.c
 	asn1/a_time.c
+	asn1/a_time_tm.c
 	asn1/a_type.c
-	asn1/a_utctm.c
 	asn1/a_utf8.c
 	asn1/a_verify.c
 	asn1/ameth_lib.c
@@ -595,6 +685,10 @@ if(NOT HAVE_STRNDUP)
 	endif()
 endif()
 
+if(NOT HAVE_TIMEGM)
+	set(CRYPTO_SRC ${CRYPTO_SRC} compat/timegm.c)
+endif()
+
 if(NOT HAVE_EXPLICIT_BZERO)
 	if(CMAKE_HOST_WIN32)
 		set(CRYPTO_SRC ${CRYPTO_SRC} compat/explicit_bzero_win.c)
@@ -614,18 +708,24 @@ if(NOT HAVE_ARC4RANDOM_BUF)
 			set(CRYPTO_SRC ${CRYPTO_SRC} compat/getentropy_aix.c)
 		elseif(CMAKE_SYSTEM_NAME MATCHES "FreeBSD")
 			set(CRYPTO_SRC ${CRYPTO_SRC} compat/getentropy_freebsd.c)
+		elseif(CMAKE_SYSTEM_NAME MATCHES "HP-UX")
+			set(CRYPTO_SRC ${CRYPTO_SRC} compat/getentropy_hpux.c)
 		elseif(CMAKE_SYSTEM_NAME MATCHES "Linux")
 			set(CRYPTO_SRC ${CRYPTO_SRC} compat/getentropy_linux.c)
 		elseif(CMAKE_SYSTEM_NAME MATCHES "NetBSD")
 			set(CRYPTO_SRC ${CRYPTO_SRC} compat/getentropy_netbsd.c)
 		elseif(CMAKE_SYSTEM_NAME MATCHES "Darwin")
-			set(CRYPTO_SRC ${CRYPTO_SRC} compat/getentropy_darwin.c)
+			set(CRYPTO_SRC ${CRYPTO_SRC} compat/getentropy_osx.c)
 		elseif(CMAKE_SYSTEM_NAME MATCHES "SunOS")
 			set(CRYPTO_SRC ${CRYPTO_SRC} compat/getentropy_solaris.c)
 		endif()
 	endif()
 endif()
 
+if(NOT HAVE_ARC4RANDOM_UNIFORM)
+	set(CRYPTO_SRC ${CRYPTO_SRC} compat/arc4random_uniform.c)
+endif()
+
 if(NOT HAVE_TIMINGSAFE_BCMP)
 	set(CRYPTO_SRC ${CRYPTO_SRC} compat/timingsafe_bcmp.c)
 endif()
@@ -634,11 +734,30 @@ if(NOT HAVE_TIMINGSAFE_MEMCMP)
 	set(CRYPTO_SRC ${CRYPTO_SRC} compat/timingsafe_memcmp.c)
 endif()
 
+if(NOT ENABLE_ASM)
+	add_definitions(-DOPENSSL_NO_ASM)
+else()
+	if(CMAKE_HOST_WIN32)
+		add_definitions(-DOPENSSL_NO_ASM)
+	endif()
+endif()
+
+if(NOT "${OPENSSLDIR}" STREQUAL "")
+	add_definitions(-DOPENSSLDIR=\"${OPENSSLDIR}\")
+else()
+	add_definitions(-DOPENSSLDIR=\"${CMAKE_INSTALL_PREFIX}/etc/ssl\")
+endif()
+
 if (BUILD_SHARED)
 	add_library(crypto-objects OBJECT ${CRYPTO_SRC})
 	add_library(crypto STATIC $<TARGET_OBJECTS:crypto-objects>)
 	add_library(crypto-shared SHARED $<TARGET_OBJECTS:crypto-objects>)
-	set_target_properties(crypto-shared PROPERTIES OUTPUT_NAME crypto)
+	if (WIN32)
+		target_link_libraries(crypto-shared crypto Ws2_32.lib)
+		set(CRYPTO_POSTFIX -${CRYPTO_MAJOR_VERSION})
+	endif()
+	set_target_properties(crypto-shared PROPERTIES
+		OUTPUT_NAME crypto${CRYPTO_POSTFIX} ARCHIVE_OUTPUT_NAME crypto)
 	set_target_properties(crypto-shared PROPERTIES VERSION
 		${CRYPTO_VERSION} SOVERSION ${CRYPTO_MAJOR_VERSION})
 	install(TARGETS crypto crypto-shared DESTINATION lib)

crypto/Makefile.am

@@ -1,8 +1,9 @@
 include $(top_srcdir)/Makefile.am.common
 
-AM_CFLAGS += -I$(top_srcdir)/crypto/asn1
-AM_CFLAGS += -I$(top_srcdir)/crypto/evp
-AM_CFLAGS += -I$(top_srcdir)/crypto/modes
+AM_CPPFLAGS += -I$(top_srcdir)/crypto/asn1
+AM_CPPFLAGS += -I$(top_srcdir)/crypto/evp
+AM_CPPFLAGS += -I$(top_srcdir)/crypto/modes
+AM_CPPFLAGS += -I$(top_srcdir)/crypto
 
 lib_LTLIBRARIES = libcrypto.la
 
@@ -13,8 +14,12 @@ EXTRA_DIST += CMakeLists.txt
 EXTRA_DIST += compat/strcasecmp.c
 
 libcrypto_la_LDFLAGS = -version-info @LIBCRYPTO_VERSION@ -no-undefined
-libcrypto_la_LIBADD = libcompat.la libcompatnoopt.la
-libcrypto_la_CPPFLAGS = -DLIBRESSL_INTERNAL
+libcrypto_la_LIBADD = libcompat.la
+if !HAVE_EXPLICIT_BZERO
+libcrypto_la_LIBADD += libcompatnoopt.la
+endif
+libcrypto_la_CPPFLAGS = $(AM_CPPFLAGS)
+libcrypto_la_CPPFLAGS += -DLIBRESSL_INTERNAL
 libcrypto_la_CPPFLAGS += -DOPENSSL_NO_HW_PADLOCK
 if OPENSSL_NO_ASM
 libcrypto_la_CPPFLAGS += -DOPENSSL_NO_ASM
@@ -30,13 +35,15 @@ else
 libcrypto_la_CPPFLAGS += -DOPENSSLDIR=\"$(sysconfdir)/ssl\"
 endif
 
-noinst_LTLIBRARIES = libcompat.la libcompatnoopt.la
+noinst_LTLIBRARIES = libcompat.la
 
 # compatibility functions that need to be built without optimizations
+if !HAVE_EXPLICIT_BZERO
+noinst_LTLIBRARIES += libcompatnoopt.la
+
 libcompatnoopt_la_CFLAGS = -O0
 libcompatnoopt_la_SOURCES =
 
-if !HAVE_EXPLICIT_BZERO
 if HOST_WIN
 libcompatnoopt_la_SOURCES += compat/explicit_bzero_win.c
 else
@@ -72,6 +79,10 @@ if !HAVE_INET_PTON
 libcompat_la_SOURCES += compat/inet_pton.c
 endif
 
+if !HAVE_TIMEGM
+libcompat_la_SOURCES += compat/timegm.c
+endif
+
 if !HAVE_REALLOCARRAY
 libcompat_la_SOURCES += compat/reallocarray.c
 endif
@@ -118,6 +129,7 @@ libcrypto_la_SOURCES += mem_dbg.c
 libcrypto_la_SOURCES += o_init.c
 libcrypto_la_SOURCES += o_str.c
 libcrypto_la_SOURCES += o_time.c
+noinst_HEADERS += constant_time_locl.h
 noinst_HEADERS += cryptlib.h
 noinst_HEADERS += md32_common.h
 noinst_HEADERS += o_time.h
@@ -140,7 +152,6 @@ libcrypto_la_SOURCES += asn1/a_d2i_fp.c
 libcrypto_la_SOURCES += asn1/a_digest.c
 libcrypto_la_SOURCES += asn1/a_dup.c
 libcrypto_la_SOURCES += asn1/a_enum.c
-libcrypto_la_SOURCES += asn1/a_gentm.c
 libcrypto_la_SOURCES += asn1/a_i2d_fp.c
 libcrypto_la_SOURCES += asn1/a_int.c
 libcrypto_la_SOURCES += asn1/a_mbstr.c
@@ -152,8 +163,8 @@ libcrypto_la_SOURCES += asn1/a_sign.c
 libcrypto_la_SOURCES += asn1/a_strex.c
 libcrypto_la_SOURCES += asn1/a_strnid.c
 libcrypto_la_SOURCES += asn1/a_time.c
+libcrypto_la_SOURCES += asn1/a_time_tm.c
 libcrypto_la_SOURCES += asn1/a_type.c
-libcrypto_la_SOURCES += asn1/a_utctm.c
 libcrypto_la_SOURCES += asn1/a_utf8.c
 libcrypto_la_SOURCES += asn1/a_verify.c
 libcrypto_la_SOURCES += asn1/ameth_lib.c

crypto/Makefile.am.arc4random

@@ -1,5 +1,6 @@
 if !HAVE_ARC4RANDOM_BUF
 libcompat_la_SOURCES += compat/arc4random.c
+libcompat_la_SOURCES += compat/arc4random_uniform.c
 
 if !HAVE_GETENTROPY
 if HOST_AIX

crypto/compat/posix_win.c

@@ -12,6 +12,7 @@
 #include <ws2tcpip.h>
 
 #include <errno.h>
+#include <stdint.h>
 #include <stdio.h>
 #include <stdlib.h>
 #include <string.h>
@@ -38,6 +39,20 @@ posix_fopen(const char *path, const char *mode)
 	return fopen(path, mode);
 }
 
+char *
+posix_fgets(char *s, int size, FILE *stream)
+{
+	char *ret = fgets(s, size, stream);
+	if (ret != NULL) {
+		size_t end = strlen(ret);
+		if (end >= 2 && ret[end - 2] == '\r' && ret[end - 1] == '\n') {
+			ret[end - 2] = '\n';
+			ret[end - 1] = '\0';
+		}
+	}
+	return ret;
+}
+
 int
 posix_rename(const char *oldpath, const char *newpath)
 {

crypto/compat/timegm.c

@@ -0,0 +1,220 @@
+/*
+ * ----------------------------------------------------------------------
+ * Copyright © 2005-2014 Rich Felker, et al.
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining
+ * a copy of this software and associated documentation files (the
+ * "Software"), to deal in the Software without restriction, including
+ * without limitation the rights to use, copy, modify, merge, publish,
+ * distribute, sublicense, and/or sell copies of the Software, and to
+ * permit persons to whom the Software is furnished to do so, subject to
+ * the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be
+ * included in all copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
+ * EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
+ * MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT.
+ * IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY
+ * CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT,
+ * TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE
+ * SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
+ * ----------------------------------------------------------------------
+ */
+
+#include <errno.h>
+#include <limits.h>
+#include <time.h>
+
+/* 2000-03-01 (mod 400 year, immediately after feb29 */
+#define LEAPOCH (946684800LL + 86400*(31+29))
+
+#define DAYS_PER_400Y (365*400 + 97)
+#define DAYS_PER_100Y (365*100 + 24)
+#define DAYS_PER_4Y   (365*4   + 1)
+
+static int __month_to_secs(int month, int is_leap)
+{
+	static const int secs_through_month[] = {
+		0, 31*86400, 59*86400, 90*86400,
+		120*86400, 151*86400, 181*86400, 212*86400,
+		243*86400, 273*86400, 304*86400, 334*86400 };
+	int t = secs_through_month[month];
+	if (is_leap && month >= 2) t+=86400;
+	return t;
+}
+
+static long long __year_to_secs(long long year, int *is_leap)
+{
+	if (year-2ULL <= 136) {
+		int y = year;
+		int leaps = (y-68)>>2;
+		if (!((y-68)&3)) {
+			leaps--;
+			if (is_leap) *is_leap = 1;
+		} else if (is_leap) *is_leap = 0;
+		return 31536000*(y-70) + 86400*leaps;
+	}
+
+	int cycles, centuries, leaps, rem;
+
+	if (!is_leap) is_leap = &(int){0};
+	cycles = (year-100) / 400;
+	rem = (year-100) % 400;
+	if (rem < 0) {
+		cycles--;
+		rem += 400;
+	}
+	if (!rem) {
+		*is_leap = 1;
+		centuries = 0;
+		leaps = 0;
+	} else {
+		if (rem >= 200) {
+			if (rem >= 300) centuries = 3, rem -= 300;
+			else centuries = 2, rem -= 200;
+		} else {
+			if (rem >= 100) centuries = 1, rem -= 100;
+			else centuries = 0;
+		}
+		if (!rem) {
+			*is_leap = 0;
+			leaps = 0;
+		} else {
+			leaps = rem / 4U;
+			rem %= 4U;
+			*is_leap = !rem;
+		}
+	}
+
+	leaps += 97*cycles + 24*centuries - *is_leap;
+
+	return (year-100) * 31536000LL + leaps * 86400LL + 946684800 + 86400;
+}
+
+static long long __tm_to_secs(const struct tm *tm)
+{
+	int is_leap;
+	long long year = tm->tm_year;
+	int month = tm->tm_mon;
+	if (month >= 12 || month < 0) {
+		int adj = month / 12;
+		month %= 12;
+		if (month < 0) {
+			adj--;
+			month += 12;
+		}
+		year += adj;
+	}
+	long long t = __year_to_secs(year, &is_leap);
+	t += __month_to_secs(month, is_leap);
+	t += 86400LL * (tm->tm_mday-1);
+	t += 3600LL * tm->tm_hour;
+	t += 60LL * tm->tm_min;
+	t += tm->tm_sec;
+	return t;
+}
+
+static int __secs_to_tm(long long t, struct tm *tm)
+{
+	long long days, secs;
+	int remdays, remsecs, remyears;
+	int qc_cycles, c_cycles, q_cycles;
+	int years, months;
+	int wday, yday, leap;
+	static const char days_in_month[] = {31,30,31,30,31,31,30,31,30,31,31,29};
+
+	/* Reject time_t values whose year would overflow int */
+	if (t < INT_MIN * 31622400LL || t > INT_MAX * 31622400LL)
+		return -1;
+
+	secs = t - LEAPOCH;
+	days = secs / 86400;
+	remsecs = secs % 86400;
+	if (remsecs < 0) {
+		remsecs += 86400;
+		days--;
+	}
+
+	wday = (3+days)%7;
+	if (wday < 0) wday += 7;
+
+	qc_cycles = days / DAYS_PER_400Y;
+	remdays = days % DAYS_PER_400Y;
+	if (remdays < 0) {
+		remdays += DAYS_PER_400Y;
+		qc_cycles--;
+	}
+
+	c_cycles = remdays / DAYS_PER_100Y;
+	if (c_cycles == 4) c_cycles--;
+	remdays -= c_cycles * DAYS_PER_100Y;
+
+	q_cycles = remdays / DAYS_PER_4Y;
+	if (q_cycles == 25) q_cycles--;
+	remdays -= q_cycles * DAYS_PER_4Y;
+
+	remyears = remdays / 365;
+	if (remyears == 4) remyears--;
+	remdays -= remyears * 365;
+
+	leap = !remyears && (q_cycles || !c_cycles);
+	yday = remdays + 31 + 28 + leap;
+	if (yday >= 365+leap) yday -= 365+leap;
+
+	years = remyears + 4*q_cycles + 100*c_cycles + 400*qc_cycles;
+
+	for (months=0; days_in_month[months] <= remdays; months++)
+		remdays -= days_in_month[months];
+
+	if (years+100 > INT_MAX || years+100 < INT_MIN)
+		return -1;
+
+	tm->tm_year = years + 100;
+	tm->tm_mon = months + 2;
+	if (tm->tm_mon >= 12) {
+		tm->tm_mon -=12;
+		tm->tm_year++;
+	}
+	tm->tm_mday = remdays + 1;
+	tm->tm_wday = wday;
+	tm->tm_yday = yday;
+
+	tm->tm_hour = remsecs / 3600;
+	tm->tm_min = remsecs / 60 % 60;
+	tm->tm_sec = remsecs % 60;
+
+	return 0;
+}
+
+#ifdef _WIN32
+struct tm *__gmtime_r(const time_t *t, struct tm *tm)
+{
+	if (__secs_to_tm(*t, tm) < 0) {
+		errno = EOVERFLOW;
+		return 0;
+	}
+	tm->tm_isdst = 0;
+	return tm;
+}
+#endif
+
+time_t timegm(struct tm *tm)
+{
+	struct tm new;
+	long long t = __tm_to_secs(tm);
+	if (__secs_to_tm(t, &new) < 0) {
+		errno = EOVERFLOW;
+		return -1;
+	}
+#if SIZEOF_TIME_T != 8
+	if (t > (long long)INT_MAX || t < (long long)INT_MIN) {
+		errno = EOVERFLOW;
+		return -1;
+	}
+#endif
+	*tm = new;
+	tm->tm_isdst = 0;
+	return t;
+}

crypto/compat/ui_openssl_win.c

@@ -302,8 +302,12 @@ open_console(UI *ui)
 	tty_out = stderr;
 
