update Changelog

- remove the CP_LIBC files from repo
- move tests/memmem.c to tests/compat/

.gitignore

@@ -39,6 +39,7 @@ Makefile.in
 *.la
 
 *.def
+*.sym
 *.pc
 
 # man pages
@@ -57,7 +58,9 @@ tests/explicit_bzero*
 tests/gost2814789t*
 tests/mont*
 tests/rfc5280time*
+tests/ssl_versions*
 tests/timingsafe*
+tests/tls_ext_alpn*
 tests/*test
 tests/tests.h
 tests/*test.c
@@ -114,10 +117,17 @@ include/pqueue.h
 include/tls.h
 include/openssl/*.h
 
+/apps/ocspcheck/*.h
+/apps/ocspcheck/*.c
+/apps/ocspcheck/ocspcheck*
+/apps/ocspcheck/compat/inet_ntop.c
+/apps/ocspcheck/compat/memmem.c
+
 /apps/nc/*.h
 /apps/nc/*.c
 /apps/nc/nc*
 !/apps/nc/readpassphrase.c
+
 /apps/openssl/*.h
 /apps/openssl/*.c
 /apps/openssl/*.cnf

.travis.yml

@@ -10,15 +10,23 @@ matrix:
     - compiler: clang
       os: linux
       env: ARCH=native
+      dist: trusty
+      sudo: required
     - compiler: gcc
       os: linux
       env: ARCH=native
+      dist: trusty
+      sudo: required
     - compiler: gcc
       os: linux
       env: ARCH=mingw32
+      dist: trusty
+      sudo: required
     - compiler: gcc
       os: linux
       env: ARCH=mingw64
+      dist: trusty
+      sudo: required
 
 script:
   "./scripts/travis"

CMakeLists.txt

@@ -1,27 +1,43 @@
-cmake_minimum_required (VERSION 2.8)
+cmake_minimum_required (VERSION 2.8.8)
 include(CheckFunctionExists)
 include(CheckLibraryExists)
 include(CheckIncludeFiles)
+include(CheckTypeSize)
 
-project (LibreSSL)
+set(CMAKE_MODULE_PATH "${CMAKE_SOURCE_DIR}" ${CMAKE_MODULE_PATH})
+include(cmake_export_symbol)
+
+project (LibreSSL C)
 
 enable_testing()
 
-file(READ ${CMAKE_SOURCE_DIR}/ssl/VERSION SSL_VERSION)
+file(READ ${CMAKE_CURRENT_SOURCE_DIR}/ssl/VERSION SSL_VERSION)
 string(STRIP ${SSL_VERSION} SSL_VERSION)
 string(REPLACE ":" "." SSL_VERSION ${SSL_VERSION})
 string(REGEX REPLACE "\\..*" "" SSL_MAJOR_VERSION ${SSL_VERSION})
 
-file(READ ${CMAKE_SOURCE_DIR}/crypto/VERSION CRYPTO_VERSION)
+file(READ ${CMAKE_CURRENT_SOURCE_DIR}/crypto/VERSION CRYPTO_VERSION)
 string(STRIP ${CRYPTO_VERSION} CRYPTO_VERSION)
 string(REPLACE ":" "." CRYPTO_VERSION ${CRYPTO_VERSION})
 string(REGEX REPLACE "\\..*" "" CRYPTO_MAJOR_VERSION ${CRYPTO_VERSION})
 
-file(READ ${CMAKE_SOURCE_DIR}/tls/VERSION TLS_VERSION)
+file(READ ${CMAKE_CURRENT_SOURCE_DIR}/tls/VERSION TLS_VERSION)
 string(STRIP ${TLS_VERSION} TLS_VERSION)
 string(REPLACE ":" "." TLS_VERSION ${TLS_VERSION})
 string(REGEX REPLACE "\\..*" "" TLS_MAJOR_VERSION ${TLS_VERSION})
 
+option(ENABLE_ASM "Enable assembly" ON)
+option(ENABLE_EXTRATESTS "Enable extra tests that may be unreliable on some platforms" OFF)
+option(ENABLE_NC "Enable installing TLS-enabled nc(1)" OFF)
+option(ENABLE_VSTEST "Enable test on Visual Studio" OFF)
+set(OPENSSLDIR ${OPENSSLDIR} CACHE PATH "Set the default openssl directory" FORCE)
+
+set(BUILD_NC true)
+
+if(CMAKE_SYSTEM_NAME MATCHES "Darwin")
+	add_definitions(-fno-common)
+endif()
+
 if(CMAKE_SYSTEM_NAME MATCHES "OpenBSD")
 	add_definitions(-DHAVE_ATTRIBUTE__BOUNDED__)
 endif()
@@ -33,9 +49,36 @@ if(CMAKE_SYSTEM_NAME MATCHES "Linux")
 	add_definitions(-D_GNU_SOURCE)
 endif()
 
+if(CMAKE_SYSTEM_NAME MATCHES "MINGW")
+	set(BUILD_NC false)
+endif()
+
+if(WIN32)
+	set(BUILD_NC false)
+endif()
+
+if(CMAKE_SYSTEM_NAME MATCHES "HP-UX")
+	if(CMAKE_C_COMPILER MATCHES "gcc")
+		set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -Wall -std=gnu99 -fno-strict-aliasing")
+		set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -mlp64")
+	else()
+		set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -g -O2 +DD64 +Otype_safety=off")
+	endif()
+	set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -D_XOPEN_SOURCE=600 -D__STRICT_ALIGNMENT")
+endif()
+
+if(CMAKE_SYSTEM_NAME MATCHES "SunOS")
+	set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -Wall -std=gnu99 -fno-strict-aliasing")
+	set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -D__EXTENSIONS__")
+	set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -D_XOPEN_SOURCE=600")
+	set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -DBSD_COMP")
+	set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -fpic -m64")
+endif()
+
 add_definitions(-DLIBRESSL_INTERNAL)
 add_definitions(-DOPENSSL_NO_HW_PADLOCK)
-add_definitions(-DOPENSSL_NO_ASM)
+add_definitions(-D__BEGIN_HIDDEN_DECLS=)
+add_definitions(-D__END_HIDDEN_DECLS=)
 
 set(CMAKE_POSITION_INDEPENDENT_CODE true)
 
@@ -43,15 +86,19 @@ if (CMAKE_COMPILER_IS_GNUCC OR CMAKE_C_COMPILER_ID MATCHES "Clang")
 	add_definitions(-Wno-pointer-sign)
 endif()
 
-if(MSVC)
+if(WIN32)
-	add_definitions(-Dinline=__inline)
 	add_definitions(-Drestrict)
 	add_definitions(-D_CRT_SECURE_NO_WARNINGS)
 	add_definitions(-D_CRT_DEPRECATED_NO_WARNINGS)
 	add_definitions(-D_REENTRANT -D_POSIX_THREAD_SAFE_FUNCTIONS)
 	add_definitions(-DWIN32_LEAN_AND_MEAN -D_WIN32_WINNT=0x0501)
 	add_definitions(-DCPPFLAGS -DOPENSSL_NO_SPEED -DNO_SYSLOG -DNO_CRYPT)
+endif()
 
+if(MSVC)
+	add_definitions(-Dinline=__inline)
+	message(STATUS "Using [${CMAKE_C_COMPILER_ID}] compiler")
+	if(CMAKE_C_COMPILER_ID MATCHES "MSVC")
 		set(MSVC_DISABLED_WARNINGS_LIST
 			"C4057" # C4057: 'initializing' : 'unsigned char *' differs in
 		        	# indirection to slightly different base types from 'char [2]'
@@ -61,14 +108,35 @@ if(MSVC)
 			        # possible loss of data
 			"C4244" # 'function' : conversion from 'int' to 'uint8_t',
 			        # possible loss of data
+			"C4267" # conversion from 'size_t' to 'some type that is almost
+				# certainly safe to convert a size_t to'.
 			"C4706" # assignment within conditional expression
 			"C4820" # 'bytes' bytes padding added after construct 'member_name'
 			"C4996" # 'read': The POSIX name for this item is deprecated. Instead,
 			        # use the ISO C++ conformant name: _read.
 		)
+	elseif(CMAKE_C_COMPILER_ID MATCHES "Intel")
+		add_definitions(-D_CRT_SUPPRESS_RESTRICT)
+		set(MSVC_DISABLED_WARNINGS_LIST
+			"C111"  # Unreachable statement
+			"C128"  # Unreachable loop
+			"C167"  # Unexplict casting unsigned to signed
+			"C186"  # Pointless comparison of unsigned int with zero
+			"C188"  # Enumerated type mixed with another type
+			"C344"  # Redeclared type
+			"C556"  # Unexplict casting signed to unsigned
+			"C869"  # Unreferenced parameters
+			"C1786" # Deprecated functions
+			"C2545" # Empty else statement
+			"C2557" # Comparing signed to unsigned
+			"C2722" # List init syntax is c++11 feature
+			"C3280" # Declaration hides variable
+		)
+	endif()
 	string(REPLACE "C" " -wd" MSVC_DISABLED_WARNINGS_STR
 		${MSVC_DISABLED_WARNINGS_LIST})
-	set(CMAKE_C_FLAGS  "-MP -W4 ${MSVC_DISABLED_WARNINGS_STR}")
+	string(REGEX REPLACE "[/-]W[1234][ ]?" "" CMAKE_C_FLAGS ${CMAKE_C_FLAGS})
+	set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -MP -W4 ${MSVC_DISABLED_WARNINGS_STR}")
 endif()
 
 check_function_exists(asprintf HAVE_ASPRINTF)
@@ -96,7 +164,7 @@ if(HAVE_STRLCAT)
 	add_definitions(-DHAVE_STRLCAT)
 endif()
 
-check_function_exists(strlcat HAVE_STRLCPY)
+check_function_exists(strlcpy HAVE_STRLCPY)
 if(HAVE_STRLCPY)
 	add_definitions(-DHAVE_STRLCPY)
 endif()
@@ -106,8 +174,8 @@ if(HAVE_STRNDUP)
 	add_definitions(-DHAVE_STRNDUP)
 endif()
 
-if(MSVC)
+if(WIN32)
-	set(HAVE_STRNLEN)
+	set(HAVE_STRNLEN true)
 	add_definitions(-DHAVE_STRNLEN)
 else()
 	check_function_exists(strnlen HAVE_STRNLEN)
@@ -131,6 +199,11 @@ if(HAVE_ARC4RANDOM_BUF)
 	add_definitions(-DHAVE_ARC4RANDOM_BUF)
 endif()
 
+check_function_exists(arc4random_uniform HAVE_ARC4RANDOM_UNIFORM)
+if(HAVE_ARC4RANDOM_UNIFORM)
+	add_definitions(-DHAVE_ARC4RANDOM_UNIFORM)
+endif()
+
 check_function_exists(explicit_bzero HAVE_EXPLICIT_BZERO)
 if(HAVE_EXPLICIT_BZERO)
 	add_definitions(-DHAVE_EXPLICIT_BZERO)
@@ -156,12 +229,46 @@ if(HAVE_MEMCMP)
 	add_definitions(-DHAVE_MEMCMP)
 endif()
 
+check_function_exists(memmem HAVE_MEMMEM)
+if(HAVE_MEMMEM)
+	add_definitions(-DHAVE_MEMMEM)
+endif()
+
 check_include_files(err.h HAVE_ERR_H)
 if(HAVE_ERR_H)
 	add_definitions(-DHAVE_ERR_H)
 endif()
 
-set(OPENSSL_LIBS ssl crypto)
+if(ENABLE_ASM)
+	if("${CMAKE_C_COMPILER_ABI}" STREQUAL "ELF")
+		if("${CMAKE_SYSTEM_PROCESSOR}" MATCHES "(x86_64|amd64)")
+			set(HOST_ASM_ELF_X86_64 true)
+		elseif(CMAKE_SYSTEM_NAME STREQUAL "SunOS" AND "${CMAKE_SYSTEM_PROCESSOR}" STREQUAL "i386")
+			set(HOST_ASM_ELF_X86_64 true)
+		endif()
+	elseif(APPLE AND "${CMAKE_SYSTEM_PROCESSOR}" STREQUAL "x86_64")
+		set(HOST_ASM_MACOSX_X86_64 true)
+	endif()
+endif()
+
+if(NOT (CMAKE_SYSTEM_NAME MATCHES "(Darwin|CYGWIN)"))
+	set(BUILD_SHARED true)
+endif()
+
+# USE_SHARED builds applications (e.g. openssl) using shared LibreSSL.
+# By default, applications use LibreSSL static library to avoid dependencies.
+# USE_SHARED isn't set by default; use -DUSE_SHARED=ON with CMake to enable.
+# Can be helpful for debugging; don't use for public releases.
+if(NOT BUILD_SHARED)
+	set(USE_SHARED off)
+endif()
+
+if(USE_SHARED)
+	set(OPENSSL_LIBS tls-shared ssl-shared crypto-shared)
+else()
+	set(OPENSSL_LIBS tls ssl crypto)
+endif()
+
 if(CMAKE_HOST_WIN32)
 	set(OPENSSL_LIBS ${OPENSSL_LIBS} ws2_32)
 endif()
@@ -171,10 +278,20 @@ if(CMAKE_SYSTEM_NAME MATCHES "Linux")
 		set(OPENSSL_LIBS ${OPENSSL_LIBS} rt)
 	endif()
 endif()
-
+if(CMAKE_SYSTEM_NAME MATCHES "HP-UX")
-if(NOT (CMAKE_SYSTEM_NAME MATCHES "Darwin" OR MSVC))
+	set(OPENSSL_LIBS ${OPENSSL_LIBS} pthread)
-	set(BUILD_SHARED true)
 endif()
+if(CMAKE_SYSTEM_NAME MATCHES "SunOS")
+	set(OPENSSL_LIBS ${OPENSSL_LIBS} nsl socket)
+endif()
+
+check_type_size(time_t SIZEOF_TIME_T)
+if(SIZEOF_TIME_T STREQUAL "4")
+	set(SMALL_TIME_T true)
+	message(WARNING " ** Warning, this system is unable to represent times past 2038\n"
+	                " ** It will behave incorrectly when handling valid RFC5280 dates")
+endif()
+add_definitions(-DSIZEOF_TIME_T=${SIZEOF_TIME_T})
 
 add_subdirectory(crypto)
 add_subdirectory(ssl)
@@ -183,5 +300,15 @@ add_subdirectory(tls)
 add_subdirectory(include)
 if(NOT MSVC)
 	add_subdirectory(man)
+endif()
+if(NOT MSVC OR ENABLE_VSTEST)
 	add_subdirectory(tests)
 endif()
+
+configure_file(
+	"${CMAKE_CURRENT_SOURCE_DIR}/cmake_uninstall.cmake.in"
+	"${CMAKE_CURRENT_BINARY_DIR}/cmake_uninstall.cmake"
+	IMMEDIATE @ONLY)
+
+add_custom_target(uninstall
+	COMMAND ${CMAKE_COMMAND} -P ${CMAKE_CURRENT_BINARY_DIR}/cmake_uninstall.cmake)

ChangeLog

@@ -28,6 +28,297 @@ history is also available from Git.
 
 LibreSSL Portable Release Notes:
 
+2.5.1 - Bug and security fixes, new features, documentation updates
+
+	* X509_cmp_time() now passes a malformed GeneralizedTime field as an
+	  error. Reported by Theofilos Petsios.
+
+	* Detect zero-length encrypted session data early, instead of when
+	  malloc(0) fails or the HMAC check fails. Noted independently by
+	  jsing@ and Kurt Cancemi.
+
+	* Check for and handle failure of HMAC_{Update,Final} or
+	  EVP_DecryptUpdate().
+
+	* Massive update and normalization of manpages, conversion to
+	  mandoc format. Many pages were rewritten for clarity and accuracy.
+	  Portable doc links are up-to-date with a new conversion tool.
+
+	* Curve25519 Key Exchange support.
+
+	* Support for alternate chains for certificate verification.
+
+	* Code cleanups, CBS conversions, further unification of DTLS/SSL
+	  handshake code, further ASN1 macro expansion and removal.
+
+	* Private symbol are now hidden in libssl and libcryto.
+
+	* Friendly certificate verification error messages in libtls, peer
+	  verification is now always enabled.
+
+	* Added OCSP stapling support to libtls and netcat.
+
+	* Added ocspcheck utility to validate a certificate against its OCSP
+	  responder and save the reply for stapling
+
+	* Enhanced regression tests and error handling for libtls.
+
+	* Added explicit constant and non-constant time BN functions,
+	  defaulting to constant time wherever possible.
+
+	* Moved many leaked implementation details in public structs behind
+	  opaque pointers.
+
+	* Added ticket support to libtls.
+
+	* Added support for setting the supported EC curves via
+	  SSL{_CTX}_set1_groups{_list}() - also provide defines for the previous
+	  SSL{_CTX}_set1_curves{_list} names. This also changes the default
+	  list of curves to be X25519, P-256 and P-384. All other curves must
+          be manually enabled.
+
+	* Added -groups option to openssl(1) s_client for specifying the curves
+          to be used in a colon-separated list.
+
+	* Merged client/server version negotiation code paths into one,
+	  reducing much duplicate code.
+
+	* Removed error function codes from libssl and libcrypto.
+
+	* Fixed an issue where a truncated packet could crash via an OOB read.
+
+	* Added SSL_OP_NO_CLIENT_RENEGOTIATION option that disallows
+	  client-initiated renegotiation. This is the default for libtls
+	  servers.
+
+	* Avoid a side-channel cache-timing attack that can leak the ECDSA
+	  private keys when signing. This is due to BN_mod_inverse() being
+	  used without the constant time flag being set. Reported by Cesar
+	  Pereida Garcia and Billy Brumley (Tampere University of Technology).
+	  The fix was developed by Cesar Pereida Garcia.
+
+	* iOS and MacOS compatibility updates from Simone Basso and Jacob
+	  Berkman.
+
+
+2.5.0 - New APIs, bug fixes and improvements
+
+	* libtls now supports ALPN and SNI
+
+	* libtls adds a new callback interface for integrating custom IO
+	  functions. Thanks to Tobias Pape.
+
+	* libtls now handles 4 cipher suite groups:
+	    "secure" (TLSv1.2+AEAD+PFS)
+	    "compat" (HIGH:!aNULL)
+	    "legacy" (HIGH:MEDIUM:!aNULL)
+	    "insecure" (ALL:!aNULL:!eNULL)
+
+	    This allows for flexibility and finer grained control, rather than
+	    having two extremes (an issue raised by Marko Kreen some time ago).
+
+	* Tightened error handling for tls_config_set_ciphers().
+
+	* libtls now always loads CA, key and certificate files at the time the
+	  configuration function is called. This simplifies code and results in
+	  a single memory based code path being used to provide data to libssl.
+
+	* Add support for OCSP intermediate certificates.
+
+	* Added functions used by stunnel and exim from BoringSSL - this
+	  brings in X509_check_host, X509_check_email, X509_check_ip, and
+	  X509_check_ip_asc.
+
+	* Added initial support for iOS, thanks to Jacob Berkman.
+
+	* Improved behavior of arc4random on Windows when using memory leak
+	  analysis software.
+
+	* Correctly handle an EOF that occurs prior to the TLS handshake
+	  completing. Reported by Vasily Kolobkov, based on a diff from Marko
+	  Kreen.
+
+	* Limit the support of the "backward compatible" ssl2 handshake to
+	  only be used if TLS 1.0 is enabled.
+
+	* Fix incorrect results in certain cases on 64-bit systems when
+	  BN_mod_word() can return incorrect results. BN_mod_word() now can
+	  return an error condition. Thanks to Brian Smith.
+
+	* Added constant-time updates to address CVE-2016-0702
+
+	* Fixed undefined behavior in BN_GF2m_mod_arr()
+
+	* Removed unused Cryptographic Message Support (CMS)
+
+	* More conversions of long long idioms to time_t
+
+	* Improved compatibility by avoiding printing NULL strings with
+	  printf.
+
+	* Reverted change that cleans up the EVP cipher context in
+	  EVP_EncryptFinal() and EVP_DecryptFinal(). Some software relies on the
+	  previous behaviour.
+
+	* Avoid unbounded memory growth in libssl, which can be triggered by a
+	  TLS client repeatedly renegotiating and sending OCSP Status Request
+	  TLS extensions.
+
+	* Avoid falling back to a weak digest for (EC)DH when using SNI with
+	  libssl.
+
+2.4.2 - Bug fixes and improvements
+
+	* Fixed loading default certificate locations with openssl s_client.
+
+	* Ensured OCSP only uses and compares GENERALIZEDTIME values as per
+	  RFC6960. Also added fixes for OCSP to work with intermediate
+	  certificates provided in responses.
+
+	* Improved behavior of arc4random on Windows to not appear to leak
+	  memory in debug tools, reduced privileges of allocated memory.
+
+	* Fixed incorrect results from BN_mod_word() when the modulus is too
+	  large, thanks to Brian Smith from BoringSSL.
+
+	* Correctly handle an EOF prior to completing the TLS handshake in
+	  libtls.
+
+	* Improved libtls ceritificate loading and cipher string validation.
+
+	* Updated libtls cipher group suites into four categories:
+	    "secure"   (TLSv1.2+AEAD+PFS)
+	    "compat"   (HIGH:!aNULL)
+	    "legacy"   (HIGH:MEDIUM:!aNULL)
+	    "insecure" (ALL:!aNULL:!eNULL)
+	  This allows for flexibility and finer grained control, rather than
+	  having two extremes.
+
+	* Limited support for 'backward compatible' SSLv2 handshake packets to
+	  when TLS 1.0 is enabled, providing more restricted compatibility
+	  with TLS 1.0 clients.
+
+	* openssl(1) and other documentation improvements.
+
+	* Removed flags for disabling constant-time operations.
+	  This removes support for DSA_FLAG_NO_EXP_CONSTTIME,
+	  DH_FLAG_NO_EXP_CONSTTIME, and RSA_FLAG_NO_CONSTTIME flags, making
+	  all of these operations unconditionally constant-time.
+
+
+2.4.1 - Security fix
+
+	* Correct a problem that prevents the DSA signing algorithm from
+	  running in constant time even if the flag BN_FLG_CONSTTIME is set.
+	  This issue was reported by Cesar Pereida (Aalto University), Billy
+	  Brumley (Tampere University of Technology), and Yuval Yarom (The
+	  University of Adelaide and NICTA). The fix was developed by Cesar
+	  Pereida.
+
+2.4.0 - Build improvements, new features
+
+	* Many improvements to the CMake build infrastructure, including
+	  Solaris, mingw-w64, Cygwin, and HP-UX support. Thanks to Kinichiro
+	  Inoguchi for this work.
+
+	* Added missing error handling around bn_wexpand() calls.
+
+	* Added explicit_bzero calls for freed ASN.1 objects.
+
+	* Fixed X509_*set_object functions to return 0 on allocation failure.
+
+	* Implemented the IETF ChaCha20-Poly1305 cipher suites.
+
+	* Changed default EVP_aead_chacha20_poly1305() implementation to the
+	  IETF version, which is now the default.
+
+	* Fixed password prompts from openssl(1) to properly handle ^C.
+
+	* Reworked error handling in libtls so that configuration errors are
+	  visible.
+
+	* Deprecated internal use of EVP_[Cipher|Encrypt|Decrypt]_Final.
+
+	* Manpage fixes and updates
+
+2.3.5 - Reliability fix
+
+	* Fixed an error in libcrypto when parsing some ASN.1 elements > 16k.
+
+2.3.4 - Security Update
+
+	* Fix multiple vulnerabilities in libcrypto relating to ASN.1 and encoding.
+	From OpenSSL.
+
+	* Minor build fixes
+
+2.3.3 - OpenBSD 5.9 release branch tagged
+
+	* Reworked build scripts to better sync with OpenNTPD-portable
+
+	* Fixed broken manpage links
+
+	* Fixed an nginx compatibility issue by adding an 'install_sw' make alias
+
+	* Fixed HP-UX builds
+
+	* Changed the default configuration directory to c:\LibreSSL\ssl on Windows
+	  binary builds
+
+	* cert.pem has been reorganized and synced with Mozilla's certificate store
+
+2.3.2 - Compatibility and Reliability fixes
+
+	* Changed format of LIBRESSL_VERSION_NUMBER to match that of
+	  OPENSSL_VERSION_NUMBER, see:
+	  https://wiki.openssl.org/index.php/Manual:OPENSSL_VERSION_NUMBER(3)
+
+	* Added EVP_aead_chacha20_poly1305_ietf() which matches the AEAD
+	  construction introduced in RFC 7539, which is different than that
+	  already used in TLS with EVP_aead_chacha20_poly1305()
+
+	* Avoid a potential undefined C99+ behavior due to shift overflow in
+	  AES_decrypt, reported by Pascal Cuoq <cuoq at trust-in-soft.com>
+
+	* More man pages converted from pod to mdoc format
+
+	* Added COMODO RSA Certification Authority and QuoVadis
+	  root certificates to cert.pem
+
+	* Removed Remove "C=US, O=VeriSign, Inc., OU=Class 3 Public Primary Certification
+	  Authority" (serial 3c:91:31:cb:1f:f6:d0:1b:0e:9a:b8:d0:44:bf:12:be) root
+	  certificate from cert.pem
+
+	* Added support for building nc(1) on Solaris
+
+	* Fixed GCC 5.x+ preprocessor checks, reported by Ruslan Babayev
+
+	* Improved console handling with openssl(1) on Windows
+
+	* Ensure the network stack is enabled on Windows when running
+	  tls_init()
+
+	* Fixed incorrect TLS certificate loading by nc(1)
+
+	* Added support for Solaris 11.3's getentropy(2) system call
+
+	* Enabled support for using NetBSD 7.0's arc4random(3) implementation
+
+	* Deprecated the SSL_OP_SINGLE_DH_USE flag by disabling its effect
+
+	* Fixes from OpenSSL 1.0.1q
+	 - CVE-2015-3194 - NULL pointer dereference in client side certificate
+	                   validation.
+	 - CVE-2015-3195 - Memory leak in PKCS7 - not reachable from TLS/SSL
+
+	* The following OpenSSL CVEs did not apply to LibreSSL
+	 - CVE-2015-3193 - Carry propagating bug in the x86_64 Montgomery
+	                   squaring procedure.
+	 - CVE-2015-3196 - Double free race condition of the identify hint
+	                   data.
+
+	 See https://marc.info/?l=openbsd-announce&m=144925068504102
+
 2.3.1 - ASN.1 and time handling cleanups
 
 	* ASN.1 cleanups and RFC5280 compliance fixes.

