update changelog for 2.2.6

The build system incorrectly set include directives in AM_CFLAGS which
causes them to be placed after the configured CPPFLAGS.  Thus, if
a user or packaging system sets CPPFLAGS to a location that has
libressl or openssl headers installed, they will be used instead
of the bundled versions.  This corrects that issue by setting up
the variables correctly.

https://github.com/libressl-portable/portable/issues/150

Signed-off-by: Jeremy Huddleston Sequoia <jeremyhu@apple.com>

.gitignore

@@ -41,22 +41,17 @@ Makefile.in
 *.def
 *.pc
 
-# man pages
-*.1
-*.3
-
 # tests
 test-driver
 *.log
 *.trs
+!tests/optionstest.c
 tests/aes_wrap*
 tests/arc4random_fork*
-tests/asn1time*
 tests/cipher*
 tests/explicit_bzero*
 tests/gost2814789t*
 tests/mont*
-tests/rfc5280time*
 tests/timingsafe*
 tests/*test
 tests/tests.h
@@ -66,8 +61,6 @@ tests/pbkdf2*
 tests/*.pem
 tests/testssl
 tests/*.txt
-!tests/optionstest.c
-!tests/*.test
 
 # ctags stuff
 TAGS
@@ -114,18 +107,14 @@ include/pqueue.h
 include/tls.h
 include/openssl/*.h
 
-/apps/nc/*.h
-/apps/nc/*.c
-/apps/nc/nc*
-!/apps/nc/readpassphrase.c
-/apps/openssl/*.h
-/apps/openssl/*.c
-/apps/openssl/*.cnf
-/apps/openssl/*.pem
-/apps/openssl/openssl
-/apps/openssl/compat/strtonum.c
-!/apps/openssl/apps_win.c
-!/apps/openssl/certhash_win.c
+!/apps/apps_win.c
+!/apps/poll_win.c
+!/apps/certhash_disabled.c
+/apps/*.h
+/apps/*.c
+/apps/*.cnf
+/apps/*.pem
+/apps/openssl
 
 !/crypto/Makefile.am.*
 !/crypto/compat/arc4random.h
@@ -134,7 +123,6 @@ include/openssl/*.h
 !/crypto/compat/posix_win.c
 !/crypto/compat/bsd_asprintf.c
 !/crypto/compat/inet_pton.c
-!/crypto/compat/timegm.c
 !/crypto/compat/ui_openssl_win.c
 !/crypto/CMakeLists.txt
 /crypto
@@ -153,4 +141,7 @@ include/openssl/*.h
 openbsd/
 
 *.tar.gz
+apps/*.1*
+man/*.3
+man/*.1
 man/Makefile.am

.travis.yml

@@ -1,24 +1,24 @@
 language: c
 matrix:
-  include:
-    - compiler: clang
-      os: osx
-      env: ARCH=native
-    - compiler: gcc
-      os: osx
-      env: ARCH=native
-    - compiler: clang
-      os: linux
-      env: ARCH=native
-    - compiler: gcc
-      os: linux
-      env: ARCH=native
-    - compiler: gcc
-      os: linux
-      env: ARCH=mingw32
-    - compiler: gcc
-      os: linux
-      env: ARCH=mingw64
+        include:
+                - compiler: clang
+                  os: osx
+                  env: ARCH=native
+                - compiler: gcc
+                  os: osx
+                  env: ARCH=native
+                - compiler: clang
+                  os: linux
+                  env: ARCH=native
+                - compiler: gcc
+                  os: linux
+                  env: ARCH=native
+                - compiler: gcc
+                  os: linux
+                  env: ARCH=mingw32
+                - compiler: gcc
+                  os: linux
+                  env: ARCH=mingw64
 
 script:
-  "./scripts/travis"
+        "./scripts/travis"

CMakeLists.txt

@@ -121,11 +121,6 @@ if(HAVE_STRSEP)
 	add_definitions(-DHAVE_STRSEP)
 endif()
 
-check_function_exists(timegm HAVE_TIMEGM)
-if(HAVE_TIMEGM)
-	add_definitions(-DHAVE_TIMEGM)
-endif()
-
 check_function_exists(arc4random_buf HAVE_ARC4RANDOM_BUF)
 if(HAVE_ARC4RANDOM_BUF)
 	add_definitions(-DHAVE_ARC4RANDOM_BUF)

ChangeLog

@@ -28,95 +28,35 @@ history is also available from Git.
 
 LibreSSL Portable Release Notes:
 
-2.3.1 - ASN.1 and time handling cleanups
+2.2.6
 
-	* ASN.1 cleanups and RFC5280 compliance fixes.
+	* Deprecated the SSL_OP_SINGLE_DH_USE flag.
 
-	* Time representations switched from 'unsigned long' to 'time_t'. LibreSSL
-	  now checks if the host OS supports 64-bit time_t.
+2.2.5 - Reliability Update
 
-	* Fixed a leak in SSL_new in the error path.
+	* Fixes from OpenSSL 1.0.1q
+	 - CVE-2015-3194 - NULL pointer dereference in client side certificate
+	                   validation.
+	 - CVE-2015-3195 - Memory leak in PKCS7 - not reachable from TLS/SSL
 
-	* Support always extracting the peer cipher and version with libtls.
+	* The following OpenSSL CVEs did not apply to LibreSSL
+	 - CVE-2015-3193 - Carry propagating bug in the x86_64 Montgomery
+	                   squaring procedure.
+	 - CVE-2015-3196 - Double free race condition of the identify hint
+	                   data.
 
-	* Added ability to check certificate validity times with libtls,
-	  tls_peer_cert_notbefore and tls_peer_cert_notafter.
+	 See https://marc.info/?l=openbsd-announce&m=144925068504102
 
-	* Changed tls_connect_servername to use the first address that resolves with
-	  getaddrinfo().
+2.2.4 - Build and bug fixes
 
-	* Remove broken conditional EVP_CHECK_DES_KEY code (non-functional since
-	  initial commit in 2004).
+	* Backported build fixes for CMake on Windows, OSX and Linux
 
-	* Fixed a memory leak and out-of-bounds access in OBJ_obj2txt, reported
-	  by Qualys Security.
+	* Fixes for a memory leak and out-of-bounds access in OBJ_obj2txt
+	  reported by Qualys Security.
+	 - CVE-2015-5333 - memory leak in OBJ_obj2txt
+	 - CVE-2015-5334 - 1-byte buffer overflow in OBJ_obj2txt
 
-	* Fixed an up-to 7 byte overflow in RC4 when len is not a multiple of
-	  sizeof(RC4_CHUNK), reported by Pascal Cuoq <cuoq at trust-in-soft.com>.
-
-	* Reject too small bits value in BN_generate_prime_ex(), so that it does
-	  not risk becoming negative in probable_prime_dh_safe(), reported by
-		Franck Denis.
-
-	* Enable nc(1) builds on more platforms.
-
-2.3.0 - SSLv3 removed, libtls API changes, portability improvements
-
-	* SSLv3 is now permanently removed from the tree.
-
-	* The libtls API is changed from the 2.2.x series.
-
-	  The read/write functions work correctly with external event
-	  libraries.  See the tls_init man page for examples of using libtls
-	  correctly in asynchronous mode.
-
-	  Client-side verification is now supported, with the client supplying
-	  the certificate to the server.
-
-	  Also, when using tls_connect_fds, tls_connect_socket or
-	  tls_accept_fds, libtls no longer implicitly closes the passed in
-	  sockets. The caller is responsible for closing them in this case.
-
-	* When loading a DSA key from an raw (without DH parameters) ASN.1
-	  serialization, perform some consistency checks on its `p' and `q'
-	  values, and return an error if the checks failed.
-
-	  Thanks for Georgi Guninski (guninski at guninski dot com) for
-	  mentioning the possibility of a weak (non prime) q value and
-	  providing a test case.
-
-	  See
-	  https://cpunks.org/pipermail/cypherpunks/2015-September/009007.html
-	  for a longer discussion.
-
-	* Fixed a bug in ECDH_compute_key that can lead to silent truncation
-	  of the result key without error. A coding error could cause software
-	  to use much shorter keys than intended.
-
-	* Removed support for DTLS_BAD_VER. Pre-DTLSv1 implementations are no
-	  longer supported.
-
-	* The engine command and parameters are removed from the openssl(1).
-	  Previous releases removed dynamic and builtin engine support
-	  already.
-
-	* SHA-0 is removed, which was withdrawn shortly after publication 20
-	  years ago.
-
-	* Added Certplus CA root certificate to the default cert.pem file.
-
-	* New interface OPENSSL_cpu_caps is provided that does not allow
-	  software to inadvertently modify cpu capability flags.
-	  OPENSSL_ia32cap and OPENSSL_ia32cap_loc are removed.
-
-	* The out_len argument of AEAD changed from ssize_t to size_t.
-
-	* Deduplicated DTLS code, sharing bugfixes and improvements with
-	  TLS.
-
-	* Converted 'nc' to use libtls for client and server operations; it is
-	  included in the libressl-portable distribution as an example of how
-	  to use the library.
+	 See http://www.openwall.com/lists/oss-security/2015/10/16/1
 
 2.2.3 - Bug fixes, build enhancements
 

OPENBSD_BRANCH

@@ -1 +1 @@
-master
+OPENBSD_5_8

apps/CMakeLists.txt

@@ -6,72 +6,73 @@ include_directories(
 
 set(
 	OPENSSL_SRC
-	openssl/apps.c
-	openssl/asn1pars.c
-	openssl/ca.c
-	openssl/ciphers.c
-	openssl/cms.c
-	openssl/crl.c
-	openssl/crl2p7.c
-	openssl/dgst.c
-	openssl/dh.c
-	openssl/dhparam.c
-	openssl/dsa.c
-	openssl/dsaparam.c
-	openssl/ec.c
-	openssl/ecparam.c
-	openssl/enc.c
-	openssl/errstr.c
-	openssl/gendh.c
-	openssl/gendsa.c
-	openssl/genpkey.c
-	openssl/genrsa.c
-	openssl/nseq.c
-	openssl/ocsp.c
-	openssl/openssl.c
-	openssl/passwd.c
-	openssl/pkcs12.c
-	openssl/pkcs7.c
-	openssl/pkcs8.c
-	openssl/pkey.c
-	openssl/pkeyparam.c
-	openssl/pkeyutl.c
-	openssl/prime.c
-	openssl/rand.c
-	openssl/req.c
-	openssl/rsa.c
-	openssl/rsautl.c
-	openssl/s_cb.c
-	openssl/s_client.c
-	openssl/s_server.c
-	openssl/s_socket.c
-	openssl/s_time.c
-	openssl/sess_id.c
-	openssl/smime.c
-	openssl/speed.c
-	openssl/spkac.c
-	openssl/ts.c
-	openssl/verify.c
-	openssl/version.c
-	openssl/x509.c
+	apps.c
+	asn1pars.c
+	ca.c
+	ciphers.c
+	cms.c
+	crl.c
+	crl2p7.c
+	dgst.c
+	dh.c
+	dhparam.c
+	dsa.c
+	dsaparam.c
+	ec.c
+	ecparam.c
+	enc.c
+	engine.c
+	errstr.c
+	gendh.c
+	gendsa.c
+	genpkey.c
+	genrsa.c
+	nseq.c
+	ocsp.c
+	openssl.c
+	passwd.c
+	pkcs12.c
+	pkcs7.c
+	pkcs8.c
+	pkey.c
+	pkeyparam.c
+	pkeyutl.c
+	prime.c
+	rand.c
+	req.c
+	rsa.c
+	rsautl.c
+	s_cb.c
+	s_client.c
+	s_server.c
+	s_socket.c
+	s_time.c
+	sess_id.c
+	smime.c
+	speed.c
+	spkac.c
+	ts.c
+	verify.c
+	version.c
+	x509.c
 )
 
 if(CMAKE_HOST_UNIX)
-	set(OPENSSL_SRC ${OPENSSL_SRC} openssl/apps_posix.c)
-	set(OPENSSL_SRC ${OPENSSL_SRC} openssl/certhash.c)
+	set(OPENSSL_SRC ${OPENSSL_SRC} apps_posix.c)
+	set(OPENSSL_SRC ${OPENSSL_SRC} certhash.c)
 endif()
 
 if(CMAKE_HOST_WIN32)
-	set(OPENSSL_SRC ${OPENSSL_SRC} openssl/apps_win.c)
-	set(OPENSSL_SRC ${OPENSSL_SRC} openssl/certhash_win.c)
-	set(OPENSSL_SRC ${OPENSSL_SRC} openssl/compat/poll_win.c)
+	set(OPENSSL_SRC ${OPENSSL_SRC} apps_win.c)
+	set(OPENSSL_SRC ${OPENSSL_SRC} certhash_disabled.c)
+	set(OPENSSL_SRC ${OPENSSL_SRC} poll_win.c)
 endif()
 
 check_function_exists(strtonum HAVE_STRTONUM)
 if(HAVE_STRTONUM)
 	add_definitions(-DHAVE_STRTONUM)
 else()
-	set(OPENSSL_SRC ${OPENSSL_SRC} openssl/compat/strtonum.c)
+	set(OPENSSL_SRC ${OPENSSL_SRC} strtonum.c)
 endif()
 
 add_executable(openssl ${OPENSSL_SRC})

apps/Makefile.am

@@ -1,5 +1,118 @@
 include $(top_srcdir)/Makefile.am.common
 
-SUBDIRS = openssl nc
+bin_PROGRAMS = openssl
 
-EXTRA_DIST = CMakeLists.txt
+openssl_LDADD = $(PLATFORM_LDADD) $(PROG_LDADD)
+openssl_LDADD += $(top_builddir)/ssl/libssl.la
+openssl_LDADD += $(top_builddir)/crypto/libcrypto.la
+
+openssl_SOURCES = apps.c
+openssl_SOURCES += asn1pars.c
+openssl_SOURCES += ca.c
+openssl_SOURCES += ciphers.c
+openssl_SOURCES += cms.c
+openssl_SOURCES += crl.c
+openssl_SOURCES += crl2p7.c
+openssl_SOURCES += dgst.c
+openssl_SOURCES += dh.c
+openssl_SOURCES += dhparam.c
+openssl_SOURCES += dsa.c
+openssl_SOURCES += dsaparam.c
+openssl_SOURCES += ec.c
+openssl_SOURCES += ecparam.c
+openssl_SOURCES += enc.c
+openssl_SOURCES += engine.c
+openssl_SOURCES += errstr.c
+openssl_SOURCES += gendh.c
+openssl_SOURCES += gendsa.c
+openssl_SOURCES += genpkey.c
+openssl_SOURCES += genrsa.c
+openssl_SOURCES += nseq.c
+openssl_SOURCES += ocsp.c
+openssl_SOURCES += openssl.c
+openssl_SOURCES += passwd.c
+openssl_SOURCES += pkcs12.c
+openssl_SOURCES += pkcs7.c
+openssl_SOURCES += pkcs8.c
+openssl_SOURCES += pkey.c
+openssl_SOURCES += pkeyparam.c
+openssl_SOURCES += pkeyutl.c
+openssl_SOURCES += prime.c
+openssl_SOURCES += rand.c
+openssl_SOURCES += req.c
+openssl_SOURCES += rsa.c
+openssl_SOURCES += rsautl.c
+openssl_SOURCES += s_cb.c
+openssl_SOURCES += s_client.c
+openssl_SOURCES += s_server.c
+openssl_SOURCES += s_socket.c
+openssl_SOURCES += s_time.c
+openssl_SOURCES += sess_id.c
+openssl_SOURCES += smime.c
+openssl_SOURCES += speed.c
+openssl_SOURCES += spkac.c
+openssl_SOURCES += ts.c
+openssl_SOURCES += verify.c
+openssl_SOURCES += version.c
+openssl_SOURCES += x509.c
+
+if BUILD_CERTHASH
+openssl_SOURCES += certhash.c
+else
+openssl_SOURCES += certhash_disabled.c
+endif
+
+if HOST_WIN
+openssl_SOURCES += apps_win.c
+else
+openssl_SOURCES += apps_posix.c
+endif
+
+if !HAVE_POLL
+if HOST_WIN
+openssl_SOURCES += poll_win.c
+endif
+endif
+
+if !HAVE_STRTONUM
+openssl_SOURCES += strtonum.c
+endif
+
+noinst_HEADERS = apps.h
+noinst_HEADERS += progs.h
+noinst_HEADERS += s_apps.h
+noinst_HEADERS += testdsa.h
+noinst_HEADERS += testrsa.h
+noinst_HEADERS += timeouts.h
+
+EXTRA_DIST = cert.pem
+EXTRA_DIST += openssl.cnf
+EXTRA_DIST += x509v3.cnf
+EXTRA_DIST += CMakeLists.txt
+
+install-exec-hook:
+	@if [ "@OPENSSLDIR@x" != "x" ]; then \
+		OPENSSLDIR="$(DESTDIR)/@OPENSSLDIR@"; \
+	else \
+		OPENSSLDIR="$(DESTDIR)/$(sysconfdir)/ssl"; \
+	fi; \
+	mkdir -p "$$OPENSSLDIR/certs"; \
+	for i in cert.pem openssl.cnf x509v3.cnf; do \
+		if [ ! -f "$$OPENSSLDIR/$i" ]; then \
+			$(INSTALL) -m 644 "$(srcdir)/$$i" "$$OPENSSLDIR/$$i"; \
+		else \
+			echo " $$OPENSSLDIR/$$i already exists, install will not overwrite"; \
+		fi \
+	done
+
+uninstall-local:
+	@if [ "@OPENSSLDIR@x" != "x" ]; then \
+		OPENSSLDIR="$(DESTDIR)/@OPENSSLDIR@"; \
+	else \
+		OPENSSLDIR="$(DESTDIR)/$(sysconfdir)/ssl"; \
+	fi; \
+	for i in cert.pem openssl.cnf x509v3.cnf; do \
+		if cmp -s "$$OPENSSLDIR/$$i" "$(srcdir)/$$i"; then \
+			rm -f "$$OPENSSLDIR/$$i"; \
+		fi \
+	done