 	HANDLE handle = GetStdHandle(STD_INPUT_HANDLE);
-	if (handle != INVALID_HANDLE_VALUE)
-		return GetConsoleMode(handle, &console_mode);
+	if (handle != NULL && handle != INVALID_HANDLE_VALUE) {
+		if (GetFileType(handle) == FILE_TYPE_CHAR)
+			return GetConsoleMode(handle, &console_mode);
+		else
+			return 1;
+	}
 	return 0;
 }
 
@@ -311,8 +315,12 @@ static int
 noecho_console(UI *ui)
 {
 	HANDLE handle = GetStdHandle(STD_INPUT_HANDLE);
-	if (handle != INVALID_HANDLE_VALUE)
-		return SetConsoleMode(handle, console_mode & ~ENABLE_ECHO_INPUT);
+	if (handle != NULL && handle != INVALID_HANDLE_VALUE) {
+		if (GetFileType(handle) == FILE_TYPE_CHAR)
+			return SetConsoleMode(handle, console_mode & ~ENABLE_ECHO_INPUT);
+		else
+			return 1;
+	}
 	return 0;
 }
 
@@ -320,8 +328,12 @@ static int
 echo_console(UI *ui)
 {
 	HANDLE handle = GetStdHandle(STD_INPUT_HANDLE);
-	if (handle != INVALID_HANDLE_VALUE)
-		return SetConsoleMode(handle, console_mode);
+	if (handle != NULL && handle != INVALID_HANDLE_VALUE) {
+		if (GetFileType(handle) == FILE_TYPE_CHAR)
+			return SetConsoleMode(handle, console_mode);
+		else
+			return 1;
+	}
 	return 0;
 }
 

dist-win.sh

@@ -22,7 +22,7 @@ for ARCH in X86 X64; do
 
 	echo Building for $HOST
 
-	CC=$HOST-gcc ./configure --host=$HOST
+	CC=$HOST-gcc ./configure --host=$HOST --with-openssldir=c:/libressl/ssl
 	make clean
 	PATH=$PATH:/usr/$HOST/sys-root/mingw/bin \
 	   make -j 4 check

include/CMakeLists.txt

@@ -2,4 +2,4 @@ install(DIRECTORY .
         DESTINATION include
         PATTERN "CMakeLists.txt" EXCLUDE
         PATTERN "compat" EXCLUDE
-        PATTERN "Makefile.*" EXCLUDE)
+        PATTERN "Makefile*" EXCLUDE)

include/Makefile.am

@@ -8,9 +8,11 @@ noinst_HEADERS = pqueue.h
 noinst_HEADERS += compat/dirent.h
 noinst_HEADERS += compat/dirent_msvc.h
 noinst_HEADERS += compat/err.h
+noinst_HEADERS += compat/limits.h
 noinst_HEADERS += compat/netdb.h
 noinst_HEADERS += compat/poll.h
 noinst_HEADERS += compat/readpassphrase.h
+noinst_HEADERS += compat/resolv.h
 noinst_HEADERS += compat/stdio.h
 noinst_HEADERS += compat/stdlib.h
 noinst_HEADERS += compat/string.h
@@ -27,7 +29,6 @@ noinst_HEADERS += compat/netinet/in.h
 noinst_HEADERS += compat/netinet/ip.h
 noinst_HEADERS += compat/netinet/tcp.h
 
-noinst_HEADERS += compat/sys/cdefs.h
 noinst_HEADERS += compat/sys/ioctl.h
 noinst_HEADERS += compat/sys/mman.h
 noinst_HEADERS += compat/sys/param.h

include/compat/err.h

@@ -13,20 +13,66 @@
 #define LIBCRYPTOCOMPAT_ERR_H
 
 #include <errno.h>
+#include <stdarg.h>
+#include <stdlib.h>
 #include <stdio.h>
 #include <string.h>
 
-#define err(exitcode, format, ...) \
-  errx(exitcode, format ": %s", ## __VA_ARGS__, strerror(errno))
+static inline void
+err(int eval, const char *fmt, ...)
+{
+	int sverrno = errno;
+	va_list ap;
 
-#define errx(exitcode, format, ...) \
-  do { warnx(format, ## __VA_ARGS__); exit(exitcode); } while (0)
+	va_start(ap, fmt);
+	if (fmt != NULL) {
+		vfprintf(stderr, fmt, ap);
+		fprintf(stderr, ": ");
+	}
+	fprintf(stderr, "%s\n", strerror(sverrno));
+	exit(eval);
+	va_end(ap);
+}
 
-#define warn(format, ...) \
-  warnx(format ": %s", ## __VA_ARGS__, strerror(errno))
+static inline void
+errx(int eval, const char *fmt, ...)
+{
+	va_list ap;
 
-#define warnx(format, ...) \
-  fprintf(stderr, format "\n", ## __VA_ARGS__)
+	va_start(ap, fmt);
+	if (fmt != NULL)
+		vfprintf(stderr, fmt, ap);
+	fprintf(stderr, "\n");
+	exit(eval);
+	va_end(ap);
+}
+
+static inline void
+warn(const char *fmt, ...)
+{
+	int sverrno = errno;
+	va_list ap;
+
+	va_start(ap, fmt);
+	if (fmt != NULL) {
+		vfprintf(stderr, fmt, ap);
+		fprintf(stderr, ": ");
+	}
+	fprintf(stderr, "%s\n", strerror(sverrno));
+	va_end(ap);
+}
+
+static inline void
+warnx(const char *fmt, ...)
+{
+	va_list ap;
+
+	va_start(ap, fmt);
+	if (fmt != NULL)
+		vfprintf(stderr, fmt, ap);
+	fprintf(stderr, "\n");
+	va_end(ap);
+}
 
 #endif
 

include/compat/limits.h

@@ -0,0 +1,17 @@
+/*
+ * Public domain
+ * limits.h compatibility shim
+ */
+
+#ifdef _MSC_VER
+#include <../include/limits.h>
+#else
+#include_next <limits.h>
+#endif
+
+#ifdef __hpux
+#include <sys/param.h>
+#ifndef PATH_MAX
+#define PATH_MAX MAXPATHLEN
+#endif
+#endif

include/compat/netinet/ip.h

@@ -3,6 +3,10 @@
  * netinet/ip.h compatibility shim
  */
 
+#if defined(__hpux)
+#include <netinet/in_systm.h>
+#endif
+
 #ifndef _WIN32
 #include_next <netinet/ip.h>
 #else

include/compat/readpassphrase.h

@@ -37,11 +37,7 @@
 #define RPP_SEVENBIT    0x10		/* Strip the high bit from input. */
 #define RPP_STDIN       0x20		/* Read from stdin, not /dev/tty */
 
-#include <sys/cdefs.h>
-
-__BEGIN_DECLS
 char * readpassphrase(const char *, char *, size_t, int);
-__END_DECLS
 
 #endif /* !_READPASSPHRASE_H_ */
 

include/compat/resolv.h

@@ -0,0 +1,24 @@
+/*
+ * Public domain
+ * resolv.h compatibility shim
+ */
+
+#ifndef LIBCRYPTOCOMPAT_RESOLV_H
+#define LIBCRYPTOCOMPAT_RESOLV_H
+
+#ifdef _MSC_VER
+#if _MSC_VER >= 1900
+#include <../ucrt/resolv.h>
+#else
+#include <../include/resolv.h>
+#endif
+#else
+#include_next <resolv.h>
+#endif
+
+#ifndef HAVE_B64_NTOP
+int b64_ntop(unsigned char const *, size_t, char *, size_t);
+int b64_pton(char const *, unsigned char *, size_t);
+#endif
+
+#endif

include/compat/stdio.h

@@ -28,11 +28,13 @@ int asprintf(char **str, const char *fmt, ...);
 
 void posix_perror(const char *s);
 FILE * posix_fopen(const char *path, const char *mode);
+char * posix_fgets(char *s, int size, FILE *stream);
 int posix_rename(const char *oldpath, const char *newpath);
 
 #ifndef NO_REDEF_POSIX_FUNCTIONS
 #define perror(errnum) posix_perror(errnum)
 #define fopen(path, mode) posix_fopen(path, mode)
+#define fgets(s, size, stream) posix_fgets(s, size, stream)
 #define rename(oldpath, newpath) posix_rename(oldpath, newpath)
 #endif
 

include/compat/stdlib.h

@@ -22,6 +22,7 @@
 #ifndef HAVE_ARC4RANDOM_BUF
 uint32_t arc4random(void);
 void arc4random_buf(void *_buf, size_t n);
+uint32_t arc4random_uniform(uint32_t upper_bound);
 #endif
 
 #ifndef HAVE_REALLOCARRAY

include/compat/string.h

@@ -18,9 +18,10 @@
 
 #include <sys/types.h>
 
-#if defined(__sun) || defined(__hpux)
+#if defined(__sun) || defined(_AIX) || defined(__hpux)
 /* Some functions historically defined in string.h were placed in strings.h by
- * SUS. Use the same hack as OS X and FreeBSD use to work around on Solaris and HPUX.
+ * SUS. Use the same hack as OS X and FreeBSD use to work around on AIX,
+ * Solaris, and HPUX.
  */
 #include <strings.h>
 #endif

include/compat/sys/cdefs.h

@@ -1,31 +0,0 @@
-/*
- * Public domain
- * sys/cdefs.h compatibility shim
- */
-
-#ifndef LIBCRYPTOCOMPAT_SYS_CDEFS_H
-#define LIBCRYPTOCOMPAT_SYS_CDEFS_H
-
-#ifdef _WIN32
-
-#define __warn_references(sym,msg)
-
-#else
-
-#include_next <sys/cdefs.h>
-
-#ifndef __warn_references
-
-#if defined(__GNUC__)  && defined (HAS_GNU_WARNING_LONG)
-#define __warn_references(sym,msg)          \
-  __asm__(".section .gnu.warning." __STRING(sym)  \
-         " ; .ascii \"" msg "\" ; .text");
-#else
-#define __warn_references(sym,msg)
-#endif
-
-#endif /* __warn_references */
-
-#endif /* _WIN32 */
-
-#endif /* LIBCRYPTOCOMPAT_SYS_CDEFS_H */

include/compat/sys/types.h

@@ -44,4 +44,25 @@ typedef SSIZE_T ssize_t;
 # define __bounded__(x, y, z)
 #endif
 
+#ifdef _WIN32
+#define __warn_references(sym,msg)
+#else
+
+#ifndef __warn_references
+
+#ifndef __STRING
+#define __STRING(x) #x
+#endif
+
+#if defined(__GNUC__)  && defined (HAS_GNU_WARNING_LONG)
+#define __warn_references(sym,msg)          \
+  __asm__(".section .gnu.warning." __STRING(sym)  \
+         " ; .ascii \"" msg "\" ; .text");
+#else
+#define __warn_references(sym,msg)
+#endif
+
+#endif /* __warn_references */
+#endif /* _WIN32 */
+
 #endif

include/compat/time.h

@@ -9,7 +9,15 @@
 #else
 #include <../include/time.h>
 #endif
-#define gmtime_r(tp, tm) ((gmtime_s((tm), (tp)) == 0) ? (tm) : NULL)
 #else
 #include_next <time.h>
 #endif
+
+#ifdef _WIN32
+struct tm *__gmtime_r(const time_t * t, struct tm * tm);
+#define gmtime_r(tp, tm) __gmtime_r(tp, tm)
+#endif
+
+#ifndef HAVE_TIMEGM
+time_t timegm(struct tm *tm);
+#endif

include/compat/unistd.h

@@ -27,6 +27,15 @@ unsigned int sleep(unsigned int seconds);
 
 #ifndef HAVE_GETENTROPY
 int getentropy(void *buf, size_t buflen);
+#else
+/*
+ * Solaris 11.3 adds getentropy(2), but defines the function in sys/random.h
+ */
+#if defined(__sun)
+#include <sys/random.h>
+#endif
 #endif
 
+#define pledge(request, paths) 0
+
 #endif

include/compat/win32netcompat.h

@@ -11,14 +11,19 @@
 #ifdef _WIN32
 
 #include <ws2tcpip.h>
-
-#define SHUT_RDWR SD_BOTH
-#define SHUT_RD   SD_RECEIVE
-#define SHUT_WR   SD_SEND
-
 #include <errno.h>
 #include <unistd.h>
 
+#ifndef SHUT_RDWR
+#define SHUT_RDWR SD_BOTH
+#endif
+#ifndef SHUT_RD
+#define SHUT_RD   SD_RECEIVE
+#endif
+#ifndef SHUT_WR
+#define SHUT_WR   SD_SEND
+#endif
+
 int posix_connect(int sockfd, const struct sockaddr *addr, socklen_t addrlen);
 
 int posix_close(int fd);

libcrypto.pc.in

@@ -11,5 +11,5 @@ Version: @VERSION@
 Requires:
 Conflicts:
 Libs: -L${libdir} -lcrypto
-Libs.private: @LIBS@
+Libs.private: @LIBS@ @PLATFORM_LDADD@
 Cflags: -I${includedir}

libssl.pc.in

@@ -12,5 +12,5 @@ Requires:
 Requires.private: libcrypto
 Conflicts:
 Libs: -L${libdir} -lssl
-Libs.private: @LIBS@ -lcrypto
+Libs.private: @LIBS@ -lcrypto @PLATFORM_LDADD@
 Cflags: -I${includedir}

libtls-standalone/include/string.h

@@ -18,9 +18,10 @@
 
 #include <sys/types.h>
 
-#if defined(__sun) || defined(__hpux)
+#if defined(__sun) || defined(_AIX) || defined(__hpux)
 /* Some functions historically defined in string.h were placed in strings.h by
- * SUS. Use the same hack as OS X and FreeBSD use to work around on Solaris and HPUX.
+ * SUS. Use the same hack as OS X and FreeBSD use to work around on AIX,
+ * Solaris, and HPUX.
  */
 #include <strings.h>
 #endif

libtls-standalone/src/Makefile.am

@@ -8,6 +8,7 @@ libtls_la_LIBADD += $(top_builddir)/compat/libcompat.la
 libtls_la_LIBADD += $(top_builddir)/compat/libcompatnoopt.la
 
 libtls_la_SOURCES = tls.c
+libtls_la_SOURCES += tls_bio_cb.c
 libtls_la_SOURCES += tls_client.c
 libtls_la_SOURCES += tls_config.c
 libtls_la_SOURCES += tls_server.c

libtls-standalone/tests/test.c

@@ -5,7 +5,7 @@ int main()
 {
 	struct tls *tls;
 	struct tls_config *tls_config;
-	size_t written, read;
+	ssize_t written, read;
 	char buf[4096];
 
 	if (tls_init() != 0) {
@@ -31,10 +31,10 @@ int main()
 	if (tls_connect(tls, "google.com", "443") != 0)
 		goto err;
 
-	if (tls_write(tls, "GET /\r\n", 7, &written) != 0)
+	if ((written = tls_write(tls, "GET /\r\n", 7)) < 0)
 		goto err;
 
