update changelog for 2.4.2

set link library dependencies with MSVC, fixes #221
properly enable strnlen checks for MSVC
2016-07-31 17:55:50 -05:00 · 2016-07-31 17:12:35 -05:00 · 2016-07-31 17:12:35 -05:00 · 2016-07-29 07:51:02 -05:00
67 changed files with 1099 additions and 2702 deletions
--- a/.gitignore
+++ b/.gitignore
@@ -39,7 +39,6 @@ Makefile.in
 *.la

 *.def
-*.sym
 *.pc

 # man pages
@@ -58,9 +57,7 @@ tests/explicit_bzero*
 tests/gost2814789t*
 tests/mont*
 tests/rfc5280time*
-tests/ssl_versions*
 tests/timingsafe*
-tests/tls_ext_alpn*
 tests/*test
 tests/tests.h
 tests/*test.c
@@ -117,17 +114,10 @@ include/pqueue.h
 include/tls.h
 include/openssl/*.h

-/apps/ocspcheck/*.h
-/apps/ocspcheck/*.c
-/apps/ocspcheck/ocspcheck*
-/apps/ocspcheck/compat/inet_ntop.c
-/apps/ocspcheck/compat/memmem.c
-
 /apps/nc/*.h
 /apps/nc/*.c
 /apps/nc/nc*
 !/apps/nc/readpassphrase.c
-
 /apps/openssl/*.h
 /apps/openssl/*.c
 /apps/openssl/*.cnf
--- a/.travis.yml
+++ b/.travis.yml
@@ -10,23 +10,15 @@ matrix:
    - compiler: clang
      os: linux
      env: ARCH=native
-      dist: trusty
-      sudo: required
    - compiler: gcc
      os: linux
      env: ARCH=native
-      dist: trusty
-      sudo: required
    - compiler: gcc
      os: linux
      env: ARCH=mingw32
-      dist: trusty
-      sudo: required
    - compiler: gcc
      os: linux
      env: ARCH=mingw64
-      dist: trusty
-      sudo: required

 script:
  "./scripts/travis"
--- a/CMakeLists.txt
+++ b/CMakeLists.txt
@@ -4,24 +4,21 @@ include(CheckLibraryExists)
 include(CheckIncludeFiles)
 include(CheckTypeSize)

-set(CMAKE_MODULE_PATH "${CMAKE_SOURCE_DIR}" ${CMAKE_MODULE_PATH})
-include(cmake_export_symbol)
-
 project (LibreSSL C)

 enable_testing()

-file(READ ${CMAKE_CURRENT_SOURCE_DIR}/ssl/VERSION SSL_VERSION)
+file(READ ${CMAKE_SOURCE_DIR}/ssl/VERSION SSL_VERSION)
 string(STRIP ${SSL_VERSION} SSL_VERSION)
 string(REPLACE ":" "." SSL_VERSION ${SSL_VERSION})
 string(REGEX REPLACE "\\..*" "" SSL_MAJOR_VERSION ${SSL_VERSION})

-file(READ ${CMAKE_CURRENT_SOURCE_DIR}/crypto/VERSION CRYPTO_VERSION)
+file(READ ${CMAKE_SOURCE_DIR}/crypto/VERSION CRYPTO_VERSION)
 string(STRIP ${CRYPTO_VERSION} CRYPTO_VERSION)
 string(REPLACE ":" "." CRYPTO_VERSION ${CRYPTO_VERSION})
 string(REGEX REPLACE "\\..*" "" CRYPTO_MAJOR_VERSION ${CRYPTO_VERSION})

-file(READ ${CMAKE_CURRENT_SOURCE_DIR}/tls/VERSION TLS_VERSION)
+file(READ ${CMAKE_SOURCE_DIR}/tls/VERSION TLS_VERSION)
 string(STRIP ${TLS_VERSION} TLS_VERSION)
 string(REPLACE ":" "." TLS_VERSION ${TLS_VERSION})
 string(REGEX REPLACE "\\..*" "" TLS_MAJOR_VERSION ${TLS_VERSION})
@@ -29,7 +26,6 @@ string(REGEX REPLACE "\\..*" "" TLS_MAJOR_VERSION ${TLS_VERSION})
 option(ENABLE_ASM "Enable assembly" ON)
 option(ENABLE_EXTRATESTS "Enable extra tests that may be unreliable on some platforms" OFF)
 option(ENABLE_NC "Enable installing TLS-enabled nc(1)" OFF)
-option(ENABLE_VSTEST "Enable test on Visual Studio" OFF)
 set(OPENSSLDIR ${OPENSSLDIR} CACHE PATH "Set the default openssl directory" FORCE)

 set(BUILD_NC true)
@@ -53,7 +49,7 @@ if(CMAKE_SYSTEM_NAME MATCHES "MINGW")
 	set(BUILD_NC false)
 endif()

-if(WIN32)
+if(MSVC)
 	set(BUILD_NC false)
 endif()

@@ -77,8 +73,6 @@ endif()

 add_definitions(-DLIBRESSL_INTERNAL)
 add_definitions(-DOPENSSL_NO_HW_PADLOCK)
-add_definitions(-D__BEGIN_HIDDEN_DECLS=)
-add_definitions(-D__END_HIDDEN_DECLS=)

 set(CMAKE_POSITION_INDEPENDENT_CODE true)

@@ -86,19 +80,15 @@ if (CMAKE_COMPILER_IS_GNUCC OR CMAKE_C_COMPILER_ID MATCHES "Clang")
 	add_definitions(-Wno-pointer-sign)
 endif()

-if(WIN32)
+if(MSVC)
+	add_definitions(-Dinline=__inline)
 	add_definitions(-Drestrict)
 	add_definitions(-D_CRT_SECURE_NO_WARNINGS)
 	add_definitions(-D_CRT_DEPRECATED_NO_WARNINGS)
 	add_definitions(-D_REENTRANT -D_POSIX_THREAD_SAFE_FUNCTIONS)
 	add_definitions(-DWIN32_LEAN_AND_MEAN -D_WIN32_WINNT=0x0501)
 	add_definitions(-DCPPFLAGS -DOPENSSL_NO_SPEED -DNO_SYSLOG -DNO_CRYPT)
-endif()

-if(MSVC)
-	add_definitions(-Dinline=__inline)
-	message(STATUS "Using [${CMAKE_C_COMPILER_ID}] compiler")
-	if(CMAKE_C_COMPILER_ID MATCHES "MSVC")
 	set(MSVC_DISABLED_WARNINGS_LIST
 		"C4057" # C4057: 'initializing' : 'unsigned char *' differs in
 		        # indirection to slightly different base types from 'char [2]'
@@ -108,35 +98,14 @@ if(MSVC)
 		        # possible loss of data
 		"C4244" # 'function' : conversion from 'int' to 'uint8_t',
 		        # possible loss of data
-			"C4267" # conversion from 'size_t' to 'some type that is almost
-				# certainly safe to convert a size_t to'.
 		"C4706" # assignment within conditional expression
 		"C4820" # 'bytes' bytes padding added after construct 'member_name'
 		"C4996" # 'read': The POSIX name for this item is deprecated. Instead,
 		        # use the ISO C++ conformant name: _read.
 	)
-	elseif(CMAKE_C_COMPILER_ID MATCHES "Intel")
-		add_definitions(-D_CRT_SUPPRESS_RESTRICT)
-		set(MSVC_DISABLED_WARNINGS_LIST
-			"C111"  # Unreachable statement
-			"C128"  # Unreachable loop
-			"C167"  # Unexplict casting unsigned to signed
-			"C186"  # Pointless comparison of unsigned int with zero
-			"C188"  # Enumerated type mixed with another type
-			"C344"  # Redeclared type
-			"C556"  # Unexplict casting signed to unsigned
-			"C869"  # Unreferenced parameters
-			"C1786" # Deprecated functions
-			"C2545" # Empty else statement
-			"C2557" # Comparing signed to unsigned
-			"C2722" # List init syntax is c++11 feature
-			"C3280" # Declaration hides variable
-		)
-	endif()
 	string(REPLACE "C" " -wd" MSVC_DISABLED_WARNINGS_STR
 		${MSVC_DISABLED_WARNINGS_LIST})
-	string(REGEX REPLACE "[/-]W[1234][ ]?" "" CMAKE_C_FLAGS ${CMAKE_C_FLAGS})
-	set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -MP -W4 ${MSVC_DISABLED_WARNINGS_STR}")
+	set(CMAKE_C_FLAGS  "-MP -W4 ${MSVC_DISABLED_WARNINGS_STR}")
 endif()

 check_function_exists(asprintf HAVE_ASPRINTF)
@@ -174,7 +143,7 @@ if(HAVE_STRNDUP)
 	add_definitions(-DHAVE_STRNDUP)
 endif()

-if(WIN32)
+if(MSVC)
 	set(HAVE_STRNLEN true)
 	add_definitions(-DHAVE_STRNLEN)
 else()
@@ -251,24 +220,7 @@ if(ENABLE_ASM)
 	endif()
 endif()

-if(NOT (CMAKE_SYSTEM_NAME MATCHES "(Darwin|CYGWIN)"))
-	set(BUILD_SHARED true)
-endif()
-
-# USE_SHARED builds applications (e.g. openssl) using shared LibreSSL.
-# By default, applications use LibreSSL static library to avoid dependencies.
-# USE_SHARED isn't set by default; use -DUSE_SHARED=ON with CMake to enable.
-# Can be helpful for debugging; don't use for public releases.
-if(NOT BUILD_SHARED)
-	set(USE_SHARED off)
-endif()
-
-if(USE_SHARED)
-	set(OPENSSL_LIBS tls-shared ssl-shared crypto-shared)
-else()
-	set(OPENSSL_LIBS tls ssl crypto)
-endif()
-
+set(OPENSSL_LIBS ssl crypto)
 if(CMAKE_HOST_WIN32)
 	set(OPENSSL_LIBS ${OPENSSL_LIBS} ws2_32)
 endif()
@@ -285,6 +237,10 @@ if(CMAKE_SYSTEM_NAME MATCHES "SunOS")
 	set(OPENSSL_LIBS ${OPENSSL_LIBS} nsl socket)
 endif()

+if(NOT (CMAKE_SYSTEM_NAME MATCHES "(Darwin|MINGW|CYGWIN)" OR MSVC))
+	set(BUILD_SHARED true)
+endif()
+
 check_type_size(time_t SIZEOF_TIME_T)
 if(SIZEOF_TIME_T STREQUAL "4")
 	set(SMALL_TIME_T true)
@@ -300,8 +256,6 @@ add_subdirectory(tls)
 add_subdirectory(include)
 if(NOT MSVC)
 	add_subdirectory(man)
-endif()
-if(NOT MSVC OR ENABLE_VSTEST)
 	add_subdirectory(tests)
 endif()

--- a/141
+++ b/141
@@ -28,150 +28,11 @@ history is also available from Git.

 LibreSSL Portable Release Notes:

-2.5.1 - Bug and security fixes, new features, documentation updates
-
-	* X509_cmp_time() now passes a malformed GeneralizedTime field as an
-	  error. Reported by Theofilos Petsios.
-
-	* Detect zero-length encrypted session data early, instead of when
-	  malloc(0) fails or the HMAC check fails. Noted independently by
-	  jsing@ and Kurt Cancemi.
-
-	* Check for and handle failure of HMAC_{Update,Final} or
-	  EVP_DecryptUpdate().
-
-	* Massive update and normalization of manpages, conversion to
-	  mandoc format. Many pages were rewritten for clarity and accuracy.
-	  Portable doc links are up-to-date with a new conversion tool.
-
-	* Curve25519 Key Exchange support.
-
-	* Support for alternate chains for certificate verification.
-
-	* Code cleanups, CBS conversions, further unification of DTLS/SSL
-	  handshake code, further ASN1 macro expansion and removal.
-
-	* Private symbol are now hidden in libssl and libcryto.
-
-	* Friendly certificate verification error messages in libtls, peer
-	  verification is now always enabled.
-
-	* Added OCSP stapling support to libtls and netcat.
-
-	* Added ocspcheck utility to validate a certificate against its OCSP
-	  responder and save the reply for stapling
-
-	* Enhanced regression tests and error handling for libtls.
-
-	* Added explicit constant and non-constant time BN functions,
-	  defaulting to constant time wherever possible.
-
-	* Moved many leaked implementation details in public structs behind
-	  opaque pointers.
-
-	* Added ticket support to libtls.
-
-	* Added support for setting the supported EC curves via
-	  SSL{_CTX}_set1_groups{_list}() - also provide defines for the previous
-	  SSL{_CTX}_set1_curves{_list} names. This also changes the default
-	  list of curves to be X25519, P-256 and P-384. All other curves must
-          be manually enabled.
-
-	* Added -groups option to openssl(1) s_client for specifying the curves
-          to be used in a colon-separated list.
-
-	* Merged client/server version negotiation code paths into one,
-	  reducing much duplicate code.
-
-	* Removed error function codes from libssl and libcrypto.
-
-	* Fixed an issue where a truncated packet could crash via an OOB read.
-
-	* Added SSL_OP_NO_CLIENT_RENEGOTIATION option that disallows
-	  client-initiated renegotiation. This is the default for libtls
-	  servers.
-
-	* Avoid a side-channel cache-timing attack that can leak the ECDSA
-	  private keys when signing. This is due to BN_mod_inverse() being
-	  used without the constant time flag being set. Reported by Cesar
-	  Pereida Garcia and Billy Brumley (Tampere University of Technology).
-	  The fix was developed by Cesar Pereida Garcia.
-
-	* iOS and MacOS compatibility updates from Simone Basso and Jacob
-	  Berkman.
-
-
-2.5.0 - New APIs, bug fixes and improvements
-
-	* libtls now supports ALPN and SNI
-
-	* libtls adds a new callback interface for integrating custom IO
-	  functions. Thanks to Tobias Pape.
-
-	* libtls now handles 4 cipher suite groups:
-	    "secure" (TLSv1.2+AEAD+PFS)
-	    "compat" (HIGH:!aNULL)
-	    "legacy" (HIGH:MEDIUM:!aNULL)
-	    "insecure" (ALL:!aNULL:!eNULL)
-
-	    This allows for flexibility and finer grained control, rather than
-	    having two extremes (an issue raised by Marko Kreen some time ago).
-
-	* Tightened error handling for tls_config_set_ciphers().
-
-	* libtls now always loads CA, key and certificate files at the time the
-	  configuration function is called. This simplifies code and results in
-	  a single memory based code path being used to provide data to libssl.
-
-	* Add support for OCSP intermediate certificates.
-
-	* Added functions used by stunnel and exim from BoringSSL - this
-	  brings in X509_check_host, X509_check_email, X509_check_ip, and
-	  X509_check_ip_asc.
-
-	* Added initial support for iOS, thanks to Jacob Berkman.
-
-	* Improved behavior of arc4random on Windows when using memory leak
-	  analysis software.
-
-	* Correctly handle an EOF that occurs prior to the TLS handshake
-	  completing. Reported by Vasily Kolobkov, based on a diff from Marko
-	  Kreen.
-
-	* Limit the support of the "backward compatible" ssl2 handshake to
-	  only be used if TLS 1.0 is enabled.
-
-	* Fix incorrect results in certain cases on 64-bit systems when
-	  BN_mod_word() can return incorrect results. BN_mod_word() now can
-	  return an error condition. Thanks to Brian Smith.
-
-	* Added constant-time updates to address CVE-2016-0702
-
-	* Fixed undefined behavior in BN_GF2m_mod_arr()
-
-	* Removed unused Cryptographic Message Support (CMS)
-
-	* More conversions of long long idioms to time_t
-
-	* Improved compatibility by avoiding printing NULL strings with
-	  printf.
-
-	* Reverted change that cleans up the EVP cipher context in
-	  EVP_EncryptFinal() and EVP_DecryptFinal(). Some software relies on the
-	  previous behaviour.
-
-	* Avoid unbounded memory growth in libssl, which can be triggered by a
-	  TLS client repeatedly renegotiating and sending OCSP Status Request
-	  TLS extensions.
-
-	* Avoid falling back to a weak digest for (EC)DH when using SNI with
-	  libssl.
-
 2.4.2 - Bug fixes and improvements

 	* Fixed loading default certificate locations with openssl s_client.

-	* Ensured OCSP only uses and compares GENERALIZEDTIME values as per
+	* Ensured OSCP only uses and compares GENERALIZEDTIME values as per
 	  RFC6960. Also added fixes for OCSP to work with intermediate
 	  certificates provided in responses.

--- a/Makefile.am
+++ b/Makefile.am
@@ -5,7 +5,7 @@ pkgconfigdir = $(libdir)/pkgconfig
 pkgconfig_DATA = libcrypto.pc libssl.pc libtls.pc openssl.pc

 EXTRA_DIST = README.md README.windows VERSION config scripts
-EXTRA_DIST += CMakeLists.txt cmake_export_symbol.cmake cmake_uninstall.cmake.in
+EXTRA_DIST += CMakeLists.txt cmake_uninstall.cmake.in

 .PHONY: install_sw
 install_sw: install
--- a/Makefile.am.common
+++ b/Makefile.am.common
@@ -1,3 +1,2 @@
 AM_CFLAGS =
 AM_CPPFLAGS = -I$(top_srcdir)/include -I$(top_srcdir)/include/compat -DLIBRESSL_INTERNAL
-AM_CPPFLAGS += -D__BEGIN_HIDDEN_DECLS= -D__END_HIDDEN_DECLS=
--- a/2
+++ b/2
@@ -1 +1 @@
-master
+OPENBSD_6_0
--- a/apps/CMakeLists.txt
+++ b/apps/CMakeLists.txt
@@ -1,3 +1,2 @@
-add_subdirectory(ocspcheck)
 add_subdirectory(openssl)
 add_subdirectory(nc)
--- a/apps/Makefile.am
+++ b/apps/Makefile.am
@@ -1,5 +1,5 @@
 include $(top_srcdir)/Makefile.am.common

-SUBDIRS = ocspcheck openssl nc
+SUBDIRS = openssl nc

 EXTRA_DIST = CMakeLists.txt
--- a/apps/nc/Makefile.am
+++ b/apps/nc/Makefile.am
@@ -11,12 +11,17 @@ endif
 EXTRA_DIST = nc.1
 EXTRA_DIST += CMakeLists.txt

-nc_LDADD = $(abs_top_builddir)/crypto/libcrypto.la
+nc_LDADD = $(PLATFORM_LDADD) $(PROG_LDADD)
+nc_LDADD += $(abs_top_builddir)/crypto/libcrypto.la
 nc_LDADD += $(abs_top_builddir)/ssl/libssl.la
 nc_LDADD += $(abs_top_builddir)/tls/libtls.la
-nc_LDADD += $(PLATFORM_LDADD) $(PROG_LDADD)

 AM_CPPFLAGS += -I$(top_srcdir)/apps/nc/compat
+if OPENSSLDIR_DEFINED
+AM_CPPFLAGS += -DDEFAULT_CA_FILE=\"@OPENSSLDIR@/cert.pem\"
+else
+AM_CPPFLAGS += -DDEFAULT_CA_FILE=\"$(sysconfdir)/ssl/cert.pem\"
+endif