apps/apps_win.c

@@ -0,0 +1,29 @@
+/*
+ * Public domain
+ *
+ * Dongsheng Song <dongsheng.song@gmail.com>
+ * Brent Cook <bcook@openbsd.org>
+ */
+
+#include <windows.h>
+
+#include "apps.h"
+
+double
+app_tminterval(int stop, int usertime)
+{
+	static unsigned __int64 tmstart;
+	union {
+		unsigned __int64 u64;
+		FILETIME ft;
+	} ct, et, kt, ut;
+
+	GetProcessTimes(GetCurrentProcess(), &ct.ft, &et.ft, &kt.ft, &ut.ft);
+
+	if (stop == TM_START) {
+		tmstart = ut.u64 + kt.u64;
+	} else {
+		return (ut.u64 + kt.u64 - tmstart) / (double) 10000000;
+	}
+	return 0;
+}

apps/nc/Makefile.am

@@ -1,40 +0,0 @@
-include $(top_srcdir)/Makefile.am.common
-
-if BUILD_NC
-
-noinst_PROGRAMS = nc
-
-EXTRA_DIST = nc.1
-
-nc_LDADD = $(PLATFORM_LDADD) $(PROG_LDADD)
-nc_LDADD += $(top_builddir)/crypto/libcrypto.la
-nc_LDADD += $(top_builddir)/ssl/libssl.la
-nc_LDADD += $(top_builddir)/tls/libtls.la
-
-AM_CPPFLAGS += -I$(top_srcdir)/apps/nc/compat
-
-nc_SOURCES = atomicio.c
-nc_SOURCES += netcat.c
-nc_SOURCES += socks.c
-noinst_HEADERS = atomicio.h
-noinst_HEADERS += compat/sys/socket.h
-
-nc_SOURCES += compat/socket.c
-
-if !HAVE_B64_NTOP
-nc_SOURCES += compat/base64.c
-endif
-
-if !HAVE_ACCEPT4
-nc_SOURCES += compat/accept4.c
-endif
-
-if !HAVE_READPASSPHRASE
-nc_SOURCES += compat/readpassphrase.c
-endif
-
-if !HAVE_STRTONUM
-nc_SOURCES += compat/strtonum.c
-endif
-
-endif

apps/nc/compat/accept4.c

@@ -1,17 +0,0 @@
-#include <sys/socket.h>
-#include <fcntl.h>
-
-int
-accept4(int s, struct sockaddr *addr, socklen_t *addrlen, int flags)
-{
-	int rets = accept(s, addr, addrlen);
-	if (rets == -1)
-		return s;
-
-	if (flags & SOCK_CLOEXEC) {
-		flags = fcntl(s, F_GETFD);
-		fcntl(rets, F_SETFD, flags | FD_CLOEXEC);
-	}
-
-	return rets;
-}

apps/nc/compat/base64.c

@@ -1,315 +0,0 @@
-/*	$OpenBSD: base64.c,v 1.8 2015/01/16 16:48:51 deraadt Exp $	*/
-
-/*
- * Copyright (c) 1996 by Internet Software Consortium.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND INTERNET SOFTWARE CONSORTIUM DISCLAIMS
- * ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES
- * OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL INTERNET SOFTWARE
- * CONSORTIUM BE LIABLE FOR ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL
- * DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR
- * PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS
- * ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS
- * SOFTWARE.
- */
-
-/*
- * Portions Copyright (c) 1995 by International Business Machines, Inc.
- *
- * International Business Machines, Inc. (hereinafter called IBM) grants
- * permission under its copyrights to use, copy, modify, and distribute this
- * Software with or without fee, provided that the above copyright notice and
- * all paragraphs of this notice appear in all copies, and that the name of IBM
- * not be used in connection with the marketing of any product incorporating
- * the Software or modifications thereof, without specific, written prior
- * permission.
- *
- * To the extent it has a right to do so, IBM grants an immunity from suit
- * under its patents, if any, for the use, sale or manufacture of products to
- * the extent that such products are used for performing Domain Name System
- * dynamic updates in TCP/IP networks by means of the Software.  No immunity is
- * granted for any product per se or for any other function of any product.
- *
- * THE SOFTWARE IS PROVIDED "AS IS", AND IBM DISCLAIMS ALL WARRANTIES,
- * INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A
- * PARTICULAR PURPOSE.  IN NO EVENT SHALL IBM BE LIABLE FOR ANY SPECIAL,
- * DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER ARISING
- * OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE, EVEN
- * IF IBM IS APPRISED OF THE POSSIBILITY OF SUCH DAMAGES.
- */
-
-#include <sys/types.h>
-#include <sys/socket.h>
-#include <netinet/in.h>
-#include <arpa/inet.h>
-#include <arpa/nameser.h>
-
-#include <ctype.h>
-#include <resolv.h>
-#include <stdio.h>
-
-#include <stdlib.h>
-#include <string.h>
-
-static const char Base64[] =
-	"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";
-static const char Pad64 = '=';
-
-/* (From RFC1521 and draft-ietf-dnssec-secext-03.txt)
-   The following encoding technique is taken from RFC 1521 by Borenstein
-   and Freed.  It is reproduced here in a slightly edited form for
-   convenience.
-
-   A 65-character subset of US-ASCII is used, enabling 6 bits to be
-   represented per printable character. (The extra 65th character, "=",
-   is used to signify a special processing function.)
-
-   The encoding process represents 24-bit groups of input bits as output
-   strings of 4 encoded characters. Proceeding from left to right, a
-   24-bit input group is formed by concatenating 3 8-bit input groups.
-   These 24 bits are then treated as 4 concatenated 6-bit groups, each
-   of which is translated into a single digit in the base64 alphabet.
-
-   Each 6-bit group is used as an index into an array of 64 printable
-   characters. The character referenced by the index is placed in the
-   output string.
-
-                         Table 1: The Base64 Alphabet
-
-      Value Encoding  Value Encoding  Value Encoding  Value Encoding
-          0 A            17 R            34 i            51 z
-          1 B            18 S            35 j            52 0
-          2 C            19 T            36 k            53 1
-          3 D            20 U            37 l            54 2
-          4 E            21 V            38 m            55 3
-          5 F            22 W            39 n            56 4
-          6 G            23 X            40 o            57 5
-          7 H            24 Y            41 p            58 6
-          8 I            25 Z            42 q            59 7
-          9 J            26 a            43 r            60 8
-         10 K            27 b            44 s            61 9
-         11 L            28 c            45 t            62 +
-         12 M            29 d            46 u            63 /
-         13 N            30 e            47 v
-         14 O            31 f            48 w         (pad) =
-         15 P            32 g            49 x
-         16 Q            33 h            50 y
-
-   Special processing is performed if fewer than 24 bits are available
-   at the end of the data being encoded.  A full encoding quantum is
-   always completed at the end of a quantity.  When fewer than 24 input
-   bits are available in an input group, zero bits are added (on the
-   right) to form an integral number of 6-bit groups.  Padding at the
-   end of the data is performed using the '=' character.
-
-   Since all base64 input is an integral number of octets, only the
-         -------------------------------------------------                       
-   following cases can arise:
-   
-       (1) the final quantum of encoding input is an integral
-           multiple of 24 bits; here, the final unit of encoded
-	   output will be an integral multiple of 4 characters
-	   with no "=" padding,
-       (2) the final quantum of encoding input is exactly 8 bits;
-           here, the final unit of encoded output will be two
-	   characters followed by two "=" padding characters, or
-       (3) the final quantum of encoding input is exactly 16 bits;
-           here, the final unit of encoded output will be three
-	   characters followed by one "=" padding character.
-   */
-
-int
-b64_ntop(src, srclength, target, targsize)
-	u_char const *src;
-	size_t srclength;
-	char *target;
-	size_t targsize;
-{
-	size_t datalength = 0;
-	u_char input[3];
-	u_char output[4];
-	int i;
-
-	while (2 < srclength) {
-		input[0] = *src++;
-		input[1] = *src++;
-		input[2] = *src++;
-		srclength -= 3;
-
-		output[0] = input[0] >> 2;
-		output[1] = ((input[0] & 0x03) << 4) + (input[1] >> 4);
-		output[2] = ((input[1] & 0x0f) << 2) + (input[2] >> 6);
-		output[3] = input[2] & 0x3f;
-
-		if (datalength + 4 > targsize)
-			return (-1);
-		target[datalength++] = Base64[output[0]];
-		target[datalength++] = Base64[output[1]];
-		target[datalength++] = Base64[output[2]];
-		target[datalength++] = Base64[output[3]];
-	}
-    
-	/* Now we worry about padding. */
-	if (0 != srclength) {
-		/* Get what's left. */
-		input[0] = input[1] = input[2] = '\0';
-		for (i = 0; i < srclength; i++)
-			input[i] = *src++;
-	
-		output[0] = input[0] >> 2;
-		output[1] = ((input[0] & 0x03) << 4) + (input[1] >> 4);
-		output[2] = ((input[1] & 0x0f) << 2) + (input[2] >> 6);
-
-		if (datalength + 4 > targsize)
-			return (-1);
-		target[datalength++] = Base64[output[0]];
-		target[datalength++] = Base64[output[1]];
-		if (srclength == 1)
-			target[datalength++] = Pad64;
-		else
-			target[datalength++] = Base64[output[2]];
-		target[datalength++] = Pad64;
-	}
-	if (datalength >= targsize)
-		return (-1);
-	target[datalength] = '\0';	/* Returned value doesn't count \0. */
-	return (datalength);
-}
-
-/* skips all whitespace anywhere.
-   converts characters, four at a time, starting at (or after)
-   src from base - 64 numbers into three 8 bit bytes in the target area.
-   it returns the number of data bytes stored at the target, or -1 on error.
- */
-
-int
-b64_pton(src, target, targsize)
-	char const *src;
-	u_char *target;
-	size_t targsize;
-{
-	int tarindex, state, ch;
-	u_char nextbyte;
-	char *pos;
-
-	state = 0;
-	tarindex = 0;
-
-	while ((ch = (unsigned char)*src++) != '\0') {
-		if (isspace(ch))	/* Skip whitespace anywhere. */
-			continue;
-
-		if (ch == Pad64)
-			break;
-
-		pos = strchr(Base64, ch);
-		if (pos == 0) 		/* A non-base64 character. */
-			return (-1);
-
-		switch (state) {
-		case 0:
-			if (target) {
-				if (tarindex >= targsize)
-					return (-1);
-				target[tarindex] = (pos - Base64) << 2;
-			}
-			state = 1;
-			break;
-		case 1:
-			if (target) {
-				if (tarindex >= targsize)
-					return (-1);
-				target[tarindex]   |=  (pos - Base64) >> 4;
-				nextbyte = ((pos - Base64) & 0x0f) << 4;
-				if (tarindex + 1 < targsize)
-					target[tarindex+1] = nextbyte;
-				else if (nextbyte)
-					return (-1);
-			}
-			tarindex++;
-			state = 2;
-			break;
-		case 2:
-			if (target) {
-				if (tarindex >= targsize)
-					return (-1);
-				target[tarindex]   |=  (pos - Base64) >> 2;
-				nextbyte = ((pos - Base64) & 0x03) << 6;
-				if (tarindex + 1 < targsize)
-					target[tarindex+1] = nextbyte;
-				else if (nextbyte)
-					return (-1);
-			}
-			tarindex++;
-			state = 3;
-			break;
-		case 3:
-			if (target) {
-				if (tarindex >= targsize)
-					return (-1);
-				target[tarindex] |= (pos - Base64);
-			}
-			tarindex++;
-			state = 0;
-			break;
-		}
-	}
-
-	/*
-	 * We are done decoding Base-64 chars.  Let's see if we ended
-	 * on a byte boundary, and/or with erroneous trailing characters.
-	 */
-
-	if (ch == Pad64) {			/* We got a pad char. */
-		ch = (unsigned char)*src++;	/* Skip it, get next. */
-		switch (state) {
-		case 0:		/* Invalid = in first position */
-		case 1:		/* Invalid = in second position */
-			return (-1);
-
-		case 2:		/* Valid, means one byte of info */
-			/* Skip any number of spaces. */
-			for (; ch != '\0'; ch = (unsigned char)*src++)
-				if (!isspace(ch))
-					break;
-			/* Make sure there is another trailing = sign. */
-			if (ch != Pad64)
-				return (-1);
-			ch = (unsigned char)*src++;		/* Skip the = */
-			/* Fall through to "single trailing =" case. */
-			/* FALLTHROUGH */
-
-		case 3:		/* Valid, means two bytes of info */
-			/*
-			 * We know this char is an =.  Is there anything but
-			 * whitespace after it?
-			 */
-			for (; ch != '\0'; ch = (unsigned char)*src++)
-				if (!isspace(ch))
-					return (-1);
-
-			/*
-			 * Now make sure for cases 2 and 3 that the "extra"
-			 * bits that slopped past the last full byte were
-			 * zeros.  If we don't check them, they become a
-			 * subliminal channel.
-			 */
-			if (target && tarindex < targsize &&
-			    target[tarindex] != 0)
-				return (-1);
-		}
-	} else {
-		/*
-		 * We ended by seeing the end of the string.  Make sure we
-		 * have no partial bytes lying around.
-		 */
-		if (state != 0)
-			return (-1);
-	}
-
-	return (tarindex);
-}

apps/nc/compat/readpassphrase.c

@@ -1,205 +0,0 @@
-/*	$OpenBSD: readpassphrase.c,v 1.22 2010/01/13 10:20:54 dtucker Exp $	*/
-
-/*
- * Copyright (c) 2000-2002, 2007 Todd C. Miller <Todd.Miller@courtesan.com>
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
- * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
- * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
- * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
- * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
- * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
- * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
- *
- * Sponsored in part by the Defense Advanced Research Projects
- * Agency (DARPA) and Air Force Research Laboratory, Air Force
- * Materiel Command, USAF, under agreement number F39502-99-1-0512.
- */
-
-/* OPENBSD ORIGINAL: lib/libc/gen/readpassphrase.c */
-
-#include <termios.h>
-#include <signal.h>
-#include <ctype.h>
-#include <fcntl.h>
-#include <errno.h>
-#include <string.h>
-#include <unistd.h>
-
-#include <readpassphrase.h>
-
-#ifndef _PATH_TTY
-# define _PATH_TTY "/dev/tty"
-#endif
-
-#ifdef TCSASOFT
-# define _T_FLUSH	(TCSAFLUSH|TCSASOFT)
-#else
-# define _T_FLUSH	(TCSAFLUSH)
-#endif
-
-/* SunOS 4.x which lacks _POSIX_VDISABLE, but has VDISABLE */
-#if !defined(_POSIX_VDISABLE) && defined(VDISABLE)
-#  define _POSIX_VDISABLE       VDISABLE
-#endif
-
-#ifndef _NSIG
-# ifdef NSIG
-#  define _NSIG NSIG
-# else
-#  define _NSIG 128
-# endif
-#endif
-
-static volatile sig_atomic_t signo[_NSIG];
-
-static void handler(int);
-
-char *
-readpassphrase(const char *prompt, char *buf, size_t bufsiz, int flags)
-{
-	ssize_t bytes_written = 0;
-	ssize_t nr;
-	int input, output, save_errno, i, need_restart;
-	char ch, *p, *end;
-	struct termios term, oterm;
-	struct sigaction sa, savealrm, saveint, savehup, savequit, saveterm;
-	struct sigaction savetstp, savettin, savettou, savepipe;
-
-	/* I suppose we could alloc on demand in this case (XXX). */
-	if (bufsiz == 0) {
-		errno = EINVAL;
-		return(NULL);
-	}
-
-restart:
-	for (i = 0; i < _NSIG; i++)
-		signo[i] = 0;
-	nr = -1;
-	save_errno = 0;
-	need_restart = 0;
-	/*
-	 * Read and write to /dev/tty if available.  If not, read from
-	 * stdin and write to stderr unless a tty is required.
-	 */
-	if ((flags & RPP_STDIN) ||
-	    (input = output = open(_PATH_TTY, O_RDWR)) == -1) {
-		if (flags & RPP_REQUIRE_TTY) {
-			errno = ENOTTY;
-			return(NULL);
-		}
-		input = STDIN_FILENO;
-		output = STDERR_FILENO;
-	}
-
-	/*
-	 * Catch signals that would otherwise cause the user to end
-	 * up with echo turned off in the shell.  Don't worry about
-	 * things like SIGXCPU and SIGVTALRM for now.
-	 */
-	sigemptyset(&sa.sa_mask);
-	sa.sa_flags = 0;		/* don't restart system calls */
-	sa.sa_handler = handler;
-	(void)sigaction(SIGALRM, &sa, &savealrm);
-	(void)sigaction(SIGHUP, &sa, &savehup);
-	(void)sigaction(SIGINT, &sa, &saveint);
-	(void)sigaction(SIGPIPE, &sa, &savepipe);
-	(void)sigaction(SIGQUIT, &sa, &savequit);
-	(void)sigaction(SIGTERM, &sa, &saveterm);
-	(void)sigaction(SIGTSTP, &sa, &savetstp);
-	(void)sigaction(SIGTTIN, &sa, &savettin);
-	(void)sigaction(SIGTTOU, &sa, &savettou);
-
-	/* Turn off echo if possible. */
-	if (input != STDIN_FILENO && tcgetattr(input, &oterm) == 0) {
-		memcpy(&term, &oterm, sizeof(term));
-		if (!(flags & RPP_ECHO_ON))
-			term.c_lflag &= ~(ECHO | ECHONL);
-#ifdef VSTATUS
-		if (term.c_cc[VSTATUS] != _POSIX_VDISABLE)
-			term.c_cc[VSTATUS] = _POSIX_VDISABLE;
-#endif
-		(void)tcsetattr(input, _T_FLUSH, &term);
-	} else {
-		memset(&term, 0, sizeof(term));
-		term.c_lflag |= ECHO;
-		memset(&oterm, 0, sizeof(oterm));
-		oterm.c_lflag |= ECHO;
-	}
-
-	/* No I/O if we are already backgrounded. */
-	if (signo[SIGTTOU] != 1 && signo[SIGTTIN] != 1) {
-		if (!(flags & RPP_STDIN))
-			bytes_written = write(output, prompt, strlen(prompt));
-		end = buf + bufsiz - 1;
-		p = buf;
-		while ((nr = read(input, &ch, 1)) == 1 && ch != '\n' && ch != '\r') {
-			if (p < end) {
-				if ((flags & RPP_SEVENBIT))
-					ch &= 0x7f;
-				if (isalpha(ch)) {
-					if ((flags & RPP_FORCELOWER))
-						ch = (char)tolower(ch);
-					if ((flags & RPP_FORCEUPPER))
-						ch = (char)toupper(ch);
-				}
-				*p++ = ch;
-			}
-		}
-		*p = '\0';
-		save_errno = errno;
-		if (!(term.c_lflag & ECHO))
-			bytes_written = write(output, "\n", 1);
-	}
-
-	(void) bytes_written;
-
-	/* Restore old terminal settings and signals. */
-	if (memcmp(&term, &oterm, sizeof(term)) != 0) {
-		while (tcsetattr(input, _T_FLUSH, &oterm) == -1 &&
-		    errno == EINTR)
-			continue;
-	}
-	(void)sigaction(SIGALRM, &savealrm, NULL);
-	(void)sigaction(SIGHUP, &savehup, NULL);
-	(void)sigaction(SIGINT, &saveint, NULL);
-	(void)sigaction(SIGQUIT, &savequit, NULL);
-	(void)sigaction(SIGPIPE, &savepipe, NULL);
-	(void)sigaction(SIGTERM, &saveterm, NULL);
-	(void)sigaction(SIGTSTP, &savetstp, NULL);
-	(void)sigaction(SIGTTIN, &savettin, NULL);
-	(void)sigaction(SIGTTOU, &savettou, NULL);
-	if (input != STDIN_FILENO)
-		(void)close(input);
-
-	/*
-	 * If we were interrupted by a signal, resend it to ourselves
-	 * now that we have restored the signal handlers.
-	 */
-	for (i = 0; i < _NSIG; i++) {
-		if (signo[i]) {
-			kill(getpid(), i);
-			switch (i) {
-			case SIGTSTP:
-			case SIGTTIN:
-			case SIGTTOU:
-				need_restart = 1;
-			}
-		}
-	}
-	if (need_restart)
-		goto restart;
-
-	if (save_errno)
-		errno = save_errno;
-	return(nr == -1 ? NULL : buf);
-}
-
-static void handler(int s)
-{
-	signo[s] = 1;
-}