-	if (tls_read(tls, buf, sizeof(buf), &read) != 0)
+	if ((read = tls_read(tls, buf, sizeof(buf))) < 0)
 		goto err;
 
 	buf[read - 1] = '\0';

libtls.pc.in

@@ -12,5 +12,5 @@ Requires:
 Requires.private: libcrypto libssl
 Conflicts:
 Libs: -L${libdir} -ltls
-Libs.private: @LIBS@ -lcrypto -lssl
+Libs.private: @LIBS@ -lcrypto -lssl @PLATFORM_LDADD@
 Cflags: -I${includedir}

m4/check-libc.m4

@@ -2,13 +2,12 @@ AC_DEFUN([CHECK_LIBC_COMPAT], [
 # Check for libc headers
 AC_CHECK_HEADERS([err.h readpassphrase.h])
 # Check for general libc functions
-AC_CHECK_FUNCS([accept4 asprintf inet_pton memmem poll readpassphrase reallocarray])
+AC_CHECK_FUNCS([asprintf inet_pton memmem readpassphrase reallocarray])
 AC_CHECK_FUNCS([strlcat strlcpy strndup strnlen strsep strtonum])
-AM_CONDITIONAL([HAVE_ACCEPT4], [test "x$ac_cv_func_accept4" = xyes])
+AC_CHECK_FUNCS([timegm _mkgmtime])
 AM_CONDITIONAL([HAVE_ASPRINTF], [test "x$ac_cv_func_asprintf" = xyes])
 AM_CONDITIONAL([HAVE_INET_PTON], [test "x$ac_cv_func_inet_pton" = xyes])
 AM_CONDITIONAL([HAVE_MEMMEM], [test "x$ac_cv_func_memmem" = xyes])
-AM_CONDITIONAL([HAVE_POLL], [test "x$ac_cv_func_poll" = xyes])
 AM_CONDITIONAL([HAVE_READPASSPHRASE], [test "x$ac_cv_func_readpassphrase" = xyes])
 AM_CONDITIONAL([HAVE_REALLOCARRAY], [test "x$ac_cv_func_reallocarray" = xyes])
 AM_CONDITIONAL([HAVE_STRLCAT], [test "x$ac_cv_func_strlcat" = xyes])
@@ -17,13 +16,42 @@ AM_CONDITIONAL([HAVE_STRNDUP], [test "x$ac_cv_func_strndup" = xyes])
 AM_CONDITIONAL([HAVE_STRNLEN], [test "x$ac_cv_func_strnlen" = xyes])
 AM_CONDITIONAL([HAVE_STRSEP], [test "x$ac_cv_func_strsep" = xyes])
 AM_CONDITIONAL([HAVE_STRTONUM], [test "x$ac_cv_func_strtonum" = xyes])
+AM_CONDITIONAL([HAVE_TIMEGM], [test "x$ac_cv_func_timegm" = xyes])
 ])
 
-AC_DEFUN([CHECK_LIBC_CRYPTO_COMPAT], [
-# Check crypto-related libc functions
-AC_CHECK_FUNCS([arc4random_buf explicit_bzero getauxval getentropy])
+AC_DEFUN([CHECK_SYSCALL_COMPAT], [
+AC_CHECK_FUNCS([accept4 pledge poll])
+AM_CONDITIONAL([HAVE_ACCEPT4], [test "x$ac_cv_func_accept4" = xyes])
+AM_CONDITIONAL([HAVE_PLEDGE], [test "x$ac_cv_func_pledge" = xyes])
+AM_CONDITIONAL([HAVE_POLL], [test "x$ac_cv_func_poll" = xyes])
+])
+
+AC_DEFUN([CHECK_B64_NTOP], [
+AC_SEARCH_LIBS([b64_ntop],[resolv])
+AC_SEARCH_LIBS([__b64_ntop],[resolv])
+AC_CACHE_CHECK([for b64_ntop], ac_cv_have_b64_ntop_arg, [
+	AC_LINK_IFELSE([AC_LANG_PROGRAM([[
+#include <sys/types.h>
+#include <sys/socket.h>
+#include <netinet/in.h>
+#include <arpa/inet.h>
+#include <resolv.h>
+		]], [[ b64_ntop(NULL, 0, NULL, 0); ]])],
+	[ ac_cv_have_b64_ntop_arg="yes" ],
+	[ ac_cv_have_b64_ntop_arg="no"
+	])
+])
+AM_CONDITIONAL([HAVE_B64_NTOP], [test "x$ac_cv_func_b64_ntop_arg" = xyes])
+])
+
+AC_DEFUN([CHECK_CRYPTO_COMPAT], [
+# Check crypto-related libc functions and syscalls
+AC_CHECK_FUNCS([arc4random arc4random_buf arc4random_uniform])
+AC_CHECK_FUNCS([explicit_bzero getauxval getentropy])
 AC_CHECK_FUNCS([timingsafe_bcmp timingsafe_memcmp])
+AM_CONDITIONAL([HAVE_ARC4RANDOM], [test "x$ac_cv_func_arc4random" = xyes])
 AM_CONDITIONAL([HAVE_ARC4RANDOM_BUF], [test "x$ac_cv_func_arc4random_buf" = xyes])
+AM_CONDITIONAL([HAVE_ARC4RANDOM_UNIFORM], [test "x$ac_cv_func_arc4random_uniform" = xyes])
 AM_CONDITIONAL([HAVE_EXPLICIT_BZERO], [test "x$ac_cv_func_explicit_bzero" = xyes])
 AM_CONDITIONAL([HAVE_GETENTROPY], [test "x$ac_cv_func_getentropy" = xyes])
 AM_CONDITIONAL([HAVE_TIMINGSAFE_BCMP], [test "x$ac_cv_func_timingsafe_bcmp" = xyes])
@@ -31,15 +59,15 @@ AM_CONDITIONAL([HAVE_TIMINGSAFE_MEMCMP], [test "x$ac_cv_func_timingsafe_memcmp"
 
 # Override arc4random_buf implementations with known issues
 AM_CONDITIONAL([HAVE_ARC4RANDOM_BUF],
-	[test "x$HOST_OS" != xdarwin \
-	   -a "x$HOST_OS" != xfreebsd \
-	   -a "x$HOST_OS" != xnetbsd \
+	[test "x$USE_BUILTIN_ARC4RANDOM" != xyes \
 	   -a "x$ac_cv_func_arc4random_buf" = xyes])
 
 # Check for getentropy fallback dependencies
 AC_CHECK_FUNC([getauxval])
-AC_CHECK_FUNC([clock_gettime],, [AC_SEARCH_LIBS([clock_gettime],[rt posix4])])
-AC_CHECK_FUNC([dl_iterate_phdr],, [AC_SEARCH_LIBS([dl_iterate_phdr],[dl])])
+AC_SEARCH_LIBS([clock_gettime],[rt posix4])
+AC_CHECK_FUNC([clock_gettime])
+AC_SEARCH_LIBS([dl_iterate_phdr],[dl])
+AC_CHECK_FUNC([dl_iterate_phdr])
 ])
 
 AC_DEFUN([CHECK_VA_COPY], [

m4/check-os-options.m4

@@ -1,7 +1,7 @@
-# This must be called before AC_PROG_CC
 AC_DEFUN([CHECK_OS_OPTIONS], [
 
 CFLAGS="$CFLAGS -Wall -std=gnu99 -fno-strict-aliasing"
+BUILD_NC=yes
 
 case $host_os in
 	*aix*)
@@ -15,14 +15,21 @@ case $host_os in
 		HOST_OS=cygwin
 		;;
 	*darwin*)
-		BUILD_NC=yes
 		HOST_OS=darwin
 		HOST_ABI=macosx
-		AC_SUBST([PROG_LDADD], ['-lresolv'])
+		# weak seed on failure to open /dev/random, based on latest
+		# public source:
+		# http://www.opensource.apple.com/source/Libc/Libc-997.90.3/gen/FreeBSD/arc4random.c
+		USE_BUILTIN_ARC4RANDOM=yes
+		# Not available on iOS
+		AC_CHECK_HEADER([arpa/telnet.h], [], [BUILD_NC=no])
 		;;
 	*freebsd*)
 		HOST_OS=freebsd
 		HOST_ABI=elf
+		# fork detection missing, weak seed on failure
+		# https://svnweb.freebsd.org/base/head/lib/libc/gen/arc4random.c?revision=268642&view=markup
+		USE_BUILTIN_ARC4RANDOM=yes
 		AC_SUBST([PROG_LDADD], ['-lthr'])
 		;;
 	*hpux*)
@@ -36,24 +43,32 @@ case $host_os in
 		AC_SUBST([PLATFORM_LDADD], ['-lpthread'])
 		;;
 	*linux*)
-		BUILD_NC=yes
 		HOST_OS=linux
 		HOST_ABI=elf
 		CPPFLAGS="$CPPFLAGS -D_DEFAULT_SOURCE -D_BSD_SOURCE -D_POSIX_SOURCE -D_GNU_SOURCE"
-		AC_SUBST([PROG_LDADD], ['-lresolv'])
 		;;
 	*netbsd*)
 		HOST_OS=netbsd
+		HOST_ABI=elf
+		AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
+#include <sys/param.h>
+#if __NetBSD_Version__ < 700000001
+        undefined
+#endif
+                       ]], [[]])],
+                       [ USE_BUILTIN_ARC4RANDOM=no ],
+                       [ USE_BUILTIN_ARC4RANDOM=yes ]
+		)
 		CPPFLAGS="$CPPFLAGS -D_OPENBSD_SOURCE"
 		;;
 	*openbsd* | *bitrig*)
-		BUILD_NC=yes
 		HOST_OS=openbsd
 		HOST_ABI=elf
 		AC_DEFINE([HAVE_ATTRIBUTE__BOUNDED__], [1], [OpenBSD gcc has bounded])
 		;;
 	*mingw*)
 		HOST_OS=win
+		BUILD_NC=no
 		CPPFLAGS="$CPPFLAGS -D_GNU_SOURCE -D_POSIX -D_POSIX_SOURCE -D__USE_MINGW_ANSI_STDIO"
 		CPPFLAGS="$CPPFLAGS -D_REENTRANT -D_POSIX_THREAD_SAFE_FUNCTIONS"
 		CPPFLAGS="$CPPFLAGS -DWIN32_LEAN_AND_MEAN -D_WIN32_WINNT=0x0501"
@@ -71,7 +86,11 @@ case $host_os in
 	*) ;;
 esac
 
-AM_CONDITIONAL([BUILD_NC],     [test x$BUILD_NC = xyes])
+AC_ARG_ENABLE([nc],
+	AS_HELP_STRING([--enable-nc], [Enable installing TLS-enabled nc(1)]))
+AM_CONDITIONAL([ENABLE_NC], [test "x$enable_nc" = xyes])
+AM_CONDITIONAL([BUILD_NC],  [test x$BUILD_NC = xyes -o "x$enable_nc" = xyes])
+
 AM_CONDITIONAL([HOST_AIX],     [test x$HOST_OS = xaix])
 AM_CONDITIONAL([HOST_CYGWIN],  [test x$HOST_OS = xcygwin])
 AM_CONDITIONAL([HOST_DARWIN],  [test x$HOST_OS = xdarwin])

