remove duplcate changelog entry

we currently do it at configure time, which makes this a generated
source, but generated sources should be cleaned up, which breaks
'make clean; make'

.gitignore

@@ -61,14 +61,15 @@ tests/rfc5280time*
 tests/ssl_versions*
 tests/timingsafe*
 tests/tls_ext_alpn*
+tests/tls_prf*
 tests/*test
 tests/tests.h
 tests/*test.c
-tests/memmem.c
 tests/pbkdf2*
 tests/*.pem
 tests/testssl
 tests/*.txt
+tests/compat/*.c
 !tests/optionstest.c
 !tests/*.test
 
@@ -127,6 +128,7 @@ include/openssl/*.h
 /apps/nc/*.c
 /apps/nc/nc*
 !/apps/nc/readpassphrase.c
+/apps/nc/compat/*.c
 
 /apps/openssl/*.h
 /apps/openssl/*.c
@@ -141,6 +143,8 @@ include/openssl/*.h
 !/crypto/compat/arc4random.h
 !/crypto/compat/b_win.c
 !/crypto/compat/explicit_bzero_win.c
+!/crypto/compat/freezero.c
+!/crypto/compat/getpagesize.c
 !/crypto/compat/posix_win.c
 !/crypto/compat/bsd_asprintf.c
 !/crypto/compat/inet_pton.c
@@ -164,3 +168,4 @@ openbsd/
 
 *.tar.gz
 man/Makefile.am
+man/mandoc.db

CMakeLists.txt

@@ -4,8 +4,9 @@ include(CheckLibraryExists)
 include(CheckIncludeFiles)
 include(CheckTypeSize)
 
-set(CMAKE_MODULE_PATH "${CMAKE_SOURCE_DIR}" ${CMAKE_MODULE_PATH})
+set(CMAKE_MODULE_PATH "${CMAKE_CURRENT_SOURCE_DIR}" ${CMAKE_MODULE_PATH})
 include(cmake_export_symbol)
+include(GNUInstallDirs)
 
 project (LibreSSL C)
 
@@ -26,12 +27,18 @@ string(STRIP ${TLS_VERSION} TLS_VERSION)
 string(REPLACE ":" "." TLS_VERSION ${TLS_VERSION})
 string(REGEX REPLACE "\\..*" "" TLS_MAJOR_VERSION ${TLS_VERSION})
 
+option(LIBRESSL_SKIP_INSTALL "Skip installation" ${LIBRESSL_SKIP_INSTALL})
 option(ENABLE_ASM "Enable assembly" ON)
 option(ENABLE_EXTRATESTS "Enable extra tests that may be unreliable on some platforms" OFF)
 option(ENABLE_NC "Enable installing TLS-enabled nc(1)" OFF)
 option(ENABLE_VSTEST "Enable test on Visual Studio" OFF)
 set(OPENSSLDIR ${OPENSSLDIR} CACHE PATH "Set the default openssl directory" FORCE)
 
+if(NOT LIBRESSL_SKIP_INSTALL)
+	set( ENABLE_LIBRESSL_INSTALL ON )
+endif(NOT LIBRESSL_SKIP_INSTALL)
+
+
 set(BUILD_NC true)
 
 if(CMAKE_SYSTEM_NAME MATCHES "Darwin")
@@ -219,6 +226,11 @@ if(HAVE_GETENTROPY)
 	add_definitions(-DHAVE_GETENTROPY)
 endif()
 
+check_function_exists(getpagesize HAVE_GETPAGESIZE)
+if(HAVE_GETPAGESIZE)
+	add_definitions(-DHAVE_GETPAGESIZE)
+endif()
+
 check_function_exists(timingsafe_bcmp HAVE_TIMINGSAFE_BCMP)
 if(HAVE_TIMINGSAFE_BCMP)
 	add_definitions(-DHAVE_TIMINGSAFE_BCMP)

ChangeLog

@@ -28,6 +28,130 @@ history is also available from Git.
 
 LibreSSL Portable Release Notes:
 
+2.6.0 - New APIs, bug fixes and improvements
+
+	* Added support for providing CRLs to libtls. Once a CRL is provided we
+	  enable CRL checking for the full certificate chain. Based on a diff
+	  from Jack Burton
+
+	* Allow non-compliant clients using IP literal addresses with SNI
+	  to connect to a server using libtls.
+
+	* Avoid a potential NULL pointer dereference in d2i_ECPrivateKey().
+	  Reported by Robert Swiecki, who found the issue using honggfuzz.
+
+	* Added definitions for three OIDs used in EV certificates.
+	  From Kyle J. McKay
+
+	* Plugged a memory leak in tls_ocsp_free.
+
+	* Added tls_peer_cert_chain_pem, tls_cert_hash, and tls_hex_string to
+	  libtls, useful in private certificate validation callbacks such as
+	  those in relayd.
+
+	* Converted explicit lear/free sequences to use freezero(3).
+
+	* Reworked TLS certificate name verification code to more strictly
+	  follow RFC 6125.
+
+	* Cleaned up and simplified server key exchange EC point handling.
+
+	* Added tls_keypair_clear_key for clearing key material.
+
+	* Removed inconsistent IPv6 handling from BIO_get_accept_socket,
+	  simplified BIO_get_host_ip and BIO_accept.
+
+	* Fixed the openssl(1) ca command so that is generates certificates
+	  with RFC 5280-conformant time. Problem noticed by Harald Dunkel.
+
+	* Added ASN1_TIME_set_tm to set an asn1 from a struct tm *
+
+	* Added SSL{,_CTX}_set_{min,max}_proto_version() functions.
+
+	* Added HKDF (HMAC Key Derivation Function) from BoringSSL
+
+	* Providea a tls_unload_file() function that frees the memory returned
+	  from a tls_load_file() call, ensuring that it the contents become
+	  inaccessible. This is specifically needed on platforms where the
+	  library allocators may be different from the application allocator.
+
+	* Perform reference counting for tls_config. This allows
+	  tls_config_free() to be called as soon as it has been passed to the
+	  final tls_configure() call, simplifying lifetime tracking for the
+	  application.
+
+	* Moved internal state of SSL and other structures to be opaque.
+
+	* Dropped cipher suites with DSS authentication.
+
+	* nc(1) improvements, including:
+	   nc -W to terminate nc after receiving a number of packets
+	   nc -Z for saving the peer certificate and chain in a pem file
+
+2.5.5 - Bug fixes
+
+	* Distinguish between self-issued certificates and self-signed
+	  certificates. The certificate verification code has special cases
+	  for self-signed certificates and without this change, self-issued
+	  certificates (which it seems are common place with
+	  openvpn/easyrsa) were also being included in this category.
+
+	* Added getpagesize fallback, needed for Android bionic libc.
+
+2.5.4 - Security Updates
+
+	* Revert a previous change that forced consistency between return
+	  value and error code when specifing a certificate verification
+	  callback, since this breaks the documented API. When a user supplied
+	  callback always returns 1, and later code checks the error code to
+	  potentially abort post verification, this will result in incorrect
+	  successul certificate verification.
+
+	* Switched Linux getrandom() usage to non-blocking mode, continuing to
+	  use fallback mechanims if unsuccessful. This works around a design
+	  flaw in Linux getrandom(2) where early boot usage in a library makes
+	  it impossible to recover if getrandom(2) is not yet initialized.
+
+	* Fixed a bug caused by the return value being set early to signal
+	  successful DTLS cookie validation. This can mask a later failure and
+	  result in a positive return value being returned from
+	  ssl3_get_client_hello(), when it should return a negative value to
+	  propagate the error.
+
+	* Fixed a build error on non-x86/x86_64 systems running Solaris.
+
+2.5.3 - OpenBSD 6.1 Release
+
+	* Documentation updates
+
+	* Improved ocspcheck(1) error handling
+
+2.5.2 - Security features and bugfixes
+
+	* Added the recallocarray(3) memory allocation function, and converted
+	  various places in the library to use it, such as CBB and BUF_MEM_grow.
+	  recallocarray(3) is similar to reallocarray. Newly allocated memory
+	  is cleared similar to calloc(3). Memory that becomes unallocated
+	  while shrinking or moving existing allocations is explicitly
+	  discarded by unmapping or clearing to 0
+
+	* Added new root CAs from SECOM Trust Systems / Security Communication
+	  of Japan.
+
+	* Added EVP interface for MD5+SHA1 hashes.
+
+	* Fixed DTLS client failures when the server sends a certificate
+	  request.
+
+	* Correct handling of padding when upgrading an SSLv2 challenge into
+	  an SSLv3/TLS connection.
+
+	* Allow protocols and ciphers to be set on a TLS config object in
+	  libtls.
+
+	* Improved nc(1) TLS handshake CPU usage and server-side error
+	  reporting.
+
 2.5.1 - Bug and security fixes, new features, documentation updates
 