apps/nc/compat/socket.c

@@ -1,29 +0,0 @@
-#define SOCKET_FLAGS_PRIV
-
-#include <sys/socket.h>
-
-#ifdef NEED_SOCKET_FLAGS
-
-#include <fcntl.h>
-
-int
-_socket(int domain, int type, int protocol)
-{
-	int s = socket(domain, type & ~(SOCK_CLOEXEC | SOCK_NONBLOCK), protocol);
-	int flags;
-	if (s == -1)
-		return s;
-
-	if (type & SOCK_CLOEXEC) {
-		flags = fcntl(s, F_GETFD);
-		fcntl(s, F_SETFD, flags | FD_CLOEXEC);
-	}
-
-	if (type & SOCK_NONBLOCK) {
-		flags = fcntl(s, F_GETFL);
-		fcntl(s, F_SETFL, flags | O_NONBLOCK);
-	}
-	return s;
-}
-
-#endif

apps/nc/compat/strtonum.c

@@ -1,65 +0,0 @@
-/*	$OpenBSD: strtonum.c,v 1.7 2013/04/17 18:40:58 tedu Exp $	*/
-
-/*
- * Copyright (c) 2004 Ted Unangst and Todd Miller
- * All rights reserved.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
- * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
- * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
- * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
- * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
- * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
- * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
- */
-
-#include <errno.h>
-#include <limits.h>
-#include <stdlib.h>
-
-#define	INVALID		1
-#define	TOOSMALL	2
-#define	TOOLARGE	3
-
-long long
-strtonum(const char *numstr, long long minval, long long maxval,
-    const char **errstrp)
-{
-	long long ll = 0;
-	int error = 0;
-	char *ep;
-	struct errval {
-		const char *errstr;
-		int err;
-	} ev[4] = {
-		{ NULL,		0 },
-		{ "invalid",	EINVAL },
-		{ "too small",	ERANGE },
-		{ "too large",	ERANGE },
-	};
-
-	ev[0].err = errno;
-	errno = 0;
-	if (minval > maxval) {
-		error = INVALID;
-	} else {
-		ll = strtoll(numstr, &ep, 10);
-		if (numstr == ep || *ep != '\0')
-			error = INVALID;
-		else if ((ll == LLONG_MIN && errno == ERANGE) || ll < minval)
-			error = TOOSMALL;
-		else if ((ll == LLONG_MAX && errno == ERANGE) || ll > maxval)
-			error = TOOLARGE;
-	}
-	if (errstrp != NULL)
-		*errstrp = ev[error].errstr;
-	errno = ev[error].err;
-	if (error)
-		ll = 0;
-
-	return (ll);
-}

apps/nc/compat/sys/socket.h

@@ -1,31 +0,0 @@
-/*
- * Public domain
- * sys/socket.h compatibility shim
- */
-
-#ifndef _WIN32
-#include_next <sys/socket.h>
-
-#if !defined(SOCK_NONBLOCK) || !defined(SOCK_CLOEXEC)
-#define NEED_SOCKET_FLAGS
-int _socket(int domain, int type, int protocol);
-#ifndef SOCKET_FLAGS_PRIV
-#define socket(d, t, p) _socket(d, t, p)
-#endif
-#endif
-
-#ifndef SOCK_NONBLOCK
-#define	SOCK_NONBLOCK		0x4000	/* set O_NONBLOCK */
-#endif
-
-#ifndef SOCK_CLOEXEC
-#define	SOCK_CLOEXEC		0x8000	/* set FD_CLOEXEC */
-#endif
-
-#ifndef HAVE_ACCEPT4
-int accept4(int s, struct sockaddr *addr, socklen_t *addrlen, int flags);
-#endif
-
-#else
-#include <win32netcompat.h>
-#endif

apps/openssl/Makefile.am

@@ -1,118 +0,0 @@
-include $(top_srcdir)/Makefile.am.common
-
-bin_PROGRAMS = openssl
-
-dist_man_MANS = openssl.1
-
-openssl_LDADD = $(PLATFORM_LDADD) $(PROG_LDADD)
-openssl_LDADD += $(top_builddir)/ssl/libssl.la
-openssl_LDADD += $(top_builddir)/crypto/libcrypto.la
-
-openssl_SOURCES = apps.c
-openssl_SOURCES += asn1pars.c
-openssl_SOURCES += ca.c
-openssl_SOURCES += ciphers.c
-openssl_SOURCES += cms.c
-openssl_SOURCES += crl.c
-openssl_SOURCES += crl2p7.c
-openssl_SOURCES += dgst.c
-openssl_SOURCES += dh.c
-openssl_SOURCES += dhparam.c
-openssl_SOURCES += dsa.c
-openssl_SOURCES += dsaparam.c
-openssl_SOURCES += ec.c
-openssl_SOURCES += ecparam.c
-openssl_SOURCES += enc.c
-openssl_SOURCES += errstr.c
-openssl_SOURCES += gendh.c
-openssl_SOURCES += gendsa.c
-openssl_SOURCES += genpkey.c
-openssl_SOURCES += genrsa.c
-openssl_SOURCES += nseq.c
-openssl_SOURCES += ocsp.c
-openssl_SOURCES += openssl.c
-openssl_SOURCES += passwd.c
-openssl_SOURCES += pkcs12.c
-openssl_SOURCES += pkcs7.c
-openssl_SOURCES += pkcs8.c
-openssl_SOURCES += pkey.c
-openssl_SOURCES += pkeyparam.c
-openssl_SOURCES += pkeyutl.c
-openssl_SOURCES += prime.c
-openssl_SOURCES += rand.c
-openssl_SOURCES += req.c
-openssl_SOURCES += rsa.c
-openssl_SOURCES += rsautl.c
-openssl_SOURCES += s_cb.c
-openssl_SOURCES += s_client.c
-openssl_SOURCES += s_server.c
-openssl_SOURCES += s_socket.c
-openssl_SOURCES += s_time.c
-openssl_SOURCES += sess_id.c
-openssl_SOURCES += smime.c
-openssl_SOURCES += speed.c
-openssl_SOURCES += spkac.c
-openssl_SOURCES += ts.c
-openssl_SOURCES += verify.c
-openssl_SOURCES += version.c
-openssl_SOURCES += x509.c
-
-if BUILD_CERTHASH
-openssl_SOURCES += certhash.c
-else
-openssl_SOURCES += certhash_win.c
-endif
-
-if HOST_WIN
-openssl_SOURCES += apps_win.c
-else
-openssl_SOURCES += apps_posix.c
-endif
-
-if !HAVE_POLL
-if HOST_WIN
-openssl_SOURCES += compat/poll_win.c
-endif
-endif
-
-if !HAVE_STRTONUM
-openssl_SOURCES += compat/strtonum.c
-endif
-
-noinst_HEADERS = apps.h
-noinst_HEADERS += progs.h
-noinst_HEADERS += s_apps.h
-noinst_HEADERS += testdsa.h
-noinst_HEADERS += testrsa.h
-noinst_HEADERS += timeouts.h
-
-EXTRA_DIST = cert.pem
-EXTRA_DIST += openssl.cnf
-EXTRA_DIST += x509v3.cnf
-
-install-exec-hook:
-	@if [ "@OPENSSLDIR@x" != "x" ]; then \
-		OPENSSLDIR="$(DESTDIR)/@OPENSSLDIR@"; \
-	else \
-		OPENSSLDIR="$(DESTDIR)/$(sysconfdir)/ssl"; \
-	fi; \
-	mkdir -p "$$OPENSSLDIR/certs"; \
-	for i in cert.pem openssl.cnf x509v3.cnf; do \
-		if [ ! -f "$$OPENSSLDIR/$i" ]; then \
-			$(INSTALL) -m 644 "$(srcdir)/$$i" "$$OPENSSLDIR/$$i"; \
-		else \
-			echo " $$OPENSSLDIR/$$i already exists, install will not overwrite"; \
-		fi \
-	done
-
-uninstall-local:
-	@if [ "@OPENSSLDIR@x" != "x" ]; then \
-		OPENSSLDIR="$(DESTDIR)/@OPENSSLDIR@"; \
-	else \
-		OPENSSLDIR="$(DESTDIR)/$(sysconfdir)/ssl"; \
-	fi; \
-	for i in cert.pem openssl.cnf x509v3.cnf; do \
-		if cmp -s "$$OPENSSLDIR/$$i" "$(srcdir)/$$i"; then \
-			rm -f "$$OPENSSLDIR/$$i"; \
-		fi \
-	done

apps/openssl/apps_win.c

@@ -1,60 +0,0 @@
-/*
- * Public domain
- *
- * Dongsheng Song <dongsheng.song@gmail.com>
- * Brent Cook <bcook@openbsd.org>
- */
-
-#include <windows.h>
-
-#include <io.h>
-#include <fcntl.h>
-
-#include "apps.h"
-
-double
-app_tminterval(int stop, int usertime)
-{
-	static unsigned __int64 tmstart;
-	union {
-		unsigned __int64 u64;
-		FILETIME ft;
-	} ct, et, kt, ut;
-
-	GetProcessTimes(GetCurrentProcess(), &ct.ft, &et.ft, &kt.ft, &ut.ft);
-
-	if (stop == TM_START) {
-		tmstart = ut.u64 + kt.u64;
-	} else {
-		return (ut.u64 + kt.u64 - tmstart) / (double) 10000000;
-	}
-	return 0;
-}
-
-int
-setup_ui(void)
-{
-	ui_method = UI_create_method("OpenSSL application user interface");
-	UI_method_set_opener(ui_method, ui_open);
-	UI_method_set_reader(ui_method, ui_read);
-	UI_method_set_writer(ui_method, ui_write);
-	UI_method_set_closer(ui_method, ui_close);
-
-	/*
-	 * Set STDIO to binary
-	 */
-	_setmode(_fileno(stdin), _O_BINARY);
-	_setmode(_fileno(stdout), _O_BINARY);
-	_setmode(_fileno(stderr), _O_BINARY);
-
-	return 0;
-}
-
-void
-destroy_ui(void)
-{
-	if (ui_method) {
-		UI_destroy_method(ui_method);
-		ui_method = NULL;
-	}
-}

check-release.sh

@@ -1,70 +0,0 @@
-#!/bin/sh
-set -e
-
-ver=$1
-dir=libressl-$ver
-tarball=$dir.tar.gz
-tag=v$ver
-
-if [ -z "$LIBRESSL_SSH" ]; then
-	if ! curl -v 1>/dev/null 2>&1; then
-		download="curl -O"
-	elif echo quit | ftp 1>/dev/null 2>&1; then
-		download=ftp
-	else
-		echo "need 'ftp' or 'curl' to verify"
-		exit
-	fi
-fi
-
-if [ "$ver" = "" ]; then
-	echo "please specify a version to check, e.g. $0 2.1.2"
-	exit
-fi
-
-if [ ! -e releases/$tarball ]; then
-	mkdir -p releases
-	rm -f $tarball
-	if [ -z "$LIBRESSL_SSH" ]; then
-		$download http://ftp.openbsd.org/pub/OpenBSD/LibreSSL/$tarball releases/
-		mv $tarball releases
-	else
-		scp $LIBRESSL_SSH/$tarball releases
-	fi
-	(cd releases; tar zxvf $tarball)
-fi
-
-if [ ! -e gen-releases/$tarball ]; then
-	rm -fr tests man include ssl crypto libtls-standalone/VERSION INSTALL
-	git checkout OPENBSD_BRANCH update.sh tests man include ssl crypto
-	git checkout $tag
-	echo "libressl-$tag" > OPENBSD_BRANCH
-	sed -i 's/git pull --rebase//' update.sh
-	./autogen.sh
-	./configure --enable-libtls
-	make dist
-
-	mkdir -p gen-releases
-	mv $tarball gen-releases
-
-	git checkout OPENBSD_BRANCH update.sh
-	git checkout master
-fi
-
-(cd gen-releases; rm -fr $dir; tar zxf $tarball)
-(cd releases; rm -fr $dir; tar zxf $tarball)
-
-echo "differences between release and regenerated release tag:"
-diff -urN \
-	-x *.3 \
-	-x Makefile.in \
-	-x aclocal.m4 \
-	-x compile \
-	-x config.guess \
-	-x config.sub \
-	-x configure \
-	-x depcomp \
-	-x install-sh \
-	-x missing \
-	-x test-driver \
-	releases/$dir gen-releases/$dir

configure.ac

@@ -49,10 +49,10 @@ AM_CONDITIONAL([BUILD_CERTHASH], [test "x$ac_cv_func_symlink" = xyes])
 AC_CHECK_FUNC([funopen])
 
 CHECK_LIBC_COMPAT
-CHECK_SYSCALL_COMPAT
-CHECK_CRYPTO_COMPAT
+CHECK_LIBC_CRYPTO_COMPAT
 CHECK_VA_COPY
-CHECK_B64_NTOP
+
+AC_CHECK_HEADERS([err.h])
 
 AC_ARG_WITH([openssldir],
 	AS_HELP_STRING([--with-openssldir],
@@ -86,10 +86,6 @@ case $host_cpu in
 		AS_IF([test "x$BSWAP4" = "xyes"],,
 		    CPPFLAGS="$CPPFLAGS -D__STRICT_ALIGNMENT")
 		;;
-	*amd64*)
-		host_cpu=x86_64
-		;;
-
 esac
 
 AC_MSG_CHECKING([if .gnu.warning accepts long strings])
@@ -114,9 +110,6 @@ AM_CONDITIONAL([HOST_ASM_ELF_X86_64],
 AM_CONDITIONAL([HOST_ASM_MACOSX_X86_64],
     [test "x$HOST_ABI" = "xmacosx" -a "$host_cpu" = "x86_64" -a "x$enable_asm" != "xno"])
 
-# Check if time_t is sized correctly
-AC_CHECK_SIZEOF([time_t], [time.h])
-
 AC_CONFIG_FILES([
 	Makefile
 	include/Makefile
@@ -126,8 +119,6 @@ AC_CONFIG_FILES([
 	tls/Makefile
 	tests/Makefile
 	apps/Makefile
-	apps/openssl/Makefile
-	apps/nc/Makefile
 	man/Makefile
 	libcrypto.pc
 	libssl.pc
@@ -135,12 +126,4 @@ AC_CONFIG_FILES([
 	openssl.pc
 ])
 
-AM_CONDITIONAL([SMALL_TIME_T], [test "$ac_cv_sizeof_time_t" = "4"])
-if test "$ac_cv_sizeof_time_t" = "4"; then
-    echo " ** Warning, this system is unable to represent times past 2038"
-    echo " ** It will behave incorrectly when handling valid RFC5280 dates"
-fi
-
-AC_REQUIRE_AUX_FILE([tap-driver.sh])
-
 AC_OUTPUT

crypto/CMakeLists.txt

@@ -42,6 +42,7 @@ set(
 	asn1/a_digest.c
 	asn1/a_dup.c
 	asn1/a_enum.c
+	asn1/a_gentm.c
 	asn1/a_i2d_fp.c
 	asn1/a_int.c
 	asn1/a_mbstr.c
@@ -53,8 +54,8 @@ set(
 	asn1/a_strex.c
 	asn1/a_strnid.c
 	asn1/a_time.c
-	asn1/a_time_tm.c
 	asn1/a_type.c
+	asn1/a_utctm.c
 	asn1/a_utf8.c
 	asn1/a_verify.c
 	asn1/ameth_lib.c
@@ -262,6 +263,7 @@ set(
 	ecdh/ech_err.c
 	ecdh/ech_key.c
 	ecdh/ech_lib.c
+	ecdh/ech_ossl.c
 	ecdsa/ecs_asn1.c
 	ecdsa/ecs_err.c
 	ecdsa/ecs_lib.c
@@ -333,6 +335,7 @@ set(
 	evp/m_md5.c
 	evp/m_null.c
 	evp/m_ripemd.c
+	evp/m_sha.c
 	evp/m_sha1.c
 	evp/m_sigver.c
 	evp/m_streebog.c
@@ -470,6 +473,8 @@ set(
 	sha/sha1dgst.c
 	sha/sha256.c
 	sha/sha512.c
+	sha/sha_dgst.c
+	sha/sha_one.c
 	stack/stack.c
 	ts/ts_asn1.c
 	ts/ts_conf.c
@@ -594,10 +599,6 @@ if(NOT HAVE_STRNDUP)
 	endif()
 endif()
 
