Merge branch 'vendor/LIBRESSL'
authorJohn Marino <draco@marino.st>
Tue, 6 Sep 2016 16:03:50 +0000 (11:03 -0500)
committerJohn Marino <draco@marino.st>
Tue, 6 Sep 2016 16:03:50 +0000 (11:03 -0500)
895 files changed:
crypto/libressl/COPYING [new file with mode: 0644]
crypto/libressl/ChangeLog [new file with mode: 0644]
crypto/libressl/VERSION [new file with mode: 0644]
crypto/libressl/apps/nc/atomicio.c [new file with mode: 0644]
crypto/libressl/apps/nc/atomicio.h [new file with mode: 0644]
crypto/libressl/apps/nc/compat/accept4.c [new file with mode: 0644]
crypto/libressl/apps/nc/compat/base64.c [new file with mode: 0644]
crypto/libressl/apps/nc/compat/readpassphrase.c [new file with mode: 0644]
crypto/libressl/apps/nc/compat/socket.c [new file with mode: 0644]
crypto/libressl/apps/nc/compat/strtonum.c [new file with mode: 0644]
crypto/libressl/apps/nc/compat/sys/socket.h [new file with mode: 0644]
crypto/libressl/apps/nc/nc.1 [new file with mode: 0644]
crypto/libressl/apps/nc/netcat.c [new file with mode: 0644]
crypto/libressl/apps/nc/socks.c [new file with mode: 0644]
crypto/libressl/apps/openssl/apps.c [new file with mode: 0644]
crypto/libressl/apps/openssl/apps.h [new file with mode: 0644]
crypto/libressl/apps/openssl/apps_posix.c [new file with mode: 0644]
crypto/libressl/apps/openssl/apps_win.c [new file with mode: 0644]
crypto/libressl/apps/openssl/asn1pars.c [new file with mode: 0644]
crypto/libressl/apps/openssl/ca.c [new file with mode: 0644]
crypto/libressl/apps/openssl/cert.pem [new file with mode: 0644]
crypto/libressl/apps/openssl/certhash.c [new file with mode: 0644]
crypto/libressl/apps/openssl/certhash_win.c [new file with mode: 0644]
crypto/libressl/apps/openssl/ciphers.c [new file with mode: 0644]
crypto/libressl/apps/openssl/cms.c [new file with mode: 0644]
crypto/libressl/apps/openssl/compat/poll_win.c [new file with mode: 0644]
crypto/libressl/apps/openssl/compat/strtonum.c [new file with mode: 0644]
crypto/libressl/apps/openssl/crl.c [new file with mode: 0644]
crypto/libressl/apps/openssl/crl2p7.c [new file with mode: 0644]
crypto/libressl/apps/openssl/dgst.c [new file with mode: 0644]
crypto/libressl/apps/openssl/dh.c [new file with mode: 0644]
crypto/libressl/apps/openssl/dhparam.c [new file with mode: 0644]
crypto/libressl/apps/openssl/dsa.c [new file with mode: 0644]
crypto/libressl/apps/openssl/dsaparam.c [new file with mode: 0644]
crypto/libressl/apps/openssl/ec.c [new file with mode: 0644]
crypto/libressl/apps/openssl/ecparam.c [new file with mode: 0644]
crypto/libressl/apps/openssl/enc.c [new file with mode: 0644]
crypto/libressl/apps/openssl/errstr.c [new file with mode: 0644]
crypto/libressl/apps/openssl/gendh.c [new file with mode: 0644]
crypto/libressl/apps/openssl/gendsa.c [new file with mode: 0644]
crypto/libressl/apps/openssl/genpkey.c [new file with mode: 0644]
crypto/libressl/apps/openssl/genrsa.c [new file with mode: 0644]
crypto/libressl/apps/openssl/nseq.c [new file with mode: 0644]
crypto/libressl/apps/openssl/ocsp.c [new file with mode: 0644]
crypto/libressl/apps/openssl/openssl.1 [new file with mode: 0644]
crypto/libressl/apps/openssl/openssl.c [new file with mode: 0644]
crypto/libressl/apps/openssl/openssl.cnf [new file with mode: 0644]
crypto/libressl/apps/openssl/passwd.c [new file with mode: 0644]
crypto/libressl/apps/openssl/pkcs12.c [new file with mode: 0644]
crypto/libressl/apps/openssl/pkcs7.c [new file with mode: 0644]
crypto/libressl/apps/openssl/pkcs8.c [new file with mode: 0644]
crypto/libressl/apps/openssl/pkey.c [new file with mode: 0644]
crypto/libressl/apps/openssl/pkeyparam.c [new file with mode: 0644]
crypto/libressl/apps/openssl/pkeyutl.c [new file with mode: 0644]
crypto/libressl/apps/openssl/prime.c [new file with mode: 0644]
crypto/libressl/apps/openssl/progs.h [new file with mode: 0644]
crypto/libressl/apps/openssl/rand.c [new file with mode: 0644]
crypto/libressl/apps/openssl/req.c [new file with mode: 0644]
crypto/libressl/apps/openssl/rsa.c [new file with mode: 0644]
crypto/libressl/apps/openssl/rsautl.c [new file with mode: 0644]
crypto/libressl/apps/openssl/s_apps.h [new file with mode: 0644]
crypto/libressl/apps/openssl/s_cb.c [new file with mode: 0644]
crypto/libressl/apps/openssl/s_client.c [new file with mode: 0644]
crypto/libressl/apps/openssl/s_server.c [new file with mode: 0644]
crypto/libressl/apps/openssl/s_socket.c [new file with mode: 0644]
crypto/libressl/apps/openssl/s_time.c [new file with mode: 0644]
crypto/libressl/apps/openssl/sess_id.c [new file with mode: 0644]
crypto/libressl/apps/openssl/smime.c [new file with mode: 0644]
crypto/libressl/apps/openssl/speed.c [new file with mode: 0644]
crypto/libressl/apps/openssl/spkac.c [new file with mode: 0644]
crypto/libressl/apps/openssl/testdsa.h [new file with mode: 0644]
crypto/libressl/apps/openssl/testrsa.h [new file with mode: 0644]
crypto/libressl/apps/openssl/timeouts.h [new file with mode: 0644]
crypto/libressl/apps/openssl/ts.c [new file with mode: 0644]
crypto/libressl/apps/openssl/verify.c [new file with mode: 0644]
crypto/libressl/apps/openssl/version.c [new file with mode: 0644]
crypto/libressl/apps/openssl/x509.c [new file with mode: 0644]
crypto/libressl/apps/openssl/x509v3.cnf [new file with mode: 0644]
crypto/libressl/crypto/VERSION [new file with mode: 0644]
crypto/libressl/crypto/aes/aes-elf-x86_64.s [new file with mode: 0644]
crypto/libressl/crypto/aes/aes-macosx-x86_64.s [new file with mode: 0644]
crypto/libressl/crypto/aes/aes_cbc.c [new file with mode: 0644]
crypto/libressl/crypto/aes/aes_cfb.c [new file with mode: 0644]
crypto/libressl/crypto/aes/aes_core.c [new file with mode: 0644]
crypto/libressl/crypto/aes/aes_ctr.c [new file with mode: 0644]
crypto/libressl/crypto/aes/aes_ecb.c [new file with mode: 0644]
crypto/libressl/crypto/aes/aes_ige.c [new file with mode: 0644]
crypto/libressl/crypto/aes/aes_locl.h [new file with mode: 0644]
crypto/libressl/crypto/aes/aes_misc.c [new file with mode: 0644]
crypto/libressl/crypto/aes/aes_ofb.c [new file with mode: 0644]
crypto/libressl/crypto/aes/aes_wrap.c [new file with mode: 0644]
crypto/libressl/crypto/aes/aesni-elf-x86_64.s [new file with mode: 0644]
crypto/libressl/crypto/aes/aesni-macosx-x86_64.s [new file with mode: 0644]
crypto/libressl/crypto/aes/aesni-sha1-elf-x86_64.s [new file with mode: 0644]
crypto/libressl/crypto/aes/aesni-sha1-macosx-x86_64.s [new file with mode: 0644]
crypto/libressl/crypto/aes/bsaes-elf-x86_64.s [new file with mode: 0644]
crypto/libressl/crypto/aes/bsaes-macosx-x86_64.s [new file with mode: 0644]
crypto/libressl/crypto/aes/vpaes-elf-x86_64.s [new file with mode: 0644]
crypto/libressl/crypto/aes/vpaes-macosx-x86_64.s [new file with mode: 0644]
crypto/libressl/crypto/asn1/a_bitstr.c [new file with mode: 0644]
crypto/libressl/crypto/asn1/a_bool.c [new file with mode: 0644]
crypto/libressl/crypto/asn1/a_bytes.c [new file with mode: 0644]
crypto/libressl/crypto/asn1/a_d2i_fp.c [new file with mode: 0644]
crypto/libressl/crypto/asn1/a_digest.c [new file with mode: 0644]
crypto/libressl/crypto/asn1/a_dup.c [new file with mode: 0644]
crypto/libressl/crypto/asn1/a_enum.c [new file with mode: 0644]
crypto/libressl/crypto/asn1/a_i2d_fp.c [new file with mode: 0644]
crypto/libressl/crypto/asn1/a_int.c [new file with mode: 0644]
crypto/libressl/crypto/asn1/a_mbstr.c [new file with mode: 0644]
crypto/libressl/crypto/asn1/a_object.c [new file with mode: 0644]
crypto/libressl/crypto/asn1/a_octet.c [new file with mode: 0644]
crypto/libressl/crypto/asn1/a_print.c [new file with mode: 0644]
crypto/libressl/crypto/asn1/a_set.c [new file with mode: 0644]
crypto/libressl/crypto/asn1/a_sign.c [new file with mode: 0644]
crypto/libressl/crypto/asn1/a_strex.c [new file with mode: 0644]
crypto/libressl/crypto/asn1/a_strnid.c [new file with mode: 0644]
crypto/libressl/crypto/asn1/a_time.c [new file with mode: 0644]
crypto/libressl/crypto/asn1/a_time_tm.c [new file with mode: 0644]
crypto/libressl/crypto/asn1/a_type.c [new file with mode: 0644]
crypto/libressl/crypto/asn1/a_utf8.c [new file with mode: 0644]
crypto/libressl/crypto/asn1/a_verify.c [new file with mode: 0644]
crypto/libressl/crypto/asn1/ameth_lib.c [new file with mode: 0644]
crypto/libressl/crypto/asn1/asn1_err.c [new file with mode: 0644]
crypto/libressl/crypto/asn1/asn1_gen.c [new file with mode: 0644]
crypto/libressl/crypto/asn1/asn1_lib.c [new file with mode: 0644]
crypto/libressl/crypto/asn1/asn1_locl.h [new file with mode: 0644]
crypto/libressl/crypto/asn1/asn1_par.c [new file with mode: 0644]
crypto/libressl/crypto/asn1/asn_mime.c [new file with mode: 0644]
crypto/libressl/crypto/asn1/asn_moid.c [new file with mode: 0644]
crypto/libressl/crypto/asn1/asn_pack.c [new file with mode: 0644]
crypto/libressl/crypto/asn1/bio_asn1.c [new file with mode: 0644]
crypto/libressl/crypto/asn1/bio_ndef.c [new file with mode: 0644]
crypto/libressl/crypto/asn1/charmap.h [new file with mode: 0644]
crypto/libressl/crypto/asn1/d2i_pr.c [new file with mode: 0644]
crypto/libressl/crypto/asn1/d2i_pu.c [new file with mode: 0644]
crypto/libressl/crypto/asn1/evp_asn1.c [new file with mode: 0644]
crypto/libressl/crypto/asn1/f_enum.c [new file with mode: 0644]
crypto/libressl/crypto/asn1/f_int.c [new file with mode: 0644]
crypto/libressl/crypto/asn1/f_string.c [new file with mode: 0644]
crypto/libressl/crypto/asn1/i2d_pr.c [new file with mode: 0644]
crypto/libressl/crypto/asn1/i2d_pu.c [new file with mode: 0644]
crypto/libressl/crypto/asn1/n_pkey.c [new file with mode: 0644]
crypto/libressl/crypto/asn1/nsseq.c [new file with mode: 0644]
crypto/libressl/crypto/asn1/p5_pbe.c [new file with mode: 0644]
crypto/libressl/crypto/asn1/p5_pbev2.c [new file with mode: 0644]
crypto/libressl/crypto/asn1/p8_pkey.c [new file with mode: 0644]
crypto/libressl/crypto/asn1/t_bitst.c [new file with mode: 0644]
crypto/libressl/crypto/asn1/t_crl.c [new file with mode: 0644]
crypto/libressl/crypto/asn1/t_pkey.c [new file with mode: 0644]
crypto/libressl/crypto/asn1/t_req.c [new file with mode: 0644]
crypto/libressl/crypto/asn1/t_spki.c [new file with mode: 0644]
crypto/libressl/crypto/asn1/t_x509.c [new file with mode: 0644]
crypto/libressl/crypto/asn1/t_x509a.c [new file with mode: 0644]
crypto/libressl/crypto/asn1/tasn_dec.c [new file with mode: 0644]
crypto/libressl/crypto/asn1/tasn_enc.c [new file with mode: 0644]
crypto/libressl/crypto/asn1/tasn_fre.c [new file with mode: 0644]
crypto/libressl/crypto/asn1/tasn_new.c [new file with mode: 0644]
crypto/libressl/crypto/asn1/tasn_prn.c [new file with mode: 0644]
crypto/libressl/crypto/asn1/tasn_typ.c [new file with mode: 0644]
crypto/libressl/crypto/asn1/tasn_utl.c [new file with mode: 0644]
crypto/libressl/crypto/asn1/x_algor.c [new file with mode: 0644]
crypto/libressl/crypto/asn1/x_attrib.c [new file with mode: 0644]
crypto/libressl/crypto/asn1/x_bignum.c [new file with mode: 0644]
crypto/libressl/crypto/asn1/x_crl.c [new file with mode: 0644]
crypto/libressl/crypto/asn1/x_exten.c [new file with mode: 0644]
crypto/libressl/crypto/asn1/x_info.c [new file with mode: 0644]
crypto/libressl/crypto/asn1/x_long.c [new file with mode: 0644]
crypto/libressl/crypto/asn1/x_name.c [new file with mode: 0644]
crypto/libressl/crypto/asn1/x_nx509.c [new file with mode: 0644]
crypto/libressl/crypto/asn1/x_pkey.c [new file with mode: 0644]
crypto/libressl/crypto/asn1/x_pubkey.c [new file with mode: 0644]
crypto/libressl/crypto/asn1/x_req.c [new file with mode: 0644]
crypto/libressl/crypto/asn1/x_sig.c [new file with mode: 0644]
crypto/libressl/crypto/asn1/x_spki.c [new file with mode: 0644]
crypto/libressl/crypto/asn1/x_val.c [new file with mode: 0644]
crypto/libressl/crypto/asn1/x_x509.c [new file with mode: 0644]
crypto/libressl/crypto/asn1/x_x509a.c [new file with mode: 0644]
crypto/libressl/crypto/bf/bf_cfb64.c [new file with mode: 0644]
crypto/libressl/crypto/bf/bf_ecb.c [new file with mode: 0644]
crypto/libressl/crypto/bf/bf_enc.c [new file with mode: 0644]
crypto/libressl/crypto/bf/bf_locl.h [new file with mode: 0644]
crypto/libressl/crypto/bf/bf_ofb64.c [new file with mode: 0644]
crypto/libressl/crypto/bf/bf_pi.h [new file with mode: 0644]
crypto/libressl/crypto/bf/bf_skey.c [new file with mode: 0644]
crypto/libressl/crypto/bio/b_dump.c [new file with mode: 0644]
crypto/libressl/crypto/bio/b_posix.c [new file with mode: 0644]
crypto/libressl/crypto/bio/b_print.c [new file with mode: 0644]
crypto/libressl/crypto/bio/b_sock.c [new file with mode: 0644]
crypto/libressl/crypto/bio/b_win.c [new file with mode: 0644]
crypto/libressl/crypto/bio/bf_buff.c [new file with mode: 0644]
crypto/libressl/crypto/bio/bf_nbio.c [new file with mode: 0644]
crypto/libressl/crypto/bio/bf_null.c [new file with mode: 0644]
crypto/libressl/crypto/bio/bio_cb.c [new file with mode: 0644]
crypto/libressl/crypto/bio/bio_err.c [new file with mode: 0644]
crypto/libressl/crypto/bio/bio_lib.c [new file with mode: 0644]
crypto/libressl/crypto/bio/bss_acpt.c [new file with mode: 0644]
crypto/libressl/crypto/bio/bss_bio.c [new file with mode: 0644]
crypto/libressl/crypto/bio/bss_conn.c [new file with mode: 0644]
crypto/libressl/crypto/bio/bss_dgram.c [new file with mode: 0644]
crypto/libressl/crypto/bio/bss_fd.c [new file with mode: 0644]
crypto/libressl/crypto/bio/bss_file.c [new file with mode: 0644]
crypto/libressl/crypto/bio/bss_log.c [new file with mode: 0644]
crypto/libressl/crypto/bio/bss_mem.c [new file with mode: 0644]
crypto/libressl/crypto/bio/bss_null.c [new file with mode: 0644]
crypto/libressl/crypto/bio/bss_sock.c [new file with mode: 0644]
crypto/libressl/crypto/bn/bn_add.c [new file with mode: 0644]
crypto/libressl/crypto/bn/bn_asm.c [new file with mode: 0644]
crypto/libressl/crypto/bn/bn_blind.c [new file with mode: 0644]
crypto/libressl/crypto/bn/bn_const.c [new file with mode: 0644]
crypto/libressl/crypto/bn/bn_ctx.c [new file with mode: 0644]
crypto/libressl/crypto/bn/bn_depr.c [new file with mode: 0644]
crypto/libressl/crypto/bn/bn_div.c [new file with mode: 0644]
crypto/libressl/crypto/bn/bn_err.c [new file with mode: 0644]
crypto/libressl/crypto/bn/bn_exp.c [new file with mode: 0644]
crypto/libressl/crypto/bn/bn_exp2.c [new file with mode: 0644]
crypto/libressl/crypto/bn/bn_gcd.c [new file with mode: 0644]
crypto/libressl/crypto/bn/bn_gf2m.c [new file with mode: 0644]
crypto/libressl/crypto/bn/bn_kron.c [new file with mode: 0644]
crypto/libressl/crypto/bn/bn_lcl.h [new file with mode: 0644]
crypto/libressl/crypto/bn/bn_lib.c [new file with mode: 0644]
crypto/libressl/crypto/bn/bn_mod.c [new file with mode: 0644]
crypto/libressl/crypto/bn/bn_mont.c [new file with mode: 0644]
crypto/libressl/crypto/bn/bn_mpi.c [new file with mode: 0644]
crypto/libressl/crypto/bn/bn_mul.c [new file with mode: 0644]
crypto/libressl/crypto/bn/bn_nist.c [new file with mode: 0644]
crypto/libressl/crypto/bn/bn_prime.c [new file with mode: 0644]
crypto/libressl/crypto/bn/bn_prime.h [new file with mode: 0644]
crypto/libressl/crypto/bn/bn_print.c [new file with mode: 0644]
crypto/libressl/crypto/bn/bn_rand.c [new file with mode: 0644]
crypto/libressl/crypto/bn/bn_recp.c [new file with mode: 0644]
crypto/libressl/crypto/bn/bn_shift.c [new file with mode: 0644]
crypto/libressl/crypto/bn/bn_sqr.c [new file with mode: 0644]
crypto/libressl/crypto/bn/bn_sqrt.c [new file with mode: 0644]
crypto/libressl/crypto/bn/bn_word.c [new file with mode: 0644]
crypto/libressl/crypto/bn/bn_x931p.c [new file with mode: 0644]
crypto/libressl/crypto/bn/gf2m-elf-x86_64.s [new file with mode: 0644]
crypto/libressl/crypto/bn/gf2m-macosx-x86_64.s [new file with mode: 0644]
crypto/libressl/crypto/bn/modexp512-elf-x86_64.s [new file with mode: 0644]
crypto/libressl/crypto/bn/modexp512-macosx-x86_64.s [new file with mode: 0644]
crypto/libressl/crypto/bn/mont-elf-x86_64.s [new file with mode: 0644]
crypto/libressl/crypto/bn/mont-macosx-x86_64.s [new file with mode: 0644]
crypto/libressl/crypto/bn/mont5-elf-x86_64.s [new file with mode: 0644]
crypto/libressl/crypto/bn/mont5-macosx-x86_64.s [new file with mode: 0644]
crypto/libressl/crypto/buffer/buf_err.c [new file with mode: 0644]
crypto/libressl/crypto/buffer/buf_str.c [new file with mode: 0644]
crypto/libressl/crypto/buffer/buffer.c [new file with mode: 0644]
crypto/libressl/crypto/camellia/camellia.c [new file with mode: 0644]
crypto/libressl/crypto/camellia/camellia.h [new file with mode: 0644]
crypto/libressl/crypto/camellia/cmll-elf-x86_64.s [new file with mode: 0644]
crypto/libressl/crypto/camellia/cmll-macosx-x86_64.s [new file with mode: 0644]
crypto/libressl/crypto/camellia/cmll_cbc.c [new file with mode: 0644]
crypto/libressl/crypto/camellia/cmll_cfb.c [new file with mode: 0644]
crypto/libressl/crypto/camellia/cmll_ctr.c [new file with mode: 0644]
crypto/libressl/crypto/camellia/cmll_ecb.c [new file with mode: 0644]
crypto/libressl/crypto/camellia/cmll_locl.h [new file with mode: 0644]
crypto/libressl/crypto/camellia/cmll_misc.c [new file with mode: 0644]
crypto/libressl/crypto/camellia/cmll_ofb.c [new file with mode: 0644]
crypto/libressl/crypto/cast/c_cfb64.c [new file with mode: 0644]
crypto/libressl/crypto/cast/c_ecb.c [new file with mode: 0644]
crypto/libressl/crypto/cast/c_enc.c [new file with mode: 0644]
crypto/libressl/crypto/cast/c_ofb64.c [new file with mode: 0644]
crypto/libressl/crypto/cast/c_skey.c [new file with mode: 0644]
crypto/libressl/crypto/cast/cast_lcl.h [new file with mode: 0644]
crypto/libressl/crypto/cast/cast_s.h [new file with mode: 0644]
crypto/libressl/crypto/chacha/chacha-merged.c [new file with mode: 0644]
crypto/libressl/crypto/chacha/chacha.c [new file with mode: 0644]
crypto/libressl/crypto/cmac/cm_ameth.c [new file with mode: 0644]
crypto/libressl/crypto/cmac/cm_pmeth.c [new file with mode: 0644]
crypto/libressl/crypto/cmac/cmac.c [new file with mode: 0644]
crypto/libressl/crypto/comp/c_rle.c [new file with mode: 0644]
crypto/libressl/crypto/comp/c_zlib.c [new file with mode: 0644]
crypto/libressl/crypto/comp/comp_err.c [new file with mode: 0644]
crypto/libressl/crypto/comp/comp_lib.c [new file with mode: 0644]
crypto/libressl/crypto/compat/arc4random.c [new file with mode: 0644]
crypto/libressl/crypto/compat/arc4random.h [new file with mode: 0644]
crypto/libressl/crypto/compat/arc4random_aix.h [new file with mode: 0644]
crypto/libressl/crypto/compat/arc4random_freebsd.h [new file with mode: 0644]
crypto/libressl/crypto/compat/arc4random_hpux.h [new file with mode: 0644]
crypto/libressl/crypto/compat/arc4random_linux.h [new file with mode: 0644]
crypto/libressl/crypto/compat/arc4random_netbsd.h [new file with mode: 0644]
crypto/libressl/crypto/compat/arc4random_osx.h [new file with mode: 0644]
crypto/libressl/crypto/compat/arc4random_solaris.h [new file with mode: 0644]
crypto/libressl/crypto/compat/arc4random_uniform.c [new file with mode: 0644]
crypto/libressl/crypto/compat/arc4random_win.h [new file with mode: 0644]
crypto/libressl/crypto/compat/bsd-asprintf.c [new file with mode: 0644]
crypto/libressl/crypto/compat/chacha_private.h [new file with mode: 0644]
crypto/libressl/crypto/compat/explicit_bzero.c [new file with mode: 0644]
crypto/libressl/crypto/compat/explicit_bzero_win.c [new file with mode: 0644]
crypto/libressl/crypto/compat/getentropy_aix.c [new file with mode: 0644]
crypto/libressl/crypto/compat/getentropy_freebsd.c [new file with mode: 0644]
crypto/libressl/crypto/compat/getentropy_hpux.c [new file with mode: 0644]
crypto/libressl/crypto/compat/getentropy_linux.c [new file with mode: 0644]
crypto/libressl/crypto/compat/getentropy_netbsd.c [new file with mode: 0644]
crypto/libressl/crypto/compat/getentropy_osx.c [new file with mode: 0644]
crypto/libressl/crypto/compat/getentropy_solaris.c [new file with mode: 0644]
crypto/libressl/crypto/compat/getentropy_win.c [new file with mode: 0644]
crypto/libressl/crypto/compat/inet_pton.c [new file with mode: 0644]
crypto/libressl/crypto/compat/posix_win.c [new file with mode: 0644]
crypto/libressl/crypto/compat/reallocarray.c [new file with mode: 0644]
crypto/libressl/crypto/compat/strcasecmp.c [new file with mode: 0644]
crypto/libressl/crypto/compat/strlcat.c [new file with mode: 0644]
crypto/libressl/crypto/compat/strlcpy.c [new file with mode: 0644]
crypto/libressl/crypto/compat/strndup.c [new file with mode: 0644]
crypto/libressl/crypto/compat/strnlen.c [new file with mode: 0644]
crypto/libressl/crypto/compat/timegm.c [new file with mode: 0644]
crypto/libressl/crypto/compat/timingsafe_bcmp.c [new file with mode: 0644]
crypto/libressl/crypto/compat/timingsafe_memcmp.c [new file with mode: 0644]
crypto/libressl/crypto/conf/conf_api.c [new file with mode: 0644]
crypto/libressl/crypto/conf/conf_def.c [new file with mode: 0644]
crypto/libressl/crypto/conf/conf_def.h [new file with mode: 0644]
crypto/libressl/crypto/conf/conf_err.c [new file with mode: 0644]
crypto/libressl/crypto/conf/conf_lib.c [new file with mode: 0644]
crypto/libressl/crypto/conf/conf_mall.c [new file with mode: 0644]
crypto/libressl/crypto/conf/conf_mod.c [new file with mode: 0644]
crypto/libressl/crypto/conf/conf_sap.c [new file with mode: 0644]
crypto/libressl/crypto/constant_time_locl.h [new file with mode: 0644]
crypto/libressl/crypto/cpt_err.c [new file with mode: 0644]
crypto/libressl/crypto/cpuid-elf-x86_64.S [new file with mode: 0644]
crypto/libressl/crypto/cpuid-macosx-x86_64.S [new file with mode: 0644]
crypto/libressl/crypto/cryptlib.c [new file with mode: 0644]
crypto/libressl/crypto/cryptlib.h [new file with mode: 0644]
crypto/libressl/crypto/cversion.c [new file with mode: 0644]
crypto/libressl/crypto/des/cbc_cksm.c [new file with mode: 0644]