 	* X509_cmp_time() now passes a malformed GeneralizedTime field as an
@@ -75,10 +199,10 @@ LibreSSL Portable Release Notes:
 	  SSL{_CTX}_set1_groups{_list}() - also provide defines for the previous
 	  SSL{_CTX}_set1_curves{_list} names. This also changes the default
 	  list of curves to be X25519, P-256 and P-384. All other curves must
-          be manually enabled.
+	  be manually enabled.
 
 	* Added -groups option to openssl(1) s_client for specifying the curves
-          to be used in a colon-separated list.
+	  to be used in a colon-separated list.
 
 	* Merged client/server version negotiation code paths into one,
 	  reducing much duplicate code.

README.md

@@ -131,3 +131,15 @@ install CMake, enter the LibreSSL source directory and run:
 
 This will generate a LibreSSL.sln file that you can incorporate into other
 projects or build by itself.
+
+#### Cmake - Additional Options ####
+
+| Option Name | Default | Description 
+| ------------ | -----: | ------ 
+|  LIBRESSL_SKIP_INSTALL | OFF | allows skipping install() rules.  Can be specified from command line using <br>```-DLIBRESSL_SKIP_INSTALL=ON``` |
+|  ENABLE_ASM | ON | builds assembly optimized rules. |
+|  ENABLE_EXTRATESTS | OFF | Enable extra tests that may be unreliable on some platforms |
+|  ENABLE_NC | OFF | Enable installing TLS-enabled nc(1) |
+|  ENABLE_VSTEST | OFF | Enable test on Visual Studio |
+|  OPENSSLDIR | Blank | Set the default openssl directory.  Can be specified from command line using <br>```-DOPENSSLDIR=<dirname>``` |
+

README.windows

@@ -12,7 +12,8 @@ cross compilers on Windows.
 To configure and build LibreSSL for a 32-bit system, use the following
 build steps:
 
- CC=i686-w64-mingw32-gcc ./configure --host=i686-w64-mingw32
+ CC=i686-w64-mingw32-gcc CPPFLAGS=-D__MINGW_USE_VC2005_COMPAT \
+ ./configure --host=i686-w64-mingw32
  make
  make check
 
@@ -22,6 +23,25 @@ For 64-bit builds, use these instead:
  make
  make check
 
+# Why the -D__MINGW_USE_VC2005_COMPAT flag on 32-bit systems?
+
+An ABI change introduced with Microsoft Visual C++ 2005 (also known as
+Visual C++ 8.0) switched time_t from 32-bit to 64-bit. It is important to
+build LibreSSL with 64-bit time_t whenever possible, because 32-bit time_t
+is unable to represent times past 2038 (this is commonly known as the
+Y2K38 problem).
+
+If LibreSSL is built with 32-bit time_t, when verifying a certificate whose
+expiry date is set past 19 January 2038, it will be unable to tell if the
+certificate has expired or not, and thus take the safe stance and reject it.
+
+In order to avoid this, you need to build LibreSSL (and everything that links
+with it) with the -D__MINGW_USE_VC2005_COMPAT flag. This tells mingw-w64 to
+use the new ABI.
+
+64-bit systems always have a 64-bit time_t and are not affected by this
+problem.
+
 # Using Libressl with Visual Studio
 
 A script for generating ready-to-use .DLL and static .LIB files is included in

apps/nc/CMakeLists.txt

@@ -53,8 +53,10 @@ add_executable(nc ${NC_SRC})
 target_link_libraries(nc tls ${OPENSSL_LIBS})
 
 if(ENABLE_NC)
-	install(TARGETS nc DESTINATION bin)
-	install(FILES nc.1 DESTINATION share/man/man1)
+	if(ENABLE_LIBRESSL_INSTALL)
+		install(TARGETS nc DESTINATION ${CMAKE_INSTALL_BINDIR})
+		install(FILES nc.1 DESTINATION ${CMAKE_INSTALL_MANDIR}/man1)
+	endif(ENABLE_LIBRESSL_INSTALL)
 endif()
 
 endif()

apps/nc/Makefile.am

@@ -4,6 +4,7 @@ if BUILD_NC
 
 if ENABLE_NC
 bin_PROGRAMS = nc
+dist_man_MANS = nc.1
 else
 noinst_PROGRAMS = nc
 endif

apps/ocspcheck/CMakeLists.txt

@@ -36,7 +36,10 @@ endif()
 add_executable(ocspcheck ${OCSPCHECK_SRC})
 target_link_libraries(ocspcheck tls ${OPENSSL_LIBS})
 
-install(TARGETS ocspcheck DESTINATION bin)
-install(FILES ocspcheck.8 DESTINATION share/man/man8)
+if(ENABLE_LIBRESSL_INSTALL)
+	install(TARGETS ocspcheck DESTINATION ${CMAKE_INSTALL_BINDIR})
+	install(FILES ocspcheck.8 DESTINATION ${CMAKE_INSTALL_MANDIR}/man8)
+
+endif(ENABLE_LIBRESSL_INSTALL)
 
 endif()

apps/openssl/CMakeLists.txt

@@ -76,13 +76,17 @@ endif()
 add_executable(openssl ${OPENSSL_SRC})
 target_link_libraries(openssl ${OPENSSL_LIBS})
 
-install(TARGETS openssl DESTINATION bin)
-install(FILES openssl.1 DESTINATION share/man/man1)
+if(ENABLE_LIBRESSL_INSTALL)
+	install(TARGETS openssl DESTINATION ${CMAKE_INSTALL_BINDIR})
+	install(FILES openssl.1 DESTINATION ${CMAKE_INSTALL_MANDIR}/man1)
+endif(ENABLE_LIBRESSL_INSTALL)
 
 if(NOT "${OPENSSLDIR}" STREQUAL "")
 	set(CONF_DIR "${OPENSSLDIR}")
 else()
 	set(CONF_DIR "${CMAKE_INSTALL_PREFIX}/etc/ssl")
 endif()
-install(FILES cert.pem openssl.cnf x509v3.cnf DESTINATION ${CONF_DIR})
-install(DIRECTORY DESTINATION ${CONF_DIR}/cert)
+if(ENABLE_LIBRESSL_INSTALL)
+	install(FILES cert.pem openssl.cnf x509v3.cnf DESTINATION ${CONF_DIR})
+	install(DIRECTORY DESTINATION ${CONF_DIR}/cert)
+endif(ENABLE_LIBRESSL_INSTALL)

configure.ac

@@ -54,8 +54,6 @@ CHECK_CRYPTO_COMPAT
 CHECK_VA_COPY
 CHECK_B64_NTOP
 
-GENERATE_CRYPTO_PORTABLE_SYM
-
 AC_ARG_WITH([openssldir],
 	AS_HELP_STRING([--with-openssldir],
 		       [Set the default openssl directory]),
@@ -80,19 +78,15 @@ AC_TRY_COMPILE([#include "$srcdir/crypto/modes/modes_lcl.h"],
 	       BSWAP4=no)
 CFLAGS="$old_cflags"
 