-if(NOT HAVE_TIMEGM)
-	set(CRYPTO_SRC ${CRYPTO_SRC} compat/timegm.c)
-endif()
-
 if(NOT HAVE_EXPLICIT_BZERO)
 	if(CMAKE_HOST_WIN32)
 		set(CRYPTO_SRC ${CRYPTO_SRC} compat/explicit_bzero_win.c)

crypto/Makefile.am

@@ -73,10 +73,6 @@ if !HAVE_INET_PTON
 libcompat_la_SOURCES += compat/inet_pton.c
 endif
 
-if !HAVE_TIMEGM
-libcompat_la_SOURCES += compat/timegm.c
-endif
-
 if !HAVE_REALLOCARRAY
 libcompat_la_SOURCES += compat/reallocarray.c
 endif
@@ -145,6 +141,7 @@ libcrypto_la_SOURCES += asn1/a_d2i_fp.c
 libcrypto_la_SOURCES += asn1/a_digest.c
 libcrypto_la_SOURCES += asn1/a_dup.c
 libcrypto_la_SOURCES += asn1/a_enum.c
+libcrypto_la_SOURCES += asn1/a_gentm.c
 libcrypto_la_SOURCES += asn1/a_i2d_fp.c
 libcrypto_la_SOURCES += asn1/a_int.c
 libcrypto_la_SOURCES += asn1/a_mbstr.c
@@ -156,8 +153,8 @@ libcrypto_la_SOURCES += asn1/a_sign.c
 libcrypto_la_SOURCES += asn1/a_strex.c
 libcrypto_la_SOURCES += asn1/a_strnid.c
 libcrypto_la_SOURCES += asn1/a_time.c
-libcrypto_la_SOURCES += asn1/a_time_tm.c
 libcrypto_la_SOURCES += asn1/a_type.c
+libcrypto_la_SOURCES += asn1/a_utctm.c
 libcrypto_la_SOURCES += asn1/a_utf8.c
 libcrypto_la_SOURCES += asn1/a_verify.c
 libcrypto_la_SOURCES += asn1/ameth_lib.c
@@ -423,6 +420,7 @@ noinst_HEADERS += ec/ec_lcl.h
 libcrypto_la_SOURCES += ecdh/ech_err.c
 libcrypto_la_SOURCES += ecdh/ech_key.c
 libcrypto_la_SOURCES += ecdh/ech_lib.c
+libcrypto_la_SOURCES += ecdh/ech_ossl.c
 noinst_HEADERS += ecdh/ech_locl.h
 
 # ecdsa
@@ -505,6 +503,7 @@ libcrypto_la_SOURCES += evp/m_md4.c
 libcrypto_la_SOURCES += evp/m_md5.c
 libcrypto_la_SOURCES += evp/m_null.c
 libcrypto_la_SOURCES += evp/m_ripemd.c
+libcrypto_la_SOURCES += evp/m_sha.c
 libcrypto_la_SOURCES += evp/m_sha1.c
 libcrypto_la_SOURCES += evp/m_sigver.c
 libcrypto_la_SOURCES += evp/m_streebog.c
@@ -698,6 +697,8 @@ libcrypto_la_SOURCES += sha/sha1_one.c
 libcrypto_la_SOURCES += sha/sha1dgst.c
 libcrypto_la_SOURCES += sha/sha256.c
 libcrypto_la_SOURCES += sha/sha512.c
+libcrypto_la_SOURCES += sha/sha_dgst.c
+libcrypto_la_SOURCES += sha/sha_one.c
 noinst_HEADERS += sha/sha_locl.h
 
 # stack

crypto/compat/timegm.c

@@ -1,220 +0,0 @@
-/*
- * ----------------------------------------------------------------------
- * Copyright © 2005-2014 Rich Felker, et al.
- *
- * Permission is hereby granted, free of charge, to any person obtaining
- * a copy of this software and associated documentation files (the
- * "Software"), to deal in the Software without restriction, including
- * without limitation the rights to use, copy, modify, merge, publish,
- * distribute, sublicense, and/or sell copies of the Software, and to
- * permit persons to whom the Software is furnished to do so, subject to
- * the following conditions:
- *
- * The above copyright notice and this permission notice shall be
- * included in all copies or substantial portions of the Software.
- *
- * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
- * EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
- * MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT.
- * IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY
- * CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT,
- * TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE
- * SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
- * ----------------------------------------------------------------------
- */
-
-#include <errno.h>
-#include <limits.h>
-#include <time.h>
-
-/* 2000-03-01 (mod 400 year, immediately after feb29 */
-#define LEAPOCH (946684800LL + 86400*(31+29))
-
-#define DAYS_PER_400Y (365*400 + 97)
-#define DAYS_PER_100Y (365*100 + 24)
-#define DAYS_PER_4Y   (365*4   + 1)
-
-static int __month_to_secs(int month, int is_leap)
-{
-	static const int secs_through_month[] = {
-		0, 31*86400, 59*86400, 90*86400,
-		120*86400, 151*86400, 181*86400, 212*86400,
-		243*86400, 273*86400, 304*86400, 334*86400 };
-	int t = secs_through_month[month];
-	if (is_leap && month >= 2) t+=86400;
-	return t;
-}
-
-static long long __year_to_secs(long long year, int *is_leap)
-{
-	if (year-2ULL <= 136) {
-		int y = year;
-		int leaps = (y-68)>>2;
-		if (!((y-68)&3)) {
-			leaps--;
-			if (is_leap) *is_leap = 1;
-		} else if (is_leap) *is_leap = 0;
-		return 31536000*(y-70) + 86400*leaps;
-	}
-
-	int cycles, centuries, leaps, rem;
-
-	if (!is_leap) is_leap = &(int){0};
-	cycles = (year-100) / 400;
-	rem = (year-100) % 400;
-	if (rem < 0) {
-		cycles--;
-		rem += 400;
-	}
-	if (!rem) {
-		*is_leap = 1;
-		centuries = 0;
-		leaps = 0;
-	} else {
-		if (rem >= 200) {
-			if (rem >= 300) centuries = 3, rem -= 300;
-			else centuries = 2, rem -= 200;
-		} else {
-			if (rem >= 100) centuries = 1, rem -= 100;
-			else centuries = 0;
-		}
-		if (!rem) {
-			*is_leap = 0;
-			leaps = 0;
-		} else {
-			leaps = rem / 4U;
-			rem %= 4U;
-			*is_leap = !rem;
-		}
-	}
-
-	leaps += 97*cycles + 24*centuries - *is_leap;
-
-	return (year-100) * 31536000LL + leaps * 86400LL + 946684800 + 86400;
-}
-
-static long long __tm_to_secs(const struct tm *tm)
-{
-	int is_leap;
-	long long year = tm->tm_year;
-	int month = tm->tm_mon;
-	if (month >= 12 || month < 0) {
-		int adj = month / 12;
-		month %= 12;
-		if (month < 0) {
-			adj--;
-			month += 12;
-		}
-		year += adj;
-	}
-	long long t = __year_to_secs(year, &is_leap);
-	t += __month_to_secs(month, is_leap);
-	t += 86400LL * (tm->tm_mday-1);
-	t += 3600LL * tm->tm_hour;
-	t += 60LL * tm->tm_min;
-	t += tm->tm_sec;
-	return t;
-}
-
-static int __secs_to_tm(long long t, struct tm *tm)
-{
-	long long days, secs;
-	int remdays, remsecs, remyears;
-	int qc_cycles, c_cycles, q_cycles;
-	int years, months;
-	int wday, yday, leap;
-	static const char days_in_month[] = {31,30,31,30,31,31,30,31,30,31,31,29};
-
-	/* Reject time_t values whose year would overflow int */
-	if (t < INT_MIN * 31622400LL || t > INT_MAX * 31622400LL)
-		return -1;
-
-	secs = t - LEAPOCH;
-	days = secs / 86400;
-	remsecs = secs % 86400;
-	if (remsecs < 0) {
-		remsecs += 86400;
-		days--;
-	}
-
-	wday = (3+days)%7;
-	if (wday < 0) wday += 7;
-
-	qc_cycles = days / DAYS_PER_400Y;
-	remdays = days % DAYS_PER_400Y;
-	if (remdays < 0) {
-		remdays += DAYS_PER_400Y;
-		qc_cycles--;
-	}
-
-	c_cycles = remdays / DAYS_PER_100Y;
-	if (c_cycles == 4) c_cycles--;
-	remdays -= c_cycles * DAYS_PER_100Y;
-
-	q_cycles = remdays / DAYS_PER_4Y;
-	if (q_cycles == 25) q_cycles--;
-	remdays -= q_cycles * DAYS_PER_4Y;
-
-	remyears = remdays / 365;
-	if (remyears == 4) remyears--;
-	remdays -= remyears * 365;
-
-	leap = !remyears && (q_cycles || !c_cycles);
-	yday = remdays + 31 + 28 + leap;
-	if (yday >= 365+leap) yday -= 365+leap;
-
-	years = remyears + 4*q_cycles + 100*c_cycles + 400*qc_cycles;
-
-	for (months=0; days_in_month[months] <= remdays; months++)
-		remdays -= days_in_month[months];
-
-	if (years+100 > INT_MAX || years+100 < INT_MIN)
-		return -1;
-
-	tm->tm_year = years + 100;
-	tm->tm_mon = months + 2;
-	if (tm->tm_mon >= 12) {
-		tm->tm_mon -=12;
-		tm->tm_year++;
-	}
-	tm->tm_mday = remdays + 1;
-	tm->tm_wday = wday;
-	tm->tm_yday = yday;
-
-	tm->tm_hour = remsecs / 3600;
-	tm->tm_min = remsecs / 60 % 60;
-	tm->tm_sec = remsecs % 60;
-
-	return 0;
-}
-
-#ifdef _WIN32
-struct tm *__gmtime_r(const time_t *t, struct tm *tm)
-{
-	if (__secs_to_tm(*t, tm) < 0) {
-		errno = EOVERFLOW;
-		return 0;
-	}
-	tm->tm_isdst = 0;
-	return tm;
-}
-#endif
-
-time_t timegm(struct tm *tm)
-{
-	struct tm new;
-	long long t = __tm_to_secs(tm);
-	if (__secs_to_tm(t, &new) < 0) {
-		errno = EOVERFLOW;
-		return -1;
-	}
-#if SIZEOF_TIME_T != 8
-	if (t > (long long)INT_MAX || t < (long long)INT_MIN) {
-		errno = EOVERFLOW;
-		return -1;
-	}
-#endif
-	*tm = new;
-	tm->tm_isdst = 0;
-	return t;
-}

crypto/compat/ui_openssl_win.c

@@ -286,7 +286,7 @@ error:
 	if (ps >= 1)
 		popsig();
 
-	explicit_bzero(result, BUFSIZ);
+	OPENSSL_cleanse(result, BUFSIZ);
 	return ok;
 }
 

dist-win.sh

@@ -29,11 +29,20 @@ for ARCH in X86 X64; do
 	make -j 4 install DESTDIR=`pwd`/stage-$ARCHDIR
 
 	mkdir -p $DIST/$ARCHDIR
+	#cp -a stage-$ARCHDIR/usr/local/lib/* $DIST/$ARCHDIR
 	if [ ! -e $DIST/include ]; then
-		cp -r stage-$ARCHDIR/usr/local/include $DIST
+		cp -a stage-$ARCHDIR/usr/local/include $DIST
+		sed -i -e 'N;/\n.*__non/s/"\? *\n/ /;P;D' \
+		       $DIST/include/openssl/*.h $DIST/include/*.h
+		sed -i -e 'N;/\n.*__attr/s/"\? *\n/ /;P;D' \
+		       $DIST/include/openssl/*.h $DIST/include/*.h
+		sed -i -e "s/__attr.*;/;/"  \
+		       -e "s/sys\/time.h/winsock2.h/" \
+		       $DIST/include/openssl/*.h $DIST/include/*.h
 	fi
 
 	cp stage-$ARCHDIR/usr/local/bin/* $DIST/$ARCHDIR
+	#cp /usr/$HOST/sys-root/mingw/bin/libssp* $DIST/$ARCHDIR
 
 	for i in libcrypto libssl libtls; do
 		DLL=$(basename `ls -1 $DIST/$ARCHDIR/$i*.dll`|cut -d. -f1)

gen-openbsd-tags.sh

@@ -1,20 +0,0 @@
-#!/bin/sh
-set -e
-
-for tag in `git tag`; do
-	branch=master
-	if [[ $tag = v2.0* ]]; then
-		branch=OPENBSD_5_6
-	elif [[ $tag = v2.1* ]]; then
-		branch=OPENBSD_5_7
-	elif [[ $tag = v2.2* ]]; then
-		branch=OPENBSD_5_8
-	elif [[ $tag = v2.3* ]]; then
-		branch=OPENBSD_5_9
-	fi
-	# adjust for 9 hour timezone delta between trees
-	release_ts=$((`git show -s --format=%ct $tag|tail -n1` + 32400))
-	commit=`git -C openbsd rev-list -n 1 --before=$release_ts $branch`
-	git -C openbsd tag -f libressl-$tag $commit
-	echo Tagged $tag as $commit in openbsd
-done

include/Makefile.am

@@ -8,11 +8,8 @@ noinst_HEADERS = pqueue.h
 noinst_HEADERS += compat/dirent.h
 noinst_HEADERS += compat/dirent_msvc.h
 noinst_HEADERS += compat/err.h
-noinst_HEADERS += compat/limits.h
 noinst_HEADERS += compat/netdb.h
 noinst_HEADERS += compat/poll.h
-noinst_HEADERS += compat/readpassphrase.h
-noinst_HEADERS += compat/resolv.h
 noinst_HEADERS += compat/stdio.h
 noinst_HEADERS += compat/stdlib.h
 noinst_HEADERS += compat/string.h
@@ -26,7 +23,6 @@ noinst_HEADERS += compat/arpa/nameser.h
 noinst_HEADERS += compat/machine/endian.h
 
 noinst_HEADERS += compat/netinet/in.h
-noinst_HEADERS += compat/netinet/ip.h
 noinst_HEADERS += compat/netinet/tcp.h
 
 noinst_HEADERS += compat/sys/cdefs.h
@@ -34,8 +30,8 @@ noinst_HEADERS += compat/sys/ioctl.h
 noinst_HEADERS += compat/sys/mman.h
 noinst_HEADERS += compat/sys/param.h
 noinst_HEADERS += compat/sys/select.h
-noinst_HEADERS += compat/sys/socket.h
 noinst_HEADERS += compat/sys/stat.h
+noinst_HEADERS += compat/sys/socket.h
 noinst_HEADERS += compat/sys/time.h
 noinst_HEADERS += compat/sys/types.h
 noinst_HEADERS += compat/sys/uio.h

include/compat/limits.h

@@ -1,21 +0,0 @@
-/*
- * Public domain
- * limits.h compatibility shim
- */
-
-#ifdef _MSC_VER
-#if _MSC_VER >= 1900
-#include <../ucrt/limits.h>
-#else
-#include <../include/limits.h>
-#endif
-#else
-#include_next <limits.h>
-#endif
-
-#ifdef __hpux
-#include <sys/param.h>
-#ifndef PATH_MAX
-#define PATH_MAX MAXPATHLEN
-#endif
-#endif

include/compat/netinet/ip.h

@@ -1,43 +0,0 @@
-/*
- * Public domain
- * netinet/ip.h compatibility shim
- */
-
-#ifndef _WIN32
-#include_next <netinet/ip.h>
-#else
-#include <win32netcompat.h>
-#endif
-
-/*
- * Definitions for DiffServ Codepoints as per RFC2474
- */
-#ifndef IPTOS_DSCP_CS0
-#define	IPTOS_DSCP_CS0		0x00
-#define	IPTOS_DSCP_CS1		0x20
-#define	IPTOS_DSCP_CS2		0x40
-#define	IPTOS_DSCP_CS3		0x60
-#define	IPTOS_DSCP_CS4		0x80
-#define	IPTOS_DSCP_CS5		0xa0
-#define	IPTOS_DSCP_CS6		0xc0
-#define	IPTOS_DSCP_CS7		0xe0
-#endif
-
-#ifndef IPTOS_DSCP_AF11
-#define	IPTOS_DSCP_AF11		0x28
-#define	IPTOS_DSCP_AF12		0x30
-#define	IPTOS_DSCP_AF13		0x38
-#define	IPTOS_DSCP_AF21		0x48
-#define	IPTOS_DSCP_AF22		0x50
-#define	IPTOS_DSCP_AF23		0x58
-#define	IPTOS_DSCP_AF31		0x68
-#define	IPTOS_DSCP_AF32		0x70
-#define	IPTOS_DSCP_AF33		0x78
-#define	IPTOS_DSCP_AF41		0x88
-#define	IPTOS_DSCP_AF42		0x90
-#define	IPTOS_DSCP_AF43		0x98
-#endif
-
-#ifndef IPTOS_DSCP_EF
-#define	IPTOS_DSCP_EF		0xb8
-#endif

include/compat/readpassphrase.h

@@ -1,44 +0,0 @@
-/*	$OpenBSD: readpassphrase.h,v 1.5 2003/06/17 21:56:23 millert Exp $	*/
-
-/*
- * Copyright (c) 2000, 2002 Todd C. Miller <Todd.Miller@courtesan.com>
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
- * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
- * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
- * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
- * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
- * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
- * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
- *
- * Sponsored in part by the Defense Advanced Research Projects
- * Agency (DARPA) and Air Force Research Laboratory, Air Force
- * Materiel Command, USAF, under agreement number F39502-99-1-0512.
- */
-
-#ifdef HAVE_READPASSPHRASE_H
-
-#include_next <readpassphrase.h>
-
-#else
-
-#ifndef _READPASSPHRASE_H_
-#define _READPASSPHRASE_H_
-
-#define RPP_ECHO_OFF    0x00		/* Turn off echo (default). */
-#define RPP_ECHO_ON     0x01		/* Leave echo on. */
-#define RPP_REQUIRE_TTY 0x02		/* Fail if there is no tty. */
-#define RPP_FORCELOWER  0x04		/* Force input to lower case. */
-#define RPP_FORCEUPPER  0x08		/* Force input to upper case. */
-#define RPP_SEVENBIT    0x10		/* Strip the high bit from input. */
-#define RPP_STDIN       0x20		/* Read from stdin, not /dev/tty */
-
-char * readpassphrase(const char *, char *, size_t, int);
-
-#endif /* !_READPASSPHRASE_H_ */
-
-#endif

include/compat/resolv.h

@@ -1,24 +0,0 @@
-/*
- * Public domain
- * resolv.h compatibility shim
- */
-
-#ifndef LIBCRYPTOCOMPAT_RESOLV_H
-#define LIBCRYPTOCOMPAT_RESOLV_H
-
-#ifdef _MSC_VER
-#if _MSC_VER >= 1900
-#include <../ucrt/resolv.h>
-#else
-#include <../include/resolv.h>
-#endif
-#else
-#include_next <resolv.h>
-#endif
-
-#ifndef HAVE_B64_NTOP
-int b64_ntop(unsigned char const *, size_t, char *, size_t);
-int b64_pton(char const *, unsigned char *, size_t);
-#endif
-
-#endif

include/compat/time.h

@@ -9,15 +9,7 @@
 #else
 #include <../include/time.h>
 #endif
+#define gmtime_r(tp, tm) ((gmtime_s((tm), (tp)) == 0) ? (tm) : NULL)
 #else
 #include_next <time.h>
 #endif
-
-#ifdef _WIN32
-struct tm *__gmtime_r(const time_t * t, struct tm * tm);
-#define gmtime_r(tp, tm) __gmtime_r(tp, tm)
-#endif
-
-#ifndef HAVE_TIMEGM
-time_t timegm(struct tm *tm);
-#endif

include/compat/unistd.h

@@ -29,6 +29,4 @@ unsigned int sleep(unsigned int seconds);
 int getentropy(void *buf, size_t buflen);
 #endif
 