man/links

@@ -230,6 +230,8 @@ CRYPTO_set_locking_callback.3,CRYPTO_THREADID_current.3
 CRYPTO_set_locking_callback.3,CRYPTO_THREADID_get_callback.3
 CRYPTO_set_locking_callback.3,CRYPTO_THREADID_hash.3
 CRYPTO_set_locking_callback.3,CRYPTO_THREADID_set_callback.3
+CRYPTO_set_locking_callback.3,CRYPTO_THREADID_set_numeric.3
+CRYPTO_set_locking_callback.3,CRYPTO_THREADID_set_pointer.3
 CRYPTO_set_locking_callback.3,CRYPTO_add.3
 CRYPTO_set_locking_callback.3,CRYPTO_add_lock.3
 CRYPTO_set_locking_callback.3,CRYPTO_destroy_dynlockid.3
@@ -301,6 +303,24 @@ DSA_set_method.3,DSA_set_default_method.3
 DSA_set_method.3,DSA_set_default_openssl_method.3
 DSA_sign.3,DSA_sign_setup.3
 DSA_sign.3,DSA_verify.3
+ECDSA_SIG_new.3,ECDSA_OpenSSL.3
+ECDSA_SIG_new.3,ECDSA_SIG_free.3
+ECDSA_SIG_new.3,ECDSA_do_sign.3
+ECDSA_SIG_new.3,ECDSA_do_sign_ex.3
+ECDSA_SIG_new.3,ECDSA_do_verify.3
+ECDSA_SIG_new.3,ECDSA_get_default_method.3
+ECDSA_SIG_new.3,ECDSA_get_ex_data.3
+ECDSA_SIG_new.3,ECDSA_get_ex_new_index.3
+ECDSA_SIG_new.3,ECDSA_set_default_method.3
+ECDSA_SIG_new.3,ECDSA_set_ex_data.3
+ECDSA_SIG_new.3,ECDSA_set_method.3
+ECDSA_SIG_new.3,ECDSA_sign.3
+ECDSA_SIG_new.3,ECDSA_sign_ex.3
+ECDSA_SIG_new.3,ECDSA_sign_setup.3
+ECDSA_SIG_new.3,ECDSA_size.3
+ECDSA_SIG_new.3,ECDSA_verify.3
+ECDSA_SIG_new.3,d2i_ECDSA_SIG.3
+ECDSA_SIG_new.3,i2d_ECDSA_SIG.3
 EC_GFp_simple_method.3,EC_GF2m_simple_method.3
 EC_GFp_simple_method.3,EC_GFp_mont_method.3
 EC_GFp_simple_method.3,EC_GFp_nist_method.3
@@ -418,6 +438,17 @@ ERR_print_errors.3,ERR_print_errors_fp.3
 ERR_put_error.3,ERR_add_error_data.3
 ERR_remove_state.3,ERR_remove_thread_state.3
 ERR_set_mark.3,ERR_pop_to_mark.3
+EVP_AEAD_CTX_init.3,EVP_AEAD_CTX_cleanup.3
+EVP_AEAD_CTX_init.3,EVP_AEAD_CTX_open.3
+EVP_AEAD_CTX_init.3,EVP_AEAD_CTX_seal.3
+EVP_AEAD_CTX_init.3,EVP_AEAD_key_length.3
+EVP_AEAD_CTX_init.3,EVP_AEAD_max_overhead.3
+EVP_AEAD_CTX_init.3,EVP_AEAD_max_tag_len.3
+EVP_AEAD_CTX_init.3,EVP_AEAD_nonce_length.3
+EVP_AEAD_CTX_init.3,EVP_aead_aes_128_gcm.3
+EVP_AEAD_CTX_init.3,EVP_aead_aes_256_gcm.3
+EVP_AEAD_CTX_init.3,EVP_aead_chacha20_poly1305.3
+EVP_AEAD_CTX_init.3,EVP_aead_chacha20_poly1305_ietf.3
 EVP_DigestInit.3,EVP_DigestFinal.3
 EVP_DigestInit.3,EVP_DigestFinal_ex.3
 EVP_DigestInit.3,EVP_DigestInit_ex.3
@@ -552,7 +583,6 @@ EVP_PKEY_CTX_ctrl.3,EVP_PKEY_CTX_set_rsa_padding.3
 EVP_PKEY_CTX_ctrl.3,EVP_PKEY_CTX_set_rsa_pss_saltlen.3
 EVP_PKEY_CTX_ctrl.3,EVP_PKEY_CTX_set_rsa_rsa_keygen_bits.3
 EVP_PKEY_CTX_ctrl.3,EVP_PKEY_CTX_set_signature_md.3
-EVP_PKEY_CTX_ctrl.3,EVP_PKEY_ctrl_str.3
 EVP_PKEY_CTX_ctrl.3,EVP_PKEY_get_default_digest_nid.3
 EVP_PKEY_CTX_new.3,EVP_PKEY_CTX_dup.3
 EVP_PKEY_CTX_new.3,EVP_PKEY_CTX_free.3
@@ -565,7 +595,6 @@ EVP_PKEY_derive.3,EVP_PKEY_derive_init.3
 EVP_PKEY_derive.3,EVP_PKEY_derive_set_peer.3
 EVP_PKEY_encrypt.3,EVP_PKEY_encrypt_init.3
 EVP_PKEY_get_default_digest.3,EVP_PKEY_get_default_digest_nid.3
-EVP_PKEY_keygen.3,EVP_PKEVP_PKEY_CTX_set_app_data.3
 EVP_PKEY_keygen.3,EVP_PKEY_CTX_get_app_data.3
 EVP_PKEY_keygen.3,EVP_PKEY_CTX_get_cb.3
 EVP_PKEY_keygen.3,EVP_PKEY_CTX_get_keygen_info.3
@@ -736,7 +765,6 @@ RSA_print.3,DSAparams_print_fp.3
 RSA_print.3,RSA_print_fp.3
 RSA_private_encrypt.3,RSA_public_decrypt.3
 RSA_public_encrypt.3,RSA_private_decrypt.3
-RSA_set_method.3,RSA_PKCS1_RSAref.3
 RSA_set_method.3,RSA_PKCS1_SSLeay.3
 RSA_set_method.3,RSA_flags.3
 RSA_set_method.3,RSA_get_default_method.3
@@ -796,7 +824,6 @@ SSL_CTX_sess_set_get_cb.3,SSL_CTX_sess_get_get_cb.3
 SSL_CTX_sess_set_get_cb.3,SSL_CTX_sess_get_new_cb.3
 SSL_CTX_sess_set_get_cb.3,SSL_CTX_sess_get_remove_cb.3
 SSL_CTX_sess_set_get_cb.3,SSL_CTX_sess_set_new_cb.3
-SSL_CTX_sess_set_get_cb.3,SSL_CTX_sess_set_remove.3
 SSL_CTX_sess_set_get_cb.3,SSL_CTX_sess_set_remove_cb.3
 SSL_CTX_sess_set_get_cb.3,get_session_cb.3
 SSL_CTX_sess_set_get_cb.3,new_session_cb.3
@@ -822,7 +849,6 @@ SSL_CTX_set_mode.3,SSL_CTX_get_mode.3
 SSL_CTX_set_mode.3,SSL_get_mode.3
 SSL_CTX_set_mode.3,SSL_set_mode.3
 SSL_CTX_set_msg_callback.3,SSL_CTX_set_msg_callback_arg.3
-SSL_CTX_set_msg_callback.3,SSL_get_msg_callback_arg.3
 SSL_CTX_set_msg_callback.3,SSL_set_msg_callback.3
 SSL_CTX_set_msg_callback.3,SSL_set_msg_callback_arg.3
 SSL_CTX_set_options.3,SSL_CTX_clear_options.3
@@ -906,7 +932,6 @@ SSL_get_session.3,SSL_get1_session.3
 SSL_library_init.3,OpenSSL_add_ssl_algorithms.3
 SSL_library_init.3,SSLeay_add_ssl_algorithms.3
 SSL_rstate_string.3,SSL_rstate_string_long.3
-SSL_set_connect_state.3,SSL_get_accept_state.3
 SSL_set_connect_state.3,SSL_set_accept_state.3
 SSL_set_fd.3,SSL_set_rfd.3
 SSL_set_fd.3,SSL_set_wfd.3
@@ -916,6 +941,30 @@ SSL_want.3,SSL_want_nothing.3
 SSL_want.3,SSL_want_read.3
 SSL_want.3,SSL_want_write.3
 SSL_want.3,SSL_want_x509_lookup.3
+UI_new.3,ERR_load_UI_strings.3
+UI_new.3,UI_OpenSSL.3
+UI_new.3,UI_add_error_string.3
+UI_new.3,UI_add_info_string.3
+UI_new.3,UI_add_input_boolean.3
+UI_new.3,UI_add_input_string.3
+UI_new.3,UI_add_user_data.3
+UI_new.3,UI_add_verify_string.3
+UI_new.3,UI_construct_prompt.3
+UI_new.3,UI_ctrl.3
+UI_new.3,UI_dup_error_string.3
+UI_new.3,UI_dup_info_string.3
+UI_new.3,UI_dup_input_boolean.3
+UI_new.3,UI_dup_input_string.3
+UI_new.3,UI_dup_verify_string.3
+UI_new.3,UI_free.3
+UI_new.3,UI_get0_result.3
+UI_new.3,UI_get0_user_data.3
+UI_new.3,UI_get_default_method.3
+UI_new.3,UI_get_method.3
+UI_new.3,UI_new_method.3
+UI_new.3,UI_process.3
+UI_new.3,UI_set_default_method.3
+UI_new.3,UI_set_method.3
 X509_NAME_ENTRY_get_object.3,X509_NAME_ENTRY_create_by_NID.3
 X509_NAME_ENTRY_get_object.3,X509_NAME_ENTRY_create_by_OBJ.3
 X509_NAME_ENTRY_get_object.3,X509_NAME_ENTRY_create_by_txt.3
@@ -962,38 +1011,37 @@ X509_VERIFY_PARAM_set_flags.3,X509_VERIFY_PARAM_set_purpose.3
 X509_VERIFY_PARAM_set_flags.3,X509_VERIFY_PARAM_set_time.3
 X509_VERIFY_PARAM_set_flags.3,X509_VERIFY_PARAM_set_trust.3
 X509_new.3,X509_free.3
-bn_internal.3,bn_add_words.3
-bn_internal.3,bn_check_top.3
-bn_internal.3,bn_cmp_words.3
-bn_internal.3,bn_div_words.3
-bn_internal.3,bn_dump.3
-bn_internal.3,bn_expand.3
-bn_internal.3,bn_expand2.3
-bn_internal.3,bn_fix_top.3
-bn_internal.3,bn_mul_add_words.3
-bn_internal.3,bn_mul_comba4.3
-bn_internal.3,bn_mul_comba8.3
-bn_internal.3,bn_mul_high.3
-bn_internal.3,bn_mul_low_normal.3
-bn_internal.3,bn_mul_low_recursive.3
-bn_internal.3,bn_mul_normal.3
-bn_internal.3,bn_mul_part_recursive.3
-bn_internal.3,bn_mul_recursive.3
-bn_internal.3,bn_mul_words.3
-bn_internal.3,bn_print.3
-bn_internal.3,bn_set_high.3
-bn_internal.3,bn_set_low.3
-bn_internal.3,bn_set_max.3
-bn_internal.3,bn_sqr_comba4.3
-bn_internal.3,bn_sqr_comba8.3
-bn_internal.3,bn_sqr_normal.3
-bn_internal.3,bn_sqr_recursive.3
-bn_internal.3,bn_sqr_words.3
-bn_internal.3,bn_sub_words.3
-bn_internal.3,bn_wexpand.3
-bn_internal.3,mul.3
-bn_internal.3,mul_add.3
-bn_internal.3,sqr.3
+bn_dump.3,bn_add_words.3
+bn_dump.3,bn_check_top.3
+bn_dump.3,bn_cmp_words.3
+bn_dump.3,bn_div_words.3
+bn_dump.3,bn_expand.3
+bn_dump.3,bn_expand2.3
+bn_dump.3,bn_fix_top.3
+bn_dump.3,bn_mul_add_words.3
+bn_dump.3,bn_mul_comba4.3
+bn_dump.3,bn_mul_comba8.3
+bn_dump.3,bn_mul_high.3
+bn_dump.3,bn_mul_low_normal.3
+bn_dump.3,bn_mul_low_recursive.3
+bn_dump.3,bn_mul_normal.3
+bn_dump.3,bn_mul_part_recursive.3
+bn_dump.3,bn_mul_recursive.3
+bn_dump.3,bn_mul_words.3
+bn_dump.3,bn_print.3
+bn_dump.3,bn_set_high.3
+bn_dump.3,bn_set_low.3
+bn_dump.3,bn_set_max.3
+bn_dump.3,bn_sqr_comba4.3
+bn_dump.3,bn_sqr_comba8.3
+bn_dump.3,bn_sqr_normal.3
+bn_dump.3,bn_sqr_recursive.3
+bn_dump.3,bn_sqr_words.3
+bn_dump.3,bn_sub_words.3
+bn_dump.3,bn_wexpand.3
+bn_dump.3,mul.3
+bn_dump.3,mul_add.3
+bn_dump.3,sqr.3
 crypto.3,crypto_dispatch.3
 crypto.3,crypto_done.3
 crypto.3,crypto_freereq.3
@@ -1021,12 +1069,11 @@ d2i_ECPKParameters.3,d2i_ECPKParameters_fp.3
 d2i_ECPKParameters.3,i2d_ECPKParameters.3
 d2i_ECPKParameters.3,i2d_ECPKParameters_bio.3
 d2i_ECPKParameters.3,i2d_ECPKParameters_fp.3
-d2i_PKCS8PrivateKey.3,d2i_PKCS8PrivateKey_bio.3
-d2i_PKCS8PrivateKey.3,d2i_PKCS8PrivateKey_fp.3
-d2i_PKCS8PrivateKey.3,i2d_PKCS8PrivateKey_bio.3
-d2i_PKCS8PrivateKey.3,i2d_PKCS8PrivateKey_fp.3
-d2i_PKCS8PrivateKey.3,i2d_PKCS8PrivateKey_nid_bio.3
-d2i_PKCS8PrivateKey.3,i2d_PKCS8PrivateKey_nid_fp.3
+d2i_PKCS8PrivateKey_bio.3,d2i_PKCS8PrivateKey_fp.3
+d2i_PKCS8PrivateKey_bio.3,i2d_PKCS8PrivateKey_bio.3
+d2i_PKCS8PrivateKey_bio.3,i2d_PKCS8PrivateKey_fp.3
+d2i_PKCS8PrivateKey_bio.3,i2d_PKCS8PrivateKey_nid_bio.3
+d2i_PKCS8PrivateKey_bio.3,i2d_PKCS8PrivateKey_nid_fp.3
 d2i_RSAPublicKey.3,d2i_Netscape_RSA.3
 d2i_RSAPublicKey.3,d2i_RSAPrivateKey.3
 d2i_RSAPublicKey.3,d2i_RSA_PUBKEY.3
@@ -1053,25 +1100,9 @@ d2i_X509_REQ.3,i2d_X509_REQ.3
 d2i_X509_REQ.3,i2d_X509_REQ_bio.3
 d2i_X509_REQ.3,i2d_X509_REQ_fp.3
 d2i_X509_SIG.3,i2d_X509_SIG.3
-ecdsa.3,ECDSA_OpenSSL.3
-ecdsa.3,ECDSA_SIG_free.3
-ecdsa.3,ECDSA_SIG_new.3
-ecdsa.3,ECDSA_do_sign.3
-ecdsa.3,ECDSA_do_sign_ex.3
-ecdsa.3,ECDSA_do_verify.3
-ecdsa.3,ECDSA_get_default_method.3
-ecdsa.3,ECDSA_get_ex_data.3
-ecdsa.3,ECDSA_get_ex_new_index.3
-ecdsa.3,ECDSA_set_default_method.3
-ecdsa.3,ECDSA_set_ex_data.3
-ecdsa.3,ECDSA_set_method.3
-ecdsa.3,ECDSA_sign.3
-ecdsa.3,ECDSA_sign_ex.3
-ecdsa.3,ECDSA_sign_setup.3
-ecdsa.3,ECDSA_size.3
-ecdsa.3,ECDSA_verify.3
-ecdsa.3,d2i_ECDSA_SIG.3
-ecdsa.3,i2d_ECDSA_SIG.3
+des_read_pw.3,des_read_2passwords.3
+des_read_pw.3,des_read_password.3
+des_read_pw.3,des_read_pw_string.3
 engine.3,ENGINE_add.3
 engine.3,ENGINE_by_id.3
 engine.3,ENGINE_finish.3
@@ -1082,19 +1113,23 @@ engine.3,ENGINE_get_prev.3
 engine.3,ENGINE_init.3
 engine.3,ENGINE_load_builtin_engines.3
 engine.3,ENGINE_remove.3
+lh_new.3,DECLARE_LHASH_OF.3
+lh_new.3,LHASH_COMP_FN_TYPE.3
+lh_new.3,LHASH_DOALL_ARG_FN_TYPE.3
+lh_new.3,LHASH_DOALL_FN_TYPE.3
+lh_new.3,LHASH_HASH_FN_TYPE.3
+lh_new.3,lh_delete.3
+lh_new.3,lh_doall.3
+lh_new.3,lh_doall_arg.3
+lh_new.3,lh_error.3
+lh_new.3,lh_free.3
+lh_new.3,lh_insert.3
+lh_new.3,lh_retrieve.3
 lh_stats.3,lh_node_stats.3
 lh_stats.3,lh_node_stats_bio.3
 lh_stats.3,lh_node_usage_stats.3
 lh_stats.3,lh_node_usage_stats_bio.3
 lh_stats.3,lh_stats_bio.3
-lhash.3,lh_delete.3
-lhash.3,lh_doall.3
-lhash.3,lh_doall_arg.3
-lhash.3,lh_error.3
-lhash.3,lh_free.3
-lhash.3,lh_insert.3
-lhash.3,lh_new.3
-lhash.3,lh_retrieve.3
 tls_init.3,tls_accept_fds.3
 tls_init.3,tls_accept_socket.3
 tls_init.3,tls_client.3
@@ -1137,38 +1172,11 @@ tls_init.3,tls_load_file.3
 tls_init.3,tls_peer_cert_contains_name.3
 tls_init.3,tls_peer_cert_hash.3
 tls_init.3,tls_peer_cert_issuer.3
+tls_init.3,tls_peer_cert_notafter.3
+tls_init.3,tls_peer_cert_notbefore.3
 tls_init.3,tls_peer_cert_provided.3
 tls_init.3,tls_peer_cert_subject.3
 tls_init.3,tls_read.3
 tls_init.3,tls_reset.3
 tls_init.3,tls_server.3
 tls_init.3,tls_write.3
-ui.3,ERR_load_UI_strings.3
-ui.3,UI_OpenSSL.3
-ui.3,UI_add_error_string.3
-ui.3,UI_add_info_string.3
-ui.3,UI_add_input_boolean.3
-ui.3,UI_add_input_string.3
-ui.3,UI_add_user_data.3
-ui.3,UI_add_verify_string.3
-ui.3,UI_construct_prompt.3
-ui.3,UI_ctrl.3
-ui.3,UI_dup_error_string.3
-ui.3,UI_dup_info_string.3
-ui.3,UI_dup_input_boolean.3
-ui.3,UI_dup_input_string.3
-ui.3,UI_dup_verify_string.3
-ui.3,UI_free.3
-ui.3,UI_get0_result.3
-ui.3,UI_get0_user_data.3
-ui.3,UI_get_default_method.3
-ui.3,UI_get_method.3
-ui.3,UI_new.3
-ui.3,UI_new_method.3
-ui.3,UI_process.3
-ui.3,UI_set_default_method.3
-ui.3,UI_set_method.3
-ui_compat.3,des_read_2passwords.3
-ui_compat.3,des_read_password.3
-ui_compat.3,des_read_pw.3
-ui_compat.3,des_read_pw_string.3

man/update_links.sh

@@ -11,7 +11,7 @@ for i in `ls -1 *.3`; do
   for j in $links; do
     a=`echo "x$j" | tr '[:upper:]' '[:lower:]'`
     b=`echo "x$name" | tr '[:upper:]' '[:lower:]'`
-    if [ $a != $b ]; then
+    if [[ $a != $b && $a != *"<type>"* ]]; then
       echo $name.3,$j.3 >> links
     fi
   done

patches/modes_lcl.h

@@ -0,0 +1,21 @@
+--- openbsd/src/lib/libssl/src/crypto/modes/modes_lcl.h	Sat Dec  6 17:15:50 2014
++++ crypto/modes/modes_lcl.h	Sun Jul 17 17:45:27 2016
+@@ -43,14 +43,16 @@
+ 			asm ("bswapl %0"		\
+ 			: "+r"(ret));	ret;		})
+ # elif (defined(__arm__) || defined(__arm)) && !defined(__STRICT_ALIGNMENT)
+-#  define BSWAP8(x) ({	u32 lo=(u64)(x)>>32,hi=(x);	\
++#  if (__ARM_ARCH >= 6)
++#   define BSWAP8(x) ({	u32 lo=(u64)(x)>>32,hi=(x);	\
+ 			asm ("rev %0,%0; rev %1,%1"	\
+ 			: "+r"(hi),"+r"(lo));		\
+ 			(u64)hi<<32|lo;			})
+-#  define BSWAP4(x) ({	u32 ret;			\
++#   define BSWAP4(x) ({	u32 ret;			\
+ 			asm ("rev %0,%1"		\
+ 			: "=r"(ret) : "r"((u32)(x)));	\
+ 			ret;				})
++#  endif
+ # endif
+ #endif
+ #endif

patches/netcat.c.patch

@@ -1,6 +1,6 @@
---- apps/nc/netcat.c.orig	Sun Sep 13 08:12:39 2015
-+++ apps/nc/netcat.c	Sun Sep 13 19:15:13 2015
-@@ -98,9 +98,13 @@
+--- apps/nc/netcat.c.orig	Sun Sep  4 05:37:35 2016
++++ apps/nc/netcat.c	Sun Sep  4 05:40:24 2016
+@@ -92,9 +92,13 @@
  int	Dflag;					/* sodebug */
  int	Iflag;					/* TCP receive buffer size */
  int	Oflag;					/* TCP send buffer size */
@@ -14,7 +14,7 @@
  
  int	usetls;					/* use TLS */
  char    *Cflag;					/* Public cert file */
-@@ -150,7 +154,7 @@
+@@ -146,7 +150,7 @@
  	struct servent *sv;
  	socklen_t len;
  	struct sockaddr_storage cliaddr;
@@ -23,7 +23,7 @@
  	const char *errstr, *proxyhost = "", *proxyport = NULL;
  	struct addrinfo proxyhints;
  	char unix_dg_tmp_socket_buf[UNIX_DG_TMP_SOCKET_SIZE];
-@@ -251,12 +255,14 @@
+@@ -256,12 +260,14 @@
  		case 'u':
  			uflag = 1;
  			break;
@@ -38,7 +38,7 @@
  		case 'v':
  			vflag = 1;
  			break;
-@@ -289,9 +295,11 @@
+@@ -294,9 +300,11 @@
  				errx(1, "TCP send window %s: %s",
  				    errstr, optarg);
  			break;
@@ -50,29 +50,31 @@
  		case 'T':
  			errstr = NULL;
  			errno = 0;
-@@ -776,7 +784,10 @@
+@@ -320,9 +328,11 @@
+ 	argc -= optind;
+ 	argv += optind;
+ 
++#ifdef SO_RTABLE
+ 	if (rtableid >= 0)
+ 		if (setrtable(rtableid) == -1)
+ 			err(1, "setrtable");
++#endif
+ 
+ 	if (family == AF_UNIX) {
+ 		if (pledge("stdio rpath wpath cpath tmppath unix", NULL) == -1)
+@@ -825,7 +835,10 @@
  remote_connect(const char *host, const char *port, struct addrinfo hints)
  {
  	struct addrinfo *res, *res0;
--	int s, error, on = 1;
-+	int s, error;
+-	int s = -1, error, on = 1, save_errno;
++	int s = -1, error, save_errno;
 +#ifdef SO_BINDANY
 +	int on = 1;
 +#endif
  