-case $host_cpu in
-	*sparc*)
-		CPPFLAGS="$CPPFLAGS -D__STRICT_ALIGNMENT"
-		;;
-	*arm*)
-		AS_IF([test "x$BSWAP4" = "xyes"],,
-		    CPPFLAGS="$CPPFLAGS -D__STRICT_ALIGNMENT")
-		;;
-	*amd64*)
-		host_cpu=x86_64
-		;;
-
-esac
+AS_CASE([$host_cpu],
+	[*sparc*], [CPPFLAGS="$CPPFLAGS -D__STRICT_ALIGNMENT"],
+	[*arm*], AS_IF([test "x$BSWAP4" = "xyes"],,
+		    CPPFLAGS="$CPPFLAGS -D__STRICT_ALIGNMENT"),
+	[*amd64*], [host_cpu=x86_64, HOSTARCH=intel],
+	[i?86], [HOSTARCH=intel],
+	[x86_64], [HOSTARCH=intel]
+)
+AM_CONDITIONAL([HOST_CPU_IS_INTEL], [test "x$HOSTARCH" = "xintel"])
 
 AC_MSG_CHECKING([if .gnu.warning accepts long strings])
 AC_LINK_IFELSE([AC_LANG_SOURCE([[
@@ -142,6 +136,12 @@ AM_CONDITIONAL([SMALL_TIME_T], [test "$ac_cv_sizeof_time_t" = "4"])
 if test "$ac_cv_sizeof_time_t" = "4"; then
     echo " ** Warning, this system is unable to represent times past 2038"
     echo " ** It will behave incorrectly when handling valid RFC5280 dates"
+
+    if test "$host_os" = "mingw32" ; then
+        echo " **"
+        echo " ** You can solve this by adjusting the build flags in your"
+        echo " ** mingw-w64 toolchain. Refer to README.windows for details."
+    fi
 fi
 
 AC_REQUIRE_AUX_FILE([tap-driver.sh])

crypto/CMakeLists.txt

@@ -429,6 +429,7 @@ set(
 	evp/m_gostr341194.c
 	evp/m_md4.c
 	evp/m_md5.c
+	evp/m_md5_sha1.c
 	evp/m_null.c
 	evp/m_ripemd.c
 	evp/m_sha1.c
@@ -462,6 +463,7 @@ set(
 	gost/gostr341001_pmeth.c
 	gost/gostr341194.c
 	gost/streebog.c
+	hkdf/hkdf.c
 	hmac/hm_ameth.c
 	hmac/hm_pmeth.c
 	hmac/hmac.c
@@ -680,6 +682,15 @@ if(NOT HAVE_ASPRINTF)
 	set(EXTRA_EXPORT ${EXTRA_EXPORT} vasprintf)
 endif()
 
+if(NOT HAVE_FREEZERO)
+	set(CRYPTO_SRC ${CRYPTO_SRC} compat/freezero.c)
+	set(EXTRA_EXPORT ${EXTRA_EXPORT} freezero)
+endif()
+
+if(NOT HAVE_GETPAGESIZE)
+	set(CRYPTO_SRC ${CRYPTO_SRC} compat/getpagesize.c)
+endif()
+
 if(NOT HAVE_INET_PTON)
 	set(CRYPTO_SRC ${CRYPTO_SRC} compat/inet_pton.c)
 	set(EXTRA_EXPORT ${EXTRA_EXPORT} inet_pton)
@@ -690,6 +701,11 @@ if(NOT HAVE_REALLOCARRAY)
 	set(EXTRA_EXPORT ${EXTRA_EXPORT} reallocarray)
 endif()
 
+if(NOT HAVE_RECALLOCARRAY)
+	set(CRYPTO_SRC ${CRYPTO_SRC} compat/recallocarray.c)
+	set(EXTRA_EXPORT ${EXTRA_EXPORT} recallocarray)
+endif()
+
 if(NOT HAVE_STRCASECMP)
 	set(CRYPTO_SRC ${CRYPTO_SRC} compat/strcasecmp.c)
 	set(EXTRA_EXPORT ${EXTRA_EXPORT} strcasecmp)
@@ -736,8 +752,10 @@ endif()
 
 if(NOT HAVE_ARC4RANDOM_BUF)
 	set(CRYPTO_SRC ${CRYPTO_SRC} compat/arc4random.c)
+	set(CRYPTO_SRC ${CRYPTO_SRC} compat/arc4random_uniform.c)
 	set(EXTRA_EXPORT ${EXTRA_EXPORT} arc4random)
 	set(EXTRA_EXPORT ${EXTRA_EXPORT} arc4random_buf)
+	set(EXTRA_EXPORT ${EXTRA_EXPORT} arc4random_uniform)
 
 	if(NOT HAVE_GETENTROPY)
 		if(CMAKE_HOST_WIN32)
@@ -761,11 +779,6 @@ if(NOT HAVE_ARC4RANDOM_BUF)
 	endif()
 endif()
 
-if(NOT HAVE_ARC4RANDOM_UNIFORM)
-	set(CRYPTO_SRC ${CRYPTO_SRC} compat/arc4random_uniform.c)
-	set(EXTRA_EXPORT ${EXTRA_EXPORT} arc4random_uniform)
-endif()
-
 if(NOT HAVE_TIMINGSAFE_BCMP)
 	set(CRYPTO_SRC ${CRYPTO_SRC} compat/timingsafe_bcmp.c)
 	set(EXTRA_EXPORT ${EXTRA_EXPORT} timingsafe_bcmp)
@@ -816,9 +829,13 @@ if (BUILD_SHARED)
 		ARCHIVE_OUTPUT_NAME crypto${CRYPTO_POSTFIX})
 	set_target_properties(crypto-shared PROPERTIES VERSION
 		${CRYPTO_VERSION} SOVERSION ${CRYPTO_MAJOR_VERSION})
-	install(TARGETS crypto crypto-shared DESTINATION lib)
+	if(ENABLE_LIBRESSL_INSTALL)
+		install(TARGETS crypto crypto-shared DESTINATION ${CMAKE_INSTALL_LIBDIR})
+	endif(ENABLE_LIBRESSL_INSTALL)
 else()
 	add_library(crypto STATIC ${CRYPTO_SRC})
-	install(TARGETS crypto DESTINATION lib)
+	if(ENABLE_LIBRESSL_INSTALL)
+		install(TARGETS crypto DESTINATION ${CMAKE_INSTALL_LIBDIR})
+	endif(ENABLE_LIBRESSL_INSTALL)
 endif()
 

crypto/Makefile.am

@@ -15,7 +15,84 @@ EXTRA_DIST += crypto.sym
 # needed for a CMake target
 EXTRA_DIST += compat/strcasecmp.c
 