Makefile.am

@@ -5,4 +5,7 @@ pkgconfigdir = $(libdir)/pkgconfig
 pkgconfig_DATA = libcrypto.pc libssl.pc libtls.pc openssl.pc
 
 EXTRA_DIST = README.md README.windows VERSION config scripts
-EXTRA_DIST += CMakeLists.txt
+EXTRA_DIST += CMakeLists.txt cmake_export_symbol.cmake cmake_uninstall.cmake.in
+
+.PHONY: install_sw
+install_sw: install

Makefile.am.common

@@ -1,2 +1,3 @@
 AM_CFLAGS =
 AM_CPPFLAGS = -I$(top_srcdir)/include -I$(top_srcdir)/include/compat -DLIBRESSL_INTERNAL
+AM_CPPFLAGS += -D__BEGIN_HIDDEN_DECLS= -D__END_HIDDEN_DECLS=

README.md

@@ -30,7 +30,7 @@ At the time of this writing, LibreSSL is know to build and work on:
 
 * Linux (kernel 3.17 or later recommended)
 * FreeBSD (tested with 9.2 and later)
-* NetBSD (tested with 6.1.5)
+* NetBSD (7.0 or later recommended)
 * HP-UX (11i)
 * Solaris (11 and later preferred)
 * Mac OS X (tested with 10.8 and later)

apps/CMakeLists.txt

@@ -1,80 +1,3 @@
-include_directories(
+add_subdirectory(ocspcheck)
-	.
+add_subdirectory(openssl)
-	../include
+add_subdirectory(nc)
-	../include/compat
-)
-
-set(
-	OPENSSL_SRC
-	openssl/apps.c
-	openssl/asn1pars.c
-	openssl/ca.c
-	openssl/ciphers.c
-	openssl/cms.c
-	openssl/crl.c
-	openssl/crl2p7.c
-	openssl/dgst.c
-	openssl/dh.c
-	openssl/dhparam.c
-	openssl/dsa.c
-	openssl/dsaparam.c
-	openssl/ec.c
-	openssl/ecparam.c
-	openssl/enc.c
-	openssl/errstr.c
-	openssl/gendh.c
-	openssl/gendsa.c
-	openssl/genpkey.c
-	openssl/genrsa.c
-	openssl/nseq.c
-	openssl/ocsp.c
-	openssl/openssl.c
-	openssl/passwd.c
-	openssl/pkcs12.c
-	openssl/pkcs7.c
-	openssl/pkcs8.c
-	openssl/pkey.c
-	openssl/pkeyparam.c
-	openssl/pkeyutl.c
-	openssl/prime.c
-	openssl/rand.c
-	openssl/req.c
-	openssl/rsa.c
-	openssl/rsautl.c
-	openssl/s_cb.c
-	openssl/s_client.c
-	openssl/s_server.c
-	openssl/s_socket.c
-	openssl/s_time.c
-	openssl/sess_id.c
-	openssl/smime.c
-	openssl/speed.c
-	openssl/spkac.c
-	openssl/ts.c
-	openssl/verify.c
-	openssl/version.c
-	openssl/x509.c
-)
-
-if(CMAKE_HOST_UNIX)
-	set(OPENSSL_SRC ${OPENSSL_SRC} openssl/apps_posix.c)
-	set(OPENSSL_SRC ${OPENSSL_SRC} openssl/certhash.c)
-endif()
-
-if(CMAKE_HOST_WIN32)
-	set(OPENSSL_SRC ${OPENSSL_SRC} openssl/apps_win.c)
-	set(OPENSSL_SRC ${OPENSSL_SRC} openssl/certhash_win.c)
-	set(OPENSSL_SRC ${OPENSSL_SRC} openssl/compat/poll_win.c)
-endif()
-
-check_function_exists(strtonum HAVE_STRTONUM)
-if(HAVE_STRTONUM)
-	add_definitions(-DHAVE_STRTONUM)
-else()
-	set(OPENSSL_SRC ${OPENSSL_SRC} openssl/compat/strtonum.c)
-endif()
-
-add_executable(openssl ${OPENSSL_SRC})
-target_link_libraries(openssl ${OPENSSL_LIBS})
-
-install(TARGETS openssl DESTINATION bin)

apps/Makefile.am

@@ -1,5 +1,5 @@
 include $(top_srcdir)/Makefile.am.common
 
-SUBDIRS = openssl nc
+SUBDIRS = ocspcheck openssl nc
 
 EXTRA_DIST = CMakeLists.txt

apps/nc/CMakeLists.txt

@@ -0,0 +1,60 @@
+if(BUILD_NC)
+
+include_directories(
+	.
+	./compat
+	../../include
+	../../include/compat
+)
+
+set(
+	NC_SRC
+	atomicio.c
+	netcat.c
+	socks.c
+	compat/socket.c
+)
+
+check_function_exists(b64_ntop HAVE_B64_NTOP)
+if(HAVE_B64_NTOP)
+	add_definitions(-DHAVE_B64_NTOP)
+else()
+	set(NC_SRC ${NC_SRC} compat/base64.c)
+endif()
+
+check_function_exists(accept4 HAVE_ACCEPT4)
+if(HAVE_ACCEPT4)
+	add_definitions(-DHAVE_ACCEPT4)
+else()
+	set(NC_SRC ${NC_SRC} compat/accept4.c)
+endif()
+
+check_function_exists(readpassphrase HAVE_READPASSPHRASE)
+if(HAVE_READPASSPHRASE)
+	add_definitions(-DHAVE_READPASSPHRASE)
+else()
+	set(NC_SRC ${NC_SRC} compat/readpassphrase.c)
+endif()
+
+check_function_exists(strtonum HAVE_STRTONUM)
+if(HAVE_STRTONUM)
+	add_definitions(-DHAVE_STRTONUM)
+else()
+	set(NC_SRC ${NC_SRC} compat/strtonum.c)
+endif()
+
+if(NOT "${OPENSSLDIR}" STREQUAL "")
+	add_definitions(-DDEFAULT_CA_FILE=\"${OPENSSLDIR}/cert.pem\")
+else()
+	add_definitions(-DDEFAULT_CA_FILE=\"${CMAKE_INSTALL_PREFIX}/etc/ssl/cert.pem\")
+endif()
+
+add_executable(nc ${NC_SRC})
+target_link_libraries(nc tls ${OPENSSL_LIBS})
+
+if(ENABLE_NC)
+	install(TARGETS nc DESTINATION bin)
+	install(FILES nc.1 DESTINATION share/man/man1)
+endif()
+
+endif()

apps/nc/Makefile.am

@@ -2,14 +2,19 @@ include $(top_srcdir)/Makefile.am.common
 
 if BUILD_NC
 
+if ENABLE_NC
+bin_PROGRAMS = nc
+else
 noinst_PROGRAMS = nc
+endif
 
 EXTRA_DIST = nc.1
+EXTRA_DIST += CMakeLists.txt
 
-nc_LDADD = $(PLATFORM_LDADD) $(PROG_LDADD)
+nc_LDADD = $(abs_top_builddir)/crypto/libcrypto.la
-nc_LDADD += $(top_builddir)/crypto/libcrypto.la
+nc_LDADD += $(abs_top_builddir)/ssl/libssl.la
-nc_LDADD += $(top_builddir)/ssl/libssl.la
+nc_LDADD += $(abs_top_builddir)/tls/libtls.la
-nc_LDADD += $(top_builddir)/tls/libtls.la
+nc_LDADD += $(PLATFORM_LDADD) $(PROG_LDADD)
 
 AM_CPPFLAGS += -I$(top_srcdir)/apps/nc/compat
 

apps/nc/compat/base64.c

@@ -1,315 +0,0 @@
-/*	$OpenBSD: base64.c,v 1.8 2015/01/16 16:48:51 deraadt Exp $	*/
-
-/*
- * Copyright (c) 1996 by Internet Software Consortium.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND INTERNET SOFTWARE CONSORTIUM DISCLAIMS
- * ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES
- * OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL INTERNET SOFTWARE
- * CONSORTIUM BE LIABLE FOR ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL
- * DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR
- * PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS
- * ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS
- * SOFTWARE.
- */
-
-/*
- * Portions Copyright (c) 1995 by International Business Machines, Inc.
- *
- * International Business Machines, Inc. (hereinafter called IBM) grants
- * permission under its copyrights to use, copy, modify, and distribute this
- * Software with or without fee, provided that the above copyright notice and
- * all paragraphs of this notice appear in all copies, and that the name of IBM
- * not be used in connection with the marketing of any product incorporating
- * the Software or modifications thereof, without specific, written prior
- * permission.
- *
- * To the extent it has a right to do so, IBM grants an immunity from suit
- * under its patents, if any, for the use, sale or manufacture of products to
- * the extent that such products are used for performing Domain Name System
- * dynamic updates in TCP/IP networks by means of the Software.  No immunity is
- * granted for any product per se or for any other function of any product.
- *
- * THE SOFTWARE IS PROVIDED "AS IS", AND IBM DISCLAIMS ALL WARRANTIES,
- * INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A
- * PARTICULAR PURPOSE.  IN NO EVENT SHALL IBM BE LIABLE FOR ANY SPECIAL,
- * DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER ARISING
- * OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE, EVEN
- * IF IBM IS APPRISED OF THE POSSIBILITY OF SUCH DAMAGES.
- */
-
-#include <sys/types.h>
-#include <sys/socket.h>
-#include <netinet/in.h>
-#include <arpa/inet.h>
-#include <arpa/nameser.h>
-
-#include <ctype.h>
-#include <resolv.h>
-#include <stdio.h>
-
-#include <stdlib.h>
-#include <string.h>
-
-static const char Base64[] =
-	"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";
-static const char Pad64 = '=';
-
-/* (From RFC1521 and draft-ietf-dnssec-secext-03.txt)
-   The following encoding technique is taken from RFC 1521 by Borenstein
-   and Freed.  It is reproduced here in a slightly edited form for
-   convenience.
-
-   A 65-character subset of US-ASCII is used, enabling 6 bits to be
-   represented per printable character. (The extra 65th character, "=",
-   is used to signify a special processing function.)
-
-   The encoding process represents 24-bit groups of input bits as output
-   strings of 4 encoded characters. Proceeding from left to right, a
-   24-bit input group is formed by concatenating 3 8-bit input groups.
-   These 24 bits are then treated as 4 concatenated 6-bit groups, each
-   of which is translated into a single digit in the base64 alphabet.
-
-   Each 6-bit group is used as an index into an array of 64 printable
-   characters. The character referenced by the index is placed in the
-   output string.
-
-                         Table 1: The Base64 Alphabet
-
-      Value Encoding  Value Encoding  Value Encoding  Value Encoding
-          0 A            17 R            34 i            51 z
-          1 B            18 S            35 j            52 0
-          2 C            19 T            36 k            53 1
-          3 D            20 U            37 l            54 2
-          4 E            21 V            38 m            55 3
-          5 F            22 W            39 n            56 4
-          6 G            23 X            40 o            57 5
-          7 H            24 Y            41 p            58 6
-          8 I            25 Z            42 q            59 7
-          9 J            26 a            43 r            60 8
-         10 K            27 b            44 s            61 9
-         11 L            28 c            45 t            62 +
-         12 M            29 d            46 u            63 /
-         13 N            30 e            47 v
-         14 O            31 f            48 w         (pad) =
-         15 P            32 g            49 x
-         16 Q            33 h            50 y
-
-   Special processing is performed if fewer than 24 bits are available
-   at the end of the data being encoded.  A full encoding quantum is
-   always completed at the end of a quantity.  When fewer than 24 input
-   bits are available in an input group, zero bits are added (on the
-   right) to form an integral number of 6-bit groups.  Padding at the
-   end of the data is performed using the '=' character.
-
-   Since all base64 input is an integral number of octets, only the
-         -------------------------------------------------                       
-   following cases can arise:
-   
-       (1) the final quantum of encoding input is an integral
-           multiple of 24 bits; here, the final unit of encoded
-	   output will be an integral multiple of 4 characters
-	   with no "=" padding,
-       (2) the final quantum of encoding input is exactly 8 bits;
-           here, the final unit of encoded output will be two
-	   characters followed by two "=" padding characters, or
-       (3) the final quantum of encoding input is exactly 16 bits;
-           here, the final unit of encoded output will be three
-	   characters followed by one "=" padding character.
-   */
-
-int
-b64_ntop(src, srclength, target, targsize)
-	u_char const *src;
-	size_t srclength;
-	char *target;
-	size_t targsize;
-{
-	size_t datalength = 0;
-	u_char input[3];
-	u_char output[4];
-	int i;
-
-	while (2 < srclength) {
-		input[0] = *src++;
-		input[1] = *src++;
-		input[2] = *src++;
-		srclength -= 3;
-
-		output[0] = input[0] >> 2;
-		output[1] = ((input[0] & 0x03) << 4) + (input[1] >> 4);
-		output[2] = ((input[1] & 0x0f) << 2) + (input[2] >> 6);
-		output[3] = input[2] & 0x3f;
-
-		if (datalength + 4 > targsize)
-			return (-1);
-		target[datalength++] = Base64[output[0]];
-		target[datalength++] = Base64[output[1]];
-		target[datalength++] = Base64[output[2]];
-		target[datalength++] = Base64[output[3]];
-	}
-    
-	/* Now we worry about padding. */
-	if (0 != srclength) {
-		/* Get what's left. */
-		input[0] = input[1] = input[2] = '\0';
-		for (i = 0; i < srclength; i++)
-			input[i] = *src++;
-	
-		output[0] = input[0] >> 2;
-		output[1] = ((input[0] & 0x03) << 4) + (input[1] >> 4);
-		output[2] = ((input[1] & 0x0f) << 2) + (input[2] >> 6);
-
-		if (datalength + 4 > targsize)
-			return (-1);
-		target[datalength++] = Base64[output[0]];
-		target[datalength++] = Base64[output[1]];
-		if (srclength == 1)
-			target[datalength++] = Pad64;
-		else
-			target[datalength++] = Base64[output[2]];
-		target[datalength++] = Pad64;
-	}
-	if (datalength >= targsize)
-		return (-1);
-	target[datalength] = '\0';	/* Returned value doesn't count \0. */
-	return (datalength);
-}
-
-/* skips all whitespace anywhere.
-   converts characters, four at a time, starting at (or after)
-   src from base - 64 numbers into three 8 bit bytes in the target area.
-   it returns the number of data bytes stored at the target, or -1 on error.
- */
-
-int
-b64_pton(src, target, targsize)
-	char const *src;
-	u_char *target;
-	size_t targsize;
-{
-	int tarindex, state, ch;
-	u_char nextbyte;
-	char *pos;
-
-	state = 0;
-	tarindex = 0;
-
-	while ((ch = (unsigned char)*src++) != '\0') {
-		if (isspace(ch))	/* Skip whitespace anywhere. */
-			continue;
-
-		if (ch == Pad64)
-			break;
-
-		pos = strchr(Base64, ch);
-		if (pos == 0) 		/* A non-base64 character. */
-			return (-1);
-
-		switch (state) {
-		case 0:
-			if (target) {
-				if (tarindex >= targsize)
-					return (-1);
-				target[tarindex] = (pos - Base64) << 2;
-			}
-			state = 1;
-			break;
-		case 1:
-			if (target) {
-				if (tarindex >= targsize)
-					return (-1);
-				target[tarindex]   |=  (pos - Base64) >> 4;
-				nextbyte = ((pos - Base64) & 0x0f) << 4;
-				if (tarindex + 1 < targsize)
-					target[tarindex+1] = nextbyte;
-				else if (nextbyte)
-					return (-1);
-			}
-			tarindex++;
-			state = 2;
-			break;
-		case 2:
-			if (target) {
-				if (tarindex >= targsize)
-					return (-1);
-				target[tarindex]   |=  (pos - Base64) >> 2;
-				nextbyte = ((pos - Base64) & 0x03) << 6;
-				if (tarindex + 1 < targsize)
-					target[tarindex+1] = nextbyte;
-				else if (nextbyte)
-					return (-1);
-			}
-			tarindex++;
-			state = 3;
-			break;
-		case 3:
-			if (target) {
-				if (tarindex >= targsize)
-					return (-1);
-				target[tarindex] |= (pos - Base64);
-			}
-			tarindex++;
-			state = 0;
-			break;
-		}
-	}
-
-	/*
-	 * We are done decoding Base-64 chars.  Let's see if we ended
-	 * on a byte boundary, and/or with erroneous trailing characters.
-	 */
-
-	if (ch == Pad64) {			/* We got a pad char. */
-		ch = (unsigned char)*src++;	/* Skip it, get next. */
-		switch (state) {
-		case 0:		/* Invalid = in first position */
-		case 1:		/* Invalid = in second position */
-			return (-1);
-
-		case 2:		/* Valid, means one byte of info */
-			/* Skip any number of spaces. */
-			for (; ch != '\0'; ch = (unsigned char)*src++)
-				if (!isspace(ch))
-					break;
-			/* Make sure there is another trailing = sign. */
-			if (ch != Pad64)
-				return (-1);
-			ch = (unsigned char)*src++;		/* Skip the = */
-			/* Fall through to "single trailing =" case. */
-			/* FALLTHROUGH */
-
-		case 3:		/* Valid, means two bytes of info */
-			/*
-			 * We know this char is an =.  Is there anything but
-			 * whitespace after it?
-			 */
-			for (; ch != '\0'; ch = (unsigned char)*src++)
-				if (!isspace(ch))
-					return (-1);
-
-			/*
-			 * Now make sure for cases 2 and 3 that the "extra"
-			 * bits that slopped past the last full byte were
-			 * zeros.  If we don't check them, they become a
-			 * subliminal channel.
-			 */
-			if (target && tarindex < targsize &&
-			    target[tarindex] != 0)
-				return (-1);
-		}
-	} else {
-		/*
-		 * We ended by seeing the end of the string.  Make sure we
-		 * have no partial bytes lying around.
-		 */
-		if (state != 0)
-			return (-1);
-	}
-
-	return (tarindex);
-}

apps/nc/compat/readpassphrase.c

@@ -141,11 +141,11 @@ restart:
 			if (p < end) {
 				if ((flags & RPP_SEVENBIT))
 					ch &= 0x7f;
-				if (isalpha(ch)) {
+				if (isalpha((unsigned char)ch)) {
 					if ((flags & RPP_FORCELOWER))
-						ch = (char)tolower(ch);
+						ch = (char)tolower((unsigned char)ch);
 					if ((flags & RPP_FORCEUPPER))
-						ch = (char)toupper(ch);
+						ch = (char)toupper((unsigned char)ch);
 				}
 				*p++ = ch;
 			}

apps/nc/compat/strtonum.c

@@ -1,65 +0,0 @@
-/*	$OpenBSD: strtonum.c,v 1.7 2013/04/17 18:40:58 tedu Exp $	*/
-
-/*
- * Copyright (c) 2004 Ted Unangst and Todd Miller
- * All rights reserved.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
- * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
- * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
- * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
- * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
- * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
- * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
- */
-
-#include <errno.h>
-#include <limits.h>
-#include <stdlib.h>
-
-#define	INVALID		1
-#define	TOOSMALL	2
-#define	TOOLARGE	3
-
-long long
-strtonum(const char *numstr, long long minval, long long maxval,
-    const char **errstrp)
-{
-	long long ll = 0;
-	int error = 0;
-	char *ep;
-	struct errval {
-		const char *errstr;
-		int err;
-	} ev[4] = {
-		{ NULL,		0 },
-		{ "invalid",	EINVAL },
-		{ "too small",	ERANGE },
-		{ "too large",	ERANGE },
-	};
-
-	ev[0].err = errno;
-	errno = 0;
-	if (minval > maxval) {
-		error = INVALID;
-	} else {
-		ll = strtoll(numstr, &ep, 10);
-		if (numstr == ep || *ep != '\0')
-			error = INVALID;
-		else if ((ll == LLONG_MIN && errno == ERANGE) || ll < minval)
-			error = TOOSMALL;
-		else if ((ll == LLONG_MAX && errno == ERANGE) || ll > maxval)
-			error = TOOLARGE;
-	}
-	if (errstrp != NULL)
-		*errstrp = ev[error].errstr;
-	errno = ev[error].err;
-	if (error)
-		ll = 0;
-
-	return (ll);
-}

apps/ocspcheck/CMakeLists.txt

@@ -0,0 +1,42 @@
+if(NOT MSVC)
+
+include_directories(
+	.
+	./compat
+	../../include
+	../../include/compat
+)
+
+set(
+	OCSPCHECK_SRC
+	http.c
+	ocspcheck.c
+)
+
+check_function_exists(inet_ntop HAVE_INET_NTOP)
+if(HAVE_INET_NTOP)
+        add_definitions(-DHAVE_INET_NTOP)
+else()
+        set(OCSPCHECK_SRC ${OCSPCHECK_SRC} compat/inet_ntop.c)
+endif()
+
+check_function_exists(inet_ntop HAVE_MEMMEM)
+if(HAVE_MEMMEM)
+        add_definitions(-DHAVE_MEMMEM)
+else()
+        set(OCSPCHECK_SRC ${OCSPCHECK_SRC} compat/memmem.c)
+endif()
+
+if(NOT "${OPENSSLDIR}" STREQUAL "")
+	add_definitions(-DDEFAULT_CA_FILE=\"${OPENSSLDIR}/cert.pem\")
+else()
+	add_definitions(-DDEFAULT_CA_FILE=\"${CMAKE_INSTALL_PREFIX}/etc/ssl/cert.pem\")
+endif()
+
+add_executable(ocspcheck ${OCSPCHECK_SRC})
+target_link_libraries(ocspcheck tls ${OPENSSL_LIBS})
+
+install(TARGETS ocspcheck DESTINATION bin)
+install(FILES ocspcheck.8 DESTINATION share/man/man8)
+
+endif()

apps/ocspcheck/Makefile.am

@@ -0,0 +1,23 @@
+include $(top_srcdir)/Makefile.am.common
+
+bin_PROGRAMS = ocspcheck
+
+EXTRA_DIST = ocspcheck.8
+EXTRA_DIST += CMakeLists.txt
+
+ocspcheck_LDADD = $(abs_top_builddir)/crypto/libcrypto.la
+ocspcheck_LDADD += $(abs_top_builddir)/ssl/libssl.la
+ocspcheck_LDADD += $(abs_top_builddir)/tls/libtls.la
+ocspcheck_LDADD += $(PLATFORM_LDADD) $(PROG_LDADD)
+
+ocspcheck_SOURCES = http.c
+ocspcheck_SOURCES += ocspcheck.c
+noinst_HEADERS = http.h
+
+if !HAVE_INET_NTOP
+ocspcheck_SOURCES += compat/inet_ntop.c
+endif
+
+if !HAVE_MEMMEM
+ocspcheck_SOURCES += compat/memmem.c
+endif

apps/openssl/CMakeLists.txt

@@ -0,0 +1,88 @@
+include_directories(
+	.
+	../../include
+	../../include/compat
+)
+
+set(
+	OPENSSL_SRC
+	apps.c
+	asn1pars.c
+	ca.c
+	ciphers.c
+	crl.c
+	crl2p7.c
+	dgst.c
+	dh.c
+	dhparam.c
+	dsa.c
+	dsaparam.c
+	ec.c
+	ecparam.c
+	enc.c
+	errstr.c
+	gendh.c
+	gendsa.c
+	genpkey.c
+	genrsa.c
+	nseq.c
+	ocsp.c
+	openssl.c
+	passwd.c
+	pkcs12.c
+	pkcs7.c
+	pkcs8.c
+	pkey.c
+	pkeyparam.c
+	pkeyutl.c
+	prime.c
+	rand.c
+	req.c
+	rsa.c
+	rsautl.c
+	s_cb.c
+	s_client.c
+	s_server.c
+	s_socket.c
+	s_time.c
+	sess_id.c
+	smime.c
+	speed.c
+	spkac.c
+	ts.c
+	verify.c
+	version.c
+	x509.c
+)
+
+if(CMAKE_HOST_UNIX)
+	set(OPENSSL_SRC ${OPENSSL_SRC} apps_posix.c)
+	set(OPENSSL_SRC ${OPENSSL_SRC} certhash.c)
+endif()
+
+if(CMAKE_HOST_WIN32)
+	set(OPENSSL_SRC ${OPENSSL_SRC} apps_win.c)
+	set(OPENSSL_SRC ${OPENSSL_SRC} certhash_win.c)
+	set(OPENSSL_SRC ${OPENSSL_SRC} compat/poll_win.c)
+endif()
+
+check_function_exists(strtonum HAVE_STRTONUM)
+if(HAVE_STRTONUM)
+	add_definitions(-DHAVE_STRTONUM)
+else()
+	set(OPENSSL_SRC ${OPENSSL_SRC} compat/strtonum.c)
+endif()
+
+add_executable(openssl ${OPENSSL_SRC})
+target_link_libraries(openssl ${OPENSSL_LIBS})
+
+install(TARGETS openssl DESTINATION bin)
+install(FILES openssl.1 DESTINATION share/man/man1)
+
+if(NOT "${OPENSSLDIR}" STREQUAL "")
+	set(CONF_DIR "${OPENSSLDIR}")
+else()
+	set(CONF_DIR "${CMAKE_INSTALL_PREFIX}/etc/ssl")
+endif()
+install(FILES cert.pem openssl.cnf x509v3.cnf DESTINATION ${CONF_DIR})
+install(DIRECTORY DESTINATION ${CONF_DIR}/cert)

apps/openssl/Makefile.am

@@ -4,15 +4,14 @@ bin_PROGRAMS = openssl
 
 dist_man_MANS = openssl.1
 
-openssl_LDADD = $(PLATFORM_LDADD) $(PROG_LDADD)
+openssl_LDADD = $(abs_top_builddir)/ssl/libssl.la
-openssl_LDADD += $(top_builddir)/ssl/libssl.la
+openssl_LDADD += $(abs_top_builddir)/crypto/libcrypto.la
-openssl_LDADD += $(top_builddir)/crypto/libcrypto.la
+openssl_LDADD += $(PLATFORM_LDADD) $(PROG_LDADD)
 
 openssl_SOURCES = apps.c
 openssl_SOURCES += asn1pars.c
 openssl_SOURCES += ca.c
 openssl_SOURCES += ciphers.c
-openssl_SOURCES += cms.c
 openssl_SOURCES += crl.c
 openssl_SOURCES += crl2p7.c
 openssl_SOURCES += dgst.c
@@ -89,12 +88,13 @@ noinst_HEADERS += timeouts.h
 EXTRA_DIST = cert.pem
 EXTRA_DIST += openssl.cnf
 EXTRA_DIST += x509v3.cnf
+EXTRA_DIST += CMakeLists.txt
 
 install-exec-hook:
 	@if [ "@OPENSSLDIR@x" != "x" ]; then \
-		OPENSSLDIR="$(DESTDIR)/@OPENSSLDIR@"; \
+		OPENSSLDIR="$(DESTDIR)@OPENSSLDIR@"; \
 	else \
-		OPENSSLDIR="$(DESTDIR)/$(sysconfdir)/ssl"; \
+		OPENSSLDIR="$(DESTDIR)$(sysconfdir)/ssl"; \
 	fi; \
 	mkdir -p "$$OPENSSLDIR/certs"; \
 	for i in cert.pem openssl.cnf x509v3.cnf; do \
@@ -107,9 +107,9 @@ install-exec-hook:
 
 uninstall-local:
 	@if [ "@OPENSSLDIR@x" != "x" ]; then \
-		OPENSSLDIR="$(DESTDIR)/@OPENSSLDIR@"; \
+		OPENSSLDIR="$(DESTDIR)@OPENSSLDIR@"; \
 	else \
-		OPENSSLDIR="$(DESTDIR)/$(sysconfdir)/ssl"; \
+		OPENSSLDIR="$(DESTDIR)$(sysconfdir)/ssl"; \
 	fi; \
 	for i in cert.pem openssl.cnf x509v3.cnf; do \
 		if cmp -s "$$OPENSSLDIR/$$i" "$(srcdir)/$$i"; then \

autogen.sh

@@ -9,3 +9,7 @@ autoreconf -i -f
 sed 's/-fuse-linker-plugin)/-fuse-linker-plugin|-fstack-protector*)/' \
   ltmain.sh > ltmain.sh.fixed
 mv -f ltmain.sh.fixed ltmain.sh
+
+# Update config scripts and fixup permissions
+find . ! -perm -u=w -exec chmod u+w {} \;
+cp scripts/config.* .

cmake_export_symbol.cmake

@@ -0,0 +1,44 @@
+macro(export_symbol TARGET FILENAME)
+
+	set(FLAG "")
+
+	if(WIN32)
+		string(REPLACE ".sym" ".def" DEF_FILENAME ${FILENAME})
+		file(WRITE ${DEF_FILENAME} "EXPORTS\n")
+		file(READ ${FILENAME} SYMBOLS)
+		file(APPEND ${DEF_FILENAME} "${SYMBOLS}")
+		target_sources(${TARGET} PRIVATE ${DEF_FILENAME})
+
+	elseif(APPLE)
+		set(FLAG "-exported_symbols_list ${FILENAME}")
+		set_target_properties(${TARGET} PROPERTIES LINK_FLAGS ${FLAG})
+
+	elseif(CMAKE_SYSTEM_NAME MATCHES "HP-UX")
+		file(READ ${FILENAME} SYMBOLS)
+		string(REGEX REPLACE "\n$" "" SYMBOLS ${SYMBOLS})
+		string(REPLACE "\n" "\n+e " SYMBOLS ${SYMBOLS})
+		string(REPLACE ".sym" ".opt" OPT_FILENAME ${FILENAME})
+		file(WRITE ${OPT_FILENAME} "+e ${SYMBOLS}")
+		set(FLAG "-Wl,-c,${OPT_FILENAME}")
+		set_target_properties(${TARGET} PROPERTIES LINK_FLAGS ${FLAG})
+
+	elseif(CMAKE_SYSTEM_NAME MATCHES "SunOS")
+		file(READ ${FILENAME} SYMBOLS)
+		string(REPLACE "\n" ";\n" SYMBOLS ${SYMBOLS})
+		string(REPLACE ".sym" ".ver" VER_FILENAME ${FILENAME})
+		file(WRITE ${VER_FILENAME}
+			"{\nglobal:\n${SYMBOLS}\nlocal:\n*;\n};\n")
+		set(FLAG "-Wl,-M${VER_FILENAME}")
+		set_target_properties(${TARGET} PROPERTIES LINK_FLAGS ${FLAG})
+
+	elseif(CMAKE_COMPILER_IS_GNUCC OR CMAKE_C_COMPILER_ID MATCHES "Clang")
+		file(READ ${FILENAME} SYMBOLS)
+		string(REPLACE "\n" ";\n" SYMBOLS ${SYMBOLS})
+		string(REPLACE ".sym" ".ver" VER_FILENAME ${FILENAME})
+		file(WRITE ${VER_FILENAME}
+			"{\nglobal:\n${SYMBOLS}\nlocal:\n*;\n};\n")
+		set(FLAG "-Wl,--version-script,\"${VER_FILENAME}\"")
+		set_target_properties(${TARGET} PROPERTIES LINK_FLAGS ${FLAG})
+	endif()
+
+endmacro()

cmake_uninstall.cmake.in

@@ -0,0 +1,21 @@
+if(NOT EXISTS "@CMAKE_CURRENT_BINARY_DIR@/install_manifest.txt")
+	message(FATAL_ERROR "Cannot find install manifest: @CMAKE_CURRENT_BINARY_DIR@/install_manifest.txt")
+endif(NOT EXISTS "@CMAKE_CURRENT_BINARY_DIR@/install_manifest.txt")
+
+file(READ "@CMAKE_CURRENT_BINARY_DIR@/install_manifest.txt" files)
+string(REGEX REPLACE "\n" ";" files "${files}")
+foreach(file ${files})
+	message(STATUS "Uninstalling $ENV{DESTDIR}${file}")
+	if(IS_SYMLINK "$ENV{DESTDIR}${file}" OR EXISTS "$ENV{DESTDIR}${file}")
+		exec_program(
+			"@CMAKE_COMMAND@" ARGS "-E remove \"$ENV{DESTDIR}${file}\""
+			OUTPUT_VARIABLE rm_out
+			RETURN_VALUE rm_retval
+			)
+		if(NOT "${rm_retval}" STREQUAL 0)
+			message(FATAL_ERROR "Problem when removing $ENV{DESTDIR}${file}")
+		endif(NOT "${rm_retval}" STREQUAL 0)
+	else(IS_SYMLINK "$ENV{DESTDIR}${file}" OR EXISTS "$ENV{DESTDIR}${file}")
+		message(STATUS "File $ENV{DESTDIR}${file} does not exist.")
+	endif(IS_SYMLINK "$ENV{DESTDIR}${file}" OR EXISTS "$ENV{DESTDIR}${file}")
+endforeach(file)

configure.ac

@@ -54,6 +54,8 @@ CHECK_CRYPTO_COMPAT
 CHECK_VA_COPY
 CHECK_B64_NTOP
 
+GENERATE_CRYPTO_PORTABLE_SYM
+
 AC_ARG_WITH([openssldir],
 	AS_HELP_STRING([--with-openssldir],
 		       [Set the default openssl directory]),
@@ -126,6 +128,7 @@ AC_CONFIG_FILES([
 	tls/Makefile
 	tests/Makefile
 	apps/Makefile
+	apps/ocspcheck/Makefile
 	apps/openssl/Makefile
 	apps/nc/Makefile
 	man/Makefile

crypto/CMakeLists.txt

@@ -3,14 +3,100 @@ include_directories(
 	../include
 	../include/compat
 	asn1
+	bn
 	dsa
 	evp
 	modes
 )
 
