Land #376 , adjust MSVC warnings

Land #374 , hp-ux compatibility
Merge remote-tracking branch 'upstream/pr/374'
2018-01-07 16:22:00 -06:00 · 2018-01-07 16:21:11 -06:00 · 2018-01-07 16:19:36 -06:00 · 2018-01-06 18:51:45 +09:00 · 2018-01-06 18:12:50 +09:00 · 2018-01-06 00:28:49 +09:00
35 changed files with 538 additions and 129 deletions
--- a/.gitignore
+++ b/.gitignore
@@ -45,6 +45,7 @@ Makefile.in
 # man pages
 *.1
 *.3
+*.5

 # tests
 test-driver
@@ -52,9 +53,11 @@ test-driver
 *.trs
 tests/aes_wrap*
 tests/arc4random_fork*
+tests/asn1evp*
 tests/asn1time*
 tests/cipher*
 tests/explicit_bzero*
+tests/freenull*
 tests/gost2814789t*
 tests/mont*
 tests/rfc5280time*
--- a/CMakeLists.txt
+++ b/CMakeLists.txt
@@ -107,20 +107,23 @@ if(MSVC)
 	message(STATUS "Using [${CMAKE_C_COMPILER_ID}] compiler")
 	if(CMAKE_C_COMPILER_ID MATCHES "MSVC")
 		set(MSVC_DISABLED_WARNINGS_LIST
-			"C4057" # C4057: 'initializing' : 'unsigned char *' differs in
-		        	# indirection to slightly different base types from 'char [2]'
-			"C4100" # 'exarg' : unreferenced formal parameter
+			"C4018" # 'expression' : signed/unsigned mismatch
+			"C4057" # 'operator' : 'identifier1' indirection to
+		        	# slightly different base types from 'identifier2'
+			"C4100" # 'identifier' : unreferenced formal parameter
 			"C4127" # conditional expression is constant
-			"C4242" # 'function' : conversion from 'int' to 'uint8_t',
-			        # possible loss of data
-			"C4244" # 'function' : conversion from 'int' to 'uint8_t',
-			        # possible loss of data
-			"C4267" # conversion from 'size_t' to 'some type that is almost
-				# certainly safe to convert a size_t to'.
+			"C4146" # unary minus operator applied to unsigned type,
+				# result still unsigned
+			"C4244" # 'argument' : conversion from 'type1' to 'type2',
+				# possible loss of data
+			"C4245" # 'conversion' : conversion from 'type1' to 'type2',
+				# signed/unsigned mismatch
+			"C4267" # 'var' : conversion from 'size_t' to 'type',
+				# possible loss of data
+			"C4389" # 'operator' : signed/unsigned mismatch
 			"C4706" # assignment within conditional expression
-			"C4820" # 'bytes' bytes padding added after construct 'member_name'
-			"C4996" # 'read': The POSIX name for this item is deprecated. Instead,
-			        # use the ISO C++ conformant name: _read.
+			"C4996" # The POSIX name for this item is deprecated.
+				# Instead, use the ISO C and C++ conformant name
 		)
 	elseif(CMAKE_C_COMPILER_ID MATCHES "Intel")
 		add_definitions(-D_CRT_SUPPRESS_RESTRICT)
@@ -300,6 +303,7 @@ endif()
 check_type_size(time_t SIZEOF_TIME_T)
 if(SIZEOF_TIME_T STREQUAL "4")
 	set(SMALL_TIME_T true)
+	add_definitions(-DSMALL_TIME_T)
 	message(WARNING " ** Warning, this system is unable to represent times past 2038\n"
 	                " ** It will behave incorrectly when handling valid RFC5280 dates")
 endif()
@@ -317,6 +321,23 @@ if(NOT MSVC OR ENABLE_VSTEST)
 	add_subdirectory(tests)
 endif()

+if(NOT MSVC)
+	# Create pkgconfig files.
+	set(prefix      ${CMAKE_INSTALL_PREFIX})
+	set(exec_prefix \${prefix})
+	set(libdir      \${exec_prefix}/${CMAKE_INSTALL_LIBDIR})
+	set(includedir  \${prefix}/include)
+	file(STRINGS    "VERSION" VERSION LIMIT_COUNT 1)
+	file(GLOB       OPENSSL_PKGCONFIGS "*.pc.in")
+	foreach(file ${OPENSSL_PKGCONFIGS})
+		get_filename_component(filename ${file} NAME)
+		string(REPLACE ".in" "" new_file "${filename}")
+		configure_file(${filename} pkgconfig/${new_file} @ONLY)
+	endforeach()
+	install(DIRECTORY ${CMAKE_CURRENT_BINARY_DIR}/pkgconfig
+		DESTINATION ${CMAKE_INSTALL_LIBDIR})
+endif()
+
 configure_file(
 	"${CMAKE_CURRENT_SOURCE_DIR}/cmake_uninstall.cmake.in"
 	"${CMAKE_CURRENT_BINARY_DIR}/cmake_uninstall.cmake"
--- a/118
+++ b/118
@@ -28,6 +28,113 @@ history is also available from Git.

 LibreSSL Portable Release Notes:

+2.7.0 - Bug fixes and improvements
+
+	* Merged more DTLS support into the regular TLS code path, removing
+	  duplicated code.
+
+	* Converted ssl3_send_client_hello(), ssl3_send_server_hello() to CBB.
+
+	* Rewrite ASN1_TYPE_{get,set}_octetstring() using templated ASN.1.
+	  This removes the last remaining use of the old M_ASN1_* macros
+	  (asn1_mac.h) from API that needs to continue to exist.
+
+2.6.4 - Bug fixes
+
+	* Make tls_config_parse_protocols() work correctly when passed a NULL
+	  pointer for a protocol string. Issue found by semarie@, who also
+	  provided the diff.
+
+	* Correct TLS extensions handling when no extensions are present.
+	  If no TLS extensions are present in a client hello or server hello,
+	  omit the entire extensions block, rather than including it with a
+	  length of zero. Thanks to Eric Elena <eric at voguemerry dot com> for
+	  providing packet captures and testing the fix.
+
+	* Fixed portable builds on older Android systems, and systems with out
+	  IPV6_TCLASS support.
+
+2.6.3 - OpenBSD 6.2 Release
+
+	* No core changes from LibreSSL 2.6.2
+
+	* Minor compatibility fixes in portable version.
+
+2.6.2 - Bug fixes
+
+	* Provide a useful error with libtls if there are no OCSP URLs in a
+	  peer certificate.
+
+	* Keep track of which keypair is in use by a TLS context, fixing a bug
+	  where a TLS server with SNI would only return the OCSP staple for the
+	  default keypair. Issue reported by William Graeber and confirmed by
+	  Andreas Bartelt.
+
+	* Fixed various issues in the OCSP extension parsing code.
+	  The original code incorrectly passes the pointer allocated via
+	  CBS_stow() (using malloc()) to a d2i_*() function and then calls
+	  free() on the now incremented pointer, most likely resulting in a
+	  crash. This issue was reported by Robert Swiecki who found the issue
+	  using honggfuzz.
+
+	* If tls_config_parse_protocols() is called with a NULL pointer,
+	  return the default protocols instead of crashing - this makes the
+	  behaviour more useful and mirrors what we already do in
+	  tls_config_set_ciphers() et al.
+
+2.6.1 - Code removal, rewrites
+
+	* Added a "-T tlscompat" option to nc(1), which enables the use of all
+	  TLS protocols and "compat" ciphers. This allows for TLS connections
+	  to TLS servers that are using less than ideal cipher suites, without
+	  having to resort to "-T tlsall" which enables all known cipher
+	  suites.  Diff from Kyle J. McKay.
+
+	* Added a new TLS extension handling framework, somewhat analogous to
+	  BoringSSL, and converted all TLS extensions to use it. Added new TLS
+	  extension regression tests.
+
+	* Improved and added many new manpages. Updated *check_private_key
+	  manpages with additional cautions regarding their use.
+
+	* Cleaned up the EC key/curve configuration handling.
+
+	* Added tls_config_set_ecdhecurves() to libtls, which allows the names
+	  of the eliptical curves that may be used during client and server
+	  key exchange to be specified.
+
+	* Converted more code paths to use CBB/CBS.
+
+	* Removed support for DSS/DSA, since we removed the cipher suites a
+	  while back.
+
+	* Removed NPN support. NPN was never standardised and the last draft
+	  expired in October 2012. ALPN was standardised in July 2014 and has
+	  been supported in LibreSSL since December 2014. NPN has also been
+	  removed from Chromium in May 2016.
+
+	* Removed SSL_OP_CRYPTOPRO_TLSEXT_BUG workaround for old/broken
+	  CryptoPro clients.
+
+	* Removed support for the TLS padding extension, which was added as a
+	  workaround for an old bug in F5's TLS termination.
+
+	* Worked around another bug in F5's TLS termination handling of the
+	  elliptical curves extension. RFC 4492 only defines elliptic_curves
+	  for ClientHello. However, F5 is sending it in ServerHello.  We need
+	  to skip over it since our TLS extension parsing code is now more
+	  strict. Thanks to Armin Wolfermann and WJ Liu for reporting.
+
+	* Added ability to clamp notafter valies in certificates for systems
+	  with 32-bit time_t. This is necessary to conform to RFC 5280
+	  4.1.2.5.
+
+	* Implemented the SSL_CTX_set_min_proto_version(3) API.
+
+	* Removed the original (pre-IETF) chacha20-poly1305 cipher suites.
+
+	* Reclassified ECDHE-RSA-DES-CBC3-SHA from HIGH to MEDIUM.
+
 2.6.0 - New APIs, bug fixes and improvements

 	* Added support for providing CRLs to libtls. Once a CRL is provided we
@@ -43,13 +150,10 @@ LibreSSL Portable Release Notes:
 	* Added definitions for three OIDs used in EV certificates.
 	  From Kyle J. McKay

-	* Plugged a memory leak in tls_ocsp_free.
+	* Added tls_peer_cert_chain_pem to libtls, useful in private
+	  certificate validation callbacks such as those in relayd.

-	* Added tls_peer_cert_chain_pem, tls_cert_hash, and tls_hex_string to
-	  libtls, useful in private certificate validation callbacks such as
-	  those in relayd.
-
-	* Converted explicit lear/free sequences to use freezero(3).
+	* Converted explicit clear/free sequences to use freezero(3).

 	* Reworked TLS certificate name verification code to more strictly
 	  follow RFC 6125.
@@ -70,7 +174,7 @@ LibreSSL Portable Release Notes:

 	* Added HKDF (HMAC Key Derivation Function) from BoringSSL

-	* Providea a tls_unload_file() function that frees the memory returned
+	* Provided a tls_unload_file() function that frees the memory returned
 	  from a tls_load_file() call, ensuring that it the contents become
 	  inaccessible. This is specifically needed on platforms where the
 	  library allocators may be different from the application allocator.
--- a/README.md
+++ b/README.md
@@ -56,20 +56,25 @@ or to the github
 Severe vulnerabilities or bugs requiring coordination with OpenSSL can be
 sent to the core team at libressl-security@openbsd.org.