-libcrypto_la_LDFLAGS = -version-info @LIBCRYPTO_VERSION@ -no-undefined -export-symbols $(top_srcdir)/crypto/crypto_portable.sym
+BUILT_SOURCES = crypto_portable.sym
+CLEANFILES = crypto_portable.sym
+
+crypto_portable.sym:
+	-echo "generating crypto_portable.sym ..."
+	-cp $(top_srcdir)/crypto/crypto.sym crypto_portable.sym
+	-chmod u+w crypto_portable.sym
+if !HAVE_ARC4RANDOM_BUF
+	-echo arc4random >> crypto_portable.sym
+	-echo arc4random_buf >> crypto_portable.sym
+	-echo arc4random_uniform >> crypto_portable.sym
+if !HAVE_GETENTROPY
+	-echo getentropy >> crypto_portable.sym
+endif
+endif
+if !HAVE_ASPRINTF
+	-echo asprintf >> crypto_portable.sym
+	-echo vasprintf >> crypto_portable.sym
+endif
+if !HAVE_EXPLICIT_BZERO
+	-echo explicit_bzero >> crypto_portable.sym
+endif
+if !HAVE_FREEZERO
+	-echo freezero >> crypto_portable.sym
+endif
+if !HAVE_INET_PTON
+	-echo inet_pton >> crypto_portable.sym
+endif
+if !HAVE_REALLOCARRAY
+	-echo reallocarray >> crypto_portable.sym
+endif
+if !HAVE_RECALLOCARRAY
+	-echo recallocarray >> crypto_portable.sym
+endif
+if !HAVE_STRLCAT
+	-echo strlcat >> crypto_portable.sym
+endif
+if !HAVE_STRLCPY
+	-echo strlcpy >> crypto_portable.sym
+endif
+if !HAVE_STRNDUP
+	-echo strndup >> crypto_portable.sym
+endif
+if !HAVE_STRNLEN
+	-echo strnlen >> crypto_portable.sym
+endif
+if !HAVE_STRSEP
+	-echo strsep >> crypto_portable.sym
+endif
+if !HAVE_TIMEGM
+	-echo timegm >> crypto_portable.sym
+endif
+if !HAVE_TIMINGSAFE_BCMP
+	-echo timingsafe_bcmp >> crypto_portable.sym
+endif
+if !HAVE_TIMINGSAFE_MEMCMP
+	-echo timingsafe_memcmp >> crypto_portable.sym
+endif
+if HOST_CPU_IS_INTEL
+	-echo OPENSSL_ia32cap_P >> crypto_portable.sym
+endif
+if HOST_WIN
+	-echo posix_perror >> crypto_portable.sym
+	-echo posix_fopen >> crypto_portable.sym
+	-echo posix_fgets >> crypto_portable.sym
+	-echo posix_open >> crypto_portable.sym
+	-echo posix_rename >> crypto_portable.sym
+	-echo posix_connect >> crypto_portable.sym
+	-echo posix_close >> crypto_portable.sym
+	-echo posix_read >> crypto_portable.sym
+	-echo posix_write >> crypto_portable.sym
+	-echo posix_getsockopt >> crypto_portable.sym
+	-echo posix_setsockopt >> crypto_portable.sym
+	-grep -v BIO_s_log crypto_portable.sym > crypto_portable.sym.tmp
+	-mv crypto_portable.sym.tmp crypto_portable.sym
+endif
+
+libcrypto_la_LDFLAGS = -version-info @LIBCRYPTO_VERSION@ -no-undefined -export-symbols crypto_portable.sym
 libcrypto_la_LIBADD = libcompat.la
 if !HAVE_EXPLICIT_BZERO
 libcrypto_la_LIBADD += libcompatnoopt.la
@@ -81,6 +158,14 @@ if !HAVE_ASPRINTF
 libcompat_la_SOURCES += compat/bsd-asprintf.c
 endif
 
+if !HAVE_FREEZERO
+libcompat_la_SOURCES += compat/freezero.c
+endif
+
+if !HAVE_GETPAGESIZE
+libcompat_la_SOURCES += compat/getpagesize.c
+endif
+
 if !HAVE_INET_PTON
 libcompat_la_SOURCES += compat/inet_pton.c
 endif
@@ -93,6 +178,10 @@ if !HAVE_REALLOCARRAY
 libcompat_la_SOURCES += compat/reallocarray.c
 endif
 
+if !HAVE_RECALLOCARRAY
+libcompat_la_SOURCES += compat/recallocarray.c
+endif
+
 if !HAVE_TIMINGSAFE_MEMCMP
 libcompat_la_SOURCES += compat/timingsafe_memcmp.c
 endif
@@ -527,6 +616,7 @@ libcrypto_la_SOURCES += evp/m_gost2814789.c
 libcrypto_la_SOURCES += evp/m_gostr341194.c
 libcrypto_la_SOURCES += evp/m_md4.c
 libcrypto_la_SOURCES += evp/m_md5.c
+libcrypto_la_SOURCES += evp/m_md5_sha1.c
 libcrypto_la_SOURCES += evp/m_null.c
 libcrypto_la_SOURCES += evp/m_ripemd.c
 libcrypto_la_SOURCES += evp/m_sha1.c
@@ -567,6 +657,9 @@ noinst_HEADERS += gost/gost.h
 noinst_HEADERS += gost/gost_asn1.h
 noinst_HEADERS += gost/gost_locl.h
 
+# hkdf
+libcrypto_la_SOURCES += hkdf/hkdf.c
+
 # hmac
 libcrypto_la_SOURCES += hmac/hm_ameth.c
 libcrypto_la_SOURCES += hmac/hm_pmeth.c

crypto/compat/freezero.c

@@ -0,0 +1,32 @@
+/*
+ * Copyright (c) 2008, 2010, 2011, 2016 Otto Moerbeek <otto@drijf.net>
+ * Copyright (c) 2012 Matthew Dempsky <matthew@openbsd.org>
+ * Copyright (c) 2008 Damien Miller <djm@openbsd.org>
+ * Copyright (c) 2000 Poul-Henning Kamp <phk@FreeBSD.org>
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+ * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+ * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+
+#include <string.h>
+#include <stdlib.h>
+
+void
+freezero(void *ptr, size_t sz)
+{
+	/* This is legal. */
+	if (ptr == NULL)
+		return;
+
+	explicit_bzero(ptr, sz);
+	free(ptr);
+}

crypto/compat/getpagesize.c

@@ -0,0 +1,18 @@
+/* $OpenBSD$ */
+
+#include <unistd.h>
+
+#ifdef _MSC_VER
+#include <windows.h>
+#endif
+
+int
+getpagesize(void) {
+#ifdef _MSC_VER
+	SYSTEM_INFO system_info;
+	GetSystemInfo(&system_info);
+	return system_info.dwPageSize;
+#else
+	return sysconf(_SC_PAGESIZE);
+#endif
+}

dist.sh

@@ -4,4 +4,4 @@ set -e
 rm -f man/*.1 man/*.3 include/openssl/*.h
 ./autogen.sh
 ./configure
-make distcheck
+make -j2 distcheck

include/CMakeLists.txt

@@ -1,5 +1,7 @@
-install(DIRECTORY .
-        DESTINATION include
-        PATTERN "CMakeLists.txt" EXCLUDE
-        PATTERN "compat" EXCLUDE
-        PATTERN "Makefile*" EXCLUDE)
+if(ENABLE_LIBRESSL_INSTALL)
+	install(DIRECTORY .
+	        DESTINATION ${CMAKE_INSTALL_INCLUDEDIR}
+	        PATTERN "CMakeLists.txt" EXCLUDE
+	        PATTERN "compat" EXCLUDE
+	        PATTERN "Makefile*" EXCLUDE)
+endif(ENABLE_LIBRESSL_INSTALL)

include/compat/stdlib.h

@@ -25,10 +25,18 @@ void arc4random_buf(void *_buf, size_t n);
 uint32_t arc4random_uniform(uint32_t upper_bound);
 #endif
 
+#ifndef HAVE_FREEZERO
+void freezero(void *ptr, size_t sz);
+#endif
+
 #ifndef HAVE_REALLOCARRAY
 void *reallocarray(void *, size_t, size_t);
 #endif
 
+#ifndef HAVE_RECALLOCARRAY
+void *recallocarray(void *, size_t, size_t, size_t);
+#endif
+
 #ifndef HAVE_STRTONUM
 long long strtonum(const char *nptr, long long minval,
 		long long maxval, const char **errstr);

include/compat/sys/types.h

@@ -20,12 +20,14 @@
 
 #ifdef __MINGW32__
 #include <_bsd_types.h>
+typedef uint32_t        in_addr_t;
 #endif
 
 #ifdef _MSC_VER
 typedef unsigned char   u_char;
 typedef unsigned short  u_short;
 typedef unsigned int    u_int;
+typedef uint32_t        in_addr_t;
 