 nc_SOURCES = atomicio.c
 nc_SOURCES += netcat.c
--- a/apps/nc/compat/base64.c
+++ b/apps/nc/compat/base64.c
@@ -0,0 +1,315 @@
+/*	$OpenBSD: base64.c,v 1.8 2015/01/16 16:48:51 deraadt Exp $	*/
+
+/*
+ * Copyright (c) 1996 by Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND INTERNET SOFTWARE CONSORTIUM DISCLAIMS
+ * ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES
+ * OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL INTERNET SOFTWARE
+ * CONSORTIUM BE LIABLE FOR ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL
+ * DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR
+ * PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS
+ * ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS
+ * SOFTWARE.
+ */
+
+/*
+ * Portions Copyright (c) 1995 by International Business Machines, Inc.
+ *
+ * International Business Machines, Inc. (hereinafter called IBM) grants
+ * permission under its copyrights to use, copy, modify, and distribute this
+ * Software with or without fee, provided that the above copyright notice and
+ * all paragraphs of this notice appear in all copies, and that the name of IBM
+ * not be used in connection with the marketing of any product incorporating
+ * the Software or modifications thereof, without specific, written prior
+ * permission.
+ *
+ * To the extent it has a right to do so, IBM grants an immunity from suit
+ * under its patents, if any, for the use, sale or manufacture of products to
+ * the extent that such products are used for performing Domain Name System
+ * dynamic updates in TCP/IP networks by means of the Software.  No immunity is
+ * granted for any product per se or for any other function of any product.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", AND IBM DISCLAIMS ALL WARRANTIES,
+ * INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A
+ * PARTICULAR PURPOSE.  IN NO EVENT SHALL IBM BE LIABLE FOR ANY SPECIAL,
+ * DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER ARISING
+ * OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE, EVEN
+ * IF IBM IS APPRISED OF THE POSSIBILITY OF SUCH DAMAGES.
+ */
+
+#include <sys/types.h>
+#include <sys/socket.h>
+#include <netinet/in.h>
+#include <arpa/inet.h>
+#include <arpa/nameser.h>
+
+#include <ctype.h>
+#include <resolv.h>
+#include <stdio.h>
+
+#include <stdlib.h>
+#include <string.h>
+
+static const char Base64[] =
+	"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";
+static const char Pad64 = '=';
+
+/* (From RFC1521 and draft-ietf-dnssec-secext-03.txt)
+   The following encoding technique is taken from RFC 1521 by Borenstein
+   and Freed.  It is reproduced here in a slightly edited form for
+   convenience.
+
+   A 65-character subset of US-ASCII is used, enabling 6 bits to be
+   represented per printable character. (The extra 65th character, "=",
+   is used to signify a special processing function.)
+
+   The encoding process represents 24-bit groups of input bits as output
+   strings of 4 encoded characters. Proceeding from left to right, a
+   24-bit input group is formed by concatenating 3 8-bit input groups.
+   These 24 bits are then treated as 4 concatenated 6-bit groups, each
+   of which is translated into a single digit in the base64 alphabet.
+
+   Each 6-bit group is used as an index into an array of 64 printable
+   characters. The character referenced by the index is placed in the
+   output string.
+
+                         Table 1: The Base64 Alphabet
+
+      Value Encoding  Value Encoding  Value Encoding  Value Encoding
+          0 A            17 R            34 i            51 z
+          1 B            18 S            35 j            52 0
+          2 C            19 T            36 k            53 1
+          3 D            20 U            37 l            54 2
+          4 E            21 V            38 m            55 3
+          5 F            22 W            39 n            56 4
+          6 G            23 X            40 o            57 5
+          7 H            24 Y            41 p            58 6
+          8 I            25 Z            42 q            59 7
+          9 J            26 a            43 r            60 8
+         10 K            27 b            44 s            61 9
+         11 L            28 c            45 t            62 +
+         12 M            29 d            46 u            63 /
+         13 N            30 e            47 v
+         14 O            31 f            48 w         (pad) =
+         15 P            32 g            49 x
+         16 Q            33 h            50 y
+
+   Special processing is performed if fewer than 24 bits are available
+   at the end of the data being encoded.  A full encoding quantum is
+   always completed at the end of a quantity.  When fewer than 24 input
+   bits are available in an input group, zero bits are added (on the
+   right) to form an integral number of 6-bit groups.  Padding at the
+   end of the data is performed using the '=' character.
+
+   Since all base64 input is an integral number of octets, only the
+         -------------------------------------------------                       
+   following cases can arise:
+   
+       (1) the final quantum of encoding input is an integral
+           multiple of 24 bits; here, the final unit of encoded
+	   output will be an integral multiple of 4 characters
+	   with no "=" padding,
+       (2) the final quantum of encoding input is exactly 8 bits;
+           here, the final unit of encoded output will be two
+	   characters followed by two "=" padding characters, or
+       (3) the final quantum of encoding input is exactly 16 bits;
+           here, the final unit of encoded output will be three
+	   characters followed by one "=" padding character.
+   */
+
+int
+b64_ntop(src, srclength, target, targsize)
+	u_char const *src;
+	size_t srclength;
+	char *target;
+	size_t targsize;
+{
+	size_t datalength = 0;
+	u_char input[3];
+	u_char output[4];
+	int i;
+
+	while (2 < srclength) {
+		input[0] = *src++;
+		input[1] = *src++;
+		input[2] = *src++;
+		srclength -= 3;
+
+		output[0] = input[0] >> 2;
+		output[1] = ((input[0] & 0x03) << 4) + (input[1] >> 4);
+		output[2] = ((input[1] & 0x0f) << 2) + (input[2] >> 6);
+		output[3] = input[2] & 0x3f;
+
+		if (datalength + 4 > targsize)
+			return (-1);
+		target[datalength++] = Base64[output[0]];
+		target[datalength++] = Base64[output[1]];
+		target[datalength++] = Base64[output[2]];
+		target[datalength++] = Base64[output[3]];
+	}
+    
+	/* Now we worry about padding. */
+	if (0 != srclength) {
+		/* Get what's left. */
+		input[0] = input[1] = input[2] = '\0';
+		for (i = 0; i < srclength; i++)
+			input[i] = *src++;
+	
+		output[0] = input[0] >> 2;
+		output[1] = ((input[0] & 0x03) << 4) + (input[1] >> 4);
+		output[2] = ((input[1] & 0x0f) << 2) + (input[2] >> 6);
+
+		if (datalength + 4 > targsize)
+			return (-1);
+		target[datalength++] = Base64[output[0]];
+		target[datalength++] = Base64[output[1]];
+		if (srclength == 1)
+			target[datalength++] = Pad64;
+		else
+			target[datalength++] = Base64[output[2]];
+		target[datalength++] = Pad64;
+	}
+	if (datalength >= targsize)
+		return (-1);
+	target[datalength] = '\0';	/* Returned value doesn't count \0. */
+	return (datalength);
+}
+
+/* skips all whitespace anywhere.
+   converts characters, four at a time, starting at (or after)
+   src from base - 64 numbers into three 8 bit bytes in the target area.
+   it returns the number of data bytes stored at the target, or -1 on error.
+ */
+
+int
+b64_pton(src, target, targsize)
+	char const *src;
+	u_char *target;
+	size_t targsize;
+{
+	int tarindex, state, ch;
+	u_char nextbyte;
+	char *pos;
+
+	state = 0;
+	tarindex = 0;
+
+	while ((ch = (unsigned char)*src++) != '\0') {
+		if (isspace(ch))	/* Skip whitespace anywhere. */
+			continue;
+
+		if (ch == Pad64)
+			break;
+
+		pos = strchr(Base64, ch);
+		if (pos == 0) 		/* A non-base64 character. */
+			return (-1);
+
+		switch (state) {
+		case 0:
+			if (target) {
+				if (tarindex >= targsize)
+					return (-1);
+				target[tarindex] = (pos - Base64) << 2;
+			}
+			state = 1;
+			break;
+		case 1:
+			if (target) {
+				if (tarindex >= targsize)
+					return (-1);
+				target[tarindex]   |=  (pos - Base64) >> 4;
+				nextbyte = ((pos - Base64) & 0x0f) << 4;
+				if (tarindex + 1 < targsize)
+					target[tarindex+1] = nextbyte;
+				else if (nextbyte)
+					return (-1);
+			}
+			tarindex++;
+			state = 2;
+			break;
+		case 2:
+			if (target) {
+				if (tarindex >= targsize)
+					return (-1);
+				target[tarindex]   |=  (pos - Base64) >> 2;
+				nextbyte = ((pos - Base64) & 0x03) << 6;
+				if (tarindex + 1 < targsize)
+					target[tarindex+1] = nextbyte;
+				else if (nextbyte)
+					return (-1);
+			}
+			tarindex++;
+			state = 3;
+			break;
+		case 3:
+			if (target) {
+				if (tarindex >= targsize)
+					return (-1);
+				target[tarindex] |= (pos - Base64);
+			}
+			tarindex++;
+			state = 0;
+			break;
+		}
+	}
+
+	/*
+	 * We are done decoding Base-64 chars.  Let's see if we ended
+	 * on a byte boundary, and/or with erroneous trailing characters.
+	 */
+
+	if (ch == Pad64) {			/* We got a pad char. */
+		ch = (unsigned char)*src++;	/* Skip it, get next. */
+		switch (state) {
+		case 0:		/* Invalid = in first position */
+		case 1:		/* Invalid = in second position */
+			return (-1);
+
+		case 2:		/* Valid, means one byte of info */
+			/* Skip any number of spaces. */
+			for (; ch != '\0'; ch = (unsigned char)*src++)
+				if (!isspace(ch))
+					break;
+			/* Make sure there is another trailing = sign. */
+			if (ch != Pad64)
+				return (-1);
+			ch = (unsigned char)*src++;		/* Skip the = */
+			/* Fall through to "single trailing =" case. */
+			/* FALLTHROUGH */
+
+		case 3:		/* Valid, means two bytes of info */
+			/*
+			 * We know this char is an =.  Is there anything but
+			 * whitespace after it?
+			 */
+			for (; ch != '\0'; ch = (unsigned char)*src++)
+				if (!isspace(ch))
+					return (-1);
+
+			/*
+			 * Now make sure for cases 2 and 3 that the "extra"
+			 * bits that slopped past the last full byte were
+			 * zeros.  If we don't check them, they become a
+			 * subliminal channel.
+			 */
+			if (target && tarindex < targsize &&
+			    target[tarindex] != 0)
+				return (-1);
+		}
+	} else {
+		/*
+		 * We ended by seeing the end of the string.  Make sure we
+		 * have no partial bytes lying around.
+		 */
+		if (state != 0)
+			return (-1);
+	}
+
+	return (tarindex);
+}
--- a/apps/nc/compat/strtonum.c
+++ b/apps/nc/compat/strtonum.c
@@ -0,0 +1,65 @@
+/*	$OpenBSD: strtonum.c,v 1.7 2013/04/17 18:40:58 tedu Exp $	*/
+
+/*
+ * Copyright (c) 2004 Ted Unangst and Todd Miller
+ * All rights reserved.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+ * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+ * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+
+#include <errno.h>
+#include <limits.h>
+#include <stdlib.h>
+
+#define	INVALID		1
+#define	TOOSMALL	2
+#define	TOOLARGE	3
+
+long long
+strtonum(const char *numstr, long long minval, long long maxval,
+    const char **errstrp)
+{
+	long long ll = 0;
+	int error = 0;
+	char *ep;
+	struct errval {
+		const char *errstr;
+		int err;
+	} ev[4] = {
+		{ NULL,		0 },
+		{ "invalid",	EINVAL },
+		{ "too small",	ERANGE },
+		{ "too large",	ERANGE },
+	};
+
+	ev[0].err = errno;
+	errno = 0;
+	if (minval > maxval) {
+		error = INVALID;
+	} else {
+		ll = strtoll(numstr, &ep, 10);
+		if (numstr == ep || *ep != '\0')
+			error = INVALID;
+		else if ((ll == LLONG_MIN && errno == ERANGE) || ll < minval)
+			error = TOOSMALL;
+		else if ((ll == LLONG_MAX && errno == ERANGE) || ll > maxval)
+			error = TOOLARGE;
+	}
+	if (errstrp != NULL)
+		*errstrp = ev[error].errstr;
+	errno = ev[error].err;
+	if (error)
+		ll = 0;
+
+	return (ll);
+}
--- a/apps/ocspcheck/CMakeLists.txt
+++ b/apps/ocspcheck/CMakeLists.txt
@@ -1,42 +0,0 @@
-if(NOT MSVC)
-
-include_directories(
-	.
-	./compat
-	../../include
-	../../include/compat
-)
-
-set(
-	OCSPCHECK_SRC
-	http.c
-	ocspcheck.c
-)
-
-check_function_exists(inet_ntop HAVE_INET_NTOP)
-if(HAVE_INET_NTOP)
-        add_definitions(-DHAVE_INET_NTOP)
-else()
-        set(OCSPCHECK_SRC ${OCSPCHECK_SRC} compat/inet_ntop.c)
-endif()
-
-check_function_exists(inet_ntop HAVE_MEMMEM)
-if(HAVE_MEMMEM)
-        add_definitions(-DHAVE_MEMMEM)
-else()
-        set(OCSPCHECK_SRC ${OCSPCHECK_SRC} compat/memmem.c)
-endif()
-
-if(NOT "${OPENSSLDIR}" STREQUAL "")
-	add_definitions(-DDEFAULT_CA_FILE=\"${OPENSSLDIR}/cert.pem\")
-else()
-	add_definitions(-DDEFAULT_CA_FILE=\"${CMAKE_INSTALL_PREFIX}/etc/ssl/cert.pem\")
-endif()
-
-add_executable(ocspcheck ${OCSPCHECK_SRC})
-target_link_libraries(ocspcheck tls ${OPENSSL_LIBS})
-
-install(TARGETS ocspcheck DESTINATION bin)
-install(FILES ocspcheck.8 DESTINATION share/man/man8)
-
-endif()
--- a/apps/ocspcheck/Makefile.am
+++ b/apps/ocspcheck/Makefile.am
@@ -1,23 +0,0 @@
-include $(top_srcdir)/Makefile.am.common
-
-bin_PROGRAMS = ocspcheck
-
-EXTRA_DIST = ocspcheck.8
-EXTRA_DIST += CMakeLists.txt
-
-ocspcheck_LDADD = $(abs_top_builddir)/crypto/libcrypto.la
-ocspcheck_LDADD += $(abs_top_builddir)/ssl/libssl.la
-ocspcheck_LDADD += $(abs_top_builddir)/tls/libtls.la
-ocspcheck_LDADD += $(PLATFORM_LDADD) $(PROG_LDADD)
-
-ocspcheck_SOURCES = http.c
-ocspcheck_SOURCES += ocspcheck.c
-noinst_HEADERS = http.h
-
-if !HAVE_INET_NTOP
-ocspcheck_SOURCES += compat/inet_ntop.c
-endif
-
-if !HAVE_MEMMEM
-ocspcheck_SOURCES += compat/memmem.c
-endif
--- a/apps/ocspcheck/compat/.gitignore
+++ b/apps/ocspcheck/compat/.gitignore
--- a/apps/openssl/CMakeLists.txt
+++ b/apps/openssl/CMakeLists.txt
@@ -10,6 +10,7 @@ set(
 	asn1pars.c
 	ca.c
 	ciphers.c
+	cms.c
 	crl.c
 	crl2p7.c
 	dgst.c
--- a/apps/openssl/Makefile.am
+++ b/apps/openssl/Makefile.am
@@ -4,14 +4,15 @@ bin_PROGRAMS = openssl

 dist_man_MANS = openssl.1

-openssl_LDADD = $(abs_top_builddir)/ssl/libssl.la
+openssl_LDADD = $(PLATFORM_LDADD) $(PROG_LDADD)
+openssl_LDADD += $(abs_top_builddir)/ssl/libssl.la
 openssl_LDADD += $(abs_top_builddir)/crypto/libcrypto.la
-openssl_LDADD += $(PLATFORM_LDADD) $(PROG_LDADD)

 openssl_SOURCES = apps.c
 openssl_SOURCES += asn1pars.c
 openssl_SOURCES += ca.c
 openssl_SOURCES += ciphers.c
+openssl_SOURCES += cms.c
 openssl_SOURCES += crl.c
 openssl_SOURCES += crl2p7.c
 openssl_SOURCES += dgst.c
@@ -92,9 +93,9 @@ EXTRA_DIST += CMakeLists.txt

 install-exec-hook:
 	@if [ "@OPENSSLDIR@x" != "x" ]; then \
-		OPENSSLDIR="$(DESTDIR)@OPENSSLDIR@"; \
+		OPENSSLDIR="$(DESTDIR)/@OPENSSLDIR@"; \
 	else \
-		OPENSSLDIR="$(DESTDIR)$(sysconfdir)/ssl"; \
+		OPENSSLDIR="$(DESTDIR)/$(sysconfdir)/ssl"; \
 	fi; \
 	mkdir -p "$$OPENSSLDIR/certs"; \
 	for i in cert.pem openssl.cnf x509v3.cnf; do \
@@ -107,9 +108,9 @@ install-exec-hook:

 uninstall-local:
 	@if [ "@OPENSSLDIR@x" != "x" ]; then \
-		OPENSSLDIR="$(DESTDIR)@OPENSSLDIR@"; \
+		OPENSSLDIR="$(DESTDIR)/@OPENSSLDIR@"; \
 	else \
-		OPENSSLDIR="$(DESTDIR)$(sysconfdir)/ssl"; \
+		OPENSSLDIR="$(DESTDIR)/$(sysconfdir)/ssl"; \
 	fi; \
 	for i in cert.pem openssl.cnf x509v3.cnf; do \
 		if cmp -s "$$OPENSSLDIR/$$i" "$(srcdir)/$$i"; then \
--- a/cmake_export_symbol.cmake
+++ b/cmake_export_symbol.cmake
@@ -1,44 +0,0 @@
-macro(export_symbol TARGET FILENAME)
-
-	set(FLAG "")
-
-	if(WIN32)
-		string(REPLACE ".sym" ".def" DEF_FILENAME ${FILENAME})
-		file(WRITE ${DEF_FILENAME} "EXPORTS\n")
-		file(READ ${FILENAME} SYMBOLS)
-		file(APPEND ${DEF_FILENAME} "${SYMBOLS}")
-		target_sources(${TARGET} PRIVATE ${DEF_FILENAME})
-
-	elseif(APPLE)
-		set(FLAG "-exported_symbols_list ${FILENAME}")
-		set_target_properties(${TARGET} PROPERTIES LINK_FLAGS ${FLAG})
-
-	elseif(CMAKE_SYSTEM_NAME MATCHES "HP-UX")
-		file(READ ${FILENAME} SYMBOLS)
-		string(REGEX REPLACE "\n$" "" SYMBOLS ${SYMBOLS})
-		string(REPLACE "\n" "\n+e " SYMBOLS ${SYMBOLS})
-		string(REPLACE ".sym" ".opt" OPT_FILENAME ${FILENAME})
-		file(WRITE ${OPT_FILENAME} "+e ${SYMBOLS}")
-		set(FLAG "-Wl,-c,${OPT_FILENAME}")
-		set_target_properties(${TARGET} PROPERTIES LINK_FLAGS ${FLAG})
-
-	elseif(CMAKE_SYSTEM_NAME MATCHES "SunOS")
-		file(READ ${FILENAME} SYMBOLS)
-		string(REPLACE "\n" ";\n" SYMBOLS ${SYMBOLS})
-		string(REPLACE ".sym" ".ver" VER_FILENAME ${FILENAME})
-		file(WRITE ${VER_FILENAME}
-			"{\nglobal:\n${SYMBOLS}\nlocal:\n*;\n};\n")
-		set(FLAG "-Wl,-M${VER_FILENAME}")
-		set_target_properties(${TARGET} PROPERTIES LINK_FLAGS ${FLAG})
-
-	elseif(CMAKE_COMPILER_IS_GNUCC OR CMAKE_C_COMPILER_ID MATCHES "Clang")
-		file(READ ${FILENAME} SYMBOLS)
-		string(REPLACE "\n" ";\n" SYMBOLS ${SYMBOLS})
-		string(REPLACE ".sym" ".ver" VER_FILENAME ${FILENAME})
-		file(WRITE ${VER_FILENAME}
-			"{\nglobal:\n${SYMBOLS}\nlocal:\n*;\n};\n")
-		set(FLAG "-Wl,--version-script,\"${VER_FILENAME}\"")
-		set_target_properties(${TARGET} PROPERTIES LINK_FLAGS ${FLAG})
-	endif()
-
-endmacro()
--- a/configure.ac
+++ b/configure.ac
@@ -54,8 +54,6 @@ CHECK_CRYPTO_COMPAT
 CHECK_VA_COPY
 CHECK_B64_NTOP

-GENERATE_CRYPTO_PORTABLE_SYM
-
 AC_ARG_WITH([openssldir],
 	AS_HELP_STRING([--with-openssldir],
 		       [Set the default openssl directory]),
@@ -128,7 +126,6 @@ AC_CONFIG_FILES([
 	tls/Makefile
 	tests/Makefile
 	apps/Makefile
-	apps/ocspcheck/Makefile
 	apps/openssl/Makefile
 	apps/nc/Makefile
 	man/Makefile
--- a/crypto/CMakeLists.txt
+++ b/crypto/CMakeLists.txt
@@ -3,7 +3,6 @@ include_directories(
 	../include
 	../include/compat
 	asn1
-	bn
 	dsa
 	evp
 	modes
@@ -12,24 +11,24 @@ include_directories(
 if(HOST_ASM_ELF_X86_64)
 	set(
 		ASM_X86_64_ELF_SRC
-		aes/aes-elf-x86_64.S
-		aes/bsaes-elf-x86_64.S
-		aes/vpaes-elf-x86_64.S
-		aes/aesni-elf-x86_64.S
-		aes/aesni-sha1-elf-x86_64.S
-		bn/modexp512-elf-x86_64.S
-		bn/mont-elf-x86_64.S
-		bn/mont5-elf-x86_64.S
-		bn/gf2m-elf-x86_64.S
-		camellia/cmll-elf-x86_64.S
-		md5/md5-elf-x86_64.S
-		modes/ghash-elf-x86_64.S
-		rc4/rc4-elf-x86_64.S
-		rc4/rc4-md5-elf-x86_64.S
-		sha/sha1-elf-x86_64.S
+		aes/aes-elf-x86_64.s
+		aes/bsaes-elf-x86_64.s
+		aes/vpaes-elf-x86_64.s
+		aes/aesni-elf-x86_64.s
+		aes/aesni-sha1-elf-x86_64.s
+		bn/modexp512-elf-x86_64.s
+		bn/mont-elf-x86_64.s
+		bn/mont5-elf-x86_64.s
+		bn/gf2m-elf-x86_64.s
+		camellia/cmll-elf-x86_64.s
+		md5/md5-elf-x86_64.s
+		modes/ghash-elf-x86_64.s
+		rc4/rc4-elf-x86_64.s
+		rc4/rc4-md5-elf-x86_64.s
+		sha/sha1-elf-x86_64.s
 		sha/sha256-elf-x86_64.S
 		sha/sha512-elf-x86_64.S
-		whrlpool/wp-elf-x86_64.S
+		whrlpool/wp-elf-x86_64.s
 		cpuid-elf-x86_64.S
 	)
 	add_definitions(-DAES_ASM)
@@ -54,24 +53,24 @@ endif()
 if(HOST_ASM_MACOSX_X86_64)
 	set(
 		ASM_X86_64_MACOSX_SRC
-		aes/aes-macosx-x86_64.S
-		aes/bsaes-macosx-x86_64.S
-		aes/vpaes-macosx-x86_64.S
-		aes/aesni-macosx-x86_64.S
-		aes/aesni-sha1-macosx-x86_64.S
-		bn/modexp512-macosx-x86_64.S
-		bn/mont-macosx-x86_64.S
-		bn/mont5-macosx-x86_64.S
-		bn/gf2m-macosx-x86_64.S
-		camellia/cmll-macosx-x86_64.S
-		md5/md5-macosx-x86_64.S
-		modes/ghash-macosx-x86_64.S
-		rc4/rc4-macosx-x86_64.S
-		rc4/rc4-md5-macosx-x86_64.S
-		sha/sha1-macosx-x86_64.S
+		aes/aes-macosx-x86_64.s
+		aes/bsaes-macosx-x86_64.s
+		aes/vpaes-macosx-x86_64.s
+		aes/aesni-macosx-x86_64.s
+		aes/aesni-sha1-macosx-x86_64.s
+		bn/modexp512-macosx-x86_64.s
+		bn/mont-macosx-x86_64.s
+		bn/mont5-macosx-x86_64.s
+		bn/gf2m-macosx-x86_64.s
+		camellia/cmll-macosx-x86_64.s
+		md5/md5-macosx-x86_64.s
+		modes/ghash-macosx-x86_64.s
+		rc4/rc4-macosx-x86_64.s
+		rc4/rc4-md5-macosx-x86_64.s
+		sha/sha1-macosx-x86_64.s
 		sha/sha256-macosx-x86_64.S
 		sha/sha512-macosx-x86_64.S
-		whrlpool/wp-macosx-x86_64.S
+		whrlpool/wp-macosx-x86_64.s
 		cpuid-macosx-x86_64.S
 	)
 	add_definitions(-DAES_ASM)
@@ -282,8 +281,6 @@ set(
 	conf/conf_mall.c
 	conf/conf_mod.c
 	conf/conf_sap.c
-	curve25519/curve25519-generic.c
-	curve25519/curve25519.c
 	des/cbc_cksm.c
 	des/cbc_enc.c
 	des/cfb64ede.c
@@ -352,10 +349,6 @@ set(
 	ec/ecp_mont.c
 	ec/ecp_nist.c
 	ec/ecp_oct.c
-	ec/ecp_nistp224.c
-	ec/ecp_nistp256.c
-	ec/ecp_nistp521.c
-	ec/ecp_nistputil.c
 	ec/ecp_smpl.c
 	ecdh/ech_err.c
 	ecdh/ech_key.c
@@ -470,6 +463,7 @@ set(
 	idea/i_ecb.c
 	idea/i_ofb64.c
 	idea/i_skey.c
+	krb5/krb5_asn.c
 	lhash/lh_stats.c
 	lhash/lhash.c
 	md4/md4_dgst.c
@@ -653,75 +647,46 @@ endif()