-## Prerequisites when building from git ##
+# Building LibreSSL #

-If you have checked this source using Git, follow these initial steps to
-prepare the source tree for building:
+## Prerequisites when building from a Git checkout ##
+
+If you have checked this source using Git, or have downloaded a source tarball
+from Github, follow these initial steps to prepare the source tree for
+building. _Note: Your build will fail if you do not follow these instructions! If you cannot follow these instructions (e.g. Windows system using CMake) or cannot meet these prerequistes, please download an official release distribution from https://ftp.openbsd.org/pub/OpenBSD/LibreSSL/ instead. Using official releases is strongly advised if you are not a developer._

 1. Ensure you have the following packages installed:
-   automake, autoconf, git, libtool, perl, pod2man
+   automake, autoconf, git, libtool, perl
 2. Run './autogen.sh' to prepare the source tree for building or
   run './dist.sh' to prepare a tarball.

-## Building LibreSSL ##
+## Steps that apply to all builds ##

-Once you have a source tree from Git or FTP, run these commands to build and
-install the package on most systems:
+Once you have a source tree, either by downloaded using git and having
+run the autogen.sh script above, or by downloading a release distribution from
+an OpenBSD mirror, run these commands to build and install the package on most
+systems:

 ```sh
 ./configure   # see ./configure --help for configuration options
@@ -119,9 +124,9 @@ should work. See README.windows for more information

 #### Windows - Visual Studio ####

-LibreSSL builds using the CMake target "Visual Studio 12 2013", and may build
-against older/newer targets as well. To generate a Visual Studio project,
-install CMake, enter the LibreSSL source directory and run:
+LibreSSL builds using the CMake target "Visual Studio 12 2013" and newer. To
+generate a Visual Studio project, install CMake, enter the LibreSSL source
+directory and run:

 ```sh
 mkdir build-vs2013
@@ -129,13 +134,14 @@ install CMake, enter the LibreSSL source directory and run:
 cmake -G"Visual Studio 12 2013" ..
 ```

-This will generate a LibreSSL.sln file that you can incorporate into other
-projects or build by itself.
+Replace "Visual Studion 12 2013" with whatever version of Visual Studio you
+have installed. This will generate a LibreSSL.sln file that you can incorporate
+into other projects or build by itself.

 #### Cmake - Additional Options ####

-| Option Name | Default | Description 
-| ------------ | -----: | ------ 
+| Option Name | Default | Description
+| ------------ | -----: | ------
 |  LIBRESSL_SKIP_INSTALL | OFF | allows skipping install() rules.  Can be specified from command line using <br>```-DLIBRESSL_SKIP_INSTALL=ON``` |
 |  ENABLE_ASM | ON | builds assembly optimized rules. |
 |  ENABLE_EXTRATESTS | OFF | Enable extra tests that may be unreliable on some platforms |
--- a/apps/ocspcheck/CMakeLists.txt
+++ b/apps/ocspcheck/CMakeLists.txt
@@ -20,7 +20,7 @@ else()
        set(OCSPCHECK_SRC ${OCSPCHECK_SRC} compat/inet_ntop.c)
 endif()

-check_function_exists(inet_ntop HAVE_MEMMEM)
+check_function_exists(memmem HAVE_MEMMEM)
 if(HAVE_MEMMEM)
        add_definitions(-DHAVE_MEMMEM)
 else()
--- a/apps/openssl/CMakeLists.txt
+++ b/apps/openssl/CMakeLists.txt
@@ -88,5 +88,5 @@ else()
 endif()
 if(ENABLE_LIBRESSL_INSTALL)
 	install(FILES cert.pem openssl.cnf x509v3.cnf DESTINATION ${CONF_DIR})
-	install(DIRECTORY DESTINATION ${CONF_DIR}/cert)
+	install(DIRECTORY DESTINATION ${CONF_DIR}/certs)
 endif(ENABLE_LIBRESSL_INSTALL)
--- a/apps/openssl/apps_win.c
+++ b/apps/openssl/apps_win.c
@@ -13,7 +13,7 @@
 #include "apps.h"

 double
-app_tminterval(int stop, int usertime)
+app_timer_user(int stop)
 {
 	static unsigned __int64 tmstart;
 	union {
@@ -22,13 +22,11 @@ app_tminterval(int stop, int usertime)
 	} ct, et, kt, ut;

 	GetProcessTimes(GetCurrentProcess(), &ct.ft, &et.ft, &kt.ft, &ut.ft);
-
-	if (stop == TM_START) {
-		tmstart = ut.u64 + kt.u64;
-	} else {
+	if (stop)
 		return (ut.u64 + kt.u64 - tmstart) / (double) 10000000;
-	}
-	return 0;
+
+	tmstart = ut.u64 + kt.u64;
+	return 0.0;
 }

 int
--- a/apps/openssl/compat/poll_win.c
+++ b/apps/openssl/compat/poll_win.c
@@ -253,7 +253,9 @@ poll(struct pollfd *pfds, nfds_t nfds, int timeout_ms)
 	looptime_ms = timeout_ms > 100 ? 100 : timeout_ms;

 	do {
-		struct timeval tv = {0, looptime_ms * 1000};
+		struct timeval tv;
+		tv.tv_sec = 0;
+		tv.tv_usec = looptime_ms * 1000;
 		int handle_signaled = 0;

 		/*
--- a/check-release.sh
+++ b/check-release.sh
@@ -57,6 +57,7 @@ fi
 echo "differences between release and regenerated release tag:"
 diff -urN \
 	-x *.3 \
+	-x *.5 \
 	-x Makefile.in \
 	-x aclocal.m4 \
 	-x compile \
--- a/cmake_export_symbol.cmake
+++ b/cmake_export_symbol.cmake
@@ -10,7 +10,13 @@ macro(export_symbol TARGET FILENAME)
 		target_sources(${TARGET} PRIVATE ${DEF_FILENAME})

 	elseif(APPLE)
-		set(FLAG "-exported_symbols_list ${FILENAME}")
+		file(READ ${FILENAME} SYMBOLS)
+		string(REGEX REPLACE "\n$" "" SYMBOLS ${SYMBOLS})
+		string(REPLACE "\n" "\n_" SYMBOLS ${SYMBOLS})
+		string(REGEX REPLACE "(.)$" "\\1\\n" SYMBOLS ${SYMBOLS})
+		string(REPLACE ".sym" ".exp" EXP_FILENAME ${FILENAME})
+		file(WRITE ${EXP_FILENAME} "_${SYMBOLS}")
+		set(FLAG "-exported_symbols_list ${EXP_FILENAME}")
 		set_target_properties(${TARGET} PROPERTIES LINK_FLAGS ${FLAG})

 	elseif(CMAKE_SYSTEM_NAME MATCHES "HP-UX")
--- a/configure.ac
+++ b/configure.ac
@@ -134,6 +134,7 @@ AC_CONFIG_FILES([

 AM_CONDITIONAL([SMALL_TIME_T], [test "$ac_cv_sizeof_time_t" = "4"])
 if test "$ac_cv_sizeof_time_t" = "4"; then
+    AC_DEFINE([SMALL_TIME_T])
    echo " ** Warning, this system is unable to represent times past 2038"
    echo " ** It will behave incorrectly when handling valid RFC5280 dates"

--- a/crypto/CMakeLists.txt
+++ b/crypto/CMakeLists.txt
@@ -352,10 +352,6 @@ set(
 	ec/ecp_mont.c
 	ec/ecp_nist.c
 	ec/ecp_oct.c
-	ec/ecp_nistp224.c
-	ec/ecp_nistp256.c
-	ec/ecp_nistp521.c
-	ec/ecp_nistputil.c
 	ec/ecp_smpl.c
 	ecdh/ech_err.c
 	ecdh/ech_key.c
@@ -563,7 +559,6 @@ set(
 	rsa/rsa_pss.c
 	rsa/rsa_saos.c
 	rsa/rsa_sign.c
-	rsa/rsa_ssl.c
 	rsa/rsa_x931.c
 	sha/sha1_one.c
 	sha/sha1dgst.c
--- a/crypto/Makefile.am
+++ b/crypto/Makefile.am
@@ -524,10 +524,6 @@ libcrypto_la_SOURCES += ec/ec_print.c
 libcrypto_la_SOURCES += ec/eck_prn.c
 libcrypto_la_SOURCES += ec/ecp_mont.c
 libcrypto_la_SOURCES += ec/ecp_nist.c
-libcrypto_la_SOURCES += ec/ecp_nistp224.c
-libcrypto_la_SOURCES += ec/ecp_nistp256.c
-libcrypto_la_SOURCES += ec/ecp_nistp521.c
-libcrypto_la_SOURCES += ec/ecp_nistputil.c
 libcrypto_la_SOURCES += ec/ecp_oct.c
 libcrypto_la_SOURCES += ec/ecp_smpl.c
 noinst_HEADERS += ec/ec_lcl.h
@@ -803,7 +799,6 @@ libcrypto_la_SOURCES += rsa/rsa_prn.c
 libcrypto_la_SOURCES += rsa/rsa_pss.c
 libcrypto_la_SOURCES += rsa/rsa_saos.c
 libcrypto_la_SOURCES += rsa/rsa_sign.c
-libcrypto_la_SOURCES += rsa/rsa_ssl.c
 libcrypto_la_SOURCES += rsa/rsa_x931.c
 noinst_HEADERS += rsa/rsa_locl.h

--- a/crypto/compat/posix_win.c
+++ b/crypto/compat/posix_win.c
@@ -209,6 +209,7 @@ posix_setsockopt(int sockfd, int level, int optname,
 }

 #ifdef _MSC_VER
+struct timezone;
 int gettimeofday(struct timeval * tp, struct timezone * tzp)
 {
 	/*
--- a/dist.sh
+++ b/dist.sh
@@ -1,7 +1,7 @@
 #!/bin/sh
 set -e

-rm -f man/*.1 man/*.3 include/openssl/*.h
+rm -f man/*.[35] include/openssl/*.h
 ./autogen.sh
 ./configure
 make -j2 distcheck
--- a/include/CMakeLists.txt
+++ b/include/CMakeLists.txt
@@ -3,5 +3,6 @@ if(ENABLE_LIBRESSL_INSTALL)
 	        DESTINATION ${CMAKE_INSTALL_INCLUDEDIR}
 	        PATTERN "CMakeLists.txt" EXCLUDE
 	        PATTERN "compat" EXCLUDE
+	        PATTERN "pqueue.h" EXCLUDE
 	        PATTERN "Makefile*" EXCLUDE)
 endif(ENABLE_LIBRESSL_INSTALL)
--- a/include/compat/err.h
+++ b/include/compat/err.h
@@ -34,9 +34,9 @@ err(int eval, const char *fmt, ...)
 		vfprintf(stderr, fmt, ap);
 		fprintf(stderr, ": ");
 	}
+	va_end(ap);
 	fprintf(stderr, "%s\n", strerror(sverrno));
 	exit(eval);
-	va_end(ap);
 }

 #if defined(_MSC_VER)
@@ -52,9 +52,9 @@ errx(int eval, const char *fmt, ...)
 	va_start(ap, fmt);
 	if (fmt != NULL)
 		vfprintf(stderr, fmt, ap);
+	va_end(ap);
 	fprintf(stderr, "\n");
 	exit(eval);
-	va_end(ap);
 }

 static inline void
@@ -68,8 +68,8 @@ warn(const char *fmt, ...)
 		vfprintf(stderr, fmt, ap);
 		fprintf(stderr, ": ");
 	}
-	fprintf(stderr, "%s\n", strerror(sverrno));
 	va_end(ap);
+	fprintf(stderr, "%s\n", strerror(sverrno));
 }

 static inline void
@@ -80,8 +80,8 @@ warnx(const char *fmt, ...)
 	va_start(ap, fmt);
 	if (fmt != NULL)
 		vfprintf(stderr, fmt, ap);
-	fprintf(stderr, "\n");
 	va_end(ap);
+	fprintf(stderr, "\n");
 }

 #endif
--- a/include/compat/sys/time.h
+++ b/include/compat/sys/time.h
@@ -13,4 +13,20 @@ int gettimeofday(struct timeval *tp, void *tzp);
 #include_next <sys/time.h>
 #endif

+#ifndef CLOCK_MONOTONIC
+#define CLOCK_MONOTONIC CLOCK_REALTIME
+#endif
+
+#ifndef timersub
+#define timersub(tvp, uvp, vvp)                                         \
+	do {                                                            \
+		(vvp)->tv_sec = (tvp)->tv_sec - (uvp)->tv_sec;          \
+		(vvp)->tv_usec = (tvp)->tv_usec - (uvp)->tv_usec;       \
+		if ((vvp)->tv_usec < 0) {                               \
+			(vvp)->tv_sec--;                                \
+			(vvp)->tv_usec += 1000000;                      \
+		}                                                       \
+	} while (0)
+#endif
+
 #endif
--- a/include/compat/time.h
+++ b/include/compat/time.h
@@ -21,3 +21,15 @@ struct tm *__gmtime_r(const time_t * t, struct tm * tm);
 #ifndef HAVE_TIMEGM
 time_t timegm(struct tm *tm);
 #endif
+
+#ifndef timespecsub
+#define timespecsub(tsp, usp, vsp)                                      \
+        do {                                                            \
+                (vsp)->tv_sec = (tsp)->tv_sec - (usp)->tv_sec;          \
+                (vsp)->tv_nsec = (tsp)->tv_nsec - (usp)->tv_nsec;       \
+                if ((vsp)->tv_nsec < 0) {                               \
+                        (vsp)->tv_sec--;                                \
+                        (vsp)->tv_nsec += 1000000000L;                  \
+                }                                                       \