 #include <basetsd.h>
 typedef SSIZE_T ssize_t;

include/compat/unistd.h

@@ -39,6 +39,10 @@ int getentropy(void *buf, size_t buflen);
 #endif
 #endif
 
+#ifndef HAVE_GETPAGESIZE
+int getpagesize(void);
+#endif
+
 #define pledge(request, paths) 0
 
 #ifndef HAVE_PIPE2

libcrypto.pc.in

@@ -5,8 +5,8 @@ exec_prefix=@exec_prefix@
 libdir=@libdir@
 includedir=@includedir@
 
-Name: LibreSSL-libssl
-Description: Secure Sockets Layer and cryptography libraries
+Name: LibreSSL-libcrypto
+Description: LibreSSL cryptography library
 Version: @VERSION@
 Requires:
 Conflicts:

m4/check-libc.m4

@@ -2,15 +2,19 @@ AC_DEFUN([CHECK_LIBC_COMPAT], [
 # Check for libc headers
 AC_CHECK_HEADERS([err.h readpassphrase.h])
 # Check for general libc functions
-AC_CHECK_FUNCS([asprintf inet_ntop inet_pton memmem readpassphrase])
-AC_CHECK_FUNCS([reallocarray strlcat strlcpy strndup strnlen strsep strtonum])
+AC_CHECK_FUNCS([asprintf freezero getpagesize inet_ntop inet_pton memmem])
+AC_CHECK_FUNCS([readpassphrase reallocarray recallocarray])
+AC_CHECK_FUNCS([strlcat strlcpy strndup strnlen strsep strtonum])
 AC_CHECK_FUNCS([timegm _mkgmtime])
 AM_CONDITIONAL([HAVE_ASPRINTF], [test "x$ac_cv_func_asprintf" = xyes])
+AM_CONDITIONAL([HAVE_FREEZERO], [test "x$ac_cv_func_freezero" = xyes])
+AM_CONDITIONAL([HAVE_GETPAGESIZE], [test "x$ac_cv_func_getpagesize" = xyes])
 AM_CONDITIONAL([HAVE_INET_NTOP], [test "x$ac_cv_func_inet_ntop" = xyes])
 AM_CONDITIONAL([HAVE_INET_PTON], [test "x$ac_cv_func_inet_pton" = xyes])
 AM_CONDITIONAL([HAVE_MEMMEM], [test "x$ac_cv_func_memmem" = xyes])
 AM_CONDITIONAL([HAVE_READPASSPHRASE], [test "x$ac_cv_func_readpassphrase" = xyes])
 AM_CONDITIONAL([HAVE_REALLOCARRAY], [test "x$ac_cv_func_reallocarray" = xyes])
+AM_CONDITIONAL([HAVE_RECALLOCARRAY], [test "x$ac_cv_func_recallocarray" = xyes])
 AM_CONDITIONAL([HAVE_STRLCAT], [test "x$ac_cv_func_strlcat" = xyes])
 AM_CONDITIONAL([HAVE_STRLCPY], [test "x$ac_cv_func_strlcpy" = xyes])
 AM_CONDITIONAL([HAVE_STRNDUP], [test "x$ac_cv_func_strndup" = xyes])
@@ -144,77 +148,3 @@ if test "x$ac_cv_have___va_copy" = "xyes" ; then
 	AC_DEFINE([HAVE___VA_COPY], [1], [Define if __va_copy exists])
 fi
 ])
-
-AC_DEFUN([GENERATE_CRYPTO_PORTABLE_SYM], [
-crypto_sym=$srcdir/crypto/crypto.sym
-crypto_p_sym=$srcdir/crypto/crypto_portable.sym
-echo "generating $crypto_p_sym ..."
-chmod u+w $srcdir/crypto
-cp $crypto_sym $crypto_p_sym
-chmod u+w $crypto_p_sym
-if test "x$ac_cv_func_arc4random" = "xno" ; then
-	echo arc4random >> $crypto_p_sym
-fi
-if test "x$ac_cv_func_arc4random_buf" = "xno" ; then
-	echo arc4random_buf >> $crypto_p_sym
-fi
-if test "x$ac_cv_func_arc4random_uniform" = "xno" ; then
-	echo arc4random_uniform >> $crypto_p_sym
-fi
-if test "x$ac_cv_func_asprintf" = "xno" ; then
-	echo asprintf >> $crypto_p_sym
-	echo vasprintf >> $crypto_p_sym
-fi
-if test "x$ac_cv_func_explicit_bzero" = "xno" ; then
-	echo explicit_bzero >> $crypto_p_sym
-fi
-if test "x$ac_cv_func_getentropy" = "xno" ; then
-	echo getentropy >> $crypto_p_sym
-fi
-if test "x$ac_cv_func_inet_pton" = "xno" ; then
-	echo inet_pton >> $crypto_p_sym
-fi
-if test "x$ac_cv_func_reallocarray" = "xno" ; then
-	echo reallocarray >> $crypto_p_sym
-fi
-if test "x$ac_cv_func_strlcat" = "xno" ; then
-	echo strlcat >> $crypto_p_sym
-fi
-if test "x$ac_cv_func_strlcpy" = "xno" ; then
-	echo strlcpy >> $crypto_p_sym
-fi
-if test "x$ac_cv_func_strndup" = "xno" ; then
-	echo strndup >> $crypto_p_sym
-fi
-if test "x$ac_cv_func_strnlen" = "xno" ; then
-	echo strnlen >> $crypto_p_sym
-fi
-if test "x$ac_cv_func_strsep" = "xno" ; then
-	echo strsep >> $crypto_p_sym
-fi
-if test "x$ac_cv_func_timegm" = "xno" ; then
-	echo timegm >> $crypto_p_sym
-fi
-if test "x$ac_cv_func_timingsafe_bcmp" = "xno" ; then
-	echo timingsafe_bcmp >> $crypto_p_sym
-fi
-if test "x$ac_cv_func_timingsafe_memcmp" = "xno" ; then
-	echo timingsafe_memcmp >> $crypto_p_sym
-fi
-if test "x$HOST_OS" = "xwin" ; then
-	echo posix_perror >> $crypto_p_sym
-	echo posix_fopen >> $crypto_p_sym
-	echo posix_fgets >> $crypto_p_sym
-	echo posix_open >> $crypto_p_sym
-	echo posix_rename >> $crypto_p_sym
-	echo posix_connect >> $crypto_p_sym
-	echo posix_close >> $crypto_p_sym
-	echo posix_read >> $crypto_p_sym
-	echo posix_write >> $crypto_p_sym
-	echo posix_getsockopt >> $crypto_p_sym
-	echo posix_setsockopt >> $crypto_p_sym
-
-	grep -v BIO_s_log $crypto_p_sym > $crypto_p_sym.tmp
-	mv $crypto_p_sym.tmp $crypto_p_sym
-fi
-])

m4/check-os-options.m4

@@ -106,13 +106,12 @@ char buf[1]; getentropy(buf, 1);
 		CPPFLAGS="$CPPFLAGS -D_REENTRANT -D_POSIX_THREAD_SAFE_FUNCTIONS"
 		CPPFLAGS="$CPPFLAGS -DWIN32_LEAN_AND_MEAN -D_WIN32_WINNT=0x0501"
 		CPPFLAGS="$CPPFLAGS -DOPENSSL_NO_SPEED"
-		CFLAGS="$CFLAGS -static-libgcc"
-		LDFLAGS="$LDFLAGS -static-libgcc"
 		AC_SUBST([PLATFORM_LDADD], ['-lws2_32'])
 		;;
 	*solaris*)
 		HOST_OS=solaris
 		HOST_ABI=elf
+		CFLAGS="$CFLAGS -m64"
 		CPPFLAGS="$CPPFLAGS -D__EXTENSIONS__ -D_XOPEN_SOURCE=600 -DBSD_COMP"
 		AC_SUBST([PLATFORM_LDADD], ['-lnsl -lsocket'])
 		;;

man/CMakeLists.txt

@@ -1,9 +1,11 @@
-install(DIRECTORY .
-    DESTINATION share/man/man3
-    FILES_MATCHING PATTERN "*.3"
-    )
+if(ENABLE_LIBRESSL_INSTALL)
+	install(DIRECTORY .
+	    DESTINATION ${CMAKE_INSTALL_MANDIR}/man3
+	    FILES_MATCHING PATTERN "*.3"
+	    )
 
