endif()

if(CMAKE_SYSTEM_NAME MATCHES "Linux")
	add_definitions(-D_DEFAULT_SOURCE)
	add_definitions(-D_BSD_SOURCE)
	add_definitions(-D_POSIX_SOURCE)
	add_definitions(-D_GNU_SOURCE)

endif()

if(CMAKE_SYSTEM_NAME MATCHES "MINGW")
	set(BUILD_NC false)
endif()

if(WIN32)
	set(BUILD_NC false)
endif()

if(CMAKE_SYSTEM_NAME MATCHES "HP-UX")
	if(CMAKE_C_COMPILER MATCHES "gcc")
		set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -Wall -std=gnu99 -fno-strict-aliasing")
		set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -mlp64")
	else()
		set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -g -O2 +DD64 +Otype_safety=off")
	endif()
	set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -D_XOPEN_SOURCE=600 -D__STRICT_ALIGNMENT")

endif()

if(CMAKE_SYSTEM_NAME MATCHES "SunOS")
	set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -Wall -std=gnu99 -fno-strict-aliasing")
	set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -D__EXTENSIONS__")
	set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -D_XOPEN_SOURCE=600")
	set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -DBSD_COMP")
	set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -fpic")

endif()

add_definitions(-DLIBRESSL_INTERNAL)
add_definitions(-DOPENSSL_NO_HW_PADLOCK)
add_definitions(-D__BEGIN_HIDDEN_DECLS=)
add_definitions(-D__END_HIDDEN_DECLS=)

set(CMAKE_POSITION_INDEPENDENT_CODE true)

if (CMAKE_COMPILER_IS_GNUCC OR CMAKE_C_COMPILER_ID MATCHES "Clang")
	add_definitions(-Wno-pointer-sign)
endif()

if(WIN32)
	add_definitions(-Drestrict)
	add_definitions(-D_CRT_SECURE_NO_WARNINGS)
	add_definitions(-D_CRT_DEPRECATED_NO_WARNINGS)
	add_definitions(-D_REENTRANT -D_POSIX_THREAD_SAFE_FUNCTIONS)
	add_definitions(-DWIN32_LEAN_AND_MEAN)
	add_definitions(-DCPPFLAGS -DOPENSSL_NO_SPEED -DNO_SYSLOG -DNO_CRYPT)

endif()

if(MSVC)
	add_definitions(-Dinline=__inline)
	message(STATUS "Using [${CMAKE_C_COMPILER_ID}] compiler")
	if(CMAKE_C_COMPILER_ID MATCHES "MSVC")
		set(MSVC_DISABLED_WARNINGS_LIST

			set(HOST_ASM_ELF_X86_64 true)
		endif()
	elseif(APPLE AND "${CMAKE_SYSTEM_PROCESSOR}" STREQUAL "x86_64")
		set(HOST_ASM_MACOSX_X86_64 true)
	endif()
endif()

set(OPENSSL_LIBS tls ssl crypto)

# Add additional required libs
if(WIN32)
	set(OPENSSL_LIBS ${OPENSSL_LIBS} ws2_32)
endif()
if(CMAKE_SYSTEM_NAME MATCHES "Linux")
	set(OPENSSL_LIBS ${OPENSSL_LIBS} pthread)
endif()
if(CMAKE_SYSTEM_NAME MATCHES "HP-UX")
	set(OPENSSL_LIBS ${OPENSSL_LIBS} pthread)
endif()
if(CMAKE_SYSTEM_NAME MATCHES "SunOS")
	set(OPENSSL_LIBS ${OPENSSL_LIBS} nsl socket)
endif()

if(CMAKE_SYSTEM_NAME MATCHES "Linux")
	# Check if we need -lrt to get clock_gettime on Linux
	check_library_exists(rt clock_gettime "time.h" HAVE_CLOCK_GETTIME)
	if (HAVE_CLOCK_GETTIME)
		set(OPENSSL_LIBS ${OPENSSL_LIBS} rt)
	endif()
else()
	# Otherwise, simply check if it exists
	check_function_exists(clock_gettime HAVE_CLOCK_GETTIME)
endif()
if(HAVE_CLOCK_GETTIME)
	add_definitions(-DHAVE_CLOCK_GETTIME)
endif()

check_type_size(time_t SIZEOF_TIME_T)
if(SIZEOF_TIME_T STREQUAL "4")
	set(SMALL_TIME_T true)
	add_definitions(-DSMALL_TIME_T)
	message(WARNING " ** Warning, this system is unable to represent times past 2038\n"
	                " ** It will behave incorrectly when handling valid RFC5280 dates")
endif()
add_definitions(-DSIZEOF_TIME_T=${SIZEOF_TIME_T})



add_subdirectory(crypto)
add_subdirectory(ssl)
if(LIBRESSL_APPS)
	add_subdirectory(apps)
endif()
add_subdirectory(tls)

if(NOT MSVC)
	# Create pkgconfig files.
	set(prefix      ${CMAKE_INSTALL_PREFIX})
	set(exec_prefix \${prefix})
	set(libdir      \${exec_prefix}/${CMAKE_INSTALL_LIBDIR})
	set(includedir  \${prefix}/include)

	file(STRINGS    "VERSION" VERSION LIMIT_COUNT 1)
	file(GLOB       OPENSSL_PKGCONFIGS "*.pc.in")
	foreach(file ${OPENSSL_PKGCONFIGS})
		get_filename_component(filename ${file} NAME)
		string(REPLACE ".in" "" new_file "${filename}")
		configure_file(${filename} pkgconfig/${new_file} @ONLY)
	endforeach()

The portable bits of the project are largely maintained out-of-tree, and their
history is also available from Git.

	https://github.com/libressl-portable/portable

LibreSSL Portable Release Notes:































































































































2.7.4 - Security fixes

	* Avoid a timing side-channel leak when generating DSA and ECDSA
	  signatures. This is caused by an attempt to do fast modular
	  arithmetic, which introduces branches that leak information
	  regarding secret values. Issue identified and reported by Keegan
	  Ryan of NCC Group.

	* Added Application-Layer Protocol Negotiation (ALPN) support.

	* Removed GOST R 34.10-94 signature authentication.

	* Removed nonfunctional Netscape browser-hang workaround code.

	* Simplfied and refactored SSL/DTLS handshake code.

	* Added SHA256 Camellia cipher suites for TLS 1.2 from RFC 5932.

	* Hide timing info about padding errors during handshakes.

	* Improved libtls support for non-blocking sockets, added randomized
	  session ID contexts. Work is ongoing with this library - feedback

2.7.4

if(BUILD_NC)

include_directories(
	.
	./compat
	../../include
	../../include/compat
)

set(
	NC_SRC
	atomicio.c
	netcat.c
	socks.c
	compat/socket.c
)

if(NOT "${OPENSSLDIR}" STREQUAL "")
	add_definitions(-DDEFAULT_CA_FILE=\"${OPENSSLDIR}/cert.pem\")
else()
	add_definitions(-DDEFAULT_CA_FILE=\"${CMAKE_INSTALL_PREFIX}/etc/ssl/cert.pem\")
endif()

add_executable(nc ${NC_SRC})

target_link_libraries(nc tls ${OPENSSL_LIBS})

if(ENABLE_NC)
	if(ENABLE_LIBRESSL_INSTALL)
		install(TARGETS nc DESTINATION ${CMAKE_INSTALL_BINDIR})
		install(FILES nc.1 DESTINATION ${CMAKE_INSTALL_MANDIR}/man1)
	endif(ENABLE_LIBRESSL_INSTALL)
endif()

endif()

.\"     $OpenBSD: nc.1,v 1.88 2017/11/28 16:59:10 jsing Exp $
.\"
.\" Copyright (c) 1996 David Sacerdote
.\" All rights reserved.
.\"
.\" Redistribution and use in source and binary forms, with or without
.\" modification, are permitted provided that the following conditions
.\" are met:

.\" INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
.\" DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
.\" THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
.\"
.Dd $Mdocdate: November 28 2017 $
.Dt NC 1
.Os
.Sh NAME
.Nm nc
.Nd arbitrary TCP and UDP connections and listens
.Sh SYNOPSIS
.Nm nc

.It
and much, much more
.El
.Pp
The options are as follows:
.Bl -tag -width Ds
.It Fl 4
Forces
.Nm
to use IPv4 addresses only.
.It Fl 6
Forces
.Nm
to use IPv6 addresses only.
.It Fl C Ar certfile
Specifies the filename from which the public key part of the TLS

certificate is loaded, in PEM format.
May only be used with TLS.


.It Fl c
If using a TCP socket to connect or listen, use TLS.

Illegal if not using TCP sockets.
.It Fl D
Enable debugging on the socket.
.It Fl d
Do not attempt to read from stdin.
.It Fl e Ar name
Specify the name that must be present in the peer certificate when using TLS.



Illegal if not using TLS.


.It Fl F
Pass the first connected socket using
.Xr sendmsg 2
to stdout and exit.
This is useful in conjunction with
.Fl X
to have
.Nm
perform connection setup with a proxy but then leave the rest of the
connection to another program (e.g.\&
.Xr ssh 1
using the
.Xr ssh_config 5
.Cm ProxyUseFdpass
option).




.It Fl H Ar hash
Specifies the required hash string of the peer certificate when using TLS.
The string format required is that used by
.Xr tls_peer_cert_hash 3 .




Illegal if not using TLS, and may not be used with -T noverify.

.It Fl h
Prints out
.Nm
help.
.It Fl I Ar length
Specifies the size of the TCP receive buffer.
.It Fl i Ar interval


Specifies a delay time interval between lines of text sent and received.
Also causes a delay time between connections to multiple ports.
.It Fl K Ar keyfile
Specifies the filename from which the private key

is loaded in PEM format.
May only be used with TLS.


.It Fl k
Forces
.Nm
to stay listening for another connection after its current connection
is completed.
It is an error to use this option without the

.Fl l
option.
When used together with the
.Fl u
option, the server socket is not connected and it can receive UDP datagrams from
multiple hosts.
.It Fl l
Used to specify that
.Nm
should listen for an incoming connection rather than initiate a
connection to a remote host.
It is an error to use this option in conjunction with the
.Fl p ,
.Fl s ,
or
.Fl z
options.
Additionally, any timeouts specified with the
.Fl w
option are ignored.
.It Fl M Ar ttl
Set the TTL / hop limit of outgoing packets.
.It Fl m Ar minttl
Ask the kernel to drop incoming packets whose TTL / hop limit is under
.Ar minttl .
.It Fl N
.Xr shutdown 2
the network socket after EOF on the input.
Some servers require this to finish their work.
.It Fl n
Do not do any DNS or service lookups on any specified addresses,
hostnames or ports.
.It Fl O Ar length
Specifies the size of the TCP send buffer.
.It Fl o Ar staplefile
Specifies the filename from which to load data to be stapled
during the TLS handshake.

The file is expected to contain an OCSP response from an OCSP server in
DER format.
May only be used with TLS and when a certificate is being used.



.It Fl P Ar proxy_username
Specifies a username to present to a proxy server that requires authentication.
If no username is specified then authentication will not be attempted.
Proxy authentication is only supported for HTTP CONNECT proxies at present.
.It Fl p Ar source_port
Specifies the source port
.Nm
should use, subject to privilege restrictions and availability.
It is an error to use this option in conjunction with the
.Fl l
option.
.It Fl R Ar CAfile
Specifies the filename from which the root CA bundle for certificate

verification is loaded, in PEM format.
Illegal if not using TLS.
The default is
.Pa /etc/ssl/cert.pem .


.It Fl r
Specifies that source and/or destination ports should be chosen randomly
instead of sequentially within a range or in the order that the system
assigns them.
.It Fl S
Enables the RFC 2385 TCP MD5 signature option.
.It Fl s Ar source
Specifies the IP of the interface which is used to send the packets.


For
.Ux Ns -domain
datagram sockets, specifies the local temporary socket file
to create and use so that datagrams can be received.
It is an error to use this option in conjunction with the
.Fl l
option.

.It Fl T Ar keyword
Change IPv4 TOS value or TLS options.

For TLS options
.Ar keyword
may be one of:
.Ar noverify ,
which disables certificate verification;
.Ar noname ,
which disables certificate name checking;
.Ar clientcert ,
which requires a client certificate on incoming connections; or
.Ar muststaple ,
which requires the peer to provide a valid stapled OCSP response
with the handshake.
The following TLS options specify a value in the form of a key=value pair:


.Ar ciphers ,
which allows the supported TLS ciphers to be specified (see
.Xr tls_config_set_ciphers 3
for further details);
.Ar protocols ,
which allows the supported TLS protocols to be specified (see
.Xr tls_config_parse_protocols 3
for further details).
It is illegal to specify TLS options if not using TLS.

.Pp
For IPv4 TOS value
.Ar keyword
may be one of
.Ar critical ,
.Ar inetcontrol ,
.Ar lowdelay ,
.Ar netcontrol ,
.Ar throughput ,
.Ar reliability ,
or one of the DiffServ Code Points:
.Ar ef ,
.Ar af11 ... af43 ,
.Ar cs0 ... cs7 ;
or a number in either hex or decimal.
.It Fl t
Causes
.Nm
to send RFC 854 DON'T and WON'T responses to RFC 854 DO and WILL requests.
This makes it possible to use
.Nm
to script telnet sessions.
.It Fl U
Specifies to use
.Ux Ns -domain
sockets.


.It Fl u
Use UDP instead of the default option of TCP.