 if(CMAKE_HOST_WIN32)
 	set(CRYPTO_SRC ${CRYPTO_SRC} bio/b_win.c)
-	set(CRYPTO_UNEXPORT ${CRYPTO_UNEXPORT} BIO_s_log)
 	set(CRYPTO_SRC ${CRYPTO_SRC} ui/ui_openssl_win.c)
 endif()

 if(CMAKE_HOST_WIN32)
 	set(CRYPTO_SRC ${CRYPTO_SRC} compat/posix_win.c)
-	set(EXTRA_EXPORT ${EXTRA_EXPORT} gettimeofday)
-	set(EXTRA_EXPORT ${EXTRA_EXPORT} posix_perror)
-	set(EXTRA_EXPORT ${EXTRA_EXPORT} posix_fopen)
-	set(EXTRA_EXPORT ${EXTRA_EXPORT} posix_fgets)
-	set(EXTRA_EXPORT ${EXTRA_EXPORT} posix_open)
-	set(EXTRA_EXPORT ${EXTRA_EXPORT} posix_rename)
-	set(EXTRA_EXPORT ${EXTRA_EXPORT} posix_connect)
-	set(EXTRA_EXPORT ${EXTRA_EXPORT} posix_close)
-	set(EXTRA_EXPORT ${EXTRA_EXPORT} posix_read)
-	set(EXTRA_EXPORT ${EXTRA_EXPORT} posix_write)
-	set(EXTRA_EXPORT ${EXTRA_EXPORT} posix_getsockopt)
-	set(EXTRA_EXPORT ${EXTRA_EXPORT} posix_setsockopt)
-	set(EXTRA_EXPORT ${EXTRA_EXPORT} sleep)
 endif()

 if(NOT HAVE_ASPRINTF)
 	set(CRYPTO_SRC ${CRYPTO_SRC} compat/bsd-asprintf.c)
-	set(EXTRA_EXPORT ${EXTRA_EXPORT} asprintf)
-	set(EXTRA_EXPORT ${EXTRA_EXPORT} vasprintf)
 endif()

 if(NOT HAVE_INET_PTON)
 	set(CRYPTO_SRC ${CRYPTO_SRC} compat/inet_pton.c)
-	set(EXTRA_EXPORT ${EXTRA_EXPORT} inet_pton)
 endif()

 if(NOT HAVE_REALLOCARRAY)
 	set(CRYPTO_SRC ${CRYPTO_SRC} compat/reallocarray.c)
-	set(EXTRA_EXPORT ${EXTRA_EXPORT} reallocarray)
 endif()

 if(NOT HAVE_STRCASECMP)
 	set(CRYPTO_SRC ${CRYPTO_SRC} compat/strcasecmp.c)
-	set(EXTRA_EXPORT ${EXTRA_EXPORT} strcasecmp)
 endif()

 if(NOT HAVE_STRLCAT)
 	set(CRYPTO_SRC ${CRYPTO_SRC} compat/strlcat.c)
-	set(EXTRA_EXPORT ${EXTRA_EXPORT} strlcat)
 endif()

 if(NOT HAVE_STRLCPY)
 	set(CRYPTO_SRC ${CRYPTO_SRC} compat/strlcpy.c)
-	set(EXTRA_EXPORT ${EXTRA_EXPORT} strlcpy)
 endif()

 if(NOT HAVE_STRNDUP)
 	set(CRYPTO_SRC ${CRYPTO_SRC} compat/strndup.c)
-	set(EXTRA_EXPORT ${EXTRA_EXPORT} strndup)
 	if(NOT HAVE_STRNLEN)
 		set(CRYPTO_SRC ${CRYPTO_SRC} compat/strnlen.c)
-		set(EXTRA_EXPORT ${EXTRA_EXPORT} strnlen)
 	endif()
 endif()

-if(NOT HAVE_STRSEP)
-	set(CRYPTO_SRC ${CRYPTO_SRC} compat/strsep.c)
-	set(EXTRA_EXPORT ${EXTRA_EXPORT} strsep)
-endif()
-
 if(NOT HAVE_TIMEGM)
 	set(CRYPTO_SRC ${CRYPTO_SRC} compat/timegm.c)
-	set(EXTRA_EXPORT ${EXTRA_EXPORT} timegm)
 endif()

 if(NOT HAVE_EXPLICIT_BZERO)
@@ -731,13 +696,10 @@ if(NOT HAVE_EXPLICIT_BZERO)
 		set(CRYPTO_SRC ${CRYPTO_SRC} compat/explicit_bzero.c)
 		set_source_files_properties(compat/explicit_bzero.c PROPERTIES COMPILE_FLAGS -O0)
 	endif()
-	set(EXTRA_EXPORT ${EXTRA_EXPORT} explicit_bzero)
 endif()

 if(NOT HAVE_ARC4RANDOM_BUF)
 	set(CRYPTO_SRC ${CRYPTO_SRC} compat/arc4random.c)
-	set(EXTRA_EXPORT ${EXTRA_EXPORT} arc4random)
-	set(EXTRA_EXPORT ${EXTRA_EXPORT} arc4random_buf)

 	if(NOT HAVE_GETENTROPY)
 		if(CMAKE_HOST_WIN32)
@@ -753,27 +715,23 @@ if(NOT HAVE_ARC4RANDOM_BUF)
 		elseif(CMAKE_SYSTEM_NAME MATCHES "NetBSD")
 			set(CRYPTO_SRC ${CRYPTO_SRC} compat/getentropy_netbsd.c)
 		elseif(CMAKE_SYSTEM_NAME MATCHES "Darwin")
-			set(CRYPTO_SRC ${CRYPTO_SRC} compat/getentropy_osx.c)
+			set(CRYPTO_SRC ${CRYPTO_SRC} compat/getentropy_darwin.c)
 		elseif(CMAKE_SYSTEM_NAME MATCHES "SunOS")
 			set(CRYPTO_SRC ${CRYPTO_SRC} compat/getentropy_solaris.c)
 		endif()
-		set(EXTRA_EXPORT ${EXTRA_EXPORT} getentropy)
 	endif()
 endif()

 if(NOT HAVE_ARC4RANDOM_UNIFORM)
 	set(CRYPTO_SRC ${CRYPTO_SRC} compat/arc4random_uniform.c)
-	set(EXTRA_EXPORT ${EXTRA_EXPORT} arc4random_uniform)
 endif()

 if(NOT HAVE_TIMINGSAFE_BCMP)
 	set(CRYPTO_SRC ${CRYPTO_SRC} compat/timingsafe_bcmp.c)
-	set(EXTRA_EXPORT ${EXTRA_EXPORT} timingsafe_bcmp)
 endif()

 if(NOT HAVE_TIMINGSAFE_MEMCMP)
 	set(CRYPTO_SRC ${CRYPTO_SRC} compat/timingsafe_memcmp.c)
-	set(EXTRA_EXPORT ${EXTRA_EXPORT} timingsafe_memcmp)
 endif()

 if(NOT ENABLE_ASM)
@@ -790,30 +748,14 @@ else()
 	add_definitions(-DOPENSSLDIR=\"${CMAKE_INSTALL_PREFIX}/etc/ssl\")
 endif()

-file(READ ${CMAKE_CURRENT_SOURCE_DIR}/crypto.sym SYMS)
-foreach(SYM IN LISTS CRYPTO_UNEXPORT)
-	string(REPLACE "${SYM}\n" "" SYMS ${SYMS})
-endforeach()
-file(WRITE ${CMAKE_CURRENT_SOURCE_DIR}/crypto_p.sym ${SYMS})
-if(EXTRA_EXPORT)
-	list(SORT EXTRA_EXPORT)
-	foreach(SYM IN LISTS EXTRA_EXPORT)
-		file(APPEND ${CMAKE_CURRENT_SOURCE_DIR}/crypto_p.sym "${SYM}\n")
-	endforeach()
-endif()
-
-add_library(crypto-objects OBJECT ${CRYPTO_SRC})
 if (BUILD_SHARED)
+	add_library(crypto-objects OBJECT ${CRYPTO_SRC})
 	add_library(crypto STATIC $<TARGET_OBJECTS:crypto-objects>)
 	add_library(crypto-shared SHARED $<TARGET_OBJECTS:crypto-objects>)
-	export_symbol(crypto-shared ${CMAKE_CURRENT_SOURCE_DIR}/crypto_p.sym)
-	if (WIN32)
-		target_link_libraries(crypto-shared Ws2_32.lib)
-		set(CRYPTO_POSTFIX -${CRYPTO_MAJOR_VERSION})
+	if (MSVC)
+		target_link_libraries(crypto-shared crypto Ws2_32.lib)
 	endif()
-	set_target_properties(crypto-shared PROPERTIES
-		OUTPUT_NAME crypto${CRYPTO_POSTFIX}
-		ARCHIVE_OUTPUT_NAME crypto${CRYPTO_POSTFIX})
+	set_target_properties(crypto-shared PROPERTIES OUTPUT_NAME crypto)
 	set_target_properties(crypto-shared PROPERTIES VERSION
 		${CRYPTO_VERSION} SOVERSION ${CRYPTO_MAJOR_VERSION})
 	install(TARGETS crypto crypto-shared DESTINATION lib)
--- a/crypto/Makefile.am
+++ b/crypto/Makefile.am
@@ -1,7 +1,6 @@
 include $(top_srcdir)/Makefile.am.common

 AM_CPPFLAGS += -I$(top_srcdir)/crypto/asn1
-AM_CPPFLAGS += -I$(top_srcdir)/crypto/bn
 AM_CPPFLAGS += -I$(top_srcdir)/crypto/evp
 AM_CPPFLAGS += -I$(top_srcdir)/crypto/modes
 AM_CPPFLAGS += -I$(top_srcdir)/crypto
@@ -10,12 +9,11 @@ lib_LTLIBRARIES = libcrypto.la

 EXTRA_DIST = VERSION
 EXTRA_DIST += CMakeLists.txt
-EXTRA_DIST += crypto.sym

 # needed for a CMake target
 EXTRA_DIST += compat/strcasecmp.c

-libcrypto_la_LDFLAGS = -version-info @LIBCRYPTO_VERSION@ -no-undefined -export-symbols $(top_srcdir)/crypto/crypto_portable.sym
+libcrypto_la_LDFLAGS = -version-info @LIBCRYPTO_VERSION@ -no-undefined
 libcrypto_la_LIBADD = libcompat.la
 if !HAVE_EXPLICIT_BZERO
 libcrypto_la_LIBADD += libcompatnoopt.la
@@ -73,10 +71,6 @@ libcompat_la_SOURCES += compat/strnlen.c
 endif
 endif

-if !HAVE_STRSEP
-libcompat_la_SOURCES += compat/strsep.c
-endif
-
 if !HAVE_ASPRINTF
 libcompat_la_SOURCES += compat/bsd-asprintf.c
 endif
@@ -139,7 +133,6 @@ noinst_HEADERS += constant_time_locl.h
 noinst_HEADERS += cryptlib.h
 noinst_HEADERS += md32_common.h
 noinst_HEADERS += o_time.h
-noinst_HEADERS += x86_arch.h

 # aes
 libcrypto_la_SOURCES += aes/aes_cfb.c
@@ -349,12 +342,6 @@ libcrypto_la_SOURCES += conf/conf_mod.c
 libcrypto_la_SOURCES += conf/conf_sap.c
 noinst_HEADERS += conf/conf_def.h

-# curve25519
-libcrypto_la_SOURCES += curve25519/curve25519-generic.c
-libcrypto_la_SOURCES += curve25519/curve25519.c
-noinst_HEADERS += curve25519/curve25519_internal.h
-
-
 # des
 libcrypto_la_SOURCES += des/cbc_cksm.c
 libcrypto_la_SOURCES += des/cbc_enc.c
@@ -435,10 +422,6 @@ libcrypto_la_SOURCES += ec/ec_print.c
 libcrypto_la_SOURCES += ec/eck_prn.c
 libcrypto_la_SOURCES += ec/ecp_mont.c
 libcrypto_la_SOURCES += ec/ecp_nist.c
-libcrypto_la_SOURCES += ec/ecp_nistp224.c
-libcrypto_la_SOURCES += ec/ecp_nistp256.c
-libcrypto_la_SOURCES += ec/ecp_nistp521.c
-libcrypto_la_SOURCES += ec/ecp_nistputil.c
 libcrypto_la_SOURCES += ec/ecp_oct.c
 libcrypto_la_SOURCES += ec/ecp_smpl.c
 noinst_HEADERS += ec/ec_lcl.h
@@ -580,6 +563,9 @@ libcrypto_la_SOURCES += idea/i_ofb64.c
 libcrypto_la_SOURCES += idea/i_skey.c
 noinst_HEADERS += idea/idea_lcl.h

+# krb5
+libcrypto_la_SOURCES += krb5/krb5_asn.c
+
 # lhash
 libcrypto_la_SOURCES += lhash/lh_stats.c
 libcrypto_la_SOURCES += lhash/lhash.c
@@ -783,7 +769,6 @@ libcrypto_la_SOURCES += x509/x509spki.c
 libcrypto_la_SOURCES += x509/x509type.c
 libcrypto_la_SOURCES += x509/x_all.c
 noinst_HEADERS += x509/x509_lcl.h
-noinst_HEADERS += x509/vpm_int.h

 # x509v3
 libcrypto_la_SOURCES += x509v3/pcy_cache.c
--- a/crypto/Makefile.am.elf-x86_64
+++ b/crypto/Makefile.am.elf-x86_64
@@ -1,22 +1,22 @@

-ASM_X86_64_ELF = aes/aes-elf-x86_64.S
-ASM_X86_64_ELF += aes/bsaes-elf-x86_64.S
-ASM_X86_64_ELF += aes/vpaes-elf-x86_64.S
-ASM_X86_64_ELF += aes/aesni-elf-x86_64.S
-ASM_X86_64_ELF += aes/aesni-sha1-elf-x86_64.S
-ASM_X86_64_ELF += bn/modexp512-elf-x86_64.S
-ASM_X86_64_ELF += bn/mont-elf-x86_64.S
-ASM_X86_64_ELF += bn/mont5-elf-x86_64.S
-ASM_X86_64_ELF += bn/gf2m-elf-x86_64.S
-ASM_X86_64_ELF += camellia/cmll-elf-x86_64.S
-ASM_X86_64_ELF += md5/md5-elf-x86_64.S
-ASM_X86_64_ELF += modes/ghash-elf-x86_64.S
-ASM_X86_64_ELF += rc4/rc4-elf-x86_64.S
-ASM_X86_64_ELF += rc4/rc4-md5-elf-x86_64.S
-ASM_X86_64_ELF += sha/sha1-elf-x86_64.S
+ASM_X86_64_ELF = aes/aes-elf-x86_64.s
+ASM_X86_64_ELF += aes/bsaes-elf-x86_64.s
+ASM_X86_64_ELF += aes/vpaes-elf-x86_64.s
+ASM_X86_64_ELF += aes/aesni-elf-x86_64.s
+ASM_X86_64_ELF += aes/aesni-sha1-elf-x86_64.s
+ASM_X86_64_ELF += bn/modexp512-elf-x86_64.s
+ASM_X86_64_ELF += bn/mont-elf-x86_64.s
+ASM_X86_64_ELF += bn/mont5-elf-x86_64.s
+ASM_X86_64_ELF += bn/gf2m-elf-x86_64.s
+ASM_X86_64_ELF += camellia/cmll-elf-x86_64.s
+ASM_X86_64_ELF += md5/md5-elf-x86_64.s
+ASM_X86_64_ELF += modes/ghash-elf-x86_64.s
+ASM_X86_64_ELF += rc4/rc4-elf-x86_64.s
+ASM_X86_64_ELF += rc4/rc4-md5-elf-x86_64.s
+ASM_X86_64_ELF += sha/sha1-elf-x86_64.s
 ASM_X86_64_ELF += sha/sha256-elf-x86_64.S
 ASM_X86_64_ELF += sha/sha512-elf-x86_64.S
-ASM_X86_64_ELF += whrlpool/wp-elf-x86_64.S
+ASM_X86_64_ELF += whrlpool/wp-elf-x86_64.s
 ASM_X86_64_ELF += cpuid-elf-x86_64.S

 EXTRA_DIST += $(ASM_X86_64_ELF)
--- a/crypto/Makefile.am.macosx-x86_64
+++ b/crypto/Makefile.am.macosx-x86_64
@@ -1,22 +1,22 @@

-ASM_X86_64_MACOSX = aes/aes-macosx-x86_64.S
-ASM_X86_64_MACOSX += aes/bsaes-macosx-x86_64.S
-ASM_X86_64_MACOSX += aes/vpaes-macosx-x86_64.S
-ASM_X86_64_MACOSX += aes/aesni-macosx-x86_64.S
-ASM_X86_64_MACOSX += aes/aesni-sha1-macosx-x86_64.S
-ASM_X86_64_MACOSX += bn/modexp512-macosx-x86_64.S
-ASM_X86_64_MACOSX += bn/mont-macosx-x86_64.S
-ASM_X86_64_MACOSX += bn/mont5-macosx-x86_64.S
-ASM_X86_64_MACOSX += bn/gf2m-macosx-x86_64.S
-ASM_X86_64_MACOSX += camellia/cmll-macosx-x86_64.S
-ASM_X86_64_MACOSX += md5/md5-macosx-x86_64.S
-ASM_X86_64_MACOSX += modes/ghash-macosx-x86_64.S
-ASM_X86_64_MACOSX += rc4/rc4-macosx-x86_64.S
-ASM_X86_64_MACOSX += rc4/rc4-md5-macosx-x86_64.S
-ASM_X86_64_MACOSX += sha/sha1-macosx-x86_64.S
+ASM_X86_64_MACOSX = aes/aes-macosx-x86_64.s
+ASM_X86_64_MACOSX += aes/bsaes-macosx-x86_64.s
+ASM_X86_64_MACOSX += aes/vpaes-macosx-x86_64.s
+ASM_X86_64_MACOSX += aes/aesni-macosx-x86_64.s
+ASM_X86_64_MACOSX += aes/aesni-sha1-macosx-x86_64.s
+ASM_X86_64_MACOSX += bn/modexp512-macosx-x86_64.s
+ASM_X86_64_MACOSX += bn/mont-macosx-x86_64.s
+ASM_X86_64_MACOSX += bn/mont5-macosx-x86_64.s
+ASM_X86_64_MACOSX += bn/gf2m-macosx-x86_64.s
+ASM_X86_64_MACOSX += camellia/cmll-macosx-x86_64.s
+ASM_X86_64_MACOSX += md5/md5-macosx-x86_64.s
+ASM_X86_64_MACOSX += modes/ghash-macosx-x86_64.s
+ASM_X86_64_MACOSX += rc4/rc4-macosx-x86_64.s
+ASM_X86_64_MACOSX += rc4/rc4-md5-macosx-x86_64.s
+ASM_X86_64_MACOSX += sha/sha1-macosx-x86_64.s
 ASM_X86_64_MACOSX += sha/sha256-macosx-x86_64.S
 ASM_X86_64_MACOSX += sha/sha512-macosx-x86_64.S
-ASM_X86_64_MACOSX += whrlpool/wp-macosx-x86_64.S
+ASM_X86_64_MACOSX += whrlpool/wp-macosx-x86_64.s
 ASM_X86_64_MACOSX += cpuid-macosx-x86_64.S

 EXTRA_DIST += $(ASM_X86_64_MACOSX)
--- a/crypto/compat/b_win.c
+++ b/crypto/compat/b_win.c
@@ -23,8 +23,8 @@ BIO_sock_init(void)
 	if (!wsa_init_done) {
 		if (WSAStartup(version_requested, &wsa_state) != 0) {
 			int err = WSAGetLastError();
-			SYSerror(err);
-			BIOerror(BIO_R_WSASTARTUP);
+			SYSerr(SYS_F_WSASTARTUP, err);
+			BIOerr(BIO_F_BIO_SOCK_INIT, BIO_R_WSASTARTUP);
 			return (-1);
 		}
 		wsa_init_done = 1;
--- a/crypto/compat/inet_pton.c
+++ b/crypto/compat/inet_pton.c
@@ -0,0 +1,212 @@
+/*	$OpenBSD: inet_pton.c,v 1.9 2015/01/16 16:48:51 deraadt Exp $	*/
+
+/* Copyright (c) 1996 by Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND INTERNET SOFTWARE CONSORTIUM DISCLAIMS
+ * ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES
+ * OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL INTERNET SOFTWARE
+ * CONSORTIUM BE LIABLE FOR ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL
+ * DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR
+ * PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS
+ * ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS
+ * SOFTWARE.
+ */
+
+#include <sys/types.h>
+#include <sys/socket.h>
+#include <netinet/in.h>
+#include <arpa/inet.h>
+#include <arpa/nameser.h>
+#include <string.h>
+#include <errno.h>
+
+/*
+ * WARNING: Don't even consider trying to compile this on a system where
+ * sizeof(int) < 4.  sizeof(int) > 4 is fine; all the world's not a VAX.
+ */
+
+static int	inet_pton4(const char *src, u_char *dst);
+static int	inet_pton6(const char *src, u_char *dst);
+
+/* int
+ * inet_pton(af, src, dst)
+ *	convert from presentation format (which usually means ASCII printable)
+ *	to network format (which is usually some kind of binary format).
+ * return:
+ *	1 if the address was valid for the specified address family
+ *	0 if the address wasn't valid (`dst' is untouched in this case)
+ *	-1 if some other error occurred (`dst' is untouched in this case, too)
+ * author:
+ *	Paul Vixie, 1996.
+ */
+int
+inet_pton(int af, const char *src, void *dst)
+{
+	switch (af) {
+	case AF_INET:
+		return (inet_pton4(src, dst));
+	case AF_INET6:
+		return (inet_pton6(src, dst));
+	default:
+		errno = EAFNOSUPPORT;
+		return (-1);
+	}
+	/* NOTREACHED */
+}
+
+/* int
+ * inet_pton4(src, dst)
+ *	like inet_aton() but without all the hexadecimal and shorthand.
+ * return:
+ *	1 if `src' is a valid dotted quad, else 0.
+ * notice:
+ *	does not touch `dst' unless it's returning 1.
+ * author:
+ *	Paul Vixie, 1996.
+ */
+static int
+inet_pton4(const char *src, u_char *dst)
+{
+	static const char digits[] = "0123456789";
+	int saw_digit, octets, ch;
+	u_char tmp[INADDRSZ], *tp;
+
+	saw_digit = 0;
+	octets = 0;
+	*(tp = tmp) = 0;
+	while ((ch = *src++) != '\0') {
+		const char *pch;
+
+		if ((pch = strchr(digits, ch)) != NULL) {
+			u_int new = *tp * 10 + (pch - digits);
+
+			if (new > 255)
+				return (0);
+			if (! saw_digit) {
+				if (++octets > 4)
+					return (0);
+				saw_digit = 1;
+			}
+			*tp = new;
+		} else if (ch == '.' && saw_digit) {
+			if (octets == 4)
+				return (0);
+			*++tp = 0;
+			saw_digit = 0;
+		} else
+			return (0);
+	}
+	if (octets < 4)
+		return (0);
+
+	memcpy(dst, tmp, INADDRSZ);
+	return (1);
+}
+
+/* int
+ * inet_pton6(src, dst)
+ *	convert presentation level address to network order binary form.
+ * return:
+ *	1 if `src' is a valid [RFC1884 2.2] address, else 0.
+ * notice:
+ *	does not touch `dst' unless it's returning 1.
+ * credit:
+ *	inspired by Mark Andrews.
+ * author:
+ *	Paul Vixie, 1996.
+ */
+static int
+inet_pton6(const char *src, u_char *dst)
+{
+	static const char xdigits_l[] = "0123456789abcdef",
+			  xdigits_u[] = "0123456789ABCDEF";
+	u_char tmp[IN6ADDRSZ], *tp, *endp, *colonp;
+	const char *xdigits, *curtok;
+	int ch, saw_xdigit, count_xdigit;
+	u_int val;
+
+	memset((tp = tmp), '\0', IN6ADDRSZ);
+	endp = tp + IN6ADDRSZ;
+	colonp = NULL;
+	/* Leading :: requires some special handling. */
+	if (*src == ':')
+		if (*++src != ':')
+			return (0);
+	curtok = src;
+	saw_xdigit = count_xdigit = 0;
+	val = 0;
+	while ((ch = *src++) != '\0') {
+		const char *pch;
+
+		if ((pch = strchr((xdigits = xdigits_l), ch)) == NULL)
+			pch = strchr((xdigits = xdigits_u), ch);
+		if (pch != NULL) {
+			if (count_xdigit >= 4)
+				return (0);
+			val <<= 4;
+			val |= (pch - xdigits);
+			if (val > 0xffff)
+				return (0);
+			saw_xdigit = 1;
+			count_xdigit++;
+			continue;
+		}
+		if (ch == ':') {
+			curtok = src;
+			if (!saw_xdigit) {
+				if (colonp)
+					return (0);
+				colonp = tp;
+				continue;
+			} else if (*src == '\0') {
+				return (0);
+			}
+			if (tp + INT16SZ > endp)
+				return (0);
+			*tp++ = (u_char) (val >> 8) & 0xff;
+			*tp++ = (u_char) val & 0xff;
+			saw_xdigit = 0;
+			count_xdigit = 0;
+			val = 0;
+			continue;
+		}
+		if (ch == '.' && ((tp + INADDRSZ) <= endp) &&
+		    inet_pton4(curtok, tp) > 0) {
+			tp += INADDRSZ;
+			saw_xdigit = 0;
+			count_xdigit = 0;
+			break;	/* '\0' was seen by inet_pton4(). */
+		}
+		return (0);
+	}
+	if (saw_xdigit) {
+		if (tp + INT16SZ > endp)
+			return (0);
+		*tp++ = (u_char) (val >> 8) & 0xff;
+		*tp++ = (u_char) val & 0xff;
+	}
+	if (colonp != NULL) {
+		/*
+		 * Since some memmove()'s erroneously fail to handle
+		 * overlapping regions, we'll do the shift by hand.
+		 */
+		const int n = tp - colonp;
+		int i;
+
+		if (tp == endp)
+			return (0);
+		for (i = 1; i <= n; i++) {
+			endp[- i] = colonp[n - i];
+			colonp[n - i] = 0;
+		}
+		tp = endp;
+	}
+	if (tp != endp)
+		return (0);
+	memcpy(dst, tmp, IN6ADDRSZ);
+	return (1);
+}
--- a/crypto/compat/posix_win.c
+++ b/crypto/compat/posix_win.c
@@ -12,7 +12,6 @@
 #include <ws2tcpip.h>