- 	if ((error = getaddrinfo(host, port, &hints, &res)))
+ 	if ((error = getaddrinfo(host, port, &hints, &res0)))
  		errx(1, "getaddrinfo: %s", gai_strerror(error));
-@@ -787,16 +798,20 @@
- 		    SOCK_NONBLOCK, res0->ai_protocol)) < 0)
- 			continue;
- 
-+#ifdef SO_RTABLE
- 		if (rtableid >= 0 && (setsockopt(s, SOL_SOCKET, SO_RTABLE,
- 		    &rtableid, sizeof(rtableid)) == -1))
- 			err(1, "setsockopt SO_RTABLE");
-+#endif
- 
- 		/* Bind to a local port or source address if specified. */
+@@ -839,8 +852,10 @@
  		if (sflag || pflag) {
  			struct addrinfo ahints, *ares;
  
@@ -81,39 +83,33 @@
  			setsockopt(s, SOL_SOCKET, SO_BINDANY, &on, sizeof(on));
 +#endif
  			memset(&ahints, 0, sizeof(struct addrinfo));
- 			ahints.ai_family = res0->ai_family;
+ 			ahints.ai_family = res->ai_family;
  			ahints.ai_socktype = uflag ? SOCK_DGRAM : SOCK_STREAM;
-@@ -865,7 +880,10 @@
+@@ -911,7 +926,10 @@
  local_listen(char *host, char *port, struct addrinfo hints)
  {
  	struct addrinfo *res, *res0;
--	int s, ret, x = 1;
-+	int s;
+-	int s = -1, ret, x = 1, save_errno;
++	int s = -1, save_errno;
 +#ifdef SO_REUSEPORT
 +	int ret, x = 1;
 +#endif
  	int error;
  
  	/* Allow nodename to be null. */
-@@ -887,13 +905,17 @@
- 		    res0->ai_protocol)) < 0)
+@@ -932,9 +950,11 @@
+ 		    res->ai_protocol)) < 0)
  			continue;
  
-+#ifdef SO_RTABLE
- 		if (rtableid >= 0 && (setsockopt(s, SOL_SOCKET, SO_RTABLE,
- 		    &rtableid, sizeof(rtableid)) == -1))
- 			err(1, "setsockopt SO_RTABLE");
-+#endif
- 
 +#ifdef SO_REUSEPORT
  		ret = setsockopt(s, SOL_SOCKET, SO_REUSEPORT, &x, sizeof(x));
  		if (ret == -1)
  			err(1, NULL);
 +#endif
  
- 		set_common_sockopts(s, res0->ai_family);
+ 		set_common_sockopts(s, res->ai_family);
  
-@@ -1337,11 +1359,13 @@
+@@ -1392,11 +1412,13 @@
  {
  	int x = 1;
  
@@ -127,29 +123,49 @@
  	if (Dflag) {
  		if (setsockopt(s, SOL_SOCKET, SO_DEBUG,
  			&x, sizeof(x)) == -1)
-@@ -1516,15 +1540,19 @@
+@@ -1433,13 +1455,17 @@
+ 	}
+ 
+ 	if (minttl != -1) {
++#ifdef IP_MINTTL
+ 		if (af == AF_INET && setsockopt(s, IPPROTO_IP,
+ 		    IP_MINTTL, &minttl, sizeof(minttl)))
+ 			err(1, "set IP min TTL");
++#endif
+ 
+-		else if (af == AF_INET6 && setsockopt(s, IPPROTO_IPV6,
++#ifdef IPV6_MINHOPCOUNT
++		if (af == AF_INET6 && setsockopt(s, IPPROTO_IPV6,
+ 		    IPV6_MINHOPCOUNT, &minttl, sizeof(minttl)))
+ 			err(1, "set IPv6 min hop count");
++#endif
+ 	}
+ }
+ 
+@@ -1596,14 +1622,22 @@
  	\t-P proxyuser\tUsername for proxy authentication\n\
  	\t-p port\t	Specify local port for remote connects\n\
  	\t-R CAfile	CA bundle\n\
 -	\t-r		Randomize remote ports\n\
 -	\t-S		Enable the TCP MD5 signature option\n\
--	\t-s source	Local source address\n\
 +	\t-r		Randomize remote ports\n"
 +#ifdef TCP_MD5SIG
-+	"\t-S		Enable the TCP MD5 signature option\n"
++        "\
++	\t-S		Enable the TCP MD5 signature option\n"
 +#endif
-+	"\t-s source	Local source address\n\
++        "\
+ 	\t-s source	Local source address\n\
  	\t-T keyword	TOS value or TLS options\n\
  	\t-t		Answer TELNET negotiation\n\
  	\t-U		Use UNIX domain socket\n\
 -	\t-u		UDP mode\n\
 -	\t-V rtable	Specify alternate routing table\n\
--	\t-v		Verbose\n\
 +	\t-u		UDP mode\n"
 +#ifdef SO_RTABLE
-+	"\t-V rtable	Specify alternate routing table\n"
++        "\
++	\t-V rtable	Specify alternate routing table\n"
 +#endif
-+	"\t-v		Verbose\n\
++        "\
+ 	\t-v		Verbose\n\
  	\t-w timeout	Timeout for connects and final net reads\n\
  	\t-X proto	Proxy protocol: \"4\", \"5\" (SOCKS) or \"connect\"\n\
- 	\t-x addr[:port]\tSpecify proxy address and port\n\

patches/rfc5280.c.patch

@@ -0,0 +1,82 @@
+--- tests/rfc5280time.c.orig	Mon Nov  2 20:00:31 2015
++++ tests/rfc5280time.c	Mon Nov  2 20:03:12 2015
+@@ -91,6 +91,7 @@
+ 		.data = "20150923032700Z",
+ 		.time = 1442978820,
+ 	},
++#if SIZEOF_TIME_T == 8
+ 	{
+ 		/* (times before 2050 must be UTCTIME) Per RFC 5280 4.1.2.5 */
+ 		.str = "00000101000000Z",
+@@ -103,6 +104,7 @@
+ 		.data = "20491231235959Z",
+ 		.time = 2524607999LL,
+ 	},
++#endif
+ 	{
+ 		/* (times before 2050 must be UTCTIME) Per RFC 5280 4.1.2.5 */
+ 		.str = "19500101000000Z",
+@@ -112,6 +114,7 @@
+ };
+ 
+ struct rfc5280_time_test rfc5280_gentime_tests[] = {
++#if SIZEOF_TIME_T == 8
+ 	{
+ 		/* Biggest RFC 5280 time */
+ 		.str = "99991231235959Z",
+@@ -129,6 +132,7 @@
+ 		.data = "20500101000000Z",
+ 		.time =  2524608000LL,
+ 	},
++#endif
+ };
+ struct rfc5280_time_test rfc5280_utctime_tests[] = {
+ 	{
+@@ -141,11 +145,13 @@
+ 		.data = "540226230640Z",
+ 		.time = -500000000,
+ 	},
++#if SIZEOF_TIME_T == 8
+ 	{
+ 		.str = "491231235959Z",
+ 		.data = "491231235959Z",
+ 		.time = 2524607999LL,
+ 	},
++#endif
+ 	{
+ 		.str = "700101000000Z",
+ 		.data = "700101000000Z",
+@@ -273,14 +279,14 @@
+ 
+ 	if ((i = X509_cmp_time(gt, &att->time)) != -1) {
+ 		fprintf(stderr, "FAIL: test %i - X509_cmp_time failed - returned %d compared to %lld\n",
+-		    test_no, i, att->time);
++		    test_no, i, (long long)att->time);
+ 		goto done;
+ 	}
+ 
+ 	att->time--;
+ 	if ((i = X509_cmp_time(gt, &att->time)) != 1) {
+ 		fprintf(stderr, "FAIL: test %i - X509_cmp_time failed - returned %d compared to %lld\n",
+-		    test_no, i, att->time);
++		    test_no, i, (long long)att->time);
+ 		goto done;
+ 	}
+ 	att->time++;
+@@ -325,14 +331,14 @@
+ 
+ 	if ((i = X509_cmp_time(ut, &att->time)) != -1) {
+ 		fprintf(stderr, "FAIL: test %i - X509_cmp_time failed - returned %d compared to %lld\n",
+-		    test_no, i, att->time);
++		    test_no, i, (long long)att->time);
+ 		goto done;
+ 	}
+ 
+ 	att->time--;
+ 	if ((i = X509_cmp_time(ut, &att->time)) != 1) {
+ 		fprintf(stderr, "FAIL: test %i - X509_cmp_time failed - returned %d compared to %lld\n",
+-		    test_no, i, att->time);
++		    test_no, i, (long long)att->time);
+ 		goto done;
+ 	}
+ 	att->time++;

patches/ssl_txt.c.patch

@@ -0,0 +1,19 @@
+--- ssl/ssl_txt.orig	Sun Jul 17 17:26:59 2016
++++ ssl/ssl_txt.c	Sun Jul 17 17:35:44 2016
+@@ -82,6 +82,7 @@
+  * OTHERWISE.
+  */
+ 
++#include <inttypes.h>
+ #include <stdio.h>
+ 
+ #include <openssl/buffer.h>
+@@ -163,7 +164,7 @@
+ 	}
+ 
+ 	if (x->time != 0) {
+-		if (BIO_printf(bp, "\n    Start Time: %lld", (long long)x->time) <= 0)
++		if (BIO_printf(bp, "\n    Start Time: %"PRId64, (int64_t)x->time) <= 0)
+ 			goto err;
+ 	}
+ 	if (x->timeout != 0L) {

patches/tls_internal.h.patch

@@ -0,0 +1,12 @@
+--- ./openbsd/src/lib/libtls/tls_internal.h	Thu Oct 15 16:12:24 2015
++++ ./tls/tls_internal.h	Sun Dec  6 20:18:17 2015
+@@ -24,7 +24,9 @@
+ 
+ #include <openssl/ssl.h>
+ 
++#ifndef _PATH_SSL_CA_FILE
+ #define _PATH_SSL_CA_FILE "/etc/ssl/cert.pem"
++#endif
+ 
+ #define TLS_CIPHERS_COMPAT	"ALL:!aNULL:!eNULL"
+ #define TLS_CIPHERS_DEFAULT	"TLSv1.2+AEAD+ECDHE:TLSv1.2+AEAD+DHE"

patches/windows_headers.patch

@@ -1,6 +1,6 @@
-diff -urN include/openssl.orig/dtls1.h include/openssl/dtls1.h
---- include/openssl.orig/dtls1.h	Mon Sep 21 21:45:45 2015
-+++ include/openssl/dtls1.h	Mon Sep 21 21:58:56 2015
+diff -u include/openssl.orig/dtls1.h include/openssl/dtls1.h
+--- include/openssl.orig/dtls1.h	Mon Dec  7 07:58:32 2015
++++ include/openssl/dtls1.h	Mon Dec  7 07:56:14 2015
 @@ -60,7 +60,11 @@
  #ifndef HEADER_DTLS1_H
  #define HEADER_DTLS1_H
@@ -13,9 +13,9 @@ diff -urN include/openssl.orig/dtls1.h include/openssl/dtls1.h
  
  #include <stdio.h>
  #include <stdlib.h>
-diff -urN include/openssl.orig/opensslconf.h include/openssl/opensslconf.h
---- include/openssl.orig/opensslconf.h	Mon Sep 21 21:45:45 2015
-+++ include/openssl/opensslconf.h	Mon Sep 21 21:56:13 2015
+diff -u include/openssl.orig/opensslconf.h include/openssl/opensslconf.h
+--- include/openssl.orig/opensslconf.h	Mon Dec  7 07:58:32 2015
++++ include/openssl/opensslconf.h	Mon Dec  7 07:56:14 2015
 @@ -1,6 +1,10 @@
  #include <openssl/opensslfeatures.h>
  /* crypto/opensslconf.h.in */
@@ -27,10 +27,10 @@ diff -urN include/openssl.orig/opensslconf.h include/openssl/opensslconf.h
  /* Generate 80386 code? */
  #undef I386_ONLY
  
-diff -urN include/openssl.orig/ossl_typ.h include/openssl/ossl_typ.h
---- include/openssl.orig/ossl_typ.h	Mon Sep 21 21:45:45 2015
-+++ include/openssl/ossl_typ.h	Mon Sep 21 21:56:22 2015
-@@ -100,6 +100,22 @@
+diff -u include/openssl.orig/ossl_typ.h include/openssl/ossl_typ.h
+--- include/openssl.orig/ossl_typ.h	Mon Dec  7 07:58:32 2015
++++ include/openssl/ossl_typ.h	Mon Dec  7 07:56:14 2015
+@@ -80,6 +80,22 @@
  typedef struct ASN1_ITEM_st ASN1_ITEM;
  typedef struct asn1_pctx_st ASN1_PCTX;
  
@@ -53,9 +53,9 @@ diff -urN include/openssl.orig/ossl_typ.h include/openssl/ossl_typ.h
  #ifdef BIGNUM
  #undef BIGNUM
  #endif
-diff -urN include/openssl.orig/pkcs7.h include/openssl/pkcs7.h
---- include/openssl.orig/pkcs7.h	Mon Sep 21 21:45:45 2015
-+++ include/openssl/pkcs7.h	Mon Sep 21 21:56:29 2015
+diff -u include/openssl.orig/pkcs7.h include/openssl/pkcs7.h
+--- include/openssl.orig/pkcs7.h	Mon Dec  7 07:58:32 2015
++++ include/openssl/pkcs7.h	Mon Dec  7 07:56:14 2015
 @@ -69,6 +69,18 @@
  extern "C" {
  #endif
@@ -75,9 +75,9 @@ diff -urN include/openssl.orig/pkcs7.h include/openssl/pkcs7.h
  /*
  Encryption_ID		DES-CBC
  Digest_ID		MD5
-diff -urN include/openssl.orig/x509.h include/openssl/x509.h
---- include/openssl.orig/x509.h	Mon Sep 21 21:45:45 2015
-+++ include/openssl/x509.h	Mon Sep 21 21:56:35 2015
+diff -u include/openssl.orig/x509.h include/openssl/x509.h
+--- include/openssl.orig/x509.h	Mon Dec  7 07:58:32 2015
++++ include/openssl/x509.h	Mon Dec  7 07:56:14 2015
 @@ -112,6 +112,19 @@
  extern "C" {
  #endif

ssl/CMakeLists.txt

@@ -52,7 +52,12 @@ if (BUILD_SHARED)
 	add_library(ssl-objects OBJECT ${SSL_SRC})
 	add_library(ssl STATIC $<TARGET_OBJECTS:ssl-objects>)
 	add_library(ssl-shared SHARED $<TARGET_OBJECTS:ssl-objects>)
-	set_target_properties(ssl-shared PROPERTIES OUTPUT_NAME ssl)
+	if (WIN32)
+		target_link_libraries(ssl-shared crypto-shared Ws2_32.lib)
+		set(SSL_POSTFIX -${SSL_MAJOR_VERSION})
+	endif()
+	set_target_properties(ssl-shared PROPERTIES
+		OUTPUT_NAME ssl${SSL_POSTFIX} ARCHIVE_OUTPUT_NAME ssl)
 	set_target_properties(ssl-shared PROPERTIES VERSION ${SSL_VERSION}
 		SOVERSION ${SSL_MAJOR_VERSION})
 	install(TARGETS ssl ssl-shared DESTINATION lib)

ssl/Makefile.am

@@ -6,7 +6,7 @@ EXTRA_DIST = VERSION
 EXTRA_DIST += CMakeLists.txt
 
 libssl_la_LDFLAGS = -version-info @LIBSSL_VERSION@ -no-undefined
-libssl_la_LIBADD = ../crypto/libcrypto.la
+libssl_la_LIBADD = $(abs_top_builddir)/crypto/libcrypto.la
 
