remove duplicate entry

Primarily this is to select whether 'lib64' or 'lib' is used on linux type systems.

.gitignore

@@ -39,6 +39,7 @@ Makefile.in
 *.la
 
 *.def
+*.sym
 *.pc
 
 # man pages
@@ -57,15 +58,18 @@ tests/explicit_bzero*
 tests/gost2814789t*
 tests/mont*
 tests/rfc5280time*
+tests/ssl_versions*
 tests/timingsafe*
+tests/tls_ext_alpn*
+tests/tls_prf*
 tests/*test
 tests/tests.h
 tests/*test.c
-tests/memmem.c
 tests/pbkdf2*
 tests/*.pem
 tests/testssl
 tests/*.txt
+tests/compat/*.c
 !tests/optionstest.c
 !tests/*.test
 
@@ -114,10 +118,18 @@ include/pqueue.h
 include/tls.h
 include/openssl/*.h
 
+/apps/ocspcheck/*.h
+/apps/ocspcheck/*.c
+/apps/ocspcheck/ocspcheck*
+/apps/ocspcheck/compat/inet_ntop.c
+/apps/ocspcheck/compat/memmem.c
+
 /apps/nc/*.h
 /apps/nc/*.c
 /apps/nc/nc*
 !/apps/nc/readpassphrase.c
+/apps/nc/compat/*.c
+
 /apps/openssl/*.h
 /apps/openssl/*.c
 /apps/openssl/*.cnf
@@ -131,6 +143,7 @@ include/openssl/*.h
 !/crypto/compat/arc4random.h
 !/crypto/compat/b_win.c
 !/crypto/compat/explicit_bzero_win.c
+!/crypto/compat/getpagesize.c
 !/crypto/compat/posix_win.c
 !/crypto/compat/bsd_asprintf.c
 !/crypto/compat/inet_pton.c
@@ -154,3 +167,4 @@ openbsd/
 
 *.tar.gz
 man/Makefile.am
+man/mandoc.db

.travis.yml

@@ -10,15 +10,23 @@ matrix:
     - compiler: clang
       os: linux
       env: ARCH=native
+      dist: trusty
+      sudo: required
     - compiler: gcc
       os: linux
       env: ARCH=native
+      dist: trusty
+      sudo: required
     - compiler: gcc
       os: linux
       env: ARCH=mingw32
+      dist: trusty
+      sudo: required
     - compiler: gcc
       os: linux
       env: ARCH=mingw64
+      dist: trusty
+      sudo: required
 
 script:
   "./scripts/travis"

CMakeLists.txt

@@ -4,21 +4,25 @@ include(CheckLibraryExists)
 include(CheckIncludeFiles)
 include(CheckTypeSize)
 
+set(CMAKE_MODULE_PATH "${CMAKE_CURRENT_SOURCE_DIR}" ${CMAKE_MODULE_PATH})
+include(cmake_export_symbol)
+include(GNUInstallDirs)
+
 project (LibreSSL C)
 
 enable_testing()
 
-file(READ ${CMAKE_SOURCE_DIR}/ssl/VERSION SSL_VERSION)
+file(READ ${CMAKE_CURRENT_SOURCE_DIR}/ssl/VERSION SSL_VERSION)
 string(STRIP ${SSL_VERSION} SSL_VERSION)
 string(REPLACE ":" "." SSL_VERSION ${SSL_VERSION})
 string(REGEX REPLACE "\\..*" "" SSL_MAJOR_VERSION ${SSL_VERSION})
 
-file(READ ${CMAKE_SOURCE_DIR}/crypto/VERSION CRYPTO_VERSION)
+file(READ ${CMAKE_CURRENT_SOURCE_DIR}/crypto/VERSION CRYPTO_VERSION)
 string(STRIP ${CRYPTO_VERSION} CRYPTO_VERSION)
 string(REPLACE ":" "." CRYPTO_VERSION ${CRYPTO_VERSION})
 string(REGEX REPLACE "\\..*" "" CRYPTO_MAJOR_VERSION ${CRYPTO_VERSION})
 
-file(READ ${CMAKE_SOURCE_DIR}/tls/VERSION TLS_VERSION)
+file(READ ${CMAKE_CURRENT_SOURCE_DIR}/tls/VERSION TLS_VERSION)
 string(STRIP ${TLS_VERSION} TLS_VERSION)
 string(REPLACE ":" "." TLS_VERSION ${TLS_VERSION})
 string(REGEX REPLACE "\\..*" "" TLS_MAJOR_VERSION ${TLS_VERSION})
@@ -26,6 +30,7 @@ string(REGEX REPLACE "\\..*" "" TLS_MAJOR_VERSION ${TLS_VERSION})
 option(ENABLE_ASM "Enable assembly" ON)
 option(ENABLE_EXTRATESTS "Enable extra tests that may be unreliable on some platforms" OFF)
 option(ENABLE_NC "Enable installing TLS-enabled nc(1)" OFF)
+option(ENABLE_VSTEST "Enable test on Visual Studio" OFF)
 set(OPENSSLDIR ${OPENSSLDIR} CACHE PATH "Set the default openssl directory" FORCE)
 
 set(BUILD_NC true)
@@ -49,7 +54,7 @@ if(CMAKE_SYSTEM_NAME MATCHES "MINGW")
 	set(BUILD_NC false)
 endif()
 
-if(MSVC)
+if(WIN32)
 	set(BUILD_NC false)
 endif()
 
@@ -73,6 +78,8 @@ endif()
 
 add_definitions(-DLIBRESSL_INTERNAL)
 add_definitions(-DOPENSSL_NO_HW_PADLOCK)
+add_definitions(-D__BEGIN_HIDDEN_DECLS=)
+add_definitions(-D__END_HIDDEN_DECLS=)
 
 set(CMAKE_POSITION_INDEPENDENT_CODE true)
 
@@ -80,15 +87,19 @@ if (CMAKE_COMPILER_IS_GNUCC OR CMAKE_C_COMPILER_ID MATCHES "Clang")
 	add_definitions(-Wno-pointer-sign)
 endif()
 
-if(MSVC)
-	add_definitions(-Dinline=__inline)
+if(WIN32)
 	add_definitions(-Drestrict)
 	add_definitions(-D_CRT_SECURE_NO_WARNINGS)
 	add_definitions(-D_CRT_DEPRECATED_NO_WARNINGS)
 	add_definitions(-D_REENTRANT -D_POSIX_THREAD_SAFE_FUNCTIONS)
 	add_definitions(-DWIN32_LEAN_AND_MEAN -D_WIN32_WINNT=0x0501)
 	add_definitions(-DCPPFLAGS -DOPENSSL_NO_SPEED -DNO_SYSLOG -DNO_CRYPT)
+endif()
 
+if(MSVC)
+	add_definitions(-Dinline=__inline)
+	message(STATUS "Using [${CMAKE_C_COMPILER_ID}] compiler")
+	if(CMAKE_C_COMPILER_ID MATCHES "MSVC")
 		set(MSVC_DISABLED_WARNINGS_LIST
 			"C4057" # C4057: 'initializing' : 'unsigned char *' differs in
 		        	# indirection to slightly different base types from 'char [2]'
@@ -98,14 +109,35 @@ if(MSVC)
 			        # possible loss of data
 			"C4244" # 'function' : conversion from 'int' to 'uint8_t',
 			        # possible loss of data
+			"C4267" # conversion from 'size_t' to 'some type that is almost
+				# certainly safe to convert a size_t to'.
 			"C4706" # assignment within conditional expression
 			"C4820" # 'bytes' bytes padding added after construct 'member_name'
 			"C4996" # 'read': The POSIX name for this item is deprecated. Instead,
 			        # use the ISO C++ conformant name: _read.
 		)
+	elseif(CMAKE_C_COMPILER_ID MATCHES "Intel")
+		add_definitions(-D_CRT_SUPPRESS_RESTRICT)
+		set(MSVC_DISABLED_WARNINGS_LIST
+			"C111"  # Unreachable statement
+			"C128"  # Unreachable loop
+			"C167"  # Unexplict casting unsigned to signed
+			"C186"  # Pointless comparison of unsigned int with zero
+			"C188"  # Enumerated type mixed with another type
+			"C344"  # Redeclared type
+			"C556"  # Unexplict casting signed to unsigned
+			"C869"  # Unreferenced parameters
+			"C1786" # Deprecated functions
+			"C2545" # Empty else statement
+			"C2557" # Comparing signed to unsigned
+			"C2722" # List init syntax is c++11 feature
+			"C3280" # Declaration hides variable
+		)
+	endif()
 	string(REPLACE "C" " -wd" MSVC_DISABLED_WARNINGS_STR
 		${MSVC_DISABLED_WARNINGS_LIST})
-	set(CMAKE_C_FLAGS  "-MP -W4 ${MSVC_DISABLED_WARNINGS_STR}")
+	string(REGEX REPLACE "[/-]W[1234][ ]?" "" CMAKE_C_FLAGS ${CMAKE_C_FLAGS})
+	set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -MP -W4 ${MSVC_DISABLED_WARNINGS_STR}")
 endif()
 
 check_function_exists(asprintf HAVE_ASPRINTF)
@@ -143,8 +175,8 @@ if(HAVE_STRNDUP)
 	add_definitions(-DHAVE_STRNDUP)
 endif()
 
-if(MSVC)
-	set(HAVE_STRNLEN)
+if(WIN32)
+	set(HAVE_STRNLEN true)
 	add_definitions(-DHAVE_STRNLEN)
 else()
 	check_function_exists(strnlen HAVE_STRNLEN)
@@ -188,6 +220,11 @@ if(HAVE_GETENTROPY)
 	add_definitions(-DHAVE_GETENTROPY)
 endif()
 
+check_function_exists(getpagesize HAVE_GETPAGESIZE)
+if(HAVE_GETPAGESIZE)
+	add_definitions(-DHAVE_GETPAGESIZE)
+endif()
+
 check_function_exists(timingsafe_bcmp HAVE_TIMINGSAFE_BCMP)
 if(HAVE_TIMINGSAFE_BCMP)
 	add_definitions(-DHAVE_TIMINGSAFE_BCMP)
@@ -220,7 +257,24 @@ if(ENABLE_ASM)
 	endif()
 endif()
 
-set(OPENSSL_LIBS ssl crypto)
+if(NOT (CMAKE_SYSTEM_NAME MATCHES "(Darwin|CYGWIN)"))
+	set(BUILD_SHARED true)
+endif()
+
+# USE_SHARED builds applications (e.g. openssl) using shared LibreSSL.
+# By default, applications use LibreSSL static library to avoid dependencies.
+# USE_SHARED isn't set by default; use -DUSE_SHARED=ON with CMake to enable.
+# Can be helpful for debugging; don't use for public releases.
+if(NOT BUILD_SHARED)
+	set(USE_SHARED off)
+endif()
+
+if(USE_SHARED)
+	set(OPENSSL_LIBS tls-shared ssl-shared crypto-shared)
+else()
+	set(OPENSSL_LIBS tls ssl crypto)
+endif()
+
 if(CMAKE_HOST_WIN32)
 	set(OPENSSL_LIBS ${OPENSSL_LIBS} ws2_32)
 endif()
@@ -237,10 +291,6 @@ if(CMAKE_SYSTEM_NAME MATCHES "SunOS")
 	set(OPENSSL_LIBS ${OPENSSL_LIBS} nsl socket)
 endif()
 
-if(NOT (CMAKE_SYSTEM_NAME MATCHES "(Darwin|MINGW|CYGWIN)" OR MSVC))
-	set(BUILD_SHARED true)
-endif()
-
 check_type_size(time_t SIZEOF_TIME_T)
 if(SIZEOF_TIME_T STREQUAL "4")
 	set(SMALL_TIME_T true)
@@ -256,6 +306,8 @@ add_subdirectory(tls)
 add_subdirectory(include)
 if(NOT MSVC)
 	add_subdirectory(man)
+endif()
+if(NOT MSVC OR ENABLE_VSTEST)
 	add_subdirectory(tests)
 endif()
 

ChangeLog

@@ -28,6 +28,248 @@ history is also available from Git.
 
 LibreSSL Portable Release Notes:
 
+2.5.5 - Bug fixes
+
+	* Distinguish between self-issued certificates and self-signed
+	  certificates. The certificate verification code has special cases
+	  for self-signed certificates and without this change, self-issued
+	  certificates (which it seems are common place with
+	  openvpn/easyrsa) were also being included in this category.
+
+	* Added getpagesize fallback, needed for Android bionic libc.
+
+2.5.4 - Security Updates
+
+	* Revert a previous change that forced consistency between return
+	  value and error code when specifing a certificate verification
+	  callback, since this breaks the documented API. When a user supplied
+	  callback always returns 1, and later code checks the error code to
+	  potentially abort post verification, this will result in incorrect
+	  successul certificate verification.
+
+	* Switched Linux getrandom() usage to non-blocking mode, continuing to
+	  use fallback mechanims if unsuccessful. This works around a design
+	  flaw in Linux getrandom(2) where early boot usage in a library makes
+	  it impossible to recover if getrandom(2) is not yet initialized.
+
+	* Fixed a bug caused by the return value being set early to signal
+	  successful DTLS cookie validation. This can mask a later failure and
+	  result in a positive return value being returned from
+	  ssl3_get_client_hello(), when it should return a negative value to
+	  propagate the error.
+
+	* Fixed a build error on non-x86/x86_64 systems running Solaris.
+
+2.5.3 - OpenBSD 6.1 Release
+
+	* Documentation updates
+
+	* Improved ocspcheck(1) error handling
+
+2.5.2 - Security features and bugfixes
+
+	* Added the recallocarray(3) memory allocation function, and converted
+	  various places in the library to use it, such as CBB and BUF_MEM_grow.
+	  recallocarray(3) is similar to reallocarray. Newly allocated memory
+	  is cleared similar to calloc(3). Memory that becomes unallocated
+	  while shrinking or moving existing allocations is explicitly
+	  discarded by unmapping or clearing to 0
+
+	* Added new root CAs from SECOM Trust Systems / Security Communication
+	  of Japan.
+
+	* Added EVP interface for MD5+SHA1 hashes.
+
+	* Fixed DTLS client failures when the server sends a certificate
+	  request.
+
+	* Correct handling of padding when upgrading an SSLv2 challenge into
+	  an SSLv3/TLS connection.
+
+	* Allow protocols and ciphers to be set on a TLS config object in
+	  libtls.
+
+	* Improved nc(1) TLS handshake CPU usage and server-side error
+	  reporting.
+
+2.5.1 - Bug and security fixes, new features, documentation updates
+
+	* X509_cmp_time() now passes a malformed GeneralizedTime field as an
+	  error. Reported by Theofilos Petsios.
+
+	* Detect zero-length encrypted session data early, instead of when
+	  malloc(0) fails or the HMAC check fails. Noted independently by
+	  jsing@ and Kurt Cancemi.
+
+	* Check for and handle failure of HMAC_{Update,Final} or
+	  EVP_DecryptUpdate().
+
+	* Massive update and normalization of manpages, conversion to
+	  mandoc format. Many pages were rewritten for clarity and accuracy.
+	  Portable doc links are up-to-date with a new conversion tool.
+
+	* Curve25519 Key Exchange support.
+
+	* Support for alternate chains for certificate verification.
+
+	* Code cleanups, CBS conversions, further unification of DTLS/SSL
+	  handshake code, further ASN1 macro expansion and removal.
+
+	* Private symbol are now hidden in libssl and libcryto.
+
+	* Friendly certificate verification error messages in libtls, peer
+	  verification is now always enabled.
+
+	* Added OCSP stapling support to libtls and netcat.
+
+	* Added ocspcheck utility to validate a certificate against its OCSP
+	  responder and save the reply for stapling
+
+	* Enhanced regression tests and error handling for libtls.
+
+	* Added explicit constant and non-constant time BN functions,
+	  defaulting to constant time wherever possible.
+
+	* Moved many leaked implementation details in public structs behind
+	  opaque pointers.
+
+	* Added ticket support to libtls.
+
+	* Added support for setting the supported EC curves via
+	  SSL{_CTX}_set1_groups{_list}() - also provide defines for the previous
+	  SSL{_CTX}_set1_curves{_list} names. This also changes the default
+	  list of curves to be X25519, P-256 and P-384. All other curves must
+	  be manually enabled.
+
+	* Added -groups option to openssl(1) s_client for specifying the curves
+	  to be used in a colon-separated list.
+
+	* Merged client/server version negotiation code paths into one,
+	  reducing much duplicate code.
+
+	* Removed error function codes from libssl and libcrypto.
+
+	* Fixed an issue where a truncated packet could crash via an OOB read.
+
+	* Added SSL_OP_NO_CLIENT_RENEGOTIATION option that disallows
+	  client-initiated renegotiation. This is the default for libtls
+	  servers.
+
+	* Avoid a side-channel cache-timing attack that can leak the ECDSA
+	  private keys when signing. This is due to BN_mod_inverse() being
+	  used without the constant time flag being set. Reported by Cesar
+	  Pereida Garcia and Billy Brumley (Tampere University of Technology).
+	  The fix was developed by Cesar Pereida Garcia.
+
+	* iOS and MacOS compatibility updates from Simone Basso and Jacob
+	  Berkman.
+
+
+2.5.0 - New APIs, bug fixes and improvements
+
+	* libtls now supports ALPN and SNI
+
+	* libtls adds a new callback interface for integrating custom IO
+	  functions. Thanks to Tobias Pape.
+
+	* libtls now handles 4 cipher suite groups:
+	    "secure" (TLSv1.2+AEAD+PFS)
+	    "compat" (HIGH:!aNULL)
+	    "legacy" (HIGH:MEDIUM:!aNULL)
+	    "insecure" (ALL:!aNULL:!eNULL)
+
+	    This allows for flexibility and finer grained control, rather than
+	    having two extremes (an issue raised by Marko Kreen some time ago).
+
+	* Tightened error handling for tls_config_set_ciphers().
+
+	* libtls now always loads CA, key and certificate files at the time the
+	  configuration function is called. This simplifies code and results in
+	  a single memory based code path being used to provide data to libssl.
+
+	* Add support for OCSP intermediate certificates.
+
+	* Added functions used by stunnel and exim from BoringSSL - this
+	  brings in X509_check_host, X509_check_email, X509_check_ip, and
+	  X509_check_ip_asc.
+
+	* Added initial support for iOS, thanks to Jacob Berkman.
+
+	* Improved behavior of arc4random on Windows when using memory leak
+	  analysis software.
+
+	* Correctly handle an EOF that occurs prior to the TLS handshake
+	  completing. Reported by Vasily Kolobkov, based on a diff from Marko
+	  Kreen.
+
+	* Limit the support of the "backward compatible" ssl2 handshake to
+	  only be used if TLS 1.0 is enabled.
+
+	* Fix incorrect results in certain cases on 64-bit systems when
+	  BN_mod_word() can return incorrect results. BN_mod_word() now can
+	  return an error condition. Thanks to Brian Smith.
+
+	* Added constant-time updates to address CVE-2016-0702
+
+	* Fixed undefined behavior in BN_GF2m_mod_arr()
+
+	* Removed unused Cryptographic Message Support (CMS)
+
+	* More conversions of long long idioms to time_t
+
+	* Improved compatibility by avoiding printing NULL strings with
+	  printf.
+
+	* Reverted change that cleans up the EVP cipher context in
+	  EVP_EncryptFinal() and EVP_DecryptFinal(). Some software relies on the
+	  previous behaviour.
+
+	* Avoid unbounded memory growth in libssl, which can be triggered by a
+	  TLS client repeatedly renegotiating and sending OCSP Status Request
+	  TLS extensions.
+
+	* Avoid falling back to a weak digest for (EC)DH when using SNI with
+	  libssl.
+
+2.4.2 - Bug fixes and improvements
+
+	* Fixed loading default certificate locations with openssl s_client.
+
+	* Ensured OCSP only uses and compares GENERALIZEDTIME values as per
+	  RFC6960. Also added fixes for OCSP to work with intermediate
+	  certificates provided in responses.
+
+	* Improved behavior of arc4random on Windows to not appear to leak
+	  memory in debug tools, reduced privileges of allocated memory.
+
+	* Fixed incorrect results from BN_mod_word() when the modulus is too
+	  large, thanks to Brian Smith from BoringSSL.
+
+	* Correctly handle an EOF prior to completing the TLS handshake in
+	  libtls.
+
+	* Improved libtls ceritificate loading and cipher string validation.
+
+	* Updated libtls cipher group suites into four categories:
+	    "secure"   (TLSv1.2+AEAD+PFS)
+	    "compat"   (HIGH:!aNULL)
+	    "legacy"   (HIGH:MEDIUM:!aNULL)
+	    "insecure" (ALL:!aNULL:!eNULL)
+	  This allows for flexibility and finer grained control, rather than
+	  having two extremes.
+
+	* Limited support for 'backward compatible' SSLv2 handshake packets to
+	  when TLS 1.0 is enabled, providing more restricted compatibility
+	  with TLS 1.0 clients.
+
+	* openssl(1) and other documentation improvements.
+
+	* Removed flags for disabling constant-time operations.
+	  This removes support for DSA_FLAG_NO_EXP_CONSTTIME,
+	  DH_FLAG_NO_EXP_CONSTTIME, and RSA_FLAG_NO_CONSTTIME flags, making
+	  all of these operations unconditionally constant-time.
+
+
 2.4.1 - Security fix
 
 	* Correct a problem that prevents the DSA signing algorithm from

Makefile.am

@@ -5,7 +5,7 @@ pkgconfigdir = $(libdir)/pkgconfig
 pkgconfig_DATA = libcrypto.pc libssl.pc libtls.pc openssl.pc
 
 EXTRA_DIST = README.md README.windows VERSION config scripts
-EXTRA_DIST += CMakeLists.txt cmake_uninstall.cmake.in
+EXTRA_DIST += CMakeLists.txt cmake_export_symbol.cmake cmake_uninstall.cmake.in
 
 .PHONY: install_sw
 install_sw: install

Makefile.am.common

@@ -1,2 +1,3 @@
 AM_CFLAGS =
 AM_CPPFLAGS = -I$(top_srcdir)/include -I$(top_srcdir)/include/compat -DLIBRESSL_INTERNAL
+AM_CPPFLAGS += -D__BEGIN_HIDDEN_DECLS= -D__END_HIDDEN_DECLS=

OPENBSD_BRANCH

@@ -1 +1 @@
-master
+OPENBSD_6_1

README.windows

@@ -12,7 +12,8 @@ cross compilers on Windows.
 To configure and build LibreSSL for a 32-bit system, use the following
 build steps:
 
- CC=i686-w64-mingw32-gcc ./configure --host=i686-w64-mingw32
+ CC=i686-w64-mingw32-gcc CPPFLAGS=-D__MINGW_USE_VC2005_COMPAT \
+ ./configure --host=i686-w64-mingw32
  make
  make check
 
@@ -22,6 +23,25 @@ For 64-bit builds, use these instead:
  make
  make check
 
+# Why the -D__MINGW_USE_VC2005_COMPAT flag on 32-bit systems?
+
+An ABI change introduced with Microsoft Visual C++ 2005 (also known as
+Visual C++ 8.0) switched time_t from 32-bit to 64-bit. It is important to
+build LibreSSL with 64-bit time_t whenever possible, because 32-bit time_t
+is unable to represent times past 2038 (this is commonly known as the
+Y2K38 problem).
+
+If LibreSSL is built with 32-bit time_t, when verifying a certificate whose
+expiry date is set past 19 January 2038, it will be unable to tell if the
+certificate has expired or not, and thus take the safe stance and reject it.
+
+In order to avoid this, you need to build LibreSSL (and everything that links
+with it) with the -D__MINGW_USE_VC2005_COMPAT flag. This tells mingw-w64 to
+use the new ABI.
+
+64-bit systems always have a 64-bit time_t and are not affected by this
+problem.
+
 # Using Libressl with Visual Studio
 
 A script for generating ready-to-use .DLL and static .LIB files is included in

apps/CMakeLists.txt

@@ -1,2 +1,3 @@
+add_subdirectory(ocspcheck)
 add_subdirectory(openssl)
 add_subdirectory(nc)

apps/Makefile.am

@@ -1,5 +1,5 @@
 include $(top_srcdir)/Makefile.am.common
 
-SUBDIRS = openssl nc
+SUBDIRS = ocspcheck openssl nc
 
 EXTRA_DIST = CMakeLists.txt

apps/nc/CMakeLists.txt

@@ -53,8 +53,8 @@ add_executable(nc ${NC_SRC})
 target_link_libraries(nc tls ${OPENSSL_LIBS})
 
 if(ENABLE_NC)
-	install(TARGETS nc DESTINATION bin)
-	install(FILES nc.1 DESTINATION share/man/man1)
+	install(TARGETS nc DESTINATION ${CMAKE_INSTALL_BINDIR})
+	install(FILES nc.1 DESTINATION ${CMAKE_INSTALL_MANDIR}/man1)
 endif()
 
 endif()

apps/nc/Makefile.am

@@ -4,6 +4,7 @@ if BUILD_NC
 
 if ENABLE_NC
 bin_PROGRAMS = nc
+dist_man_MANS = nc.1
 else
 noinst_PROGRAMS = nc
 endif
@@ -11,17 +12,12 @@ endif
 EXTRA_DIST = nc.1
 EXTRA_DIST += CMakeLists.txt
 