 #include <errno.h>
-#include <fcntl.h>
 #include <stdint.h>
 #include <stdio.h>
 #include <stdlib.h>
@@ -40,28 +39,6 @@ posix_fopen(const char *path, const char *mode)
 	return fopen(path, mode);
 }

-int
-posix_open(const char *path, ...)
-{
-	va_list ap;
-	int mode = 0;
-	int flags;
-
-	va_start(ap, path);
-	flags = va_arg(ap, int);
-	if (flags & O_CREAT)
-		mode = va_arg(ap, int);
-	va_end(ap);
-
-	flags |= O_BINARY;
-	if (flags & O_CLOEXEC) {
-		flags &= ~O_CLOEXEC;
-		flags |= O_NOINHERIT;
-	}
-	flags &= ~O_NONBLOCK;
-	return open(path, flags, mode);
-}
-
 char *
 posix_fgets(char *s, int size, FILE *stream)
 {
@@ -132,9 +109,6 @@ wsa_errno(int err)
 	case WSAEAFNOSUPPORT:
 		errno = EAFNOSUPPORT;
 		break;
-	case WSAEBADF:
-		errno = EBADF;
-		break;
 	case WSAENETRESET:
 	case WSAENOTCONN:
 	case WSAECONNABORTED:
@@ -161,7 +135,7 @@ posix_close(int fd)
 {
 	if (closesocket(fd) == SOCKET_ERROR) {
 		int err = WSAGetLastError();
-		return (err == WSAENOTSOCK || err == WSAEBADF) ?
+		return err == WSAENOTSOCK ?
 			close(fd) : wsa_errno(err);
 	}
 	return 0;
@@ -173,7 +147,7 @@ posix_read(int fd, void *buf, size_t count)
 	ssize_t rc = recv(fd, buf, count, 0);
 	if (rc == SOCKET_ERROR) {
 		int err = WSAGetLastError();
-		return (err == WSAENOTSOCK || err == WSAEBADF) ?
+		return err == WSAENOTSOCK ?
 			read(fd, buf, count) : wsa_errno(err);
 	}
 	return rc;
@@ -185,7 +159,7 @@ posix_write(int fd, const void *buf, size_t count)
 	ssize_t rc = send(fd, buf, count, 0);
 	if (rc == SOCKET_ERROR) {
 		int err = WSAGetLastError();
-		return (err == WSAENOTSOCK || err == WSAEBADF) ?
+		return err == WSAENOTSOCK ?
 			write(fd, buf, count) : wsa_errno(err);
 	}
 	return rc;
--- a/include/Makefile.am
+++ b/include/Makefile.am
@@ -8,7 +8,6 @@ noinst_HEADERS = pqueue.h
 noinst_HEADERS += compat/dirent.h
 noinst_HEADERS += compat/dirent_msvc.h
 noinst_HEADERS += compat/err.h
-noinst_HEADERS += compat/fcntl.h
 noinst_HEADERS += compat/limits.h
 noinst_HEADERS += compat/netdb.h
 noinst_HEADERS += compat/poll.h
@@ -30,6 +29,7 @@ noinst_HEADERS += compat/netinet/in.h
 noinst_HEADERS += compat/netinet/ip.h
 noinst_HEADERS += compat/netinet/tcp.h

+noinst_HEADERS += compat/sys/cdefs.h
 noinst_HEADERS += compat/sys/ioctl.h
 noinst_HEADERS += compat/sys/mman.h
 noinst_HEADERS += compat/sys/param.h
--- a/include/compat/arpa/inet.h
+++ b/include/compat/arpa/inet.h
@@ -14,10 +14,6 @@

 #endif

-#ifndef HAVE_INET_NTOP
-const char * inet_ntop(int af, const void *src, char *dst, socklen_t size);
-#endif
-
 #ifndef HAVE_INET_PTON
 int inet_pton(int af, const char * src, void * dst);
 #endif
--- a/include/compat/err.h
+++ b/include/compat/err.h
@@ -18,11 +18,6 @@
 #include <stdio.h>
 #include <string.h>

-#if defined(_MSC_VER)
-__declspec(noreturn)
-#else
-__attribute__((noreturn))
-#endif
 static inline void
 err(int eval, const char *fmt, ...)
 {
@@ -39,11 +34,6 @@ err(int eval, const char *fmt, ...)
 	va_end(ap);
 }

-#if defined(_MSC_VER)
-__declspec(noreturn)
-#else
-__attribute__((noreturn))
-#endif
 static inline void
 errx(int eval, const char *fmt, ...)
 {
--- a/include/compat/fcntl.h
+++ b/include/compat/fcntl.h
@@ -1,32 +0,0 @@
-/*
- * Public domain
- * fcntl.h compatibility shim
- */
-
-#ifndef _WIN32
-#include_next <fcntl.h>
-#else
-
-#ifdef _MSC_VER
-#if _MSC_VER >= 1900
-#include <../ucrt/fcntl.h>
-#else
-#include <../include/fcntl.h>
-#endif
-#else
-#include_next <fcntl.h>
-#endif
-
-#endif
-
-#ifndef O_NONBLOCK
-#define O_NONBLOCK      0x100000
-#endif
-
-#ifndef O_CLOEXEC
-#define O_CLOEXEC       0x200000
-#endif
-
-#ifndef FD_CLOEXEC
-#define FD_CLOEXEC      1
-#endif
--- a/include/compat/limits.h
+++ b/include/compat/limits.h
@@ -5,14 +5,6 @@

 #ifdef _MSC_VER
 #include <../include/limits.h>
-#if _MSC_VER >= 1900
-#include <../ucrt/stdlib.h>
-#else
-#include <../include/stdlib.h>
-#endif
-#ifndef PATH_MAX
-#define PATH_MAX _MAX_PATH
-#endif
 #else
 #include_next <limits.h>
 #endif
--- a/include/compat/stdio.h
+++ b/include/compat/stdio.h
@@ -26,10 +26,6 @@ int asprintf(char **str, const char *fmt, ...);

 #ifdef _WIN32

-#if defined(_MSC_VER)
-#define __func__ __FUNCTION__
-#endif
-
 void posix_perror(const char *s);
 FILE * posix_fopen(const char *path, const char *mode);
 char * posix_fgets(char *s, int size, FILE *stream);
--- a/include/compat/sys/cdefs.h
+++ b/include/compat/sys/cdefs.h
@@ -0,0 +1,31 @@
+/*
+ * Public domain
+ * sys/cdefs.h compatibility shim
+ */
+
+#ifndef LIBCRYPTOCOMPAT_SYS_CDEFS_H
+#define LIBCRYPTOCOMPAT_SYS_CDEFS_H
+
+#ifdef _WIN32
+
+#define __warn_references(sym,msg)
+
+#else
+
+#include_next <sys/cdefs.h>
+
+#ifndef __warn_references
+
+#if defined(__GNUC__)  && defined (HAS_GNU_WARNING_LONG)
+#define __warn_references(sym,msg)          \
+  __asm__(".section .gnu.warning." __STRING(sym)  \
+         " ; .ascii \"" msg "\" ; .text");
+#else
+#define __warn_references(sym,msg)
+#endif
+
+#endif /* __warn_references */
+
+#endif /* _WIN32 */
+
+#endif /* LIBCRYPTOCOMPAT_SYS_CDEFS_H */
--- a/include/compat/sys/socket.h
+++ b/include/compat/sys/socket.h
@@ -8,10 +8,3 @@
 #else
 #include <win32netcompat.h>
 #endif
-
-#if !defined(SOCK_NONBLOCK) || !defined(SOCK_CLOEXEC)
-#define SOCK_CLOEXEC            0x8000  /* set FD_CLOEXEC */
-#define SOCK_NONBLOCK           0x4000  /* set O_NONBLOCK */
-int bsd_socketpair(int domain, int type, int protocol, int socket_vector[2]);
-#define socketpair(d,t,p,sv) bsd_socketpair(d,t,p,sv)
-#endif
--- a/include/compat/sys/stat.h
+++ b/include/compat/sys/stat.h
@@ -8,15 +8,6 @@

 #ifndef _MSC_VER
 #include_next <sys/stat.h>
-
-/* for old MinGW */
-#ifndef S_IRGRP
-#define S_IRGRP         0
-#endif
-#ifndef S_IROTH
-#define S_IROTH         0
-#endif
-
 #else

 #include <windows.h>
--- a/include/compat/sys/types.h
+++ b/include/compat/sys/types.h
@@ -44,25 +44,4 @@ typedef SSIZE_T ssize_t;
 # define __bounded__(x, y, z)
 #endif

-#ifdef _WIN32
-#define __warn_references(sym,msg)
-#else
-
-#ifndef __warn_references
-
-#ifndef __STRING
-#define __STRING(x) #x
-#endif
-
-#if defined(__GNUC__)  && defined (HAS_GNU_WARNING_LONG)
-#define __warn_references(sym,msg)          \
-  __asm__(".section .gnu.warning." __STRING(sym)  \
-         " ; .ascii \"" msg "\" ; .text");
-#else
-#define __warn_references(sym,msg)
-#endif
-
-#endif /* __warn_references */
-#endif /* _WIN32 */
-
 #endif
--- a/include/compat/unistd.h
+++ b/include/compat/unistd.h
@@ -14,9 +14,6 @@
 #include <io.h>
 #include <process.h>

-#define STDOUT_FILENO   1
-#define STDERR_FILENO   2
-
 #define R_OK    4
 #define W_OK    2
 #define X_OK    0
@@ -41,8 +38,4 @@ int getentropy(void *buf, size_t buflen);

 #define pledge(request, paths) 0

-#ifndef HAVE_PIPE2
-int pipe2(int fildes[2], int flags);
-#endif
-
 #endif
--- a/include/compat/win32netcompat.h
+++ b/include/compat/win32netcompat.h
@@ -26,10 +26,7 @@

 int posix_connect(int sockfd, const struct sockaddr *addr, socklen_t addrlen);

-int posix_open(const char *path, ...);
-
 int posix_close(int fd);
-
 ssize_t posix_read(int fd, void *buf, size_t count);

 ssize_t posix_write(int fd, const void *buf, size_t count);
@@ -42,7 +39,6 @@ int posix_setsockopt(int sockfd, int level, int optname,

 #ifndef NO_REDEF_POSIX_FUNCTIONS
 #define connect(sockfd, addr, addrlen) posix_connect(sockfd, addr, addrlen)
-#define open(path, ...) posix_open(path, __VA_ARGS__)
 #define close(fd) posix_close(fd)
 #define read(fd, buf, count) posix_read(fd, buf, count)
 #define write(fd, buf, count) posix_write(fd, buf, count)
--- a/libtls-standalone/src/Makefile.am
+++ b/libtls-standalone/src/Makefile.am
@@ -8,7 +8,6 @@ libtls_la_LIBADD += $(top_builddir)/compat/libcompat.la
 libtls_la_LIBADD += $(top_builddir)/compat/libcompatnoopt.la

 libtls_la_SOURCES = tls.c
-libtls_la_SOURCES += tls_bio_cb.c
 libtls_la_SOURCES += tls_client.c
 libtls_la_SOURCES += tls_config.c
 libtls_la_SOURCES += tls_server.c
--- a/m4/check-libc.m4
+++ b/m4/check-libc.m4
@@ -2,11 +2,10 @@ AC_DEFUN([CHECK_LIBC_COMPAT], [
 # Check for libc headers
 AC_CHECK_HEADERS([err.h readpassphrase.h])
 # Check for general libc functions
-AC_CHECK_FUNCS([asprintf inet_ntop inet_pton memmem readpassphrase])
-AC_CHECK_FUNCS([reallocarray strlcat strlcpy strndup strnlen strsep strtonum])
+AC_CHECK_FUNCS([asprintf inet_pton memmem readpassphrase reallocarray])
+AC_CHECK_FUNCS([strlcat strlcpy strndup strnlen strsep strtonum])
 AC_CHECK_FUNCS([timegm _mkgmtime])
 AM_CONDITIONAL([HAVE_ASPRINTF], [test "x$ac_cv_func_asprintf" = xyes])
-AM_CONDITIONAL([HAVE_INET_NTOP], [test "x$ac_cv_func_inet_ntop" = xyes])
 AM_CONDITIONAL([HAVE_INET_PTON], [test "x$ac_cv_func_inet_pton" = xyes])
 AM_CONDITIONAL([HAVE_MEMMEM], [test "x$ac_cv_func_memmem" = xyes])
 AM_CONDITIONAL([HAVE_READPASSPHRASE], [test "x$ac_cv_func_readpassphrase" = xyes])
@@ -21,12 +20,10 @@ AM_CONDITIONAL([HAVE_TIMEGM], [test "x$ac_cv_func_timegm" = xyes])
 ])

 AC_DEFUN([CHECK_SYSCALL_COMPAT], [
-AC_CHECK_FUNCS([accept4 pipe2 pledge poll socketpair])
+AC_CHECK_FUNCS([accept4 pledge poll])
 AM_CONDITIONAL([HAVE_ACCEPT4], [test "x$ac_cv_func_accept4" = xyes])
-AM_CONDITIONAL([HAVE_PIPE2], [test "x$ac_cv_func_pipe2" = xyes])
 AM_CONDITIONAL([HAVE_PLEDGE], [test "x$ac_cv_func_pledge" = xyes])
 AM_CONDITIONAL([HAVE_POLL], [test "x$ac_cv_func_poll" = xyes])
-AM_CONDITIONAL([HAVE_SOCKETPAIR], [test "x$ac_cv_func_socketpair" = xyes])
 ])

 AC_DEFUN([CHECK_B64_NTOP], [
@@ -50,52 +47,7 @@ AM_CONDITIONAL([HAVE_B64_NTOP], [test "x$ac_cv_func_b64_ntop_arg" = xyes])
 AC_DEFUN([CHECK_CRYPTO_COMPAT], [
 # Check crypto-related libc functions and syscalls
 AC_CHECK_FUNCS([arc4random arc4random_buf arc4random_uniform])
-AC_CHECK_FUNCS([explicit_bzero getauxval])
-
-AC_CACHE_CHECK([for getentropy], ac_cv_func_getentropy, [
-	AC_LINK_IFELSE([AC_LANG_PROGRAM([[
-#include <sys/types.h>
-#include <unistd.h>
-
-/*
- * Explanation:
- *
- *   - iOS <= 10.1 fails because of missing sys/random.h
- *
- *   - in macOS 10.12 getentropy is not tagged as introduced in
- *     10.12 so we cannot use it for target < 10.12
- */
-#ifdef __APPLE__
-#  include <AvailabilityMacros.h>
-#  include <TargetConditionals.h>
-
-# if (TARGET_OS_IPHONE || TARGET_OS_SIMULATOR)
-#  include <sys/random.h> /* Not available as of iOS <= 10.1 */
-# else
-
-#  include <sys/random.h> /* Pre 10.12 systems should die here */
-
-/* Based on: https://gitweb.torproject.org/tor.git/commit/?id=16fcbd21 */
-#  ifndef MAC_OS_X_VERSION_10_12
-#    define MAC_OS_X_VERSION_10_12 101200 /* Robustness */
-#  endif
-#  if defined(MAC_OS_X_VERSION_MIN_REQUIRED)
-#    if MAC_OS_X_VERSION_MIN_REQUIRED < MAC_OS_X_VERSION_10_12
-#      error "Targeting on Mac OSX 10.11 or earlier"
-#    endif
-#  endif
-
-# endif
-#endif /* __APPLE__ */
-		]], [[
-	char buffer;
-	(void)getentropy(&buffer, sizeof (buffer));
-]])],
-	[ ac_cv_func_getentropy="yes" ],
-	[ ac_cv_func_getentropy="no"
-	])
-])
-
+AC_CHECK_FUNCS([explicit_bzero getauxval getentropy])
 AC_CHECK_FUNCS([timingsafe_bcmp timingsafe_memcmp])
 AM_CONDITIONAL([HAVE_ARC4RANDOM], [test "x$ac_cv_func_arc4random" = xyes])
 AM_CONDITIONAL([HAVE_ARC4RANDOM_BUF], [test "x$ac_cv_func_arc4random_buf" = xyes])
@@ -144,77 +96,3 @@ if test "x$ac_cv_have___va_copy" = "xyes" ; then
 	AC_DEFINE([HAVE___VA_COPY], [1], [Define if __va_copy exists])
 fi
 ])
-
-AC_DEFUN([GENERATE_CRYPTO_PORTABLE_SYM], [
-crypto_sym=$srcdir/crypto/crypto.sym
-crypto_p_sym=$srcdir/crypto/crypto_portable.sym
-echo "generating $crypto_p_sym ..."
-chmod u+w $srcdir/crypto
-cp $crypto_sym $crypto_p_sym
-chmod u+w $crypto_p_sym
-if test "x$ac_cv_func_arc4random" = "xno" ; then
-	echo arc4random >> $crypto_p_sym
-fi
-if test "x$ac_cv_func_arc4random_buf" = "xno" ; then
-	echo arc4random_buf >> $crypto_p_sym
-fi
-if test "x$ac_cv_func_arc4random_uniform" = "xno" ; then
-	echo arc4random_uniform >> $crypto_p_sym
-fi
-if test "x$ac_cv_func_asprintf" = "xno" ; then
-	echo asprintf >> $crypto_p_sym
-	echo vasprintf >> $crypto_p_sym
-fi
-if test "x$ac_cv_func_explicit_bzero" = "xno" ; then
-	echo explicit_bzero >> $crypto_p_sym
-fi
-if test "x$ac_cv_func_getentropy" = "xno" ; then
-	echo getentropy >> $crypto_p_sym
-fi
-if test "x$ac_cv_func_inet_pton" = "xno" ; then
-	echo inet_pton >> $crypto_p_sym
-fi
-if test "x$ac_cv_func_reallocarray" = "xno" ; then
-	echo reallocarray >> $crypto_p_sym
-fi
-if test "x$ac_cv_func_strlcat" = "xno" ; then
-	echo strlcat >> $crypto_p_sym
-fi
-if test "x$ac_cv_func_strlcpy" = "xno" ; then
-	echo strlcpy >> $crypto_p_sym
-fi
-if test "x$ac_cv_func_strndup" = "xno" ; then
-	echo strndup >> $crypto_p_sym
-fi
-if test "x$ac_cv_func_strnlen" = "xno" ; then
-	echo strnlen >> $crypto_p_sym
-fi
-if test "x$ac_cv_func_strsep" = "xno" ; then
-	echo strsep >> $crypto_p_sym
-fi
-if test "x$ac_cv_func_timegm" = "xno" ; then
-	echo timegm >> $crypto_p_sym
-fi
-if test "x$ac_cv_func_timingsafe_bcmp" = "xno" ; then
-	echo timingsafe_bcmp >> $crypto_p_sym
-fi
-if test "x$ac_cv_func_timingsafe_memcmp" = "xno" ; then
-	echo timingsafe_memcmp >> $crypto_p_sym
-fi
-if test "x$HOST_OS" = "xwin" ; then
-	echo posix_perror >> $crypto_p_sym
-	echo posix_fopen >> $crypto_p_sym
-	echo posix_fgets >> $crypto_p_sym
-	echo posix_open >> $crypto_p_sym
-	echo posix_rename >> $crypto_p_sym
-	echo posix_connect >> $crypto_p_sym
-	echo posix_close >> $crypto_p_sym
-	echo posix_read >> $crypto_p_sym
-	echo posix_write >> $crypto_p_sym
-	echo posix_getsockopt >> $crypto_p_sym
-	echo posix_setsockopt >> $crypto_p_sym
-
-	grep -v BIO_s_log $crypto_p_sym > $crypto_p_sym.tmp
-	mv $crypto_p_sym.tmp $crypto_p_sym
-fi
-])
--- a/m4/check-os-options.m4
+++ b/m4/check-os-options.m4
@@ -17,45 +17,10 @@ case $host_os in
 	*darwin*)
 		HOST_OS=darwin
 		HOST_ABI=macosx
-		#
-		# Don't use arc4random on systems before 10.12 because of
 		# weak seed on failure to open /dev/random, based on latest
 		# public source:
 		# http://www.opensource.apple.com/source/Libc/Libc-997.90.3/gen/FreeBSD/arc4random.c
-		#
-		# We use the presence of getentropy() to detect 10.12. The
-		# following check take into account that:
- 		#
-		#   - iOS <= 10.1 fails because of missing getentropy and
-		#     hence they miss sys/random.h
-		#
-		#   - in macOS 10.12 getentropy is not tagged as introduced in
-		#     10.12 so we cannot use it for target < 10.12
-		#
-		AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
-#include <AvailabilityMacros.h>
-#include <unistd.h>
-#include <sys/random.h>  /* Systems without getentropy() should die here */
-
-/* Based on: https://gitweb.torproject.org/tor.git/commit/?id=16fcbd21 */
-#ifndef MAC_OS_X_VERSION_10_12
-#  define MAC_OS_X_VERSION_10_12 101200
-#endif
-#if defined(MAC_OS_X_VERSION_MIN_REQUIRED)
-#  if MAC_OS_X_VERSION_MIN_REQUIRED < MAC_OS_X_VERSION_10_12
-#    error "Running on Mac OSX 10.11 or earlier"
-#  endif
-#endif
-                       ]], [[
-char buf[1]; getentropy(buf, 1);
-					   ]])],
-                       [ USE_BUILTIN_ARC4RANDOM=no ],
-                       [ USE_BUILTIN_ARC4RANDOM=yes ]
-		)
-		AC_MSG_CHECKING([whether to use builtin arc4random])
-		AC_MSG_RESULT([$USE_BUILTIN_ARC4RANDOM])
-		# Not available on iOS
-		AC_CHECK_HEADER([arpa/telnet.h], [], [BUILD_NC=no])
+		USE_BUILTIN_ARC4RANDOM=yes
 		;;
 	*freebsd*)
 		HOST_OS=freebsd
--- a/man/links
+++ b/man/links
--- a/man/update_links.sh
+++ b/man/update_links.sh
@@ -1,19 +1,18 @@
 #!/bin/sh