+if(HOST_ASM_ELF_X86_64)
+	set(
+		ASM_X86_64_ELF_SRC
+		aes/aes-elf-x86_64.S
+		aes/bsaes-elf-x86_64.S
+		aes/vpaes-elf-x86_64.S
+		aes/aesni-elf-x86_64.S
+		aes/aesni-sha1-elf-x86_64.S
+		bn/modexp512-elf-x86_64.S
+		bn/mont-elf-x86_64.S
+		bn/mont5-elf-x86_64.S
+		bn/gf2m-elf-x86_64.S
+		camellia/cmll-elf-x86_64.S
+		md5/md5-elf-x86_64.S
+		modes/ghash-elf-x86_64.S
+		rc4/rc4-elf-x86_64.S
+		rc4/rc4-md5-elf-x86_64.S
+		sha/sha1-elf-x86_64.S
+		sha/sha256-elf-x86_64.S
+		sha/sha512-elf-x86_64.S
+		whrlpool/wp-elf-x86_64.S
+		cpuid-elf-x86_64.S
+	)
+	add_definitions(-DAES_ASM)
+	add_definitions(-DBSAES_ASM)
+	add_definitions(-DVPAES_ASM)
+	add_definitions(-DOPENSSL_IA32_SSE2)
+	add_definitions(-DOPENSSL_BN_ASM_MONT)
+	add_definitions(-DOPENSSL_BN_ASM_MONT5)
+	add_definitions(-DOPENSSL_BN_ASM_GF2m)
+	add_definitions(-DMD5_ASM)
+	add_definitions(-DGHASH_ASM)
+	add_definitions(-DRSA_ASM)
+	add_definitions(-DSHA1_ASM)
+	add_definitions(-DSHA256_ASM)
+	add_definitions(-DSHA512_ASM)
+	add_definitions(-DWHIRLPOOL_ASM)
+	add_definitions(-DOPENSSL_CPUID_OBJ)
+	set(CRYPTO_SRC ${CRYPTO_SRC} ${ASM_X86_64_ELF_SRC})
+	set_property(SOURCE ${ASM_X86_64_ELF_SRC} PROPERTY LANGUAGE C)
+endif()
+
+if(HOST_ASM_MACOSX_X86_64)
+	set(
+		ASM_X86_64_MACOSX_SRC
+		aes/aes-macosx-x86_64.S
+		aes/bsaes-macosx-x86_64.S
+		aes/vpaes-macosx-x86_64.S
+		aes/aesni-macosx-x86_64.S
+		aes/aesni-sha1-macosx-x86_64.S
+		bn/modexp512-macosx-x86_64.S
+		bn/mont-macosx-x86_64.S
+		bn/mont5-macosx-x86_64.S
+		bn/gf2m-macosx-x86_64.S
+		camellia/cmll-macosx-x86_64.S
+		md5/md5-macosx-x86_64.S
+		modes/ghash-macosx-x86_64.S
+		rc4/rc4-macosx-x86_64.S
+		rc4/rc4-md5-macosx-x86_64.S
+		sha/sha1-macosx-x86_64.S
+		sha/sha256-macosx-x86_64.S
+		sha/sha512-macosx-x86_64.S
+		whrlpool/wp-macosx-x86_64.S
+		cpuid-macosx-x86_64.S
+	)
+	add_definitions(-DAES_ASM)
+	add_definitions(-DBSAES_ASM)
+	add_definitions(-DVPAES_ASM)
+	add_definitions(-DOPENSSL_IA32_SSE2)
+	add_definitions(-DOPENSSL_BN_ASM_MONT)
+	add_definitions(-DOPENSSL_BN_ASM_MONT5)
+	add_definitions(-DOPENSSL_BN_ASM_GF2m)
+	add_definitions(-DMD5_ASM)
+	add_definitions(-DGHASH_ASM)
+	add_definitions(-DRSA_ASM)
+	add_definitions(-DSHA1_ASM)
+	add_definitions(-DSHA256_ASM)
+	add_definitions(-DSHA512_ASM)
+	add_definitions(-DWHIRLPOOL_ASM)
+	add_definitions(-DOPENSSL_CPUID_OBJ)
+	set(CRYPTO_SRC ${CRYPTO_SRC} ${ASM_X86_64_MACOSX_SRC})
+	set_property(SOURCE ${ASM_X86_64_MACOSX_SRC} PROPERTY LANGUAGE C)
+endif()
+
+if((NOT HOST_ASM_ELF_X86_64) AND (NOT HOST_ASM_MACOSX_X86_64))
 	set(
 		CRYPTO_SRC
-
+		${CRYPTO_SRC}
 		aes/aes_cbc.c
 		aes/aes_core.c
 		camellia/camellia.c
@@ -18,6 +104,12 @@ set(
 		rc4/rc4_enc.c
 		rc4/rc4_skey.c
 		whrlpool/wp_block.c
+	)
+endif()
+
+set(
+	CRYPTO_SRC
+	${CRYPTO_SRC}
 	cpt_err.c
 	cryptlib.c
 	cversion.c
@@ -190,6 +282,8 @@ set(
 	conf/conf_mall.c
 	conf/conf_mod.c
 	conf/conf_sap.c
+	curve25519/curve25519-generic.c
+	curve25519/curve25519.c
 	des/cbc_cksm.c
 	des/cbc_enc.c
 	des/cfb64ede.c
@@ -258,6 +352,10 @@ set(
 	ec/ecp_mont.c
 	ec/ecp_nist.c
 	ec/ecp_oct.c
+	ec/ecp_nistp224.c
+	ec/ecp_nistp256.c
+	ec/ecp_nistp521.c
+	ec/ecp_nistputil.c
 	ec/ecp_smpl.c
 	ecdh/ech_err.c
 	ecdh/ech_key.c
@@ -372,7 +470,6 @@ set(
 	idea/i_ecb.c
 	idea/i_ofb64.c
 	idea/i_skey.c
-	krb5/krb5_asn.c
 	lhash/lh_stats.c
 	lhash/lhash.c
 	md4/md4_dgst.c
@@ -556,46 +653,75 @@ endif()
 
 if(CMAKE_HOST_WIN32)
 	set(CRYPTO_SRC ${CRYPTO_SRC} bio/b_win.c)
+	set(CRYPTO_UNEXPORT ${CRYPTO_UNEXPORT} BIO_s_log)
 	set(CRYPTO_SRC ${CRYPTO_SRC} ui/ui_openssl_win.c)
 endif()
 
 if(CMAKE_HOST_WIN32)
 	set(CRYPTO_SRC ${CRYPTO_SRC} compat/posix_win.c)
+	set(EXTRA_EXPORT ${EXTRA_EXPORT} gettimeofday)
+	set(EXTRA_EXPORT ${EXTRA_EXPORT} posix_perror)
+	set(EXTRA_EXPORT ${EXTRA_EXPORT} posix_fopen)
+	set(EXTRA_EXPORT ${EXTRA_EXPORT} posix_fgets)
+	set(EXTRA_EXPORT ${EXTRA_EXPORT} posix_open)
+	set(EXTRA_EXPORT ${EXTRA_EXPORT} posix_rename)
+	set(EXTRA_EXPORT ${EXTRA_EXPORT} posix_connect)
+	set(EXTRA_EXPORT ${EXTRA_EXPORT} posix_close)
+	set(EXTRA_EXPORT ${EXTRA_EXPORT} posix_read)
+	set(EXTRA_EXPORT ${EXTRA_EXPORT} posix_write)
+	set(EXTRA_EXPORT ${EXTRA_EXPORT} posix_getsockopt)
+	set(EXTRA_EXPORT ${EXTRA_EXPORT} posix_setsockopt)
+	set(EXTRA_EXPORT ${EXTRA_EXPORT} sleep)
 endif()
 
 if(NOT HAVE_ASPRINTF)
 	set(CRYPTO_SRC ${CRYPTO_SRC} compat/bsd-asprintf.c)
+	set(EXTRA_EXPORT ${EXTRA_EXPORT} asprintf)
+	set(EXTRA_EXPORT ${EXTRA_EXPORT} vasprintf)
 endif()
 
 if(NOT HAVE_INET_PTON)
 	set(CRYPTO_SRC ${CRYPTO_SRC} compat/inet_pton.c)
+	set(EXTRA_EXPORT ${EXTRA_EXPORT} inet_pton)
 endif()
 
 if(NOT HAVE_REALLOCARRAY)
 	set(CRYPTO_SRC ${CRYPTO_SRC} compat/reallocarray.c)
+	set(EXTRA_EXPORT ${EXTRA_EXPORT} reallocarray)
 endif()
 
 if(NOT HAVE_STRCASECMP)
 	set(CRYPTO_SRC ${CRYPTO_SRC} compat/strcasecmp.c)
+	set(EXTRA_EXPORT ${EXTRA_EXPORT} strcasecmp)
 endif()
 
 if(NOT HAVE_STRLCAT)
 	set(CRYPTO_SRC ${CRYPTO_SRC} compat/strlcat.c)
+	set(EXTRA_EXPORT ${EXTRA_EXPORT} strlcat)
 endif()
 
 if(NOT HAVE_STRLCPY)
 	set(CRYPTO_SRC ${CRYPTO_SRC} compat/strlcpy.c)
+	set(EXTRA_EXPORT ${EXTRA_EXPORT} strlcpy)
 endif()
 
 if(NOT HAVE_STRNDUP)
 	set(CRYPTO_SRC ${CRYPTO_SRC} compat/strndup.c)
+	set(EXTRA_EXPORT ${EXTRA_EXPORT} strndup)
 	if(NOT HAVE_STRNLEN)
 		set(CRYPTO_SRC ${CRYPTO_SRC} compat/strnlen.c)
+		set(EXTRA_EXPORT ${EXTRA_EXPORT} strnlen)
 	endif()
 endif()
 
+if(NOT HAVE_STRSEP)
+	set(CRYPTO_SRC ${CRYPTO_SRC} compat/strsep.c)
+	set(EXTRA_EXPORT ${EXTRA_EXPORT} strsep)
+endif()
+
 if(NOT HAVE_TIMEGM)
 	set(CRYPTO_SRC ${CRYPTO_SRC} compat/timegm.c)
+	set(EXTRA_EXPORT ${EXTRA_EXPORT} timegm)
 endif()
 
 if(NOT HAVE_EXPLICIT_BZERO)
@@ -605,10 +731,13 @@ if(NOT HAVE_EXPLICIT_BZERO)
 		set(CRYPTO_SRC ${CRYPTO_SRC} compat/explicit_bzero.c)
 		set_source_files_properties(compat/explicit_bzero.c PROPERTIES COMPILE_FLAGS -O0)
 	endif()
+	set(EXTRA_EXPORT ${EXTRA_EXPORT} explicit_bzero)
 endif()
 
 if(NOT HAVE_ARC4RANDOM_BUF)
 	set(CRYPTO_SRC ${CRYPTO_SRC} compat/arc4random.c)
+	set(EXTRA_EXPORT ${EXTRA_EXPORT} arc4random)
+	set(EXTRA_EXPORT ${EXTRA_EXPORT} arc4random_buf)
 
 	if(NOT HAVE_GETENTROPY)
 		if(CMAKE_HOST_WIN32)
@@ -617,31 +746,74 @@ if(NOT HAVE_ARC4RANDOM_BUF)
 			set(CRYPTO_SRC ${CRYPTO_SRC} compat/getentropy_aix.c)
 		elseif(CMAKE_SYSTEM_NAME MATCHES "FreeBSD")
 			set(CRYPTO_SRC ${CRYPTO_SRC} compat/getentropy_freebsd.c)
+		elseif(CMAKE_SYSTEM_NAME MATCHES "HP-UX")
+			set(CRYPTO_SRC ${CRYPTO_SRC} compat/getentropy_hpux.c)
 		elseif(CMAKE_SYSTEM_NAME MATCHES "Linux")
 			set(CRYPTO_SRC ${CRYPTO_SRC} compat/getentropy_linux.c)
 		elseif(CMAKE_SYSTEM_NAME MATCHES "NetBSD")
 			set(CRYPTO_SRC ${CRYPTO_SRC} compat/getentropy_netbsd.c)
 		elseif(CMAKE_SYSTEM_NAME MATCHES "Darwin")
-			set(CRYPTO_SRC ${CRYPTO_SRC} compat/getentropy_darwin.c)
+			set(CRYPTO_SRC ${CRYPTO_SRC} compat/getentropy_osx.c)
 		elseif(CMAKE_SYSTEM_NAME MATCHES "SunOS")
 			set(CRYPTO_SRC ${CRYPTO_SRC} compat/getentropy_solaris.c)
 		endif()
+		set(EXTRA_EXPORT ${EXTRA_EXPORT} getentropy)
 	endif()
 endif()
 
+if(NOT HAVE_ARC4RANDOM_UNIFORM)
+	set(CRYPTO_SRC ${CRYPTO_SRC} compat/arc4random_uniform.c)
+	set(EXTRA_EXPORT ${EXTRA_EXPORT} arc4random_uniform)
+endif()
+
 if(NOT HAVE_TIMINGSAFE_BCMP)
 	set(CRYPTO_SRC ${CRYPTO_SRC} compat/timingsafe_bcmp.c)
+	set(EXTRA_EXPORT ${EXTRA_EXPORT} timingsafe_bcmp)
 endif()
 
 if(NOT HAVE_TIMINGSAFE_MEMCMP)
 	set(CRYPTO_SRC ${CRYPTO_SRC} compat/timingsafe_memcmp.c)
+	set(EXTRA_EXPORT ${EXTRA_EXPORT} timingsafe_memcmp)
+endif()
+
+if(NOT ENABLE_ASM)
+	add_definitions(-DOPENSSL_NO_ASM)
+else()
+	if(CMAKE_HOST_WIN32)
+		add_definitions(-DOPENSSL_NO_ASM)
+	endif()
+endif()
+
+if(NOT "${OPENSSLDIR}" STREQUAL "")
+	add_definitions(-DOPENSSLDIR=\"${OPENSSLDIR}\")
+else()
+	add_definitions(-DOPENSSLDIR=\"${CMAKE_INSTALL_PREFIX}/etc/ssl\")
+endif()
+
+file(READ ${CMAKE_CURRENT_SOURCE_DIR}/crypto.sym SYMS)
+foreach(SYM IN LISTS CRYPTO_UNEXPORT)
+	string(REPLACE "${SYM}\n" "" SYMS ${SYMS})
+endforeach()
+file(WRITE ${CMAKE_CURRENT_SOURCE_DIR}/crypto_p.sym ${SYMS})
+if(EXTRA_EXPORT)
+	list(SORT EXTRA_EXPORT)
+	foreach(SYM IN LISTS EXTRA_EXPORT)
+		file(APPEND ${CMAKE_CURRENT_SOURCE_DIR}/crypto_p.sym "${SYM}\n")
+	endforeach()
 endif()
 
-if (BUILD_SHARED)
 add_library(crypto-objects OBJECT ${CRYPTO_SRC})
+if (BUILD_SHARED)
 	add_library(crypto STATIC $<TARGET_OBJECTS:crypto-objects>)
 	add_library(crypto-shared SHARED $<TARGET_OBJECTS:crypto-objects>)
-	set_target_properties(crypto-shared PROPERTIES OUTPUT_NAME crypto)
+	export_symbol(crypto-shared ${CMAKE_CURRENT_SOURCE_DIR}/crypto_p.sym)
+	if (WIN32)
+		target_link_libraries(crypto-shared Ws2_32.lib)
+		set(CRYPTO_POSTFIX -${CRYPTO_MAJOR_VERSION})
+	endif()
+	set_target_properties(crypto-shared PROPERTIES
+		OUTPUT_NAME crypto${CRYPTO_POSTFIX}
+		ARCHIVE_OUTPUT_NAME crypto${CRYPTO_POSTFIX})
 	set_target_properties(crypto-shared PROPERTIES VERSION
 		${CRYPTO_VERSION} SOVERSION ${CRYPTO_MAJOR_VERSION})
 	install(TARGETS crypto crypto-shared DESTINATION lib)

crypto/Makefile.am

@@ -1,19 +1,25 @@
 include $(top_srcdir)/Makefile.am.common
 
 AM_CPPFLAGS += -I$(top_srcdir)/crypto/asn1
+AM_CPPFLAGS += -I$(top_srcdir)/crypto/bn
 AM_CPPFLAGS += -I$(top_srcdir)/crypto/evp
 AM_CPPFLAGS += -I$(top_srcdir)/crypto/modes
+AM_CPPFLAGS += -I$(top_srcdir)/crypto
 
 lib_LTLIBRARIES = libcrypto.la
 
 EXTRA_DIST = VERSION
 EXTRA_DIST += CMakeLists.txt
+EXTRA_DIST += crypto.sym
 
 # needed for a CMake target
 EXTRA_DIST += compat/strcasecmp.c
 
-libcrypto_la_LDFLAGS = -version-info @LIBCRYPTO_VERSION@ -no-undefined
+libcrypto_la_LDFLAGS = -version-info @LIBCRYPTO_VERSION@ -no-undefined -export-symbols $(top_srcdir)/crypto/crypto_portable.sym
-libcrypto_la_LIBADD = libcompat.la libcompatnoopt.la
+libcrypto_la_LIBADD = libcompat.la
+if !HAVE_EXPLICIT_BZERO
+libcrypto_la_LIBADD += libcompatnoopt.la
+endif
 libcrypto_la_CPPFLAGS = $(AM_CPPFLAGS)
 libcrypto_la_CPPFLAGS += -DLIBRESSL_INTERNAL
 libcrypto_la_CPPFLAGS += -DOPENSSL_NO_HW_PADLOCK
@@ -31,13 +37,15 @@ else
 libcrypto_la_CPPFLAGS += -DOPENSSLDIR=\"$(sysconfdir)/ssl\"
 endif
 
-noinst_LTLIBRARIES = libcompat.la libcompatnoopt.la
+noinst_LTLIBRARIES = libcompat.la
 
 # compatibility functions that need to be built without optimizations
+if !HAVE_EXPLICIT_BZERO
+noinst_LTLIBRARIES += libcompatnoopt.la
+
 libcompatnoopt_la_CFLAGS = -O0
 libcompatnoopt_la_SOURCES =
 
-if !HAVE_EXPLICIT_BZERO
 if HOST_WIN
 libcompatnoopt_la_SOURCES += compat/explicit_bzero_win.c
 else
@@ -65,6 +73,10 @@ libcompat_la_SOURCES += compat/strnlen.c
 endif
 endif
 
+if !HAVE_STRSEP
+libcompat_la_SOURCES += compat/strsep.c
+endif
+
 if !HAVE_ASPRINTF
 libcompat_la_SOURCES += compat/bsd-asprintf.c
 endif
@@ -123,9 +135,11 @@ libcrypto_la_SOURCES += mem_dbg.c
 libcrypto_la_SOURCES += o_init.c
 libcrypto_la_SOURCES += o_str.c
 libcrypto_la_SOURCES += o_time.c
+noinst_HEADERS += constant_time_locl.h
 noinst_HEADERS += cryptlib.h
 noinst_HEADERS += md32_common.h
 noinst_HEADERS += o_time.h
+noinst_HEADERS += x86_arch.h
 
 # aes
 libcrypto_la_SOURCES += aes/aes_cfb.c
@@ -335,6 +349,12 @@ libcrypto_la_SOURCES += conf/conf_mod.c
 libcrypto_la_SOURCES += conf/conf_sap.c
 noinst_HEADERS += conf/conf_def.h
 
+# curve25519
+libcrypto_la_SOURCES += curve25519/curve25519-generic.c
+libcrypto_la_SOURCES += curve25519/curve25519.c
+noinst_HEADERS += curve25519/curve25519_internal.h
+
+
 # des
 libcrypto_la_SOURCES += des/cbc_cksm.c
 libcrypto_la_SOURCES += des/cbc_enc.c
@@ -415,6 +435,10 @@ libcrypto_la_SOURCES += ec/ec_print.c
 libcrypto_la_SOURCES += ec/eck_prn.c
 libcrypto_la_SOURCES += ec/ecp_mont.c
 libcrypto_la_SOURCES += ec/ecp_nist.c
+libcrypto_la_SOURCES += ec/ecp_nistp224.c
+libcrypto_la_SOURCES += ec/ecp_nistp256.c
+libcrypto_la_SOURCES += ec/ecp_nistp521.c
+libcrypto_la_SOURCES += ec/ecp_nistputil.c
 libcrypto_la_SOURCES += ec/ecp_oct.c
 libcrypto_la_SOURCES += ec/ecp_smpl.c
 noinst_HEADERS += ec/ec_lcl.h
@@ -556,9 +580,6 @@ libcrypto_la_SOURCES += idea/i_ofb64.c
 libcrypto_la_SOURCES += idea/i_skey.c
 noinst_HEADERS += idea/idea_lcl.h
 
-# krb5
-libcrypto_la_SOURCES += krb5/krb5_asn.c
-
 # lhash
 libcrypto_la_SOURCES += lhash/lh_stats.c
 libcrypto_la_SOURCES += lhash/lhash.c
@@ -762,6 +783,7 @@ libcrypto_la_SOURCES += x509/x509spki.c
 libcrypto_la_SOURCES += x509/x509type.c
 libcrypto_la_SOURCES += x509/x_all.c
 noinst_HEADERS += x509/x509_lcl.h
+noinst_HEADERS += x509/vpm_int.h
 
 # x509v3
 libcrypto_la_SOURCES += x509v3/pcy_cache.c

crypto/Makefile.am.arc4random

@@ -1,5 +1,6 @@
 if !HAVE_ARC4RANDOM_BUF
 libcompat_la_SOURCES += compat/arc4random.c
+libcompat_la_SOURCES += compat/arc4random_uniform.c
 
 if !HAVE_GETENTROPY
 if HOST_AIX

crypto/Makefile.am.elf-x86_64

@@ -1,22 +1,22 @@
 
-ASM_X86_64_ELF = aes/aes-elf-x86_64.s
+ASM_X86_64_ELF = aes/aes-elf-x86_64.S
-ASM_X86_64_ELF += aes/bsaes-elf-x86_64.s
+ASM_X86_64_ELF += aes/bsaes-elf-x86_64.S
-ASM_X86_64_ELF += aes/vpaes-elf-x86_64.s
+ASM_X86_64_ELF += aes/vpaes-elf-x86_64.S
-ASM_X86_64_ELF += aes/aesni-elf-x86_64.s
+ASM_X86_64_ELF += aes/aesni-elf-x86_64.S
-ASM_X86_64_ELF += aes/aesni-sha1-elf-x86_64.s
+ASM_X86_64_ELF += aes/aesni-sha1-elf-x86_64.S
-ASM_X86_64_ELF += bn/modexp512-elf-x86_64.s
+ASM_X86_64_ELF += bn/modexp512-elf-x86_64.S
-ASM_X86_64_ELF += bn/mont-elf-x86_64.s
+ASM_X86_64_ELF += bn/mont-elf-x86_64.S
-ASM_X86_64_ELF += bn/mont5-elf-x86_64.s
+ASM_X86_64_ELF += bn/mont5-elf-x86_64.S
-ASM_X86_64_ELF += bn/gf2m-elf-x86_64.s
+ASM_X86_64_ELF += bn/gf2m-elf-x86_64.S
-ASM_X86_64_ELF += camellia/cmll-elf-x86_64.s
+ASM_X86_64_ELF += camellia/cmll-elf-x86_64.S
-ASM_X86_64_ELF += md5/md5-elf-x86_64.s
+ASM_X86_64_ELF += md5/md5-elf-x86_64.S
-ASM_X86_64_ELF += modes/ghash-elf-x86_64.s
+ASM_X86_64_ELF += modes/ghash-elf-x86_64.S
-ASM_X86_64_ELF += rc4/rc4-elf-x86_64.s
+ASM_X86_64_ELF += rc4/rc4-elf-x86_64.S
-ASM_X86_64_ELF += rc4/rc4-md5-elf-x86_64.s
+ASM_X86_64_ELF += rc4/rc4-md5-elf-x86_64.S
-ASM_X86_64_ELF += sha/sha1-elf-x86_64.s
+ASM_X86_64_ELF += sha/sha1-elf-x86_64.S
 ASM_X86_64_ELF += sha/sha256-elf-x86_64.S
 ASM_X86_64_ELF += sha/sha512-elf-x86_64.S
-ASM_X86_64_ELF += whrlpool/wp-elf-x86_64.s
+ASM_X86_64_ELF += whrlpool/wp-elf-x86_64.S
 ASM_X86_64_ELF += cpuid-elf-x86_64.S
 
 EXTRA_DIST += $(ASM_X86_64_ELF)

crypto/Makefile.am.macosx-x86_64

@@ -1,22 +1,22 @@
 
-ASM_X86_64_MACOSX = aes/aes-macosx-x86_64.s
+ASM_X86_64_MACOSX = aes/aes-macosx-x86_64.S
-ASM_X86_64_MACOSX += aes/bsaes-macosx-x86_64.s
+ASM_X86_64_MACOSX += aes/bsaes-macosx-x86_64.S
-ASM_X86_64_MACOSX += aes/vpaes-macosx-x86_64.s
+ASM_X86_64_MACOSX += aes/vpaes-macosx-x86_64.S
-ASM_X86_64_MACOSX += aes/aesni-macosx-x86_64.s
+ASM_X86_64_MACOSX += aes/aesni-macosx-x86_64.S
-ASM_X86_64_MACOSX += aes/aesni-sha1-macosx-x86_64.s
+ASM_X86_64_MACOSX += aes/aesni-sha1-macosx-x86_64.S
-ASM_X86_64_MACOSX += bn/modexp512-macosx-x86_64.s
+ASM_X86_64_MACOSX += bn/modexp512-macosx-x86_64.S
-ASM_X86_64_MACOSX += bn/mont-macosx-x86_64.s
+ASM_X86_64_MACOSX += bn/mont-macosx-x86_64.S
-ASM_X86_64_MACOSX += bn/mont5-macosx-x86_64.s
+ASM_X86_64_MACOSX += bn/mont5-macosx-x86_64.S
-ASM_X86_64_MACOSX += bn/gf2m-macosx-x86_64.s
+ASM_X86_64_MACOSX += bn/gf2m-macosx-x86_64.S
-ASM_X86_64_MACOSX += camellia/cmll-macosx-x86_64.s
+ASM_X86_64_MACOSX += camellia/cmll-macosx-x86_64.S
-ASM_X86_64_MACOSX += md5/md5-macosx-x86_64.s
+ASM_X86_64_MACOSX += md5/md5-macosx-x86_64.S
-ASM_X86_64_MACOSX += modes/ghash-macosx-x86_64.s
+ASM_X86_64_MACOSX += modes/ghash-macosx-x86_64.S
-ASM_X86_64_MACOSX += rc4/rc4-macosx-x86_64.s
+ASM_X86_64_MACOSX += rc4/rc4-macosx-x86_64.S
-ASM_X86_64_MACOSX += rc4/rc4-md5-macosx-x86_64.s
+ASM_X86_64_MACOSX += rc4/rc4-md5-macosx-x86_64.S
-ASM_X86_64_MACOSX += sha/sha1-macosx-x86_64.s
+ASM_X86_64_MACOSX += sha/sha1-macosx-x86_64.S
 ASM_X86_64_MACOSX += sha/sha256-macosx-x86_64.S
 ASM_X86_64_MACOSX += sha/sha512-macosx-x86_64.S
-ASM_X86_64_MACOSX += whrlpool/wp-macosx-x86_64.s
+ASM_X86_64_MACOSX += whrlpool/wp-macosx-x86_64.S
 ASM_X86_64_MACOSX += cpuid-macosx-x86_64.S
 