-#define pledge(request, paths) 0
-
 #endif

include/compat/win32netcompat.h

@@ -11,19 +11,14 @@
 #ifdef _WIN32
 
 #include <ws2tcpip.h>
+
+#define SHUT_RDWR SD_BOTH
+#define SHUT_RD   SD_RECEIVE
+#define SHUT_WR   SD_SEND
+
 #include <errno.h>
 #include <unistd.h>
 
-#ifndef SHUT_RDWR
-#define SHUT_RDWR SD_BOTH
-#endif
-#ifndef SHUT_RD
-#define SHUT_RD   SD_RECEIVE
-#endif
-#ifndef SHUT_WR
-#define SHUT_WR   SD_SEND
-#endif
-
 int posix_connect(int sockfd, const struct sockaddr *addr, socklen_t addrlen);
 
 int posix_close(int fd);

m4/check-libc.m4

@@ -1,14 +1,11 @@
 AC_DEFUN([CHECK_LIBC_COMPAT], [
-# Check for libc headers
-AC_CHECK_HEADERS([err.h readpassphrase.h])
 # Check for general libc functions
-AC_CHECK_FUNCS([asprintf inet_pton memmem readpassphrase reallocarray])
+AC_CHECK_FUNCS([asprintf inet_pton memmem poll reallocarray])
 AC_CHECK_FUNCS([strlcat strlcpy strndup strnlen strsep strtonum])
-AC_CHECK_FUNCS([timegm _mkgmtime])
 AM_CONDITIONAL([HAVE_ASPRINTF], [test "x$ac_cv_func_asprintf" = xyes])
 AM_CONDITIONAL([HAVE_INET_PTON], [test "x$ac_cv_func_inet_pton" = xyes])
 AM_CONDITIONAL([HAVE_MEMMEM], [test "x$ac_cv_func_memmem" = xyes])
-AM_CONDITIONAL([HAVE_READPASSPHRASE], [test "x$ac_cv_func_readpassphrase" = xyes])
+AM_CONDITIONAL([HAVE_POLL], [test "x$ac_cv_func_poll" = xyes])
 AM_CONDITIONAL([HAVE_REALLOCARRAY], [test "x$ac_cv_func_reallocarray" = xyes])
 AM_CONDITIONAL([HAVE_STRLCAT], [test "x$ac_cv_func_strlcat" = xyes])
 AM_CONDITIONAL([HAVE_STRLCPY], [test "x$ac_cv_func_strlcpy" = xyes])
@@ -16,36 +13,10 @@ AM_CONDITIONAL([HAVE_STRNDUP], [test "x$ac_cv_func_strndup" = xyes])
 AM_CONDITIONAL([HAVE_STRNLEN], [test "x$ac_cv_func_strnlen" = xyes])
 AM_CONDITIONAL([HAVE_STRSEP], [test "x$ac_cv_func_strsep" = xyes])
 AM_CONDITIONAL([HAVE_STRTONUM], [test "x$ac_cv_func_strtonum" = xyes])
-AM_CONDITIONAL([HAVE_TIMEGM], [test "x$ac_cv_func_timegm" = xyes])
 ])
 
-AC_DEFUN([CHECK_SYSCALL_COMPAT], [
-AC_CHECK_FUNCS([accept4 pledge poll])
-AM_CONDITIONAL([HAVE_ACCEPT4], [test "x$ac_cv_func_accept4" = xyes])
-AM_CONDITIONAL([HAVE_PLEDGE], [test "x$ac_cv_func_pledge" = xyes])
-AM_CONDITIONAL([HAVE_POLL], [test "x$ac_cv_func_poll" = xyes])
-])
-
-AC_DEFUN([CHECK_B64_NTOP], [
-AC_SEARCH_LIBS([b64_ntop],[resolv])
-AC_SEARCH_LIBS([__b64_ntop],[resolv])
-AC_CACHE_CHECK([for b64_ntop], ac_cv_have_b64_ntop_arg, [
-	AC_LINK_IFELSE([AC_LANG_PROGRAM([[
-#include <sys/types.h>
-#include <sys/socket.h>
-#include <netinet/in.h>
-#include <arpa/inet.h>
-#include <resolv.h>
-		]], [[ b64_ntop(NULL, 0, NULL, 0); ]])],
-	[ ac_cv_have_b64_ntop_arg="yes" ],
-	[ ac_cv_have_b64_ntop_arg="no"
-	])
-])
-AM_CONDITIONAL([HAVE_B64_NTOP], [test "x$ac_cv_func_b64_ntop" = xyes])
-])
-
-AC_DEFUN([CHECK_CRYPTO_COMPAT], [
-# Check crypto-related libc functions and syscalls
+AC_DEFUN([CHECK_LIBC_CRYPTO_COMPAT], [
+# Check crypto-related libc functions
 AC_CHECK_FUNCS([arc4random_buf explicit_bzero getauxval getentropy])
 AC_CHECK_FUNCS([timingsafe_bcmp timingsafe_memcmp])
 AM_CONDITIONAL([HAVE_ARC4RANDOM_BUF], [test "x$ac_cv_func_arc4random_buf" = xyes])

m4/check-os-options.m4

@@ -1,3 +1,4 @@
+# This must be called before AC_PROG_CC
 AC_DEFUN([CHECK_OS_OPTIONS], [
 
 CFLAGS="$CFLAGS -Wall -std=gnu99 -fno-strict-aliasing"
@@ -14,12 +15,10 @@ case $host_os in
 		HOST_OS=cygwin
 		;;
 	*darwin*)
-		BUILD_NC=yes
 		HOST_OS=darwin
 		HOST_ABI=macosx
 		;;
 	*freebsd*)
-		BUILD_NC=yes
 		HOST_OS=freebsd
 		HOST_ABI=elf
 		AC_SUBST([PROG_LDADD], ['-lthr'])
@@ -35,19 +34,15 @@ case $host_os in
 		AC_SUBST([PLATFORM_LDADD], ['-lpthread'])
 		;;
 	*linux*)
-		BUILD_NC=yes
 		HOST_OS=linux
 		HOST_ABI=elf
 		CPPFLAGS="$CPPFLAGS -D_DEFAULT_SOURCE -D_BSD_SOURCE -D_POSIX_SOURCE -D_GNU_SOURCE"
 		;;
 	*netbsd*)
-		BUILD_NC=yes
 		HOST_OS=netbsd
 		CPPFLAGS="$CPPFLAGS -D_OPENBSD_SOURCE"
 		;;
 	*openbsd* | *bitrig*)
-		BUILD_NC=yes
-		HOST_OS=openbsd
 		HOST_ABI=elf
 		AC_DEFINE([HAVE_ATTRIBUTE__BOUNDED__], [1], [OpenBSD gcc has bounded])
 		;;
@@ -70,7 +65,6 @@ case $host_os in
 	*) ;;
 esac
 
-AM_CONDITIONAL([BUILD_NC],     [test x$BUILD_NC = xyes])
 AM_CONDITIONAL([HOST_AIX],     [test x$HOST_OS = xaix])
 AM_CONDITIONAL([HOST_CYGWIN],  [test x$HOST_OS = xcygwin])
 AM_CONDITIONAL([HOST_DARWIN],  [test x$HOST_OS = xdarwin])
@@ -78,7 +72,6 @@ AM_CONDITIONAL([HOST_FREEBSD], [test x$HOST_OS = xfreebsd])
 AM_CONDITIONAL([HOST_HPUX],    [test x$HOST_OS = xhpux])
 AM_CONDITIONAL([HOST_LINUX],   [test x$HOST_OS = xlinux])
 AM_CONDITIONAL([HOST_NETBSD],  [test x$HOST_OS = xnetbsd])
-AM_CONDITIONAL([HOST_OPENBSD], [test x$HOST_OS = xopenbsd])
 AM_CONDITIONAL([HOST_SOLARIS], [test x$HOST_OS = xsolaris])
 AM_CONDITIONAL([HOST_WIN],     [test x$HOST_OS = xwin])
 ])

man/links

@@ -446,6 +446,7 @@ EVP_DigestInit.3,EVP_md2.3
 EVP_DigestInit.3,EVP_md5.3
 EVP_DigestInit.3,EVP_md_null.3
 EVP_DigestInit.3,EVP_ripemd160.3
+EVP_DigestInit.3,EVP_sha.3
 EVP_DigestInit.3,EVP_sha1.3
 EVP_DigestInit.3,EVP_sha224.3
 EVP_DigestInit.3,EVP_sha256.3
@@ -1103,11 +1104,8 @@ tls_init.3,tls_config_clear_keys.3
 tls_init.3,tls_config_free.3
 tls_init.3,tls_config_insecure_noverifycert.3
 tls_init.3,tls_config_insecure_noverifyname.3
-tls_init.3,tls_config_insecure_noverifytime.3
 tls_init.3,tls_config_new.3
 tls_init.3,tls_config_parse_protocols.3
-tls_init.3,tls_config_prefer_ciphers_client.3
-tls_init.3,tls_config_prefer_ciphers_server.3
 tls_init.3,tls_config_set_ca_file.3
 tls_init.3,tls_config_set_ca_mem.3
 tls_init.3,tls_config_set_ca_path.3
@@ -1121,26 +1119,14 @@ tls_init.3,tls_config_set_key_mem.3
 tls_init.3,tls_config_set_protocols.3
 tls_init.3,tls_config_set_verify_depth.3
 tls_init.3,tls_config_verify.3
-tls_init.3,tls_config_verify_client.3
-tls_init.3,tls_config_verify_client_optional.3
 tls_init.3,tls_configure.3
-tls_init.3,tls_conn_cipher.3
-tls_init.3,tls_conn_version.3
 tls_init.3,tls_connect.3
 tls_init.3,tls_connect_fds.3
 tls_init.3,tls_connect_servername.3
 tls_init.3,tls_connect_socket.3
 tls_init.3,tls_error.3
 tls_init.3,tls_free.3
-tls_init.3,tls_handshake.3
 tls_init.3,tls_load_file.3
-tls_init.3,tls_peer_cert_contains_name.3
-tls_init.3,tls_peer_cert_hash.3
-tls_init.3,tls_peer_cert_issuer.3
-tls_init.3,tls_peer_cert_notafter.3
-tls_init.3,tls_peer_cert_notbefore.3
-tls_init.3,tls_peer_cert_provided.3
-tls_init.3,tls_peer_cert_subject.3
 tls_init.3,tls_read.3
 tls_init.3,tls_reset.3
 tls_init.3,tls_server.3

man/update_links.sh

@@ -3,7 +3,7 @@
 # Run this periodically to ensure that the manpage links are up to date
 
 echo "# This is an auto-generated file by $0" > links
-doas makewhatis
+sudo makewhatis
 for i in `ls -1 *.3`; do
   name=`echo $i|cut -d. -f1`
   links=`sqlite3 /usr/share/man/mandoc.db \

patches/arc4random.c.patch

@@ -0,0 +1,15 @@
+--- crypto/compat/arc4random.c.orig	2015-07-20 07:41:17.000000000 -0600
++++ crypto/compat/arc4random.c	2015-07-20 07:41:58.000000000 -0600
+@@ -36,8 +36,11 @@
+ #define KEYSTREAM_ONLY
+ #include "chacha_private.h"
+ 
++#ifndef min
+ #define min(a, b) ((a) < (b) ? (a) : (b))
+-#ifdef __GNUC__
++#endif
++
++#if defined(__GNUC__) || defined(_MSC_VER)
+ #define inline __inline
+ #else				/* !__GNUC__ */
+ #define inline

patches/netcat.c.patch

@@ -1,185 +0,0 @@
---- apps/nc/netcat.c.orig	2015-10-23 16:01:14.000000000 -0700
-+++ apps/nc/netcat.c	2015-10-23 16:17:08.000000000 -0700
-@@ -57,6 +57,10 @@
- #include <tls.h>
- #include "atomicio.h"
- 
-+#ifndef IPV6_TCLASS
-+#define IPV6_TCLASS -1
-+#endif
-+
- #define PORT_MAX	65535
- #define PORT_MAX_LEN	6
- #define UNIX_DG_TMP_SOCKET_SIZE	19
-@@ -93,9 +97,13 @@
- int	Dflag;					/* sodebug */
- int	Iflag;					/* TCP receive buffer size */
- int	Oflag;					/* TCP send buffer size */
-+#ifdef TCP_MD5SIG
- int	Sflag;					/* TCP MD5 signature option */
-+#endif
- int	Tflag = -1;				/* IP Type of Service */
-+#ifdef SO_RTABLE
- int	rtableid = -1;
-+#endif
- 
- int	usetls;					/* use TLS */
- char    *Cflag;					/* Public cert file */
-@@ -145,7 +153,7 @@
- 	struct servent *sv;
- 	socklen_t len;
- 	struct sockaddr_storage cliaddr;
--	char *proxy;
-+	char *proxy = NULL;
- 	const char *errstr, *proxyhost = "", *proxyport = NULL;
- 	struct addrinfo proxyhints;
- 	char unix_dg_tmp_socket_buf[UNIX_DG_TMP_SOCKET_SIZE];
-@@ -246,12 +254,14 @@
- 		case 'u':
- 			uflag = 1;
- 			break;
-+#ifdef SO_RTABLE
- 		case 'V':
- 			rtableid = (int)strtonum(optarg, 0,
- 			    RT_TABLEID_MAX, &errstr);
- 			if (errstr)
- 				errx(1, "rtable %s: %s", errstr, optarg);
- 			break;
-+#endif
- 		case 'v':
- 			vflag = 1;
- 			break;
-@@ -284,9 +294,11 @@
- 				errx(1, "TCP send window %s: %s",
- 				    errstr, optarg);
- 			break;
-+#ifdef TCP_MD5SIG
- 		case 'S':
- 			Sflag = 1;
- 			break;
-+#endif
- 		case 'T':
- 			errstr = NULL;
- 			errno = 0;
-@@ -310,14 +322,16 @@
- 	argc -= optind;
- 	argv += optind;
- 
-+#ifdef SO_RTABLE
- 	if (rtableid >= 0) {
- 		/*
- 		 * XXX No pledge if doing rtable manipulation!
- 		 * XXX the routing table stuff is dangerous and can't be pledged.
- 		 * XXX rtable should really have a better interface than sockopt
- 		 */
--	}
--	else if (family == AF_UNIX) {
-+	} else
-+#endif
-+	if (family == AF_UNIX) {
- 		if (pledge("stdio rpath wpath cpath tmppath unix", NULL) == -1)
- 			err(1, "pledge");
- 	}
-@@ -797,7 +811,10 @@
- remote_connect(const char *host, const char *port, struct addrinfo hints)
- {
- 	struct addrinfo *res, *res0;
--	int s, error, on = 1;
-+	int s, error;
-+#ifdef SO_BINDANY
-+	int on = 1;
-+#endif
- 
- 	if ((error = getaddrinfo(host, port, &hints, &res)))
- 		errx(1, "getaddrinfo: %s", gai_strerror(error));
-@@ -808,16 +825,20 @@
- 		    SOCK_NONBLOCK, res0->ai_protocol)) < 0)
- 			continue;
- 
-+#ifdef SO_RTABLE
- 		if (rtableid >= 0 && (setsockopt(s, SOL_SOCKET, SO_RTABLE,
- 		    &rtableid, sizeof(rtableid)) == -1))
- 			err(1, "setsockopt SO_RTABLE");
-+#endif
- 
- 		/* Bind to a local port or source address if specified. */
- 		if (sflag || pflag) {
- 			struct addrinfo ahints, *ares;
- 
-+#ifdef SO_BINDANY
- 			/* try SO_BINDANY, but don't insist */
- 			setsockopt(s, SOL_SOCKET, SO_BINDANY, &on, sizeof(on));
-+#endif
- 			memset(&ahints, 0, sizeof(struct addrinfo));
- 			ahints.ai_family = res0->ai_family;
- 			ahints.ai_socktype = uflag ? SOCK_DGRAM : SOCK_STREAM;
-@@ -886,7 +907,10 @@
- local_listen(char *host, char *port, struct addrinfo hints)
- {
- 	struct addrinfo *res, *res0;
--	int s, ret, x = 1;
-+	int s;
-+#ifdef SO_REUSEPORT
-+	int ret, x = 1;
-+#endif
- 	int error;
- 
- 	/* Allow nodename to be null. */
-@@ -908,13 +932,17 @@
- 		    res0->ai_protocol)) < 0)
- 			continue;
- 
-+#ifdef SO_RTABLE
- 		if (rtableid >= 0 && (setsockopt(s, SOL_SOCKET, SO_RTABLE,
- 		    &rtableid, sizeof(rtableid)) == -1))
- 			err(1, "setsockopt SO_RTABLE");
-+#endif
- 
-+#ifdef SO_REUSEPORT
- 		ret = setsockopt(s, SOL_SOCKET, SO_REUSEPORT, &x, sizeof(x));
- 		if (ret == -1)
- 			err(1, NULL);
-+#endif
- 
- 		set_common_sockopts(s, res0->ai_family);
- 
-@@ -1358,11 +1386,13 @@
- {
- 	int x = 1;
- 
-+#ifdef TCP_MD5SIG
- 	if (Sflag) {
- 		if (setsockopt(s, IPPROTO_TCP, TCP_MD5SIG,
- 			&x, sizeof(x)) == -1)
- 			err(1, NULL);
- 	}
-+#endif
- 	if (Dflag) {
- 		if (setsockopt(s, SOL_SOCKET, SO_DEBUG,
- 			&x, sizeof(x)) == -1)
-@@ -1537,15 +1567,19 @@
- 	\t-P proxyuser\tUsername for proxy authentication\n\
- 	\t-p port\t	Specify local port for remote connects\n\
- 	\t-R CAfile	CA bundle\n\
--	\t-r		Randomize remote ports\n\
--	\t-S		Enable the TCP MD5 signature option\n\
--	\t-s source	Local source address\n\
-+	\t-r		Randomize remote ports\n"
-+#ifdef TCP_MD5SIG
-+	"\t-S		Enable the TCP MD5 signature option\n"
-+#endif
-+	"\t-s source	Local source address\n\
- 	\t-T keyword	TOS value or TLS options\n\
- 	\t-t		Answer TELNET negotiation\n\
- 	\t-U		Use UNIX domain socket\n\
--	\t-u		UDP mode\n\
--	\t-V rtable	Specify alternate routing table\n\
--	\t-v		Verbose\n\
-+	\t-u		UDP mode\n"
-+#ifdef SO_RTABLE
-+	"\t-V rtable	Specify alternate routing table\n"
-+#endif
-+	"\t-v		Verbose\n\
- 	\t-w timeout	Timeout for connects and final net reads\n\
- 	\t-X proto	Proxy protocol: \"4\", \"5\" (SOCKS) or \"connect\"\n\
- 	\t-x addr[:port]\tSpecify proxy address and port\n\