For
.Ux Ns -domain
sockets, use a datagram socket instead of a stream socket.
If a
.Ux Ns -domain
socket is used, a temporary receiving socket is created in
.Pa /tmp
unless the
.Fl s
flag is given.
.It Fl V Ar rtable
Set the routing table to be used.
.It Fl v
Have
.Nm
give more verbose output.
.It Fl W Ar recvlimit
Terminate after receiving
.Ar recvlimit
packets from the network.
.It Fl w Ar timeout
Connections which cannot be established or are idle timeout after
.Ar timeout
seconds.
The
.Fl w
flag has no effect on the
.Fl l
option, i.e.\&
.Nm
will listen forever for a connection, with or without the
.Fl w
flag.
The default is no timeout.
.It Fl X Ar proxy_protocol
Requests that
.Nm
should use the specified protocol when talking to the proxy server.
Supported protocols are
.Dq 4
(SOCKS v.4),
.Dq 5
(SOCKS v.5)
and
.Dq connect
(HTTPS proxy).
If the protocol is not specified, SOCKS version 5 is used.
.It Fl x Ar proxy_address Ns Op : Ns Ar port
Requests that
.Nm
should connect to
.Ar destination
using a proxy at
.Ar proxy_address
and
.Ar port .
If
.Ar port
is not specified, the well-known port for the proxy protocol is used (1080
for SOCKS, 3128 for HTTPS).
An IPv6 address can be specified unambiguously by enclosing
.Ar proxy_address
in square brackets.


.It Fl Z Ar peercertfile
Specifies the filename in which the peer supplied certificates will be saved

in PEM format.
May only be used with TLS.


.It Fl z
Specifies that
.Nm
should just scan for listening daemons, without sending any data to them.
It is an error to use this option in conjunction with the

.Fl l
option.
.El
.Pp
.Ar destination
can be a numerical IP address or a symbolic hostname
(unless the
.Fl n
option is given).

sockets, a destination is required and is the socket path to connect to
(or listen on if the
.Fl l
option is given).
.Pp
.Ar port
can be a specified as a numeric port number, or as a service name.
Ports may be specified in a range of the form nn-mm.

In general,
a destination port must be specified,
unless the
.Fl U
option is given.
.Sh CLIENT/SERVER MODEL
It is quite simple to build a very basic client/server model using

if the proxy requires it:
.Pp
.Dl $ nc -x10.2.3.4:8080 -Xconnect -Pruser host.example.com 42
.Sh SEE ALSO
.Xr cat 1 ,
.Xr ssh 1
.Sh AUTHORS
Original implementation by *Hobbit*
.Aq Mt hobbit@avian.org .
.br
Rewritten with IPv6 support by
.An Eric Jackson Aq Mt ericj@monkey.org .
.Sh CAVEATS
UDP port scans using the
.Fl uz
combination of flags will always report success irrespective of

/* $OpenBSD: netcat.c,v 1.190 2018/03/19 16:35:29 jsing Exp $ */
/*
 * Copyright (c) 2001 Eric Jackson <ericj@monkey.org>
 * Copyright (c) 2015 Bob Beck.  All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
 * are met:

int ttl = -1;
int minttl = -1;

void	atelnet(int, unsigned char *, unsigned int);
int	strtoport(char *portstr, int udp);
void	build_ports(char *);
void	help(void) __attribute__((noreturn));
int	local_listen(char *, char *, struct addrinfo);
void	readwrite(int, struct tls *);
void	fdpass(int nfd) __attribute__((noreturn));
int	remote_connect(const char *, const char *, struct addrinfo);
int	timeout_tls(int, struct tls *, int (*)(struct tls *));
int	timeout_connect(int, const struct sockaddr *, socklen_t);
int	socks_connect(const char *, const char *, struct addrinfo,
	    const char *, const char *, struct addrinfo, int, const char *);

#ifdef SO_RTABLE
	if (rtableid >= 0)
		if (setrtable(rtableid) == -1)
			err(1, "setrtable");
#endif

	if (family == AF_UNIX) {
		if (pledge("stdio rpath wpath cpath tmppath unix", NULL) == -1)
			err(1, "pledge");
	} else if (Fflag && Pflag) {
		if (pledge("stdio inet dns sendfd tty", NULL) == -1)
			err(1, "pledge");
	} else if (Fflag) { 
		if (pledge("stdio inet dns sendfd", NULL) == -1)
			err(1, "pledge");
	} else if (Pflag && usetls) {
		if (pledge("stdio rpath inet dns tty", NULL) == -1)
			err(1, "pledge");
	} else if (Pflag) {
		if (pledge("stdio inet dns tty", NULL) == -1)
			err(1, "pledge");
	} else if (usetls) {
		if (pledge("stdio rpath inet dns", NULL) == -1)
			err(1, "pledge");
	} else if (pledge("stdio inet dns", NULL) == -1)
		err(1, "pledge");

	/* Cruft to make sure options are clean, and used properly. */
	if (argv[0] && !argv[1] && family == AF_UNIX) {
		host = argv[0];
		uport = NULL;
	} else if (argv[0] && !argv[1]) {
		if (!lflag)
			usage(1);
		uport = argv[0];
		host = NULL;
	} else if (argv[0] && argv[1]) {
		host = argv[0];
		uport = argv[1];
	} else
		usage(1);













































	if (lflag && sflag)
		errx(1, "cannot use -s and -l");
	if (lflag && pflag)
		errx(1, "cannot use -p and -l");
	if (lflag && zflag)
		errx(1, "cannot use -z and -l");
	if (!lflag && kflag)

		if (Pflag) {
			if (pledge("stdio inet dns tty", NULL) == -1)
				err(1, "pledge");
		} else if (pledge("stdio inet dns", NULL) == -1)
			err(1, "pledge");
	}
	if (lflag) {
		struct tls *tls_cctx = NULL;
		int connfd;
		ret = 0;

		if (family == AF_UNIX) {
			if (uflag)
				s = unix_bind(host, 0);
			else
				s = unix_listen(host);
		}

		if (usetls) {
			tls_config_verify_client_optional(tls_cfg);
			if ((tls_ctx = tls_server()) == NULL)
				errx(1, "tls server creation failed");
			if (tls_configure(tls_ctx, tls_cfg) == -1)
				errx(1, "tls configuration failed (%s)",
				    tls_error(tls_ctx));
		}
		/* Allow only one connection at a time, but stay alive. */
		for (;;) {
			if (family != AF_UNIX)


				s = local_listen(host, uport, hints);

			if (s < 0)
				err(1, NULL);
			if (uflag && kflag) {
				/*
				 * For UDP and -k, don't connect the socket,
				 * let it receive datagrams from multiple
				 * socket pairs.

					err(1, "connect");

				if (vflag)
					report_connect((struct sockaddr *)&z, len, NULL);

				readwrite(s, NULL);
			} else {



				len = sizeof(cliaddr);
				connfd = accept4(s, (struct sockaddr *)&cliaddr,
				    &len, SOCK_NONBLOCK);
				if (connfd == -1) {
					/* For now, all errnos are fatal */
					err(1, "accept");
				}
				if (vflag)
					report_connect((struct sockaddr *)&cliaddr, len,
					    family == AF_UNIX ? host : NULL);
				if ((usetls) &&
				    (tls_cctx = tls_setup_server(tls_ctx, connfd, host)))
					readwrite(connfd, tls_cctx);
				if (!usetls)
					readwrite(connfd, NULL);
				if (tls_cctx) {
					timeout_tls(s, tls_cctx, tls_close);

					tls_free(tls_cctx);
					tls_cctx = NULL;
				}
				close(connfd);
			}
			if (family != AF_UNIX)
				close(s);
			else if (uflag) {
				if (connect(s, NULL, 0) < 0)
					err(1, "connect");
			}

			if (!kflag)
				break;
		}

		/* Construct the portlist[] array. */
		build_ports(uport);

		/* Cycle through portlist, connecting to each port. */
		for (s = -1, i = 0; portlist[i] != NULL; i++) {
			if (s != -1)
				close(s);



			if (usetls) {
				if ((tls_ctx = tls_client()) == NULL)
					errx(1, "tls client creation failed");
				if (tls_configure(tls_ctx, tls_cfg) == -1)
					errx(1, "tls configuration failed (%s)",
					    tls_error(tls_ctx));

			if (Fflag)
				fdpass(s);
			else {
				if (usetls)
					tls_setup_client(tls_ctx, s, host);
				if (!zflag)
					readwrite(s, tls_ctx);
				if (tls_ctx) {
					timeout_tls(s, tls_ctx, tls_close);
					tls_free(tls_ctx);
					tls_ctx = NULL;
				}
			}
		}
	}

	if (s != -1)
		close(s);

	tls_config_free(tls_cfg);

	return ret;
}

/*
 * unix_bind()

/*
 * local_listen()
 * Returns a socket listening on a local port, binds to specified source
 * address. Returns -1 on failure.
 */
int
local_listen(char *host, char *port, struct addrinfo hints)
{
	struct addrinfo *res, *res0;
	int s = -1, save_errno;
#ifdef SO_REUSEPORT
	int ret, x = 1;
#endif
	int error;

/*	$OpenBSD: socks.c,v 1.24 2016/06/27 14:43:04 deraadt Exp $	*/

/*
 * Copyright (c) 1999 Niklas Hallqvist.  All rights reserved.
 * Copyright (c) 2004, 2005 Damien Miller.  All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions

			break;
		}
		off++;
	}
	return (off);
}

static const char *
getproxypass(const char *proxyuser, const char *proxyhost)

{
	char prompt[512];
	static char pw[256];

	snprintf(prompt, sizeof(prompt), "Proxy password for %s@%s: ",
	   proxyuser, proxyhost);
	if (readpassphrase(prompt, pw, sizeof(pw), RPP_REQUIRE_TTY) == NULL)
		errx(1, "Unable to read proxy passphrase");
	return (pw);
}

/*
 * Error strings adapted from the generally accepted SOCKSv4 spec:
 *
 * http://ftp.icm.edu.pl/packages/socks/socks4/SOCKS4.protocol
 */

	size_t hlen, wlen;
	unsigned char buf[1024];
	size_t cnt;
	struct sockaddr_storage addr;
	struct sockaddr_in *in4 = (struct sockaddr_in *)&addr;
	struct sockaddr_in6 *in6 = (struct sockaddr_in6 *)&addr;
	in_port_t serverport;
	const char *proxypass = NULL;

	if (proxyport == NULL)
		proxyport = (socksv == -1) ? HTTP_PROXY_PORT : SOCKS_PORT;

	/* Abuse API to lookup port */
	if (decode_addrport("0.0.0.0", port, (struct sockaddr *)&addr,
	    sizeof(addr), 1, 1) == -1)

		r = strlen(buf);

		cnt = atomicio(vwrite, proxyfd, buf, r);
		if (cnt != r)
			err(1, "write failed (%zu/%d)", cnt, r);

		if (authretry > 1) {

			char resp[1024];

			proxypass = getproxypass(proxyuser, proxyhost);

			r = snprintf(buf, sizeof(buf), "%s:%s",
			    proxyuser, proxypass);

			if (r == -1 || (size_t)r >= sizeof(buf) ||
			    b64_ntop(buf, strlen(buf), resp,
			    sizeof(resp)) == -1)
				errx(1, "Proxy username/password too long");
			r = snprintf(buf, sizeof(buf), "Proxy-Authorization: "
			    "Basic %s\r\n", resp);
			if (r == -1 || (size_t)r >= sizeof(buf))
				errx(1, "Proxy auth response too long");
			r = strlen(buf);
			if ((cnt = atomicio(vwrite, proxyfd, buf, r)) != r)
				err(1, "write failed (%zu/%d)", cnt, r);


		}

		/* Terminate headers */
		if ((cnt = atomicio(vwrite, proxyfd, "\r\n", 2)) != 2)
			err(1, "write failed (%zu/2)", cnt);

		/* Read status reply */

if(NOT MSVC)

include_directories(
	.
	./compat
	../../include
	../../include/compat
)

set(
	OCSPCHECK_SRC
	http.c
	ocspcheck.c
)

check_function_exists(memmem HAVE_MEMMEM)
if(HAVE_MEMMEM)
        add_definitions(-DHAVE_MEMMEM)
else()
        set(OCSPCHECK_SRC ${OCSPCHECK_SRC} compat/memmem.c)
endif()

if(NOT "${OPENSSLDIR}" STREQUAL "")
	add_definitions(-DDEFAULT_CA_FILE=\"${OPENSSLDIR}/cert.pem\")
else()
	add_definitions(-DDEFAULT_CA_FILE=\"${CMAKE_INSTALL_PREFIX}/etc/ssl/cert.pem\")
endif()

add_executable(ocspcheck ${OCSPCHECK_SRC})

target_link_libraries(ocspcheck tls ${OPENSSL_LIBS})

if(ENABLE_LIBRESSL_INSTALL)
	install(TARGETS ocspcheck DESTINATION ${CMAKE_INSTALL_BINDIR})
	install(FILES ocspcheck.8 DESTINATION ${CMAKE_INSTALL_MANDIR}/man8)

endif(ENABLE_LIBRESSL_INSTALL)

endif()

include_directories(
	.
	../../include
	../../include/compat
)

set(
	OPENSSL_SRC
	apps.c
	asn1pars.c
	ca.c
	ciphers.c
	crl.c

if(HAVE_STRTONUM)
	add_definitions(-DHAVE_STRTONUM)
else()
	set(OPENSSL_SRC ${OPENSSL_SRC} compat/strtonum.c)
endif()

add_executable(openssl ${OPENSSL_SRC})

target_link_libraries(openssl ${OPENSSL_LIBS})

if(ENABLE_LIBRESSL_INSTALL)
	install(TARGETS openssl DESTINATION ${CMAKE_INSTALL_BINDIR})
	install(FILES openssl.1 DESTINATION ${CMAKE_INSTALL_MANDIR}/man1)
endif(ENABLE_LIBRESSL_INSTALL)

/* $OpenBSD: apps.c,v 1.47 2018/02/07 08:57:25 jsing Exp $ */
/*
 * Copyright (c) 2014 Joel Sing <jsing@openbsd.org>
 *
 * Permission to use, copy, modify, and distribute this software for any
 * purpose with or without fee is hereby granted, provided that the above
 * copyright notice and this permission notice appear in all copies.
 *

	BIO_printf(out, "Require explicit Policy: %s\n",
	    explicit_policy ? "True" : "False");

	nodes_print(out, "Authority", X509_policy_tree_get0_policies(tree));
	nodes_print(out, "User", X509_policy_tree_get0_user_policies(tree));


	BIO_free(out);
}

/*
 * next_protos_parse parses a comma separated list of strings into a string
 * in a format suitable for passing to SSL_CTX_set_next_protos_advertised.
 *   outlen: (output) set to the length of the resulting buffer on success.
 *   err: (maybe NULL) on failure, an error message line is written to this BIO.