 EXTRA_DIST += $(ASM_X86_64_MACOSX)

crypto/compat/b_win.c

@@ -23,8 +23,8 @@ BIO_sock_init(void)
 	if (!wsa_init_done) {
 		if (WSAStartup(version_requested, &wsa_state) != 0) {
 			int err = WSAGetLastError();
-			SYSerr(SYS_F_WSASTARTUP, err);
+			SYSerror(err);
-			BIOerr(BIO_F_BIO_SOCK_INIT, BIO_R_WSASTARTUP);
+			BIOerror(BIO_R_WSASTARTUP);
 			return (-1);
 		}
 		wsa_init_done = 1;

crypto/compat/inet_pton.c

@@ -1,212 +0,0 @@
-/*	$OpenBSD: inet_pton.c,v 1.9 2015/01/16 16:48:51 deraadt Exp $	*/
-
-/* Copyright (c) 1996 by Internet Software Consortium.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND INTERNET SOFTWARE CONSORTIUM DISCLAIMS
- * ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES
- * OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL INTERNET SOFTWARE
- * CONSORTIUM BE LIABLE FOR ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL
- * DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR
- * PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS
- * ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS
- * SOFTWARE.
- */
-
-#include <sys/types.h>
-#include <sys/socket.h>
-#include <netinet/in.h>
-#include <arpa/inet.h>
-#include <arpa/nameser.h>
-#include <string.h>
-#include <errno.h>
-
-/*
- * WARNING: Don't even consider trying to compile this on a system where
- * sizeof(int) < 4.  sizeof(int) > 4 is fine; all the world's not a VAX.
- */
-
-static int	inet_pton4(const char *src, u_char *dst);
-static int	inet_pton6(const char *src, u_char *dst);
-
-/* int
- * inet_pton(af, src, dst)
- *	convert from presentation format (which usually means ASCII printable)
- *	to network format (which is usually some kind of binary format).
- * return:
- *	1 if the address was valid for the specified address family
- *	0 if the address wasn't valid (`dst' is untouched in this case)
- *	-1 if some other error occurred (`dst' is untouched in this case, too)
- * author:
- *	Paul Vixie, 1996.
- */
-int
-inet_pton(int af, const char *src, void *dst)
-{
-	switch (af) {
-	case AF_INET:
-		return (inet_pton4(src, dst));
-	case AF_INET6:
-		return (inet_pton6(src, dst));
-	default:
-		errno = EAFNOSUPPORT;
-		return (-1);
-	}
-	/* NOTREACHED */
-}
-
-/* int
- * inet_pton4(src, dst)
- *	like inet_aton() but without all the hexadecimal and shorthand.
- * return:
- *	1 if `src' is a valid dotted quad, else 0.
- * notice:
- *	does not touch `dst' unless it's returning 1.
- * author:
- *	Paul Vixie, 1996.
- */
-static int
-inet_pton4(const char *src, u_char *dst)
-{
-	static const char digits[] = "0123456789";
-	int saw_digit, octets, ch;
-	u_char tmp[INADDRSZ], *tp;
-
-	saw_digit = 0;
-	octets = 0;
-	*(tp = tmp) = 0;
-	while ((ch = *src++) != '\0') {
-		const char *pch;
-
-		if ((pch = strchr(digits, ch)) != NULL) {
-			u_int new = *tp * 10 + (pch - digits);
-
-			if (new > 255)
-				return (0);
-			if (! saw_digit) {
-				if (++octets > 4)
-					return (0);
-				saw_digit = 1;
-			}
-			*tp = new;
-		} else if (ch == '.' && saw_digit) {
-			if (octets == 4)
-				return (0);
-			*++tp = 0;
-			saw_digit = 0;
-		} else
-			return (0);
-	}
-	if (octets < 4)
-		return (0);
-
-	memcpy(dst, tmp, INADDRSZ);
-	return (1);
-}
-
-/* int
- * inet_pton6(src, dst)
- *	convert presentation level address to network order binary form.
- * return:
- *	1 if `src' is a valid [RFC1884 2.2] address, else 0.
- * notice:
- *	does not touch `dst' unless it's returning 1.
- * credit:
- *	inspired by Mark Andrews.
- * author:
- *	Paul Vixie, 1996.
- */
-static int
-inet_pton6(const char *src, u_char *dst)
-{
-	static const char xdigits_l[] = "0123456789abcdef",
-			  xdigits_u[] = "0123456789ABCDEF";
-	u_char tmp[IN6ADDRSZ], *tp, *endp, *colonp;
-	const char *xdigits, *curtok;
-	int ch, saw_xdigit, count_xdigit;
-	u_int val;
-
-	memset((tp = tmp), '\0', IN6ADDRSZ);
-	endp = tp + IN6ADDRSZ;
-	colonp = NULL;
-	/* Leading :: requires some special handling. */
-	if (*src == ':')
-		if (*++src != ':')
-			return (0);
-	curtok = src;
-	saw_xdigit = count_xdigit = 0;
-	val = 0;
-	while ((ch = *src++) != '\0') {
-		const char *pch;
-
-		if ((pch = strchr((xdigits = xdigits_l), ch)) == NULL)
-			pch = strchr((xdigits = xdigits_u), ch);
-		if (pch != NULL) {
-			if (count_xdigit >= 4)
-				return (0);
-			val <<= 4;
-			val |= (pch - xdigits);
-			if (val > 0xffff)
-				return (0);
-			saw_xdigit = 1;
-			count_xdigit++;
-			continue;
-		}
-		if (ch == ':') {
-			curtok = src;
-			if (!saw_xdigit) {
-				if (colonp)
-					return (0);
-				colonp = tp;
-				continue;
-			} else if (*src == '\0') {
-				return (0);
-			}
-			if (tp + INT16SZ > endp)
-				return (0);
-			*tp++ = (u_char) (val >> 8) & 0xff;
-			*tp++ = (u_char) val & 0xff;
-			saw_xdigit = 0;
-			count_xdigit = 0;
-			val = 0;
-			continue;
-		}
-		if (ch == '.' && ((tp + INADDRSZ) <= endp) &&
-		    inet_pton4(curtok, tp) > 0) {
-			tp += INADDRSZ;
-			saw_xdigit = 0;
-			count_xdigit = 0;
-			break;	/* '\0' was seen by inet_pton4(). */
-		}
-		return (0);
-	}
-	if (saw_xdigit) {
-		if (tp + INT16SZ > endp)
-			return (0);
-		*tp++ = (u_char) (val >> 8) & 0xff;
-		*tp++ = (u_char) val & 0xff;
-	}
-	if (colonp != NULL) {
-		/*
-		 * Since some memmove()'s erroneously fail to handle
-		 * overlapping regions, we'll do the shift by hand.
-		 */
-		const int n = tp - colonp;
-		int i;
-
-		if (tp == endp)
-			return (0);
-		for (i = 1; i <= n; i++) {
-			endp[- i] = colonp[n - i];
-			colonp[n - i] = 0;
-		}
-		tp = endp;
-	}
-	if (tp != endp)
-		return (0);
-	memcpy(dst, tmp, IN6ADDRSZ);
-	return (1);
-}

crypto/compat/posix_win.c

@@ -12,6 +12,8 @@
 #include <ws2tcpip.h>
 
 #include <errno.h>
+#include <fcntl.h>
+#include <stdint.h>
 #include <stdio.h>
 #include <stdlib.h>
 #include <string.h>
@@ -38,6 +40,42 @@ posix_fopen(const char *path, const char *mode)
 	return fopen(path, mode);
 }
 
+int
+posix_open(const char *path, ...)
+{
+	va_list ap;
+	int mode = 0;
+	int flags;
+
+	va_start(ap, path);
+	flags = va_arg(ap, int);
+	if (flags & O_CREAT)
+		mode = va_arg(ap, int);
+	va_end(ap);
+
+	flags |= O_BINARY;
+	if (flags & O_CLOEXEC) {
+		flags &= ~O_CLOEXEC;
+		flags |= O_NOINHERIT;
+	}
+	flags &= ~O_NONBLOCK;
+	return open(path, flags, mode);
+}
+
+char *
+posix_fgets(char *s, int size, FILE *stream)
+{
+	char *ret = fgets(s, size, stream);
+	if (ret != NULL) {
+		size_t end = strlen(ret);
+		if (end >= 2 && ret[end - 2] == '\r' && ret[end - 1] == '\n') {
+			ret[end - 2] = '\n';
+			ret[end - 1] = '\0';
+		}
+	}
+	return ret;
+}
+
 int
 posix_rename(const char *oldpath, const char *newpath)
 {
@@ -94,6 +132,9 @@ wsa_errno(int err)
 	case WSAEAFNOSUPPORT:
 		errno = EAFNOSUPPORT;
 		break;
+	case WSAEBADF:
+		errno = EBADF;
+		break;
 	case WSAENETRESET:
 	case WSAENOTCONN:
 	case WSAECONNABORTED:
@@ -120,7 +161,7 @@ posix_close(int fd)
 {
 	if (closesocket(fd) == SOCKET_ERROR) {
 		int err = WSAGetLastError();
-		return err == WSAENOTSOCK ?
+		return (err == WSAENOTSOCK || err == WSAEBADF) ?
 			close(fd) : wsa_errno(err);
 	}
 	return 0;
@@ -132,7 +173,7 @@ posix_read(int fd, void *buf, size_t count)
 	ssize_t rc = recv(fd, buf, count, 0);
 	if (rc == SOCKET_ERROR) {
 		int err = WSAGetLastError();
-		return err == WSAENOTSOCK ?
+		return (err == WSAENOTSOCK || err == WSAEBADF) ?
 			read(fd, buf, count) : wsa_errno(err);
 	}
 	return rc;
@@ -144,7 +185,7 @@ posix_write(int fd, const void *buf, size_t count)
 	ssize_t rc = send(fd, buf, count, 0);
 	if (rc == SOCKET_ERROR) {
 		int err = WSAGetLastError();
-		return err == WSAENOTSOCK ?
+		return (err == WSAENOTSOCK || err == WSAEBADF) ?
 			write(fd, buf, count) : wsa_errno(err);
 	}
 	return rc;

crypto/compat/ui_openssl_win.c

@@ -302,8 +302,12 @@ open_console(UI *ui)
 	tty_out = stderr;
 
 	HANDLE handle = GetStdHandle(STD_INPUT_HANDLE);
-	if (handle != INVALID_HANDLE_VALUE)
+	if (handle != NULL && handle != INVALID_HANDLE_VALUE) {
+		if (GetFileType(handle) == FILE_TYPE_CHAR)
 			return GetConsoleMode(handle, &console_mode);
+		else
+			return 1;
+	}
 	return 0;
 }
 
@@ -311,8 +315,12 @@ static int
 noecho_console(UI *ui)
 {
 	HANDLE handle = GetStdHandle(STD_INPUT_HANDLE);
-	if (handle != INVALID_HANDLE_VALUE)
+	if (handle != NULL && handle != INVALID_HANDLE_VALUE) {
+		if (GetFileType(handle) == FILE_TYPE_CHAR)
 			return SetConsoleMode(handle, console_mode & ~ENABLE_ECHO_INPUT);
+		else
+			return 1;
+	}
 	return 0;
 }
 
@@ -320,8 +328,12 @@ static int
 echo_console(UI *ui)
 {
 	HANDLE handle = GetStdHandle(STD_INPUT_HANDLE);
-	if (handle != INVALID_HANDLE_VALUE)
+	if (handle != NULL && handle != INVALID_HANDLE_VALUE) {
+		if (GetFileType(handle) == FILE_TYPE_CHAR)
 			return SetConsoleMode(handle, console_mode);
+		else
+			return 1;
+	}
 	return 0;
 }
 

dist-win.sh

@@ -22,7 +22,7 @@ for ARCH in X86 X64; do
 
 	echo Building for $HOST
 
-	CC=$HOST-gcc ./configure --host=$HOST
+	CC=$HOST-gcc ./configure --host=$HOST --with-openssldir=c:/libressl/ssl
 	make clean
 	PATH=$PATH:/usr/$HOST/sys-root/mingw/bin \
 	   make -j 4 check

include/CMakeLists.txt

@@ -2,4 +2,4 @@ install(DIRECTORY .
         DESTINATION include
         PATTERN "CMakeLists.txt" EXCLUDE
         PATTERN "compat" EXCLUDE
-        PATTERN "Makefile.*" EXCLUDE)
+        PATTERN "Makefile*" EXCLUDE)

include/Makefile.am

@@ -8,6 +8,7 @@ noinst_HEADERS = pqueue.h
 noinst_HEADERS += compat/dirent.h
 noinst_HEADERS += compat/dirent_msvc.h
 noinst_HEADERS += compat/err.h
+noinst_HEADERS += compat/fcntl.h
 noinst_HEADERS += compat/limits.h
 noinst_HEADERS += compat/netdb.h
 noinst_HEADERS += compat/poll.h
@@ -29,7 +30,6 @@ noinst_HEADERS += compat/netinet/in.h
 noinst_HEADERS += compat/netinet/ip.h
 noinst_HEADERS += compat/netinet/tcp.h
 
-noinst_HEADERS += compat/sys/cdefs.h
 noinst_HEADERS += compat/sys/ioctl.h
 noinst_HEADERS += compat/sys/mman.h
 noinst_HEADERS += compat/sys/param.h

include/compat/arpa/inet.h

@@ -14,6 +14,10 @@
 
 #endif
 
+#ifndef HAVE_INET_NTOP
+const char * inet_ntop(int af, const void *src, char *dst, socklen_t size);
+#endif
+
 #ifndef HAVE_INET_PTON
 int inet_pton(int af, const char * src, void * dst);
 #endif

include/compat/err.h

@@ -13,20 +13,76 @@
 #define LIBCRYPTOCOMPAT_ERR_H
 
 #include <errno.h>
+#include <stdarg.h>
+#include <stdlib.h>
 #include <stdio.h>
 #include <string.h>
 
-#define err(exitcode, format, ...) \
+#if defined(_MSC_VER)
-  errx(exitcode, format ": %s", ## __VA_ARGS__, strerror(errno))
+__declspec(noreturn)
+#else
+__attribute__((noreturn))
+#endif
+static inline void
+err(int eval, const char *fmt, ...)
+{
+	int sverrno = errno;
+	va_list ap;
 
-#define errx(exitcode, format, ...) \
+	va_start(ap, fmt);
-  do { warnx(format, ## __VA_ARGS__); exit(exitcode); } while (0)
+	if (fmt != NULL) {
+		vfprintf(stderr, fmt, ap);
+		fprintf(stderr, ": ");
+	}
+	fprintf(stderr, "%s\n", strerror(sverrno));
+	exit(eval);
+	va_end(ap);
+}
 
-#define warn(format, ...) \
+#if defined(_MSC_VER)
-  warnx(format ": %s", ## __VA_ARGS__, strerror(errno))
+__declspec(noreturn)
+#else
+__attribute__((noreturn))
+#endif
+static inline void
+errx(int eval, const char *fmt, ...)
+{
+	va_list ap;
 
-#define warnx(format, ...) \
+	va_start(ap, fmt);
-  fprintf(stderr, format "\n", ## __VA_ARGS__)
+	if (fmt != NULL)
+		vfprintf(stderr, fmt, ap);
+	fprintf(stderr, "\n");
+	exit(eval);
+	va_end(ap);
+}
+
+static inline void
+warn(const char *fmt, ...)
+{
+	int sverrno = errno;
+	va_list ap;
+
+	va_start(ap, fmt);
+	if (fmt != NULL) {
+		vfprintf(stderr, fmt, ap);
+		fprintf(stderr, ": ");
+	}
+	fprintf(stderr, "%s\n", strerror(sverrno));
+	va_end(ap);
+}
+
+static inline void
+warnx(const char *fmt, ...)
+{
+	va_list ap;
+
+	va_start(ap, fmt);
+	if (fmt != NULL)
+		vfprintf(stderr, fmt, ap);
+	fprintf(stderr, "\n");
+	va_end(ap);
+}
 
 #endif
 

include/compat/fcntl.h

@@ -0,0 +1,32 @@
+/*
+ * Public domain
+ * fcntl.h compatibility shim
+ */
+
+#ifndef _WIN32
+#include_next <fcntl.h>
+#else
+
+#ifdef _MSC_VER
+#if _MSC_VER >= 1900
+#include <../ucrt/fcntl.h>
+#else
+#include <../include/fcntl.h>
+#endif
+#else
+#include_next <fcntl.h>
+#endif
+
+#endif
+
+#ifndef O_NONBLOCK
+#define O_NONBLOCK      0x100000
+#endif
+
+#ifndef O_CLOEXEC
+#define O_CLOEXEC       0x200000
+#endif
+
+#ifndef FD_CLOEXEC
+#define FD_CLOEXEC      1
+#endif

include/compat/limits.h

@@ -4,10 +4,14 @@
  */
 
 #ifdef _MSC_VER
-#if _MSC_VER >= 1900
-#include <../ucrt/limits.h>
-#else
 #include <../include/limits.h>
+#if _MSC_VER >= 1900
+#include <../ucrt/stdlib.h>
+#else
+#include <../include/stdlib.h>
+#endif
+#ifndef PATH_MAX
+#define PATH_MAX _MAX_PATH
 #endif
 #else
 #include_next <limits.h>

include/compat/netinet/ip.h

@@ -3,6 +3,10 @@
  * netinet/ip.h compatibility shim
  */
 
+#if defined(__hpux)
+#include <netinet/in_systm.h>
+#endif
+
 #ifndef _WIN32
 #include_next <netinet/ip.h>
 #else

include/compat/stdio.h

@@ -26,13 +26,19 @@ int asprintf(char **str, const char *fmt, ...);
 
 #ifdef _WIN32
 
+#if defined(_MSC_VER)
+#define __func__ __FUNCTION__
+#endif
+
 void posix_perror(const char *s);
 FILE * posix_fopen(const char *path, const char *mode);
+char * posix_fgets(char *s, int size, FILE *stream);
 int posix_rename(const char *oldpath, const char *newpath);
 
 #ifndef NO_REDEF_POSIX_FUNCTIONS
 #define perror(errnum) posix_perror(errnum)
 #define fopen(path, mode) posix_fopen(path, mode)
+#define fgets(s, size, stream) posix_fgets(s, size, stream)
 #define rename(oldpath, newpath) posix_rename(oldpath, newpath)
 #endif
 

include/compat/stdlib.h

@@ -22,6 +22,7 @@
 #ifndef HAVE_ARC4RANDOM_BUF
 uint32_t arc4random(void);
 void arc4random_buf(void *_buf, size_t n);
+uint32_t arc4random_uniform(uint32_t upper_bound);
 #endif
 
 #ifndef HAVE_REALLOCARRAY

include/compat/string.h

@@ -18,9 +18,10 @@
 
 #include <sys/types.h>
 
-#if defined(__sun) || defined(__hpux)
+#if defined(__sun) || defined(_AIX) || defined(__hpux)
 /* Some functions historically defined in string.h were placed in strings.h by
- * SUS. Use the same hack as OS X and FreeBSD use to work around on Solaris and HPUX.
+ * SUS. Use the same hack as OS X and FreeBSD use to work around on AIX,
+ * Solaris, and HPUX.
  */
 #include <strings.h>
 #endif

include/compat/sys/cdefs.h

@@ -1,31 +0,0 @@
-/*
- * Public domain
- * sys/cdefs.h compatibility shim
- */
-
-#ifndef LIBCRYPTOCOMPAT_SYS_CDEFS_H
-#define LIBCRYPTOCOMPAT_SYS_CDEFS_H
-
-#ifdef _WIN32
-
-#define __warn_references(sym,msg)
-
-#else
-
-#include_next <sys/cdefs.h>
-
-#ifndef __warn_references
-
-#if defined(__GNUC__)  && defined (HAS_GNU_WARNING_LONG)
-#define __warn_references(sym,msg)          \
-  __asm__(".section .gnu.warning." __STRING(sym)  \
-         " ; .ascii \"" msg "\" ; .text");
-#else
-#define __warn_references(sym,msg)
-#endif
-
-#endif /* __warn_references */
-
-#endif /* _WIN32 */
-
-#endif /* LIBCRYPTOCOMPAT_SYS_CDEFS_H */

include/compat/sys/socket.h

@@ -8,3 +8,10 @@
 #else
 #include <win32netcompat.h>
 #endif
+
+#if !defined(SOCK_NONBLOCK) || !defined(SOCK_CLOEXEC)
+#define SOCK_CLOEXEC            0x8000  /* set FD_CLOEXEC */
+#define SOCK_NONBLOCK           0x4000  /* set O_NONBLOCK */
+int bsd_socketpair(int domain, int type, int protocol, int socket_vector[2]);
+#define socketpair(d,t,p,sv) bsd_socketpair(d,t,p,sv)
+#endif

include/compat/sys/stat.h

@@ -8,6 +8,15 @@
 
 #ifndef _MSC_VER
 #include_next <sys/stat.h>
+
+/* for old MinGW */
+#ifndef S_IRGRP
+#define S_IRGRP         0
+#endif
+#ifndef S_IROTH
+#define S_IROTH         0
+#endif
+
 #else
 
 #include <windows.h>

include/compat/sys/types.h

@@ -44,4 +44,25 @@ typedef SSIZE_T ssize_t;
 # define __bounded__(x, y, z)
 #endif
 
+#ifdef _WIN32
+#define __warn_references(sym,msg)
+#else
+
+#ifndef __warn_references
+
+#ifndef __STRING
+#define __STRING(x) #x
+#endif
+
+#if defined(__GNUC__)  && defined (HAS_GNU_WARNING_LONG)
+#define __warn_references(sym,msg)          \
+  __asm__(".section .gnu.warning." __STRING(sym)  \
+         " ; .ascii \"" msg "\" ; .text");
+#else
+#define __warn_references(sym,msg)
+#endif
+
+#endif /* __warn_references */
+#endif /* _WIN32 */
+
 #endif

include/compat/unistd.h

@@ -14,6 +14,9 @@
 #include <io.h>
 #include <process.h>
 
+#define STDOUT_FILENO   1
+#define STDERR_FILENO   2
+
 #define R_OK    4
 #define W_OK    2
 #define X_OK    0
@@ -27,8 +30,19 @@ unsigned int sleep(unsigned int seconds);
 
 #ifndef HAVE_GETENTROPY
 int getentropy(void *buf, size_t buflen);
+#else
+/*
+ * Solaris 11.3 adds getentropy(2), but defines the function in sys/random.h
+ */
+#if defined(__sun)
+#include <sys/random.h>
+#endif
 #endif
 
 #define pledge(request, paths) 0
 
+#ifndef HAVE_PIPE2
+int pipe2(int fildes[2], int flags);
+#endif
+
 #endif

include/compat/win32netcompat.h

@@ -26,7 +26,10 @@
 
 int posix_connect(int sockfd, const struct sockaddr *addr, socklen_t addrlen);
 
+int posix_open(const char *path, ...);
+
 int posix_close(int fd);
+
 ssize_t posix_read(int fd, void *buf, size_t count);
 
 ssize_t posix_write(int fd, const void *buf, size_t count);
@@ -39,6 +42,7 @@ int posix_setsockopt(int sockfd, int level, int optname,
 
 #ifndef NO_REDEF_POSIX_FUNCTIONS
 #define connect(sockfd, addr, addrlen) posix_connect(sockfd, addr, addrlen)
+#define open(path, ...) posix_open(path, __VA_ARGS__)
 #define close(fd) posix_close(fd)
 #define read(fd, buf, count) posix_read(fd, buf, count)
 #define write(fd, buf, count) posix_write(fd, buf, count)

libcrypto.pc.in

@@ -11,5 +11,5 @@ Version: @VERSION@
 Requires:
 Conflicts:
 Libs: -L${libdir} -lcrypto
-Libs.private: @LIBS@
+Libs.private: @LIBS@ @PLATFORM_LDADD@
 Cflags: -I${includedir}

libssl.pc.in

@@ -12,5 +12,5 @@ Requires:
 Requires.private: libcrypto
 Conflicts:
 Libs: -L${libdir} -lssl
-Libs.private: @LIBS@ -lcrypto
+Libs.private: @LIBS@ -lcrypto @PLATFORM_LDADD@
 Cflags: -I${includedir}

libtls-standalone/include/string.h

@@ -18,9 +18,10 @@
 
 #include <sys/types.h>
 
-#if defined(__sun) || defined(__hpux)
+#if defined(__sun) || defined(_AIX) || defined(__hpux)
 /* Some functions historically defined in string.h were placed in strings.h by
- * SUS. Use the same hack as OS X and FreeBSD use to work around on Solaris and HPUX.
+ * SUS. Use the same hack as OS X and FreeBSD use to work around on AIX,
+ * Solaris, and HPUX.
  */
 #include <strings.h>
 #endif

libtls-standalone/src/Makefile.am

@@ -8,6 +8,7 @@ libtls_la_LIBADD += $(top_builddir)/compat/libcompat.la
 libtls_la_LIBADD += $(top_builddir)/compat/libcompatnoopt.la
 
 libtls_la_SOURCES = tls.c
+libtls_la_SOURCES += tls_bio_cb.c
 libtls_la_SOURCES += tls_client.c
 libtls_la_SOURCES += tls_config.c
 libtls_la_SOURCES += tls_server.c

libtls-standalone/tests/test.c

@@ -5,7 +5,7 @@ int main()
 {
 	struct tls *tls;
 	struct tls_config *tls_config;
-	size_t written, read;
+	ssize_t written, read;
 	char buf[4096];
 
 	if (tls_init() != 0) {
@@ -31,10 +31,10 @@ int main()
 	if (tls_connect(tls, "google.com", "443") != 0)
 		goto err;
 
-	if (tls_write(tls, "GET /\r\n", 7, &written) != 0)
+	if ((written = tls_write(tls, "GET /\r\n", 7)) < 0)
 		goto err;
 
-	if (tls_read(tls, buf, sizeof(buf), &read) != 0)
+	if ((read = tls_read(tls, buf, sizeof(buf))) < 0)
 		goto err;
 
 	buf[read - 1] = '\0';

libtls.pc.in

@@ -12,5 +12,5 @@ Requires:
 Requires.private: libcrypto libssl
 Conflicts:
 Libs: -L${libdir} -ltls
-Libs.private: @LIBS@ -lcrypto -lssl
+Libs.private: @LIBS@ -lcrypto -lssl @PLATFORM_LDADD@
 Cflags: -I${includedir}

m4/check-libc.m4

@@ -2,10 +2,11 @@ AC_DEFUN([CHECK_LIBC_COMPAT], [
 # Check for libc headers
 AC_CHECK_HEADERS([err.h readpassphrase.h])
 # Check for general libc functions
-AC_CHECK_FUNCS([asprintf inet_pton memmem readpassphrase reallocarray])
+AC_CHECK_FUNCS([asprintf inet_ntop inet_pton memmem readpassphrase])
-AC_CHECK_FUNCS([strlcat strlcpy strndup strnlen strsep strtonum])
+AC_CHECK_FUNCS([reallocarray strlcat strlcpy strndup strnlen strsep strtonum])
 AC_CHECK_FUNCS([timegm _mkgmtime])
 AM_CONDITIONAL([HAVE_ASPRINTF], [test "x$ac_cv_func_asprintf" = xyes])
+AM_CONDITIONAL([HAVE_INET_NTOP], [test "x$ac_cv_func_inet_ntop" = xyes])
 AM_CONDITIONAL([HAVE_INET_PTON], [test "x$ac_cv_func_inet_pton" = xyes])
 AM_CONDITIONAL([HAVE_MEMMEM], [test "x$ac_cv_func_memmem" = xyes])
 AM_CONDITIONAL([HAVE_READPASSPHRASE], [test "x$ac_cv_func_readpassphrase" = xyes])
@@ -20,10 +21,12 @@ AM_CONDITIONAL([HAVE_TIMEGM], [test "x$ac_cv_func_timegm" = xyes])
 ])
 
 AC_DEFUN([CHECK_SYSCALL_COMPAT], [
-AC_CHECK_FUNCS([accept4 pledge poll])
+AC_CHECK_FUNCS([accept4 pipe2 pledge poll socketpair])
 AM_CONDITIONAL([HAVE_ACCEPT4], [test "x$ac_cv_func_accept4" = xyes])
+AM_CONDITIONAL([HAVE_PIPE2], [test "x$ac_cv_func_pipe2" = xyes])
 AM_CONDITIONAL([HAVE_PLEDGE], [test "x$ac_cv_func_pledge" = xyes])
 AM_CONDITIONAL([HAVE_POLL], [test "x$ac_cv_func_poll" = xyes])
+AM_CONDITIONAL([HAVE_SOCKETPAIR], [test "x$ac_cv_func_socketpair" = xyes])
 ])
 