 # Run this periodically to ensure that the manpage links are up to date
-(
-    cd /usr/src/usr.bin/mandoc/
-    make obj
-    make cleandir
-    make depend
-    make
-    cd /usr/src/regress/usr.bin/mandoc/db/mlinks/
-    make obj
-    make cleandir
-    make
-)
-
-makewhatis -a .

 echo "# This is an auto-generated file by $0" > links
-/usr/src/regress/usr.bin/mandoc/db/mlinks/obj/mlinks mandoc.db | sort >> links
+doas makewhatis
+for i in `ls -1 *.3`; do
+  name=`echo $i|cut -d. -f1`
+  links=`sqlite3 /usr/share/man/mandoc.db \
+    "select names.name from mlinks,names where mlinks.name='$name' and mlinks.pageid=names.pageid;"`
+  for j in $links; do
+    a=`echo "x$j" | tr '[:upper:]' '[:lower:]'`
+    b=`echo "x$name" | tr '[:upper:]' '[:lower:]'`
+    if [[ $a != $b && $a != *"<type>"* ]]; then
+      echo $name.3,$j.3 >> links
+    fi
+  done
+done
--- a/patches/aeadtest.c.patch
+++ b/patches/aeadtest.c.patch
@@ -1,15 +0,0 @@
--- tests/aeadtest.c.orig	2016-10-18 17:03:33.845870889 +0900
-+++ tests/aeadtest.c	2016-10-18 17:11:19.880841283 +0900
-@@ -75,6 +75,12 @@
- 
- #define BUF_MAX 1024
- 
-+#ifdef _MSC_VER
-+#ifdef IN
-+#undef IN
-+#endif
-+#endif
-+
- /* These are the different types of line that are found in the input file. */
- enum {
- 	AEAD = 0,	/* name of the AEAD algorithm. */
--- a/patches/bio.h.patch
+++ b/patches/bio.h.patch
@@ -1,36 +0,0 @@
--- include/openssl/bio.h.orig	Mon Oct  3 06:09:28 2016
-+++ include/openssl/bio.h	Sun Nov  6 04:24:57 2016
-@@ -678,8 +678,24 @@
-
- /*long BIO_ghbn_ctrl(int cmd,int iarg,char *parg);*/
-
-+#ifdef __MINGW_PRINTF_FORMAT
- int
- BIO_printf(BIO *bio, const char *format, ...)
-+	__attribute__((__format__(__MINGW_PRINTF_FORMAT, 2, 3), __nonnull__(2)));
-+int
-+BIO_vprintf(BIO *bio, const char *format, va_list args)
-+	__attribute__((__format__(__MINGW_PRINTF_FORMAT, 2, 0), __nonnull__(2)));
-+int
-+BIO_snprintf(char *buf, size_t n, const char *format, ...)
-+	__attribute__((__deprecated__, __format__(__MINGW_PRINTF_FORMAT, 3, 4),
-+	    __nonnull__(3)));
-+int
-+BIO_vsnprintf(char *buf, size_t n, const char *format, va_list args)
-+	__attribute__((__deprecated__, __format__(__MINGW_PRINTF_FORMAT, 3, 0),
-+	    __nonnull__(3)));
-+#else
-+int
-+BIO_printf(BIO *bio, const char *format, ...)
- 	__attribute__((__format__(__printf__, 2, 3), __nonnull__(2)));
- int
- BIO_vprintf(BIO *bio, const char *format, va_list args)
-@@ -692,6 +708,8 @@
- BIO_vsnprintf(char *buf, size_t n, const char *format, va_list args)
- 	__attribute__((__deprecated__, __format__(__printf__, 3, 0),
- 	    __nonnull__(3)));
-+#endif
-+
-
- /* BEGIN ERROR CODES */
- /* The following lines are auto generated by the script mkerr.pl. Any changes
--- a/patches/netcat.c.patch
+++ b/patches/netcat.c.patch
@@ -1,5 +1,5 @@
--- apps/nc/netcat.c.orig	Sat Nov  5 14:00:01 2016
-+++ apps/nc/netcat.c	Sat Nov  5 15:28:35 2016
+--- apps/nc/netcat.c.orig	Thu Jun 30 19:56:49 2016
+++ apps/nc/netcat.c	Thu Jun 30 19:59:09 2016
@@ -65,7 +65,9 @@
 #define POLL_NETIN 2
 #define POLL_STDOUT 3
@@ -10,7 +10,7 @@
 
 #define TLS_LEGACY	(1 << 1)
 #define TLS_NOVERIFY	(1 << 2)
-@@ -93,9 +95,13 @@
+@@ -92,9 +94,13 @@
 int	Dflag;					/* sodebug */
 int	Iflag;					/* TCP receive buffer size */
 int	Oflag;					/* TCP send buffer size */
@@ -24,7 +24,7 @@
 
 int	usetls;					/* use TLS */
 char    *Cflag;					/* Public cert file */
-@@ -148,7 +154,7 @@
+@@ -152,7 +158,7 @@
 	struct servent *sv;
 	socklen_t len;
 	struct sockaddr_storage cliaddr;
@@ -33,7 +33,7 @@
 	const char *errstr, *proxyhost = "", *proxyport = NULL;
 	struct addrinfo proxyhints;
 	char unix_dg_tmp_socket_buf[UNIX_DG_TMP_SOCKET_SIZE];
-@@ -258,12 +264,14 @@
+@@ -262,12 +268,14 @@
 		case 'u':
 			uflag = 1;
 			break;
@@ -48,9 +48,9 @@
 		case 'v':
 			vflag = 1;
 			break;
-@@ -299,9 +307,11 @@
- 		case 'o':
- 			oflag = optarg;
+@@ -300,9 +308,11 @@
+ 				errx(1, "TCP send window %s: %s",
+ 				    errstr, optarg);
 			break;
 +#ifdef TCP_MD5SIG
 		case 'S':
@@ -60,7 +60,7 @@
 		case 'T':
 			errstr = NULL;
 			errno = 0;
-@@ -325,9 +335,11 @@
+@@ -326,9 +336,11 @@
 	argc -= optind;
 	argv += optind;
 
@@ -72,19 +72,31 @@
 
 	if (family == AF_UNIX) {
 		if (pledge("stdio rpath wpath cpath tmppath unix", NULL) == -1)
-@@ -836,7 +848,10 @@
+@@ -480,7 +492,10 @@
+ 				errx(1, "-H and -T noverify may not be used"
+ 				    "together");
+ 			tls_config_insecure_noverifycert(tls_cfg);
+-		}
+		} else {
+                        if (Rflag && access(Rflag, R_OK) == -1)
+                                errx(1, "unable to find root CA file %s", Rflag);
+                }
+ 	}
+ 	if (lflag) {
+ 		struct tls *tls_cctx = NULL;
+@@ -832,7 +847,10 @@
 remote_connect(const char *host, const char *port, struct addrinfo hints)
 {
 	struct addrinfo *res, *res0;
-	int s = -1, error, on = 1, save_errno;
-+	int s = -1, error, save_errno;
+-	int s, error, on = 1, save_errno;
+	int s, error, save_errno;
 +#ifdef SO_BINDANY
 +	int on = 1;
 +#endif
 
- 	if ((error = getaddrinfo(host, port, &hints, &res0)))
+ 	if ((error = getaddrinfo(host, port, &hints, &res)))
 		errx(1, "getaddrinfo: %s", gai_strerror(error));
-@@ -850,8 +865,10 @@
+@@ -847,8 +865,10 @@
 		if (sflag || pflag) {
 			struct addrinfo ahints, *ares;
 
@@ -93,22 +105,22 @@
 			setsockopt(s, SOL_SOCKET, SO_BINDANY, &on, sizeof(on));
 +#endif
 			memset(&ahints, 0, sizeof(struct addrinfo));
- 			ahints.ai_family = res->ai_family;
+ 			ahints.ai_family = res0->ai_family;
 			ahints.ai_socktype = uflag ? SOCK_DGRAM : SOCK_STREAM;
-@@ -922,7 +939,10 @@
+@@ -919,7 +939,10 @@
 local_listen(char *host, char *port, struct addrinfo hints)
 {
 	struct addrinfo *res, *res0;
-	int s = -1, ret, x = 1, save_errno;
-+	int s = -1, save_errno;
+-	int s, ret, x = 1, save_errno;
+	int s, save_errno;
 +#ifdef SO_REUSEPORT
 +	int ret, x = 1;
 +#endif
 	int error;
 
 	/* Allow nodename to be null. */
-@@ -943,9 +963,11 @@
- 		    res->ai_protocol)) < 0)
+@@ -941,9 +964,11 @@
+ 		    res0->ai_protocol)) < 0)
 			continue;
 
 +#ifdef SO_REUSEPORT
@@ -117,9 +129,9 @@
 			err(1, NULL);
 +#endif
 
- 		set_common_sockopts(s, res->ai_family);
+ 		set_common_sockopts(s, res0->ai_family);
 
-@@ -1403,11 +1425,13 @@
+@@ -1401,11 +1426,13 @@
 {
 	int x = 1;
 
@@ -133,7 +145,7 @@
 	if (Dflag) {
 		if (setsockopt(s, SOL_SOCKET, SO_DEBUG,
 			&x, sizeof(x)) == -1)
-@@ -1444,13 +1468,17 @@
+@@ -1442,13 +1469,17 @@
 	}
 
 	if (minttl != -1) {
@@ -152,7 +164,7 @@
 	}
 }
 
-@@ -1644,14 +1672,22 @@
+@@ -1605,14 +1636,22 @@
 	\t-P proxyuser\tUsername for proxy authentication\n\
 	\t-p port\t	Specify local port for remote connects\n\
 	\t-R CAfile	CA bundle\n\
--- a/patches/ocsp_test.c.patch
+++ b/patches/ocsp_test.c.patch
@@ -1,14 +0,0 @@
--- tests/ocsp_test.c.orig	2016-10-18 18:12:39.854607509 +0900
-+++ tests/ocsp_test.c	2016-10-18 18:14:29.261600559 +0900
-@@ -16,6 +16,11 @@
- 	hints.ai_family = AF_INET;
- 	hints.ai_socktype = SOCK_STREAM;
- 
-+#ifdef _MSC_VER
-+	if (BIO_sock_init() != 1)
-+		exit(-1);
-+#endif
-+
- 	error = getaddrinfo(host, port, &hints, &res);
- 	if (error != 0) {
- 		perror("getaddrinfo()");
--- a/patches/openssl.c.patch
+++ b/patches/openssl.c.patch
@@ -1,6 +1,6 @@
--- apps/openssl/openssl.c.orig	Fri Nov  4 09:33:19 2016
-+++ apps/openssl/openssl.c	Sat Nov  5 15:28:35 2016
-@@ -396,7 +396,9 @@
+--- apps/openssl/openssl.c.orig	Sun Sep 13 09:11:31 2015
+++ apps/openssl/openssl.c	Sun Sep 13 09:10:02 2015
+@@ -399,7 +399,9 @@
 static void
 openssl_startup(void)
 {
--- a/patches/windows_headers.patch
+++ b/patches/windows_headers.patch
@@ -24,8 +24,8 @@ diff -u include/openssl.orig/opensslconf.h include/openssl/opensslconf.h
 +#define __attribute__(a)
 +#endif
 +
- #if defined(HEADER_CRYPTLIB_H) && !defined(OPENSSLDIR)
- #define OPENSSLDIR "/etc/ssl"
+ /* Generate 80386 code? */
+ #undef I386_ONLY
 
 diff -u include/openssl.orig/ossl_typ.h include/openssl/ossl_typ.h
 --- include/openssl.orig/ossl_typ.h	Mon Dec  7 07:58:32 2015
--- a/scripts/travis
+++ b/scripts/travis
@@ -21,6 +21,9 @@ if [ "x$ARCH" = "xnative" ]; then
 		make
 		make test
 	else
+		sudo apt-get update
+		sudo apt-get install -y python-software-properties
+		sudo apt-add-repository -y ppa:kalakris/cmake
 		sudo apt-get update
 		sudo apt-get install -y cmake ninja-build
 		cmake -GNinja ..
@@ -35,8 +38,12 @@ else
 	export CC=$CPU-w64-mingw32-gcc

 	if [ -z $(which $CC) ]; then
+		# Update Ubuntu 12.04 with current mingw toolchain
 		sudo apt-get update
-		sudo apt-get install -y mingw-w64 make
+		sudo apt-get install -y python-software-properties
+		sudo apt-add-repository -y ppa:tobydox/mingw-x-precise
+		sudo apt-get update
+		sudo apt-get install -y $ARCH-x-gcc make
 		export PATH=$PATH:/opt/$ARCH/bin
 	fi

--- a/ssl/CMakeLists.txt
+++ b/ssl/CMakeLists.txt
@@ -19,24 +19,27 @@ set(
 	d1_srtp.c
 	d1_srvr.c
 	pqueue.c
+	s23_clnt.c
+	s23_lib.c
+	s23_pkt.c
+	s23_srvr.c
+	s3_both.c
 	s3_cbc.c
+	s3_clnt.c
 	s3_lib.c
+	s3_pkt.c
+	s3_srvr.c
 	ssl_algs.c
 	ssl_asn1.c
-	ssl_both.c
 	ssl_cert.c
 	ssl_ciph.c
-	ssl_clnt.c
 	ssl_err.c
+	ssl_err2.c
 	ssl_lib.c
-	ssl_packet.c
-	ssl_pkt.c
 	ssl_rsa.c
 	ssl_sess.c
-	ssl_srvr.c
 	ssl_stat.c
 	ssl_txt.c
-	ssl_versions.c
 	t1_clnt.c
 	t1_enc.c
 	t1_lib.c
@@ -45,18 +48,14 @@ set(
 	t1_srvr.c
 )

-add_library(ssl-objects OBJECT ${SSL_SRC})
 if (BUILD_SHARED)
+	add_library(ssl-objects OBJECT ${SSL_SRC})
 	add_library(ssl STATIC $<TARGET_OBJECTS:ssl-objects>)
 	add_library(ssl-shared SHARED $<TARGET_OBJECTS:ssl-objects>)
-	export_symbol(ssl-shared ${CMAKE_CURRENT_SOURCE_DIR}/ssl.sym)
-	if (WIN32)
+	if (MSVC)
 		target_link_libraries(ssl-shared crypto-shared Ws2_32.lib)
-		set(SSL_POSTFIX -${SSL_MAJOR_VERSION})
 	endif()
-	set_target_properties(ssl-shared PROPERTIES
-		OUTPUT_NAME ssl${SSL_POSTFIX}
-		ARCHIVE_OUTPUT_NAME ssl${SSL_POSTFIX})
+	set_target_properties(ssl-shared PROPERTIES OUTPUT_NAME ssl)
 	set_target_properties(ssl-shared PROPERTIES VERSION ${SSL_VERSION}
 		SOVERSION ${SSL_MAJOR_VERSION})
 	install(TARGETS ssl ssl-shared DESTINATION lib)
--- a/ssl/Makefile.am
+++ b/ssl/Makefile.am
@@ -4,9 +4,8 @@ lib_LTLIBRARIES = libssl.la

 EXTRA_DIST = VERSION
 EXTRA_DIST += CMakeLists.txt
-EXTRA_DIST += ssl.sym

-libssl_la_LDFLAGS = -version-info @LIBSSL_VERSION@ -no-undefined -export-symbols $(top_srcdir)/ssl/ssl.sym
+libssl_la_LDFLAGS = -version-info @LIBSSL_VERSION@ -no-undefined
 libssl_la_LIBADD = $(abs_top_builddir)/crypto/libcrypto.la

 libssl_la_SOURCES = bio_ssl.c
@@ -22,24 +21,27 @@ libssl_la_SOURCES += d1_pkt.c
 libssl_la_SOURCES += d1_srtp.c
 libssl_la_SOURCES += d1_srvr.c
 libssl_la_SOURCES += pqueue.c
+libssl_la_SOURCES += s23_clnt.c
+libssl_la_SOURCES += s23_lib.c
+libssl_la_SOURCES += s23_pkt.c
+libssl_la_SOURCES += s23_srvr.c
+libssl_la_SOURCES += s3_both.c
 libssl_la_SOURCES += s3_cbc.c
+libssl_la_SOURCES += s3_clnt.c
 libssl_la_SOURCES += s3_lib.c
+libssl_la_SOURCES += s3_pkt.c
+libssl_la_SOURCES += s3_srvr.c
 libssl_la_SOURCES += ssl_algs.c
 libssl_la_SOURCES += ssl_asn1.c
-libssl_la_SOURCES += ssl_both.c
 libssl_la_SOURCES += ssl_cert.c
 libssl_la_SOURCES += ssl_ciph.c
-libssl_la_SOURCES += ssl_clnt.c
 libssl_la_SOURCES += ssl_err.c
+libssl_la_SOURCES += ssl_err2.c
 libssl_la_SOURCES += ssl_lib.c
-libssl_la_SOURCES += ssl_packet.c
-libssl_la_SOURCES += ssl_pkt.c
 libssl_la_SOURCES += ssl_rsa.c
 libssl_la_SOURCES += ssl_sess.c
-libssl_la_SOURCES += ssl_srvr.c
 libssl_la_SOURCES += ssl_stat.c
 libssl_la_SOURCES += ssl_txt.c
-libssl_la_SOURCES += ssl_versions.c
 libssl_la_SOURCES += t1_clnt.c
 libssl_la_SOURCES += t1_enc.c
 libssl_la_SOURCES += t1_lib.c
--- a/tests/CMakeLists.txt
+++ b/tests/CMakeLists.txt
@@ -9,146 +9,133 @@ include_directories(
 	../apps/openssl/compat
 )

-add_definitions(-D_PATH_SSL_CA_FILE=\"${CMAKE_CURRENT_SOURCE_DIR}/../apps/openssl/cert.pem\")
-
-foreach(lib IN LISTS OPENSSL_LIBS)
-	if(${lib} STREQUAL "tls-shared")
-		set(TESTS_LIBS ${TESTS_LIBS} tls)
-	elseif(${lib} STREQUAL "ssl-shared")
-		set(TESTS_LIBS ${TESTS_LIBS} ssl)
-	elseif(${lib} STREQUAL "crypto-shared")
-		set(TESTS_LIBS ${TESTS_LIBS} crypto)
-	else()
-		set(TESTS_LIBS ${TESTS_LIBS} ${lib})
-	endif()
-endforeach()
-
 # aeadtest
 add_executable(aeadtest aeadtest.c)
-target_link_libraries(aeadtest ${TESTS_LIBS})
-add_test(aeadtest aeadtest ${CMAKE_CURRENT_SOURCE_DIR}/aeadtests.txt)
+target_link_libraries(aeadtest ${OPENSSL_LIBS})
+add_test(aeadtest ${CMAKE_CURRENT_SOURCE_DIR}/aeadtest.sh)
+set_tests_properties(aeadtest PROPERTIES ENVIRONMENT "srcdir=${CMAKE_CURRENT_SOURCE_DIR}")

 # aes_wrap
 add_executable(aes_wrap aes_wrap.c)
-target_link_libraries(aes_wrap ${TESTS_LIBS})
+target_link_libraries(aes_wrap ${OPENSSL_LIBS})
 add_test(aes_wrap aes_wrap)

 # arc4randomforktest
 # Windows/mingw does not have fork, but Cygwin does.
 if(NOT CMAKE_HOST_WIN32 AND NOT CMAKE_SYSTEM_NAME MATCHES "MINGW")
 add_executable(arc4randomforktest arc4randomforktest.c)
-	target_link_libraries(arc4randomforktest ${TESTS_LIBS})
+target_link_libraries(arc4randomforktest ${OPENSSL_LIBS})
 add_test(arc4randomforktest ${CMAKE_CURRENT_SOURCE_DIR}/arc4randomforktest.sh)
 endif()

 # asn1test
 add_executable(asn1test asn1test.c)
-target_link_libraries(asn1test ${TESTS_LIBS})
+target_link_libraries(asn1test ${OPENSSL_LIBS})
 add_test(asn1test asn1test)

 # asn1time
 add_executable(asn1time asn1time.c)
-target_link_libraries(asn1time ${TESTS_LIBS})
+target_link_libraries(asn1time ${OPENSSL_LIBS})
 add_test(asn1time asn1time)