-install(DIRECTORY .
-    DESTINATION share/man/man1
-    FILES_MATCHING PATTERN "*.1"
-    )
+	install(DIRECTORY .
+	    DESTINATION ${CMAKE_INSTALL_MANDIR}/man1
+	    FILES_MATCHING PATTERN "*.1"
+	    )
+endif(ENABLE_LIBRESSL_INSTALL)

patches/http.c.patch

@@ -0,0 +1,12 @@
+--- apps/ocspcheck/http.c.orig	Sun Jun  4 00:45:29 2017
++++ apps/ocspcheck/http.c	Sun Jun  4 00:45:57 2017
+@@ -35,7 +35,9 @@
+ #include "http.h"
+ #include <tls.h>
+ 
++#ifndef DEFAULT_CA_FILE
+ #define DEFAULT_CA_FILE "/etc/ssl/cert.pem"
++#endif
+ 
+ /*
+  * A buffer for transferring HTTP/S data.

patches/netcat.c.patch

@@ -1,16 +1,16 @@
---- apps/nc/netcat.c.orig	Sat Nov  5 14:00:01 2016
-+++ apps/nc/netcat.c	Sat Nov  5 15:28:35 2016
-@@ -65,7 +65,9 @@
- #define POLL_NETIN 2
- #define POLL_STDOUT 3
- #define BUFSIZE 16384
+--- apps/nc/netcat.c.orig	2017-07-07 00:10:09.009409624 +0900
++++ apps/nc/netcat.c	2017-07-07 00:30:32.380088772 +0900
+@@ -66,7 +66,9 @@
+ #define POLL_NETIN	2
+ #define POLL_STDOUT	3
+ #define BUFSIZE		16384
 +#ifndef DEFAULT_CA_FILE
- #define DEFAULT_CA_FILE "/etc/ssl/cert.pem"
+ #define DEFAULT_CA_FILE	"/etc/ssl/cert.pem"
 +#endif
  
- #define TLS_LEGACY	(1 << 1)
+ #define TLS_ALL	(1 << 1)
  #define TLS_NOVERIFY	(1 << 2)
-@@ -93,9 +95,13 @@
+@@ -94,9 +96,13 @@ int	zflag;					/* Port Scan Flag */
  int	Dflag;					/* sodebug */
  int	Iflag;					/* TCP receive buffer size */
  int	Oflag;					/* TCP send buffer size */
@@ -24,16 +24,7 @@
  
  int	usetls;					/* use TLS */
  char    *Cflag;					/* Public cert file */
-@@ -148,7 +154,7 @@
- 	struct servent *sv;
- 	socklen_t len;
- 	struct sockaddr_storage cliaddr;
--	char *proxy;
-+	char *proxy = NULL;
- 	const char *errstr, *proxyhost = "", *proxyport = NULL;
- 	struct addrinfo proxyhints;
- 	char unix_dg_tmp_socket_buf[UNIX_DG_TMP_SOCKET_SIZE];
-@@ -258,12 +264,14 @@
+@@ -265,12 +271,14 @@ main(int argc, char *argv[])
  		case 'u':
  			uflag = 1;
  			break;
@@ -48,7 +39,7 @@
  		case 'v':
  			vflag = 1;
  			break;
-@@ -299,9 +307,11 @@
+@@ -317,9 +325,11 @@ main(int argc, char *argv[])
  		case 'o':
  			oflag = optarg;
  			break;
@@ -60,7 +51,7 @@
  		case 'T':
  			errstr = NULL;
  			errno = 0;
-@@ -325,9 +335,11 @@
+@@ -343,9 +353,11 @@ main(int argc, char *argv[])
  	argc -= optind;
  	argv += optind;
  
@@ -72,7 +63,7 @@
  
  	if (family == AF_UNIX) {
  		if (pledge("stdio rpath wpath cpath tmppath unix", NULL) == -1)
-@@ -836,7 +848,10 @@
+@@ -888,7 +900,10 @@ int
  remote_connect(const char *host, const char *port, struct addrinfo hints)
  {
  	struct addrinfo *res, *res0;
@@ -83,8 +74,8 @@
 +#endif
  
  	if ((error = getaddrinfo(host, port, &hints, &res0)))
- 		errx(1, "getaddrinfo: %s", gai_strerror(error));
-@@ -850,8 +865,10 @@
+ 		errx(1, "getaddrinfo for host \"%s\" port %s: %s", host,
+@@ -903,8 +918,10 @@ remote_connect(const char *host, const c
  		if (sflag || pflag) {
  			struct addrinfo ahints, *ares;
  
@@ -95,7 +86,7 @@
  			memset(&ahints, 0, sizeof(struct addrinfo));
  			ahints.ai_family = res->ai_family;
  			ahints.ai_socktype = uflag ? SOCK_DGRAM : SOCK_STREAM;
-@@ -922,7 +939,10 @@
+@@ -975,7 +992,10 @@ int
  local_listen(char *host, char *port, struct addrinfo hints)
  {
  	struct addrinfo *res, *res0;
@@ -107,7 +98,7 @@
  	int error;
  
  	/* Allow nodename to be null. */
-@@ -943,9 +963,11 @@
+@@ -996,9 +1016,11 @@ local_listen(char *host, char *port, str
  		    res->ai_protocol)) < 0)
  			continue;
  
@@ -119,7 +110,7 @@
  
  		set_common_sockopts(s, res->ai_family);
  
-@@ -1403,11 +1425,13 @@
+@@ -1454,11 +1476,13 @@ set_common_sockopts(int s, int af)
  {
  	int x = 1;
  
@@ -133,7 +124,24 @@
  	if (Dflag) {
  		if (setsockopt(s, SOL_SOCKET, SO_DEBUG,
  			&x, sizeof(x)) == -1)
-@@ -1444,13 +1468,17 @@
+@@ -1469,9 +1493,16 @@ set_common_sockopts(int s, int af)
+ 		    IP_TOS, &Tflag, sizeof(Tflag)) == -1)
+ 			err(1, "set IP ToS");
+ 
++#ifdef IPV6_TCLASS
+ 		else if (af == AF_INET6 && setsockopt(s, IPPROTO_IPV6,
+ 		    IPV6_TCLASS, &Tflag, sizeof(Tflag)) == -1)
+ 			err(1, "set IPv6 traffic class");
++#else
++		else if (af == AF_INET6) {
++			errno = ENOPROTOOPT
++			err(1, "set IPv6 traffic class not supported");
++		}
++#endif
+ 	}
+ 	if (Iflag) {
+ 		if (setsockopt(s, SOL_SOCKET, SO_RCVBUF,
+@@ -1495,13 +1526,17 @@ set_common_sockopts(int s, int af)
  	}
  