 AC_DEFUN([CHECK_B64_NTOP], [
@@ -41,14 +44,62 @@ AC_CACHE_CHECK([for b64_ntop], ac_cv_have_b64_ntop_arg, [
 	[ ac_cv_have_b64_ntop_arg="no"
 	])
 ])
-AM_CONDITIONAL([HAVE_B64_NTOP], [test "x$ac_cv_func_b64_ntop" = xyes])
+AM_CONDITIONAL([HAVE_B64_NTOP], [test "x$ac_cv_func_b64_ntop_arg" = xyes])
 ])
 
 AC_DEFUN([CHECK_CRYPTO_COMPAT], [
 # Check crypto-related libc functions and syscalls
-AC_CHECK_FUNCS([arc4random_buf explicit_bzero getauxval getentropy])
+AC_CHECK_FUNCS([arc4random arc4random_buf arc4random_uniform])
+AC_CHECK_FUNCS([explicit_bzero getauxval])
+
+AC_CACHE_CHECK([for getentropy], ac_cv_func_getentropy, [
+	AC_LINK_IFELSE([AC_LANG_PROGRAM([[
+#include <sys/types.h>
+#include <unistd.h>
+
+/*
+ * Explanation:
+ *
+ *   - iOS <= 10.1 fails because of missing sys/random.h
+ *
+ *   - in macOS 10.12 getentropy is not tagged as introduced in
+ *     10.12 so we cannot use it for target < 10.12
+ */
+#ifdef __APPLE__
+#  include <AvailabilityMacros.h>
+#  include <TargetConditionals.h>
+
+# if (TARGET_OS_IPHONE || TARGET_OS_SIMULATOR)
+#  include <sys/random.h> /* Not available as of iOS <= 10.1 */
+# else
+
+#  include <sys/random.h> /* Pre 10.12 systems should die here */
+
+/* Based on: https://gitweb.torproject.org/tor.git/commit/?id=16fcbd21 */
+#  ifndef MAC_OS_X_VERSION_10_12
+#    define MAC_OS_X_VERSION_10_12 101200 /* Robustness */
+#  endif
+#  if defined(MAC_OS_X_VERSION_MIN_REQUIRED)
+#    if MAC_OS_X_VERSION_MIN_REQUIRED < MAC_OS_X_VERSION_10_12
+#      error "Targeting on Mac OSX 10.11 or earlier"
+#    endif
+#  endif
+
+# endif
+#endif /* __APPLE__ */
+		]], [[
+	char buffer;
+	(void)getentropy(&buffer, sizeof (buffer));
+]])],
+	[ ac_cv_func_getentropy="yes" ],
+	[ ac_cv_func_getentropy="no"
+	])
+])
+
 AC_CHECK_FUNCS([timingsafe_bcmp timingsafe_memcmp])
+AM_CONDITIONAL([HAVE_ARC4RANDOM], [test "x$ac_cv_func_arc4random" = xyes])
 AM_CONDITIONAL([HAVE_ARC4RANDOM_BUF], [test "x$ac_cv_func_arc4random_buf" = xyes])
+AM_CONDITIONAL([HAVE_ARC4RANDOM_UNIFORM], [test "x$ac_cv_func_arc4random_uniform" = xyes])
 AM_CONDITIONAL([HAVE_EXPLICIT_BZERO], [test "x$ac_cv_func_explicit_bzero" = xyes])
 AM_CONDITIONAL([HAVE_GETENTROPY], [test "x$ac_cv_func_getentropy" = xyes])
 AM_CONDITIONAL([HAVE_TIMINGSAFE_BCMP], [test "x$ac_cv_func_timingsafe_bcmp" = xyes])
@@ -56,15 +107,15 @@ AM_CONDITIONAL([HAVE_TIMINGSAFE_MEMCMP], [test "x$ac_cv_func_timingsafe_memcmp"
 
 # Override arc4random_buf implementations with known issues
 AM_CONDITIONAL([HAVE_ARC4RANDOM_BUF],
-	[test "x$HOST_OS" != xdarwin \
+	[test "x$USE_BUILTIN_ARC4RANDOM" != xyes \
-	   -a "x$HOST_OS" != xfreebsd \
-	   -a "x$HOST_OS" != xnetbsd \
 	   -a "x$ac_cv_func_arc4random_buf" = xyes])
 
 # Check for getentropy fallback dependencies
 AC_CHECK_FUNC([getauxval])
-AC_CHECK_FUNC([clock_gettime],, [AC_SEARCH_LIBS([clock_gettime],[rt posix4])])
+AC_SEARCH_LIBS([clock_gettime],[rt posix4])
-AC_CHECK_FUNC([dl_iterate_phdr],, [AC_SEARCH_LIBS([dl_iterate_phdr],[dl])])
+AC_CHECK_FUNC([clock_gettime])
+AC_SEARCH_LIBS([dl_iterate_phdr],[dl])
+AC_CHECK_FUNC([dl_iterate_phdr])
 ])
 
 AC_DEFUN([CHECK_VA_COPY], [
@@ -93,3 +144,77 @@ if test "x$ac_cv_have___va_copy" = "xyes" ; then
 	AC_DEFINE([HAVE___VA_COPY], [1], [Define if __va_copy exists])
 fi
 ])
+
+AC_DEFUN([GENERATE_CRYPTO_PORTABLE_SYM], [
+crypto_sym=$srcdir/crypto/crypto.sym
+crypto_p_sym=$srcdir/crypto/crypto_portable.sym
+echo "generating $crypto_p_sym ..."
+chmod u+w $srcdir/crypto
+cp $crypto_sym $crypto_p_sym
+chmod u+w $crypto_p_sym
+if test "x$ac_cv_func_arc4random" = "xno" ; then
+	echo arc4random >> $crypto_p_sym
+fi
+if test "x$ac_cv_func_arc4random_buf" = "xno" ; then
+	echo arc4random_buf >> $crypto_p_sym
+fi
+if test "x$ac_cv_func_arc4random_uniform" = "xno" ; then
+	echo arc4random_uniform >> $crypto_p_sym
+fi
+if test "x$ac_cv_func_asprintf" = "xno" ; then
+	echo asprintf >> $crypto_p_sym
+	echo vasprintf >> $crypto_p_sym
+fi
+if test "x$ac_cv_func_explicit_bzero" = "xno" ; then
+	echo explicit_bzero >> $crypto_p_sym
+fi
+if test "x$ac_cv_func_getentropy" = "xno" ; then
+	echo getentropy >> $crypto_p_sym
+fi
+if test "x$ac_cv_func_inet_pton" = "xno" ; then
+	echo inet_pton >> $crypto_p_sym
+fi
+if test "x$ac_cv_func_reallocarray" = "xno" ; then
+	echo reallocarray >> $crypto_p_sym
+fi
+if test "x$ac_cv_func_strlcat" = "xno" ; then
+	echo strlcat >> $crypto_p_sym
+fi
+if test "x$ac_cv_func_strlcpy" = "xno" ; then
+	echo strlcpy >> $crypto_p_sym
+fi
+if test "x$ac_cv_func_strndup" = "xno" ; then
+	echo strndup >> $crypto_p_sym
+fi
+if test "x$ac_cv_func_strnlen" = "xno" ; then
+	echo strnlen >> $crypto_p_sym
+fi
+if test "x$ac_cv_func_strsep" = "xno" ; then
+	echo strsep >> $crypto_p_sym
+fi
+if test "x$ac_cv_func_timegm" = "xno" ; then
+	echo timegm >> $crypto_p_sym
+fi
+if test "x$ac_cv_func_timingsafe_bcmp" = "xno" ; then
+	echo timingsafe_bcmp >> $crypto_p_sym
+fi
+if test "x$ac_cv_func_timingsafe_memcmp" = "xno" ; then
+	echo timingsafe_memcmp >> $crypto_p_sym
+fi
+if test "x$HOST_OS" = "xwin" ; then
+	echo posix_perror >> $crypto_p_sym
+	echo posix_fopen >> $crypto_p_sym
+	echo posix_fgets >> $crypto_p_sym
+	echo posix_open >> $crypto_p_sym
+	echo posix_rename >> $crypto_p_sym
+	echo posix_connect >> $crypto_p_sym
+	echo posix_close >> $crypto_p_sym
+	echo posix_read >> $crypto_p_sym
+	echo posix_write >> $crypto_p_sym
+	echo posix_getsockopt >> $crypto_p_sym
+	echo posix_setsockopt >> $crypto_p_sym
+
+	grep -v BIO_s_log $crypto_p_sym > $crypto_p_sym.tmp
+	mv $crypto_p_sym.tmp $crypto_p_sym
+fi
+])

m4/check-os-options.m4

@@ -1,6 +1,7 @@
 AC_DEFUN([CHECK_OS_OPTIONS], [
 
 CFLAGS="$CFLAGS -Wall -std=gnu99 -fno-strict-aliasing"
+BUILD_NC=yes
 
 case $host_os in
 	*aix*)
@@ -14,14 +15,54 @@ case $host_os in
 		HOST_OS=cygwin
 		;;
 	*darwin*)
-		BUILD_NC=yes
 		HOST_OS=darwin
 		HOST_ABI=macosx
+		#
+		# Don't use arc4random on systems before 10.12 because of
+		# weak seed on failure to open /dev/random, based on latest
+		# public source:
+		# http://www.opensource.apple.com/source/Libc/Libc-997.90.3/gen/FreeBSD/arc4random.c
+		#
+		# We use the presence of getentropy() to detect 10.12. The
+		# following check take into account that:
+ 		#
+		#   - iOS <= 10.1 fails because of missing getentropy and
+		#     hence they miss sys/random.h
+		#
+		#   - in macOS 10.12 getentropy is not tagged as introduced in
+		#     10.12 so we cannot use it for target < 10.12
+		#
+		AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
+#include <AvailabilityMacros.h>
+#include <unistd.h>
+#include <sys/random.h>  /* Systems without getentropy() should die here */
+
+/* Based on: https://gitweb.torproject.org/tor.git/commit/?id=16fcbd21 */
+#ifndef MAC_OS_X_VERSION_10_12
+#  define MAC_OS_X_VERSION_10_12 101200
+#endif
+#if defined(MAC_OS_X_VERSION_MIN_REQUIRED)
+#  if MAC_OS_X_VERSION_MIN_REQUIRED < MAC_OS_X_VERSION_10_12
+#    error "Running on Mac OSX 10.11 or earlier"
+#  endif
+#endif
+                       ]], [[
+char buf[1]; getentropy(buf, 1);
+					   ]])],
+                       [ USE_BUILTIN_ARC4RANDOM=no ],
+                       [ USE_BUILTIN_ARC4RANDOM=yes ]
+		)
+		AC_MSG_CHECKING([whether to use builtin arc4random])
+		AC_MSG_RESULT([$USE_BUILTIN_ARC4RANDOM])
+		# Not available on iOS
+		AC_CHECK_HEADER([arpa/telnet.h], [], [BUILD_NC=no])
 		;;
 	*freebsd*)
-		BUILD_NC=yes
 		HOST_OS=freebsd
 		HOST_ABI=elf
+		# fork detection missing, weak seed on failure
+		# https://svnweb.freebsd.org/base/head/lib/libc/gen/arc4random.c?revision=268642&view=markup
+		USE_BUILTIN_ARC4RANDOM=yes
 		AC_SUBST([PROG_LDADD], ['-lthr'])
 		;;
 	*hpux*)
@@ -35,24 +76,32 @@ case $host_os in
 		AC_SUBST([PLATFORM_LDADD], ['-lpthread'])
 		;;
 	*linux*)
-		BUILD_NC=yes
 		HOST_OS=linux
 		HOST_ABI=elf
 		CPPFLAGS="$CPPFLAGS -D_DEFAULT_SOURCE -D_BSD_SOURCE -D_POSIX_SOURCE -D_GNU_SOURCE"
 		;;
 	*netbsd*)
-		BUILD_NC=yes
 		HOST_OS=netbsd
+		HOST_ABI=elf
+		AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
+#include <sys/param.h>
+#if __NetBSD_Version__ < 700000001
+        undefined
+#endif
+                       ]], [[]])],
+                       [ USE_BUILTIN_ARC4RANDOM=no ],
+                       [ USE_BUILTIN_ARC4RANDOM=yes ]
+		)
 		CPPFLAGS="$CPPFLAGS -D_OPENBSD_SOURCE"
 		;;
 	*openbsd* | *bitrig*)
-		BUILD_NC=yes
 		HOST_OS=openbsd
 		HOST_ABI=elf
 		AC_DEFINE([HAVE_ATTRIBUTE__BOUNDED__], [1], [OpenBSD gcc has bounded])
 		;;
 	*mingw*)
 		HOST_OS=win
+		BUILD_NC=no
 		CPPFLAGS="$CPPFLAGS -D_GNU_SOURCE -D_POSIX -D_POSIX_SOURCE -D__USE_MINGW_ANSI_STDIO"
 		CPPFLAGS="$CPPFLAGS -D_REENTRANT -D_POSIX_THREAD_SAFE_FUNCTIONS"
 		CPPFLAGS="$CPPFLAGS -DWIN32_LEAN_AND_MEAN -D_WIN32_WINNT=0x0501"
@@ -70,7 +119,11 @@ case $host_os in
 	*) ;;
 esac
 
-AM_CONDITIONAL([BUILD_NC],     [test x$BUILD_NC = xyes])
+AC_ARG_ENABLE([nc],
+	AS_HELP_STRING([--enable-nc], [Enable installing TLS-enabled nc(1)]))
+AM_CONDITIONAL([ENABLE_NC], [test "x$enable_nc" = xyes])
+AM_CONDITIONAL([BUILD_NC],  [test x$BUILD_NC = xyes -o "x$enable_nc" = xyes])
+
 AM_CONDITIONAL([HOST_AIX],     [test x$HOST_OS = xaix])
 AM_CONDITIONAL([HOST_CYGWIN],  [test x$HOST_OS = xcygwin])
 AM_CONDITIONAL([HOST_DARWIN],  [test x$HOST_OS = xdarwin])

man/update_links.sh

@@ -1,18 +1,19 @@
 #!/bin/sh
 
 # Run this periodically to ensure that the manpage links are up to date
+(
+    cd /usr/src/usr.bin/mandoc/
+    make obj
+    make cleandir
+    make depend
+    make
+    cd /usr/src/regress/usr.bin/mandoc/db/mlinks/
+    make obj
+    make cleandir
+    make
+)
+
+makewhatis -a .
 
 echo "# This is an auto-generated file by $0" > links
-doas makewhatis
+/usr/src/regress/usr.bin/mandoc/db/mlinks/obj/mlinks mandoc.db | sort >> links
-for i in `ls -1 *.3`; do
-  name=`echo $i|cut -d. -f1`
-  links=`sqlite3 /usr/share/man/mandoc.db \
-    "select names.name from mlinks,names where mlinks.name='$name' and mlinks.pageid=names.pageid;"`
-  for j in $links; do
-    a=`echo "x$j" | tr '[:upper:]' '[:lower:]'`
-    b=`echo "x$name" | tr '[:upper:]' '[:lower:]'`
-    if [ $a != $b ]; then
-      echo $name.3,$j.3 >> links
-    fi
-  done
-done

patches/aeadtest.c.patch

@@ -0,0 +1,15 @@
+--- tests/aeadtest.c.orig	2016-10-18 17:03:33.845870889 +0900
++++ tests/aeadtest.c	2016-10-18 17:11:19.880841283 +0900
+@@ -75,6 +75,12 @@
+ 
+ #define BUF_MAX 1024
+ 
++#ifdef _MSC_VER
++#ifdef IN
++#undef IN
++#endif
++#endif
++
+ /* These are the different types of line that are found in the input file. */
+ enum {
+ 	AEAD = 0,	/* name of the AEAD algorithm. */

patches/bio.h.patch

@@ -0,0 +1,36 @@
+--- include/openssl/bio.h.orig	Mon Oct  3 06:09:28 2016
++++ include/openssl/bio.h	Sun Nov  6 04:24:57 2016
+@@ -678,8 +678,24 @@
+
+ /*long BIO_ghbn_ctrl(int cmd,int iarg,char *parg);*/
+
++#ifdef __MINGW_PRINTF_FORMAT
+ int
+ BIO_printf(BIO *bio, const char *format, ...)
++	__attribute__((__format__(__MINGW_PRINTF_FORMAT, 2, 3), __nonnull__(2)));
++int
++BIO_vprintf(BIO *bio, const char *format, va_list args)
++	__attribute__((__format__(__MINGW_PRINTF_FORMAT, 2, 0), __nonnull__(2)));
++int
++BIO_snprintf(char *buf, size_t n, const char *format, ...)
++	__attribute__((__deprecated__, __format__(__MINGW_PRINTF_FORMAT, 3, 4),
++	    __nonnull__(3)));
++int
++BIO_vsnprintf(char *buf, size_t n, const char *format, va_list args)
++	__attribute__((__deprecated__, __format__(__MINGW_PRINTF_FORMAT, 3, 0),
++	    __nonnull__(3)));
++#else
++int
++BIO_printf(BIO *bio, const char *format, ...)
+ 	__attribute__((__format__(__printf__, 2, 3), __nonnull__(2)));
+ int
+ BIO_vprintf(BIO *bio, const char *format, va_list args)
+@@ -692,6 +708,8 @@
+ BIO_vsnprintf(char *buf, size_t n, const char *format, va_list args)
+ 	__attribute__((__deprecated__, __format__(__printf__, 3, 0),
+ 	    __nonnull__(3)));
++#endif
++
+
+ /* BEGIN ERROR CODES */
+ /* The following lines are auto generated by the script mkerr.pl. Any changes

patches/modes_lcl.h

@@ -0,0 +1,21 @@
+--- openbsd/src/lib/libssl/src/crypto/modes/modes_lcl.h	Sat Dec  6 17:15:50 2014
++++ crypto/modes/modes_lcl.h	Sun Jul 17 17:45:27 2016
+@@ -43,14 +43,16 @@
+ 			asm ("bswapl %0"		\
+ 			: "+r"(ret));	ret;		})
+ # elif (defined(__arm__) || defined(__arm)) && !defined(__STRICT_ALIGNMENT)
+-#  define BSWAP8(x) ({	u32 lo=(u64)(x)>>32,hi=(x);	\
++#  if (__ARM_ARCH >= 6)
++#   define BSWAP8(x) ({	u32 lo=(u64)(x)>>32,hi=(x);	\
+ 			asm ("rev %0,%0; rev %1,%1"	\
+ 			: "+r"(hi),"+r"(lo));		\
+ 			(u64)hi<<32|lo;			})
+-#  define BSWAP4(x) ({	u32 ret;			\
++#   define BSWAP4(x) ({	u32 ret;			\
+ 			asm ("rev %0,%1"		\
+ 			: "=r"(ret) : "r"((u32)(x)));	\
+ 			ret;				})
++#  endif
+ # endif
+ #endif
+ #endif

patches/netcat.c.patch

@@ -1,17 +1,16 @@
---- apps/nc/netcat.c.orig	2015-10-23 16:01:14.000000000 -0700
+--- apps/nc/netcat.c.orig	Sat Nov  5 14:00:01 2016
-+++ apps/nc/netcat.c	2015-10-23 16:17:08.000000000 -0700
++++ apps/nc/netcat.c	Sat Nov  5 15:28:35 2016
-@@ -57,6 +57,10 @@
+@@ -65,7 +65,9 @@
- #include <tls.h>
+ #define POLL_NETIN 2
- #include "atomicio.h"
+ #define POLL_STDOUT 3
- 
+ #define BUFSIZE 16384
-+#ifndef IPV6_TCLASS
++#ifndef DEFAULT_CA_FILE
-+#define IPV6_TCLASS -1
+ #define DEFAULT_CA_FILE "/etc/ssl/cert.pem"
 +#endif
-+
+ 
- #define PORT_MAX	65535
+ #define TLS_LEGACY	(1 << 1)
- #define PORT_MAX_LEN	6
+ #define TLS_NOVERIFY	(1 << 2)
- #define UNIX_DG_TMP_SOCKET_SIZE	19
+@@ -93,9 +95,13 @@
-@@ -93,9 +97,13 @@
  int	Dflag;					/* sodebug */
  int	Iflag;					/* TCP receive buffer size */
  int	Oflag;					/* TCP send buffer size */
@@ -25,7 +24,7 @@
  
  int	usetls;					/* use TLS */
  char    *Cflag;					/* Public cert file */
-@@ -145,7 +153,7 @@
+@@ -148,7 +154,7 @@
  	struct servent *sv;
  	socklen_t len;
  	struct sockaddr_storage cliaddr;
@@ -34,7 +33,7 @@
  	const char *errstr, *proxyhost = "", *proxyport = NULL;
  	struct addrinfo proxyhints;
  	char unix_dg_tmp_socket_buf[UNIX_DG_TMP_SOCKET_SIZE];
-@@ -246,12 +254,14 @@
+@@ -258,12 +264,14 @@
  		case 'u':
  			uflag = 1;
  			break;
@@ -49,9 +48,9 @@
  		case 'v':
  			vflag = 1;
  			break;
-@@ -284,9 +294,11 @@
+@@ -299,9 +307,11 @@
- 				errx(1, "TCP send window %s: %s",
+ 		case 'o':
- 				    errstr, optarg);
+ 			oflag = optarg;
  			break;
 +#ifdef TCP_MD5SIG
  		case 'S':
@@ -61,48 +60,31 @@
  		case 'T':
  			errstr = NULL;
  			errno = 0;
-@@ -310,14 +322,16 @@
+@@ -325,9 +335,11 @@
  	argc -= optind;
  	argv += optind;
  
 +#ifdef SO_RTABLE
- 	if (rtableid >= 0) {
+ 	if (rtableid >= 0)
- 		/*
+ 		if (setrtable(rtableid) == -1)
- 		 * XXX No pledge if doing rtable manipulation!
+ 			err(1, "setrtable");
- 		 * XXX the routing table stuff is dangerous and can't be pledged.
- 		 * XXX rtable should really have a better interface than sockopt
- 		 */
--	}
--	else if (family == AF_UNIX) {
-+	} else
 +#endif
-+	if (family == AF_UNIX) {
+ 
+ 	if (family == AF_UNIX) {
  		if (pledge("stdio rpath wpath cpath tmppath unix", NULL) == -1)
- 			err(1, "pledge");
+@@ -836,7 +848,10 @@
- 	}
-@@ -797,7 +811,10 @@
  remote_connect(const char *host, const char *port, struct addrinfo hints)
  {
  	struct addrinfo *res, *res0;
--	int s, error, on = 1;
+-	int s = -1, error, on = 1, save_errno;
-+	int s, error;
++	int s = -1, error, save_errno;
 +#ifdef SO_BINDANY
 +	int on = 1;
 +#endif
  
- 	if ((error = getaddrinfo(host, port, &hints, &res)))
+ 	if ((error = getaddrinfo(host, port, &hints, &res0)))
  		errx(1, "getaddrinfo: %s", gai_strerror(error));
-@@ -808,16 +825,20 @@
+@@ -850,8 +865,10 @@
- 		    SOCK_NONBLOCK, res0->ai_protocol)) < 0)
- 			continue;
- 
-+#ifdef SO_RTABLE
- 		if (rtableid >= 0 && (setsockopt(s, SOL_SOCKET, SO_RTABLE,
- 		    &rtableid, sizeof(rtableid)) == -1))
- 			err(1, "setsockopt SO_RTABLE");
-+#endif
- 
- 		/* Bind to a local port or source address if specified. */
  		if (sflag || pflag) {
  			struct addrinfo ahints, *ares;
  
@@ -111,39 +93,33 @@
  			setsockopt(s, SOL_SOCKET, SO_BINDANY, &on, sizeof(on));
 +#endif
  			memset(&ahints, 0, sizeof(struct addrinfo));
- 			ahints.ai_family = res0->ai_family;
+ 			ahints.ai_family = res->ai_family;
  			ahints.ai_socktype = uflag ? SOCK_DGRAM : SOCK_STREAM;
-@@ -886,7 +907,10 @@
+@@ -922,7 +939,10 @@
  local_listen(char *host, char *port, struct addrinfo hints)
  {
  	struct addrinfo *res, *res0;
--	int s, ret, x = 1;
+-	int s = -1, ret, x = 1, save_errno;
-+	int s;
++	int s = -1, save_errno;
 +#ifdef SO_REUSEPORT
 +	int ret, x = 1;
 +#endif
  	int error;
  
  	/* Allow nodename to be null. */
-@@ -908,13 +932,17 @@
+@@ -943,9 +963,11 @@
- 		    res0->ai_protocol)) < 0)
+ 		    res->ai_protocol)) < 0)
  			continue;
  
-+#ifdef SO_RTABLE
- 		if (rtableid >= 0 && (setsockopt(s, SOL_SOCKET, SO_RTABLE,
- 		    &rtableid, sizeof(rtableid)) == -1))
- 			err(1, "setsockopt SO_RTABLE");
-+#endif
- 
 +#ifdef SO_REUSEPORT
  		ret = setsockopt(s, SOL_SOCKET, SO_REUSEPORT, &x, sizeof(x));
  		if (ret == -1)
  			err(1, NULL);
 +#endif
  
- 		set_common_sockopts(s, res0->ai_family);
+ 		set_common_sockopts(s, res->ai_family);
  
-@@ -1358,11 +1386,13 @@
+@@ -1403,11 +1425,13 @@
  {
  	int x = 1;
  
@@ -157,29 +133,49 @@
  	if (Dflag) {
  		if (setsockopt(s, SOL_SOCKET, SO_DEBUG,
  			&x, sizeof(x)) == -1)
-@@ -1537,15 +1567,19 @@
+@@ -1444,13 +1468,17 @@
+ 	}
+ 
+ 	if (minttl != -1) {
++#ifdef IP_MINTTL
+ 		if (af == AF_INET && setsockopt(s, IPPROTO_IP,
+ 		    IP_MINTTL, &minttl, sizeof(minttl)))
+ 			err(1, "set IP min TTL");
++#endif
+ 
+-		else if (af == AF_INET6 && setsockopt(s, IPPROTO_IPV6,
++#ifdef IPV6_MINHOPCOUNT
++		if (af == AF_INET6 && setsockopt(s, IPPROTO_IPV6,
+ 		    IPV6_MINHOPCOUNT, &minttl, sizeof(minttl)))
+ 			err(1, "set IPv6 min hop count");
++#endif
+ 	}
+ }
+ 
+@@ -1644,14 +1672,22 @@
  	\t-P proxyuser\tUsername for proxy authentication\n\
  	\t-p port\t	Specify local port for remote connects\n\
  	\t-R CAfile	CA bundle\n\
 -	\t-r		Randomize remote ports\n\
 -	\t-S		Enable the TCP MD5 signature option\n\
--	\t-s source	Local source address\n\
 +	\t-r		Randomize remote ports\n"
 +#ifdef TCP_MD5SIG
-+	"\t-S		Enable the TCP MD5 signature option\n"
++        "\
++	\t-S		Enable the TCP MD5 signature option\n"
 +#endif
-+	"\t-s source	Local source address\n\
++        "\
+ 	\t-s source	Local source address\n\
  	\t-T keyword	TOS value or TLS options\n\
  	\t-t		Answer TELNET negotiation\n\
  	\t-U		Use UNIX domain socket\n\
 -	\t-u		UDP mode\n\
 -	\t-V rtable	Specify alternate routing table\n\
--	\t-v		Verbose\n\
 +	\t-u		UDP mode\n"
 +#ifdef SO_RTABLE
-+	"\t-V rtable	Specify alternate routing table\n"
++        "\
++	\t-V rtable	Specify alternate routing table\n"
 +#endif
-+	"\t-v		Verbose\n\
++        "\
+ 	\t-v		Verbose\n\
  	\t-w timeout	Timeout for connects and final net reads\n\
  	\t-X proto	Proxy protocol: \"4\", \"5\" (SOCKS) or \"connect\"\n\
- 	\t-x addr[:port]\tSpecify proxy address and port\n\

patches/ocsp_test.c.patch

@@ -0,0 +1,14 @@
+--- tests/ocsp_test.c.orig	2016-10-18 18:12:39.854607509 +0900
++++ tests/ocsp_test.c	2016-10-18 18:14:29.261600559 +0900
+@@ -16,6 +16,11 @@
+ 	hints.ai_family = AF_INET;
+ 	hints.ai_socktype = SOCK_STREAM;
+ 
++#ifdef _MSC_VER
++	if (BIO_sock_init() != 1)
++		exit(-1);
++#endif
++
+ 	error = getaddrinfo(host, port, &hints, &res);
+ 	if (error != 0) {
+ 		perror("getaddrinfo()");

patches/openssl.c.patch

@@ -1,6 +1,6 @@
---- apps/openssl/openssl.c.orig	Sun Sep 13 09:11:31 2015
+--- apps/openssl/openssl.c.orig	Fri Nov  4 09:33:19 2016
-+++ apps/openssl/openssl.c	Sun Sep 13 09:10:02 2015
++++ apps/openssl/openssl.c	Sat Nov  5 15:28:35 2016
-@@ -399,7 +399,9 @@
+@@ -396,7 +396,9 @@
  static void
  openssl_startup(void)
  {

patches/rfc5280.c.patch

@@ -1,5 +1,5 @@
---- tests/rfc5280time.c.orig	Sat Oct 17 22:36:27 2015
+--- tests/rfc5280time.c.orig	Mon Nov  2 20:00:31 2015
-+++ tests/rfc5280time.c	Sat Oct 17 22:44:25 2015
++++ tests/rfc5280time.c	Mon Nov  2 20:03:12 2015
 @@ -91,6 +91,7 @@
  		.data = "20150923032700Z",
  		.time = 1442978820,
@@ -10,7 +10,7 @@
  		.str = "00000101000000Z",
 @@ -103,6 +104,7 @@
  		.data = "20491231235959Z",
- 		.time = 2524607999,
+ 		.time = 2524607999LL,
  	},
 +#endif
  	{
@@ -26,7 +26,7 @@
  		.str = "99991231235959Z",
 @@ -129,6 +132,7 @@
  		.data = "20500101000000Z",
- 		.time =  2524608000,
+ 		.time =  2524608000LL,
  	},
 +#endif
  };
@@ -40,7 +40,7 @@
  	{
  		.str = "491231235959Z",
  		.data = "491231235959Z",
- 		.time = 2524607999,
+ 		.time = 2524607999LL,
  	},
 +#endif
  	{

patches/ssl_txt.c.patch

@@ -0,0 +1,19 @@
+--- ssl/ssl_txt.orig	Sun Jul 17 17:26:59 2016
++++ ssl/ssl_txt.c	Sun Jul 17 17:35:44 2016
+@@ -82,6 +82,7 @@
+  * OTHERWISE.
+  */
+ 
++#include <inttypes.h>
+ #include <stdio.h>
+ 
+ #include <openssl/buffer.h>
+@@ -163,7 +164,7 @@
+ 	}
+ 
+ 	if (x->time != 0) {
+-		if (BIO_printf(bp, "\n    Start Time: %lld", (long long)x->time) <= 0)
++		if (BIO_printf(bp, "\n    Start Time: %"PRId64, (int64_t)x->time) <= 0)
+ 			goto err;
+ 	}
+ 	if (x->timeout != 0L) {

patches/tls_internal.h.patch

@@ -0,0 +1,12 @@
+--- ./openbsd/src/lib/libtls/tls_internal.h	Thu Oct 15 16:12:24 2015
++++ ./tls/tls_internal.h	Sun Dec  6 20:18:17 2015
+@@ -24,7 +24,9 @@
+ 
+ #include <openssl/ssl.h>
+ 
++#ifndef _PATH_SSL_CA_FILE
+ #define _PATH_SSL_CA_FILE "/etc/ssl/cert.pem"
++#endif
+ 
+ #define TLS_CIPHERS_COMPAT	"ALL:!aNULL:!eNULL"
+ #define TLS_CIPHERS_DEFAULT	"TLSv1.2+AEAD+ECDHE:TLSv1.2+AEAD+DHE"

patches/windows_headers.patch

@@ -1,6 +1,6 @@
-diff -urN include/openssl.orig/dtls1.h include/openssl/dtls1.h
+diff -u include/openssl.orig/dtls1.h include/openssl/dtls1.h
---- include/openssl.orig/dtls1.h	Mon Sep 21 21:45:45 2015
+--- include/openssl.orig/dtls1.h	Mon Dec  7 07:58:32 2015
-+++ include/openssl/dtls1.h	Mon Sep 21 21:58:56 2015
++++ include/openssl/dtls1.h	Mon Dec  7 07:56:14 2015
 @@ -60,7 +60,11 @@
  #ifndef HEADER_DTLS1_H
  #define HEADER_DTLS1_H
@@ -13,9 +13,9 @@ diff -urN include/openssl.orig/dtls1.h include/openssl/dtls1.h
  