 # base64test
 add_executable(base64test base64test.c)
-target_link_libraries(base64test ${TESTS_LIBS})
+target_link_libraries(base64test ${OPENSSL_LIBS})
 add_test(base64test base64test)

 # bftest
 add_executable(bftest bftest.c)
-target_link_libraries(bftest ${TESTS_LIBS})
+target_link_libraries(bftest ${OPENSSL_LIBS})
 add_test(bftest bftest)

 # biotest
 # the BIO tests rely on resolver results that are OS and environment-specific
 if(ENABLE_EXTRATESTS)
 	add_executable(biotest biotest.c)
-	target_link_libraries(biotest ${TESTS_LIBS})
+	target_link_libraries(biotest ${OPENSSL_LIBS})
 	add_test(biotest biotest)
 endif()

 # bntest
 add_executable(bntest bntest.c)
-set_source_files_properties(bntest.c PROPERTIES COMPILE_FLAGS -ULIBRESSL_INTERNAL)
-target_link_libraries(bntest ${TESTS_LIBS})
+target_link_libraries(bntest ${OPENSSL_LIBS})
 add_test(bntest bntest)

 # bytestringtest
 add_executable(bytestringtest bytestringtest.c)
-target_link_libraries(bytestringtest ${TESTS_LIBS})
+target_link_libraries(bytestringtest ${OPENSSL_LIBS})
 add_test(bytestringtest bytestringtest)

 # casttest
 add_executable(casttest casttest.c)
-target_link_libraries(casttest ${TESTS_LIBS})
+target_link_libraries(casttest ${OPENSSL_LIBS})
 add_test(casttest casttest)

 # chachatest
 add_executable(chachatest chachatest.c)
-target_link_libraries(chachatest ${TESTS_LIBS})
+target_link_libraries(chachatest ${OPENSSL_LIBS})
 add_test(chachatest chachatest)

 # cipher_list
 add_executable(cipher_list cipher_list.c)
-target_link_libraries(cipher_list ${TESTS_LIBS})
+target_link_libraries(cipher_list ${OPENSSL_LIBS})
 add_test(cipher_list cipher_list)

 # cipherstest
 add_executable(cipherstest cipherstest.c)
-target_link_libraries(cipherstest ${TESTS_LIBS})
+target_link_libraries(cipherstest ${OPENSSL_LIBS})
 add_test(cipherstest cipherstest)

 # clienttest
 add_executable(clienttest clienttest.c)
-target_link_libraries(clienttest ${TESTS_LIBS})
+target_link_libraries(clienttest ${OPENSSL_LIBS})
 add_test(clienttest clienttest)

 # cts128test
 add_executable(cts128test cts128test.c)
-target_link_libraries(cts128test ${TESTS_LIBS})
+target_link_libraries(cts128test ${OPENSSL_LIBS})
 add_test(cts128test cts128test)

 # destest
 add_executable(destest destest.c)
-target_link_libraries(destest ${TESTS_LIBS})
+target_link_libraries(destest ${OPENSSL_LIBS})
 add_test(destest destest)

 # dhtest
 add_executable(dhtest dhtest.c)
-target_link_libraries(dhtest ${TESTS_LIBS})
+target_link_libraries(dhtest ${OPENSSL_LIBS})
 add_test(dhtest dhtest)

 # dsatest
 add_executable(dsatest dsatest.c)
-target_link_libraries(dsatest ${TESTS_LIBS})
+target_link_libraries(dsatest ${OPENSSL_LIBS})
 add_test(dsatest dsatest)

 # ecdhtest
 add_executable(ecdhtest ecdhtest.c)
-target_link_libraries(ecdhtest ${TESTS_LIBS})
+target_link_libraries(ecdhtest ${OPENSSL_LIBS})
 add_test(ecdhtest ecdhtest)

 # ecdsatest
 add_executable(ecdsatest ecdsatest.c)
-target_link_libraries(ecdsatest ${TESTS_LIBS})
+target_link_libraries(ecdsatest ${OPENSSL_LIBS})
 add_test(ecdsatest ecdsatest)

 # ectest
 add_executable(ectest ectest.c)
-target_link_libraries(ectest ${TESTS_LIBS})
+target_link_libraries(ectest ${OPENSSL_LIBS})
 add_test(ectest ectest)

 # enginetest
 add_executable(enginetest enginetest.c)
-target_link_libraries(enginetest ${TESTS_LIBS})
+target_link_libraries(enginetest ${OPENSSL_LIBS})
 add_test(enginetest enginetest)

 # evptest
 add_executable(evptest evptest.c)
-target_link_libraries(evptest ${TESTS_LIBS})
-add_test(evptest evptest ${CMAKE_CURRENT_SOURCE_DIR}/evptests.txt)
+target_link_libraries(evptest ${OPENSSL_LIBS})
+add_test(evptest ${CMAKE_CURRENT_SOURCE_DIR}/evptest.sh)
+set_tests_properties(evptest PROPERTIES ENVIRONMENT "srcdir=${CMAKE_CURRENT_SOURCE_DIR}")

 # explicit_bzero
 # explicit_bzero relies on SA_ONSTACK, which is unavailable on Windows
@@ -156,126 +143,118 @@ if(NOT CMAKE_HOST_WIN32)
 if(HAVE_MEMMEM)
 	add_executable(explicit_bzero explicit_bzero.c)
 else()
-		add_executable(explicit_bzero explicit_bzero.c compat/memmem.c)
+	add_executable(explicit_bzero explicit_bzero.c memmem.c)
 endif()
-	target_link_libraries(explicit_bzero ${TESTS_LIBS})
+target_link_libraries(explicit_bzero ${OPENSSL_LIBS})
 add_test(explicit_bzero explicit_bzero)
 endif()

 # exptest
 add_executable(exptest exptest.c)
-set_source_files_properties(exptest.c PROPERTIES COMPILE_FLAGS -ULIBRESSL_INTERNAL)
-target_link_libraries(exptest ${TESTS_LIBS})
+target_link_libraries(exptest ${OPENSSL_LIBS})
 add_test(exptest exptest)

 # gcm128test
 add_executable(gcm128test gcm128test.c)
-target_link_libraries(gcm128test ${TESTS_LIBS})
+target_link_libraries(gcm128test ${OPENSSL_LIBS})
 add_test(gcm128test gcm128test)

 # gost2814789t
 add_executable(gost2814789t gost2814789t.c)
-target_link_libraries(gost2814789t ${TESTS_LIBS})
+target_link_libraries(gost2814789t ${OPENSSL_LIBS})
 add_test(gost2814789t gost2814789t)

 # hmactest
 add_executable(hmactest hmactest.c)
-target_link_libraries(hmactest ${TESTS_LIBS})
+target_link_libraries(hmactest ${OPENSSL_LIBS})
 add_test(hmactest hmactest)

 # ideatest
 add_executable(ideatest ideatest.c)
-target_link_libraries(ideatest ${TESTS_LIBS})
+target_link_libraries(ideatest ${OPENSSL_LIBS})
 add_test(ideatest ideatest)

 # igetest
 add_executable(igetest igetest.c)
-target_link_libraries(igetest ${TESTS_LIBS})
+target_link_libraries(igetest ${OPENSSL_LIBS})
 add_test(igetest igetest)

 # md4test
 add_executable(md4test md4test.c)
-target_link_libraries(md4test ${TESTS_LIBS})
+target_link_libraries(md4test ${OPENSSL_LIBS})
 add_test(md4test md4test)

 # md5test
 add_executable(md5test md5test.c)
-target_link_libraries(md5test ${TESTS_LIBS})
+target_link_libraries(md5test ${OPENSSL_LIBS})
 add_test(md5test md5test)

 # mont
 add_executable(mont mont.c)
-target_link_libraries(mont ${TESTS_LIBS})
+target_link_libraries(mont ${OPENSSL_LIBS})
 add_test(mont mont)

 # ocsp_test
 if(ENABLE_EXTRATESTS)
 	add_executable(ocsp_test ocsp_test.c)
-	target_link_libraries(ocsp_test ${TESTS_LIBS})
-	if(NOT MSVC)
+	target_link_libraries(ocsp_test ${OPENSSL_LIBS})
 	add_test(ocsptest ${CMAKE_CURRENT_SOURCE_DIR}/ocsptest.sh)
-	else()
-		add_test(ocsptest ${CMAKE_CURRENT_SOURCE_DIR}/ocsptest.bat)
-	endif()
+	set_tests_properties(ocsptest PROPERTIES ENVIRONMENT "srcdir=${CMAKE_CURRENT_SOURCE_DIR}")
 endif()

 # optionstest
 add_executable(optionstest optionstest.c)
-target_link_libraries(optionstest ${TESTS_LIBS})
+target_link_libraries(optionstest ${OPENSSL_LIBS})
 add_test(optionstest optionstest)

 # pbkdf2
 add_executable(pbkdf2 pbkdf2.c)
-target_link_libraries(pbkdf2 ${TESTS_LIBS})
+target_link_libraries(pbkdf2 ${OPENSSL_LIBS})
 add_test(pbkdf2 pbkdf2)

 # pidwraptest
 # pidwraptest relies on an OS-specific way to give out pids and is generally
 # awkward on systems with slow fork
-if(ENABLE_EXTRATESTS AND NOT MSVC)
+if(ENABLE_EXTRATESTS)
 	add_executable(pidwraptest pidwraptest.c)
-	target_link_libraries(pidwraptest ${TESTS_LIBS})
+	target_link_libraries(pidwraptest ${OPENSSL_LIBS})
 	add_test(pidwraptest ${CMAKE_CURRENT_SOURCE_DIR}/pidwraptest.sh)
 endif()

 # pkcs7test
 add_executable(pkcs7test pkcs7test.c)
-target_link_libraries(pkcs7test ${TESTS_LIBS})
+target_link_libraries(pkcs7test ${OPENSSL_LIBS})
 add_test(pkcs7test pkcs7test)

 # poly1305test
 add_executable(poly1305test poly1305test.c)
-target_link_libraries(poly1305test ${TESTS_LIBS})
+target_link_libraries(poly1305test ${OPENSSL_LIBS})
 add_test(poly1305test poly1305test)

 # pq_test
 add_executable(pq_test pq_test.c)
-target_link_libraries(pq_test ${TESTS_LIBS})
-if(NOT MSVC)
+target_link_libraries(pq_test ${OPENSSL_LIBS})
 add_test(pq_test ${CMAKE_CURRENT_SOURCE_DIR}/pq_test.sh)
-else()
-	add_test(pq_test ${CMAKE_CURRENT_SOURCE_DIR}/pq_test.bat)
-endif()
 set_tests_properties(pq_test PROPERTIES ENVIRONMENT "srcdir=${CMAKE_CURRENT_SOURCE_DIR}")

 # randtest
 add_executable(randtest randtest.c)
-target_link_libraries(randtest ${TESTS_LIBS})
+target_link_libraries(randtest ${OPENSSL_LIBS})
 add_test(randtest randtest)

 # rc2test
 add_executable(rc2test rc2test.c)
-target_link_libraries(rc2test ${TESTS_LIBS})
+target_link_libraries(rc2test ${OPENSSL_LIBS})
 add_test(rc2test rc2test)

 # rc4test
 add_executable(rc4test rc4test.c)
-target_link_libraries(rc4test ${TESTS_LIBS})
+target_link_libraries(rc4test ${OPENSSL_LIBS})
 add_test(rc4test rc4test)

 # rfc5280time
 add_executable(rfc5280time rfc5280time.c)
-target_link_libraries(rfc5280time ${TESTS_LIBS})
+target_link_libraries(rfc5280time ${OPENSSL_LIBS})
 if(SMALL_TIME_T)
 	add_test(rfc5280time ${CMAKE_CURRENT_SOURCE_DIR}/rfc5280time_small.test)
 else()
@@ -284,118 +263,53 @@ endif()

 # rmdtest
 add_executable(rmdtest rmdtest.c)
-target_link_libraries(rmdtest ${TESTS_LIBS})
+target_link_libraries(rmdtest ${OPENSSL_LIBS})
 add_test(rmdtest rmdtest)

-# rsa_test
-add_executable(rsa_test rsa_test.c)
-target_link_libraries(rsa_test ${TESTS_LIBS})
-add_test(rsa_test rsa_test)
-
 # sha1test
 add_executable(sha1test sha1test.c)
-target_link_libraries(sha1test ${TESTS_LIBS})
+target_link_libraries(sha1test ${OPENSSL_LIBS})
 add_test(sha1test sha1test)

 # sha256test
 add_executable(sha256test sha256test.c)
-target_link_libraries(sha256test ${TESTS_LIBS})
+target_link_libraries(sha256test ${OPENSSL_LIBS})
 add_test(sha256test sha256test)

 # sha512test
 add_executable(sha512test sha512test.c)
-target_link_libraries(sha512test ${TESTS_LIBS})
+target_link_libraries(sha512test ${OPENSSL_LIBS})
 add_test(sha512test sha512test)

-# ssl_versions
-add_executable(ssl_versions ssl_versions.c)
-target_link_libraries(ssl_versions ${TESTS_LIBS})
-add_test(ssl_versions ssl_versions)
-
 # ssltest
 add_executable(ssltest ssltest.c)
-target_link_libraries(ssltest ${TESTS_LIBS})
-if(NOT MSVC)
+target_link_libraries(ssltest ${OPENSSL_LIBS})
 add_test(ssltest ${CMAKE_CURRENT_SOURCE_DIR}/ssltest.sh)
-else()
-	add_test(ssltest ${CMAKE_CURRENT_SOURCE_DIR}/ssltest.bat)
-endif()
 set_tests_properties(ssltest PROPERTIES ENVIRONMENT "srcdir=${CMAKE_CURRENT_SOURCE_DIR}")

 # testdsa
-if(NOT MSVC)
 add_test(testdsa ${CMAKE_CURRENT_SOURCE_DIR}/testdsa.sh)
-else()
-	add_test(testdsa ${CMAKE_CURRENT_SOURCE_DIR}/testdsa.bat)
-endif()
 set_tests_properties(testdsa PROPERTIES ENVIRONMENT "srcdir=${CMAKE_CURRENT_SOURCE_DIR}")

 # testenc
-if(NOT MSVC)
 add_test(testenc ${CMAKE_CURRENT_SOURCE_DIR}/testenc.sh)
-else()
-	add_test(testenc ${CMAKE_CURRENT_SOURCE_DIR}/testenc.bat)
-endif()
 set_tests_properties(testenc PROPERTIES ENVIRONMENT "srcdir=${CMAKE_CURRENT_SOURCE_DIR}")

 # testrsa
-if(NOT MSVC)
 add_test(testrsa ${CMAKE_CURRENT_SOURCE_DIR}/testrsa.sh)
-else()
-	add_test(testrsa ${CMAKE_CURRENT_SOURCE_DIR}/testrsa.bat)
-endif()
 set_tests_properties(testrsa PROPERTIES ENVIRONMENT "srcdir=${CMAKE_CURRENT_SOURCE_DIR}")

 # timingsafe
 add_executable(timingsafe timingsafe.c)
-target_link_libraries(timingsafe ${TESTS_LIBS})
+target_link_libraries(timingsafe ${OPENSSL_LIBS})
 add_test(timingsafe timingsafe)

-# tlstest
-set(TLSTEST_SRC tlstest.c)
-check_function_exists(pipe2 HAVE_PIPE2)
-if(HAVE_PIPE2)
-	add_definitions(-DHAVE_PIPE2)
-else()
-	set(TLSTEST_SRC ${TLSTEST_SRC} compat/pipe2.c)
-endif()
-
-add_executable(tlstest ${TLSTEST_SRC})
-target_link_libraries(tlstest ${TESTS_LIBS})
-if(NOT MSVC)
-	add_test(tlstest ${CMAKE_CURRENT_SOURCE_DIR}/tlstest.sh)
-else()
-	add_test(tlstest ${CMAKE_CURRENT_SOURCE_DIR}/tlstest.bat)
-endif()
-set_tests_properties(tlstest PROPERTIES ENVIRONMENT "srcdir=${CMAKE_CURRENT_SOURCE_DIR}")
-
-# tls_ext_alpn
-add_executable(tls_ext_alpn tls_ext_alpn.c)
-target_link_libraries(tls_ext_alpn ${TESTS_LIBS})
-add_test(tls_ext_alpn tls_ext_alpn)
-
 # utf8test
 add_executable(utf8test utf8test.c)
-target_link_libraries(utf8test ${TESTS_LIBS})
+target_link_libraries(utf8test ${OPENSSL_LIBS})
 add_test(utf8test utf8test)

 # verifytest
 add_executable(verifytest verifytest.c)
-target_link_libraries(verifytest tls ${TESTS_LIBS})
+target_link_libraries(verifytest tls ${OPENSSL_LIBS})
 add_test(verifytest verifytest)
-
-# x25519test
-add_executable(x25519test x25519test.c)
-target_link_libraries(x25519test ${TESTS_LIBS})
-add_test(x25519test x25519test)
-
-if(ENABLE_VSTEST AND USE_SHARED)
-	add_custom_command(TARGET x25519test POST_BUILD
-		COMMAND "${CMAKE_COMMAND}" -E copy
-		"$<TARGET_FILE:tls-shared>"
-		"$<TARGET_FILE:ssl-shared>"
-		"$<TARGET_FILE:crypto-shared>"
-		"${CMAKE_CURRENT_BINARY_DIR}"
-		COMMENT "Copying DLLs for regression tests")
-endif()
-
--- a/tests/Makefile.am
+++ b/tests/Makefile.am
@@ -5,15 +5,11 @@ AM_CPPFLAGS += -I $(top_srcdir)/crypto/asn1
 AM_CPPFLAGS += -I $(top_srcdir)/ssl
 AM_CPPFLAGS += -I $(top_srcdir)/apps/openssl
 AM_CPPFLAGS += -I $(top_srcdir)/apps/openssl/compat
-AM_CPPFLAGS += -D_PATH_SSL_CA_FILE=\"$(top_srcdir)/apps/openssl/cert.pem\"

-LDADD = $(abs_top_builddir)/tls/.libs/libtls.a
-LDADD += $(abs_top_builddir)/ssl/.libs/libssl.a
-LDADD += $(abs_top_builddir)/crypto/.libs/libcrypto.a
-LDADD += $(PLATFORM_LDADD) $(PROG_LDADD)
-if HOST_ASM_MACOSX_X86_64
-LDADD += $(abs_top_builddir)/crypto/.libs/libcrypto_la-cpuid-macosx-x86_64.o
-endif
+LDADD = $(PLATFORM_LDADD) $(PROG_LDADD)
+LDADD += $(abs_top_builddir)/ssl/libssl.la
+LDADD += $(abs_top_builddir)/crypto/libcrypto.la
+LDADD += $(abs_top_builddir)/tls/libtls.la

 TEST_LOG_DRIVER = env AM_TAP_AWK='$(AWK)' $(SHELL) $(top_srcdir)/tap-driver.sh

@@ -73,7 +69,6 @@ endif

 # bntest
 TESTS += bntest
-bntest_CPPFLAGS = $(AM_CPPFLAGS) -ULIBRESSL_INTERNAL
 check_PROGRAMS += bntest
 bntest_SOURCES = bntest.c

@@ -163,7 +158,7 @@ TESTS += explicit_bzero
 check_PROGRAMS += explicit_bzero
 explicit_bzero_SOURCES = explicit_bzero.c
 if !HAVE_MEMMEM
-explicit_bzero_SOURCES += compat/memmem.c
+explicit_bzero_SOURCES += memmem.c
 endif
 endif
 endif
@@ -171,7 +166,6 @@ endif
 # exptest
 TESTS += exptest
 check_PROGRAMS += exptest
-exptest_CPPFLAGS = $(AM_CPPFLAGS) -ULIBRESSL_INTERNAL
 exptest_SOURCES = exptest.c

 # gcm128test
@@ -220,7 +214,7 @@ TESTS += ocsptest.sh
 check_PROGRAMS += ocsp_test
 ocsp_test_SOURCES = ocsp_test.c
 endif
-EXTRA_DIST += ocsptest.sh ocsptest.bat
+EXTRA_DIST += ocsptest.sh

 # optionstest
 TESTS += optionstest
@@ -256,7 +250,7 @@ poly1305test_SOURCES = poly1305test.c
 TESTS += pq_test.sh
 check_PROGRAMS += pq_test
 pq_test_SOURCES = pq_test.c
-EXTRA_DIST += pq_test.sh pq_test.bat
+EXTRA_DIST += pq_test.sh
 EXTRA_DIST += pq_expected.txt

 # randtest
@@ -289,11 +283,6 @@ TESTS += rmdtest
 check_PROGRAMS += rmdtest
 rmdtest_SOURCES = rmdtest.c

-# rsa_test
-TESTS += rsa_test
-check_PROGRAMS += rsa_test
-rsa_test_SOURCES = rsa_test.c
-
 # sha1test
 TESTS += sha1test
 check_PROGRAMS += sha1test
@@ -309,50 +298,31 @@ TESTS += sha512test
 check_PROGRAMS += sha512test
 sha512test_SOURCES = sha512test.c

-# ssl_versions
-TESTS += ssl_versions
-check_PROGRAMS += ssl_versions
-ssl_versions_SOURCES = ssl_versions.c
-
 # ssltest
 TESTS += ssltest.sh
 check_PROGRAMS += ssltest
 ssltest_SOURCES = ssltest.c
-EXTRA_DIST += ssltest.sh ssltest.bat
-EXTRA_DIST += testssl testssl.bat ca.pem server.pem
+EXTRA_DIST += ssltest.sh
+EXTRA_DIST += testssl ca.pem server.pem

 # testdsa
 TESTS += testdsa.sh
-EXTRA_DIST += testdsa.sh testdsa.bat
+EXTRA_DIST += testdsa.sh
 EXTRA_DIST += openssl.cnf

