update changelog to get the right openbsd source tags

The build system incorrectly set include directives in AM_CFLAGS which
causes them to be placed after the configured CPPFLAGS.  Thus, if
a user or packaging system sets CPPFLAGS to a location that has
libressl or openssl headers installed, they will be used instead
of the bundled versions.  This corrects that issue by setting up
the variables correctly.

https://github.com/libressl-portable/portable/issues/150

Signed-off-by: Jeremy Huddleston Sequoia <jeremyhu@apple.com>

.gitignore

@@ -41,10 +41,6 @@ Makefile.in
 *.def
 *.pc
 
-# man pages
-*.1
-*.3
-
 # tests
 test-driver
 *.log
@@ -111,16 +107,14 @@ include/pqueue.h
 include/tls.h
 include/openssl/*.h
 
-!/apps/nc/readpassphrase.c
+!/apps/apps_win.c
-/apps/nc/*.h
+!/apps/poll_win.c
-/apps/nc/*.c
+!/apps/certhash_disabled.c
-/apps/nc/nc*
+/apps/*.h
-/apps/openssl/*.h
+/apps/*.c
-/apps/openssl/*.c
+/apps/*.cnf
-/apps/openssl/*.cnf
+/apps/*.pem
-/apps/openssl/*.pem
+/apps/openssl
-/apps/openssl/openssl
-/apps/openssl/compat/strtonum.c
 
 !/crypto/Makefile.am.*
 !/crypto/compat/arc4random.h
@@ -147,4 +141,7 @@ include/openssl/*.h
 openbsd/
 
 *.tar.gz
+apps/*.1*
+man/*.3
+man/*.1
 man/Makefile.am

ChangeLog

@@ -28,63 +28,53 @@ history is also available from Git.
 
 LibreSSL Portable Release Notes:
 
-2.3.0 - SSLv3 removed, libtls API changes, portability improvements
+2.2.9 - Security fix
 
-	* SSLv3 is now permanently removed from the tree.
+	* Correct a problem that prevents the DSA signing algorithm from
+	  running in constant time even if the flag BN_FLG_CONSTTIME is set.
+	  This issue was reported by Cesar Pereida (Aalto University), Billy
+	  Brumley (Tampere University of Technology), and Yuval Yarom (The
+	  University of Adelaide and NICTA). The fix was developed by Cesar
+	  Pereida. See OpenBSD 5.8 errata 17, June 6, 2016
 
-	* The libtls API is changed from the 2.2.x series.
+2.2.8 - Reliability fix
 
-	  The read/write functions work correctly with external event
+	* Fixed an error in libcrypto when parsing some ASN.1 elements > 16k.
-	  libraries.  See the tls_init man page for examples of using libtls
-	  correctly in asynchronous mode.
 
-	  Client-side verification is now supported, with the client supplying
+2.2.7 - Security Update
-	  the certificate to the server.
 
-	  Also, when using tls_connect_fds, tls_connect_socket or
+	* Fix multiple vulnerabilities in libcrypto relating to ASN.1 and encoding.
-	  tls_accept_fds, libtls no longer implicitly closes the passed in
+	From OpenSSL.
-	  sockets. The caller is responsible for closing them in this case.
 
-	* When loading a DSA key from an raw (without DH parameters) ASN.1
+2.2.6 - Security Update
-	  serialization, perform some consistency checks on its `p' and `q'
-	  values, and return an error if the checks failed.
 
-	  Thanks for Georgi Guninski (guninski at guninski dot com) for
+	* Deprecated the SSL_OP_SINGLE_DH_USE flag.
-	  mentioning the possibility of a weak (non prime) q value and
-	  providing a test case.
 
-	  See
+2.2.5 - Reliability Update
-	  https://cpunks.org/pipermail/cypherpunks/2015-September/009007.html
-	  for a longer discussion.
 
-	* Fixed a bug in ECDH_compute_key that can lead to silent truncation
+	* Fixes from OpenSSL 1.0.1q
-	  of the result key without error. A coding error could cause software
+	 - CVE-2015-3194 - NULL pointer dereference in client side certificate
-	  to use much shorter keys than intended.
+	                   validation.
+	 - CVE-2015-3195 - Memory leak in PKCS7 - not reachable from TLS/SSL
 
-	* Removed support for DTLS_BAD_VER. Pre-DTLSv1 implementations are no
+	* The following OpenSSL CVEs did not apply to LibreSSL
-	  longer supported.
+	 - CVE-2015-3193 - Carry propagating bug in the x86_64 Montgomery
+	                   squaring procedure.
+	 - CVE-2015-3196 - Double free race condition of the identify hint
+	                   data.
 
-	* The engine command and parameters are removed from the openssl(1).
+	 See https://marc.info/?l=openbsd-announce&m=144925068504102
-	  Previous releases removed dynamic and builtin engine support
-	  already.
 
-	* SHA-0 is removed, which was withdrawn shortly after publication 20
+2.2.4 - Build and bug fixes
-	  years ago.
 
-	* Added Certplus CA root certificate to the default cert.pem file.
+	* Backported build fixes for CMake on Windows, OSX and Linux
 
-	* New interface OPENSSL_cpu_caps is provided that does not allow
+	* Fixes for a memory leak and out-of-bounds access in OBJ_obj2txt
-	  software to inadvertently modify cpu capability flags.
+	  reported by Qualys Security.
-	  OPENSSL_ia32cap and OPENSSL_ia32cap_loc are removed.
+	 - CVE-2015-5333 - memory leak in OBJ_obj2txt
+	 - CVE-2015-5334 - 1-byte buffer overflow in OBJ_obj2txt
 
-	* The out_len argument of AEAD changed from ssize_t to size_t.
+	 See http://www.openwall.com/lists/oss-security/2015/10/16/1
-
-	* Deduplicated DTLS code, sharing bugfixes and improvements with
-	  TLS.
-
-	* Converted 'nc' to use libtls for client and server operations; it is
-	  included in the libressl-portable distribution as an example of how
-	  to use the library.
 
 2.2.3 - Bug fixes, build enhancements
 

Makefile.am.common

@@ -1,2 +1,2 @@
-AM_CFLAGS = -I$(top_srcdir)/include -I$(top_srcdir)/include/compat
+AM_CFLAGS =
-AM_CPPFLAGS = -DLIBRESSL_INTERNAL
+AM_CPPFLAGS = -I$(top_srcdir)/include -I$(top_srcdir)/include/compat -DLIBRESSL_INTERNAL

OPENBSD_BRANCH

@@ -1 +1 @@
-master
+OPENBSD_5_8

apps/CMakeLists.txt

@@ -2,77 +2,77 @@ include_directories(
 	.
 	../include
 	../include/compat
-	./openssl
 )
 
 set(
 	OPENSSL_SRC
-	openssl/apps.c
+	apps.c
-	openssl/asn1pars.c
+	asn1pars.c
-	openssl/ca.c
+	ca.c
-	openssl/ciphers.c
+	ciphers.c
-	openssl/cms.c
+	cms.c
-	openssl/crl.c
+	crl.c
-	openssl/crl2p7.c
+	crl2p7.c
-	openssl/dgst.c
+	dgst.c
-	openssl/dh.c
+	dh.c
-	openssl/dhparam.c
+	dhparam.c
-	openssl/dsa.c
+	dsa.c
-	openssl/dsaparam.c
+	dsaparam.c
-	openssl/ec.c
+	ec.c
-	openssl/ecparam.c
+	ecparam.c
-	openssl/enc.c
+	enc.c
-	openssl/errstr.c
+	engine.c
-	openssl/gendh.c
+	errstr.c
-	openssl/gendsa.c
+	gendh.c
-	openssl/genpkey.c
+	gendsa.c
-	openssl/genrsa.c
+	genpkey.c
-	openssl/nseq.c
+	genrsa.c
-	openssl/ocsp.c
+	nseq.c
-	openssl/openssl.c
+	ocsp.c
-	openssl/passwd.c
+	openssl.c
-	openssl/pkcs12.c
+	passwd.c
-	openssl/pkcs7.c
+	pkcs12.c
-	openssl/pkcs8.c
+	pkcs7.c
-	openssl/pkey.c
+	pkcs8.c
-	openssl/pkeyparam.c
+	pkey.c
-	openssl/pkeyutl.c
+	pkeyparam.c
-	openssl/prime.c
+	pkeyutl.c
-	openssl/rand.c
+	prime.c
-	openssl/req.c
+	rand.c
-	openssl/rsa.c
+	req.c
-	openssl/rsautl.c
+	rsa.c
-	openssl/s_cb.c
+	rsautl.c
-	openssl/s_client.c
+	s_cb.c
-	openssl/s_server.c
+	s_client.c
-	openssl/s_socket.c
+	s_server.c
-	openssl/s_time.c
+	s_socket.c
-	openssl/sess_id.c
+	s_time.c
-	openssl/smime.c
+	sess_id.c
-	openssl/speed.c
+	smime.c
-	openssl/spkac.c
+	speed.c
-	openssl/ts.c
+	spkac.c
-	openssl/verify.c
+	ts.c
-	openssl/version.c
+	verify.c
-	openssl/x509.c
+	version.c
+	x509.c
 )
 
 if(CMAKE_HOST_UNIX)
-	set(OPENSSL_SRC ${OPENSSL_SRC} openssl/apps_posix.c)
+	set(OPENSSL_SRC ${OPENSSL_SRC} apps_posix.c)
-	set(OPENSSL_SRC ${OPENSSL_SRC} openssl/certhash.c)
+	set(OPENSSL_SRC ${OPENSSL_SRC} certhash.c)
 endif()
 
 if(CMAKE_HOST_WIN32)
-	set(OPENSSL_SRC ${OPENSSL_SRC} openssl/compat/apps_win.c)
+	set(OPENSSL_SRC ${OPENSSL_SRC} apps_win.c)
-	set(OPENSSL_SRC ${OPENSSL_SRC} openssl/compat/certhash_win.c)
+	set(OPENSSL_SRC ${OPENSSL_SRC} certhash_disabled.c)
-	set(OPENSSL_SRC ${OPENSSL_SRC} openssl/compat/poll_win.c)
+	set(OPENSSL_SRC ${OPENSSL_SRC} poll_win.c)
 endif()
 
 check_function_exists(strtonum HAVE_STRTONUM)
 if(HAVE_STRTONUM)
 	add_definitions(-DHAVE_STRTONUM)
 else()
-	set(OPENSSL_SRC ${OPENSSL_SRC} openssl/compat/strtonum.c)
+	set(OPENSSL_SRC ${OPENSSL_SRC} strtonum.c)
 endif()
 
 add_executable(openssl ${OPENSSL_SRC})