patches/openssl.c.patch

@@ -1,12 +1,40 @@
---- apps/openssl/openssl.c.orig	Sun Sep 13 09:11:31 2015
-+++ apps/openssl/openssl.c	Sun Sep 13 09:10:02 2015
-@@ -399,7 +399,9 @@
+--- apps/openssl.c.orig	2015-07-20 02:01:42.000000000 -0600
++++ apps/openssl.c	2015-07-20 02:02:00.000000000 -0600
+@@ -130,6 +130,19 @@
+ #include <openssl/engine.h>
+ #endif
+
++#ifdef _WIN32
++#include <io.h>
++#include <fcntl.h>
++static void set_stdio_binary(void)
++{
++	_setmode(_fileno(stdin), _O_BINARY);
++	_setmode(_fileno(stdout), _O_BINARY);
++	_setmode(_fileno(stderr), _O_BINARY);
++}
++#else
++static void set_stdio_binary(void) {};
++#endif
++
+ #include "progs.h"
+ #include "s_apps.h"
+
+@@ -204,7 +216,9 @@
  static void
  openssl_startup(void)
  {
 +#ifndef _WIN32
  	signal(SIGPIPE, SIG_IGN);
 +#endif
- 
+
+ 	CRYPTO_malloc_init();
  	OpenSSL_add_all_algorithms();
- 	SSL_library_init();
+@@ -216,6 +230,7 @@
+ #endif
+
+ 	setup_ui_method();
++	set_stdio_binary();
+ }
+
+ static void

patches/opensslconf.h.patch

@@ -0,0 +1,13 @@
+--- include/openssl/opensslconf.h.orig	2015-07-19 23:21:47.000000000 -0600
++++ include/openssl/opensslconf.h	2015-07-19 23:21:17.000000000 -0600
+@@ -1,6 +1,10 @@
+ #include <openssl/opensslfeatures.h>
+ /* crypto/opensslconf.h.in */
+
++#if defined(_MSC_VER) && !defined(__attribute__)
++#define __attribute__(a)
++#endif
++
+ /* Generate 80386 code? */
+ #undef I386_ONLY
+

patches/ossl_typ.h.patch

@@ -0,0 +1,25 @@
+--- include/openssl/ossl_typ.h.orig	2015-07-06 13:21:18.788571423 -0700
++++ include/openssl/ossl_typ.h	2015-07-06 13:24:14.906468003 -0700
+@@ -100,6 +100,22 @@
+ typedef struct ASN1_ITEM_st ASN1_ITEM;
+ typedef struct asn1_pctx_st ASN1_PCTX;
+
++#if defined(_WIN32) && defined(__WINCRYPT_H__)
++#ifndef LIBRESSL_INTERNAL
++#ifdef _MSC_VER
++#pragma message("Warning, overriding WinCrypt defines")
++#else
++#warning overriding WinCrypt defines
++#endif
++#endif
++#undef X509_NAME
++#undef X509_CERT_PAIR
++#undef X509_EXTENSIONS
++#undef OCSP_REQUEST
++#undef OCSP_RESPONSE
++#undef PKCS7_ISSUER_AND_SERIAL
++#endif
++
+ #ifdef BIGNUM
+ #undef BIGNUM
+ #endif

patches/pkcs7.h.patch

@@ -0,0 +1,21 @@
+--- include/openssl/pkcs7.h.orig	2015-07-06 13:26:27.369203527 -0700
++++ include/openssl/pkcs7.h	2015-07-06 13:27:37.637051967 -0700
+@@ -69,6 +69,18 @@
+ extern "C" {
+ #endif
+
++#if defined(_WIN32) && defined(__WINCRYPT_H__)
++#ifndef LIBRESSL_INTERNAL
++#ifdef _MSC_VER
++#pragma message("Warning, overriding WinCrypt defines")
++#else
++#warning overriding WinCrypt defines
++#endif
++#endif
++#undef PKCS7_ISSUER_AND_SERIAL
++#undef PKCS7_SIGNER_INFO
++#endif
++
+ /*
+ Encryption_ID		DES-CBC
+ Digest_ID		MD5

patches/rfc5280.c.patch

@@ -1,82 +0,0 @@
---- tests/rfc5280time.c.orig	Sat Oct 17 22:36:27 2015
-+++ tests/rfc5280time.c	Sat Oct 17 22:44:25 2015
-@@ -91,6 +91,7 @@
- 		.data = "20150923032700Z",
- 		.time = 1442978820,
- 	},
-+#if SIZEOF_TIME_T == 8
- 	{
- 		/* (times before 2050 must be UTCTIME) Per RFC 5280 4.1.2.5 */
- 		.str = "00000101000000Z",
-@@ -103,6 +104,7 @@
- 		.data = "20491231235959Z",
- 		.time = 2524607999,
- 	},
-+#endif
- 	{
- 		/* (times before 2050 must be UTCTIME) Per RFC 5280 4.1.2.5 */
- 		.str = "19500101000000Z",
-@@ -112,6 +114,7 @@
- };
-
- struct rfc5280_time_test rfc5280_gentime_tests[] = {
-+#if SIZEOF_TIME_T == 8
- 	{
- 		/* Biggest RFC 5280 time */
- 		.str = "99991231235959Z",
-@@ -129,6 +132,7 @@
- 		.data = "20500101000000Z",
- 		.time =  2524608000,
- 	},
-+#endif
- };
- struct rfc5280_time_test rfc5280_utctime_tests[] = {
- 	{
-@@ -141,11 +145,13 @@
- 		.data = "540226230640Z",
- 		.time = -500000000,
- 	},
-+#if SIZEOF_TIME_T == 8
- 	{
- 		.str = "491231235959Z",
- 		.data = "491231235959Z",
- 		.time = 2524607999,
- 	},
-+#endif
- 	{
- 		.str = "700101000000Z",
- 		.data = "700101000000Z",
-@@ -273,14 +279,14 @@
-
- 	if ((i = X509_cmp_time(gt, &att->time)) != -1) {
- 		fprintf(stderr, "FAIL: test %i - X509_cmp_time failed - returned %d compared to %lld\n",
--		    test_no, i, att->time);
-+		    test_no, i, (long long)att->time);
- 		goto done;
- 	}
-
- 	att->time--;
- 	if ((i = X509_cmp_time(gt, &att->time)) != 1) {
- 		fprintf(stderr, "FAIL: test %i - X509_cmp_time failed - returned %d compared to %lld\n",
--		    test_no, i, att->time);
-+		    test_no, i, (long long)att->time);
- 		goto done;
- 	}
- 	att->time++;
-@@ -325,14 +331,14 @@
-
- 	if ((i = X509_cmp_time(ut, &att->time)) != -1) {
- 		fprintf(stderr, "FAIL: test %i - X509_cmp_time failed - returned %d compared to %lld\n",
--		    test_no, i, att->time);
-+		    test_no, i, (long long)att->time);
- 		goto done;
- 	}
-
- 	att->time--;
- 	if ((i = X509_cmp_time(ut, &att->time)) != 1) {
- 		fprintf(stderr, "FAIL: test %i - X509_cmp_time failed - returned %d compared to %lld\n",
--		    test_no, i, att->time);
-+		    test_no, i, (long long)att->time);
- 		goto done;
- 	}
- 	att->time++;

patches/windows_headers.patch

@@ -1,100 +0,0 @@
-diff -urN include/openssl.orig/dtls1.h include/openssl/dtls1.h
---- include/openssl.orig/dtls1.h	Mon Sep 21 21:45:45 2015
-+++ include/openssl/dtls1.h	Mon Sep 21 21:58:56 2015
-@@ -60,7 +60,11 @@
- #ifndef HEADER_DTLS1_H
- #define HEADER_DTLS1_H
- 
-+#if defined(_WIN32)
-+#include <winsock2.h>
-+#else
- #include <sys/time.h>
-+#endif
- 
- #include <stdio.h>
- #include <stdlib.h>
-diff -urN include/openssl.orig/opensslconf.h include/openssl/opensslconf.h
---- include/openssl.orig/opensslconf.h	Mon Sep 21 21:45:45 2015
-+++ include/openssl/opensslconf.h	Mon Sep 21 21:56:13 2015
-@@ -1,6 +1,10 @@
- #include <openssl/opensslfeatures.h>
- /* crypto/opensslconf.h.in */
- 
-+#if defined(_MSC_VER) && !defined(__attribute__)
-+#define __attribute__(a)
-+#endif
-+
- /* Generate 80386 code? */
- #undef I386_ONLY
- 
-diff -urN include/openssl.orig/ossl_typ.h include/openssl/ossl_typ.h
---- include/openssl.orig/ossl_typ.h	Mon Sep 21 21:45:45 2015
-+++ include/openssl/ossl_typ.h	Mon Sep 21 21:56:22 2015
-@@ -100,6 +100,22 @@
- typedef struct ASN1_ITEM_st ASN1_ITEM;
- typedef struct asn1_pctx_st ASN1_PCTX;
- 
-+#if defined(_WIN32) && defined(__WINCRYPT_H__)
-+#ifndef LIBRESSL_INTERNAL
-+#ifdef _MSC_VER
-+#pragma message("Warning, overriding WinCrypt defines")
-+#else
-+#warning overriding WinCrypt defines
-+#endif
-+#endif
-+#undef X509_NAME
-+#undef X509_CERT_PAIR
-+#undef X509_EXTENSIONS
-+#undef OCSP_REQUEST
-+#undef OCSP_RESPONSE
-+#undef PKCS7_ISSUER_AND_SERIAL
-+#endif
-+
- #ifdef BIGNUM
- #undef BIGNUM
- #endif
-diff -urN include/openssl.orig/pkcs7.h include/openssl/pkcs7.h
---- include/openssl.orig/pkcs7.h	Mon Sep 21 21:45:45 2015
-+++ include/openssl/pkcs7.h	Mon Sep 21 21:56:29 2015
-@@ -69,6 +69,18 @@
- extern "C" {
- #endif
- 
-+#if defined(_WIN32) && defined(__WINCRYPT_H__)
-+#ifndef LIBRESSL_INTERNAL
-+#ifdef _MSC_VER
-+#pragma message("Warning, overriding WinCrypt defines")
-+#else
-+#warning overriding WinCrypt defines
-+#endif
-+#endif
-+#undef PKCS7_ISSUER_AND_SERIAL
-+#undef PKCS7_SIGNER_INFO
-+#endif
-+
- /*
- Encryption_ID		DES-CBC
- Digest_ID		MD5
-diff -urN include/openssl.orig/x509.h include/openssl/x509.h
---- include/openssl.orig/x509.h	Mon Sep 21 21:45:45 2015
-+++ include/openssl/x509.h	Mon Sep 21 21:56:35 2015
-@@ -112,6 +112,19 @@
- extern "C" {
- #endif
- 
-+#if defined(_WIN32)
-+#ifndef LIBRESSL_INTERNAL
-+#ifdef _MSC_VER
-+#pragma message("Warning, overriding WinCrypt defines")
-+#else
-+#warning overriding WinCrypt defines
-+#endif
-+#endif
-+#undef X509_NAME
-+#undef X509_CERT_PAIR
-+#undef X509_EXTENSIONS
-+#endif
-+
- #define X509_FILETYPE_PEM	1
- #define X509_FILETYPE_ASN1	2
- #define X509_FILETYPE_DEFAULT	3

patches/x509.h.patch

@@ -0,0 +1,22 @@
+--- include/openssl/x509.h.orig	2015-07-06 13:15:15.059306046 -0700
++++ include/openssl/x509.h	2015-07-06 13:16:10.506118278 -0700
+@@ -112,6 +112,19 @@
+ extern "C" {
+ #endif
+
++#if defined(_WIN32)
++#ifndef LIBRESSL_INTERNAL
++#ifdef _MSC_VER
++#pragma message("Warning, overriding WinCrypt defines")
++#else
++#warning overriding WinCrypt defines
++#endif
++#endif
++#undef X509_NAME
++#undef X509_CERT_PAIR
++#undef X509_EXTENSIONS
++#endif
++
+ #define X509_FILETYPE_PEM	1
+ #define X509_FILETYPE_ASN1	2
+ #define X509_FILETYPE_DEFAULT	3

scripts/travis

@@ -6,7 +6,7 @@ set -e
 if [ "x$ARCH" = "xnative" ]; then
 	# test autotools
 	./configure
-	make -j 4 distcheck
+	make -j 4 check
 
 	# make distribution
 	make dist
@@ -19,7 +19,6 @@ if [ "x$ARCH" = "xnative" ]; then
 	if [ `uname` = "Darwin" ]; then
 		cmake ..
 		make
-		make test
 	else
 		sudo apt-get update
 		sudo apt-get install -y python-software-properties
@@ -28,7 +27,6 @@ if [ "x$ARCH" = "xnative" ]; then
 		sudo apt-get install -y cmake ninja-build
 		cmake -GNinja ..
 		ninja
-		ninja test
 	fi
 else
 	CPU=i686

ssl/CMakeLists.txt

@@ -21,12 +21,15 @@ set(
 	pqueue.c
 	s23_clnt.c
 	s23_lib.c
+	s23_meth.c
 	s23_pkt.c
 	s23_srvr.c
 	s3_both.c
 	s3_cbc.c
 	s3_clnt.c
+	s3_enc.c
 	s3_lib.c
+	s3_meth.c
 	s3_pkt.c
 	s3_srvr.c
 	ssl_algs.c

ssl/Makefile.am

@@ -23,12 +23,15 @@ libssl_la_SOURCES += d1_srvr.c
 libssl_la_SOURCES += pqueue.c
 libssl_la_SOURCES += s23_clnt.c
 libssl_la_SOURCES += s23_lib.c
+libssl_la_SOURCES += s23_meth.c
 libssl_la_SOURCES += s23_pkt.c
 libssl_la_SOURCES += s23_srvr.c
 libssl_la_SOURCES += s3_both.c
 libssl_la_SOURCES += s3_cbc.c
 libssl_la_SOURCES += s3_clnt.c
+libssl_la_SOURCES += s3_enc.c
 libssl_la_SOURCES += s3_lib.c
+libssl_la_SOURCES += s3_meth.c
 libssl_la_SOURCES += s3_pkt.c
 libssl_la_SOURCES += s3_srvr.c
 libssl_la_SOURCES += ssl_algs.c

