update changelog

make OPENBSD_6_2 branch
Separate man(5) pages
2017-11-05 17:13:06 -06:00 · 2017-11-02 05:59:08 -05:00 · 2017-10-22 16:10:38 +02:00 · 2017-09-26 09:21:38 -05:00 · 2017-09-26 22:02:21 +09:00 · 2017-09-25 23:06:21 -05:00
47 changed files with 945 additions and 265 deletions
--- a/.gitignore
+++ b/.gitignore
@@ -45,6 +45,7 @@ Makefile.in
 # man pages
 *.1
 *.3
+*.5

 # tests
 test-driver
@@ -55,20 +56,22 @@ tests/arc4random_fork*
 tests/asn1time*
 tests/cipher*
 tests/explicit_bzero*
+tests/freenull*
 tests/gost2814789t*
 tests/mont*
 tests/rfc5280time*
 tests/ssl_versions*
 tests/timingsafe*
 tests/tls_ext_alpn*
+tests/tls_prf*
 tests/*test
 tests/tests.h
 tests/*test.c
-tests/memmem.c
 tests/pbkdf2*
 tests/*.pem
 tests/testssl
 tests/*.txt
+tests/compat/*.c
 !tests/optionstest.c
 !tests/*.test

@@ -127,6 +130,7 @@ include/openssl/*.h
 /apps/nc/*.c
 /apps/nc/nc*
 !/apps/nc/readpassphrase.c
+/apps/nc/compat/*.c

 /apps/openssl/*.h
 /apps/openssl/*.c
@@ -141,6 +145,8 @@ include/openssl/*.h
 !/crypto/compat/arc4random.h
 !/crypto/compat/b_win.c
 !/crypto/compat/explicit_bzero_win.c
+!/crypto/compat/freezero.c
+!/crypto/compat/getpagesize.c
 !/crypto/compat/posix_win.c
 !/crypto/compat/bsd_asprintf.c
 !/crypto/compat/inet_pton.c
@@ -164,3 +170,4 @@ openbsd/

 *.tar.gz
 man/Makefile.am
+man/mandoc.db
--- a/CMakeLists.txt
+++ b/CMakeLists.txt
@@ -4,8 +4,9 @@ include(CheckLibraryExists)
 include(CheckIncludeFiles)
 include(CheckTypeSize)

-set(CMAKE_MODULE_PATH "${CMAKE_SOURCE_DIR}" ${CMAKE_MODULE_PATH})
+set(CMAKE_MODULE_PATH "${CMAKE_CURRENT_SOURCE_DIR}" ${CMAKE_MODULE_PATH})
 include(cmake_export_symbol)
+include(GNUInstallDirs)

 project (LibreSSL C)

@@ -26,12 +27,18 @@ string(STRIP ${TLS_VERSION} TLS_VERSION)
 string(REPLACE ":" "." TLS_VERSION ${TLS_VERSION})
 string(REGEX REPLACE "\\..*" "" TLS_MAJOR_VERSION ${TLS_VERSION})

+option(LIBRESSL_SKIP_INSTALL "Skip installation" ${LIBRESSL_SKIP_INSTALL})
 option(ENABLE_ASM "Enable assembly" ON)
 option(ENABLE_EXTRATESTS "Enable extra tests that may be unreliable on some platforms" OFF)
 option(ENABLE_NC "Enable installing TLS-enabled nc(1)" OFF)
 option(ENABLE_VSTEST "Enable test on Visual Studio" OFF)
 set(OPENSSLDIR ${OPENSSLDIR} CACHE PATH "Set the default openssl directory" FORCE)

+if(NOT LIBRESSL_SKIP_INSTALL)
+	set( ENABLE_LIBRESSL_INSTALL ON )
+endif(NOT LIBRESSL_SKIP_INSTALL)
+
+
 set(BUILD_NC true)

 if(CMAKE_SYSTEM_NAME MATCHES "Darwin")
@@ -102,14 +109,20 @@ if(MSVC)
 		set(MSVC_DISABLED_WARNINGS_LIST
 			"C4057" # C4057: 'initializing' : 'unsigned char *' differs in
 		        	# indirection to slightly different base types from 'char [2]'
+			"C4018" # '>=': signed/unsigned mismatch
 			"C4100" # 'exarg' : unreferenced formal parameter
 			"C4127" # conditional expression is constant
+			"C4146" # unary minus operator applied to unsigned
+			        # type, result still unsigned
 			"C4242" # 'function' : conversion from 'int' to 'uint8_t',
 			        # possible loss of data
 			"C4244" # 'function' : conversion from 'int' to 'uint8_t',
 			        # possible loss of data
+			"C4245" # 'initializing': conversion from 'long' to
+			        # 'unsigned long', signed/unsigned mismatch
 			"C4267" # conversion from 'size_t' to 'some type that is almost
 				# certainly safe to convert a size_t to'.
+			"C4389" # '!=': signed/unsigned mismatch
 			"C4706" # assignment within conditional expression
 			"C4820" # 'bytes' bytes padding added after construct 'member_name'
 			"C4996" # 'read': The POSIX name for this item is deprecated. Instead,
@@ -219,6 +232,11 @@ if(HAVE_GETENTROPY)
 	add_definitions(-DHAVE_GETENTROPY)
 endif()

+check_function_exists(getpagesize HAVE_GETPAGESIZE)
+if(HAVE_GETPAGESIZE)
+	add_definitions(-DHAVE_GETPAGESIZE)
+endif()
+
 check_function_exists(timingsafe_bcmp HAVE_TIMINGSAFE_BCMP)
 if(HAVE_TIMINGSAFE_BCMP)
 	add_definitions(-DHAVE_TIMINGSAFE_BCMP)
@@ -288,6 +306,7 @@ endif()
 check_type_size(time_t SIZEOF_TIME_T)
 if(SIZEOF_TIME_T STREQUAL "4")
 	set(SMALL_TIME_T true)
+	add_definitions(-DSMALL_TIME_T)
 	message(WARNING " ** Warning, this system is unable to represent times past 2038\n"
 	                " ** It will behave incorrectly when handling valid RFC5280 dates")
 endif()
@@ -305,6 +324,23 @@ if(NOT MSVC OR ENABLE_VSTEST)
 	add_subdirectory(tests)
 endif()

+if(NOT MSVC)
+	# Create pkgconfig files.
+	set(prefix      ${CMAKE_INSTALL_PREFIX})
+	set(exec_prefix \${prefix})
+	set(libdir      \${exec_prefix}/${CMAKE_INSTALL_LIBDIR})
+	set(includedir  \${prefix}/include)
+	file(STRINGS    "VERSION" VERSION LIMIT_COUNT 1)
+	file(GLOB       OPENSSL_PKGCONFIGS "*.pc.in")
+	foreach(file ${OPENSSL_PKGCONFIGS})
+		get_filename_component(filename ${file} NAME)
+		string(REPLACE ".in" "" new_file "${filename}")
+		configure_file(${filename} pkgconfig/${new_file} @ONLY)
+	endforeach()
+	install(DIRECTORY ${CMAKE_CURRENT_BINARY_DIR}/pkgconfig
+		DESTINATION ${CMAKE_INSTALL_LIBDIR})
+endif()
+
 configure_file(
 	"${CMAKE_CURRENT_SOURCE_DIR}/cmake_uninstall.cmake.in"
 	"${CMAKE_CURRENT_BINARY_DIR}/cmake_uninstall.cmake"
--- a/206
+++ b/206
@@ -28,6 +28,208 @@ history is also available from Git.

 LibreSSL Portable Release Notes:

+2.6.3 - OpenBSD 6.2 Release
+
+	* No core changes from LibreSSL 2.6.2
+
+	* Minor compatibility fixes in portable version.
+
+2.6.2 - Bug fixes
+
+	* Provide a useful error with libtls if there are no OCSP URLs in a
+	  peer certificate.
+
+	* Keep track of which keypair is in use by a TLS context, fixing a bug
+	  where a TLS server with SNI would only return the OCSP staple for the
+	  default keypair. Issue reported by William Graeber and confirmed by
+	  Andreas Bartelt.
+
+	* Fixed various issues in the OCSP extension parsing code.
+	  The original code incorrectly passes the pointer allocated via
+	  CBS_stow() (using malloc()) to a d2i_*() function and then calls
+	  free() on the now incremented pointer, most likely resulting in a
+	  crash. This issue was reported by Robert Swiecki who found the issue
+	  using honggfuzz.
+
+	* If tls_config_parse_protocols() is called with a NULL pointer,
+	  return the default protocols instead of crashing - this makes the
+	  behaviour more useful and mirrors what we already do in
+	  tls_config_set_ciphers() et al.
+
+2.6.1 - Code removal, rewrites
+
+	* Added a "-T tlscompat" option to nc(1), which enables the use of all
+	  TLS protocols and "compat" ciphers. This allows for TLS connections
+	  to TLS servers that are using less than ideal cipher suites, without
+	  having to resort to "-T tlsall" which enables all known cipher
+	  suites.  Diff from Kyle J. McKay.
+
+	* Added a new TLS extension handling framework, somewhat analogous to
+	  BoringSSL, and converted all TLS extensions to use it. Added new TLS
+	  extension regression tests.
+
+	* Improved and added many new manpages. Updated *check_private_key
+	  manpages with additional cautions regarding their use.
+
+	* Cleaned up the EC key/curve configuration handling.
+
+	* Added tls_config_set_ecdhecurves() to libtls, which allows the names
+	  of the eliptical curves that may be used during client and server
+	  key exchange to be specified.
+
+	* Converted more code paths to use CBB/CBS.
+
+	* Removed support for DSS/DSA, since we removed the cipher suites a
+	  while back.
+
+	* Removed NPN support. NPN was never standardised and the last draft
+	  expired in October 2012. ALPN was standardised in July 2014 and has
+	  been supported in LibreSSL since December 2014. NPN has also been
+	  removed from Chromium in May 2016.
+
+	* Removed SSL_OP_CRYPTOPRO_TLSEXT_BUG workaround for old/broken
+	  CryptoPro clients.
+
+	* Removed support for the TLS padding extension, which was added as a
+	  workaround for an old bug in F5's TLS termination.
+
+	* Worked around another bug in F5's TLS termination handling of the
+	  elliptical curves extension. RFC 4492 only defines elliptic_curves
+	  for ClientHello. However, F5 is sending it in ServerHello.  We need
+	  to skip over it since our TLS extension parsing code is now more
+	  strict. Thanks to Armin Wolfermann and WJ Liu for reporting.
+
+	* Added ability to clamp notafter valies in certificates for systems
+	  with 32-bit time_t. This is necessary to conform to RFC 5280
+	  4.1.2.5.
+
+	* Implemented the SSL_CTX_set_min_proto_version(3) API.
+
+	* Removed the original (pre-IETF) chacha20-poly1305 cipher suites.
+
+	* Reclassified ECDHE-RSA-DES-CBC3-SHA from HIGH to MEDIUM.
+
+2.6.0 - New APIs, bug fixes and improvements
+
+	* Added support for providing CRLs to libtls. Once a CRL is provided we
+	  enable CRL checking for the full certificate chain. Based on a diff
+	  from Jack Burton
+
+	* Allow non-compliant clients using IP literal addresses with SNI
+	  to connect to a server using libtls.
+
+	* Avoid a potential NULL pointer dereference in d2i_ECPrivateKey().
+	  Reported by Robert Swiecki, who found the issue using honggfuzz.
+
+	* Added definitions for three OIDs used in EV certificates.
+	  From Kyle J. McKay
+
+	* Added tls_peer_cert_chain_pem to libtls, useful in private
+	  certificate validation callbacks such as those in relayd.
+
+	* Converted explicit clear/free sequences to use freezero(3).
+
+	* Reworked TLS certificate name verification code to more strictly
+	  follow RFC 6125.
+
+	* Cleaned up and simplified server key exchange EC point handling.
+
+	* Added tls_keypair_clear_key for clearing key material.
+
+	* Removed inconsistent IPv6 handling from BIO_get_accept_socket,
+	  simplified BIO_get_host_ip and BIO_accept.
+
+	* Fixed the openssl(1) ca command so that is generates certificates
+	  with RFC 5280-conformant time. Problem noticed by Harald Dunkel.
+
+	* Added ASN1_TIME_set_tm to set an asn1 from a struct tm *
+
+	* Added SSL{,_CTX}_set_{min,max}_proto_version() functions.
+
+	* Added HKDF (HMAC Key Derivation Function) from BoringSSL
+
+	* Provided a tls_unload_file() function that frees the memory returned
+	  from a tls_load_file() call, ensuring that it the contents become
+	  inaccessible. This is specifically needed on platforms where the
+	  library allocators may be different from the application allocator.
+
+	* Perform reference counting for tls_config. This allows
+	  tls_config_free() to be called as soon as it has been passed to the
+	  final tls_configure() call, simplifying lifetime tracking for the
+	  application.
+
+	* Moved internal state of SSL and other structures to be opaque.
+
+	* Dropped cipher suites with DSS authentication.
+
+	* nc(1) improvements, including:
+	   nc -W to terminate nc after receiving a number of packets
+	   nc -Z for saving the peer certificate and chain in a pem file
+
+2.5.5 - Bug fixes
+
+	* Distinguish between self-issued certificates and self-signed
+	  certificates. The certificate verification code has special cases
+	  for self-signed certificates and without this change, self-issued
+	  certificates (which it seems are common place with
+	  openvpn/easyrsa) were also being included in this category.
+
+	* Added getpagesize fallback, needed for Android bionic libc.
+
+2.5.4 - Security Updates
+
+	* Revert a previous change that forced consistency between return
+	  value and error code when specifing a certificate verification
+	  callback, since this breaks the documented API. When a user supplied
+	  callback always returns 1, and later code checks the error code to
+	  potentially abort post verification, this will result in incorrect
+	  successul certificate verification.
+
+	* Switched Linux getrandom() usage to non-blocking mode, continuing to
+	  use fallback mechanims if unsuccessful. This works around a design
+	  flaw in Linux getrandom(2) where early boot usage in a library makes
+	  it impossible to recover if getrandom(2) is not yet initialized.
+
+	* Fixed a bug caused by the return value being set early to signal
+	  successful DTLS cookie validation. This can mask a later failure and
+	  result in a positive return value being returned from
+	  ssl3_get_client_hello(), when it should return a negative value to
+	  propagate the error.
+
+	* Fixed a build error on non-x86/x86_64 systems running Solaris.
+
+2.5.3 - OpenBSD 6.1 Release
+
+	* Documentation updates
+
+	* Improved ocspcheck(1) error handling
+
+2.5.2 - Security features and bugfixes
+
+	* Added the recallocarray(3) memory allocation function, and converted
+	  various places in the library to use it, such as CBB and BUF_MEM_grow.
+	  recallocarray(3) is similar to reallocarray. Newly allocated memory
+	  is cleared similar to calloc(3). Memory that becomes unallocated
+	  while shrinking or moving existing allocations is explicitly
+	  discarded by unmapping or clearing to 0
+
+	* Added new root CAs from SECOM Trust Systems / Security Communication
+	  of Japan.
+
+	* Added EVP interface for MD5+SHA1 hashes.
+
+	* Fixed DTLS client failures when the server sends a certificate
+	  request.
+
+	* Correct handling of padding when upgrading an SSLv2 challenge into
+	  an SSLv3/TLS connection.
+
+	* Allow protocols and ciphers to be set on a TLS config object in
+	  libtls.
+
+	* Improved nc(1) TLS handshake CPU usage and server-side error
+	  reporting.
+
 2.5.1 - Bug and security fixes, new features, documentation updates

 	* X509_cmp_time() now passes a malformed GeneralizedTime field as an
@@ -75,10 +277,10 @@ LibreSSL Portable Release Notes:
 	  SSL{_CTX}_set1_groups{_list}() - also provide defines for the previous
 	  SSL{_CTX}_set1_curves{_list} names. This also changes the default
 	  list of curves to be X25519, P-256 and P-384. All other curves must
-          be manually enabled.
+	  be manually enabled.

 	* Added -groups option to openssl(1) s_client for specifying the curves
-          to be used in a colon-separated list.
+	  to be used in a colon-separated list.

 	* Merged client/server version negotiation code paths into one,
 	  reducing much duplicate code.
--- a/2
+++ b/2
@@ -1 +1 @@
-master
+OPENBSD_6_2
--- a/README.md
+++ b/README.md
@@ -56,20 +56,25 @@ or to the github
 Severe vulnerabilities or bugs requiring coordination with OpenSSL can be
 sent to the core team at libressl-security@openbsd.org.