 libssl_la_SOURCES = bio_ssl.c
 libssl_la_SOURCES += bs_ber.c

tap-driver.sh

@@ -0,0 +1,651 @@
+#! /bin/sh
+# Copyright (C) 2011-2014 Free Software Foundation, Inc.
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 2, or (at your option)
+# any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+# As a special exception to the GNU General Public License, if you
+# distribute this file as part of a program that contains a
+# configuration script generated by Autoconf, you may include it under
+# the same distribution terms that you use for the rest of that program.
+
+# This file is maintained in Automake, please report
+# bugs to <bug-automake@gnu.org> or send patches to
+# <automake-patches@gnu.org>.
+
+scriptversion=2013-12-23.17; # UTC
+
+# Make unconditional expansion of undefined variables an error.  This
+# helps a lot in preventing typo-related bugs.
+set -u
+
+me=tap-driver.sh
+
+fatal ()
+{
+  echo "$me: fatal: $*" >&2
+  exit 1
+}
+
+usage_error ()
+{
+  echo "$me: $*" >&2
+  print_usage >&2
+  exit 2
+}
+
+print_usage ()
+{
+  cat <<END
+Usage:
+  tap-driver.sh --test-name=NAME --log-file=PATH --trs-file=PATH
+                [--expect-failure={yes|no}] [--color-tests={yes|no}]
+                [--enable-hard-errors={yes|no}] [--ignore-exit]
+                [--diagnostic-string=STRING] [--merge|--no-merge]
+                [--comments|--no-comments] [--] TEST-COMMAND
+The '--test-name', '-log-file' and '--trs-file' options are mandatory.
+END
+}
+
+# TODO: better error handling in option parsing (in particular, ensure
+# TODO: $log_file, $trs_file and $test_name are defined).
+test_name= # Used for reporting.
+log_file=  # Where to save the result and output of the test script.
+trs_file=  # Where to save the metadata of the test run.
+expect_failure=0
+color_tests=0
+merge=0
+ignore_exit=0
+comments=0
+diag_string='#'
+while test $# -gt 0; do
+  case $1 in
+  --help) print_usage; exit $?;;
+  --version) echo "$me $scriptversion"; exit $?;;
+  --test-name) test_name=$2; shift;;
+  --log-file) log_file=$2; shift;;
+  --trs-file) trs_file=$2; shift;;
+  --color-tests) color_tests=$2; shift;;
+  --expect-failure) expect_failure=$2; shift;;
+  --enable-hard-errors) shift;; # No-op.
+  --merge) merge=1;;
+  --no-merge) merge=0;;
+  --ignore-exit) ignore_exit=1;;
+  --comments) comments=1;;
+  --no-comments) comments=0;;
+  --diagnostic-string) diag_string=$2; shift;;
+  --) shift; break;;
+  -*) usage_error "invalid option: '$1'";;
+  esac
+  shift
+done
+
+test $# -gt 0 || usage_error "missing test command"
+
+case $expect_failure in
+  yes) expect_failure=1;;
+    *) expect_failure=0;;
+esac
+
+if test $color_tests = yes; then
+  init_colors='
+    color_map["red"]="" # Red.
+    color_map["grn"]="" # Green.
+    color_map["lgn"]="" # Light green.
+    color_map["blu"]="" # Blue.
+    color_map["mgn"]="" # Magenta.
+    color_map["std"]=""     # No color.
+    color_for_result["ERROR"] = "mgn"
+    color_for_result["PASS"]  = "grn"
+    color_for_result["XPASS"] = "red"
+    color_for_result["FAIL"]  = "red"
+    color_for_result["XFAIL"] = "lgn"
+    color_for_result["SKIP"]  = "blu"'
+else
+  init_colors=''
+fi
+
+# :; is there to work around a bug in bash 3.2 (and earlier) which
+# does not always set '$?' properly on redirection failure.
+# See the Autoconf manual for more details.
+:;{
+  (
+    # Ignore common signals (in this subshell only!), to avoid potential
+    # problems with Korn shells.  Some Korn shells are known to propagate
+    # to themselves signals that have killed a child process they were
+    # waiting for; this is done at least for SIGINT (and usually only for
+    # it, in truth).  Without the `trap' below, such a behaviour could
+    # cause a premature exit in the current subshell, e.g., in case the
+    # test command it runs gets terminated by a SIGINT.  Thus, the awk
+    # script we are piping into would never seen the exit status it
+    # expects on its last input line (which is displayed below by the
+    # last `echo $?' statement), and would thus die reporting an internal
+    # error.
+    # For more information, see the Autoconf manual and the threads:
+    # <http://lists.gnu.org/archive/html/bug-autoconf/2011-09/msg00004.html>
+    # <http://mail.opensolaris.org/pipermail/ksh93-integration-discuss/2009-February/004121.html>
+    trap : 1 3 2 13 15
+    if test $merge -gt 0; then
+      exec 2>&1
+    else
+      exec 2>&3
+    fi
+    "$@"
+    echo $?
+  ) | LC_ALL=C ${AM_TAP_AWK-awk} \
+        -v me="$me" \
+        -v test_script_name="$test_name" \
+        -v log_file="$log_file" \
+        -v trs_file="$trs_file" \
+        -v expect_failure="$expect_failure" \
+        -v merge="$merge" \
+        -v ignore_exit="$ignore_exit" \
+        -v comments="$comments" \
+        -v diag_string="$diag_string" \
+'
+# TODO: the usages of "cat >&3" below could be optimized when using
+#       GNU awk, and/on on systems that supports /dev/fd/.
+
+# Implementation note: in what follows, `result_obj` will be an
+# associative array that (partly) simulates a TAP result object
+# from the `TAP::Parser` perl module.
+
+## ----------- ##
+##  FUNCTIONS  ##
+## ----------- ##
+
+function fatal(msg)
+{
+  print me ": " msg | "cat >&2"
+  exit 1
+}
+
+function abort(where)
+{
+  fatal("internal error " where)
+}
+
+# Convert a boolean to a "yes"/"no" string.
+function yn(bool)
+{
+  return bool ? "yes" : "no";
+}
+
+function add_test_result(result)
+{
+  if (!test_results_index)
+    test_results_index = 0
+  test_results_list[test_results_index] = result
+  test_results_index += 1
+  test_results_seen[result] = 1;
+}
+
+# Whether the test script should be re-run by "make recheck".
+function must_recheck()
+{
+  for (k in test_results_seen)
+    if (k != "XFAIL" && k != "PASS" && k != "SKIP")
+      return 1
+  return 0
+}
+
+# Whether the content of the log file associated to this test should
+# be copied into the "global" test-suite.log.
+function copy_in_global_log()
+{
+  for (k in test_results_seen)
+    if (k != "PASS")
+      return 1
+  return 0
+}
+
+function get_global_test_result()
+{
+    if ("ERROR" in test_results_seen)
+      return "ERROR"
+    if ("FAIL" in test_results_seen || "XPASS" in test_results_seen)
+      return "FAIL"
+    all_skipped = 1
+    for (k in test_results_seen)
+      if (k != "SKIP")
+        all_skipped = 0
+    if (all_skipped)
+      return "SKIP"
+    return "PASS";
+}
+
+function stringify_result_obj(result_obj)
+{
+  if (result_obj["is_unplanned"] || result_obj["number"] != testno)
+    return "ERROR"
+
+  if (plan_seen == LATE_PLAN)
+    return "ERROR"
+
+  if (result_obj["directive"] == "TODO")
+    return result_obj["is_ok"] ? "XPASS" : "XFAIL"
+
+  if (result_obj["directive"] == "SKIP")
+    return result_obj["is_ok"] ? "SKIP" : COOKED_FAIL;
+
+  if (length(result_obj["directive"]))
+      abort("in function stringify_result_obj()")
+
+  return result_obj["is_ok"] ? COOKED_PASS : COOKED_FAIL
+}
+
+function decorate_result(result)
+{
+  color_name = color_for_result[result]
+  if (color_name)
+    return color_map[color_name] "" result "" color_map["std"]
+  # If we are not using colorized output, or if we do not know how
+  # to colorize the given result, we should return it unchanged.
+  return result
+}
+
+function report(result, details)
+{
+  if (result ~ /^(X?(PASS|FAIL)|SKIP|ERROR)/)
+    {
+      msg = ": " test_script_name
+      add_test_result(result)
+    }
+  else if (result == "#")
+    {
+      msg = " " test_script_name ":"
+    }
+  else
+    {
+      abort("in function report()")
+    }
+  if (length(details))
+    msg = msg " " details
+  # Output on console might be colorized.
+  print decorate_result(result) msg
+  # Log the result in the log file too, to help debugging (this is
+  # especially true when said result is a TAP error or "Bail out!").
+  print result msg | "cat >&3";
+}
+
+function testsuite_error(error_message)
+{
+  report("ERROR", "- " error_message)
+}
+
+function handle_tap_result()
+{
+  details = result_obj["number"];
+  if (length(result_obj["description"]))
+    details = details " " result_obj["description"]
+
+  if (plan_seen == LATE_PLAN)
+    {
+      details = details " # AFTER LATE PLAN";
+    }
+  else if (result_obj["is_unplanned"])
+    {
+       details = details " # UNPLANNED";
+    }
+  else if (result_obj["number"] != testno)
+    {
+       details = sprintf("%s # OUT-OF-ORDER (expecting %d)",
+                         details, testno);
+    }
+  else if (result_obj["directive"])
+    {
+      details = details " # " result_obj["directive"];
+      if (length(result_obj["explanation"]))
+        details = details " " result_obj["explanation"]
+    }
+
+  report(stringify_result_obj(result_obj), details)
+}
+
+# `skip_reason` should be empty whenever planned > 0.
+function handle_tap_plan(planned, skip_reason)
+{
+  planned += 0 # Avoid getting confused if, say, `planned` is "00"
+  if (length(skip_reason) && planned > 0)
+    abort("in function handle_tap_plan()")
+  if (plan_seen)
+    {
+      # Error, only one plan per stream is acceptable.
+      testsuite_error("multiple test plans")
+      return;
+    }
+  planned_tests = planned
+  # The TAP plan can come before or after *all* the TAP results; we speak
+  # respectively of an "early" or a "late" plan.  If we see the plan line
+  # after at least one TAP result has been seen, assume we have a late
+  # plan; in this case, any further test result seen after the plan will
+  # be flagged as an error.
+  plan_seen = (testno >= 1 ? LATE_PLAN : EARLY_PLAN)
+  # If testno > 0, we have an error ("too many tests run") that will be
+  # automatically dealt with later, so do not worry about it here.  If
+  # $plan_seen is true, we have an error due to a repeated plan, and that
+  # has already been dealt with above.  Otherwise, we have a valid "plan
+  # with SKIP" specification, and should report it as a particular kind
+  # of SKIP result.
+  if (planned == 0 && testno == 0)
+    {
+      if (length(skip_reason))
+        skip_reason = "- "  skip_reason;
+      report("SKIP", skip_reason);
+    }
+}
+
+function extract_tap_comment(line)
+{
+  if (index(line, diag_string) == 1)
+    {
+      # Strip leading `diag_string` from `line`.
+      line = substr(line, length(diag_string) + 1)
+      # And strip any leading and trailing whitespace left.
+      sub("^[ \t]*", "", line)
+      sub("[ \t]*$", "", line)
+      # Return what is left (if any).
+      return line;
+    }
+  return "";
+}
+
+# When this function is called, we know that line is a TAP result line,
+# so that it matches the (perl) RE "^(not )?ok\b".
+function setup_result_obj(line)
+{
+  # Get the result, and remove it from the line.
+  result_obj["is_ok"] = (substr(line, 1, 2) == "ok" ? 1 : 0)
+  sub("^(not )?ok[ \t]*", "", line)
+
+  # If the result has an explicit number, get it and strip it; otherwise,
+  # automatically assing the next progresive number to it.
+  if (line ~ /^[0-9]+$/ || line ~ /^[0-9]+[^a-zA-Z0-9_]/)
+    {
+      match(line, "^[0-9]+")
+      # The final `+ 0` is to normalize numbers with leading zeros.
+      result_obj["number"] = substr(line, 1, RLENGTH) + 0
+      line = substr(line, RLENGTH + 1)
+    }
+  else
+    {
+      result_obj["number"] = testno
+    }
+
+  if (plan_seen == LATE_PLAN)
+    # No further test results are acceptable after a "late" TAP plan
+    # has been seen.
+    result_obj["is_unplanned"] = 1
+  else if (plan_seen && testno > planned_tests)
+    result_obj["is_unplanned"] = 1
+  else
+    result_obj["is_unplanned"] = 0
+
+  # Strip trailing and leading whitespace.
+  sub("^[ \t]*", "", line)
+  sub("[ \t]*$", "", line)
+
+  # This will have to be corrected if we have a "TODO"/"SKIP" directive.
+  result_obj["description"] = line
+  result_obj["directive"] = ""
+  result_obj["explanation"] = ""
+
+  if (index(line, "#") == 0)
+    return # No possible directive, nothing more to do.
+
+  # Directives are case-insensitive.
+  rx = "[ \t]*#[ \t]*([tT][oO][dD][oO]|[sS][kK][iI][pP])[ \t]*"
+
+  # See whether we have the directive, and if yes, where.
+  pos = match(line, rx "$")
+  if (!pos)
+    pos = match(line, rx "[^a-zA-Z0-9_]")
+
+  # If there was no TAP directive, we have nothing more to do.
+  if (!pos)
+    return
+
+  # Let`s now see if the TAP directive has been escaped.  For example:
+  #  escaped:     ok \# SKIP
+  #  not escaped: ok \\# SKIP
+  #  escaped:     ok \\\\\# SKIP
+  #  not escaped: ok \ # SKIP
+  if (substr(line, pos, 1) == "#")
+    {
+      bslash_count = 0
+      for (i = pos; i > 1 && substr(line, i - 1, 1) == "\\"; i--)
+        bslash_count += 1
+      if (bslash_count % 2)
+        return # Directive was escaped.
+    }
+
+  # Strip the directive and its explanation (if any) from the test
+  # description.
+  result_obj["description"] = substr(line, 1, pos - 1)
+  # Now remove the test description from the line, that has been dealt
+  # with already.
+  line = substr(line, pos)
+  # Strip the directive, and save its value (normalized to upper case).
+  sub("^[ \t]*#[ \t]*", "", line)
+  result_obj["directive"] = toupper(substr(line, 1, 4))
+  line = substr(line, 5)
+  # Now get the explanation for the directive (if any), with leading
+  # and trailing whitespace removed.
+  sub("^[ \t]*", "", line)
+  sub("[ \t]*$", "", line)
+  result_obj["explanation"] = line
+}
+
+function get_test_exit_message(status)
+{
+  if (status == 0)
+    return ""
+  if (status !~ /^[1-9][0-9]*$/)
+    abort("getting exit status")
+  if (status < 127)
+    exit_details = ""
+  else if (status == 127)
+    exit_details = " (command not found?)"
+  else if (status >= 128 && status <= 255)
+    exit_details = sprintf(" (terminated by signal %d?)", status - 128)
+  else if (status > 256 && status <= 384)
+    # We used to report an "abnormal termination" here, but some Korn
+    # shells, when a child process die due to signal number n, can leave
+    # in $? an exit status of 256+n instead of the more standard 128+n.
+    # Apparently, both behaviours are allowed by POSIX (2008), so be
+    # prepared to handle them both.  See also Austing Group report ID
+    # 0000051 <http://www.austingroupbugs.net/view.php?id=51>
+    exit_details = sprintf(" (terminated by signal %d?)", status - 256)
+  else
+    # Never seen in practice.
+    exit_details = " (abnormal termination)"
+  return sprintf("exited with status %d%s", status, exit_details)
+}
+
+function write_test_results()
+{
+  print ":global-test-result: " get_global_test_result() > trs_file
+  print ":recheck: "  yn(must_recheck()) > trs_file
+  print ":copy-in-global-log: " yn(copy_in_global_log()) > trs_file
+  for (i = 0; i < test_results_index; i += 1)
+    print ":test-result: " test_results_list[i] > trs_file
+  close(trs_file);
+}
+
+BEGIN {
+
+## ------- ##
+##  SETUP  ##
+## ------- ##
+
+'"$init_colors"'
+
+# Properly initialized once the TAP plan is seen.
+planned_tests = 0
+
+COOKED_PASS = expect_failure ? "XPASS": "PASS";
+COOKED_FAIL = expect_failure ? "XFAIL": "FAIL";
+
+# Enumeration-like constants to remember which kind of plan (if any)
+# has been seen.  It is important that NO_PLAN evaluates "false" as
+# a boolean.
+NO_PLAN = 0
+EARLY_PLAN = 1
+LATE_PLAN = 2
+
+testno = 0     # Number of test results seen so far.
+bailed_out = 0 # Whether a "Bail out!" directive has been seen.
+
+# Whether the TAP plan has been seen or not, and if yes, which kind
+# it is ("early" is seen before any test result, "late" otherwise).
+plan_seen = NO_PLAN
+
+## --------- ##
+##  PARSING  ##
+## --------- ##
+
+is_first_read = 1
+
+while (1)
+  {
+    # Involutions required so that we are able to read the exit status
+    # from the last input line.
+    st = getline
+    if (st < 0) # I/O error.
+      fatal("I/O error while reading from input stream")
+    else if (st == 0) # End-of-input
+      {
+        if (is_first_read)
+          abort("in input loop: only one input line")
+        break
+      }
+    if (is_first_read)
+      {
+        is_first_read = 0
+        nextline = $0
+        continue
+      }
+    else
+      {
+        curline = nextline
+        nextline = $0
+        $0 = curline
+      }
+    # Copy any input line verbatim into the log file.
+    print | "cat >&3"
+    # Parsing of TAP input should stop after a "Bail out!" directive.
+    if (bailed_out)
+      continue
+
+    # TAP test result.
+    if ($0 ~ /^(not )?ok$/ || $0 ~ /^(not )?ok[^a-zA-Z0-9_]/)
+      {
+        testno += 1
+        setup_result_obj($0)
+        handle_tap_result()
+      }
+    # TAP plan (normal or "SKIP" without explanation).
+    else if ($0 ~ /^1\.\.[0-9]+[ \t]*$/)
+      {
+        # The next two lines will put the number of planned tests in $0.
+        sub("^1\\.\\.", "")
+        sub("[^0-9]*$", "")
+        handle_tap_plan($0, "")
+        continue
+      }
+    # TAP "SKIP" plan, with an explanation.
+    else if ($0 ~ /^1\.\.0+[ \t]*#/)
+      {
+        # The next lines will put the skip explanation in $0, stripping
+        # any leading and trailing whitespace.  This is a little more
+        # tricky in truth, since we want to also strip a potential leading
+        # "SKIP" string from the message.
+        sub("^[^#]*#[ \t]*(SKIP[: \t][ \t]*)?", "")
+        sub("[ \t]*$", "");
+        handle_tap_plan(0, $0)
+      }
+    # "Bail out!" magic.
+    # Older versions of prove and TAP::Harness (e.g., 3.17) did not
+    # recognize a "Bail out!" directive when preceded by leading
+    # whitespace, but more modern versions (e.g., 3.23) do.  So we
+    # emulate the latter, "more modern" behaviour.
+    else if ($0 ~ /^[ \t]*Bail out!/)
+      {
+        bailed_out = 1
+        # Get the bailout message (if any), with leading and trailing
+        # whitespace stripped.  The message remains stored in `$0`.
+        sub("^[ \t]*Bail out![ \t]*", "");
+        sub("[ \t]*$", "");
+        # Format the error message for the
+        bailout_message = "Bail out!"
+        if (length($0))
+          bailout_message = bailout_message " " $0
+        testsuite_error(bailout_message)
+      }
+    # Maybe we have too look for dianogtic comments too.
+    else if (comments != 0)
+      {
+        comment = extract_tap_comment($0);
+        if (length(comment))
+          report("#", comment);
+      }
+  }
+
+## -------- ##
+##  FINISH  ##
+## -------- ##
+
+# A "Bail out!" directive should cause us to ignore any following TAP
+# error, as well as a non-zero exit status from the TAP producer.
+if (!bailed_out)
+  {
+    if (!plan_seen)
+      {
+        testsuite_error("missing test plan")
+      }
+    else if (planned_tests != testno)
+      {
+        bad_amount = testno > planned_tests ? "many" : "few"
+        testsuite_error(sprintf("too %s tests run (expected %d, got %d)",
+                                bad_amount, planned_tests, testno))
+      }
+    if (!ignore_exit)
+      {
+        # Fetch exit status from the last line.
+        exit_message = get_test_exit_message(nextline)
+        if (exit_message)
+          testsuite_error(exit_message)
+      }
+  }
+
+write_test_results()
+
+exit 0
+
+} # End of "BEGIN" block.
+'
+
+# TODO: document that we consume the file descriptor 3 :-(
+} 3>"$log_file"
+
+test $? -eq 0 || fatal "I/O or internal error"
+
+# Local Variables:
+# mode: shell-script
+# sh-indentation: 2
+# eval: (add-hook 'write-file-hooks 'time-stamp)
+# time-stamp-start: "scriptversion="
+# time-stamp-format: "%:y-%02m-%02d.%02H"
+# time-stamp-time-zone: "UTC"
+# time-stamp-end: "; # UTC"
+# End:

tests/CMakeLists.txt

@@ -9,14 +9,13 @@ include_directories(
 	../apps/openssl/compat
 )
 
-set(ENV{srcdir} ${CMAKE_CURRENT_SOURCE_DIR})
+add_definitions(-D_PATH_SSL_CA_FILE=\"${CMAKE_CURRENT_SOURCE_DIR}/../apps/openssl/cert.pem\")
 
 # aeadtest
-#add_executable(aeadtest aeadtest.c)
-#target_link_libraries(aeadtest ${OPENSSL_LIBS})
-#add_test(aeadtest aeadtest.sh)
-#configure_file(aeadtests.txt aeadtests.txt COPYONLY)
-#configure_file(aeadtest.sh aeadtest.sh COPYONLY)
+add_executable(aeadtest aeadtest.c)
+target_link_libraries(aeadtest ${OPENSSL_LIBS})
+add_test(aeadtest ${CMAKE_CURRENT_SOURCE_DIR}/aeadtest.sh)
+set_tests_properties(aeadtest PROPERTIES ENVIRONMENT "srcdir=${CMAKE_CURRENT_SOURCE_DIR}")
 
 # aes_wrap
 add_executable(aes_wrap aes_wrap.c)
@@ -25,7 +24,7 @@ add_test(aes_wrap aes_wrap)
 
 # arc4randomforktest
 # Windows/mingw does not have fork, but Cygwin does.
-if(NOT CMAKE_HOST_WIN32)
+if(NOT CMAKE_HOST_WIN32 AND NOT CMAKE_SYSTEM_NAME MATCHES "MINGW")
 add_executable(arc4randomforktest arc4randomforktest.c)
 target_link_libraries(arc4randomforktest ${OPENSSL_LIBS})
 add_test(arc4randomforktest ${CMAKE_CURRENT_SOURCE_DIR}/arc4randomforktest.sh)
@@ -36,6 +35,11 @@ add_executable(asn1test asn1test.c)
 target_link_libraries(asn1test ${OPENSSL_LIBS})
 add_test(asn1test asn1test)
 
+# asn1time
+add_executable(asn1time asn1time.c)
+target_link_libraries(asn1time ${OPENSSL_LIBS})
+add_test(asn1time asn1time)
+
 # base64test
 add_executable(base64test base64test.c)
 target_link_libraries(base64test ${OPENSSL_LIBS})
@@ -46,6 +50,14 @@ add_executable(bftest bftest.c)
 target_link_libraries(bftest ${OPENSSL_LIBS})
 add_test(bftest bftest)
 
+# biotest
+# the BIO tests rely on resolver results that are OS and environment-specific
+if(ENABLE_EXTRATESTS)
+	add_executable(biotest biotest.c)
+	target_link_libraries(biotest ${OPENSSL_LIBS})
+	add_test(biotest biotest)
+endif()
+
 # bntest
 add_executable(bntest bntest.c)
 target_link_libraries(bntest ${OPENSSL_LIBS})
@@ -122,19 +134,21 @@ target_link_libraries(enginetest ${OPENSSL_LIBS})
 add_test(enginetest enginetest)
 
 # evptest
-#add_executable(evptest evptest.c)
-#target_link_libraries(evptest ${OPENSSL_LIBS})
-#add_test(evptest ${CMAKE_CURRENT_SOURCE_DIR}/evptest.sh)
+add_executable(evptest evptest.c)
+target_link_libraries(evptest ${OPENSSL_LIBS})
+add_test(evptest ${CMAKE_CURRENT_SOURCE_DIR}/evptest.sh)
+set_tests_properties(evptest PROPERTIES ENVIRONMENT "srcdir=${CMAKE_CURRENT_SOURCE_DIR}")
 
 # explicit_bzero
 # explicit_bzero relies on SA_ONSTACK, which is unavailable on Windows
 if(NOT CMAKE_HOST_WIN32)
-add_executable(explicit_bzero explicit_bzero.c)
+if(HAVE_MEMMEM)
+	add_executable(explicit_bzero explicit_bzero.c)
+else()
+	add_executable(explicit_bzero explicit_bzero.c memmem.c)
+endif()
 target_link_libraries(explicit_bzero ${OPENSSL_LIBS})
 add_test(explicit_bzero explicit_bzero)
-#if !HAVE_MEMMEM
-#explicit_bzero_SOURCES += memmem.c
-#endif
 endif()
 
 # exptest
@@ -182,6 +196,13 @@ add_executable(mont mont.c)
 target_link_libraries(mont ${OPENSSL_LIBS})
 add_test(mont mont)
 
+# ocsp_test
+if(ENABLE_EXTRATESTS)
+	add_executable(ocsp_test ocsp_test.c)
+	target_link_libraries(ocsp_test ${OPENSSL_LIBS})
+	add_test(ocsptest ${CMAKE_CURRENT_SOURCE_DIR}/ocsptest.sh)
+endif()
+
 # optionstest
 add_executable(optionstest optionstest.c)
 target_link_libraries(optionstest ${OPENSSL_LIBS})
@@ -192,6 +213,15 @@ add_executable(pbkdf2 pbkdf2.c)
 target_link_libraries(pbkdf2 ${OPENSSL_LIBS})
 add_test(pbkdf2 pbkdf2)
 
+# pidwraptest
+# pidwraptest relies on an OS-specific way to give out pids and is generally
+# awkward on systems with slow fork
+if(ENABLE_EXTRATESTS)
+	add_executable(pidwraptest pidwraptest.c)
+	target_link_libraries(pidwraptest ${OPENSSL_LIBS})
+	add_test(pidwraptest ${CMAKE_CURRENT_SOURCE_DIR}/pidwraptest.sh)
+endif()
+
 # pkcs7test
 add_executable(pkcs7test pkcs7test.c)
 target_link_libraries(pkcs7test ${OPENSSL_LIBS})
@@ -203,9 +233,10 @@ target_link_libraries(poly1305test ${OPENSSL_LIBS})
 add_test(poly1305test poly1305test)
 
 # pq_test
-#add_executable(pq_test pq_test.c)
-#target_link_libraries(pq_test ${OPENSSL_LIBS})
-#add_test(pq_test ${CMAKE_CURRENT_SOURCE_DIR}/pq_test.sh)
+add_executable(pq_test pq_test.c)
+target_link_libraries(pq_test ${OPENSSL_LIBS})
+add_test(pq_test ${CMAKE_CURRENT_SOURCE_DIR}/pq_test.sh)
+set_tests_properties(pq_test PROPERTIES ENVIRONMENT "srcdir=${CMAKE_CURRENT_SOURCE_DIR}")
 
 # randtest
 add_executable(randtest randtest.c)
@@ -222,6 +253,15 @@ add_executable(rc4test rc4test.c)
 target_link_libraries(rc4test ${OPENSSL_LIBS})
 add_test(rc4test rc4test)
 
+# rfc5280time
+add_executable(rfc5280time rfc5280time.c)
+target_link_libraries(rfc5280time ${OPENSSL_LIBS})
+if(SMALL_TIME_T)
+	add_test(rfc5280time ${CMAKE_CURRENT_SOURCE_DIR}/rfc5280time_small.test)
+else()
+	add_test(rfc5280time rfc5280time)
+endif()
+
 # rmdtest
 add_executable(rmdtest rmdtest.c)
 target_link_libraries(rmdtest ${OPENSSL_LIBS})
@@ -243,24 +283,33 @@ target_link_libraries(sha512test ${OPENSSL_LIBS})
 add_test(sha512test sha512test)
 
 # ssltest
-#add_executable(ssltest ssltest.c)
-#target_link_libraries(ssltest ${OPENSSL_LIBS})
-#add_test(ssltest ${CMAKE_CURRENT_SOURCE_DIR}/ssltest.sh)
+add_executable(ssltest ssltest.c)
+target_link_libraries(ssltest ${OPENSSL_LIBS})
+add_test(ssltest ${CMAKE_CURRENT_SOURCE_DIR}/ssltest.sh)
+set_tests_properties(ssltest PROPERTIES ENVIRONMENT "srcdir=${CMAKE_CURRENT_SOURCE_DIR}")
 
 # testdsa
-#add_test(testdsa ${CMAKE_CURRENT_SOURCE_DIR}/testdsa.sh)
+add_test(testdsa ${CMAKE_CURRENT_SOURCE_DIR}/testdsa.sh)
+set_tests_properties(testdsa PROPERTIES ENVIRONMENT "srcdir=${CMAKE_CURRENT_SOURCE_DIR}")
 
 # testenc
 add_test(testenc ${CMAKE_CURRENT_SOURCE_DIR}/testenc.sh)
+set_tests_properties(testenc PROPERTIES ENVIRONMENT "srcdir=${CMAKE_CURRENT_SOURCE_DIR}")
 
 # testrsa
-#add_test(testrsa ${CMAKE_CURRENT_SOURCE_DIR}/testrsa.sh)
+add_test(testrsa ${CMAKE_CURRENT_SOURCE_DIR}/testrsa.sh)
+set_tests_properties(testrsa PROPERTIES ENVIRONMENT "srcdir=${CMAKE_CURRENT_SOURCE_DIR}")
 
 # timingsafe
 add_executable(timingsafe timingsafe.c)
 target_link_libraries(timingsafe ${OPENSSL_LIBS})
 add_test(timingsafe timingsafe)
 
+# tls_ext_alpn
+add_executable(tls_ext_alpn tls_ext_alpn.c)
+target_link_libraries(tls_ext_alpn ${OPENSSL_LIBS})
+add_test(tls_ext_alpn tls_ext_alpn)
+
 # utf8test
 add_executable(utf8test utf8test.c)
 target_link_libraries(utf8test ${OPENSSL_LIBS})

tests/Makefile.am

@@ -5,11 +5,14 @@ AM_CPPFLAGS += -I $(top_srcdir)/crypto/asn1
 AM_CPPFLAGS += -I $(top_srcdir)/ssl
 AM_CPPFLAGS += -I $(top_srcdir)/apps/openssl
 AM_CPPFLAGS += -I $(top_srcdir)/apps/openssl/compat
+AM_CPPFLAGS += -D_PATH_SSL_CA_FILE=\"$(top_srcdir)/apps/openssl/cert.pem\"
 
 LDADD = $(PLATFORM_LDADD) $(PROG_LDADD)
-LDADD += $(top_builddir)/ssl/libssl.la
-LDADD += $(top_builddir)/crypto/libcrypto.la
-LDADD += $(top_builddir)/tls/libtls.la
+LDADD += $(abs_top_builddir)/ssl/libssl.la
+LDADD += $(abs_top_builddir)/crypto/libcrypto.la
+LDADD += $(abs_top_builddir)/tls/libtls.la
+
+TEST_LOG_DRIVER = env AM_TAP_AWK='$(AWK)' $(SHELL) $(top_srcdir)/tap-driver.sh
 
 TESTS =
 check_PROGRAMS =
@@ -42,6 +45,11 @@ TESTS += asn1test
 check_PROGRAMS += asn1test
 asn1test_SOURCES = asn1test.c
 
+# asn1time
+TESTS += asn1time
+check_PROGRAMS += asn1time
+asn1time_SOURCES = asn1time.c
+
 # base64test
 TESTS += base64test
 check_PROGRAMS += base64test
@@ -201,6 +209,14 @@ TESTS += mont
 check_PROGRAMS += mont
 mont_SOURCES = mont.c
 
+# ocsp_test
+if ENABLE_EXTRATESTS
+TESTS += ocsptest.sh
+check_PROGRAMS += ocsp_test
+ocsp_test_SOURCES = ocsp_test.c
+endif
+EXTRA_DIST += ocsptest.sh
+
 # optionstest
 TESTS += optionstest
 check_PROGRAMS += optionstest
@@ -218,8 +234,8 @@ if ENABLE_EXTRATESTS
 TESTS += pidwraptest.sh
 check_PROGRAMS += pidwraptest
 pidwraptest_SOURCES = pidwraptest.c
-EXTRA_DIST += pidwraptest.sh
 endif
+EXTRA_DIST += pidwraptest.sh
 
 # pkcs7test
 TESTS += pkcs7test
@@ -253,6 +269,16 @@ TESTS += rc4test
 check_PROGRAMS += rc4test
 rc4test_SOURCES = rc4test.c
 