crypto/libressl/crypto/des/cbc_enc.c [new file with mode: 0644]
crypto/libressl/crypto/des/cfb64ede.c [new file with mode: 0644]
crypto/libressl/crypto/des/cfb64enc.c [new file with mode: 0644]
crypto/libressl/crypto/des/cfb_enc.c [new file with mode: 0644]
crypto/libressl/crypto/des/des_enc.c [new file with mode: 0644]
crypto/libressl/crypto/des/des_locl.h [new file with mode: 0644]
crypto/libressl/crypto/des/ecb3_enc.c [new file with mode: 0644]
crypto/libressl/crypto/des/ecb_enc.c [new file with mode: 0644]
crypto/libressl/crypto/des/ede_cbcm_enc.c [new file with mode: 0644]
crypto/libressl/crypto/des/enc_read.c [new file with mode: 0644]
crypto/libressl/crypto/des/enc_writ.c [new file with mode: 0644]
crypto/libressl/crypto/des/fcrypt.c [new file with mode: 0644]
crypto/libressl/crypto/des/fcrypt_b.c [new file with mode: 0644]
crypto/libressl/crypto/des/ncbc_enc.c [new file with mode: 0644]
crypto/libressl/crypto/des/ofb64ede.c [new file with mode: 0644]
crypto/libressl/crypto/des/ofb64enc.c [new file with mode: 0644]
crypto/libressl/crypto/des/ofb_enc.c [new file with mode: 0644]
crypto/libressl/crypto/des/pcbc_enc.c [new file with mode: 0644]
crypto/libressl/crypto/des/qud_cksm.c [new file with mode: 0644]
crypto/libressl/crypto/des/rand_key.c [new file with mode: 0644]
crypto/libressl/crypto/des/set_key.c [new file with mode: 0644]
crypto/libressl/crypto/des/spr.h [new file with mode: 0644]
crypto/libressl/crypto/des/str2key.c [new file with mode: 0644]
crypto/libressl/crypto/des/xcbc_enc.c [new file with mode: 0644]
crypto/libressl/crypto/dh/dh_ameth.c [new file with mode: 0644]
crypto/libressl/crypto/dh/dh_asn1.c [new file with mode: 0644]
crypto/libressl/crypto/dh/dh_check.c [new file with mode: 0644]
crypto/libressl/crypto/dh/dh_depr.c [new file with mode: 0644]
crypto/libressl/crypto/dh/dh_err.c [new file with mode: 0644]
crypto/libressl/crypto/dh/dh_gen.c [new file with mode: 0644]
crypto/libressl/crypto/dh/dh_key.c [new file with mode: 0644]
crypto/libressl/crypto/dh/dh_lib.c [new file with mode: 0644]
crypto/libressl/crypto/dh/dh_pmeth.c [new file with mode: 0644]
crypto/libressl/crypto/dh/dh_prn.c [new file with mode: 0644]
crypto/libressl/crypto/dsa/dsa_ameth.c [new file with mode: 0644]
crypto/libressl/crypto/dsa/dsa_asn1.c [new file with mode: 0644]
crypto/libressl/crypto/dsa/dsa_depr.c [new file with mode: 0644]
crypto/libressl/crypto/dsa/dsa_err.c [new file with mode: 0644]
crypto/libressl/crypto/dsa/dsa_gen.c [new file with mode: 0644]
crypto/libressl/crypto/dsa/dsa_key.c [new file with mode: 0644]
crypto/libressl/crypto/dsa/dsa_lib.c [new file with mode: 0644]
crypto/libressl/crypto/dsa/dsa_locl.h [new file with mode: 0644]
crypto/libressl/crypto/dsa/dsa_ossl.c [new file with mode: 0644]
crypto/libressl/crypto/dsa/dsa_pmeth.c [new file with mode: 0644]
crypto/libressl/crypto/dsa/dsa_prn.c [new file with mode: 0644]
crypto/libressl/crypto/dsa/dsa_sign.c [new file with mode: 0644]
crypto/libressl/crypto/dsa/dsa_vrf.c [new file with mode: 0644]
crypto/libressl/crypto/dso/dso_dlfcn.c [new file with mode: 0644]
crypto/libressl/crypto/dso/dso_err.c [new file with mode: 0644]
crypto/libressl/crypto/dso/dso_lib.c [new file with mode: 0644]
crypto/libressl/crypto/dso/dso_null.c [new file with mode: 0644]
crypto/libressl/crypto/dso/dso_openssl.c [new file with mode: 0644]
crypto/libressl/crypto/ec/ec2_mult.c [new file with mode: 0644]
crypto/libressl/crypto/ec/ec2_oct.c [new file with mode: 0644]
crypto/libressl/crypto/ec/ec2_smpl.c [new file with mode: 0644]
crypto/libressl/crypto/ec/ec_ameth.c [new file with mode: 0644]
crypto/libressl/crypto/ec/ec_asn1.c [new file with mode: 0644]
crypto/libressl/crypto/ec/ec_check.c [new file with mode: 0644]
crypto/libressl/crypto/ec/ec_curve.c [new file with mode: 0644]
crypto/libressl/crypto/ec/ec_cvt.c [new file with mode: 0644]
crypto/libressl/crypto/ec/ec_err.c [new file with mode: 0644]
crypto/libressl/crypto/ec/ec_key.c [new file with mode: 0644]
crypto/libressl/crypto/ec/ec_lcl.h [new file with mode: 0644]
crypto/libressl/crypto/ec/ec_lib.c [new file with mode: 0644]
crypto/libressl/crypto/ec/ec_mult.c [new file with mode: 0644]
crypto/libressl/crypto/ec/ec_oct.c [new file with mode: 0644]
crypto/libressl/crypto/ec/ec_pmeth.c [new file with mode: 0644]
crypto/libressl/crypto/ec/ec_print.c [new file with mode: 0644]
crypto/libressl/crypto/ec/eck_prn.c [new file with mode: 0644]
crypto/libressl/crypto/ec/ecp_mont.c [new file with mode: 0644]
crypto/libressl/crypto/ec/ecp_nist.c [new file with mode: 0644]
crypto/libressl/crypto/ec/ecp_oct.c [new file with mode: 0644]
crypto/libressl/crypto/ec/ecp_smpl.c [new file with mode: 0644]
crypto/libressl/crypto/ecdh/ech_err.c [new file with mode: 0644]
crypto/libressl/crypto/ecdh/ech_key.c [new file with mode: 0644]
crypto/libressl/crypto/ecdh/ech_lib.c [new file with mode: 0644]
crypto/libressl/crypto/ecdh/ech_locl.h [new file with mode: 0644]
crypto/libressl/crypto/ecdsa/ecs_asn1.c [new file with mode: 0644]
crypto/libressl/crypto/ecdsa/ecs_err.c [new file with mode: 0644]
crypto/libressl/crypto/ecdsa/ecs_lib.c [new file with mode: 0644]
crypto/libressl/crypto/ecdsa/ecs_locl.h [new file with mode: 0644]
crypto/libressl/crypto/ecdsa/ecs_ossl.c [new file with mode: 0644]
crypto/libressl/crypto/ecdsa/ecs_sign.c [new file with mode: 0644]
crypto/libressl/crypto/ecdsa/ecs_vrf.c [new file with mode: 0644]
crypto/libressl/crypto/engine/eng_all.c [new file with mode: 0644]
crypto/libressl/crypto/engine/eng_cnf.c [new file with mode: 0644]
crypto/libressl/crypto/engine/eng_ctrl.c [new file with mode: 0644]
crypto/libressl/crypto/engine/eng_dyn.c [new file with mode: 0644]
crypto/libressl/crypto/engine/eng_err.c [new file with mode: 0644]
crypto/libressl/crypto/engine/eng_fat.c [new file with mode: 0644]
crypto/libressl/crypto/engine/eng_init.c [new file with mode: 0644]
crypto/libressl/crypto/engine/eng_int.h [new file with mode: 0644]
crypto/libressl/crypto/engine/eng_lib.c [new file with mode: 0644]
crypto/libressl/crypto/engine/eng_list.c [new file with mode: 0644]
crypto/libressl/crypto/engine/eng_openssl.c [new file with mode: 0644]
crypto/libressl/crypto/engine/eng_pkey.c [new file with mode: 0644]
crypto/libressl/crypto/engine/eng_table.c [new file with mode: 0644]
crypto/libressl/crypto/engine/tb_asnmth.c [new file with mode: 0644]
crypto/libressl/crypto/engine/tb_cipher.c [new file with mode: 0644]
crypto/libressl/crypto/engine/tb_dh.c [new file with mode: 0644]
crypto/libressl/crypto/engine/tb_digest.c [new file with mode: 0644]
crypto/libressl/crypto/engine/tb_dsa.c [new file with mode: 0644]
crypto/libressl/crypto/engine/tb_ecdh.c [new file with mode: 0644]
crypto/libressl/crypto/engine/tb_ecdsa.c [new file with mode: 0644]
crypto/libressl/crypto/engine/tb_pkmeth.c [new file with mode: 0644]
crypto/libressl/crypto/engine/tb_rand.c [new file with mode: 0644]
crypto/libressl/crypto/engine/tb_rsa.c [new file with mode: 0644]
crypto/libressl/crypto/engine/tb_store.c [new file with mode: 0644]
crypto/libressl/crypto/err/err.c [new file with mode: 0644]
crypto/libressl/crypto/err/err_all.c [new file with mode: 0644]
crypto/libressl/crypto/err/err_prn.c [new file with mode: 0644]
crypto/libressl/crypto/evp/bio_b64.c [new file with mode: 0644]
crypto/libressl/crypto/evp/bio_enc.c [new file with mode: 0644]
crypto/libressl/crypto/evp/bio_md.c [new file with mode: 0644]
crypto/libressl/crypto/evp/c_all.c [new file with mode: 0644]
crypto/libressl/crypto/evp/digest.c [new file with mode: 0644]
crypto/libressl/crypto/evp/e_aes.c [new file with mode: 0644]
crypto/libressl/crypto/evp/e_aes_cbc_hmac_sha1.c [new file with mode: 0644]
crypto/libressl/crypto/evp/e_bf.c [new file with mode: 0644]
crypto/libressl/crypto/evp/e_camellia.c [new file with mode: 0644]
crypto/libressl/crypto/evp/e_cast.c [new file with mode: 0644]
crypto/libressl/crypto/evp/e_chacha.c [new file with mode: 0644]
crypto/libressl/crypto/evp/e_chacha20poly1305.c [new file with mode: 0644]
crypto/libressl/crypto/evp/e_des.c [new file with mode: 0644]
crypto/libressl/crypto/evp/e_des3.c [new file with mode: 0644]
crypto/libressl/crypto/evp/e_gost2814789.c [new file with mode: 0644]
crypto/libressl/crypto/evp/e_idea.c [new file with mode: 0644]
crypto/libressl/crypto/evp/e_null.c [new file with mode: 0644]
crypto/libressl/crypto/evp/e_old.c [new file with mode: 0644]
crypto/libressl/crypto/evp/e_rc2.c [new file with mode: 0644]
crypto/libressl/crypto/evp/e_rc4.c [new file with mode: 0644]
crypto/libressl/crypto/evp/e_rc4_hmac_md5.c [new file with mode: 0644]
crypto/libressl/crypto/evp/e_xcbc_d.c [new file with mode: 0644]
crypto/libressl/crypto/evp/encode.c [new file with mode: 0644]
crypto/libressl/crypto/evp/evp_aead.c [new file with mode: 0644]
crypto/libressl/crypto/evp/evp_enc.c [new file with mode: 0644]
crypto/libressl/crypto/evp/evp_err.c [new file with mode: 0644]
crypto/libressl/crypto/evp/evp_key.c [new file with mode: 0644]
crypto/libressl/crypto/evp/evp_lib.c [new file with mode: 0644]
crypto/libressl/crypto/evp/evp_locl.h [new file with mode: 0644]
crypto/libressl/crypto/evp/evp_pbe.c [new file with mode: 0644]
crypto/libressl/crypto/evp/evp_pkey.c [new file with mode: 0644]
crypto/libressl/crypto/evp/m_dss.c [new file with mode: 0644]
crypto/libressl/crypto/evp/m_dss1.c [new file with mode: 0644]
crypto/libressl/crypto/evp/m_ecdsa.c [new file with mode: 0644]
crypto/libressl/crypto/evp/m_gost2814789.c [new file with mode: 0644]
crypto/libressl/crypto/evp/m_gostr341194.c [new file with mode: 0644]
crypto/libressl/crypto/evp/m_md4.c [new file with mode: 0644]
crypto/libressl/crypto/evp/m_md5.c [new file with mode: 0644]
crypto/libressl/crypto/evp/m_null.c [new file with mode: 0644]
crypto/libressl/crypto/evp/m_ripemd.c [new file with mode: 0644]
crypto/libressl/crypto/evp/m_sha1.c [new file with mode: 0644]
crypto/libressl/crypto/evp/m_sigver.c [new file with mode: 0644]
crypto/libressl/crypto/evp/m_streebog.c [new file with mode: 0644]
crypto/libressl/crypto/evp/m_wp.c [new file with mode: 0644]
crypto/libressl/crypto/evp/names.c [new file with mode: 0644]
crypto/libressl/crypto/evp/p5_crpt.c [new file with mode: 0644]
crypto/libressl/crypto/evp/p5_crpt2.c [new file with mode: 0644]
crypto/libressl/crypto/evp/p_dec.c [new file with mode: 0644]
crypto/libressl/crypto/evp/p_enc.c [new file with mode: 0644]
crypto/libressl/crypto/evp/p_lib.c [new file with mode: 0644]
crypto/libressl/crypto/evp/p_open.c [new file with mode: 0644]
crypto/libressl/crypto/evp/p_seal.c [new file with mode: 0644]
crypto/libressl/crypto/evp/p_sign.c [new file with mode: 0644]
crypto/libressl/crypto/evp/p_verify.c [new file with mode: 0644]
crypto/libressl/crypto/evp/pmeth_fn.c [new file with mode: 0644]
crypto/libressl/crypto/evp/pmeth_gn.c [new file with mode: 0644]
crypto/libressl/crypto/evp/pmeth_lib.c [new file with mode: 0644]
crypto/libressl/crypto/ex_data.c [new file with mode: 0644]
crypto/libressl/crypto/gost/gost.h [new file with mode: 0644]
crypto/libressl/crypto/gost/gost2814789.c [new file with mode: 0644]
crypto/libressl/crypto/gost/gost89_keywrap.c [new file with mode: 0644]
crypto/libressl/crypto/gost/gost89_params.c [new file with mode: 0644]
crypto/libressl/crypto/gost/gost89imit_ameth.c [new file with mode: 0644]
crypto/libressl/crypto/gost/gost89imit_pmeth.c [new file with mode: 0644]
crypto/libressl/crypto/gost/gost_asn1.c [new file with mode: 0644]
crypto/libressl/crypto/gost/gost_asn1.h [new file with mode: 0644]
crypto/libressl/crypto/gost/gost_err.c [new file with mode: 0644]
crypto/libressl/crypto/gost/gost_locl.h [new file with mode: 0644]
crypto/libressl/crypto/gost/gostr341001.c [new file with mode: 0644]
crypto/libressl/crypto/gost/gostr341001_ameth.c [new file with mode: 0644]
crypto/libressl/crypto/gost/gostr341001_key.c [new file with mode: 0644]
crypto/libressl/crypto/gost/gostr341001_params.c [new file with mode: 0644]
crypto/libressl/crypto/gost/gostr341001_pmeth.c [new file with mode: 0644]
crypto/libressl/crypto/gost/gostr341194.c [new file with mode: 0644]
crypto/libressl/crypto/gost/streebog.c [new file with mode: 0644]
crypto/libressl/crypto/hmac/hm_ameth.c [new file with mode: 0644]
crypto/libressl/crypto/hmac/hm_pmeth.c [new file with mode: 0644]
crypto/libressl/crypto/hmac/hmac.c [new file with mode: 0644]
crypto/libressl/crypto/idea/i_cbc.c [new file with mode: 0644]
crypto/libressl/crypto/idea/i_cfb64.c [new file with mode: 0644]
crypto/libressl/crypto/idea/i_ecb.c [new file with mode: 0644]
crypto/libressl/crypto/idea/i_ofb64.c [new file with mode: 0644]
crypto/libressl/crypto/idea/i_skey.c [new file with mode: 0644]
crypto/libressl/crypto/idea/idea_lcl.h [new file with mode: 0644]
crypto/libressl/crypto/krb5/krb5_asn.c [new file with mode: 0644]
crypto/libressl/crypto/lhash/lh_stats.c [new file with mode: 0644]
crypto/libressl/crypto/lhash/lhash.c [new file with mode: 0644]
crypto/libressl/crypto/malloc-wrapper.c [new file with mode: 0644]
crypto/libressl/crypto/md32_common.h [new file with mode: 0644]
crypto/libressl/crypto/md4/md4_dgst.c [new file with mode: 0644]
crypto/libressl/crypto/md4/md4_locl.h [new file with mode: 0644]
crypto/libressl/crypto/md4/md4_one.c [new file with mode: 0644]
crypto/libressl/crypto/md5/md5-elf-x86_64.s [new file with mode: 0644]
crypto/libressl/crypto/md5/md5-macosx-x86_64.s [new file with mode: 0644]
crypto/libressl/crypto/md5/md5_dgst.c [new file with mode: 0644]
crypto/libressl/crypto/md5/md5_locl.h [new file with mode: 0644]
crypto/libressl/crypto/md5/md5_one.c [new file with mode: 0644]
crypto/libressl/crypto/mem_clr.c [new file with mode: 0644]
crypto/libressl/crypto/mem_dbg.c [new file with mode: 0644]
crypto/libressl/crypto/modes/cbc128.c [new file with mode: 0644]
crypto/libressl/crypto/modes/ccm128.c [new file with mode: 0644]
crypto/libressl/crypto/modes/cfb128.c [new file with mode: 0644]
crypto/libressl/crypto/modes/ctr128.c [new file with mode: 0644]
crypto/libressl/crypto/modes/cts128.c [new file with mode: 0644]
crypto/libressl/crypto/modes/gcm128.c [new file with mode: 0644]
crypto/libressl/crypto/modes/ghash-elf-x86_64.s [new file with mode: 0644]
crypto/libressl/crypto/modes/ghash-macosx-x86_64.s [new file with mode: 0644]
crypto/libressl/crypto/modes/modes_lcl.h [new file with mode: 0644]
crypto/libressl/crypto/modes/ofb128.c [new file with mode: 0644]
crypto/libressl/crypto/modes/xts128.c [new file with mode: 0644]
crypto/libressl/crypto/o_init.c [new file with mode: 0644]
crypto/libressl/crypto/o_str.c [new file with mode: 0644]
crypto/libressl/crypto/o_time.c [new file with mode: 0644]
crypto/libressl/crypto/o_time.h [new file with mode: 0644]
crypto/libressl/crypto/objects/o_names.c [new file with mode: 0644]
crypto/libressl/crypto/objects/obj_dat.c [new file with mode: 0644]
crypto/libressl/crypto/objects/obj_dat.h [new file with mode: 0644]
crypto/libressl/crypto/objects/obj_err.c [new file with mode: 0644]
crypto/libressl/crypto/objects/obj_lib.c [new file with mode: 0644]
crypto/libressl/crypto/objects/obj_xref.c [new file with mode: 0644]
crypto/libressl/crypto/objects/obj_xref.h [new file with mode: 0644]
crypto/libressl/crypto/ocsp/ocsp_asn.c [new file with mode: 0644]
crypto/libressl/crypto/ocsp/ocsp_cl.c [new file with mode: 0644]
crypto/libressl/crypto/ocsp/ocsp_err.c [new file with mode: 0644]
crypto/libressl/crypto/ocsp/ocsp_ext.c [new file with mode: 0644]
crypto/libressl/crypto/ocsp/ocsp_ht.c [new file with mode: 0644]
crypto/libressl/crypto/ocsp/ocsp_lib.c [new file with mode: 0644]
crypto/libressl/crypto/ocsp/ocsp_prn.c [new file with mode: 0644]
crypto/libressl/crypto/ocsp/ocsp_srv.c [new file with mode: 0644]
crypto/libressl/crypto/ocsp/ocsp_vfy.c [new file with mode: 0644]
crypto/libressl/crypto/pem/pem_all.c [new file with mode: 0644]
crypto/libressl/crypto/pem/pem_err.c [new file with mode: 0644]
crypto/libressl/crypto/pem/pem_info.c [new file with mode: 0644]
crypto/libressl/crypto/pem/pem_lib.c [new file with mode: 0644]
crypto/libressl/crypto/pem/pem_oth.c [new file with mode: 0644]
crypto/libressl/crypto/pem/pem_pk8.c [new file with mode: 0644]
crypto/libressl/crypto/pem/pem_pkey.c [new file with mode: 0644]
crypto/libressl/crypto/pem/pem_seal.c [new file with mode: 0644]
crypto/libressl/crypto/pem/pem_sign.c [new file with mode: 0644]
crypto/libressl/crypto/pem/pem_x509.c [new file with mode: 0644]
crypto/libressl/crypto/pem/pem_xaux.c [new file with mode: 0644]
crypto/libressl/crypto/pem/pvkfmt.c [new file with mode: 0644]
crypto/libressl/crypto/pkcs12/p12_add.c [new file with mode: 0644]
crypto/libressl/crypto/pkcs12/p12_asn.c [new file with mode: 0644]
crypto/libressl/crypto/pkcs12/p12_attr.c [new file with mode: 0644]
crypto/libressl/crypto/pkcs12/p12_crpt.c [new file with mode: 0644]
crypto/libressl/crypto/pkcs12/p12_crt.c [new file with mode: 0644]
crypto/libressl/crypto/pkcs12/p12_decr.c [new file with mode: 0644]
crypto/libressl/crypto/pkcs12/p12_init.c [new file with mode: 0644]
crypto/libressl/crypto/pkcs12/p12_key.c [new file with mode: 0644]
crypto/libressl/crypto/pkcs12/p12_kiss.c [new file with mode: 0644]
crypto/libressl/crypto/pkcs12/p12_mutl.c [new file with mode: 0644]
crypto/libressl/crypto/pkcs12/p12_npas.c [new file with mode: 0644]
crypto/libressl/crypto/pkcs12/p12_p8d.c [new file with mode: 0644]
crypto/libressl/crypto/pkcs12/p12_p8e.c [new file with mode: 0644]
crypto/libressl/crypto/pkcs12/p12_utl.c [new file with mode: 0644]
crypto/libressl/crypto/pkcs12/pk12err.c [new file with mode: 0644]
crypto/libressl/crypto/pkcs7/bio_pk7.c [new file with mode: 0644]
crypto/libressl/crypto/pkcs7/pk7_asn1.c [new file with mode: 0644]
crypto/libressl/crypto/pkcs7/pk7_attr.c [new file with mode: 0644]
crypto/libressl/crypto/pkcs7/pk7_doit.c [new file with mode: 0644]
crypto/libressl/crypto/pkcs7/pk7_lib.c [new file with mode: 0644]
crypto/libressl/crypto/pkcs7/pk7_mime.c [new file with mode: 0644]
crypto/libressl/crypto/pkcs7/pk7_smime.c [new file with mode: 0644]
crypto/libressl/crypto/pkcs7/pkcs7err.c [new file with mode: 0644]
crypto/libressl/crypto/poly1305/poly1305-donna.c [new file with mode: 0644]
crypto/libressl/crypto/poly1305/poly1305.c [new file with mode: 0644]
crypto/libressl/crypto/rand/rand_err.c [new file with mode: 0644]
crypto/libressl/crypto/rand/rand_lib.c [new file with mode: 0644]
crypto/libressl/crypto/rand/randfile.c [new file with mode: 0644]
crypto/libressl/crypto/rc2/rc2_cbc.c [new file with mode: 0644]
crypto/libressl/crypto/rc2/rc2_ecb.c [new file with mode: 0644]
crypto/libressl/crypto/rc2/rc2_locl.h [new file with mode: 0644]
crypto/libressl/crypto/rc2/rc2_skey.c [new file with mode: 0644]
crypto/libressl/crypto/rc2/rc2cfb64.c [new file with mode: 0644]
crypto/libressl/crypto/rc2/rc2ofb64.c [new file with mode: 0644]
crypto/libressl/crypto/rc4/rc4-elf-x86_64.s [new file with mode: 0644]
crypto/libressl/crypto/rc4/rc4-macosx-x86_64.s [new file with mode: 0644]
crypto/libressl/crypto/rc4/rc4-md5-elf-x86_64.s [new file with mode: 0644]
crypto/libressl/crypto/rc4/rc4-md5-macosx-x86_64.s [new file with mode: 0644]
crypto/libressl/crypto/rc4/rc4_enc.c [new file with mode: 0644]
crypto/libressl/crypto/rc4/rc4_locl.h [new file with mode: 0644]
crypto/libressl/crypto/rc4/rc4_skey.c [new file with mode: 0644]
crypto/libressl/crypto/ripemd/rmd_dgst.c [new file with mode: 0644]
crypto/libressl/crypto/ripemd/rmd_locl.h [new file with mode: 0644]
crypto/libressl/crypto/ripemd/rmd_one.c [new file with mode: 0644]
crypto/libressl/crypto/ripemd/rmdconst.h [new file with mode: 0644]
crypto/libressl/crypto/rsa/rsa_ameth.c [new file with mode: 0644]
crypto/libressl/crypto/rsa/rsa_asn1.c [new file with mode: 0644]
crypto/libressl/crypto/rsa/rsa_chk.c [new file with mode: 0644]
crypto/libressl/crypto/rsa/rsa_crpt.c [new file with mode: 0644]
crypto/libressl/crypto/rsa/rsa_depr.c [new file with mode: 0644]
crypto/libressl/crypto/rsa/rsa_eay.c [new file with mode: 0644]
crypto/libressl/crypto/rsa/rsa_err.c [new file with mode: 0644]
crypto/libressl/crypto/rsa/rsa_gen.c [new file with mode: 0644]
crypto/libressl/crypto/rsa/rsa_lib.c [new file with mode: 0644]
crypto/libressl/crypto/rsa/rsa_locl.h [new file with mode: 0644]
crypto/libressl/crypto/rsa/rsa_none.c [new file with mode: 0644]
crypto/libressl/crypto/rsa/rsa_oaep.c [new file with mode: 0644]
crypto/libressl/crypto/rsa/rsa_pk1.c [new file with mode: 0644]
crypto/libressl/crypto/rsa/rsa_pmeth.c [new file with mode: 0644]
crypto/libressl/crypto/rsa/rsa_prn.c [new file with mode: 0644]
crypto/libressl/crypto/rsa/rsa_pss.c [new file with mode: 0644]
crypto/libressl/crypto/rsa/rsa_saos.c [new file with mode: 0644]
crypto/libressl/crypto/rsa/rsa_sign.c [new file with mode: 0644]
crypto/libressl/crypto/rsa/rsa_ssl.c [new file with mode: 0644]
crypto/libressl/crypto/rsa/rsa_x931.c [new file with mode: 0644]
crypto/libressl/crypto/sha/sha1-elf-x86_64.s [new file with mode: 0644]
crypto/libressl/crypto/sha/sha1-macosx-x86_64.s [new file with mode: 0644]
crypto/libressl/crypto/sha/sha1_one.c [new file with mode: 0644]
crypto/libressl/crypto/sha/sha1dgst.c [new file with mode: 0644]
crypto/libressl/crypto/sha/sha256-elf-x86_64.S [new file with mode: 0644]
crypto/libressl/crypto/sha/sha256-macosx-x86_64.S [new file with mode: 0644]
crypto/libressl/crypto/sha/sha256.c [new file with mode: 0644]
crypto/libressl/crypto/sha/sha512-elf-x86_64.S [new file with mode: 0644]
crypto/libressl/crypto/sha/sha512-macosx-x86_64.S [new file with mode: 0644]
crypto/libressl/crypto/sha/sha512.c [new file with mode: 0644]
crypto/libressl/crypto/sha/sha_locl.h [new file with mode: 0644]