-## Prerequisites when building from git ##
+# Building LibreSSL #

-If you have checked this source using Git, follow these initial steps to
-prepare the source tree for building:
+## Prerequisites when building from a Git checkout ##
+
+If you have checked this source using Git, or have downloaded a source tarball
+from Github, follow these initial steps to prepare the source tree for
+building. _Note: Your build will fail if you do not follow these instructions! If you cannot follow these instructions (e.g. Windows system using CMake) or cannot meet these prerequistes, please download an official release distribution from https://ftp.openbsd.org/pub/OpenBSD/LibreSSL/ instead. Using official releases is strongly advised if you are not a developer._

 1. Ensure you have the following packages installed:
-   automake, autoconf, git, libtool, perl, pod2man
+   automake, autoconf, git, libtool, perl
 2. Run './autogen.sh' to prepare the source tree for building or
   run './dist.sh' to prepare a tarball.

-## Building LibreSSL ##
+## Steps that apply to all builds ##

-Once you have a source tree from Git or FTP, run these commands to build and
-install the package on most systems:
+Once you have a source tree, either by downloaded using git and having
+run the autogen.sh script above, or by downloading a release distribution from
+an OpenBSD mirror, run these commands to build and install the package on most
+systems:

 ```sh
 ./configure   # see ./configure --help for configuration options
@@ -119,9 +124,9 @@ should work. See README.windows for more information

 #### Windows - Visual Studio ####

-LibreSSL builds using the CMake target "Visual Studio 12 2013", and may build
-against older/newer targets as well. To generate a Visual Studio project,
-install CMake, enter the LibreSSL source directory and run:
+LibreSSL builds using the CMake target "Visual Studio 12 2013" and newer. To
+generate a Visual Studio project, install CMake, enter the LibreSSL source
+directory and run:

 ```sh
 mkdir build-vs2013
@@ -129,5 +134,18 @@ install CMake, enter the LibreSSL source directory and run:
 cmake -G"Visual Studio 12 2013" ..
 ```

-This will generate a LibreSSL.sln file that you can incorporate into other
-projects or build by itself.
+Replace "Visual Studion 12 2013" with whatever version of Visual Studio you
+have installed. This will generate a LibreSSL.sln file that you can incorporate
+into other projects or build by itself.
+
+#### Cmake - Additional Options ####
+
+| Option Name | Default | Description
+| ------------ | -----: | ------
+|  LIBRESSL_SKIP_INSTALL | OFF | allows skipping install() rules.  Can be specified from command line using <br>```-DLIBRESSL_SKIP_INSTALL=ON``` |
+|  ENABLE_ASM | ON | builds assembly optimized rules. |
+|  ENABLE_EXTRATESTS | OFF | Enable extra tests that may be unreliable on some platforms |
+|  ENABLE_NC | OFF | Enable installing TLS-enabled nc(1) |
+|  ENABLE_VSTEST | OFF | Enable test on Visual Studio |
+|  OPENSSLDIR | Blank | Set the default openssl directory.  Can be specified from command line using <br>```-DOPENSSLDIR=<dirname>``` |
+
--- a/README.windows
+++ b/README.windows
@@ -12,7 +12,8 @@ cross compilers on Windows.
 To configure and build LibreSSL for a 32-bit system, use the following
 build steps:

- CC=i686-w64-mingw32-gcc ./configure --host=i686-w64-mingw32
+ CC=i686-w64-mingw32-gcc CPPFLAGS=-D__MINGW_USE_VC2005_COMPAT \
+ ./configure --host=i686-w64-mingw32
 make
 make check

@@ -22,6 +23,25 @@ For 64-bit builds, use these instead:
 make
 make check

+# Why the -D__MINGW_USE_VC2005_COMPAT flag on 32-bit systems?
+
+An ABI change introduced with Microsoft Visual C++ 2005 (also known as
+Visual C++ 8.0) switched time_t from 32-bit to 64-bit. It is important to
+build LibreSSL with 64-bit time_t whenever possible, because 32-bit time_t
+is unable to represent times past 2038 (this is commonly known as the
+Y2K38 problem).
+
+If LibreSSL is built with 32-bit time_t, when verifying a certificate whose
+expiry date is set past 19 January 2038, it will be unable to tell if the
+certificate has expired or not, and thus take the safe stance and reject it.
+
+In order to avoid this, you need to build LibreSSL (and everything that links
+with it) with the -D__MINGW_USE_VC2005_COMPAT flag. This tells mingw-w64 to
+use the new ABI.
+
+64-bit systems always have a 64-bit time_t and are not affected by this
+problem.
+
 # Using Libressl with Visual Studio

 A script for generating ready-to-use .DLL and static .LIB files is included in
--- a/apps/nc/CMakeLists.txt
+++ b/apps/nc/CMakeLists.txt
@@ -53,8 +53,10 @@ add_executable(nc ${NC_SRC})
 target_link_libraries(nc tls ${OPENSSL_LIBS})

 if(ENABLE_NC)
-	install(TARGETS nc DESTINATION bin)
-	install(FILES nc.1 DESTINATION share/man/man1)
+	if(ENABLE_LIBRESSL_INSTALL)
+		install(TARGETS nc DESTINATION ${CMAKE_INSTALL_BINDIR})
+		install(FILES nc.1 DESTINATION ${CMAKE_INSTALL_MANDIR}/man1)
+	endif(ENABLE_LIBRESSL_INSTALL)
 endif()

 endif()
--- a/apps/nc/Makefile.am
+++ b/apps/nc/Makefile.am
@@ -4,6 +4,7 @@ if BUILD_NC

 if ENABLE_NC
 bin_PROGRAMS = nc
+dist_man_MANS = nc.1
 else
 noinst_PROGRAMS = nc
 endif
--- a/apps/ocspcheck/CMakeLists.txt
+++ b/apps/ocspcheck/CMakeLists.txt
@@ -20,7 +20,7 @@ else()
        set(OCSPCHECK_SRC ${OCSPCHECK_SRC} compat/inet_ntop.c)
 endif()

-check_function_exists(inet_ntop HAVE_MEMMEM)
+check_function_exists(memmem HAVE_MEMMEM)
 if(HAVE_MEMMEM)
        add_definitions(-DHAVE_MEMMEM)
 else()
@@ -36,7 +36,10 @@ endif()
 add_executable(ocspcheck ${OCSPCHECK_SRC})
 target_link_libraries(ocspcheck tls ${OPENSSL_LIBS})

-install(TARGETS ocspcheck DESTINATION bin)
-install(FILES ocspcheck.8 DESTINATION share/man/man8)
+if(ENABLE_LIBRESSL_INSTALL)
+	install(TARGETS ocspcheck DESTINATION ${CMAKE_INSTALL_BINDIR})
+	install(FILES ocspcheck.8 DESTINATION ${CMAKE_INSTALL_MANDIR}/man8)
+
+endif(ENABLE_LIBRESSL_INSTALL)

 endif()
--- a/apps/openssl/CMakeLists.txt
+++ b/apps/openssl/CMakeLists.txt
@@ -76,13 +76,17 @@ endif()
 add_executable(openssl ${OPENSSL_SRC})
 target_link_libraries(openssl ${OPENSSL_LIBS})

-install(TARGETS openssl DESTINATION bin)
-install(FILES openssl.1 DESTINATION share/man/man1)
+if(ENABLE_LIBRESSL_INSTALL)
+	install(TARGETS openssl DESTINATION ${CMAKE_INSTALL_BINDIR})
+	install(FILES openssl.1 DESTINATION ${CMAKE_INSTALL_MANDIR}/man1)
+endif(ENABLE_LIBRESSL_INSTALL)

 if(NOT "${OPENSSLDIR}" STREQUAL "")
 	set(CONF_DIR "${OPENSSLDIR}")
 else()
 	set(CONF_DIR "${CMAKE_INSTALL_PREFIX}/etc/ssl")
 endif()
-install(FILES cert.pem openssl.cnf x509v3.cnf DESTINATION ${CONF_DIR})
-install(DIRECTORY DESTINATION ${CONF_DIR}/cert)
+if(ENABLE_LIBRESSL_INSTALL)
+	install(FILES cert.pem openssl.cnf x509v3.cnf DESTINATION ${CONF_DIR})
+	install(DIRECTORY DESTINATION ${CONF_DIR}/cert)
+endif(ENABLE_LIBRESSL_INSTALL)
--- a/apps/openssl/compat/poll_win.c
+++ b/apps/openssl/compat/poll_win.c
@@ -253,7 +253,9 @@ poll(struct pollfd *pfds, nfds_t nfds, int timeout_ms)
 	looptime_ms = timeout_ms > 100 ? 100 : timeout_ms;

 	do {
-		struct timeval tv = {0, looptime_ms * 1000};
+		struct timeval tv;
+		tv.tv_sec = 0;
+		tv.tv_usec = looptime_ms * 1000;
 		int handle_signaled = 0;

 		/*
--- a/check-release.sh
+++ b/check-release.sh
@@ -57,6 +57,7 @@ fi
 echo "differences between release and regenerated release tag:"
 diff -urN \
 	-x *.3 \
+	-x *.5 \
 	-x Makefile.in \
 	-x aclocal.m4 \
 	-x compile \
--- a/cmake_export_symbol.cmake
+++ b/cmake_export_symbol.cmake
@@ -10,7 +10,13 @@ macro(export_symbol TARGET FILENAME)
 		target_sources(${TARGET} PRIVATE ${DEF_FILENAME})

 	elseif(APPLE)
-		set(FLAG "-exported_symbols_list ${FILENAME}")
+		file(READ ${FILENAME} SYMBOLS)
+		string(REGEX REPLACE "\n$" "" SYMBOLS ${SYMBOLS})
+		string(REPLACE "\n" "\n_" SYMBOLS ${SYMBOLS})
+		string(REGEX REPLACE "(.)$" "\\1\\n" SYMBOLS ${SYMBOLS})
+		string(REPLACE ".sym" ".exp" EXP_FILENAME ${FILENAME})
+		file(WRITE ${EXP_FILENAME} "_${SYMBOLS}")
+		set(FLAG "-exported_symbols_list ${EXP_FILENAME}")
 		set_target_properties(${TARGET} PROPERTIES LINK_FLAGS ${FLAG})

 	elseif(CMAKE_SYSTEM_NAME MATCHES "HP-UX")
--- a/configure.ac
+++ b/configure.ac
@@ -54,8 +54,6 @@ CHECK_CRYPTO_COMPAT
 CHECK_VA_COPY
 CHECK_B64_NTOP

-GENERATE_CRYPTO_PORTABLE_SYM
-
 AC_ARG_WITH([openssldir],
 	AS_HELP_STRING([--with-openssldir],
 		       [Set the default openssl directory]),
@@ -80,19 +78,15 @@ AC_TRY_COMPILE([#include "$srcdir/crypto/modes/modes_lcl.h"],
 	       BSWAP4=no)
 CFLAGS="$old_cflags"

-case $host_cpu in
-	*sparc*)
-		CPPFLAGS="$CPPFLAGS -D__STRICT_ALIGNMENT"
-		;;
-	*arm*)
-		AS_IF([test "x$BSWAP4" = "xyes"],,
-		    CPPFLAGS="$CPPFLAGS -D__STRICT_ALIGNMENT")
-		;;
-	*amd64*)
-		host_cpu=x86_64
-		;;
-
-esac
+AS_CASE([$host_cpu],
+	[*sparc*], [CPPFLAGS="$CPPFLAGS -D__STRICT_ALIGNMENT"],
+	[*arm*], AS_IF([test "x$BSWAP4" = "xyes"],,
+		    CPPFLAGS="$CPPFLAGS -D__STRICT_ALIGNMENT"),
+	[*amd64*], [host_cpu=x86_64, HOSTARCH=intel],
+	[i?86], [HOSTARCH=intel],
+	[x86_64], [HOSTARCH=intel]
+)
+AM_CONDITIONAL([HOST_CPU_IS_INTEL], [test "x$HOSTARCH" = "xintel"])

 AC_MSG_CHECKING([if .gnu.warning accepts long strings])
 AC_LINK_IFELSE([AC_LANG_SOURCE([[
@@ -140,8 +134,15 @@ AC_CONFIG_FILES([

 AM_CONDITIONAL([SMALL_TIME_T], [test "$ac_cv_sizeof_time_t" = "4"])
 if test "$ac_cv_sizeof_time_t" = "4"; then
+    AC_DEFINE([SMALL_TIME_T])
    echo " ** Warning, this system is unable to represent times past 2038"
    echo " ** It will behave incorrectly when handling valid RFC5280 dates"
+
+    if test "$host_os" = "mingw32" ; then
+        echo " **"
+        echo " ** You can solve this by adjusting the build flags in your"
+        echo " ** mingw-w64 toolchain. Refer to README.windows for details."
+    fi
 fi

 AC_REQUIRE_AUX_FILE([tap-driver.sh])
--- a/crypto/CMakeLists.txt
+++ b/crypto/CMakeLists.txt
@@ -352,10 +352,6 @@ set(
 	ec/ecp_mont.c
 	ec/ecp_nist.c
 	ec/ecp_oct.c
-	ec/ecp_nistp224.c
-	ec/ecp_nistp256.c
-	ec/ecp_nistp521.c
-	ec/ecp_nistputil.c
 	ec/ecp_smpl.c
 	ecdh/ech_err.c
 	ecdh/ech_key.c
@@ -429,6 +425,7 @@ set(
 	evp/m_gostr341194.c
 	evp/m_md4.c
 	evp/m_md5.c
+	evp/m_md5_sha1.c
 	evp/m_null.c
 	evp/m_ripemd.c
 	evp/m_sha1.c
@@ -462,6 +459,7 @@ set(
 	gost/gostr341001_pmeth.c
 	gost/gostr341194.c
 	gost/streebog.c
+	hkdf/hkdf.c
 	hmac/hm_ameth.c
 	hmac/hm_pmeth.c
 	hmac/hmac.c
@@ -561,7 +559,6 @@ set(
 	rsa/rsa_pss.c
 	rsa/rsa_saos.c
 	rsa/rsa_sign.c
-	rsa/rsa_ssl.c
 	rsa/rsa_x931.c
 	sha/sha1_one.c
 	sha/sha1dgst.c
@@ -680,6 +677,15 @@ if(NOT HAVE_ASPRINTF)
 	set(EXTRA_EXPORT ${EXTRA_EXPORT} vasprintf)
 endif()

+if(NOT HAVE_FREEZERO)
+	set(CRYPTO_SRC ${CRYPTO_SRC} compat/freezero.c)
+	set(EXTRA_EXPORT ${EXTRA_EXPORT} freezero)
+endif()
+
+if(NOT HAVE_GETPAGESIZE)
+	set(CRYPTO_SRC ${CRYPTO_SRC} compat/getpagesize.c)
+endif()
+
 if(NOT HAVE_INET_PTON)
 	set(CRYPTO_SRC ${CRYPTO_SRC} compat/inet_pton.c)
 	set(EXTRA_EXPORT ${EXTRA_EXPORT} inet_pton)
@@ -690,6 +696,11 @@ if(NOT HAVE_REALLOCARRAY)
 	set(EXTRA_EXPORT ${EXTRA_EXPORT} reallocarray)
 endif()

+if(NOT HAVE_RECALLOCARRAY)
+	set(CRYPTO_SRC ${CRYPTO_SRC} compat/recallocarray.c)
+	set(EXTRA_EXPORT ${EXTRA_EXPORT} recallocarray)
+endif()
+
 if(NOT HAVE_STRCASECMP)
 	set(CRYPTO_SRC ${CRYPTO_SRC} compat/strcasecmp.c)
 	set(EXTRA_EXPORT ${EXTRA_EXPORT} strcasecmp)
@@ -736,8 +747,10 @@ endif()

 if(NOT HAVE_ARC4RANDOM_BUF)
 	set(CRYPTO_SRC ${CRYPTO_SRC} compat/arc4random.c)
+	set(CRYPTO_SRC ${CRYPTO_SRC} compat/arc4random_uniform.c)
 	set(EXTRA_EXPORT ${EXTRA_EXPORT} arc4random)
 	set(EXTRA_EXPORT ${EXTRA_EXPORT} arc4random_buf)
+	set(EXTRA_EXPORT ${EXTRA_EXPORT} arc4random_uniform)

 	if(NOT HAVE_GETENTROPY)
 		if(CMAKE_HOST_WIN32)
@@ -761,11 +774,6 @@ if(NOT HAVE_ARC4RANDOM_BUF)
 	endif()
 endif()

-if(NOT HAVE_ARC4RANDOM_UNIFORM)
-	set(CRYPTO_SRC ${CRYPTO_SRC} compat/arc4random_uniform.c)
-	set(EXTRA_EXPORT ${EXTRA_EXPORT} arc4random_uniform)
-endif()
-
 if(NOT HAVE_TIMINGSAFE_BCMP)
 	set(CRYPTO_SRC ${CRYPTO_SRC} compat/timingsafe_bcmp.c)
 	set(EXTRA_EXPORT ${EXTRA_EXPORT} timingsafe_bcmp)
@@ -816,9 +824,13 @@ if (BUILD_SHARED)
 		ARCHIVE_OUTPUT_NAME crypto${CRYPTO_POSTFIX})
 	set_target_properties(crypto-shared PROPERTIES VERSION
 		${CRYPTO_VERSION} SOVERSION ${CRYPTO_MAJOR_VERSION})
-	install(TARGETS crypto crypto-shared DESTINATION lib)
+	if(ENABLE_LIBRESSL_INSTALL)
+		install(TARGETS crypto crypto-shared DESTINATION ${CMAKE_INSTALL_LIBDIR})
+	endif(ENABLE_LIBRESSL_INSTALL)
 else()
 	add_library(crypto STATIC ${CRYPTO_SRC})
-	install(TARGETS crypto DESTINATION lib)
+	if(ENABLE_LIBRESSL_INSTALL)
+		install(TARGETS crypto DESTINATION ${CMAKE_INSTALL_LIBDIR})
+	endif(ENABLE_LIBRESSL_INSTALL)
 endif()

--- a/crypto/Makefile.am
+++ b/crypto/Makefile.am
@@ -15,7 +15,84 @@ EXTRA_DIST += crypto.sym
 # needed for a CMake target
 EXTRA_DIST += compat/strcasecmp.c

-libcrypto_la_LDFLAGS = -version-info @LIBCRYPTO_VERSION@ -no-undefined -export-symbols $(top_srcdir)/crypto/crypto_portable.sym
+BUILT_SOURCES = crypto_portable.sym
+CLEANFILES = crypto_portable.sym
+
+crypto_portable.sym:
+	-echo "generating crypto_portable.sym ..."
+	-cp $(top_srcdir)/crypto/crypto.sym crypto_portable.sym
+	-chmod u+w crypto_portable.sym
+if !HAVE_ARC4RANDOM_BUF
+	-echo arc4random >> crypto_portable.sym
+	-echo arc4random_buf >> crypto_portable.sym
+	-echo arc4random_uniform >> crypto_portable.sym
+if !HAVE_GETENTROPY
+	-echo getentropy >> crypto_portable.sym
+endif
+endif
+if !HAVE_ASPRINTF
+	-echo asprintf >> crypto_portable.sym
+	-echo vasprintf >> crypto_portable.sym
+endif
+if !HAVE_EXPLICIT_BZERO
+	-echo explicit_bzero >> crypto_portable.sym
+endif
+if !HAVE_FREEZERO
+	-echo freezero >> crypto_portable.sym
+endif
+if !HAVE_INET_PTON
+	-echo inet_pton >> crypto_portable.sym
+endif
+if !HAVE_REALLOCARRAY
+	-echo reallocarray >> crypto_portable.sym
+endif
+if !HAVE_RECALLOCARRAY
+	-echo recallocarray >> crypto_portable.sym
+endif
+if !HAVE_STRLCAT
+	-echo strlcat >> crypto_portable.sym
+endif
+if !HAVE_STRLCPY
+	-echo strlcpy >> crypto_portable.sym
+endif
+if !HAVE_STRNDUP
+	-echo strndup >> crypto_portable.sym
+endif
+if !HAVE_STRNLEN
+	-echo strnlen >> crypto_portable.sym
+endif
+if !HAVE_STRSEP
+	-echo strsep >> crypto_portable.sym
+endif
+if !HAVE_TIMEGM
+	-echo timegm >> crypto_portable.sym
+endif
+if !HAVE_TIMINGSAFE_BCMP
+	-echo timingsafe_bcmp >> crypto_portable.sym
+endif
+if !HAVE_TIMINGSAFE_MEMCMP
+	-echo timingsafe_memcmp >> crypto_portable.sym
+endif
+if HOST_CPU_IS_INTEL
+	-echo OPENSSL_ia32cap_P >> crypto_portable.sym
+endif
+if HOST_WIN
+	-echo posix_perror >> crypto_portable.sym