apps/Makefile.am

@@ -1,5 +1,118 @@
 include $(top_srcdir)/Makefile.am.common
 
-SUBDIRS = openssl nc
+bin_PROGRAMS = openssl
 
-EXTRA_DIST = CMakeLists.txt
+openssl_LDADD = $(PLATFORM_LDADD) $(PROG_LDADD)
+openssl_LDADD += $(top_builddir)/ssl/libssl.la
+openssl_LDADD += $(top_builddir)/crypto/libcrypto.la
+
+openssl_SOURCES = apps.c
+openssl_SOURCES += asn1pars.c
+openssl_SOURCES += ca.c
+openssl_SOURCES += ciphers.c
+openssl_SOURCES += cms.c
+openssl_SOURCES += crl.c
+openssl_SOURCES += crl2p7.c
+openssl_SOURCES += dgst.c
+openssl_SOURCES += dh.c
+openssl_SOURCES += dhparam.c
+openssl_SOURCES += dsa.c
+openssl_SOURCES += dsaparam.c
+openssl_SOURCES += ec.c
+openssl_SOURCES += ecparam.c
+openssl_SOURCES += enc.c
+openssl_SOURCES += engine.c
+openssl_SOURCES += errstr.c
+openssl_SOURCES += gendh.c
+openssl_SOURCES += gendsa.c
+openssl_SOURCES += genpkey.c
+openssl_SOURCES += genrsa.c
+openssl_SOURCES += nseq.c
+openssl_SOURCES += ocsp.c
+openssl_SOURCES += openssl.c
+openssl_SOURCES += passwd.c
+openssl_SOURCES += pkcs12.c
+openssl_SOURCES += pkcs7.c
+openssl_SOURCES += pkcs8.c
+openssl_SOURCES += pkey.c
+openssl_SOURCES += pkeyparam.c
+openssl_SOURCES += pkeyutl.c
+openssl_SOURCES += prime.c
+openssl_SOURCES += rand.c
+openssl_SOURCES += req.c
+openssl_SOURCES += rsa.c
+openssl_SOURCES += rsautl.c
+openssl_SOURCES += s_cb.c
+openssl_SOURCES += s_client.c
+openssl_SOURCES += s_server.c
+openssl_SOURCES += s_socket.c
+openssl_SOURCES += s_time.c
+openssl_SOURCES += sess_id.c
+openssl_SOURCES += smime.c
+openssl_SOURCES += speed.c
+openssl_SOURCES += spkac.c
+openssl_SOURCES += ts.c
+openssl_SOURCES += verify.c
+openssl_SOURCES += version.c
+openssl_SOURCES += x509.c
+
+if BUILD_CERTHASH
+openssl_SOURCES += certhash.c
+else
+openssl_SOURCES += certhash_disabled.c
+endif
+
+if HOST_WIN
+openssl_SOURCES += apps_win.c
+else
+openssl_SOURCES += apps_posix.c
+endif
+
+if !HAVE_POLL
+if HOST_WIN
+openssl_SOURCES += poll_win.c
+endif
+endif
+
+if !HAVE_STRTONUM
+openssl_SOURCES += strtonum.c
+endif
+
+noinst_HEADERS = apps.h
+noinst_HEADERS += progs.h
+noinst_HEADERS += s_apps.h
+noinst_HEADERS += testdsa.h
+noinst_HEADERS += testrsa.h
+noinst_HEADERS += timeouts.h
+
+EXTRA_DIST = cert.pem
+EXTRA_DIST += openssl.cnf
+EXTRA_DIST += x509v3.cnf
+EXTRA_DIST += CMakeLists.txt
+
+install-exec-hook:
+	@if [ "@OPENSSLDIR@x" != "x" ]; then \
+		OPENSSLDIR="$(DESTDIR)/@OPENSSLDIR@"; \
+	else \
+		OPENSSLDIR="$(DESTDIR)/$(sysconfdir)/ssl"; \
+	fi; \
+	mkdir -p "$$OPENSSLDIR/certs"; \
+	for i in cert.pem openssl.cnf x509v3.cnf; do \
+		if [ ! -f "$$OPENSSLDIR/$i" ]; then \
+			$(INSTALL) -m 644 "$(srcdir)/$$i" "$$OPENSSLDIR/$$i"; \
+		else \
+			echo " $$OPENSSLDIR/$$i already exists, install will not overwrite"; \
+		fi \
+	done
+
+uninstall-local:
+	@if [ "@OPENSSLDIR@x" != "x" ]; then \
+		OPENSSLDIR="$(DESTDIR)/@OPENSSLDIR@"; \
+	else \
+		OPENSSLDIR="$(DESTDIR)/$(sysconfdir)/ssl"; \
+	fi; \
+	for i in cert.pem openssl.cnf x509v3.cnf; do \
+		if cmp -s "$$OPENSSLDIR/$$i" "$(srcdir)/$$i"; then \
+			rm -f "$$OPENSSLDIR/$$i"; \
+		fi \
+	done

apps/apps_win.c

@@ -0,0 +1,29 @@
+/*
+ * Public domain
+ *
+ * Dongsheng Song <dongsheng.song@gmail.com>
+ * Brent Cook <bcook@openbsd.org>
+ */
+
+#include <windows.h>
+
+#include "apps.h"
+
+double
+app_tminterval(int stop, int usertime)
+{
+	static unsigned __int64 tmstart;
+	union {
+		unsigned __int64 u64;
+		FILETIME ft;
+	} ct, et, kt, ut;
+
+	GetProcessTimes(GetCurrentProcess(), &ct.ft, &et.ft, &kt.ft, &ut.ft);
+
+	if (stop == TM_START) {
+		tmstart = ut.u64 + kt.u64;
+	} else {
+		return (ut.u64 + kt.u64 - tmstart) / (double) 10000000;
+	}
+	return 0;
+}

apps/certhash_disabled.c

@@ -3,7 +3,7 @@
  * certhash dummy implementation for platforms without symlinks
  */
 
-#include <apps.h>
+#include "apps.h"
 
 int
 certhash_main(int argc, char **argv)

apps/nc/Makefile.am

@@ -1,36 +0,0 @@
-include $(top_srcdir)/Makefile.am.common
-
-if BUILD_NC
-
-noinst_PROGRAMS = nc
-
-EXTRA_DIST = nc.1
-
-nc_LDADD = $(PLATFORM_LDADD) $(PROG_LDADD)
-nc_LDADD += $(top_builddir)/crypto/libcrypto.la
-nc_LDADD += $(top_builddir)/ssl/libssl.la
-nc_LDADD += $(top_builddir)/tls/libtls.la
-
-CPPFLAGS += -I$(top_srcdir)/apps/nc/compat
-
-nc_SOURCES = atomicio.c
-nc_SOURCES += netcat.c
-nc_SOURCES += socks.c
-noinst_HEADERS = atomicio.h
-noinst_HEADERS += compat/sys/socket.h
-
-nc_SOURCES += compat/socket.c
-
-if !HAVE_ACCEPT4
-nc_SOURCES += compat/accept4.c
-endif
-
-if !HAVE_READPASSPHRASE
-nc_SOURCES += compat/readpassphrase.c
-endif
-
-if !HAVE_STRTONUM
-nc_SOURCES += compat/strtonum.c
-endif
-
-endif

apps/nc/compat/accept4.c

@@ -1,17 +0,0 @@
-#include <sys/socket.h>
-#include <fcntl.h>
-
-int
-accept4(int s, struct sockaddr *addr, socklen_t *addrlen, int flags)
-{
-	int rets = accept(s, addr, addrlen);
-	if (rets == -1)
-		return s;
-
-	if (flags & SOCK_CLOEXEC) {
-		flags = fcntl(s, F_GETFD);
-		fcntl(rets, F_SETFD, flags | FD_CLOEXEC);
-	}
-
-	return rets;
-}

apps/nc/compat/readpassphrase.c

@@ -1,205 +0,0 @@
-/*	$OpenBSD: readpassphrase.c,v 1.22 2010/01/13 10:20:54 dtucker Exp $	*/
-
-/*
- * Copyright (c) 2000-2002, 2007 Todd C. Miller <Todd.Miller@courtesan.com>
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
- * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
- * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
- * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
- * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
- * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
- * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
- *
- * Sponsored in part by the Defense Advanced Research Projects
- * Agency (DARPA) and Air Force Research Laboratory, Air Force
- * Materiel Command, USAF, under agreement number F39502-99-1-0512.
- */
-
-/* OPENBSD ORIGINAL: lib/libc/gen/readpassphrase.c */
-
-#include <termios.h>
-#include <signal.h>
-#include <ctype.h>
-#include <fcntl.h>
-#include <errno.h>
-#include <string.h>
-#include <unistd.h>
-
-#include <readpassphrase.h>
-
-#ifndef _PATH_TTY
-# define _PATH_TTY "/dev/tty"
-#endif
-
-#ifdef TCSASOFT
-# define _T_FLUSH	(TCSAFLUSH|TCSASOFT)
-#else
-# define _T_FLUSH	(TCSAFLUSH)
-#endif
-
-/* SunOS 4.x which lacks _POSIX_VDISABLE, but has VDISABLE */
-#if !defined(_POSIX_VDISABLE) && defined(VDISABLE)
-#  define _POSIX_VDISABLE       VDISABLE
-#endif
-
-#ifndef _NSIG
-# ifdef NSIG
-#  define _NSIG NSIG
-# else
-#  define _NSIG 128
-# endif
-#endif
-
-static volatile sig_atomic_t signo[_NSIG];
-
-static void handler(int);
-
-char *
-readpassphrase(const char *prompt, char *buf, size_t bufsiz, int flags)
-{
-	ssize_t bytes_written = 0;
-	ssize_t nr;
-	int input, output, save_errno, i, need_restart;
-	char ch, *p, *end;
-	struct termios term, oterm;
-	struct sigaction sa, savealrm, saveint, savehup, savequit, saveterm;
-	struct sigaction savetstp, savettin, savettou, savepipe;
-
-	/* I suppose we could alloc on demand in this case (XXX). */
-	if (bufsiz == 0) {
-		errno = EINVAL;
-		return(NULL);
-	}
-
-restart:
-	for (i = 0; i < _NSIG; i++)
-		signo[i] = 0;
-	nr = -1;
-	save_errno = 0;
-	need_restart = 0;
-	/*
-	 * Read and write to /dev/tty if available.  If not, read from
-	 * stdin and write to stderr unless a tty is required.
-	 */
-	if ((flags & RPP_STDIN) ||
-	    (input = output = open(_PATH_TTY, O_RDWR)) == -1) {
-		if (flags & RPP_REQUIRE_TTY) {
-			errno = ENOTTY;
-			return(NULL);
-		}
-		input = STDIN_FILENO;
-		output = STDERR_FILENO;
-	}
-
-	/*
-	 * Catch signals that would otherwise cause the user to end
-	 * up with echo turned off in the shell.  Don't worry about
-	 * things like SIGXCPU and SIGVTALRM for now.
-	 */
-	sigemptyset(&sa.sa_mask);
-	sa.sa_flags = 0;		/* don't restart system calls */
-	sa.sa_handler = handler;
-	(void)sigaction(SIGALRM, &sa, &savealrm);
-	(void)sigaction(SIGHUP, &sa, &savehup);
-	(void)sigaction(SIGINT, &sa, &saveint);
-	(void)sigaction(SIGPIPE, &sa, &savepipe);
-	(void)sigaction(SIGQUIT, &sa, &savequit);
-	(void)sigaction(SIGTERM, &sa, &saveterm);
-	(void)sigaction(SIGTSTP, &sa, &savetstp);
-	(void)sigaction(SIGTTIN, &sa, &savettin);
-	(void)sigaction(SIGTTOU, &sa, &savettou);
-
-	/* Turn off echo if possible. */
-	if (input != STDIN_FILENO && tcgetattr(input, &oterm) == 0) {
-		memcpy(&term, &oterm, sizeof(term));
-		if (!(flags & RPP_ECHO_ON))
-			term.c_lflag &= ~(ECHO | ECHONL);
-#ifdef VSTATUS
-		if (term.c_cc[VSTATUS] != _POSIX_VDISABLE)
-			term.c_cc[VSTATUS] = _POSIX_VDISABLE;
-#endif
-		(void)tcsetattr(input, _T_FLUSH, &term);
-	} else {
-		memset(&term, 0, sizeof(term));
-		term.c_lflag |= ECHO;
-		memset(&oterm, 0, sizeof(oterm));
-		oterm.c_lflag |= ECHO;
-	}
-
-	/* No I/O if we are already backgrounded. */
-	if (signo[SIGTTOU] != 1 && signo[SIGTTIN] != 1) {
-		if (!(flags & RPP_STDIN))
-			bytes_written = write(output, prompt, strlen(prompt));
-		end = buf + bufsiz - 1;
-		p = buf;
-		while ((nr = read(input, &ch, 1)) == 1 && ch != '\n' && ch != '\r') {
-			if (p < end) {
-				if ((flags & RPP_SEVENBIT))
-					ch &= 0x7f;
-				if (isalpha(ch)) {
-					if ((flags & RPP_FORCELOWER))
-						ch = (char)tolower(ch);
-					if ((flags & RPP_FORCEUPPER))
-						ch = (char)toupper(ch);
-				}
-				*p++ = ch;
-			}
-		}
-		*p = '\0';
-		save_errno = errno;
-		if (!(term.c_lflag & ECHO))
-			bytes_written = write(output, "\n", 1);
-	}
-
-	(void) bytes_written;
-
-	/* Restore old terminal settings and signals. */
-	if (memcmp(&term, &oterm, sizeof(term)) != 0) {
-		while (tcsetattr(input, _T_FLUSH, &oterm) == -1 &&
-		    errno == EINTR)
-			continue;
-	}
-	(void)sigaction(SIGALRM, &savealrm, NULL);
-	(void)sigaction(SIGHUP, &savehup, NULL);
-	(void)sigaction(SIGINT, &saveint, NULL);
-	(void)sigaction(SIGQUIT, &savequit, NULL);
-	(void)sigaction(SIGPIPE, &savepipe, NULL);
-	(void)sigaction(SIGTERM, &saveterm, NULL);
-	(void)sigaction(SIGTSTP, &savetstp, NULL);
-	(void)sigaction(SIGTTIN, &savettin, NULL);
-	(void)sigaction(SIGTTOU, &savettou, NULL);
-	if (input != STDIN_FILENO)
-		(void)close(input);
-
-	/*
-	 * If we were interrupted by a signal, resend it to ourselves
-	 * now that we have restored the signal handlers.
-	 */
-	for (i = 0; i < _NSIG; i++) {
-		if (signo[i]) {
-			kill(getpid(), i);
-			switch (i) {
-			case SIGTSTP:
-			case SIGTTIN:
-			case SIGTTOU:
-				need_restart = 1;
-			}
-		}
-	}
-	if (need_restart)
-		goto restart;
-
-	if (save_errno)
-		errno = save_errno;
-	return(nr == -1 ? NULL : buf);
-}
-
-static void handler(int s)
-{
-	signo[s] = 1;
-}