crypto/libressl/crypto/stack/stack.c [new file with mode: 0644]
crypto/libressl/crypto/ts/ts_asn1.c [new file with mode: 0644]
crypto/libressl/crypto/ts/ts_conf.c [new file with mode: 0644]
crypto/libressl/crypto/ts/ts_err.c [new file with mode: 0644]
crypto/libressl/crypto/ts/ts_lib.c [new file with mode: 0644]
crypto/libressl/crypto/ts/ts_req_print.c [new file with mode: 0644]
crypto/libressl/crypto/ts/ts_req_utils.c [new file with mode: 0644]
crypto/libressl/crypto/ts/ts_rsp_print.c [new file with mode: 0644]
crypto/libressl/crypto/ts/ts_rsp_sign.c [new file with mode: 0644]
crypto/libressl/crypto/ts/ts_rsp_utils.c [new file with mode: 0644]
crypto/libressl/crypto/ts/ts_rsp_verify.c [new file with mode: 0644]
crypto/libressl/crypto/ts/ts_verify_ctx.c [new file with mode: 0644]
crypto/libressl/crypto/txt_db/txt_db.c [new file with mode: 0644]
crypto/libressl/crypto/ui/ui_err.c [new file with mode: 0644]
crypto/libressl/crypto/ui/ui_lib.c [new file with mode: 0644]
crypto/libressl/crypto/ui/ui_locl.h [new file with mode: 0644]
crypto/libressl/crypto/ui/ui_openssl.c [new file with mode: 0644]
crypto/libressl/crypto/ui/ui_openssl_win.c [new file with mode: 0644]
crypto/libressl/crypto/ui/ui_util.c [new file with mode: 0644]
crypto/libressl/crypto/whrlpool/wp-elf-x86_64.s [new file with mode: 0644]
crypto/libressl/crypto/whrlpool/wp-macosx-x86_64.s [new file with mode: 0644]
crypto/libressl/crypto/whrlpool/wp_block.c [new file with mode: 0644]
crypto/libressl/crypto/whrlpool/wp_dgst.c [new file with mode: 0644]
crypto/libressl/crypto/whrlpool/wp_locl.h [new file with mode: 0644]
crypto/libressl/crypto/x509/by_dir.c [new file with mode: 0644]
crypto/libressl/crypto/x509/by_file.c [new file with mode: 0644]
crypto/libressl/crypto/x509/by_mem.c [new file with mode: 0644]
crypto/libressl/crypto/x509/x509_att.c [new file with mode: 0644]
crypto/libressl/crypto/x509/x509_cmp.c [new file with mode: 0644]
crypto/libressl/crypto/x509/x509_d2.c [new file with mode: 0644]
crypto/libressl/crypto/x509/x509_def.c [new file with mode: 0644]
crypto/libressl/crypto/x509/x509_err.c [new file with mode: 0644]
crypto/libressl/crypto/x509/x509_ext.c [new file with mode: 0644]
crypto/libressl/crypto/x509/x509_lcl.h [new file with mode: 0644]
crypto/libressl/crypto/x509/x509_lu.c [new file with mode: 0644]
crypto/libressl/crypto/x509/x509_obj.c [new file with mode: 0644]
crypto/libressl/crypto/x509/x509_r2x.c [new file with mode: 0644]
crypto/libressl/crypto/x509/x509_req.c [new file with mode: 0644]
crypto/libressl/crypto/x509/x509_set.c [new file with mode: 0644]
crypto/libressl/crypto/x509/x509_trs.c [new file with mode: 0644]
crypto/libressl/crypto/x509/x509_txt.c [new file with mode: 0644]
crypto/libressl/crypto/x509/x509_v3.c [new file with mode: 0644]
crypto/libressl/crypto/x509/x509_vfy.c [new file with mode: 0644]
crypto/libressl/crypto/x509/x509_vpm.c [new file with mode: 0644]
crypto/libressl/crypto/x509/x509cset.c [new file with mode: 0644]
crypto/libressl/crypto/x509/x509name.c [new file with mode: 0644]
crypto/libressl/crypto/x509/x509rset.c [new file with mode: 0644]
crypto/libressl/crypto/x509/x509spki.c [new file with mode: 0644]
crypto/libressl/crypto/x509/x509type.c [new file with mode: 0644]
crypto/libressl/crypto/x509/x_all.c [new file with mode: 0644]
crypto/libressl/crypto/x509v3/ext_dat.h [new file with mode: 0644]
crypto/libressl/crypto/x509v3/pcy_cache.c [new file with mode: 0644]
crypto/libressl/crypto/x509v3/pcy_data.c [new file with mode: 0644]
crypto/libressl/crypto/x509v3/pcy_int.h [new file with mode: 0644]
crypto/libressl/crypto/x509v3/pcy_lib.c [new file with mode: 0644]
crypto/libressl/crypto/x509v3/pcy_map.c [new file with mode: 0644]
crypto/libressl/crypto/x509v3/pcy_node.c [new file with mode: 0644]
crypto/libressl/crypto/x509v3/pcy_tree.c [new file with mode: 0644]
crypto/libressl/crypto/x509v3/v3_akey.c [new file with mode: 0644]
crypto/libressl/crypto/x509v3/v3_akeya.c [new file with mode: 0644]
crypto/libressl/crypto/x509v3/v3_alt.c [new file with mode: 0644]
crypto/libressl/crypto/x509v3/v3_bcons.c [new file with mode: 0644]
crypto/libressl/crypto/x509v3/v3_bitst.c [new file with mode: 0644]
crypto/libressl/crypto/x509v3/v3_conf.c [new file with mode: 0644]
crypto/libressl/crypto/x509v3/v3_cpols.c [new file with mode: 0644]
crypto/libressl/crypto/x509v3/v3_crld.c [new file with mode: 0644]
crypto/libressl/crypto/x509v3/v3_enum.c [new file with mode: 0644]
crypto/libressl/crypto/x509v3/v3_extku.c [new file with mode: 0644]
crypto/libressl/crypto/x509v3/v3_genn.c [new file with mode: 0644]
crypto/libressl/crypto/x509v3/v3_ia5.c [new file with mode: 0644]
crypto/libressl/crypto/x509v3/v3_info.c [new file with mode: 0644]
crypto/libressl/crypto/x509v3/v3_int.c [new file with mode: 0644]
crypto/libressl/crypto/x509v3/v3_lib.c [new file with mode: 0644]
crypto/libressl/crypto/x509v3/v3_ncons.c [new file with mode: 0644]
crypto/libressl/crypto/x509v3/v3_ocsp.c [new file with mode: 0644]
crypto/libressl/crypto/x509v3/v3_pci.c [new file with mode: 0644]
crypto/libressl/crypto/x509v3/v3_pcia.c [new file with mode: 0644]
crypto/libressl/crypto/x509v3/v3_pcons.c [new file with mode: 0644]
crypto/libressl/crypto/x509v3/v3_pku.c [new file with mode: 0644]
crypto/libressl/crypto/x509v3/v3_pmaps.c [new file with mode: 0644]
crypto/libressl/crypto/x509v3/v3_prn.c [new file with mode: 0644]
crypto/libressl/crypto/x509v3/v3_purp.c [new file with mode: 0644]
crypto/libressl/crypto/x509v3/v3_skey.c [new file with mode: 0644]
crypto/libressl/crypto/x509v3/v3_sxnet.c [new file with mode: 0644]
crypto/libressl/crypto/x509v3/v3_utl.c [new file with mode: 0644]
crypto/libressl/crypto/x509v3/v3err.c [new file with mode: 0644]
crypto/libressl/include/compat/arpa/inet.h [new file with mode: 0644]
crypto/libressl/include/compat/arpa/nameser.h [new file with mode: 0644]
crypto/libressl/include/compat/dirent.h [new file with mode: 0644]
crypto/libressl/include/compat/dirent_msvc.h [new file with mode: 0644]
crypto/libressl/include/compat/err.h [new file with mode: 0644]
crypto/libressl/include/compat/limits.h [new file with mode: 0644]
crypto/libressl/include/compat/machine/endian.h [new file with mode: 0644]
crypto/libressl/include/compat/netdb.h [new file with mode: 0644]
crypto/libressl/include/compat/netinet/in.h [new file with mode: 0644]
crypto/libressl/include/compat/netinet/ip.h [new file with mode: 0644]
crypto/libressl/include/compat/netinet/tcp.h [new file with mode: 0644]
crypto/libressl/include/compat/poll.h [new file with mode: 0644]
crypto/libressl/include/compat/readpassphrase.h [new file with mode: 0644]
crypto/libressl/include/compat/resolv.h [new file with mode: 0644]
crypto/libressl/include/compat/stdio.h [new file with mode: 0644]
crypto/libressl/include/compat/stdlib.h [new file with mode: 0644]
crypto/libressl/include/compat/string.h [new file with mode: 0644]
crypto/libressl/include/compat/sys/cdefs.h [new file with mode: 0644]
crypto/libressl/include/compat/sys/ioctl.h [new file with mode: 0644]
crypto/libressl/include/compat/sys/mman.h [new file with mode: 0644]
crypto/libressl/include/compat/sys/param.h [new file with mode: 0644]
crypto/libressl/include/compat/sys/select.h [new file with mode: 0644]
crypto/libressl/include/compat/sys/socket.h [new file with mode: 0644]
crypto/libressl/include/compat/sys/stat.h [new file with mode: 0644]
crypto/libressl/include/compat/sys/time.h [new file with mode: 0644]
crypto/libressl/include/compat/sys/types.h [new file with mode: 0644]
crypto/libressl/include/compat/sys/uio.h [new file with mode: 0644]
crypto/libressl/include/compat/time.h [new file with mode: 0644]
crypto/libressl/include/compat/unistd.h [new file with mode: 0644]
crypto/libressl/include/compat/win32netcompat.h [new file with mode: 0644]
crypto/libressl/include/openssl/aes.h [new file with mode: 0644]
crypto/libressl/include/openssl/asn1.h [new file with mode: 0644]
crypto/libressl/include/openssl/asn1_mac.h [new file with mode: 0644]
crypto/libressl/include/openssl/asn1t.h [new file with mode: 0644]
crypto/libressl/include/openssl/bio.h [new file with mode: 0644]
crypto/libressl/include/openssl/blowfish.h [new file with mode: 0644]
crypto/libressl/include/openssl/bn.h [new file with mode: 0644]
crypto/libressl/include/openssl/buffer.h [new file with mode: 0644]
crypto/libressl/include/openssl/camellia.h [new file with mode: 0644]
crypto/libressl/include/openssl/cast.h [new file with mode: 0644]
crypto/libressl/include/openssl/chacha.h [new file with mode: 0644]
crypto/libressl/include/openssl/cmac.h [new file with mode: 0644]
crypto/libressl/include/openssl/cms.h [new file with mode: 0644]
crypto/libressl/include/openssl/comp.h [new file with mode: 0644]
crypto/libressl/include/openssl/conf.h [new file with mode: 0644]
crypto/libressl/include/openssl/conf_api.h [new file with mode: 0644]
crypto/libressl/include/openssl/crypto.h [new file with mode: 0644]
crypto/libressl/include/openssl/des.h [new file with mode: 0644]
crypto/libressl/include/openssl/dh.h [new file with mode: 0644]
crypto/libressl/include/openssl/dsa.h [new file with mode: 0644]
crypto/libressl/include/openssl/dso.h [new file with mode: 0644]
crypto/libressl/include/openssl/dtls1.h [new file with mode: 0644]
crypto/libressl/include/openssl/ec.h [new file with mode: 0644]
crypto/libressl/include/openssl/ecdh.h [new file with mode: 0644]
crypto/libressl/include/openssl/ecdsa.h [new file with mode: 0644]
crypto/libressl/include/openssl/engine.h [new file with mode: 0644]
crypto/libressl/include/openssl/err.h [new file with mode: 0644]
crypto/libressl/include/openssl/evp.h [new file with mode: 0644]
crypto/libressl/include/openssl/gost.h [new file with mode: 0644]
crypto/libressl/include/openssl/hmac.h [new file with mode: 0644]
crypto/libressl/include/openssl/idea.h [new file with mode: 0644]
crypto/libressl/include/openssl/krb5_asn.h [new file with mode: 0644]
crypto/libressl/include/openssl/lhash.h [new file with mode: 0644]
crypto/libressl/include/openssl/md4.h [new file with mode: 0644]
crypto/libressl/include/openssl/md5.h [new file with mode: 0644]
crypto/libressl/include/openssl/modes.h [new file with mode: 0644]
crypto/libressl/include/openssl/obj_mac.h [new file with mode: 0644]
crypto/libressl/include/openssl/objects.h [new file with mode: 0644]
crypto/libressl/include/openssl/ocsp.h [new file with mode: 0644]
crypto/libressl/include/openssl/opensslconf.h [new file with mode: 0644]
crypto/libressl/include/openssl/opensslfeatures.h [new file with mode: 0644]
crypto/libressl/include/openssl/opensslv.h [new file with mode: 0644]
crypto/libressl/include/openssl/ossl_typ.h [new file with mode: 0644]
crypto/libressl/include/openssl/pem.h [new file with mode: 0644]
crypto/libressl/include/openssl/pem2.h [new file with mode: 0644]
crypto/libressl/include/openssl/pkcs12.h [new file with mode: 0644]
crypto/libressl/include/openssl/pkcs7.h [new file with mode: 0644]
crypto/libressl/include/openssl/poly1305.h [new file with mode: 0644]
crypto/libressl/include/openssl/rand.h [new file with mode: 0644]
crypto/libressl/include/openssl/rc2.h [new file with mode: 0644]
crypto/libressl/include/openssl/rc4.h [new file with mode: 0644]
crypto/libressl/include/openssl/ripemd.h [new file with mode: 0644]
crypto/libressl/include/openssl/rsa.h [new file with mode: 0644]
crypto/libressl/include/openssl/safestack.h [new file with mode: 0644]
crypto/libressl/include/openssl/sha.h [new file with mode: 0644]
crypto/libressl/include/openssl/srtp.h [new file with mode: 0644]
crypto/libressl/include/openssl/ssl.h [new file with mode: 0644]
crypto/libressl/include/openssl/ssl2.h [new file with mode: 0644]
crypto/libressl/include/openssl/ssl23.h [new file with mode: 0644]
crypto/libressl/include/openssl/ssl3.h [new file with mode: 0644]
crypto/libressl/include/openssl/stack.h [new file with mode: 0644]
crypto/libressl/include/openssl/tls1.h [new file with mode: 0644]
crypto/libressl/include/openssl/ts.h [new file with mode: 0644]
crypto/libressl/include/openssl/txt_db.h [new file with mode: 0644]
crypto/libressl/include/openssl/ui.h [new file with mode: 0644]
crypto/libressl/include/openssl/ui_compat.h [new file with mode: 0644]
crypto/libressl/include/openssl/whrlpool.h [new file with mode: 0644]
crypto/libressl/include/openssl/x509.h [new file with mode: 0644]
crypto/libressl/include/openssl/x509_vfy.h [new file with mode: 0644]
crypto/libressl/include/openssl/x509v3.h [new file with mode: 0644]
crypto/libressl/include/pqueue.h [new file with mode: 0644]
crypto/libressl/include/tls.h [new file with mode: 0644]
crypto/libressl/ssl/VERSION [new file with mode: 0644]
crypto/libressl/ssl/bio_ssl.c [new file with mode: 0644]
crypto/libressl/ssl/bs_ber.c [new file with mode: 0644]
crypto/libressl/ssl/bs_cbb.c [new file with mode: 0644]
crypto/libressl/ssl/bs_cbs.c [new file with mode: 0644]
crypto/libressl/ssl/bytestring.h [new file with mode: 0644]
crypto/libressl/ssl/d1_both.c [new file with mode: 0644]
crypto/libressl/ssl/d1_clnt.c [new file with mode: 0644]
crypto/libressl/ssl/d1_enc.c [new file with mode: 0644]
crypto/libressl/ssl/d1_lib.c [new file with mode: 0644]
crypto/libressl/ssl/d1_meth.c [new file with mode: 0644]
crypto/libressl/ssl/d1_pkt.c [new file with mode: 0644]
crypto/libressl/ssl/d1_srtp.c [new file with mode: 0644]
crypto/libressl/ssl/d1_srvr.c [new file with mode: 0644]
crypto/libressl/ssl/pqueue.c [new file with mode: 0644]
crypto/libressl/ssl/s23_clnt.c [new file with mode: 0644]
crypto/libressl/ssl/s23_lib.c [new file with mode: 0644]
crypto/libressl/ssl/s23_pkt.c [new file with mode: 0644]
crypto/libressl/ssl/s23_srvr.c [new file with mode: 0644]
crypto/libressl/ssl/s3_both.c [new file with mode: 0644]
crypto/libressl/ssl/s3_cbc.c [new file with mode: 0644]
crypto/libressl/ssl/s3_clnt.c [new file with mode: 0644]
crypto/libressl/ssl/s3_lib.c [new file with mode: 0644]
crypto/libressl/ssl/s3_pkt.c [new file with mode: 0644]
crypto/libressl/ssl/s3_srvr.c [new file with mode: 0644]
crypto/libressl/ssl/srtp.h [new file with mode: 0644]
crypto/libressl/ssl/ssl_algs.c [new file with mode: 0644]
crypto/libressl/ssl/ssl_asn1.c [new file with mode: 0644]
crypto/libressl/ssl/ssl_cert.c [new file with mode: 0644]
crypto/libressl/ssl/ssl_ciph.c [new file with mode: 0644]
crypto/libressl/ssl/ssl_err.c [new file with mode: 0644]
crypto/libressl/ssl/ssl_err2.c [new file with mode: 0644]
crypto/libressl/ssl/ssl_lib.c [new file with mode: 0644]
crypto/libressl/ssl/ssl_locl.h [new file with mode: 0644]
crypto/libressl/ssl/ssl_rsa.c [new file with mode: 0644]
crypto/libressl/ssl/ssl_sess.c [new file with mode: 0644]
crypto/libressl/ssl/ssl_stat.c [new file with mode: 0644]
crypto/libressl/ssl/ssl_txt.c [new file with mode: 0644]
crypto/libressl/ssl/t1_clnt.c [new file with mode: 0644]
crypto/libressl/ssl/t1_enc.c [new file with mode: 0644]
crypto/libressl/ssl/t1_lib.c [new file with mode: 0644]
crypto/libressl/ssl/t1_meth.c [new file with mode: 0644]
crypto/libressl/ssl/t1_reneg.c [new file with mode: 0644]
crypto/libressl/ssl/t1_srvr.c [new file with mode: 0644]
crypto/libressl/tls/VERSION [new file with mode: 0644]
crypto/libressl/tls/strsep.c [new file with mode: 0644]
crypto/libressl/tls/tls.c [new file with mode: 0644]
crypto/libressl/tls/tls_client.c [new file with mode: 0644]
crypto/libressl/tls/tls_config.c [new file with mode: 0644]
crypto/libressl/tls/tls_conninfo.c [new file with mode: 0644]
crypto/libressl/tls/tls_internal.h [new file with mode: 0644]
crypto/libressl/tls/tls_peer.c [new file with mode: 0644]
crypto/libressl/tls/tls_server.c [new file with mode: 0644]
crypto/libressl/tls/tls_util.c [new file with mode: 0644]
crypto/libressl/tls/tls_verify.c [new file with mode: 0644]

diff --git a/crypto/libressl/COPYING b/crypto/libressl/COPYING
new file mode 100644 (file)
index 0000000..892e14a
--- /dev/null
@@ -0,0 +1,133 @@
+
+  LibReSSL files are retained under the copyright of the authors. New
+  additions are ISC licensed as per OpenBSD's normal licensing policy,
+  or are placed in the public domain. 
+
+  The OpenSSL code is distributed under the terms of the original OpenSSL
+  licenses which follow:
+
+  LICENSE ISSUES
+  ==============
+
+  The OpenSSL toolkit stays under a dual license, i.e. both the conditions of
+  the OpenSSL License and the original SSLeay license apply to the toolkit.
+  See below for the actual license texts.  In case of any license issues
+  related to OpenSSL please contact openssl-core@openssl.org.
+
+  OpenSSL License
+  ---------------
+
+/* ====================================================================
+ * Copyright (c) 1998-2011 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    openssl-core@openssl.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+
+ Original SSLeay License
+ -----------------------
+
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ * 
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ * 
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from 
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ * 
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ * 
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
+ */
+
diff --git a/crypto/libressl/ChangeLog b/crypto/libressl/ChangeLog
new file mode 100644 (file)
index 0000000..6ec28e0
--- /dev/null
@@ -0,0 +1,594 @@
+Because this project is maintained both in the OpenBSD tree using CVS and in
+Git, it can be confusing following all of the changes.
+
+Most of the libssl and libcrypto source code is is here in OpenBSD CVS:
+
+       http://cvsweb.openbsd.org/cgi-bin/cvsweb/src/lib/libssl/
+
+Some of the libcrypto and OS-compatibility files for entropy and random number
+generation are here:
+
+       http://cvsweb.openbsd.org/cgi-bin/cvsweb/src/lib/libcrypto/
+
+A simplified TLS wrapper library is here:
+
+       http://cvsweb.openbsd.org/cgi-bin/cvsweb/src/lib/libtls/
+
+The LibreSSL Portable project copies these portions of the OpenBSD tree, along
+with relevant portions of the C library, to a Git repository. This makes it
+easier to follow all of the relevant changes to the upstream project in a
+single place:
+
+       https://github.com/libressl-portable/openbsd
+
+The portable bits of the project are largely maintained out-of-tree, and their
+history is also available from Git.
+
+       https://github.com/libressl-portable/portable
+
+LibreSSL Portable Release Notes:
+
+2.4.2 - Bug fixes and improvements
+
+       * Fixed loading default certificate locations with openssl s_client.
+
+       * Ensured OSCP only uses and compares GENERALIZEDTIME values as per
+         RFC6960. Also added fixes for OCSP to work with intermediate
+         certificates provided in responses.
+
+       * Improved behavior of arc4random on Windows to not appear to leak
+         memory in debug tools, reduced privileges of allocated memory.
+
+       * Fixed incorrect results from BN_mod_word() when the modulus is too
+         large, thanks to Brian Smith from BoringSSL.
+
+       * Correctly handle an EOF prior to completing the TLS handshake in
+         libtls.
+
+       * Improved libtls ceritificate loading and cipher string validation.
+
+       * Updated libtls cipher group suites into four categories:
+           "secure"   (TLSv1.2+AEAD+PFS)
+           "compat"   (HIGH:!aNULL)
+           "legacy"   (HIGH:MEDIUM:!aNULL)
+           "insecure" (ALL:!aNULL:!eNULL)
+         This allows for flexibility and finer grained control, rather than
+         having two extremes.
+
+       * Limited support for 'backward compatible' SSLv2 handshake packets to
+         when TLS 1.0 is enabled, providing more restricted compatibility
+         with TLS 1.0 clients.
+
+       * openssl(1) and other documentation improvements.
+
+       * Removed flags for disabling constant-time operations.
+         This removes support for DSA_FLAG_NO_EXP_CONSTTIME,
+         DH_FLAG_NO_EXP_CONSTTIME, and RSA_FLAG_NO_CONSTTIME flags, making
+         all of these operations unconditionally constant-time.
+
+
+2.4.1 - Security fix
+
+       * Correct a problem that prevents the DSA signing algorithm from
+         running in constant time even if the flag BN_FLG_CONSTTIME is set.
+         This issue was reported by Cesar Pereida (Aalto University), Billy
+         Brumley (Tampere University of Technology), and Yuval Yarom (The
+         University of Adelaide and NICTA). The fix was developed by Cesar
+         Pereida.
+
+2.4.0 - Build improvements, new features
+
+       * Many improvements to the CMake build infrastructure, including
+         Solaris, mingw-w64, Cygwin, and HP-UX support. Thanks to Kinichiro
+         Inoguchi for this work.
+
+       * Added missing error handling around bn_wexpand() calls.
+
+       * Added explicit_bzero calls for freed ASN.1 objects.
+
+       * Fixed X509_*set_object functions to return 0 on allocation failure.
+
+       * Implemented the IETF ChaCha20-Poly1305 cipher suites.
+
+       * Changed default EVP_aead_chacha20_poly1305() implementation to the
+         IETF version, which is now the default.
+
+       * Fixed password prompts from openssl(1) to properly handle ^C.
+
+       * Reworked error handling in libtls so that configuration errors are
+         visible.
+
+       * Deprecated internal use of EVP_[Cipher|Encrypt|Decrypt]_Final.
+
+       * Manpage fixes and updates
+
+2.3.5 - Reliability fix
+
+       * Fixed an error in libcrypto when parsing some ASN.1 elements > 16k.
+
+2.3.4 - Security Update
+
+       * Fix multiple vulnerabilities in libcrypto relating to ASN.1 and encoding.
+       From OpenSSL.