/* $OpenBSD: apps.h,v 1.20 2017/12/05 15:02:06 jca Exp $ */
/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
 * This package is an SSL implementation written
 * by Eric Young (eay@cryptsoft.com).
 * The implementation was written so as to conform with Netscapes SSL.
 *

#define APP_PASS_LEN	1024

#define SERIAL_RAND_BITS	64

int app_isdir(const char *);

#define TM_START	0
#define TM_STOP		1
double app_timer_real(int stop);
double app_timer_user(int stop);

#define OPENSSL_NO_SSL_INTERN

struct option {
	const char *name;
	const char *argname;
	const char *desc;

#include <sys/time.h>

#include <time.h>

#include "apps.h"

double
app_timer_real(int stop)
{
	static struct timespec start;
	struct timespec elapsed, now;

	clock_gettime(CLOCK_MONOTONIC, &now);
	if (stop) {
		timespecsub(&now, &start, &elapsed);
		return elapsed.tv_sec + elapsed.tv_nsec / 1000000000.0;
	}
	start = now;
	return 0.0;
}

double
app_timer_user(int stop)
{
	static struct timeval start;
	struct timeval elapsed;
	struct rusage now;

	getrusage(RUSAGE_SELF, &now);
	if (stop) {
		timersub(&now.ru_utime, &start, &elapsed);
		return elapsed.tv_sec + elapsed.tv_usec / 1000000.0;
	}
	start = now.ru_utime;
	return 0.0;
}

/*
 * Public domain
 *
 * Dongsheng Song <dongsheng.song@gmail.com>
 * Brent Cook <bcook@openbsd.org>
 */

#include <windows.h>

#include <io.h>
#include <fcntl.h>

#include "apps.h"















double
app_timer_user(int stop)
{
	static unsigned __int64 tmstart;
	union {
		unsigned __int64 u64;

# $OpenBSD: cert.pem,v 1.16 2018/03/21 15:26:09 sthen Exp $
### /C=ES/CN=Autoridad de Certificacion Firmaprofesional CIF A62634068

=== /C=ES/CN=Autoridad de Certificacion Firmaprofesional CIF A62634068
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 6047274297262753887 (0x53ec3beefbb2485f)

A/d2O2GCahKqGFPrAyGUv/7OyjANBgkqhkiG9w0BAQsFAAOCAQEAVj3vlNW92nOy
WL6ukK2YJ5f+AbGwUgC4TeQbIXQbfsDuXmkqJa9c1h3a0nnJ85cp4IaH3gRZD/FZ
1GSFS5mvJQQeyUapl96Cshtwn5z2r3Ex3XsFpSzTucpH9sry9uetuUg/vBa3wW30
6gmv7PO15wWeph6KU1HWk4HMdJP2udqmJQV0eVp+QD6CSyYRMG7hP0HHRwA11fXT
91Q+gT3aSWqas+8QPebrb9HIIkfLzM8BMZLZGOMivgkeGj5asuRrDFR6fUNOuIml
e9eiPZaGzPImNC1qkp2aGtAw4l1OBLBfiyB+d8E9lYLRRpo7PHi4b6HQDWSieB4p
TpPDpFQUWw==
-----END CERTIFICATE-----

### T\DCRKTRUST Bilgi \U0130leti\U015Fim ve Bili\U015Fim G\FCvenli\U011Fi Hizmetleri A.\U015E.

=== /C=TR/L=Ankara/O=T\xC3\x9CRKTRUST Bilgi \xC4\xB0leti\xC5\x9Fim ve Bili\xC5\x9Fim G\xC3\xBCvenli\xC4\x9Fi Hizmetleri A.\xC5\x9E./CN=T\xC3\x9CRKTRUST Elektronik Sertifika Hizmet Sa\xC4\x9Flay\xC4\xB1c\xC4\xB1s\xC4\xB1 H5
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 156233699172481 (0x8e17fe242081)
    Signature Algorithm: sha256WithRSAEncryption
        Validity
            Not Before: Apr 30 08:07:01 2013 GMT
            Not After : Apr 28 08:07:01 2023 GMT
        Subject: C=TR, L=Ankara, O=T\xC3\x9CRKTRUST Bilgi \xC4\xB0leti\xC5\x9Fim ve Bili\xC5\x9Fim G\xC3\xBCvenli\xC4\x9Fi Hizmetleri A.\xC5\x9E., CN=T\xC3\x9CRKTRUST Elektronik Sertifika Hizmet Sa\xC4\x9Flay\xC4\xB1c\xC4\xB1s\xC4\xB1 H5
        X509v3 extensions:
            X509v3 Subject Key Identifier: 
                56:99:07:1E:D3:AC:0C:69:64:B4:0C:50:47:DE:43:2C:BE:20:C0:FB
            X509v3 Key Usage: critical
                Certificate Sign, CRL Sign
            X509v3 Basic Constraints: critical
                CA:TRUE
SHA1 Fingerprint=C4:18:F6:4D:46:D1:DF:00:3D:27:30:13:72:43:A9:12:11:C6:75:FB
SHA256 Fingerprint=49:35:1B:90:34:44:C1:85:CC:DC:5C:69:3D:24:D8:55:5C:B2:08:D6:A8:14:13:07:69:9F:4A:F0:63:19:9D:78
-----BEGIN CERTIFICATE-----
MIIEJzCCAw+gAwIBAgIHAI4X/iQggTANBgkqhkiG9w0BAQsFADCBsTELMAkGA1UE
BhMCVFIxDzANBgNVBAcMBkFua2FyYTFNMEsGA1UECgxEVMOcUktUUlVTVCBCaWxn
aSDEsGxldGnFn2ltIHZlIEJpbGnFn2ltIEfDvHZlbmxpxJ9pIEhpem1ldGxlcmkg
QS7Fni4xQjBABgNVBAMMOVTDnFJLVFJVU1QgRWxla3Ryb25payBTZXJ0aWZpa2Eg
SGl6bWV0IFNhxJ9sYXnEsWPEsXPEsSBINTAeFw0xMzA0MzAwODA3MDFaFw0yMzA0
MjgwODA3MDFaMIGxMQswCQYDVQQGEwJUUjEPMA0GA1UEBwwGQW5rYXJhMU0wSwYD
VQQKDERUw5xSS1RSVVNUIEJpbGdpIMSwbGV0acWfaW0gdmUgQmlsacWfaW0gR8O8
dmVubGnEn2kgSGl6bWV0bGVyaSBBLsWeLjFCMEAGA1UEAww5VMOcUktUUlVTVCBF
bGVrdHJvbmlrIFNlcnRpZmlrYSBIaXptZXQgU2HEn2xhecSxY8Sxc8SxIEg1MIIB
IjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEApCUZ4WWe60ghUEoI5RHwWrom
/4NZzkQqL/7hzmAD/I0Dpe3/a6i6zDQGn1k19uwsu537jVJp45wnEFPzpALFp/kR
Gml1bsMdi9GYjZOHp3GXDSHHmflS0yxjXVW86B8BSLlg/kJK9siArs1mep5Fimh3
4khon6La8eHBEJ/rPCmBp+EyCNSgBbGM+42WAA4+Jd9ThiI7/PS98wl+d+yG6w8z
5UNP9FR1bSmZLmZaQ9/LXMrI5Tjxfjs1nQ/0xVqhzPMggCTTV+wVunUlm+hkS7M0
hO8EuPbJbKoCPrZV4jI3X/xml1/N1p7HIL9Nxqw/dV8c7TKcfGkAaZHjIxhT6QID
AQABo0IwQDAdBgNVHQ4EFgQUVpkHHtOsDGlktAxQR95DLL4gwPswDgYDVR0PAQH/
BAQDAgEGMA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcNAQELBQADggEBAJ5FdnsX
SDLyOIspve6WSk6BGLFRRyDN0GSxDsnZAdkJzsiZ3GglE9Rc8qPoBP5yCccLqh0l
VX6Wmle3usURehnmp349hQ71+S4pL+f5bFgWV1Al9j4uPqrtd3GqqpmWRgqujuwq
URawXs3qZwQcWDD1YIq9pr1N5Za0/EKJAWv2cMhQOQwt1WbZyNKzMrcbGW3LM/nf
peYVhDfwwvJllpKQd/Ct9JDpEXjXk4nAPQu6KfTomZ1yju2dL+6SfaHx/126M2CF
Yv4HAqGEVka+lgqaE9chTLd8B59OTj+RdPsnnRHM3eaxynFNExc5JsUpISuTKWqW
+qtB4Uu2NQvAmxU=
-----END CERTIFICATE-----

### TAIWAN-CA

=== /C=TW/O=TAIWAN-CA/OU=Root CA/CN=TWCA Global Root CA
Certificate:
    Data:

.\" $OpenBSD: openssl.1,v 1.89 2018/03/22 19:24:18 jmc Exp $
.\" ====================================================================
.\" Copyright (c) 1998-2002 The OpenSSL Project.  All rights reserved.
.\"
.\" Redistribution and use in source and binary forms, with or without
.\" modification, are permitted provided that the following conditions
.\" are met:
.\"

.\" SUCH DAMAGE.
.\"
.\" The licence and distribution terms for any publically available version or
.\" derivative of this code cannot be changed.  i.e. this code cannot simply be
.\" copied and put under another distribution licence
.\" [including the GNU Public Licence.]
.\"
.\" OPENSSL
.\"
.Dd $Mdocdate: March 22 2018 $
.Dt OPENSSL 1
.Os
.Sh NAME
.Nm openssl
.Nd OpenSSL command line tool
.Sh SYNOPSIS
.Nm
.Cm command
.Op Ar command_opts
.Op Ar command_args
.Pp
.Nm
.Cm list-standard-commands |
.Cm list-message-digest-commands |
.Cm list-cipher-commands |

.El
.Sh CA
.nr nS 1
.Nm "openssl ca"
.Op Fl batch
.Op Fl cert Ar file
.Op Fl config Ar file

.Op Fl crl_CA_compromise Ar time
.Op Fl crl_compromise Ar time
.Op Fl crl_hold Ar instruction
.Op Fl crl_reason Ar reason
.Op Fl crldays Ar days
.Op Fl crlexts Ar section
.Op Fl crlhours Ar hours
.Op Fl days Ar arg
.Op Fl enddate Ar date
.Op Fl extensions Ar section
.Op Fl extfile Ar section
.Op Fl gencrl
.Op Fl in Ar file
.Op Fl infiles
.Op Fl key Ar keyfile
.Op Fl keyfile Ar arg
.Op Fl keyform Ar pem
.Op Fl md Ar arg
.Op Fl msie_hack

.Op Fl name Ar section
.Op Fl noemailDN
.Op Fl notext
.Op Fl out Ar file
.Op Fl outdir Ar dir
.Op Fl passin Ar arg
.Op Fl policy Ar arg
.Op Fl preserveDN
.Op Fl revoke Ar file

.Op Fl spkac Ar file
.Op Fl ss_cert Ar file
.Op Fl startdate Ar date
.Op Fl status Ar serial
.Op Fl subj Ar arg
.Op Fl updatedb

.Op Fl verbose
.nr nS 0
.Pp
The
.Nm ca
command is a minimal certificate authority (CA) application.
It can be used to sign certificate requests in a variety of forms
and generate certificate revocation lists (CRLs).
It also maintains a text database of issued certificates and their status.
.Pp
The options relevant to CAs are as follows:
.Bl -tag -width "XXXX"
.It Fl batch
Batch mode.
In this mode no questions will be asked
and all certificates will be certified automatically.
.It Fl cert Ar file
The CA certificate file.
.It Fl config Ar file
Specify an alternative configuration file.




.It Fl days Ar arg
The number of days to certify the certificate for.
.It Fl enddate Ar date
Set the expiry date.
The format of the date is [YY]YYMMDDHHMMSSZ,
with all four year digits required for dates from 2050 onwards.
.It Fl extensions Ar section
The section of the configuration file containing certificate extensions
to be added when a certificate is issued (defaults to
.Cm x509_extensions
unless the
.Fl extfile
option is used).
If no extension section is present, a V1 certificate is created.
If the extension section is present
.Pq even if it is empty ,
then a V3 certificate is created.



.It Fl extfile Ar file
An additional configuration
.Ar file
to read certificate extensions from
(using the default section unless the
.Fl extensions
option is also used).
.It Fl in Ar file
An input
.Ar file
containing a single certificate request to be signed by the CA.
.It Fl infiles
If present, this should be the last option; all subsequent arguments
are assumed to be the names of files containing certificate requests.
.It Fl key Ar keyfile


The password used to encrypt the private key.
Since on some systems the command line arguments are visible,
this option should be used with caution.
.It Fl keyfile Ar file
The private key to sign requests with.
.It Fl keyform Ar pem
Private key file format.


.It Fl md Ar alg
The message digest to use.
Possible values include
.Ar md5
and
.Ar sha1 .
This option also applies to CRLs.
.It Fl msie_hack
This is a legacy option to make
.Nm ca
work with very old versions of the IE certificate enrollment control
.Qq certenr3 .
It used UniversalStrings for almost everything.
Since the old control has various security bugs,
its use is strongly discouraged.
The newer control
.Qq Xenroll
does not need this option.