+        } while (0)
+#endif
--- a/m4/check-libc.m4
+++ b/m4/check-libc.m4
@@ -2,10 +2,23 @@ AC_DEFUN([CHECK_LIBC_COMPAT], [
 # Check for libc headers
 AC_CHECK_HEADERS([err.h readpassphrase.h])
 # Check for general libc functions
-AC_CHECK_FUNCS([asprintf freezero getpagesize inet_ntop inet_pton memmem])
+AC_CHECK_FUNCS([asprintf freezero inet_ntop inet_pton memmem])
 AC_CHECK_FUNCS([readpassphrase reallocarray recallocarray])
 AC_CHECK_FUNCS([strlcat strlcpy strndup strnlen strsep strtonum])
 AC_CHECK_FUNCS([timegm _mkgmtime])
+AC_CACHE_CHECK([for getpagesize], ac_cv_func_getpagesize, [
+	AC_LINK_IFELSE([AC_LANG_PROGRAM([[
+// Since Android NDK v16 getpagesize is defined as inline inside unistd.h
+#ifdef __ANDROID__
+#	include <unistd.h>
+#endif
+		]], [[
+	getpagesize();
+]])],
+	[ ac_cv_func_getpagesize="yes" ],
+	[ ac_cv_func_getpagesize="no"
+	])
+])
 AM_CONDITIONAL([HAVE_ASPRINTF], [test "x$ac_cv_func_asprintf" = xyes])
 AM_CONDITIONAL([HAVE_FREEZERO], [test "x$ac_cv_func_freezero" = xyes])
 AM_CONDITIONAL([HAVE_GETPAGESIZE], [test "x$ac_cv_func_getpagesize" = xyes])
--- a/m4/check-os-options.m4
+++ b/m4/check-os-options.m4
@@ -13,6 +13,7 @@ case $host_os in
 		;;
 	*cygwin*)
 		HOST_OS=cygwin
+		CPPFLAGS="$CPPFLAGS -D_GNU_SOURCE"
 		;;
 	*darwin*)
 		HOST_OS=darwin
--- a/man/CMakeLists.txt
+++ b/man/CMakeLists.txt
@@ -5,7 +5,7 @@ if(ENABLE_LIBRESSL_INSTALL)
 	    )

 	install(DIRECTORY .
-	    DESTINATION ${CMAKE_INSTALL_MANDIR}/man1
-	    FILES_MATCHING PATTERN "*.1"
+	    DESTINATION ${CMAKE_INSTALL_MANDIR}/man5
+	    FILES_MATCHING PATTERN "*.5"
 	    )
 endif(ENABLE_LIBRESSL_INSTALL)
--- a/man/links
+++ b/man/links
@@ -3,6 +3,8 @@ ACCESS_DESCRIPTION_new.3,ACCESS_DESCRIPTION_free.3
 ACCESS_DESCRIPTION_new.3,AUTHORITY_INFO_ACCESS_free.3
 ACCESS_DESCRIPTION_new.3,AUTHORITY_INFO_ACCESS_new.3
 ASN1_OBJECT_new.3,ASN1_OBJECT_free.3
+ASN1_STRING_TABLE_add.3,ASN1_STRING_TABLE_cleanup.3
+ASN1_STRING_TABLE_add.3,ASN1_STRING_TABLE_get.3
 ASN1_STRING_length.3,ASN1_STRING_cmp.3
 ASN1_STRING_length.3,ASN1_STRING_data.3
 ASN1_STRING_length.3,ASN1_STRING_dup.3
@@ -50,10 +52,23 @@ ASN1_STRING_new.3,DISPLAYTEXT_free.3
 ASN1_STRING_new.3,DISPLAYTEXT_new.3
 ASN1_STRING_print_ex.3,ASN1_STRING_print.3
 ASN1_STRING_print_ex.3,ASN1_STRING_print_ex_fp.3
+ASN1_STRING_print_ex.3,ASN1_tag2str.3
+ASN1_TIME_set.3,ASN1_GENERALIZEDTIME_adj.3
+ASN1_TIME_set.3,ASN1_GENERALIZEDTIME_check.3
+ASN1_TIME_set.3,ASN1_GENERALIZEDTIME_print.3
+ASN1_TIME_set.3,ASN1_GENERALIZEDTIME_set.3
+ASN1_TIME_set.3,ASN1_GENERALIZEDTIME_set_string.3
 ASN1_TIME_set.3,ASN1_TIME_adj.3
 ASN1_TIME_set.3,ASN1_TIME_check.3
 ASN1_TIME_set.3,ASN1_TIME_print.3
 ASN1_TIME_set.3,ASN1_TIME_set_string.3
+ASN1_TIME_set.3,ASN1_TIME_to_generalizedtime.3
+ASN1_TIME_set.3,ASN1_UTCTIME_adj.3
+ASN1_TIME_set.3,ASN1_UTCTIME_check.3
+ASN1_TIME_set.3,ASN1_UTCTIME_cmp_time_t.3
+ASN1_TIME_set.3,ASN1_UTCTIME_print.3
+ASN1_TIME_set.3,ASN1_UTCTIME_set.3
+ASN1_TIME_set.3,ASN1_UTCTIME_set_string.3
 ASN1_TYPE_get.3,ASN1_TYPE_cmp.3
 ASN1_TYPE_get.3,ASN1_TYPE_free.3
 ASN1_TYPE_get.3,ASN1_TYPE_new.3
@@ -70,6 +85,7 @@ ASN1_item_d2i.3,ASN1_item_print.3
 ASN1_item_d2i.3,d2i_ASN1_TYPE.3
 ASN1_item_d2i.3,i2d_ASN1_TYPE.3
 ASN1_item_new.3,ASN1_item_free.3
+ASN1_time_parse.3,ASN1_TIME_set_tm.3
 ASN1_time_parse.3,ASN1_time_tm_cmp.3
 AUTHORITY_KEYID_new.3,AUTHORITY_KEYID_free.3
 BASIC_CONSTRAINTS_new.3,BASIC_CONSTRAINTS_free.3
@@ -146,6 +162,9 @@ BIO_new.3,BIO_free.3
 BIO_new.3,BIO_free_all.3
 BIO_new.3,BIO_set.3
 BIO_new.3,BIO_vfree.3
+BIO_printf.3,BIO_snprintf.3
+BIO_printf.3,BIO_vprintf.3
+BIO_printf.3,BIO_vsnprintf.3
 BIO_push.3,BIO_pop.3
 BIO_read.3,BIO_gets.3
 BIO_read.3,BIO_puts.3
@@ -298,6 +317,7 @@ BN_set_bit.3,BN_lshift1.3
 BN_set_bit.3,BN_mask_bits.3
 BN_set_bit.3,BN_rshift.3
 BN_set_bit.3,BN_rshift1.3
+BN_set_flags.3,BN_get_flags.3
 BN_set_negative.3,BN_is_negative.3
 BN_zero.3,BN_get_word.3
 BN_zero.3,BN_one.3
@@ -311,8 +331,10 @@ BUF_MEM_new.3,BUF_strdup.3
 CONF_modules_free.3,CONF_modules_finish.3
 CONF_modules_free.3,CONF_modules_unload.3
 CONF_modules_load_file.3,CONF_modules_load.3
+CRYPTO_get_mem_functions.3,CRYPTO_MEM_LEAK_CB.3
 CRYPTO_get_mem_functions.3,CRYPTO_mem_ctrl.3
 CRYPTO_get_mem_functions.3,CRYPTO_mem_leaks.3
+CRYPTO_get_mem_functions.3,CRYPTO_mem_leaks_cb.3
 CRYPTO_get_mem_functions.3,CRYPTO_mem_leaks_fp.3
 CRYPTO_get_mem_functions.3,CRYPTO_set_mem_functions.3
 CRYPTO_set_ex_data.3,CRYPTO_EX_dup.3
@@ -555,7 +577,6 @@ EVP_AEAD_CTX_init.3,EVP_AEAD_nonce_length.3
 EVP_AEAD_CTX_init.3,EVP_aead_aes_128_gcm.3
 EVP_AEAD_CTX_init.3,EVP_aead_aes_256_gcm.3
 EVP_AEAD_CTX_init.3,EVP_aead_chacha20_poly1305.3
-EVP_AEAD_CTX_init.3,EVP_aead_chacha20_poly1305_ietf.3
 EVP_DigestInit.3,EVP_DigestFinal.3
 EVP_DigestInit.3,EVP_DigestFinal_ex.3
 EVP_DigestInit.3,EVP_DigestInit_ex.3
@@ -566,6 +587,7 @@ EVP_DigestInit.3,EVP_MD_CTX_cleanup.3
 EVP_DigestInit.3,EVP_MD_CTX_copy.3
 EVP_DigestInit.3,EVP_MD_CTX_copy_ex.3
 EVP_DigestInit.3,EVP_MD_CTX_create.3
+EVP_DigestInit.3,EVP_MD_CTX_ctrl.3
 EVP_DigestInit.3,EVP_MD_CTX_destroy.3
 EVP_DigestInit.3,EVP_MD_CTX_init.3
 EVP_DigestInit.3,EVP_MD_CTX_md.3
@@ -582,6 +604,7 @@ EVP_DigestInit.3,EVP_get_digestbynid.3
 EVP_DigestInit.3,EVP_get_digestbyobj.3
 EVP_DigestInit.3,EVP_md2.3
 EVP_DigestInit.3,EVP_md5.3
+EVP_DigestInit.3,EVP_md5_sha1.3
 EVP_DigestInit.3,EVP_md_null.3
 EVP_DigestInit.3,EVP_ripemd160.3
 EVP_DigestInit.3,EVP_sha1.3
@@ -641,6 +664,7 @@ EVP_EncryptInit.3,EVP_EncryptFinal_ex.3
 EVP_EncryptInit.3,EVP_EncryptInit_ex.3
 EVP_EncryptInit.3,EVP_EncryptUpdate.3
 EVP_EncryptInit.3,EVP_aes_128_cbc.3
+EVP_EncryptInit.3,EVP_aes_128_cbc_hmac_sha1.3
 EVP_EncryptInit.3,EVP_aes_128_ccm.3
 EVP_EncryptInit.3,EVP_aes_128_cfb.3
 EVP_EncryptInit.3,EVP_aes_128_ecb.3
@@ -653,6 +677,7 @@ EVP_EncryptInit.3,EVP_aes_192_ecb.3
 EVP_EncryptInit.3,EVP_aes_192_gcm.3
 EVP_EncryptInit.3,EVP_aes_192_ofb.3
 EVP_EncryptInit.3,EVP_aes_256_cbc.3
+EVP_EncryptInit.3,EVP_aes_256_cbc_hmac_sha1.3
 EVP_EncryptInit.3,EVP_aes_256_ccm.3
 EVP_EncryptInit.3,EVP_aes_256_cfb.3
 EVP_EncryptInit.3,EVP_aes_256_ecb.3
@@ -696,6 +721,7 @@ EVP_EncryptInit.3,EVP_rc2_ecb.3
 EVP_EncryptInit.3,EVP_rc2_ofb.3
 EVP_EncryptInit.3,EVP_rc4.3
 EVP_EncryptInit.3,EVP_rc4_40.3
+EVP_EncryptInit.3,EVP_rc4_hmac_md5.3
 EVP_EncryptInit.3,EVP_rc5_32_12_16_cbc.3
 EVP_EncryptInit.3,EVP_rc5_32_12_16_cfb.3
 EVP_EncryptInit.3,EVP_rc5_32_12_16_ecb.3
@@ -707,10 +733,10 @@ EVP_PKEY_CTX_ctrl.3,EVP_PKEY_CTX_set_dh_paramgen_generator.3
 EVP_PKEY_CTX_ctrl.3,EVP_PKEY_CTX_set_dh_paramgen_prime_len.3
 EVP_PKEY_CTX_ctrl.3,EVP_PKEY_CTX_set_dsa_paramgen_bits.3
 EVP_PKEY_CTX_ctrl.3,EVP_PKEY_CTX_set_ec_paramgen_curve_nid.3
+EVP_PKEY_CTX_ctrl.3,EVP_PKEY_CTX_set_rsa_keygen_bits.3
 EVP_PKEY_CTX_ctrl.3,EVP_PKEY_CTX_set_rsa_keygen_pubexp.3
 EVP_PKEY_CTX_ctrl.3,EVP_PKEY_CTX_set_rsa_padding.3
 EVP_PKEY_CTX_ctrl.3,EVP_PKEY_CTX_set_rsa_pss_saltlen.3
-EVP_PKEY_CTX_ctrl.3,EVP_PKEY_CTX_set_rsa_rsa_keygen_bits.3
 EVP_PKEY_CTX_ctrl.3,EVP_PKEY_CTX_set_signature_md.3
 EVP_PKEY_CTX_new.3,EVP_PKEY_CTX_dup.3
 EVP_PKEY_CTX_new.3,EVP_PKEY_CTX_free.3
@@ -1034,12 +1060,10 @@ RSA_get_ex_new_index.3,RSA_set_ex_data.3
 RSA_new.3,RSA_free.3
 RSA_padding_add_PKCS1_type_1.3,RSA_padding_add_PKCS1_OAEP.3
 RSA_padding_add_PKCS1_type_1.3,RSA_padding_add_PKCS1_type_2.3
-RSA_padding_add_PKCS1_type_1.3,RSA_padding_add_SSLv23.3
 RSA_padding_add_PKCS1_type_1.3,RSA_padding_add_none.3
 RSA_padding_add_PKCS1_type_1.3,RSA_padding_check_PKCS1_OAEP.3
 RSA_padding_add_PKCS1_type_1.3,RSA_padding_check_PKCS1_type_1.3
 RSA_padding_add_PKCS1_type_1.3,RSA_padding_check_PKCS1_type_2.3
-RSA_padding_add_PKCS1_type_1.3,RSA_padding_check_SSLv23.3
 RSA_padding_add_PKCS1_type_1.3,RSA_padding_check_none.3
 RSA_print.3,DHparams_print.3
 RSA_print.3,DHparams_print_fp.3
@@ -1086,12 +1110,9 @@ SSL_CIPHER_get_name.3,SSL_CIPHER_get_version.3
 SSL_COMP_add_compression_method.3,SSL_COMP_get_compression_methods.3
 SSL_CTX_add_extra_chain_cert.3,SSL_CTX_clear_extra_chain_certs.3
 SSL_CTX_add_session.3,SSL_CTX_remove_session.3
-SSL_CTX_add_session.3,SSL_add_session.3
-SSL_CTX_add_session.3,SSL_remove_session.3
 SSL_CTX_ctrl.3,SSL_CTX_callback_ctrl.3
 SSL_CTX_ctrl.3,SSL_callback_ctrl.3
 SSL_CTX_ctrl.3,SSL_ctrl.3
-SSL_CTX_flush_sessions.3,SSL_flush_sessions.3
 SSL_CTX_get_ex_new_index.3,SSL_CTX_get_ex_data.3
 SSL_CTX_get_ex_new_index.3,SSL_CTX_set_ex_data.3