+
+       * Minor build fixes
+
+2.3.3 - OpenBSD 5.9 release branch tagged
+
+       * Reworked build scripts to better sync with OpenNTPD-portable
+
+       * Fixed broken manpage links
+
+       * Fixed an nginx compatibility issue by adding an 'install_sw' make alias
+
+       * Fixed HP-UX builds
+
+       * Changed the default configuration directory to c:\LibreSSL\ssl on Windows
+         binary builds
+
+       * cert.pem has been reorganized and synced with Mozilla's certificate store
+
+2.3.2 - Compatibility and Reliability fixes
+
+       * Changed format of LIBRESSL_VERSION_NUMBER to match that of
+         OPENSSL_VERSION_NUMBER, see:
+         https://wiki.openssl.org/index.php/Manual:OPENSSL_VERSION_NUMBER(3)
+
+       * Added EVP_aead_chacha20_poly1305_ietf() which matches the AEAD
+         construction introduced in RFC 7539, which is different than that
+         already used in TLS with EVP_aead_chacha20_poly1305()
+
+       * Avoid a potential undefined C99+ behavior due to shift overflow in
+         AES_decrypt, reported by Pascal Cuoq <cuoq at trust-in-soft.com>
+
+       * More man pages converted from pod to mdoc format
+
+       * Added COMODO RSA Certification Authority and QuoVadis
+         root certificates to cert.pem
+
+       * Removed Remove "C=US, O=VeriSign, Inc., OU=Class 3 Public Primary Certification
+         Authority" (serial 3c:91:31:cb:1f:f6:d0:1b:0e:9a:b8:d0:44:bf:12:be) root
+         certificate from cert.pem
+
+       * Added support for building nc(1) on Solaris
+
+       * Fixed GCC 5.x+ preprocessor checks, reported by Ruslan Babayev
+
+       * Improved console handling with openssl(1) on Windows
+
+       * Ensure the network stack is enabled on Windows when running
+         tls_init()
+
+       * Fixed incorrect TLS certificate loading by nc(1)
+
+       * Added support for Solaris 11.3's getentropy(2) system call
+
+       * Enabled support for using NetBSD 7.0's arc4random(3) implementation
+
+       * Deprecated the SSL_OP_SINGLE_DH_USE flag by disabling its effect
+
+       * Fixes from OpenSSL 1.0.1q
+        - CVE-2015-3194 - NULL pointer dereference in client side certificate
+                          validation.
+        - CVE-2015-3195 - Memory leak in PKCS7 - not reachable from TLS/SSL
+
+       * The following OpenSSL CVEs did not apply to LibreSSL
+        - CVE-2015-3193 - Carry propagating bug in the x86_64 Montgomery
+                          squaring procedure.
+        - CVE-2015-3196 - Double free race condition of the identify hint
+                          data.
+
+        See https://marc.info/?l=openbsd-announce&m=144925068504102
+
+2.3.1 - ASN.1 and time handling cleanups
+
+       * ASN.1 cleanups and RFC5280 compliance fixes.
+
+       * Time representations switched from 'unsigned long' to 'time_t'. LibreSSL
+         now checks if the host OS supports 64-bit time_t.
+
+       * Fixed a leak in SSL_new in the error path.
+
+       * Support always extracting the peer cipher and version with libtls.
+
+       * Added ability to check certificate validity times with libtls,
+         tls_peer_cert_notbefore and tls_peer_cert_notafter.
+
+       * Changed tls_connect_servername to use the first address that resolves with
+         getaddrinfo().
+
+       * Remove broken conditional EVP_CHECK_DES_KEY code (non-functional since
+         initial commit in 2004).
+
+       * Fixed a memory leak and out-of-bounds access in OBJ_obj2txt, reported
+         by Qualys Security.
+
+       * Fixed an up-to 7 byte overflow in RC4 when len is not a multiple of
+         sizeof(RC4_CHUNK), reported by Pascal Cuoq <cuoq at trust-in-soft.com>.
+
+       * Reject too small bits value in BN_generate_prime_ex(), so that it does
+         not risk becoming negative in probable_prime_dh_safe(), reported by
+               Franck Denis.
+
+       * Enable nc(1) builds on more platforms.
+
+2.3.0 - SSLv3 removed, libtls API changes, portability improvements
+
+       * SSLv3 is now permanently removed from the tree.
+
+       * The libtls API is changed from the 2.2.x series.
+
+         The read/write functions work correctly with external event
+         libraries.  See the tls_init man page for examples of using libtls
+         correctly in asynchronous mode.
+
+         Client-side verification is now supported, with the client supplying
+         the certificate to the server.
+
+         Also, when using tls_connect_fds, tls_connect_socket or
+         tls_accept_fds, libtls no longer implicitly closes the passed in
+         sockets. The caller is responsible for closing them in this case.
+
+       * When loading a DSA key from an raw (without DH parameters) ASN.1
+         serialization, perform some consistency checks on its `p' and `q'
+         values, and return an error if the checks failed.
+
+         Thanks for Georgi Guninski (guninski at guninski dot com) for
+         mentioning the possibility of a weak (non prime) q value and
+         providing a test case.
+
+         See
+         https://cpunks.org/pipermail/cypherpunks/2015-September/009007.html
+         for a longer discussion.
+
+       * Fixed a bug in ECDH_compute_key that can lead to silent truncation
+         of the result key without error. A coding error could cause software
+         to use much shorter keys than intended.
+
+       * Removed support for DTLS_BAD_VER. Pre-DTLSv1 implementations are no
+         longer supported.
+
+       * The engine command and parameters are removed from the openssl(1).
+         Previous releases removed dynamic and builtin engine support
+         already.
+
+       * SHA-0 is removed, which was withdrawn shortly after publication 20
+         years ago.
+
+       * Added Certplus CA root certificate to the default cert.pem file.
+
+       * New interface OPENSSL_cpu_caps is provided that does not allow
+         software to inadvertently modify cpu capability flags.
+         OPENSSL_ia32cap and OPENSSL_ia32cap_loc are removed.
+
+       * The out_len argument of AEAD changed from ssize_t to size_t.
+
+       * Deduplicated DTLS code, sharing bugfixes and improvements with
+         TLS.
+
+       * Converted 'nc' to use libtls for client and server operations; it is
+         included in the libressl-portable distribution as an example of how
+         to use the library.
+
+2.2.3 - Bug fixes, build enhancements
+
+       * LibreSSL 2.2.2 incorrectly handles ClientHello messages that do not
+         include TLS extensions, resulting in such handshakes being aborted.
+         This release corrects the handling of such messages. Thanks to
+         Ligushka from github for reporting the issue.
+
+       * Added install target for cmake builds. Thanks to TheNietsnie from
+         github.
+
+       * Updated pkgconfig files to correctly report the release version
+         number, not the individual library ABI version numbers. Thanks to
+         Jan Engelhardt for reporting the issue.
+
+2.2.2 - More TLS parser rework, bug fixes, expanded portable build support
+
+       * Switched 'openssl dhparam' default from 512 to 2048 bits
+
+       * Reworked openssl(1) option handling
+
+       * More CRYPTO ByteString (CBC) packet parsing conversions
+
+       * Fixed 'openssl pkeyutl -verify' to exit with a 0 on success
+
+       * Fixed dozens of Coverity issues including dead code, memory leaks,
+         logic errors and more.
+
+       * Ensure that openssl(1) restores terminal echo state after reading a
+         password.
+
+       * Incorporated fix for OpenSSL Issue #3683
+
+       * LibreSSL version define LIBRESSL_VERSION_NUMBER will now be bumped
+         for each portable release.
+
+       * Removed workarounds for TLS client padding bugs.
+
+       * No longer disable ECDHE-ECDSA on OS X
+
+       * Removed SSLv3 support from openssl(1)
+
+       * Removed IE 6 SSLv3 workarounds.
+
+       * Modified tls_write in libtls to allow partial writes, clarified with
+         examples in the documentation.
+
+       * Removed RSAX engine
+
+       * Tested SSLv3 removal with the OpenBSD ports tree and found several
+         applications that were not ready to build without SSLv3 yet. For
+         now, building a program that intentionally uses SSLv3 will result in
+         a linker warning.
+
+       * Added TLS_method, TLS_client_method and TLS_server_method as a
+         replacement for the SSLv23_*method calls.
+
+       * Added initial cmake build support, including support for building with
+         Visual Studio, currently tested with Visual Studio 2013 Community
+         Edition.
+
+       * --with-enginesdir is removed as a configuration parameter
+
+       * Default cert.pem, openssl.cnf, and x509v3.cnf files are now
+         installed under $sysconfdir/ssl or the directory specified by
+         --with-openssldir. Previous versions of LibreSSL left these empty.
+
+2.2.1 - Build fixes, feature added, features removed
+
+       * Assorted build fixes for musl, HP-UX, Mingw, Solaris.
+
+       * Initial support for Windows Embedded 2009, Server 2003, XP
+
+       * Protocol parsing conversions to BoringSSL's CRYPTO ByteString (CBS) API
+
+       * Added EC_curve_nid2nist and EC_curve_nist2nid from OpenSSL
+
+       * Removed Dynamic Engine support
+
+       * Removed unused and obsolete MDC-2DES cipher
+
+       * Removed workarounds for obsolete SSL implementations
+
+2.2.0 - Build cleanups and new OS support, Security Updates
+
+       * AIX Support - thanks to Michael Felt
+
+       * Cygwin Support - thanks to Corinna Vinschen
+
+       * Refactored build macros, support packaging libtls independently.
+         There are more pieces required to support building and using OpenSSL
+         with libtls, but this is an initial start at providing an
+         independent package for people to start hacking on.
+
+       * Removal of OPENSSL_issetugid and all library getenv calls.
+         Applications can and should no longer rely on environment variables
+         for changing library behavior. OPENSSL_CONF/SSLEAY_CONF is still
+         supported with the openssl(1) command.
+
+       * libtls API and documentation additions
+
+       * Various bug fixes and simplifications to libssl and libcrypto
+
+       * Fixes for the following issues are integrated into LibreSSL 2.2.0:
+        - CVE-2015-1788 - Malformed ECParameters causes infinite loop
+        - CVE-2015-1789 - Exploitable out-of-bounds read in X509_cmp_time
+        - CVE-2015-1792 - CMS verify infinite loop with unknown hash function
+
+       * The following CVEs did not apply to LibreSSL or were fixed in
+         earlier releases:
+        - CVE-2015-4000 - DHE man-in-the-middle protection (Logjam)
+        - CVE-2015-1790 - PKCS7 crash with missing EnvelopedContent
+        - CVE-2014-8176 - Invalid free in DTLS
+
+       * Fixes for the following CVEs are still in review for LibreSSL
+        - CVE-2015-1791 - Race condition handling NewSessionTicket
+
+2.1.6 - Security update
+
+       * Fixes for the following issues are integrated into LibreSSL 2.1.6:
+         - CVE-2015-0209 - Use After Free following d2i_ECPrivatekey error
+         - CVE-2015-0286 - Segmentation fault in ASN1_TYPE_cmp
+         - CVE-2015-0287 - ASN.1 structure reuse memory corruption
+         - CVE-2015-0288 - X509_to_X509_REQ NULL pointer deref
+         - CVE-2015-0289 - PKCS7 NULL pointer dereferences
+
+       * The fix for CVE-2015-0207 - Segmentation fault in DTLSv1_listen
+         is integrated for safety, but LibreSSL is not vulnerable.
+
+       * Libtls is now built by default. The --enable-libtls
+         configuration option is no longer required.
+         The libtls API is now stable for the 2.1.x series.
+
+2.1.5 - Bug fixes and a security update
+       * Fix incorrect comparison function in openssl(1) certhash command.
+         Thanks to Christian Neukirchen / Void Linux.
+
+       * Windows port improvements and bug fixes.
+         - Removed a dependency on libgcc in 32-bit dynamic libraries.
+         - Correct a hang in openssl(1) reading from stdin on an connection.
+         - Initialize winsock in openssl(1) earlier, allow 'openssl ocsp' and
+           any other network-related commands to function properly.
+
+       * Reject all server DH keys smaller than 1024 bits.
+
+2.1.4 - Security and feature updates
+       * Improvements to libtls:
+         - a new API for loading CA chains directly from memory instead of a
+           file, allowing verification with privilege separation in a chroot
+           without direct access to CA certificate files.
+
+         - Ciphers default to TLSv1.2 with AEAD and PFS.
+
+         - Improved error handling and message generation
+
+         - New APIs and improved documentation
+
+       * Added X509_STORE_load_mem API for loading certificates from memory.
+         This facilitates accessing certificates from a chrooted environment.
+
+       * New AEAD "MAC alias" allows configuring TLSv1.2 AEAD ciphers by
+         using 'TLSv1.2+AEAD' as the cipher selection string.
+
+       * Dead and disabled code removal including MD5, Netscape workarounds,
+         non-POSIX IO, SCTP, RFC 3779 support, many #if 0 sections, and more.
+
+       * ASN1 macro maze expanded to aid reading and searching the code.
+
+       * NULL pointer asserts removed in favor of letting the OS/signal
+         handler catch them.
+
+       * Refactored argument handling in openssl(1) for consistency and
+         maintainability.
+
+       * New openssl(1) command 'certhash' replaces the c_rehash script.
+
+       * Support for building with OPENSSL_NO_DEPRECATED
+
+       * Server-side support for TLS_FALLBACK_SCSV for compatibility with
+         various auditor and vulnerability scanners.
+
+       * Dozens of issues found with the Coverity scanner fixed.
+
+       * Security Updates:
+
+         - Fix a minor information leak that was introduced in t1_lib.c
+           r1.71, whereby an additional 28 bytes of .rodata (or .data) is
+           provided to the network. In most cases this is a non-issue since
+           the memory content is already public. Issue found and reported by
+           Felix Groebert of the Google Security Team.
+
+         - Fixes for the following low-severity issues were integrated into
+           LibreSSL from OpenSSL 1.0.1k:
+
+            CVE-2015-0205 - DH client certificates accepted without
+                            verification
+            CVE-2014-3570 - Bignum squaring may produce incorrect results
+            CVE-2014-8275 - Certificate fingerprints can be modified
+            CVE-2014-3572 - ECDHE silently downgrades to ECDH [Client]
+            Reported by Karthikeyan Bhargavan of the PROSECCO team at INRIA.
+
+           The following CVEs were fixed in earlier LibreSSL releases:
+            CVE-2015-0206 - Memory leak handling repeated DLTS records
+            CVE-2014-3510 - Flaw handling DTLS anonymous EC(DH) ciphersuites.
+
+           The following CVEs did not apply to LibreSSL:
+            CVE-2014-3571 - DTLS segmentation fault in dtls1_get_record
+            CVE-2014-3569 - no-ssl3 configuration sets method to NULL
+            CVE-2015-0204 - RSA silently downgrades to EXPORT_RSA
+
+2.1.3 - Security update and OS support improvements
+       * Fixed various memory leaks in DTLS, including fixes for
+         CVE-2015-0206.
+
+       * Added Application-Layer Protocol Negotiation (ALPN) support.
+
+       * Removed GOST R 34.10-94 signature authentication.
+
+       * Removed nonfunctional Netscape browser-hang workaround code.
+
+       * Simplfied and refactored SSL/DTLS handshake code.
+
+       * Added SHA256 Camellia cipher suites for TLS 1.2 from RFC 5932.
+
+       * Hide timing info about padding errors during handshakes.
+
+       * Improved libtls support for non-blocking sockets, added randomized
+         session ID contexts. Work is ongoing with this library - feedback
+         and potential use-cases are welcome.
+
+       * Support building Windows DLLs.
+         Thanks to Jan Engelhard.
+
+       * Packaged config wrapper for better compatibility with OpenSSL-based
+         build systems.
+         Thanks to @technion from github
+
+       * Ensure the stack is marked non-executable for assembly sections.
+         Thanks to Anthony G. Bastile.
+
+       * Enable extra compiler hardening flags by default, where applicable.
+         The default set of hardening features can vary by OS to OS, so
+         feedback is welcome on this. To disable the default hardening flags,
+         specify '--disable-hardening' during configure.
+         Thanks to Jim Barlow
+
+       * Initial HP-UX support, tested with HP-UX 11.31 ia64
+         Thanks to Kinichiro Inoguchi
+
+       * Initial NetBSD support, tested with NetBSD 6.1.5 x86_64
+         Imported from OpenNTPD, thanks to @gitisihara from github
+
+2.1.2 - Many new features and improvements
+       * Added reworked GOST cipher suite support
+          thanks to Dmitry Eremin-Solenikov
+
+       * Enabled Camellia ciphers due to improved patent situation
+
+       * Use builtin arc4random implementation on OS X and FreeBSD
+          this addresses some deficiencies in the native implementations of
+          these operating systems, see commit logs for more information
+
+       * Added initial Windows mingw-w64 support (32 and 64-bit)
+          thanks to Song Dongsheng and others for code and feedback
+
+       * Enabled assembly optimizations on x86_64 CPUs
+          supports Linux, *BSD, Solaris and OS X operating systems
+          thanks to Wouter Clarie for the initial implementation
+
+       * Added no_ssl3/no_tls1_1/no_tls1_2 options to openssl(1)
+
+       * Improved build infrastructure, 'make distcheck' now passes
+          this simplifies and speeds developer efficiency
+          thanks to Dmitry Eremin-Solenikov and Wouter Clarie
+
+       * Allow conditional building of the libtls library
+          expect the API and ABI of the library to change
+          feedback is welcome
+
+       * Fixes for more memory leaks, cleanups, etc.
+
+2.1.1 - Security update
+       * Address POODLE attack by disabling SSLv3 by default
+
+       * Fix Eliptical Curve cipher selection bug
+         (https://github.com/libressl-portable/portable/issues/35)
+
+2.1.0 - First release from the OpenBSD 5.7 tree
+       * Added support for automatic ephemeral EC keys
+
+       * Fixes for many memory leaks and overflows in error handlers
+
+       * The TLS padding extension (that works around bugs in F5 terminators) is
+         off by default
+
+       * support for getrandom(2) on Linux 3.17
+
+       * the NO_ASM macro is no longer being set, providing the first bits toward
+         enabling other assembly offloads.
+
+2.0.5 - Fixes for CVEs from OpenSSL 1.0.1i
+       * CVE-2014-3506
+       * CVE-2014-3507
+       * CVE-2014-3508 (partially vulnerable)he
+       * CVE-2014-3509
+       * CVE-2014-3510
+       * CVE-2014-3511
+       * Synced LibreSSL Portable with the release version of OpenBSD 5.6
+
+2.0.4 - Portability fixes, deleted unused SRP code
+
+2.0.3 - Portability fixes, improvements to fork detection
+
+2.0.2 - Address arc4random fork PID wraparound issues with pthread_atfork
+
+2.0.1 - Portability fixes:
+       * Removed -Werror and and other non-portable compiler flags
+
+       * Allow setting OPENSSLDIR and ENGINSDIR
+
+2.0.0 - First release from the OpenBSD 5.6 tree
+       * Removal of many obsolete features and coding conventions from the OpenSSL
+         1.0.1h source
diff --git a/crypto/libressl/VERSION b/crypto/libressl/VERSION
new file mode 100644 (file)
index 0000000..b674b92
--- /dev/null
@@ -0,0 +1,2 @@
+2.4.2
+
diff --git a/crypto/libressl/apps/nc/atomicio.c b/crypto/libressl/apps/nc/atomicio.c
new file mode 100644 (file)
index 0000000..8ca68b4
--- /dev/null
@@ -0,0 +1,67 @@
+/* $OpenBSD: atomicio.c,v 1.10 2011/01/08 00:47:19 jeremy Exp $ */
+/*
+ * Copyright (c) 2006 Damien Miller. All rights reserved.
+ * Copyright (c) 2005 Anil Madhavapeddy. All rights reserved.
+ * Copyright (c) 1995,1999 Theo de Raadt.  All rights reserved.
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
+ * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
+ * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
+ * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
+ * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+ * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+ * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
+ * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+#include <errno.h>
+#include <poll.h>
+#include <unistd.h>
+
+#include "atomicio.h"
+
+/*
+ * ensure all of data on socket comes through. f==read || f==vwrite
+ */
+size_t
+atomicio(ssize_t (*f) (int, void *, size_t), int fd, void *_s, size_t n)
+{
+       char *s = _s;
+       size_t pos = 0;
+       ssize_t res;
+       struct pollfd pfd;
+
+       pfd.fd = fd;
+       pfd.events = f == read ? POLLIN : POLLOUT;
+       while (n > pos) {
+               res = (f) (fd, s + pos, n - pos);
+               switch (res) {
+               case -1:
+                       if (errno == EINTR)
+                               continue;
+                       if ((errno == EAGAIN) || (errno == ENOBUFS)) {
+                               (void)poll(&pfd, 1, -1);
+                               continue;
+                       }
+                       return 0;
+               case 0:
+                       errno = EPIPE;
+                       return pos;
+               default:
+                       pos += (size_t)res;
+               }
+       }
+       return (pos);
+}
diff --git a/crypto/libressl/apps/nc/atomicio.h b/crypto/libressl/apps/nc/atomicio.h
new file mode 100644 (file)
index 0000000..8edc3e8
--- /dev/null
@@ -0,0 +1,39 @@
+/* $OpenBSD: atomicio.h,v 1.1 2005/05/24 20:13:28 avsm Exp $ */
+
+/*
+ * Copyright (c) 2006 Damien Miller.  All rights reserved.
+ * Copyright (c) 1995,1999 Theo de Raadt.  All rights reserved.
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
+ * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
+ * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
+ * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
+ * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+ * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+ * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
+ * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+#ifndef _ATOMICIO_H
+#define _ATOMICIO_H
+
+/*
+ * Ensure all of data on socket comes through. f==read || f==vwrite
+ */
+size_t atomicio(ssize_t (*)(int, void *, size_t), int, void *, size_t);
+
+#define vwrite (ssize_t (*)(int, void *, size_t))write
+
+#endif /* _ATOMICIO_H */
diff --git a/crypto/libressl/apps/nc/compat/accept4.c b/crypto/libressl/apps/nc/compat/accept4.c
new file mode 100644 (file)
index 0000000..278198b
--- /dev/null
@@ -0,0 +1,17 @@
+#include <sys/socket.h>
+#include <fcntl.h>
+
+int
+accept4(int s, struct sockaddr *addr, socklen_t *addrlen, int flags)
+{
+       int rets = accept(s, addr, addrlen);
+       if (rets == -1)
+               return s;
+
+       if (flags & SOCK_CLOEXEC) {
+               flags = fcntl(s, F_GETFD);
+               fcntl(rets, F_SETFD, flags | FD_CLOEXEC);
+       }
+
+       return rets;
+}
diff --git a/crypto/libressl/apps/nc/compat/base64.c b/crypto/libressl/apps/nc/compat/base64.c
new file mode 100644 (file)
index 0000000..e90696d
--- /dev/null
@@ -0,0 +1,315 @@
+/*     $OpenBSD: base64.c,v 1.8 2015/01/16 16:48:51 deraadt Exp $      */
+
+/*
+ * Copyright (c) 1996 by Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND INTERNET SOFTWARE CONSORTIUM DISCLAIMS
+ * ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES
+ * OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL INTERNET SOFTWARE
+ * CONSORTIUM BE LIABLE FOR ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL
+ * DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR
+ * PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS
+ * ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS
+ * SOFTWARE.
+ */
+
+/*
+ * Portions Copyright (c) 1995 by International Business Machines, Inc.
+ *
+ * International Business Machines, Inc. (hereinafter called IBM) grants
+ * permission under its copyrights to use, copy, modify, and distribute this
+ * Software with or without fee, provided that the above copyright notice and
+ * all paragraphs of this notice appear in all copies, and that the name of IBM
+ * not be used in connection with the marketing of any product incorporating
+ * the Software or modifications thereof, without specific, written prior
+ * permission.
+ *
+ * To the extent it has a right to do so, IBM grants an immunity from suit
+ * under its patents, if any, for the use, sale or manufacture of products to
+ * the extent that such products are used for performing Domain Name System
+ * dynamic updates in TCP/IP networks by means of the Software.  No immunity is
+ * granted for any product per se or for any other function of any product.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", AND IBM DISCLAIMS ALL WARRANTIES,
+ * INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A
+ * PARTICULAR PURPOSE.  IN NO EVENT SHALL IBM BE LIABLE FOR ANY SPECIAL,
+ * DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER ARISING
+ * OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE, EVEN
+ * IF IBM IS APPRISED OF THE POSSIBILITY OF SUCH DAMAGES.
+ */
+
+#include <sys/types.h>
+#include <sys/socket.h>
+#include <netinet/in.h>
+#include <arpa/inet.h>
+#include <arpa/nameser.h>
+
+#include <ctype.h>
+#include <resolv.h>
+#include <stdio.h>
+
+#include <stdlib.h>
+#include <string.h>
+
+static const char Base64[] =
+       "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";
+static const char Pad64 = '=';
+
+/* (From RFC1521 and draft-ietf-dnssec-secext-03.txt)
+   The following encoding technique is taken from RFC 1521 by Borenstein
+   and Freed.  It is reproduced here in a slightly edited form for
+   convenience.
+
+   A 65-character subset of US-ASCII is used, enabling 6 bits to be
+   represented per printable character. (The extra 65th character, "=",
+   is used to signify a special processing function.)
+
+   The encoding process represents 24-bit groups of input bits as output
+   strings of 4 encoded characters. Proceeding from left to right, a
+   24-bit input group is formed by concatenating 3 8-bit input groups.
+   These 24 bits are then treated as 4 concatenated 6-bit groups, each
+   of which is translated into a single digit in the base64 alphabet.
+
+   Each 6-bit group is used as an index into an array of 64 printable
+   characters. The character referenced by the index is placed in the
+   output string.
+
+                         Table 1: The Base64 Alphabet
+
+      Value Encoding  Value Encoding  Value Encoding  Value Encoding
+          0 A            17 R            34 i            51 z
+          1 B            18 S            35 j            52 0
+          2 C            19 T            36 k            53 1
+          3 D            20 U            37 l            54 2
+          4 E            21 V            38 m            55 3
+          5 F            22 W            39 n            56 4
+          6 G            23 X            40 o            57 5
+          7 H            24 Y            41 p            58 6
+          8 I            25 Z            42 q            59 7
+          9 J            26 a            43 r            60 8
+         10 K            27 b            44 s            61 9
+         11 L            28 c            45 t            62 +
+         12 M            29 d            46 u            63 /
+         13 N            30 e            47 v
+         14 O            31 f            48 w         (pad) =
+         15 P            32 g            49 x
+         16 Q            33 h            50 y
+
+   Special processing is performed if fewer than 24 bits are available
+   at the end of the data being encoded.  A full encoding quantum is
+   always completed at the end of a quantity.  When fewer than 24 input
+   bits are available in an input group, zero bits are added (on the
+   right) to form an integral number of 6-bit groups.  Padding at the
+   end of the data is performed using the '=' character.
+
+   Since all base64 input is an integral number of octets, only the
+         -------------------------------------------------                       
+   following cases can arise:
+   
+       (1) the final quantum of encoding input is an integral
+           multiple of 24 bits; here, the final unit of encoded
+          output will be an integral multiple of 4 characters
+          with no "=" padding,
+       (2) the final quantum of encoding input is exactly 8 bits;
+           here, the final unit of encoded output will be two
+          characters followed by two "=" padding characters, or
+       (3) the final quantum of encoding input is exactly 16 bits;
+           here, the final unit of encoded output will be three
+          characters followed by one "=" padding character.