.It Fl name Ar section
Specifies the configuration file
.Ar section
to use (overrides
.Cm default_ca
in the
.Cm ca

.Ar email_in_dn
keyword can be used in the configuration file to enable this behaviour.
.It Fl notext
Don't output the text form of a certificate to the output file.
.It Fl out Ar file
The output file to output certificates to.
The default is standard output.
The certificate details will also be printed out to this file.



.It Fl outdir Ar directory
The
.Ar directory
to output certificates to.
The certificate will be written to a file consisting of the
serial number in hex with
.Qq .pem

Normally, the DN order of a certificate is the same as the order of the
fields in the relevant policy section.
When this option is set, the order is the same as the request.
This is largely for compatibility with the older IE enrollment control
which would only accept certificates if their DNs matched the order of the
request.
This is not needed for Xenroll.





















.It Fl spkac Ar file
A file containing a single Netscape signed public key and challenge,
and additional field values to be signed by the CA.
This will usually come from the
KEYGEN tag in an HTML form to create a new private key.
It is, however, possible to create SPKACs using the
.Nm spkac
utility.
.Pp
The file should contain the variable SPKAC set to the value of
the SPKAC and also the required DN components as name value pairs.
If it's necessary to include the same component twice,
then it can be preceded by a number and a
.Sq \&. .
.It Fl ss_cert Ar file
A single self-signed certificate to be signed by the CA.
.It Fl startdate Ar date
Set the start date.
The format of the date is [YY]YYMMDDHHMMSSZ,
with all four year digits required for dates from 2050 onwards.
.It Fl status Ar serial
Show the status of the certificate with serial number

.Ar serial .









.It Fl updatedb
Update database for expired certificates.



.It Fl verbose
Print extra details about the operations being performed.
.El
.Pp
The options relevant to CRLs are as follows:
.Bl -tag -width "XXXX"
.It Fl crl_CA_compromise Ar time

of the configuration file containing CRL extensions to include.
If no CRL extension section is present then a V1 CRL is created;
if the CRL extension section is present
(even if it is empty)
then a V2 CRL is created.
The CRL extensions specified are CRL extensions and not CRL entry extensions.
It should be noted that some software can't handle V2 CRLs.



.It Fl crlhours Ar num
The number of hours before the next CRL is due.
.It Fl gencrl
Generate a CRL based on information in the index file.
.It Fl revoke Ar file
A
.Ar file
containing a certificate to revoke.
.It Fl subj Ar arg
Supersedes the subject name given in the request.
The
.Ar arg
must be formatted as
.Ar /type0=value0/type1=value1/type2=... ;
characters may be escaped by
.Sq \e
.Pq backslash ,
no spaces are skipped.

.El
.Pp
Many of the options can be set in the
.Cm ca
section of the configuration file
(or in the default section of the configuration file),
specified using

For example, if a certificate request contains a
.Cm basicConstraints
extension with CA:TRUE and the
.Cm copy_extensions
value is set to
.Cm copyall
and the user does not spot
this when the certificate is displayed, then this will hand the requestor
a valid CA certificate.
.Pp
This situation can be avoided by setting
.Cm copy_extensions
to
.Cm copy
and including

.It Cm x509_extensions
The same as
.Fl extensions .
.El
.Sh CIPHERS
.Nm openssl ciphers
.Op Fl hVv
.Op Fl tls1
.Op Ar cipherlist
.Pp
The
.Nm ciphers
command converts
.Nm openssl


cipher lists into ordered SSL cipher preference lists.




It can be used as a way to determine the appropriate cipher list.
.Pp
The options are as follows:
.Bl -tag -width Ds
.It Fl h , \&?
Print a brief usage message.
.It Fl tls1
Only include TLS v1 ciphers.
.It Fl V
Verbose.

List ciphers with a complete description of protocol version,
key exchange, authentication, encryption and mac algorithms,
any key size restrictions,
and cipher suite codes (hex format).
.It Fl v
Like
.Fl V ,
but without cipher suite codes.
.It Ar cipherlist
A cipher list to convert to a cipher preference list.
If it is not included, the default cipher list will be used.
.Pp
The cipher list consists of one or more cipher strings
separated by colons.
Commas or spaces are also acceptable separators, but colons are normally used.
.Pp
The actual cipher string can take several different forms:
.Pp
It can consist of a single cipher suite, such as RC4-SHA.
.Pp
It can represent a list of cipher suites containing a certain algorithm,
or cipher suites of a certain type.
For example SHA1 represents all cipher suites using the digest algorithm SHA1.
.Pp
Lists of cipher suites can be combined in a single cipher string using the
.Sq +
character
(logical AND operation).
For example, SHA1+DES represents all cipher suites
containing the SHA1 and DES algorithms.
.Pp
Each cipher string can be optionally preceded by the characters
.Sq \&! ,
.Sq - ,
or
.Sq + .
If
.Sq !\&
is used, then the ciphers are permanently deleted from the list.
The ciphers deleted can never reappear in the list even if they are
explicitly stated.
If
.Sq -
is used, then the ciphers are deleted from the list, but some or
all of the ciphers can be added again by later options.
If
.Sq +
is used, then the ciphers are moved to the end of the list.
This option doesn't add any new ciphers, it just moves matching existing ones.
.Pp
If none of these characters is present, the string is just interpreted
as a list of ciphers to be appended to the current preference list.
If the list includes any ciphers already present, they will be ignored;
that is, they will not be moved to the end of the list.
.Pp
Additionally, the cipher string
.Cm @STRENGTH
can be used at any point to sort the current cipher list in order of
encryption algorithm key length.
.El
.Pp
The following is a list of all permitted cipher strings and their meanings.
.Bl -tag -width "XXXX"
.It Cm DEFAULT
The default cipher list.
This is determined at compile time and is currently
.Cm ALL:!aNULL:!eNULL:!SSLv2 .
This must be the first cipher string specified.
.It Cm COMPLEMENTOFDEFAULT
The ciphers included in
.Cm ALL ,
but not enabled by default.
Currently this is
.Cm ADH .
Note that this rule does not cover
.Cm eNULL ,
which is not included by
.Cm ALL
(use
.Cm COMPLEMENTOFALL
if necessary).
.It Cm ALL
All cipher suites except the
.Cm eNULL
ciphers, which must be explicitly enabled.
.It Cm COMPLEMENTOFALL
The cipher suites not enabled by
.Cm ALL ,
currently being
.Cm eNULL .
.It Cm HIGH
.Qq High
encryption cipher suites.
This currently means those with key lengths larger than 128 bits.
.It Cm MEDIUM
.Qq Medium
encryption cipher suites, currently those using 128-bit encryption.
.It Cm LOW
.Qq Low
encryption cipher suites, currently those using 64- or 56-bit encryption
algorithms.
.It Cm eNULL , NULL
The
.Qq NULL
ciphers; that is, those offering no encryption.
Because these offer no encryption at all and are a security risk,
they are disabled unless explicitly included.
.It Cm aNULL
The cipher suites offering no authentication.
This is currently the anonymous DH algorithms.
These cipher suites are vulnerable to a
.Qq man in the middle
attack, so their use is normally discouraged.
.It Cm kRSA , RSA
Cipher suites using RSA key exchange.
.It Cm kEDH
Cipher suites using ephemeral DH key agreement.
.It Cm aRSA
Cipher suites using RSA authentication, i.e. the certificates carry RSA keys.
.It Cm aDSS , DSS
Cipher suites using DSS authentication, i.e. the certificates carry DSS keys.
.It Cm TLSv1
TLS v1.0 cipher suites.
.It Cm DH
Cipher suites using DH, including anonymous DH.
.It Cm ADH
Anonymous DH cipher suites.
.It Cm AES
Cipher suites using AES.
.It Cm 3DES
Cipher suites using triple DES.
.It Cm DES
Cipher suites using DES
.Pq not triple DES .
.It Cm RC4
Cipher suites using RC4.
.It Cm CAMELLIA
Cipher suites using Camellia.
.It Cm CHACHA20
Cipher suites using ChaCha20.
.It Cm IDEA
Cipher suites using IDEA.
.It Cm MD5
Cipher suites using MD5.
.It Cm SHA1 , SHA
Cipher suites using SHA1.
.El
.Sh CRL
.nr nS 1
.Nm "openssl crl"
.Op Fl CAfile Ar file
.Op Fl CApath Ar dir
.Op Fl fingerprint

preceded by their subject and issuer names in a one-line format.
.It Fl text
Print certificate details in full rather than just subject and issuer names.
.El
.Sh PKCS8
.nr nS 1
.Nm "openssl pkcs8"
.Op Fl embed
.Op Fl in Ar file
.Op Fl inform Cm der | pem
.Op Fl nocrypt
.Op Fl noiter
.Op Fl nooct
.Op Fl nsdb
.Op Fl out Ar file
.Op Fl outform Cm der | pem
.Op Fl passin Ar arg
.Op Fl passout Ar arg
.Op Fl topk8
.Op Fl v1 Ar alg
.Op Fl v2 Ar alg

with a variety of PKCS#5 (v1.5 and v2.0) and PKCS#12 algorithms.
The default encryption is only 56 bits;
keys encrypted using PKCS#5 v2.0 algorithms and high iteration counts
are more secure.
.Pp
The options are as follows:
.Bl -tag -width Ds
.It Fl embed
Generate DSA keys in a broken format.
The DSA parameters are embedded inside the PrivateKey structure.
In this form the OCTET STRING contains an ASN.1 SEQUENCE consisting of
two structures:
a SEQUENCE containing the parameters and an ASN.1 INTEGER containing
the private key.
.It Fl in Ar file
The input file to read from,
or standard input if not specified.
If the key is encrypted, a pass phrase will be prompted for.
.It Fl inform Cm der | pem
The input format.
.It Fl nocrypt
Generate an unencrypted PrivateKeyInfo structure.
This option does not encrypt private keys at all
and should only be used when absolutely necessary.
.It Fl noiter
Use an iteration count of 1.
See the
.Sx PKCS12
section below for a detailed explanation of this option.
.It Fl nooct
Generate RSA private keys in a broken format that some software uses.
Specifically the private key should be enclosed in an OCTET STRING,
but some software just includes the structure itself without the
surrounding OCTET STRING.
.It Fl nsdb
Generate DSA keys in a broken format compatible with Netscape
private key databases.
The PrivateKey contains a SEQUENCE
consisting of the public and private keys, respectively.
.It Fl out Ar file
The output file to write to,
or standard output if none is specified.
If any encryption options are set, a pass phrase will be prompted for.
.It Fl outform Cm der | pem
The output format.
.It Fl passin Ar arg

Default configuration file for
.Nm x509
certificates.
.El
.Sh SEE ALSO
.Xr acme-client 1 ,
.Xr nc 1 ,


.Xr ssl 8 ,
.Xr starttls 8
.Sh STANDARDS
.Rs
.%A T. Dierks
.%A C. Allen
.%D January 1999

/* $OpenBSD: pkcs8.c,v 1.11 2018/02/07 05:47:55 jsing Exp $ */
/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
 * project 1999-2004.
 */
/* ====================================================================
 * Copyright (c) 1999 The OpenSSL Project.  All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without

	const EVP_CIPHER *cipher;
	char *infile;
	int informat;
	int iter;
	int nocrypt;
	char *outfile;
	int outformat;
	int p8_broken;
	char *passargin;
	char *passargout;
	int pbe_nid;
	int topk8;
} pkcs8_config;

static int

	}

	return (0);
}

static struct option pkcs8_options[] = {
	{
		.name = "embed",
		.desc = "Generate DSA keys in a broken format",
		.type = OPTION_VALUE,
		.value = PKCS8_EMBEDDED_PARAM,
		.opt.value = &pkcs8_config.p8_broken,
	},
	{
		.name = "in",
		.argname = "file",
		.desc = "Input file (default stdin)",
		.type = OPTION_ARG,
		.opt.arg = &pkcs8_config.infile,
	},
	{
		.name = "inform",
		.argname = "format",
		.desc = "Input format (DER or PEM (default))",
		.type = OPTION_ARG_FORMAT,
		.opt.value = &pkcs8_config.informat,
	},
	{
		.name = "nocrypt",
		.desc = "Use or expect unencrypted private key",
		.type = OPTION_FLAG,
		.opt.flag = &pkcs8_config.nocrypt,
	},
	{
		.name = "noiter",
		.desc = "Use 1 as iteration count",
		.type = OPTION_VALUE,
		.value = 1,
		.opt.value = &pkcs8_config.iter,
	},
	{
		.name = "nooct",
		.desc = "Generate RSA keys in a broken format (no octet)",
		.type = OPTION_VALUE,
		.value = PKCS8_NO_OCTET,
		.opt.value = &pkcs8_config.p8_broken,
	},
	{
		.name = "nsdb",
		.desc = "Generate DSA keys in the broken Netscape DB format",
		.type = OPTION_VALUE,
		.value = PKCS8_NS_DB,
		.opt.value = &pkcs8_config.p8_broken,
	},
	{
		.name = "out",
		.argname = "file",
		.desc = "Output file (default stdout)",
		.type = OPTION_ARG,
		.opt.arg = &pkcs8_config.outfile,
	},
	{
		.name = "outform",
		.argname = "format",
		.desc = "Output format (DER or PEM (default))",
		.type = OPTION_ARG_FORMAT,
		.opt.value = &pkcs8_config.outformat,
	},
	{
		.name = "passin",
		.argname = "source",
		.desc = "Input file passphrase source",

	},
	{ NULL },
};

static void
pkcs8_usage()
{
	fprintf(stderr, "usage: pkcs8 [-embed] [-in file] "
	    "[-inform fmt] [-nocrypt]\n"
	    "    [-noiter] [-nooct] [-nsdb] [-out file] [-outform fmt] "
	    "[-passin src]\n"
	    "    [-passout src] [-topk8] [-v1 alg] [-v2 alg]\n\n");
	options_usage(pkcs8_options);
}

int
pkcs8_main(int argc, char **argv)
{
	BIO *in = NULL, *out = NULL;