-nc_LDADD = $(PLATFORM_LDADD) $(PROG_LDADD)
-nc_LDADD += $(abs_top_builddir)/crypto/libcrypto.la
+nc_LDADD = $(abs_top_builddir)/crypto/libcrypto.la
 nc_LDADD += $(abs_top_builddir)/ssl/libssl.la
 nc_LDADD += $(abs_top_builddir)/tls/libtls.la
+nc_LDADD += $(PLATFORM_LDADD) $(PROG_LDADD)
 
 AM_CPPFLAGS += -I$(top_srcdir)/apps/nc/compat
-if OPENSSLDIR_DEFINED
-AM_CPPFLAGS += -DDEFAULT_CA_FILE=\"@OPENSSLDIR@/cert.pem\"
-else
-AM_CPPFLAGS += -DDEFAULT_CA_FILE=\"$(sysconfdir)/ssl/cert.pem\"
-endif
 
 nc_SOURCES = atomicio.c
 nc_SOURCES += netcat.c

apps/nc/compat/base64.c

@@ -1,315 +0,0 @@
-/*	$OpenBSD: base64.c,v 1.8 2015/01/16 16:48:51 deraadt Exp $	*/
-
-/*
- * Copyright (c) 1996 by Internet Software Consortium.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND INTERNET SOFTWARE CONSORTIUM DISCLAIMS
- * ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES
- * OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL INTERNET SOFTWARE
- * CONSORTIUM BE LIABLE FOR ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL
- * DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR
- * PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS
- * ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS
- * SOFTWARE.
- */
-
-/*
- * Portions Copyright (c) 1995 by International Business Machines, Inc.
- *
- * International Business Machines, Inc. (hereinafter called IBM) grants
- * permission under its copyrights to use, copy, modify, and distribute this
- * Software with or without fee, provided that the above copyright notice and
- * all paragraphs of this notice appear in all copies, and that the name of IBM
- * not be used in connection with the marketing of any product incorporating
- * the Software or modifications thereof, without specific, written prior
- * permission.
- *
- * To the extent it has a right to do so, IBM grants an immunity from suit
- * under its patents, if any, for the use, sale or manufacture of products to
- * the extent that such products are used for performing Domain Name System
- * dynamic updates in TCP/IP networks by means of the Software.  No immunity is
- * granted for any product per se or for any other function of any product.
- *
- * THE SOFTWARE IS PROVIDED "AS IS", AND IBM DISCLAIMS ALL WARRANTIES,
- * INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A
- * PARTICULAR PURPOSE.  IN NO EVENT SHALL IBM BE LIABLE FOR ANY SPECIAL,
- * DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER ARISING
- * OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE, EVEN
- * IF IBM IS APPRISED OF THE POSSIBILITY OF SUCH DAMAGES.
- */
-
-#include <sys/types.h>
-#include <sys/socket.h>
-#include <netinet/in.h>
-#include <arpa/inet.h>
-#include <arpa/nameser.h>
-
-#include <ctype.h>
-#include <resolv.h>
-#include <stdio.h>
-
-#include <stdlib.h>
-#include <string.h>
-
-static const char Base64[] =
-	"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";
-static const char Pad64 = '=';
-
-/* (From RFC1521 and draft-ietf-dnssec-secext-03.txt)
-   The following encoding technique is taken from RFC 1521 by Borenstein
-   and Freed.  It is reproduced here in a slightly edited form for
-   convenience.
-
-   A 65-character subset of US-ASCII is used, enabling 6 bits to be
-   represented per printable character. (The extra 65th character, "=",
-   is used to signify a special processing function.)
-
-   The encoding process represents 24-bit groups of input bits as output
-   strings of 4 encoded characters. Proceeding from left to right, a
-   24-bit input group is formed by concatenating 3 8-bit input groups.
-   These 24 bits are then treated as 4 concatenated 6-bit groups, each
-   of which is translated into a single digit in the base64 alphabet.
-
-   Each 6-bit group is used as an index into an array of 64 printable
-   characters. The character referenced by the index is placed in the
-   output string.
-
-                         Table 1: The Base64 Alphabet
-
-      Value Encoding  Value Encoding  Value Encoding  Value Encoding
-          0 A            17 R            34 i            51 z
-          1 B            18 S            35 j            52 0
-          2 C            19 T            36 k            53 1
-          3 D            20 U            37 l            54 2
-          4 E            21 V            38 m            55 3
-          5 F            22 W            39 n            56 4
-          6 G            23 X            40 o            57 5
-          7 H            24 Y            41 p            58 6
-          8 I            25 Z            42 q            59 7
-          9 J            26 a            43 r            60 8
-         10 K            27 b            44 s            61 9
-         11 L            28 c            45 t            62 +
-         12 M            29 d            46 u            63 /
-         13 N            30 e            47 v
-         14 O            31 f            48 w         (pad) =
-         15 P            32 g            49 x
-         16 Q            33 h            50 y
-
-   Special processing is performed if fewer than 24 bits are available
-   at the end of the data being encoded.  A full encoding quantum is
-   always completed at the end of a quantity.  When fewer than 24 input
-   bits are available in an input group, zero bits are added (on the
-   right) to form an integral number of 6-bit groups.  Padding at the
-   end of the data is performed using the '=' character.
-
-   Since all base64 input is an integral number of octets, only the
-         -------------------------------------------------                       
-   following cases can arise:
-   
-       (1) the final quantum of encoding input is an integral
-           multiple of 24 bits; here, the final unit of encoded
-	   output will be an integral multiple of 4 characters
-	   with no "=" padding,
-       (2) the final quantum of encoding input is exactly 8 bits;
-           here, the final unit of encoded output will be two
-	   characters followed by two "=" padding characters, or
-       (3) the final quantum of encoding input is exactly 16 bits;
-           here, the final unit of encoded output will be three
-	   characters followed by one "=" padding character.
-   */
-
-int
-b64_ntop(src, srclength, target, targsize)
-	u_char const *src;
-	size_t srclength;
-	char *target;
-	size_t targsize;
-{
-	size_t datalength = 0;
-	u_char input[3];
-	u_char output[4];
-	int i;
-
-	while (2 < srclength) {
-		input[0] = *src++;
-		input[1] = *src++;
-		input[2] = *src++;
-		srclength -= 3;
-
-		output[0] = input[0] >> 2;
-		output[1] = ((input[0] & 0x03) << 4) + (input[1] >> 4);
-		output[2] = ((input[1] & 0x0f) << 2) + (input[2] >> 6);
-		output[3] = input[2] & 0x3f;
-
-		if (datalength + 4 > targsize)
-			return (-1);
-		target[datalength++] = Base64[output[0]];
-		target[datalength++] = Base64[output[1]];
-		target[datalength++] = Base64[output[2]];
-		target[datalength++] = Base64[output[3]];
-	}
-    
-	/* Now we worry about padding. */
-	if (0 != srclength) {
-		/* Get what's left. */
-		input[0] = input[1] = input[2] = '\0';
-		for (i = 0; i < srclength; i++)
-			input[i] = *src++;
-	
-		output[0] = input[0] >> 2;
-		output[1] = ((input[0] & 0x03) << 4) + (input[1] >> 4);
-		output[2] = ((input[1] & 0x0f) << 2) + (input[2] >> 6);
-
-		if (datalength + 4 > targsize)
-			return (-1);
-		target[datalength++] = Base64[output[0]];
-		target[datalength++] = Base64[output[1]];
-		if (srclength == 1)
-			target[datalength++] = Pad64;
-		else
-			target[datalength++] = Base64[output[2]];
-		target[datalength++] = Pad64;
-	}
-	if (datalength >= targsize)
-		return (-1);
-	target[datalength] = '\0';	/* Returned value doesn't count \0. */
-	return (datalength);
-}
-
-/* skips all whitespace anywhere.
-   converts characters, four at a time, starting at (or after)
-   src from base - 64 numbers into three 8 bit bytes in the target area.
-   it returns the number of data bytes stored at the target, or -1 on error.
- */
-
-int
-b64_pton(src, target, targsize)
-	char const *src;
-	u_char *target;
-	size_t targsize;
-{
-	int tarindex, state, ch;
-	u_char nextbyte;
-	char *pos;
-
-	state = 0;
-	tarindex = 0;
-
-	while ((ch = (unsigned char)*src++) != '\0') {
-		if (isspace(ch))	/* Skip whitespace anywhere. */
-			continue;
-
-		if (ch == Pad64)
-			break;
-
-		pos = strchr(Base64, ch);
-		if (pos == 0) 		/* A non-base64 character. */
-			return (-1);
-
-		switch (state) {
-		case 0:
-			if (target) {
-				if (tarindex >= targsize)
-					return (-1);
-				target[tarindex] = (pos - Base64) << 2;
-			}
-			state = 1;
-			break;
-		case 1:
-			if (target) {
-				if (tarindex >= targsize)
-					return (-1);
-				target[tarindex]   |=  (pos - Base64) >> 4;
-				nextbyte = ((pos - Base64) & 0x0f) << 4;
-				if (tarindex + 1 < targsize)
-					target[tarindex+1] = nextbyte;
-				else if (nextbyte)
-					return (-1);
-			}
-			tarindex++;
-			state = 2;
-			break;
-		case 2:
-			if (target) {
-				if (tarindex >= targsize)
-					return (-1);
-				target[tarindex]   |=  (pos - Base64) >> 2;
-				nextbyte = ((pos - Base64) & 0x03) << 6;
-				if (tarindex + 1 < targsize)
-					target[tarindex+1] = nextbyte;
-				else if (nextbyte)
-					return (-1);
-			}
-			tarindex++;
-			state = 3;
-			break;
-		case 3:
-			if (target) {
-				if (tarindex >= targsize)
-					return (-1);
-				target[tarindex] |= (pos - Base64);
-			}
-			tarindex++;
-			state = 0;
-			break;
-		}
-	}
-
-	/*
-	 * We are done decoding Base-64 chars.  Let's see if we ended
-	 * on a byte boundary, and/or with erroneous trailing characters.
-	 */
-
-	if (ch == Pad64) {			/* We got a pad char. */
-		ch = (unsigned char)*src++;	/* Skip it, get next. */
-		switch (state) {
-		case 0:		/* Invalid = in first position */
-		case 1:		/* Invalid = in second position */
-			return (-1);
-
-		case 2:		/* Valid, means one byte of info */
-			/* Skip any number of spaces. */
-			for (; ch != '\0'; ch = (unsigned char)*src++)
-				if (!isspace(ch))
-					break;
-			/* Make sure there is another trailing = sign. */
-			if (ch != Pad64)
-				return (-1);
-			ch = (unsigned char)*src++;		/* Skip the = */
-			/* Fall through to "single trailing =" case. */
-			/* FALLTHROUGH */
-
-		case 3:		/* Valid, means two bytes of info */
-			/*
-			 * We know this char is an =.  Is there anything but
-			 * whitespace after it?
-			 */
-			for (; ch != '\0'; ch = (unsigned char)*src++)
-				if (!isspace(ch))
-					return (-1);
-
-			/*
-			 * Now make sure for cases 2 and 3 that the "extra"
-			 * bits that slopped past the last full byte were
-			 * zeros.  If we don't check them, they become a
-			 * subliminal channel.
-			 */
-			if (target && tarindex < targsize &&
-			    target[tarindex] != 0)
-				return (-1);
-		}
-	} else {
-		/*
-		 * We ended by seeing the end of the string.  Make sure we
-		 * have no partial bytes lying around.
-		 */
-		if (state != 0)
-			return (-1);
-	}
-
-	return (tarindex);
-}

apps/nc/compat/strtonum.c

@@ -1,65 +0,0 @@
-/*	$OpenBSD: strtonum.c,v 1.7 2013/04/17 18:40:58 tedu Exp $	*/
-
-/*
- * Copyright (c) 2004 Ted Unangst and Todd Miller
- * All rights reserved.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
- * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
- * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
- * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
- * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
- * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
- * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
- */
-
-#include <errno.h>
-#include <limits.h>
-#include <stdlib.h>
-
-#define	INVALID		1
-#define	TOOSMALL	2
-#define	TOOLARGE	3
-
-long long
-strtonum(const char *numstr, long long minval, long long maxval,
-    const char **errstrp)
-{
-	long long ll = 0;
-	int error = 0;
-	char *ep;
-	struct errval {
-		const char *errstr;
-		int err;
-	} ev[4] = {
-		{ NULL,		0 },
-		{ "invalid",	EINVAL },
-		{ "too small",	ERANGE },
-		{ "too large",	ERANGE },
-	};
-
-	ev[0].err = errno;
-	errno = 0;
-	if (minval > maxval) {
-		error = INVALID;
-	} else {
-		ll = strtoll(numstr, &ep, 10);
-		if (numstr == ep || *ep != '\0')
-			error = INVALID;
-		else if ((ll == LLONG_MIN && errno == ERANGE) || ll < minval)
-			error = TOOSMALL;
-		else if ((ll == LLONG_MAX && errno == ERANGE) || ll > maxval)
-			error = TOOLARGE;
-	}
-	if (errstrp != NULL)
-		*errstrp = ev[error].errstr;
-	errno = ev[error].err;
-	if (error)
-		ll = 0;
-
-	return (ll);
-}

apps/ocspcheck/CMakeLists.txt

@@ -0,0 +1,42 @@
+if(NOT MSVC)
+
+include_directories(
+	.
+	./compat
+	../../include
+	../../include/compat
+)
+
+set(
+	OCSPCHECK_SRC
+	http.c
+	ocspcheck.c
+)
+
+check_function_exists(inet_ntop HAVE_INET_NTOP)
+if(HAVE_INET_NTOP)
+        add_definitions(-DHAVE_INET_NTOP)
+else()
+        set(OCSPCHECK_SRC ${OCSPCHECK_SRC} compat/inet_ntop.c)
+endif()
+
+check_function_exists(inet_ntop HAVE_MEMMEM)
+if(HAVE_MEMMEM)
+        add_definitions(-DHAVE_MEMMEM)
+else()
+        set(OCSPCHECK_SRC ${OCSPCHECK_SRC} compat/memmem.c)
+endif()
+
+if(NOT "${OPENSSLDIR}" STREQUAL "")
+	add_definitions(-DDEFAULT_CA_FILE=\"${OPENSSLDIR}/cert.pem\")
+else()
+	add_definitions(-DDEFAULT_CA_FILE=\"${CMAKE_INSTALL_PREFIX}/etc/ssl/cert.pem\")
+endif()
+
+add_executable(ocspcheck ${OCSPCHECK_SRC})
+target_link_libraries(ocspcheck tls ${OPENSSL_LIBS})
+
+install(TARGETS ocspcheck DESTINATION ${CMAKE_INSTALL_BINDIR})
+install(FILES ocspcheck.8 DESTINATION ${CMAKE_INSTALL_MANDIR}/man8)
+
+endif()

apps/ocspcheck/Makefile.am

@@ -0,0 +1,23 @@
+include $(top_srcdir)/Makefile.am.common
+
+bin_PROGRAMS = ocspcheck
+
+EXTRA_DIST = ocspcheck.8
+EXTRA_DIST += CMakeLists.txt
+
+ocspcheck_LDADD = $(abs_top_builddir)/crypto/libcrypto.la
+ocspcheck_LDADD += $(abs_top_builddir)/ssl/libssl.la
+ocspcheck_LDADD += $(abs_top_builddir)/tls/libtls.la
+ocspcheck_LDADD += $(PLATFORM_LDADD) $(PROG_LDADD)
+
+ocspcheck_SOURCES = http.c
+ocspcheck_SOURCES += ocspcheck.c
+noinst_HEADERS = http.h
+
+if !HAVE_INET_NTOP
+ocspcheck_SOURCES += compat/inet_ntop.c
+endif
+
+if !HAVE_MEMMEM
+ocspcheck_SOURCES += compat/memmem.c
+endif

apps/openssl/CMakeLists.txt

@@ -10,7 +10,6 @@ set(
 	asn1pars.c
 	ca.c
 	ciphers.c
-	cms.c
 	crl.c
 	crl2p7.c
 	dgst.c
@@ -77,8 +76,8 @@ endif()
 add_executable(openssl ${OPENSSL_SRC})
 target_link_libraries(openssl ${OPENSSL_LIBS})
 
-install(TARGETS openssl DESTINATION bin)
-install(FILES openssl.1 DESTINATION share/man/man1)
+install(TARGETS openssl DESTINATION ${CMAKE_INSTALL_BINDIR})
+install(FILES openssl.1 DESTINATION ${CMAKE_INSTALL_MANDIR}/man1)
 
 if(NOT "${OPENSSLDIR}" STREQUAL "")
 	set(CONF_DIR "${OPENSSLDIR}")

apps/openssl/Makefile.am

@@ -4,15 +4,14 @@ bin_PROGRAMS = openssl
 
 dist_man_MANS = openssl.1
 
-openssl_LDADD = $(PLATFORM_LDADD) $(PROG_LDADD)
-openssl_LDADD += $(abs_top_builddir)/ssl/libssl.la
+openssl_LDADD = $(abs_top_builddir)/ssl/libssl.la
 openssl_LDADD += $(abs_top_builddir)/crypto/libcrypto.la
+openssl_LDADD += $(PLATFORM_LDADD) $(PROG_LDADD)
 
 openssl_SOURCES = apps.c
 openssl_SOURCES += asn1pars.c
 openssl_SOURCES += ca.c
 openssl_SOURCES += ciphers.c
-openssl_SOURCES += cms.c
 openssl_SOURCES += crl.c
 openssl_SOURCES += crl2p7.c
 openssl_SOURCES += dgst.c
@@ -93,9 +92,9 @@ EXTRA_DIST += CMakeLists.txt
 
 install-exec-hook:
 	@if [ "@OPENSSLDIR@x" != "x" ]; then \
-		OPENSSLDIR="$(DESTDIR)/@OPENSSLDIR@"; \
+		OPENSSLDIR="$(DESTDIR)@OPENSSLDIR@"; \
 	else \
-		OPENSSLDIR="$(DESTDIR)/$(sysconfdir)/ssl"; \
+		OPENSSLDIR="$(DESTDIR)$(sysconfdir)/ssl"; \
 	fi; \
 	mkdir -p "$$OPENSSLDIR/certs"; \
 	for i in cert.pem openssl.cnf x509v3.cnf; do \
@@ -108,9 +107,9 @@ install-exec-hook:
 
 uninstall-local:
 	@if [ "@OPENSSLDIR@x" != "x" ]; then \
-		OPENSSLDIR="$(DESTDIR)/@OPENSSLDIR@"; \
+		OPENSSLDIR="$(DESTDIR)@OPENSSLDIR@"; \
 	else \
-		OPENSSLDIR="$(DESTDIR)/$(sysconfdir)/ssl"; \
+		OPENSSLDIR="$(DESTDIR)$(sysconfdir)/ssl"; \
 	fi; \
 	for i in cert.pem openssl.cnf x509v3.cnf; do \
 		if cmp -s "$$OPENSSLDIR/$$i" "$(srcdir)/$$i"; then \

cmake_export_symbol.cmake

@@ -0,0 +1,44 @@
+macro(export_symbol TARGET FILENAME)
+
+	set(FLAG "")
+
+	if(WIN32)
+		string(REPLACE ".sym" ".def" DEF_FILENAME ${FILENAME})
+		file(WRITE ${DEF_FILENAME} "EXPORTS\n")
+		file(READ ${FILENAME} SYMBOLS)
+		file(APPEND ${DEF_FILENAME} "${SYMBOLS}")
+		target_sources(${TARGET} PRIVATE ${DEF_FILENAME})
+
+	elseif(APPLE)
+		set(FLAG "-exported_symbols_list ${FILENAME}")
+		set_target_properties(${TARGET} PROPERTIES LINK_FLAGS ${FLAG})
+
+	elseif(CMAKE_SYSTEM_NAME MATCHES "HP-UX")
+		file(READ ${FILENAME} SYMBOLS)
+		string(REGEX REPLACE "\n$" "" SYMBOLS ${SYMBOLS})
+		string(REPLACE "\n" "\n+e " SYMBOLS ${SYMBOLS})
+		string(REPLACE ".sym" ".opt" OPT_FILENAME ${FILENAME})
+		file(WRITE ${OPT_FILENAME} "+e ${SYMBOLS}")
+		set(FLAG "-Wl,-c,${OPT_FILENAME}")
+		set_target_properties(${TARGET} PROPERTIES LINK_FLAGS ${FLAG})
+
+	elseif(CMAKE_SYSTEM_NAME MATCHES "SunOS")
+		file(READ ${FILENAME} SYMBOLS)
+		string(REPLACE "\n" ";\n" SYMBOLS ${SYMBOLS})
+		string(REPLACE ".sym" ".ver" VER_FILENAME ${FILENAME})
+		file(WRITE ${VER_FILENAME}
+			"{\nglobal:\n${SYMBOLS}\nlocal:\n*;\n};\n")
+		set(FLAG "-Wl,-M${VER_FILENAME}")
+		set_target_properties(${TARGET} PROPERTIES LINK_FLAGS ${FLAG})
+
+	elseif(CMAKE_COMPILER_IS_GNUCC OR CMAKE_C_COMPILER_ID MATCHES "Clang")
+		file(READ ${FILENAME} SYMBOLS)
+		string(REPLACE "\n" ";\n" SYMBOLS ${SYMBOLS})
+		string(REPLACE ".sym" ".ver" VER_FILENAME ${FILENAME})
+		file(WRITE ${VER_FILENAME}
+			"{\nglobal:\n${SYMBOLS}\nlocal:\n*;\n};\n")
+		set(FLAG "-Wl,--version-script,\"${VER_FILENAME}\"")
+		set_target_properties(${TARGET} PROPERTIES LINK_FLAGS ${FLAG})
+	endif()
+
+endmacro()

configure.ac

@@ -54,6 +54,8 @@ CHECK_CRYPTO_COMPAT
 CHECK_VA_COPY
 CHECK_B64_NTOP
 
+GENERATE_CRYPTO_PORTABLE_SYM
+
 AC_ARG_WITH([openssldir],
 	AS_HELP_STRING([--with-openssldir],
 		       [Set the default openssl directory]),
@@ -126,6 +128,7 @@ AC_CONFIG_FILES([
 	tls/Makefile
 	tests/Makefile
 	apps/Makefile
+	apps/ocspcheck/Makefile
 	apps/openssl/Makefile
 	apps/nc/Makefile
 	man/Makefile
@@ -139,6 +142,12 @@ AM_CONDITIONAL([SMALL_TIME_T], [test "$ac_cv_sizeof_time_t" = "4"])
 if test "$ac_cv_sizeof_time_t" = "4"; then
     echo " ** Warning, this system is unable to represent times past 2038"
     echo " ** It will behave incorrectly when handling valid RFC5280 dates"
+
+    if test "$host_os" = "mingw32" ; then
+        echo " **"
+        echo " ** You can solve this by adjusting the build flags in your"
+        echo " ** mingw-w64 toolchain. Refer to README.windows for details."
+    fi
 fi
 