 SSL_CTX_get_verify_mode.3,SSL_CTX_get_verify_callback.3
@@ -1138,6 +1159,13 @@ SSL_CTX_sess_set_get_cb.3,SSL_CTX_sess_set_remove_cb.3
 SSL_CTX_sess_set_get_cb.3,get_session_cb.3
 SSL_CTX_sess_set_get_cb.3,new_session_cb.3
 SSL_CTX_sess_set_get_cb.3,remove_session_cb.3
+SSL_CTX_set1_groups.3,SSL_CTX_set1_curves.3
+SSL_CTX_set1_groups.3,SSL_CTX_set1_curves_list.3
+SSL_CTX_set1_groups.3,SSL_CTX_set1_groups_list.3
+SSL_CTX_set1_groups.3,SSL_set1_curves.3
+SSL_CTX_set1_groups.3,SSL_set1_curves_list.3
+SSL_CTX_set1_groups.3,SSL_set1_groups.3
+SSL_CTX_set1_groups.3,SSL_set1_groups_list.3
 SSL_CTX_set_alpn_select_cb.3,SSL_CTX_set_alpn_protos.3
 SSL_CTX_set_alpn_select_cb.3,SSL_get0_alpn_selected.3
 SSL_CTX_set_alpn_select_cb.3,SSL_select_next_proto.3
@@ -1160,6 +1188,9 @@ SSL_CTX_set_info_callback.3,SSL_set_info_callback.3
 SSL_CTX_set_max_cert_list.3,SSL_CTX_get_max_cert_list.3
 SSL_CTX_set_max_cert_list.3,SSL_get_max_cert_list.3
 SSL_CTX_set_max_cert_list.3,SSL_set_max_cert_list.3
+SSL_CTX_set_min_proto_version.3,SSL_CTX_set_max_proto_version.3
+SSL_CTX_set_min_proto_version.3,SSL_set_max_proto_version.3
+SSL_CTX_set_min_proto_version.3,SSL_set_min_proto_version.3
 SSL_CTX_set_mode.3,SSL_CTX_get_mode.3
 SSL_CTX_set_mode.3,SSL_get_mode.3
 SSL_CTX_set_mode.3,SSL_set_mode.3
@@ -1184,6 +1215,10 @@ SSL_CTX_set_session_id_context.3,SSL_set_session_id_context.3
 SSL_CTX_set_ssl_version.3,SSL_get_ssl_method.3
 SSL_CTX_set_ssl_version.3,SSL_set_ssl_method.3
 SSL_CTX_set_timeout.3,SSL_CTX_get_timeout.3
+SSL_CTX_set_tlsext_servername_callback.3,SSL_CTX_set_tlsext_servername_arg.3
+SSL_CTX_set_tlsext_servername_callback.3,SSL_get_servername.3
+SSL_CTX_set_tlsext_servername_callback.3,SSL_get_servername_type.3
+SSL_CTX_set_tlsext_servername_callback.3,SSL_set_tlsext_host_name.3
 SSL_CTX_set_tlsext_status_cb.3,SSL_CTX_set_tlsext_status_arg.3
 SSL_CTX_set_tlsext_status_cb.3,SSL_get_tlsext_status_ocsp_resp.3
 SSL_CTX_set_tlsext_status_cb.3,SSL_set_tlsext_status_ocsp_resp.3
@@ -1196,7 +1231,6 @@ SSL_CTX_set_tmp_rsa_callback.3,SSL_CTX_set_tmp_rsa.3
 SSL_CTX_set_tmp_rsa_callback.3,SSL_need_tmp_rsa.3
 SSL_CTX_set_tmp_rsa_callback.3,SSL_set_tmp_rsa.3
 SSL_CTX_set_tmp_rsa_callback.3,SSL_set_tmp_rsa_callback.3
-SSL_CTX_set_tmp_rsa_callback.3,tmp_rsa_callback.3
 SSL_CTX_set_verify.3,SSL_CTX_set_verify_depth.3
 SSL_CTX_set_verify.3,SSL_set_verify.3
 SSL_CTX_set_verify.3,SSL_set_verify_depth.3
@@ -1263,6 +1297,8 @@ SSL_load_client_CA_file.3,SSL_add_file_cert_subjects_to_stack.3
 SSL_num_renegotiations.3,SSL_clear_num_renegotiations.3
 SSL_num_renegotiations.3,SSL_total_renegotiations.3
 SSL_read.3,SSL_peek.3
+SSL_renegotiate.3,SSL_renegotiate_abbreviated.3
+SSL_renegotiate.3,SSL_renegotiate_pending.3
 SSL_rstate_string.3,SSL_rstate_string_long.3
 SSL_set1_param.3,SSL_CTX_set1_param.3
 SSL_set_connect_state.3,SSL_set_accept_state.3
@@ -1270,6 +1306,11 @@ SSL_set_fd.3,SSL_set_rfd.3
 SSL_set_fd.3,SSL_set_wfd.3
 SSL_set_max_send_fragment.3,SSL_CTX_set_max_send_fragment.3
 SSL_set_shutdown.3,SSL_get_shutdown.3
+SSL_set_tmp_ecdh.3,SSL_CTX_set_ecdh_auto.3
+SSL_set_tmp_ecdh.3,SSL_CTX_set_tmp_ecdh.3
+SSL_set_tmp_ecdh.3,SSL_CTX_set_tmp_ecdh_callback.3
+SSL_set_tmp_ecdh.3,SSL_set_ecdh_auto.3
+SSL_set_tmp_ecdh.3,SSL_set_tmp_ecdh_callback.3
 SSL_state_string.3,SSL_state_string_long.3
 SSL_want.3,SSL_want_nothing.3
 SSL_want.3,SSL_want_read.3
@@ -1293,6 +1334,28 @@ TS_REQ_new.3,TS_STATUS_INFO_free.3
 TS_REQ_new.3,TS_STATUS_INFO_new.3
 TS_REQ_new.3,TS_TST_INFO_free.3
 TS_REQ_new.3,TS_TST_INFO_new.3
+UI_UTIL_read_pw.3,UI_UTIL_read_pw_string.3
+UI_create_method.3,UI_destroy_method.3
+UI_create_method.3,UI_method_get_closer.3
+UI_create_method.3,UI_method_get_flusher.3
+UI_create_method.3,UI_method_get_opener.3
+UI_create_method.3,UI_method_get_prompt_constructor.3
+UI_create_method.3,UI_method_get_reader.3
+UI_create_method.3,UI_method_get_writer.3
+UI_create_method.3,UI_method_set_closer.3
+UI_create_method.3,UI_method_set_flusher.3
+UI_create_method.3,UI_method_set_opener.3
+UI_create_method.3,UI_method_set_prompt_constructor.3
+UI_create_method.3,UI_method_set_reader.3
+UI_create_method.3,UI_method_set_writer.3
+UI_get_string_type.3,UI_get0_action_string.3
+UI_get_string_type.3,UI_get0_output_string.3
+UI_get_string_type.3,UI_get0_result_string.3
+UI_get_string_type.3,UI_get0_test_string.3
+UI_get_string_type.3,UI_get_input_flags.3
+UI_get_string_type.3,UI_get_result_maxsize.3
+UI_get_string_type.3,UI_get_result_minsize.3
+UI_get_string_type.3,UI_set_result.3
 UI_new.3,UI_OpenSSL.3
 UI_new.3,UI_add_error_string.3
 UI_new.3,UI_add_info_string.3
@@ -1427,6 +1490,15 @@ X509_VERIFY_PARAM_set_flags.3,X509_VERIFY_PARAM_set_trust.3
 X509_check_host.3,X509_check_email.3
 X509_check_host.3,X509_check_ip.3
 X509_check_host.3,X509_check_ip_asc.3
+X509_check_private_key.3,X509_REQ_check_private_key.3
+X509_cmp_time.3,X509_cmp_current_time.3
+X509_cmp_time.3,X509_time_adj.3
+X509_cmp_time.3,X509_time_adj_ex.3
+X509_digest.3,PKCS7_ISSUER_AND_SERIAL_digest.3
+X509_digest.3,X509_CRL_digest.3
+X509_digest.3,X509_NAME_digest.3
+X509_digest.3,X509_REQ_digest.3
+X509_digest.3,X509_pubkey_digest.3
 X509_get_pubkey.3,X509_REQ_get_pubkey.3
 X509_get_pubkey.3,X509_REQ_set_pubkey.3
 X509_get_pubkey.3,X509_get_X509_PUBKEY.3
@@ -1525,7 +1597,6 @@ d2i_ASN1_OCTET_STRING.3,d2i_ASN1_PRINTABLE.3
 d2i_ASN1_OCTET_STRING.3,d2i_ASN1_PRINTABLESTRING.3
 d2i_ASN1_OCTET_STRING.3,d2i_ASN1_T61STRING.3
 d2i_ASN1_OCTET_STRING.3,d2i_ASN1_TIME.3
-d2i_ASN1_OCTET_STRING.3,d2i_ASN1_TIME_new.3
 d2i_ASN1_OCTET_STRING.3,d2i_ASN1_UINTEGER.3
 d2i_ASN1_OCTET_STRING.3,d2i_ASN1_UNIVERSALSTRING.3
 d2i_ASN1_OCTET_STRING.3,d2i_ASN1_UTCTIME.3
@@ -1545,7 +1616,6 @@ d2i_ASN1_OCTET_STRING.3,i2d_ASN1_PRINTABLE.3
 d2i_ASN1_OCTET_STRING.3,i2d_ASN1_PRINTABLESTRING.3
 d2i_ASN1_OCTET_STRING.3,i2d_ASN1_T61STRING.3
 d2i_ASN1_OCTET_STRING.3,i2d_ASN1_TIME.3
-d2i_ASN1_OCTET_STRING.3,i2d_ASN1_TIME_new.3
 d2i_ASN1_OCTET_STRING.3,i2d_ASN1_UNIVERSALSTRING.3
 d2i_ASN1_OCTET_STRING.3,i2d_ASN1_UTCTIME.3
 d2i_ASN1_OCTET_STRING.3,i2d_ASN1_UTF8STRING.3
@@ -1606,8 +1676,6 @@ d2i_ECPKParameters.3,d2i_EC_PUBKEY_fp.3
 d2i_ECPKParameters.3,i2d_ECPKParameters.3
 d2i_ECPKParameters.3,i2d_ECPKParameters_bio.3
 d2i_ECPKParameters.3,i2d_ECPKParameters_fp.3
-d2i_ECPKParameters.3,i2d_ECPKPrivateKey_fp.3
-d2i_ECPKParameters.3,i2d_ECPK_PUBKEY_fp.3
 d2i_ECPKParameters.3,i2d_ECParameters.3
 d2i_ECPKParameters.3,i2d_ECPrivateKey.3
 d2i_ECPKParameters.3,i2d_ECPrivateKey_bio.3
@@ -1931,6 +1999,13 @@ engine.3,ENGINE_unregister_STORE.3
 engine.3,ENGINE_unregister_ciphers.3
 engine.3,ENGINE_unregister_digests.3
 engine.3,ENGINE_up_ref.3
+get_rfc3526_prime_8192.3,get_rfc2409_prime_1024.3
+get_rfc3526_prime_8192.3,get_rfc2409_prime_768.3
+get_rfc3526_prime_8192.3,get_rfc3526_prime_1536.3
+get_rfc3526_prime_8192.3,get_rfc3526_prime_2048.3
+get_rfc3526_prime_8192.3,get_rfc3526_prime_3072.3
+get_rfc3526_prime_8192.3,get_rfc3526_prime_4096.3
+get_rfc3526_prime_8192.3,get_rfc3526_prime_6144.3
 lh_new.3,DECLARE_LHASH_OF.3
 lh_new.3,LHASH_COMP_FN_TYPE.3
 lh_new.3,LHASH_DOALL_ARG_FN_TYPE.3
@@ -1960,16 +2035,15 @@ tls_accept_socket.3,tls_accept_cbs.3
 tls_accept_socket.3,tls_accept_fds.3
 tls_client.3,tls_configure.3
 tls_client.3,tls_free.3
+tls_client.3,tls_reset.3
 tls_client.3,tls_server.3
-tls_config_ocsp_require_stapling.3,tls_config_set_ocsp_staple_file.3
-tls_config_ocsp_require_stapling.3,tls_config_set_ocsp_staple_mem.3
 tls_config_set_protocols.3,tls_config_parse_protocols.3
 tls_config_set_protocols.3,tls_config_prefer_ciphers_client.3
 tls_config_set_protocols.3,tls_config_prefer_ciphers_server.3
 tls_config_set_protocols.3,tls_config_set_alpn.3
 tls_config_set_protocols.3,tls_config_set_ciphers.3
 tls_config_set_protocols.3,tls_config_set_dheparams.3
-tls_config_set_protocols.3,tls_config_set_ecdhecurve.3
+tls_config_set_protocols.3,tls_config_set_ecdhecurves.3
 tls_config_set_session_id.3,tls_config_add_ticket_key.3
 tls_config_set_session_id.3,tls_config_set_session_lifetime.3
 tls_config_verify.3,tls_config_insecure_noverifycert.3
@@ -1978,6 +2052,7 @@ tls_config_verify.3,tls_config_insecure_noverifytime.3
 tls_conn_version.3,tls_conn_alpn_selected.3
 tls_conn_version.3,tls_conn_cipher.3
 tls_conn_version.3,tls_conn_servername.3
+tls_conn_version.3,tls_peer_cert_chain_pem.3
 tls_conn_version.3,tls_peer_cert_contains_name.3