apps/nc/compat/socket.c

@@ -1,29 +0,0 @@
-#define SOCKET_FLAGS_PRIV
-
-#include <sys/socket.h>
-
-#ifdef NEED_SOCKET_FLAGS
-
-#include <fcntl.h>
-
-int
-_socket(int domain, int type, int protocol)
-{
-	int s = socket(domain, type & ~(SOCK_CLOEXEC | SOCK_NONBLOCK), protocol);
-	int flags;
-	if (s == -1)
-		return s;
-
-	if (type & SOCK_CLOEXEC) {
-		flags = fcntl(s, F_GETFD);
-		fcntl(s, F_SETFD, flags | FD_CLOEXEC);
-	}
-
-	if (type & SOCK_NONBLOCK) {
-		flags = fcntl(s, F_GETFL);
-		fcntl(s, F_SETFL, flags | O_NONBLOCK);
-	}
-	return s;
-}
-
-#endif

apps/nc/compat/strtonum.c

@@ -1,65 +0,0 @@
-/*	$OpenBSD: strtonum.c,v 1.7 2013/04/17 18:40:58 tedu Exp $	*/
-
-/*
- * Copyright (c) 2004 Ted Unangst and Todd Miller
- * All rights reserved.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
- * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
- * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
- * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
- * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
- * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
- * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
- */
-
-#include <errno.h>
-#include <limits.h>
-#include <stdlib.h>
-
-#define	INVALID		1
-#define	TOOSMALL	2
-#define	TOOLARGE	3
-
-long long
-strtonum(const char *numstr, long long minval, long long maxval,
-    const char **errstrp)
-{
-	long long ll = 0;
-	int error = 0;
-	char *ep;
-	struct errval {
-		const char *errstr;
-		int err;
-	} ev[4] = {
-		{ NULL,		0 },
-		{ "invalid",	EINVAL },
-		{ "too small",	ERANGE },
-		{ "too large",	ERANGE },
-	};
-
-	ev[0].err = errno;
-	errno = 0;
-	if (minval > maxval) {
-		error = INVALID;
-	} else {
-		ll = strtoll(numstr, &ep, 10);
-		if (numstr == ep || *ep != '\0')
-			error = INVALID;
-		else if ((ll == LLONG_MIN && errno == ERANGE) || ll < minval)
-			error = TOOSMALL;
-		else if ((ll == LLONG_MAX && errno == ERANGE) || ll > maxval)
-			error = TOOLARGE;
-	}
-	if (errstrp != NULL)
-		*errstrp = ev[error].errstr;
-	errno = ev[error].err;
-	if (error)
-		ll = 0;
-
-	return (ll);
-}

apps/nc/compat/sys/socket.h

@@ -1,31 +0,0 @@
-/*
- * Public domain
- * sys/socket.h compatibility shim
- */
-
-#ifndef _WIN32
-#include_next <sys/socket.h>
-
-#if !defined(SOCK_NONBLOCK) || !defined(SOCK_CLOEXEC)
-#define NEED_SOCKET_FLAGS
-int _socket(int domain, int type, int protocol);
-#ifndef SOCKET_FLAGS_PRIV
-#define socket(d, t, p) _socket(d, t, p)
-#endif
-#endif
-
-#ifndef SOCK_NONBLOCK
-#define	SOCK_NONBLOCK		0x4000	/* set O_NONBLOCK */
-#endif
-
-#ifndef SOCK_CLOEXEC
-#define	SOCK_CLOEXEC		0x8000	/* set FD_CLOEXEC */
-#endif
-
-#ifndef HAVE_ACCEPT4
-int accept4(int s, struct sockaddr *addr, socklen_t *addrlen, int flags);
-#endif
-
-#else
-#include <win32netcompat.h>
-#endif

apps/openssl/Makefile.am

@@ -1,118 +0,0 @@
-include $(top_srcdir)/Makefile.am.common
-
-bin_PROGRAMS = openssl
-
-dist_man_MANS = openssl.1
-
-openssl_LDADD = $(PLATFORM_LDADD) $(PROG_LDADD)
-openssl_LDADD += $(top_builddir)/ssl/libssl.la
-openssl_LDADD += $(top_builddir)/crypto/libcrypto.la
-
-openssl_SOURCES = apps.c
-openssl_SOURCES += asn1pars.c
-openssl_SOURCES += ca.c
-openssl_SOURCES += ciphers.c
-openssl_SOURCES += cms.c
-openssl_SOURCES += crl.c
-openssl_SOURCES += crl2p7.c
-openssl_SOURCES += dgst.c
-openssl_SOURCES += dh.c
-openssl_SOURCES += dhparam.c
-openssl_SOURCES += dsa.c
-openssl_SOURCES += dsaparam.c
-openssl_SOURCES += ec.c
-openssl_SOURCES += ecparam.c
-openssl_SOURCES += enc.c
-openssl_SOURCES += errstr.c
-openssl_SOURCES += gendh.c
-openssl_SOURCES += gendsa.c
-openssl_SOURCES += genpkey.c
-openssl_SOURCES += genrsa.c
-openssl_SOURCES += nseq.c
-openssl_SOURCES += ocsp.c
-openssl_SOURCES += openssl.c
-openssl_SOURCES += passwd.c
-openssl_SOURCES += pkcs12.c
-openssl_SOURCES += pkcs7.c
-openssl_SOURCES += pkcs8.c
-openssl_SOURCES += pkey.c
-openssl_SOURCES += pkeyparam.c
-openssl_SOURCES += pkeyutl.c
-openssl_SOURCES += prime.c
-openssl_SOURCES += rand.c
-openssl_SOURCES += req.c
-openssl_SOURCES += rsa.c
-openssl_SOURCES += rsautl.c
-openssl_SOURCES += s_cb.c
-openssl_SOURCES += s_client.c
-openssl_SOURCES += s_server.c
-openssl_SOURCES += s_socket.c
-openssl_SOURCES += s_time.c
-openssl_SOURCES += sess_id.c
-openssl_SOURCES += smime.c
-openssl_SOURCES += speed.c
-openssl_SOURCES += spkac.c
-openssl_SOURCES += ts.c
-openssl_SOURCES += verify.c
-openssl_SOURCES += version.c
-openssl_SOURCES += x509.c
-
-if BUILD_CERTHASH
-openssl_SOURCES += certhash.c
-else
-openssl_SOURCES += compat/certhash_win.c
-endif
-
-if HOST_WIN
-openssl_SOURCES += compat/apps_win.c
-else
-openssl_SOURCES += apps_posix.c
-endif
-
-if !HAVE_POLL
-if HOST_WIN
-openssl_SOURCES += compat/poll_win.c
-endif
-endif
-
-if !HAVE_STRTONUM
-openssl_SOURCES += compat/strtonum.c
-endif
-
-noinst_HEADERS = apps.h
-noinst_HEADERS += progs.h
-noinst_HEADERS += s_apps.h
-noinst_HEADERS += testdsa.h
-noinst_HEADERS += testrsa.h
-noinst_HEADERS += timeouts.h
-
-EXTRA_DIST = cert.pem
-EXTRA_DIST += openssl.cnf
-EXTRA_DIST += x509v3.cnf
-
-install-exec-hook:
-	@if [ "@OPENSSLDIR@x" != "x" ]; then \
-		OPENSSLDIR="$(DESTDIR)/@OPENSSLDIR@"; \
-	else \
-		OPENSSLDIR="$(DESTDIR)/$(sysconfdir)/ssl"; \
-	fi; \
-	mkdir -p "$$OPENSSLDIR/certs"; \
-	for i in cert.pem openssl.cnf x509v3.cnf; do \
-		if [ ! -f "$$OPENSSLDIR/$i" ]; then \
-			$(INSTALL) -m 644 "$(srcdir)/$$i" "$$OPENSSLDIR/$$i"; \
-		else \
-			echo " $$OPENSSLDIR/$$i already exists, install will not overwrite"; \
-		fi \
-	done
-
-uninstall-local:
-	@if [ "@OPENSSLDIR@x" != "x" ]; then \
-		OPENSSLDIR="$(DESTDIR)/@OPENSSLDIR@"; \
-	else \
-		OPENSSLDIR="$(DESTDIR)/$(sysconfdir)/ssl"; \
-	fi; \
-	for i in cert.pem openssl.cnf x509v3.cnf; do \
-		if cmp -s "$$OPENSSLDIR/$$i" "$(srcdir)/$$i"; then \
-			rm -f "$$OPENSSLDIR/$$i"; \
-		fi \
-	done