+   */
+
+int
+b64_ntop(src, srclength, target, targsize)
+       u_char const *src;
+       size_t srclength;
+       char *target;
+       size_t targsize;
+{
+       size_t datalength = 0;
+       u_char input[3];
+       u_char output[4];
+       int i;
+
+       while (2 < srclength) {
+               input[0] = *src++;
+               input[1] = *src++;
+               input[2] = *src++;
+               srclength -= 3;
+
+               output[0] = input[0] >> 2;
+               output[1] = ((input[0] & 0x03) << 4) + (input[1] >> 4);
+               output[2] = ((input[1] & 0x0f) << 2) + (input[2] >> 6);
+               output[3] = input[2] & 0x3f;
+
+               if (datalength + 4 > targsize)
+                       return (-1);
+               target[datalength++] = Base64[output[0]];
+               target[datalength++] = Base64[output[1]];
+               target[datalength++] = Base64[output[2]];
+               target[datalength++] = Base64[output[3]];
+       }
+    
+       /* Now we worry about padding. */
+       if (0 != srclength) {
+               /* Get what's left. */
+               input[0] = input[1] = input[2] = '\0';
+               for (i = 0; i < srclength; i++)
+                       input[i] = *src++;
+       
+               output[0] = input[0] >> 2;
+               output[1] = ((input[0] & 0x03) << 4) + (input[1] >> 4);
+               output[2] = ((input[1] & 0x0f) << 2) + (input[2] >> 6);
+
+               if (datalength + 4 > targsize)
+                       return (-1);
+               target[datalength++] = Base64[output[0]];
+               target[datalength++] = Base64[output[1]];
+               if (srclength == 1)
+                       target[datalength++] = Pad64;
+               else
+                       target[datalength++] = Base64[output[2]];
+               target[datalength++] = Pad64;
+       }
+       if (datalength >= targsize)
+               return (-1);
+       target[datalength] = '\0';      /* Returned value doesn't count \0. */
+       return (datalength);
+}
+
+/* skips all whitespace anywhere.
+   converts characters, four at a time, starting at (or after)
+   src from base - 64 numbers into three 8 bit bytes in the target area.
+   it returns the number of data bytes stored at the target, or -1 on error.
+ */
+
+int
+b64_pton(src, target, targsize)
+       char const *src;
+       u_char *target;
+       size_t targsize;
+{
+       int tarindex, state, ch;
+       u_char nextbyte;
+       char *pos;
+
+       state = 0;
+       tarindex = 0;
+
+       while ((ch = (unsigned char)*src++) != '\0') {
+               if (isspace(ch))        /* Skip whitespace anywhere. */
+                       continue;
+
+               if (ch == Pad64)
+                       break;
+
+               pos = strchr(Base64, ch);
+               if (pos == 0)           /* A non-base64 character. */
+                       return (-1);
+
+               switch (state) {
+               case 0:
+                       if (target) {
+                               if (tarindex >= targsize)
+                                       return (-1);
+                               target[tarindex] = (pos - Base64) << 2;
+                       }
+                       state = 1;
+                       break;
+               case 1:
+                       if (target) {
+                               if (tarindex >= targsize)
+                                       return (-1);
+                               target[tarindex]   |=  (pos - Base64) >> 4;
+                               nextbyte = ((pos - Base64) & 0x0f) << 4;
+                               if (tarindex + 1 < targsize)
+                                       target[tarindex+1] = nextbyte;
+                               else if (nextbyte)
+                                       return (-1);
+                       }
+                       tarindex++;
+                       state = 2;
+                       break;
+               case 2:
+                       if (target) {
+                               if (tarindex >= targsize)
+                                       return (-1);
+                               target[tarindex]   |=  (pos - Base64) >> 2;
+                               nextbyte = ((pos - Base64) & 0x03) << 6;
+                               if (tarindex + 1 < targsize)
+                                       target[tarindex+1] = nextbyte;
+                               else if (nextbyte)
+                                       return (-1);
+                       }
+                       tarindex++;
+                       state = 3;
+                       break;
+               case 3:
+                       if (target) {
+                               if (tarindex >= targsize)
+                                       return (-1);
+                               target[tarindex] |= (pos - Base64);
+                       }
+                       tarindex++;
+                       state = 0;
+                       break;
+               }
+       }
+
+       /*
+        * We are done decoding Base-64 chars.  Let's see if we ended
+        * on a byte boundary, and/or with erroneous trailing characters.
+        */
+
+       if (ch == Pad64) {                      /* We got a pad char. */
+               ch = (unsigned char)*src++;     /* Skip it, get next. */
+               switch (state) {
+               case 0:         /* Invalid = in first position */
+               case 1:         /* Invalid = in second position */
+                       return (-1);
+
+               case 2:         /* Valid, means one byte of info */
+                       /* Skip any number of spaces. */
+                       for (; ch != '\0'; ch = (unsigned char)*src++)
+                               if (!isspace(ch))
+                                       break;
+                       /* Make sure there is another trailing = sign. */
+                       if (ch != Pad64)
+                               return (-1);
+                       ch = (unsigned char)*src++;             /* Skip the = */
+                       /* Fall through to "single trailing =" case. */
+                       /* FALLTHROUGH */
+
+               case 3:         /* Valid, means two bytes of info */
+                       /*
+                        * We know this char is an =.  Is there anything but
+                        * whitespace after it?
+                        */
+                       for (; ch != '\0'; ch = (unsigned char)*src++)
+                               if (!isspace(ch))
+                                       return (-1);
+
+                       /*
+                        * Now make sure for cases 2 and 3 that the "extra"
+                        * bits that slopped past the last full byte were
+                        * zeros.  If we don't check them, they become a
+                        * subliminal channel.
+                        */
+                       if (target && tarindex < targsize &&
+                           target[tarindex] != 0)
+                               return (-1);
+               }
+       } else {
+               /*
+                * We ended by seeing the end of the string.  Make sure we
+                * have no partial bytes lying around.
+                */
+               if (state != 0)
+                       return (-1);
+       }
+
+       return (tarindex);
+}
diff --git a/crypto/libressl/apps/nc/compat/readpassphrase.c b/crypto/libressl/apps/nc/compat/readpassphrase.c
new file mode 100644 (file)
index 0000000..f3aa248
--- /dev/null
@@ -0,0 +1,205 @@
+/*     $OpenBSD: readpassphrase.c,v 1.22 2010/01/13 10:20:54 dtucker Exp $     */
+
+/*
+ * Copyright (c) 2000-2002, 2007 Todd C. Miller <Todd.Miller@courtesan.com>
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+ * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+ * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ *
+ * Sponsored in part by the Defense Advanced Research Projects
+ * Agency (DARPA) and Air Force Research Laboratory, Air Force
+ * Materiel Command, USAF, under agreement number F39502-99-1-0512.
+ */
+
+/* OPENBSD ORIGINAL: lib/libc/gen/readpassphrase.c */
+
+#include <termios.h>
+#include <signal.h>
+#include <ctype.h>
+#include <fcntl.h>
+#include <errno.h>
+#include <string.h>
+#include <unistd.h>
+
+#include <readpassphrase.h>
+
+#ifndef _PATH_TTY
+# define _PATH_TTY "/dev/tty"
+#endif
+
+#ifdef TCSASOFT
+# define _T_FLUSH      (TCSAFLUSH|TCSASOFT)
+#else
+# define _T_FLUSH      (TCSAFLUSH)
+#endif
+
+/* SunOS 4.x which lacks _POSIX_VDISABLE, but has VDISABLE */
+#if !defined(_POSIX_VDISABLE) && defined(VDISABLE)
+#  define _POSIX_VDISABLE       VDISABLE
+#endif
+
+#ifndef _NSIG
+# ifdef NSIG
+#  define _NSIG NSIG
+# else
+#  define _NSIG 128
+# endif
+#endif
+
+static volatile sig_atomic_t signo[_NSIG];
+
+static void handler(int);
+
+char *
+readpassphrase(const char *prompt, char *buf, size_t bufsiz, int flags)
+{
+       ssize_t bytes_written = 0;
+       ssize_t nr;
+       int input, output, save_errno, i, need_restart;
+       char ch, *p, *end;
+       struct termios term, oterm;
+       struct sigaction sa, savealrm, saveint, savehup, savequit, saveterm;
+       struct sigaction savetstp, savettin, savettou, savepipe;
+
+       /* I suppose we could alloc on demand in this case (XXX). */
+       if (bufsiz == 0) {
+               errno = EINVAL;
+               return(NULL);
+       }
+
+restart:
+       for (i = 0; i < _NSIG; i++)
+               signo[i] = 0;
+       nr = -1;
+       save_errno = 0;
+       need_restart = 0;
+       /*
+        * Read and write to /dev/tty if available.  If not, read from
+        * stdin and write to stderr unless a tty is required.
+        */
+       if ((flags & RPP_STDIN) ||
+           (input = output = open(_PATH_TTY, O_RDWR)) == -1) {
+               if (flags & RPP_REQUIRE_TTY) {
+                       errno = ENOTTY;
+                       return(NULL);
+               }
+               input = STDIN_FILENO;
+               output = STDERR_FILENO;
+       }
+
+       /*
+        * Catch signals that would otherwise cause the user to end
+        * up with echo turned off in the shell.  Don't worry about
+        * things like SIGXCPU and SIGVTALRM for now.
+        */
+       sigemptyset(&sa.sa_mask);
+       sa.sa_flags = 0;                /* don't restart system calls */
+       sa.sa_handler = handler;
+       (void)sigaction(SIGALRM, &sa, &savealrm);
+       (void)sigaction(SIGHUP, &sa, &savehup);
+       (void)sigaction(SIGINT, &sa, &saveint);
+       (void)sigaction(SIGPIPE, &sa, &savepipe);
+       (void)sigaction(SIGQUIT, &sa, &savequit);
+       (void)sigaction(SIGTERM, &sa, &saveterm);
+       (void)sigaction(SIGTSTP, &sa, &savetstp);
+       (void)sigaction(SIGTTIN, &sa, &savettin);
+       (void)sigaction(SIGTTOU, &sa, &savettou);
+
+       /* Turn off echo if possible. */
+       if (input != STDIN_FILENO && tcgetattr(input, &oterm) == 0) {
+               memcpy(&term, &oterm, sizeof(term));
+               if (!(flags & RPP_ECHO_ON))
+                       term.c_lflag &= ~(ECHO | ECHONL);
+#ifdef VSTATUS
+               if (term.c_cc[VSTATUS] != _POSIX_VDISABLE)
+                       term.c_cc[VSTATUS] = _POSIX_VDISABLE;
+#endif
+               (void)tcsetattr(input, _T_FLUSH, &term);
+       } else {
+               memset(&term, 0, sizeof(term));
+               term.c_lflag |= ECHO;
+               memset(&oterm, 0, sizeof(oterm));
+               oterm.c_lflag |= ECHO;
+       }
+
+       /* No I/O if we are already backgrounded. */
+       if (signo[SIGTTOU] != 1 && signo[SIGTTIN] != 1) {
+               if (!(flags & RPP_STDIN))
+                       bytes_written = write(output, prompt, strlen(prompt));
+               end = buf + bufsiz - 1;
+               p = buf;
+               while ((nr = read(input, &ch, 1)) == 1 && ch != '\n' && ch != '\r') {
+                       if (p < end) {
+                               if ((flags & RPP_SEVENBIT))
+                                       ch &= 0x7f;
+                               if (isalpha((unsigned char)ch)) {
+                                       if ((flags & RPP_FORCELOWER))
+                                               ch = (char)tolower((unsigned char)ch);
+                                       if ((flags & RPP_FORCEUPPER))
+                                               ch = (char)toupper((unsigned char)ch);
+                               }
+                               *p++ = ch;
+                       }
+               }
+               *p = '\0';
+               save_errno = errno;
+               if (!(term.c_lflag & ECHO))
+                       bytes_written = write(output, "\n", 1);
+       }
+
+       (void) bytes_written;
+
+       /* Restore old terminal settings and signals. */
+       if (memcmp(&term, &oterm, sizeof(term)) != 0) {
+               while (tcsetattr(input, _T_FLUSH, &oterm) == -1 &&
+                   errno == EINTR)
+                       continue;
+       }
+       (void)sigaction(SIGALRM, &savealrm, NULL);
+       (void)sigaction(SIGHUP, &savehup, NULL);
+       (void)sigaction(SIGINT, &saveint, NULL);
+       (void)sigaction(SIGQUIT, &savequit, NULL);
+       (void)sigaction(SIGPIPE, &savepipe, NULL);
+       (void)sigaction(SIGTERM, &saveterm, NULL);
+       (void)sigaction(SIGTSTP, &savetstp, NULL);
+       (void)sigaction(SIGTTIN, &savettin, NULL);
+       (void)sigaction(SIGTTOU, &savettou, NULL);
+       if (input != STDIN_FILENO)
+               (void)close(input);
+
+       /*
+        * If we were interrupted by a signal, resend it to ourselves
+        * now that we have restored the signal handlers.
+        */
+       for (i = 0; i < _NSIG; i++) {
+               if (signo[i]) {
+                       kill(getpid(), i);
+                       switch (i) {
+                       case SIGTSTP:
+                       case SIGTTIN:
+                       case SIGTTOU:
+                               need_restart = 1;
+                       }
+               }
+       }
+       if (need_restart)
+               goto restart;
+
+       if (save_errno)
+               errno = save_errno;
+       return(nr == -1 ? NULL : buf);
+}
+
+static void handler(int s)
+{
+       signo[s] = 1;
+}
diff --git a/crypto/libressl/apps/nc/compat/socket.c b/crypto/libressl/apps/nc/compat/socket.c
new file mode 100644 (file)
index 0000000..fd699f9
--- /dev/null
@@ -0,0 +1,29 @@
+#define SOCKET_FLAGS_PRIV
+
+#include <sys/socket.h>
+
+#ifdef NEED_SOCKET_FLAGS
+
+#include <fcntl.h>
+
+int
+_socket(int domain, int type, int protocol)
+{
+       int s = socket(domain, type & ~(SOCK_CLOEXEC | SOCK_NONBLOCK), protocol);
+       int flags;
+       if (s == -1)
+               return s;
+
+       if (type & SOCK_CLOEXEC) {
+               flags = fcntl(s, F_GETFD);
+               fcntl(s, F_SETFD, flags | FD_CLOEXEC);
+       }
+
+       if (type & SOCK_NONBLOCK) {
+               flags = fcntl(s, F_GETFL);
+               fcntl(s, F_SETFL, flags | O_NONBLOCK);
+       }
+       return s;
+}
+
+#endif
diff --git a/crypto/libressl/apps/nc/compat/strtonum.c b/crypto/libressl/apps/nc/compat/strtonum.c
new file mode 100644 (file)
index 0000000..1aeee34
--- /dev/null
@@ -0,0 +1,65 @@
+/*     $OpenBSD: strtonum.c,v 1.7 2013/04/17 18:40:58 tedu Exp $       */
+
+/*
+ * Copyright (c) 2004 Ted Unangst and Todd Miller
+ * All rights reserved.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+ * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+ * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+
+#include <errno.h>
+#include <limits.h>
+#include <stdlib.h>
+
+#define        INVALID         1
+#define        TOOSMALL        2
+#define        TOOLARGE        3
+
+long long
+strtonum(const char *numstr, long long minval, long long maxval,
+    const char **errstrp)
+{
+       long long ll = 0;
+       int error = 0;
+       char *ep;
+       struct errval {
+               const char *errstr;
+               int err;
+       } ev[4] = {
+               { NULL,         0 },
+               { "invalid",    EINVAL },
+               { "too small",  ERANGE },
+               { "too large",  ERANGE },
+       };
+
+       ev[0].err = errno;
+       errno = 0;
+       if (minval > maxval) {
+               error = INVALID;
+       } else {
+               ll = strtoll(numstr, &ep, 10);
+               if (numstr == ep || *ep != '\0')
+                       error = INVALID;
+               else if ((ll == LLONG_MIN && errno == ERANGE) || ll < minval)
+                       error = TOOSMALL;
+               else if ((ll == LLONG_MAX && errno == ERANGE) || ll > maxval)
+                       error = TOOLARGE;
+       }
+       if (errstrp != NULL)
+               *errstrp = ev[error].errstr;
+       errno = ev[error].err;
+       if (error)
+               ll = 0;
+
+       return (ll);
+}
diff --git a/crypto/libressl/apps/nc/compat/sys/socket.h b/crypto/libressl/apps/nc/compat/sys/socket.h
new file mode 100644 (file)
index 0000000..13eb380
--- /dev/null
@@ -0,0 +1,31 @@
+/*
+ * Public domain
+ * sys/socket.h compatibility shim
+ */
+
+#ifndef _WIN32
+#include_next <sys/socket.h>
+
+#if !defined(SOCK_NONBLOCK) || !defined(SOCK_CLOEXEC)
+#define NEED_SOCKET_FLAGS
+int _socket(int domain, int type, int protocol);
+#ifndef SOCKET_FLAGS_PRIV
+#define socket(d, t, p) _socket(d, t, p)
+#endif
+#endif
+
+#ifndef SOCK_NONBLOCK
+#define        SOCK_NONBLOCK           0x4000  /* set O_NONBLOCK */
+#endif
+
+#ifndef SOCK_CLOEXEC
+#define        SOCK_CLOEXEC            0x8000  /* set FD_CLOEXEC */
+#endif
+
+#ifndef HAVE_ACCEPT4
+int accept4(int s, struct sockaddr *addr, socklen_t *addrlen, int flags);
+#endif
+
+#else
+#include <win32netcompat.h>
+#endif
diff --git a/crypto/libressl/apps/nc/nc.1 b/crypto/libressl/apps/nc/nc.1
new file mode 100644 (file)
index 0000000..e9d3499
--- /dev/null
@@ -0,0 +1,533 @@
+.\"     $OpenBSD: nc.1,v 1.73 2016/06/28 17:35:14 jca Exp $
+.\"
+.\" Copyright (c) 1996 David Sacerdote
+.\" All rights reserved.
+.\"
+.\" Redistribution and use in source and binary forms, with or without
+.\" modification, are permitted provided that the following conditions
+.\" are met:
+.\" 1. Redistributions of source code must retain the above copyright
+.\"    notice, this list of conditions and the following disclaimer.
+.\" 2. Redistributions in binary form must reproduce the above copyright
+.\"    notice, this list of conditions and the following disclaimer in the
+.\"    documentation and/or other materials provided with the distribution.
+.\" 3. The name of the author may not be used to endorse or promote products
+.\"    derived from this software without specific prior written permission
+.\"
+.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
+.\" IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
+.\" OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
+.\" IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
+.\" INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+.\" DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+.\" THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
+.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+.\"
+.Dd $Mdocdate: June 28 2016 $
+.Dt NC 1
+.Os
+.Sh NAME
+.Nm nc
+.Nd arbitrary TCP and UDP connections and listens
+.Sh SYNOPSIS
+.Nm nc
+.Op Fl 46cDdFhklNnrStUuvz
+.Op Fl C Ar certfile
+.Op Fl e Ar name
+.Op Fl H Ar hash
+.Op Fl I Ar length
+.Op Fl i Ar interval
+.Op Fl K Ar keyfile
+.Op Fl M Ar ttl
+.Op Fl m Ar minttl
+.Op Fl O Ar length
+.Op Fl P Ar proxy_username
+.Op Fl p Ar source_port
+.Op Fl R Ar CAfile
+.Op Fl s Ar source
+.Op Fl T Ar keyword
+.Op Fl V Ar rtable
+.Op Fl w Ar timeout
+.Op Fl X Ar proxy_protocol
+.Op Fl x Ar proxy_address Ns Op : Ns Ar port
+.Op Ar destination
+.Op Ar port
+.Sh DESCRIPTION
+The
+.Nm
+(or
+.Nm netcat )
+utility is used for just about anything under the sun involving TCP,
+UDP, or
+.Ux Ns -domain
+sockets.
+It can open TCP connections, send UDP packets, listen on arbitrary
+TCP and UDP ports, do port scanning, and deal with both IPv4 and
+IPv6.
+Unlike
+.Xr telnet 1 ,
+.Nm
+scripts nicely, and separates error messages onto standard error instead
+of sending them to standard output, as
+.Xr telnet 1
+does with some.
+.Pp
+Common uses include:
+.Pp
+.Bl -bullet -offset indent -compact
+.It
+simple TCP proxies
+.It
+shell-script based HTTP clients and servers
+.It
+network daemon testing
+.It
+a SOCKS or HTTP ProxyCommand for
+.Xr ssh 1
+.It
+and much, much more
+.El
+.Pp
+The options are as follows:
+.Bl -tag -width Ds
+.It Fl 4
+Forces
+.Nm
+to use IPv4 addresses only.
+.It Fl 6
+Forces
+.Nm
+to use IPv6 addresses only.
+.It Fl C Ar certfile
+Specifies the filename from which the public key part of the TLS
+certificate is loaded, in PEM format.
+May only be used with TLS.
+.It Fl c
+If using a TCP socket to connect or listen, use TLS.
+Illegal if not using TCP sockets.
+.It Fl D
+Enable debugging on the socket.
+.It Fl d
+Do not attempt to read from stdin.
+.It Fl e Ar name
+Specify the name that must be present in the peer certificate when using TLS.
+Illegal if not using TLS.
+.It Fl F
+Pass the first connected socket using
+.Xr sendmsg 2
+to stdout and exit.
+This is useful in conjunction with
+.Fl X
+to have
+.Nm
+perform connection setup with a proxy but then leave the rest of the
+connection to another program (e.g.\&
+.Xr ssh 1
+using the
+.Xr ssh_config 5
+.Cm ProxyUseFdpass
+option).
+.It Fl H Ar hash
+Specifies the required hash string of the peer certificate when using TLS.
+The string format required is that used by
+.Xr tls_peer_cert_hash 3 .
+Illegal if not using TLS, and may not be used with -T noverify.
+.It Fl h
+Prints out
+.Nm
+help.
+.It Fl I Ar length
+Specifies the size of the TCP receive buffer.
+.It Fl i Ar interval
+Specifies a delay time interval between lines of text sent and received.
+Also causes a delay time between connections to multiple ports.
+.It Fl K Ar keyfile
+Specifies the filename from which the private key
+is loaded in PEM format.
+May only be used with TLS.
+.It Fl k
+Forces
+.Nm
+to stay listening for another connection after its current connection
+is completed.
+It is an error to use this option without the
+.Fl l
+option.
+When used together with the
+.Fl u
+option, the server socket is not connected and it can receive UDP datagrams from
+multiple hosts.
+.It Fl l
+Used to specify that
+.Nm
+should listen for an incoming connection rather than initiate a
+connection to a remote host.
+It is an error to use this option in conjunction with the
+.Fl p ,
+.Fl s ,
+or
+.Fl z
+options.
+Additionally, any timeouts specified with the
+.Fl w
+option are ignored.
+.It Fl M Ar ttl
+Set the TTL / hop limit of outgoing packets.
+.It Fl m Ar minttl
+Ask the kernel to drop incoming packets whose TTL / hop limit is under
+.Ar minttl .
+.It Fl N
+.Xr shutdown 2
+the network socket after EOF on the input.
+Some servers require this to finish their work.
+.It Fl n
+Do not do any DNS or service lookups on any specified addresses,
+hostnames or ports.
+.It Fl O Ar length
+Specifies the size of the TCP send buffer.
+.It Fl P Ar proxy_username
+Specifies a username to present to a proxy server that requires authentication.
+If no username is specified then authentication will not be attempted.
+Proxy authentication is only supported for HTTP CONNECT proxies at present.
+.It Fl p Ar source_port
+Specifies the source port
+.Nm
+should use, subject to privilege restrictions and availability.
+It is an error to use this option in conjunction with the
+.Fl l
+option.
+.It Fl R Ar CAfile
+Specifies the filename from which the root CA bundle for certificate
+verification is loaded, in PEM format.
+Illegal if not using TLS.
+The default is
+.Pa /etc/ssl/cert.pem .
+.It Fl r
+Specifies that source and/or destination ports should be chosen randomly
+instead of sequentially within a range or in the order that the system
+assigns them.
+.It Fl S
+Enables the RFC 2385 TCP MD5 signature option.
+.It Fl s Ar source
+Specifies the IP of the interface which is used to send the packets.
+For
+.Ux Ns -domain
+datagram sockets, specifies the local temporary socket file
+to create and use so that datagrams can be received.
+It is an error to use this option in conjunction with the
+.Fl l
+option.
+.It Fl T Ar keyword
+Change IPv4 TOS value or TLS options.
+For TLS options
+.Ar keyword
+may be one of
+.Ar tlslegacy ,
+which allows legacy TLS protocols;
+.Ar noverify ,
+which disables certificate verification;
+.Ar noname ,
+which disables certificate name checking; or
+.Ar clientcert ,
+which requires a client certificate on incoming connections.
+It is illegal to specify TLS options if not using TLS.
+.Pp
+For IPv4 TOS value
+.Ar keyword
+may be one of
+.Ar critical ,
+.Ar inetcontrol ,
+.Ar lowdelay ,
+.Ar netcontrol ,
+.Ar throughput ,
+.Ar reliability ,
+or one of the DiffServ Code Points:
+.Ar ef ,
+.Ar af11 ... af43 ,
+.Ar cs0 ... cs7 ;
+or a number in either hex or decimal.
+.It Fl t
+Causes
+.Nm
+to send RFC 854 DON'T and WON'T responses to RFC 854 DO and WILL requests.
+This makes it possible to use
+.Nm
+to script telnet sessions.
+.It Fl U
+Specifies to use
+.Ux Ns -domain
+sockets.
+.It Fl u
+Use UDP instead of the default option of TCP.
+For
+.Ux Ns -domain
+sockets, use a datagram socket instead of a stream socket.
+If a
+.Ux Ns -domain
+socket is used, a temporary receiving socket is created in
+.Pa /tmp
+unless the
+.Fl s
+flag is given.
+.It Fl V Ar rtable
+Set the routing table to be used.
+.It Fl v
+Have
+.Nm
+give more verbose output.
+.It Fl w Ar timeout
+Connections which cannot be established or are idle timeout after
+.Ar timeout
+seconds.
+The
+.Fl w
+flag has no effect on the
+.Fl l
+option, i.e.\&
+.Nm
+will listen forever for a connection, with or without the
+.Fl w
+flag.
+The default is no timeout.
+.It Fl X Ar proxy_protocol
+Requests that
+.Nm
+should use the specified protocol when talking to the proxy server.
+Supported protocols are
+.Dq 4
+(SOCKS v.4),
+.Dq 5
+(SOCKS v.5)
+and
+.Dq connect
+(HTTPS proxy).
+If the protocol is not specified, SOCKS version 5 is used.