	}

	memset(&pkcs8_config, 0, sizeof(pkcs8_config));

	pkcs8_config.iter = PKCS12_DEFAULT_ITER;
	pkcs8_config.informat = FORMAT_PEM;
	pkcs8_config.outformat = FORMAT_PEM;
	pkcs8_config.p8_broken = PKCS8_OK;
	pkcs8_config.pbe_nid = -1;

	if (options_parse(argc, argv, pkcs8_options, NULL, NULL) != 0) {
		pkcs8_usage();
		return (1);
	}

		out = BIO_new_fp(stdout, BIO_NOCLOSE);
	}
	if (pkcs8_config.topk8) {
		pkey = load_key(bio_err, pkcs8_config.infile,
		    pkcs8_config.informat, 1, passin, "key");
		if (!pkey)
			goto end;
		if (!(p8inf = EVP_PKEY2PKCS8_broken(pkey,
		    pkcs8_config.p8_broken))) {
			BIO_printf(bio_err, "Error converting key\n");
			ERR_print_errors(bio_err);
			goto end;
		}
		if (pkcs8_config.nocrypt) {
			if (pkcs8_config.outformat == FORMAT_PEM)
				PEM_write_bio_PKCS8_PRIV_KEY_INFO(out, p8inf);

		goto end;
	}
	if (!(pkey = EVP_PKCS82PKEY(p8inf))) {
		BIO_printf(bio_err, "Error converting key\n");
		ERR_print_errors(bio_err);
		goto end;
	}
	if (p8inf->broken) {
		BIO_printf(bio_err, "Warning: broken key encoding: ");
		switch (p8inf->broken) {
		case PKCS8_NO_OCTET:
			BIO_printf(bio_err, "No Octet String in PrivateKey\n");
			break;

		case PKCS8_EMBEDDED_PARAM:
			BIO_printf(bio_err,
			    "DSA parameters included in PrivateKey\n");
			break;

		case PKCS8_NS_DB:
			BIO_printf(bio_err,
			    "DSA public key include in PrivateKey\n");
			break;

		case PKCS8_NEG_PRIVKEY:
			BIO_printf(bio_err, "DSA private key value is negative\n");
			break;

		default:
			BIO_printf(bio_err, "Unknown broken type\n");
			break;
		}
	}
	if (pkcs8_config.outformat == FORMAT_PEM)
		PEM_write_bio_PrivateKey(out, pkey, NULL, NULL, 0, NULL,
		    passout);
	else if (pkcs8_config.outformat == FORMAT_ASN1)
		i2d_PrivateKey_bio(out, pkey);
	else {
		BIO_printf(bio_err, "Bad format specified for key\n");

/* $OpenBSD: s_apps.h,v 1.4 2016/12/30 17:25:48 jsing Exp $ */
/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
 * This package is an SSL implementation written
 * by Eric Young (eay@cryptsoft.com).
 * The implementation was written so as to conform with Netscapes SSL.
 *

    size_t len, SSL *ssl, void *arg);
void tlsext_cb(SSL *s, int client_server, int type, unsigned char *data,
    int len, void *arg);
#endif

int generate_cookie_callback(SSL *ssl, unsigned char *cookie,
    unsigned int *cookie_len);
int verify_cookie_callback(SSL *ssl, unsigned char *cookie,
    unsigned int cookie_len);

/* $OpenBSD: s_cb.c,v 1.9 2018/01/15 11:02:07 inoguchi Exp $ */
/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
 * This package is an SSL implementation written
 * by Eric Young (eay@cryptsoft.com).
 * The implementation was written so as to conform with Netscapes SSL.
 *

	memcpy(cookie, result, resultlength);
	*cookie_len = resultlength;

	return 1;
}

int
verify_cookie_callback(SSL * ssl, unsigned char *cookie, unsigned int cookie_len)

{
	unsigned char *buffer, result[EVP_MAX_MD_SIZE];
	unsigned int length, resultlength;
	union {
		struct sockaddr sa;
		struct sockaddr_in s4;
		struct sockaddr_in6 s6;

/* $OpenBSD: s_socket.c,v 1.9 2018/02/07 05:47:55 jsing Exp $ */
/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
 * This package is an SSL implementation written
 * by Eric Young (eay@cryptsoft.com).
 * The implementation was written so as to conform with Netscapes SSL.
 *

			return (0);
		}

		h2 = gethostbyname(*host);
		if (h2 == NULL) {
			BIO_printf(bio_err, "gethostbyname failure\n");
			close(ret);

			return (0);
		}
		if (h2->h_addrtype != AF_INET) {
			BIO_printf(bio_err, "gethostbyname addr is not AF_INET\n");
			close(ret);

			return (0);
		}
	}

 end:
	*sock = ret;
	return (1);

/* $OpenBSD: s_time.c,v 1.23 2018/02/07 05:47:55 jsing Exp $ */
/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
 * This package is an SSL implementation written
 * by Eric Young (eay@cryptsoft.com).
 * The implementation was written so as to conform with Netscapes SSL.
 *

#define MYBUFSIZ 1024*8

#define SECONDS	30
extern int verify_depth;

static void s_time_usage(void);

static SSL *doConnection(SSL * scon);


static SSL_CTX *tm_ctx = NULL;
static const SSL_METHOD *s_time_meth = NULL;
static long bytes_read = 0;

struct {
	int bugs;

	    "[-bugs] [-CAfile file] [-CApath directory] [-cert file]\n"
	    "    [-cipher cipherlist] [-connect host:port] [-key keyfile]\n"
	    "    [-nbio] [-new] [-no_shutdown] [-reuse] [-time seconds]\n"
	    "    [-verify depth] [-www page]\n\n");
	options_usage(s_time_options);
}

/***********************************************************************
 * TIME - time functions
 */
#define START	0
#define STOP	1

static double
tm_Time_F(int op)
{
	return app_timer_user(op);
}

/***********************************************************************
 * MAIN - main processing area for client
 *			real name depends on MONOLITH
 */
int
s_time_main(int argc, char **argv)
{
	double totalTime = 0.0;
	int nConn = 0;
	SSL *scon = NULL;
	time_t finishtime;
	int ret = 1;
	char buf[1024 * 8];
	int ver;

	if (single_execution) {
		if (pledge("stdio rpath inet dns", NULL) == -1) {
			perror("pledge");
			exit(1);
		}
	}

	s_time_meth = SSLv23_client_method();

	verify_depth = 0;

	memset(&s_time_config, 0, sizeof(s_time_config));

	s_time_config.host = SSL_CONNECT_NAME;
	s_time_config.maxtime = SECONDS;

		 * BIO_printf(bio_err,"error setting default verify
		 * locations\n");
		 */
		ERR_print_errors(bio_err);
		/* goto end; */
	}


	if (!(s_time_config.perform & 1))
		goto next;
	printf("Collecting connection statistics for %lld seconds\n",
	    (long long)s_time_config.maxtime);

	/* Loop and time how long it takes to make connections */

	bytes_read = 0;
	finishtime = time(NULL) + s_time_config.maxtime;
	tm_Time_F(START);
	for (;;) {
		if (finishtime < time(NULL))
			break;
		if ((scon = doConnection(NULL)) == NULL)
			goto end;

		if (s_time_config.www_path != NULL) {
			int i, retval = snprintf(buf, sizeof buf,
			    "GET %s HTTP/1.0\r\n\r\n", s_time_config.www_path);
			if ((size_t)retval >= sizeof buf) {
				fprintf(stderr, "URL too long\n");
				goto end;
			}
			SSL_write(scon, buf, strlen(buf));
			while ((i = SSL_read(scon, buf, sizeof(buf))) > 0)
				bytes_read += i;
		}
		if (s_time_config.no_shutdown)
			SSL_set_shutdown(scon, SSL_SENT_SHUTDOWN |
			    SSL_RECEIVED_SHUTDOWN);
		else
			SSL_shutdown(scon);

		nConn += 1;
		if (SSL_session_reused(scon))
			ver = 'r';
		else {
			ver = SSL_version(scon);
			if (ver == TLS1_VERSION)
				ver = 't';
			else if (ver == SSL3_VERSION)
				ver = '3';
			else if (ver == SSL2_VERSION)
				ver = '2';
			else
				ver = '*';
		}
		fputc(ver, stdout);
		fflush(stdout);

		SSL_free(scon);
		scon = NULL;
	}
	totalTime += tm_Time_F(STOP);	/* Add the time for this iteration */

	printf("\n\n%d connections in %.2fs; %.2f connections/user sec, bytes read %ld\n",
	    nConn, totalTime, ((double) nConn / totalTime), bytes_read);
	printf("%d connections in %lld real seconds, %ld bytes read per connection\n",
	    nConn,
	    (long long)(time(NULL) - finishtime + s_time_config.maxtime),
	    bytes_read / nConn);

	/*
	 * Now loop and time connections using the same session id over and
	 * over
	 */

 next:
	if (!(s_time_config.perform & 2))
		goto end;
	printf("\n\nNow timing with session id reuse.\n");

	/* Get an SSL object so we can reuse the session id */
	if ((scon = doConnection(NULL)) == NULL) {
		fprintf(stderr, "Unable to get connection\n");
		goto end;
	}
	if (s_time_config.www_path != NULL) {
		int retval = snprintf(buf, sizeof buf,
		    "GET %s HTTP/1.0\r\n\r\n", s_time_config.www_path);
		if ((size_t)retval >= sizeof buf) {
			fprintf(stderr, "URL too long\n");
			goto end;
		}
		SSL_write(scon, buf, strlen(buf));
		while (SSL_read(scon, buf, sizeof(buf)) > 0);
	}
	if (s_time_config.no_shutdown)
		SSL_set_shutdown(scon, SSL_SENT_SHUTDOWN |
		    SSL_RECEIVED_SHUTDOWN);
	else
		SSL_shutdown(scon);

	nConn = 0;
	totalTime = 0.0;

	finishtime = time(NULL) + s_time_config.maxtime;

	printf("starting\n");
	bytes_read = 0;
	tm_Time_F(START);

	for (;;) {
		if (finishtime < time(NULL))
			break;
		if ((doConnection(scon)) == NULL)
			goto end;

		if (s_time_config.www_path) {
			int i, retval = snprintf(buf, sizeof buf,
			    "GET %s HTTP/1.0\r\n\r\n", s_time_config.www_path);
			if ((size_t)retval >= sizeof buf) {
				fprintf(stderr, "URL too long\n");
				goto end;
			}
			SSL_write(scon, buf, strlen(buf));
			while ((i = SSL_read(scon, buf, sizeof(buf))) > 0)
				bytes_read += i;
		}
		if (s_time_config.no_shutdown)
			SSL_set_shutdown(scon, SSL_SENT_SHUTDOWN |
			    SSL_RECEIVED_SHUTDOWN);
		else
			SSL_shutdown(scon);

		nConn += 1;
		if (SSL_session_reused(scon))
			ver = 'r';
		else {
			ver = SSL_version(scon);
			if (ver == TLS1_VERSION)
				ver = 't';
			else if (ver == SSL3_VERSION)
				ver = '3';
			else if (ver == SSL2_VERSION)
				ver = '2';
			else
				ver = '*';
		}
		fputc(ver, stdout);
		fflush(stdout);
	}
	totalTime += tm_Time_F(STOP);	/* Add the time for this iteration */

	printf("\n\n%d connections in %.2fs; %.2f connections/user sec, bytes read %ld\n", nConn, totalTime, ((double) nConn / totalTime), bytes_read);
	printf("%d connections in %lld real seconds, %ld bytes read per connection\n",
	    nConn,
	    (long long)(time(NULL) - finishtime + s_time_config.maxtime),
	    bytes_read / nConn);

	ret = 0;
 end:
	SSL_free(scon);

	if (tm_ctx != NULL) {
		SSL_CTX_free(tm_ctx);
		tm_ctx = NULL;
	}

	return (ret);
}

/***********************************************************************
 * doConnection - make a connection

 * Args:
 *		scon	= earlier ssl connection for session id, or NULL
 * Returns:
 *		SSL *	= the connection pointer.
 */
static SSL *
doConnection(SSL * scon)
{

	struct pollfd pfd[1];
	SSL *serverCon;
	BIO *conn;
	long verify_error;
	int i;

	if ((conn = BIO_new(BIO_s_connect())) == NULL)
		return (NULL);

/*	BIO_set_conn_port(conn,port);*/
	BIO_set_conn_hostname(conn, s_time_config.host);

	if (scon == NULL)
		serverCon = SSL_new(tm_ctx);
	else {
		serverCon = scon;
		SSL_set_connect_state(serverCon);
	}

	SSL_set_bio(serverCon, conn, conn);

	/* ok, lets connect */
	for (;;) {
		i = SSL_connect(serverCon);
		if (BIO_sock_should_retry(i)) {
			BIO_printf(bio_err, "DELAY\n");

			i = SSL_get_fd(serverCon);
			pfd[0].fd = i;
			pfd[0].events = POLLIN;
			poll(pfd, 1, -1);
			continue;
		}
		break;
	}
	if (i <= 0) {
		BIO_printf(bio_err, "ERROR\n");
		verify_error = SSL_get_verify_result(serverCon);
		if (verify_error != X509_V_OK)
			BIO_printf(bio_err, "verify error:%s\n",
			    X509_verify_cert_error_string(verify_error));
		else
			ERR_print_errors(bio_err);




































































		if (scon == NULL)








			SSL_free(serverCon);
		return NULL;
	}













	return serverCon;
}

/* $OpenBSD: speed.c,v 1.22 2018/02/07 05:47:55 jsing Exp $ */
/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
 * This package is an SSL implementation written
 * by Eric Young (eay@cryptsoft.com).
 * The implementation was written so as to conform with Netscapes SSL.
 *

static void
sig_done(int sig)
{
	signal(SIGALRM, sig_done);
	run = 0;
}

#define START	0
#define STOP	1


static double
Time_F(int s)
{
	if (usertime)
		return app_timer_user(s);

#! /bin/sh
# Guess values for system-dependent variables and create Makefiles.
# Generated by GNU Autoconf 2.69 for libressl 2.7.4.
#
#
# Copyright (C) 1992-1996, 1998-2012 Free Software Foundation, Inc.
#
#
# This configure script is free software; the Free Software Foundation
# gives unlimited permission to copy, distribute and modify it.

subdirs=
MFLAGS=
MAKEFLAGS=

# Identity of this package.
PACKAGE_NAME='libressl'
PACKAGE_TARNAME='libressl'
PACKAGE_VERSION='2.7.4'
PACKAGE_STRING='libressl 2.7.4'
PACKAGE_BUGREPORT=''
PACKAGE_URL=''

# Factoring default headers for most tests.
ac_includes_default="\
#include <stdio.h>
#ifdef HAVE_SYS_TYPES_H

#
# Report the --help message.
#
if test "$ac_init_help" = "long"; then
  # Omit some internal or obsolete options to make the list less imposing.
  # This message is too long to be a string in the A/UX 3.1 sh.
  cat <<_ACEOF
\`configure' configures libressl 2.7.4 to adapt to many kinds of systems.