apps/openssl/compat/apps_win.c

@@ -1,60 +0,0 @@
-/*
- * Public domain
- *
- * Dongsheng Song <dongsheng.song@gmail.com>
- * Brent Cook <bcook@openbsd.org>
- */
-
-#include <windows.h>
-
-#include <io.h>
-#include <fcntl.h>
-
-#include <apps.h>
-
-double
-app_tminterval(int stop, int usertime)
-{
-	static unsigned __int64 tmstart;
-	union {
-		unsigned __int64 u64;
-		FILETIME ft;
-	} ct, et, kt, ut;
-
-	GetProcessTimes(GetCurrentProcess(), &ct.ft, &et.ft, &kt.ft, &ut.ft);
-
-	if (stop == TM_START) {
-		tmstart = ut.u64 + kt.u64;
-	} else {
-		return (ut.u64 + kt.u64 - tmstart) / (double) 10000000;
-	}
-	return 0;
-}
-
-int
-setup_ui(void)
-{
-	ui_method = UI_create_method("OpenSSL application user interface");
-	UI_method_set_opener(ui_method, ui_open);
-	UI_method_set_reader(ui_method, ui_read);
-	UI_method_set_writer(ui_method, ui_write);
-	UI_method_set_closer(ui_method, ui_close);
-
-	/*
-	 * Set STDIO to binary
-	 */
-	_setmode(_fileno(stdin), _O_BINARY);
-	_setmode(_fileno(stdout), _O_BINARY);
-	_setmode(_fileno(stderr), _O_BINARY);
-
-	return 0;
-}
-
-void
-destroy_ui(void)
-{
-	if (ui_method) {
-		UI_destroy_method(ui_method);
-		ui_method = NULL;
-	}
-}

check-release.sh

@@ -1,70 +0,0 @@
-#!/bin/sh
-set -e
-
-ver=$1
-dir=libressl-$ver
-tarball=$dir.tar.gz
-tag=v$ver
-
-if [ -z "$LIBRESSL_SSH" ]; then
-	if ! curl -v 1>/dev/null 2>&1; then
-		download="curl -O"
-	elif echo quit | ftp 1>/dev/null 2>&1; then
-		download=ftp
-	else
-		echo "need 'ftp' or 'curl' to verify"
-		exit
-	fi
-fi
-
-if [ "$ver" = "" ]; then
-	echo "please specify a version to check, e.g. $0 2.1.2"
-	exit
-fi
-
-if [ ! -e releases/$tarball ]; then
-	mkdir -p releases
-	rm -f $tarball
-	if [ -z "$LIBRESSL_SSH" ]; then
-		$download http://ftp.openbsd.org/pub/OpenBSD/LibreSSL/$tarball releases/
-		mv $tarball releases
-	else
-		scp $LIBRESSL_SSH/$tarball releases
-	fi
-	(cd releases; tar zxvf $tarball)
-fi
-
-if [ ! -e gen-releases/$tarball ]; then
-	rm -fr tests man include ssl crypto libtls-standalone/VERSION INSTALL
-	git checkout OPENBSD_BRANCH update.sh tests man include ssl crypto
-	git checkout $tag
-	echo "libressl-$tag" > OPENBSD_BRANCH
-	sed -i 's/git pull --rebase//' update.sh
-	./autogen.sh
-	./configure --enable-libtls
-	make dist
-
-	mkdir -p gen-releases
-	mv $tarball gen-releases
-
-	git checkout OPENBSD_BRANCH update.sh
-	git checkout master
-fi
-
-(cd gen-releases; rm -fr $dir; tar zxf $tarball)
-(cd releases; rm -fr $dir; tar zxf $tarball)
-
-echo "differences between release and regenerated release tag:"
-diff -urN \
-	-x *.3 \
-	-x Makefile.in \
-	-x aclocal.m4 \
-	-x compile \
-	-x config.guess \
-	-x config.sub \
-	-x configure \
-	-x depcomp \
-	-x install-sh \
-	-x missing \
-	-x test-driver \
-	releases/$dir gen-releases/$dir

configure.ac

@@ -52,6 +52,8 @@ CHECK_LIBC_COMPAT
 CHECK_LIBC_CRYPTO_COMPAT
 CHECK_VA_COPY
 
+AC_CHECK_HEADERS([err.h])
+
 AC_ARG_WITH([openssldir],
 	AS_HELP_STRING([--with-openssldir],
 		       [Set the default openssl directory]),
@@ -84,10 +86,6 @@ case $host_cpu in
 		AS_IF([test "x$BSWAP4" = "xyes"],,
 		    CPPFLAGS="$CPPFLAGS -D__STRICT_ALIGNMENT")
 		;;
-	*amd64*)
-		host_cpu=x86_64
-		;;
-
 esac
 
 AC_MSG_CHECKING([if .gnu.warning accepts long strings])
@@ -121,8 +119,6 @@ AC_CONFIG_FILES([
 	tls/Makefile
 	tests/Makefile
 	apps/Makefile
-	apps/openssl/Makefile
-	apps/nc/Makefile
 	man/Makefile
 	libcrypto.pc
 	libssl.pc

crypto/CMakeLists.txt

@@ -263,6 +263,7 @@ set(
 	ecdh/ech_err.c
 	ecdh/ech_key.c
 	ecdh/ech_lib.c
+	ecdh/ech_ossl.c
 	ecdsa/ecs_asn1.c
 	ecdsa/ecs_err.c
 	ecdsa/ecs_lib.c
@@ -334,6 +335,7 @@ set(
 	evp/m_md5.c
 	evp/m_null.c
 	evp/m_ripemd.c
+	evp/m_sha.c
 	evp/m_sha1.c
 	evp/m_sigver.c
 	evp/m_streebog.c
@@ -471,6 +473,8 @@ set(
 	sha/sha1dgst.c
 	sha/sha256.c
 	sha/sha512.c
+	sha/sha_dgst.c
+	sha/sha_one.c
 	stack/stack.c
 	ts/ts_asn1.c
 	ts/ts_conf.c

crypto/Makefile.am

@@ -1,8 +1,9 @@
 include $(top_srcdir)/Makefile.am.common
 
-AM_CFLAGS += -I$(top_srcdir)/crypto/asn1
+AM_CPPFLAGS += -I$(top_srcdir)/crypto/asn1
-AM_CFLAGS += -I$(top_srcdir)/crypto/evp
+AM_CPPFLAGS += -I$(top_srcdir)/crypto/evp
-AM_CFLAGS += -I$(top_srcdir)/crypto/modes
+AM_CPPFLAGS += -I$(top_srcdir)/crypto/modes
+AM_CPPFLAGS += -I$(top_srcdir)/crypto
 
 lib_LTLIBRARIES = libcrypto.la
 
@@ -14,7 +15,8 @@ EXTRA_DIST += compat/strcasecmp.c
 
 libcrypto_la_LDFLAGS = -version-info @LIBCRYPTO_VERSION@ -no-undefined
 libcrypto_la_LIBADD = libcompat.la libcompatnoopt.la
-libcrypto_la_CPPFLAGS = -DLIBRESSL_INTERNAL
+libcrypto_la_CPPFLAGS = $(AM_CPPFLAGS)
+libcrypto_la_CPPFLAGS += -DLIBRESSL_INTERNAL
 libcrypto_la_CPPFLAGS += -DOPENSSL_NO_HW_PADLOCK
 if OPENSSL_NO_ASM
 libcrypto_la_CPPFLAGS += -DOPENSSL_NO_ASM
@@ -118,6 +120,7 @@ libcrypto_la_SOURCES += mem_dbg.c
 libcrypto_la_SOURCES += o_init.c
 libcrypto_la_SOURCES += o_str.c
 libcrypto_la_SOURCES += o_time.c
+noinst_HEADERS += constant_time_locl.h
 noinst_HEADERS += cryptlib.h
 noinst_HEADERS += md32_common.h
 noinst_HEADERS += o_time.h
@@ -419,6 +422,7 @@ noinst_HEADERS += ec/ec_lcl.h
 libcrypto_la_SOURCES += ecdh/ech_err.c
 libcrypto_la_SOURCES += ecdh/ech_key.c
 libcrypto_la_SOURCES += ecdh/ech_lib.c
+libcrypto_la_SOURCES += ecdh/ech_ossl.c
 noinst_HEADERS += ecdh/ech_locl.h
 
 # ecdsa
@@ -501,6 +505,7 @@ libcrypto_la_SOURCES += evp/m_md4.c
 libcrypto_la_SOURCES += evp/m_md5.c
 libcrypto_la_SOURCES += evp/m_null.c
 libcrypto_la_SOURCES += evp/m_ripemd.c
+libcrypto_la_SOURCES += evp/m_sha.c
 libcrypto_la_SOURCES += evp/m_sha1.c
 libcrypto_la_SOURCES += evp/m_sigver.c
 libcrypto_la_SOURCES += evp/m_streebog.c
@@ -694,6 +699,8 @@ libcrypto_la_SOURCES += sha/sha1_one.c
 libcrypto_la_SOURCES += sha/sha1dgst.c
 libcrypto_la_SOURCES += sha/sha256.c
 libcrypto_la_SOURCES += sha/sha512.c
+libcrypto_la_SOURCES += sha/sha_dgst.c
+libcrypto_la_SOURCES += sha/sha_one.c
 noinst_HEADERS += sha/sha_locl.h
 
 # stack

crypto/compat/ui_openssl_win.c

@@ -286,7 +286,7 @@ error:
 	if (ps >= 1)
 		popsig();
 