 tls_conn_version.3,tls_peer_cert_hash.3
 tls_conn_version.3,tls_peer_cert_issuer.3
@@ -1994,19 +2069,28 @@ tls_init.3,tls_config_free.3
 tls_init.3,tls_config_new.3
 tls_load_file.3,tls_config_add_keypair_file.3
 tls_load_file.3,tls_config_add_keypair_mem.3
+tls_load_file.3,tls_config_add_keypair_ocsp_file.3
+tls_load_file.3,tls_config_add_keypair_ocsp_mem.3
 tls_load_file.3,tls_config_clear_keys.3
 tls_load_file.3,tls_config_set_ca_file.3
 tls_load_file.3,tls_config_set_ca_mem.3
 tls_load_file.3,tls_config_set_ca_path.3
 tls_load_file.3,tls_config_set_cert_file.3
 tls_load_file.3,tls_config_set_cert_mem.3
+tls_load_file.3,tls_config_set_crl_file.3
+tls_load_file.3,tls_config_set_crl_mem.3
 tls_load_file.3,tls_config_set_key_file.3
 tls_load_file.3,tls_config_set_key_mem.3
 tls_load_file.3,tls_config_set_keypair_file.3
 tls_load_file.3,tls_config_set_keypair_mem.3
+tls_load_file.3,tls_config_set_keypair_ocsp_file.3
+tls_load_file.3,tls_config_set_keypair_ocsp_mem.3
+tls_load_file.3,tls_config_set_ocsp_staple_file.3
+tls_load_file.3,tls_config_set_ocsp_staple_mem.3
 tls_load_file.3,tls_config_set_verify_depth.3
 tls_load_file.3,tls_config_verify_client.3
 tls_load_file.3,tls_config_verify_client_optional.3
+tls_load_file.3,tls_unload_file.3
 tls_ocsp_process_response.3,tls_peer_ocsp_cert_status.3
 tls_ocsp_process_response.3,tls_peer_ocsp_crl_reason.3
 tls_ocsp_process_response.3,tls_peer_ocsp_next_update.3
--- a/patches/netcat.c.patch
+++ b/patches/netcat.c.patch
@@ -1,5 +1,5 @@
--- apps/nc/netcat.c.orig	2017-07-07 00:10:09.009409624 +0900
-+++ apps/nc/netcat.c	2017-07-07 00:30:32.380088772 +0900
+--- apps/nc/netcat.c.orig	Mon Jul 17 06:06:51 2017
+++ apps/nc/netcat.c	Mon Jul 17 06:11:24 2017
@@ -66,7 +66,9 @@
 #define POLL_NETIN	2
 #define POLL_STDOUT	3
@@ -10,7 +10,7 @@
 
 #define TLS_ALL	(1 << 1)
 #define TLS_NOVERIFY	(1 << 2)
-@@ -94,9 +96,13 @@ int	zflag;					/* Port Scan Flag */
+@@ -95,9 +97,13 @@
 int	Dflag;					/* sodebug */
 int	Iflag;					/* TCP receive buffer size */
 int	Oflag;					/* TCP send buffer size */
@@ -24,7 +24,7 @@
 
 int	usetls;					/* use TLS */
 char    *Cflag;					/* Public cert file */
-@@ -265,12 +271,14 @@ main(int argc, char *argv[])
+@@ -266,12 +272,14 @@
 		case 'u':
 			uflag = 1;
 			break;
@@ -39,7 +39,7 @@
 		case 'v':
 			vflag = 1;
 			break;
-@@ -317,9 +325,11 @@ main(int argc, char *argv[])
+@@ -318,9 +326,11 @@
 		case 'o':
 			oflag = optarg;
 			break;
@@ -51,7 +51,7 @@
 		case 'T':
 			errstr = NULL;
 			errno = 0;
-@@ -343,9 +353,11 @@ main(int argc, char *argv[])
+@@ -344,9 +354,11 @@
 	argc -= optind;
 	argv += optind;
 
@@ -63,7 +63,7 @@
 
 	if (family == AF_UNIX) {
 		if (pledge("stdio rpath wpath cpath tmppath unix", NULL) == -1)
-@@ -888,7 +900,10 @@ int
+@@ -892,7 +904,10 @@
 remote_connect(const char *host, const char *port, struct addrinfo hints)
 {
 	struct addrinfo *res, *res0;
@@ -75,7 +75,7 @@
 
 	if ((error = getaddrinfo(host, port, &hints, &res0)))
 		errx(1, "getaddrinfo for host \"%s\" port %s: %s", host,
-@@ -903,8 +918,10 @@ remote_connect(const char *host, const c
+@@ -907,8 +922,10 @@
 		if (sflag || pflag) {
 			struct addrinfo ahints, *ares;
 
@@ -86,7 +86,7 @@
 			memset(&ahints, 0, sizeof(struct addrinfo));
 			ahints.ai_family = res->ai_family;
 			ahints.ai_socktype = uflag ? SOCK_DGRAM : SOCK_STREAM;
-@@ -975,7 +992,10 @@ int
+@@ -979,7 +996,10 @@
 local_listen(char *host, char *port, struct addrinfo hints)
 {
 	struct addrinfo *res, *res0;
@@ -98,7 +98,7 @@
 	int error;
 
 	/* Allow nodename to be null. */
-@@ -996,9 +1016,11 @@ local_listen(char *host, char *port, str
+@@ -1000,9 +1020,11 @@
 		    res->ai_protocol)) < 0)
 			continue;
 
@@ -110,7 +110,7 @@
 
 		set_common_sockopts(s, res->ai_family);
 
-@@ -1454,11 +1476,13 @@ set_common_sockopts(int s, int af)
+@@ -1458,11 +1480,13 @@
 {
 	int x = 1;
 
@@ -124,7 +124,7 @@
 	if (Dflag) {
 		if (setsockopt(s, SOL_SOCKET, SO_DEBUG,
 			&x, sizeof(x)) == -1)
-@@ -1469,9 +1493,16 @@ set_common_sockopts(int s, int af)
+@@ -1473,9 +1497,16 @@
 		    IP_TOS, &Tflag, sizeof(Tflag)) == -1)
 			err(1, "set IP ToS");
 
@@ -134,14 +134,14 @@
 			err(1, "set IPv6 traffic class");
 +#else
 +		else if (af == AF_INET6) {
-+			errno = ENOPROTOOPT
+			errno = ENOPROTOOPT;
 +			err(1, "set IPv6 traffic class not supported");
 +		}
 +#endif
 	}
 	if (Iflag) {
 		if (setsockopt(s, SOL_SOCKET, SO_RCVBUF,
-@@ -1495,13 +1526,17 @@ set_common_sockopts(int s, int af)
+@@ -1499,13 +1530,17 @@
 	}
 
 	if (minttl != -1) {
@@ -160,7 +160,7 @@
 	}
 }
 
-@@ -1709,14 +1744,22 @@ help(void)
+@@ -1714,14 +1749,22 @@
 	\t-P proxyuser\tUsername for proxy authentication\n\
 	\t-p port\t	Specify local port for remote connects\n\
 	\t-R CAfile	CA bundle\n\
--- a/patches/tls_internal.h.patch
+++ b/patches/tls_internal.h.patch
@@ -1,12 +1,12 @@
--- ./openbsd/src/lib/libtls/tls_internal.h	Thu Oct 15 16:12:24 2015
-+++ ./tls/tls_internal.h	Sun Dec  6 20:18:17 2015
-@@ -24,7 +24,9 @@
+--- tls/tls_internal.h.orig	Sun Jul  9 06:16:17 2017
+++ tls/tls_internal.h	Mon Jul 17 06:10:01 2017
+@@ -26,7 +26,9 @@
 
- #include <openssl/ssl.h>
+ __BEGIN_HIDDEN_DECLS
 
 +#ifndef _PATH_SSL_CA_FILE
 #define _PATH_SSL_CA_FILE "/etc/ssl/cert.pem"
 +#endif
 
- #define TLS_CIPHERS_COMPAT	"ALL:!aNULL:!eNULL"
 #define TLS_CIPHERS_DEFAULT	"TLSv1.2+AEAD+ECDHE:TLSv1.2+AEAD+DHE"
+ #define TLS_CIPHERS_COMPAT	"HIGH:!aNULL"
--- a/patches/tlsexttest.c.patch
+++ b/patches/tlsexttest.c.patch
@@ -0,0 +1,111 @@
+--- tests/tlsexttest.c.orig	2017-12-30 20:03:09.279079726 +0900
+++ tests/tlsexttest.c	2017-12-30 20:07:21.849939140 +0900
+@@ -1676,7 +1676,9 @@ static unsigned char tlsext_sni_clienthe
+ };
+ 
+ static unsigned char tlsext_sni_serverhello[] = {
+	0x00
+ };
+const size_t sizeof_tlsext_sni_serverhello = 0;
+ 
+ static int
+ test_tlsext_sni_clienthello(void)
+@@ -1839,9 +1841,9 @@ test_tlsext_sni_serverhello(void)
+ 	if (!CBB_finish(&cbb, &data, &dlen))
+ 		errx(1, "failed to finish CBB");
+ 
+-	if (dlen != sizeof(tlsext_sni_serverhello)) {
+	if (dlen != sizeof_tlsext_sni_serverhello) {
+ 		FAIL("got serverhello SNI with length %zu, "
+-		    "want length %zu\n", dlen, sizeof(tlsext_sni_serverhello));
+		    "want length %zu\n", dlen, sizeof_tlsext_sni_serverhello);
+ 		goto err;
+ 	}
+ 
+@@ -1850,14 +1852,14 @@ test_tlsext_sni_serverhello(void)
+ 		fprintf(stderr, "received:\n");
+ 		hexdump(data, dlen);
+ 		fprintf(stderr, "test data:\n");
+-		hexdump(tlsext_sni_serverhello, sizeof(tlsext_sni_serverhello));
+		hexdump(tlsext_sni_serverhello, sizeof_tlsext_sni_serverhello);
+ 		goto err;
+ 	}
+ 
+ 	free(ssl->session->tlsext_hostname);
+ 	ssl->session->tlsext_hostname = NULL;
+ 
+-	CBS_init(&cbs, tlsext_sni_serverhello, sizeof(tlsext_sni_serverhello));
+	CBS_init(&cbs, tlsext_sni_serverhello, sizeof_tlsext_sni_serverhello);
+ 	if (!tlsext_sni_serverhello_parse(ssl, &cbs, &alert)) {
+ 		FAIL("failed to parse serverhello SNI\n");
+ 		goto err;
+@@ -2741,7 +2743,10 @@ unsigned char tlsext_clienthello_default
+ 	0x03, 0x01, 0x03, 0x03, 0x02, 0x01, 0x02, 0x03,
+ };
+ 
+-unsigned char tlsext_clienthello_disabled[] = {};
+unsigned char tlsext_clienthello_disabled[] = {
+	0x00
+};
+const size_t sizeof_tlsext_clienthello_disabled = 0;
+ 
+ static int
+ test_tlsext_clienthello_build(void)
+@@ -2806,18 +2811,18 @@ test_tlsext_clienthello_build(void)
+ 	if (!CBB_finish(&cbb, &data, &dlen))
+ 		errx(1, "failed to finish CBB");
+ 
+-	if (dlen != sizeof(tlsext_clienthello_disabled)) {
+	if (dlen != sizeof_tlsext_clienthello_disabled) {
+ 		FAIL("got clienthello extensions with length %zu, "
+ 		    "want length %zu\n", dlen,
+-		    sizeof(tlsext_clienthello_disabled));
+		    sizeof_tlsext_clienthello_disabled);
+ 		compare_data(data, dlen, tlsext_clienthello_disabled,
+-		    sizeof(tlsext_clienthello_disabled));
+		    sizeof_tlsext_clienthello_disabled);
+ 		goto err;
+ 	}
+ 	if (memcmp(data, tlsext_clienthello_disabled, dlen) != 0) {
+ 		FAIL("clienthello extensions differs:\n");
+ 		compare_data(data, dlen, tlsext_clienthello_disabled,
+-		    sizeof(tlsext_clienthello_disabled));
+		    sizeof_tlsext_clienthello_disabled);
+ 		goto err;
+ 	}
+ 
+@@ -2832,7 +2837,10 @@ test_tlsext_clienthello_build(void)
+ 	return (failure);
+ }
+ 
+-unsigned char tlsext_serverhello_default[] = {};
+unsigned char tlsext_serverhello_default[] = {
+	0x00
+};