+.It Fl x Ar proxy_address Ns Op : Ns Ar port
+Requests that
+.Nm
+should connect to
+.Ar destination
+using a proxy at
+.Ar proxy_address
+and
+.Ar port .
+If
+.Ar port
+is not specified, the well-known port for the proxy protocol is used (1080
+for SOCKS, 3128 for HTTPS).
+.It Fl z
+Specifies that
+.Nm
+should just scan for listening daemons, without sending any data to them.
+It is an error to use this option in conjunction with the
+.Fl l
+option.
+.El
+.Pp
+.Ar destination
+can be a numerical IP address or a symbolic hostname
+(unless the
+.Fl n
+option is given).
+In general, a destination must be specified,
+unless the
+.Fl l
+option is given
+(in which case the local host is used).
+For
+.Ux Ns -domain
+sockets, a destination is required and is the socket path to connect to
+(or listen on if the
+.Fl l
+option is given).
+.Pp
+.Ar port
+can be a specified as a numeric port number, or as a service name.
+Ports may be specified in a range of the form nn-mm.
+In general,
+a destination port must be specified,
+unless the
+.Fl U
+option is given.
+.Sh CLIENT/SERVER MODEL
+It is quite simple to build a very basic client/server model using
+.Nm .
+On one console, start
+.Nm
+listening on a specific port for a connection.
+For example:
+.Pp
+.Dl $ nc -l 1234
+.Pp
+.Nm
+is now listening on port 1234 for a connection.
+On a second console
+.Pq or a second machine ,
+connect to the machine and port being listened on:
+.Pp
+.Dl $ nc 127.0.0.1 1234
+.Pp
+There should now be a connection between the ports.
+Anything typed at the second console will be concatenated to the first,
+and vice-versa.
+After the connection has been set up,
+.Nm
+does not really care which side is being used as a
+.Sq server
+and which side is being used as a
+.Sq client .
+The connection may be terminated using an
+.Dv EOF
+.Pq Sq ^D .
+.Sh DATA TRANSFER
+The example in the previous section can be expanded to build a
+basic data transfer model.
+Any information input into one end of the connection will be output
+to the other end, and input and output can be easily captured in order to
+emulate file transfer.
+.Pp
+Start by using
+.Nm
+to listen on a specific port, with output captured into a file:
+.Pp
+.Dl $ nc -l 1234 \*(Gt filename.out
+.Pp
+Using a second machine, connect to the listening
+.Nm
+process, feeding it the file which is to be transferred:
+.Pp
+.Dl $ nc -N host.example.com 1234 \*(Lt filename.in
+.Pp
+After the file has been transferred, the connection will close automatically.
+.Sh TALKING TO SERVERS
+It is sometimes useful to talk to servers
+.Dq by hand
+rather than through a user interface.
+It can aid in troubleshooting,
+when it might be necessary to verify what data a server is sending
+in response to commands issued by the client.
+For example, to retrieve the home page of a web site:
+.Bd -literal -offset indent
+$ printf "GET / HTTP/1.0\er\en\er\en" | nc host.example.com 80
+.Ed
+.Pp
+Note that this also displays the headers sent by the web server.
+They can be filtered, using a tool such as
+.Xr sed 1 ,
+if necessary.
+.Pp
+More complicated examples can be built up when the user knows the format
+of requests required by the server.
+As another example, an email may be submitted to an SMTP server using:
+.Bd -literal -offset indent
+$ nc localhost 25 \*(Lt\*(Lt EOF
+HELO host.example.com
+MAIL FROM:\*(Ltuser@host.example.com\*(Gt
+RCPT TO:\*(Ltuser2@host.example.com\*(Gt
+DATA
+Body of email.
+\&.
+QUIT
+EOF
+.Ed
+.Sh PORT SCANNING
+It may be useful to know which ports are open and running services on
+a target machine.
+The
+.Fl z
+flag can be used to tell
+.Nm
+to report open ports,
+rather than initiate a connection.
+For example:
+.Bd -literal -offset indent
+$ nc -z host.example.com 20-30
+Connection to host.example.com 22 port [tcp/ssh] succeeded!
+Connection to host.example.com 25 port [tcp/smtp] succeeded!
+.Ed
+.Pp
+The port range was specified to limit the search to ports 20 \- 30.
+.Pp
+Alternatively, it might be useful to know which server software
+is running, and which versions.
+This information is often contained within the greeting banners.
+In order to retrieve these, it is necessary to first make a connection,
+and then break the connection when the banner has been retrieved.
+This can be accomplished by specifying a small timeout with the
+.Fl w
+flag, or perhaps by issuing a
+.Qq Dv QUIT
+command to the server:
+.Bd -literal -offset indent
+$ echo "QUIT" | nc host.example.com 20-30
+SSH-1.99-OpenSSH_3.6.1p2
+Protocol mismatch.
+220 host.example.com IMS SMTP Receiver Version 0.84 Ready
+.Ed
+.Sh EXAMPLES
+Open a TCP connection to port 42 of host.example.com, using port 31337 as
+the source port, with a timeout of 5 seconds:
+.Pp
+.Dl $ nc -p 31337 -w 5 host.example.com 42
+.Pp
+Open a TCP connection to port 443 of www.google.ca, and negotiate TLS.
+Check for a different name in the certificate for validation.
+.Pp
+.Dl $  nc -v -c -e adsf.au.doubleclick.net www.google.ca 443
+.Pp
+Open a UDP connection to port 53 of host.example.com:
+.Pp
+.Dl $ nc -u host.example.com 53
+.Pp
+Open a TCP connection to port 42 of host.example.com using 10.1.2.3 as the
+IP for the local end of the connection:
+.Pp
+.Dl $ nc -s 10.1.2.3 host.example.com 42
+.Pp
+Create and listen on a
+.Ux Ns -domain
+stream socket:
+.Pp
+.Dl $ nc -lU /var/tmp/dsocket
+.Pp
+Connect to port 42 of host.example.com via an HTTP proxy at 10.2.3.4,
+port 8080.
+This example could also be used by
+.Xr ssh 1 ;
+see the
+.Cm ProxyCommand
+directive in
+.Xr ssh_config 5
+for more information.
+.Pp
+.Dl $ nc -x10.2.3.4:8080 -Xconnect host.example.com 42
+.Pp
+The same example again, this time enabling proxy authentication with username
+.Dq ruser
+if the proxy requires it:
+.Pp
+.Dl $ nc -x10.2.3.4:8080 -Xconnect -Pruser host.example.com 42
+.Sh SEE ALSO
+.Xr cat 1 ,
+.Xr ssh 1
+.Sh AUTHORS
+Original implementation by *Hobbit*
+.Aq Mt hobbit@avian.org .
+.br
+Rewritten with IPv6 support by
+.An Eric Jackson Aq Mt ericj@monkey.org .
+.Sh CAVEATS
+UDP port scans using the
+.Fl uz
+combination of flags will always report success irrespective of
+the target machine's state.
+However,
+in conjunction with a traffic sniffer either on the target machine
+or an intermediary device,
+the
+.Fl uz
+combination could be useful for communications diagnostics.
+Note that the amount of UDP traffic generated may be limited either
+due to hardware resources and/or configuration settings.
diff --git a/crypto/libressl/apps/nc/netcat.c b/crypto/libressl/apps/nc/netcat.c
new file mode 100644 (file)
index 0000000..cdb2db2
--- /dev/null
@@ -0,0 +1,1676 @@
+/* $OpenBSD: netcat.c,v 1.159 2016/07/07 14:09:44 jsing Exp $ */
+/*
+ * Copyright (c) 2001 Eric Jackson <ericj@monkey.org>
+ * Copyright (c) 2015 Bob Beck.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *   notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *   notice, this list of conditions and the following disclaimer in the
+ *   documentation and/or other materials provided with the distribution.
+ * 3. The name of the author may not be used to endorse or promote products
+ *   derived from this software without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
+ * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
+ * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
+ * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
+ * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+ * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+ * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
+ * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+/*
+ * Re-written nc(1) for OpenBSD. Original implementation by
+ * *Hobbit* <hobbit@avian.org>.
+ */
+
+#include <sys/types.h>
+#include <sys/socket.h>
+#include <sys/uio.h>
+#include <sys/un.h>
+
+#include <netinet/in.h>
+#include <netinet/tcp.h>
+#include <netinet/ip.h>
+#include <arpa/telnet.h>
+
+#include <err.h>
+#include <errno.h>
+#include <limits.h>
+#include <netdb.h>
+#include <poll.h>
+#include <signal.h>
+#include <stdarg.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <time.h>
+#include <unistd.h>
+#include <tls.h>
+#include "atomicio.h"
+
+#define PORT_MAX       65535
+#define UNIX_DG_TMP_SOCKET_SIZE        19
+
+#define POLL_STDIN 0
+#define POLL_NETOUT 1
+#define POLL_NETIN 2
+#define POLL_STDOUT 3
+#define BUFSIZE 16384
+#ifndef DEFAULT_CA_FILE
+#define DEFAULT_CA_FILE "/etc/ssl/cert.pem"
+#endif
+
+#define TLS_LEGACY     (1 << 1)
+#define TLS_NOVERIFY   (1 << 2)
+#define TLS_NONAME     (1 << 3)
+#define TLS_CCERT      (1 << 4)
+
+/* Command Line Options */
+int    dflag;                                  /* detached, no stdin */
+int    Fflag;                                  /* fdpass sock to stdout */
+unsigned int iflag;                            /* Interval Flag */
+int    kflag;                                  /* More than one connect */
+int    lflag;                                  /* Bind to local port */
+int    Nflag;                                  /* shutdown() network socket */
+int    nflag;                                  /* Don't do name look up */
+char   *Pflag;                                 /* Proxy username */
+char   *pflag;                                 /* Localport flag */
+int    rflag;                                  /* Random ports flag */
+char   *sflag;                                 /* Source Address */
+int    tflag;                                  /* Telnet Emulation */
+int    uflag;                                  /* UDP - Default to TCP */
+int    vflag;                                  /* Verbosity */
+int    xflag;                                  /* Socks proxy */
+int    zflag;                                  /* Port Scan Flag */
+int    Dflag;                                  /* sodebug */
+int    Iflag;                                  /* TCP receive buffer size */
+int    Oflag;                                  /* TCP send buffer size */
+#ifdef TCP_MD5SIG
+int    Sflag;                                  /* TCP MD5 signature option */
+#endif
+int    Tflag = -1;                             /* IP Type of Service */
+#ifdef SO_RTABLE
+int    rtableid = -1;
+#endif
+
+int    usetls;                                 /* use TLS */
+char    *Cflag;                                        /* Public cert file */
+char    *Kflag;                                        /* Private key file */
+char    *Rflag = DEFAULT_CA_FILE;              /* Root CA file */
+int    tls_cachanged;                          /* Using non-default CA file */
+int     TLSopt;                                        /* TLS options */
+char   *tls_expectname;                        /* required name in peer cert */
+char   *tls_expecthash;                        /* required hash of peer cert */
+uint8_t *cacert;
+size_t  cacertlen;
+uint8_t *privkey;
+size_t  privkeylen;
+uint8_t *pubcert;
+size_t  pubcertlen;
+
+int timeout = -1;
+int family = AF_UNSPEC;
+char *portlist[PORT_MAX+1];
+char *unix_dg_tmp_socket;
+int ttl = -1;
+int minttl = -1;
+
+void   atelnet(int, unsigned char *, unsigned int);
+void   build_ports(char *);
+void   help(void);
+int    local_listen(char *, char *, struct addrinfo);
+void   readwrite(int, struct tls *);
+void   fdpass(int nfd) __attribute__((noreturn));
+int    remote_connect(const char *, const char *, struct addrinfo);
+int    timeout_connect(int, const struct sockaddr *, socklen_t);
+int    socks_connect(const char *, const char *, struct addrinfo,
+           const char *, const char *, struct addrinfo, int, const char *);
+int    udptest(int);
+int    unix_bind(char *, int);
+int    unix_connect(char *);
+int    unix_listen(char *);
+void   set_common_sockopts(int, int);
+int    map_tos(char *, int *);
+int    map_tls(char *, int *);
+void   report_connect(const struct sockaddr *, socklen_t, char *);
+void   report_tls(struct tls *tls_ctx, char * host, char *tls_expectname);
+void   usage(int);
+ssize_t drainbuf(int, unsigned char *, size_t *, struct tls *);
+ssize_t fillbuf(int, unsigned char *, size_t *, struct tls *);
+void   tls_setup_client(struct tls *, int, char *);
+struct tls *tls_setup_server(struct tls *, int, char *);
+
+int
+main(int argc, char *argv[])
+{
+       int ch, s = -1, ret, socksv;
+       char *host, *uport;
+       struct addrinfo hints;
+       struct servent *sv;
+       socklen_t len;
+       struct sockaddr_storage cliaddr;
+       char *proxy = NULL;
+       const char *errstr, *proxyhost = "", *proxyport = NULL;
+       struct addrinfo proxyhints;
+       char unix_dg_tmp_socket_buf[UNIX_DG_TMP_SOCKET_SIZE];
+       struct tls_config *tls_cfg = NULL;
+       struct tls *tls_ctx = NULL;
+
+       ret = 1;
+       socksv = 5;
+       host = NULL;
+       uport = NULL;
+       sv = NULL;
+
+       signal(SIGPIPE, SIG_IGN);
+
+       while ((ch = getopt(argc, argv,
+           "46C:cDde:FH:hI:i:K:klM:m:NnO:P:p:R:rSs:T:tUuV:vw:X:x:z")) != -1) {
+               switch (ch) {
+               case '4':
+                       family = AF_INET;
+                       break;
+               case '6':
+                       family = AF_INET6;
+                       break;
+               case 'U':
+                       family = AF_UNIX;
+                       break;
+               case 'X':
+                       if (strcasecmp(optarg, "connect") == 0)
+                               socksv = -1; /* HTTP proxy CONNECT */
+                       else if (strcmp(optarg, "4") == 0)
+                               socksv = 4; /* SOCKS v.4 */
+                       else if (strcmp(optarg, "5") == 0)
+                               socksv = 5; /* SOCKS v.5 */
+                       else
+                               errx(1, "unsupported proxy protocol");
+                       break;
+               case 'C':
+                       Cflag = optarg;
+                       break;
+               case 'c':
+                       usetls = 1;
+                       break;
+               case 'd':
+                       dflag = 1;
+                       break;
+               case 'e':
+                       tls_expectname = optarg;
+                       break;
+               case 'F':
+                       Fflag = 1;
+                       break;
+               case 'H':
+                       tls_expecthash = optarg;
+                       break;
+               case 'h':
+                       help();
+                       break;
+               case 'i':
+                       iflag = strtonum(optarg, 0, UINT_MAX, &errstr);
+                       if (errstr)
+                               errx(1, "interval %s: %s", errstr, optarg);
+                       break;
+               case 'K':
+                       Kflag = optarg;
+                       break;
+               case 'k':
+                       kflag = 1;
+                       break;
+               case 'l':
+                       lflag = 1;
+                       break;
+               case 'M':
+                       ttl = strtonum(optarg, 0, 255, &errstr);
+                       if (errstr)
+                               errx(1, "ttl is %s", errstr);
+                       break;
+               case 'm':
+                       minttl = strtonum(optarg, 0, 255, &errstr);
+                       if (errstr)
+                               errx(1, "minttl is %s", errstr);
+                       break;
+               case 'N':
+                       Nflag = 1;
+                       break;
+               case 'n':
+                       nflag = 1;
+                       break;
+               case 'P':
+                       Pflag = optarg;
+                       break;
+               case 'p':
+                       pflag = optarg;
+                       break;
+               case 'R':
+                       tls_cachanged = 1;
+                       Rflag = optarg;
+                       break;
+               case 'r':
+                       rflag = 1;
+                       break;
+               case 's':
+                       sflag = optarg;
+                       break;
+               case 't':
+                       tflag = 1;
+                       break;
+               case 'u':
+                       uflag = 1;
+                       break;
+#ifdef SO_RTABLE
+               case 'V':
+                       rtableid = (int)strtonum(optarg, 0,
+                           RT_TABLEID_MAX, &errstr);
+                       if (errstr)
+                               errx(1, "rtable %s: %s", errstr, optarg);
+                       break;
+#endif
+               case 'v':
+                       vflag = 1;
+                       break;
+               case 'w':
+                       timeout = strtonum(optarg, 0, INT_MAX / 1000, &errstr);
+                       if (errstr)
+                               errx(1, "timeout %s: %s", errstr, optarg);
+                       timeout *= 1000;
+                       break;
+               case 'x':
+                       xflag = 1;
+                       if ((proxy = strdup(optarg)) == NULL)
+                               err(1, NULL);
+                       break;
+               case 'z':
+                       zflag = 1;
+                       break;
+               case 'D':
+                       Dflag = 1;
+                       break;
+               case 'I':
+                       Iflag = strtonum(optarg, 1, 65536 << 14, &errstr);
+                       if (errstr != NULL)
+                               errx(1, "TCP receive window %s: %s",
+                                   errstr, optarg);
+                       break;
+               case 'O':
+                       Oflag = strtonum(optarg, 1, 65536 << 14, &errstr);
+                       if (errstr != NULL)
+                               errx(1, "TCP send window %s: %s",
+                                   errstr, optarg);
+                       break;
+#ifdef TCP_MD5SIG
+               case 'S':
+                       Sflag = 1;
+                       break;
+#endif
+               case 'T':
+                       errstr = NULL;
+                       errno = 0;
+                       if (map_tos(optarg, &Tflag))
+                               break;
+                       if (map_tls(optarg, &TLSopt))
+                               break;
+                       if (strlen(optarg) > 1 && optarg[0] == '0' &&
+                           optarg[1] == 'x')
+                               Tflag = (int)strtol(optarg, NULL, 16);
+                       else
+                               Tflag = (int)strtonum(optarg, 0, 255,
+                                   &errstr);
+                       if (Tflag < 0 || Tflag > 255 || errstr || errno)
+                               errx(1, "illegal tos/tls value %s", optarg);
+                       break;
+               default:
+                       usage(1);
+               }
+       }
+       argc -= optind;
+       argv += optind;
+
+#ifdef SO_RTABLE
+       if (rtableid >= 0)
+               if (setrtable(rtableid) == -1)
+                       err(1, "setrtable");
+#endif
+
+       if (family == AF_UNIX) {
+               if (pledge("stdio rpath wpath cpath tmppath unix", NULL) == -1)
+                       err(1, "pledge");
+       } else if (Fflag) {
+               if (Pflag) {
+                       if (pledge("stdio inet dns sendfd tty", NULL) == -1)
+                               err(1, "pledge");
+               } else if (pledge("stdio inet dns sendfd", NULL) == -1)
+                       err(1, "pledge");
+       } else if (Pflag) {
+               if (pledge("stdio inet dns tty", NULL) == -1)
+                       err(1, "pledge");
+       } else if (usetls) {
+               if (pledge("stdio rpath inet dns", NULL) == -1)
+                       err(1, "pledge");
+       } else if (pledge("stdio inet dns", NULL) == -1)
+               err(1, "pledge");
+
+       /* Cruft to make sure options are clean, and used properly. */
+       if (argv[0] && !argv[1] && family == AF_UNIX) {
+               host = argv[0];
+               uport = NULL;
+       } else if (argv[0] && !argv[1]) {
+               if  (!lflag)
+                       usage(1);
+               uport = argv[0];
+               host = NULL;
+       } else if (argv[0] && argv[1]) {
+               host = argv[0];
+               uport = argv[1];
+       } else
+               usage(1);
+
+       if (lflag && sflag)
+               errx(1, "cannot use -s and -l");
+       if (lflag && pflag)
+               errx(1, "cannot use -p and -l");
+       if (lflag && zflag)
+               errx(1, "cannot use -z and -l");
+       if (!lflag && kflag)
+               errx(1, "must use -l with -k");
+       if (uflag && usetls)
+               errx(1, "cannot use -c and -u");
+       if ((family == AF_UNIX) && usetls)
+               errx(1, "cannot use -c and -U");
+       if ((family == AF_UNIX) && Fflag)
+               errx(1, "cannot use -F and -U");
+       if (Fflag && usetls)
+               errx(1, "cannot use -c and -F");
+       if (TLSopt && !usetls)
+               errx(1, "you must specify -c to use TLS options");
+       if (Cflag && !usetls)
+               errx(1, "you must specify -c to use -C");
+       if (Kflag && !usetls)
+               errx(1, "you must specify -c to use -K");
+       if (tls_cachanged && !usetls)
+               errx(1, "you must specify -c to use -R");
+       if (tls_expecthash && !usetls)
+               errx(1, "you must specify -c to use -H");
+       if (tls_expectname && !usetls)
+               errx(1, "you must specify -c to use -e");
+
+       /* Get name of temporary socket for unix datagram client */
+       if ((family == AF_UNIX) && uflag && !lflag) {
+               if (sflag) {
+                       unix_dg_tmp_socket = sflag;
+               } else {
+                       strlcpy(unix_dg_tmp_socket_buf, "/tmp/nc.XXXXXXXXXX",
+                           UNIX_DG_TMP_SOCKET_SIZE);
+                       if (mktemp(unix_dg_tmp_socket_buf) == NULL)
+                               err(1, "mktemp");
+                       unix_dg_tmp_socket = unix_dg_tmp_socket_buf;
+               }
+       }
+
+       /* Initialize addrinfo structure. */
+       if (family != AF_UNIX) {
+               memset(&hints, 0, sizeof(struct addrinfo));
+               hints.ai_family = family;
+               hints.ai_socktype = uflag ? SOCK_DGRAM : SOCK_STREAM;
+               hints.ai_protocol = uflag ? IPPROTO_UDP : IPPROTO_TCP;
+               if (nflag)
+                       hints.ai_flags |= AI_NUMERICHOST;
+       }
+
+       if (xflag) {
+               if (uflag)
+                       errx(1, "no proxy support for UDP mode");
+
+               if (lflag)
+                       errx(1, "no proxy support for listen");
+
+               if (family == AF_UNIX)
+                       errx(1, "no proxy support for unix sockets");
+
+               /* XXX IPv6 transport to proxy would probably work */
+               if (family == AF_INET6)
+                       errx(1, "no proxy support for IPv6");
+
+               if (sflag)
+                       errx(1, "no proxy support for local source address");
+
+               proxyhost = strsep(&proxy, ":");
+               proxyport = proxy;
+
+               memset(&proxyhints, 0, sizeof(struct addrinfo));
+               proxyhints.ai_family = family;
+               proxyhints.ai_socktype = SOCK_STREAM;
+               proxyhints.ai_protocol = IPPROTO_TCP;
+               if (nflag)
+                       proxyhints.ai_flags |= AI_NUMERICHOST;
+       }
+
+       if (usetls) {
+               if (Rflag && (cacert = tls_load_file(Rflag, &cacertlen, NULL)) == NULL)
+                       errx(1, "unable to load root CA file %s", Rflag);
+               if (Cflag && (pubcert = tls_load_file(Cflag, &pubcertlen, NULL)) == NULL)
+                       errx(1, "unable to load TLS certificate file %s", Cflag);
+               if (Kflag && (privkey = tls_load_file(Kflag, &privkeylen, NULL)) == NULL)
+                       errx(1, "unable to load TLS key file %s", Kflag);
+
+               if (Pflag) {
+                       if (pledge("stdio inet dns tty", NULL) == -1)
+                               err(1, "pledge");
+               } else if (pledge("stdio inet dns", NULL) == -1)
+                       err(1, "pledge");
+
+               if (tls_init() == -1)
+                       errx(1, "unable to initialize TLS");
+               if ((tls_cfg = tls_config_new()) == NULL)
+                       errx(1, "unable to allocate TLS config");
+               if (Rflag && tls_config_set_ca_mem(tls_cfg, cacert, cacertlen) == -1)
+                       errx(1, "unable to set root CA file %s", Rflag);
+               if (Cflag && tls_config_set_cert_mem(tls_cfg, pubcert, pubcertlen) == -1)
+                       errx(1, "unable to set TLS certificate file %s", Cflag);
+               if (Kflag && tls_config_set_key_mem(tls_cfg, privkey, privkeylen) == -1)
+                       errx(1, "unable to set TLS key file %s", Kflag);
+               if (TLSopt & TLS_LEGACY) {
+                       tls_config_set_protocols(tls_cfg, TLS_PROTOCOLS_ALL);
+                       tls_config_set_ciphers(tls_cfg, "all");
+               }
+               if (!lflag && (TLSopt & TLS_CCERT))
+                       errx(1, "clientcert is only valid with -l");
+               if (TLSopt & TLS_NONAME)
+                       tls_config_insecure_noverifyname(tls_cfg);
+               if (TLSopt & TLS_NOVERIFY) {
+                       if (tls_expecthash != NULL)
+                               errx(1, "-H and -T noverify may not be used"
+                                   "together");
+                       tls_config_insecure_noverifycert(tls_cfg);
+               } else {
+                        if (Rflag && access(Rflag, R_OK) == -1)
+                                errx(1, "unable to find root CA file %s", Rflag);
+                }
+       }
+       if (lflag) {
+               struct tls *tls_cctx = NULL;
+               int connfd;
+               ret = 0;
+
+               if (family == AF_UNIX) {
+                       if (uflag)
+                               s = unix_bind(host, 0);
+                       else
+                               s = unix_listen(host);
+               }
+
+               if (usetls) {
+                       tls_config_verify_client_optional(tls_cfg);
+                       if ((tls_ctx = tls_server()) == NULL)
+                               errx(1, "tls server creation failed");
+                       if (tls_configure(tls_ctx, tls_cfg) == -1)
+                               errx(1, "tls configuration failed (%s)",
+                                   tls_error(tls_ctx));
+               }
+               /* Allow only one connection at a time, but stay alive. */
+               for (;;) {
+                       if (family != AF_UNIX)
+                               s = local_listen(host, uport, hints);
+                       if (s < 0)
+                               err(1, NULL);
+                       /*
+                        * For UDP and -k, don't connect the socket, let it
+                        * receive datagrams from multiple socket pairs.
+                        */
+                       if (uflag && kflag)
+                               readwrite(s, NULL);
+                       /*
+                        * For UDP and not -k, we will use recvfrom() initially
+                        * to wait for a caller, then use the regular functions
+                        * to talk to the caller.