  	if (minttl != -1) {
@@ -152,7 +160,7 @@
  	}
  }
  
-@@ -1644,14 +1672,22 @@
+@@ -1709,14 +1744,22 @@ help(void)
  	\t-P proxyuser\tUsername for proxy authentication\n\
  	\t-p port\t	Specify local port for remote connects\n\
  	\t-R CAfile	CA bundle\n\
@@ -160,10 +168,10 @@
 -	\t-S		Enable the TCP MD5 signature option\n\
 +	\t-r		Randomize remote ports\n"
 +#ifdef TCP_MD5SIG
-+        "\
++	"\
 +	\t-S		Enable the TCP MD5 signature option\n"
 +#endif
-+        "\
++	"\
  	\t-s source	Local source address\n\
  	\t-T keyword	TOS value or TLS options\n\
  	\t-t		Answer TELNET negotiation\n\
@@ -172,10 +180,10 @@
 -	\t-V rtable	Specify alternate routing table\n\
 +	\t-u		UDP mode\n"
 +#ifdef SO_RTABLE
-+        "\
++	"\
 +	\t-V rtable	Specify alternate routing table\n"
 +#endif
-+        "\
++	"\
  	\t-v		Verbose\n\
+ 	\t-W recvlimit	Terminate after receiving a number of packets\n\
  	\t-w timeout	Timeout for connects and final net reads\n\
- 	\t-X proto	Proxy protocol: \"4\", \"5\" (SOCKS) or \"connect\"\n\

patches/tls.h.patch

@@ -0,0 +1,32 @@
+--- include/tls.h.orig	2017-02-13 20:19:55.918636579 +0900
++++ include/tls.h	2017-02-13 20:21:18.313073161 +0900
+@@ -22,6 +22,13 @@
+ extern "C" {
+ #endif
+ 
++#ifdef _MSC_VER
++#ifndef LIBRESSL_INTERNAL
++#include <basetsd.h>
++typedef SSIZE_T ssize_t;
++#endif
++#endif
++
+ #include <sys/types.h>
+ 
+ #include <stddef.h>
+--- libtls-standalone/include/tls.h.orig	2017-02-13 20:21:48.297958529 +0900
++++ libtls-standalone/include/tls.h	2017-02-13 20:21:48.296958502 +0900
+@@ -22,6 +22,13 @@
+ extern "C" {
+ #endif
+ 
++#ifdef _MSC_VER
++#ifndef LIBRESSL_INTERNAL
++#include <basetsd.h>
++typedef SSIZE_T ssize_t;
++#endif
++#endif
++
+ #include <sys/types.h>
+ 
+ #include <stddef.h>

ssl/CMakeLists.txt

@@ -39,6 +39,7 @@ set(
 	ssl_versions.c
 	t1_clnt.c
 	t1_enc.c
+	t1_hash.c
 	t1_lib.c
 	t1_meth.c
 	t1_reneg.c
@@ -59,8 +60,12 @@ if (BUILD_SHARED)
 		ARCHIVE_OUTPUT_NAME ssl${SSL_POSTFIX})
 	set_target_properties(ssl-shared PROPERTIES VERSION ${SSL_VERSION}
 		SOVERSION ${SSL_MAJOR_VERSION})
-	install(TARGETS ssl ssl-shared DESTINATION lib)
+	if(ENABLE_LIBRESSL_INSTALL)
+		install(TARGETS ssl ssl-shared DESTINATION ${CMAKE_INSTALL_LIBDIR})
+	endif(ENABLE_LIBRESSL_INSTALL)
 else()
 	add_library(ssl STATIC ${SSL_SRC})
-	install(TARGETS ssl DESTINATION lib)
+	if(ENABLE_LIBRESSL_INSTALL)
+		install(TARGETS ssl DESTINATION ${CMAKE_INSTALL_LIBDIR})
+	endif(ENABLE_LIBRESSL_INSTALL)
 endif()

ssl/Makefile.am

@@ -42,6 +42,7 @@ libssl_la_SOURCES += ssl_txt.c
 libssl_la_SOURCES += ssl_versions.c
 libssl_la_SOURCES += t1_clnt.c
 libssl_la_SOURCES += t1_enc.c
+libssl_la_SOURCES += t1_hash.c
 libssl_la_SOURCES += t1_lib.c
 libssl_la_SOURCES += t1_meth.c
 libssl_la_SOURCES += t1_reneg.c

tests/CMakeLists.txt

@@ -178,6 +178,11 @@ add_executable(gost2814789t gost2814789t.c)
 target_link_libraries(gost2814789t ${TESTS_LIBS})
 add_test(gost2814789t gost2814789t)
 
+# hkdf_test
+add_executable(hkdf_test hkdf_test.c)
+target_link_libraries(hkdf_test ${TESTS_LIBS})
+add_test(hkdf_test hkdf_test)
+
 # hmactest
 add_executable(hmactest hmactest.c)
 target_link_libraries(hmactest ${TESTS_LIBS})
@@ -292,6 +297,16 @@ add_executable(rsa_test rsa_test.c)
 target_link_libraries(rsa_test ${TESTS_LIBS})
 add_test(rsa_test rsa_test)
 
+# servertest
+add_executable(servertest servertest.c)
+target_link_libraries(servertest ${TESTS_LIBS})
+if(NOT MSVC)
+	add_test(servertest ${CMAKE_CURRENT_SOURCE_DIR}/servertest.sh)
+else()
+	add_test(servertest ${CMAKE_CURRENT_SOURCE_DIR}/servertest.bat)
+endif()
+set_tests_properties(servertest PROPERTIES ENVIRONMENT "srcdir=${CMAKE_CURRENT_SOURCE_DIR}")
+
 # sha1test
 add_executable(sha1test sha1test.c)
 target_link_libraries(sha1test ${TESTS_LIBS})
@@ -374,6 +389,11 @@ add_executable(tls_ext_alpn tls_ext_alpn.c)
 target_link_libraries(tls_ext_alpn ${TESTS_LIBS})
 add_test(tls_ext_alpn tls_ext_alpn)
 
+# tls_prf
+add_executable(tls_prf tls_prf.c)
+target_link_libraries(tls_prf ${TESTS_LIBS})
+add_test(tls_prf tls_prf)
+
 # utf8test
 add_executable(utf8test utf8test.c)
 target_link_libraries(utf8test ${TESTS_LIBS})

tests/Makefile.am

@@ -184,6 +184,11 @@ TESTS += gost2814789t
 check_PROGRAMS += gost2814789t
 gost2814789t_SOURCES = gost2814789t.c
 
+# hkdf_test
+TESTS += hkdftest
+check_PROGRAMS += hkdftest
+hkdftest_SOURCES = hkdf_test.c
+
 # hmactest
 TESTS += hmactest
 check_PROGRAMS += hmactest
@@ -294,6 +299,12 @@ TESTS += rsa_test
 check_PROGRAMS += rsa_test
 rsa_test_SOURCES = rsa_test.c
 
+# servertest
+TESTS += servertest.sh
+check_PROGRAMS += servertest
+servertest_SOURCES = servertest.c
+EXTRA_DIST += servertest.sh servertest.bat
+
 # sha1test
 TESTS += sha1test
 check_PROGRAMS += sha1test
@@ -353,6 +364,11 @@ TESTS += tls_ext_alpn
 check_PROGRAMS += tls_ext_alpn
 tls_ext_alpn_SOURCES = tls_ext_alpn.c
 
+# tls_prf
+TESTS += tls_prf
+check_PROGRAMS += tls_prf
+tls_prf_SOURCES = tls_prf.c
+
 # utf8test
 TESTS += utf8test
 check_PROGRAMS += utf8test

tests/servertest.bat

@@ -0,0 +1,17 @@
+@echo off
+setlocal enabledelayedexpansion
+REM	servertest.bat
+
+set servertest_bin=Debug\servertest.exe
+if not exist %servertest_bin% exit /b 1
+
+if "%srcdir%"=="" (
+	set srcdir=.
+)
+
+%servertest_bin% %srcdir%\server.pem %srcdir%\server.pem %srcdir%\ca.pem
+if !errorlevel! neq 0 (
+	exit /b 1
+)
+
+endlocal

tests/servertest.sh

@@ -0,0 +1,13 @@
+#!/bin/sh
+set -e
+
+servertest_bin=./servertest
+if [ -e ./servertest.exe ]; then
+	servertest_bin=./servertest.exe
+fi
+
+if [ -z $srcdir ]; then
+	srcdir=.
+fi
+
+$servertest_bin $srcdir/server.pem $srcdir/server.pem $srcdir/ca.pem

tests/tlstest.bat

@@ -9,7 +9,7 @@ if "%srcdir%"=="" (
 	set srcdir=.
 )
 