 AC_REQUIRE_AUX_FILE([tap-driver.sh])

crypto/CMakeLists.txt

@@ -3,6 +3,7 @@ include_directories(
 	../include
 	../include/compat
 	asn1
+	bn
 	dsa
 	evp
 	modes
@@ -11,24 +12,24 @@ include_directories(
 if(HOST_ASM_ELF_X86_64)
 	set(
 		ASM_X86_64_ELF_SRC
-		aes/aes-elf-x86_64.s
-		aes/bsaes-elf-x86_64.s
-		aes/vpaes-elf-x86_64.s
-		aes/aesni-elf-x86_64.s
-		aes/aesni-sha1-elf-x86_64.s
-		bn/modexp512-elf-x86_64.s
-		bn/mont-elf-x86_64.s
-		bn/mont5-elf-x86_64.s
-		bn/gf2m-elf-x86_64.s
-		camellia/cmll-elf-x86_64.s
-		md5/md5-elf-x86_64.s
-		modes/ghash-elf-x86_64.s
-		rc4/rc4-elf-x86_64.s
-		rc4/rc4-md5-elf-x86_64.s
-		sha/sha1-elf-x86_64.s
+		aes/aes-elf-x86_64.S
+		aes/bsaes-elf-x86_64.S
+		aes/vpaes-elf-x86_64.S
+		aes/aesni-elf-x86_64.S
+		aes/aesni-sha1-elf-x86_64.S
+		bn/modexp512-elf-x86_64.S
+		bn/mont-elf-x86_64.S
+		bn/mont5-elf-x86_64.S
+		bn/gf2m-elf-x86_64.S
+		camellia/cmll-elf-x86_64.S
+		md5/md5-elf-x86_64.S
+		modes/ghash-elf-x86_64.S
+		rc4/rc4-elf-x86_64.S
+		rc4/rc4-md5-elf-x86_64.S
+		sha/sha1-elf-x86_64.S
 		sha/sha256-elf-x86_64.S
 		sha/sha512-elf-x86_64.S
-		whrlpool/wp-elf-x86_64.s
+		whrlpool/wp-elf-x86_64.S
 		cpuid-elf-x86_64.S
 	)
 	add_definitions(-DAES_ASM)
@@ -53,24 +54,24 @@ endif()
 if(HOST_ASM_MACOSX_X86_64)
 	set(
 		ASM_X86_64_MACOSX_SRC
-		aes/aes-macosx-x86_64.s
-		aes/bsaes-macosx-x86_64.s
-		aes/vpaes-macosx-x86_64.s
-		aes/aesni-macosx-x86_64.s
-		aes/aesni-sha1-macosx-x86_64.s
-		bn/modexp512-macosx-x86_64.s
-		bn/mont-macosx-x86_64.s
-		bn/mont5-macosx-x86_64.s
-		bn/gf2m-macosx-x86_64.s
-		camellia/cmll-macosx-x86_64.s
-		md5/md5-macosx-x86_64.s
-		modes/ghash-macosx-x86_64.s
-		rc4/rc4-macosx-x86_64.s
-		rc4/rc4-md5-macosx-x86_64.s
-		sha/sha1-macosx-x86_64.s
+		aes/aes-macosx-x86_64.S
+		aes/bsaes-macosx-x86_64.S
+		aes/vpaes-macosx-x86_64.S
+		aes/aesni-macosx-x86_64.S
+		aes/aesni-sha1-macosx-x86_64.S
+		bn/modexp512-macosx-x86_64.S
+		bn/mont-macosx-x86_64.S
+		bn/mont5-macosx-x86_64.S
+		bn/gf2m-macosx-x86_64.S
+		camellia/cmll-macosx-x86_64.S
+		md5/md5-macosx-x86_64.S
+		modes/ghash-macosx-x86_64.S
+		rc4/rc4-macosx-x86_64.S
+		rc4/rc4-md5-macosx-x86_64.S
+		sha/sha1-macosx-x86_64.S
 		sha/sha256-macosx-x86_64.S
 		sha/sha512-macosx-x86_64.S
-		whrlpool/wp-macosx-x86_64.s
+		whrlpool/wp-macosx-x86_64.S
 		cpuid-macosx-x86_64.S
 	)
 	add_definitions(-DAES_ASM)
@@ -281,6 +282,8 @@ set(
 	conf/conf_mall.c
 	conf/conf_mod.c
 	conf/conf_sap.c
+	curve25519/curve25519-generic.c
+	curve25519/curve25519.c
 	des/cbc_cksm.c
 	des/cbc_enc.c
 	des/cfb64ede.c
@@ -349,6 +352,10 @@ set(
 	ec/ecp_mont.c
 	ec/ecp_nist.c
 	ec/ecp_oct.c
+	ec/ecp_nistp224.c
+	ec/ecp_nistp256.c
+	ec/ecp_nistp521.c
+	ec/ecp_nistputil.c
 	ec/ecp_smpl.c
 	ecdh/ech_err.c
 	ecdh/ech_key.c
@@ -422,6 +429,7 @@ set(
 	evp/m_gostr341194.c
 	evp/m_md4.c
 	evp/m_md5.c
+	evp/m_md5_sha1.c
 	evp/m_null.c
 	evp/m_ripemd.c
 	evp/m_sha1.c
@@ -463,7 +471,6 @@ set(
 	idea/i_ecb.c
 	idea/i_ofb64.c
 	idea/i_skey.c
-	krb5/krb5_asn.c
 	lhash/lh_stats.c
 	lhash/lhash.c
 	md4/md4_dgst.c
@@ -647,46 +654,84 @@ endif()
 
 if(CMAKE_HOST_WIN32)
 	set(CRYPTO_SRC ${CRYPTO_SRC} bio/b_win.c)
+	set(CRYPTO_UNEXPORT ${CRYPTO_UNEXPORT} BIO_s_log)
 	set(CRYPTO_SRC ${CRYPTO_SRC} ui/ui_openssl_win.c)
 endif()
 
 if(CMAKE_HOST_WIN32)
 	set(CRYPTO_SRC ${CRYPTO_SRC} compat/posix_win.c)
+	set(EXTRA_EXPORT ${EXTRA_EXPORT} gettimeofday)
+	set(EXTRA_EXPORT ${EXTRA_EXPORT} posix_perror)
+	set(EXTRA_EXPORT ${EXTRA_EXPORT} posix_fopen)
+	set(EXTRA_EXPORT ${EXTRA_EXPORT} posix_fgets)
+	set(EXTRA_EXPORT ${EXTRA_EXPORT} posix_open)
+	set(EXTRA_EXPORT ${EXTRA_EXPORT} posix_rename)
+	set(EXTRA_EXPORT ${EXTRA_EXPORT} posix_connect)
+	set(EXTRA_EXPORT ${EXTRA_EXPORT} posix_close)
+	set(EXTRA_EXPORT ${EXTRA_EXPORT} posix_read)
+	set(EXTRA_EXPORT ${EXTRA_EXPORT} posix_write)
+	set(EXTRA_EXPORT ${EXTRA_EXPORT} posix_getsockopt)
+	set(EXTRA_EXPORT ${EXTRA_EXPORT} posix_setsockopt)
+	set(EXTRA_EXPORT ${EXTRA_EXPORT} sleep)
 endif()
 
 if(NOT HAVE_ASPRINTF)
 	set(CRYPTO_SRC ${CRYPTO_SRC} compat/bsd-asprintf.c)
+	set(EXTRA_EXPORT ${EXTRA_EXPORT} asprintf)
+	set(EXTRA_EXPORT ${EXTRA_EXPORT} vasprintf)
+endif()
+
+if(NOT HAVE_GETPAGESIZE)
+	set(CRYPTO_SRC ${CRYPTO_SRC} compat/getpagesize.c)
 endif()
 
 if(NOT HAVE_INET_PTON)
 	set(CRYPTO_SRC ${CRYPTO_SRC} compat/inet_pton.c)
+	set(EXTRA_EXPORT ${EXTRA_EXPORT} inet_pton)
 endif()
 
 if(NOT HAVE_REALLOCARRAY)
 	set(CRYPTO_SRC ${CRYPTO_SRC} compat/reallocarray.c)
+	set(EXTRA_EXPORT ${EXTRA_EXPORT} reallocarray)
+endif()
+
+if(NOT HAVE_RECALLOCARRAY)
+	set(CRYPTO_SRC ${CRYPTO_SRC} compat/recallocarray.c)
+	set(EXTRA_EXPORT ${EXTRA_EXPORT} recallocarray)
 endif()
 
 if(NOT HAVE_STRCASECMP)
 	set(CRYPTO_SRC ${CRYPTO_SRC} compat/strcasecmp.c)
+	set(EXTRA_EXPORT ${EXTRA_EXPORT} strcasecmp)
 endif()
 
 if(NOT HAVE_STRLCAT)
 	set(CRYPTO_SRC ${CRYPTO_SRC} compat/strlcat.c)
+	set(EXTRA_EXPORT ${EXTRA_EXPORT} strlcat)
 endif()
 
 if(NOT HAVE_STRLCPY)
 	set(CRYPTO_SRC ${CRYPTO_SRC} compat/strlcpy.c)
+	set(EXTRA_EXPORT ${EXTRA_EXPORT} strlcpy)
 endif()
 
 if(NOT HAVE_STRNDUP)
 	set(CRYPTO_SRC ${CRYPTO_SRC} compat/strndup.c)
+	set(EXTRA_EXPORT ${EXTRA_EXPORT} strndup)
 	if(NOT HAVE_STRNLEN)
 		set(CRYPTO_SRC ${CRYPTO_SRC} compat/strnlen.c)
+		set(EXTRA_EXPORT ${EXTRA_EXPORT} strnlen)
 	endif()
 endif()
 
+if(NOT HAVE_STRSEP)
+	set(CRYPTO_SRC ${CRYPTO_SRC} compat/strsep.c)
+	set(EXTRA_EXPORT ${EXTRA_EXPORT} strsep)
+endif()
+
 if(NOT HAVE_TIMEGM)
 	set(CRYPTO_SRC ${CRYPTO_SRC} compat/timegm.c)
+	set(EXTRA_EXPORT ${EXTRA_EXPORT} timegm)
 endif()
 
 if(NOT HAVE_EXPLICIT_BZERO)
@@ -696,10 +741,15 @@ if(NOT HAVE_EXPLICIT_BZERO)
 		set(CRYPTO_SRC ${CRYPTO_SRC} compat/explicit_bzero.c)
 		set_source_files_properties(compat/explicit_bzero.c PROPERTIES COMPILE_FLAGS -O0)
 	endif()
+	set(EXTRA_EXPORT ${EXTRA_EXPORT} explicit_bzero)
 endif()
 
 if(NOT HAVE_ARC4RANDOM_BUF)
 	set(CRYPTO_SRC ${CRYPTO_SRC} compat/arc4random.c)
+	set(CRYPTO_SRC ${CRYPTO_SRC} compat/arc4random_uniform.c)
+	set(EXTRA_EXPORT ${EXTRA_EXPORT} arc4random)
+	set(EXTRA_EXPORT ${EXTRA_EXPORT} arc4random_buf)
+	set(EXTRA_EXPORT ${EXTRA_EXPORT} arc4random_uniform)
 
 	if(NOT HAVE_GETENTROPY)
 		if(CMAKE_HOST_WIN32)
@@ -715,23 +765,22 @@ if(NOT HAVE_ARC4RANDOM_BUF)
 		elseif(CMAKE_SYSTEM_NAME MATCHES "NetBSD")
 			set(CRYPTO_SRC ${CRYPTO_SRC} compat/getentropy_netbsd.c)
 		elseif(CMAKE_SYSTEM_NAME MATCHES "Darwin")
-			set(CRYPTO_SRC ${CRYPTO_SRC} compat/getentropy_darwin.c)
+			set(CRYPTO_SRC ${CRYPTO_SRC} compat/getentropy_osx.c)
 		elseif(CMAKE_SYSTEM_NAME MATCHES "SunOS")
 			set(CRYPTO_SRC ${CRYPTO_SRC} compat/getentropy_solaris.c)
 		endif()
+		set(EXTRA_EXPORT ${EXTRA_EXPORT} getentropy)
 	endif()
 endif()
 
-if(NOT HAVE_ARC4RANDOM_UNIFORM)
-	set(CRYPTO_SRC ${CRYPTO_SRC} compat/arc4random_uniform.c)
-endif()
-
 if(NOT HAVE_TIMINGSAFE_BCMP)
 	set(CRYPTO_SRC ${CRYPTO_SRC} compat/timingsafe_bcmp.c)
+	set(EXTRA_EXPORT ${EXTRA_EXPORT} timingsafe_bcmp)
 endif()
 
 if(NOT HAVE_TIMINGSAFE_MEMCMP)
 	set(CRYPTO_SRC ${CRYPTO_SRC} compat/timingsafe_memcmp.c)
+	set(EXTRA_EXPORT ${EXTRA_EXPORT} timingsafe_memcmp)
 endif()
 
 if(NOT ENABLE_ASM)
@@ -748,16 +797,35 @@ else()
 	add_definitions(-DOPENSSLDIR=\"${CMAKE_INSTALL_PREFIX}/etc/ssl\")
 endif()
 
-if (BUILD_SHARED)
-	add_library(crypto-objects OBJECT ${CRYPTO_SRC})
-	add_library(crypto STATIC $<TARGET_OBJECTS:crypto-objects>)
-	add_library(crypto-shared SHARED $<TARGET_OBJECTS:crypto-objects>)
-	set_target_properties(crypto-shared PROPERTIES OUTPUT_NAME crypto)
-	set_target_properties(crypto-shared PROPERTIES VERSION
-		${CRYPTO_VERSION} SOVERSION ${CRYPTO_MAJOR_VERSION})
-	install(TARGETS crypto crypto-shared DESTINATION lib)
-else()
-	add_library(crypto STATIC ${CRYPTO_SRC})
-	install(TARGETS crypto DESTINATION lib)
+file(READ ${CMAKE_CURRENT_SOURCE_DIR}/crypto.sym SYMS)
+foreach(SYM IN LISTS CRYPTO_UNEXPORT)
+	string(REPLACE "${SYM}\n" "" SYMS ${SYMS})
+endforeach()
+file(WRITE ${CMAKE_CURRENT_SOURCE_DIR}/crypto_p.sym ${SYMS})
+if(EXTRA_EXPORT)
+	list(SORT EXTRA_EXPORT)
+	foreach(SYM IN LISTS EXTRA_EXPORT)
+		file(APPEND ${CMAKE_CURRENT_SOURCE_DIR}/crypto_p.sym "${SYM}\n")
+	endforeach()
+endif()
+
+add_library(crypto-objects OBJECT ${CRYPTO_SRC})
+if (BUILD_SHARED)
+	add_library(crypto STATIC $<TARGET_OBJECTS:crypto-objects>)
+	add_library(crypto-shared SHARED $<TARGET_OBJECTS:crypto-objects>)
+	export_symbol(crypto-shared ${CMAKE_CURRENT_SOURCE_DIR}/crypto_p.sym)
+	if (WIN32)
+		target_link_libraries(crypto-shared Ws2_32.lib)
+		set(CRYPTO_POSTFIX -${CRYPTO_MAJOR_VERSION})
+	endif()
+	set_target_properties(crypto-shared PROPERTIES
+		OUTPUT_NAME crypto${CRYPTO_POSTFIX}
+		ARCHIVE_OUTPUT_NAME crypto${CRYPTO_POSTFIX})
+	set_target_properties(crypto-shared PROPERTIES VERSION
+		${CRYPTO_VERSION} SOVERSION ${CRYPTO_MAJOR_VERSION})
+	install(TARGETS crypto crypto-shared DESTINATION ${CMAKE_INSTALL_LIBDIR})
+else()
+	add_library(crypto STATIC ${CRYPTO_SRC})
+	install(TARGETS crypto DESTINATION ${CMAKE_INSTALL_LIBDIR})
 endif()
 

crypto/Makefile.am

@@ -1,6 +1,7 @@
 include $(top_srcdir)/Makefile.am.common
 
 AM_CPPFLAGS += -I$(top_srcdir)/crypto/asn1
+AM_CPPFLAGS += -I$(top_srcdir)/crypto/bn
 AM_CPPFLAGS += -I$(top_srcdir)/crypto/evp
 AM_CPPFLAGS += -I$(top_srcdir)/crypto/modes
 AM_CPPFLAGS += -I$(top_srcdir)/crypto
@@ -9,11 +10,15 @@ lib_LTLIBRARIES = libcrypto.la
 
 EXTRA_DIST = VERSION
 EXTRA_DIST += CMakeLists.txt
+EXTRA_DIST += crypto.sym
 
 # needed for a CMake target
 EXTRA_DIST += compat/strcasecmp.c
 
-libcrypto_la_LDFLAGS = -version-info @LIBCRYPTO_VERSION@ -no-undefined
+BUILT_SOURCES = crypto_portable.sym
+CLEANFILES = crypto_portable.sym
+
+libcrypto_la_LDFLAGS = -version-info @LIBCRYPTO_VERSION@ -no-undefined -export-symbols crypto_portable.sym
 libcrypto_la_LIBADD = libcompat.la
 if !HAVE_EXPLICIT_BZERO
 libcrypto_la_LIBADD += libcompatnoopt.la
@@ -71,10 +76,18 @@ libcompat_la_SOURCES += compat/strnlen.c
 endif
 endif
 
+if !HAVE_STRSEP
+libcompat_la_SOURCES += compat/strsep.c
+endif
+
 if !HAVE_ASPRINTF
 libcompat_la_SOURCES += compat/bsd-asprintf.c
 endif
 
+if !HAVE_GETPAGESIZE
+libcompat_la_SOURCES += compat/getpagesize.c
+endif
+
 if !HAVE_INET_PTON
 libcompat_la_SOURCES += compat/inet_pton.c
 endif
@@ -87,6 +100,10 @@ if !HAVE_REALLOCARRAY
 libcompat_la_SOURCES += compat/reallocarray.c
 endif
 
+if !HAVE_RECALLOCARRAY
+libcompat_la_SOURCES += compat/recallocarray.c
+endif
+
 if !HAVE_TIMINGSAFE_MEMCMP
 libcompat_la_SOURCES += compat/timingsafe_memcmp.c
 endif
@@ -133,6 +150,7 @@ noinst_HEADERS += constant_time_locl.h
 noinst_HEADERS += cryptlib.h
 noinst_HEADERS += md32_common.h
 noinst_HEADERS += o_time.h
+noinst_HEADERS += x86_arch.h
 
 # aes
 libcrypto_la_SOURCES += aes/aes_cfb.c
@@ -342,6 +360,12 @@ libcrypto_la_SOURCES += conf/conf_mod.c
 libcrypto_la_SOURCES += conf/conf_sap.c
 noinst_HEADERS += conf/conf_def.h
 
+# curve25519
+libcrypto_la_SOURCES += curve25519/curve25519-generic.c
+libcrypto_la_SOURCES += curve25519/curve25519.c
+noinst_HEADERS += curve25519/curve25519_internal.h
+
+
 # des
 libcrypto_la_SOURCES += des/cbc_cksm.c
 libcrypto_la_SOURCES += des/cbc_enc.c
@@ -422,6 +446,10 @@ libcrypto_la_SOURCES += ec/ec_print.c
 libcrypto_la_SOURCES += ec/eck_prn.c
 libcrypto_la_SOURCES += ec/ecp_mont.c
 libcrypto_la_SOURCES += ec/ecp_nist.c
+libcrypto_la_SOURCES += ec/ecp_nistp224.c
+libcrypto_la_SOURCES += ec/ecp_nistp256.c
+libcrypto_la_SOURCES += ec/ecp_nistp521.c
+libcrypto_la_SOURCES += ec/ecp_nistputil.c
 libcrypto_la_SOURCES += ec/ecp_oct.c
 libcrypto_la_SOURCES += ec/ecp_smpl.c
 noinst_HEADERS += ec/ec_lcl.h
@@ -510,6 +538,7 @@ libcrypto_la_SOURCES += evp/m_gost2814789.c
 libcrypto_la_SOURCES += evp/m_gostr341194.c
 libcrypto_la_SOURCES += evp/m_md4.c
 libcrypto_la_SOURCES += evp/m_md5.c
+libcrypto_la_SOURCES += evp/m_md5_sha1.c
 libcrypto_la_SOURCES += evp/m_null.c
 libcrypto_la_SOURCES += evp/m_ripemd.c
 libcrypto_la_SOURCES += evp/m_sha1.c
@@ -563,9 +592,6 @@ libcrypto_la_SOURCES += idea/i_ofb64.c
 libcrypto_la_SOURCES += idea/i_skey.c
 noinst_HEADERS += idea/idea_lcl.h
 
-# krb5
-libcrypto_la_SOURCES += krb5/krb5_asn.c
-
 # lhash
 libcrypto_la_SOURCES += lhash/lh_stats.c
 libcrypto_la_SOURCES += lhash/lhash.c
@@ -769,6 +795,7 @@ libcrypto_la_SOURCES += x509/x509spki.c
 libcrypto_la_SOURCES += x509/x509type.c
 libcrypto_la_SOURCES += x509/x_all.c
 noinst_HEADERS += x509/x509_lcl.h
+noinst_HEADERS += x509/vpm_int.h
 
 # x509v3
 libcrypto_la_SOURCES += x509v3/pcy_cache.c

crypto/Makefile.am.elf-x86_64

@@ -1,22 +1,22 @@
 
-ASM_X86_64_ELF = aes/aes-elf-x86_64.s
-ASM_X86_64_ELF += aes/bsaes-elf-x86_64.s
-ASM_X86_64_ELF += aes/vpaes-elf-x86_64.s
-ASM_X86_64_ELF += aes/aesni-elf-x86_64.s
-ASM_X86_64_ELF += aes/aesni-sha1-elf-x86_64.s
-ASM_X86_64_ELF += bn/modexp512-elf-x86_64.s
-ASM_X86_64_ELF += bn/mont-elf-x86_64.s
-ASM_X86_64_ELF += bn/mont5-elf-x86_64.s
-ASM_X86_64_ELF += bn/gf2m-elf-x86_64.s
-ASM_X86_64_ELF += camellia/cmll-elf-x86_64.s
-ASM_X86_64_ELF += md5/md5-elf-x86_64.s
-ASM_X86_64_ELF += modes/ghash-elf-x86_64.s
-ASM_X86_64_ELF += rc4/rc4-elf-x86_64.s
-ASM_X86_64_ELF += rc4/rc4-md5-elf-x86_64.s
-ASM_X86_64_ELF += sha/sha1-elf-x86_64.s
+ASM_X86_64_ELF = aes/aes-elf-x86_64.S
+ASM_X86_64_ELF += aes/bsaes-elf-x86_64.S
+ASM_X86_64_ELF += aes/vpaes-elf-x86_64.S
+ASM_X86_64_ELF += aes/aesni-elf-x86_64.S
+ASM_X86_64_ELF += aes/aesni-sha1-elf-x86_64.S
+ASM_X86_64_ELF += bn/modexp512-elf-x86_64.S
+ASM_X86_64_ELF += bn/mont-elf-x86_64.S
+ASM_X86_64_ELF += bn/mont5-elf-x86_64.S
+ASM_X86_64_ELF += bn/gf2m-elf-x86_64.S
+ASM_X86_64_ELF += camellia/cmll-elf-x86_64.S
+ASM_X86_64_ELF += md5/md5-elf-x86_64.S
+ASM_X86_64_ELF += modes/ghash-elf-x86_64.S
+ASM_X86_64_ELF += rc4/rc4-elf-x86_64.S
+ASM_X86_64_ELF += rc4/rc4-md5-elf-x86_64.S
+ASM_X86_64_ELF += sha/sha1-elf-x86_64.S
 ASM_X86_64_ELF += sha/sha256-elf-x86_64.S
 ASM_X86_64_ELF += sha/sha512-elf-x86_64.S
-ASM_X86_64_ELF += whrlpool/wp-elf-x86_64.s
+ASM_X86_64_ELF += whrlpool/wp-elf-x86_64.S
 ASM_X86_64_ELF += cpuid-elf-x86_64.S
 
 EXTRA_DIST += $(ASM_X86_64_ELF)

crypto/Makefile.am.macosx-x86_64

@@ -1,22 +1,22 @@
 
-ASM_X86_64_MACOSX = aes/aes-macosx-x86_64.s
-ASM_X86_64_MACOSX += aes/bsaes-macosx-x86_64.s
-ASM_X86_64_MACOSX += aes/vpaes-macosx-x86_64.s
-ASM_X86_64_MACOSX += aes/aesni-macosx-x86_64.s
-ASM_X86_64_MACOSX += aes/aesni-sha1-macosx-x86_64.s
-ASM_X86_64_MACOSX += bn/modexp512-macosx-x86_64.s
-ASM_X86_64_MACOSX += bn/mont-macosx-x86_64.s
-ASM_X86_64_MACOSX += bn/mont5-macosx-x86_64.s
-ASM_X86_64_MACOSX += bn/gf2m-macosx-x86_64.s
-ASM_X86_64_MACOSX += camellia/cmll-macosx-x86_64.s
-ASM_X86_64_MACOSX += md5/md5-macosx-x86_64.s
-ASM_X86_64_MACOSX += modes/ghash-macosx-x86_64.s
-ASM_X86_64_MACOSX += rc4/rc4-macosx-x86_64.s
-ASM_X86_64_MACOSX += rc4/rc4-md5-macosx-x86_64.s
-ASM_X86_64_MACOSX += sha/sha1-macosx-x86_64.s
+ASM_X86_64_MACOSX = aes/aes-macosx-x86_64.S
+ASM_X86_64_MACOSX += aes/bsaes-macosx-x86_64.S
+ASM_X86_64_MACOSX += aes/vpaes-macosx-x86_64.S
+ASM_X86_64_MACOSX += aes/aesni-macosx-x86_64.S
+ASM_X86_64_MACOSX += aes/aesni-sha1-macosx-x86_64.S
+ASM_X86_64_MACOSX += bn/modexp512-macosx-x86_64.S
+ASM_X86_64_MACOSX += bn/mont-macosx-x86_64.S
+ASM_X86_64_MACOSX += bn/mont5-macosx-x86_64.S
+ASM_X86_64_MACOSX += bn/gf2m-macosx-x86_64.S
+ASM_X86_64_MACOSX += camellia/cmll-macosx-x86_64.S
+ASM_X86_64_MACOSX += md5/md5-macosx-x86_64.S
+ASM_X86_64_MACOSX += modes/ghash-macosx-x86_64.S
+ASM_X86_64_MACOSX += rc4/rc4-macosx-x86_64.S
+ASM_X86_64_MACOSX += rc4/rc4-md5-macosx-x86_64.S
+ASM_X86_64_MACOSX += sha/sha1-macosx-x86_64.S
 ASM_X86_64_MACOSX += sha/sha256-macosx-x86_64.S
 ASM_X86_64_MACOSX += sha/sha512-macosx-x86_64.S
-ASM_X86_64_MACOSX += whrlpool/wp-macosx-x86_64.s
+ASM_X86_64_MACOSX += whrlpool/wp-macosx-x86_64.S
 ASM_X86_64_MACOSX += cpuid-macosx-x86_64.S
 