+# rfc5280time
+check_PROGRAMS += rfc5280time
+rfc5280time_SOURCES = rfc5280time.c
+if SMALL_TIME_T
+TESTS += rfc5280time_small.test
+else
+TESTS += rfc5280time
+endif
+EXTRA_DIST += rfc5280time_small.test
+
 # rmdtest
 TESTS += rmdtest
 check_PROGRAMS += rmdtest
@@ -298,6 +324,11 @@ TESTS += timingsafe
 check_PROGRAMS += timingsafe
 timingsafe_SOURCES = timingsafe.c
 
+# tls_ext_alpn
+TESTS += tls_ext_alpn
+check_PROGRAMS += tls_ext_alpn
+tls_ext_alpn_SOURCES = tls_ext_alpn.c
+
 # utf8test
 TESTS += utf8test
 check_PROGRAMS += utf8test

tests/ocsptest.sh

@@ -0,0 +1,8 @@
+#!/bin/sh
+set -e
+TEST=./ocsp_test
+if [ -e ./ocsp_test.exe ]; then
+	TEST=./ocsp_test.exe
+fi
+$TEST www.amazon.com 443
+$TEST cloudflare.com 443

tests/rfc5280time_small.test

@@ -0,0 +1,10 @@
+#!/bin/sh
+set -e
+echo 1..2
+TEST=./rfc5280time
+if [ -e ./rfc5280time.exe ]; then
+	TEST=./rfc5280time.exe
+fi
+$TEST
+echo "ok 1"
+echo "ok 2 - rfc5280time_64-bit # SKIP this system is unable to represent times past 2038"

tests/ssltest.sh

@@ -6,9 +6,16 @@ if [ -e ./ssltest.exe ]; then
 	ssltest_bin=./ssltest.exe
 fi
 
-openssl_bin=../apps/openssl/openssl
-if [ -e ../apps/openssl/openssl.exe ]; then
-	openssl_bin=../apps/openssl/openssl.exe
+if [ -d ../apps/openssl ]; then
+	openssl_bin=../apps/openssl/openssl
+	if [ -e ../apps/openssl/openssl.exe ]; then
+		openssl_bin=../apps/openssl/openssl.exe
+	fi
+else
+	openssl_bin=../apps/openssl
+	if [ -e ../apps/openssl.exe ]; then
+		openssl_bin=../apps/openssl.exe
+	fi
 fi
 
 if [ -z $srcdir ]; then

tests/testdsa.sh

@@ -4,9 +4,16 @@
 
 #Test DSA certificate generation of openssl
 
-cmd=../apps/openssl/openssl
-if [ -e ../apps/openssl/openssl.exe ]; then
-	cmd=../apps/openssl/openssl.exe
+if [ -d ../apps/openssl ]; then
+	cmd=../apps/openssl/openssl
+	if [ -e ../apps/openssl/openssl.exe ]; then
+		cmd=../apps/openssl/openssl.exe
+	fi
+else
+	cmd=../apps/openssl
+	if [ -e ../apps/openssl.exe ]; then
+		cmd=../apps/openssl.exe
+	fi
 fi
 
 if [ -z $srcdir ]; then

tests/testenc.sh

@@ -2,12 +2,23 @@
 #	$OpenBSD: testenc.sh,v 1.1 2014/08/26 17:50:07 jsing Exp $
 
 test=p
-cmd=../apps/openssl/openssl
-if [ -e ../apps/openssl/openssl.exe ]; then
-	cmd=../apps/openssl/openssl.exe
+if [ -d ../apps/openssl ]; then
+	cmd=../apps/openssl/openssl
+	if [ -e ../apps/openssl/openssl.exe ]; then
+		cmd=../apps/openssl/openssl.exe
+	fi
+else
+	cmd=../apps/openssl
+	if [ -e ../apps/openssl.exe ]; then
+		cmd=../apps/openssl.exe
+	fi
 fi
 
-cat openssl.cnf >$test;
+if [ -z $srcdir ]; then
+	srcdir=.
+fi
+
+cat $srcdir/openssl.cnf >$test;
 
 echo cat
 $cmd enc < $test > $test.cipher

tests/testrsa.sh

@@ -4,9 +4,16 @@
 
 #Test RSA certificate generation of openssl
 
-cmd=../apps/openssl/openssl
-if [ -e ../apps/openssl/openssl.exe ]; then
-	cmd=../apps/openssl/openssl.exe
+if [ -d ../apps/openssl ]; then
+	cmd=../apps/openssl/openssl
+	if [ -e ../apps/openssl/openssl.exe ]; then
+		cmd=../apps/openssl/openssl.exe
+	fi
+else
+	cmd=../apps/openssl
+	if [ -e ../apps/openssl.exe ]; then
+		cmd=../apps/openssl.exe
+	fi
 fi
 
 if [ -z $srcdir ]; then

tls/CMakeLists.txt

@@ -7,6 +7,7 @@ include_directories(
 set(
 	TLS_SRC
 	tls.c
+	tls_bio_cb.c
 	tls_client.c
 	tls_config.c
 	tls_conninfo.c
@@ -17,15 +18,26 @@ set(
 )
 
 
-if(NOT HAVE_STRCASECMP)
+if(NOT HAVE_STRSEP)
 	set(TLS_SRC ${TLS_SRC} strsep.c)
 endif()
 
+if(NOT "${OPENSSLDIR}" STREQUAL "")
+	add_definitions(-D_PATH_SSL_CA_FILE=\"${OPENSSLDIR}/cert.pem\")
+else()
+	add_definitions(-D_PATH_SSL_CA_FILE=\"${CMAKE_INSTALL_PREFIX}/etc/ssl/cert.pem\")
+endif()
+
 if (BUILD_SHARED)
 	add_library(tls-objects OBJECT ${TLS_SRC})
 	add_library(tls STATIC $<TARGET_OBJECTS:tls-objects>)
 	add_library(tls-shared SHARED $<TARGET_OBJECTS:tls-objects>)
-	set_target_properties(tls-shared PROPERTIES OUTPUT_NAME tls)
+	if (WIN32)
+		target_link_libraries(tls-shared ssl-shared crypto-shared Ws2_32.lib)
+		set(TLS_POSTFIX -${TLS_MAJOR_VERSION})
+	endif()
+	set_target_properties(tls-shared PROPERTIES
+		OUTPUT_NAME tls${TLS_POSTFIX} ARCHIVE_OUTPUT_NAME tls)
 	set_target_properties(tls-shared PROPERTIES VERSION ${TLS_VERSION}
 		SOVERSION ${TLS_MAJOR_VERSION})
 	install(TARGETS tls tls-shared DESTINATION lib)

tls/Makefile.am

@@ -6,10 +6,20 @@ EXTRA_DIST = VERSION
 EXTRA_DIST += CMakeLists.txt
 
 libtls_la_LDFLAGS = -version-info @LIBTLS_VERSION@ -no-undefined
-libtls_la_LIBADD = ../crypto/libcrypto.la ../ssl/libssl.la $(PLATFORM_LDADD)
+libtls_la_LIBADD = $(abs_top_builddir)/ssl/libssl.la
+libtls_la_LIBADD += $(abs_top_builddir)/crypto/libcrypto.la
+libtls_la_LIBADD += $(PLATFORM_LDADD)
+
+libtls_la_CPPFLAGS = $(AM_CPPFLAGS)
+if OPENSSLDIR_DEFINED
+libtls_la_CPPFLAGS += -D_PATH_SSL_CA_FILE=\"@OPENSSLDIR@/cert.pem\"
+else
+libtls_la_CPPFLAGS += -D_PATH_SSL_CA_FILE=\"$(sysconfdir)/ssl/cert.pem\"
+endif
 
 libtls_la_SOURCES = tls.c
 libtls_la_SOURCES += tls_client.c
+libtls_la_SOURCES += tls_bio_cb.c
 libtls_la_SOURCES += tls_config.c
 libtls_la_SOURCES += tls_conninfo.c
 libtls_la_SOURCES += tls_server.c

update.sh

@@ -29,12 +29,12 @@ libtls_regress=$CWD/openbsd/src/regress/lib/libtls
 app_src=$CWD/openbsd/src/usr.bin
 
 # load library versions
-. $libcrypto_src/crypto/shlib_version
+. $libcrypto_src/shlib_version
 libcrypto_version=$major:$minor:0
 echo "libcrypto version $libcrypto_version"
 echo $libcrypto_version > crypto/VERSION
 
-. $libssl_src/ssl/shlib_version
+. $libssl_src/shlib_version
 libssl_version=$major:$minor:0
 echo "libssl version $libssl_version"
 echo $libssl_version > ssl/VERSION
@@ -62,17 +62,18 @@ CP_LIBC='do_cp_libc'
 
 CP='cp -p'
 
-$CP $libssl_src/src/LICENSE COPYING
+$CP $libssl_src/LICENSE COPYING
 
-$CP $libcrypto_src/crypto/arch/amd64/opensslconf.h include/openssl
-$CP $libssl_src/src/crypto/opensslfeatures.h include/openssl
-$CP $libssl_src/src/ssl/pqueue.h include
+$CP $libcrypto_src/arch/amd64/opensslconf.h include/openssl
+$CP $libcrypto_src/opensslfeatures.h include/openssl
+$CP $libssl_src/pqueue.h include
 
 $CP $libtls_src/tls.h include
 $CP $libtls_src/tls.h libtls-standalone/include
 
 for i in crypto/compat libtls-standalone/compat; do
 	for j in $libc_src/crypt/arc4random.c \
+	    $libc_src/crypt/arc4random_uniform.c \
 	    $libc_src/crypt/chacha_private.h \
 	    $libc_src/string/explicit_bzero.c \
 	    $libc_src/stdlib/reallocarray.c \
@@ -83,8 +84,8 @@ for i in crypto/compat libtls-standalone/compat; do
 	    $libc_src/string/strnlen.c \
 	    $libc_src/string/timingsafe_bcmp.c \
 	    $libc_src/string/timingsafe_memcmp.c \
-	    $libcrypto_src/crypto/getentropy_*.c \
-	    $libcrypto_src/crypto/arc4random_*.h; do
+	    $libcrypto_src/arc4random/getentropy_*.c \
+	    $libcrypto_src/arc4random/arc4random_*.h; do
 		$CP_LIBC $j $i
 	done
 done
@@ -98,20 +99,20 @@ $CP crypto/compat/arc4random*.h \
 	crypto/compat/bsd-asprintf.c \
 	libtls-standalone/compat
 
-(cd $libssl_src/src/crypto/objects/;
+(cd $libcrypto_src/objects/;
 	perl objects.pl objects.txt obj_mac.num obj_mac.h;
 	perl obj_dat.pl obj_mac.h obj_dat.h )
 mkdir -p include/openssl crypto/objects
-$MV $libssl_src/src/crypto/objects/obj_mac.h ./include/openssl/obj_mac.h
-$MV $libssl_src/src/crypto/objects/obj_dat.h ./crypto/objects/obj_dat.h
+$MV $libcrypto_src/objects/obj_mac.h ./include/openssl/obj_mac.h
+$MV $libcrypto_src/objects/obj_dat.h ./crypto/objects/obj_dat.h
 
 copy_hdrs() {
 	for file in $2; do
-		$CP $libssl_src/src/$1/$file include/openssl
+		$CP $1/$file include/openssl
 	done
 }
 
-copy_hdrs crypto "stack/stack.h lhash/lhash.h stack/safestack.h
+copy_hdrs $libcrypto_src "stack/stack.h lhash/lhash.h stack/safestack.h
 	ossl_typ.h err/err.h crypto.h comp/comp.h x509/x509.h buffer/buffer.h
 	objects/objects.h asn1/asn1.h bn/bn.h ec/ec.h ecdsa/ecdsa.h
 	ecdh/ecdh.h rsa/rsa.h sha/sha.h x509/x509_vfy.h pkcs7/pkcs7.h pem/pem.h
@@ -119,15 +120,15 @@ copy_hdrs crypto "stack/stack.h lhash/lhash.h stack/safestack.h
 	krb5/krb5_asn.h asn1/asn1_mac.h x509v3/x509v3.h conf/conf.h ocsp/ocsp.h
 	aes/aes.h modes/modes.h asn1/asn1t.h dso/dso.h bf/blowfish.h
 	bio/bio.h cast/cast.h cmac/cmac.h conf/conf_api.h des/des.h dh/dh.h
-	dsa/dsa.h cms/cms.h engine/engine.h ui/ui.h pkcs12/pkcs12.h ts/ts.h
+	dsa/dsa.h engine/engine.h ui/ui.h pkcs12/pkcs12.h ts/ts.h
 	md4/md4.h ripemd/ripemd.h whrlpool/whrlpool.h idea/idea.h
 	rc2/rc2.h rc4/rc4.h ui/ui_compat.h txt_db/txt_db.h
 	chacha/chacha.h evp/evp.h poly1305/poly1305.h camellia/camellia.h
 	gost/gost.h"
 
-copy_hdrs ssl "srtp.h ssl.h ssl2.h ssl3.h ssl23.h tls1.h dtls1.h"
+copy_hdrs $libssl_src "srtp.h ssl.h ssl2.h ssl3.h ssl23.h tls1.h dtls1.h"
 
-$CP $libssl_src/src/crypto/opensslv.h include/openssl
+$CP $libcrypto_src/opensslv.h include/openssl
 awk '/LIBRESSL_VERSION_TEXT/ {print $4}' < include/openssl/opensslv.h | cut -d\" -f1 > VERSION
 echo "LibreSSL version `cat VERSION`"
 
@@ -138,8 +139,8 @@ for i in `awk '/SOURCES|HEADERS/ { print $3 }' crypto/Makefile.am` ; do
 	dir=`dirname $i`
 	mkdir -p crypto/$dir
 	if [ $dir != "compat" ]; then
-		if [ -e $libssl_src/src/crypto/$i ]; then
-			$CP $libssl_src/src/crypto/$i crypto/$i
+		if [ -e $libcrypto_src/$i ]; then
+			$CP $libcrypto_src/$i crypto/$i
 		fi
 	fi
 done
@@ -147,7 +148,7 @@ $CP crypto/compat/b_win.c crypto/bio
 $CP crypto/compat/ui_openssl_win.c crypto/ui
 
 # generate assembly crypto algorithms
-asm_src=$libssl_src/src/crypto
+asm_src=$libcrypto_src
 gen_asm_stdout() {
 	perl $asm_src/$2 $1 > $3.tmp
 	[ $1 = "elf" ] && cat <<-EOF >> $3.tmp
@@ -223,7 +224,6 @@ done
 # copy openssl(1) source
 echo "copying openssl(1) source"
 $CP $app_src/openssl/openssl.1 apps/openssl
-rm -f apps/openssl/*.c apps/openssl/*.h
 $CP_LIBC $libc_src/stdlib/strtonum.c apps/openssl/compat
 $CP $libcrypto_src/cert.pem apps/openssl
 $CP $libcrypto_src/openssl.cnf apps/openssl
@@ -238,7 +238,7 @@ done
 echo "copying libssl source"
 rm -f ssl/*.c ssl/*.h
 for i in `awk '/SOURCES|HEADERS/ { print $3 }' ssl/Makefile.am` ; do
-	$CP $libssl_src/src/ssl/$i ssl
+	$CP $libssl_src/$i ssl
 done
 
 # copy libcrypto tests
@@ -301,8 +301,13 @@ add_man_links() {
 }
 
 # apply local patches
+PATCH=patch
+# Prefer gnu patch on AIX systems, if available
+if [ -x /opt/freeware/bin/patch ]; then
+    PATCH=/opt/freeware/bin/patch
+fi
 for i in patches/*.patch; do
-    patch -p0 < $i
+    $PATCH -p0 < $i
 done
 
 # copy manpages
@@ -315,7 +320,7 @@ echo "dist_man_MANS += tls_init.3" >> man/Makefile.am
 
 (cd man
 	# update new-style manpages
-	for i in `ls -1 $libssl_src/src/doc/ssl/*.3 | sort`; do
+	for i in `ls -1 $libssl_src/doc/*.3 | sort`; do
 		NAME=`basename "$i"`
 		$CP $i .
 		echo "dist_man_MANS += $NAME" >> Makefile.am
@@ -328,7 +333,7 @@ echo "dist_man_MANS += tls_init.3" >> man/Makefile.am
 	done
 
 	# convert remaining POD manpages
-	for i in `ls -1 $libssl_src/src/doc/crypto/*.pod | sort`; do
+	for i in `ls -1 $libcrypto_src/doc/*.pod | sort`; do
 		BASE=`echo $i|sed -e "s/\.pod//"`
 		NAME=`basename "$BASE"`
 		# reformat file if new