 # testenc
 TESTS += testenc.sh
-EXTRA_DIST += testenc.sh testenc.bat
+EXTRA_DIST += testenc.sh

 # testrsa
 TESTS += testrsa.sh
-EXTRA_DIST += testrsa.sh testrsa.bat
+EXTRA_DIST += testrsa.sh

 # timingsafe
 TESTS += timingsafe
 check_PROGRAMS += timingsafe
 timingsafe_SOURCES = timingsafe.c

-# tlstest
-TESTS += tlstest.sh
-check_PROGRAMS += tlstest
-tlstest_SOURCES = tlstest.c
-if !HAVE_PIPE2
-tlstest_SOURCES += compat/pipe2.c
-endif
-EXTRA_DIST += tlstest.sh tlstest.bat
-
-# tls_ext_alpn
-TESTS += tls_ext_alpn
-check_PROGRAMS += tls_ext_alpn
-tls_ext_alpn_SOURCES = tls_ext_alpn.c
-
 # utf8test
 TESTS += utf8test
 check_PROGRAMS += utf8test
@@ -362,8 +332,3 @@ utf8test_SOURCES = utf8test.c
 TESTS += verifytest
 check_PROGRAMS += verifytest
 verifytest_SOURCES = verifytest.c
-
-# x25519test
-TESTS += x25519test
-check_PROGRAMS += x25519test
-x25519test_SOURCES = x25519test.c
--- a/tests/compat/pipe2.c
+++ b/tests/compat/pipe2.c
@@ -1,167 +0,0 @@
-/*
- * Public domain
- *
- * pipe2/pipe/socketpair emulation
- * Brent Cook <bcook@openbsd.org>
- */
-
-#include <errno.h>
-#include <fcntl.h>
-#include <unistd.h>
-#include <sys/socket.h>
-
-#undef socketpair
-
-#ifdef _WIN32
-
-static int setfd(int fd, int flag)
-{
-	int rc = -1;
-	if (flag & FD_CLOEXEC) {
-		HANDLE h = (HANDLE)_get_osfhandle(fd);
-		if (h != NULL)
-			rc = SetHandleInformation(h, HANDLE_FLAG_INHERIT, 0) == 0 ? -1 : 0;
-	}
-	return rc;
-}
-
-static int setfl(int fd, int flag)
-{
-	int rc = -1;
-	if (flag & O_NONBLOCK) {
-		long mode = 1;
-		rc = ioctlsocket(fd, FIONBIO, &mode);
-	}
-	return rc;
-}
-
-int socketpair(int domain, int type, int protocol, int socket_vector[2])
-{
-	if (domain != AF_UNIX || !(type & SOCK_STREAM) || protocol != PF_UNSPEC)
-		return -1;
-
-	socket_vector[0] = -1;
-	socket_vector[1] = -1;
-
-	int listener = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP);
-	if (listener == -1) {
-		return -1;
-	}
-
-	struct sockaddr_in addr = {
-		.sin_family = AF_INET,
-		.sin_addr.s_addr = htonl(INADDR_LOOPBACK),
-		.sin_port = 0,
-	};
-
-	int yes = 1, e;
-	if (setsockopt(listener, SOL_SOCKET, SO_REUSEADDR,
-			(void *)&yes, sizeof yes) == -1)
-		goto err;
-
-	if (bind(listener, (struct sockaddr *)&addr, sizeof addr) != 0)
-		goto err;
-
-	memset(&addr, 0, sizeof addr);
-	socklen_t addrlen = sizeof addr;
-	if (getsockname(listener, (struct sockaddr *)&addr, &addrlen) != 0)
-		goto err;
-
-	addr.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
-	addr.sin_family = AF_INET;
-
-	if (listen(listener, 1) != 0)
-		goto err;
-
-	socket_vector[0] = WSASocket(AF_INET, SOCK_STREAM, 0, NULL, 0, 0);
-	if (socket_vector[0] == -1)
-		goto err;
-
-	if (connect(socket_vector[0], (struct sockaddr *)&addr, sizeof addr) != 0)
-		goto err;
-
-	socket_vector[1] = accept(listener, NULL, NULL);
-	if (socket_vector[1] == -1)
-		goto err;
-
-	closesocket(listener);
-	return 0;
-
-err:
-	e = WSAGetLastError();
-	closesocket(listener);
-	closesocket(socket_vector[0]);
-	closesocket(socket_vector[1]);
-	WSASetLastError(e);
-	socket_vector[0] = -1;
-	socket_vector[1] = -1;
-	return -1;
-}
-
-int pipe(int fildes[2])
-{
-	return socketpair(AF_UNIX, SOCK_STREAM | SOCK_NONBLOCK, PF_UNSPEC, fildes);
-}
-
-#else
-
-static int setfd(int fd, int flag)
-{
-	int flags = fcntl(fd, F_GETFD);
-	flags |= flag;
-	return fcntl(fd, F_SETFD, flags);
-}
-
-static int setfl(int fd, int flag)
-{
-	int flags = fcntl(fd, F_GETFL);
-	flags |= flag;
-	return fcntl(fd, F_SETFL, flags);
-}
-#endif
-
-int pipe2(int fildes[2], int flags)
-{
-	int rc = pipe(fildes);
-	if (rc == 0) {
-		if (flags & O_NONBLOCK) {
-			rc |= setfl(fildes[0], O_NONBLOCK);
-			rc |= setfl(fildes[1], O_NONBLOCK);
-		}
-		if (flags & O_CLOEXEC) {
-			rc |= setfd(fildes[0], FD_CLOEXEC);
-			rc |= setfd(fildes[1], FD_CLOEXEC);
-		}
-		if (rc != 0) {
-			int e = errno;
-			close(fildes[0]);
-			close(fildes[1]);
-			errno = e;
-		}
-	}
-	return rc;
-}
-
-int bsd_socketpair(int domain, int type, int protocol, int socket_vector[2])
-{
-	int flags = type & ~0xf;
-	type &= 0xf;
-	int rc = socketpair(domain, type, protocol, socket_vector);
-	if (rc == 0) {
-		if (flags & SOCK_NONBLOCK) {
-			rc |= setfl(socket_vector[0], O_NONBLOCK);
-			rc |= setfl(socket_vector[1], O_NONBLOCK);
-		}
-		if (flags & SOCK_CLOEXEC) {
-			rc |= setfd(socket_vector[0], FD_CLOEXEC);
-			rc |= setfd(socket_vector[1], FD_CLOEXEC);
-		}
-		if (rc != 0) {
-			int e = errno;
-			close(socket_vector[0]);
-			close(socket_vector[1]);
-			errno = e;
-		}
-	}
-	return rc;
-}
--- a/tests/ocsptest.bat
+++ b/tests/ocsptest.bat
@@ -1,11 +0,0 @@
-@echo off
-setlocal enabledelayedexpansion
-REM	ocsptest.bat
-
-set TEST=Debug\ocsp_test.exe
-if not exist %TEST% exit /b 1
-
-%TEST% www.amazon.com 443 & if !errorlevel! neq 0 exit /b 1
-%TEST% cloudflare.com 443 & if !errorlevel! neq 0 exit /b 1
-
-endlocal
--- a/tests/pq_test.bat
+++ b/tests/pq_test.bat
@@ -1,14 +0,0 @@
-@echo off
-setlocal enabledelayedexpansion
-REM	pq_test.bat
-
-set TEST=Debug\pq_test.exe
-if not exist %TEST% exit /b 1
-
-set pq_output=pq_output.txt
-if exist %pq_output% del %pq_output%
-
-%TEST% > %pq_output%
-fc /b %pq_output% %srcdir%\pq_expected.txt
-
-endlocal
--- a/tests/ssltest.bat
+++ b/tests/ssltest.bat
@@ -1,21 +0,0 @@
-@echo off
-setlocal enabledelayedexpansion
-REM	ssltest.bat
-
-set ssltest_bin=Debug\ssltest.exe
-if not exist %ssltest_bin% exit /b 1
-
-set openssl_bin=..\apps\openssl\Debug\openssl.exe
-if not exist %openssl_bin% exit /b 1
-
-if "%srcdir%"=="" (
-	set srcdir=.
-)
-
-%srcdir%\testssl.bat %srcdir%\server.pem %srcdir%\server.pem %srcdir%\ca.pem ^
-    %ssltest_bin% %openssl_bin%
-if !errorlevel! neq 0 (
-	exit /b 1
-)
-
-endlocal
--- a/tests/testdsa.bat
+++ b/tests/testdsa.bat
@@ -1,38 +0,0 @@
-@echo off
-setlocal enabledelayedexpansion
-REM	testdsa.bat
-
-
-REM # Test DSA certificate generation of openssl
-
-set cmd=..\apps\openssl\Debug\openssl.exe
-if not exist %cmd% exit /b 1
-
-if "%srcdir%"=="" (
-	set srcdir=.
-)
-
-REM # Generate DSA paramter set
-%cmd% dsaparam 512 -out dsa512.pem
-if !errorlevel! neq 0 (
-	exit /b 1
-)
-
-
-REM # Generate a DSA certificate
-%cmd% req -config %srcdir%\openssl.cnf -x509 -newkey dsa:dsa512.pem -out testdsa.pem -keyout testdsa.key
-if !errorlevel! neq 0 (
-	exit /b 1
-)
-
-
-REM # Now check the certificate
-%cmd% x509 -text -in testdsa.pem
-if !errorlevel! neq 0 (
-	exit /b 1
-)
-
-del testdsa.key dsa512.pem testdsa.pem
-
-exit /b 0
-endlocal
--- a/tests/testenc.bat
+++ b/tests/testenc.bat
@@ -1,69 +0,0 @@
-@echo off
-setlocal enabledelayedexpansion
-REM	testenc.bat
-
-set test=p
-set cmd=..\apps\openssl\Debug\openssl.exe
-if not exist %cmd% exit /b 1
-
-set srcdir=..\..\tests
-
-copy %srcdir%\openssl.cnf %test%
-
-echo cat
-%cmd% enc -in %test% -out %test%.cipher
-%cmd% enc -in %test%.cipher -out %test%.clear
-fc /b %test% %test%.clear
-if !errorlevel! neq 0 (
-	exit /b 1
-) else (
-	del %test%.cipher %test%.clear
-)
-
-echo base64
-%cmd% enc -a -e -in %test% -out %test%.cipher
-%cmd% enc -a -d -in %test%.cipher -out %test%.clear
-fc /b %test% %test%.clear
-if !errorlevel! neq 0 (
-	exit /b 1
-) else (
-	del %test%.cipher %test%.clear
-)
-
-for %%i in (
-	aes-128-cbc aes-128-cfb aes-128-cfb1 aes-128-cfb8
-	aes-128-ecb aes-128-ofb aes-192-cbc aes-192-cfb
-	aes-192-cfb1 aes-192-cfb8 aes-192-ecb aes-192-ofb
-	aes-256-cbc aes-256-cfb aes-256-cfb1 aes-256-cfb8
-	aes-256-ecb aes-256-ofb
-	bf-cbc bf-cfb bf-ecb bf-ofb
-	cast-cbc cast5-cbc cast5-cfb cast5-ecb cast5-ofb
-	des-cbc des-cfb des-cfb8 des-ecb des-ede
-	des-ede-cbc des-ede-cfb des-ede-ofb des-ede3
-	des-ede3-cbc des-ede3-cfb des-ede3-ofb des-ofb desx-cbc
-	rc2-40-cbc rc2-64-cbc rc2-cbc rc2-cfb rc2-ecb rc2-ofb
-	rc4 rc4-40
-) do (
-	echo %%i
-	%cmd% %%i -e -k test -in %test% -out %test%.%%i.cipher
-	%cmd% %%i -d -k test -in %test%.%%i.cipher -out %test%.%%i.clear
-	fc /b %test% %test%.%%i.clear
-	if !errorlevel! neq 0 (
-		exit /b 1
-	) else (
-		del %test%.%%i.cipher %test%.%%i.clear
-	)
-
-	echo %%i base64
-	%cmd% %%i -a -e -k test -in %test% -out %test%.%%i.cipher
-	%cmd% %%i -a -d -k test -in %test%.%%i.cipher -out %test%.%%i.clear
-	fc /b %test% %test%.%%i.clear
-	if !errorlevel! neq 0 (
-		exit /b 1
-	) else (
-		del %test%.%%i.cipher %test%.%%i.clear
-	)
-)
-
-del %test%
-endlocal
--- a/tests/testrsa.bat
+++ b/tests/testrsa.bat
@@ -1,38 +0,0 @@
-@echo off
-setlocal enabledelayedexpansion
-REM	testrsa.bat
-
-
-REM # Test RSA certificate generation of openssl
-
-set cmd=..\apps\openssl\Debug\openssl.exe
-if not exist %cmd% exit /b 1
-
-if "%srcdir%"=="" (
-	set srcdir=.
-)
-
-REM # Generate RSA private key
-%cmd% genrsa -out rsakey.pem
-if !errorlevel! neq 0 (
-	exit /b 1
-)
-
-
-REM # Generate an RSA certificate
-%cmd% req -config %srcdir%\openssl.cnf -key rsakey.pem -new -x509 -days 365 -out rsacert.pem
-if !errorlevel! neq 0 (
-	exit /b 1
-)
-
-
-REM # Now check the certificate
-%cmd% x509 -text -in rsacert.pem
-if !errorlevel! neq 0 (
-	exit /b 1
-)
-
-del rsacert.pem rsakey.pem
-
-exit /b 0
-endlocal
--- a/tests/testssl.bat
+++ b/tests/testssl.bat
@@ -1,157 +0,0 @@
-@echo off
-setlocal enabledelayedexpansion
-REM	testssl.bat
-
-set key=%1
-set cert=%2
-set CA=-CAfile %3
-set ssltest=%4 -key %key% -cert %cert% -c_key %key% -c_cert %cert%
-set openssl=%5
-set extra=%6
-
-%openssl% version & if !errorlevel! neq 0 exit /b 1
-
-for /f "usebackq" %%s in (`%openssl% x509 -in %cert% -text -noout ^| find /c "DSA Public Key"`) do set lines=%%s
-if %lines% gtr 0 (
-  set dsa_cert=YES
-) else (
-  set dsa_cert=NO
-)
-
-REM #########################################################################
-
-echo test sslv2/sslv3
-%ssltest% %extra% & if !errorlevel! neq 0 exit /b 1
-
-echo test sslv2/sslv3 with server authentication
-%ssltest% -server_auth %CA% %extra% & if !errorlevel! neq 0 exit /b 1
-
-echo test sslv2/sslv3 with client authentication
-%ssltest% -client_auth %CA% %extra% & if !errorlevel! neq 0 exit /b 1
-
-echo test sslv2/sslv3 with both client and server authentication
-%ssltest% -server_auth -client_auth %CA% %extra% & if !errorlevel! neq 0 exit /b 1
-
-echo test sslv2/sslv3 via BIO pair
-%ssltest% %extra% & if !errorlevel! neq 0 exit /b 1
-
-if %dsa_cert%==NO (
-  echo "test sslv2/sslv3 w/o (EC)DHE via BIO pair"
-  %ssltest% -bio_pair -no_dhe -no_ecdhe %extra% & if !errorlevel! neq 0 exit /b 1
-)
-
-echo test sslv2/sslv3 with 1024bit DHE via BIO pair
-%ssltest% -bio_pair -dhe1024dsa -v %extra% & if !errorlevel! neq 0 exit /b 1
-
-echo test sslv2/sslv3 with server authentication
-%ssltest% -bio_pair -server_auth %CA% %extra% & if !errorlevel! neq 0 exit /b 1
-
-echo test sslv2/sslv3 with client authentication via BIO pair
-%ssltest% -bio_pair -client_auth %CA% %extra% & if !errorlevel! neq 0 exit /b 1
-
-echo test sslv2/sslv3 with both client and server authentication via BIO pair
-%ssltest% -bio_pair -server_auth -client_auth %CA% %extra% & if !errorlevel! neq 0 exit /b 1
-
-echo test sslv2/sslv3 with both client and server authentication via BIO pair and app verify
-%ssltest% -bio_pair -server_auth -client_auth -app_verify %CA% %extra% & if !errorlevel! neq 0 exit /b 1
-
-echo "Testing ciphersuites"
-for %%p in ( TLSv1.2 ) do (
-  echo "Testing ciphersuites for %%p"
-  for /f "usebackq" %%c in (`%openssl% ciphers -v "%%p+aRSA"`) do (
-    echo "Testing %%c"
-    %ssltest% -cipher %%c
-    if !errorlevel! neq 0 (
-      echo "Failed %%c"
-      exit /b 1
-    )
-  )
-)
-
-REM ##########################################################################
-
-for /f "usebackq" %%s in (`%openssl% no-dh`) do set nodh=%%s
-if %nodh%==no-dh (
-  echo skipping anonymous DH tests
-) else (
-  echo test tls1 with 1024bit anonymous DH, multiple handshakes
-  %ssltest% -v -bio_pair -tls1 -cipher ADH -dhe1024dsa -num 10 -f -time %extra% & if !errorlevel! neq 0 exit /b 1
-)
-
-REM #for /f "usebackq" %%s in (`%openssl% no-rsa`) do set norsa=%%s
-REM #if %norsa%==no-rsa (
-REM #  echo skipping RSA tests
-REM #) else (
-REM #  echo "test tls1 with 1024bit RSA, no (EC)DHE, multiple handshakes"
-REM #  %ssltest% -v -bio_pair -tls1 -cert ..\apps\server2.pem -no_dhe -no_ecdhe -num 10 -f -time %extra% & if !errorlevel! neq 0 exit /b 1
-REM #
-REM #  for /f "usebackq" %%s in (`%openssl% no-dh`) do set nodh=%%s
-REM #  if %nodh%==no-dh (
-REM #    echo skipping RSA+DHE tests
-REM #  ) else (
-REM #    echo test tls1 with 1024bit RSA, 1024bit DHE, multiple handshakes
-REM #    %ssltest% -v -bio_pair -tls1 -cert ..\apps\server2.pem -dhe1024dsa -num 10 -f -time %extra% & if !errorlevel! neq 0 exit /b 1
-REM #  )
-REM #)
-
-REM #
-REM # DTLS tests
-REM #
-
-echo test dtlsv1
-%ssltest% -dtls1 %extra% & if !errorlevel! neq 0 exit /b 1
-
-echo test dtlsv1 with server authentication
-%ssltest% -dtls1 -server_auth %CA% %extra% & if !errorlevel! neq 0 exit /b 1
-
-echo test dtlsv1 with client authentication
-%ssltest% -dtls1 -client_auth %CA% %extra% & if !errorlevel! neq 0 exit /b 1
-
-echo test dtlsv1 with both client and server authentication
-%ssltest% -dtls1 -server_auth -client_auth %CA% %extra% & if !errorlevel! neq 0 exit /b 1
-
-echo "Testing DTLS ciphersuites"
-for %%p in ( SSLv3 ) do (
-  echo "Testing ciphersuites for %%p"
-  for /f "usebackq" %%c in (`%openssl% ciphers -v "RSA+%%p:-RC4"`) do (
-    echo "Testing %%c"
-    %ssltest% -cipher %%c -dtls1
-    if !errorlevel! neq 0 (
-      echo "Failed %%c"
-      exit /b 1
-    )
-  )
-)
-
-REM #
-REM # Next Protocol Negotiation tests
-REM #
-echo "Testing NPN..."
-%ssltest% -bio_pair -tls1 -npn_client & if !errorlevel! neq 0 exit /b 1
-%ssltest% -bio_pair -tls1 -npn_server & if !errorlevel! neq 0 exit /b 1
-%ssltest% -bio_pair -tls1 -npn_server_reject & if !errorlevel! neq 0 exit /b 1
-%ssltest% -bio_pair -tls1 -npn_client -npn_server_reject & if !errorlevel! neq 0 exit /b 1
-%ssltest% -bio_pair -tls1 -npn_client -npn_server & if !errorlevel! neq 0 exit /b 1
-%ssltest% -bio_pair -tls1 -npn_client -npn_server -num 2 & if !errorlevel! neq 0 exit /b 1
-%ssltest% -bio_pair -tls1 -npn_client -npn_server -num 2 -reuse & if !errorlevel! neq 0 exit /b 1
-
-REM #
-REM # ALPN tests
-REM #
-echo "Testing ALPN..."
-%ssltest% -bio_pair -tls1 -alpn_client foo -alpn_server bar & if !errorlevel! neq 0 exit /b 1
-%ssltest% -bio_pair -tls1 -alpn_client foo -alpn_server foo ^
-  -alpn_expected foo & if !errorlevel! neq 0 exit /b 1
-%ssltest% -bio_pair -tls1 -alpn_client foo,bar -alpn_server foo ^
-  -alpn_expected foo & if !errorlevel! neq 0 exit /b 1
-%ssltest% -bio_pair -tls1 -alpn_client bar,foo -alpn_server foo ^
-  -alpn_expected foo & if !errorlevel! neq 0 exit /b 1
-%ssltest% -bio_pair -tls1 -alpn_client bar,foo -alpn_server foo,bar ^
-  -alpn_expected foo & if !errorlevel! neq 0 exit /b 1
-%ssltest% -bio_pair -tls1 -alpn_client bar,foo -alpn_server bar,foo ^
-  -alpn_expected bar & if !errorlevel! neq 0 exit /b 1
-%ssltest% -bio_pair -tls1 -alpn_client foo,bar -alpn_server bar,foo ^
-  -alpn_expected bar & if !errorlevel! neq 0 exit /b 1
-%ssltest% -bio_pair -tls1 -alpn_client baz -alpn_server bar,foo & if !errorlevel! neq 0 exit /b 1
-
-endlocal
--- a/tests/tlstest.bat
+++ b/tests/tlstest.bat
@@ -1,17 +0,0 @@
-@echo off
-setlocal enabledelayedexpansion
-REM	tlstest.bat
-
-set tlstest_bin=Debug\tlstest.exe
-if not exist %tlstest_bin% exit /b 1
-
-if "%srcdir%"=="" (
-	set srcdir=.
-)
-
-%tlstest_bin% %srcdir%\server.pem %srcdir%\server.pem %srcdir%\ca.pem
-if !errorlevel! neq 0 (
-	exit /b 1
-)
-
-endlocal
--- a/tests/tlstest.sh
+++ b/tests/tlstest.sh
@@ -1,13 +0,0 @@
-#!/bin/sh
-set -e
-
-tlstest_bin=./tlstest
-if [ -e ./tlstest.exe ]; then
-	tlstest_bin=./tlstest.exe
-fi
-
-if [ -z $srcdir ]; then
-	srcdir=.
-fi
-
-$tlstest_bin $srcdir/server.pem $srcdir/server.pem $srcdir/ca.pem
--- a/tls/CMakeLists.txt
+++ b/tls/CMakeLists.txt
@@ -7,36 +7,34 @@ include_directories(
 set(
 	TLS_SRC
 	tls.c
-	tls_bio_cb.c
 	tls_client.c
 	tls_config.c
 	tls_conninfo.c
 	tls_server.c
-	tls_ocsp.c
 	tls_peer.c
 	tls_util.c
 	tls_verify.c
 )


+if(NOT HAVE_STRSEP)
+	set(TLS_SRC ${TLS_SRC} strsep.c)
+endif()
+
 if(NOT "${OPENSSLDIR}" STREQUAL "")
 	add_definitions(-D_PATH_SSL_CA_FILE=\"${OPENSSLDIR}/cert.pem\")
 else()
 	add_definitions(-D_PATH_SSL_CA_FILE=\"${CMAKE_INSTALL_PREFIX}/etc/ssl/cert.pem\")
 endif()