 EXTRA_DIST += $(ASM_X86_64_MACOSX)

crypto/compat/b_win.c

@@ -23,8 +23,8 @@ BIO_sock_init(void)
 	if (!wsa_init_done) {
 		if (WSAStartup(version_requested, &wsa_state) != 0) {
 			int err = WSAGetLastError();
-			SYSerr(SYS_F_WSASTARTUP, err);
-			BIOerr(BIO_F_BIO_SOCK_INIT, BIO_R_WSASTARTUP);
+			SYSerror(err);
+			BIOerror(BIO_R_WSASTARTUP);
 			return (-1);
 		}
 		wsa_init_done = 1;

crypto/compat/getpagesize.c

@@ -0,0 +1,18 @@
+/* $OpenBSD$ */
+
+#include <unistd.h>
+
+#ifdef _MSC_VER
+#include <windows.h>
+#endif
+
+int
+getpagesize(void) {
+#ifdef _MSC_VER
+	SYSTEM_INFO system_info;
+	GetSystemInfo(&system_info);
+	return system_info.dwPageSize;
+#else
+	return sysconf(_SC_PAGESIZE);
+#endif
+}

crypto/compat/inet_pton.c

@@ -1,212 +0,0 @@
-/*	$OpenBSD: inet_pton.c,v 1.9 2015/01/16 16:48:51 deraadt Exp $	*/
-
-/* Copyright (c) 1996 by Internet Software Consortium.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND INTERNET SOFTWARE CONSORTIUM DISCLAIMS
- * ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES
- * OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL INTERNET SOFTWARE
- * CONSORTIUM BE LIABLE FOR ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL
- * DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR
- * PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS
- * ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS
- * SOFTWARE.
- */
-
-#include <sys/types.h>
-#include <sys/socket.h>
-#include <netinet/in.h>
-#include <arpa/inet.h>
-#include <arpa/nameser.h>
-#include <string.h>
-#include <errno.h>
-
-/*
- * WARNING: Don't even consider trying to compile this on a system where
- * sizeof(int) < 4.  sizeof(int) > 4 is fine; all the world's not a VAX.
- */
-
-static int	inet_pton4(const char *src, u_char *dst);
-static int	inet_pton6(const char *src, u_char *dst);
-
-/* int
- * inet_pton(af, src, dst)
- *	convert from presentation format (which usually means ASCII printable)
- *	to network format (which is usually some kind of binary format).
- * return:
- *	1 if the address was valid for the specified address family
- *	0 if the address wasn't valid (`dst' is untouched in this case)
- *	-1 if some other error occurred (`dst' is untouched in this case, too)
- * author:
- *	Paul Vixie, 1996.
- */
-int
-inet_pton(int af, const char *src, void *dst)
-{
-	switch (af) {
-	case AF_INET:
-		return (inet_pton4(src, dst));
-	case AF_INET6:
-		return (inet_pton6(src, dst));
-	default:
-		errno = EAFNOSUPPORT;
-		return (-1);
-	}
-	/* NOTREACHED */
-}
-
-/* int
- * inet_pton4(src, dst)
- *	like inet_aton() but without all the hexadecimal and shorthand.
- * return:
- *	1 if `src' is a valid dotted quad, else 0.
- * notice:
- *	does not touch `dst' unless it's returning 1.
- * author:
- *	Paul Vixie, 1996.
- */
-static int
-inet_pton4(const char *src, u_char *dst)
-{
-	static const char digits[] = "0123456789";
-	int saw_digit, octets, ch;
-	u_char tmp[INADDRSZ], *tp;
-
-	saw_digit = 0;
-	octets = 0;
-	*(tp = tmp) = 0;
-	while ((ch = *src++) != '\0') {
-		const char *pch;
-
-		if ((pch = strchr(digits, ch)) != NULL) {
-			u_int new = *tp * 10 + (pch - digits);
-
-			if (new > 255)
-				return (0);
-			if (! saw_digit) {
-				if (++octets > 4)
-					return (0);
-				saw_digit = 1;
-			}
-			*tp = new;
-		} else if (ch == '.' && saw_digit) {
-			if (octets == 4)
-				return (0);
-			*++tp = 0;
-			saw_digit = 0;
-		} else
-			return (0);
-	}
-	if (octets < 4)
-		return (0);
-
-	memcpy(dst, tmp, INADDRSZ);
-	return (1);
-}
-
-/* int
- * inet_pton6(src, dst)
- *	convert presentation level address to network order binary form.
- * return:
- *	1 if `src' is a valid [RFC1884 2.2] address, else 0.
- * notice:
- *	does not touch `dst' unless it's returning 1.
- * credit:
- *	inspired by Mark Andrews.
- * author:
- *	Paul Vixie, 1996.
- */
-static int
-inet_pton6(const char *src, u_char *dst)
-{
-	static const char xdigits_l[] = "0123456789abcdef",
-			  xdigits_u[] = "0123456789ABCDEF";
-	u_char tmp[IN6ADDRSZ], *tp, *endp, *colonp;
-	const char *xdigits, *curtok;
-	int ch, saw_xdigit, count_xdigit;
-	u_int val;
-
-	memset((tp = tmp), '\0', IN6ADDRSZ);
-	endp = tp + IN6ADDRSZ;
-	colonp = NULL;
-	/* Leading :: requires some special handling. */
-	if (*src == ':')
-		if (*++src != ':')
-			return (0);
-	curtok = src;
-	saw_xdigit = count_xdigit = 0;
-	val = 0;
-	while ((ch = *src++) != '\0') {
-		const char *pch;
-
-		if ((pch = strchr((xdigits = xdigits_l), ch)) == NULL)
-			pch = strchr((xdigits = xdigits_u), ch);
-		if (pch != NULL) {
-			if (count_xdigit >= 4)
-				return (0);
-			val <<= 4;
-			val |= (pch - xdigits);
-			if (val > 0xffff)
-				return (0);
-			saw_xdigit = 1;
-			count_xdigit++;
-			continue;
-		}
-		if (ch == ':') {
-			curtok = src;
-			if (!saw_xdigit) {
-				if (colonp)
-					return (0);
-				colonp = tp;
-				continue;
-			} else if (*src == '\0') {
-				return (0);
-			}
-			if (tp + INT16SZ > endp)
-				return (0);
-			*tp++ = (u_char) (val >> 8) & 0xff;
-			*tp++ = (u_char) val & 0xff;
-			saw_xdigit = 0;
-			count_xdigit = 0;
-			val = 0;
-			continue;
-		}
-		if (ch == '.' && ((tp + INADDRSZ) <= endp) &&
-		    inet_pton4(curtok, tp) > 0) {
-			tp += INADDRSZ;
-			saw_xdigit = 0;
-			count_xdigit = 0;
-			break;	/* '\0' was seen by inet_pton4(). */
-		}
-		return (0);
-	}
-	if (saw_xdigit) {
-		if (tp + INT16SZ > endp)
-			return (0);
-		*tp++ = (u_char) (val >> 8) & 0xff;
-		*tp++ = (u_char) val & 0xff;
-	}
-	if (colonp != NULL) {
-		/*
-		 * Since some memmove()'s erroneously fail to handle
-		 * overlapping regions, we'll do the shift by hand.
-		 */
-		const int n = tp - colonp;
-		int i;
-
-		if (tp == endp)
-			return (0);
-		for (i = 1; i <= n; i++) {
-			endp[- i] = colonp[n - i];
-			colonp[n - i] = 0;
-		}
-		tp = endp;
-	}
-	if (tp != endp)
-		return (0);
-	memcpy(dst, tmp, IN6ADDRSZ);
-	return (1);
-}

crypto/compat/posix_win.c

@@ -12,6 +12,7 @@
 #include <ws2tcpip.h>
 
 #include <errno.h>
+#include <fcntl.h>
 #include <stdint.h>
 #include <stdio.h>
 #include <stdlib.h>
@@ -39,6 +40,28 @@ posix_fopen(const char *path, const char *mode)
 	return fopen(path, mode);
 }
 
+int
+posix_open(const char *path, ...)
+{
+	va_list ap;
+	int mode = 0;
+	int flags;
+
+	va_start(ap, path);
+	flags = va_arg(ap, int);
+	if (flags & O_CREAT)
+		mode = va_arg(ap, int);
+	va_end(ap);
+
+	flags |= O_BINARY;
+	if (flags & O_CLOEXEC) {
+		flags &= ~O_CLOEXEC;
+		flags |= O_NOINHERIT;
+	}
+	flags &= ~O_NONBLOCK;
+	return open(path, flags, mode);
+}
+
 char *
 posix_fgets(char *s, int size, FILE *stream)
 {
@@ -109,6 +132,9 @@ wsa_errno(int err)
 	case WSAEAFNOSUPPORT:
 		errno = EAFNOSUPPORT;
 		break;
+	case WSAEBADF:
+		errno = EBADF;
+		break;
 	case WSAENETRESET:
 	case WSAENOTCONN:
 	case WSAECONNABORTED:
@@ -135,7 +161,7 @@ posix_close(int fd)
 {
 	if (closesocket(fd) == SOCKET_ERROR) {
 		int err = WSAGetLastError();
-		return err == WSAENOTSOCK ?
+		return (err == WSAENOTSOCK || err == WSAEBADF) ?
 			close(fd) : wsa_errno(err);
 	}
 	return 0;
@@ -147,7 +173,7 @@ posix_read(int fd, void *buf, size_t count)
 	ssize_t rc = recv(fd, buf, count, 0);
 	if (rc == SOCKET_ERROR) {
 		int err = WSAGetLastError();
-		return err == WSAENOTSOCK ?
+		return (err == WSAENOTSOCK || err == WSAEBADF) ?
 			read(fd, buf, count) : wsa_errno(err);
 	}
 	return rc;
@@ -159,7 +185,7 @@ posix_write(int fd, const void *buf, size_t count)
 	ssize_t rc = send(fd, buf, count, 0);
 	if (rc == SOCKET_ERROR) {
 		int err = WSAGetLastError();
-		return err == WSAENOTSOCK ?
+		return (err == WSAENOTSOCK || err == WSAEBADF) ?
 			write(fd, buf, count) : wsa_errno(err);
 	}
 	return rc;

dist.sh

@@ -4,4 +4,4 @@ set -e
 rm -f man/*.1 man/*.3 include/openssl/*.h
 ./autogen.sh
 ./configure
-make distcheck
+make -j2 distcheck

include/CMakeLists.txt

@@ -1,5 +1,5 @@
 install(DIRECTORY .
-        DESTINATION include
+        DESTINATION ${CMAKE_INSTALL_INCLUDEDIR}
         PATTERN "CMakeLists.txt" EXCLUDE
         PATTERN "compat" EXCLUDE
         PATTERN "Makefile*" EXCLUDE)

include/Makefile.am

@@ -8,6 +8,7 @@ noinst_HEADERS = pqueue.h
 noinst_HEADERS += compat/dirent.h
 noinst_HEADERS += compat/dirent_msvc.h
 noinst_HEADERS += compat/err.h
+noinst_HEADERS += compat/fcntl.h
 noinst_HEADERS += compat/limits.h
 noinst_HEADERS += compat/netdb.h
 noinst_HEADERS += compat/poll.h
@@ -29,7 +30,6 @@ noinst_HEADERS += compat/netinet/in.h
 noinst_HEADERS += compat/netinet/ip.h
 noinst_HEADERS += compat/netinet/tcp.h
 
-noinst_HEADERS += compat/sys/cdefs.h
 noinst_HEADERS += compat/sys/ioctl.h
 noinst_HEADERS += compat/sys/mman.h
 noinst_HEADERS += compat/sys/param.h

include/compat/arpa/inet.h

@@ -14,6 +14,10 @@
 
 #endif
 
+#ifndef HAVE_INET_NTOP
+const char * inet_ntop(int af, const void *src, char *dst, socklen_t size);
+#endif
+
 #ifndef HAVE_INET_PTON
 int inet_pton(int af, const char * src, void * dst);
 #endif

include/compat/err.h

@@ -18,6 +18,11 @@
 #include <stdio.h>
 #include <string.h>
 
+#if defined(_MSC_VER)
+__declspec(noreturn)
+#else
+__attribute__((noreturn))
+#endif
 static inline void
 err(int eval, const char *fmt, ...)
 {
@@ -34,6 +39,11 @@ err(int eval, const char *fmt, ...)
 	va_end(ap);
 }
 
+#if defined(_MSC_VER)
+__declspec(noreturn)
+#else
+__attribute__((noreturn))
+#endif
 static inline void
 errx(int eval, const char *fmt, ...)
 {

include/compat/fcntl.h

@@ -0,0 +1,32 @@
+/*
+ * Public domain
+ * fcntl.h compatibility shim
+ */
+
+#ifndef _WIN32
+#include_next <fcntl.h>
+#else
+
+#ifdef _MSC_VER
+#if _MSC_VER >= 1900
+#include <../ucrt/fcntl.h>
+#else
+#include <../include/fcntl.h>
+#endif
+#else
+#include_next <fcntl.h>
+#endif
+
+#endif
+
+#ifndef O_NONBLOCK
+#define O_NONBLOCK      0x100000
+#endif
+
+#ifndef O_CLOEXEC
+#define O_CLOEXEC       0x200000
+#endif
+
+#ifndef FD_CLOEXEC
+#define FD_CLOEXEC      1
+#endif

include/compat/limits.h

@@ -5,6 +5,14 @@
 
 #ifdef _MSC_VER
 #include <../include/limits.h>
+#if _MSC_VER >= 1900
+#include <../ucrt/stdlib.h>
+#else
+#include <../include/stdlib.h>
+#endif
+#ifndef PATH_MAX
+#define PATH_MAX _MAX_PATH
+#endif
 #else
 #include_next <limits.h>
 #endif

include/compat/stdio.h

@@ -26,6 +26,10 @@ int asprintf(char **str, const char *fmt, ...);
 
 #ifdef _WIN32
 
+#if defined(_MSC_VER)
+#define __func__ __FUNCTION__
+#endif
+
 void posix_perror(const char *s);
 FILE * posix_fopen(const char *path, const char *mode);
 char * posix_fgets(char *s, int size, FILE *stream);

include/compat/stdlib.h

@@ -29,6 +29,10 @@ uint32_t arc4random_uniform(uint32_t upper_bound);
 void *reallocarray(void *, size_t, size_t);
 #endif
 
+#ifndef HAVE_RECALLOCARRAY
+void *recallocarray(void *, size_t, size_t, size_t);
+#endif
+
 #ifndef HAVE_STRTONUM
 long long strtonum(const char *nptr, long long minval,
 		long long maxval, const char **errstr);

include/compat/sys/cdefs.h

@@ -1,31 +0,0 @@
-/*
- * Public domain
- * sys/cdefs.h compatibility shim
- */
-
-#ifndef LIBCRYPTOCOMPAT_SYS_CDEFS_H
-#define LIBCRYPTOCOMPAT_SYS_CDEFS_H
-
-#ifdef _WIN32
-
-#define __warn_references(sym,msg)
-
-#else
-
-#include_next <sys/cdefs.h>
-
-#ifndef __warn_references
-
-#if defined(__GNUC__)  && defined (HAS_GNU_WARNING_LONG)
-#define __warn_references(sym,msg)          \
-  __asm__(".section .gnu.warning." __STRING(sym)  \
-         " ; .ascii \"" msg "\" ; .text");
-#else
-#define __warn_references(sym,msg)
-#endif
-
-#endif /* __warn_references */
-
-#endif /* _WIN32 */
-
-#endif /* LIBCRYPTOCOMPAT_SYS_CDEFS_H */

include/compat/sys/socket.h

@@ -8,3 +8,10 @@
 #else
 #include <win32netcompat.h>
 #endif
+
+#if !defined(SOCK_NONBLOCK) || !defined(SOCK_CLOEXEC)
+#define SOCK_CLOEXEC            0x8000  /* set FD_CLOEXEC */
+#define SOCK_NONBLOCK           0x4000  /* set O_NONBLOCK */
+int bsd_socketpair(int domain, int type, int protocol, int socket_vector[2]);
+#define socketpair(d,t,p,sv) bsd_socketpair(d,t,p,sv)
+#endif

include/compat/sys/stat.h

@@ -8,6 +8,15 @@
 
 #ifndef _MSC_VER
 #include_next <sys/stat.h>
+
+/* for old MinGW */
+#ifndef S_IRGRP
+#define S_IRGRP         0
+#endif
+#ifndef S_IROTH
+#define S_IROTH         0
+#endif
+
 #else
 
 #include <windows.h>

include/compat/sys/types.h

@@ -44,4 +44,25 @@ typedef SSIZE_T ssize_t;
 # define __bounded__(x, y, z)
 #endif
 
+#ifdef _WIN32
+#define __warn_references(sym,msg)
+#else
+
+#ifndef __warn_references
+
+#ifndef __STRING
+#define __STRING(x) #x
+#endif
+
+#if defined(__GNUC__)  && defined (HAS_GNU_WARNING_LONG)
+#define __warn_references(sym,msg)          \
+  __asm__(".section .gnu.warning." __STRING(sym)  \
+         " ; .ascii \"" msg "\" ; .text");
+#else
+#define __warn_references(sym,msg)
+#endif
+
+#endif /* __warn_references */
+#endif /* _WIN32 */
+
 #endif

include/compat/unistd.h

@@ -14,6 +14,9 @@
 #include <io.h>
 #include <process.h>
 
+#define STDOUT_FILENO   1
+#define STDERR_FILENO   2
+
 #define R_OK    4
 #define W_OK    2
 #define X_OK    0
@@ -36,6 +39,14 @@ int getentropy(void *buf, size_t buflen);
 #endif
 #endif
 
+#ifndef HAVE_GETPAGESIZE
+int getpagesize(void);
+#endif
+
 #define pledge(request, paths) 0
 
+#ifndef HAVE_PIPE2
+int pipe2(int fildes[2], int flags);
+#endif
+
 #endif

include/compat/win32netcompat.h

@@ -26,7 +26,10 @@
 
 int posix_connect(int sockfd, const struct sockaddr *addr, socklen_t addrlen);
 
+int posix_open(const char *path, ...);
+
 int posix_close(int fd);
+
 ssize_t posix_read(int fd, void *buf, size_t count);
 
 ssize_t posix_write(int fd, const void *buf, size_t count);
@@ -39,6 +42,7 @@ int posix_setsockopt(int sockfd, int level, int optname,
 
 #ifndef NO_REDEF_POSIX_FUNCTIONS
 #define connect(sockfd, addr, addrlen) posix_connect(sockfd, addr, addrlen)
+#define open(path, ...) posix_open(path, __VA_ARGS__)
 #define close(fd) posix_close(fd)
 #define read(fd, buf, count) posix_read(fd, buf, count)
 #define write(fd, buf, count) posix_write(fd, buf, count)

libcrypto.pc.in

@@ -5,8 +5,8 @@ exec_prefix=@exec_prefix@
 libdir=@libdir@
 includedir=@includedir@
 
-Name: LibreSSL-libssl
-Description: Secure Sockets Layer and cryptography libraries
+Name: LibreSSL-libcrypto
+Description: LibreSSL cryptography library
 Version: @VERSION@
 Requires:
 Conflicts:

libtls-standalone/src/Makefile.am

@@ -8,6 +8,7 @@ libtls_la_LIBADD += $(top_builddir)/compat/libcompat.la
 libtls_la_LIBADD += $(top_builddir)/compat/libcompatnoopt.la
 
 libtls_la_SOURCES = tls.c
+libtls_la_SOURCES += tls_bio_cb.c
 libtls_la_SOURCES += tls_client.c
 libtls_la_SOURCES += tls_config.c
 libtls_la_SOURCES += tls_server.c

m4/check-libc.m4

@@ -2,14 +2,18 @@ AC_DEFUN([CHECK_LIBC_COMPAT], [
 # Check for libc headers
 AC_CHECK_HEADERS([err.h readpassphrase.h])
 # Check for general libc functions
-AC_CHECK_FUNCS([asprintf inet_pton memmem readpassphrase reallocarray])
+AC_CHECK_FUNCS([asprintf getpagesize inet_ntop inet_pton memmem readpassphrase])
+AC_CHECK_FUNCS([reallocarray recallocarray])
 AC_CHECK_FUNCS([strlcat strlcpy strndup strnlen strsep strtonum])
 AC_CHECK_FUNCS([timegm _mkgmtime])
 AM_CONDITIONAL([HAVE_ASPRINTF], [test "x$ac_cv_func_asprintf" = xyes])
+AM_CONDITIONAL([HAVE_GETPAGESIZE], [test "x$ac_cv_func_getpagesize" = xyes])
+AM_CONDITIONAL([HAVE_INET_NTOP], [test "x$ac_cv_func_inet_ntop" = xyes])
 AM_CONDITIONAL([HAVE_INET_PTON], [test "x$ac_cv_func_inet_pton" = xyes])
 AM_CONDITIONAL([HAVE_MEMMEM], [test "x$ac_cv_func_memmem" = xyes])
 AM_CONDITIONAL([HAVE_READPASSPHRASE], [test "x$ac_cv_func_readpassphrase" = xyes])
 AM_CONDITIONAL([HAVE_REALLOCARRAY], [test "x$ac_cv_func_reallocarray" = xyes])
+AM_CONDITIONAL([HAVE_RECALLOCARRAY], [test "x$ac_cv_func_recallocarray" = xyes])
 AM_CONDITIONAL([HAVE_STRLCAT], [test "x$ac_cv_func_strlcat" = xyes])
 AM_CONDITIONAL([HAVE_STRLCPY], [test "x$ac_cv_func_strlcpy" = xyes])
 AM_CONDITIONAL([HAVE_STRNDUP], [test "x$ac_cv_func_strndup" = xyes])
@@ -20,10 +24,12 @@ AM_CONDITIONAL([HAVE_TIMEGM], [test "x$ac_cv_func_timegm" = xyes])
 ])
 
 AC_DEFUN([CHECK_SYSCALL_COMPAT], [
-AC_CHECK_FUNCS([accept4 pledge poll])
+AC_CHECK_FUNCS([accept4 pipe2 pledge poll socketpair])
 AM_CONDITIONAL([HAVE_ACCEPT4], [test "x$ac_cv_func_accept4" = xyes])
+AM_CONDITIONAL([HAVE_PIPE2], [test "x$ac_cv_func_pipe2" = xyes])
 AM_CONDITIONAL([HAVE_PLEDGE], [test "x$ac_cv_func_pledge" = xyes])
 AM_CONDITIONAL([HAVE_POLL], [test "x$ac_cv_func_poll" = xyes])
+AM_CONDITIONAL([HAVE_SOCKETPAIR], [test "x$ac_cv_func_socketpair" = xyes])
 ])
 