-	explicit_bzero(result, BUFSIZ);
+	OPENSSL_cleanse(result, BUFSIZ);
 	return ok;
 }
 

dist-win.sh

@@ -22,18 +22,27 @@ for ARCH in X86 X64; do
 
 	echo Building for $HOST
 
-	CC=$HOST-gcc ./configure --host=$HOST
+	CC=$HOST-gcc ./configure --host=$HOST --with-openssldir=c:/libressl/ssl
 	make clean
 	PATH=$PATH:/usr/$HOST/sys-root/mingw/bin \
 	   make -j 4 check
 	make -j 4 install DESTDIR=`pwd`/stage-$ARCHDIR
 
 	mkdir -p $DIST/$ARCHDIR
+	#cp -a stage-$ARCHDIR/usr/local/lib/* $DIST/$ARCHDIR
 	if [ ! -e $DIST/include ]; then
-		cp -r stage-$ARCHDIR/usr/local/include $DIST
+		cp -a stage-$ARCHDIR/usr/local/include $DIST
+		sed -i -e 'N;/\n.*__non/s/"\? *\n/ /;P;D' \
+		       $DIST/include/openssl/*.h $DIST/include/*.h
+		sed -i -e 'N;/\n.*__attr/s/"\? *\n/ /;P;D' \
+		       $DIST/include/openssl/*.h $DIST/include/*.h
+		sed -i -e "s/__attr.*;/;/"  \
+		       -e "s/sys\/time.h/winsock2.h/" \
+		       $DIST/include/openssl/*.h $DIST/include/*.h
 	fi
 
 	cp stage-$ARCHDIR/usr/local/bin/* $DIST/$ARCHDIR
+	#cp /usr/$HOST/sys-root/mingw/bin/libssp* $DIST/$ARCHDIR
 
 	for i in libcrypto libssl libtls; do
 		DLL=$(basename `ls -1 $DIST/$ARCHDIR/$i*.dll`|cut -d. -f1)

gen-openbsd-tags.sh

@@ -1,20 +0,0 @@
-#!/bin/sh
-set -e
-
-for tag in `git tag`; do
-	branch=master
-	if [[ $tag = v2.0* ]]; then
-		branch=OPENBSD_5_6
-	elif [[ $tag = v2.1* ]]; then
-		branch=OPENBSD_5_7
-	elif [[ $tag = v2.2* ]]; then
-		branch=OPENBSD_5_8
-	elif [[ $tag = v2.3* ]]; then
-		branch=OPENBSD_5_9
-	fi
-	# adjust for 9 hour timezone delta between trees
-	release_ts=$((`git show -s --format=%ct $tag|tail -n1` + 32400))
-	commit=`git -C openbsd rev-list -n 1 --before=$release_ts $branch`
-	git -C openbsd tag -f libressl-$tag $commit
-	echo Tagged $tag as $commit in openbsd
-done

include/Makefile.am

@@ -10,7 +10,6 @@ noinst_HEADERS += compat/dirent_msvc.h
 noinst_HEADERS += compat/err.h
 noinst_HEADERS += compat/netdb.h
 noinst_HEADERS += compat/poll.h
-noinst_HEADERS += compat/readpassphrase.h
 noinst_HEADERS += compat/stdio.h
 noinst_HEADERS += compat/stdlib.h
 noinst_HEADERS += compat/string.h
@@ -24,7 +23,6 @@ noinst_HEADERS += compat/arpa/nameser.h
 noinst_HEADERS += compat/machine/endian.h
 
 noinst_HEADERS += compat/netinet/in.h
-noinst_HEADERS += compat/netinet/ip.h
 noinst_HEADERS += compat/netinet/tcp.h
 
 noinst_HEADERS += compat/sys/cdefs.h
@@ -32,8 +30,8 @@ noinst_HEADERS += compat/sys/ioctl.h
 noinst_HEADERS += compat/sys/mman.h
 noinst_HEADERS += compat/sys/param.h
 noinst_HEADERS += compat/sys/select.h
-noinst_HEADERS += compat/sys/socket.h
 noinst_HEADERS += compat/sys/stat.h
+noinst_HEADERS += compat/sys/socket.h
 noinst_HEADERS += compat/sys/time.h
 noinst_HEADERS += compat/sys/types.h
 noinst_HEADERS += compat/sys/uio.h

include/compat/netinet/ip.h

@@ -1,43 +0,0 @@
-/*
- * Public domain
- * netinet/ip.h compatibility shim
- */
-
-#ifndef _WIN32
-#include_next <netinet/ip.h>
-#else
-#include <win32netcompat.h>
-#endif
-
-/*
- * Definitions for DiffServ Codepoints as per RFC2474
- */
-#ifndef IPTOS_DSCP_CS0
-#define	IPTOS_DSCP_CS0		0x00
-#define	IPTOS_DSCP_CS1		0x20
-#define	IPTOS_DSCP_CS2		0x40
-#define	IPTOS_DSCP_CS3		0x60
-#define	IPTOS_DSCP_CS4		0x80
-#define	IPTOS_DSCP_CS5		0xa0
-#define	IPTOS_DSCP_CS6		0xc0
-#define	IPTOS_DSCP_CS7		0xe0
-#endif
-
-#ifndef IPTOS_DSCP_AF11
-#define	IPTOS_DSCP_AF11		0x28
-#define	IPTOS_DSCP_AF12		0x30
-#define	IPTOS_DSCP_AF13		0x38
-#define	IPTOS_DSCP_AF21		0x48
-#define	IPTOS_DSCP_AF22		0x50
-#define	IPTOS_DSCP_AF23		0x58
-#define	IPTOS_DSCP_AF31		0x68
-#define	IPTOS_DSCP_AF32		0x70
-#define	IPTOS_DSCP_AF33		0x78
-#define	IPTOS_DSCP_AF41		0x88
-#define	IPTOS_DSCP_AF42		0x90
-#define	IPTOS_DSCP_AF43		0x98
-#endif
-
-#ifndef IPTOS_DSCP_EF
-#define	IPTOS_DSCP_EF		0xb8
-#endif

include/compat/readpassphrase.h

@@ -1,48 +0,0 @@
-/*	$OpenBSD: readpassphrase.h,v 1.5 2003/06/17 21:56:23 millert Exp $	*/
-
-/*
- * Copyright (c) 2000, 2002 Todd C. Miller <Todd.Miller@courtesan.com>
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
- * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
- * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
- * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
- * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
- * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
- * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
- *
- * Sponsored in part by the Defense Advanced Research Projects
- * Agency (DARPA) and Air Force Research Laboratory, Air Force
- * Materiel Command, USAF, under agreement number F39502-99-1-0512.
- */
-
-#ifdef HAVE_READPASSPHRASE_H
-
-#include_next <readpassphrase.h>
-
-#else
-
-#ifndef _READPASSPHRASE_H_
-#define _READPASSPHRASE_H_
-
-#define RPP_ECHO_OFF    0x00		/* Turn off echo (default). */
-#define RPP_ECHO_ON     0x01		/* Leave echo on. */
-#define RPP_REQUIRE_TTY 0x02		/* Fail if there is no tty. */
-#define RPP_FORCELOWER  0x04		/* Force input to lower case. */
-#define RPP_FORCEUPPER  0x08		/* Force input to upper case. */
-#define RPP_SEVENBIT    0x10		/* Strip the high bit from input. */
-#define RPP_STDIN       0x20		/* Read from stdin, not /dev/tty */
-
-#include <sys/cdefs.h>
-
-__BEGIN_DECLS
-char * readpassphrase(const char *, char *, size_t, int);
-__END_DECLS
-
-#endif /* !_READPASSPHRASE_H_ */
-
-#endif

m4/check-libc.m4

@@ -1,15 +1,11 @@
 AC_DEFUN([CHECK_LIBC_COMPAT], [
-# Check for libc headers
-AC_CHECK_HEADERS([err.h readpassphrase.h])
 # Check for general libc functions
-AC_CHECK_FUNCS([accept4 asprintf inet_pton memmem poll readpassphrase reallocarray])
+AC_CHECK_FUNCS([asprintf inet_pton memmem poll reallocarray])
 AC_CHECK_FUNCS([strlcat strlcpy strndup strnlen strsep strtonum])
-AM_CONDITIONAL([HAVE_ACCEPT4], [test "x$ac_cv_func_accept4" = xyes])
 AM_CONDITIONAL([HAVE_ASPRINTF], [test "x$ac_cv_func_asprintf" = xyes])
 AM_CONDITIONAL([HAVE_INET_PTON], [test "x$ac_cv_func_inet_pton" = xyes])
 AM_CONDITIONAL([HAVE_MEMMEM], [test "x$ac_cv_func_memmem" = xyes])
 AM_CONDITIONAL([HAVE_POLL], [test "x$ac_cv_func_poll" = xyes])
-AM_CONDITIONAL([HAVE_READPASSPHRASE], [test "x$ac_cv_func_readpassphrase" = xyes])
 AM_CONDITIONAL([HAVE_REALLOCARRAY], [test "x$ac_cv_func_reallocarray" = xyes])
 AM_CONDITIONAL([HAVE_STRLCAT], [test "x$ac_cv_func_strlcat" = xyes])
 AM_CONDITIONAL([HAVE_STRLCPY], [test "x$ac_cv_func_strlcpy" = xyes])

m4/check-os-options.m4

@@ -15,10 +15,8 @@ case $host_os in
 		HOST_OS=cygwin
 		;;
 	*darwin*)
-		BUILD_NC=yes
 		HOST_OS=darwin
 		HOST_ABI=macosx
-		AC_SUBST([PROG_LDADD], ['-lresolv'])
 		;;
 	*freebsd*)
 		HOST_OS=freebsd
@@ -36,19 +34,15 @@ case $host_os in
 		AC_SUBST([PLATFORM_LDADD], ['-lpthread'])
 		;;
 	*linux*)
-		BUILD_NC=yes
 		HOST_OS=linux
 		HOST_ABI=elf
 		CPPFLAGS="$CPPFLAGS -D_DEFAULT_SOURCE -D_BSD_SOURCE -D_POSIX_SOURCE -D_GNU_SOURCE"
-		AC_SUBST([PROG_LDADD], ['-lresolv'])
 		;;
 	*netbsd*)
 		HOST_OS=netbsd
 		CPPFLAGS="$CPPFLAGS -D_OPENBSD_SOURCE"
 		;;
 	*openbsd* | *bitrig*)
-		BUILD_NC=yes
-		HOST_OS=openbsd
 		HOST_ABI=elf
 		AC_DEFINE([HAVE_ATTRIBUTE__BOUNDED__], [1], [OpenBSD gcc has bounded])
 		;;
@@ -71,7 +65,6 @@ case $host_os in
 	*) ;;
 esac
 
-AM_CONDITIONAL([BUILD_NC],     [test x$BUILD_NC = xyes])
 AM_CONDITIONAL([HOST_AIX],     [test x$HOST_OS = xaix])
 AM_CONDITIONAL([HOST_CYGWIN],  [test x$HOST_OS = xcygwin])
 AM_CONDITIONAL([HOST_DARWIN],  [test x$HOST_OS = xdarwin])
@@ -79,7 +72,6 @@ AM_CONDITIONAL([HOST_FREEBSD], [test x$HOST_OS = xfreebsd])
 AM_CONDITIONAL([HOST_HPUX],    [test x$HOST_OS = xhpux])
 AM_CONDITIONAL([HOST_LINUX],   [test x$HOST_OS = xlinux])
 AM_CONDITIONAL([HOST_NETBSD],  [test x$HOST_OS = xnetbsd])
-AM_CONDITIONAL([HOST_OPENBSD], [test x$HOST_OS = xopenbsd])
 AM_CONDITIONAL([HOST_SOLARIS], [test x$HOST_OS = xsolaris])
 AM_CONDITIONAL([HOST_WIN],     [test x$HOST_OS = xwin])
 ])