Usage: $0 [OPTION]... [VAR=VALUE]...

To assign environment variables (e.g., CC, CFLAGS...), specify them as
VAR=VALUE.  See below for descriptions of some of the useful variables.

Defaults for the options are specified in brackets.

  --build=BUILD     configure for building on BUILD [guessed]
  --host=HOST       cross-compile to build programs to run on HOST [BUILD]
_ACEOF
fi

if test -n "$ac_init_help"; then
  case $ac_init_help in
     short | recursive ) echo "Configuration of libressl 2.7.4:";;
   esac
  cat <<\_ACEOF

Optional Features:
  --disable-option-checking  ignore unrecognized --enable/--with options
  --disable-FEATURE       do not include FEATURE (same as --enable-FEATURE=no)
  --enable-FEATURE[=ARG]  include FEATURE [ARG=yes]

    cd "$ac_pwd" || { ac_status=$?; break; }
  done
fi

test -n "$ac_init_help" && exit $ac_status
if $ac_init_version; then
  cat <<\_ACEOF
libressl configure 2.7.4
generated by GNU Autoconf 2.69

Copyright (C) 2012 Free Software Foundation, Inc.
This configure script is free software; the Free Software Foundation
gives unlimited permission to copy, distribute and modify it.
_ACEOF
  exit

  as_fn_set_status $ac_retval

} # ac_fn_c_compute_int
cat >config.log <<_ACEOF
This file contains any messages produced by compilers while
running configure, to aid debugging if configure makes a mistake.

It was created by libressl $as_me 2.7.4, which was
generated by GNU Autoconf 2.69.  Invocation command line was

  $ $0 $@

_ACEOF
exec 5>>config.log
{

ac_ext=c
ac_cpp='$CPP $CPPFLAGS'
ac_compile='$CC -c $CFLAGS $CPPFLAGS conftest.$ac_ext >&5'
ac_link='$CC -o conftest$ac_exeext $CFLAGS $CPPFLAGS $LDFLAGS conftest.$ac_ext $LIBS >&5'
ac_compiler_gnu=$ac_cv_c_compiler_gnu


LIBCRYPTO_VERSION=43:1:0

LIBSSL_VERSION=45:1:0

LIBTLS_VERSION=17:1:0


ac_aux_dir=
for ac_dir in "$srcdir" "$srcdir/.." "$srcdir/../.."; do
  if test -f "$ac_dir/install-sh"; then
    ac_aux_dir=$ac_dir
    ac_install_sh="$ac_aux_dir/install-sh -c"

    CYGPATH_W=echo
  fi
fi


# Define the identity of the package.
 PACKAGE='libressl'
 VERSION='2.7.4'


cat >>confdefs.h <<_ACEOF
#define PACKAGE "$PACKAGE"
_ACEOF

		;;
	*mingw*)
		HOST_OS=win
		BUILD_NC=no
		CPPFLAGS="$CPPFLAGS -D_GNU_SOURCE -D_POSIX -D_POSIX_SOURCE -D__USE_MINGW_ANSI_STDIO"
		CPPFLAGS="$CPPFLAGS -D_REENTRANT -D_POSIX_THREAD_SAFE_FUNCTIONS"
		CPPFLAGS="$CPPFLAGS -DWIN32_LEAN_AND_MEAN"
		CPPFLAGS="$CPPFLAGS -DOPENSSL_NO_SPEED"
		PLATFORM_LDADD='-lws2_32'

		;;
	*solaris*)
		HOST_OS=solaris
		HOST_ABI=elf

{ $as_echo "$as_me:${as_lineno-$LINENO}: checking if .gnu.warning accepts long strings" >&5
$as_echo_n "checking if .gnu.warning accepts long strings... " >&6; }
cat confdefs.h - <<_ACEOF >conftest.$ac_ext
/* end confdefs.h.  */

extern void SSLv3_method();
__asm__(".section .gnu.warning.SSLv3_method; .ascii \"SSLv3_method is insecure\" ; .text");
int main() {return 0;}

_ACEOF
if ac_fn_c_try_link "$LINENO"; then :


$as_echo "#define HAS_GNU_WARNING_LONG 1" >>confdefs.h

test $as_write_fail = 0 && chmod +x $CONFIG_STATUS || ac_write_fail=1

cat >>$CONFIG_STATUS <<\_ACEOF || ac_write_fail=1
# Save the log message, to keep $0 and so on meaningful, and to
# report actual input values of CONFIG_FILES etc. instead of their
# values after options handling.
ac_log="
This file was extended by libressl $as_me 2.7.4, which was
generated by GNU Autoconf 2.69.  Invocation command line was

  CONFIG_FILES    = $CONFIG_FILES
  CONFIG_HEADERS  = $CONFIG_HEADERS
  CONFIG_LINKS    = $CONFIG_LINKS
  CONFIG_COMMANDS = $CONFIG_COMMANDS
  $ $0 $@

Report bugs to the package provider."

_ACEOF
cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1
ac_cs_config="`$as_echo "$ac_configure_args" | sed 's/^ //; s/[\\""\`\$]/\\\\&/g'`"
ac_cs_version="\\
libressl config.status 2.7.4
configured by $0, generated by GNU Autoconf 2.69,
  with options \\"\$ac_cs_config\\"

Copyright (C) 2012 Free Software Foundation, Inc.
This config.status script is free software; the Free Software Foundation
gives unlimited permission to copy, distribute and modify it."

	[x86_64], [HOSTARCH=intel]
)
AM_CONDITIONAL([HOST_CPU_IS_INTEL], [test "x$HOSTARCH" = "xintel"])

AC_MSG_CHECKING([if .gnu.warning accepts long strings])
AC_LINK_IFELSE([AC_LANG_SOURCE([[
extern void SSLv3_method();
__asm__(".section .gnu.warning.SSLv3_method; .ascii \"SSLv3_method is insecure\" ; .text");
int main() {return 0;}
]])], [
    AC_DEFINE(HAS_GNU_WARNING_LONG, 1, [Define if .gnu.warning accepts long strings.])
    AC_MSG_RESULT(yes)
], [
   AC_MSG_RESULT(no)
])

include_directories(
	.
	../include
	../include/compat
	asn1
	bn
	dsa
	evp
	modes
)

if(HOST_ASM_ELF_X86_64)
	set(
		ASM_X86_64_ELF_SRC
		aes/aes-elf-x86_64.S
		aes/bsaes-elf-x86_64.S
		aes/vpaes-elf-x86_64.S
		aes/aesni-elf-x86_64.S

	add_definitions(-DSHA1_ASM)
	add_definitions(-DSHA256_ASM)
	add_definitions(-DSHA512_ASM)
	add_definitions(-DWHIRLPOOL_ASM)
	add_definitions(-DOPENSSL_CPUID_OBJ)
	set(CRYPTO_SRC ${CRYPTO_SRC} ${ASM_X86_64_MACOSX_SRC})
	set_property(SOURCE ${ASM_X86_64_MACOSX_SRC} PROPERTY LANGUAGE C)

endif()

if((NOT HOST_ASM_ELF_X86_64) AND (NOT HOST_ASM_MACOSX_X86_64))
	set(
		CRYPTO_SRC
		${CRYPTO_SRC}
		aes/aes_cbc.c

	list(SORT EXTRA_EXPORT)
	foreach(SYM IN LISTS EXTRA_EXPORT)
		file(APPEND ${CMAKE_CURRENT_BINARY_DIR}/crypto_p.sym "${SYM}\n")
	endforeach()
endif()

add_library(crypto ${CRYPTO_SRC})












if (BUILD_SHARED_LIBS)
	export_symbol(crypto ${CMAKE_CURRENT_BINARY_DIR}/crypto_p.sym)

	if (WIN32)
		target_link_libraries(crypto Ws2_32.lib)
		set(CRYPTO_POSTFIX -${CRYPTO_MAJOR_VERSION})
	endif()
	set_target_properties(crypto PROPERTIES
		OUTPUT_NAME crypto${CRYPTO_POSTFIX}
		ARCHIVE_OUTPUT_NAME crypto${CRYPTO_POSTFIX})
	set_target_properties(crypto PROPERTIES VERSION
		${CRYPTO_VERSION} SOVERSION ${CRYPTO_MAJOR_VERSION})

43:1:0

/* $OpenBSD: a_bitstr.c,v 1.24 2017/01/29 17:49:22 beck Exp $ */
/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
 * This package is an SSL implementation written
 * by Eric Young (eay@cryptsoft.com).
 * The implementation was written so as to conform with Netscapes SSL.
 *

{
	ASN1_BIT_STRING *ret = NULL;
	const unsigned char *p;
	unsigned char *s;
	int i;

	if (len < 1) {
		i = ASN1_R_STRING_TOO_SHORT;
		goto err;
	}

	if ((a == NULL) || ((*a) == NULL)) {
		if ((ret = ASN1_BIT_STRING_new()) == NULL)
			return (NULL);
	} else
		ret = (*a);

	p = *pp;
	i = *(p++);






	/* We do this to preserve the settings.  If we modify
	 * the settings, via the _set_bit function, we will recalculate
	 * on output */
	ret->flags&= ~(ASN1_STRING_FLAG_BITS_LEFT|0x07); /* clear */
	ret->flags|=(ASN1_STRING_FLAG_BITS_LEFT|(i&0x07)); /* set */

	if (len-- > 1) /* using one because of the bits left byte */
	{

		s = malloc(len);
		if (s == NULL) {
			i = ERR_R_MALLOC_FAILURE;
			goto err;
		}
		memcpy(s, p, len);
		s[len - 1] &= (0xff << i);
		p += len;
	} else
		s = NULL;

	ret->length = (int)len;
	free(ret->data);
	ret->data = s;

	ret->type = V_ASN1_BIT_STRING;

	if (a != NULL)
		(*a) = ret;

	*pp = p;

	return (ret);

err:
	ASN1error(i);
	if ((ret != NULL) && ((a == NULL) || (*a != ret)))
		ASN1_BIT_STRING_free(ret);

	return (NULL);
}

/* These next 2 functions from Goetz Babin-Ebell <babinebell@trustcenter.de>
 */
int
ASN1_BIT_STRING_set_bit(ASN1_BIT_STRING *a, int n, int value)
{
	int w, v, iv;
	unsigned char *c;

	w = n/8;
	v = 1 << (7 - (n & 0x07));
	iv = ~v;
	if (!value)
		v = 0;

	if (a == NULL)
		return 0;

	a->flags &= ~(ASN1_STRING_FLAG_BITS_LEFT | 0x07); /* clear, set on write */

	if ((a->length < (w + 1)) || (a->data == NULL)) {
		if (!value)
			return(1); /* Don't need to set */
		c = OPENSSL_realloc_clean(a->data, a->length, w + 1);
		if (c == NULL) {
			ASN1error(ERR_R_MALLOC_FAILURE);
			return 0;
		}
		if (w + 1 - a->length > 0)
			memset(c + a->length, 0, w + 1 - a->length);
		a->data = c;
		a->length = w + 1;
	}
	a->data[w] = ((a->data[w]) & iv) | v;
	while ((a->length > 0) && (a->data[a->length - 1] == 0))
		a->length--;

	return (1);
}

int
ASN1_BIT_STRING_get_bit(ASN1_BIT_STRING *a, int n)
{
	int w, v;

	w = n / 8;
	v = 1 << (7 - (n & 0x07));
	if ((a == NULL) || (a->length < (w + 1)) || (a->data == NULL))
		return (0);
	return ((a->data[w] & v) != 0);
}

/*
 * Checks if the given bit string contains only bits specified by
 * the flags vector. Returns 0 if there is at least one bit set in 'a'
 * which is not specified in 'flags', 1 otherwise.
 * 'len' is the length of 'flags'.
 */
int

ASN1_BIT_STRING_check(ASN1_BIT_STRING *a, unsigned char *flags, int flags_len)
{
	int i, ok;

	/* Check if there is one bit set at all. */
	if (!a || !a->data)
		return 1;

/* $OpenBSD: a_digest.c,v 1.15 2014/07/11 08:44:47 jsing Exp $ */
/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
 * This package is an SSL implementation written
 * by Eric Young (eay@cryptsoft.com).
 * The implementation was written so as to conform with Netscapes SSL.
 *

	int i;
	unsigned char *str = NULL;

	i = ASN1_item_i2d(asn, &str, it);
	if (!str)
		return (0);

	if (!EVP_Digest(str, i, md, len, type, NULL))

		return 0;


	free(str);
	return (1);
}

/* $OpenBSD: a_enum.c,v 1.18 2017/01/29 17:49:22 beck Exp $ */
/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
 * This package is an SSL implementation written
 * by Eric Young (eay@cryptsoft.com).
 * The implementation was written so as to conform with Netscapes SSL.
 *

	for (k = i - 1; k >= 0; k--)
		a->data[j++] = buf[k];
	a->length = j;
	return (1);
}

long
ASN1_ENUMERATED_get(ASN1_ENUMERATED *a)
{
	int neg = 0, i;
	long r = 0;

	if (a == NULL)
		return (0L);
	i = a->type;