 AC_DEFUN([CHECK_B64_NTOP], [
@@ -47,7 +53,52 @@ AM_CONDITIONAL([HAVE_B64_NTOP], [test "x$ac_cv_func_b64_ntop_arg" = xyes])
 AC_DEFUN([CHECK_CRYPTO_COMPAT], [
 # Check crypto-related libc functions and syscalls
 AC_CHECK_FUNCS([arc4random arc4random_buf arc4random_uniform])
-AC_CHECK_FUNCS([explicit_bzero getauxval getentropy])
+AC_CHECK_FUNCS([explicit_bzero getauxval])
+
+AC_CACHE_CHECK([for getentropy], ac_cv_func_getentropy, [
+	AC_LINK_IFELSE([AC_LANG_PROGRAM([[
+#include <sys/types.h>
+#include <unistd.h>
+
+/*
+ * Explanation:
+ *
+ *   - iOS <= 10.1 fails because of missing sys/random.h
+ *
+ *   - in macOS 10.12 getentropy is not tagged as introduced in
+ *     10.12 so we cannot use it for target < 10.12
+ */
+#ifdef __APPLE__
+#  include <AvailabilityMacros.h>
+#  include <TargetConditionals.h>
+
+# if (TARGET_OS_IPHONE || TARGET_OS_SIMULATOR)
+#  include <sys/random.h> /* Not available as of iOS <= 10.1 */
+# else
+
+#  include <sys/random.h> /* Pre 10.12 systems should die here */
+
+/* Based on: https://gitweb.torproject.org/tor.git/commit/?id=16fcbd21 */
+#  ifndef MAC_OS_X_VERSION_10_12
+#    define MAC_OS_X_VERSION_10_12 101200 /* Robustness */
+#  endif
+#  if defined(MAC_OS_X_VERSION_MIN_REQUIRED)
+#    if MAC_OS_X_VERSION_MIN_REQUIRED < MAC_OS_X_VERSION_10_12
+#      error "Targeting on Mac OSX 10.11 or earlier"
+#    endif
+#  endif
+
+# endif
+#endif /* __APPLE__ */
+		]], [[
+	char buffer;
+	(void)getentropy(&buffer, sizeof (buffer));
+]])],
+	[ ac_cv_func_getentropy="yes" ],
+	[ ac_cv_func_getentropy="no"
+	])
+])
+
 AC_CHECK_FUNCS([timingsafe_bcmp timingsafe_memcmp])
 AM_CONDITIONAL([HAVE_ARC4RANDOM], [test "x$ac_cv_func_arc4random" = xyes])
 AM_CONDITIONAL([HAVE_ARC4RANDOM_BUF], [test "x$ac_cv_func_arc4random_buf" = xyes])
@@ -96,3 +147,85 @@ if test "x$ac_cv_have___va_copy" = "xyes" ; then
 	AC_DEFINE([HAVE___VA_COPY], [1], [Define if __va_copy exists])
 fi
 ])
+
+AC_DEFUN([GENERATE_CRYPTO_PORTABLE_SYM], [
+AS_CASE([$host_cpu],
+	[i?86], [HOSTARCH=intel],
+	[x86_64], [HOSTARCH=intel],
+	[amd64], [HOSTARCH=intel],
+)
+AC_SUBST([HOSTARCH])
+crypto_sym=$srcdir/crypto/crypto.sym
+crypto_p_sym=./crypto/crypto_portable.sym
+echo "generating $crypto_p_sym ..."
+mkdir -p ./crypto
+cp $crypto_sym $crypto_p_sym
+chmod u+w $crypto_p_sym
+if test "x$ac_cv_func_arc4random_buf" = "xno" ; then
+	echo arc4random >> $crypto_p_sym
+	echo arc4random_buf >> $crypto_p_sym
+	echo arc4random_uniform >> $crypto_p_sym
+	if test "x$ac_cv_func_getentropy" = "xno" ; then
+		echo getentropy >> $crypto_p_sym
+	fi
+fi
+if test "x$ac_cv_func_asprintf" = "xno" ; then
+	echo asprintf >> $crypto_p_sym
+	echo vasprintf >> $crypto_p_sym
+fi
+if test "x$ac_cv_func_explicit_bzero" = "xno" ; then
+	echo explicit_bzero >> $crypto_p_sym
+fi
+if test "x$ac_cv_func_inet_pton" = "xno" ; then
+	echo inet_pton >> $crypto_p_sym
+fi
+if test "x$ac_cv_func_reallocarray" = "xno" ; then
+	echo reallocarray >> $crypto_p_sym
+fi
+if test "x$ac_cv_func_recallocarray" = "xno" ; then
+	echo recallocarray >> $crypto_p_sym
+fi
+if test "x$ac_cv_func_strlcat" = "xno" ; then
+	echo strlcat >> $crypto_p_sym
+fi
+if test "x$ac_cv_func_strlcpy" = "xno" ; then
+	echo strlcpy >> $crypto_p_sym
+fi
+if test "x$ac_cv_func_strndup" = "xno" ; then
+	echo strndup >> $crypto_p_sym
+fi
+if test "x$ac_cv_func_strnlen" = "xno" ; then
+	echo strnlen >> $crypto_p_sym
+fi
+if test "x$ac_cv_func_strsep" = "xno" ; then
+	echo strsep >> $crypto_p_sym
+fi
+if test "x$ac_cv_func_timegm" = "xno" ; then
+	echo timegm >> $crypto_p_sym
+fi
+if test "x$ac_cv_func_timingsafe_bcmp" = "xno" ; then
+	echo timingsafe_bcmp >> $crypto_p_sym
+fi
+if test "x$ac_cv_func_timingsafe_memcmp" = "xno" ; then
+	echo timingsafe_memcmp >> $crypto_p_sym
+fi
+if test "x$HOSTARCH" = "xintel" ; then
+	echo OPENSSL_ia32cap_P >> $crypto_p_sym
+fi
+if test "x$HOST_OS" = "xwin" ; then
+	echo posix_perror >> $crypto_p_sym
+	echo posix_fopen >> $crypto_p_sym
+	echo posix_fgets >> $crypto_p_sym
+	echo posix_open >> $crypto_p_sym
+	echo posix_rename >> $crypto_p_sym
+	echo posix_connect >> $crypto_p_sym
+	echo posix_close >> $crypto_p_sym
+	echo posix_read >> $crypto_p_sym
+	echo posix_write >> $crypto_p_sym
+	echo posix_getsockopt >> $crypto_p_sym
+	echo posix_setsockopt >> $crypto_p_sym
+
+	grep -v BIO_s_log $crypto_p_sym > $crypto_p_sym.tmp
+	mv $crypto_p_sym.tmp $crypto_p_sym
+fi
+])

m4/check-os-options.m4

@@ -17,10 +17,45 @@ case $host_os in
 	*darwin*)
 		HOST_OS=darwin
 		HOST_ABI=macosx
+		#
+		# Don't use arc4random on systems before 10.12 because of
 		# weak seed on failure to open /dev/random, based on latest
 		# public source:
 		# http://www.opensource.apple.com/source/Libc/Libc-997.90.3/gen/FreeBSD/arc4random.c
-		USE_BUILTIN_ARC4RANDOM=yes
+		#
+		# We use the presence of getentropy() to detect 10.12. The
+		# following check take into account that:
+ 		#
+		#   - iOS <= 10.1 fails because of missing getentropy and
+		#     hence they miss sys/random.h
+		#
+		#   - in macOS 10.12 getentropy is not tagged as introduced in
+		#     10.12 so we cannot use it for target < 10.12
+		#
+		AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
+#include <AvailabilityMacros.h>
+#include <unistd.h>
+#include <sys/random.h>  /* Systems without getentropy() should die here */
+
+/* Based on: https://gitweb.torproject.org/tor.git/commit/?id=16fcbd21 */
+#ifndef MAC_OS_X_VERSION_10_12
+#  define MAC_OS_X_VERSION_10_12 101200
+#endif
+#if defined(MAC_OS_X_VERSION_MIN_REQUIRED)
+#  if MAC_OS_X_VERSION_MIN_REQUIRED < MAC_OS_X_VERSION_10_12
+#    error "Running on Mac OSX 10.11 or earlier"
+#  endif
+#endif
+                       ]], [[
+char buf[1]; getentropy(buf, 1);
+					   ]])],
+                       [ USE_BUILTIN_ARC4RANDOM=no ],
+                       [ USE_BUILTIN_ARC4RANDOM=yes ]
+		)
+		AC_MSG_CHECKING([whether to use builtin arc4random])
+		AC_MSG_RESULT([$USE_BUILTIN_ARC4RANDOM])
+		# Not available on iOS
+		AC_CHECK_HEADER([arpa/telnet.h], [], [BUILD_NC=no])
 		;;
 	*freebsd*)
 		HOST_OS=freebsd
@@ -71,8 +106,6 @@ case $host_os in
 		CPPFLAGS="$CPPFLAGS -D_REENTRANT -D_POSIX_THREAD_SAFE_FUNCTIONS"
 		CPPFLAGS="$CPPFLAGS -DWIN32_LEAN_AND_MEAN -D_WIN32_WINNT=0x0501"
 		CPPFLAGS="$CPPFLAGS -DOPENSSL_NO_SPEED"
-		CFLAGS="$CFLAGS -static-libgcc"
-		LDFLAGS="$LDFLAGS -static-libgcc"
 		AC_SUBST([PLATFORM_LDADD], ['-lws2_32'])
 		;;
 	*solaris*)

man/CMakeLists.txt

@@ -1,9 +1,9 @@
 install(DIRECTORY .
-    DESTINATION share/man/man3
+    DESTINATION ${CMAKE_INSTALL_MANDIR}/man3
     FILES_MATCHING PATTERN "*.3"
     )
 
 install(DIRECTORY .
-    DESTINATION share/man/man1
+    DESTINATION ${CMAKE_INSTALL_MANDIR}/man1
     FILES_MATCHING PATTERN "*.1"
     )

man/update_links.sh

@@ -1,18 +1,19 @@
 #!/bin/sh
 
 # Run this periodically to ensure that the manpage links are up to date
+(
+    cd /usr/src/usr.bin/mandoc/
+    make obj
+    make cleandir
+    make depend
+    make
+    cd /usr/src/regress/usr.bin/mandoc/db/mlinks/
+    make obj
+    make cleandir
+    make
+)
+
+makewhatis -a .
 
 echo "# This is an auto-generated file by $0" > links
-doas makewhatis
-for i in `ls -1 *.3`; do
-  name=`echo $i|cut -d. -f1`
-  links=`sqlite3 /usr/share/man/mandoc.db \
-    "select names.name from mlinks,names where mlinks.name='$name' and mlinks.pageid=names.pageid;"`
-  for j in $links; do
-    a=`echo "x$j" | tr '[:upper:]' '[:lower:]'`
-    b=`echo "x$name" | tr '[:upper:]' '[:lower:]'`
-    if [[ $a != $b && $a != *"<type>"* ]]; then
-      echo $name.3,$j.3 >> links
-    fi
-  done
-done
+/usr/src/regress/usr.bin/mandoc/db/mlinks/obj/mlinks mandoc.db | sort >> links

patches/aeadtest.c.patch

@@ -0,0 +1,15 @@
+--- tests/aeadtest.c.orig	2016-10-18 17:03:33.845870889 +0900
++++ tests/aeadtest.c	2016-10-18 17:11:19.880841283 +0900
+@@ -75,6 +75,12 @@
+ 
+ #define BUF_MAX 1024
+ 
++#ifdef _MSC_VER
++#ifdef IN
++#undef IN
++#endif
++#endif
++
+ /* These are the different types of line that are found in the input file. */
+ enum {
+ 	AEAD = 0,	/* name of the AEAD algorithm. */

patches/bio.h.patch

@@ -0,0 +1,36 @@
+--- include/openssl/bio.h.orig	Mon Oct  3 06:09:28 2016
++++ include/openssl/bio.h	Sun Nov  6 04:24:57 2016
+@@ -678,8 +678,24 @@
+
+ /*long BIO_ghbn_ctrl(int cmd,int iarg,char *parg);*/
+
++#ifdef __MINGW_PRINTF_FORMAT
+ int
+ BIO_printf(BIO *bio, const char *format, ...)
++	__attribute__((__format__(__MINGW_PRINTF_FORMAT, 2, 3), __nonnull__(2)));
++int
++BIO_vprintf(BIO *bio, const char *format, va_list args)
++	__attribute__((__format__(__MINGW_PRINTF_FORMAT, 2, 0), __nonnull__(2)));
++int
++BIO_snprintf(char *buf, size_t n, const char *format, ...)
++	__attribute__((__deprecated__, __format__(__MINGW_PRINTF_FORMAT, 3, 4),
++	    __nonnull__(3)));
++int
++BIO_vsnprintf(char *buf, size_t n, const char *format, va_list args)
++	__attribute__((__deprecated__, __format__(__MINGW_PRINTF_FORMAT, 3, 0),
++	    __nonnull__(3)));
++#else
++int
++BIO_printf(BIO *bio, const char *format, ...)
+ 	__attribute__((__format__(__printf__, 2, 3), __nonnull__(2)));
+ int
+ BIO_vprintf(BIO *bio, const char *format, va_list args)
+@@ -692,6 +708,8 @@
+ BIO_vsnprintf(char *buf, size_t n, const char *format, va_list args)
+ 	__attribute__((__deprecated__, __format__(__printf__, 3, 0),
+ 	    __nonnull__(3)));
++#endif
++
+
+ /* BEGIN ERROR CODES */
+ /* The following lines are auto generated by the script mkerr.pl. Any changes

patches/netcat.c.patch

@@ -1,5 +1,5 @@
---- apps/nc/netcat.c.orig	Thu Jun 30 19:56:49 2016
-+++ apps/nc/netcat.c	Thu Jun 30 19:59:09 2016
+--- apps/nc/netcat.c.orig	Thu Mar 16 19:26:06 2017
++++ apps/nc/netcat.c	Sat Mar 25 11:17:36 2017
 @@ -65,7 +65,9 @@
  #define POLL_NETIN 2
  #define POLL_STDOUT 3
@@ -8,9 +8,9 @@
  #define DEFAULT_CA_FILE "/etc/ssl/cert.pem"
 +#endif
  
- #define TLS_LEGACY	(1 << 1)
+ #define TLS_ALL	(1 << 1)
  #define TLS_NOVERIFY	(1 << 2)
-@@ -92,9 +94,13 @@
+@@ -93,9 +95,13 @@
  int	Dflag;					/* sodebug */
  int	Iflag;					/* TCP receive buffer size */
  int	Oflag;					/* TCP send buffer size */
@@ -24,16 +24,16 @@
  
  int	usetls;					/* use TLS */
  char    *Cflag;					/* Public cert file */
-@@ -152,7 +158,7 @@
+@@ -149,7 +155,7 @@
  	struct servent *sv;
  	socklen_t len;
  	struct sockaddr_storage cliaddr;
--	char *proxy;
-+	char *proxy = NULL;
- 	const char *errstr, *proxyhost = "", *proxyport = NULL;
+-	char *proxy, *proxyport = NULL;
++	char *proxy = NULL, *proxyport = NULL;
+ 	const char *errstr;
  	struct addrinfo proxyhints;
  	char unix_dg_tmp_socket_buf[UNIX_DG_TMP_SOCKET_SIZE];
-@@ -262,12 +268,14 @@
+@@ -259,12 +265,14 @@
  		case 'u':
  			uflag = 1;
  			break;
@@ -49,8 +49,8 @@
  			vflag = 1;
  			break;
 @@ -300,9 +308,11 @@
- 				errx(1, "TCP send window %s: %s",
- 				    errstr, optarg);
+ 		case 'o':
+ 			oflag = optarg;
  			break;
 +#ifdef TCP_MD5SIG
  		case 'S':
@@ -72,31 +72,19 @@
  
  	if (family == AF_UNIX) {
  		if (pledge("stdio rpath wpath cpath tmppath unix", NULL) == -1)
-@@ -480,7 +492,10 @@
- 				errx(1, "-H and -T noverify may not be used"
- 				    "together");
- 			tls_config_insecure_noverifycert(tls_cfg);
--		}
-+		} else {
-+                        if (Rflag && access(Rflag, R_OK) == -1)
-+                                errx(1, "unable to find root CA file %s", Rflag);
-+                }
- 	}
- 	if (lflag) {
- 		struct tls *tls_cctx = NULL;
-@@ -832,7 +847,10 @@
+@@ -865,7 +877,10 @@
  remote_connect(const char *host, const char *port, struct addrinfo hints)
  {
  	struct addrinfo *res, *res0;
--	int s, error, on = 1, save_errno;
-+	int s, error, save_errno;
+-	int s = -1, error, on = 1, save_errno;
++	int s = -1, error, save_errno;
 +#ifdef SO_BINDANY
 +	int on = 1;
 +#endif
  
- 	if ((error = getaddrinfo(host, port, &hints, &res)))
- 		errx(1, "getaddrinfo: %s", gai_strerror(error));
-@@ -847,8 +865,10 @@
+ 	if ((error = getaddrinfo(host, port, &hints, &res0)))
+ 		errx(1, "getaddrinfo for host \"%s\" port %s: %s", host,
+@@ -880,8 +895,10 @@
  		if (sflag || pflag) {
  			struct addrinfo ahints, *ares;
  
@@ -105,22 +93,22 @@
  			setsockopt(s, SOL_SOCKET, SO_BINDANY, &on, sizeof(on));
 +#endif
  			memset(&ahints, 0, sizeof(struct addrinfo));
- 			ahints.ai_family = res0->ai_family;
+ 			ahints.ai_family = res->ai_family;
  			ahints.ai_socktype = uflag ? SOCK_DGRAM : SOCK_STREAM;
-@@ -919,7 +939,10 @@
+@@ -952,7 +969,10 @@
  local_listen(char *host, char *port, struct addrinfo hints)
  {
  	struct addrinfo *res, *res0;
--	int s, ret, x = 1, save_errno;
-+	int s, save_errno;
+-	int s = -1, ret, x = 1, save_errno;
++	int s = -1, save_errno;
 +#ifdef SO_REUSEPORT
 +	int ret, x = 1;
 +#endif
  	int error;
  
  	/* Allow nodename to be null. */
-@@ -941,9 +964,11 @@
- 		    res0->ai_protocol)) < 0)
+@@ -973,9 +993,11 @@
+ 		    res->ai_protocol)) < 0)
  			continue;
  
 +#ifdef SO_REUSEPORT
@@ -129,9 +117,9 @@
  			err(1, NULL);
 +#endif
  
- 		set_common_sockopts(s, res0->ai_family);
+ 		set_common_sockopts(s, res->ai_family);
  
-@@ -1401,11 +1426,13 @@
+@@ -1425,11 +1447,13 @@
  {
  	int x = 1;
  
@@ -145,7 +133,7 @@
  	if (Dflag) {
  		if (setsockopt(s, SOL_SOCKET, SO_DEBUG,
  			&x, sizeof(x)) == -1)
-@@ -1442,13 +1469,17 @@
+@@ -1466,13 +1490,17 @@
  	}
  
  	if (minttl != -1) {
@@ -164,7 +152,7 @@
  	}
  }
  
-@@ -1605,14 +1636,22 @@
+@@ -1666,14 +1694,22 @@
  	\t-P proxyuser\tUsername for proxy authentication\n\
  	\t-p port\t	Specify local port for remote connects\n\
  	\t-R CAfile	CA bundle\n\

patches/ocsp_test.c.patch

@@ -0,0 +1,14 @@
+--- tests/ocsp_test.c.orig	2016-10-18 18:12:39.854607509 +0900
++++ tests/ocsp_test.c	2016-10-18 18:14:29.261600559 +0900
+@@ -16,6 +16,11 @@
+ 	hints.ai_family = AF_INET;
+ 	hints.ai_socktype = SOCK_STREAM;
+ 
++#ifdef _MSC_VER
++	if (BIO_sock_init() != 1)
++		exit(-1);
++#endif
++
+ 	error = getaddrinfo(host, port, &hints, &res);
+ 	if (error != 0) {
+ 		perror("getaddrinfo()");

patches/openssl.c.patch

@@ -1,6 +1,6 @@
---- apps/openssl/openssl.c.orig	Sun Sep 13 09:11:31 2015
-+++ apps/openssl/openssl.c	Sun Sep 13 09:10:02 2015
-@@ -399,7 +399,9 @@
+--- apps/openssl/openssl.c.orig	Fri Nov  4 09:33:19 2016
++++ apps/openssl/openssl.c	Sat Nov  5 15:28:35 2016
+@@ -396,7 +396,9 @@
  static void
  openssl_startup(void)
  {

patches/tls.h.patch

@@ -0,0 +1,32 @@
+--- include/tls.h.orig	2017-02-13 20:19:55.918636579 +0900
++++ include/tls.h	2017-02-13 20:21:18.313073161 +0900
+@@ -22,6 +22,13 @@
+ extern "C" {
+ #endif
+ 
++#ifdef _MSC_VER
++#ifndef LIBRESSL_INTERNAL
++#include <basetsd.h>
++typedef SSIZE_T ssize_t;
++#endif
++#endif
++
+ #include <sys/types.h>
+ 
+ #include <stddef.h>
+--- libtls-standalone/include/tls.h.orig	2017-02-13 20:21:48.297958529 +0900
++++ libtls-standalone/include/tls.h	2017-02-13 20:21:48.296958502 +0900
+@@ -22,6 +22,13 @@
+ extern "C" {
+ #endif
+ 
++#ifdef _MSC_VER
++#ifndef LIBRESSL_INTERNAL
++#include <basetsd.h>
++typedef SSIZE_T ssize_t;
++#endif
++#endif
++
+ #include <sys/types.h>
+ 
+ #include <stddef.h>

patches/windows_headers.patch

@@ -24,8 +24,8 @@ diff -u include/openssl.orig/opensslconf.h include/openssl/opensslconf.h
 +#define __attribute__(a)
 +#endif
 +
- /* Generate 80386 code? */
- #undef I386_ONLY
+ #if defined(HEADER_CRYPTLIB_H) && !defined(OPENSSLDIR)
+ #define OPENSSLDIR "/etc/ssl"
 
 diff -u include/openssl.orig/ossl_typ.h include/openssl/ossl_typ.h
 --- include/openssl.orig/ossl_typ.h	Mon Dec  7 07:58:32 2015

scripts/travis

@@ -21,9 +21,6 @@ if [ "x$ARCH" = "xnative" ]; then
 		make
 		make test
 	else
-		sudo apt-get update
-		sudo apt-get install -y python-software-properties
-		sudo apt-add-repository -y ppa:kalakris/cmake
 		sudo apt-get update
 		sudo apt-get install -y cmake ninja-build
 		cmake -GNinja ..
@@ -38,12 +35,8 @@ else
 	export CC=$CPU-w64-mingw32-gcc
 
 	if [ -z $(which $CC) ]; then
-		# Update Ubuntu 12.04 with current mingw toolchain
 		sudo apt-get update
-		sudo apt-get install -y python-software-properties
-		sudo apt-add-repository -y ppa:tobydox/mingw-x-precise
-		sudo apt-get update
-		sudo apt-get install -y $ARCH-x-gcc make
+		sudo apt-get install -y mingw-w64 make
 		export PATH=$PATH:/opt/$ARCH/bin
 	fi
 

ssl/CMakeLists.txt

@@ -19,44 +19,49 @@ set(
 	d1_srtp.c
 	d1_srvr.c
 	pqueue.c
-	s23_clnt.c
-	s23_lib.c
-	s23_pkt.c
-	s23_srvr.c
-	s3_both.c
 	s3_cbc.c
-	s3_clnt.c
 	s3_lib.c
-	s3_pkt.c
-	s3_srvr.c
 	ssl_algs.c
 	ssl_asn1.c
+	ssl_both.c
 	ssl_cert.c
 	ssl_ciph.c
+	ssl_clnt.c
 	ssl_err.c
-	ssl_err2.c
 	ssl_lib.c
+	ssl_packet.c
+	ssl_pkt.c
 	ssl_rsa.c
 	ssl_sess.c
+	ssl_srvr.c
 	ssl_stat.c
 	ssl_txt.c
+	ssl_versions.c
 	t1_clnt.c
 	t1_enc.c
+	t1_hash.c
 	t1_lib.c
 	t1_meth.c
 	t1_reneg.c
 	t1_srvr.c
 )
 