+const size_t sizeof_tlsext_serverhello_default = 0;
+ 
+ unsigned char tlsext_serverhello_enabled[] = {
+ 	0x00, 0x13, 0xff, 0x01, 0x00, 0x01, 0x00, 0x00,
+@@ -2872,18 +2880,18 @@ test_tlsext_serverhello_build(void)
+ 	if (!CBB_finish(&cbb, &data, &dlen))
+ 		errx(1, "failed to finish CBB");
+ 
+-	if (dlen != sizeof(tlsext_serverhello_default)) {
+	if (dlen != sizeof_tlsext_serverhello_default) {
+ 		FAIL("got serverhello extensions with length %zu, "
+ 		    "want length %zu\n", dlen,
+-		    sizeof(tlsext_serverhello_default));
+		    sizeof_tlsext_serverhello_default);
+ 		compare_data(data, dlen, tlsext_serverhello_default,
+-		    sizeof(tlsext_serverhello_default));
+		    sizeof_tlsext_serverhello_default);
+ 		goto err;
+ 	}
+ 	if (memcmp(data, tlsext_serverhello_default, dlen) != 0) {
+ 		FAIL("serverhello extensions differs:\n");
+ 		compare_data(data, dlen, tlsext_serverhello_default,
+-		    sizeof(tlsext_serverhello_default));
+		    sizeof_tlsext_serverhello_default);
+ 		goto err;
+ 	}
+ 
--- a/patches/windows_headers.patch
+++ b/patches/windows_headers.patch
@@ -4,36 +4,35 @@ diff -u include/openssl.orig/dtls1.h include/openssl/dtls1.h
@@ -60,7 +60,11 @@
 #ifndef HEADER_DTLS1_H
 #define HEADER_DTLS1_H
- 
+
 +#if defined(_WIN32)
 +#include <winsock2.h>
 +#else
 #include <sys/time.h>
 +#endif
- 
+
 #include <stdio.h>
 #include <stdlib.h>
-diff -u include/openssl.orig/opensslconf.h include/openssl/opensslconf.h
--- include/openssl.orig/opensslconf.h	Mon Dec  7 07:58:32 2015
-+++ include/openssl/opensslconf.h	Mon Dec  7 07:56:14 2015
+--- include/openssl/opensslconf.h.orig	Sat Nov  5 08:36:25 2016
+++ include/openssl/opensslconf.h	Mon Jul 17 06:06:58 2017
@@ -1,6 +1,10 @@
 #include <openssl/opensslfeatures.h>
 /* crypto/opensslconf.h.in */
- 
+
 +#if defined(_MSC_VER) && !defined(__attribute__)
 +#define __attribute__(a)
 +#endif
 +
 #if defined(HEADER_CRYPTLIB_H) && !defined(OPENSSLDIR)
 #define OPENSSLDIR "/etc/ssl"
-
+ #endif
 diff -u include/openssl.orig/ossl_typ.h include/openssl/ossl_typ.h
 --- include/openssl.orig/ossl_typ.h	Mon Dec  7 07:58:32 2015
 +++ include/openssl/ossl_typ.h	Mon Dec  7 07:56:14 2015
@@ -80,6 +80,22 @@
 typedef struct ASN1_ITEM_st ASN1_ITEM;
 typedef struct asn1_pctx_st ASN1_PCTX;
- 
+
 +#if defined(_WIN32) && defined(__WINCRYPT_H__)
 +#ifndef LIBRESSL_INTERNAL
 +#ifdef _MSC_VER
@@ -59,7 +58,7 @@ diff -u include/openssl.orig/pkcs7.h include/openssl/pkcs7.h
@@ -69,6 +69,18 @@
 extern "C" {
 #endif
- 
+
 +#if defined(_WIN32) && defined(__WINCRYPT_H__)
 +#ifndef LIBRESSL_INTERNAL
 +#ifdef _MSC_VER
@@ -81,7 +80,7 @@ diff -u include/openssl.orig/x509.h include/openssl/x509.h
@@ -112,6 +112,19 @@
 extern "C" {
 #endif
- 
+
 +#if defined(_WIN32)
 +#ifndef LIBRESSL_INTERNAL
 +#ifdef _MSC_VER
--- a/ssl/CMakeLists.txt
+++ b/ssl/CMakeLists.txt
@@ -35,6 +35,7 @@ set(
 	ssl_sess.c
 	ssl_srvr.c
 	ssl_stat.c
+	ssl_tlsext.c
 	ssl_txt.c
 	ssl_versions.c
 	t1_clnt.c
@@ -42,7 +43,6 @@ set(
 	t1_hash.c
 	t1_lib.c
 	t1_meth.c
-	t1_reneg.c
 	t1_srvr.c
 )

@@ -51,8 +51,9 @@ if (BUILD_SHARED)
 	add_library(ssl STATIC $<TARGET_OBJECTS:ssl-objects>)
 	add_library(ssl-shared SHARED $<TARGET_OBJECTS:ssl-objects>)
 	export_symbol(ssl-shared ${CMAKE_CURRENT_SOURCE_DIR}/ssl.sym)
+	target_link_libraries(ssl-shared crypto-shared)
 	if (WIN32)
-		target_link_libraries(ssl-shared crypto-shared Ws2_32.lib)
+		target_link_libraries(ssl-shared Ws2_32.lib)
 		set(SSL_POSTFIX -${SSL_MAJOR_VERSION})
 	endif()
 	set_target_properties(ssl-shared PROPERTIES
--- a/ssl/Makefile.am
+++ b/ssl/Makefile.am
@@ -38,6 +38,7 @@ libssl_la_SOURCES += ssl_rsa.c
 libssl_la_SOURCES += ssl_sess.c
 libssl_la_SOURCES += ssl_srvr.c
 libssl_la_SOURCES += ssl_stat.c
+libssl_la_SOURCES += ssl_tlsext.c
 libssl_la_SOURCES += ssl_txt.c
 libssl_la_SOURCES += ssl_versions.c
 libssl_la_SOURCES += t1_clnt.c
@@ -45,9 +46,9 @@ libssl_la_SOURCES += t1_enc.c
 libssl_la_SOURCES += t1_hash.c
 libssl_la_SOURCES += t1_lib.c
 libssl_la_SOURCES += t1_meth.c
-libssl_la_SOURCES += t1_reneg.c
 libssl_la_SOURCES += t1_srvr.c

 noinst_HEADERS = srtp.h
 noinst_HEADERS += ssl_locl.h
+noinst_HEADERS += ssl_tlsext.h
 noinst_HEADERS += bytestring.h
--- a/tap-driver.sh
+++ b/tap-driver.sh
@@ -1,5 +1,5 @@
 #! /bin/sh
-# Copyright (C) 2011-2014 Free Software Foundation, Inc.
+# Copyright (C) 2011-2017 Free Software Foundation, Inc.
 #
 # This program is free software; you can redistribute it and/or modify
 # it under the terms of the GNU General Public License as published by
@@ -646,6 +646,6 @@ test $? -eq 0 || fatal "I/O or internal error"
 # eval: (add-hook 'write-file-hooks 'time-stamp)
 # time-stamp-start: "scriptversion="
 # time-stamp-format: "%:y-%02m-%02d.%02H"
-# time-stamp-time-zone: "UTC"
+# time-stamp-time-zone: "UTC0"
 # time-stamp-end: "; # UTC"
 # End:
--- a/tests/CMakeLists.txt
+++ b/tests/CMakeLists.txt
@@ -41,6 +41,11 @@ if(NOT CMAKE_HOST_WIN32 AND NOT CMAKE_SYSTEM_NAME MATCHES "MINGW")
 	add_test(arc4randomforktest ${CMAKE_CURRENT_SOURCE_DIR}/arc4randomforktest.sh)
 endif()

+# asn1evp
+add_executable(asn1evp asn1evp.c)
+target_link_libraries(asn1evp ${TESTS_LIBS})
+add_test(asn1evp asn1evp)
+
 # asn1test
 add_executable(asn1test asn1test.c)
 target_link_libraries(asn1test ${TESTS_LIBS})
@@ -105,6 +110,11 @@ add_executable(clienttest clienttest.c)
 target_link_libraries(clienttest ${TESTS_LIBS})
 add_test(clienttest clienttest)

+# configtest
+add_executable(configtest configtest.c)
+target_link_libraries(configtest ${TESTS_LIBS})
+add_test(configtest configtest)
+
 # cts128test
 add_executable(cts128test cts128test.c)
 target_link_libraries(cts128test ${TESTS_LIBS})
@@ -168,6 +178,11 @@ set_source_files_properties(exptest.c PROPERTIES COMPILE_FLAGS -ULIBRESSL_INTERN
 target_link_libraries(exptest ${TESTS_LIBS})
 add_test(exptest exptest)

+# freenull
+add_executable(freenull freenull.c)
+target_link_libraries(freenull ${TESTS_LIBS})
+add_test(freenull freenull)
+
 # gcm128test
 add_executable(gcm128test gcm128test.c)
 target_link_libraries(gcm128test ${TESTS_LIBS})
@@ -366,6 +381,11 @@ add_executable(timingsafe timingsafe.c)
 target_link_libraries(timingsafe ${TESTS_LIBS})
 add_test(timingsafe timingsafe)

+# tlsexttest
+add_executable(tlsexttest tlsexttest.c)
+target_link_libraries(tlsexttest ${TESTS_LIBS})
+add_test(tlsexttest tlsexttest)
+
 # tlstest
 set(TLSTEST_SRC tlstest.c)
 check_function_exists(pipe2 HAVE_PIPE2)
--- a/tests/Makefile.am
+++ b/tests/Makefile.am
@@ -43,6 +43,11 @@ arc4randomforktest_SOURCES = arc4randomforktest.c
 endif
 EXTRA_DIST += arc4randomforktest.sh

+# asn1evp
+TESTS += asn1evp
+check_PROGRAMS += asn1evp
+asn1evp_SOURCES = asn1evp.c
+
 # asn1test
 TESTS += asn1test
 check_PROGRAMS += asn1test
@@ -108,6 +113,11 @@ TESTS += clienttest
 check_PROGRAMS += clienttest
 clienttest_SOURCES = clienttest.c

+# configtest
+TESTS += configtest
+check_PROGRAMS += configtest
+configtest_SOURCES = configtest.c
+
 # cts128test
 TESTS += cts128test
 check_PROGRAMS += cts128test
@@ -174,6 +184,11 @@ check_PROGRAMS += exptest
 exptest_CPPFLAGS = $(AM_CPPFLAGS) -ULIBRESSL_INTERNAL
 exptest_SOURCES = exptest.c

+# freenull
+TESTS += freenull
+check_PROGRAMS += freenull
+freenull_SOURCES = freenull.c
+
 # gcm128test
 TESTS += gcm128test
 check_PROGRAMS += gcm128test
@@ -350,6 +365,11 @@ TESTS += timingsafe
 check_PROGRAMS += timingsafe
 timingsafe_SOURCES = timingsafe.c

+# tlsexttest
+TESTS += tlsexttest
+check_PROGRAMS += tlsexttest
+tlsexttest_SOURCES = tlsexttest.c
+
 # tlstest
 TESTS += tlstest.sh
 check_PROGRAMS += tlstest
--- a/tests/testssl.bat
+++ b/tests/testssl.bat
@@ -123,18 +123,6 @@ for %%p in ( SSLv3 ) do (
  )
 )

-REM #
-REM # Next Protocol Negotiation tests
-REM #
-echo "Testing NPN..."
-%ssltest% -bio_pair -tls1 -npn_client & if !errorlevel! neq 0 exit /b 1
-%ssltest% -bio_pair -tls1 -npn_server & if !errorlevel! neq 0 exit /b 1
-%ssltest% -bio_pair -tls1 -npn_server_reject & if !errorlevel! neq 0 exit /b 1
-%ssltest% -bio_pair -tls1 -npn_client -npn_server_reject & if !errorlevel! neq 0 exit /b 1
-%ssltest% -bio_pair -tls1 -npn_client -npn_server & if !errorlevel! neq 0 exit /b 1
-%ssltest% -bio_pair -tls1 -npn_client -npn_server -num 2 & if !errorlevel! neq 0 exit /b 1
-%ssltest% -bio_pair -tls1 -npn_client -npn_server -num 2 -reuse & if !errorlevel! neq 0 exit /b 1
-
 REM #
 REM # ALPN tests
 REM #