  #include <stdio.h>
  #include <stdlib.h>
-diff -urN include/openssl.orig/opensslconf.h include/openssl/opensslconf.h
+diff -u include/openssl.orig/opensslconf.h include/openssl/opensslconf.h
---- include/openssl.orig/opensslconf.h	Mon Sep 21 21:45:45 2015
+--- include/openssl.orig/opensslconf.h	Mon Dec  7 07:58:32 2015
-+++ include/openssl/opensslconf.h	Mon Sep 21 21:56:13 2015
++++ include/openssl/opensslconf.h	Mon Dec  7 07:56:14 2015
 @@ -1,6 +1,10 @@
  #include <openssl/opensslfeatures.h>
  /* crypto/opensslconf.h.in */
@@ -24,13 +24,13 @@ diff -urN include/openssl.orig/opensslconf.h include/openssl/opensslconf.h
 +#define __attribute__(a)
 +#endif
 +
- /* Generate 80386 code? */
+ #if defined(HEADER_CRYPTLIB_H) && !defined(OPENSSLDIR)
- #undef I386_ONLY
+ #define OPENSSLDIR "/etc/ssl"
 
-diff -urN include/openssl.orig/ossl_typ.h include/openssl/ossl_typ.h
+diff -u include/openssl.orig/ossl_typ.h include/openssl/ossl_typ.h
---- include/openssl.orig/ossl_typ.h	Mon Sep 21 21:45:45 2015
+--- include/openssl.orig/ossl_typ.h	Mon Dec  7 07:58:32 2015
-+++ include/openssl/ossl_typ.h	Mon Sep 21 21:56:22 2015
++++ include/openssl/ossl_typ.h	Mon Dec  7 07:56:14 2015
-@@ -100,6 +100,22 @@
+@@ -80,6 +80,22 @@
  typedef struct ASN1_ITEM_st ASN1_ITEM;
  typedef struct asn1_pctx_st ASN1_PCTX;
  
@@ -53,9 +53,9 @@ diff -urN include/openssl.orig/ossl_typ.h include/openssl/ossl_typ.h
  #ifdef BIGNUM
  #undef BIGNUM
  #endif
-diff -urN include/openssl.orig/pkcs7.h include/openssl/pkcs7.h
+diff -u include/openssl.orig/pkcs7.h include/openssl/pkcs7.h
---- include/openssl.orig/pkcs7.h	Mon Sep 21 21:45:45 2015
+--- include/openssl.orig/pkcs7.h	Mon Dec  7 07:58:32 2015
-+++ include/openssl/pkcs7.h	Mon Sep 21 21:56:29 2015
++++ include/openssl/pkcs7.h	Mon Dec  7 07:56:14 2015
 @@ -69,6 +69,18 @@
  extern "C" {
  #endif
@@ -75,9 +75,9 @@ diff -urN include/openssl.orig/pkcs7.h include/openssl/pkcs7.h
  /*
  Encryption_ID		DES-CBC
  Digest_ID		MD5
-diff -urN include/openssl.orig/x509.h include/openssl/x509.h
+diff -u include/openssl.orig/x509.h include/openssl/x509.h
---- include/openssl.orig/x509.h	Mon Sep 21 21:45:45 2015
+--- include/openssl.orig/x509.h	Mon Dec  7 07:58:32 2015
-+++ include/openssl/x509.h	Mon Sep 21 21:56:35 2015
++++ include/openssl/x509.h	Mon Dec  7 07:56:14 2015
 @@ -112,6 +112,19 @@
  extern "C" {
  #endif

scripts/travis

@@ -21,9 +21,6 @@ if [ "x$ARCH" = "xnative" ]; then
 		make
 		make test
 	else
-		sudo apt-get update
-		sudo apt-get install -y python-software-properties
-		sudo apt-add-repository -y ppa:kalakris/cmake
 		sudo apt-get update
 		sudo apt-get install -y cmake ninja-build
 		cmake -GNinja ..
@@ -38,12 +35,8 @@ else
 	export CC=$CPU-w64-mingw32-gcc
 
 	if [ -z $(which $CC) ]; then
-		# Update Ubuntu 12.04 with current mingw toolchain
 		sudo apt-get update
-		sudo apt-get install -y python-software-properties
+		sudo apt-get install -y mingw-w64 make
-		sudo apt-add-repository -y ppa:tobydox/mingw-x-precise
-		sudo apt-get update
-		sudo apt-get install -y $ARCH-x-gcc make
 		export PATH=$PATH:/opt/$ARCH/bin
 	fi
 

ssl/CMakeLists.txt

@@ -19,27 +19,24 @@ set(
 	d1_srtp.c
 	d1_srvr.c
 	pqueue.c
-	s23_clnt.c
-	s23_lib.c
-	s23_pkt.c
-	s23_srvr.c
-	s3_both.c
 	s3_cbc.c
-	s3_clnt.c
 	s3_lib.c
-	s3_pkt.c
-	s3_srvr.c
 	ssl_algs.c
 	ssl_asn1.c
+	ssl_both.c
 	ssl_cert.c
 	ssl_ciph.c
+	ssl_clnt.c
 	ssl_err.c
-	ssl_err2.c
 	ssl_lib.c
+	ssl_packet.c
+	ssl_pkt.c
 	ssl_rsa.c
 	ssl_sess.c
+	ssl_srvr.c
 	ssl_stat.c
 	ssl_txt.c
+	ssl_versions.c
 	t1_clnt.c
 	t1_enc.c
 	t1_lib.c
@@ -48,11 +45,18 @@ set(
 	t1_srvr.c
 )
 
-if (BUILD_SHARED)
 add_library(ssl-objects OBJECT ${SSL_SRC})
+if (BUILD_SHARED)
 	add_library(ssl STATIC $<TARGET_OBJECTS:ssl-objects>)
 	add_library(ssl-shared SHARED $<TARGET_OBJECTS:ssl-objects>)
-	set_target_properties(ssl-shared PROPERTIES OUTPUT_NAME ssl)
+	export_symbol(ssl-shared ${CMAKE_CURRENT_SOURCE_DIR}/ssl.sym)
+	if (WIN32)
+		target_link_libraries(ssl-shared crypto-shared Ws2_32.lib)
+		set(SSL_POSTFIX -${SSL_MAJOR_VERSION})
+	endif()
+	set_target_properties(ssl-shared PROPERTIES
+		OUTPUT_NAME ssl${SSL_POSTFIX}
+		ARCHIVE_OUTPUT_NAME ssl${SSL_POSTFIX})
 	set_target_properties(ssl-shared PROPERTIES VERSION ${SSL_VERSION}
 		SOVERSION ${SSL_MAJOR_VERSION})
 	install(TARGETS ssl ssl-shared DESTINATION lib)

ssl/Makefile.am

@@ -4,9 +4,10 @@ lib_LTLIBRARIES = libssl.la
 
 EXTRA_DIST = VERSION
 EXTRA_DIST += CMakeLists.txt
+EXTRA_DIST += ssl.sym
 
-libssl_la_LDFLAGS = -version-info @LIBSSL_VERSION@ -no-undefined
+libssl_la_LDFLAGS = -version-info @LIBSSL_VERSION@ -no-undefined -export-symbols $(top_srcdir)/ssl/ssl.sym
-libssl_la_LIBADD = ../crypto/libcrypto.la
+libssl_la_LIBADD = $(abs_top_builddir)/crypto/libcrypto.la
 
 libssl_la_SOURCES = bio_ssl.c
 libssl_la_SOURCES += bs_ber.c
@@ -21,27 +22,24 @@ libssl_la_SOURCES += d1_pkt.c
 libssl_la_SOURCES += d1_srtp.c
 libssl_la_SOURCES += d1_srvr.c
 libssl_la_SOURCES += pqueue.c
-libssl_la_SOURCES += s23_clnt.c
-libssl_la_SOURCES += s23_lib.c
-libssl_la_SOURCES += s23_pkt.c
-libssl_la_SOURCES += s23_srvr.c
-libssl_la_SOURCES += s3_both.c
 libssl_la_SOURCES += s3_cbc.c
-libssl_la_SOURCES += s3_clnt.c
 libssl_la_SOURCES += s3_lib.c
-libssl_la_SOURCES += s3_pkt.c
-libssl_la_SOURCES += s3_srvr.c
 libssl_la_SOURCES += ssl_algs.c
 libssl_la_SOURCES += ssl_asn1.c
+libssl_la_SOURCES += ssl_both.c
 libssl_la_SOURCES += ssl_cert.c
 libssl_la_SOURCES += ssl_ciph.c
+libssl_la_SOURCES += ssl_clnt.c
 libssl_la_SOURCES += ssl_err.c
-libssl_la_SOURCES += ssl_err2.c
 libssl_la_SOURCES += ssl_lib.c
+libssl_la_SOURCES += ssl_packet.c
+libssl_la_SOURCES += ssl_pkt.c
 libssl_la_SOURCES += ssl_rsa.c
 libssl_la_SOURCES += ssl_sess.c
+libssl_la_SOURCES += ssl_srvr.c
 libssl_la_SOURCES += ssl_stat.c
 libssl_la_SOURCES += ssl_txt.c
+libssl_la_SOURCES += ssl_versions.c
 libssl_la_SOURCES += t1_clnt.c
 libssl_la_SOURCES += t1_enc.c
 libssl_la_SOURCES += t1_lib.c

tests/CMakeLists.txt

@@ -9,274 +9,393 @@ include_directories(
 	../apps/openssl/compat
 )
 
-set(ENV{srcdir} ${CMAKE_CURRENT_SOURCE_DIR})
+add_definitions(-D_PATH_SSL_CA_FILE=\"${CMAKE_CURRENT_SOURCE_DIR}/../apps/openssl/cert.pem\")
+
+foreach(lib IN LISTS OPENSSL_LIBS)
+	if(${lib} STREQUAL "tls-shared")
+		set(TESTS_LIBS ${TESTS_LIBS} tls)
+	elseif(${lib} STREQUAL "ssl-shared")
+		set(TESTS_LIBS ${TESTS_LIBS} ssl)
+	elseif(${lib} STREQUAL "crypto-shared")
+		set(TESTS_LIBS ${TESTS_LIBS} crypto)
+	else()
+		set(TESTS_LIBS ${TESTS_LIBS} ${lib})
+	endif()
+endforeach()
 
 # aeadtest
-#add_executable(aeadtest aeadtest.c)
+add_executable(aeadtest aeadtest.c)
-#target_link_libraries(aeadtest ${OPENSSL_LIBS})
+target_link_libraries(aeadtest ${TESTS_LIBS})
-#add_test(aeadtest aeadtest.sh)
+add_test(aeadtest aeadtest ${CMAKE_CURRENT_SOURCE_DIR}/aeadtests.txt)
-#configure_file(aeadtests.txt aeadtests.txt COPYONLY)
-#configure_file(aeadtest.sh aeadtest.sh COPYONLY)
 
 # aes_wrap
 add_executable(aes_wrap aes_wrap.c)
-target_link_libraries(aes_wrap ${OPENSSL_LIBS})
+target_link_libraries(aes_wrap ${TESTS_LIBS})
 add_test(aes_wrap aes_wrap)
 
 # arc4randomforktest
 # Windows/mingw does not have fork, but Cygwin does.
-if(NOT CMAKE_HOST_WIN32)
+if(NOT CMAKE_HOST_WIN32 AND NOT CMAKE_SYSTEM_NAME MATCHES "MINGW")
 	add_executable(arc4randomforktest arc4randomforktest.c)
-target_link_libraries(arc4randomforktest ${OPENSSL_LIBS})
+	target_link_libraries(arc4randomforktest ${TESTS_LIBS})
 	add_test(arc4randomforktest ${CMAKE_CURRENT_SOURCE_DIR}/arc4randomforktest.sh)
 endif()
 
 # asn1test
 add_executable(asn1test asn1test.c)
-target_link_libraries(asn1test ${OPENSSL_LIBS})
+target_link_libraries(asn1test ${TESTS_LIBS})
 add_test(asn1test asn1test)
 
 # asn1time
 add_executable(asn1time asn1time.c)
-target_link_libraries(asn1time ${OPENSSL_LIBS})
+target_link_libraries(asn1time ${TESTS_LIBS})
 add_test(asn1time asn1time)
 
 # base64test
 add_executable(base64test base64test.c)
-target_link_libraries(base64test ${OPENSSL_LIBS})
+target_link_libraries(base64test ${TESTS_LIBS})
 add_test(base64test base64test)
 
 # bftest
 add_executable(bftest bftest.c)
-target_link_libraries(bftest ${OPENSSL_LIBS})
+target_link_libraries(bftest ${TESTS_LIBS})
 add_test(bftest bftest)
 
+# biotest
+# the BIO tests rely on resolver results that are OS and environment-specific
+if(ENABLE_EXTRATESTS)
+	add_executable(biotest biotest.c)
+	target_link_libraries(biotest ${TESTS_LIBS})
+	add_test(biotest biotest)
+endif()
+
 # bntest
 add_executable(bntest bntest.c)
-target_link_libraries(bntest ${OPENSSL_LIBS})
+set_source_files_properties(bntest.c PROPERTIES COMPILE_FLAGS -ULIBRESSL_INTERNAL)
+target_link_libraries(bntest ${TESTS_LIBS})
 add_test(bntest bntest)
 
 # bytestringtest
 add_executable(bytestringtest bytestringtest.c)
-target_link_libraries(bytestringtest ${OPENSSL_LIBS})
+target_link_libraries(bytestringtest ${TESTS_LIBS})
 add_test(bytestringtest bytestringtest)
 
 # casttest
 add_executable(casttest casttest.c)
-target_link_libraries(casttest ${OPENSSL_LIBS})
+target_link_libraries(casttest ${TESTS_LIBS})
 add_test(casttest casttest)
 
 # chachatest
 add_executable(chachatest chachatest.c)
-target_link_libraries(chachatest ${OPENSSL_LIBS})
+target_link_libraries(chachatest ${TESTS_LIBS})
 add_test(chachatest chachatest)
 
 # cipher_list
 add_executable(cipher_list cipher_list.c)
-target_link_libraries(cipher_list ${OPENSSL_LIBS})
+target_link_libraries(cipher_list ${TESTS_LIBS})
 add_test(cipher_list cipher_list)
 
 # cipherstest
 add_executable(cipherstest cipherstest.c)
-target_link_libraries(cipherstest ${OPENSSL_LIBS})
+target_link_libraries(cipherstest ${TESTS_LIBS})
 add_test(cipherstest cipherstest)
 
 # clienttest
 add_executable(clienttest clienttest.c)
-target_link_libraries(clienttest ${OPENSSL_LIBS})
+target_link_libraries(clienttest ${TESTS_LIBS})
 add_test(clienttest clienttest)
 
 # cts128test
 add_executable(cts128test cts128test.c)
-target_link_libraries(cts128test ${OPENSSL_LIBS})
+target_link_libraries(cts128test ${TESTS_LIBS})
 add_test(cts128test cts128test)
 
 # destest
 add_executable(destest destest.c)
-target_link_libraries(destest ${OPENSSL_LIBS})
+target_link_libraries(destest ${TESTS_LIBS})
 add_test(destest destest)
 
 # dhtest
 add_executable(dhtest dhtest.c)
-target_link_libraries(dhtest ${OPENSSL_LIBS})
+target_link_libraries(dhtest ${TESTS_LIBS})
 add_test(dhtest dhtest)
 
 # dsatest
 add_executable(dsatest dsatest.c)
-target_link_libraries(dsatest ${OPENSSL_LIBS})
+target_link_libraries(dsatest ${TESTS_LIBS})
 add_test(dsatest dsatest)
 
 # ecdhtest
 add_executable(ecdhtest ecdhtest.c)
-target_link_libraries(ecdhtest ${OPENSSL_LIBS})
+target_link_libraries(ecdhtest ${TESTS_LIBS})
 add_test(ecdhtest ecdhtest)
 
 # ecdsatest
 add_executable(ecdsatest ecdsatest.c)
-target_link_libraries(ecdsatest ${OPENSSL_LIBS})
+target_link_libraries(ecdsatest ${TESTS_LIBS})
 add_test(ecdsatest ecdsatest)
 
 # ectest
 add_executable(ectest ectest.c)
-target_link_libraries(ectest ${OPENSSL_LIBS})
+target_link_libraries(ectest ${TESTS_LIBS})
 add_test(ectest ectest)
 
 # enginetest
 add_executable(enginetest enginetest.c)
-target_link_libraries(enginetest ${OPENSSL_LIBS})
+target_link_libraries(enginetest ${TESTS_LIBS})
 add_test(enginetest enginetest)
 
 # evptest
-#add_executable(evptest evptest.c)
+add_executable(evptest evptest.c)
-#target_link_libraries(evptest ${OPENSSL_LIBS})
+target_link_libraries(evptest ${TESTS_LIBS})
-#add_test(evptest ${CMAKE_CURRENT_SOURCE_DIR}/evptest.sh)
+add_test(evptest evptest ${CMAKE_CURRENT_SOURCE_DIR}/evptests.txt)
 
 # explicit_bzero
 # explicit_bzero relies on SA_ONSTACK, which is unavailable on Windows
 if(NOT CMAKE_HOST_WIN32)
+	if(HAVE_MEMMEM)
 		add_executable(explicit_bzero explicit_bzero.c)
-target_link_libraries(explicit_bzero ${OPENSSL_LIBS})
+	else()
+		add_executable(explicit_bzero explicit_bzero.c compat/memmem.c)
+	endif()
+	target_link_libraries(explicit_bzero ${TESTS_LIBS})
 	add_test(explicit_bzero explicit_bzero)
-#if !HAVE_MEMMEM
-#explicit_bzero_SOURCES += memmem.c
-#endif
 endif()
 
 # exptest
 add_executable(exptest exptest.c)
-target_link_libraries(exptest ${OPENSSL_LIBS})
+set_source_files_properties(exptest.c PROPERTIES COMPILE_FLAGS -ULIBRESSL_INTERNAL)
+target_link_libraries(exptest ${TESTS_LIBS})
 add_test(exptest exptest)
 
 # gcm128test
 add_executable(gcm128test gcm128test.c)
-target_link_libraries(gcm128test ${OPENSSL_LIBS})
+target_link_libraries(gcm128test ${TESTS_LIBS})
 add_test(gcm128test gcm128test)
 
 # gost2814789t
 add_executable(gost2814789t gost2814789t.c)
-target_link_libraries(gost2814789t ${OPENSSL_LIBS})
+target_link_libraries(gost2814789t ${TESTS_LIBS})
 add_test(gost2814789t gost2814789t)
 
 # hmactest
 add_executable(hmactest hmactest.c)
-target_link_libraries(hmactest ${OPENSSL_LIBS})
+target_link_libraries(hmactest ${TESTS_LIBS})
 add_test(hmactest hmactest)
 
 # ideatest
 add_executable(ideatest ideatest.c)
-target_link_libraries(ideatest ${OPENSSL_LIBS})
+target_link_libraries(ideatest ${TESTS_LIBS})
 add_test(ideatest ideatest)
 
 # igetest
 add_executable(igetest igetest.c)
-target_link_libraries(igetest ${OPENSSL_LIBS})
+target_link_libraries(igetest ${TESTS_LIBS})
 add_test(igetest igetest)
 
 # md4test
 add_executable(md4test md4test.c)
-target_link_libraries(md4test ${OPENSSL_LIBS})
+target_link_libraries(md4test ${TESTS_LIBS})
 add_test(md4test md4test)
 
 # md5test
 add_executable(md5test md5test.c)
-target_link_libraries(md5test ${OPENSSL_LIBS})
+target_link_libraries(md5test ${TESTS_LIBS})
 add_test(md5test md5test)
 
 # mont
 add_executable(mont mont.c)
-target_link_libraries(mont ${OPENSSL_LIBS})
+target_link_libraries(mont ${TESTS_LIBS})
 add_test(mont mont)
 
+# ocsp_test
+if(ENABLE_EXTRATESTS)
+	add_executable(ocsp_test ocsp_test.c)
+	target_link_libraries(ocsp_test ${TESTS_LIBS})
+	if(NOT MSVC)
+		add_test(ocsptest ${CMAKE_CURRENT_SOURCE_DIR}/ocsptest.sh)
+	else()
+		add_test(ocsptest ${CMAKE_CURRENT_SOURCE_DIR}/ocsptest.bat)
+	endif()
+endif()
+
 # optionstest
 add_executable(optionstest optionstest.c)
-target_link_libraries(optionstest ${OPENSSL_LIBS})
+target_link_libraries(optionstest ${TESTS_LIBS})
 add_test(optionstest optionstest)
 
 # pbkdf2
 add_executable(pbkdf2 pbkdf2.c)
-target_link_libraries(pbkdf2 ${OPENSSL_LIBS})
+target_link_libraries(pbkdf2 ${TESTS_LIBS})
 add_test(pbkdf2 pbkdf2)
 
+# pidwraptest
+# pidwraptest relies on an OS-specific way to give out pids and is generally
+# awkward on systems with slow fork
+if(ENABLE_EXTRATESTS AND NOT MSVC)
+	add_executable(pidwraptest pidwraptest.c)
+	target_link_libraries(pidwraptest ${TESTS_LIBS})
+	add_test(pidwraptest ${CMAKE_CURRENT_SOURCE_DIR}/pidwraptest.sh)
+endif()
+
 # pkcs7test
 add_executable(pkcs7test pkcs7test.c)
-target_link_libraries(pkcs7test ${OPENSSL_LIBS})
+target_link_libraries(pkcs7test ${TESTS_LIBS})
 add_test(pkcs7test pkcs7test)
 
 # poly1305test
 add_executable(poly1305test poly1305test.c)
-target_link_libraries(poly1305test ${OPENSSL_LIBS})
+target_link_libraries(poly1305test ${TESTS_LIBS})
 add_test(poly1305test poly1305test)
 
 # pq_test
-#add_executable(pq_test pq_test.c)
+add_executable(pq_test pq_test.c)
-#target_link_libraries(pq_test ${OPENSSL_LIBS})
+target_link_libraries(pq_test ${TESTS_LIBS})
-#add_test(pq_test ${CMAKE_CURRENT_SOURCE_DIR}/pq_test.sh)
+if(NOT MSVC)
+	add_test(pq_test ${CMAKE_CURRENT_SOURCE_DIR}/pq_test.sh)
+else()
+	add_test(pq_test ${CMAKE_CURRENT_SOURCE_DIR}/pq_test.bat)
+endif()
+set_tests_properties(pq_test PROPERTIES ENVIRONMENT "srcdir=${CMAKE_CURRENT_SOURCE_DIR}")
 
 # randtest
 add_executable(randtest randtest.c)
-target_link_libraries(randtest ${OPENSSL_LIBS})
+target_link_libraries(randtest ${TESTS_LIBS})
 add_test(randtest randtest)
 
 # rc2test
 add_executable(rc2test rc2test.c)
-target_link_libraries(rc2test ${OPENSSL_LIBS})
+target_link_libraries(rc2test ${TESTS_LIBS})
 add_test(rc2test rc2test)
 
 # rc4test
 add_executable(rc4test rc4test.c)
-target_link_libraries(rc4test ${OPENSSL_LIBS})
+target_link_libraries(rc4test ${TESTS_LIBS})
 add_test(rc4test rc4test)
 
 # rfc5280time
 add_executable(rfc5280time rfc5280time.c)
-target_link_libraries(rfc5280time ${OPENSSL_LIBS})
+target_link_libraries(rfc5280time ${TESTS_LIBS})
+if(SMALL_TIME_T)
+	add_test(rfc5280time ${CMAKE_CURRENT_SOURCE_DIR}/rfc5280time_small.test)
+else()
 	add_test(rfc5280time rfc5280time)
+endif()
 
 # rmdtest
 add_executable(rmdtest rmdtest.c)
-target_link_libraries(rmdtest ${OPENSSL_LIBS})
+target_link_libraries(rmdtest ${TESTS_LIBS})
 add_test(rmdtest rmdtest)
 
+# rsa_test
+add_executable(rsa_test rsa_test.c)
+target_link_libraries(rsa_test ${TESTS_LIBS})
+add_test(rsa_test rsa_test)
+
 # sha1test
 add_executable(sha1test sha1test.c)
-target_link_libraries(sha1test ${OPENSSL_LIBS})
+target_link_libraries(sha1test ${TESTS_LIBS})
 add_test(sha1test sha1test)
 
 # sha256test
 add_executable(sha256test sha256test.c)
-target_link_libraries(sha256test ${OPENSSL_LIBS})
+target_link_libraries(sha256test ${TESTS_LIBS})
 add_test(sha256test sha256test)
 
 # sha512test
 add_executable(sha512test sha512test.c)
-target_link_libraries(sha512test ${OPENSSL_LIBS})
+target_link_libraries(sha512test ${TESTS_LIBS})
 add_test(sha512test sha512test)
 
+# ssl_versions
+add_executable(ssl_versions ssl_versions.c)
+target_link_libraries(ssl_versions ${TESTS_LIBS})
+add_test(ssl_versions ssl_versions)
+
 # ssltest
-#add_executable(ssltest ssltest.c)
+add_executable(ssltest ssltest.c)
-#target_link_libraries(ssltest ${OPENSSL_LIBS})
+target_link_libraries(ssltest ${TESTS_LIBS})
-#add_test(ssltest ${CMAKE_CURRENT_SOURCE_DIR}/ssltest.sh)
+if(NOT MSVC)
+	add_test(ssltest ${CMAKE_CURRENT_SOURCE_DIR}/ssltest.sh)
+else()
+	add_test(ssltest ${CMAKE_CURRENT_SOURCE_DIR}/ssltest.bat)
+endif()
+set_tests_properties(ssltest PROPERTIES ENVIRONMENT "srcdir=${CMAKE_CURRENT_SOURCE_DIR}")
 