man/links

@@ -446,6 +446,7 @@ EVP_DigestInit.3,EVP_md2.3
 EVP_DigestInit.3,EVP_md5.3
 EVP_DigestInit.3,EVP_md_null.3
 EVP_DigestInit.3,EVP_ripemd160.3
+EVP_DigestInit.3,EVP_sha.3
 EVP_DigestInit.3,EVP_sha1.3
 EVP_DigestInit.3,EVP_sha224.3
 EVP_DigestInit.3,EVP_sha256.3
@@ -1103,11 +1104,8 @@ tls_init.3,tls_config_clear_keys.3
 tls_init.3,tls_config_free.3
 tls_init.3,tls_config_insecure_noverifycert.3
 tls_init.3,tls_config_insecure_noverifyname.3
-tls_init.3,tls_config_insecure_noverifytime.3
 tls_init.3,tls_config_new.3
 tls_init.3,tls_config_parse_protocols.3
-tls_init.3,tls_config_prefer_ciphers_client.3
-tls_init.3,tls_config_prefer_ciphers_server.3
 tls_init.3,tls_config_set_ca_file.3
 tls_init.3,tls_config_set_ca_mem.3
 tls_init.3,tls_config_set_ca_path.3
@@ -1121,24 +1119,14 @@ tls_init.3,tls_config_set_key_mem.3
 tls_init.3,tls_config_set_protocols.3
 tls_init.3,tls_config_set_verify_depth.3
 tls_init.3,tls_config_verify.3
-tls_init.3,tls_config_verify_client.3
-tls_init.3,tls_config_verify_client_optional.3
 tls_init.3,tls_configure.3
-tls_init.3,tls_conn_cipher.3
-tls_init.3,tls_conn_version.3
 tls_init.3,tls_connect.3
 tls_init.3,tls_connect_fds.3
 tls_init.3,tls_connect_servername.3
 tls_init.3,tls_connect_socket.3
 tls_init.3,tls_error.3
 tls_init.3,tls_free.3
-tls_init.3,tls_handshake.3
 tls_init.3,tls_load_file.3
-tls_init.3,tls_peer_cert_contains_name.3
-tls_init.3,tls_peer_cert_hash.3
-tls_init.3,tls_peer_cert_issuer.3
-tls_init.3,tls_peer_cert_provided.3
-tls_init.3,tls_peer_cert_subject.3
 tls_init.3,tls_read.3
 tls_init.3,tls_reset.3
 tls_init.3,tls_server.3

man/update_links.sh

@@ -3,7 +3,7 @@
 # Run this periodically to ensure that the manpage links are up to date
 
 echo "# This is an auto-generated file by $0" > links
-doas makewhatis
+sudo makewhatis
 for i in `ls -1 *.3`; do
   name=`echo $i|cut -d. -f1`
   links=`sqlite3 /usr/share/man/mandoc.db \

patches/arc4random.c.patch

@@ -0,0 +1,15 @@
+--- crypto/compat/arc4random.c.orig	2015-07-20 07:41:17.000000000 -0600
++++ crypto/compat/arc4random.c	2015-07-20 07:41:58.000000000 -0600
+@@ -36,8 +36,11 @@
+ #define KEYSTREAM_ONLY
+ #include "chacha_private.h"
+ 
++#ifndef min
+ #define min(a, b) ((a) < (b) ? (a) : (b))
+-#ifdef __GNUC__
++#endif
++
++#if defined(__GNUC__) || defined(_MSC_VER)
+ #define inline __inline
+ #else				/* !__GNUC__ */
+ #define inline

patches/netcat.c.patch

@@ -1,155 +0,0 @@
---- apps/nc/netcat.c.orig	Sun Sep 13 08:12:39 2015
-+++ apps/nc/netcat.c	Sun Sep 13 19:15:13 2015
-@@ -98,9 +98,13 @@
- int	Dflag;					/* sodebug */
- int	Iflag;					/* TCP receive buffer size */
- int	Oflag;					/* TCP send buffer size */
-+#ifdef TCP_MD5SIG
- int	Sflag;					/* TCP MD5 signature option */
-+#endif
- int	Tflag = -1;				/* IP Type of Service */
-+#ifdef SO_RTABLE
- int	rtableid = -1;
-+#endif
- 
- int	usetls;					/* use TLS */
- char    *Cflag;					/* Public cert file */
-@@ -150,7 +154,7 @@
- 	struct servent *sv;
- 	socklen_t len;
- 	struct sockaddr_storage cliaddr;
--	char *proxy;
-+	char *proxy = NULL;
- 	const char *errstr, *proxyhost = "", *proxyport = NULL;
- 	struct addrinfo proxyhints;
- 	char unix_dg_tmp_socket_buf[UNIX_DG_TMP_SOCKET_SIZE];
-@@ -251,12 +255,14 @@
- 		case 'u':
- 			uflag = 1;
- 			break;
-+#ifdef SO_RTABLE
- 		case 'V':
- 			rtableid = (int)strtonum(optarg, 0,
- 			    RT_TABLEID_MAX, &errstr);
- 			if (errstr)
- 				errx(1, "rtable %s: %s", errstr, optarg);
- 			break;
-+#endif
- 		case 'v':
- 			vflag = 1;
- 			break;
-@@ -289,9 +295,11 @@
- 				errx(1, "TCP send window %s: %s",
- 				    errstr, optarg);
- 			break;
-+#ifdef TCP_MD5SIG
- 		case 'S':
- 			Sflag = 1;
- 			break;
-+#endif
- 		case 'T':
- 			errstr = NULL;
- 			errno = 0;
-@@ -776,7 +784,10 @@
- remote_connect(const char *host, const char *port, struct addrinfo hints)
- {
- 	struct addrinfo *res, *res0;
--	int s, error, on = 1;
-+	int s, error;
-+#ifdef SO_BINDANY
-+	int on = 1;
-+#endif
- 
- 	if ((error = getaddrinfo(host, port, &hints, &res)))
- 		errx(1, "getaddrinfo: %s", gai_strerror(error));
-@@ -787,16 +798,20 @@
- 		    SOCK_NONBLOCK, res0->ai_protocol)) < 0)
- 			continue;
- 
-+#ifdef SO_RTABLE
- 		if (rtableid >= 0 && (setsockopt(s, SOL_SOCKET, SO_RTABLE,
- 		    &rtableid, sizeof(rtableid)) == -1))
- 			err(1, "setsockopt SO_RTABLE");
-+#endif
- 
- 		/* Bind to a local port or source address if specified. */
- 		if (sflag || pflag) {
- 			struct addrinfo ahints, *ares;
- 
-+#ifdef SO_BINDANY
- 			/* try SO_BINDANY, but don't insist */
- 			setsockopt(s, SOL_SOCKET, SO_BINDANY, &on, sizeof(on));
-+#endif
- 			memset(&ahints, 0, sizeof(struct addrinfo));
- 			ahints.ai_family = res0->ai_family;
- 			ahints.ai_socktype = uflag ? SOCK_DGRAM : SOCK_STREAM;
-@@ -865,7 +880,10 @@
- local_listen(char *host, char *port, struct addrinfo hints)
- {
- 	struct addrinfo *res, *res0;
--	int s, ret, x = 1;
-+	int s;
-+#ifdef SO_REUSEPORT
-+	int ret, x = 1;
-+#endif
- 	int error;
- 
- 	/* Allow nodename to be null. */
-@@ -887,13 +905,17 @@
- 		    res0->ai_protocol)) < 0)
- 			continue;
- 
-+#ifdef SO_RTABLE
- 		if (rtableid >= 0 && (setsockopt(s, SOL_SOCKET, SO_RTABLE,
- 		    &rtableid, sizeof(rtableid)) == -1))
- 			err(1, "setsockopt SO_RTABLE");
-+#endif
- 
-+#ifdef SO_REUSEPORT
- 		ret = setsockopt(s, SOL_SOCKET, SO_REUSEPORT, &x, sizeof(x));
- 		if (ret == -1)
- 			err(1, NULL);
-+#endif
- 
- 		set_common_sockopts(s, res0->ai_family);
- 
-@@ -1337,11 +1359,13 @@
- {
- 	int x = 1;
- 
-+#ifdef TCP_MD5SIG
- 	if (Sflag) {
- 		if (setsockopt(s, IPPROTO_TCP, TCP_MD5SIG,
- 			&x, sizeof(x)) == -1)
- 			err(1, NULL);
- 	}
-+#endif
- 	if (Dflag) {
- 		if (setsockopt(s, SOL_SOCKET, SO_DEBUG,
- 			&x, sizeof(x)) == -1)
-@@ -1516,15 +1540,19 @@
- 	\t-P proxyuser\tUsername for proxy authentication\n\
- 	\t-p port\t	Specify local port for remote connects\n\
- 	\t-R CAfile	CA bundle\n\
--	\t-r		Randomize remote ports\n\
--	\t-S		Enable the TCP MD5 signature option\n\
--	\t-s source	Local source address\n\
-+	\t-r		Randomize remote ports\n"
-+#ifdef TCP_MD5SIG
-+	"\t-S		Enable the TCP MD5 signature option\n"
-+#endif
-+	"\t-s source	Local source address\n\
- 	\t-T keyword	TOS value or TLS options\n\
- 	\t-t		Answer TELNET negotiation\n\
- 	\t-U		Use UNIX domain socket\n\
--	\t-u		UDP mode\n\
--	\t-V rtable	Specify alternate routing table\n\
--	\t-v		Verbose\n\
-+	\t-u		UDP mode\n"
-+#ifdef SO_RTABLE
-+	"\t-V rtable	Specify alternate routing table\n"
-+#endif
-+	"\t-v		Verbose\n\
- 	\t-w timeout	Timeout for connects and final net reads\n\
- 	\t-X proto	Proxy protocol: \"4\", \"5\" (SOCKS) or \"connect\"\n\
- 	\t-x addr[:port]\tSpecify proxy address and port\n\

patches/openssl.c.patch

@@ -1,6 +1,26 @@
---- apps/openssl/openssl.c.orig	Sun Sep 13 09:11:31 2015
+--- apps/openssl.c.orig	2015-07-20 02:01:42.000000000 -0600
-+++ apps/openssl/openssl.c	Sun Sep 13 09:10:02 2015
++++ apps/openssl.c	2015-07-20 02:02:00.000000000 -0600
-@@ -399,7 +399,9 @@
+@@ -130,6 +130,19 @@
+ #include <openssl/engine.h>
+ #endif
+
++#ifdef _WIN32
++#include <io.h>
++#include <fcntl.h>
++static void set_stdio_binary(void)
++{
++	_setmode(_fileno(stdin), _O_BINARY);
++	_setmode(_fileno(stdout), _O_BINARY);
++	_setmode(_fileno(stderr), _O_BINARY);
++}
++#else
++static void set_stdio_binary(void) {};
++#endif
++
+ #include "progs.h"
+ #include "s_apps.h"
+
+@@ -204,7 +216,9 @@
  static void
  openssl_startup(void)
  {
@@ -8,5 +28,13 @@
  	signal(SIGPIPE, SIG_IGN);
 +#endif
 