-if (BUILD_SHARED)
 add_library(ssl-objects OBJECT ${SSL_SRC})
+if (BUILD_SHARED)
 	add_library(ssl STATIC $<TARGET_OBJECTS:ssl-objects>)
 	add_library(ssl-shared SHARED $<TARGET_OBJECTS:ssl-objects>)
-	set_target_properties(ssl-shared PROPERTIES OUTPUT_NAME ssl)
+	export_symbol(ssl-shared ${CMAKE_CURRENT_SOURCE_DIR}/ssl.sym)
+	if (WIN32)
+		target_link_libraries(ssl-shared crypto-shared Ws2_32.lib)
+		set(SSL_POSTFIX -${SSL_MAJOR_VERSION})
+	endif()
+	set_target_properties(ssl-shared PROPERTIES
+		OUTPUT_NAME ssl${SSL_POSTFIX}
+		ARCHIVE_OUTPUT_NAME ssl${SSL_POSTFIX})
 	set_target_properties(ssl-shared PROPERTIES VERSION ${SSL_VERSION}
 		SOVERSION ${SSL_MAJOR_VERSION})
-	install(TARGETS ssl ssl-shared DESTINATION lib)
+	install(TARGETS ssl ssl-shared DESTINATION ${CMAKE_INSTALL_LIBDIR})
 else()
 	add_library(ssl STATIC ${SSL_SRC})
-	install(TARGETS ssl DESTINATION lib)
+	install(TARGETS ssl DESTINATION ${CMAKE_INSTALL_LIBDIR})
 endif()

ssl/Makefile.am

@@ -4,8 +4,9 @@ lib_LTLIBRARIES = libssl.la
 
 EXTRA_DIST = VERSION
 EXTRA_DIST += CMakeLists.txt
+EXTRA_DIST += ssl.sym
 
-libssl_la_LDFLAGS = -version-info @LIBSSL_VERSION@ -no-undefined
+libssl_la_LDFLAGS = -version-info @LIBSSL_VERSION@ -no-undefined -export-symbols $(top_srcdir)/ssl/ssl.sym
 libssl_la_LIBADD = $(abs_top_builddir)/crypto/libcrypto.la
 
 libssl_la_SOURCES = bio_ssl.c
@@ -21,29 +22,27 @@ libssl_la_SOURCES += d1_pkt.c
 libssl_la_SOURCES += d1_srtp.c
 libssl_la_SOURCES += d1_srvr.c
 libssl_la_SOURCES += pqueue.c
-libssl_la_SOURCES += s23_clnt.c
-libssl_la_SOURCES += s23_lib.c
-libssl_la_SOURCES += s23_pkt.c
-libssl_la_SOURCES += s23_srvr.c
-libssl_la_SOURCES += s3_both.c
 libssl_la_SOURCES += s3_cbc.c
-libssl_la_SOURCES += s3_clnt.c
 libssl_la_SOURCES += s3_lib.c
-libssl_la_SOURCES += s3_pkt.c
-libssl_la_SOURCES += s3_srvr.c
 libssl_la_SOURCES += ssl_algs.c
 libssl_la_SOURCES += ssl_asn1.c
+libssl_la_SOURCES += ssl_both.c
 libssl_la_SOURCES += ssl_cert.c
 libssl_la_SOURCES += ssl_ciph.c
+libssl_la_SOURCES += ssl_clnt.c
 libssl_la_SOURCES += ssl_err.c
-libssl_la_SOURCES += ssl_err2.c
 libssl_la_SOURCES += ssl_lib.c
+libssl_la_SOURCES += ssl_packet.c
+libssl_la_SOURCES += ssl_pkt.c
 libssl_la_SOURCES += ssl_rsa.c
 libssl_la_SOURCES += ssl_sess.c
+libssl_la_SOURCES += ssl_srvr.c
 libssl_la_SOURCES += ssl_stat.c
 libssl_la_SOURCES += ssl_txt.c
+libssl_la_SOURCES += ssl_versions.c
 libssl_la_SOURCES += t1_clnt.c
 libssl_la_SOURCES += t1_enc.c
+libssl_la_SOURCES += t1_hash.c
 libssl_la_SOURCES += t1_lib.c
 libssl_la_SOURCES += t1_meth.c
 libssl_la_SOURCES += t1_reneg.c

tests/CMakeLists.txt

@@ -9,133 +9,146 @@ include_directories(
 	../apps/openssl/compat
 )
 
+add_definitions(-D_PATH_SSL_CA_FILE=\"${CMAKE_CURRENT_SOURCE_DIR}/../apps/openssl/cert.pem\")
+
+foreach(lib IN LISTS OPENSSL_LIBS)
+	if(${lib} STREQUAL "tls-shared")
+		set(TESTS_LIBS ${TESTS_LIBS} tls)
+	elseif(${lib} STREQUAL "ssl-shared")
+		set(TESTS_LIBS ${TESTS_LIBS} ssl)
+	elseif(${lib} STREQUAL "crypto-shared")
+		set(TESTS_LIBS ${TESTS_LIBS} crypto)
+	else()
+		set(TESTS_LIBS ${TESTS_LIBS} ${lib})
+	endif()
+endforeach()
+
 # aeadtest
 add_executable(aeadtest aeadtest.c)
-target_link_libraries(aeadtest ${OPENSSL_LIBS})
-add_test(aeadtest ${CMAKE_CURRENT_SOURCE_DIR}/aeadtest.sh)
-set_tests_properties(aeadtest PROPERTIES ENVIRONMENT "srcdir=${CMAKE_CURRENT_SOURCE_DIR}")
+target_link_libraries(aeadtest ${TESTS_LIBS})
+add_test(aeadtest aeadtest ${CMAKE_CURRENT_SOURCE_DIR}/aeadtests.txt)
 
 # aes_wrap
 add_executable(aes_wrap aes_wrap.c)
-target_link_libraries(aes_wrap ${OPENSSL_LIBS})
+target_link_libraries(aes_wrap ${TESTS_LIBS})
 add_test(aes_wrap aes_wrap)
 
 # arc4randomforktest
 # Windows/mingw does not have fork, but Cygwin does.
 if(NOT CMAKE_HOST_WIN32 AND NOT CMAKE_SYSTEM_NAME MATCHES "MINGW")
 	add_executable(arc4randomforktest arc4randomforktest.c)
-target_link_libraries(arc4randomforktest ${OPENSSL_LIBS})
+	target_link_libraries(arc4randomforktest ${TESTS_LIBS})
 	add_test(arc4randomforktest ${CMAKE_CURRENT_SOURCE_DIR}/arc4randomforktest.sh)
 endif()
 
 # asn1test
 add_executable(asn1test asn1test.c)
-target_link_libraries(asn1test ${OPENSSL_LIBS})
+target_link_libraries(asn1test ${TESTS_LIBS})
 add_test(asn1test asn1test)
 
 # asn1time
 add_executable(asn1time asn1time.c)
-target_link_libraries(asn1time ${OPENSSL_LIBS})
+target_link_libraries(asn1time ${TESTS_LIBS})
 add_test(asn1time asn1time)
 
 # base64test
 add_executable(base64test base64test.c)
-target_link_libraries(base64test ${OPENSSL_LIBS})
+target_link_libraries(base64test ${TESTS_LIBS})
 add_test(base64test base64test)
 
 # bftest
 add_executable(bftest bftest.c)
-target_link_libraries(bftest ${OPENSSL_LIBS})
+target_link_libraries(bftest ${TESTS_LIBS})
 add_test(bftest bftest)
 
 # biotest
 # the BIO tests rely on resolver results that are OS and environment-specific
 if(ENABLE_EXTRATESTS)
 	add_executable(biotest biotest.c)
-	target_link_libraries(biotest ${OPENSSL_LIBS})
+	target_link_libraries(biotest ${TESTS_LIBS})
 	add_test(biotest biotest)
 endif()
 
 # bntest
 add_executable(bntest bntest.c)
-target_link_libraries(bntest ${OPENSSL_LIBS})
+set_source_files_properties(bntest.c PROPERTIES COMPILE_FLAGS -ULIBRESSL_INTERNAL)
+target_link_libraries(bntest ${TESTS_LIBS})
 add_test(bntest bntest)
 
 # bytestringtest
 add_executable(bytestringtest bytestringtest.c)
-target_link_libraries(bytestringtest ${OPENSSL_LIBS})
+target_link_libraries(bytestringtest ${TESTS_LIBS})
 add_test(bytestringtest bytestringtest)
 
 # casttest
 add_executable(casttest casttest.c)
-target_link_libraries(casttest ${OPENSSL_LIBS})
+target_link_libraries(casttest ${TESTS_LIBS})
 add_test(casttest casttest)
 
 # chachatest
 add_executable(chachatest chachatest.c)
-target_link_libraries(chachatest ${OPENSSL_LIBS})
+target_link_libraries(chachatest ${TESTS_LIBS})
 add_test(chachatest chachatest)
 
 # cipher_list
 add_executable(cipher_list cipher_list.c)
-target_link_libraries(cipher_list ${OPENSSL_LIBS})
+target_link_libraries(cipher_list ${TESTS_LIBS})
 add_test(cipher_list cipher_list)
 
 # cipherstest
 add_executable(cipherstest cipherstest.c)
-target_link_libraries(cipherstest ${OPENSSL_LIBS})
+target_link_libraries(cipherstest ${TESTS_LIBS})
 add_test(cipherstest cipherstest)
 
 # clienttest
 add_executable(clienttest clienttest.c)
-target_link_libraries(clienttest ${OPENSSL_LIBS})
+target_link_libraries(clienttest ${TESTS_LIBS})
 add_test(clienttest clienttest)
 
 # cts128test
 add_executable(cts128test cts128test.c)
-target_link_libraries(cts128test ${OPENSSL_LIBS})
+target_link_libraries(cts128test ${TESTS_LIBS})
 add_test(cts128test cts128test)
 
 # destest
 add_executable(destest destest.c)
-target_link_libraries(destest ${OPENSSL_LIBS})
+target_link_libraries(destest ${TESTS_LIBS})
 add_test(destest destest)
 
 # dhtest
 add_executable(dhtest dhtest.c)
-target_link_libraries(dhtest ${OPENSSL_LIBS})
+target_link_libraries(dhtest ${TESTS_LIBS})
 add_test(dhtest dhtest)
 
 # dsatest
 add_executable(dsatest dsatest.c)
-target_link_libraries(dsatest ${OPENSSL_LIBS})
+target_link_libraries(dsatest ${TESTS_LIBS})
 add_test(dsatest dsatest)
 
 # ecdhtest
 add_executable(ecdhtest ecdhtest.c)
-target_link_libraries(ecdhtest ${OPENSSL_LIBS})
+target_link_libraries(ecdhtest ${TESTS_LIBS})
 add_test(ecdhtest ecdhtest)
 
 # ecdsatest
 add_executable(ecdsatest ecdsatest.c)
-target_link_libraries(ecdsatest ${OPENSSL_LIBS})
+target_link_libraries(ecdsatest ${TESTS_LIBS})
 add_test(ecdsatest ecdsatest)
 
 # ectest
 add_executable(ectest ectest.c)
-target_link_libraries(ectest ${OPENSSL_LIBS})
+target_link_libraries(ectest ${TESTS_LIBS})
 add_test(ectest ectest)
 
 # enginetest
 add_executable(enginetest enginetest.c)
-target_link_libraries(enginetest ${OPENSSL_LIBS})
+target_link_libraries(enginetest ${TESTS_LIBS})
 add_test(enginetest enginetest)
 
 # evptest
 add_executable(evptest evptest.c)
-target_link_libraries(evptest ${OPENSSL_LIBS})
-add_test(evptest ${CMAKE_CURRENT_SOURCE_DIR}/evptest.sh)
-set_tests_properties(evptest PROPERTIES ENVIRONMENT "srcdir=${CMAKE_CURRENT_SOURCE_DIR}")
+target_link_libraries(evptest ${TESTS_LIBS})
+add_test(evptest evptest ${CMAKE_CURRENT_SOURCE_DIR}/evptests.txt)
 
 # explicit_bzero
 # explicit_bzero relies on SA_ONSTACK, which is unavailable on Windows
@@ -143,118 +156,126 @@ if(NOT CMAKE_HOST_WIN32)
 	if(HAVE_MEMMEM)
 		add_executable(explicit_bzero explicit_bzero.c)
 	else()
-	add_executable(explicit_bzero explicit_bzero.c memmem.c)
+		add_executable(explicit_bzero explicit_bzero.c compat/memmem.c)
 	endif()
-target_link_libraries(explicit_bzero ${OPENSSL_LIBS})
+	target_link_libraries(explicit_bzero ${TESTS_LIBS})
 	add_test(explicit_bzero explicit_bzero)
 endif()
 
 # exptest
 add_executable(exptest exptest.c)
-target_link_libraries(exptest ${OPENSSL_LIBS})
+set_source_files_properties(exptest.c PROPERTIES COMPILE_FLAGS -ULIBRESSL_INTERNAL)
+target_link_libraries(exptest ${TESTS_LIBS})
 add_test(exptest exptest)
 
 # gcm128test
 add_executable(gcm128test gcm128test.c)
-target_link_libraries(gcm128test ${OPENSSL_LIBS})
+target_link_libraries(gcm128test ${TESTS_LIBS})
 add_test(gcm128test gcm128test)
 
 # gost2814789t
 add_executable(gost2814789t gost2814789t.c)
-target_link_libraries(gost2814789t ${OPENSSL_LIBS})
+target_link_libraries(gost2814789t ${TESTS_LIBS})
 add_test(gost2814789t gost2814789t)
 
 # hmactest
 add_executable(hmactest hmactest.c)
-target_link_libraries(hmactest ${OPENSSL_LIBS})
+target_link_libraries(hmactest ${TESTS_LIBS})
 add_test(hmactest hmactest)
 
 # ideatest
 add_executable(ideatest ideatest.c)
-target_link_libraries(ideatest ${OPENSSL_LIBS})
+target_link_libraries(ideatest ${TESTS_LIBS})
 add_test(ideatest ideatest)
 
 # igetest
 add_executable(igetest igetest.c)
-target_link_libraries(igetest ${OPENSSL_LIBS})
+target_link_libraries(igetest ${TESTS_LIBS})
 add_test(igetest igetest)
 
 # md4test
 add_executable(md4test md4test.c)
-target_link_libraries(md4test ${OPENSSL_LIBS})
+target_link_libraries(md4test ${TESTS_LIBS})
 add_test(md4test md4test)
 
 # md5test
 add_executable(md5test md5test.c)
-target_link_libraries(md5test ${OPENSSL_LIBS})
+target_link_libraries(md5test ${TESTS_LIBS})
 add_test(md5test md5test)
 
 # mont
 add_executable(mont mont.c)
-target_link_libraries(mont ${OPENSSL_LIBS})
+target_link_libraries(mont ${TESTS_LIBS})
 add_test(mont mont)
 
 # ocsp_test
 if(ENABLE_EXTRATESTS)
 	add_executable(ocsp_test ocsp_test.c)
-	target_link_libraries(ocsp_test ${OPENSSL_LIBS})
+	target_link_libraries(ocsp_test ${TESTS_LIBS})
+	if(NOT MSVC)
 		add_test(ocsptest ${CMAKE_CURRENT_SOURCE_DIR}/ocsptest.sh)
-	set_tests_properties(ocsptest PROPERTIES ENVIRONMENT "srcdir=${CMAKE_CURRENT_SOURCE_DIR}")
+	else()
+		add_test(ocsptest ${CMAKE_CURRENT_SOURCE_DIR}/ocsptest.bat)
+	endif()
 endif()
 
 # optionstest
 add_executable(optionstest optionstest.c)
-target_link_libraries(optionstest ${OPENSSL_LIBS})
+target_link_libraries(optionstest ${TESTS_LIBS})
 add_test(optionstest optionstest)
 
 # pbkdf2
 add_executable(pbkdf2 pbkdf2.c)
-target_link_libraries(pbkdf2 ${OPENSSL_LIBS})
+target_link_libraries(pbkdf2 ${TESTS_LIBS})
 add_test(pbkdf2 pbkdf2)
 
 # pidwraptest
 # pidwraptest relies on an OS-specific way to give out pids and is generally
 # awkward on systems with slow fork
-if(ENABLE_EXTRATESTS)
+if(ENABLE_EXTRATESTS AND NOT MSVC)
 	add_executable(pidwraptest pidwraptest.c)
-	target_link_libraries(pidwraptest ${OPENSSL_LIBS})
+	target_link_libraries(pidwraptest ${TESTS_LIBS})
 	add_test(pidwraptest ${CMAKE_CURRENT_SOURCE_DIR}/pidwraptest.sh)
 endif()
 
 # pkcs7test
 add_executable(pkcs7test pkcs7test.c)
-target_link_libraries(pkcs7test ${OPENSSL_LIBS})
+target_link_libraries(pkcs7test ${TESTS_LIBS})
 add_test(pkcs7test pkcs7test)
 
 # poly1305test
 add_executable(poly1305test poly1305test.c)
-target_link_libraries(poly1305test ${OPENSSL_LIBS})
+target_link_libraries(poly1305test ${TESTS_LIBS})
 add_test(poly1305test poly1305test)
 
 # pq_test
 add_executable(pq_test pq_test.c)
-target_link_libraries(pq_test ${OPENSSL_LIBS})
+target_link_libraries(pq_test ${TESTS_LIBS})
+if(NOT MSVC)
 	add_test(pq_test ${CMAKE_CURRENT_SOURCE_DIR}/pq_test.sh)
+else()
+	add_test(pq_test ${CMAKE_CURRENT_SOURCE_DIR}/pq_test.bat)
+endif()
 set_tests_properties(pq_test PROPERTIES ENVIRONMENT "srcdir=${CMAKE_CURRENT_SOURCE_DIR}")
 
 # randtest
 add_executable(randtest randtest.c)
-target_link_libraries(randtest ${OPENSSL_LIBS})
+target_link_libraries(randtest ${TESTS_LIBS})
 add_test(randtest randtest)
 
 # rc2test
 add_executable(rc2test rc2test.c)
-target_link_libraries(rc2test ${OPENSSL_LIBS})
+target_link_libraries(rc2test ${TESTS_LIBS})
 add_test(rc2test rc2test)
 
 # rc4test
 add_executable(rc4test rc4test.c)
-target_link_libraries(rc4test ${OPENSSL_LIBS})
+target_link_libraries(rc4test ${TESTS_LIBS})
 add_test(rc4test rc4test)
 
 # rfc5280time
 add_executable(rfc5280time rfc5280time.c)
-target_link_libraries(rfc5280time ${OPENSSL_LIBS})
+target_link_libraries(rfc5280time ${TESTS_LIBS})
 if(SMALL_TIME_T)
 	add_test(rfc5280time ${CMAKE_CURRENT_SOURCE_DIR}/rfc5280time_small.test)
 else()
@@ -263,53 +284,133 @@ endif()
 
 # rmdtest
 add_executable(rmdtest rmdtest.c)
-target_link_libraries(rmdtest ${OPENSSL_LIBS})
+target_link_libraries(rmdtest ${TESTS_LIBS})
 add_test(rmdtest rmdtest)
 
+# rsa_test
+add_executable(rsa_test rsa_test.c)
+target_link_libraries(rsa_test ${TESTS_LIBS})
+add_test(rsa_test rsa_test)
+
+# servertest
+add_executable(servertest servertest.c)
+target_link_libraries(servertest ${TESTS_LIBS})
+if(NOT MSVC)
+	add_test(servertest ${CMAKE_CURRENT_SOURCE_DIR}/servertest.sh)
+else()
+	add_test(servertest ${CMAKE_CURRENT_SOURCE_DIR}/servertest.bat)
+endif()
+set_tests_properties(servertest PROPERTIES ENVIRONMENT "srcdir=${CMAKE_CURRENT_SOURCE_DIR}")
+
 # sha1test
 add_executable(sha1test sha1test.c)
-target_link_libraries(sha1test ${OPENSSL_LIBS})
+target_link_libraries(sha1test ${TESTS_LIBS})
 add_test(sha1test sha1test)
 
 # sha256test
 add_executable(sha256test sha256test.c)
-target_link_libraries(sha256test ${OPENSSL_LIBS})
+target_link_libraries(sha256test ${TESTS_LIBS})
 add_test(sha256test sha256test)
 
 # sha512test
 add_executable(sha512test sha512test.c)
-target_link_libraries(sha512test ${OPENSSL_LIBS})
+target_link_libraries(sha512test ${TESTS_LIBS})
 add_test(sha512test sha512test)
 
+# ssl_versions
+add_executable(ssl_versions ssl_versions.c)
+target_link_libraries(ssl_versions ${TESTS_LIBS})
+add_test(ssl_versions ssl_versions)
+
 # ssltest
 add_executable(ssltest ssltest.c)
-target_link_libraries(ssltest ${OPENSSL_LIBS})
+target_link_libraries(ssltest ${TESTS_LIBS})
+if(NOT MSVC)
 	add_test(ssltest ${CMAKE_CURRENT_SOURCE_DIR}/ssltest.sh)
+else()
+	add_test(ssltest ${CMAKE_CURRENT_SOURCE_DIR}/ssltest.bat)
+endif()
 set_tests_properties(ssltest PROPERTIES ENVIRONMENT "srcdir=${CMAKE_CURRENT_SOURCE_DIR}")
 
 # testdsa
+if(NOT MSVC)
 	add_test(testdsa ${CMAKE_CURRENT_SOURCE_DIR}/testdsa.sh)
+else()
+	add_test(testdsa ${CMAKE_CURRENT_SOURCE_DIR}/testdsa.bat)
+endif()
 set_tests_properties(testdsa PROPERTIES ENVIRONMENT "srcdir=${CMAKE_CURRENT_SOURCE_DIR}")
 
 # testenc
+if(NOT MSVC)
 	add_test(testenc ${CMAKE_CURRENT_SOURCE_DIR}/testenc.sh)
+else()
+	add_test(testenc ${CMAKE_CURRENT_SOURCE_DIR}/testenc.bat)
+endif()
 set_tests_properties(testenc PROPERTIES ENVIRONMENT "srcdir=${CMAKE_CURRENT_SOURCE_DIR}")
 
 # testrsa
+if(NOT MSVC)
 	add_test(testrsa ${CMAKE_CURRENT_SOURCE_DIR}/testrsa.sh)
+else()
+	add_test(testrsa ${CMAKE_CURRENT_SOURCE_DIR}/testrsa.bat)
+endif()
 set_tests_properties(testrsa PROPERTIES ENVIRONMENT "srcdir=${CMAKE_CURRENT_SOURCE_DIR}")
 
 # timingsafe
 add_executable(timingsafe timingsafe.c)
-target_link_libraries(timingsafe ${OPENSSL_LIBS})
+target_link_libraries(timingsafe ${TESTS_LIBS})
 add_test(timingsafe timingsafe)
 
+# tlstest
+set(TLSTEST_SRC tlstest.c)
+check_function_exists(pipe2 HAVE_PIPE2)
+if(HAVE_PIPE2)
+	add_definitions(-DHAVE_PIPE2)
+else()
+	set(TLSTEST_SRC ${TLSTEST_SRC} compat/pipe2.c)
+endif()
+
+add_executable(tlstest ${TLSTEST_SRC})
+target_link_libraries(tlstest ${TESTS_LIBS})
+if(NOT MSVC)
+	add_test(tlstest ${CMAKE_CURRENT_SOURCE_DIR}/tlstest.sh)
+else()
+	add_test(tlstest ${CMAKE_CURRENT_SOURCE_DIR}/tlstest.bat)
+endif()
+set_tests_properties(tlstest PROPERTIES ENVIRONMENT "srcdir=${CMAKE_CURRENT_SOURCE_DIR}")
+
+# tls_ext_alpn
+add_executable(tls_ext_alpn tls_ext_alpn.c)
+target_link_libraries(tls_ext_alpn ${TESTS_LIBS})
+add_test(tls_ext_alpn tls_ext_alpn)
+
+# tls_prf
+add_executable(tls_prf tls_prf.c)
+target_link_libraries(tls_prf ${TESTS_LIBS})
+add_test(tls_prf tls_prf)
+
 # utf8test
 add_executable(utf8test utf8test.c)
-target_link_libraries(utf8test ${OPENSSL_LIBS})
+target_link_libraries(utf8test ${TESTS_LIBS})
 add_test(utf8test utf8test)
 
 # verifytest
 add_executable(verifytest verifytest.c)
-target_link_libraries(verifytest tls ${OPENSSL_LIBS})
+target_link_libraries(verifytest tls ${TESTS_LIBS})
 add_test(verifytest verifytest)
+
+# x25519test
+add_executable(x25519test x25519test.c)
+target_link_libraries(x25519test ${TESTS_LIBS})
+add_test(x25519test x25519test)
+
+if(ENABLE_VSTEST AND USE_SHARED)
+	add_custom_command(TARGET x25519test POST_BUILD
+		COMMAND "${CMAKE_COMMAND}" -E copy
+		"$<TARGET_FILE:tls-shared>"
+		"$<TARGET_FILE:ssl-shared>"
+		"$<TARGET_FILE:crypto-shared>"
+		"${CMAKE_CURRENT_BINARY_DIR}"
+		COMMENT "Copying DLLs for regression tests")
+endif()
+

tests/Makefile.am

@@ -5,11 +5,15 @@ AM_CPPFLAGS += -I $(top_srcdir)/crypto/asn1
 AM_CPPFLAGS += -I $(top_srcdir)/ssl
 AM_CPPFLAGS += -I $(top_srcdir)/apps/openssl
 AM_CPPFLAGS += -I $(top_srcdir)/apps/openssl/compat
+AM_CPPFLAGS += -D_PATH_SSL_CA_FILE=\"$(top_srcdir)/apps/openssl/cert.pem\"
 
-LDADD = $(PLATFORM_LDADD) $(PROG_LDADD)
-LDADD += $(abs_top_builddir)/ssl/libssl.la
-LDADD += $(abs_top_builddir)/crypto/libcrypto.la
-LDADD += $(abs_top_builddir)/tls/libtls.la
+LDADD = $(abs_top_builddir)/tls/.libs/libtls.a
+LDADD += $(abs_top_builddir)/ssl/.libs/libssl.a
+LDADD += $(abs_top_builddir)/crypto/.libs/libcrypto.a
+LDADD += $(PLATFORM_LDADD) $(PROG_LDADD)
+if HOST_ASM_MACOSX_X86_64
+LDADD += $(abs_top_builddir)/crypto/.libs/libcrypto_la-cpuid-macosx-x86_64.o
+endif
 
 TEST_LOG_DRIVER = env AM_TAP_AWK='$(AWK)' $(SHELL) $(top_srcdir)/tap-driver.sh
 
@@ -69,6 +73,7 @@ endif
 
 # bntest
 TESTS += bntest
+bntest_CPPFLAGS = $(AM_CPPFLAGS) -ULIBRESSL_INTERNAL
 check_PROGRAMS += bntest
 bntest_SOURCES = bntest.c
 