+	-echo posix_fopen >> crypto_portable.sym
+	-echo posix_fgets >> crypto_portable.sym
+	-echo posix_open >> crypto_portable.sym
+	-echo posix_rename >> crypto_portable.sym
+	-echo posix_connect >> crypto_portable.sym
+	-echo posix_close >> crypto_portable.sym
+	-echo posix_read >> crypto_portable.sym
+	-echo posix_write >> crypto_portable.sym
+	-echo posix_getsockopt >> crypto_portable.sym
+	-echo posix_setsockopt >> crypto_portable.sym
+	-grep -v BIO_s_log crypto_portable.sym > crypto_portable.sym.tmp
+	-mv crypto_portable.sym.tmp crypto_portable.sym
+endif
+
+libcrypto_la_LDFLAGS = -version-info @LIBCRYPTO_VERSION@ -no-undefined -export-symbols crypto_portable.sym
 libcrypto_la_LIBADD = libcompat.la
 if !HAVE_EXPLICIT_BZERO
 libcrypto_la_LIBADD += libcompatnoopt.la
@@ -81,6 +158,14 @@ if !HAVE_ASPRINTF
 libcompat_la_SOURCES += compat/bsd-asprintf.c
 endif

+if !HAVE_FREEZERO
+libcompat_la_SOURCES += compat/freezero.c
+endif
+
+if !HAVE_GETPAGESIZE
+libcompat_la_SOURCES += compat/getpagesize.c
+endif
+
 if !HAVE_INET_PTON
 libcompat_la_SOURCES += compat/inet_pton.c
 endif
@@ -93,6 +178,10 @@ if !HAVE_REALLOCARRAY
 libcompat_la_SOURCES += compat/reallocarray.c
 endif

+if !HAVE_RECALLOCARRAY
+libcompat_la_SOURCES += compat/recallocarray.c
+endif
+
 if !HAVE_TIMINGSAFE_MEMCMP
 libcompat_la_SOURCES += compat/timingsafe_memcmp.c
 endif
@@ -435,10 +524,6 @@ libcrypto_la_SOURCES += ec/ec_print.c
 libcrypto_la_SOURCES += ec/eck_prn.c
 libcrypto_la_SOURCES += ec/ecp_mont.c
 libcrypto_la_SOURCES += ec/ecp_nist.c
-libcrypto_la_SOURCES += ec/ecp_nistp224.c
-libcrypto_la_SOURCES += ec/ecp_nistp256.c
-libcrypto_la_SOURCES += ec/ecp_nistp521.c
-libcrypto_la_SOURCES += ec/ecp_nistputil.c
 libcrypto_la_SOURCES += ec/ecp_oct.c
 libcrypto_la_SOURCES += ec/ecp_smpl.c
 noinst_HEADERS += ec/ec_lcl.h
@@ -527,6 +612,7 @@ libcrypto_la_SOURCES += evp/m_gost2814789.c
 libcrypto_la_SOURCES += evp/m_gostr341194.c
 libcrypto_la_SOURCES += evp/m_md4.c
 libcrypto_la_SOURCES += evp/m_md5.c
+libcrypto_la_SOURCES += evp/m_md5_sha1.c
 libcrypto_la_SOURCES += evp/m_null.c
 libcrypto_la_SOURCES += evp/m_ripemd.c
 libcrypto_la_SOURCES += evp/m_sha1.c
@@ -567,6 +653,9 @@ noinst_HEADERS += gost/gost.h
 noinst_HEADERS += gost/gost_asn1.h
 noinst_HEADERS += gost/gost_locl.h

+# hkdf
+libcrypto_la_SOURCES += hkdf/hkdf.c
+
 # hmac
 libcrypto_la_SOURCES += hmac/hm_ameth.c
 libcrypto_la_SOURCES += hmac/hm_pmeth.c
@@ -710,7 +799,6 @@ libcrypto_la_SOURCES += rsa/rsa_prn.c
 libcrypto_la_SOURCES += rsa/rsa_pss.c
 libcrypto_la_SOURCES += rsa/rsa_saos.c
 libcrypto_la_SOURCES += rsa/rsa_sign.c
-libcrypto_la_SOURCES += rsa/rsa_ssl.c
 libcrypto_la_SOURCES += rsa/rsa_x931.c
 noinst_HEADERS += rsa/rsa_locl.h

--- a/crypto/compat/freezero.c
+++ b/crypto/compat/freezero.c
@@ -0,0 +1,32 @@
+/*
+ * Copyright (c) 2008, 2010, 2011, 2016 Otto Moerbeek <otto@drijf.net>
+ * Copyright (c) 2012 Matthew Dempsky <matthew@openbsd.org>
+ * Copyright (c) 2008 Damien Miller <djm@openbsd.org>
+ * Copyright (c) 2000 Poul-Henning Kamp <phk@FreeBSD.org>
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+ * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+ * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+
+#include <string.h>
+#include <stdlib.h>
+
+void
+freezero(void *ptr, size_t sz)
+{
+	/* This is legal. */
+	if (ptr == NULL)
+		return;
+
+	explicit_bzero(ptr, sz);
+	free(ptr);
+}
--- a/crypto/compat/getpagesize.c
+++ b/crypto/compat/getpagesize.c
@@ -0,0 +1,18 @@
+/* $OpenBSD$ */
+
+#include <unistd.h>
+
+#ifdef _MSC_VER
+#include <windows.h>
+#endif
+
+int
+getpagesize(void) {
+#ifdef _MSC_VER
+	SYSTEM_INFO system_info;
+	GetSystemInfo(&system_info);
+	return system_info.dwPageSize;
+#else
+	return sysconf(_SC_PAGESIZE);
+#endif
+}
--- a/crypto/compat/posix_win.c
+++ b/crypto/compat/posix_win.c
@@ -209,6 +209,7 @@ posix_setsockopt(int sockfd, int level, int optname,
 }

 #ifdef _MSC_VER
+struct timezone;
 int gettimeofday(struct timeval * tp, struct timezone * tzp)
 {
 	/*
--- a/dist.sh
+++ b/dist.sh
@@ -1,7 +1,7 @@
 #!/bin/sh
 set -e

-rm -f man/*.1 man/*.3 include/openssl/*.h
+rm -f man/*.[35] include/openssl/*.h
 ./autogen.sh
 ./configure
-make distcheck
+make -j2 distcheck
--- a/include/CMakeLists.txt
+++ b/include/CMakeLists.txt
@@ -1,5 +1,8 @@
-install(DIRECTORY .
-        DESTINATION include
-        PATTERN "CMakeLists.txt" EXCLUDE
-        PATTERN "compat" EXCLUDE
-        PATTERN "Makefile*" EXCLUDE)
+if(ENABLE_LIBRESSL_INSTALL)
+	install(DIRECTORY .
+	        DESTINATION ${CMAKE_INSTALL_INCLUDEDIR}
+	        PATTERN "CMakeLists.txt" EXCLUDE
+	        PATTERN "compat" EXCLUDE
+	        PATTERN "pqueue.h" EXCLUDE
+	        PATTERN "Makefile*" EXCLUDE)
+endif(ENABLE_LIBRESSL_INSTALL)
--- a/include/compat/stdlib.h
+++ b/include/compat/stdlib.h
@@ -25,10 +25,18 @@ void arc4random_buf(void *_buf, size_t n);
 uint32_t arc4random_uniform(uint32_t upper_bound);
 #endif

+#ifndef HAVE_FREEZERO
+void freezero(void *ptr, size_t sz);
+#endif
+
 #ifndef HAVE_REALLOCARRAY
 void *reallocarray(void *, size_t, size_t);
 #endif

+#ifndef HAVE_RECALLOCARRAY
+void *recallocarray(void *, size_t, size_t, size_t);
+#endif
+
 #ifndef HAVE_STRTONUM
 long long strtonum(const char *nptr, long long minval,
 		long long maxval, const char **errstr);
--- a/include/compat/sys/types.h
+++ b/include/compat/sys/types.h
@@ -20,12 +20,14 @@

 #ifdef __MINGW32__
 #include <_bsd_types.h>
+typedef uint32_t        in_addr_t;
 #endif

 #ifdef _MSC_VER
 typedef unsigned char   u_char;
 typedef unsigned short  u_short;
 typedef unsigned int    u_int;
+typedef uint32_t        in_addr_t;

 #include <basetsd.h>
 typedef SSIZE_T ssize_t;
--- a/include/compat/unistd.h
+++ b/include/compat/unistd.h
@@ -39,6 +39,10 @@ int getentropy(void *buf, size_t buflen);
 #endif
 #endif

+#ifndef HAVE_GETPAGESIZE
+int getpagesize(void);
+#endif
+
 #define pledge(request, paths) 0

 #ifndef HAVE_PIPE2
--- a/libcrypto.pc.in
+++ b/libcrypto.pc.in
@@ -5,8 +5,8 @@ exec_prefix=@exec_prefix@
 libdir=@libdir@
 includedir=@includedir@

-Name: LibreSSL-libssl
-Description: Secure Sockets Layer and cryptography libraries
+Name: LibreSSL-libcrypto
+Description: LibreSSL cryptography library
 Version: @VERSION@
 Requires:
 Conflicts:
--- a/m4/check-libc.m4
+++ b/m4/check-libc.m4
@@ -2,15 +2,19 @@ AC_DEFUN([CHECK_LIBC_COMPAT], [
 # Check for libc headers
 AC_CHECK_HEADERS([err.h readpassphrase.h])
 # Check for general libc functions
-AC_CHECK_FUNCS([asprintf inet_ntop inet_pton memmem readpassphrase])
-AC_CHECK_FUNCS([reallocarray strlcat strlcpy strndup strnlen strsep strtonum])
+AC_CHECK_FUNCS([asprintf freezero getpagesize inet_ntop inet_pton memmem])
+AC_CHECK_FUNCS([readpassphrase reallocarray recallocarray])
+AC_CHECK_FUNCS([strlcat strlcpy strndup strnlen strsep strtonum])
 AC_CHECK_FUNCS([timegm _mkgmtime])
 AM_CONDITIONAL([HAVE_ASPRINTF], [test "x$ac_cv_func_asprintf" = xyes])
+AM_CONDITIONAL([HAVE_FREEZERO], [test "x$ac_cv_func_freezero" = xyes])
+AM_CONDITIONAL([HAVE_GETPAGESIZE], [test "x$ac_cv_func_getpagesize" = xyes])
 AM_CONDITIONAL([HAVE_INET_NTOP], [test "x$ac_cv_func_inet_ntop" = xyes])
 AM_CONDITIONAL([HAVE_INET_PTON], [test "x$ac_cv_func_inet_pton" = xyes])
 AM_CONDITIONAL([HAVE_MEMMEM], [test "x$ac_cv_func_memmem" = xyes])
 AM_CONDITIONAL([HAVE_READPASSPHRASE], [test "x$ac_cv_func_readpassphrase" = xyes])
 AM_CONDITIONAL([HAVE_REALLOCARRAY], [test "x$ac_cv_func_reallocarray" = xyes])
+AM_CONDITIONAL([HAVE_RECALLOCARRAY], [test "x$ac_cv_func_recallocarray" = xyes])
 AM_CONDITIONAL([HAVE_STRLCAT], [test "x$ac_cv_func_strlcat" = xyes])
 AM_CONDITIONAL([HAVE_STRLCPY], [test "x$ac_cv_func_strlcpy" = xyes])
 AM_CONDITIONAL([HAVE_STRNDUP], [test "x$ac_cv_func_strndup" = xyes])
@@ -144,77 +148,3 @@ if test "x$ac_cv_have___va_copy" = "xyes" ; then
 	AC_DEFINE([HAVE___VA_COPY], [1], [Define if __va_copy exists])
 fi
 ])
-
-AC_DEFUN([GENERATE_CRYPTO_PORTABLE_SYM], [
-crypto_sym=$srcdir/crypto/crypto.sym
-crypto_p_sym=$srcdir/crypto/crypto_portable.sym
-echo "generating $crypto_p_sym ..."
-chmod u+w $srcdir/crypto
-cp $crypto_sym $crypto_p_sym
-chmod u+w $crypto_p_sym
-if test "x$ac_cv_func_arc4random" = "xno" ; then
-	echo arc4random >> $crypto_p_sym
-fi
-if test "x$ac_cv_func_arc4random_buf" = "xno" ; then
-	echo arc4random_buf >> $crypto_p_sym
-fi
-if test "x$ac_cv_func_arc4random_uniform" = "xno" ; then
-	echo arc4random_uniform >> $crypto_p_sym
-fi
-if test "x$ac_cv_func_asprintf" = "xno" ; then
-	echo asprintf >> $crypto_p_sym
-	echo vasprintf >> $crypto_p_sym
-fi
-if test "x$ac_cv_func_explicit_bzero" = "xno" ; then
-	echo explicit_bzero >> $crypto_p_sym
-fi
-if test "x$ac_cv_func_getentropy" = "xno" ; then
-	echo getentropy >> $crypto_p_sym
-fi
-if test "x$ac_cv_func_inet_pton" = "xno" ; then
-	echo inet_pton >> $crypto_p_sym
-fi
-if test "x$ac_cv_func_reallocarray" = "xno" ; then
-	echo reallocarray >> $crypto_p_sym
-fi
-if test "x$ac_cv_func_strlcat" = "xno" ; then
-	echo strlcat >> $crypto_p_sym
-fi
-if test "x$ac_cv_func_strlcpy" = "xno" ; then
-	echo strlcpy >> $crypto_p_sym
-fi
-if test "x$ac_cv_func_strndup" = "xno" ; then
-	echo strndup >> $crypto_p_sym
-fi
-if test "x$ac_cv_func_strnlen" = "xno" ; then
-	echo strnlen >> $crypto_p_sym
-fi
-if test "x$ac_cv_func_strsep" = "xno" ; then
-	echo strsep >> $crypto_p_sym
-fi
-if test "x$ac_cv_func_timegm" = "xno" ; then
-	echo timegm >> $crypto_p_sym
-fi
-if test "x$ac_cv_func_timingsafe_bcmp" = "xno" ; then
-	echo timingsafe_bcmp >> $crypto_p_sym
-fi
-if test "x$ac_cv_func_timingsafe_memcmp" = "xno" ; then
-	echo timingsafe_memcmp >> $crypto_p_sym
-fi
-if test "x$HOST_OS" = "xwin" ; then
-	echo posix_perror >> $crypto_p_sym
-	echo posix_fopen >> $crypto_p_sym
-	echo posix_fgets >> $crypto_p_sym
-	echo posix_open >> $crypto_p_sym
-	echo posix_rename >> $crypto_p_sym
-	echo posix_connect >> $crypto_p_sym
-	echo posix_close >> $crypto_p_sym
-	echo posix_read >> $crypto_p_sym
-	echo posix_write >> $crypto_p_sym
-	echo posix_getsockopt >> $crypto_p_sym
-	echo posix_setsockopt >> $crypto_p_sym
-
-	grep -v BIO_s_log $crypto_p_sym > $crypto_p_sym.tmp
-	mv $crypto_p_sym.tmp $crypto_p_sym
-fi
-])
--- a/m4/check-os-options.m4
+++ b/m4/check-os-options.m4
@@ -13,6 +13,7 @@ case $host_os in
 		;;
 	*cygwin*)
 		HOST_OS=cygwin
+		CPPFLAGS="$CPPFLAGS -D_GNU_SOURCE"
 		;;
 	*darwin*)
 		HOST_OS=darwin
@@ -106,13 +107,12 @@ char buf[1]; getentropy(buf, 1);
 		CPPFLAGS="$CPPFLAGS -D_REENTRANT -D_POSIX_THREAD_SAFE_FUNCTIONS"
 		CPPFLAGS="$CPPFLAGS -DWIN32_LEAN_AND_MEAN -D_WIN32_WINNT=0x0501"
 		CPPFLAGS="$CPPFLAGS -DOPENSSL_NO_SPEED"
-		CFLAGS="$CFLAGS -static-libgcc"
-		LDFLAGS="$LDFLAGS -static-libgcc"
 		AC_SUBST([PLATFORM_LDADD], ['-lws2_32'])
 		;;
 	*solaris*)
 		HOST_OS=solaris
 		HOST_ABI=elf
+		CFLAGS="$CFLAGS -m64"
 		CPPFLAGS="$CPPFLAGS -D__EXTENSIONS__ -D_XOPEN_SOURCE=600 -DBSD_COMP"
 		AC_SUBST([PLATFORM_LDADD], ['-lnsl -lsocket'])
 		;;
--- a/man/CMakeLists.txt
+++ b/man/CMakeLists.txt
@@ -1,9 +1,11 @@
-install(DIRECTORY .
-    DESTINATION share/man/man3
-    FILES_MATCHING PATTERN "*.3"
-    )
+if(ENABLE_LIBRESSL_INSTALL)
+	install(DIRECTORY .
+	    DESTINATION ${CMAKE_INSTALL_MANDIR}/man3
+	    FILES_MATCHING PATTERN "*.3"
+	    )

-install(DIRECTORY .
-    DESTINATION share/man/man1
-    FILES_MATCHING PATTERN "*.1"
-    )
+	install(DIRECTORY .
+	    DESTINATION ${CMAKE_INSTALL_MANDIR}/man5
+	    FILES_MATCHING PATTERN "*.5"
+	    )
+endif(ENABLE_LIBRESSL_INSTALL)
--- a/man/links
+++ b/man/links
@@ -3,6 +3,8 @@ ACCESS_DESCRIPTION_new.3,ACCESS_DESCRIPTION_free.3
 ACCESS_DESCRIPTION_new.3,AUTHORITY_INFO_ACCESS_free.3
 ACCESS_DESCRIPTION_new.3,AUTHORITY_INFO_ACCESS_new.3
 ASN1_OBJECT_new.3,ASN1_OBJECT_free.3
+ASN1_STRING_TABLE_add.3,ASN1_STRING_TABLE_cleanup.3
+ASN1_STRING_TABLE_add.3,ASN1_STRING_TABLE_get.3
 ASN1_STRING_length.3,ASN1_STRING_cmp.3
 ASN1_STRING_length.3,ASN1_STRING_data.3
 ASN1_STRING_length.3,ASN1_STRING_dup.3
@@ -50,10 +52,23 @@ ASN1_STRING_new.3,DISPLAYTEXT_free.3
 ASN1_STRING_new.3,DISPLAYTEXT_new.3
 ASN1_STRING_print_ex.3,ASN1_STRING_print.3
 ASN1_STRING_print_ex.3,ASN1_STRING_print_ex_fp.3
+ASN1_STRING_print_ex.3,ASN1_tag2str.3
+ASN1_TIME_set.3,ASN1_GENERALIZEDTIME_adj.3
+ASN1_TIME_set.3,ASN1_GENERALIZEDTIME_check.3
+ASN1_TIME_set.3,ASN1_GENERALIZEDTIME_print.3
+ASN1_TIME_set.3,ASN1_GENERALIZEDTIME_set.3
+ASN1_TIME_set.3,ASN1_GENERALIZEDTIME_set_string.3
 ASN1_TIME_set.3,ASN1_TIME_adj.3
 ASN1_TIME_set.3,ASN1_TIME_check.3
 ASN1_TIME_set.3,ASN1_TIME_print.3
 ASN1_TIME_set.3,ASN1_TIME_set_string.3
+ASN1_TIME_set.3,ASN1_TIME_to_generalizedtime.3