 # testdsa
-#add_test(testdsa ${CMAKE_CURRENT_SOURCE_DIR}/testdsa.sh)
+if(NOT MSVC)
+	add_test(testdsa ${CMAKE_CURRENT_SOURCE_DIR}/testdsa.sh)
+else()
+	add_test(testdsa ${CMAKE_CURRENT_SOURCE_DIR}/testdsa.bat)
+endif()
+set_tests_properties(testdsa PROPERTIES ENVIRONMENT "srcdir=${CMAKE_CURRENT_SOURCE_DIR}")
 
 # testenc
+if(NOT MSVC)
 	add_test(testenc ${CMAKE_CURRENT_SOURCE_DIR}/testenc.sh)
+else()
+	add_test(testenc ${CMAKE_CURRENT_SOURCE_DIR}/testenc.bat)
+endif()
+set_tests_properties(testenc PROPERTIES ENVIRONMENT "srcdir=${CMAKE_CURRENT_SOURCE_DIR}")
 
 # testrsa
-#add_test(testrsa ${CMAKE_CURRENT_SOURCE_DIR}/testrsa.sh)
+if(NOT MSVC)
+	add_test(testrsa ${CMAKE_CURRENT_SOURCE_DIR}/testrsa.sh)
+else()
+	add_test(testrsa ${CMAKE_CURRENT_SOURCE_DIR}/testrsa.bat)
+endif()
+set_tests_properties(testrsa PROPERTIES ENVIRONMENT "srcdir=${CMAKE_CURRENT_SOURCE_DIR}")
 
 # timingsafe
 add_executable(timingsafe timingsafe.c)
-target_link_libraries(timingsafe ${OPENSSL_LIBS})
+target_link_libraries(timingsafe ${TESTS_LIBS})
 add_test(timingsafe timingsafe)
 
+# tlstest
+set(TLSTEST_SRC tlstest.c)
+check_function_exists(pipe2 HAVE_PIPE2)
+if(HAVE_PIPE2)
+	add_definitions(-DHAVE_PIPE2)
+else()
+	set(TLSTEST_SRC ${TLSTEST_SRC} compat/pipe2.c)
+endif()
+
+add_executable(tlstest ${TLSTEST_SRC})
+target_link_libraries(tlstest ${TESTS_LIBS})
+if(NOT MSVC)
+	add_test(tlstest ${CMAKE_CURRENT_SOURCE_DIR}/tlstest.sh)
+else()
+	add_test(tlstest ${CMAKE_CURRENT_SOURCE_DIR}/tlstest.bat)
+endif()
+set_tests_properties(tlstest PROPERTIES ENVIRONMENT "srcdir=${CMAKE_CURRENT_SOURCE_DIR}")
+
+# tls_ext_alpn
+add_executable(tls_ext_alpn tls_ext_alpn.c)
+target_link_libraries(tls_ext_alpn ${TESTS_LIBS})
+add_test(tls_ext_alpn tls_ext_alpn)
+
 # utf8test
 add_executable(utf8test utf8test.c)
-target_link_libraries(utf8test ${OPENSSL_LIBS})
+target_link_libraries(utf8test ${TESTS_LIBS})
 add_test(utf8test utf8test)
 
 # verifytest
 add_executable(verifytest verifytest.c)
-target_link_libraries(verifytest tls ${OPENSSL_LIBS})
+target_link_libraries(verifytest tls ${TESTS_LIBS})
 add_test(verifytest verifytest)
+
+# x25519test
+add_executable(x25519test x25519test.c)
+target_link_libraries(x25519test ${TESTS_LIBS})
+add_test(x25519test x25519test)
+
+if(ENABLE_VSTEST AND USE_SHARED)
+	add_custom_command(TARGET x25519test POST_BUILD
+		COMMAND "${CMAKE_COMMAND}" -E copy
+		"$<TARGET_FILE:tls-shared>"
+		"$<TARGET_FILE:ssl-shared>"
+		"$<TARGET_FILE:crypto-shared>"
+		"${CMAKE_CURRENT_BINARY_DIR}"
+		COMMENT "Copying DLLs for regression tests")
+endif()
+

tests/Makefile.am

@@ -5,11 +5,15 @@ AM_CPPFLAGS += -I $(top_srcdir)/crypto/asn1
 AM_CPPFLAGS += -I $(top_srcdir)/ssl
 AM_CPPFLAGS += -I $(top_srcdir)/apps/openssl
 AM_CPPFLAGS += -I $(top_srcdir)/apps/openssl/compat
+AM_CPPFLAGS += -D_PATH_SSL_CA_FILE=\"$(top_srcdir)/apps/openssl/cert.pem\"
 
-LDADD = $(PLATFORM_LDADD) $(PROG_LDADD)
+LDADD = $(abs_top_builddir)/tls/.libs/libtls.a
-LDADD += $(top_builddir)/ssl/libssl.la
+LDADD += $(abs_top_builddir)/ssl/.libs/libssl.a
-LDADD += $(top_builddir)/crypto/libcrypto.la
+LDADD += $(abs_top_builddir)/crypto/.libs/libcrypto.a
-LDADD += $(top_builddir)/tls/libtls.la
+LDADD += $(PLATFORM_LDADD) $(PROG_LDADD)
+if HOST_ASM_MACOSX_X86_64
+LDADD += $(abs_top_builddir)/crypto/.libs/libcrypto_la-cpuid-macosx-x86_64.o
+endif
 
 TEST_LOG_DRIVER = env AM_TAP_AWK='$(AWK)' $(SHELL) $(top_srcdir)/tap-driver.sh
 
@@ -69,6 +73,7 @@ endif
 
 # bntest
 TESTS += bntest
+bntest_CPPFLAGS = $(AM_CPPFLAGS) -ULIBRESSL_INTERNAL
 check_PROGRAMS += bntest
 bntest_SOURCES = bntest.c
 
@@ -158,7 +163,7 @@ TESTS += explicit_bzero
 check_PROGRAMS += explicit_bzero
 explicit_bzero_SOURCES = explicit_bzero.c
 if !HAVE_MEMMEM
-explicit_bzero_SOURCES += memmem.c
+explicit_bzero_SOURCES += compat/memmem.c
 endif
 endif
 endif
@@ -166,6 +171,7 @@ endif
 # exptest
 TESTS += exptest
 check_PROGRAMS += exptest
+exptest_CPPFLAGS = $(AM_CPPFLAGS) -ULIBRESSL_INTERNAL
 exptest_SOURCES = exptest.c
 
 # gcm128test
@@ -208,6 +214,14 @@ TESTS += mont
 check_PROGRAMS += mont
 mont_SOURCES = mont.c
 
+# ocsp_test
+if ENABLE_EXTRATESTS
+TESTS += ocsptest.sh
+check_PROGRAMS += ocsp_test
+ocsp_test_SOURCES = ocsp_test.c
+endif
+EXTRA_DIST += ocsptest.sh ocsptest.bat
+
 # optionstest
 TESTS += optionstest
 check_PROGRAMS += optionstest
@@ -225,8 +239,8 @@ if ENABLE_EXTRATESTS
 TESTS += pidwraptest.sh
 check_PROGRAMS += pidwraptest
 pidwraptest_SOURCES = pidwraptest.c
-EXTRA_DIST += pidwraptest.sh
 endif
+EXTRA_DIST += pidwraptest.sh
 
 # pkcs7test
 TESTS += pkcs7test
@@ -242,7 +256,7 @@ poly1305test_SOURCES = poly1305test.c
 TESTS += pq_test.sh
 check_PROGRAMS += pq_test
 pq_test_SOURCES = pq_test.c
-EXTRA_DIST += pq_test.sh
+EXTRA_DIST += pq_test.sh pq_test.bat
 EXTRA_DIST += pq_expected.txt
 
 # randtest
@@ -275,6 +289,11 @@ TESTS += rmdtest
 check_PROGRAMS += rmdtest
 rmdtest_SOURCES = rmdtest.c
 
+# rsa_test
+TESTS += rsa_test
+check_PROGRAMS += rsa_test
+rsa_test_SOURCES = rsa_test.c
+
 # sha1test
 TESTS += sha1test
 check_PROGRAMS += sha1test
@@ -290,31 +309,50 @@ TESTS += sha512test
 check_PROGRAMS += sha512test
 sha512test_SOURCES = sha512test.c
 
+# ssl_versions
+TESTS += ssl_versions
+check_PROGRAMS += ssl_versions
+ssl_versions_SOURCES = ssl_versions.c
+
 # ssltest
 TESTS += ssltest.sh
 check_PROGRAMS += ssltest
 ssltest_SOURCES = ssltest.c
-EXTRA_DIST += ssltest.sh
+EXTRA_DIST += ssltest.sh ssltest.bat
-EXTRA_DIST += testssl ca.pem server.pem
+EXTRA_DIST += testssl testssl.bat ca.pem server.pem
 
 # testdsa
 TESTS += testdsa.sh
-EXTRA_DIST += testdsa.sh
+EXTRA_DIST += testdsa.sh testdsa.bat
 EXTRA_DIST += openssl.cnf
 
 # testenc
 TESTS += testenc.sh
-EXTRA_DIST += testenc.sh
+EXTRA_DIST += testenc.sh testenc.bat
 
 # testrsa
 TESTS += testrsa.sh
-EXTRA_DIST += testrsa.sh
+EXTRA_DIST += testrsa.sh testrsa.bat
 
 # timingsafe
 TESTS += timingsafe
 check_PROGRAMS += timingsafe
 timingsafe_SOURCES = timingsafe.c
 
+# tlstest
+TESTS += tlstest.sh
+check_PROGRAMS += tlstest
+tlstest_SOURCES = tlstest.c
+if !HAVE_PIPE2
+tlstest_SOURCES += compat/pipe2.c
+endif
+EXTRA_DIST += tlstest.sh tlstest.bat
+
+# tls_ext_alpn
+TESTS += tls_ext_alpn
+check_PROGRAMS += tls_ext_alpn
+tls_ext_alpn_SOURCES = tls_ext_alpn.c
+
 # utf8test
 TESTS += utf8test
 check_PROGRAMS += utf8test
@@ -324,3 +362,8 @@ utf8test_SOURCES = utf8test.c
 TESTS += verifytest
 check_PROGRAMS += verifytest
 verifytest_SOURCES = verifytest.c
+
+# x25519test
+TESTS += x25519test
+check_PROGRAMS += x25519test
+x25519test_SOURCES = x25519test.c

tests/compat/pipe2.c

@@ -0,0 +1,167 @@
+/*
+ * Public domain
+ *
+ * pipe2/pipe/socketpair emulation
+ * Brent Cook <bcook@openbsd.org>
+ */
+
+#include <errno.h>
+#include <fcntl.h>
+#include <unistd.h>
+#include <sys/socket.h>
+
+#undef socketpair
+
+#ifdef _WIN32
+
+static int setfd(int fd, int flag)
+{
+	int rc = -1;
+	if (flag & FD_CLOEXEC) {
+		HANDLE h = (HANDLE)_get_osfhandle(fd);
+		if (h != NULL)
+			rc = SetHandleInformation(h, HANDLE_FLAG_INHERIT, 0) == 0 ? -1 : 0;
+	}
+	return rc;
+}
+
+static int setfl(int fd, int flag)
+{
+	int rc = -1;
+	if (flag & O_NONBLOCK) {
+		long mode = 1;
+		rc = ioctlsocket(fd, FIONBIO, &mode);
+	}
+	return rc;
+}
+
+int socketpair(int domain, int type, int protocol, int socket_vector[2])
+{
+	if (domain != AF_UNIX || !(type & SOCK_STREAM) || protocol != PF_UNSPEC)
+		return -1;
+
+	socket_vector[0] = -1;
+	socket_vector[1] = -1;
+
+	int listener = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP);
+	if (listener == -1) {
+		return -1;
+	}
+
+	struct sockaddr_in addr = {
+		.sin_family = AF_INET,
+		.sin_addr.s_addr = htonl(INADDR_LOOPBACK),
+		.sin_port = 0,
+	};
+
+	int yes = 1, e;
+	if (setsockopt(listener, SOL_SOCKET, SO_REUSEADDR,
+			(void *)&yes, sizeof yes) == -1)
+		goto err;
+
+	if (bind(listener, (struct sockaddr *)&addr, sizeof addr) != 0)
+		goto err;
+
+	memset(&addr, 0, sizeof addr);
+	socklen_t addrlen = sizeof addr;
+	if (getsockname(listener, (struct sockaddr *)&addr, &addrlen) != 0)
+		goto err;
+
+	addr.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
+	addr.sin_family = AF_INET;
+
+	if (listen(listener, 1) != 0)
+		goto err;
+
+	socket_vector[0] = WSASocket(AF_INET, SOCK_STREAM, 0, NULL, 0, 0);
+	if (socket_vector[0] == -1)
+		goto err;
+
+	if (connect(socket_vector[0], (struct sockaddr *)&addr, sizeof addr) != 0)
+		goto err;
+
+	socket_vector[1] = accept(listener, NULL, NULL);
+	if (socket_vector[1] == -1)
+		goto err;
+
+	closesocket(listener);
+	return 0;
+
+err:
+	e = WSAGetLastError();
+	closesocket(listener);
+	closesocket(socket_vector[0]);
+	closesocket(socket_vector[1]);
+	WSASetLastError(e);
+	socket_vector[0] = -1;
+	socket_vector[1] = -1;
+	return -1;
+}
+
+int pipe(int fildes[2])
+{
+	return socketpair(AF_UNIX, SOCK_STREAM | SOCK_NONBLOCK, PF_UNSPEC, fildes);
+}
+
+#else
+
+static int setfd(int fd, int flag)
+{
+	int flags = fcntl(fd, F_GETFD);
+	flags |= flag;
+	return fcntl(fd, F_SETFD, flags);
+}
+
+static int setfl(int fd, int flag)
+{
+	int flags = fcntl(fd, F_GETFL);
+	flags |= flag;
+	return fcntl(fd, F_SETFL, flags);
+}
+#endif
+
+int pipe2(int fildes[2], int flags)
+{
+	int rc = pipe(fildes);
+	if (rc == 0) {
+		if (flags & O_NONBLOCK) {
+			rc |= setfl(fildes[0], O_NONBLOCK);
+			rc |= setfl(fildes[1], O_NONBLOCK);
+		}
+		if (flags & O_CLOEXEC) {
+			rc |= setfd(fildes[0], FD_CLOEXEC);
+			rc |= setfd(fildes[1], FD_CLOEXEC);
+		}
+		if (rc != 0) {
+			int e = errno;
+			close(fildes[0]);
+			close(fildes[1]);
+			errno = e;
+		}
+	}
+	return rc;
+}
+
+int bsd_socketpair(int domain, int type, int protocol, int socket_vector[2])
+{
+	int flags = type & ~0xf;
+	type &= 0xf;
+	int rc = socketpair(domain, type, protocol, socket_vector);
+	if (rc == 0) {
+		if (flags & SOCK_NONBLOCK) {
+			rc |= setfl(socket_vector[0], O_NONBLOCK);
+			rc |= setfl(socket_vector[1], O_NONBLOCK);
+		}
+		if (flags & SOCK_CLOEXEC) {
+			rc |= setfd(socket_vector[0], FD_CLOEXEC);
+			rc |= setfd(socket_vector[1], FD_CLOEXEC);
+		}
+		if (rc != 0) {
+			int e = errno;
+			close(socket_vector[0]);
+			close(socket_vector[1]);
+			errno = e;
+		}
+	}
+	return rc;
+}

tests/ocsptest.bat

@@ -0,0 +1,11 @@
+@echo off
+setlocal enabledelayedexpansion
+REM	ocsptest.bat
+
+set TEST=Debug\ocsp_test.exe
+if not exist %TEST% exit /b 1
+
+%TEST% www.amazon.com 443 & if !errorlevel! neq 0 exit /b 1
+%TEST% cloudflare.com 443 & if !errorlevel! neq 0 exit /b 1
+
+endlocal

tests/ocsptest.sh

@@ -0,0 +1,8 @@
+#!/bin/sh
+set -e
+TEST=./ocsp_test
+if [ -e ./ocsp_test.exe ]; then
+	TEST=./ocsp_test.exe
+fi
+$TEST www.amazon.com 443
+$TEST cloudflare.com 443

tests/pq_test.bat

@@ -0,0 +1,14 @@
+@echo off
+setlocal enabledelayedexpansion
+REM	pq_test.bat
+
+set TEST=Debug\pq_test.exe
+if not exist %TEST% exit /b 1
+
+set pq_output=pq_output.txt
+if exist %pq_output% del %pq_output%
+
+%TEST% > %pq_output%
+fc /b %pq_output% %srcdir%\pq_expected.txt
+
+endlocal

tests/ssltest.bat

@@ -0,0 +1,21 @@
+@echo off
+setlocal enabledelayedexpansion
+REM	ssltest.bat
+
+set ssltest_bin=Debug\ssltest.exe
+if not exist %ssltest_bin% exit /b 1
+
+set openssl_bin=..\apps\openssl\Debug\openssl.exe
+if not exist %openssl_bin% exit /b 1
+
+if "%srcdir%"=="" (
+	set srcdir=.
+)
+
+%srcdir%\testssl.bat %srcdir%\server.pem %srcdir%\server.pem %srcdir%\ca.pem ^
+    %ssltest_bin% %openssl_bin%
+if !errorlevel! neq 0 (
+	exit /b 1
+)
+
+endlocal

tests/ssltest.sh

@@ -6,10 +6,17 @@ if [ -e ./ssltest.exe ]; then
 	ssltest_bin=./ssltest.exe
 fi
 
+if [ -d ../apps/openssl ]; then
 	openssl_bin=../apps/openssl/openssl
 	if [ -e ../apps/openssl/openssl.exe ]; then
 		openssl_bin=../apps/openssl/openssl.exe
 	fi
+else
+	openssl_bin=../apps/openssl
+	if [ -e ../apps/openssl.exe ]; then
+		openssl_bin=../apps/openssl.exe
+	fi
+fi
 
 if [ -z $srcdir ]; then
 	srcdir=.

tests/testdsa.bat

@@ -0,0 +1,38 @@
+@echo off
+setlocal enabledelayedexpansion
+REM	testdsa.bat
+
+
+REM # Test DSA certificate generation of openssl
+
+set cmd=..\apps\openssl\Debug\openssl.exe
+if not exist %cmd% exit /b 1
+
+if "%srcdir%"=="" (
+	set srcdir=.
+)
+
+REM # Generate DSA paramter set
+%cmd% dsaparam 512 -out dsa512.pem
+if !errorlevel! neq 0 (
+	exit /b 1
+)
+
+
+REM # Generate a DSA certificate
+%cmd% req -config %srcdir%\openssl.cnf -x509 -newkey dsa:dsa512.pem -out testdsa.pem -keyout testdsa.key
+if !errorlevel! neq 0 (
+	exit /b 1
+)
+
+
+REM # Now check the certificate
+%cmd% x509 -text -in testdsa.pem
+if !errorlevel! neq 0 (
+	exit /b 1
+)
+
+del testdsa.key dsa512.pem testdsa.pem
+
+exit /b 0
+endlocal

tests/testdsa.sh

@@ -4,10 +4,17 @@
 
 #Test DSA certificate generation of openssl
 
+if [ -d ../apps/openssl ]; then
 	cmd=../apps/openssl/openssl
 	if [ -e ../apps/openssl/openssl.exe ]; then
 		cmd=../apps/openssl/openssl.exe
 	fi
+else
+	cmd=../apps/openssl
+	if [ -e ../apps/openssl.exe ]; then
+		cmd=../apps/openssl.exe
+	fi
+fi
 
 if [ -z $srcdir ]; then
 	srcdir=.

tests/testenc.bat

@@ -0,0 +1,69 @@
+@echo off
+setlocal enabledelayedexpansion
+REM	testenc.bat
+
+set test=p
+set cmd=..\apps\openssl\Debug\openssl.exe
+if not exist %cmd% exit /b 1
+
+set srcdir=..\..\tests
+
+copy %srcdir%\openssl.cnf %test%
+
+echo cat
+%cmd% enc -in %test% -out %test%.cipher
+%cmd% enc -in %test%.cipher -out %test%.clear
+fc /b %test% %test%.clear
+if !errorlevel! neq 0 (
+	exit /b 1
+) else (
+	del %test%.cipher %test%.clear
+)
+
+echo base64
+%cmd% enc -a -e -in %test% -out %test%.cipher
+%cmd% enc -a -d -in %test%.cipher -out %test%.clear
+fc /b %test% %test%.clear
+if !errorlevel! neq 0 (
+	exit /b 1
+) else (
+	del %test%.cipher %test%.clear
+)
+
+for %%i in (
+	aes-128-cbc aes-128-cfb aes-128-cfb1 aes-128-cfb8
+	aes-128-ecb aes-128-ofb aes-192-cbc aes-192-cfb
+	aes-192-cfb1 aes-192-cfb8 aes-192-ecb aes-192-ofb
+	aes-256-cbc aes-256-cfb aes-256-cfb1 aes-256-cfb8
+	aes-256-ecb aes-256-ofb
+	bf-cbc bf-cfb bf-ecb bf-ofb
+	cast-cbc cast5-cbc cast5-cfb cast5-ecb cast5-ofb
+	des-cbc des-cfb des-cfb8 des-ecb des-ede
+	des-ede-cbc des-ede-cfb des-ede-ofb des-ede3
+	des-ede3-cbc des-ede3-cfb des-ede3-ofb des-ofb desx-cbc
+	rc2-40-cbc rc2-64-cbc rc2-cbc rc2-cfb rc2-ecb rc2-ofb
+	rc4 rc4-40
+) do (
+	echo %%i
+	%cmd% %%i -e -k test -in %test% -out %test%.%%i.cipher
+	%cmd% %%i -d -k test -in %test%.%%i.cipher -out %test%.%%i.clear
+	fc /b %test% %test%.%%i.clear
+	if !errorlevel! neq 0 (
+		exit /b 1
+	) else (
+		del %test%.%%i.cipher %test%.%%i.clear
+	)
+
+	echo %%i base64
+	%cmd% %%i -a -e -k test -in %test% -out %test%.%%i.cipher
+	%cmd% %%i -a -d -k test -in %test%.%%i.cipher -out %test%.%%i.clear
+	fc /b %test% %test%.%%i.clear
+	if !errorlevel! neq 0 (
+		exit /b 1
+	) else (
+		del %test%.%%i.cipher %test%.%%i.clear
+	)
+)
+
+del %test%
+endlocal

tests/testenc.sh

@@ -2,12 +2,23 @@
 #	$OpenBSD: testenc.sh,v 1.1 2014/08/26 17:50:07 jsing Exp $
 
 test=p
+if [ -d ../apps/openssl ]; then
 	cmd=../apps/openssl/openssl
 	if [ -e ../apps/openssl/openssl.exe ]; then
 		cmd=../apps/openssl/openssl.exe
 	fi
+else
+	cmd=../apps/openssl
+	if [ -e ../apps/openssl.exe ]; then
+		cmd=../apps/openssl.exe
+	fi
+fi
 
-cat openssl.cnf >$test;
+if [ -z $srcdir ]; then
+	srcdir=.
+fi
+
+cat $srcdir/openssl.cnf >$test;
 
 echo cat
 $cmd enc < $test > $test.cipher

tests/testrsa.bat

@@ -0,0 +1,38 @@
+@echo off
+setlocal enabledelayedexpansion
+REM	testrsa.bat
+
+
+REM # Test RSA certificate generation of openssl
+
+set cmd=..\apps\openssl\Debug\openssl.exe
+if not exist %cmd% exit /b 1
+
+if "%srcdir%"=="" (
+	set srcdir=.
+)
+
+REM # Generate RSA private key
+%cmd% genrsa -out rsakey.pem
+if !errorlevel! neq 0 (
+	exit /b 1
+)
+
+
+REM # Generate an RSA certificate
+%cmd% req -config %srcdir%\openssl.cnf -key rsakey.pem -new -x509 -days 365 -out rsacert.pem
+if !errorlevel! neq 0 (
+	exit /b 1
+)
+
+
+REM # Now check the certificate
+%cmd% x509 -text -in rsacert.pem
+if !errorlevel! neq 0 (
+	exit /b 1
+)
+
+del rsacert.pem rsakey.pem
+
+exit /b 0
+endlocal

tests/testrsa.sh

@@ -4,10 +4,17 @@
 
 #Test RSA certificate generation of openssl
 
+if [ -d ../apps/openssl ]; then
 	cmd=../apps/openssl/openssl
 	if [ -e ../apps/openssl/openssl.exe ]; then
 		cmd=../apps/openssl/openssl.exe
 	fi
+else
+	cmd=../apps/openssl
+	if [ -e ../apps/openssl.exe ]; then
+		cmd=../apps/openssl.exe
+	fi
+fi
 
 if [ -z $srcdir ]; then
 	srcdir=.