--- a/tls/CMakeLists.txt
+++ b/tls/CMakeLists.txt
@@ -30,8 +30,9 @@ if (BUILD_SHARED)
 	add_library(tls STATIC $<TARGET_OBJECTS:tls-objects>)
 	add_library(tls-shared SHARED $<TARGET_OBJECTS:tls-objects>)
 	export_symbol(tls-shared ${CMAKE_CURRENT_SOURCE_DIR}/tls.sym)
+	target_link_libraries(tls-shared ssl-shared crypto-shared)
 	if (WIN32)
-		target_link_libraries(tls-shared ssl-shared crypto-shared Ws2_32.lib)
+		target_link_libraries(tls-shared Ws2_32.lib)
 		set(TLS_POSTFIX -${TLS_MAJOR_VERSION})
 	endif()
 	set_target_properties(tls-shared PROPERTIES
--- a/update.sh
+++ b/update.sh
@@ -13,6 +13,7 @@ if [ ! -d openbsd ]; then
 	fi
 fi
 (cd openbsd
+ git fetch
 git checkout $openbsd_branch
 git pull --rebase)

@@ -338,25 +339,32 @@ done
 # copy manpages
 echo "copying manpages"
 echo EXTRA_DIST = CMakeLists.txt > man/Makefile.am
-echo dist_man_MANS = >> man/Makefile.am
+echo dist_man3_MANS = >> man/Makefile.am
+echo dist_man5_MANS = >> man/Makefile.am

 (cd man
 	for i in `ls -1 $libssl_src/man/*.3 | sort`; do
 		NAME=`basename "$i"`
 		$CP $i .
-		echo "dist_man_MANS += $NAME" >> Makefile.am
+		echo "dist_man3_MANS += $NAME" >> Makefile.am
 	done

 	for i in `ls -1 $libcrypto_src/man/*.3 | sort`; do
 		NAME=`basename "$i"`
 		$CP $i .
-		echo "dist_man_MANS += $NAME" >> Makefile.am
+		echo "dist_man3_MANS += $NAME" >> Makefile.am
 	done

 	for i in `ls -1 $libtls_src/man/*.3 | sort`; do
 		NAME=`basename "$i"`
 		$CP $i .
-		echo "dist_man_MANS += $NAME" >> Makefile.am
+		echo "dist_man3_MANS += $NAME" >> Makefile.am
+	done
+
+	for i in `ls -1 $libcrypto_src/man/*.5 | sort`; do
+		NAME=`basename "$i"`
+		$CP $i .
+		echo "dist_man5_MANS += $NAME" >> Makefile.am
 	done
 )
 add_man_links . man/Makefile.am
Author	SHA1	Message	Date
Brent Cook	af624440e2	Land #376 , adjust MSVC warnings	2018-01-07 16:22:00 -06:00
Brent Cook	c3210983a5	Land #374 , hp-ux compatibility Merge remote-tracking branch 'upstream/pr/374'	2018-01-07 16:21:11 -06:00
Brent Cook	40e04292a0	Land #375 , adjust va_end calls to match scope	2018-01-07 16:19:36 -06:00
kinichiro	0ee8aa8eaf	Remove unneeded -ULIBRESSL_INTERNAL	2018-01-06 18:51:45 +09:00
kinichiro	b0e9f0a354	Reconsider MSVC warning list - Remove C4242 and C4820 - Warning explanation from manual - Sort by warning code	2018-01-06 18:12:50 +09:00
kinichiro	1f4bfb9a4d	Call va_end soon after using variable length variable - This fix MSVC compiler warning C4702 "unreachable code".	2018-01-06 00:28:49 +09:00
kinichiro	861a6ca1db	Modify regress tests/tlsexttest.c for 0 sized array - Windows and hp-ux ANSI compiler can not handle 0 sized array initialization.	2017-12-30 20:15:56 +09:00
Brent Cook	52c39d42ea	Land #373 , add app_timer_user for Windows	2017-12-28 03:39:59 -06:00
Brent Cook	9a7fb37405	Land #372 , Add CLOCK_MONOTONIC and timersub compatibility stubs	2017-12-28 03:38:41 -06:00
kinichiro	82ce59838e	Add app_timer_user for Windows build	2017-12-26 22:49:01 +09:00
kinichiro	965a89108e	Add CLOCK_MONOTONIC and timersub for the OS that does not have them	2017-12-25 16:30:49 +09:00
kinichiro	f69775d7b2	Add regress configtest	2017-12-22 23:35:48 +09:00
kinichiro	b38d7f0f8a	Add regress asn1evp	2017-12-22 23:33:15 +09:00
Brent Cook	7b6953e9a9	add timerspecsub	2017-12-12 03:31:35 -06:00
Brent Cook	6d0192ff17	update for 2.7.0	2017-12-11 06:14:02 -06:00
Brent Cook	426595b267	update links	2017-12-11 05:08:54 -06:00
Brent Cook	0f7609af9a	add release notes	2017-12-11 04:58:15 -06:00
Kyle J. McKay	26b40cb773	netcat.c.patch: eliminate syntax error from patch If the target system does not define IPV6_TCLASS, this part of the patch handles that with an ENOPROTOOPT error rather than failing to compile. Unfortunately it's missing a trailing semicolon leading to a compilation error. Add the missing semicolon to fix the problem. Signed-off-by: Kyle J. McKay <mackyle@gmail.com>	2017-12-05 15:22:15 -08:00
Evgen Bodunov	aff3a43fa0	Fixed getpagesize detection on Android	2017-11-23 15:28:25 +03:00
Brent Cook	53b5b56f39	Land #359 , create correct certs dir with CMake install	2017-11-23 05:43:27 -06:00
Aric Belsito	653ba21752	Create correct directory in CMake install. Was creating ${CONFDIR}/cert instead of ${CONFDIR}/certs.	2017-11-06 11:52:03 -08:00
Brent Cook	09ca0f7b8b	fetch before update to grab new branches	2017-11-05 17:14:55 -06:00
Brent Cook	b32a92bc44	update changelog	2017-11-05 17:11:46 -06:00
Bernard Spil	794f48f1d8	Separate man(5) pages	2017-10-22 16:10:38 +02:00
Brent Cook	cd9f686793	Land #355 , update libc checks	2017-09-26 09:21:38 -05:00
kinichiro	9bb3e03722	Fix checking memmem in apps/ocspcheck/CMakeLists.txt - Issue #352 pointed out by @d3x0r	2017-09-26 22:02:21 +09:00
Brent Cook	07b9f6c371	update release notes	2017-09-25 23:06:21 -05:00
Brent Cook	6054891d43	Land #348 , include .5 manpages	2017-09-17 10:08:19 -05:00
Aric Belsito	cbe57bef04	Some CMake Fixes. pqueue.h was getting installed when it shouldn't. pkgconfig files were not getting installed or generated.	2017-09-10 11:54:23 -07:00
kinichiro	03502b8d8f	Add *.5 manpages in libcrypto/man/	2017-09-10 12:58:47 +09:00
Brent Cook	8a2a079b6d	spelling	2017-09-06 18:37:12 -05:00
Brent Cook	c53c374f83	update VS prerequisites, refer to autogen.sh more	2017-09-04 16:32:43 -05:00
Brent Cook	fa1c469601	Land #344 , fix regress tlxexttest for certain C compilers	2017-09-04 16:24:49 -05:00
Brent Cook	7035c7268d	be more concise, formatting	2017-09-04 16:24:14 -05:00
Brent Cook	82fda3d410	update changes	2017-09-04 16:18:20 -05:00
Brent Cook	b623db7bfb	enhance README warnings, remove pod2man requirement	2017-09-04 16:14:54 -05:00
Brent Cook	3612cbe3a0	update manpage links	2017-09-03 21:52:59 -05:00
Brent Cook	d653deef65	add 2.6.1 changelog	2017-09-03 21:52:18 -05:00
kinichiro	512573f0de	Add patch for regress tlsexttest Some compiler does not support 0 sized array. This patch changes 0 sized array to have NULL and using variable instead of sizeof function.	2017-09-03 01:16:36 +09:00
kinichiro	f4d2b810cb	Remove rsa/rsa_ssl.c	2017-09-01 23:37:09 +09:00
Brent Cook	7dc68c82bc	set SMALL_TIME_T when sizeof time_t == 4	2017-08-14 12:15:00 -05:00
Brent Cook	4916f940c8	use standard initialization for poll loop delay	2017-08-13 16:09:32 -05:00
Brent Cook	9e7fd1fa31	declare struct timezone outside of the function declaration	2017-08-13 16:04:03 -05:00
Brent Cook	e0cffc6b48	disable signed/unsigned mismatch in vs builds	2017-08-13 11:49:04 -05:00
Brent Cook	8f255707f0	Land #338 , disable NPN tests	2017-08-13 08:54:38 -05:00
Brent Cook	4c6097c220	bump to latest version of tap driver	2017-08-13 08:54:03 -05:00
kinichiro	23b5d39cfb	Remove NPN test coverage for Windows.	2017-08-13 19:10:46 +09:00
Brent Cook	94e4224f5f	don't build empty object files	2017-08-12 10:05:30 -05:00
Brent Cook	bdec057318	Land #332 , fix shared library dependencies with cmake for libssl/libtls	2017-08-12 09:46:19 -05:00
kinichiro	9be0359cc3	Remove ssl/t1_reneg.c	2017-08-12 01:15:17 +09:00
Masud Rahman	1dd6a52f2d	ssl/tls cmake: fix shared library dependencies Ensure that the 'ssl' depends on 'crypto' and that 'tls' depends on 'ssl' and 'crypto' for all platforms. Prior to this commit, the dependency was only specified for the 'WIN32' CMake build.	2017-07-24 15:26:29 -04:00
Brent Cook	5ec2c381e4	rebase patches on latest, remove fuzz	2017-07-17 06:13:21 -05:00
Brent Cook	86434e03e8	update manpage links	2017-07-17 06:06:08 -05:00
Brent Cook	58ba8785fb	add tlsext	2017-07-17 05:12:55 -05:00
Brent Cook	e53af8da67	Land #329 , modify symbol exports for Darwin with cmake builds	2017-07-17 04:29:39 -05:00
Brent Cook	9887c82768	Land #331 , add prototype definitions of asprintf and vasprintf for CYGWIN build	2017-07-17 04:25:21 -05:00
kinichiro	5afc4e3cd8	add prototype definitions of asprintf and vasprintf for CYGWIN build - define _GNU_SOURCE in case of cygwin As compilation warning report by @Dravion	2017-07-16 23:59:55 +09:00
kinichiro	f7cf93fd22	Add regression test freenull	2017-07-16 11:49:15 +09:00
Brent Cook	cefd44a86e	changelog corrections	2017-07-12 04:08:47 -05:00
Masud Rahman	73e51e012f	cmake_export_symbol: Darwin compatibility The Darwin platform prefixes all C symbols with an underscore. At link-time of a shared library, libressl generates a list of symbols to export, but does not prefix each symbol with an underscore. This commit addresses that issue.	2017-06-25 18:19:20 -04:00