+ASN1_TIME_set.3,ASN1_UTCTIME_adj.3
+ASN1_TIME_set.3,ASN1_UTCTIME_check.3
+ASN1_TIME_set.3,ASN1_UTCTIME_cmp_time_t.3
+ASN1_TIME_set.3,ASN1_UTCTIME_print.3
+ASN1_TIME_set.3,ASN1_UTCTIME_set.3
+ASN1_TIME_set.3,ASN1_UTCTIME_set_string.3
 ASN1_TYPE_get.3,ASN1_TYPE_cmp.3
 ASN1_TYPE_get.3,ASN1_TYPE_free.3
 ASN1_TYPE_get.3,ASN1_TYPE_new.3
@@ -70,6 +85,7 @@ ASN1_item_d2i.3,ASN1_item_print.3
 ASN1_item_d2i.3,d2i_ASN1_TYPE.3
 ASN1_item_d2i.3,i2d_ASN1_TYPE.3
 ASN1_item_new.3,ASN1_item_free.3
+ASN1_time_parse.3,ASN1_TIME_set_tm.3
 ASN1_time_parse.3,ASN1_time_tm_cmp.3
 AUTHORITY_KEYID_new.3,AUTHORITY_KEYID_free.3
 BASIC_CONSTRAINTS_new.3,BASIC_CONSTRAINTS_free.3
@@ -146,6 +162,9 @@ BIO_new.3,BIO_free.3
 BIO_new.3,BIO_free_all.3
 BIO_new.3,BIO_set.3
 BIO_new.3,BIO_vfree.3
+BIO_printf.3,BIO_snprintf.3
+BIO_printf.3,BIO_vprintf.3
+BIO_printf.3,BIO_vsnprintf.3
 BIO_push.3,BIO_pop.3
 BIO_read.3,BIO_gets.3
 BIO_read.3,BIO_puts.3
@@ -298,6 +317,7 @@ BN_set_bit.3,BN_lshift1.3
 BN_set_bit.3,BN_mask_bits.3
 BN_set_bit.3,BN_rshift.3
 BN_set_bit.3,BN_rshift1.3
+BN_set_flags.3,BN_get_flags.3
 BN_set_negative.3,BN_is_negative.3
 BN_zero.3,BN_get_word.3
 BN_zero.3,BN_one.3
@@ -311,8 +331,10 @@ BUF_MEM_new.3,BUF_strdup.3
 CONF_modules_free.3,CONF_modules_finish.3
 CONF_modules_free.3,CONF_modules_unload.3
 CONF_modules_load_file.3,CONF_modules_load.3
+CRYPTO_get_mem_functions.3,CRYPTO_MEM_LEAK_CB.3
 CRYPTO_get_mem_functions.3,CRYPTO_mem_ctrl.3
 CRYPTO_get_mem_functions.3,CRYPTO_mem_leaks.3
+CRYPTO_get_mem_functions.3,CRYPTO_mem_leaks_cb.3
 CRYPTO_get_mem_functions.3,CRYPTO_mem_leaks_fp.3
 CRYPTO_get_mem_functions.3,CRYPTO_set_mem_functions.3
 CRYPTO_set_ex_data.3,CRYPTO_EX_dup.3
@@ -555,7 +577,6 @@ EVP_AEAD_CTX_init.3,EVP_AEAD_nonce_length.3
 EVP_AEAD_CTX_init.3,EVP_aead_aes_128_gcm.3
 EVP_AEAD_CTX_init.3,EVP_aead_aes_256_gcm.3
 EVP_AEAD_CTX_init.3,EVP_aead_chacha20_poly1305.3
-EVP_AEAD_CTX_init.3,EVP_aead_chacha20_poly1305_ietf.3
 EVP_DigestInit.3,EVP_DigestFinal.3
 EVP_DigestInit.3,EVP_DigestFinal_ex.3
 EVP_DigestInit.3,EVP_DigestInit_ex.3
@@ -566,6 +587,7 @@ EVP_DigestInit.3,EVP_MD_CTX_cleanup.3
 EVP_DigestInit.3,EVP_MD_CTX_copy.3
 EVP_DigestInit.3,EVP_MD_CTX_copy_ex.3
 EVP_DigestInit.3,EVP_MD_CTX_create.3
+EVP_DigestInit.3,EVP_MD_CTX_ctrl.3
 EVP_DigestInit.3,EVP_MD_CTX_destroy.3
 EVP_DigestInit.3,EVP_MD_CTX_init.3
 EVP_DigestInit.3,EVP_MD_CTX_md.3
@@ -582,6 +604,7 @@ EVP_DigestInit.3,EVP_get_digestbynid.3
 EVP_DigestInit.3,EVP_get_digestbyobj.3
 EVP_DigestInit.3,EVP_md2.3
 EVP_DigestInit.3,EVP_md5.3
+EVP_DigestInit.3,EVP_md5_sha1.3
 EVP_DigestInit.3,EVP_md_null.3
 EVP_DigestInit.3,EVP_ripemd160.3
 EVP_DigestInit.3,EVP_sha1.3
@@ -641,6 +664,7 @@ EVP_EncryptInit.3,EVP_EncryptFinal_ex.3
 EVP_EncryptInit.3,EVP_EncryptInit_ex.3
 EVP_EncryptInit.3,EVP_EncryptUpdate.3
 EVP_EncryptInit.3,EVP_aes_128_cbc.3
+EVP_EncryptInit.3,EVP_aes_128_cbc_hmac_sha1.3
 EVP_EncryptInit.3,EVP_aes_128_ccm.3
 EVP_EncryptInit.3,EVP_aes_128_cfb.3
 EVP_EncryptInit.3,EVP_aes_128_ecb.3
@@ -653,6 +677,7 @@ EVP_EncryptInit.3,EVP_aes_192_ecb.3
 EVP_EncryptInit.3,EVP_aes_192_gcm.3
 EVP_EncryptInit.3,EVP_aes_192_ofb.3
 EVP_EncryptInit.3,EVP_aes_256_cbc.3
+EVP_EncryptInit.3,EVP_aes_256_cbc_hmac_sha1.3
 EVP_EncryptInit.3,EVP_aes_256_ccm.3
 EVP_EncryptInit.3,EVP_aes_256_cfb.3
 EVP_EncryptInit.3,EVP_aes_256_ecb.3
@@ -696,6 +721,7 @@ EVP_EncryptInit.3,EVP_rc2_ecb.3
 EVP_EncryptInit.3,EVP_rc2_ofb.3
 EVP_EncryptInit.3,EVP_rc4.3
 EVP_EncryptInit.3,EVP_rc4_40.3
+EVP_EncryptInit.3,EVP_rc4_hmac_md5.3
 EVP_EncryptInit.3,EVP_rc5_32_12_16_cbc.3
 EVP_EncryptInit.3,EVP_rc5_32_12_16_cfb.3
 EVP_EncryptInit.3,EVP_rc5_32_12_16_ecb.3
@@ -707,10 +733,10 @@ EVP_PKEY_CTX_ctrl.3,EVP_PKEY_CTX_set_dh_paramgen_generator.3
 EVP_PKEY_CTX_ctrl.3,EVP_PKEY_CTX_set_dh_paramgen_prime_len.3
 EVP_PKEY_CTX_ctrl.3,EVP_PKEY_CTX_set_dsa_paramgen_bits.3
 EVP_PKEY_CTX_ctrl.3,EVP_PKEY_CTX_set_ec_paramgen_curve_nid.3
+EVP_PKEY_CTX_ctrl.3,EVP_PKEY_CTX_set_rsa_keygen_bits.3
 EVP_PKEY_CTX_ctrl.3,EVP_PKEY_CTX_set_rsa_keygen_pubexp.3
 EVP_PKEY_CTX_ctrl.3,EVP_PKEY_CTX_set_rsa_padding.3
 EVP_PKEY_CTX_ctrl.3,EVP_PKEY_CTX_set_rsa_pss_saltlen.3
-EVP_PKEY_CTX_ctrl.3,EVP_PKEY_CTX_set_rsa_rsa_keygen_bits.3
 EVP_PKEY_CTX_ctrl.3,EVP_PKEY_CTX_set_signature_md.3
 EVP_PKEY_CTX_new.3,EVP_PKEY_CTX_dup.3
 EVP_PKEY_CTX_new.3,EVP_PKEY_CTX_free.3
@@ -1034,12 +1060,10 @@ RSA_get_ex_new_index.3,RSA_set_ex_data.3
 RSA_new.3,RSA_free.3
 RSA_padding_add_PKCS1_type_1.3,RSA_padding_add_PKCS1_OAEP.3
 RSA_padding_add_PKCS1_type_1.3,RSA_padding_add_PKCS1_type_2.3
-RSA_padding_add_PKCS1_type_1.3,RSA_padding_add_SSLv23.3
 RSA_padding_add_PKCS1_type_1.3,RSA_padding_add_none.3
 RSA_padding_add_PKCS1_type_1.3,RSA_padding_check_PKCS1_OAEP.3
 RSA_padding_add_PKCS1_type_1.3,RSA_padding_check_PKCS1_type_1.3
 RSA_padding_add_PKCS1_type_1.3,RSA_padding_check_PKCS1_type_2.3
-RSA_padding_add_PKCS1_type_1.3,RSA_padding_check_SSLv23.3
 RSA_padding_add_PKCS1_type_1.3,RSA_padding_check_none.3
 RSA_print.3,DHparams_print.3
 RSA_print.3,DHparams_print_fp.3
@@ -1086,12 +1110,9 @@ SSL_CIPHER_get_name.3,SSL_CIPHER_get_version.3
 SSL_COMP_add_compression_method.3,SSL_COMP_get_compression_methods.3
 SSL_CTX_add_extra_chain_cert.3,SSL_CTX_clear_extra_chain_certs.3
 SSL_CTX_add_session.3,SSL_CTX_remove_session.3
-SSL_CTX_add_session.3,SSL_add_session.3
-SSL_CTX_add_session.3,SSL_remove_session.3
 SSL_CTX_ctrl.3,SSL_CTX_callback_ctrl.3
 SSL_CTX_ctrl.3,SSL_callback_ctrl.3
 SSL_CTX_ctrl.3,SSL_ctrl.3
-SSL_CTX_flush_sessions.3,SSL_flush_sessions.3
 SSL_CTX_get_ex_new_index.3,SSL_CTX_get_ex_data.3
 SSL_CTX_get_ex_new_index.3,SSL_CTX_set_ex_data.3
 SSL_CTX_get_verify_mode.3,SSL_CTX_get_verify_callback.3
@@ -1138,6 +1159,13 @@ SSL_CTX_sess_set_get_cb.3,SSL_CTX_sess_set_remove_cb.3
 SSL_CTX_sess_set_get_cb.3,get_session_cb.3
 SSL_CTX_sess_set_get_cb.3,new_session_cb.3
 SSL_CTX_sess_set_get_cb.3,remove_session_cb.3
+SSL_CTX_set1_groups.3,SSL_CTX_set1_curves.3
+SSL_CTX_set1_groups.3,SSL_CTX_set1_curves_list.3
+SSL_CTX_set1_groups.3,SSL_CTX_set1_groups_list.3
+SSL_CTX_set1_groups.3,SSL_set1_curves.3
+SSL_CTX_set1_groups.3,SSL_set1_curves_list.3
+SSL_CTX_set1_groups.3,SSL_set1_groups.3
+SSL_CTX_set1_groups.3,SSL_set1_groups_list.3
 SSL_CTX_set_alpn_select_cb.3,SSL_CTX_set_alpn_protos.3
 SSL_CTX_set_alpn_select_cb.3,SSL_get0_alpn_selected.3
 SSL_CTX_set_alpn_select_cb.3,SSL_select_next_proto.3
@@ -1160,6 +1188,9 @@ SSL_CTX_set_info_callback.3,SSL_set_info_callback.3
 SSL_CTX_set_max_cert_list.3,SSL_CTX_get_max_cert_list.3
 SSL_CTX_set_max_cert_list.3,SSL_get_max_cert_list.3
 SSL_CTX_set_max_cert_list.3,SSL_set_max_cert_list.3
+SSL_CTX_set_min_proto_version.3,SSL_CTX_set_max_proto_version.3
+SSL_CTX_set_min_proto_version.3,SSL_set_max_proto_version.3
+SSL_CTX_set_min_proto_version.3,SSL_set_min_proto_version.3
 SSL_CTX_set_mode.3,SSL_CTX_get_mode.3
 SSL_CTX_set_mode.3,SSL_get_mode.3
 SSL_CTX_set_mode.3,SSL_set_mode.3
@@ -1184,6 +1215,10 @@ SSL_CTX_set_session_id_context.3,SSL_set_session_id_context.3
 SSL_CTX_set_ssl_version.3,SSL_get_ssl_method.3
 SSL_CTX_set_ssl_version.3,SSL_set_ssl_method.3
 SSL_CTX_set_timeout.3,SSL_CTX_get_timeout.3
+SSL_CTX_set_tlsext_servername_callback.3,SSL_CTX_set_tlsext_servername_arg.3
+SSL_CTX_set_tlsext_servername_callback.3,SSL_get_servername.3
+SSL_CTX_set_tlsext_servername_callback.3,SSL_get_servername_type.3
+SSL_CTX_set_tlsext_servername_callback.3,SSL_set_tlsext_host_name.3
 SSL_CTX_set_tlsext_status_cb.3,SSL_CTX_set_tlsext_status_arg.3
 SSL_CTX_set_tlsext_status_cb.3,SSL_get_tlsext_status_ocsp_resp.3
 SSL_CTX_set_tlsext_status_cb.3,SSL_set_tlsext_status_ocsp_resp.3
@@ -1196,7 +1231,6 @@ SSL_CTX_set_tmp_rsa_callback.3,SSL_CTX_set_tmp_rsa.3
 SSL_CTX_set_tmp_rsa_callback.3,SSL_need_tmp_rsa.3
 SSL_CTX_set_tmp_rsa_callback.3,SSL_set_tmp_rsa.3
 SSL_CTX_set_tmp_rsa_callback.3,SSL_set_tmp_rsa_callback.3
-SSL_CTX_set_tmp_rsa_callback.3,tmp_rsa_callback.3
 SSL_CTX_set_verify.3,SSL_CTX_set_verify_depth.3
 SSL_CTX_set_verify.3,SSL_set_verify.3
 SSL_CTX_set_verify.3,SSL_set_verify_depth.3
@@ -1263,6 +1297,8 @@ SSL_load_client_CA_file.3,SSL_add_file_cert_subjects_to_stack.3
 SSL_num_renegotiations.3,SSL_clear_num_renegotiations.3
 SSL_num_renegotiations.3,SSL_total_renegotiations.3
 SSL_read.3,SSL_peek.3
+SSL_renegotiate.3,SSL_renegotiate_abbreviated.3
+SSL_renegotiate.3,SSL_renegotiate_pending.3
 SSL_rstate_string.3,SSL_rstate_string_long.3
 SSL_set1_param.3,SSL_CTX_set1_param.3
 SSL_set_connect_state.3,SSL_set_accept_state.3
@@ -1270,6 +1306,11 @@ SSL_set_fd.3,SSL_set_rfd.3
 SSL_set_fd.3,SSL_set_wfd.3
 SSL_set_max_send_fragment.3,SSL_CTX_set_max_send_fragment.3
 SSL_set_shutdown.3,SSL_get_shutdown.3
+SSL_set_tmp_ecdh.3,SSL_CTX_set_ecdh_auto.3
+SSL_set_tmp_ecdh.3,SSL_CTX_set_tmp_ecdh.3
+SSL_set_tmp_ecdh.3,SSL_CTX_set_tmp_ecdh_callback.3
+SSL_set_tmp_ecdh.3,SSL_set_ecdh_auto.3
+SSL_set_tmp_ecdh.3,SSL_set_tmp_ecdh_callback.3
 SSL_state_string.3,SSL_state_string_long.3
 SSL_want.3,SSL_want_nothing.3
 SSL_want.3,SSL_want_read.3
@@ -1293,6 +1334,28 @@ TS_REQ_new.3,TS_STATUS_INFO_free.3
 TS_REQ_new.3,TS_STATUS_INFO_new.3
 TS_REQ_new.3,TS_TST_INFO_free.3
 TS_REQ_new.3,TS_TST_INFO_new.3
+UI_UTIL_read_pw.3,UI_UTIL_read_pw_string.3
+UI_create_method.3,UI_destroy_method.3
+UI_create_method.3,UI_method_get_closer.3
+UI_create_method.3,UI_method_get_flusher.3
+UI_create_method.3,UI_method_get_opener.3
+UI_create_method.3,UI_method_get_prompt_constructor.3
+UI_create_method.3,UI_method_get_reader.3
+UI_create_method.3,UI_method_get_writer.3
+UI_create_method.3,UI_method_set_closer.3
+UI_create_method.3,UI_method_set_flusher.3
+UI_create_method.3,UI_method_set_opener.3
+UI_create_method.3,UI_method_set_prompt_constructor.3
+UI_create_method.3,UI_method_set_reader.3
+UI_create_method.3,UI_method_set_writer.3
+UI_get_string_type.3,UI_get0_action_string.3
+UI_get_string_type.3,UI_get0_output_string.3
+UI_get_string_type.3,UI_get0_result_string.3
+UI_get_string_type.3,UI_get0_test_string.3
+UI_get_string_type.3,UI_get_input_flags.3
+UI_get_string_type.3,UI_get_result_maxsize.3
+UI_get_string_type.3,UI_get_result_minsize.3
+UI_get_string_type.3,UI_set_result.3
 UI_new.3,UI_OpenSSL.3
 UI_new.3,UI_add_error_string.3
 UI_new.3,UI_add_info_string.3
@@ -1427,6 +1490,15 @@ X509_VERIFY_PARAM_set_flags.3,X509_VERIFY_PARAM_set_trust.3
 X509_check_host.3,X509_check_email.3
 X509_check_host.3,X509_check_ip.3
 X509_check_host.3,X509_check_ip_asc.3
+X509_check_private_key.3,X509_REQ_check_private_key.3
+X509_cmp_time.3,X509_cmp_current_time.3
+X509_cmp_time.3,X509_time_adj.3
+X509_cmp_time.3,X509_time_adj_ex.3
+X509_digest.3,PKCS7_ISSUER_AND_SERIAL_digest.3
+X509_digest.3,X509_CRL_digest.3
+X509_digest.3,X509_NAME_digest.3
+X509_digest.3,X509_REQ_digest.3
+X509_digest.3,X509_pubkey_digest.3
 X509_get_pubkey.3,X509_REQ_get_pubkey.3
 X509_get_pubkey.3,X509_REQ_set_pubkey.3
 X509_get_pubkey.3,X509_get_X509_PUBKEY.3
@@ -1525,7 +1597,6 @@ d2i_ASN1_OCTET_STRING.3,d2i_ASN1_PRINTABLE.3
 d2i_ASN1_OCTET_STRING.3,d2i_ASN1_PRINTABLESTRING.3
 d2i_ASN1_OCTET_STRING.3,d2i_ASN1_T61STRING.3
 d2i_ASN1_OCTET_STRING.3,d2i_ASN1_TIME.3
-d2i_ASN1_OCTET_STRING.3,d2i_ASN1_TIME_new.3
 d2i_ASN1_OCTET_STRING.3,d2i_ASN1_UINTEGER.3
 d2i_ASN1_OCTET_STRING.3,d2i_ASN1_UNIVERSALSTRING.3
 d2i_ASN1_OCTET_STRING.3,d2i_ASN1_UTCTIME.3
@@ -1545,7 +1616,6 @@ d2i_ASN1_OCTET_STRING.3,i2d_ASN1_PRINTABLE.3
 d2i_ASN1_OCTET_STRING.3,i2d_ASN1_PRINTABLESTRING.3
 d2i_ASN1_OCTET_STRING.3,i2d_ASN1_T61STRING.3
 d2i_ASN1_OCTET_STRING.3,i2d_ASN1_TIME.3
-d2i_ASN1_OCTET_STRING.3,i2d_ASN1_TIME_new.3
 d2i_ASN1_OCTET_STRING.3,i2d_ASN1_UNIVERSALSTRING.3
 d2i_ASN1_OCTET_STRING.3,i2d_ASN1_UTCTIME.3
 d2i_ASN1_OCTET_STRING.3,i2d_ASN1_UTF8STRING.3
@@ -1606,8 +1676,6 @@ d2i_ECPKParameters.3,d2i_EC_PUBKEY_fp.3
 d2i_ECPKParameters.3,i2d_ECPKParameters.3
 d2i_ECPKParameters.3,i2d_ECPKParameters_bio.3
 d2i_ECPKParameters.3,i2d_ECPKParameters_fp.3
-d2i_ECPKParameters.3,i2d_ECPKPrivateKey_fp.3
-d2i_ECPKParameters.3,i2d_ECPK_PUBKEY_fp.3
 d2i_ECPKParameters.3,i2d_ECParameters.3
 d2i_ECPKParameters.3,i2d_ECPrivateKey.3
 d2i_ECPKParameters.3,i2d_ECPrivateKey_bio.3
@@ -1931,6 +1999,13 @@ engine.3,ENGINE_unregister_STORE.3
 engine.3,ENGINE_unregister_ciphers.3
 engine.3,ENGINE_unregister_digests.3
 engine.3,ENGINE_up_ref.3
+get_rfc3526_prime_8192.3,get_rfc2409_prime_1024.3
+get_rfc3526_prime_8192.3,get_rfc2409_prime_768.3
+get_rfc3526_prime_8192.3,get_rfc3526_prime_1536.3
+get_rfc3526_prime_8192.3,get_rfc3526_prime_2048.3
+get_rfc3526_prime_8192.3,get_rfc3526_prime_3072.3
+get_rfc3526_prime_8192.3,get_rfc3526_prime_4096.3
+get_rfc3526_prime_8192.3,get_rfc3526_prime_6144.3
 lh_new.3,DECLARE_LHASH_OF.3