tests/testssl.bat

@@ -0,0 +1,157 @@
+@echo off
+setlocal enabledelayedexpansion
+REM	testssl.bat
+
+set key=%1
+set cert=%2
+set CA=-CAfile %3
+set ssltest=%4 -key %key% -cert %cert% -c_key %key% -c_cert %cert%
+set openssl=%5
+set extra=%6
+
+%openssl% version & if !errorlevel! neq 0 exit /b 1
+
+for /f "usebackq" %%s in (`%openssl% x509 -in %cert% -text -noout ^| find /c "DSA Public Key"`) do set lines=%%s
+if %lines% gtr 0 (
+  set dsa_cert=YES
+) else (
+  set dsa_cert=NO
+)
+
+REM #########################################################################
+
+echo test sslv2/sslv3
+%ssltest% %extra% & if !errorlevel! neq 0 exit /b 1
+
+echo test sslv2/sslv3 with server authentication
+%ssltest% -server_auth %CA% %extra% & if !errorlevel! neq 0 exit /b 1
+
+echo test sslv2/sslv3 with client authentication
+%ssltest% -client_auth %CA% %extra% & if !errorlevel! neq 0 exit /b 1
+
+echo test sslv2/sslv3 with both client and server authentication
+%ssltest% -server_auth -client_auth %CA% %extra% & if !errorlevel! neq 0 exit /b 1
+
+echo test sslv2/sslv3 via BIO pair
+%ssltest% %extra% & if !errorlevel! neq 0 exit /b 1
+
+if %dsa_cert%==NO (
+  echo "test sslv2/sslv3 w/o (EC)DHE via BIO pair"
+  %ssltest% -bio_pair -no_dhe -no_ecdhe %extra% & if !errorlevel! neq 0 exit /b 1
+)
+
+echo test sslv2/sslv3 with 1024bit DHE via BIO pair
+%ssltest% -bio_pair -dhe1024dsa -v %extra% & if !errorlevel! neq 0 exit /b 1
+
+echo test sslv2/sslv3 with server authentication
+%ssltest% -bio_pair -server_auth %CA% %extra% & if !errorlevel! neq 0 exit /b 1
+
+echo test sslv2/sslv3 with client authentication via BIO pair
+%ssltest% -bio_pair -client_auth %CA% %extra% & if !errorlevel! neq 0 exit /b 1
+
+echo test sslv2/sslv3 with both client and server authentication via BIO pair
+%ssltest% -bio_pair -server_auth -client_auth %CA% %extra% & if !errorlevel! neq 0 exit /b 1
+
+echo test sslv2/sslv3 with both client and server authentication via BIO pair and app verify
+%ssltest% -bio_pair -server_auth -client_auth -app_verify %CA% %extra% & if !errorlevel! neq 0 exit /b 1
+
+echo "Testing ciphersuites"
+for %%p in ( TLSv1.2 ) do (
+  echo "Testing ciphersuites for %%p"
+  for /f "usebackq" %%c in (`%openssl% ciphers -v "%%p+aRSA"`) do (
+    echo "Testing %%c"
+    %ssltest% -cipher %%c
+    if !errorlevel! neq 0 (
+      echo "Failed %%c"
+      exit /b 1
+    )
+  )
+)
+
+REM ##########################################################################
+
+for /f "usebackq" %%s in (`%openssl% no-dh`) do set nodh=%%s
+if %nodh%==no-dh (
+  echo skipping anonymous DH tests
+) else (
+  echo test tls1 with 1024bit anonymous DH, multiple handshakes
+  %ssltest% -v -bio_pair -tls1 -cipher ADH -dhe1024dsa -num 10 -f -time %extra% & if !errorlevel! neq 0 exit /b 1
+)
+
+REM #for /f "usebackq" %%s in (`%openssl% no-rsa`) do set norsa=%%s
+REM #if %norsa%==no-rsa (
+REM #  echo skipping RSA tests
+REM #) else (
+REM #  echo "test tls1 with 1024bit RSA, no (EC)DHE, multiple handshakes"
+REM #  %ssltest% -v -bio_pair -tls1 -cert ..\apps\server2.pem -no_dhe -no_ecdhe -num 10 -f -time %extra% & if !errorlevel! neq 0 exit /b 1
+REM #
+REM #  for /f "usebackq" %%s in (`%openssl% no-dh`) do set nodh=%%s
+REM #  if %nodh%==no-dh (
+REM #    echo skipping RSA+DHE tests
+REM #  ) else (
+REM #    echo test tls1 with 1024bit RSA, 1024bit DHE, multiple handshakes
+REM #    %ssltest% -v -bio_pair -tls1 -cert ..\apps\server2.pem -dhe1024dsa -num 10 -f -time %extra% & if !errorlevel! neq 0 exit /b 1
+REM #  )
+REM #)
+
+REM #
+REM # DTLS tests
+REM #
+
+echo test dtlsv1
+%ssltest% -dtls1 %extra% & if !errorlevel! neq 0 exit /b 1
+
+echo test dtlsv1 with server authentication
+%ssltest% -dtls1 -server_auth %CA% %extra% & if !errorlevel! neq 0 exit /b 1
+
+echo test dtlsv1 with client authentication
+%ssltest% -dtls1 -client_auth %CA% %extra% & if !errorlevel! neq 0 exit /b 1
+
+echo test dtlsv1 with both client and server authentication
+%ssltest% -dtls1 -server_auth -client_auth %CA% %extra% & if !errorlevel! neq 0 exit /b 1
+
+echo "Testing DTLS ciphersuites"
+for %%p in ( SSLv3 ) do (
+  echo "Testing ciphersuites for %%p"
+  for /f "usebackq" %%c in (`%openssl% ciphers -v "RSA+%%p:-RC4"`) do (
+    echo "Testing %%c"
+    %ssltest% -cipher %%c -dtls1
+    if !errorlevel! neq 0 (
+      echo "Failed %%c"
+      exit /b 1
+    )
+  )
+)
+
+REM #
+REM # Next Protocol Negotiation tests
+REM #
+echo "Testing NPN..."
+%ssltest% -bio_pair -tls1 -npn_client & if !errorlevel! neq 0 exit /b 1
+%ssltest% -bio_pair -tls1 -npn_server & if !errorlevel! neq 0 exit /b 1
+%ssltest% -bio_pair -tls1 -npn_server_reject & if !errorlevel! neq 0 exit /b 1
+%ssltest% -bio_pair -tls1 -npn_client -npn_server_reject & if !errorlevel! neq 0 exit /b 1
+%ssltest% -bio_pair -tls1 -npn_client -npn_server & if !errorlevel! neq 0 exit /b 1
+%ssltest% -bio_pair -tls1 -npn_client -npn_server -num 2 & if !errorlevel! neq 0 exit /b 1
+%ssltest% -bio_pair -tls1 -npn_client -npn_server -num 2 -reuse & if !errorlevel! neq 0 exit /b 1
+
+REM #
+REM # ALPN tests
+REM #
+echo "Testing ALPN..."
+%ssltest% -bio_pair -tls1 -alpn_client foo -alpn_server bar & if !errorlevel! neq 0 exit /b 1
+%ssltest% -bio_pair -tls1 -alpn_client foo -alpn_server foo ^
+  -alpn_expected foo & if !errorlevel! neq 0 exit /b 1
+%ssltest% -bio_pair -tls1 -alpn_client foo,bar -alpn_server foo ^
+  -alpn_expected foo & if !errorlevel! neq 0 exit /b 1
+%ssltest% -bio_pair -tls1 -alpn_client bar,foo -alpn_server foo ^
+  -alpn_expected foo & if !errorlevel! neq 0 exit /b 1
+%ssltest% -bio_pair -tls1 -alpn_client bar,foo -alpn_server foo,bar ^
+  -alpn_expected foo & if !errorlevel! neq 0 exit /b 1
+%ssltest% -bio_pair -tls1 -alpn_client bar,foo -alpn_server bar,foo ^
+  -alpn_expected bar & if !errorlevel! neq 0 exit /b 1
+%ssltest% -bio_pair -tls1 -alpn_client foo,bar -alpn_server bar,foo ^
+  -alpn_expected bar & if !errorlevel! neq 0 exit /b 1
+%ssltest% -bio_pair -tls1 -alpn_client baz -alpn_server bar,foo & if !errorlevel! neq 0 exit /b 1
+
+endlocal

tests/tlstest.bat

@@ -0,0 +1,17 @@
+@echo off
+setlocal enabledelayedexpansion
+REM	tlstest.bat
+
+set tlstest_bin=Debug\tlstest.exe
+if not exist %tlstest_bin% exit /b 1
+
+if "%srcdir%"=="" (
+	set srcdir=.
+)
+
+%tlstest_bin% %srcdir%\server.pem %srcdir%\server.pem %srcdir%\ca.pem
+if !errorlevel! neq 0 (
+	exit /b 1
+)
+
+endlocal

tests/tlstest.sh

@@ -0,0 +1,13 @@
+#!/bin/sh
+set -e
+
+tlstest_bin=./tlstest
+if [ -e ./tlstest.exe ]; then
+	tlstest_bin=./tlstest.exe
+fi
+
+if [ -z $srcdir ]; then
+	srcdir=.
+fi
+
+$tlstest_bin $srcdir/server.pem $srcdir/server.pem $srcdir/ca.pem

tls/CMakeLists.txt

@@ -7,25 +7,36 @@ include_directories(
 set(
 	TLS_SRC
 	tls.c
+	tls_bio_cb.c
 	tls_client.c
 	tls_config.c
 	tls_conninfo.c
 	tls_server.c
+	tls_ocsp.c
 	tls_peer.c
 	tls_util.c
 	tls_verify.c
 )
 
 
-if(NOT HAVE_STRCASECMP)
+if(NOT "${OPENSSLDIR}" STREQUAL "")
-	set(TLS_SRC ${TLS_SRC} strsep.c)
+	add_definitions(-D_PATH_SSL_CA_FILE=\"${OPENSSLDIR}/cert.pem\")
+else()
+	add_definitions(-D_PATH_SSL_CA_FILE=\"${CMAKE_INSTALL_PREFIX}/etc/ssl/cert.pem\")
 endif()
 
-if (BUILD_SHARED)
 add_library(tls-objects OBJECT ${TLS_SRC})
+if (BUILD_SHARED)
 	add_library(tls STATIC $<TARGET_OBJECTS:tls-objects>)
 	add_library(tls-shared SHARED $<TARGET_OBJECTS:tls-objects>)
-	set_target_properties(tls-shared PROPERTIES OUTPUT_NAME tls)
+	export_symbol(tls-shared ${CMAKE_CURRENT_SOURCE_DIR}/tls.sym)
+	if (WIN32)
+		target_link_libraries(tls-shared ssl-shared crypto-shared Ws2_32.lib)
+		set(TLS_POSTFIX -${TLS_MAJOR_VERSION})
+	endif()
+	set_target_properties(tls-shared PROPERTIES
+		OUTPUT_NAME tls${TLS_POSTFIX}
+		ARCHIVE_OUTPUT_NAME tls${TLS_POSTFIX})
 	set_target_properties(tls-shared PROPERTIES VERSION ${TLS_VERSION}
 		SOVERSION ${TLS_MAJOR_VERSION})
 	install(TARGETS tls tls-shared DESTINATION lib)

tls/Makefile.am

@@ -4,20 +4,28 @@ lib_LTLIBRARIES = libtls.la
 
 EXTRA_DIST = VERSION
 EXTRA_DIST += CMakeLists.txt
+EXTRA_DIST += tls.sym
 
-libtls_la_LDFLAGS = -version-info @LIBTLS_VERSION@ -no-undefined
+libtls_la_LDFLAGS = -version-info @LIBTLS_VERSION@ -no-undefined -export-symbols $(top_srcdir)/tls/tls.sym
-libtls_la_LIBADD = ../crypto/libcrypto.la ../ssl/libssl.la $(PLATFORM_LDADD)
+libtls_la_LIBADD = $(abs_top_builddir)/ssl/libssl.la
+libtls_la_LIBADD += $(abs_top_builddir)/crypto/libcrypto.la
+libtls_la_LIBADD += $(PLATFORM_LDADD)
+
+libtls_la_CPPFLAGS = $(AM_CPPFLAGS)
+if OPENSSLDIR_DEFINED
+libtls_la_CPPFLAGS += -D_PATH_SSL_CA_FILE=\"@OPENSSLDIR@/cert.pem\"
+else
+libtls_la_CPPFLAGS += -D_PATH_SSL_CA_FILE=\"$(sysconfdir)/ssl/cert.pem\"
+endif
 
 libtls_la_SOURCES = tls.c
 libtls_la_SOURCES += tls_client.c
+libtls_la_SOURCES += tls_bio_cb.c
 libtls_la_SOURCES += tls_config.c
 libtls_la_SOURCES += tls_conninfo.c
 libtls_la_SOURCES += tls_server.c
+libtls_la_SOURCES += tls_ocsp.c
 libtls_la_SOURCES += tls_peer.c
 libtls_la_SOURCES += tls_util.c
 libtls_la_SOURCES += tls_verify.c
 noinst_HEADERS = tls_internal.h
-
-if !HAVE_STRSEP
-libtls_la_SOURCES += strsep.c
-endif

update.sh

@@ -26,15 +26,16 @@ libssl_src=$CWD/openbsd/src/lib/libssl
 libssl_regress=$CWD/openbsd/src/regress/lib/libssl
 libtls_src=$CWD/openbsd/src/lib/libtls
 libtls_regress=$CWD/openbsd/src/regress/lib/libtls
-app_src=$CWD/openbsd/src/usr.bin
+bin_src=$CWD/openbsd/src/usr.bin
+sbin_src=$CWD/openbsd/src/usr.sbin
 
 # load library versions
-. $libcrypto_src/crypto/shlib_version
+. $libcrypto_src/shlib_version
 libcrypto_version=$major:$minor:0
 echo "libcrypto version $libcrypto_version"
 echo $libcrypto_version > crypto/VERSION
 
-. $libssl_src/ssl/shlib_version
+. $libssl_src/shlib_version
 libssl_version=$major:$minor:0
 echo "libssl version $libssl_version"
 echo $libssl_version > ssl/VERSION
@@ -62,29 +63,32 @@ CP_LIBC='do_cp_libc'
 
 CP='cp -p'
 
-$CP $libssl_src/src/LICENSE COPYING
+$CP $libssl_src/LICENSE COPYING
 
-$CP $libcrypto_src/crypto/arch/amd64/opensslconf.h include/openssl
+$CP $libcrypto_src/arch/amd64/opensslconf.h include/openssl
-$CP $libssl_src/src/crypto/opensslfeatures.h include/openssl
+$CP $libcrypto_src/opensslfeatures.h include/openssl
-$CP $libssl_src/src/ssl/pqueue.h include
+$CP $libssl_src/pqueue.h include
 
 $CP $libtls_src/tls.h include
 $CP $libtls_src/tls.h libtls-standalone/include
 
 for i in crypto/compat libtls-standalone/compat; do
 	for j in $libc_src/crypt/arc4random.c \
+	    $libc_src/crypt/arc4random_uniform.c \
 	    $libc_src/crypt/chacha_private.h \
-	    $libc_src/string/explicit_bzero.c \
+	    $libc_src/net/inet_pton.c \
 	    $libc_src/stdlib/reallocarray.c \
+	    $libc_src/string/explicit_bzero.c \
 	    $libc_src/string/strcasecmp.c \
 	    $libc_src/string/strlcpy.c \
 	    $libc_src/string/strlcat.c \
 	    $libc_src/string/strndup.c \
 	    $libc_src/string/strnlen.c \
+	    $libc_src/string/strsep.c \
 	    $libc_src/string/timingsafe_bcmp.c \
 	    $libc_src/string/timingsafe_memcmp.c \
-	    $libcrypto_src/crypto/getentropy_*.c \
+	    $libcrypto_src/arc4random/getentropy_*.c \
-	    $libcrypto_src/crypto/arc4random_*.h; do
+	    $libcrypto_src/arc4random/arc4random_*.h; do
 		$CP_LIBC $j $i
 	done
 done
@@ -98,36 +102,36 @@ $CP crypto/compat/arc4random*.h \
 	crypto/compat/bsd-asprintf.c \
 	libtls-standalone/compat
 
-(cd $libssl_src/src/crypto/objects/;
+(cd $libcrypto_src/objects/;
 	perl objects.pl objects.txt obj_mac.num obj_mac.h;
 	perl obj_dat.pl obj_mac.h obj_dat.h )
 mkdir -p include/openssl crypto/objects
-$MV $libssl_src/src/crypto/objects/obj_mac.h ./include/openssl/obj_mac.h
+$MV $libcrypto_src/objects/obj_mac.h ./include/openssl/obj_mac.h
-$MV $libssl_src/src/crypto/objects/obj_dat.h ./crypto/objects/obj_dat.h
+$MV $libcrypto_src/objects/obj_dat.h ./crypto/objects/obj_dat.h
 
 copy_hdrs() {
 	for file in $2; do
-		$CP $libssl_src/src/$1/$file include/openssl
+		$CP $1/$file include/openssl
 	done
 }
 
-copy_hdrs crypto "stack/stack.h lhash/lhash.h stack/safestack.h
+copy_hdrs $libcrypto_src "stack/stack.h lhash/lhash.h stack/safestack.h
 	ossl_typ.h err/err.h crypto.h comp/comp.h x509/x509.h buffer/buffer.h
 	objects/objects.h asn1/asn1.h bn/bn.h ec/ec.h ecdsa/ecdsa.h
 	ecdh/ecdh.h rsa/rsa.h sha/sha.h x509/x509_vfy.h pkcs7/pkcs7.h pem/pem.h
 	pem/pem2.h hmac/hmac.h rand/rand.h md5/md5.h
-	krb5/krb5_asn.h asn1/asn1_mac.h x509v3/x509v3.h conf/conf.h ocsp/ocsp.h
+	asn1/asn1_mac.h x509v3/x509v3.h conf/conf.h ocsp/ocsp.h
 	aes/aes.h modes/modes.h asn1/asn1t.h dso/dso.h bf/blowfish.h
 	bio/bio.h cast/cast.h cmac/cmac.h conf/conf_api.h des/des.h dh/dh.h
-	dsa/dsa.h cms/cms.h engine/engine.h ui/ui.h pkcs12/pkcs12.h ts/ts.h
+	dsa/dsa.h engine/engine.h ui/ui.h pkcs12/pkcs12.h ts/ts.h
 	md4/md4.h ripemd/ripemd.h whrlpool/whrlpool.h idea/idea.h
 	rc2/rc2.h rc4/rc4.h ui/ui_compat.h txt_db/txt_db.h
 	chacha/chacha.h evp/evp.h poly1305/poly1305.h camellia/camellia.h
-	gost/gost.h"
+	gost/gost.h curve25519/curve25519.h"
 
-copy_hdrs ssl "srtp.h ssl.h ssl2.h ssl3.h ssl23.h tls1.h dtls1.h"
+copy_hdrs $libssl_src "srtp.h ssl.h ssl2.h ssl3.h ssl23.h tls1.h dtls1.h"
 
-$CP $libssl_src/src/crypto/opensslv.h include/openssl
+$CP $libcrypto_src/opensslv.h include/openssl
 awk '/LIBRESSL_VERSION_TEXT/ {print $4}' < include/openssl/opensslv.h | cut -d\" -f1 > VERSION
 echo "LibreSSL version `cat VERSION`"
 
@@ -138,16 +142,18 @@ for i in `awk '/SOURCES|HEADERS/ { print $3 }' crypto/Makefile.am` ; do
 	dir=`dirname $i`
 	mkdir -p crypto/$dir
 	if [ $dir != "compat" ]; then
-		if [ -e $libssl_src/src/crypto/$i ]; then
+		if [ -e $libcrypto_src/$i ]; then
-			$CP $libssl_src/src/crypto/$i crypto/$i
+			$CP $libcrypto_src/$i crypto/$i
 		fi
 	fi
 done
 $CP crypto/compat/b_win.c crypto/bio
 $CP crypto/compat/ui_openssl_win.c crypto/ui
+# add the libcrypto symbol export list
+grep '^[[:alpha:]]' < $libcrypto_src/Symbols.list > crypto/crypto.sym
 
 # generate assembly crypto algorithms
-asm_src=$libssl_src/src/crypto
+asm_src=$libcrypto_src
 gen_asm_stdout() {
 	perl $asm_src/$2 $1 > $3.tmp
 	[ $1 = "elf" ] && cat <<-EOF >> $3.tmp
@@ -168,24 +174,24 @@ gen_asm() {
 }
 for abi in elf macosx; do
 	echo generating ASM source for $abi
-	gen_asm_stdout $abi aes/asm/aes-x86_64.pl        crypto/aes/aes-$abi-x86_64.s
+	gen_asm_stdout $abi aes/asm/aes-x86_64.pl        crypto/aes/aes-$abi-x86_64.S
-	gen_asm_stdout $abi aes/asm/vpaes-x86_64.pl      crypto/aes/vpaes-$abi-x86_64.s
+	gen_asm_stdout $abi aes/asm/vpaes-x86_64.pl      crypto/aes/vpaes-$abi-x86_64.S
-	gen_asm_stdout $abi aes/asm/bsaes-x86_64.pl      crypto/aes/bsaes-$abi-x86_64.s
+	gen_asm_stdout $abi aes/asm/bsaes-x86_64.pl      crypto/aes/bsaes-$abi-x86_64.S
-	gen_asm_stdout $abi aes/asm/aesni-x86_64.pl      crypto/aes/aesni-$abi-x86_64.s
+	gen_asm_stdout $abi aes/asm/aesni-x86_64.pl      crypto/aes/aesni-$abi-x86_64.S
-	gen_asm_stdout $abi aes/asm/aesni-sha1-x86_64.pl crypto/aes/aesni-sha1-$abi-x86_64.s
+	gen_asm_stdout $abi aes/asm/aesni-sha1-x86_64.pl crypto/aes/aesni-sha1-$abi-x86_64.S
-	gen_asm_stdout $abi bn/asm/modexp512-x86_64.pl   crypto/bn/modexp512-$abi-x86_64.s
+	gen_asm_stdout $abi bn/asm/modexp512-x86_64.pl   crypto/bn/modexp512-$abi-x86_64.S
-	gen_asm_stdout $abi bn/asm/x86_64-mont.pl        crypto/bn/mont-$abi-x86_64.s
+	gen_asm_stdout $abi bn/asm/x86_64-mont.pl        crypto/bn/mont-$abi-x86_64.S
-	gen_asm_stdout $abi bn/asm/x86_64-mont5.pl       crypto/bn/mont5-$abi-x86_64.s
+	gen_asm_stdout $abi bn/asm/x86_64-mont5.pl       crypto/bn/mont5-$abi-x86_64.S
-	gen_asm_stdout $abi bn/asm/x86_64-gf2m.pl        crypto/bn/gf2m-$abi-x86_64.s
+	gen_asm_stdout $abi bn/asm/x86_64-gf2m.pl        crypto/bn/gf2m-$abi-x86_64.S
-	gen_asm_stdout $abi camellia/asm/cmll-x86_64.pl  crypto/camellia/cmll-$abi-x86_64.s
+	gen_asm_stdout $abi camellia/asm/cmll-x86_64.pl  crypto/camellia/cmll-$abi-x86_64.S
-	gen_asm_stdout $abi md5/asm/md5-x86_64.pl        crypto/md5/md5-$abi-x86_64.s
+	gen_asm_stdout $abi md5/asm/md5-x86_64.pl        crypto/md5/md5-$abi-x86_64.S
-	gen_asm_stdout $abi modes/asm/ghash-x86_64.pl    crypto/modes/ghash-$abi-x86_64.s
+	gen_asm_stdout $abi modes/asm/ghash-x86_64.pl    crypto/modes/ghash-$abi-x86_64.S
-	gen_asm_stdout $abi rc4/asm/rc4-x86_64.pl        crypto/rc4/rc4-$abi-x86_64.s
+	gen_asm_stdout $abi rc4/asm/rc4-x86_64.pl        crypto/rc4/rc4-$abi-x86_64.S
-	gen_asm_stdout $abi rc4/asm/rc4-md5-x86_64.pl    crypto/rc4/rc4-md5-$abi-x86_64.s
+	gen_asm_stdout $abi rc4/asm/rc4-md5-x86_64.pl    crypto/rc4/rc4-md5-$abi-x86_64.S
-	gen_asm_stdout $abi sha/asm/sha1-x86_64.pl       crypto/sha/sha1-$abi-x86_64.s
+	gen_asm_stdout $abi sha/asm/sha1-x86_64.pl       crypto/sha/sha1-$abi-x86_64.S
 	gen_asm        $abi sha/asm/sha512-x86_64.pl     crypto/sha/sha256-$abi-x86_64.S
 	gen_asm        $abi sha/asm/sha512-x86_64.pl     crypto/sha/sha512-$abi-x86_64.S
-	gen_asm_stdout $abi whrlpool/asm/wp-x86_64.pl    crypto/whrlpool/wp-$abi-x86_64.s
+	gen_asm_stdout $abi whrlpool/asm/wp-x86_64.pl    crypto/whrlpool/wp-$abi-x86_64.S
 	gen_asm        $abi x86_64cpuid.pl               crypto/cpuid-$abi-x86_64.S
 done
 
@@ -198,9 +204,8 @@ for i in `awk '/SOURCES|HEADERS/ { print $3 }' tls/Makefile.am` ; do
 		$CP $libtls_src/$i libtls-standalone/src
 	fi
 done
-
+# add the libtls symbol export list
-$CP_LIBC $libc_src/string/strsep.c tls
+grep '^[[:alpha:]]' < $libtls_src/Symbols.list > tls/tls.sym
-$CP_LIBC $libc_src/string/strsep.c libtls-standalone/compat
 
 mkdir -p libtls-standalone/m4
 $CP m4/check*.m4 \
@@ -211,25 +216,38 @@ sed -e "s/compat\///" crypto/Makefile.am.arc4random > \
 
 # copy nc(1) source
 echo "copying nc(1) source"
-$CP $app_src/nc/nc.1 apps/nc
+$CP $bin_src/nc/nc.1 apps/nc
 rm -f apps/nc/*.c apps/nc/*.h
+$CP_LIBC $libc_src/net/base64.c apps/nc/compat
 $CP_LIBC $libc_src/stdlib/strtonum.c apps/nc/compat
 for i in `awk '/SOURCES|HEADERS|MANS/ { print $3 }' apps/nc/Makefile.am` ; do
-	if [ -e $app_src/nc/$i ]; then
+	if [ -e $bin_src/nc/$i ]; then
-		$CP $app_src/nc/$i apps/nc
+		$CP $bin_src/nc/$i apps/nc
+	fi
+done
+
+# copy ocspcheck(1) source
+echo "copying ocspcheck(1) source"
+$CP $sbin_src/ocspcheck/ocspcheck.8 apps/ocspcheck
+rm -f apps/ocspcheck/*.c apps/ocspcheck/*.h
+$CP_LIBC $libc_src/net/inet_ntop.c apps/ocspcheck/compat
+$CP_LIBC $libc_src/string/memmem.c apps/ocspcheck/compat
+for i in `awk '/SOURCES|HEADERS|MANS/ { print $3 }' apps/ocspcheck/Makefile.am` ; do
+	if [ -e $sbin_src/ocspcheck/$i ]; then
+		$CP $sbin_src/ocspcheck/$i apps/ocspcheck
 	fi
 done
 
 # copy openssl(1) source
 echo "copying openssl(1) source"
-$CP $app_src/openssl/openssl.1 apps/openssl
+$CP $bin_src/openssl/openssl.1 apps/openssl
 $CP_LIBC $libc_src/stdlib/strtonum.c apps/openssl/compat
 $CP $libcrypto_src/cert.pem apps/openssl
 $CP $libcrypto_src/openssl.cnf apps/openssl
 $CP $libcrypto_src/x509v3.cnf apps/openssl
 for i in `awk '/SOURCES|HEADERS|MANS/ { print $3 }' apps/openssl/Makefile.am` ; do
-	if [ -e $app_src/openssl/$i ]; then
+	if [ -e $bin_src/openssl/$i ]; then
-		$CP $app_src/openssl/$i apps/openssl
+		$CP $bin_src/openssl/$i apps/openssl
 	fi
 done
 
@@ -237,8 +255,10 @@ done
 echo "copying libssl source"
 rm -f ssl/*.c ssl/*.h
 for i in `awk '/SOURCES|HEADERS/ { print $3 }' ssl/Makefile.am` ; do
-	$CP $libssl_src/src/ssl/$i ssl
+	$CP $libssl_src/$i ssl
 done
+# add the libssl symbol export list
+grep '^[[:alpha:]]' < $libssl_src/Symbols.list > ssl/ssl.sym
 
 # copy libcrypto tests
 echo "copying tests"
@@ -247,12 +267,11 @@ for i in `find $libcrypto_regress -name '*.c'`; do
 done
 $CP $libcrypto_regress/evp/evptests.txt tests
 $CP $libcrypto_regress/aead/aeadtests.txt tests
-$CP $libcrypto_regress/pqueue/expected.txt tests/pq_expected.txt
 
 # copy libc tests
 $CP $libc_regress/arc4random-fork/arc4random-fork.c tests/arc4randomforktest.c
 $CP $libc_regress/explicit_bzero/explicit_bzero.c tests
-$CP_LIBC $libc_src/string/memmem.c tests
+$CP_LIBC $libc_src/string/memmem.c tests/compat
 $CP $libc_regress/timingsafe/timingsafe.c tests
 
 # copy libssl tests
@@ -263,6 +282,7 @@ done
 $CP $libssl_regress/unit/tests.h tests
 $CP $libssl_regress/certs/ca.pem tests
 $CP $libssl_regress/certs/server.pem tests
+$CP $libssl_regress/pqueue/expected.txt tests/pq_expected.txt
 
 # copy libtls tests
 for i in `find $libtls_regress -name '*.c'`; do
@@ -286,7 +306,7 @@ add_man_links() {
 	for i in `grep $filter man/links`; do
 		IFS=","; set $i; unset IFS
 		if [ "$2" != "" ]; then
-			echo "	ln -sf $1 \$(DESTDIR)\$(mandir)/man3/$2" >> $dest
+			echo "	ln -sf \"$1\" \"\$(DESTDIR)\$(mandir)/man3/$2\"" >> $dest
 		fi
 	done
 	echo "" >> $dest
@@ -294,14 +314,19 @@ add_man_links() {
 	for i in `grep $filter man/links`; do
 		IFS=","; set $i; unset IFS
 		if [ "$2" != "" ]; then
-			echo "	-rm -f \$(DESTDIR)\$(mandir)/man3/$2" >> $dest
+			echo "	-rm -f \"\$(DESTDIR)\$(mandir)/man3/$2\"" >> $dest
 		fi
 	done
 }
 
 # apply local patches
+PATCH=patch
+# Prefer gnu patch on AIX systems, if available
+if [ -x /opt/freeware/bin/patch ]; then
+    PATCH=/opt/freeware/bin/patch
+fi
 for i in patches/*.patch; do
-    patch -p0 < $i
+    $PATCH -p0 < $i
 done
 
 # copy manpages
@@ -309,12 +334,8 @@ echo "copying manpages"
 echo EXTRA_DIST = CMakeLists.txt > man/Makefile.am
 echo dist_man_MANS = >> man/Makefile.am
 
-$CP $libtls_src/tls_init.3 man
-echo "dist_man_MANS += tls_init.3" >> man/Makefile.am
-
 (cd man
-	# update new-style manpages
+	for i in `ls -1 $libssl_src/man/*.3 | sort`; do
-	for i in `ls -1 $libssl_src/src/doc/ssl/*.3 | sort`; do
 		NAME=`basename "$i"`
 		$CP $i .
 		echo "dist_man_MANS += $NAME" >> Makefile.am
@@ -326,24 +347,10 @@ echo "dist_man_MANS += tls_init.3" >> man/Makefile.am
 		echo "dist_man_MANS += $NAME" >> Makefile.am
 	done
 
-	# convert remaining POD manpages
+	for i in `ls -1 $libtls_src/man/*.3 | sort`; do
-	for i in `ls -1 $libssl_src/src/doc/crypto/*.pod | sort`; do
+		NAME=`basename "$i"`
-		BASE=`echo $i|sed -e "s/\.pod//"`
+		$CP $i .
-		NAME=`basename "$BASE"`
+		echo "dist_man_MANS += $NAME" >> Makefile.am
-		# reformat file if new
-		if [ ! -f $NAME.3 -o $BASE.pod -nt $NAME.3 -o ../include/openssl/opensslv.h -nt $NAME.3 ]; then
-			echo processing $NAME
-			pod2man --official --release="LibreSSL $VERSION" --center=LibreSSL \
-				--section=3 $POD2MAN --name=$NAME < $BASE.pod > $NAME.3
-		fi
-		echo "dist_man_MANS += $NAME.3" >> Makefile.am
 	done
 )
 add_man_links . man/Makefile.am
-
-# standalone libtls manpages
-mkdir -p libtls-standalone/man
-echo "dist_man_MANS = tls_init.3" > libtls-standalone/man/Makefile.am
-
-$CP $libtls_src/tls_init.3 libtls-standalone/man
-add_man_links tls_init libtls-standalone/man/Makefile.am