@@ -158,7 +163,7 @@ TESTS += explicit_bzero
 check_PROGRAMS += explicit_bzero
 explicit_bzero_SOURCES = explicit_bzero.c
 if !HAVE_MEMMEM
-explicit_bzero_SOURCES += memmem.c
+explicit_bzero_SOURCES += compat/memmem.c
 endif
 endif
 endif
@@ -166,6 +171,7 @@ endif
 # exptest
 TESTS += exptest
 check_PROGRAMS += exptest
+exptest_CPPFLAGS = $(AM_CPPFLAGS) -ULIBRESSL_INTERNAL
 exptest_SOURCES = exptest.c
 
 # gcm128test
@@ -214,7 +220,7 @@ TESTS += ocsptest.sh
 check_PROGRAMS += ocsp_test
 ocsp_test_SOURCES = ocsp_test.c
 endif
-EXTRA_DIST += ocsptest.sh
+EXTRA_DIST += ocsptest.sh ocsptest.bat
 
 # optionstest
 TESTS += optionstest
@@ -250,7 +256,7 @@ poly1305test_SOURCES = poly1305test.c
 TESTS += pq_test.sh
 check_PROGRAMS += pq_test
 pq_test_SOURCES = pq_test.c
-EXTRA_DIST += pq_test.sh
+EXTRA_DIST += pq_test.sh pq_test.bat
 EXTRA_DIST += pq_expected.txt
 
 # randtest
@@ -283,6 +289,17 @@ TESTS += rmdtest
 check_PROGRAMS += rmdtest
 rmdtest_SOURCES = rmdtest.c
 
+# rsa_test
+TESTS += rsa_test
+check_PROGRAMS += rsa_test
+rsa_test_SOURCES = rsa_test.c
+
+# servertest
+TESTS += servertest.sh
+check_PROGRAMS += servertest
+servertest_SOURCES = servertest.c
+EXTRA_DIST += servertest.sh servertest.bat
+
 # sha1test
 TESTS += sha1test
 check_PROGRAMS += sha1test
@@ -298,31 +315,55 @@ TESTS += sha512test
 check_PROGRAMS += sha512test
 sha512test_SOURCES = sha512test.c
 
+# ssl_versions
+TESTS += ssl_versions
+check_PROGRAMS += ssl_versions
+ssl_versions_SOURCES = ssl_versions.c
+
 # ssltest
 TESTS += ssltest.sh
 check_PROGRAMS += ssltest
 ssltest_SOURCES = ssltest.c
-EXTRA_DIST += ssltest.sh
-EXTRA_DIST += testssl ca.pem server.pem
+EXTRA_DIST += ssltest.sh ssltest.bat
+EXTRA_DIST += testssl testssl.bat ca.pem server.pem
 
 # testdsa
 TESTS += testdsa.sh
-EXTRA_DIST += testdsa.sh
+EXTRA_DIST += testdsa.sh testdsa.bat
 EXTRA_DIST += openssl.cnf
 
 # testenc
 TESTS += testenc.sh
-EXTRA_DIST += testenc.sh
+EXTRA_DIST += testenc.sh testenc.bat
 
 # testrsa
 TESTS += testrsa.sh
-EXTRA_DIST += testrsa.sh
+EXTRA_DIST += testrsa.sh testrsa.bat
 
 # timingsafe
 TESTS += timingsafe
 check_PROGRAMS += timingsafe
 timingsafe_SOURCES = timingsafe.c
 
+# tlstest
+TESTS += tlstest.sh
+check_PROGRAMS += tlstest
+tlstest_SOURCES = tlstest.c
+if !HAVE_PIPE2
+tlstest_SOURCES += compat/pipe2.c
+endif
+EXTRA_DIST += tlstest.sh tlstest.bat
+
+# tls_ext_alpn
+TESTS += tls_ext_alpn
+check_PROGRAMS += tls_ext_alpn
+tls_ext_alpn_SOURCES = tls_ext_alpn.c
+
+# tls_prf
+TESTS += tls_prf
+check_PROGRAMS += tls_prf
+tls_prf_SOURCES = tls_prf.c
+
 # utf8test
 TESTS += utf8test
 check_PROGRAMS += utf8test
@@ -332,3 +373,8 @@ utf8test_SOURCES = utf8test.c
 TESTS += verifytest
 check_PROGRAMS += verifytest
 verifytest_SOURCES = verifytest.c
+
+# x25519test
+TESTS += x25519test
+check_PROGRAMS += x25519test
+x25519test_SOURCES = x25519test.c

tests/compat/pipe2.c

@@ -0,0 +1,167 @@
+/*
+ * Public domain
+ *
+ * pipe2/pipe/socketpair emulation
+ * Brent Cook <bcook@openbsd.org>
+ */
+
+#include <errno.h>
+#include <fcntl.h>
+#include <unistd.h>
+#include <sys/socket.h>
+
+#undef socketpair
+
+#ifdef _WIN32
+
+static int setfd(int fd, int flag)
+{
+	int rc = -1;
+	if (flag & FD_CLOEXEC) {
+		HANDLE h = (HANDLE)_get_osfhandle(fd);
+		if (h != NULL)
+			rc = SetHandleInformation(h, HANDLE_FLAG_INHERIT, 0) == 0 ? -1 : 0;
+	}
+	return rc;
+}
+
+static int setfl(int fd, int flag)
+{
+	int rc = -1;
+	if (flag & O_NONBLOCK) {
+		long mode = 1;
+		rc = ioctlsocket(fd, FIONBIO, &mode);
+	}
+	return rc;
+}
+
+int socketpair(int domain, int type, int protocol, int socket_vector[2])
+{
+	if (domain != AF_UNIX || !(type & SOCK_STREAM) || protocol != PF_UNSPEC)
+		return -1;
+
+	socket_vector[0] = -1;
+	socket_vector[1] = -1;
+
+	int listener = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP);
+	if (listener == -1) {
+		return -1;
+	}
+
+	struct sockaddr_in addr = {
+		.sin_family = AF_INET,
+		.sin_addr.s_addr = htonl(INADDR_LOOPBACK),
+		.sin_port = 0,
+	};
+
+	int yes = 1, e;
+	if (setsockopt(listener, SOL_SOCKET, SO_REUSEADDR,
+			(void *)&yes, sizeof yes) == -1)
+		goto err;
+
+	if (bind(listener, (struct sockaddr *)&addr, sizeof addr) != 0)
+		goto err;
+
+	memset(&addr, 0, sizeof addr);
+	socklen_t addrlen = sizeof addr;
+	if (getsockname(listener, (struct sockaddr *)&addr, &addrlen) != 0)
+		goto err;
+
+	addr.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
+	addr.sin_family = AF_INET;
+
+	if (listen(listener, 1) != 0)
+		goto err;
+
+	socket_vector[0] = WSASocket(AF_INET, SOCK_STREAM, 0, NULL, 0, 0);
+	if (socket_vector[0] == -1)
+		goto err;
+
+	if (connect(socket_vector[0], (struct sockaddr *)&addr, sizeof addr) != 0)
+		goto err;
+
+	socket_vector[1] = accept(listener, NULL, NULL);
+	if (socket_vector[1] == -1)
+		goto err;
+
+	closesocket(listener);
+	return 0;
+
+err:
+	e = WSAGetLastError();
+	closesocket(listener);
+	closesocket(socket_vector[0]);
+	closesocket(socket_vector[1]);
+	WSASetLastError(e);
+	socket_vector[0] = -1;
+	socket_vector[1] = -1;
+	return -1;
+}
+
+int pipe(int fildes[2])
+{
+	return socketpair(AF_UNIX, SOCK_STREAM | SOCK_NONBLOCK, PF_UNSPEC, fildes);
+}
+
+#else
+
+static int setfd(int fd, int flag)
+{
+	int flags = fcntl(fd, F_GETFD);
+	flags |= flag;
+	return fcntl(fd, F_SETFD, flags);
+}
+
+static int setfl(int fd, int flag)
+{
+	int flags = fcntl(fd, F_GETFL);
+	flags |= flag;
+	return fcntl(fd, F_SETFL, flags);
+}
+#endif
+
+int pipe2(int fildes[2], int flags)
+{
+	int rc = pipe(fildes);
+	if (rc == 0) {
+		if (flags & O_NONBLOCK) {
+			rc |= setfl(fildes[0], O_NONBLOCK);
+			rc |= setfl(fildes[1], O_NONBLOCK);
+		}
+		if (flags & O_CLOEXEC) {
+			rc |= setfd(fildes[0], FD_CLOEXEC);
+			rc |= setfd(fildes[1], FD_CLOEXEC);
+		}
+		if (rc != 0) {
+			int e = errno;
+			close(fildes[0]);
+			close(fildes[1]);
+			errno = e;
+		}
+	}
+	return rc;
+}
+
+int bsd_socketpair(int domain, int type, int protocol, int socket_vector[2])
+{
+	int flags = type & ~0xf;
+	type &= 0xf;
+	int rc = socketpair(domain, type, protocol, socket_vector);
+	if (rc == 0) {
+		if (flags & SOCK_NONBLOCK) {
+			rc |= setfl(socket_vector[0], O_NONBLOCK);
+			rc |= setfl(socket_vector[1], O_NONBLOCK);
+		}
+		if (flags & SOCK_CLOEXEC) {
+			rc |= setfd(socket_vector[0], FD_CLOEXEC);
+			rc |= setfd(socket_vector[1], FD_CLOEXEC);
+		}
+		if (rc != 0) {
+			int e = errno;
+			close(socket_vector[0]);
+			close(socket_vector[1]);
+			errno = e;
+		}
+	}
+	return rc;
+}

tests/ocsptest.bat

@@ -0,0 +1,11 @@
+@echo off
+setlocal enabledelayedexpansion
+REM	ocsptest.bat
+
+set TEST=Debug\ocsp_test.exe
+if not exist %TEST% exit /b 1
+
+%TEST% www.amazon.com 443 & if !errorlevel! neq 0 exit /b 1
+%TEST% cloudflare.com 443 & if !errorlevel! neq 0 exit /b 1
+
+endlocal

tests/pq_test.bat

@@ -0,0 +1,14 @@
+@echo off
+setlocal enabledelayedexpansion
+REM	pq_test.bat
+
+set TEST=Debug\pq_test.exe
+if not exist %TEST% exit /b 1
+
+set pq_output=pq_output.txt
+if exist %pq_output% del %pq_output%
+
+%TEST% > %pq_output%
+fc /b %pq_output% %srcdir%\pq_expected.txt
+
+endlocal

tests/servertest.bat

@@ -0,0 +1,17 @@
+@echo off
+setlocal enabledelayedexpansion
+REM	servertest.bat
+
+set servertest_bin=Debug\servertest.exe
+if not exist %servertest_bin% exit /b 1
+
+if "%srcdir%"=="" (
+	set srcdir=.
+)
+
+%servertest_bin% %srcdir%\server.pem %srcdir%\server.pem %srcdir%\ca.pem
+if !errorlevel! neq 0 (
+	exit /b 1
+)
+
+endlocal

tests/servertest.sh

@@ -0,0 +1,13 @@
+#!/bin/sh
+set -e
+
+servertest_bin=./servertest
+if [ -e ./servertest.exe ]; then
+	servertest_bin=./servertest.exe
+fi
+
+if [ -z $srcdir ]; then
+	srcdir=.
+fi
+
+$servertest_bin $srcdir/server.pem $srcdir/server.pem $srcdir/ca.pem

tests/ssltest.bat

@@ -0,0 +1,21 @@
+@echo off
+setlocal enabledelayedexpansion
+REM	ssltest.bat
+
+set ssltest_bin=Debug\ssltest.exe
+if not exist %ssltest_bin% exit /b 1
+
+set openssl_bin=..\apps\openssl\Debug\openssl.exe
+if not exist %openssl_bin% exit /b 1
+
+if "%srcdir%"=="" (
+	set srcdir=.
+)
+
+%srcdir%\testssl.bat %srcdir%\server.pem %srcdir%\server.pem %srcdir%\ca.pem ^
+    %ssltest_bin% %openssl_bin%
+if !errorlevel! neq 0 (
+	exit /b 1
+)
+
+endlocal

tests/testdsa.bat

@@ -0,0 +1,38 @@
+@echo off
+setlocal enabledelayedexpansion
+REM	testdsa.bat
+
+
+REM # Test DSA certificate generation of openssl
+
+set cmd=..\apps\openssl\Debug\openssl.exe
+if not exist %cmd% exit /b 1
+
+if "%srcdir%"=="" (
+	set srcdir=.
+)
+
+REM # Generate DSA paramter set
+%cmd% dsaparam 512 -out dsa512.pem
+if !errorlevel! neq 0 (
+	exit /b 1
+)
+
+
+REM # Generate a DSA certificate
+%cmd% req -config %srcdir%\openssl.cnf -x509 -newkey dsa:dsa512.pem -out testdsa.pem -keyout testdsa.key
+if !errorlevel! neq 0 (
+	exit /b 1
+)
+
+
+REM # Now check the certificate
+%cmd% x509 -text -in testdsa.pem
+if !errorlevel! neq 0 (
+	exit /b 1
+)
+
+del testdsa.key dsa512.pem testdsa.pem
+
+exit /b 0
+endlocal

tests/testenc.bat

@@ -0,0 +1,69 @@
+@echo off
+setlocal enabledelayedexpansion
+REM	testenc.bat
+
+set test=p
+set cmd=..\apps\openssl\Debug\openssl.exe
+if not exist %cmd% exit /b 1
+
+set srcdir=..\..\tests
+
+copy %srcdir%\openssl.cnf %test%
+
+echo cat
+%cmd% enc -in %test% -out %test%.cipher
+%cmd% enc -in %test%.cipher -out %test%.clear
+fc /b %test% %test%.clear
+if !errorlevel! neq 0 (
+	exit /b 1
+) else (
+	del %test%.cipher %test%.clear
+)
+
+echo base64
+%cmd% enc -a -e -in %test% -out %test%.cipher
+%cmd% enc -a -d -in %test%.cipher -out %test%.clear
+fc /b %test% %test%.clear
+if !errorlevel! neq 0 (
+	exit /b 1
+) else (
+	del %test%.cipher %test%.clear
+)
+
+for %%i in (
+	aes-128-cbc aes-128-cfb aes-128-cfb1 aes-128-cfb8
+	aes-128-ecb aes-128-ofb aes-192-cbc aes-192-cfb
+	aes-192-cfb1 aes-192-cfb8 aes-192-ecb aes-192-ofb
+	aes-256-cbc aes-256-cfb aes-256-cfb1 aes-256-cfb8
+	aes-256-ecb aes-256-ofb
+	bf-cbc bf-cfb bf-ecb bf-ofb
+	cast-cbc cast5-cbc cast5-cfb cast5-ecb cast5-ofb
+	des-cbc des-cfb des-cfb8 des-ecb des-ede
+	des-ede-cbc des-ede-cfb des-ede-ofb des-ede3
+	des-ede3-cbc des-ede3-cfb des-ede3-ofb des-ofb desx-cbc
+	rc2-40-cbc rc2-64-cbc rc2-cbc rc2-cfb rc2-ecb rc2-ofb
+	rc4 rc4-40
+) do (
+	echo %%i
+	%cmd% %%i -e -k test -in %test% -out %test%.%%i.cipher
+	%cmd% %%i -d -k test -in %test%.%%i.cipher -out %test%.%%i.clear
+	fc /b %test% %test%.%%i.clear
+	if !errorlevel! neq 0 (
+		exit /b 1
+	) else (
+		del %test%.%%i.cipher %test%.%%i.clear
+	)
+
+	echo %%i base64
+	%cmd% %%i -a -e -k test -in %test% -out %test%.%%i.cipher
+	%cmd% %%i -a -d -k test -in %test%.%%i.cipher -out %test%.%%i.clear
+	fc /b %test% %test%.%%i.clear
+	if !errorlevel! neq 0 (
+		exit /b 1
+	) else (
+		del %test%.%%i.cipher %test%.%%i.clear
+	)
+)
+
+del %test%
+endlocal

tests/testrsa.bat

@@ -0,0 +1,38 @@
+@echo off
+setlocal enabledelayedexpansion
+REM	testrsa.bat
+
+
+REM # Test RSA certificate generation of openssl
+
+set cmd=..\apps\openssl\Debug\openssl.exe
+if not exist %cmd% exit /b 1
+
+if "%srcdir%"=="" (
+	set srcdir=.
+)
+
+REM # Generate RSA private key
+%cmd% genrsa -out rsakey.pem
+if !errorlevel! neq 0 (
+	exit /b 1
+)
+
+
+REM # Generate an RSA certificate
+%cmd% req -config %srcdir%\openssl.cnf -key rsakey.pem -new -x509 -days 365 -out rsacert.pem
+if !errorlevel! neq 0 (
+	exit /b 1
+)
+
+
+REM # Now check the certificate
+%cmd% x509 -text -in rsacert.pem
+if !errorlevel! neq 0 (
+	exit /b 1
+)
+
+del rsacert.pem rsakey.pem
+
+exit /b 0
+endlocal

tests/testssl.bat

@@ -0,0 +1,157 @@
+@echo off
+setlocal enabledelayedexpansion
+REM	testssl.bat
+
+set key=%1
+set cert=%2
+set CA=-CAfile %3
+set ssltest=%4 -key %key% -cert %cert% -c_key %key% -c_cert %cert%
+set openssl=%5
+set extra=%6
+
+%openssl% version & if !errorlevel! neq 0 exit /b 1
+
+for /f "usebackq" %%s in (`%openssl% x509 -in %cert% -text -noout ^| find /c "DSA Public Key"`) do set lines=%%s
+if %lines% gtr 0 (
+  set dsa_cert=YES
+) else (
+  set dsa_cert=NO
+)
+
+REM #########################################################################
+
+echo test sslv2/sslv3
+%ssltest% %extra% & if !errorlevel! neq 0 exit /b 1
+
+echo test sslv2/sslv3 with server authentication
+%ssltest% -server_auth %CA% %extra% & if !errorlevel! neq 0 exit /b 1
+
+echo test sslv2/sslv3 with client authentication
+%ssltest% -client_auth %CA% %extra% & if !errorlevel! neq 0 exit /b 1
+
+echo test sslv2/sslv3 with both client and server authentication
+%ssltest% -server_auth -client_auth %CA% %extra% & if !errorlevel! neq 0 exit /b 1
+
+echo test sslv2/sslv3 via BIO pair
+%ssltest% %extra% & if !errorlevel! neq 0 exit /b 1
+
+if %dsa_cert%==NO (
+  echo "test sslv2/sslv3 w/o (EC)DHE via BIO pair"
+  %ssltest% -bio_pair -no_dhe -no_ecdhe %extra% & if !errorlevel! neq 0 exit /b 1
+)
+
+echo test sslv2/sslv3 with 1024bit DHE via BIO pair
+%ssltest% -bio_pair -dhe1024dsa -v %extra% & if !errorlevel! neq 0 exit /b 1
+
+echo test sslv2/sslv3 with server authentication
+%ssltest% -bio_pair -server_auth %CA% %extra% & if !errorlevel! neq 0 exit /b 1
+
+echo test sslv2/sslv3 with client authentication via BIO pair
+%ssltest% -bio_pair -client_auth %CA% %extra% & if !errorlevel! neq 0 exit /b 1
+
+echo test sslv2/sslv3 with both client and server authentication via BIO pair
+%ssltest% -bio_pair -server_auth -client_auth %CA% %extra% & if !errorlevel! neq 0 exit /b 1
+
+echo test sslv2/sslv3 with both client and server authentication via BIO pair and app verify
+%ssltest% -bio_pair -server_auth -client_auth -app_verify %CA% %extra% & if !errorlevel! neq 0 exit /b 1
+
+echo "Testing ciphersuites"
+for %%p in ( TLSv1.2 ) do (
+  echo "Testing ciphersuites for %%p"
+  for /f "usebackq" %%c in (`%openssl% ciphers -v "%%p+aRSA"`) do (
+    echo "Testing %%c"
+    %ssltest% -cipher %%c
+    if !errorlevel! neq 0 (
+      echo "Failed %%c"
+      exit /b 1
+    )
+  )
+)
+
+REM ##########################################################################
+
+for /f "usebackq" %%s in (`%openssl% no-dh`) do set nodh=%%s
+if %nodh%==no-dh (
+  echo skipping anonymous DH tests
+) else (
+  echo test tls1 with 1024bit anonymous DH, multiple handshakes
+  %ssltest% -v -bio_pair -tls1 -cipher ADH -dhe1024dsa -num 10 -f -time %extra% & if !errorlevel! neq 0 exit /b 1
+)
+
+REM #for /f "usebackq" %%s in (`%openssl% no-rsa`) do set norsa=%%s
+REM #if %norsa%==no-rsa (
+REM #  echo skipping RSA tests
+REM #) else (
+REM #  echo "test tls1 with 1024bit RSA, no (EC)DHE, multiple handshakes"
+REM #  %ssltest% -v -bio_pair -tls1 -cert ..\apps\server2.pem -no_dhe -no_ecdhe -num 10 -f -time %extra% & if !errorlevel! neq 0 exit /b 1
+REM #
+REM #  for /f "usebackq" %%s in (`%openssl% no-dh`) do set nodh=%%s
+REM #  if %nodh%==no-dh (
+REM #    echo skipping RSA+DHE tests
+REM #  ) else (
+REM #    echo test tls1 with 1024bit RSA, 1024bit DHE, multiple handshakes
+REM #    %ssltest% -v -bio_pair -tls1 -cert ..\apps\server2.pem -dhe1024dsa -num 10 -f -time %extra% & if !errorlevel! neq 0 exit /b 1
+REM #  )
+REM #)
+
+REM #
+REM # DTLS tests
+REM #
+
+echo test dtlsv1
+%ssltest% -dtls1 %extra% & if !errorlevel! neq 0 exit /b 1
+
+echo test dtlsv1 with server authentication
+%ssltest% -dtls1 -server_auth %CA% %extra% & if !errorlevel! neq 0 exit /b 1
+
+echo test dtlsv1 with client authentication
+%ssltest% -dtls1 -client_auth %CA% %extra% & if !errorlevel! neq 0 exit /b 1
+
+echo test dtlsv1 with both client and server authentication
+%ssltest% -dtls1 -server_auth -client_auth %CA% %extra% & if !errorlevel! neq 0 exit /b 1
+
+echo "Testing DTLS ciphersuites"
+for %%p in ( SSLv3 ) do (
+  echo "Testing ciphersuites for %%p"
+  for /f "usebackq" %%c in (`%openssl% ciphers -v "RSA+%%p:-RC4"`) do (
+    echo "Testing %%c"
+    %ssltest% -cipher %%c -dtls1
+    if !errorlevel! neq 0 (
+      echo "Failed %%c"
+      exit /b 1
+    )
+  )
+)
+
+REM #
+REM # Next Protocol Negotiation tests
+REM #
+echo "Testing NPN..."
+%ssltest% -bio_pair -tls1 -npn_client & if !errorlevel! neq 0 exit /b 1
+%ssltest% -bio_pair -tls1 -npn_server & if !errorlevel! neq 0 exit /b 1
+%ssltest% -bio_pair -tls1 -npn_server_reject & if !errorlevel! neq 0 exit /b 1
+%ssltest% -bio_pair -tls1 -npn_client -npn_server_reject & if !errorlevel! neq 0 exit /b 1
+%ssltest% -bio_pair -tls1 -npn_client -npn_server & if !errorlevel! neq 0 exit /b 1
+%ssltest% -bio_pair -tls1 -npn_client -npn_server -num 2 & if !errorlevel! neq 0 exit /b 1
+%ssltest% -bio_pair -tls1 -npn_client -npn_server -num 2 -reuse & if !errorlevel! neq 0 exit /b 1
+
+REM #
+REM # ALPN tests
+REM #
+echo "Testing ALPN..."
+%ssltest% -bio_pair -tls1 -alpn_client foo -alpn_server bar & if !errorlevel! neq 0 exit /b 1
+%ssltest% -bio_pair -tls1 -alpn_client foo -alpn_server foo ^
+  -alpn_expected foo & if !errorlevel! neq 0 exit /b 1
+%ssltest% -bio_pair -tls1 -alpn_client foo,bar -alpn_server foo ^
+  -alpn_expected foo & if !errorlevel! neq 0 exit /b 1
+%ssltest% -bio_pair -tls1 -alpn_client bar,foo -alpn_server foo ^
+  -alpn_expected foo & if !errorlevel! neq 0 exit /b 1
+%ssltest% -bio_pair -tls1 -alpn_client bar,foo -alpn_server foo,bar ^
+  -alpn_expected foo & if !errorlevel! neq 0 exit /b 1
+%ssltest% -bio_pair -tls1 -alpn_client bar,foo -alpn_server bar,foo ^
+  -alpn_expected bar & if !errorlevel! neq 0 exit /b 1
+%ssltest% -bio_pair -tls1 -alpn_client foo,bar -alpn_server bar,foo ^
+  -alpn_expected bar & if !errorlevel! neq 0 exit /b 1
+%ssltest% -bio_pair -tls1 -alpn_client baz -alpn_server bar,foo & if !errorlevel! neq 0 exit /b 1
+
+endlocal

tests/tlstest.bat

@@ -0,0 +1,17 @@
+@echo off
+setlocal enabledelayedexpansion
+REM	tlstest.bat
+
+set tlstest_bin=Debug\tlstest.exe
+if not exist %tlstest_bin% exit /b 1
+
+if "%srcdir%"=="" (
+	set srcdir=.
+)
+
+%tlstest_bin% %srcdir%\server.pem %srcdir%\server.pem %srcdir%\ca.pem
+if !errorlevel! neq 0 (
+	exit /b 1
+)
+
+endlocal

tests/tlstest.sh

@@ -0,0 +1,13 @@
+#!/bin/sh
+set -e
+
+tlstest_bin=./tlstest
+if [ -e ./tlstest.exe ]; then
+	tlstest_bin=./tlstest.exe
+fi
+
+if [ -z $srcdir ]; then
+	srcdir=.
+fi
+
+$tlstest_bin $srcdir/server.pem $srcdir/server.pem $srcdir/ca.pem

tls/CMakeLists.txt

@@ -7,36 +7,41 @@ include_directories(
 set(
 	TLS_SRC
 	tls.c
+	tls_bio_cb.c
 	tls_client.c
 	tls_config.c
 	tls_conninfo.c
 	tls_server.c
+	tls_ocsp.c
 	tls_peer.c
 	tls_util.c
 	tls_verify.c
 )
 