 lh_new.3,LHASH_COMP_FN_TYPE.3
 lh_new.3,LHASH_DOALL_ARG_FN_TYPE.3
@@ -1960,16 +2035,15 @@ tls_accept_socket.3,tls_accept_cbs.3
 tls_accept_socket.3,tls_accept_fds.3
 tls_client.3,tls_configure.3
 tls_client.3,tls_free.3
+tls_client.3,tls_reset.3
 tls_client.3,tls_server.3
-tls_config_ocsp_require_stapling.3,tls_config_set_ocsp_staple_file.3
-tls_config_ocsp_require_stapling.3,tls_config_set_ocsp_staple_mem.3
 tls_config_set_protocols.3,tls_config_parse_protocols.3
 tls_config_set_protocols.3,tls_config_prefer_ciphers_client.3
 tls_config_set_protocols.3,tls_config_prefer_ciphers_server.3
 tls_config_set_protocols.3,tls_config_set_alpn.3
 tls_config_set_protocols.3,tls_config_set_ciphers.3
 tls_config_set_protocols.3,tls_config_set_dheparams.3
-tls_config_set_protocols.3,tls_config_set_ecdhecurve.3
+tls_config_set_protocols.3,tls_config_set_ecdhecurves.3
 tls_config_set_session_id.3,tls_config_add_ticket_key.3
 tls_config_set_session_id.3,tls_config_set_session_lifetime.3
 tls_config_verify.3,tls_config_insecure_noverifycert.3
@@ -1994,19 +2068,28 @@ tls_init.3,tls_config_free.3
 tls_init.3,tls_config_new.3
 tls_load_file.3,tls_config_add_keypair_file.3
 tls_load_file.3,tls_config_add_keypair_mem.3
+tls_load_file.3,tls_config_add_keypair_ocsp_file.3
+tls_load_file.3,tls_config_add_keypair_ocsp_mem.3
 tls_load_file.3,tls_config_clear_keys.3
 tls_load_file.3,tls_config_set_ca_file.3
 tls_load_file.3,tls_config_set_ca_mem.3
 tls_load_file.3,tls_config_set_ca_path.3
 tls_load_file.3,tls_config_set_cert_file.3
 tls_load_file.3,tls_config_set_cert_mem.3
+tls_load_file.3,tls_config_set_crl_file.3
+tls_load_file.3,tls_config_set_crl_mem.3
 tls_load_file.3,tls_config_set_key_file.3
 tls_load_file.3,tls_config_set_key_mem.3
 tls_load_file.3,tls_config_set_keypair_file.3
 tls_load_file.3,tls_config_set_keypair_mem.3
+tls_load_file.3,tls_config_set_keypair_ocsp_file.3
+tls_load_file.3,tls_config_set_keypair_ocsp_mem.3
+tls_load_file.3,tls_config_set_ocsp_staple_file.3
+tls_load_file.3,tls_config_set_ocsp_staple_mem.3
 tls_load_file.3,tls_config_set_verify_depth.3
 tls_load_file.3,tls_config_verify_client.3
 tls_load_file.3,tls_config_verify_client_optional.3
+tls_load_file.3,tls_unload_file.3
 tls_ocsp_process_response.3,tls_peer_ocsp_cert_status.3
 tls_ocsp_process_response.3,tls_peer_ocsp_crl_reason.3
 tls_ocsp_process_response.3,tls_peer_ocsp_next_update.3
--- a/patches/http.c.patch
+++ b/patches/http.c.patch
@@ -0,0 +1,12 @@
+--- apps/ocspcheck/http.c.orig	Sun Jun  4 00:45:29 2017
+++ apps/ocspcheck/http.c	Sun Jun  4 00:45:57 2017
+@@ -35,7 +35,9 @@
+ #include "http.h"
+ #include <tls.h>
+ 
+#ifndef DEFAULT_CA_FILE
+ #define DEFAULT_CA_FILE "/etc/ssl/cert.pem"
+#endif
+ 
+ /*
+  * A buffer for transferring HTTP/S data.
--- a/patches/netcat.c.patch
+++ b/patches/netcat.c.patch
@@ -1,16 +1,16 @@
--- apps/nc/netcat.c.orig	Sat Nov  5 14:00:01 2016
-+++ apps/nc/netcat.c	Sat Nov  5 15:28:35 2016
-@@ -65,7 +65,9 @@
- #define POLL_NETIN 2
- #define POLL_STDOUT 3
- #define BUFSIZE 16384
+--- apps/nc/netcat.c.orig	Mon Jul 17 06:06:51 2017
+++ apps/nc/netcat.c	Mon Jul 17 06:11:24 2017
+@@ -66,7 +66,9 @@
+ #define POLL_NETIN	2
+ #define POLL_STDOUT	3
+ #define BUFSIZE		16384
 +#ifndef DEFAULT_CA_FILE
- #define DEFAULT_CA_FILE "/etc/ssl/cert.pem"
+ #define DEFAULT_CA_FILE	"/etc/ssl/cert.pem"
 +#endif
 
- #define TLS_LEGACY	(1 << 1)
+ #define TLS_ALL	(1 << 1)
 #define TLS_NOVERIFY	(1 << 2)
-@@ -93,9 +95,13 @@
+@@ -95,9 +97,13 @@
 int	Dflag;					/* sodebug */
 int	Iflag;					/* TCP receive buffer size */
 int	Oflag;					/* TCP send buffer size */
@@ -24,16 +24,7 @@
 
 int	usetls;					/* use TLS */
 char    *Cflag;					/* Public cert file */
-@@ -148,7 +154,7 @@
- 	struct servent *sv;
- 	socklen_t len;
- 	struct sockaddr_storage cliaddr;
-	char *proxy;
-+	char *proxy = NULL;
- 	const char *errstr, *proxyhost = "", *proxyport = NULL;
- 	struct addrinfo proxyhints;
- 	char unix_dg_tmp_socket_buf[UNIX_DG_TMP_SOCKET_SIZE];
-@@ -258,12 +264,14 @@
+@@ -266,12 +272,14 @@
 		case 'u':
 			uflag = 1;
 			break;
@@ -48,7 +39,7 @@
 		case 'v':
 			vflag = 1;
 			break;
-@@ -299,9 +307,11 @@
+@@ -318,9 +326,11 @@
 		case 'o':
 			oflag = optarg;
 			break;
@@ -60,7 +51,7 @@
 		case 'T':
 			errstr = NULL;
 			errno = 0;
-@@ -325,9 +335,11 @@
+@@ -344,9 +354,11 @@
 	argc -= optind;
 	argv += optind;
 
@@ -72,7 +63,7 @@
 
 	if (family == AF_UNIX) {
 		if (pledge("stdio rpath wpath cpath tmppath unix", NULL) == -1)
-@@ -836,7 +848,10 @@
+@@ -892,7 +904,10 @@
 remote_connect(const char *host, const char *port, struct addrinfo hints)
 {
 	struct addrinfo *res, *res0;
@@ -83,8 +74,8 @@
 +#endif
 
 	if ((error = getaddrinfo(host, port, &hints, &res0)))
- 		errx(1, "getaddrinfo: %s", gai_strerror(error));
-@@ -850,8 +865,10 @@
+ 		errx(1, "getaddrinfo for host \"%s\" port %s: %s", host,
+@@ -907,8 +922,10 @@
 		if (sflag || pflag) {
 			struct addrinfo ahints, *ares;
 
@@ -95,7 +86,7 @@
 			memset(&ahints, 0, sizeof(struct addrinfo));
 			ahints.ai_family = res->ai_family;
 			ahints.ai_socktype = uflag ? SOCK_DGRAM : SOCK_STREAM;
-@@ -922,7 +939,10 @@
+@@ -979,7 +996,10 @@
 local_listen(char *host, char *port, struct addrinfo hints)
 {
 	struct addrinfo *res, *res0;
@@ -107,7 +98,7 @@
 	int error;
 
 	/* Allow nodename to be null. */
-@@ -943,9 +963,11 @@
+@@ -1000,9 +1020,11 @@
 		    res->ai_protocol)) < 0)
 			continue;
 
@@ -119,7 +110,7 @@
 
 		set_common_sockopts(s, res->ai_family);
 
-@@ -1403,11 +1425,13 @@
+@@ -1458,11 +1480,13 @@
 {
 	int x = 1;
 
@@ -133,7 +124,24 @@
 	if (Dflag) {
 		if (setsockopt(s, SOL_SOCKET, SO_DEBUG,
 			&x, sizeof(x)) == -1)
-@@ -1444,13 +1468,17 @@
+@@ -1473,9 +1497,16 @@
+ 		    IP_TOS, &Tflag, sizeof(Tflag)) == -1)
+ 			err(1, "set IP ToS");
+ 
+#ifdef IPV6_TCLASS
+ 		else if (af == AF_INET6 && setsockopt(s, IPPROTO_IPV6,
+ 		    IPV6_TCLASS, &Tflag, sizeof(Tflag)) == -1)
+ 			err(1, "set IPv6 traffic class");
+#else
+		else if (af == AF_INET6) {
+			errno = ENOPROTOOPT
+			err(1, "set IPv6 traffic class not supported");
+		}
+#endif
+ 	}
+ 	if (Iflag) {
+ 		if (setsockopt(s, SOL_SOCKET, SO_RCVBUF,
+@@ -1499,13 +1530,17 @@
 	}
 
 	if (minttl != -1) {
@@ -152,7 +160,7 @@
 	}
 }
 
-@@ -1644,14 +1672,22 @@
+@@ -1714,14 +1749,22 @@
 	\t-P proxyuser\tUsername for proxy authentication\n\
 	\t-p port\t	Specify local port for remote connects\n\
 	\t-R CAfile	CA bundle\n\
@@ -160,10 +168,10 @@
 -	\t-S		Enable the TCP MD5 signature option\n\
 +	\t-r		Randomize remote ports\n"
 +#ifdef TCP_MD5SIG
-+        "\
+	"\
 +	\t-S		Enable the TCP MD5 signature option\n"
 +#endif
-+        "\
+	"\
 	\t-s source	Local source address\n\
 	\t-T keyword	TOS value or TLS options\n\
 	\t-t		Answer TELNET negotiation\n\
@@ -172,10 +180,10 @@
 -	\t-V rtable	Specify alternate routing table\n\
 +	\t-u		UDP mode\n"
 +#ifdef SO_RTABLE
-+        "\
+	"\
 +	\t-V rtable	Specify alternate routing table\n"
 +#endif
-+        "\
+	"\
 	\t-v		Verbose\n\
+ 	\t-W recvlimit	Terminate after receiving a number of packets\n\
 	\t-w timeout	Timeout for connects and final net reads\n\
- 	\t-X proto	Proxy protocol: \"4\", \"5\" (SOCKS) or \"connect\"\n\
--- a/patches/tls.h.patch
+++ b/patches/tls.h.patch
@@ -0,0 +1,32 @@
+--- include/tls.h.orig	2017-02-13 20:19:55.918636579 +0900
+++ include/tls.h	2017-02-13 20:21:18.313073161 +0900
+@@ -22,6 +22,13 @@
+ extern "C" {
+ #endif
+ 
+#ifdef _MSC_VER
+#ifndef LIBRESSL_INTERNAL
+#include <basetsd.h>
+typedef SSIZE_T ssize_t;
+#endif
+#endif
+
+ #include <sys/types.h>
+ 
+ #include <stddef.h>
+--- libtls-standalone/include/tls.h.orig	2017-02-13 20:21:48.297958529 +0900
+++ libtls-standalone/include/tls.h	2017-02-13 20:21:48.296958502 +0900
+@@ -22,6 +22,13 @@
+ extern "C" {
+ #endif
+ 
+#ifdef _MSC_VER
+#ifndef LIBRESSL_INTERNAL
+#include <basetsd.h>
+typedef SSIZE_T ssize_t;
+#endif
+#endif
+
+ #include <sys/types.h>
+ 
+ #include <stddef.h>
--- a/patches/tls_internal.h.patch
+++ b/patches/tls_internal.h.patch
@@ -1,12 +1,12 @@
--- ./openbsd/src/lib/libtls/tls_internal.h	Thu Oct 15 16:12:24 2015
-+++ ./tls/tls_internal.h	Sun Dec  6 20:18:17 2015
-@@ -24,7 +24,9 @@
+--- tls/tls_internal.h.orig	Sun Jul  9 06:16:17 2017
+++ tls/tls_internal.h	Mon Jul 17 06:10:01 2017
+@@ -26,7 +26,9 @@
 
- #include <openssl/ssl.h>
+ __BEGIN_HIDDEN_DECLS
 
 +#ifndef _PATH_SSL_CA_FILE
 #define _PATH_SSL_CA_FILE "/etc/ssl/cert.pem"
 +#endif
 
- #define TLS_CIPHERS_COMPAT	"ALL:!aNULL:!eNULL"
 #define TLS_CIPHERS_DEFAULT	"TLSv1.2+AEAD+ECDHE:TLSv1.2+AEAD+DHE"
+ #define TLS_CIPHERS_COMPAT	"HIGH:!aNULL"
--- a/patches/tlsexttest.c.patch
+++ b/patches/tlsexttest.c.patch
@@ -0,0 +1,41 @@
+--- tests/tlsexttest.c.orig	Sun Sep  3 00:44:51 2017
+++ tests/tlsexttest.c	Sun Sep  3 00:47:06 2017
+@@ -1676,7 +1676,9 @@ static unsigned char tlsext_sni_clienthello[] = {
+ };
+ 
+ static unsigned char tlsext_sni_serverhello[] = {
+	0x00
+ };
+const size_t sizeof_tlsext_sni_serverhello = 0;
+ 
+ static int
+ test_tlsext_sni_clienthello(void)
+@@ -1839,9 +1841,9 @@ test_tlsext_sni_serverhello(void)
+ 	if (!CBB_finish(&cbb, &data, &dlen))
+ 		errx(1, "failed to finish CBB");
+ 
+-	if (dlen != sizeof(tlsext_sni_serverhello)) {
+	if (dlen != sizeof_tlsext_sni_serverhello) {
+ 		FAIL("got serverhello SNI with length %zu, "
+-		    "want length %zu\n", dlen, sizeof(tlsext_sni_serverhello));
+		    "want length %zu\n", dlen, sizeof_tlsext_sni_serverhello);
+ 		goto err;
+ 	}
+ 
+@@ -1850,14 +1852,14 @@ test_tlsext_sni_serverhello(void)
+ 		fprintf(stderr, "received:\n");
+ 		hexdump(data, dlen);
+ 		fprintf(stderr, "test data:\n");
+-		hexdump(tlsext_sni_serverhello, sizeof(tlsext_sni_serverhello));
+		hexdump(tlsext_sni_serverhello, sizeof_tlsext_sni_serverhello);
+ 		goto err;
+ 	}
+ 
+ 	free(ssl->session->tlsext_hostname);
+ 	ssl->session->tlsext_hostname = NULL;
+ 
+-	CBS_init(&cbs, tlsext_sni_serverhello, sizeof(tlsext_sni_serverhello));
+	CBS_init(&cbs, tlsext_sni_serverhello, sizeof_tlsext_sni_serverhello);
+ 	if (!tlsext_sni_serverhello_parse(ssl, &cbs, &alert)) {
+ 		FAIL("failed to parse serverhello SNI\n");
+ 		goto err;
--- a/patches/windows_headers.patch
+++ b/patches/windows_headers.patch
@@ -4,36 +4,35 @@ diff -u include/openssl.orig/dtls1.h include/openssl/dtls1.h
@@ -60,7 +60,11 @@
 #ifndef HEADER_DTLS1_H
 #define HEADER_DTLS1_H
- 
+
 +#if defined(_WIN32)
 +#include <winsock2.h>
 +#else
 #include <sys/time.h>
 +#endif
- 
+
 #include <stdio.h>
 #include <stdlib.h>
-diff -u include/openssl.orig/opensslconf.h include/openssl/opensslconf.h
--- include/openssl.orig/opensslconf.h	Mon Dec  7 07:58:32 2015
-+++ include/openssl/opensslconf.h	Mon Dec  7 07:56:14 2015
+--- include/openssl/opensslconf.h.orig	Sat Nov  5 08:36:25 2016
+++ include/openssl/opensslconf.h	Mon Jul 17 06:06:58 2017
@@ -1,6 +1,10 @@
 #include <openssl/opensslfeatures.h>
 /* crypto/opensslconf.h.in */
- 
+
 +#if defined(_MSC_VER) && !defined(__attribute__)
 +#define __attribute__(a)
 +#endif
 +
 #if defined(HEADER_CRYPTLIB_H) && !defined(OPENSSLDIR)
 #define OPENSSLDIR "/etc/ssl"
-
+ #endif
 diff -u include/openssl.orig/ossl_typ.h include/openssl/ossl_typ.h
 --- include/openssl.orig/ossl_typ.h	Mon Dec  7 07:58:32 2015
 +++ include/openssl/ossl_typ.h	Mon Dec  7 07:56:14 2015
@@ -80,6 +80,22 @@
 typedef struct ASN1_ITEM_st ASN1_ITEM;
 typedef struct asn1_pctx_st ASN1_PCTX;
- 
+
 +#if defined(_WIN32) && defined(__WINCRYPT_H__)
 +#ifndef LIBRESSL_INTERNAL
 +#ifdef _MSC_VER
@@ -59,7 +58,7 @@ diff -u include/openssl.orig/pkcs7.h include/openssl/pkcs7.h
@@ -69,6 +69,18 @@
 extern "C" {
 #endif
- 
+
 +#if defined(_WIN32) && defined(__WINCRYPT_H__)
 +#ifndef LIBRESSL_INTERNAL
 +#ifdef _MSC_VER
@@ -81,7 +80,7 @@ diff -u include/openssl.orig/x509.h include/openssl/x509.h
@@ -112,6 +112,19 @@
 extern "C" {
 #endif
- 
+
 +#if defined(_WIN32)
 +#ifndef LIBRESSL_INTERNAL
 +#ifdef _MSC_VER
--- a/ssl/CMakeLists.txt
+++ b/ssl/CMakeLists.txt
@@ -35,13 +35,14 @@ set(
 	ssl_sess.c
 	ssl_srvr.c
 	ssl_stat.c
+	ssl_tlsext.c
 	ssl_txt.c
 	ssl_versions.c
 	t1_clnt.c
 	t1_enc.c
+	t1_hash.c
 	t1_lib.c
 	t1_meth.c
-	t1_reneg.c
 	t1_srvr.c
 )

@@ -50,8 +51,9 @@ if (BUILD_SHARED)
 	add_library(ssl STATIC $<TARGET_OBJECTS:ssl-objects>)
 	add_library(ssl-shared SHARED $<TARGET_OBJECTS:ssl-objects>)
 	export_symbol(ssl-shared ${CMAKE_CURRENT_SOURCE_DIR}/ssl.sym)
+	target_link_libraries(ssl-shared crypto-shared)
 	if (WIN32)
-		target_link_libraries(ssl-shared crypto-shared Ws2_32.lib)
+		target_link_libraries(ssl-shared Ws2_32.lib)
 		set(SSL_POSTFIX -${SSL_MAJOR_VERSION})
 	endif()
 	set_target_properties(ssl-shared PROPERTIES
@@ -59,8 +61,12 @@ if (BUILD_SHARED)