+                        */
+                       else if (uflag && !kflag) {
+                               int rv, plen;
+                               char buf[16384];
+                               struct sockaddr_storage z;
+
+                               len = sizeof(z);
+                               plen = 2048;
+                               rv = recvfrom(s, buf, plen, MSG_PEEK,
+                                   (struct sockaddr *)&z, &len);
+                               if (rv < 0)
+                                       err(1, "recvfrom");
+
+                               rv = connect(s, (struct sockaddr *)&z, len);
+                               if (rv < 0)
+                                       err(1, "connect");
+
+                               if (vflag)
+                                       report_connect((struct sockaddr *)&z, len, NULL);
+
+                               readwrite(s, NULL);
+                       } else {
+                               len = sizeof(cliaddr);
+                               connfd = accept4(s, (struct sockaddr *)&cliaddr,
+                                   &len, SOCK_NONBLOCK);
+                               if (connfd == -1) {
+                                       /* For now, all errnos are fatal */
+                                       err(1, "accept");
+                               }
+                               if (vflag)
+                                       report_connect((struct sockaddr *)&cliaddr, len,
+                                           family == AF_UNIX ? host : NULL);
+                               if ((usetls) &&
+                                   (tls_cctx = tls_setup_server(tls_ctx, connfd, host)))
+                                       readwrite(connfd, tls_cctx);
+                               if (!usetls)
+                                       readwrite(connfd, NULL);
+                               if (tls_cctx) {
+                                       int i;
+
+                                       do {
+                                               i = tls_close(tls_cctx);
+                                       } while (i == TLS_WANT_POLLIN ||
+                                           i == TLS_WANT_POLLOUT);
+                                       tls_free(tls_cctx);
+                                       tls_cctx = NULL;
+                               }
+                               close(connfd);
+                       }
+                       if (family != AF_UNIX)
+                               close(s);
+                       else if (uflag) {
+                               if (connect(s, NULL, 0) < 0)
+                                       err(1, "connect");
+                       }
+
+                       if (!kflag)
+                               break;
+               }
+       } else if (family == AF_UNIX) {
+               ret = 0;
+
+               if ((s = unix_connect(host)) > 0 && !zflag) {
+                       readwrite(s, NULL);
+                       close(s);
+               } else
+                       ret = 1;
+
+               if (uflag)
+                       unlink(unix_dg_tmp_socket);
+               exit(ret);
+
+       } else {
+               int i = 0;
+
+               /* Construct the portlist[] array. */
+               build_ports(uport);
+
+               /* Cycle through portlist, connecting to each port. */
+               for (s = -1, i = 0; portlist[i] != NULL; i++) {
+                       if (s != -1)
+                               close(s);
+
+                       if (usetls) {
+                               if ((tls_ctx = tls_client()) == NULL)
+                                       errx(1, "tls client creation failed");
+                               if (tls_configure(tls_ctx, tls_cfg) == -1)
+                                       errx(1, "tls configuration failed (%s)",
+                                           tls_error(tls_ctx));
+                       }
+                       if (xflag)
+                               s = socks_connect(host, portlist[i], hints,
+                                   proxyhost, proxyport, proxyhints, socksv,
+                                   Pflag);
+                       else
+                               s = remote_connect(host, portlist[i], hints);
+
+                       if (s == -1)
+                               continue;
+
+                       ret = 0;
+                       if (vflag || zflag) {
+                               /* For UDP, make sure we are connected. */
+                               if (uflag) {
+                                       if (udptest(s) == -1) {
+                                               ret = 1;
+                                               continue;
+                                       }
+                               }
+
+                               /* Don't look up port if -n. */
+                               if (nflag)
+                                       sv = NULL;
+                               else {
+                                       sv = getservbyport(
+                                           ntohs(atoi(portlist[i])),
+                                           uflag ? "udp" : "tcp");
+                               }
+
+                               fprintf(stderr,
+                                   "Connection to %s %s port [%s/%s] "
+                                   "succeeded!\n", host, portlist[i],
+                                   uflag ? "udp" : "tcp",
+                                   sv ? sv->s_name : "*");
+                       }
+                       if (Fflag)
+                               fdpass(s);
+                       else {
+                               if (usetls)
+                                       tls_setup_client(tls_ctx, s, host);
+                               if (!zflag)
+                                       readwrite(s, tls_ctx);
+                               if (tls_ctx) {
+                                       int j;
+
+                                       do {
+                                               j = tls_close(tls_ctx);
+                                       } while (j == TLS_WANT_POLLIN ||
+                                           j == TLS_WANT_POLLOUT);
+                                       tls_free(tls_ctx);
+                                       tls_ctx = NULL;
+                               }
+                       }
+               }
+       }
+
+       if (s != -1)
+               close(s);
+
+       tls_config_free(tls_cfg);
+
+       exit(ret);
+}
+
+/*
+ * unix_bind()
+ * Returns a unix socket bound to the given path
+ */
+int
+unix_bind(char *path, int flags)
+{
+       struct sockaddr_un s_un;
+       int s, save_errno;
+
+       /* Create unix domain socket. */
+       if ((s = socket(AF_UNIX, flags | (uflag ? SOCK_DGRAM : SOCK_STREAM),
+           0)) < 0)
+               return (-1);
+
+       memset(&s_un, 0, sizeof(struct sockaddr_un));
+       s_un.sun_family = AF_UNIX;
+
+       if (strlcpy(s_un.sun_path, path, sizeof(s_un.sun_path)) >=
+           sizeof(s_un.sun_path)) {
+               close(s);
+               errno = ENAMETOOLONG;
+               return (-1);
+       }
+
+       if (bind(s, (struct sockaddr *)&s_un, sizeof(s_un)) < 0) {
+               save_errno = errno;
+               close(s);
+               errno = save_errno;
+               return (-1);
+       }
+       return (s);
+}
+
+void
+tls_setup_client(struct tls *tls_ctx, int s, char *host)
+{
+       int i;
+
+       if (tls_connect_socket(tls_ctx, s,
+               tls_expectname ? tls_expectname : host) == -1) {
+               errx(1, "tls connection failed (%s)",
+                   tls_error(tls_ctx));
+       }
+       do {
+               if ((i = tls_handshake(tls_ctx)) == -1)
+                       errx(1, "tls handshake failed (%s)",
+                           tls_error(tls_ctx));
+       } while (i == TLS_WANT_POLLIN || i == TLS_WANT_POLLOUT);
+       if (vflag)
+               report_tls(tls_ctx, host, tls_expectname);
+       if (tls_expecthash && tls_peer_cert_hash(tls_ctx) &&
+           strcmp(tls_expecthash, tls_peer_cert_hash(tls_ctx)) != 0)
+               errx(1, "peer certificate is not %s", tls_expecthash);
+}
+
+struct tls *
+tls_setup_server(struct tls *tls_ctx, int connfd, char *host)
+{
+       struct tls *tls_cctx;
+
+       if (tls_accept_socket(tls_ctx, &tls_cctx,
+               connfd) == -1) {
+               warnx("tls accept failed (%s)",
+                   tls_error(tls_ctx));
+               tls_cctx = NULL;
+       } else {
+               int i;
+
+               do {
+                       if ((i = tls_handshake(tls_cctx)) == -1)
+                               warnx("tls handshake failed (%s)",
+                                   tls_error(tls_cctx));
+               } while(i == TLS_WANT_POLLIN || i == TLS_WANT_POLLOUT);
+       }
+       if (tls_cctx) {
+               int gotcert = tls_peer_cert_provided(tls_cctx);
+
+               if (vflag && gotcert)
+                       report_tls(tls_cctx, host, tls_expectname);
+               if ((TLSopt & TLS_CCERT) && !gotcert)
+                       warnx("No client certificate provided");
+               else if (gotcert && tls_peer_cert_hash(tls_ctx) && tls_expecthash &&
+                   strcmp(tls_expecthash, tls_peer_cert_hash(tls_ctx)) != 0)
+                       warnx("peer certificate is not %s", tls_expecthash);
+               else if (gotcert && tls_expectname &&
+                   (!tls_peer_cert_contains_name(tls_cctx, tls_expectname)))
+                       warnx("name (%s) not found in client cert",
+                           tls_expectname);
+               else {
+                       return tls_cctx;
+               }
+       }
+       return NULL;
+}
+
+/*
+ * unix_connect()
+ * Returns a socket connected to a local unix socket. Returns -1 on failure.
+ */
+int
+unix_connect(char *path)
+{
+       struct sockaddr_un s_un;
+       int s, save_errno;
+
+       if (uflag) {
+               if ((s = unix_bind(unix_dg_tmp_socket, SOCK_CLOEXEC)) < 0)
+                       return (-1);
+       } else {
+               if ((s = socket(AF_UNIX, SOCK_STREAM | SOCK_CLOEXEC, 0)) < 0)
+                       return (-1);
+       }
+
+       memset(&s_un, 0, sizeof(struct sockaddr_un));
+       s_un.sun_family = AF_UNIX;
+
+       if (strlcpy(s_un.sun_path, path, sizeof(s_un.sun_path)) >=
+           sizeof(s_un.sun_path)) {
+               close(s);
+               errno = ENAMETOOLONG;
+               return (-1);
+       }
+       if (connect(s, (struct sockaddr *)&s_un, sizeof(s_un)) < 0) {
+               save_errno = errno;
+               close(s);
+               errno = save_errno;
+               return (-1);
+       }
+       return (s);
+
+}
+
+/*
+ * unix_listen()
+ * Create a unix domain socket, and listen on it.
+ */
+int
+unix_listen(char *path)
+{
+       int s;
+       if ((s = unix_bind(path, 0)) < 0)
+               return (-1);
+
+       if (listen(s, 5) < 0) {
+               close(s);
+               return (-1);
+       }
+       return (s);
+}
+
+/*
+ * remote_connect()
+ * Returns a socket connected to a remote host. Properly binds to a local
+ * port or source address if needed. Returns -1 on failure.
+ */
+int
+remote_connect(const char *host, const char *port, struct addrinfo hints)
+{
+       struct addrinfo *res, *res0;
+       int s, error, save_errno;
+#ifdef SO_BINDANY
+       int on = 1;
+#endif
+
+       if ((error = getaddrinfo(host, port, &hints, &res)))
+               errx(1, "getaddrinfo: %s", gai_strerror(error));
+
+       res0 = res;
+       do {
+               if ((s = socket(res0->ai_family, res0->ai_socktype |
+                   SOCK_NONBLOCK, res0->ai_protocol)) < 0)
+                       continue;
+
+               /* Bind to a local port or source address if specified. */
+               if (sflag || pflag) {
+                       struct addrinfo ahints, *ares;
+
+#ifdef SO_BINDANY
+                       /* try SO_BINDANY, but don't insist */
+                       setsockopt(s, SOL_SOCKET, SO_BINDANY, &on, sizeof(on));
+#endif
+                       memset(&ahints, 0, sizeof(struct addrinfo));
+                       ahints.ai_family = res0->ai_family;
+                       ahints.ai_socktype = uflag ? SOCK_DGRAM : SOCK_STREAM;
+                       ahints.ai_protocol = uflag ? IPPROTO_UDP : IPPROTO_TCP;
+                       ahints.ai_flags = AI_PASSIVE;
+                       if ((error = getaddrinfo(sflag, pflag, &ahints, &ares)))
+                               errx(1, "getaddrinfo: %s", gai_strerror(error));
+
+                       if (bind(s, (struct sockaddr *)ares->ai_addr,
+                           ares->ai_addrlen) < 0)
+                               err(1, "bind failed");
+                       freeaddrinfo(ares);
+               }
+
+               set_common_sockopts(s, res0->ai_family);
+
+               if (timeout_connect(s, res0->ai_addr, res0->ai_addrlen) == 0)
+                       break;
+               if (vflag)
+                       warn("connect to %s port %s (%s) failed", host, port,
+                           uflag ? "udp" : "tcp");
+
+               save_errno = errno;
+               close(s);
+               errno = save_errno;
+               s = -1;
+       } while ((res0 = res0->ai_next) != NULL);
+
+       freeaddrinfo(res);
+
+       return (s);
+}
+
+int
+timeout_connect(int s, const struct sockaddr *name, socklen_t namelen)
+{
+       struct pollfd pfd;
+       socklen_t optlen;
+       int optval;
+       int ret;
+
+       if ((ret = connect(s, name, namelen)) != 0 && errno == EINPROGRESS) {
+               pfd.fd = s;
+               pfd.events = POLLOUT;
+               if ((ret = poll(&pfd, 1, timeout)) == 1) {
+                       optlen = sizeof(optval);
+                       if ((ret = getsockopt(s, SOL_SOCKET, SO_ERROR,
+                           &optval, &optlen)) == 0) {
+                               errno = optval;
+                               ret = optval == 0 ? 0 : -1;
+                       }
+               } else if (ret == 0) {
+                       errno = ETIMEDOUT;
+                       ret = -1;
+               } else
+                       err(1, "poll failed");
+       }
+
+       return (ret);
+}
+
+/*
+ * local_listen()
+ * Returns a socket listening on a local port, binds to specified source
+ * address. Returns -1 on failure.
+ */
+int
+local_listen(char *host, char *port, struct addrinfo hints)
+{
+       struct addrinfo *res, *res0;
+       int s, save_errno;
+#ifdef SO_REUSEPORT
+       int ret, x = 1;
+#endif
+       int error;
+
+       /* Allow nodename to be null. */
+       hints.ai_flags |= AI_PASSIVE;
+
+       /*
+        * In the case of binding to a wildcard address
+        * default to binding to an ipv4 address.
+        */
+       if (host == NULL && hints.ai_family == AF_UNSPEC)
+               hints.ai_family = AF_INET;
+
+       if ((error = getaddrinfo(host, port, &hints, &res)))
+               errx(1, "getaddrinfo: %s", gai_strerror(error));
+
+       res0 = res;
+       do {
+               if ((s = socket(res0->ai_family, res0->ai_socktype,
+                   res0->ai_protocol)) < 0)
+                       continue;
+
+#ifdef SO_REUSEPORT
+               ret = setsockopt(s, SOL_SOCKET, SO_REUSEPORT, &x, sizeof(x));
+               if (ret == -1)
+                       err(1, NULL);
+#endif
+
+               set_common_sockopts(s, res0->ai_family);
+
+               if (bind(s, (struct sockaddr *)res0->ai_addr,
+                   res0->ai_addrlen) == 0)
+                       break;
+
+               save_errno = errno;
+               close(s);
+               errno = save_errno;
+               s = -1;
+       } while ((res0 = res0->ai_next) != NULL);
+
+       if (!uflag && s != -1) {
+               if (listen(s, 1) < 0)
+                       err(1, "listen");
+       }
+
+       freeaddrinfo(res);
+
+       return (s);
+}
+
+/*
+ * readwrite()
+ * Loop that polls on the network file descriptor and stdin.
+ */
+void
+readwrite(int net_fd, struct tls *tls_ctx)
+{
+       struct pollfd pfd[4];
+       int stdin_fd = STDIN_FILENO;
+       int stdout_fd = STDOUT_FILENO;
+       unsigned char netinbuf[BUFSIZE];
+       size_t netinbufpos = 0;
+       unsigned char stdinbuf[BUFSIZE];
+       size_t stdinbufpos = 0;
+       int n, num_fds;
+       ssize_t ret;
+
+       /* don't read from stdin if requested */
+       if (dflag)
+               stdin_fd = -1;
+
+       /* stdin */
+       pfd[POLL_STDIN].fd = stdin_fd;
+       pfd[POLL_STDIN].events = POLLIN;
+
+       /* network out */
+       pfd[POLL_NETOUT].fd = net_fd;
+       pfd[POLL_NETOUT].events = 0;
+
+       /* network in */
+       pfd[POLL_NETIN].fd = net_fd;
+       pfd[POLL_NETIN].events = POLLIN;
+
+       /* stdout */
+       pfd[POLL_STDOUT].fd = stdout_fd;
+       pfd[POLL_STDOUT].events = 0;
+
+       while (1) {
+               /* both inputs are gone, buffers are empty, we are done */
+               if (pfd[POLL_STDIN].fd == -1 && pfd[POLL_NETIN].fd == -1 &&
+                   stdinbufpos == 0 && netinbufpos == 0) {
+                       close(net_fd);
+                       return;
+               }
+               /* both outputs are gone, we can't continue */
+               if (pfd[POLL_NETOUT].fd == -1 && pfd[POLL_STDOUT].fd == -1) {
+                       close(net_fd);
+                       return;
+               }
+               /* listen and net in gone, queues empty, done */
+               if (lflag && pfd[POLL_NETIN].fd == -1 &&
+                   stdinbufpos == 0 && netinbufpos == 0) {
+                       close(net_fd);
+                       return;
+               }
+
+               /* help says -i is for "wait between lines sent". We read and
+                * write arbitrary amounts of data, and we don't want to start
+                * scanning for newlines, so this is as good as it gets */
+               if (iflag)
+                       sleep(iflag);
+
+               /* poll */
+               num_fds = poll(pfd, 4, timeout);
+
+               /* treat poll errors */
+               if (num_fds == -1) {
+                       close(net_fd);
+                       err(1, "polling error");
+               }
+
+               /* timeout happened */
+               if (num_fds == 0)
+                       return;
+
+               /* treat socket error conditions */
+               for (n = 0; n < 4; n++) {
+                       if (pfd[n].revents & (POLLERR|POLLNVAL)) {
+                               pfd[n].fd = -1;
+                       }
+               }
+               /* reading is possible after HUP */
+               if (pfd[POLL_STDIN].events & POLLIN &&
+                   pfd[POLL_STDIN].revents & POLLHUP &&
+                   !(pfd[POLL_STDIN].revents & POLLIN))
+                       pfd[POLL_STDIN].fd = -1;
+
+               if (pfd[POLL_NETIN].events & POLLIN &&
+                   pfd[POLL_NETIN].revents & POLLHUP &&
+                   !(pfd[POLL_NETIN].revents & POLLIN))
+                       pfd[POLL_NETIN].fd = -1;
+
+               if (pfd[POLL_NETOUT].revents & POLLHUP) {
+                       if (Nflag)
+                               shutdown(pfd[POLL_NETOUT].fd, SHUT_WR);
+                       pfd[POLL_NETOUT].fd = -1;
+               }
+               /* if HUP, stop watching stdout */
+               if (pfd[POLL_STDOUT].revents & POLLHUP)
+                       pfd[POLL_STDOUT].fd = -1;
+               /* if no net out, stop watching stdin */
+               if (pfd[POLL_NETOUT].fd == -1)
+                       pfd[POLL_STDIN].fd = -1;
+               /* if no stdout, stop watching net in */
+               if (pfd[POLL_STDOUT].fd == -1) {
+                       if (pfd[POLL_NETIN].fd != -1)
+                               shutdown(pfd[POLL_NETIN].fd, SHUT_RD);
+                       pfd[POLL_NETIN].fd = -1;
+               }
+
+               /* try to read from stdin */
+               if (pfd[POLL_STDIN].revents & POLLIN && stdinbufpos < BUFSIZE) {
+                       ret = fillbuf(pfd[POLL_STDIN].fd, stdinbuf,
+                           &stdinbufpos, NULL);
+                       if (ret == TLS_WANT_POLLIN)
+                               pfd[POLL_STDIN].events = POLLIN;
+                       else if (ret == TLS_WANT_POLLOUT)
+                               pfd[POLL_STDIN].events = POLLOUT;
+                       else if (ret == 0 || ret == -1)
+                               pfd[POLL_STDIN].fd = -1;
+                       /* read something - poll net out */
+                       if (stdinbufpos > 0)
+                               pfd[POLL_NETOUT].events = POLLOUT;
+                       /* filled buffer - remove self from polling */
+                       if (stdinbufpos == BUFSIZE)
+                               pfd[POLL_STDIN].events = 0;
+               }
+               /* try to write to network */
+               if (pfd[POLL_NETOUT].revents & POLLOUT && stdinbufpos > 0) {
+                       ret = drainbuf(pfd[POLL_NETOUT].fd, stdinbuf,
+                           &stdinbufpos, tls_ctx);
+                       if (ret == TLS_WANT_POLLIN)
+                               pfd[POLL_NETOUT].events = POLLIN;
+                       else if (ret == TLS_WANT_POLLOUT)
+                               pfd[POLL_NETOUT].events = POLLOUT;
+                       else if (ret == -1)
+                               pfd[POLL_NETOUT].fd = -1;
+                       /* buffer empty - remove self from polling */
+                       if (stdinbufpos == 0)
+                               pfd[POLL_NETOUT].events = 0;
+                       /* buffer no longer full - poll stdin again */
+                       if (stdinbufpos < BUFSIZE)
+                               pfd[POLL_STDIN].events = POLLIN;
+               }
+               /* try to read from network */
+               if (pfd[POLL_NETIN].revents & POLLIN && netinbufpos < BUFSIZE) {
+                       ret = fillbuf(pfd[POLL_NETIN].fd, netinbuf,
+                           &netinbufpos, tls_ctx);
+                       if (ret == TLS_WANT_POLLIN)
+                               pfd[POLL_NETIN].events = POLLIN;
+                       else if (ret == TLS_WANT_POLLOUT)
+                               pfd[POLL_NETIN].events = POLLOUT;
+                       else if (ret == -1)
+                               pfd[POLL_NETIN].fd = -1;
+                       /* eof on net in - remove from pfd */
+                       if (ret == 0) {
+                               shutdown(pfd[POLL_NETIN].fd, SHUT_RD);
+                               pfd[POLL_NETIN].fd = -1;
+                       }
+                       /* read something - poll stdout */
+                       if (netinbufpos > 0)
+                               pfd[POLL_STDOUT].events = POLLOUT;
+                       /* filled buffer - remove self from polling */
+                       if (netinbufpos == BUFSIZE)
+                               pfd[POLL_NETIN].events = 0;
+                       /* handle telnet */
+                       if (tflag)
+                               atelnet(pfd[POLL_NETIN].fd, netinbuf,
+                                   netinbufpos);
+               }
+               /* try to write to stdout */
+               if (pfd[POLL_STDOUT].revents & POLLOUT && netinbufpos > 0) {
+                       ret = drainbuf(pfd[POLL_STDOUT].fd, netinbuf,
+                           &netinbufpos, NULL);
+                       if (ret == TLS_WANT_POLLIN)
+                               pfd[POLL_STDOUT].events = POLLIN;
+                       else if (ret == TLS_WANT_POLLOUT)
+                               pfd[POLL_STDOUT].events = POLLOUT;
+                       else if (ret == -1)
+                               pfd[POLL_STDOUT].fd = -1;
+                       /* buffer empty - remove self from polling */
+                       if (netinbufpos == 0)
+                               pfd[POLL_STDOUT].events = 0;
+                       /* buffer no longer full - poll net in again */
+                       if (netinbufpos < BUFSIZE)
+                               pfd[POLL_NETIN].events = POLLIN;
+               }
+
+               /* stdin gone and queue empty? */
+               if (pfd[POLL_STDIN].fd == -1 && stdinbufpos == 0) {
+                       if (pfd[POLL_NETOUT].fd != -1 && Nflag)
+                               shutdown(pfd[POLL_NETOUT].fd, SHUT_WR);
+                       pfd[POLL_NETOUT].fd = -1;
+               }
+               /* net in gone and queue empty? */
+               if (pfd[POLL_NETIN].fd == -1 && netinbufpos == 0) {
+                       pfd[POLL_STDOUT].fd = -1;
+               }
+       }
+}
+
+ssize_t
+drainbuf(int fd, unsigned char *buf, size_t *bufpos, struct tls *tls)
+{
+       ssize_t n;
+       ssize_t adjust;
+
+       if (tls)
+               n = tls_write(tls, buf, *bufpos);
+       else {
+               n = write(fd, buf, *bufpos);
+               /* don't treat EAGAIN, EINTR as error */
+               if (n == -1 && (errno == EAGAIN || errno == EINTR))
+                       n = TLS_WANT_POLLOUT;
+       }
+       if (n <= 0)
+               return n;
+       /* adjust buffer */
+       adjust = *bufpos - n;
+       if (adjust > 0)
+               memmove(buf, buf + n, adjust);
+       *bufpos -= n;
+       return n;
+}
+
+ssize_t
+fillbuf(int fd, unsigned char *buf, size_t *bufpos, struct tls *tls)
+{
+       size_t num = BUFSIZE - *bufpos;
+       ssize_t n;
+
+       if (tls)
+               n = tls_read(tls, buf + *bufpos, num);
+       else {
+               n = read(fd, buf + *bufpos, num);
+               /* don't treat EAGAIN, EINTR as error */
+               if (n == -1 && (errno == EAGAIN || errno == EINTR))
+                       n = TLS_WANT_POLLIN;
+       }
+       if (n <= 0)
+               return n;
+       *bufpos += n;
+       return n;
+}
+
+/*
+ * fdpass()
+ * Pass the connected file descriptor to stdout and exit.
+ */
+void
+fdpass(int nfd)
+{
+       struct msghdr mh;
+       union {
+               struct cmsghdr hdr;
+               char buf[CMSG_SPACE(sizeof(int))];
+       } cmsgbuf;
+       struct cmsghdr *cmsg;
+       struct iovec iov;
+       char c = '\0';
+       ssize_t r;
+       struct pollfd pfd;
+
+       /* Avoid obvious stupidity */
+       if (isatty(STDOUT_FILENO))
+               errx(1, "Cannot pass file descriptor to tty");
+
+       bzero(&mh, sizeof(mh));
+       bzero(&cmsgbuf, sizeof(cmsgbuf));
+       bzero(&iov, sizeof(iov));
+
+       mh.msg_control = (caddr_t)&cmsgbuf.buf;
+       mh.msg_controllen = sizeof(cmsgbuf.buf);
+       cmsg = CMSG_FIRSTHDR(&mh);
+       cmsg->cmsg_len = CMSG_LEN(sizeof(int));
+       cmsg->cmsg_level = SOL_SOCKET;
+       cmsg->cmsg_type = SCM_RIGHTS;
+       *(int *)CMSG_DATA(cmsg) = nfd;
+
+       iov.iov_base = &c;
+       iov.iov_len = 1;
+       mh.msg_iov = &iov;
+       mh.msg_iovlen = 1;
+
+       bzero(&pfd, sizeof(pfd));
+       pfd.fd = STDOUT_FILENO;
+       pfd.events = POLLOUT;
+       for (;;) {
+               r = sendmsg(STDOUT_FILENO, &mh, 0);
+               if (r == -1) {
+                       if (errno == EAGAIN || errno == EINTR) {
+                               if (poll(&pfd, 1, -1) == -1)
+                                       err(1, "poll");
+                               continue;
+                       }
+                       err(1, "sendmsg");
+               } else if (r != 1)
+                       errx(1, "sendmsg: unexpected return value %zd", r);
+               else
+                       break;
+       }
+       exit(0);
+}
+
+/* Deal with RFC 854 WILL/WONT DO/DONT negotiation. */
+void
+atelnet(int nfd, unsigned char *buf, unsigned int size)
+{
+       unsigned char *p, *end;
+       unsigned char obuf[4];
+
+       if (size < 3)
+               return;
+       end = buf + size - 2;
+
+       for (p = buf; p < end; p++) {
+               if (*p != IAC)
+                       continue;
+
+               obuf[0] = IAC;
+               p++;
+               if ((*p == WILL) || (*p == WONT))
+                       obuf[1] = DONT;
+               else if ((*p == DO) || (*p == DONT))
+                       obuf[1] = WONT;
+               else
+                       continue;
+
+               p++;
+               obuf[2] = *p;
+               if (atomicio(vwrite, nfd, obuf, 3) != 3)
+                       warn("Write Error!");
+       }
+}
+
+
+int
+strtoport(char *portstr, int udp)
+{
+       struct servent *entry;
+       const char *errstr;
+       char *proto;
+       int port = -1;
+
+       proto = udp ? "udp" : "tcp";
+
+       port = strtonum(portstr, 1, PORT_MAX, &errstr);
+       if (errstr == NULL)
+               return port;
+       if (errno != EINVAL)
+               errx(1, "port number %s: %s", errstr, portstr);
+       if ((entry = getservbyname(portstr, proto)) == NULL)
+               errx(1, "service \"%s\" unknown", portstr);
+       return ntohs(entry->s_port);
+}
+
+/*
+ * build_ports()
+ * Build an array of ports in portlist[], listing each port
+ * that we should try to connect to.