tap-driver.sh

@@ -1,651 +0,0 @@
-#! /bin/sh
-# Copyright (C) 2011-2014 Free Software Foundation, Inc.
-#
-# This program is free software; you can redistribute it and/or modify
-# it under the terms of the GNU General Public License as published by
-# the Free Software Foundation; either version 2, or (at your option)
-# any later version.
-#
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
-# GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License
-# along with this program.  If not, see <http://www.gnu.org/licenses/>.
-
-# As a special exception to the GNU General Public License, if you
-# distribute this file as part of a program that contains a
-# configuration script generated by Autoconf, you may include it under
-# the same distribution terms that you use for the rest of that program.
-
-# This file is maintained in Automake, please report
-# bugs to <bug-automake@gnu.org> or send patches to
-# <automake-patches@gnu.org>.
-
-scriptversion=2013-12-23.17; # UTC
-
-# Make unconditional expansion of undefined variables an error.  This
-# helps a lot in preventing typo-related bugs.
-set -u
-
-me=tap-driver.sh
-
-fatal ()
-{
-  echo "$me: fatal: $*" >&2
-  exit 1
-}
-
-usage_error ()
-{
-  echo "$me: $*" >&2
-  print_usage >&2
-  exit 2
-}
-
-print_usage ()
-{
-  cat <<END
-Usage:
-  tap-driver.sh --test-name=NAME --log-file=PATH --trs-file=PATH
-                [--expect-failure={yes|no}] [--color-tests={yes|no}]
-                [--enable-hard-errors={yes|no}] [--ignore-exit]
-                [--diagnostic-string=STRING] [--merge|--no-merge]
-                [--comments|--no-comments] [--] TEST-COMMAND
-The '--test-name', '-log-file' and '--trs-file' options are mandatory.
-END
-}
-
-# TODO: better error handling in option parsing (in particular, ensure
-# TODO: $log_file, $trs_file and $test_name are defined).
-test_name= # Used for reporting.
-log_file=  # Where to save the result and output of the test script.
-trs_file=  # Where to save the metadata of the test run.
-expect_failure=0
-color_tests=0
-merge=0
-ignore_exit=0
-comments=0
-diag_string='#'
-while test $# -gt 0; do
-  case $1 in
-  --help) print_usage; exit $?;;
-  --version) echo "$me $scriptversion"; exit $?;;
-  --test-name) test_name=$2; shift;;
-  --log-file) log_file=$2; shift;;
-  --trs-file) trs_file=$2; shift;;
-  --color-tests) color_tests=$2; shift;;
-  --expect-failure) expect_failure=$2; shift;;
-  --enable-hard-errors) shift;; # No-op.
-  --merge) merge=1;;
-  --no-merge) merge=0;;
-  --ignore-exit) ignore_exit=1;;
-  --comments) comments=1;;
-  --no-comments) comments=0;;
-  --diagnostic-string) diag_string=$2; shift;;
-  --) shift; break;;
-  -*) usage_error "invalid option: '$1'";;
-  esac
-  shift
-done
-
-test $# -gt 0 || usage_error "missing test command"
-
-case $expect_failure in
-  yes) expect_failure=1;;
-    *) expect_failure=0;;
-esac
-
-if test $color_tests = yes; then
-  init_colors='
-    color_map["red"]="" # Red.
-    color_map["grn"]="" # Green.
-    color_map["lgn"]="" # Light green.
-    color_map["blu"]="" # Blue.
-    color_map["mgn"]="" # Magenta.
-    color_map["std"]=""     # No color.
-    color_for_result["ERROR"] = "mgn"
-    color_for_result["PASS"]  = "grn"
-    color_for_result["XPASS"] = "red"
-    color_for_result["FAIL"]  = "red"
-    color_for_result["XFAIL"] = "lgn"
-    color_for_result["SKIP"]  = "blu"'
-else
-  init_colors=''
-fi
-
-# :; is there to work around a bug in bash 3.2 (and earlier) which
-# does not always set '$?' properly on redirection failure.
-# See the Autoconf manual for more details.
-:;{
-  (
-    # Ignore common signals (in this subshell only!), to avoid potential
-    # problems with Korn shells.  Some Korn shells are known to propagate
-    # to themselves signals that have killed a child process they were
-    # waiting for; this is done at least for SIGINT (and usually only for
-    # it, in truth).  Without the `trap' below, such a behaviour could
-    # cause a premature exit in the current subshell, e.g., in case the
-    # test command it runs gets terminated by a SIGINT.  Thus, the awk
-    # script we are piping into would never seen the exit status it
-    # expects on its last input line (which is displayed below by the
-    # last `echo $?' statement), and would thus die reporting an internal
-    # error.
-    # For more information, see the Autoconf manual and the threads:
-    # <http://lists.gnu.org/archive/html/bug-autoconf/2011-09/msg00004.html>
-    # <http://mail.opensolaris.org/pipermail/ksh93-integration-discuss/2009-February/004121.html>
-    trap : 1 3 2 13 15
-    if test $merge -gt 0; then
-      exec 2>&1
-    else
-      exec 2>&3
-    fi
-    "$@"
-    echo $?
-  ) | LC_ALL=C ${AM_TAP_AWK-awk} \
-        -v me="$me" \
-        -v test_script_name="$test_name" \
-        -v log_file="$log_file" \
-        -v trs_file="$trs_file" \
-        -v expect_failure="$expect_failure" \
-        -v merge="$merge" \
-        -v ignore_exit="$ignore_exit" \
-        -v comments="$comments" \
-        -v diag_string="$diag_string" \
-'
-# TODO: the usages of "cat >&3" below could be optimized when using
-#       GNU awk, and/on on systems that supports /dev/fd/.
-
-# Implementation note: in what follows, `result_obj` will be an
-# associative array that (partly) simulates a TAP result object
-# from the `TAP::Parser` perl module.
-
-## ----------- ##
-##  FUNCTIONS  ##
-## ----------- ##
-
-function fatal(msg)
-{
-  print me ": " msg | "cat >&2"
-  exit 1
-}
-
-function abort(where)
-{
-  fatal("internal error " where)
-}
-
-# Convert a boolean to a "yes"/"no" string.
-function yn(bool)
-{
-  return bool ? "yes" : "no";
-}
-
-function add_test_result(result)
-{
-  if (!test_results_index)
-    test_results_index = 0
-  test_results_list[test_results_index] = result
-  test_results_index += 1
-  test_results_seen[result] = 1;
-}
-
-# Whether the test script should be re-run by "make recheck".
-function must_recheck()
-{
-  for (k in test_results_seen)
-    if (k != "XFAIL" && k != "PASS" && k != "SKIP")
-      return 1
-  return 0
-}
-
-# Whether the content of the log file associated to this test should
-# be copied into the "global" test-suite.log.
-function copy_in_global_log()
-{
-  for (k in test_results_seen)
-    if (k != "PASS")
-      return 1
-  return 0
-}
-
-function get_global_test_result()
-{
-    if ("ERROR" in test_results_seen)
-      return "ERROR"
-    if ("FAIL" in test_results_seen || "XPASS" in test_results_seen)
-      return "FAIL"
-    all_skipped = 1
-    for (k in test_results_seen)
-      if (k != "SKIP")
-        all_skipped = 0
-    if (all_skipped)
-      return "SKIP"
-    return "PASS";
-}
-
-function stringify_result_obj(result_obj)
-{
-  if (result_obj["is_unplanned"] || result_obj["number"] != testno)
-    return "ERROR"
-
-  if (plan_seen == LATE_PLAN)
-    return "ERROR"
-
-  if (result_obj["directive"] == "TODO")
-    return result_obj["is_ok"] ? "XPASS" : "XFAIL"
-
-  if (result_obj["directive"] == "SKIP")
-    return result_obj["is_ok"] ? "SKIP" : COOKED_FAIL;
-
-  if (length(result_obj["directive"]))
-      abort("in function stringify_result_obj()")
-
-  return result_obj["is_ok"] ? COOKED_PASS : COOKED_FAIL
-}
-
-function decorate_result(result)
-{
-  color_name = color_for_result[result]
-  if (color_name)
-    return color_map[color_name] "" result "" color_map["std"]
-  # If we are not using colorized output, or if we do not know how
-  # to colorize the given result, we should return it unchanged.
-  return result
-}
-
-function report(result, details)
-{
-  if (result ~ /^(X?(PASS|FAIL)|SKIP|ERROR)/)
-    {
-      msg = ": " test_script_name
-      add_test_result(result)
-    }
-  else if (result == "#")
-    {
-      msg = " " test_script_name ":"
-    }
-  else
-    {
-      abort("in function report()")
-    }
-  if (length(details))
-    msg = msg " " details
-  # Output on console might be colorized.
-  print decorate_result(result) msg
-  # Log the result in the log file too, to help debugging (this is
-  # especially true when said result is a TAP error or "Bail out!").
-  print result msg | "cat >&3";
-}
-
-function testsuite_error(error_message)
-{
-  report("ERROR", "- " error_message)
-}
-
-function handle_tap_result()
-{
-  details = result_obj["number"];
-  if (length(result_obj["description"]))
-    details = details " " result_obj["description"]
-
-  if (plan_seen == LATE_PLAN)
-    {
-      details = details " # AFTER LATE PLAN";
-    }
-  else if (result_obj["is_unplanned"])
-    {
-       details = details " # UNPLANNED";
-    }
-  else if (result_obj["number"] != testno)
-    {
-       details = sprintf("%s # OUT-OF-ORDER (expecting %d)",
-                         details, testno);
-    }
-  else if (result_obj["directive"])
-    {
-      details = details " # " result_obj["directive"];
-      if (length(result_obj["explanation"]))
-        details = details " " result_obj["explanation"]
-    }
-
-  report(stringify_result_obj(result_obj), details)
-}
-
-# `skip_reason` should be empty whenever planned > 0.
-function handle_tap_plan(planned, skip_reason)
-{
-  planned += 0 # Avoid getting confused if, say, `planned` is "00"
-  if (length(skip_reason) && planned > 0)
-    abort("in function handle_tap_plan()")
-  if (plan_seen)
-    {
-      # Error, only one plan per stream is acceptable.
-      testsuite_error("multiple test plans")
-      return;
-    }
-  planned_tests = planned
-  # The TAP plan can come before or after *all* the TAP results; we speak
-  # respectively of an "early" or a "late" plan.  If we see the plan line
-  # after at least one TAP result has been seen, assume we have a late
-  # plan; in this case, any further test result seen after the plan will
-  # be flagged as an error.
-  plan_seen = (testno >= 1 ? LATE_PLAN : EARLY_PLAN)
-  # If testno > 0, we have an error ("too many tests run") that will be
-  # automatically dealt with later, so do not worry about it here.  If
-  # $plan_seen is true, we have an error due to a repeated plan, and that
-  # has already been dealt with above.  Otherwise, we have a valid "plan
-  # with SKIP" specification, and should report it as a particular kind
-  # of SKIP result.
-  if (planned == 0 && testno == 0)
-    {
-      if (length(skip_reason))
-        skip_reason = "- "  skip_reason;
-      report("SKIP", skip_reason);
-    }
-}
-
-function extract_tap_comment(line)
-{
-  if (index(line, diag_string) == 1)
-    {
-      # Strip leading `diag_string` from `line`.
-      line = substr(line, length(diag_string) + 1)
-      # And strip any leading and trailing whitespace left.
-      sub("^[ \t]*", "", line)
-      sub("[ \t]*$", "", line)
-      # Return what is left (if any).
-      return line;
-    }
-  return "";
-}
-
-# When this function is called, we know that line is a TAP result line,
-# so that it matches the (perl) RE "^(not )?ok\b".
-function setup_result_obj(line)
-{
-  # Get the result, and remove it from the line.
-  result_obj["is_ok"] = (substr(line, 1, 2) == "ok" ? 1 : 0)
-  sub("^(not )?ok[ \t]*", "", line)
-
-  # If the result has an explicit number, get it and strip it; otherwise,
-  # automatically assing the next progresive number to it.
-  if (line ~ /^[0-9]+$/ || line ~ /^[0-9]+[^a-zA-Z0-9_]/)
-    {
-      match(line, "^[0-9]+")
-      # The final `+ 0` is to normalize numbers with leading zeros.
-      result_obj["number"] = substr(line, 1, RLENGTH) + 0
-      line = substr(line, RLENGTH + 1)
-    }
-  else
-    {
-      result_obj["number"] = testno
-    }
-
-  if (plan_seen == LATE_PLAN)
-    # No further test results are acceptable after a "late" TAP plan
-    # has been seen.
-    result_obj["is_unplanned"] = 1
-  else if (plan_seen && testno > planned_tests)
-    result_obj["is_unplanned"] = 1
-  else
-    result_obj["is_unplanned"] = 0
-
-  # Strip trailing and leading whitespace.
-  sub("^[ \t]*", "", line)
-  sub("[ \t]*$", "", line)
-
-  # This will have to be corrected if we have a "TODO"/"SKIP" directive.
-  result_obj["description"] = line
-  result_obj["directive"] = ""
-  result_obj["explanation"] = ""
-
-  if (index(line, "#") == 0)
-    return # No possible directive, nothing more to do.
-
-  # Directives are case-insensitive.
-  rx = "[ \t]*#[ \t]*([tT][oO][dD][oO]|[sS][kK][iI][pP])[ \t]*"
-
-  # See whether we have the directive, and if yes, where.
-  pos = match(line, rx "$")
-  if (!pos)
-    pos = match(line, rx "[^a-zA-Z0-9_]")
-
-  # If there was no TAP directive, we have nothing more to do.
-  if (!pos)
-    return
-
-  # Let`s now see if the TAP directive has been escaped.  For example:
-  #  escaped:     ok \# SKIP
-  #  not escaped: ok \\# SKIP
-  #  escaped:     ok \\\\\# SKIP
-  #  not escaped: ok \ # SKIP
-  if (substr(line, pos, 1) == "#")
-    {
-      bslash_count = 0
-      for (i = pos; i > 1 && substr(line, i - 1, 1) == "\\"; i--)
-        bslash_count += 1
-      if (bslash_count % 2)
-        return # Directive was escaped.
-    }
-
-  # Strip the directive and its explanation (if any) from the test
-  # description.
-  result_obj["description"] = substr(line, 1, pos - 1)
-  # Now remove the test description from the line, that has been dealt
-  # with already.
-  line = substr(line, pos)
-  # Strip the directive, and save its value (normalized to upper case).
-  sub("^[ \t]*#[ \t]*", "", line)
-  result_obj["directive"] = toupper(substr(line, 1, 4))
-  line = substr(line, 5)
-  # Now get the explanation for the directive (if any), with leading
-  # and trailing whitespace removed.
-  sub("^[ \t]*", "", line)
-  sub("[ \t]*$", "", line)
-  result_obj["explanation"] = line
-}
-
-function get_test_exit_message(status)
-{
-  if (status == 0)
-    return ""
-  if (status !~ /^[1-9][0-9]*$/)
-    abort("getting exit status")
-  if (status < 127)
-    exit_details = ""
-  else if (status == 127)
-    exit_details = " (command not found?)"
-  else if (status >= 128 && status <= 255)
-    exit_details = sprintf(" (terminated by signal %d?)", status - 128)
-  else if (status > 256 && status <= 384)
-    # We used to report an "abnormal termination" here, but some Korn
-    # shells, when a child process die due to signal number n, can leave
-    # in $? an exit status of 256+n instead of the more standard 128+n.
-    # Apparently, both behaviours are allowed by POSIX (2008), so be
-    # prepared to handle them both.  See also Austing Group report ID
-    # 0000051 <http://www.austingroupbugs.net/view.php?id=51>
-    exit_details = sprintf(" (terminated by signal %d?)", status - 256)
-  else
-    # Never seen in practice.
-    exit_details = " (abnormal termination)"
-  return sprintf("exited with status %d%s", status, exit_details)
-}
-
-function write_test_results()
-{
-  print ":global-test-result: " get_global_test_result() > trs_file
-  print ":recheck: "  yn(must_recheck()) > trs_file
-  print ":copy-in-global-log: " yn(copy_in_global_log()) > trs_file
-  for (i = 0; i < test_results_index; i += 1)
-    print ":test-result: " test_results_list[i] > trs_file
-  close(trs_file);
-}
-
-BEGIN {
-
-## ------- ##
-##  SETUP  ##
-## ------- ##
-
-'"$init_colors"'
-
-# Properly initialized once the TAP plan is seen.
-planned_tests = 0
-
-COOKED_PASS = expect_failure ? "XPASS": "PASS";
-COOKED_FAIL = expect_failure ? "XFAIL": "FAIL";
-
-# Enumeration-like constants to remember which kind of plan (if any)
-# has been seen.  It is important that NO_PLAN evaluates "false" as
-# a boolean.
-NO_PLAN = 0
-EARLY_PLAN = 1
-LATE_PLAN = 2
-
-testno = 0     # Number of test results seen so far.
-bailed_out = 0 # Whether a "Bail out!" directive has been seen.
-
-# Whether the TAP plan has been seen or not, and if yes, which kind
-# it is ("early" is seen before any test result, "late" otherwise).
-plan_seen = NO_PLAN
-
-## --------- ##
-##  PARSING  ##
-## --------- ##
-
-is_first_read = 1
-
-while (1)
-  {
-    # Involutions required so that we are able to read the exit status
-    # from the last input line.
-    st = getline
-    if (st < 0) # I/O error.
-      fatal("I/O error while reading from input stream")
-    else if (st == 0) # End-of-input
-      {
-        if (is_first_read)
-          abort("in input loop: only one input line")
-        break
-      }
-    if (is_first_read)
-      {
-        is_first_read = 0
-        nextline = $0
-        continue
-      }
-    else
-      {
-        curline = nextline
-        nextline = $0
-        $0 = curline
-      }
-    # Copy any input line verbatim into the log file.
-    print | "cat >&3"
-    # Parsing of TAP input should stop after a "Bail out!" directive.
-    if (bailed_out)
-      continue
-
-    # TAP test result.
-    if ($0 ~ /^(not )?ok$/ || $0 ~ /^(not )?ok[^a-zA-Z0-9_]/)
-      {
-        testno += 1
-        setup_result_obj($0)
-        handle_tap_result()
-      }
-    # TAP plan (normal or "SKIP" without explanation).
-    else if ($0 ~ /^1\.\.[0-9]+[ \t]*$/)
-      {
-        # The next two lines will put the number of planned tests in $0.
-        sub("^1\\.\\.", "")
-        sub("[^0-9]*$", "")
-        handle_tap_plan($0, "")
-        continue
-      }
-    # TAP "SKIP" plan, with an explanation.
-    else if ($0 ~ /^1\.\.0+[ \t]*#/)
-      {
-        # The next lines will put the skip explanation in $0, stripping
-        # any leading and trailing whitespace.  This is a little more
-        # tricky in truth, since we want to also strip a potential leading
-        # "SKIP" string from the message.
-        sub("^[^#]*#[ \t]*(SKIP[: \t][ \t]*)?", "")
-        sub("[ \t]*$", "");
-        handle_tap_plan(0, $0)
-      }
-    # "Bail out!" magic.
-    # Older versions of prove and TAP::Harness (e.g., 3.17) did not
-    # recognize a "Bail out!" directive when preceded by leading
-    # whitespace, but more modern versions (e.g., 3.23) do.  So we
-    # emulate the latter, "more modern" behaviour.
-    else if ($0 ~ /^[ \t]*Bail out!/)
-      {
-        bailed_out = 1
-        # Get the bailout message (if any), with leading and trailing
-        # whitespace stripped.  The message remains stored in `$0`.
-        sub("^[ \t]*Bail out![ \t]*", "");
-        sub("[ \t]*$", "");
-        # Format the error message for the
-        bailout_message = "Bail out!"
-        if (length($0))
-          bailout_message = bailout_message " " $0
-        testsuite_error(bailout_message)
-      }
-    # Maybe we have too look for dianogtic comments too.
-    else if (comments != 0)
-      {
-        comment = extract_tap_comment($0);
-        if (length(comment))
-          report("#", comment);
-      }
-  }
-
-## -------- ##
-##  FINISH  ##
-## -------- ##
-
-# A "Bail out!" directive should cause us to ignore any following TAP
-# error, as well as a non-zero exit status from the TAP producer.
-if (!bailed_out)
-  {
-    if (!plan_seen)
-      {
-        testsuite_error("missing test plan")
-      }
-    else if (planned_tests != testno)
-      {
-        bad_amount = testno > planned_tests ? "many" : "few"
-        testsuite_error(sprintf("too %s tests run (expected %d, got %d)",
-                                bad_amount, planned_tests, testno))
-      }
-    if (!ignore_exit)
-      {
-        # Fetch exit status from the last line.
-        exit_message = get_test_exit_message(nextline)
-        if (exit_message)
-          testsuite_error(exit_message)
-      }
-  }
-
-write_test_results()
-
-exit 0
-
-} # End of "BEGIN" block.
-'
-
-# TODO: document that we consume the file descriptor 3 :-(
-} 3>"$log_file"
-
-test $? -eq 0 || fatal "I/O or internal error"
-
-# Local Variables:
-# mode: shell-script
-# sh-indentation: 2
-# eval: (add-hook 'write-file-hooks 'time-stamp)
-# time-stamp-start: "scriptversion="
-# time-stamp-format: "%:y-%02m-%02d.%02H"
-# time-stamp-time-zone: "UTC"
-# time-stamp-end: "; # UTC"
-# End:

tests/CMakeLists.txt

@@ -5,8 +5,7 @@ include_directories(
 	../crypto/modes
 	../crypto/asn1
 	../ssl
-	../apps/openssl
-	../apps/openssl/compat
+	../apps
 )
 
 set(ENV{srcdir} ${CMAKE_CURRENT_SOURCE_DIR})
@@ -36,11 +35,6 @@ add_executable(asn1test asn1test.c)
 target_link_libraries(asn1test ${OPENSSL_LIBS})
 add_test(asn1test asn1test)
 
-# asn1time
-add_executable(asn1time asn1time.c)
-target_link_libraries(asn1time ${OPENSSL_LIBS})
-add_test(asn1time asn1time)
-
 # base64test
 add_executable(base64test base64test.c)
 target_link_libraries(base64test ${OPENSSL_LIBS})
@@ -81,11 +75,6 @@ add_executable(cipherstest cipherstest.c)
 target_link_libraries(cipherstest ${OPENSSL_LIBS})
 add_test(cipherstest cipherstest)
 
-# clienttest
-add_executable(clienttest clienttest.c)
-target_link_libraries(clienttest ${OPENSSL_LIBS})
-add_test(clienttest clienttest)
-
 # cts128test
 add_executable(cts128test cts128test.c)
 target_link_libraries(cts128test ${OPENSSL_LIBS})
@@ -227,11 +216,6 @@ add_executable(rc4test rc4test.c)
 target_link_libraries(rc4test ${OPENSSL_LIBS})
 add_test(rc4test rc4test)
 
-# rfc5280time
-add_executable(rfc5280time rfc5280time.c)
-target_link_libraries(rfc5280time ${OPENSSL_LIBS})
-add_test(rfc5280time rfc5280time)
-
 # rmdtest
 add_executable(rmdtest rmdtest.c)
 target_link_libraries(rmdtest ${OPENSSL_LIBS})
@@ -252,6 +236,11 @@ add_executable(sha512test sha512test.c)
 target_link_libraries(sha512test ${OPENSSL_LIBS})
 add_test(sha512test sha512test)
 
+# shatest
+add_executable(shatest shatest.c)
+target_link_libraries(shatest ${OPENSSL_LIBS})
+add_test(shatest shatest)
+
 # ssltest
 #add_executable(ssltest ssltest.c)
 #target_link_libraries(ssltest ${OPENSSL_LIBS})
@@ -275,8 +264,3 @@ add_test(timingsafe timingsafe)
 add_executable(utf8test utf8test.c)
 target_link_libraries(utf8test ${OPENSSL_LIBS})
 add_test(utf8test utf8test)
-
-# verifytest
-add_executable(verifytest verifytest.c)
-target_link_libraries(verifytest tls ${OPENSSL_LIBS})
-add_test(verifytest verifytest)

tests/Makefile.am

@@ -3,15 +3,11 @@ include $(top_srcdir)/Makefile.am.common
 AM_CPPFLAGS += -I $(top_srcdir)/crypto/modes
 AM_CPPFLAGS += -I $(top_srcdir)/crypto/asn1
 AM_CPPFLAGS += -I $(top_srcdir)/ssl
-AM_CPPFLAGS += -I $(top_srcdir)/apps/openssl
-AM_CPPFLAGS += -I $(top_srcdir)/apps/openssl/compat
+AM_CPPFLAGS += -I $(top_srcdir)/apps
 
 LDADD = $(PLATFORM_LDADD) $(PROG_LDADD)
 LDADD += $(top_builddir)/ssl/libssl.la
 LDADD += $(top_builddir)/crypto/libcrypto.la
-LDADD += $(top_builddir)/tls/libtls.la
-
-TEST_LOG_DRIVER = env AM_TAP_AWK='$(AWK)' $(SHELL) $(top_srcdir)/tap-driver.sh
 
 TESTS =
 check_PROGRAMS =
@@ -44,11 +40,6 @@ TESTS += asn1test
 check_PROGRAMS += asn1test
 asn1test_SOURCES = asn1test.c
 
-# asn1time
-TESTS += asn1time
-check_PROGRAMS += asn1time
-asn1time_SOURCES = asn1time.c
-
 # base64test
 TESTS += base64test
 check_PROGRAMS += base64test
@@ -98,11 +89,6 @@ TESTS += cipherstest
 check_PROGRAMS += cipherstest
 cipherstest_SOURCES = cipherstest.c
 
-# clienttest
-TESTS += clienttest
-check_PROGRAMS += clienttest
-clienttest_SOURCES = clienttest.c
-
 # cts128test
 TESTS += cts128test
 check_PROGRAMS += cts128test
@@ -222,10 +208,9 @@ pbkdf2_SOURCES = pbkdf2.c
 # pidwraptest relies on an OS-specific way to give out pids and is generally
 # awkward on systems with slow fork
 if ENABLE_EXTRATESTS
-TESTS += pidwraptest.sh
+TESTS += pidwraptest
 check_PROGRAMS += pidwraptest
 pidwraptest_SOURCES = pidwraptest.c
-EXTRA_DIST += pidwraptest.sh
 endif
 
 # pkcs7test
@@ -260,16 +245,6 @@ TESTS += rc4test
 check_PROGRAMS += rc4test
 rc4test_SOURCES = rc4test.c
 
-# rfc5280time
-check_PROGRAMS += rfc5280time
-rfc5280time_SOURCES = rfc5280time.c
-if SMALL_TIME_T
-TESTS += rfc5280time_small.test
-else
-TESTS += rfc5280time
-endif
-EXTRA_DIST += rfc5280time_small.test
-
 # rmdtest
 TESTS += rmdtest
 check_PROGRAMS += rmdtest
@@ -290,6 +265,11 @@ TESTS += sha512test
 check_PROGRAMS += sha512test
 sha512test_SOURCES = sha512test.c
 
+# shatest
+TESTS += shatest
+check_PROGRAMS += shatest
+shatest_SOURCES = shatest.c
+
 # ssltest
 TESTS += ssltest.sh
 check_PROGRAMS += ssltest
@@ -320,7 +300,3 @@ TESTS += utf8test
 check_PROGRAMS += utf8test
 utf8test_SOURCES = utf8test.c
 
-# verifytest
-TESTS += verifytest
-check_PROGRAMS += verifytest
-verifytest_SOURCES = verifytest.c

tests/rfc5280time_small.test

@@ -1,10 +0,0 @@
-#!/bin/sh
-set -e
-echo 1..2
-TEST=./rfc5280time
-if [ -e ./rfc5280time.exe ]; then
-	TEST=./rfc5280time.exe
-fi
-$TEST
-echo "ok 1"
-echo "ok 2 - rfc5280time_64-bit # SKIP this system is unable to represent times past 2038"

tests/ssltest.sh

@@ -6,9 +6,9 @@ if [ -e ./ssltest.exe ]; then
 	ssltest_bin=./ssltest.exe
 fi
 
-openssl_bin=../apps/openssl/openssl
-if [ -e ../apps/openssl/openssl.exe ]; then
-	openssl_bin=../apps/openssl/openssl.exe
+openssl_bin=../apps/openssl
+if [ -e ../apps/openssl.exe ]; then
+	openssl_bin=../apps/openssl.exe
 fi
 
 if [ -z $srcdir ]; then

tests/testdsa.sh

@@ -4,9 +4,9 @@
 
 #Test DSA certificate generation of openssl
 
-cmd=../apps/openssl/openssl
-if [ -e ../apps/openssl/openssl.exe ]; then
-	cmd=../apps/openssl/openssl.exe
+cmd=../apps/openssl
+if [ -e ../apps/openssl.exe ]; then
+	cmd=../apps/openssl.exe
 fi
 
 if [ -z $srcdir ]; then

tests/testenc.sh

@@ -2,9 +2,9 @@
 #	$OpenBSD: testenc.sh,v 1.1 2014/08/26 17:50:07 jsing Exp $
 
 test=p
-cmd=../apps/openssl/openssl
-if [ -e ../apps/openssl/openssl.exe ]; then
-	cmd=../apps/openssl/openssl.exe
+cmd=../apps/openssl
+if [ -e ../apps/openssl.exe ]; then
+	cmd=../apps/openssl.exe
 fi
 
 cat openssl.cnf >$test;

tests/testrsa.sh

@@ -4,9 +4,9 @@
 
 #Test RSA certificate generation of openssl
 
-cmd=../apps/openssl/openssl
-if [ -e ../apps/openssl/openssl.exe ]; then
-	cmd=../apps/openssl/openssl.exe
+cmd=../apps/openssl
+if [ -e ../apps/openssl.exe ]; then
+	cmd=../apps/openssl.exe
 fi
 
 if [ -z $srcdir ]; then

tls/CMakeLists.txt

@@ -9,9 +9,7 @@ set(
 	tls.c
 	tls_client.c
 	tls_config.c
-	tls_conninfo.c
 	tls_server.c
-	tls_peer.c
 	tls_util.c
 	tls_verify.c
 )

tls/Makefile.am

@@ -11,9 +11,7 @@ libtls_la_LIBADD = ../crypto/libcrypto.la ../ssl/libssl.la $(PLATFORM_LDADD)
 libtls_la_SOURCES = tls.c
 libtls_la_SOURCES += tls_client.c
 libtls_la_SOURCES += tls_config.c
-libtls_la_SOURCES += tls_conninfo.c
 libtls_la_SOURCES += tls_server.c
-libtls_la_SOURCES += tls_peer.c
 libtls_la_SOURCES += tls_util.c
 libtls_la_SOURCES += tls_verify.c
 noinst_HEADERS = tls_internal.h

update.sh

@@ -25,8 +25,7 @@ libcrypto_regress=$CWD/openbsd/src/regress/lib/libcrypto
 libssl_src=$CWD/openbsd/src/lib/libssl
 libssl_regress=$CWD/openbsd/src/regress/lib/libssl
 libtls_src=$CWD/openbsd/src/lib/libtls
-libtls_regress=$CWD/openbsd/src/regress/lib/libtls
-app_src=$CWD/openbsd/src/usr.bin
+openssl_app_src=$CWD/openbsd/src/usr.bin/openssl
 
 # load library versions
 . $libcrypto_src/crypto/shlib_version
@@ -53,26 +52,21 @@ do_mv() {
 		rm -f "$1"
 	fi
 }
-MV='do_mv'
-
-do_cp_libc() {
-	sed "/DEF_WEAK/d" < "$1" > "$2"/`basename "$1"`
-}
-CP_LIBC='do_cp_libc'
-
 CP='cp -p'
+MV='do_mv'
 
 $CP $libssl_src/src/LICENSE COPYING
 
 $CP $libcrypto_src/crypto/arch/amd64/opensslconf.h include/openssl
 $CP $libssl_src/src/crypto/opensslfeatures.h include/openssl
+$CP $libssl_src/src/e_os2.h include/openssl
 $CP $libssl_src/src/ssl/pqueue.h include
 
 $CP $libtls_src/tls.h include
 $CP $libtls_src/tls.h libtls-standalone/include
 
 for i in crypto/compat libtls-standalone/compat; do
-	for j in $libc_src/crypt/arc4random.c \
+	$CP $libc_src/crypt/arc4random.c \
 	    $libc_src/crypt/chacha_private.h \
 	    $libc_src/string/explicit_bzero.c \
 	    $libc_src/stdlib/reallocarray.c \
@@ -84,9 +78,8 @@ for i in crypto/compat libtls-standalone/compat; do
 	    $libc_src/string/timingsafe_bcmp.c \
 	    $libc_src/string/timingsafe_memcmp.c \
 	    $libcrypto_src/crypto/getentropy_*.c \
-	    $libcrypto_src/crypto/arc4random_*.h; do
-		$CP_LIBC $j $i
-	done
+	    $libcrypto_src/crypto/arc4random_*.h \
+	    $i
 done
 
 $CP include/compat/stdlib.h \
@@ -198,10 +191,8 @@ for i in `awk '/SOURCES|HEADERS/ { print $3 }' tls/Makefile.am` ; do
 		$CP $libtls_src/$i libtls-standalone/src
 	fi
 done
-
-$CP_LIBC $libc_src/string/strsep.c tls
-$CP_LIBC $libc_src/string/strsep.c libtls-standalone/compat
-
+$CP $libc_src/string/strsep.c tls
+$CP $libc_src/string/strsep.c libtls-standalone/compat
 mkdir -p libtls-standalone/m4
 $CP m4/check*.m4 \
 	m4/disable*.m4 \
@@ -209,27 +200,15 @@ $CP m4/check*.m4 \
 sed -e "s/compat\///" crypto/Makefile.am.arc4random > \
 	libtls-standalone/compat/Makefile.am.arc4random
 
-# copy nc(1) source
-echo "copying nc(1) source"
-$CP $app_src/nc/nc.1 apps/nc
-rm -f apps/nc/*.c apps/nc/*.h
-$CP_LIBC $libc_src/stdlib/strtonum.c apps/nc/compat
-for i in `awk '/SOURCES|HEADERS|MANS/ { print $3 }' apps/nc/Makefile.am` ; do
-	if [ -e $app_src/nc/$i ]; then
-		$CP $app_src/nc/$i apps/nc
-	fi
-done
-
 # copy openssl(1) source
 echo "copying openssl(1) source"
-$CP $app_src/openssl/openssl.1 apps/openssl
-$CP_LIBC $libc_src/stdlib/strtonum.c apps/openssl/compat
-$CP $libcrypto_src/cert.pem apps/openssl
-$CP $libcrypto_src/openssl.cnf apps/openssl
-$CP $libcrypto_src/x509v3.cnf apps/openssl
-for i in `awk '/SOURCES|HEADERS|MANS/ { print $3 }' apps/openssl/Makefile.am` ; do
-	if [ -e $app_src/openssl/$i ]; then
-		$CP $app_src/openssl/$i apps/openssl
+$CP $libc_src/stdlib/strtonum.c apps
+$CP $libcrypto_src/cert.pem apps
+$CP $libcrypto_src/openssl.cnf apps
+$CP $libcrypto_src/x509v3.cnf apps
+for i in `awk '/SOURCES|HEADERS/ { print $3 }' apps/Makefile.am` ; do
+	if [ -e $openssl_app_src/$i ]; then
+		$CP $openssl_app_src/$i apps
 	fi
 done
 
@@ -252,7 +231,7 @@ $CP $libcrypto_regress/pqueue/expected.txt tests/pq_expected.txt
 # copy libc tests
 $CP $libc_regress/arc4random-fork/arc4random-fork.c tests/arc4randomforktest.c
 $CP $libc_regress/explicit_bzero/explicit_bzero.c tests
-$CP_LIBC $libc_src/string/memmem.c tests
+$CP $libc_src/string/memmem.c tests
 $CP $libc_regress/timingsafe/timingsafe.c tests
 
 # copy libssl tests
@@ -264,11 +243,6 @@ $CP $libssl_regress/unit/tests.h tests
 $CP $libssl_regress/certs/ca.pem tests
 $CP $libssl_regress/certs/server.pem tests
 
-# copy libtls tests
-for i in `find $libtls_regress -name '*.c'`; do
-	 $CP "$i" tests
-done
-
 chmod 755 tests/testssl
 
 # add headers
@@ -299,7 +273,7 @@ add_man_links() {
 	done
 }
 
-# apply local patches
+# apply local patches (Windows support)
 for i in patches/*.patch; do
     patch -p0 < $i
 done
@@ -309,6 +283,9 @@ echo "copying manpages"
 echo EXTRA_DIST = CMakeLists.txt > man/Makefile.am
 echo dist_man_MANS = >> man/Makefile.am
 
+$CP $openssl_app_src/openssl.1 man
+echo "dist_man_MANS += openssl.1" >> man/Makefile.am
+
 $CP $libtls_src/tls_init.3 man
 echo "dist_man_MANS += tls_init.3" >> man/Makefile.am