 		ARCHIVE_OUTPUT_NAME ssl${SSL_POSTFIX})
 	set_target_properties(ssl-shared PROPERTIES VERSION ${SSL_VERSION}
 		SOVERSION ${SSL_MAJOR_VERSION})
-	install(TARGETS ssl ssl-shared DESTINATION lib)
+	if(ENABLE_LIBRESSL_INSTALL)
+		install(TARGETS ssl ssl-shared DESTINATION ${CMAKE_INSTALL_LIBDIR})
+	endif(ENABLE_LIBRESSL_INSTALL)
 else()
 	add_library(ssl STATIC ${SSL_SRC})
-	install(TARGETS ssl DESTINATION lib)
+	if(ENABLE_LIBRESSL_INSTALL)
+		install(TARGETS ssl DESTINATION ${CMAKE_INSTALL_LIBDIR})
+	endif(ENABLE_LIBRESSL_INSTALL)
 endif()
--- a/ssl/Makefile.am
+++ b/ssl/Makefile.am
@@ -38,15 +38,17 @@ libssl_la_SOURCES += ssl_rsa.c
 libssl_la_SOURCES += ssl_sess.c
 libssl_la_SOURCES += ssl_srvr.c
 libssl_la_SOURCES += ssl_stat.c
+libssl_la_SOURCES += ssl_tlsext.c
 libssl_la_SOURCES += ssl_txt.c
 libssl_la_SOURCES += ssl_versions.c
 libssl_la_SOURCES += t1_clnt.c
 libssl_la_SOURCES += t1_enc.c
+libssl_la_SOURCES += t1_hash.c
 libssl_la_SOURCES += t1_lib.c
 libssl_la_SOURCES += t1_meth.c
-libssl_la_SOURCES += t1_reneg.c
 libssl_la_SOURCES += t1_srvr.c

 noinst_HEADERS = srtp.h
 noinst_HEADERS += ssl_locl.h
+noinst_HEADERS += ssl_tlsext.h
 noinst_HEADERS += bytestring.h
--- a/tap-driver.sh
+++ b/tap-driver.sh
@@ -1,5 +1,5 @@
 #! /bin/sh
-# Copyright (C) 2011-2014 Free Software Foundation, Inc.
+# Copyright (C) 2011-2017 Free Software Foundation, Inc.
 #
 # This program is free software; you can redistribute it and/or modify
 # it under the terms of the GNU General Public License as published by
@@ -646,6 +646,6 @@ test $? -eq 0 || fatal "I/O or internal error"
 # eval: (add-hook 'write-file-hooks 'time-stamp)
 # time-stamp-start: "scriptversion="
 # time-stamp-format: "%:y-%02m-%02d.%02H"
-# time-stamp-time-zone: "UTC"
+# time-stamp-time-zone: "UTC0"
 # time-stamp-end: "; # UTC"
 # End:
--- a/tests/CMakeLists.txt
+++ b/tests/CMakeLists.txt
@@ -168,6 +168,11 @@ set_source_files_properties(exptest.c PROPERTIES COMPILE_FLAGS -ULIBRESSL_INTERN
 target_link_libraries(exptest ${TESTS_LIBS})
 add_test(exptest exptest)

+# freenull
+add_executable(freenull freenull.c)
+target_link_libraries(freenull ${TESTS_LIBS})
+add_test(freenull freenull)
+
 # gcm128test
 add_executable(gcm128test gcm128test.c)
 target_link_libraries(gcm128test ${TESTS_LIBS})
@@ -178,6 +183,11 @@ add_executable(gost2814789t gost2814789t.c)
 target_link_libraries(gost2814789t ${TESTS_LIBS})
 add_test(gost2814789t gost2814789t)

+# hkdf_test
+add_executable(hkdf_test hkdf_test.c)
+target_link_libraries(hkdf_test ${TESTS_LIBS})
+add_test(hkdf_test hkdf_test)
+
 # hmactest
 add_executable(hmactest hmactest.c)
 target_link_libraries(hmactest ${TESTS_LIBS})
@@ -292,6 +302,16 @@ add_executable(rsa_test rsa_test.c)
 target_link_libraries(rsa_test ${TESTS_LIBS})
 add_test(rsa_test rsa_test)

+# servertest
+add_executable(servertest servertest.c)
+target_link_libraries(servertest ${TESTS_LIBS})
+if(NOT MSVC)
+	add_test(servertest ${CMAKE_CURRENT_SOURCE_DIR}/servertest.sh)
+else()
+	add_test(servertest ${CMAKE_CURRENT_SOURCE_DIR}/servertest.bat)
+endif()
+set_tests_properties(servertest PROPERTIES ENVIRONMENT "srcdir=${CMAKE_CURRENT_SOURCE_DIR}")
+
 # sha1test
 add_executable(sha1test sha1test.c)
 target_link_libraries(sha1test ${TESTS_LIBS})
@@ -351,6 +371,11 @@ add_executable(timingsafe timingsafe.c)
 target_link_libraries(timingsafe ${TESTS_LIBS})
 add_test(timingsafe timingsafe)

+# tlsexttest
+add_executable(tlsexttest tlsexttest.c)
+target_link_libraries(tlsexttest ${TESTS_LIBS})
+add_test(tlsexttest tlsexttest)
+
 # tlstest
 set(TLSTEST_SRC tlstest.c)
 check_function_exists(pipe2 HAVE_PIPE2)
@@ -374,6 +399,11 @@ add_executable(tls_ext_alpn tls_ext_alpn.c)
 target_link_libraries(tls_ext_alpn ${TESTS_LIBS})
 add_test(tls_ext_alpn tls_ext_alpn)

+# tls_prf
+add_executable(tls_prf tls_prf.c)
+target_link_libraries(tls_prf ${TESTS_LIBS})
+add_test(tls_prf tls_prf)
+
 # utf8test
 add_executable(utf8test utf8test.c)
 target_link_libraries(utf8test ${TESTS_LIBS})
--- a/tests/Makefile.am
+++ b/tests/Makefile.am
@@ -174,6 +174,12 @@ check_PROGRAMS += exptest
 exptest_CPPFLAGS = $(AM_CPPFLAGS) -ULIBRESSL_INTERNAL
 exptest_SOURCES = exptest.c

+# freenull
+TESTS += freenull
+check_PROGRAMS += freenull
+freenull_CPPFLAGS = $(AM_CPPFLAGS) -ULIBRESSL_INTERNAL
+freenull_SOURCES = freenull.c
+
 # gcm128test
 TESTS += gcm128test
 check_PROGRAMS += gcm128test
@@ -184,6 +190,11 @@ TESTS += gost2814789t
 check_PROGRAMS += gost2814789t
 gost2814789t_SOURCES = gost2814789t.c

+# hkdf_test
+TESTS += hkdftest
+check_PROGRAMS += hkdftest
+hkdftest_SOURCES = hkdf_test.c
+
 # hmactest
 TESTS += hmactest
 check_PROGRAMS += hmactest
@@ -294,6 +305,12 @@ TESTS += rsa_test
 check_PROGRAMS += rsa_test
 rsa_test_SOURCES = rsa_test.c

+# servertest
+TESTS += servertest.sh
+check_PROGRAMS += servertest
+servertest_SOURCES = servertest.c
+EXTRA_DIST += servertest.sh servertest.bat
+
 # sha1test
 TESTS += sha1test
 check_PROGRAMS += sha1test
@@ -339,6 +356,12 @@ TESTS += timingsafe
 check_PROGRAMS += timingsafe
 timingsafe_SOURCES = timingsafe.c

+# tlsexttest
+TESTS += tlsexttest
+check_PROGRAMS += tlsexttest
+tlsexttest_CPPFLAGS = $(AM_CPPFLAGS) -ULIBRESSL_INTERNAL
+tlsexttest_SOURCES = tlsexttest.c
+
 # tlstest
 TESTS += tlstest.sh
 check_PROGRAMS += tlstest
@@ -353,6 +376,11 @@ TESTS += tls_ext_alpn
 check_PROGRAMS += tls_ext_alpn
 tls_ext_alpn_SOURCES = tls_ext_alpn.c

+# tls_prf
+TESTS += tls_prf
+check_PROGRAMS += tls_prf
+tls_prf_SOURCES = tls_prf.c
+
 # utf8test
 TESTS += utf8test
 check_PROGRAMS += utf8test
--- a/tests/servertest.bat
+++ b/tests/servertest.bat
@@ -0,0 +1,17 @@
+@echo off
+setlocal enabledelayedexpansion
+REM	servertest.bat
+
+set servertest_bin=Debug\servertest.exe
+if not exist %servertest_bin% exit /b 1
+
+if "%srcdir%"=="" (
+	set srcdir=.
+)
+
+%servertest_bin% %srcdir%\server.pem %srcdir%\server.pem %srcdir%\ca.pem
+if !errorlevel! neq 0 (
+	exit /b 1
+)
+
+endlocal
--- a/tests/servertest.sh
+++ b/tests/servertest.sh
@@ -0,0 +1,13 @@
+#!/bin/sh
+set -e
+
+servertest_bin=./servertest
+if [ -e ./servertest.exe ]; then
+	servertest_bin=./servertest.exe
+fi
+
+if [ -z $srcdir ]; then
+	srcdir=.
+fi
+
+$servertest_bin $srcdir/server.pem $srcdir/server.pem $srcdir/ca.pem
--- a/tests/testssl.bat
+++ b/tests/testssl.bat
@@ -123,18 +123,6 @@ for %%p in ( SSLv3 ) do (
  )
 )

-REM #
-REM # Next Protocol Negotiation tests
-REM #
-echo "Testing NPN..."
-%ssltest% -bio_pair -tls1 -npn_client & if !errorlevel! neq 0 exit /b 1
-%ssltest% -bio_pair -tls1 -npn_server & if !errorlevel! neq 0 exit /b 1
-%ssltest% -bio_pair -tls1 -npn_server_reject & if !errorlevel! neq 0 exit /b 1
-%ssltest% -bio_pair -tls1 -npn_client -npn_server_reject & if !errorlevel! neq 0 exit /b 1
-%ssltest% -bio_pair -tls1 -npn_client -npn_server & if !errorlevel! neq 0 exit /b 1
-%ssltest% -bio_pair -tls1 -npn_client -npn_server -num 2 & if !errorlevel! neq 0 exit /b 1
-%ssltest% -bio_pair -tls1 -npn_client -npn_server -num 2 -reuse & if !errorlevel! neq 0 exit /b 1
-
 REM #
 REM # ALPN tests
 REM #
--- a/tests/tlstest.bat
+++ b/tests/tlstest.bat
@@ -9,7 +9,7 @@ if "%srcdir%"=="" (
 	set srcdir=.
 )

-%tlstest_bin% %srcdir%\server.pem %srcdir%\server.pem %srcdir%\ca.pem
+%tlstest_bin% %srcdir%\ca.pem %srcdir%\server.pem %srcdir%\server.pem
 if !errorlevel! neq 0 (
 	exit /b 1
 )
--- a/tests/tlstest.sh
+++ b/tests/tlstest.sh
@@ -10,4 +10,4 @@ if [ -z $srcdir ]; then
 	srcdir=.
 fi

-$tlstest_bin $srcdir/server.pem $srcdir/server.pem $srcdir/ca.pem
+$tlstest_bin $srcdir/ca.pem $srcdir/server.pem $srcdir/server.pem
--- a/tls/CMakeLists.txt
+++ b/tls/CMakeLists.txt
@@ -30,8 +30,9 @@ if (BUILD_SHARED)
 	add_library(tls STATIC $<TARGET_OBJECTS:tls-objects>)
 	add_library(tls-shared SHARED $<TARGET_OBJECTS:tls-objects>)
 	export_symbol(tls-shared ${CMAKE_CURRENT_SOURCE_DIR}/tls.sym)
+	target_link_libraries(tls-shared ssl-shared crypto-shared)
 	if (WIN32)
-		target_link_libraries(tls-shared ssl-shared crypto-shared Ws2_32.lib)
+		target_link_libraries(tls-shared Ws2_32.lib)
 		set(TLS_POSTFIX -${TLS_MAJOR_VERSION})
 	endif()
 	set_target_properties(tls-shared PROPERTIES
@@ -39,9 +40,13 @@ if (BUILD_SHARED)
 		ARCHIVE_OUTPUT_NAME tls${TLS_POSTFIX})
 	set_target_properties(tls-shared PROPERTIES VERSION ${TLS_VERSION}
 		SOVERSION ${TLS_MAJOR_VERSION})
-	install(TARGETS tls tls-shared DESTINATION lib)
+	if(ENABLE_LIBRESSL_INSTALL)
+		install(TARGETS tls tls-shared DESTINATION ${CMAKE_INSTALL_LIBDIR})
+	endif(ENABLE_LIBRESSL_INSTALL)
 else()
 	add_library(tls STATIC ${TLS_SRC})
-	install(TARGETS tls DESTINATION lib)
+	if(ENABLE_LIBRESSL_INSTALL)
+		install(TARGETS tls DESTINATION ${CMAKE_INSTALL_LIBDIR})
+	endif(ENABLE_LIBRESSL_INSTALL)
 endif()

--- a/update.sh
+++ b/update.sh
@@ -18,16 +18,17 @@ fi

 # setup source paths
 CWD=`pwd`
-libc_src=$CWD/openbsd/src/lib/libc
-libc_regress=$CWD/openbsd/src/regress/lib/libc
-libcrypto_src=$CWD/openbsd/src/lib/libcrypto
-libcrypto_regress=$CWD/openbsd/src/regress/lib/libcrypto
-libssl_src=$CWD/openbsd/src/lib/libssl
-libssl_regress=$CWD/openbsd/src/regress/lib/libssl
-libtls_src=$CWD/openbsd/src/lib/libtls
-libtls_regress=$CWD/openbsd/src/regress/lib/libtls
-bin_src=$CWD/openbsd/src/usr.bin
-sbin_src=$CWD/openbsd/src/usr.sbin
+OPENBSD_SRC=$CWD/openbsd/src
+libc_src=$OPENBSD_SRC/lib/libc
+libc_regress=$OPENBSD_SRC/regress/lib/libc
+libcrypto_src=$OPENBSD_SRC/lib/libcrypto
+libcrypto_regress=$OPENBSD_SRC/regress/lib/libcrypto
+libssl_src=$OPENBSD_SRC/lib/libssl
+libssl_regress=$OPENBSD_SRC/regress/lib/libssl
+libtls_src=$OPENBSD_SRC/lib/libtls
+libtls_regress=$OPENBSD_SRC/regress/lib/libtls
+bin_src=$OPENBSD_SRC/usr.bin
+sbin_src=$OPENBSD_SRC/usr.sbin

 # load library versions
 . $libcrypto_src/shlib_version
@@ -62,6 +63,10 @@ do_cp_libc() {
 CP_LIBC='do_cp_libc'

 CP='cp -p'
+GREP='grep'
+if [ -x /opt/csw/bin/ggrep ]; then
+	GREP='/opt/csw/bin/ggrep'
+fi

 $CP $libssl_src/LICENSE COPYING

@@ -78,6 +83,7 @@ for i in crypto/compat libtls-standalone/compat; do
 	    $libc_src/crypt/chacha_private.h \
 	    $libc_src/net/inet_pton.c \
 	    $libc_src/stdlib/reallocarray.c \
+	    $libc_src/stdlib/recallocarray.c \
 	    $libc_src/string/explicit_bzero.c \
 	    $libc_src/string/strcasecmp.c \
 	    $libc_src/string/strlcpy.c \
@@ -119,7 +125,7 @@ copy_hdrs $libcrypto_src "stack/stack.h lhash/lhash.h stack/safestack.h
 	ossl_typ.h err/err.h crypto.h comp/comp.h x509/x509.h buffer/buffer.h
 	objects/objects.h asn1/asn1.h bn/bn.h ec/ec.h ecdsa/ecdsa.h
 	ecdh/ecdh.h rsa/rsa.h sha/sha.h x509/x509_vfy.h pkcs7/pkcs7.h pem/pem.h
-	pem/pem2.h hmac/hmac.h rand/rand.h md5/md5.h
+	pem/pem2.h hkdf/hkdf.h hmac/hmac.h rand/rand.h md5/md5.h
 	asn1/asn1_mac.h x509v3/x509v3.h conf/conf.h ocsp/ocsp.h
 	aes/aes.h modes/modes.h asn1/asn1t.h dso/dso.h bf/blowfish.h
 	bio/bio.h cast/cast.h cmac/cmac.h conf/conf_api.h des/des.h dh/dh.h
@@ -150,7 +156,7 @@ done
 $CP crypto/compat/b_win.c crypto/bio
 $CP crypto/compat/ui_openssl_win.c crypto/ui
 # add the libcrypto symbol export list
-grep '^[[:alpha:]]' < $libcrypto_src/Symbols.list > crypto/crypto.sym
+$GREP -v OPENSSL_ia32cap_P $libcrypto_src/Symbols.list | $GREP '^[[:alpha:]]' > crypto/crypto.sym

 # generate assembly crypto algorithms
 asm_src=$libcrypto_src
@@ -205,7 +211,7 @@ for i in `awk '/SOURCES|HEADERS/ { print $3 }' tls/Makefile.am` ; do
 	fi
 done
 # add the libtls symbol export list
-grep '^[[:alpha:]]' < $libtls_src/Symbols.list > tls/tls.sym
+$GREP '^[[:alpha:]]' < $libtls_src/Symbols.list > tls/tls.sym

 mkdir -p libtls-standalone/m4
 $CP m4/check*.m4 \
@@ -258,7 +264,7 @@ for i in `awk '/SOURCES|HEADERS/ { print $3 }' ssl/Makefile.am` ; do
 	$CP $libssl_src/$i ssl
 done
 # add the libssl symbol export list
-grep '^[[:alpha:]]' < $libssl_src/Symbols.list > ssl/ssl.sym
+$GREP '^[[:alpha:]]' < $libssl_src/Symbols.list > ssl/ssl.sym

 # copy libcrypto tests
 echo "copying tests"
@@ -303,7 +309,7 @@ add_man_links() {
 	filter=$1
 	dest=$2
 	echo "install-data-hook:" >> $dest
-	for i in `grep $filter man/links`; do
+	for i in `$GREP $filter man/links`; do
 		IFS=","; set $i; unset IFS
 		if [ "$2" != "" ]; then
 			echo "	ln -sf \"$1\" \"\$(DESTDIR)\$(mandir)/man3/$2\"" >> $dest
@@ -311,7 +317,7 @@ add_man_links() {
 	done
 	echo "" >> $dest
 	echo "uninstall-local:" >> $dest
-	for i in `grep $filter man/links`; do
+	for i in `$GREP $filter man/links`; do
 		IFS=","; set $i; unset IFS
 		if [ "$2" != "" ]; then
 			echo "	-rm -f \"\$(DESTDIR)\$(mandir)/man3/$2\"" >> $dest
@@ -332,25 +338,32 @@ done
 # copy manpages
 echo "copying manpages"