+ */
+void
+build_ports(char *p)
+{
+       char *n;
+       int hi, lo, cp;
+       int x = 0;
+
+       if ((n = strchr(p, '-')) != NULL) {
+               *n = '\0';
+               n++;
+
+               /* Make sure the ports are in order: lowest->highest. */
+               hi = strtoport(n, uflag);
+               lo = strtoport(p, uflag);
+               if (lo > hi) {
+                       cp = hi;
+                       hi = lo;
+                       lo = cp;
+               }
+
+               /*
+                * Initialize portlist with a random permutation.  Based on
+                * Knuth, as in ip_randomid() in sys/netinet/ip_id.c.
+                */
+               if (rflag) {
+                       for (x = 0; x <= hi - lo; x++) {
+                               cp = arc4random_uniform(x + 1);
+                               portlist[x] = portlist[cp];
+                               if (asprintf(&portlist[cp], "%d", x + lo) < 0)
+                                       err(1, "asprintf");
+                       }
+               } else { /* Load ports sequentially. */
+                       for (cp = lo; cp <= hi; cp++) {
+                               if (asprintf(&portlist[x], "%d", cp) < 0)
+                                       err(1, "asprintf");
+                               x++;
+                       }
+               }
+       } else {
+               char *tmp;
+
+               hi = strtoport(p, uflag);
+               if (asprintf(&tmp, "%d", hi) != -1)
+                       portlist[0] = tmp;
+               else
+                       err(1, NULL);
+       }
+}
+
+/*
+ * udptest()
+ * Do a few writes to see if the UDP port is there.
+ * Fails once PF state table is full.
+ */
+int
+udptest(int s)
+{
+       int i, ret;
+
+       for (i = 0; i <= 3; i++) {
+               if (write(s, "X", 1) == 1)
+                       ret = 1;
+               else
+                       ret = -1;
+       }
+       return (ret);
+}
+
+void
+set_common_sockopts(int s, int af)
+{
+       int x = 1;
+
+#ifdef TCP_MD5SIG
+       if (Sflag) {
+               if (setsockopt(s, IPPROTO_TCP, TCP_MD5SIG,
+                       &x, sizeof(x)) == -1)
+                       err(1, NULL);
+       }
+#endif
+       if (Dflag) {
+               if (setsockopt(s, SOL_SOCKET, SO_DEBUG,
+                       &x, sizeof(x)) == -1)
+                       err(1, NULL);
+       }
+       if (Tflag != -1) {
+               if (af == AF_INET && setsockopt(s, IPPROTO_IP,
+                   IP_TOS, &Tflag, sizeof(Tflag)) == -1)
+                       err(1, "set IP ToS");
+
+               else if (af == AF_INET6 && setsockopt(s, IPPROTO_IPV6,
+                   IPV6_TCLASS, &Tflag, sizeof(Tflag)) == -1)
+                       err(1, "set IPv6 traffic class");
+       }
+       if (Iflag) {
+               if (setsockopt(s, SOL_SOCKET, SO_RCVBUF,
+                   &Iflag, sizeof(Iflag)) == -1)
+                       err(1, "set TCP receive buffer size");
+       }
+       if (Oflag) {
+               if (setsockopt(s, SOL_SOCKET, SO_SNDBUF,
+                   &Oflag, sizeof(Oflag)) == -1)
+                       err(1, "set TCP send buffer size");
+       }
+
+       if (ttl != -1) {
+               if (af == AF_INET && setsockopt(s, IPPROTO_IP,
+                   IP_TTL, &ttl, sizeof(ttl)))
+                       err(1, "set IP TTL");
+
+               else if (af == AF_INET6 && setsockopt(s, IPPROTO_IPV6,
+                   IPV6_UNICAST_HOPS, &ttl, sizeof(ttl)))
+                       err(1, "set IPv6 unicast hops");
+       }
+
+       if (minttl != -1) {
+#ifdef IP_MINTTL
+               if (af == AF_INET && setsockopt(s, IPPROTO_IP,
+                   IP_MINTTL, &minttl, sizeof(minttl)))
+                       err(1, "set IP min TTL");
+#endif
+
+#ifdef IPV6_MINHOPCOUNT
+               if (af == AF_INET6 && setsockopt(s, IPPROTO_IPV6,
+                   IPV6_MINHOPCOUNT, &minttl, sizeof(minttl)))
+                       err(1, "set IPv6 min hop count");
+#endif
+       }
+}
+
+int
+map_tos(char *s, int *val)
+{
+       /* DiffServ Codepoints and other TOS mappings */
+       const struct toskeywords {
+               const char      *keyword;
+               int              val;
+       } *t, toskeywords[] = {
+               { "af11",               IPTOS_DSCP_AF11 },
+               { "af12",               IPTOS_DSCP_AF12 },
+               { "af13",               IPTOS_DSCP_AF13 },
+               { "af21",               IPTOS_DSCP_AF21 },
+               { "af22",               IPTOS_DSCP_AF22 },
+               { "af23",               IPTOS_DSCP_AF23 },
+               { "af31",               IPTOS_DSCP_AF31 },
+               { "af32",               IPTOS_DSCP_AF32 },
+               { "af33",               IPTOS_DSCP_AF33 },
+               { "af41",               IPTOS_DSCP_AF41 },
+               { "af42",               IPTOS_DSCP_AF42 },
+               { "af43",               IPTOS_DSCP_AF43 },
+               { "critical",           IPTOS_PREC_CRITIC_ECP },
+               { "cs0",                IPTOS_DSCP_CS0 },
+               { "cs1",                IPTOS_DSCP_CS1 },
+               { "cs2",                IPTOS_DSCP_CS2 },
+               { "cs3",                IPTOS_DSCP_CS3 },
+               { "cs4",                IPTOS_DSCP_CS4 },
+               { "cs5",                IPTOS_DSCP_CS5 },
+               { "cs6",                IPTOS_DSCP_CS6 },
+               { "cs7",                IPTOS_DSCP_CS7 },
+               { "ef",                 IPTOS_DSCP_EF },
+               { "inetcontrol",        IPTOS_PREC_INTERNETCONTROL },
+               { "lowdelay",           IPTOS_LOWDELAY },
+               { "netcontrol",         IPTOS_PREC_NETCONTROL },
+               { "reliability",        IPTOS_RELIABILITY },
+               { "throughput",         IPTOS_THROUGHPUT },
+               { NULL,                 -1 },
+       };
+
+       for (t = toskeywords; t->keyword != NULL; t++) {
+               if (strcmp(s, t->keyword) == 0) {
+                       *val = t->val;
+                       return (1);
+               }
+       }
+
+       return (0);
+}
+
+int
+map_tls(char *s, int *val)
+{
+       const struct tlskeywords {
+               const char      *keyword;
+               int              val;
+       } *t, tlskeywords[] = {
+               { "tlslegacy",          TLS_LEGACY },
+               { "noverify",           TLS_NOVERIFY },
+               { "noname",             TLS_NONAME },
+               { "clientcert",         TLS_CCERT},
+               { NULL,                 -1 },
+       };
+
+       for (t = tlskeywords; t->keyword != NULL; t++) {
+               if (strcmp(s, t->keyword) == 0) {
+                       *val |= t->val;
+                       return (1);
+               }
+       }
+       return (0);
+}
+
+void
+report_tls(struct tls * tls_ctx, char * host, char *tls_expectname)
+{
+       time_t t;
+       fprintf(stderr, "TLS handshake negotiated %s/%s with host %s\n",
+           tls_conn_version(tls_ctx), tls_conn_cipher(tls_ctx), host);
+       fprintf(stderr, "Peer name: %s\n",
+           tls_expectname ? tls_expectname : host);
+       if (tls_peer_cert_subject(tls_ctx))
+               fprintf(stderr, "Subject: %s\n",
+                   tls_peer_cert_subject(tls_ctx));
+       if (tls_peer_cert_issuer(tls_ctx))
+               fprintf(stderr, "Issuer: %s\n",
+                   tls_peer_cert_issuer(tls_ctx));
+       if ((t = tls_peer_cert_notbefore(tls_ctx)) != -1)
+               fprintf(stderr, "Valid From: %s", ctime(&t));
+       if ((t = tls_peer_cert_notafter(tls_ctx)) != -1)
+               fprintf(stderr, "Valid Until: %s", ctime(&t));
+       if (tls_peer_cert_hash(tls_ctx))
+               fprintf(stderr, "Cert Hash: %s\n",
+                   tls_peer_cert_hash(tls_ctx));
+}
+
+void
+report_connect(const struct sockaddr *sa, socklen_t salen, char *path)
+{
+       char remote_host[NI_MAXHOST];
+       char remote_port[NI_MAXSERV];
+       int herr;
+       int flags = NI_NUMERICSERV;
+
+       if (path != NULL) {
+               fprintf(stderr, "Connection on %s received!\n", path);
+               return;
+       }
+
+       if (nflag)
+               flags |= NI_NUMERICHOST;
+
+       if ((herr = getnameinfo(sa, salen,
+           remote_host, sizeof(remote_host),
+           remote_port, sizeof(remote_port),
+           flags)) != 0) {
+               if (herr == EAI_SYSTEM)
+                       err(1, "getnameinfo");
+               else
+                       errx(1, "getnameinfo: %s", gai_strerror(herr));
+       }
+
+       fprintf(stderr,
+           "Connection from %s %s "
+           "received!\n", remote_host, remote_port);
+}
+
+void
+help(void)
+{
+       usage(0);
+       fprintf(stderr, "\tCommand Summary:\n\
+       \t-4            Use IPv4\n\
+       \t-6            Use IPv6\n\
+       \t-C certfile   Public key file\n\
+       \t-c            Use TLS\n\
+       \t-D            Enable the debug socket option\n\
+       \t-d            Detach from stdin\n\
+       \t-e name\t     Required name in peer certificate\n\
+       \t-F            Pass socket fd\n\
+       \t-H hash\t     Hash string of peer certificate\n\
+       \t-h            This help text\n\
+       \t-I length     TCP receive buffer length\n\
+       \t-i interval   Delay interval for lines sent, ports scanned\n\
+       \t-K keyfile    Private key file\n\
+       \t-k            Keep inbound sockets open for multiple connects\n\
+       \t-l            Listen mode, for inbound connects\n\
+       \t-M ttl                Outgoing TTL / Hop Limit\n\
+       \t-m minttl     Minimum incoming TTL / Hop Limit\n\
+       \t-N            Shutdown the network socket after EOF on stdin\n\
+       \t-n            Suppress name/port resolutions\n\
+       \t-O length     TCP send buffer length\n\
+       \t-P proxyuser\tUsername for proxy authentication\n\
+       \t-p port\t     Specify local port for remote connects\n\
+       \t-R CAfile     CA bundle\n\
+       \t-r            Randomize remote ports\n"
+#ifdef TCP_MD5SIG
+        "\
+       \t-S            Enable the TCP MD5 signature option\n"
+#endif
+        "\
+       \t-s source     Local source address\n\
+       \t-T keyword    TOS value or TLS options\n\
+       \t-t            Answer TELNET negotiation\n\
+       \t-U            Use UNIX domain socket\n\
+       \t-u            UDP mode\n"
+#ifdef SO_RTABLE
+        "\
+       \t-V rtable     Specify alternate routing table\n"
+#endif
+        "\
+       \t-v            Verbose\n\
+       \t-w timeout    Timeout for connects and final net reads\n\
+       \t-X proto      Proxy protocol: \"4\", \"5\" (SOCKS) or \"connect\"\n\
+       \t-x addr[:port]\tSpecify proxy address and port\n\
+       \t-z            Zero-I/O mode [used for scanning]\n\
+       Port numbers can be individual or ranges: lo-hi [inclusive]\n");
+       exit(1);
+}
+
+void
+usage(int ret)
+{
+       fprintf(stderr,
+           "usage: nc [-46cDdFhklNnrStUuvz] [-C certfile] [-e name] "
+           "[-H hash] [-I length]\n"
+           "\t  [-i interval] [-K keyfile] [-M ttl] [-m minttl] [-O length]\n"
+           "\t  [-P proxy_username] [-p source_port] [-R CAfile] [-s source]\n"
+           "\t  [-T keyword] [-V rtable] [-w timeout] [-X proxy_protocol]\n"
+           "\t  [-x proxy_address[:port]] [destination] [port]\n");
+       if (ret)
+               exit(1);
+}
diff --git a/crypto/libressl/apps/nc/socks.c b/crypto/libressl/apps/nc/socks.c
new file mode 100644 (file)
index 0000000..8935e5b
--- /dev/null
@@ -0,0 +1,396 @@
+/*     $OpenBSD: socks.c,v 1.23 2015/12/10 18:31:52 mmcc Exp $ */
+
+/*
+ * Copyright (c) 1999 Niklas Hallqvist.  All rights reserved.
+ * Copyright (c) 2004, 2005 Damien Miller.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
+ * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
+ * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
+ * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
+ * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+ * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+ * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
+ * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+#include <sys/types.h>
+#include <sys/socket.h>
+#include <netinet/in.h>
+#include <arpa/inet.h>
+
+#include <err.h>
+#include <errno.h>
+#include <netdb.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <unistd.h>
+#include <resolv.h>
+#include <readpassphrase.h>
+#include "atomicio.h"
+
+#define SOCKS_PORT     "1080"
+#define HTTP_PROXY_PORT        "3128"
+#define HTTP_MAXHDRS   64
+#define SOCKS_V5       5
+#define SOCKS_V4       4
+#define SOCKS_NOAUTH   0
+#define SOCKS_NOMETHOD 0xff
+#define SOCKS_CONNECT  1
+#define SOCKS_IPV4     1
+#define SOCKS_DOMAIN   3
+#define SOCKS_IPV6     4
+
+int    remote_connect(const char *, const char *, struct addrinfo);
+int    socks_connect(const char *, const char *, struct addrinfo,
+           const char *, const char *, struct addrinfo, int,
+           const char *);
+
+static int
+decode_addrport(const char *h, const char *p, struct sockaddr *addr,
+    socklen_t addrlen, int v4only, int numeric)
+{
+       int r;
+       struct addrinfo hints, *res;
+
+       bzero(&hints, sizeof(hints));
+       hints.ai_family = v4only ? PF_INET : PF_UNSPEC;
+       hints.ai_flags = numeric ? AI_NUMERICHOST : 0;
+       hints.ai_socktype = SOCK_STREAM;
+       r = getaddrinfo(h, p, &hints, &res);
+       /* Don't fatal when attempting to convert a numeric address */
+       if (r != 0) {
+               if (!numeric) {
+                       errx(1, "getaddrinfo(\"%.64s\", \"%.64s\"): %s", h, p,
+                           gai_strerror(r));
+               }
+               return (-1);
+       }
+       if (addrlen < res->ai_addrlen) {
+               freeaddrinfo(res);
+               errx(1, "internal error: addrlen < res->ai_addrlen");
+       }
+       memcpy(addr, res->ai_addr, res->ai_addrlen);
+       freeaddrinfo(res);
+       return (0);
+}
+
+static int
+proxy_read_line(int fd, char *buf, size_t bufsz)
+{
+       size_t off;
+
+       for(off = 0;;) {
+               if (off >= bufsz)
+                       errx(1, "proxy read too long");
+               if (atomicio(read, fd, buf + off, 1) != 1)
+                       err(1, "proxy read");
+               /* Skip CR */
+               if (buf[off] == '\r')
+                       continue;
+               if (buf[off] == '\n') {
+                       buf[off] = '\0';
+                       break;
+               }
+               off++;
+       }
+       return (off);
+}
+
+static const char *
+getproxypass(const char *proxyuser, const char *proxyhost)
+{
+       char prompt[512];
+       static char pw[256];
+
+       snprintf(prompt, sizeof(prompt), "Proxy password for %s@%s: ",
+          proxyuser, proxyhost);
+       if (readpassphrase(prompt, pw, sizeof(pw), RPP_REQUIRE_TTY) == NULL)
+               errx(1, "Unable to read proxy passphrase");
+       return (pw);
+}
+
+/*
+ * Error strings adapted from the generally accepted SOCKSv4 spec:
+ *
+ * http://ftp.icm.edu.pl/packages/socks/socks4/SOCKS4.protocol
+ */
+static const char *
+socks4_strerror(int e)
+{
+       switch (e) {
+       case 90:
+               return "Succeeded";
+       case 91:
+               return "Request rejected or failed";
+       case 92:
+               return "SOCKS server cannot connect to identd on the client";
+       case 93:
+               return "Client program and identd report different user-ids";
+       default:
+               return "Unknown error";
+       }
+}
+
+/*
+ * Error strings taken almost directly from RFC 1928.
+ */
+static const char *
+socks5_strerror(int e)
+{
+       switch (e) {
+       case 0:
+               return "Succeeded";
+       case 1:
+               return "General SOCKS server failure";
+       case 2:
+               return "Connection not allowed by ruleset";
+       case 3:
+               return "Network unreachable";
+       case 4:
+               return "Host unreachable";
+       case 5:
+               return "Connection refused";
+       case 6:
+               return "TTL expired";
+       case 7:
+               return "Command not supported";
+       case 8:
+               return "Address type not supported";
+       default:
+               return "Unknown error";
+       }
+}
+
+int
+socks_connect(const char *host, const char *port,
+    struct addrinfo hints __attribute__ ((__unused__)),
+    const char *proxyhost, const char *proxyport, struct addrinfo proxyhints,
+    int socksv, const char *proxyuser)
+{
+       int proxyfd, r, authretry = 0;
+       size_t hlen, wlen;
+       unsigned char buf[1024];
+       size_t cnt;
+       struct sockaddr_storage addr;
+       struct sockaddr_in *in4 = (struct sockaddr_in *)&addr;
+       struct sockaddr_in6 *in6 = (struct sockaddr_in6 *)&addr;
+       in_port_t serverport;
+       const char *proxypass = NULL;
+
+       if (proxyport == NULL)
+               proxyport = (socksv == -1) ? HTTP_PROXY_PORT : SOCKS_PORT;
+
+       /* Abuse API to lookup port */
+       if (decode_addrport("0.0.0.0", port, (struct sockaddr *)&addr,
+           sizeof(addr), 1, 1) == -1)
+               errx(1, "unknown port \"%.64s\"", port);
+       serverport = in4->sin_port;
+
+ again:
+       if (authretry++ > 3)
+               errx(1, "Too many authentication failures");
+
+       proxyfd = remote_connect(proxyhost, proxyport, proxyhints);
+
+       if (proxyfd < 0)
+               return (-1);
+
+       if (socksv == 5) {
+               if (decode_addrport(host, port, (struct sockaddr *)&addr,
+                   sizeof(addr), 0, 1) == -1)
+                       addr.ss_family = 0; /* used in switch below */
+
+               /* Version 5, one method: no authentication */
+               buf[0] = SOCKS_V5;
+               buf[1] = 1;
+               buf[2] = SOCKS_NOAUTH;
+               cnt = atomicio(vwrite, proxyfd, buf, 3);
+               if (cnt != 3)
+                       err(1, "write failed (%zu/3)", cnt);
+
+               cnt = atomicio(read, proxyfd, buf, 2);
+               if (cnt != 2)
+                       err(1, "read failed (%zu/3)", cnt);
+
+               if (buf[1] == SOCKS_NOMETHOD)
+                       errx(1, "authentication method negotiation failed");
+
+               switch (addr.ss_family) {
+               case 0:
+                       /* Version 5, connect: domain name */
+
+                       /* Max domain name length is 255 bytes */
+                       hlen = strlen(host);
+                       if (hlen > 255)
+                               errx(1, "host name too long for SOCKS5");
+                       buf[0] = SOCKS_V5;
+                       buf[1] = SOCKS_CONNECT;
+                       buf[2] = 0;
+                       buf[3] = SOCKS_DOMAIN;
+                       buf[4] = hlen;
+                       memcpy(buf + 5, host, hlen);
+                       memcpy(buf + 5 + hlen, &serverport, sizeof serverport);
+                       wlen = 7 + hlen;
+                       break;
+               case AF_INET:
+                       /* Version 5, connect: IPv4 address */
+                       buf[0] = SOCKS_V5;
+                       buf[1] = SOCKS_CONNECT;
+                       buf[2] = 0;
+                       buf[3] = SOCKS_IPV4;
+                       memcpy(buf + 4, &in4->sin_addr, sizeof in4->sin_addr);
+                       memcpy(buf + 8, &in4->sin_port, sizeof in4->sin_port);
+                       wlen = 10;
+                       break;
+               case AF_INET6:
+                       /* Version 5, connect: IPv6 address */
+                       buf[0] = SOCKS_V5;
+                       buf[1] = SOCKS_CONNECT;
+                       buf[2] = 0;
+                       buf[3] = SOCKS_IPV6;
+                       memcpy(buf + 4, &in6->sin6_addr, sizeof in6->sin6_addr);
+                       memcpy(buf + 20, &in6->sin6_port,
+                           sizeof in6->sin6_port);
+                       wlen = 22;
+                       break;
+               default:
+                       errx(1, "internal error: silly AF");
+               }
+
+               cnt = atomicio(vwrite, proxyfd, buf, wlen);
+               if (cnt != wlen)
+                       err(1, "write failed (%zu/%zu)", cnt, wlen);
+
+               cnt = atomicio(read, proxyfd, buf, 4);
+               if (cnt != 4)
+                       err(1, "read failed (%zu/4)", cnt);
+               if (buf[1] != 0) {
+                       errx(1, "connection failed, SOCKSv5 error: %s",
+                           socks5_strerror(buf[1]));
+               }
+               switch (buf[3]) {
+               case SOCKS_IPV4:
+                       cnt = atomicio(read, proxyfd, buf + 4, 6);
+                       if (cnt != 6)
+                               err(1, "read failed (%zu/6)", cnt);
+                       break;
+               case SOCKS_IPV6:
+                       cnt = atomicio(read, proxyfd, buf + 4, 18);
+                       if (cnt != 18)
+                               err(1, "read failed (%zu/18)", cnt);
+                       break;
+               default:
+                       errx(1, "connection failed, unsupported address type");
+               }
+       } else if (socksv == 4) {
+               /* This will exit on lookup failure */
+               decode_addrport(host, port, (struct sockaddr *)&addr,
+                   sizeof(addr), 1, 0);
+
+               /* Version 4 */
+               buf[0] = SOCKS_V4;
+               buf[1] = SOCKS_CONNECT; /* connect */
+               memcpy(buf + 2, &in4->sin_port, sizeof in4->sin_port);
+               memcpy(buf + 4, &in4->sin_addr, sizeof in4->sin_addr);
+               buf[8] = 0;     /* empty username */
+               wlen = 9;
+
+               cnt = atomicio(vwrite, proxyfd, buf, wlen);
+               if (cnt != wlen)
+                       err(1, "write failed (%zu/%zu)", cnt, wlen);
+
+               cnt = atomicio(read, proxyfd, buf, 8);
+               if (cnt != 8)
+                       err(1, "read failed (%zu/8)", cnt);
+               if (buf[1] != 90) {
+                       errx(1, "connection failed, SOCKSv4 error: %s",
+                           socks4_strerror(buf[1]));
+               }
+       } else if (socksv == -1) {
+               /* HTTP proxy CONNECT */
+
+               /* Disallow bad chars in hostname */
+               if (strcspn(host, "\r\n\t []:") != strlen(host))
+                       errx(1, "Invalid hostname");
+
+               /* Try to be sane about numeric IPv6 addresses */
+               if (strchr(host, ':') != NULL) {
+                       r = snprintf(buf, sizeof(buf),
+                           "CONNECT [%s]:%d HTTP/1.0\r\n",
+                           host, ntohs(serverport));
+               } else {
+                       r = snprintf(buf, sizeof(buf),
+                           "CONNECT %s:%d HTTP/1.0\r\n",
+                           host, ntohs(serverport));
+               }
+               if (r == -1 || (size_t)r >= sizeof(buf))
+                       errx(1, "hostname too long");
+               r = strlen(buf);
+
+               cnt = atomicio(vwrite, proxyfd, buf, r);
+               if (cnt != r)
+                       err(1, "write failed (%zu/%d)", cnt, r);
+
+               if (authretry > 1) {
+                       char resp[1024];
+
+                       proxypass = getproxypass(proxyuser, proxyhost);
+                       r = snprintf(buf, sizeof(buf), "%s:%s",
+                           proxyuser, proxypass);
+                       if (r == -1 || (size_t)r >= sizeof(buf) ||
+                           b64_ntop(buf, strlen(buf), resp,
+                           sizeof(resp)) == -1)
+                               errx(1, "Proxy username/password too long");
+                       r = snprintf(buf, sizeof(buf), "Proxy-Authorization: "
+                           "Basic %s\r\n", resp);
+                       if (r == -1 || (size_t)r >= sizeof(buf))
+                               errx(1, "Proxy auth response too long");
+                       r = strlen(buf);
+                       if ((cnt = atomicio(vwrite, proxyfd, buf, r)) != r)
+                               err(1, "write failed (%zu/%d)", cnt, r);
+               }
+
+               /* Terminate headers */
+               if ((cnt = atomicio(vwrite, proxyfd, "\r\n", 2)) != 2)
+                       err(1, "write failed (%zu/2)", cnt);
+
+               /* Read status reply */
+               proxy_read_line(proxyfd, buf, sizeof(buf));
+               if (proxyuser != NULL &&
+                   strncmp(buf, "HTTP/1.0 407 ", 12) == 0) {
+                       if (authretry > 1) {
+                               fprintf(stderr, "Proxy authentication "
+                                   "failed\n");
+                       }
+                       close(proxyfd);
+                       goto again;
+               } else if (strncmp(buf, "HTTP/1.0 200 ", 12) != 0 &&
+                   strncmp(buf, "HTTP/1.1 200 ", 12) != 0)
+                       errx(1, "Proxy error: \"%s\"", buf);
+
+               /* Headers continue until we hit an empty line */
+               for (r = 0; r < HTTP_MAXHDRS; r++) {
+                       proxy_read_line(proxyfd, buf, sizeof(buf));
+                       if (*buf == '\0')
+                               break;
+               }
+             &