+ 	CRYPTO_malloc_init();
  	OpenSSL_add_all_algorithms();
- 	SSL_library_init();
+@@ -216,6 +230,7 @@
+ #endif
+
+ 	setup_ui_method();
++	set_stdio_binary();
+ }
+
+ static void

patches/opensslconf.h.patch

@@ -0,0 +1,13 @@
+--- include/openssl/opensslconf.h.orig	2015-07-19 23:21:47.000000000 -0600
++++ include/openssl/opensslconf.h	2015-07-19 23:21:17.000000000 -0600
+@@ -1,6 +1,10 @@
+ #include <openssl/opensslfeatures.h>
+ /* crypto/opensslconf.h.in */
+
++#if defined(_MSC_VER) && !defined(__attribute__)
++#define __attribute__(a)
++#endif
++
+ /* Generate 80386 code? */
+ #undef I386_ONLY
+

patches/ossl_typ.h.patch

@@ -0,0 +1,25 @@
+--- include/openssl/ossl_typ.h.orig	2015-07-06 13:21:18.788571423 -0700
++++ include/openssl/ossl_typ.h	2015-07-06 13:24:14.906468003 -0700
+@@ -100,6 +100,22 @@
+ typedef struct ASN1_ITEM_st ASN1_ITEM;
+ typedef struct asn1_pctx_st ASN1_PCTX;
+
++#if defined(_WIN32) && defined(__WINCRYPT_H__)
++#ifndef LIBRESSL_INTERNAL
++#ifdef _MSC_VER
++#pragma message("Warning, overriding WinCrypt defines")
++#else
++#warning overriding WinCrypt defines
++#endif
++#endif
++#undef X509_NAME
++#undef X509_CERT_PAIR
++#undef X509_EXTENSIONS
++#undef OCSP_REQUEST
++#undef OCSP_RESPONSE
++#undef PKCS7_ISSUER_AND_SERIAL
++#endif
++
+ #ifdef BIGNUM
+ #undef BIGNUM
+ #endif

patches/pkcs7.h.patch

@@ -0,0 +1,21 @@
+--- include/openssl/pkcs7.h.orig	2015-07-06 13:26:27.369203527 -0700
++++ include/openssl/pkcs7.h	2015-07-06 13:27:37.637051967 -0700
+@@ -69,6 +69,18 @@
+ extern "C" {
+ #endif
+
++#if defined(_WIN32) && defined(__WINCRYPT_H__)
++#ifndef LIBRESSL_INTERNAL
++#ifdef _MSC_VER
++#pragma message("Warning, overriding WinCrypt defines")
++#else
++#warning overriding WinCrypt defines
++#endif
++#endif
++#undef PKCS7_ISSUER_AND_SERIAL
++#undef PKCS7_SIGNER_INFO
++#endif
++
+ /*
+ Encryption_ID		DES-CBC
+ Digest_ID		MD5

patches/windows_headers.patch

@@ -1,100 +0,0 @@
-diff -urN include/openssl.orig/dtls1.h include/openssl/dtls1.h
---- include/openssl.orig/dtls1.h	Mon Sep 21 21:45:45 2015
-+++ include/openssl/dtls1.h	Mon Sep 21 21:58:56 2015
-@@ -60,7 +60,11 @@
- #ifndef HEADER_DTLS1_H
- #define HEADER_DTLS1_H
- 
-+#if defined(_WIN32)
-+#include <winsock2.h>
-+#else
- #include <sys/time.h>
-+#endif
- 
- #include <stdio.h>
- #include <stdlib.h>
-diff -urN include/openssl.orig/opensslconf.h include/openssl/opensslconf.h
---- include/openssl.orig/opensslconf.h	Mon Sep 21 21:45:45 2015
-+++ include/openssl/opensslconf.h	Mon Sep 21 21:56:13 2015
-@@ -1,6 +1,10 @@
- #include <openssl/opensslfeatures.h>
- /* crypto/opensslconf.h.in */
- 
-+#if defined(_MSC_VER) && !defined(__attribute__)
-+#define __attribute__(a)
-+#endif
-+
- /* Generate 80386 code? */
- #undef I386_ONLY
- 
-diff -urN include/openssl.orig/ossl_typ.h include/openssl/ossl_typ.h
---- include/openssl.orig/ossl_typ.h	Mon Sep 21 21:45:45 2015
-+++ include/openssl/ossl_typ.h	Mon Sep 21 21:56:22 2015
-@@ -100,6 +100,22 @@
- typedef struct ASN1_ITEM_st ASN1_ITEM;
- typedef struct asn1_pctx_st ASN1_PCTX;
- 
-+#if defined(_WIN32) && defined(__WINCRYPT_H__)
-+#ifndef LIBRESSL_INTERNAL
-+#ifdef _MSC_VER
-+#pragma message("Warning, overriding WinCrypt defines")
-+#else
-+#warning overriding WinCrypt defines
-+#endif
-+#endif
-+#undef X509_NAME
-+#undef X509_CERT_PAIR
-+#undef X509_EXTENSIONS
-+#undef OCSP_REQUEST
-+#undef OCSP_RESPONSE
-+#undef PKCS7_ISSUER_AND_SERIAL
-+#endif
-+
- #ifdef BIGNUM
- #undef BIGNUM
- #endif
-diff -urN include/openssl.orig/pkcs7.h include/openssl/pkcs7.h
---- include/openssl.orig/pkcs7.h	Mon Sep 21 21:45:45 2015
-+++ include/openssl/pkcs7.h	Mon Sep 21 21:56:29 2015
-@@ -69,6 +69,18 @@
- extern "C" {
- #endif
- 
-+#if defined(_WIN32) && defined(__WINCRYPT_H__)
-+#ifndef LIBRESSL_INTERNAL
-+#ifdef _MSC_VER
-+#pragma message("Warning, overriding WinCrypt defines")
-+#else
-+#warning overriding WinCrypt defines
-+#endif
-+#endif
-+#undef PKCS7_ISSUER_AND_SERIAL
-+#undef PKCS7_SIGNER_INFO
-+#endif
-+
- /*
- Encryption_ID		DES-CBC
- Digest_ID		MD5
-diff -urN include/openssl.orig/x509.h include/openssl/x509.h
---- include/openssl.orig/x509.h	Mon Sep 21 21:45:45 2015
-+++ include/openssl/x509.h	Mon Sep 21 21:56:35 2015
-@@ -112,6 +112,19 @@
- extern "C" {
- #endif
- 
-+#if defined(_WIN32)
-+#ifndef LIBRESSL_INTERNAL
-+#ifdef _MSC_VER
-+#pragma message("Warning, overriding WinCrypt defines")
-+#else
-+#warning overriding WinCrypt defines
-+#endif
-+#endif
-+#undef X509_NAME
-+#undef X509_CERT_PAIR
-+#undef X509_EXTENSIONS
-+#endif
-+
- #define X509_FILETYPE_PEM	1
- #define X509_FILETYPE_ASN1	2
- #define X509_FILETYPE_DEFAULT	3

patches/x509.h.patch

@@ -0,0 +1,22 @@
+--- include/openssl/x509.h.orig	2015-07-06 13:15:15.059306046 -0700
++++ include/openssl/x509.h	2015-07-06 13:16:10.506118278 -0700
+@@ -112,6 +112,19 @@
+ extern "C" {
+ #endif
+
++#if defined(_WIN32)
++#ifndef LIBRESSL_INTERNAL
++#ifdef _MSC_VER
++#pragma message("Warning, overriding WinCrypt defines")
++#else
++#warning overriding WinCrypt defines
++#endif
++#endif
++#undef X509_NAME
++#undef X509_CERT_PAIR
++#undef X509_EXTENSIONS
++#endif
++
+ #define X509_FILETYPE_PEM	1
+ #define X509_FILETYPE_ASN1	2
+ #define X509_FILETYPE_DEFAULT	3

scripts/travis

@@ -6,7 +6,7 @@ set -e
 if [ "x$ARCH" = "xnative" ]; then
 	# test autotools
 	./configure
-	make -j 4 distcheck
+	make -j 4 check
 
 	# make distribution
 	make dist
@@ -19,7 +19,6 @@ if [ "x$ARCH" = "xnative" ]; then
 	if [ `uname` = "Darwin" ]; then
 		cmake ..
 		make
-		make test
 	else
 		sudo apt-get update
 		sudo apt-get install -y python-software-properties
@@ -28,7 +27,6 @@ if [ "x$ARCH" = "xnative" ]; then
 		sudo apt-get install -y cmake ninja-build
 		cmake -GNinja ..
 		ninja
-		ninja test
 	fi
 else
 	CPU=i686

ssl/CMakeLists.txt

@@ -21,12 +21,15 @@ set(
 	pqueue.c
 	s23_clnt.c
 	s23_lib.c
+	s23_meth.c
 	s23_pkt.c
 	s23_srvr.c
 	s3_both.c
 	s3_cbc.c
 	s3_clnt.c
+	s3_enc.c
 	s3_lib.c
+	s3_meth.c
 	s3_pkt.c
 	s3_srvr.c
 	ssl_algs.c

ssl/Makefile.am

@@ -23,12 +23,15 @@ libssl_la_SOURCES += d1_srvr.c
 libssl_la_SOURCES += pqueue.c
 libssl_la_SOURCES += s23_clnt.c
 libssl_la_SOURCES += s23_lib.c
+libssl_la_SOURCES += s23_meth.c
 libssl_la_SOURCES += s23_pkt.c
 libssl_la_SOURCES += s23_srvr.c
 libssl_la_SOURCES += s3_both.c
 libssl_la_SOURCES += s3_cbc.c
 libssl_la_SOURCES += s3_clnt.c
+libssl_la_SOURCES += s3_enc.c
 libssl_la_SOURCES += s3_lib.c
+libssl_la_SOURCES += s3_meth.c
 libssl_la_SOURCES += s3_pkt.c
 libssl_la_SOURCES += s3_srvr.c
 libssl_la_SOURCES += ssl_algs.c

tests/CMakeLists.txt

@@ -5,8 +5,7 @@ include_directories(
 	../crypto/modes
 	../crypto/asn1
 	../ssl
-	../apps/openssl
+	../apps
-	../apps/openssl/compat
 )
 
 set(ENV{srcdir} ${CMAKE_CURRENT_SOURCE_DIR})
@@ -76,11 +75,6 @@ add_executable(cipherstest cipherstest.c)
 target_link_libraries(cipherstest ${OPENSSL_LIBS})
 add_test(cipherstest cipherstest)
 
-# clienttest
-add_executable(clienttest clienttest.c)
-target_link_libraries(clienttest ${OPENSSL_LIBS})
-add_test(clienttest clienttest)
-
 # cts128test
 add_executable(cts128test cts128test.c)
 target_link_libraries(cts128test ${OPENSSL_LIBS})
@@ -242,6 +236,11 @@ add_executable(sha512test sha512test.c)
 target_link_libraries(sha512test ${OPENSSL_LIBS})
 add_test(sha512test sha512test)
 
+# shatest
+add_executable(shatest shatest.c)
+target_link_libraries(shatest ${OPENSSL_LIBS})
+add_test(shatest shatest)
+
 # ssltest
 #add_executable(ssltest ssltest.c)
 #target_link_libraries(ssltest ${OPENSSL_LIBS})
@@ -265,8 +264,3 @@ add_test(timingsafe timingsafe)
 add_executable(utf8test utf8test.c)
 target_link_libraries(utf8test ${OPENSSL_LIBS})
 add_test(utf8test utf8test)
-
-# verifytest
-add_executable(verifytest verifytest.c)
-target_link_libraries(verifytest tls ${OPENSSL_LIBS})
-add_test(verifytest verifytest)

tests/Makefile.am

@@ -3,13 +3,11 @@ include $(top_srcdir)/Makefile.am.common
 AM_CPPFLAGS += -I $(top_srcdir)/crypto/modes
 AM_CPPFLAGS += -I $(top_srcdir)/crypto/asn1
 AM_CPPFLAGS += -I $(top_srcdir)/ssl
-AM_CPPFLAGS += -I $(top_srcdir)/apps/openssl
+AM_CPPFLAGS += -I $(top_srcdir)/apps
-AM_CPPFLAGS += -I $(top_srcdir)/apps/openssl/compat
 