-%tlstest_bin% %srcdir%\server.pem %srcdir%\server.pem %srcdir%\ca.pem
+%tlstest_bin% %srcdir%\ca.pem %srcdir%\server.pem %srcdir%\server.pem
 if !errorlevel! neq 0 (
 	exit /b 1
 )

tests/tlstest.sh

@@ -10,4 +10,4 @@ if [ -z $srcdir ]; then
 	srcdir=.
 fi
 
-$tlstest_bin $srcdir/server.pem $srcdir/server.pem $srcdir/ca.pem
+$tlstest_bin $srcdir/ca.pem $srcdir/server.pem $srcdir/server.pem

tls/CMakeLists.txt

@@ -39,9 +39,13 @@ if (BUILD_SHARED)
 		ARCHIVE_OUTPUT_NAME tls${TLS_POSTFIX})
 	set_target_properties(tls-shared PROPERTIES VERSION ${TLS_VERSION}
 		SOVERSION ${TLS_MAJOR_VERSION})
-	install(TARGETS tls tls-shared DESTINATION lib)
+	if(ENABLE_LIBRESSL_INSTALL)
+		install(TARGETS tls tls-shared DESTINATION ${CMAKE_INSTALL_LIBDIR})
+	endif(ENABLE_LIBRESSL_INSTALL)
 else()
 	add_library(tls STATIC ${TLS_SRC})
-	install(TARGETS tls DESTINATION lib)
+	if(ENABLE_LIBRESSL_INSTALL)
+		install(TARGETS tls DESTINATION ${CMAKE_INSTALL_LIBDIR})
+	endif(ENABLE_LIBRESSL_INSTALL)
 endif()
 

update.sh

@@ -18,16 +18,17 @@ fi
 
 # setup source paths
 CWD=`pwd`
-libc_src=$CWD/openbsd/src/lib/libc
-libc_regress=$CWD/openbsd/src/regress/lib/libc
-libcrypto_src=$CWD/openbsd/src/lib/libcrypto
-libcrypto_regress=$CWD/openbsd/src/regress/lib/libcrypto
-libssl_src=$CWD/openbsd/src/lib/libssl
-libssl_regress=$CWD/openbsd/src/regress/lib/libssl
-libtls_src=$CWD/openbsd/src/lib/libtls
-libtls_regress=$CWD/openbsd/src/regress/lib/libtls
-bin_src=$CWD/openbsd/src/usr.bin
-sbin_src=$CWD/openbsd/src/usr.sbin
+OPENBSD_SRC=$CWD/openbsd/src
+libc_src=$OPENBSD_SRC/lib/libc
+libc_regress=$OPENBSD_SRC/regress/lib/libc
+libcrypto_src=$OPENBSD_SRC/lib/libcrypto
+libcrypto_regress=$OPENBSD_SRC/regress/lib/libcrypto
+libssl_src=$OPENBSD_SRC/lib/libssl
+libssl_regress=$OPENBSD_SRC/regress/lib/libssl
+libtls_src=$OPENBSD_SRC/lib/libtls
+libtls_regress=$OPENBSD_SRC/regress/lib/libtls
+bin_src=$OPENBSD_SRC/usr.bin
+sbin_src=$OPENBSD_SRC/usr.sbin
 
 # load library versions
 . $libcrypto_src/shlib_version
@@ -62,6 +63,10 @@ do_cp_libc() {
 CP_LIBC='do_cp_libc'
 
 CP='cp -p'
+GREP='grep'
+if [ -x /opt/csw/bin/ggrep ]; then
+	GREP='/opt/csw/bin/ggrep'
+fi
 
 $CP $libssl_src/LICENSE COPYING
 
@@ -78,6 +83,7 @@ for i in crypto/compat libtls-standalone/compat; do
 	    $libc_src/crypt/chacha_private.h \
 	    $libc_src/net/inet_pton.c \
 	    $libc_src/stdlib/reallocarray.c \
+	    $libc_src/stdlib/recallocarray.c \
 	    $libc_src/string/explicit_bzero.c \
 	    $libc_src/string/strcasecmp.c \
 	    $libc_src/string/strlcpy.c \
@@ -119,7 +125,7 @@ copy_hdrs $libcrypto_src "stack/stack.h lhash/lhash.h stack/safestack.h
 	ossl_typ.h err/err.h crypto.h comp/comp.h x509/x509.h buffer/buffer.h
 	objects/objects.h asn1/asn1.h bn/bn.h ec/ec.h ecdsa/ecdsa.h
 	ecdh/ecdh.h rsa/rsa.h sha/sha.h x509/x509_vfy.h pkcs7/pkcs7.h pem/pem.h
-	pem/pem2.h hmac/hmac.h rand/rand.h md5/md5.h
+	pem/pem2.h hkdf/hkdf.h hmac/hmac.h rand/rand.h md5/md5.h
 	asn1/asn1_mac.h x509v3/x509v3.h conf/conf.h ocsp/ocsp.h
 	aes/aes.h modes/modes.h asn1/asn1t.h dso/dso.h bf/blowfish.h
 	bio/bio.h cast/cast.h cmac/cmac.h conf/conf_api.h des/des.h dh/dh.h
@@ -150,7 +156,7 @@ done
 $CP crypto/compat/b_win.c crypto/bio
 $CP crypto/compat/ui_openssl_win.c crypto/ui
 # add the libcrypto symbol export list
-grep '^[[:alpha:]]' < $libcrypto_src/Symbols.list > crypto/crypto.sym
+$GREP -v OPENSSL_ia32cap_P $libcrypto_src/Symbols.list | $GREP '^[[:alpha:]]' > crypto/crypto.sym
 
 # generate assembly crypto algorithms
 asm_src=$libcrypto_src
@@ -205,7 +211,7 @@ for i in `awk '/SOURCES|HEADERS/ { print $3 }' tls/Makefile.am` ; do
 	fi
 done
 # add the libtls symbol export list
-grep '^[[:alpha:]]' < $libtls_src/Symbols.list > tls/tls.sym
+$GREP '^[[:alpha:]]' < $libtls_src/Symbols.list > tls/tls.sym
 
 mkdir -p libtls-standalone/m4
 $CP m4/check*.m4 \
@@ -258,7 +264,7 @@ for i in `awk '/SOURCES|HEADERS/ { print $3 }' ssl/Makefile.am` ; do
 	$CP $libssl_src/$i ssl
 done
 # add the libssl symbol export list
-grep '^[[:alpha:]]' < $libssl_src/Symbols.list > ssl/ssl.sym
+$GREP '^[[:alpha:]]' < $libssl_src/Symbols.list > ssl/ssl.sym
 
 # copy libcrypto tests
 echo "copying tests"
@@ -303,7 +309,7 @@ add_man_links() {
 	filter=$1
 	dest=$2
 	echo "install-data-hook:" >> $dest
-	for i in `grep $filter man/links`; do
+	for i in `$GREP $filter man/links`; do
 		IFS=","; set $i; unset IFS
 		if [ "$2" != "" ]; then
 			echo "	ln -sf \"$1\" \"\$(DESTDIR)\$(mandir)/man3/$2\"" >> $dest
@@ -311,7 +317,7 @@ add_man_links() {
 	done
 	echo "" >> $dest
 	echo "uninstall-local:" >> $dest
-	for i in `grep $filter man/links`; do
+	for i in `$GREP $filter man/links`; do
 		IFS=","; set $i; unset IFS
 		if [ "$2" != "" ]; then
 			echo "	-rm -f \"\$(DESTDIR)\$(mandir)/man3/$2\"" >> $dest