 echo EXTRA_DIST = CMakeLists.txt > man/Makefile.am
-echo dist_man_MANS = >> man/Makefile.am
+echo dist_man3_MANS = >> man/Makefile.am
+echo dist_man5_MANS = >> man/Makefile.am

 (cd man
 	for i in `ls -1 $libssl_src/man/*.3 | sort`; do
 		NAME=`basename "$i"`
 		$CP $i .
-		echo "dist_man_MANS += $NAME" >> Makefile.am
+		echo "dist_man3_MANS += $NAME" >> Makefile.am
 	done

 	for i in `ls -1 $libcrypto_src/man/*.3 | sort`; do
 		NAME=`basename "$i"`
 		$CP $i .
-		echo "dist_man_MANS += $NAME" >> Makefile.am
+		echo "dist_man3_MANS += $NAME" >> Makefile.am
 	done

 	for i in `ls -1 $libtls_src/man/*.3 | sort`; do
 		NAME=`basename "$i"`
 		$CP $i .
-		echo "dist_man_MANS += $NAME" >> Makefile.am
+		echo "dist_man3_MANS += $NAME" >> Makefile.am
+	done
+
+	for i in `ls -1 $libcrypto_src/man/*.5 | sort`; do
+		NAME=`basename "$i"`
+		$CP $i .
+		echo "dist_man5_MANS += $NAME" >> Makefile.am
 	done
 )
 add_man_links . man/Makefile.am
Author	SHA1	Message	Date
Brent Cook	fe8a52a0d9	update changelog	2017-11-05 17:13:06 -06:00
Brent Cook	727aeabdd8	make OPENBSD_6_2 branch	2017-11-02 05:59:08 -05:00
Bernard Spil	794f48f1d8	Separate man(5) pages	2017-10-22 16:10:38 +02:00
Brent Cook	cd9f686793	Land #355 , update libc checks	2017-09-26 09:21:38 -05:00
kinichiro	9bb3e03722	Fix checking memmem in apps/ocspcheck/CMakeLists.txt - Issue #352 pointed out by @d3x0r	2017-09-26 22:02:21 +09:00
Brent Cook	07b9f6c371	update release notes	2017-09-25 23:06:21 -05:00
Brent Cook	6054891d43	Land #348 , include .5 manpages	2017-09-17 10:08:19 -05:00
Aric Belsito	cbe57bef04	Some CMake Fixes. pqueue.h was getting installed when it shouldn't. pkgconfig files were not getting installed or generated.	2017-09-10 11:54:23 -07:00
kinichiro	03502b8d8f	Add *.5 manpages in libcrypto/man/	2017-09-10 12:58:47 +09:00
Brent Cook	8a2a079b6d	spelling	2017-09-06 18:37:12 -05:00
Brent Cook	c53c374f83	update VS prerequisites, refer to autogen.sh more	2017-09-04 16:32:43 -05:00
Brent Cook	fa1c469601	Land #344 , fix regress tlxexttest for certain C compilers	2017-09-04 16:24:49 -05:00
Brent Cook	7035c7268d	be more concise, formatting	2017-09-04 16:24:14 -05:00
Brent Cook	82fda3d410	update changes	2017-09-04 16:18:20 -05:00
Brent Cook	b623db7bfb	enhance README warnings, remove pod2man requirement	2017-09-04 16:14:54 -05:00
Brent Cook	3612cbe3a0	update manpage links	2017-09-03 21:52:59 -05:00
Brent Cook	d653deef65	add 2.6.1 changelog	2017-09-03 21:52:18 -05:00
kinichiro	512573f0de	Add patch for regress tlsexttest Some compiler does not support 0 sized array. This patch changes 0 sized array to have NULL and using variable instead of sizeof function.	2017-09-03 01:16:36 +09:00
kinichiro	f4d2b810cb	Remove rsa/rsa_ssl.c	2017-09-01 23:37:09 +09:00
Brent Cook	7dc68c82bc	set SMALL_TIME_T when sizeof time_t == 4	2017-08-14 12:15:00 -05:00
Brent Cook	4916f940c8	use standard initialization for poll loop delay	2017-08-13 16:09:32 -05:00
Brent Cook	9e7fd1fa31	declare struct timezone outside of the function declaration	2017-08-13 16:04:03 -05:00
Brent Cook	e0cffc6b48	disable signed/unsigned mismatch in vs builds	2017-08-13 11:49:04 -05:00
Brent Cook	8f255707f0	Land #338 , disable NPN tests	2017-08-13 08:54:38 -05:00
Brent Cook	4c6097c220	bump to latest version of tap driver	2017-08-13 08:54:03 -05:00
kinichiro	23b5d39cfb	Remove NPN test coverage for Windows.	2017-08-13 19:10:46 +09:00
Brent Cook	94e4224f5f	don't build empty object files	2017-08-12 10:05:30 -05:00
Brent Cook	bdec057318	Land #332 , fix shared library dependencies with cmake for libssl/libtls	2017-08-12 09:46:19 -05:00
kinichiro	9be0359cc3	Remove ssl/t1_reneg.c	2017-08-12 01:15:17 +09:00
Masud Rahman	1dd6a52f2d	ssl/tls cmake: fix shared library dependencies Ensure that the 'ssl' depends on 'crypto' and that 'tls' depends on 'ssl' and 'crypto' for all platforms. Prior to this commit, the dependency was only specified for the 'WIN32' CMake build.	2017-07-24 15:26:29 -04:00
Brent Cook	5ec2c381e4	rebase patches on latest, remove fuzz	2017-07-17 06:13:21 -05:00
Brent Cook	86434e03e8	update manpage links	2017-07-17 06:06:08 -05:00
Brent Cook	58ba8785fb	add tlsext	2017-07-17 05:12:55 -05:00
Brent Cook	e53af8da67	Land #329 , modify symbol exports for Darwin with cmake builds	2017-07-17 04:29:39 -05:00
Brent Cook	9887c82768	Land #331 , add prototype definitions of asprintf and vasprintf for CYGWIN build	2017-07-17 04:25:21 -05:00
kinichiro	5afc4e3cd8	add prototype definitions of asprintf and vasprintf for CYGWIN build - define _GNU_SOURCE in case of cygwin As compilation warning report by @Dravion	2017-07-16 23:59:55 +09:00
kinichiro	f7cf93fd22	Add regression test freenull	2017-07-16 11:49:15 +09:00
Brent Cook	cefd44a86e	changelog corrections	2017-07-12 04:08:47 -05:00
Brent Cook	5e6de6ebce	remove duplcate changelog entry	2017-07-09 11:00:20 -05:00
Brent Cook	c92119f50a	added 2.6.0 Changes	2017-07-09 10:36:22 -05:00
Brent Cook	51e5279c24	Updated changelog	2017-07-09 06:16:59 -05:00
Brent Cook	70ee57c6ad	Land #328 , generate the crypto export symbol list at build time	2017-07-09 05:12:21 -05:00
Brent Cook	0dbae37735	Land #324 , Add option LIBRESSL_SKIP_INSTALL	2017-07-09 05:06:06 -05:00
Brent Cook	e550534203	make it easier to swap grep (Solaris grep doesn't support alpha)	2017-07-08 19:05:35 -05:00
Brent Cook	9b88fa46bb	generate the crypto export symbol list at build time we currently do it at configure time, which makes this a generated source, but generated sources should be cleaned up, which breaks 'make clean; make'	2017-07-08 17:46:16 -05:00
kinichiro	c18852f650	Set Solaris build default to 64 bit	2017-07-08 01:43:07 +09:00
d3x0r	0e82f22d16	Okay really one more try.	2017-07-07 01:21:16 -07:00
d3x0r	9cad7f785b	Okay one more try.	2017-07-07 01:20:21 -07:00
d3x0r	08869b75db	use \- to prevent hyphen wrapping	2017-07-07 01:17:48 -07:00
d3x0r	fc4e1b9572	use ‑ to prevent hyphen wrapping	2017-07-07 01:11:57 -07:00
d3x0r	a8cd9fdbd6	use ‑ option hyphen wrapping	2017-07-07 01:07:05 -07:00
d3x0r	3471d20142	Fix formatting for description of openssldir and skip install; add <nobr> to prevent option hyphen wrapping	2017-07-07 01:04:34 -07:00
d3x0r	a61122ef6c	Fix formatting for description of openssldir and skip install	2017-07-07 01:01:08 -07:00
d3x0r	360a67cd34	Add documentation about available CMake options.	2017-07-07 00:59:05 -07:00
d3x0r	a4d80ca56a	Merge branch 'master' of https://github.com/libressl-portable/portable into SkipInstall Fix merge conflicts from GNUInstallDirs merge to master.	2017-07-06 23:11:11 -07:00
Brent Cook	334245374a	Land #323 , use GNUInstallDirs from cmake to specify install paths	2017-07-06 23:58:40 -05:00
Brent Cook	52080abbf7	Land #326 , fix tests/tlstest.bat argument order	2017-07-06 23:57:05 -05:00
kinichiro	322b82367d	fix tests/tlstest.bat	2017-07-07 01:40:35 +09:00
kinichiro	1f7777169d	update netcat patch	2017-07-07 00:46:48 +09:00
d3x0r	2557dd7439	Add option LIBRESSL_SKIP_INSTALL Internally LIBRESSL_SKIP_INSTALL, if not set becomes ENABLE_LIBRESSL_INSTALL so this by default is enabled. defining LIBRESSL_SKIP_INSTALL before hand will disable all install() rules. This is useful if another project includes and links to this statically. I chose to add a prefix to avoid potential name collision because the options are cached globally. If the installation is skipped, maybe it should also disable building apps? I didn't do that.	2017-07-06 02:09:44 -07:00
d3x0r	a2bd5ebaba	use GNUInstallDirs from cmake to specify install paths. Primarily this is to select whether 'lib64' or 'lib' is used on linux type systems.	2017-07-06 01:49:43 -07:00
Brent Cook	728bda1830	Land #318 , Fix CMake module include path	2017-07-05 23:17:49 -05:00
Brent Cook	8a658c37b5	Land #316 , Remove misleading CFLAGS / LDFLAGS	2017-07-05 23:16:45 -05:00
Masud Rahman	73e51e012f	cmake_export_symbol: Darwin compatibility The Darwin platform prefixes all C symbols with an underscore. At link-time of a shared library, libressl generates a list of symbols to export, but does not prefix each symbol with an underscore. This commit addresses that issue.	2017-06-25 18:19:20 -04:00
Matt Stancliff	fe79df3c90	Fix CMake module include path Need to search the current directory, not the overall project root directory if this is being included as a sub-dependency of another project.	2017-06-15 23:11:13 -04:00
Brent Cook	8b80bcdad8	re-add getpagesize fallback, needed for Android	2017-06-11 11:21:34 -05:00
Paul Graham	b49242fcb0	Remove misleading CFLAGS / LDFLAGS. These variables were being ignored because libtool doesn't pass -static-libgcc to GCC. If you want to link libgcc statically, currently the only way to achieve this is to manually add -static-libgcc to CC variable. See: http://www.mingw.org/wiki/HOWTO_Sneak_GCC_Switches_Past_Libtool	2017-06-09 13:33:14 +02:00
Brent Cook	0974d6f011	update nc patch	2017-06-03 20:13:25 -05:00
kinichiro	d3f3daec18	defining DEFAULT_CA_FILE only if it is not defined. indicated by Kyle J. McKay mackyle@gmail.com	2017-06-04 00:56:11 +09:00
Brent Cook	0da71010d6	update tlstest argument ordering	2017-05-18 00:31:20 -05:00
Brent Cook	e7b0c0069b	fix hkdftest name	2017-05-18 00:31:07 -05:00
kinichiro	530fbba1ed	Add definition of in_addr_t for Windows build	2017-05-14 00:00:10 +09:00
kinichiro	63042e98f8	Add HKDF functionality	2017-05-13 23:59:59 +09:00
Brent Cook	f494c6aaf7	Land #310 , make it easier to build from cvs source	2017-05-08 08:32:38 -05:00
kinichiro	6cb87c121a	Modify update.sh to change the path of openbsd source tree easily With this modification, we can build portable with /usr/src easily.	2017-05-07 00:47:32 +09:00
Brent Cook	32ab245f05	remove OPENSSL_ia32cap_P from crypto.sym when generated	2017-05-01 00:20:49 -05:00
Brent Cook	6374bfa401	add 2.5.4 changelog	2017-05-01 00:20:40 -05:00
Brent Cook	7ba183503a	include amd64 in the mix	2017-04-29 18:37:18 -05:00
Brent Cook	1f13e7956b	only include ia32 syms on i?86/x86_64 targets	2017-04-29 18:36:14 -05:00
Brent Cook	993f5cf6f9	add back copyright notice from OpenBSD malloc.c from which this came.	2017-04-28 00:26:40 -05:00
Brent Cook	53fb56ea87	Land #306 , add freezero	2017-04-28 00:22:43 -05:00
kinichiro	048625cf2b	Add freezero support	2017-04-22 23:37:20 +09:00
Steven McDonald	7ec0510e33	Fix pkg-config metadata for libcrypto It looks like this was copied and pasted from libssl.pc.in. This patch identifies it as libcrypto rather than libssl.	2017-04-18 00:52:32 +10:00
Brent Cook	9d2418ae3a	add nc(1) manpage to install if enabled	2017-04-12 08:18:20 -05:00
Brent Cook	922cd9c94e	move crypto_portable.sym to builddir	2017-04-10 09:30:29 -05:00
Brent Cook	7ecfed7690	update changelog for stable release	2017-04-06 06:24:12 -05:00
Brent Cook	2c66480f5e	tag OpenBSD 6.1 release	2017-04-03 22:55:17 -05:00
Brent Cook	22bda9840b	condense and refine changelog a bit	2017-03-25 21:25:58 -05:00
Brent Cook	19cf5c9b01	update changelog for 2.5.2	2017-03-25 17:19:25 -05:00
Brent Cook	570717c488	rebase netcat patch	2017-03-25 12:03:37 -05:00
kinichiro	cb73e4bef6	Add regress tls_prf	2017-03-17 21:33:01 +09:00
kinichiro	350170b6ab	Add regress servertest	2017-03-17 21:32:51 +09:00
Brent Cook	ff462f05a2	add getpagesize check for cmake	2017-03-16 20:54:16 -05:00
Brent Cook	764ab1e6a9	remove sysconf fallback for now	2017-03-16 19:25:42 -05:00
Brent Cook	d5b247cc4f	Land #297 , Add recallocarray	2017-03-16 19:23:36 -05:00
Brent Cook	8f69fe98db	Land #287 , document steps to enable 64-bit time_t on mingw-w64 toolchain	2017-03-16 18:56:06 -05:00
Brent Cook	8622dc7536	Land #288 , update conditions under which getentropy, arc4random* are exported	2017-03-16 18:53:12 -05:00
kinichiro	c61c9821e8	Add support for getpagesize	2017-03-15 22:02:11 +09:00
kinichiro	8877e9bc55	Add recallocarray	2017-03-09 23:00:04 +09:00
kinichiro	27f0879030	Add ssl/t1_hash.c	2017-03-08 00:17:25 +09:00
kinichiro	f2c14deb58	Add crypto/evp/m_md5_sha1.c	2017-03-05 11:17:20 +09:00
kinichiro	5297e9d486	Fix condition of arc4random* and getentropy for Cygwin build - Fix the condition of exporting getentropy - Modify the CMake condition of including arc4random_uniform as same as autoconf	2017-02-20 11:50:47 +09:00
Paul Graham	3b4d3d7541	Remove "exit 1" (added by mistake)	2017-02-18 22:17:59 +01:00
Paul Graham	b2b47a7d11	Document 32-bit time_t problem on minw-w64 toolchain and how to avoid it	2017-02-15 23:04:04 +01:00
kinichiro	9d75e5ea97	Add definition of ssize_t to tls.h for Windows	2017-02-13 20:25:49 +09:00
Brent Cook	3ba2699dab	ignore mandoc db, compat files	2017-02-07 07:53:52 -06:00
kinichiro	7383bf673b	Fix patch for netcat.c	2017-02-07 18:38:03 +09:00