	}
	if (neg)
		r = -r;
	return (r);
}

ASN1_ENUMERATED *
BN_to_ASN1_ENUMERATED(BIGNUM *bn, ASN1_ENUMERATED *ai)
{
	ASN1_ENUMERATED *ret;
	int len, j;

	if (ai == NULL)
		ret = ASN1_ENUMERATED_new();
	else

err:
	if (ret != ai)
		ASN1_ENUMERATED_free(ret);
	return (NULL);
}

BIGNUM *
ASN1_ENUMERATED_to_BN(ASN1_ENUMERATED *ai, BIGNUM *bn)
{
	BIGNUM *ret;

	if ((ret = BN_bin2bn(ai->data, ai->length, bn)) == NULL)
		ASN1error(ASN1_R_BN_LIB);
	else if (ai->type == V_ASN1_NEG_ENUMERATED)
		BN_set_negative(ret, 1);
	return (ret);
}

/* $OpenBSD: a_object.c,v 1.30 2017/05/02 03:59:44 deraadt Exp $ */
/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
 * This package is an SSL implementation written
 * by Eric Young (eay@cryptsoft.com).
 * The implementation was written so as to conform with Netscapes SSL.
 *

#include <openssl/asn1.h>
#include <openssl/bn.h>
#include <openssl/err.h>
#include <openssl/buffer.h>
#include <openssl/objects.h>

int
i2d_ASN1_OBJECT(ASN1_OBJECT *a, unsigned char **pp)
{
	unsigned char *p;
	int objsize;

	if ((a == NULL) || (a->data == NULL))
		return (0);

	if (tmp != ftmp)
		free(tmp);
	BN_free(bl);
	return (0);
}

int
i2t_ASN1_OBJECT(char *buf, int buf_len, ASN1_OBJECT *a)
{
	return OBJ_obj2txt(buf, buf_len, a, 0);
}

int
i2a_ASN1_OBJECT(BIO *bp, ASN1_OBJECT *a)
{
	char *tmp = NULL;
	size_t tlen = 256;
	int i = -1;

	if ((a == NULL) || (a->data == NULL))
		return(BIO_write(bp, "NULL", 4));

/* $OpenBSD: a_strex.c,v 1.25 2015/02/07 13:19:15 doug Exp $ */
/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
 * project 2000.
 */
/* ====================================================================
 * Copyright (c) 2000 The OpenSSL Project.  All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without

/* "dump" a string. This is done when the type is unknown,
 * or the flags request it. We can either dump the content
 * octets or the entire DER encoding. This uses the RFC2253
 * #01234 format.
 */

static int
do_dump(unsigned long lflags, char_io *io_ch, void *arg, ASN1_STRING *str)
{
	/* Placing the ASN1_STRING in a temp ASN1_TYPE allows
	 * the DER encoding to readily obtained
	 */
	ASN1_TYPE t;
	unsigned char *der_buf, *p;
	int outlen, der_len;

 * ASN1_STRING taking note of various escape
 * and display options. Returns number of
 * characters written or -1 if an error
 * occurred.
 */

static int
do_print_ex(char_io *io_ch, void *arg, unsigned long lflags, ASN1_STRING *str)

{
	int outlen, len;
	int type;
	char quotes;
	unsigned char flags;

	quotes = 0;

	return 1;
}

#define FN_WIDTH_LN	25
#define FN_WIDTH_SN	10

static int
do_name_ex(char_io *io_ch, void *arg, X509_NAME *n, int indent,
    unsigned long flags)
{
	int i, prev = -1, orflags, cnt;
	int fn_opt, fn_nid;
	ASN1_OBJECT *fn;
	ASN1_STRING *val;
	X509_NAME_ENTRY *ent;

	}
	return outlen;
}

/* Wrappers round the main functions */

int
X509_NAME_print_ex(BIO *out, X509_NAME *nm, int indent, unsigned long flags)

{
	if (flags == XN_FLAG_COMPAT)
		return X509_NAME_print(out, nm, indent);
	return do_name_ex(send_bio_chars, out, nm, indent, flags);
}

int
X509_NAME_print_ex_fp(FILE *fp, X509_NAME *nm, int indent, unsigned long flags)

{
	if (flags == XN_FLAG_COMPAT) {
		BIO *btmp;
		int ret;
		btmp = BIO_new_fp(fp, BIO_NOCLOSE);
		if (!btmp)
			return -1;
		ret = X509_NAME_print(btmp, nm, indent);
		BIO_free(btmp);
		return ret;
	}
	return do_name_ex(send_fp_chars, fp, nm, indent, flags);
}

int
ASN1_STRING_print_ex(BIO *out, ASN1_STRING *str, unsigned long flags)
{
	return do_print_ex(send_bio_chars, out, flags, str);
}

int
ASN1_STRING_print_ex_fp(FILE *fp, ASN1_STRING *str, unsigned long flags)
{
	return do_print_ex(send_fp_chars, fp, flags, str);
}

/* Utility function: convert any string type to UTF8, returns number of bytes
 * in output string or a negative error code
 */

int
ASN1_STRING_to_UTF8(unsigned char **out, ASN1_STRING *in)
{
	ASN1_STRING stmp, *str = &stmp;
	int mbflag, type, ret;

	if (!in)
		return -1;
	type = in->type;

/* $OpenBSD: a_time_tm.c,v 1.14 2017/08/28 17:42:47 jsing Exp $ */
/*
 * Copyright (c) 2015 Bob Beck <beck@openbsd.org>
 *
 * Permission to use, copy, modify, and distribute this software for any
 * purpose with or without fee is hereby granted, provided that the above
 * copyright notice and this permission notice appear in all copies.
 *

ASN1_TIME *
ASN1_TIME_adj(ASN1_TIME *s, time_t t, int offset_day, long offset_sec)
{
	return (ASN1_TIME_adj_internal(s, t, offset_day, offset_sec, RFC5280));
}

int
ASN1_TIME_check(ASN1_TIME *t)
{
	if (t->type != V_ASN1_GENERALIZEDTIME && t->type != V_ASN1_UTCTIME)
		return (0);
	return (t->type == ASN1_time_parse(t->data, t->length, NULL, t->type));
}

ASN1_GENERALIZEDTIME *
ASN1_TIME_to_generalizedtime(ASN1_TIME *t, ASN1_GENERALIZEDTIME **out)
{
	ASN1_GENERALIZEDTIME *tmp = NULL;
	struct tm tm;
	char *str;

	if (t->type != V_ASN1_GENERALIZEDTIME && t->type != V_ASN1_UTCTIME)
		return (NULL);

}

/*
 * ASN1_UTCTIME wrappers
 */

int
ASN1_UTCTIME_check(ASN1_UTCTIME *d)
{
	if (d->type != V_ASN1_UTCTIME)
		return (0);
	return (d->type == ASN1_time_parse(d->data, d->length, NULL, d->type));
}

int

}

/*
 * ASN1_GENERALIZEDTIME wrappers
 */

int
ASN1_GENERALIZEDTIME_check(ASN1_GENERALIZEDTIME *d)
{
	if (d->type != V_ASN1_GENERALIZEDTIME)
		return (0);
	return (d->type == ASN1_time_parse(d->data, d->length, NULL, d->type));
}

int

/* $OpenBSD: a_type.c,v 1.19 2016/05/04 15:00:24 tedu Exp $ */
/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
 * This package is an SSL implementation written
 * by Eric Young (eay@cryptsoft.com).
 * The implementation was written so as to conform with Netscapes SSL.
 *

#include <stdio.h>

#include <openssl/asn1t.h>
#include <openssl/objects.h>

int
ASN1_TYPE_get(ASN1_TYPE *a)
{
	if ((a->value.ptr != NULL) || (a->type == V_ASN1_NULL))
		return (a->type);
	else
		return (0);
}

		ASN1_TYPE_set(a, type, sdup);
	}
	return 1;
}

/* Returns 0 if they are equal, != 0 otherwise. */
int
ASN1_TYPE_cmp(ASN1_TYPE *a, ASN1_TYPE *b)
{
	int result = -1;

	if (!a || !b || a->type != b->type)
		return -1;

	switch (a->type) {

/* $OpenBSD: ameth_lib.c,v 1.16 2017/01/21 04:31:25 jsing Exp $ */
/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
 * project 2006.
 */
/* ====================================================================
 * Copyright (c) 2006 The OpenSSL Project.  All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without

		*pinfo = ameth->info;
	if (ppem_str)
		*ppem_str = ameth->pem_str;
	return 1;
}

const EVP_PKEY_ASN1_METHOD*
EVP_PKEY_get0_asn1(EVP_PKEY *pkey)
{
	return pkey->ameth;
}

EVP_PKEY_ASN1_METHOD*
EVP_PKEY_asn1_new(int id, int flags, const char *pem_str, const char *info)
{
	EVP_PKEY_ASN1_METHOD *ameth;

	ameth = calloc(1, sizeof(EVP_PKEY_ASN1_METHOD));
	if (!ameth)
		return NULL;

	ameth->pkey_id = id;
	ameth->pkey_base_id = id;
	ameth->pkey_flags = flags | ASN1_PKEY_DYNAMIC;

	if (info) {
		ameth->info = strdup(info);
		if (!ameth->info)
			goto err;
	} else
		ameth->info = NULL;


	if (pem_str) {
		ameth->pem_str = strdup(pem_str);
		if (!ameth->pem_str)
			goto err;
	} else
		ameth->pem_str = NULL;

	ameth->pub_decode = 0;
	ameth->pub_encode = 0;
	ameth->pub_cmp = 0;
	ameth->pub_print = 0;

	ameth->priv_decode = 0;
	ameth->priv_encode = 0;
	ameth->priv_print = 0;

	ameth->old_priv_encode = 0;
	ameth->old_priv_decode = 0;

	ameth->item_verify = 0;
	ameth->item_sign = 0;

	ameth->pkey_size = 0;
	ameth->pkey_bits = 0;

	ameth->param_decode = 0;
	ameth->param_encode = 0;
	ameth->param_missing = 0;
	ameth->param_copy = 0;
	ameth->param_cmp = 0;
	ameth->param_print = 0;

	ameth->pkey_free = 0;
	ameth->pkey_ctrl = 0;

	return ameth;

err:
	EVP_PKEY_asn1_free(ameth);
	return NULL;
}

void
EVP_PKEY_asn1_copy(EVP_PKEY_ASN1_METHOD *dst, const EVP_PKEY_ASN1_METHOD *src)
{

	dst->param_decode = src->param_decode;
	dst->param_encode = src->param_encode;
	dst->param_missing = src->param_missing;
	dst->param_copy = src->param_copy;
	dst->param_cmp = src->param_cmp;
	dst->param_print = src->param_print;


	dst->pkey_free = src->pkey_free;
	dst->pkey_ctrl = src->pkey_ctrl;

	dst->item_sign = src->item_sign;
	dst->item_verify = src->item_verify;
}

	ameth->pub_print = pub_print;
	ameth->pkey_size = pkey_size;
	ameth->pkey_bits = pkey_bits;
}

void
EVP_PKEY_asn1_set_private(EVP_PKEY_ASN1_METHOD *ameth,
    int (*priv_decode)(EVP_PKEY *pk, PKCS8_PRIV_KEY_INFO *p8inf),
    int (*priv_encode)(PKCS8_PRIV_KEY_INFO *p8, const EVP_PKEY *pk),
    int (*priv_print)(BIO *out, const EVP_PKEY *pkey, int indent,
	ASN1_PCTX *pctx))
{
	ameth->priv_decode = priv_decode;
	ameth->priv_encode = priv_encode;
	ameth->priv_print = priv_print;

/* $OpenBSD: asn1_err.c,v 1.20 2017/01/29 17:49:22 beck Exp $ */
/* ====================================================================
 * Copyright (c) 1999-2011 The OpenSSL Project.  All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
 * are met:
 *

	{ERR_REASON(ASN1_R_MIME_SIG_PARSE_ERROR) , "mime sig parse error"},
	{ERR_REASON(ASN1_R_MISSING_EOC)          , "missing eoc"},
	{ERR_REASON(ASN1_R_MISSING_SECOND_NUMBER), "missing second number"},
	{ERR_REASON(ASN1_R_MISSING_VALUE)        , "missing value"},
	{ERR_REASON(ASN1_R_MSTRING_NOT_UNIVERSAL), "mstring not universal"},
	{ERR_REASON(ASN1_R_MSTRING_WRONG_TAG)    , "mstring wrong tag"},
	{ERR_REASON(ASN1_R_NESTED_ASN1_STRING)   , "nested asn1 string"},

	{ERR_REASON(ASN1_R_NON_HEX_CHARACTERS)   , "non hex characters"},
	{ERR_REASON(ASN1_R_NOT_ASCII_FORMAT)     , "not ascii format"},
	{ERR_REASON(ASN1_R_NOT_ENOUGH_DATA)      , "not enough data"},
	{ERR_REASON(ASN1_R_NO_CONTENT_TYPE)      , "no content type"},
	{ERR_REASON(ASN1_R_NO_DEFAULT_DIGEST)    , "no default digest"},
	{ERR_REASON(ASN1_R_NO_MATCHING_CHOICE_TYPE), "no matching choice type"},
	{ERR_REASON(ASN1_R_NO_MULTIPART_BODY_FAILURE), "no multipart body failure"},