 LDADD = $(PLATFORM_LDADD) $(PROG_LDADD)
 LDADD += $(top_builddir)/ssl/libssl.la
 LDADD += $(top_builddir)/crypto/libcrypto.la
-LDADD += $(top_builddir)/tls/libtls.la
 
 TESTS =
 check_PROGRAMS =
@@ -91,11 +89,6 @@ TESTS += cipherstest
 check_PROGRAMS += cipherstest
 cipherstest_SOURCES = cipherstest.c
 
-# clienttest
-TESTS += clienttest
-check_PROGRAMS += clienttest
-clienttest_SOURCES = clienttest.c
-
 # cts128test
 TESTS += cts128test
 check_PROGRAMS += cts128test
@@ -215,10 +208,9 @@ pbkdf2_SOURCES = pbkdf2.c
 # pidwraptest relies on an OS-specific way to give out pids and is generally
 # awkward on systems with slow fork
 if ENABLE_EXTRATESTS
-TESTS += pidwraptest.sh
+TESTS += pidwraptest
 check_PROGRAMS += pidwraptest
 pidwraptest_SOURCES = pidwraptest.c
-EXTRA_DIST += pidwraptest.sh
 endif
 
 # pkcs7test
@@ -273,6 +265,11 @@ TESTS += sha512test
 check_PROGRAMS += sha512test
 sha512test_SOURCES = sha512test.c
 
+# shatest
+TESTS += shatest
+check_PROGRAMS += shatest
+shatest_SOURCES = shatest.c
+
 # ssltest
 TESTS += ssltest.sh
 check_PROGRAMS += ssltest
@@ -303,7 +300,3 @@ TESTS += utf8test
 check_PROGRAMS += utf8test
 utf8test_SOURCES = utf8test.c
 
-# verifytest
-TESTS += verifytest
-check_PROGRAMS += verifytest
-verifytest_SOURCES = verifytest.c

tests/ssltest.sh

@@ -6,9 +6,9 @@ if [ -e ./ssltest.exe ]; then
 	ssltest_bin=./ssltest.exe
 fi
 
-openssl_bin=../apps/openssl/openssl
+openssl_bin=../apps/openssl
-if [ -e ../apps/openssl/openssl.exe ]; then
+if [ -e ../apps/openssl.exe ]; then
-	openssl_bin=../apps/openssl/openssl.exe
+	openssl_bin=../apps/openssl.exe
 fi
 
 if [ -z $srcdir ]; then

tests/testdsa.sh

@@ -4,9 +4,9 @@
 
 #Test DSA certificate generation of openssl
 
-cmd=../apps/openssl/openssl
+cmd=../apps/openssl
-if [ -e ../apps/openssl/openssl.exe ]; then
+if [ -e ../apps/openssl.exe ]; then
-	cmd=../apps/openssl/openssl.exe
+	cmd=../apps/openssl.exe
 fi
 
 if [ -z $srcdir ]; then

tests/testenc.sh

@@ -2,9 +2,9 @@
 #	$OpenBSD: testenc.sh,v 1.1 2014/08/26 17:50:07 jsing Exp $
 
 test=p
-cmd=../apps/openssl/openssl
+cmd=../apps/openssl
-if [ -e ../apps/openssl/openssl.exe ]; then
+if [ -e ../apps/openssl.exe ]; then
-	cmd=../apps/openssl/openssl.exe
+	cmd=../apps/openssl.exe
 fi
 
 cat openssl.cnf >$test;

tests/testrsa.sh

@@ -4,9 +4,9 @@
 
 #Test RSA certificate generation of openssl
 
-cmd=../apps/openssl/openssl
+cmd=../apps/openssl
-if [ -e ../apps/openssl/openssl.exe ]; then
+if [ -e ../apps/openssl.exe ]; then
-	cmd=../apps/openssl/openssl.exe
+	cmd=../apps/openssl.exe
 fi
 
 if [ -z $srcdir ]; then

tls/CMakeLists.txt

@@ -9,9 +9,7 @@ set(
 	tls.c
 	tls_client.c
 	tls_config.c
-	tls_conninfo.c
 	tls_server.c
-	tls_peer.c
 	tls_util.c
 	tls_verify.c
 )

tls/Makefile.am

@@ -11,9 +11,7 @@ libtls_la_LIBADD = ../crypto/libcrypto.la ../ssl/libssl.la $(PLATFORM_LDADD)
 libtls_la_SOURCES = tls.c
 libtls_la_SOURCES += tls_client.c
 libtls_la_SOURCES += tls_config.c
-libtls_la_SOURCES += tls_conninfo.c
 libtls_la_SOURCES += tls_server.c
-libtls_la_SOURCES += tls_peer.c
 libtls_la_SOURCES += tls_util.c
 libtls_la_SOURCES += tls_verify.c
 noinst_HEADERS = tls_internal.h

update.sh

@@ -25,8 +25,7 @@ libcrypto_regress=$CWD/openbsd/src/regress/lib/libcrypto
 libssl_src=$CWD/openbsd/src/lib/libssl
 libssl_regress=$CWD/openbsd/src/regress/lib/libssl
 libtls_src=$CWD/openbsd/src/lib/libtls
-libtls_regress=$CWD/openbsd/src/regress/lib/libtls
+openssl_app_src=$CWD/openbsd/src/usr.bin/openssl
-app_src=$CWD/openbsd/src/usr.bin
 
 # load library versions
 . $libcrypto_src/crypto/shlib_version
@@ -53,26 +52,21 @@ do_mv() {
 		rm -f "$1"
 	fi
 }
-MV='do_mv'
-
-do_cp_libc() {
-	sed "/DEF_WEAK/d" < "$1" > "$2"/`basename "$1"`
-}
-CP_LIBC='do_cp_libc'
-
 CP='cp -p'
+MV='do_mv'
 
 $CP $libssl_src/src/LICENSE COPYING
 
 $CP $libcrypto_src/crypto/arch/amd64/opensslconf.h include/openssl
 $CP $libssl_src/src/crypto/opensslfeatures.h include/openssl
+$CP $libssl_src/src/e_os2.h include/openssl
 $CP $libssl_src/src/ssl/pqueue.h include
 
 $CP $libtls_src/tls.h include
 $CP $libtls_src/tls.h libtls-standalone/include
 
 for i in crypto/compat libtls-standalone/compat; do
-	for j in $libc_src/crypt/arc4random.c \
+	$CP $libc_src/crypt/arc4random.c \
 	    $libc_src/crypt/chacha_private.h \
 	    $libc_src/string/explicit_bzero.c \
 	    $libc_src/stdlib/reallocarray.c \
@@ -84,9 +78,8 @@ for i in crypto/compat libtls-standalone/compat; do
 	    $libc_src/string/timingsafe_bcmp.c \
 	    $libc_src/string/timingsafe_memcmp.c \
 	    $libcrypto_src/crypto/getentropy_*.c \
-	    $libcrypto_src/crypto/arc4random_*.h; do
+	    $libcrypto_src/crypto/arc4random_*.h \
-		$CP_LIBC $j $i
+	    $i
-	done
 done
 
 $CP include/compat/stdlib.h \
@@ -198,10 +191,8 @@ for i in `awk '/SOURCES|HEADERS/ { print $3 }' tls/Makefile.am` ; do
 		$CP $libtls_src/$i libtls-standalone/src
 	fi
 done
-
+$CP $libc_src/string/strsep.c tls
-$CP_LIBC $libc_src/string/strsep.c tls
+$CP $libc_src/string/strsep.c libtls-standalone/compat
-$CP_LIBC $libc_src/string/strsep.c libtls-standalone/compat
-
 mkdir -p libtls-standalone/m4
 $CP m4/check*.m4 \
 	m4/disable*.m4 \
@@ -209,28 +200,15 @@ $CP m4/check*.m4 \
 sed -e "s/compat\///" crypto/Makefile.am.arc4random > \
 	libtls-standalone/compat/Makefile.am.arc4random
 
-# copy nc(1) source
-echo "copying nc(1) source"
-$CP $app_src/nc/nc.1 apps/nc
-rm -f apps/nc/*.c apps/nc/*.h
-$CP_LIBC $libc_src/stdlib/strtonum.c apps/nc/compat
-for i in `awk '/SOURCES|HEADERS|MANS/ { print $3 }' apps/nc/Makefile.am` ; do
-	if [ -e $app_src/nc/$i ]; then
-		$CP $app_src/nc/$i apps/nc
-	fi
-done
-
 # copy openssl(1) source
 echo "copying openssl(1) source"
-$CP $app_src/openssl/openssl.1 apps/openssl
+$CP $libc_src/stdlib/strtonum.c apps
-rm -f apps/openssl/*.c apps/openssl/*.h
+$CP $libcrypto_src/cert.pem apps
-$CP_LIBC $libc_src/stdlib/strtonum.c apps/openssl/compat
+$CP $libcrypto_src/openssl.cnf apps
-$CP $libcrypto_src/cert.pem apps/openssl
+$CP $libcrypto_src/x509v3.cnf apps
-$CP $libcrypto_src/openssl.cnf apps/openssl
+for i in `awk '/SOURCES|HEADERS/ { print $3 }' apps/Makefile.am` ; do
-$CP $libcrypto_src/x509v3.cnf apps/openssl
+	if [ -e $openssl_app_src/$i ]; then
-for i in `awk '/SOURCES|HEADERS|MANS/ { print $3 }' apps/openssl/Makefile.am` ; do
+		$CP $openssl_app_src/$i apps
-	if [ -e $app_src/openssl/$i ]; then
-		$CP $app_src/openssl/$i apps/openssl
 	fi
 done
 
@@ -253,7 +231,7 @@ $CP $libcrypto_regress/pqueue/expected.txt tests/pq_expected.txt
 # copy libc tests
 $CP $libc_regress/arc4random-fork/arc4random-fork.c tests/arc4randomforktest.c
 $CP $libc_regress/explicit_bzero/explicit_bzero.c tests
-$CP_LIBC $libc_src/string/memmem.c tests
+$CP $libc_src/string/memmem.c tests
 $CP $libc_regress/timingsafe/timingsafe.c tests
 
 # copy libssl tests
@@ -265,11 +243,6 @@ $CP $libssl_regress/unit/tests.h tests
 $CP $libssl_regress/certs/ca.pem tests
 $CP $libssl_regress/certs/server.pem tests
 
-# copy libtls tests
-for i in `find $libtls_regress -name '*.c'`; do
-	 $CP "$i" tests
-done
-
 chmod 755 tests/testssl
 
 # add headers
@@ -300,7 +273,7 @@ add_man_links() {
 	done
 }
 
-# apply local patches
+# apply local patches (Windows support)
 for i in patches/*.patch; do
     patch -p0 < $i
 done
@@ -310,6 +283,9 @@ echo "copying manpages"
 echo EXTRA_DIST = CMakeLists.txt > man/Makefile.am
 echo dist_man_MANS = >> man/Makefile.am
 
+$CP $openssl_app_src/openssl.1 man
+echo "dist_man_MANS += openssl.1" >> man/Makefile.am
+
 $CP $libtls_src/tls_init.3 man
 echo "dist_man_MANS += tls_init.3" >> man/Makefile.am