 
-if(NOT HAVE_STRSEP)
-	set(TLS_SRC ${TLS_SRC} strsep.c)
-endif()
-
 if(NOT "${OPENSSLDIR}" STREQUAL "")
 	add_definitions(-D_PATH_SSL_CA_FILE=\"${OPENSSLDIR}/cert.pem\")
 else()
 	add_definitions(-D_PATH_SSL_CA_FILE=\"${CMAKE_INSTALL_PREFIX}/etc/ssl/cert.pem\")
 endif()
 
-if (BUILD_SHARED)
 add_library(tls-objects OBJECT ${TLS_SRC})
+if (BUILD_SHARED)
 	add_library(tls STATIC $<TARGET_OBJECTS:tls-objects>)
 	add_library(tls-shared SHARED $<TARGET_OBJECTS:tls-objects>)
-	set_target_properties(tls-shared PROPERTIES OUTPUT_NAME tls)
+	export_symbol(tls-shared ${CMAKE_CURRENT_SOURCE_DIR}/tls.sym)
+	if (WIN32)
+		target_link_libraries(tls-shared ssl-shared crypto-shared Ws2_32.lib)
+		set(TLS_POSTFIX -${TLS_MAJOR_VERSION})
+	endif()
+	set_target_properties(tls-shared PROPERTIES
+		OUTPUT_NAME tls${TLS_POSTFIX}
+		ARCHIVE_OUTPUT_NAME tls${TLS_POSTFIX})
 	set_target_properties(tls-shared PROPERTIES VERSION ${TLS_VERSION}
 		SOVERSION ${TLS_MAJOR_VERSION})
-	install(TARGETS tls tls-shared DESTINATION lib)
+	install(TARGETS tls tls-shared DESTINATION ${CMAKE_INSTALL_LIBDIR})
 else()
 	add_library(tls STATIC ${TLS_SRC})
-	install(TARGETS tls DESTINATION lib)
+	install(TARGETS tls DESTINATION ${CMAKE_INSTALL_LIBDIR})
 endif()
 

tls/Makefile.am

@@ -4,8 +4,9 @@ lib_LTLIBRARIES = libtls.la
 
 EXTRA_DIST = VERSION
 EXTRA_DIST += CMakeLists.txt
+EXTRA_DIST += tls.sym
 
-libtls_la_LDFLAGS = -version-info @LIBTLS_VERSION@ -no-undefined
+libtls_la_LDFLAGS = -version-info @LIBTLS_VERSION@ -no-undefined -export-symbols $(top_srcdir)/tls/tls.sym
 libtls_la_LIBADD = $(abs_top_builddir)/ssl/libssl.la
 libtls_la_LIBADD += $(abs_top_builddir)/crypto/libcrypto.la
 libtls_la_LIBADD += $(PLATFORM_LDADD)
@@ -19,14 +20,12 @@ endif
 
 libtls_la_SOURCES = tls.c
 libtls_la_SOURCES += tls_client.c
+libtls_la_SOURCES += tls_bio_cb.c
 libtls_la_SOURCES += tls_config.c
 libtls_la_SOURCES += tls_conninfo.c
 libtls_la_SOURCES += tls_server.c
+libtls_la_SOURCES += tls_ocsp.c
 libtls_la_SOURCES += tls_peer.c
 libtls_la_SOURCES += tls_util.c
 libtls_la_SOURCES += tls_verify.c
 noinst_HEADERS = tls_internal.h
-
-if !HAVE_STRSEP
-libtls_la_SOURCES += strsep.c
-endif

update.sh

@@ -26,15 +26,16 @@ libssl_src=$CWD/openbsd/src/lib/libssl
 libssl_regress=$CWD/openbsd/src/regress/lib/libssl
 libtls_src=$CWD/openbsd/src/lib/libtls
 libtls_regress=$CWD/openbsd/src/regress/lib/libtls
-app_src=$CWD/openbsd/src/usr.bin
+bin_src=$CWD/openbsd/src/usr.bin
+sbin_src=$CWD/openbsd/src/usr.sbin
 
 # load library versions
-. $libcrypto_src/crypto/shlib_version
+. $libcrypto_src/shlib_version
 libcrypto_version=$major:$minor:0
 echo "libcrypto version $libcrypto_version"
 echo $libcrypto_version > crypto/VERSION
 
-. $libssl_src/ssl/shlib_version
+. $libssl_src/shlib_version
 libssl_version=$major:$minor:0
 echo "libssl version $libssl_version"
 echo $libssl_version > ssl/VERSION
@@ -62,11 +63,11 @@ CP_LIBC='do_cp_libc'
 
 CP='cp -p'
 
-$CP $libssl_src/src/LICENSE COPYING
+$CP $libssl_src/LICENSE COPYING
 
-$CP $libcrypto_src/crypto/arch/amd64/opensslconf.h include/openssl
-$CP $libssl_src/src/crypto/opensslfeatures.h include/openssl
-$CP $libssl_src/src/ssl/pqueue.h include
+$CP $libcrypto_src/arch/amd64/opensslconf.h include/openssl
+$CP $libcrypto_src/opensslfeatures.h include/openssl
+$CP $libssl_src/pqueue.h include
 
 $CP $libtls_src/tls.h include
 $CP $libtls_src/tls.h libtls-standalone/include
@@ -75,17 +76,20 @@ for i in crypto/compat libtls-standalone/compat; do
 	for j in $libc_src/crypt/arc4random.c \
 	    $libc_src/crypt/arc4random_uniform.c \
 	    $libc_src/crypt/chacha_private.h \
-	    $libc_src/string/explicit_bzero.c \
+	    $libc_src/net/inet_pton.c \
 	    $libc_src/stdlib/reallocarray.c \
+	    $libc_src/stdlib/recallocarray.c \
+	    $libc_src/string/explicit_bzero.c \
 	    $libc_src/string/strcasecmp.c \
 	    $libc_src/string/strlcpy.c \
 	    $libc_src/string/strlcat.c \
 	    $libc_src/string/strndup.c \
 	    $libc_src/string/strnlen.c \
+	    $libc_src/string/strsep.c \
 	    $libc_src/string/timingsafe_bcmp.c \
 	    $libc_src/string/timingsafe_memcmp.c \
-	    $libcrypto_src/crypto/getentropy_*.c \
-	    $libcrypto_src/crypto/arc4random_*.h; do
+	    $libcrypto_src/arc4random/getentropy_*.c \
+	    $libcrypto_src/arc4random/arc4random_*.h; do
 		$CP_LIBC $j $i
 	done
 done
@@ -99,36 +103,36 @@ $CP crypto/compat/arc4random*.h \
 	crypto/compat/bsd-asprintf.c \
 	libtls-standalone/compat
 
-(cd $libssl_src/src/crypto/objects/;
+(cd $libcrypto_src/objects/;
 	perl objects.pl objects.txt obj_mac.num obj_mac.h;
 	perl obj_dat.pl obj_mac.h obj_dat.h )
 mkdir -p include/openssl crypto/objects
-$MV $libssl_src/src/crypto/objects/obj_mac.h ./include/openssl/obj_mac.h
-$MV $libssl_src/src/crypto/objects/obj_dat.h ./crypto/objects/obj_dat.h
+$MV $libcrypto_src/objects/obj_mac.h ./include/openssl/obj_mac.h
+$MV $libcrypto_src/objects/obj_dat.h ./crypto/objects/obj_dat.h
 
 copy_hdrs() {
 	for file in $2; do
-		$CP $libssl_src/src/$1/$file include/openssl
+		$CP $1/$file include/openssl
 	done
 }
 
-copy_hdrs crypto "stack/stack.h lhash/lhash.h stack/safestack.h
+copy_hdrs $libcrypto_src "stack/stack.h lhash/lhash.h stack/safestack.h
 	ossl_typ.h err/err.h crypto.h comp/comp.h x509/x509.h buffer/buffer.h
 	objects/objects.h asn1/asn1.h bn/bn.h ec/ec.h ecdsa/ecdsa.h
 	ecdh/ecdh.h rsa/rsa.h sha/sha.h x509/x509_vfy.h pkcs7/pkcs7.h pem/pem.h
 	pem/pem2.h hmac/hmac.h rand/rand.h md5/md5.h
-	krb5/krb5_asn.h asn1/asn1_mac.h x509v3/x509v3.h conf/conf.h ocsp/ocsp.h
+	asn1/asn1_mac.h x509v3/x509v3.h conf/conf.h ocsp/ocsp.h
 	aes/aes.h modes/modes.h asn1/asn1t.h dso/dso.h bf/blowfish.h
 	bio/bio.h cast/cast.h cmac/cmac.h conf/conf_api.h des/des.h dh/dh.h
-	dsa/dsa.h cms/cms.h engine/engine.h ui/ui.h pkcs12/pkcs12.h ts/ts.h
+	dsa/dsa.h engine/engine.h ui/ui.h pkcs12/pkcs12.h ts/ts.h
 	md4/md4.h ripemd/ripemd.h whrlpool/whrlpool.h idea/idea.h
 	rc2/rc2.h rc4/rc4.h ui/ui_compat.h txt_db/txt_db.h
 	chacha/chacha.h evp/evp.h poly1305/poly1305.h camellia/camellia.h
-	gost/gost.h"
+	gost/gost.h curve25519/curve25519.h"
 
-copy_hdrs ssl "srtp.h ssl.h ssl2.h ssl3.h ssl23.h tls1.h dtls1.h"
+copy_hdrs $libssl_src "srtp.h ssl.h ssl2.h ssl3.h ssl23.h tls1.h dtls1.h"
 
-$CP $libssl_src/src/crypto/opensslv.h include/openssl
+$CP $libcrypto_src/opensslv.h include/openssl
 awk '/LIBRESSL_VERSION_TEXT/ {print $4}' < include/openssl/opensslv.h | cut -d\" -f1 > VERSION
 echo "LibreSSL version `cat VERSION`"
 
@@ -139,16 +143,18 @@ for i in `awk '/SOURCES|HEADERS/ { print $3 }' crypto/Makefile.am` ; do
 	dir=`dirname $i`
 	mkdir -p crypto/$dir
 	if [ $dir != "compat" ]; then
-		if [ -e $libssl_src/src/crypto/$i ]; then
-			$CP $libssl_src/src/crypto/$i crypto/$i
+		if [ -e $libcrypto_src/$i ]; then
+			$CP $libcrypto_src/$i crypto/$i
 		fi
 	fi
 done
 $CP crypto/compat/b_win.c crypto/bio
 $CP crypto/compat/ui_openssl_win.c crypto/ui
+# add the libcrypto symbol export list
+grep -v OPENSSL_ia32cap_P $libcrypto_src/Symbols.list | grep '^[[:alpha:]]' > crypto/crypto.sym
 
 # generate assembly crypto algorithms
-asm_src=$libssl_src/src/crypto
+asm_src=$libcrypto_src
 gen_asm_stdout() {
 	perl $asm_src/$2 $1 > $3.tmp
 	[ $1 = "elf" ] && cat <<-EOF >> $3.tmp
@@ -169,24 +175,24 @@ gen_asm() {
 }
 for abi in elf macosx; do
 	echo generating ASM source for $abi
-	gen_asm_stdout $abi aes/asm/aes-x86_64.pl        crypto/aes/aes-$abi-x86_64.s
-	gen_asm_stdout $abi aes/asm/vpaes-x86_64.pl      crypto/aes/vpaes-$abi-x86_64.s
-	gen_asm_stdout $abi aes/asm/bsaes-x86_64.pl      crypto/aes/bsaes-$abi-x86_64.s
-	gen_asm_stdout $abi aes/asm/aesni-x86_64.pl      crypto/aes/aesni-$abi-x86_64.s
-	gen_asm_stdout $abi aes/asm/aesni-sha1-x86_64.pl crypto/aes/aesni-sha1-$abi-x86_64.s
-	gen_asm_stdout $abi bn/asm/modexp512-x86_64.pl   crypto/bn/modexp512-$abi-x86_64.s
-	gen_asm_stdout $abi bn/asm/x86_64-mont.pl        crypto/bn/mont-$abi-x86_64.s
-	gen_asm_stdout $abi bn/asm/x86_64-mont5.pl       crypto/bn/mont5-$abi-x86_64.s
-	gen_asm_stdout $abi bn/asm/x86_64-gf2m.pl        crypto/bn/gf2m-$abi-x86_64.s
-	gen_asm_stdout $abi camellia/asm/cmll-x86_64.pl  crypto/camellia/cmll-$abi-x86_64.s
-	gen_asm_stdout $abi md5/asm/md5-x86_64.pl        crypto/md5/md5-$abi-x86_64.s
-	gen_asm_stdout $abi modes/asm/ghash-x86_64.pl    crypto/modes/ghash-$abi-x86_64.s
-	gen_asm_stdout $abi rc4/asm/rc4-x86_64.pl        crypto/rc4/rc4-$abi-x86_64.s
-	gen_asm_stdout $abi rc4/asm/rc4-md5-x86_64.pl    crypto/rc4/rc4-md5-$abi-x86_64.s
-	gen_asm_stdout $abi sha/asm/sha1-x86_64.pl       crypto/sha/sha1-$abi-x86_64.s
+	gen_asm_stdout $abi aes/asm/aes-x86_64.pl        crypto/aes/aes-$abi-x86_64.S
+	gen_asm_stdout $abi aes/asm/vpaes-x86_64.pl      crypto/aes/vpaes-$abi-x86_64.S
+	gen_asm_stdout $abi aes/asm/bsaes-x86_64.pl      crypto/aes/bsaes-$abi-x86_64.S
+	gen_asm_stdout $abi aes/asm/aesni-x86_64.pl      crypto/aes/aesni-$abi-x86_64.S
+	gen_asm_stdout $abi aes/asm/aesni-sha1-x86_64.pl crypto/aes/aesni-sha1-$abi-x86_64.S
+	gen_asm_stdout $abi bn/asm/modexp512-x86_64.pl   crypto/bn/modexp512-$abi-x86_64.S
+	gen_asm_stdout $abi bn/asm/x86_64-mont.pl        crypto/bn/mont-$abi-x86_64.S
+	gen_asm_stdout $abi bn/asm/x86_64-mont5.pl       crypto/bn/mont5-$abi-x86_64.S
+	gen_asm_stdout $abi bn/asm/x86_64-gf2m.pl        crypto/bn/gf2m-$abi-x86_64.S
+	gen_asm_stdout $abi camellia/asm/cmll-x86_64.pl  crypto/camellia/cmll-$abi-x86_64.S
+	gen_asm_stdout $abi md5/asm/md5-x86_64.pl        crypto/md5/md5-$abi-x86_64.S
+	gen_asm_stdout $abi modes/asm/ghash-x86_64.pl    crypto/modes/ghash-$abi-x86_64.S
+	gen_asm_stdout $abi rc4/asm/rc4-x86_64.pl        crypto/rc4/rc4-$abi-x86_64.S
+	gen_asm_stdout $abi rc4/asm/rc4-md5-x86_64.pl    crypto/rc4/rc4-md5-$abi-x86_64.S
+	gen_asm_stdout $abi sha/asm/sha1-x86_64.pl       crypto/sha/sha1-$abi-x86_64.S
 	gen_asm        $abi sha/asm/sha512-x86_64.pl     crypto/sha/sha256-$abi-x86_64.S
 	gen_asm        $abi sha/asm/sha512-x86_64.pl     crypto/sha/sha512-$abi-x86_64.S
-	gen_asm_stdout $abi whrlpool/asm/wp-x86_64.pl    crypto/whrlpool/wp-$abi-x86_64.s
+	gen_asm_stdout $abi whrlpool/asm/wp-x86_64.pl    crypto/whrlpool/wp-$abi-x86_64.S
 	gen_asm        $abi x86_64cpuid.pl               crypto/cpuid-$abi-x86_64.S
 done
 
@@ -199,9 +205,8 @@ for i in `awk '/SOURCES|HEADERS/ { print $3 }' tls/Makefile.am` ; do
 		$CP $libtls_src/$i libtls-standalone/src
 	fi
 done
-
-$CP_LIBC $libc_src/string/strsep.c tls
-$CP_LIBC $libc_src/string/strsep.c libtls-standalone/compat
+# add the libtls symbol export list
+grep '^[[:alpha:]]' < $libtls_src/Symbols.list > tls/tls.sym
 
 mkdir -p libtls-standalone/m4
 $CP m4/check*.m4 \
@@ -212,25 +217,38 @@ sed -e "s/compat\///" crypto/Makefile.am.arc4random > \
 
 # copy nc(1) source
 echo "copying nc(1) source"
-$CP $app_src/nc/nc.1 apps/nc
+$CP $bin_src/nc/nc.1 apps/nc
 rm -f apps/nc/*.c apps/nc/*.h
+$CP_LIBC $libc_src/net/base64.c apps/nc/compat
 $CP_LIBC $libc_src/stdlib/strtonum.c apps/nc/compat
 for i in `awk '/SOURCES|HEADERS|MANS/ { print $3 }' apps/nc/Makefile.am` ; do
-	if [ -e $app_src/nc/$i ]; then
-		$CP $app_src/nc/$i apps/nc
+	if [ -e $bin_src/nc/$i ]; then
+		$CP $bin_src/nc/$i apps/nc
+	fi
+done
+
+# copy ocspcheck(1) source
+echo "copying ocspcheck(1) source"
+$CP $sbin_src/ocspcheck/ocspcheck.8 apps/ocspcheck
+rm -f apps/ocspcheck/*.c apps/ocspcheck/*.h
+$CP_LIBC $libc_src/net/inet_ntop.c apps/ocspcheck/compat
+$CP_LIBC $libc_src/string/memmem.c apps/ocspcheck/compat
+for i in `awk '/SOURCES|HEADERS|MANS/ { print $3 }' apps/ocspcheck/Makefile.am` ; do
+	if [ -e $sbin_src/ocspcheck/$i ]; then
+		$CP $sbin_src/ocspcheck/$i apps/ocspcheck
 	fi
 done
 
 # copy openssl(1) source
 echo "copying openssl(1) source"
-$CP $app_src/openssl/openssl.1 apps/openssl
+$CP $bin_src/openssl/openssl.1 apps/openssl
 $CP_LIBC $libc_src/stdlib/strtonum.c apps/openssl/compat
 $CP $libcrypto_src/cert.pem apps/openssl
 $CP $libcrypto_src/openssl.cnf apps/openssl
 $CP $libcrypto_src/x509v3.cnf apps/openssl
 for i in `awk '/SOURCES|HEADERS|MANS/ { print $3 }' apps/openssl/Makefile.am` ; do
-	if [ -e $app_src/openssl/$i ]; then
-		$CP $app_src/openssl/$i apps/openssl
+	if [ -e $bin_src/openssl/$i ]; then
+		$CP $bin_src/openssl/$i apps/openssl
 	fi
 done
 
@@ -238,8 +256,10 @@ done
 echo "copying libssl source"
 rm -f ssl/*.c ssl/*.h
 for i in `awk '/SOURCES|HEADERS/ { print $3 }' ssl/Makefile.am` ; do
-	$CP $libssl_src/src/ssl/$i ssl
+	$CP $libssl_src/$i ssl
 done
+# add the libssl symbol export list
+grep '^[[:alpha:]]' < $libssl_src/Symbols.list > ssl/ssl.sym
 
 # copy libcrypto tests
 echo "copying tests"
@@ -248,12 +268,11 @@ for i in `find $libcrypto_regress -name '*.c'`; do
 done
 $CP $libcrypto_regress/evp/evptests.txt tests
 $CP $libcrypto_regress/aead/aeadtests.txt tests
-$CP $libcrypto_regress/pqueue/expected.txt tests/pq_expected.txt
 
 # copy libc tests
 $CP $libc_regress/arc4random-fork/arc4random-fork.c tests/arc4randomforktest.c
 $CP $libc_regress/explicit_bzero/explicit_bzero.c tests
-$CP_LIBC $libc_src/string/memmem.c tests
+$CP_LIBC $libc_src/string/memmem.c tests/compat
 $CP $libc_regress/timingsafe/timingsafe.c tests
 
 # copy libssl tests
@@ -264,6 +283,7 @@ done
 $CP $libssl_regress/unit/tests.h tests
 $CP $libssl_regress/certs/ca.pem tests
 $CP $libssl_regress/certs/server.pem tests
+$CP $libssl_regress/pqueue/expected.txt tests/pq_expected.txt
 
 # copy libtls tests
 for i in `find $libtls_regress -name '*.c'`; do
@@ -287,7 +307,7 @@ add_man_links() {
 	for i in `grep $filter man/links`; do
 		IFS=","; set $i; unset IFS
 		if [ "$2" != "" ]; then
-			echo "	ln -sf $1 \$(DESTDIR)\$(mandir)/man3/$2" >> $dest
+			echo "	ln -sf \"$1\" \"\$(DESTDIR)\$(mandir)/man3/$2\"" >> $dest
 		fi
 	done
 	echo "" >> $dest
@@ -295,7 +315,7 @@ add_man_links() {
 	for i in `grep $filter man/links`; do
 		IFS=","; set $i; unset IFS
 		if [ "$2" != "" ]; then
-			echo "	-rm -f \$(DESTDIR)\$(mandir)/man3/$2" >> $dest
+			echo "	-rm -f \"\$(DESTDIR)\$(mandir)/man3/$2\"" >> $dest
 		fi
 	done
 }
@@ -315,12 +335,8 @@ echo "copying manpages"
 echo EXTRA_DIST = CMakeLists.txt > man/Makefile.am
 echo dist_man_MANS = >> man/Makefile.am
 
-$CP $libtls_src/tls_init.3 man
-echo "dist_man_MANS += tls_init.3" >> man/Makefile.am
-
 (cd man
-	# update new-style manpages
-	for i in `ls -1 $libssl_src/src/doc/ssl/*.3 | sort`; do
+	for i in `ls -1 $libssl_src/man/*.3 | sort`; do
 		NAME=`basename "$i"`
 		$CP $i .
 		echo "dist_man_MANS += $NAME" >> Makefile.am
@@ -332,24 +348,10 @@ echo "dist_man_MANS += tls_init.3" >> man/Makefile.am
 		echo "dist_man_MANS += $NAME" >> Makefile.am
 	done
 
-	# convert remaining POD manpages
-	for i in `ls -1 $libssl_src/src/doc/crypto/*.pod | sort`; do
-		BASE=`echo $i|sed -e "s/\.pod//"`
-		NAME=`basename "$BASE"`
-		# reformat file if new
-		if [ ! -f $NAME.3 -o $BASE.pod -nt $NAME.3 -o ../include/openssl/opensslv.h -nt $NAME.3 ]; then
-			echo processing $NAME
-			pod2man --official --release="LibreSSL $VERSION" --center=LibreSSL \
-				--section=3 $POD2MAN --name=$NAME < $BASE.pod > $NAME.3
-		fi
-		echo "dist_man_MANS += $NAME.3" >> Makefile.am
+	for i in `ls -1 $libtls_src/man/*.3 | sort`; do
+		NAME=`basename "$i"`
+		$CP $i .
+		echo "dist_man_MANS += $NAME" >> Makefile.am
 	done
 )
 add_man_links . man/Makefile.am
-
-# standalone libtls manpages
-mkdir -p libtls-standalone/man
-echo "dist_man_MANS = tls_init.3" > libtls-standalone/man/Makefile.am
-
-$CP $libtls_src/tls_init.3 libtls-standalone/man
-add_man_links tls_init libtls-standalone/man/Makefile.am