-add_library(tls-objects OBJECT ${TLS_SRC})
 if (BUILD_SHARED)
+	add_library(tls-objects OBJECT ${TLS_SRC})
 	add_library(tls STATIC $<TARGET_OBJECTS:tls-objects>)
 	add_library(tls-shared SHARED $<TARGET_OBJECTS:tls-objects>)
-	export_symbol(tls-shared ${CMAKE_CURRENT_SOURCE_DIR}/tls.sym)
-	if (WIN32)
+	if (MSVC)
 		target_link_libraries(tls-shared ssl-shared crypto-shared Ws2_32.lib)
-		set(TLS_POSTFIX -${TLS_MAJOR_VERSION})
 	endif()
-	set_target_properties(tls-shared PROPERTIES
-		OUTPUT_NAME tls${TLS_POSTFIX}
-		ARCHIVE_OUTPUT_NAME tls${TLS_POSTFIX})
+	set_target_properties(tls-shared PROPERTIES OUTPUT_NAME tls)
 	set_target_properties(tls-shared PROPERTIES VERSION ${TLS_VERSION}
 		SOVERSION ${TLS_MAJOR_VERSION})
 	install(TARGETS tls tls-shared DESTINATION lib)
--- a/tls/Makefile.am
+++ b/tls/Makefile.am
@@ -4,9 +4,8 @@ lib_LTLIBRARIES = libtls.la

 EXTRA_DIST = VERSION
 EXTRA_DIST += CMakeLists.txt
-EXTRA_DIST += tls.sym

-libtls_la_LDFLAGS = -version-info @LIBTLS_VERSION@ -no-undefined -export-symbols $(top_srcdir)/tls/tls.sym
+libtls_la_LDFLAGS = -version-info @LIBTLS_VERSION@ -no-undefined
 libtls_la_LIBADD = $(abs_top_builddir)/ssl/libssl.la
 libtls_la_LIBADD += $(abs_top_builddir)/crypto/libcrypto.la
 libtls_la_LIBADD += $(PLATFORM_LDADD)
@@ -20,12 +19,14 @@ endif

 libtls_la_SOURCES = tls.c
 libtls_la_SOURCES += tls_client.c
-libtls_la_SOURCES += tls_bio_cb.c
 libtls_la_SOURCES += tls_config.c
 libtls_la_SOURCES += tls_conninfo.c
 libtls_la_SOURCES += tls_server.c
-libtls_la_SOURCES += tls_ocsp.c
 libtls_la_SOURCES += tls_peer.c
 libtls_la_SOURCES += tls_util.c
 libtls_la_SOURCES += tls_verify.c
 noinst_HEADERS = tls_internal.h
+
+if !HAVE_STRSEP
+libtls_la_SOURCES += strsep.c
+endif
--- a/update.sh
+++ b/update.sh
@@ -13,6 +13,7 @@ if [ ! -d openbsd ]; then
 	fi
 fi
 (cd openbsd
+ git fetch
 git checkout $openbsd_branch
 git pull --rebase)

@@ -26,16 +27,15 @@ libssl_src=$CWD/openbsd/src/lib/libssl
 libssl_regress=$CWD/openbsd/src/regress/lib/libssl
 libtls_src=$CWD/openbsd/src/lib/libtls
 libtls_regress=$CWD/openbsd/src/regress/lib/libtls
-bin_src=$CWD/openbsd/src/usr.bin
-sbin_src=$CWD/openbsd/src/usr.sbin
+app_src=$CWD/openbsd/src/usr.bin

 # load library versions
-. $libcrypto_src/shlib_version
+. $libcrypto_src/crypto/shlib_version
 libcrypto_version=$major:$minor:0
 echo "libcrypto version $libcrypto_version"
 echo $libcrypto_version > crypto/VERSION

-. $libssl_src/shlib_version
+. $libssl_src/ssl/shlib_version
 libssl_version=$major:$minor:0
 echo "libssl version $libssl_version"
 echo $libssl_version > ssl/VERSION
@@ -63,11 +63,11 @@ CP_LIBC='do_cp_libc'

 CP='cp -p'

-$CP $libssl_src/LICENSE COPYING
+$CP $libssl_src/src/LICENSE COPYING

-$CP $libcrypto_src/arch/amd64/opensslconf.h include/openssl
-$CP $libcrypto_src/opensslfeatures.h include/openssl
-$CP $libssl_src/pqueue.h include
+$CP $libcrypto_src/crypto/arch/amd64/opensslconf.h include/openssl
+$CP $libssl_src/src/crypto/opensslfeatures.h include/openssl
+$CP $libssl_src/src/ssl/pqueue.h include

 $CP $libtls_src/tls.h include
 $CP $libtls_src/tls.h libtls-standalone/include
@@ -76,19 +76,17 @@ for i in crypto/compat libtls-standalone/compat; do
 	for j in $libc_src/crypt/arc4random.c \
 	    $libc_src/crypt/arc4random_uniform.c \
 	    $libc_src/crypt/chacha_private.h \
-	    $libc_src/net/inet_pton.c \
-	    $libc_src/stdlib/reallocarray.c \
 	    $libc_src/string/explicit_bzero.c \
+	    $libc_src/stdlib/reallocarray.c \
 	    $libc_src/string/strcasecmp.c \
 	    $libc_src/string/strlcpy.c \
 	    $libc_src/string/strlcat.c \
 	    $libc_src/string/strndup.c \
 	    $libc_src/string/strnlen.c \
-	    $libc_src/string/strsep.c \
 	    $libc_src/string/timingsafe_bcmp.c \
 	    $libc_src/string/timingsafe_memcmp.c \
-	    $libcrypto_src/arc4random/getentropy_*.c \
-	    $libcrypto_src/arc4random/arc4random_*.h; do
+	    $libcrypto_src/crypto/getentropy_*.c \
+	    $libcrypto_src/crypto/arc4random_*.h; do
 		$CP_LIBC $j $i
 	done
 done
@@ -102,36 +100,36 @@ $CP crypto/compat/arc4random*.h \
 	crypto/compat/bsd-asprintf.c \
 	libtls-standalone/compat

-(cd $libcrypto_src/objects/;
+(cd $libssl_src/src/crypto/objects/;
 	perl objects.pl objects.txt obj_mac.num obj_mac.h;
 	perl obj_dat.pl obj_mac.h obj_dat.h )
 mkdir -p include/openssl crypto/objects
-$MV $libcrypto_src/objects/obj_mac.h ./include/openssl/obj_mac.h
-$MV $libcrypto_src/objects/obj_dat.h ./crypto/objects/obj_dat.h
+$MV $libssl_src/src/crypto/objects/obj_mac.h ./include/openssl/obj_mac.h
+$MV $libssl_src/src/crypto/objects/obj_dat.h ./crypto/objects/obj_dat.h

 copy_hdrs() {
 	for file in $2; do
-		$CP $1/$file include/openssl
+		$CP $libssl_src/src/$1/$file include/openssl
 	done
 }

-copy_hdrs $libcrypto_src "stack/stack.h lhash/lhash.h stack/safestack.h
+copy_hdrs crypto "stack/stack.h lhash/lhash.h stack/safestack.h
 	ossl_typ.h err/err.h crypto.h comp/comp.h x509/x509.h buffer/buffer.h
 	objects/objects.h asn1/asn1.h bn/bn.h ec/ec.h ecdsa/ecdsa.h
 	ecdh/ecdh.h rsa/rsa.h sha/sha.h x509/x509_vfy.h pkcs7/pkcs7.h pem/pem.h
 	pem/pem2.h hmac/hmac.h rand/rand.h md5/md5.h
-	asn1/asn1_mac.h x509v3/x509v3.h conf/conf.h ocsp/ocsp.h
+	krb5/krb5_asn.h asn1/asn1_mac.h x509v3/x509v3.h conf/conf.h ocsp/ocsp.h
 	aes/aes.h modes/modes.h asn1/asn1t.h dso/dso.h bf/blowfish.h
 	bio/bio.h cast/cast.h cmac/cmac.h conf/conf_api.h des/des.h dh/dh.h
-	dsa/dsa.h engine/engine.h ui/ui.h pkcs12/pkcs12.h ts/ts.h
+	dsa/dsa.h cms/cms.h engine/engine.h ui/ui.h pkcs12/pkcs12.h ts/ts.h
 	md4/md4.h ripemd/ripemd.h whrlpool/whrlpool.h idea/idea.h
 	rc2/rc2.h rc4/rc4.h ui/ui_compat.h txt_db/txt_db.h
 	chacha/chacha.h evp/evp.h poly1305/poly1305.h camellia/camellia.h
-	gost/gost.h curve25519/curve25519.h"
+	gost/gost.h"

-copy_hdrs $libssl_src "srtp.h ssl.h ssl2.h ssl3.h ssl23.h tls1.h dtls1.h"
+copy_hdrs ssl "srtp.h ssl.h ssl2.h ssl3.h ssl23.h tls1.h dtls1.h"

-$CP $libcrypto_src/opensslv.h include/openssl
+$CP $libssl_src/src/crypto/opensslv.h include/openssl
 awk '/LIBRESSL_VERSION_TEXT/ {print $4}' < include/openssl/opensslv.h | cut -d\" -f1 > VERSION
 echo "LibreSSL version `cat VERSION`"

@@ -142,18 +140,16 @@ for i in `awk '/SOURCES|HEADERS/ { print $3 }' crypto/Makefile.am` ; do
 	dir=`dirname $i`
 	mkdir -p crypto/$dir
 	if [ $dir != "compat" ]; then
-		if [ -e $libcrypto_src/$i ]; then
-			$CP $libcrypto_src/$i crypto/$i
+		if [ -e $libssl_src/src/crypto/$i ]; then
+			$CP $libssl_src/src/crypto/$i crypto/$i
 		fi
 	fi
 done
 $CP crypto/compat/b_win.c crypto/bio
 $CP crypto/compat/ui_openssl_win.c crypto/ui
-# add the libcrypto symbol export list
-grep '^[[:alpha:]]' < $libcrypto_src/Symbols.list > crypto/crypto.sym

 # generate assembly crypto algorithms
-asm_src=$libcrypto_src
+asm_src=$libssl_src/src/crypto
 gen_asm_stdout() {
 	perl $asm_src/$2 $1 > $3.tmp
 	[ $1 = "elf" ] && cat <<-EOF >> $3.tmp
@@ -174,24 +170,24 @@ gen_asm() {
 }
 for abi in elf macosx; do
 	echo generating ASM source for $abi
-	gen_asm_stdout $abi aes/asm/aes-x86_64.pl        crypto/aes/aes-$abi-x86_64.S
-	gen_asm_stdout $abi aes/asm/vpaes-x86_64.pl      crypto/aes/vpaes-$abi-x86_64.S
-	gen_asm_stdout $abi aes/asm/bsaes-x86_64.pl      crypto/aes/bsaes-$abi-x86_64.S
-	gen_asm_stdout $abi aes/asm/aesni-x86_64.pl      crypto/aes/aesni-$abi-x86_64.S
-	gen_asm_stdout $abi aes/asm/aesni-sha1-x86_64.pl crypto/aes/aesni-sha1-$abi-x86_64.S
-	gen_asm_stdout $abi bn/asm/modexp512-x86_64.pl   crypto/bn/modexp512-$abi-x86_64.S
-	gen_asm_stdout $abi bn/asm/x86_64-mont.pl        crypto/bn/mont-$abi-x86_64.S
-	gen_asm_stdout $abi bn/asm/x86_64-mont5.pl       crypto/bn/mont5-$abi-x86_64.S
-	gen_asm_stdout $abi bn/asm/x86_64-gf2m.pl        crypto/bn/gf2m-$abi-x86_64.S
-	gen_asm_stdout $abi camellia/asm/cmll-x86_64.pl  crypto/camellia/cmll-$abi-x86_64.S
-	gen_asm_stdout $abi md5/asm/md5-x86_64.pl        crypto/md5/md5-$abi-x86_64.S
-	gen_asm_stdout $abi modes/asm/ghash-x86_64.pl    crypto/modes/ghash-$abi-x86_64.S
-	gen_asm_stdout $abi rc4/asm/rc4-x86_64.pl        crypto/rc4/rc4-$abi-x86_64.S
-	gen_asm_stdout $abi rc4/asm/rc4-md5-x86_64.pl    crypto/rc4/rc4-md5-$abi-x86_64.S
-	gen_asm_stdout $abi sha/asm/sha1-x86_64.pl       crypto/sha/sha1-$abi-x86_64.S
+	gen_asm_stdout $abi aes/asm/aes-x86_64.pl        crypto/aes/aes-$abi-x86_64.s
+	gen_asm_stdout $abi aes/asm/vpaes-x86_64.pl      crypto/aes/vpaes-$abi-x86_64.s
+	gen_asm_stdout $abi aes/asm/bsaes-x86_64.pl      crypto/aes/bsaes-$abi-x86_64.s
+	gen_asm_stdout $abi aes/asm/aesni-x86_64.pl      crypto/aes/aesni-$abi-x86_64.s
+	gen_asm_stdout $abi aes/asm/aesni-sha1-x86_64.pl crypto/aes/aesni-sha1-$abi-x86_64.s
+	gen_asm_stdout $abi bn/asm/modexp512-x86_64.pl   crypto/bn/modexp512-$abi-x86_64.s
+	gen_asm_stdout $abi bn/asm/x86_64-mont.pl        crypto/bn/mont-$abi-x86_64.s
+	gen_asm_stdout $abi bn/asm/x86_64-mont5.pl       crypto/bn/mont5-$abi-x86_64.s
+	gen_asm_stdout $abi bn/asm/x86_64-gf2m.pl        crypto/bn/gf2m-$abi-x86_64.s
+	gen_asm_stdout $abi camellia/asm/cmll-x86_64.pl  crypto/camellia/cmll-$abi-x86_64.s
+	gen_asm_stdout $abi md5/asm/md5-x86_64.pl        crypto/md5/md5-$abi-x86_64.s
+	gen_asm_stdout $abi modes/asm/ghash-x86_64.pl    crypto/modes/ghash-$abi-x86_64.s
+	gen_asm_stdout $abi rc4/asm/rc4-x86_64.pl        crypto/rc4/rc4-$abi-x86_64.s
+	gen_asm_stdout $abi rc4/asm/rc4-md5-x86_64.pl    crypto/rc4/rc4-md5-$abi-x86_64.s
+	gen_asm_stdout $abi sha/asm/sha1-x86_64.pl       crypto/sha/sha1-$abi-x86_64.s
 	gen_asm        $abi sha/asm/sha512-x86_64.pl     crypto/sha/sha256-$abi-x86_64.S
 	gen_asm        $abi sha/asm/sha512-x86_64.pl     crypto/sha/sha512-$abi-x86_64.S
-	gen_asm_stdout $abi whrlpool/asm/wp-x86_64.pl    crypto/whrlpool/wp-$abi-x86_64.S
+	gen_asm_stdout $abi whrlpool/asm/wp-x86_64.pl    crypto/whrlpool/wp-$abi-x86_64.s
 	gen_asm        $abi x86_64cpuid.pl               crypto/cpuid-$abi-x86_64.S
 done

@@ -204,8 +200,9 @@ for i in `awk '/SOURCES|HEADERS/ { print $3 }' tls/Makefile.am` ; do
 		$CP $libtls_src/$i libtls-standalone/src
 	fi
 done
-# add the libtls symbol export list
-grep '^[[:alpha:]]' < $libtls_src/Symbols.list > tls/tls.sym
+
+$CP_LIBC $libc_src/string/strsep.c tls
+$CP_LIBC $libc_src/string/strsep.c libtls-standalone/compat

 mkdir -p libtls-standalone/m4
 $CP m4/check*.m4 \
@@ -216,38 +213,25 @@ sed -e "s/compat\///" crypto/Makefile.am.arc4random > \

 # copy nc(1) source
 echo "copying nc(1) source"
-$CP $bin_src/nc/nc.1 apps/nc
+$CP $app_src/nc/nc.1 apps/nc
 rm -f apps/nc/*.c apps/nc/*.h
-$CP_LIBC $libc_src/net/base64.c apps/nc/compat
 $CP_LIBC $libc_src/stdlib/strtonum.c apps/nc/compat
 for i in `awk '/SOURCES|HEADERS|MANS/ { print $3 }' apps/nc/Makefile.am` ; do
-	if [ -e $bin_src/nc/$i ]; then
-		$CP $bin_src/nc/$i apps/nc
-	fi
-done
-
-# copy ocspcheck(1) source
-echo "copying ocspcheck(1) source"
-$CP $sbin_src/ocspcheck/ocspcheck.8 apps/ocspcheck
-rm -f apps/ocspcheck/*.c apps/ocspcheck/*.h
-$CP_LIBC $libc_src/net/inet_ntop.c apps/ocspcheck/compat
-$CP_LIBC $libc_src/string/memmem.c apps/ocspcheck/compat
-for i in `awk '/SOURCES|HEADERS|MANS/ { print $3 }' apps/ocspcheck/Makefile.am` ; do
-	if [ -e $sbin_src/ocspcheck/$i ]; then
-		$CP $sbin_src/ocspcheck/$i apps/ocspcheck
+	if [ -e $app_src/nc/$i ]; then
+		$CP $app_src/nc/$i apps/nc
 	fi
 done

 # copy openssl(1) source
 echo "copying openssl(1) source"
-$CP $bin_src/openssl/openssl.1 apps/openssl
+$CP $app_src/openssl/openssl.1 apps/openssl
 $CP_LIBC $libc_src/stdlib/strtonum.c apps/openssl/compat
 $CP $libcrypto_src/cert.pem apps/openssl
 $CP $libcrypto_src/openssl.cnf apps/openssl
 $CP $libcrypto_src/x509v3.cnf apps/openssl
 for i in `awk '/SOURCES|HEADERS|MANS/ { print $3 }' apps/openssl/Makefile.am` ; do
-	if [ -e $bin_src/openssl/$i ]; then
-		$CP $bin_src/openssl/$i apps/openssl
+	if [ -e $app_src/openssl/$i ]; then
+		$CP $app_src/openssl/$i apps/openssl
 	fi
 done

@@ -255,10 +239,8 @@ done
 echo "copying libssl source"
 rm -f ssl/*.c ssl/*.h
 for i in `awk '/SOURCES|HEADERS/ { print $3 }' ssl/Makefile.am` ; do
-	$CP $libssl_src/$i ssl
+	$CP $libssl_src/src/ssl/$i ssl
 done
-# add the libssl symbol export list
-grep '^[[:alpha:]]' < $libssl_src/Symbols.list > ssl/ssl.sym

 # copy libcrypto tests
 echo "copying tests"
@@ -267,11 +249,12 @@ for i in `find $libcrypto_regress -name '*.c'`; do
 done
 $CP $libcrypto_regress/evp/evptests.txt tests
 $CP $libcrypto_regress/aead/aeadtests.txt tests
+$CP $libcrypto_regress/pqueue/expected.txt tests/pq_expected.txt

 # copy libc tests
 $CP $libc_regress/arc4random-fork/arc4random-fork.c tests/arc4randomforktest.c
 $CP $libc_regress/explicit_bzero/explicit_bzero.c tests
-$CP_LIBC $libc_src/string/memmem.c tests/compat
+$CP_LIBC $libc_src/string/memmem.c tests
 $CP $libc_regress/timingsafe/timingsafe.c tests

 # copy libssl tests
@@ -282,7 +265,6 @@ done
 $CP $libssl_regress/unit/tests.h tests
 $CP $libssl_regress/certs/ca.pem tests
 $CP $libssl_regress/certs/server.pem tests
-$CP $libssl_regress/pqueue/expected.txt tests/pq_expected.txt

 # copy libtls tests
 for i in `find $libtls_regress -name '*.c'`; do
@@ -306,7 +288,7 @@ add_man_links() {
 	for i in `grep $filter man/links`; do
 		IFS=","; set $i; unset IFS
 		if [ "$2" != "" ]; then
-			echo "	ln -sf \"$1\" \"\$(DESTDIR)\$(mandir)/man3/$2\"" >> $dest
+			echo "	ln -sf $1 \$(DESTDIR)\$(mandir)/man3/$2" >> $dest
 		fi
 	done
 	echo "" >> $dest
@@ -314,7 +296,7 @@ add_man_links() {
 	for i in `grep $filter man/links`; do
 		IFS=","; set $i; unset IFS
 		if [ "$2" != "" ]; then
-			echo "	-rm -f \"\$(DESTDIR)\$(mandir)/man3/$2\"" >> $dest
+			echo "	-rm -f \$(DESTDIR)\$(mandir)/man3/$2" >> $dest
 		fi
 	done
 }
@@ -334,8 +316,12 @@ echo "copying manpages"
 echo EXTRA_DIST = CMakeLists.txt > man/Makefile.am
 echo dist_man_MANS = >> man/Makefile.am

+$CP $libtls_src/tls_init.3 man
+echo "dist_man_MANS += tls_init.3" >> man/Makefile.am
+
 (cd man
-	for i in `ls -1 $libssl_src/man/*.3 | sort`; do
+	# update new-style manpages
+	for i in `ls -1 $libssl_src/src/doc/ssl/*.3 | sort`; do
 		NAME=`basename "$i"`
 		$CP $i .
 		echo "dist_man_MANS += $NAME" >> Makefile.am
@@ -347,10 +333,24 @@ echo dist_man_MANS = >> man/Makefile.am
 		echo "dist_man_MANS += $NAME" >> Makefile.am
 	done

-	for i in `ls -1 $libtls_src/man/*.3 | sort`; do
-		NAME=`basename "$i"`
-		$CP $i .
-		echo "dist_man_MANS += $NAME" >> Makefile.am
+	# convert remaining POD manpages
+	for i in `ls -1 $libssl_src/src/doc/crypto/*.pod | sort`; do
+		BASE=`echo $i|sed -e "s/\.pod//"`
+		NAME=`basename "$BASE"`
+		# reformat file if new
+		if [ ! -f $NAME.3 -o $BASE.pod -nt $NAME.3 -o ../include/openssl/opensslv.h -nt $NAME.3 ]; then
+			echo processing $NAME
+			pod2man --official --release="LibreSSL $VERSION" --center=LibreSSL \
+				--section=3 $POD2MAN --name=$NAME < $BASE.pod > $NAME.3
+		fi
+		echo "dist_man_MANS += $NAME.3" >> Makefile.am
 	done
 )
 add_man_links . man/Makefile.am
+
+# standalone libtls manpages
+mkdir -p libtls-standalone/man
+echo "dist_man_MANS = tls_init.3" > libtls-standalone/man/Makefile.am
+
+$CP $libtls_src/tls_init.3 libtls-standalone/man
+add_man_links tls_init libtls-standalone/man/Makefile.am
Author	SHA1	Message	Date
Brent Cook	48ecc2d05d	update changelog for 2.4.2	2016-07-31 17:55:50 -05:00
Brent Cook	7f322bfe7e	set link library dependencies with MSVC, fixes #221	2016-07-31 17:12:35 -05:00
Brent Cook	47d4f7109f	properly enable strnlen checks for MSVC	2016-07-31 17:12:35 -05:00
Brent Cook	12348e6f64	create OPENBSD_6_0 branch	2016-07-29 07:51:02 -05:00