/* $OpenBSD: asn1_gen.c,v 1.16 2017/01/29 17:49:22 beck Exp $ */
/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
 * project 2002.
 */
/* ====================================================================
 * Copyright (c) 2002 The OpenSSL Project.  All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without

    int exp_constructed, int exp_pad, int imp_ok);
static int parse_tagging(const char *vstart, int vlen, int *ptag, int *pclass);
static ASN1_TYPE *asn1_multi(int utype, const char *section, X509V3_CTX *cnf);
static ASN1_TYPE *asn1_str2type(const char *str, int format, int utype);
static int asn1_str2tag(const char *tagstr, int len);

ASN1_TYPE *
ASN1_generate_nconf(char *str, CONF *nconf)
{
	X509V3_CTX cnf;

	if (!nconf)
		return ASN1_generate_v3(str, NULL);

	X509V3_set_nconf(&cnf, nconf);
	return ASN1_generate_v3(str, &cnf);
}

ASN1_TYPE *
ASN1_generate_v3(char *str, X509V3_CTX *cnf)
{
	ASN1_TYPE *ret;
	tag_exp_arg asn1_tags;
	tag_exp_type *etmp;

	int i, len;

/* $OpenBSD: asn1_lib.c,v 1.40 2018/02/14 16:46:04 jsing Exp $ */
/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
 * This package is an SSL implementation written
 * by Eric Young (eay@cryptsoft.com).
 * The implementation was written so as to conform with Netscapes SSL.
 *

void
ASN1_STRING_length_set(ASN1_STRING *x, int len)
{
	x->length = len;
}

int
ASN1_STRING_type(ASN1_STRING *x)
{
	return (x->type);
}

unsigned char *
ASN1_STRING_data(ASN1_STRING *x)
{

/* $OpenBSD: asn1_locl.h,v 1.10 2017/08/27 01:39:26 beck Exp $ */
/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
 * project 2006.
 */
/* ====================================================================
 * Copyright (c) 2006 The OpenSSL Project.  All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without

	int (*pub_decode)(EVP_PKEY *pk, X509_PUBKEY *pub);
	int (*pub_encode)(X509_PUBKEY *pub, const EVP_PKEY *pk);
	int (*pub_cmp)(const EVP_PKEY *a, const EVP_PKEY *b);
	int (*pub_print)(BIO *out, const EVP_PKEY *pkey, int indent,
	    ASN1_PCTX *pctx);

	int (*priv_decode)(EVP_PKEY *pk, PKCS8_PRIV_KEY_INFO *p8inf);
	int (*priv_encode)(PKCS8_PRIV_KEY_INFO *p8, const EVP_PKEY *pk);
	int (*priv_print)(BIO *out, const EVP_PKEY *pkey, int indent,
	    ASN1_PCTX *pctx);

	int (*pkey_size)(const EVP_PKEY *pk);
	int (*pkey_bits)(const EVP_PKEY *pk);

/* $OpenBSD: asn_pack.c,v 1.16 2017/01/29 17:49:22 beck Exp $ */
/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
 * project 1999.
 */
/* ====================================================================
 * Copyright (c) 1999 The OpenSSL Project.  All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without

		ASN1_STRING_free(octmp);
	return NULL;
}

/* Extract an ASN1 object from an ASN1_STRING */

void *
ASN1_item_unpack(ASN1_STRING *oct, const ASN1_ITEM *it)
{
	const unsigned char *p;
	void *ret;

	p = oct->data;
	if (!(ret = ASN1_item_d2i(NULL, &p, oct->length, it)))
		ASN1error(ASN1_R_DECODE_ERROR);
	return ret;
}

/* $OpenBSD: bio_asn1.c,v 1.12 2015/12/23 01:46:33 mmcc Exp $ */
/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
 * project.
 */
/* ====================================================================
 * Copyright (c) 2006 The OpenSSL Project.  All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without

static int asn1_bio_init(BIO_ASN1_BUF_CTX *ctx, int size);
static int asn1_bio_flush_ex(BIO *b, BIO_ASN1_BUF_CTX *ctx,
    asn1_ps_func *cleanup, asn1_bio_state_t next);
static int asn1_bio_setup_ex(BIO *b, BIO_ASN1_BUF_CTX *ctx,
    asn1_ps_func *setup, asn1_bio_state_t ex_state,
    asn1_bio_state_t other_state);

static BIO_METHOD methods_asn1 = {
	.type = BIO_TYPE_ASN1,
	.name = "asn1",
	.bwrite = asn1_bio_write,
	.bread = asn1_bio_read,
	.bputs = asn1_bio_puts,
	.bgets = asn1_bio_gets,
	.ctrl = asn1_bio_ctrl,
	.create = asn1_bio_new,
	.destroy = asn1_bio_free,
	.callback_ctrl = asn1_bio_callback_ctrl
};

BIO_METHOD *
BIO_f_asn1(void)
{
	return (&methods_asn1);
}

static int
asn1_bio_new(BIO *b)

/* $OpenBSD: d2i_pr.c,v 1.15 2017/01/29 17:49:22 beck Exp $ */
/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
 * This package is an SSL implementation written
 * by Eric Young (eay@cryptsoft.com).
 * The implementation was written so as to conform with Netscapes SSL.
 *

		if ((ret = EVP_PKEY_new()) == NULL) {
			ASN1error(ERR_R_EVP_LIB);
			return (NULL);
		}
	} else {
		ret = *a;
#ifndef OPENSSL_NO_ENGINE
		if (ret->engine) {
			ENGINE_finish(ret->engine);
			ret->engine = NULL;
		}
#endif
	}

	if (!EVP_PKEY_set_type(ret, type)) {
		ASN1error(ASN1_R_UNKNOWN_PUBLIC_KEY_TYPE);
		goto err;
	}

/* $OpenBSD: evp_asn1.c,v 1.20 2017/11/28 16:51:21 jsing Exp $ */
/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
 * This package is an SSL implementation written
 * by Eric Young (eay@cryptsoft.com).
 * The implementation was written so as to conform with Netscapes SSL.
 *

		return (0);
	}
	ASN1_TYPE_set(a, V_ASN1_OCTET_STRING, os);
	return (1);
}

int
ASN1_TYPE_get_octetstring(ASN1_TYPE *a, unsigned char *data, int max_len)
{
	int ret, num;
	unsigned char *p;

	if ((a->type != V_ASN1_OCTET_STRING) ||
	    (a->value.octet_string == NULL)) {
		ASN1error(ASN1_R_DATA_IS_WRONG);

	ASN1_item_free((ASN1_VALUE *)ios, &ASN1_INT_OCTETSTRING_it);
	ASN1_STRING_free(sp);

	return ret;
}

int
ASN1_TYPE_get_int_octetstring(ASN1_TYPE *at, long *num, unsigned char *data,
    int max_len)
{
	ASN1_STRING *sp = at->value.sequence;
	ASN1_int_octetstring *ios = NULL;
	int ret = -1;
	int len;

/* $OpenBSD: f_enum.c,v 1.15 2017/01/29 17:49:22 beck Exp $ */
/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
 * This package is an SSL implementation written
 * by Eric Young (eay@cryptsoft.com).
 * The implementation was written so as to conform with Netscapes SSL.
 *

#include <openssl/asn1.h>
#include <openssl/buffer.h>
#include <openssl/err.h>

/* Based on a_int.c: equivalent ENUMERATED functions */

int
i2a_ASN1_ENUMERATED(BIO *bp, ASN1_ENUMERATED *a)
{
	int i, n = 0;
	static const char h[] = "0123456789ABCDEF";
	char buf[2];

	if (a == NULL)
		return (0);

/* $OpenBSD: f_int.c,v 1.18 2017/01/29 17:49:22 beck Exp $ */
/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
 * This package is an SSL implementation written
 * by Eric Young (eay@cryptsoft.com).
 * The implementation was written so as to conform with Netscapes SSL.
 *

#include <stdio.h>

#include <openssl/asn1.h>
#include <openssl/buffer.h>
#include <openssl/err.h>

int
i2a_ASN1_INTEGER(BIO *bp, ASN1_INTEGER *a)
{
	int i, n = 0;
	static const char h[] = "0123456789ABCDEF";
	char buf[2];

	if (a == NULL)
		return (0);

		i -= again;
		if (i % 2 != 0) {
			ASN1error(ASN1_R_ODD_NUMBER_OF_CHARS);
			goto err;
		}
		i /= 2;
		if (num + i > slen) {
			sp = OPENSSL_realloc_clean(s, slen, num + i);
			if (sp == NULL) {
				ASN1error(ERR_R_MALLOC_FAILURE);
				goto err;
			}
			s = sp;
			slen = num + i;
		}
		for (j = 0; j < i; j++, k += 2) {

/* $OpenBSD: f_string.c,v 1.17 2017/01/29 17:49:22 beck Exp $ */
/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
 * This package is an SSL implementation written
 * by Eric Young (eay@cryptsoft.com).
 * The implementation was written so as to conform with Netscapes SSL.
 *

#include <stdio.h>

#include <openssl/asn1.h>
#include <openssl/buffer.h>
#include <openssl/err.h>

int
i2a_ASN1_STRING(BIO *bp, ASN1_STRING *a, int type)
{
	int i, n = 0;
	static const char h[] = "0123456789ABCDEF";
	char buf[2];

	if (a == NULL)
		return (0);

/* $OpenBSD: n_pkey.c,v 1.31 2017/01/29 17:49:22 beck Exp $ */
/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
 * This package is an SSL implementation written
 * by Eric Young (eay@cryptsoft.com).
 * The implementation was written so as to conform with Netscapes SSL.
 *

	i2d_RSAPrivateKey(a, &zz);

	if ((zz = malloc(pkeylen)) == NULL) {
		ASN1error(ERR_R_MALLOC_FAILURE);
		goto err;
	}


	if (!ASN1_STRING_set(enckey->os, "private-key", -1)) {
		ASN1error(ERR_R_MALLOC_FAILURE);
		goto err;
	}
	enckey->enckey->digest->data = zz;
	i2d_NETSCAPE_PKEY(pkey, &zz);

	/* Wipe the private key encoding */
	explicit_bzero(pkey->private_key->data, rsalen);

	if (cb == NULL)
		cb = EVP_read_pw_string;

/* $OpenBSD: p8_pkey.c,v 1.17 2015/09/10 15:56:25 jsing Exp $ */
/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
 * project 1999.
 */
/* ====================================================================
 * Copyright (c) 1999-2005 The OpenSSL Project.  All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without

/* Minor tweak to operation: zero private key data */
static int
pkey_cb(int operation, ASN1_VALUE **pval, const ASN1_ITEM *it, void *exarg)
{
	/* Since the structure must still be valid use ASN1_OP_FREE_PRE */
	if (operation == ASN1_OP_FREE_PRE) {
		PKCS8_PRIV_KEY_INFO *key = (PKCS8_PRIV_KEY_INFO *)*pval;
		if (key->pkey != NULL &&
		    key->pkey->type == V_ASN1_OCTET_STRING &&
		    key->pkey->value.octet_string != NULL)
			explicit_bzero(key->pkey->value.octet_string->data,
			    key->pkey->value.octet_string->length);
	}
	return 1;
}

static const ASN1_AUX PKCS8_PRIV_KEY_INFO_aux = {
	.asn1_cb = pkey_cb,
};

		.offset = offsetof(PKCS8_PRIV_KEY_INFO, pkeyalg),
		.field_name = "pkeyalg",
		.item = &X509_ALGOR_it,
	},
	{
		.offset = offsetof(PKCS8_PRIV_KEY_INFO, pkey),
		.field_name = "pkey",
		.item = &ASN1_ANY_it,
	},
	{
		.flags = ASN1_TFLG_IMPLICIT | ASN1_TFLG_SET_OF | ASN1_TFLG_OPTIONAL,
		.offset = offsetof(PKCS8_PRIV_KEY_INFO, attributes),
		.field_name = "attributes",
		.item = &X509_ATTRIBUTE_it,
	},

	ASN1_item_free((ASN1_VALUE *)a, &PKCS8_PRIV_KEY_INFO_it);
}

int
PKCS8_pkey_set0(PKCS8_PRIV_KEY_INFO *priv, ASN1_OBJECT *aobj, int version,
    int ptype, void *pval, unsigned char *penc, int penclen)
{
	unsigned char **ppenc = NULL;

	if (version >= 0) {
		if (!ASN1_INTEGER_set(priv->version, version))
			return 0;
	}


	if (penc) {
		int pmtype;
		ASN1_OCTET_STRING *oct;
		oct = ASN1_OCTET_STRING_new();
		if (!oct)
			return 0;

		oct->data = penc;




		ppenc = &oct->data;
		oct->length = penclen;
		if (priv->broken == PKCS8_NO_OCTET)
			pmtype = V_ASN1_SEQUENCE;
		else
			pmtype = V_ASN1_OCTET_STRING;
		ASN1_TYPE_set(priv->pkey, pmtype, oct);
	}
	if (!X509_ALGOR_set0(priv->pkeyalg, aobj, ptype, pval)) {
		/* If call fails do not swallow 'enc' */
		if (ppenc)
			*ppenc = NULL;
		return 0;
	}




	return 1;
}

int
PKCS8_pkey_get0(ASN1_OBJECT **ppkalg, const unsigned char **pk, int *ppklen,
    X509_ALGOR **pa, PKCS8_PRIV_KEY_INFO *p8)

{
	if (ppkalg)
		*ppkalg = p8->pkeyalg->algorithm;
	if (p8->pkey->type == V_ASN1_OCTET_STRING) {
		p8->broken = PKCS8_OK;
		if (pk) {
			*pk = p8->pkey->value.octet_string->data;
			*ppklen = p8->pkey->value.octet_string->length;
		}
	} else if (p8->pkey->type == V_ASN1_SEQUENCE) {
		p8->broken = PKCS8_NO_OCTET;
		if (pk) {
			*pk = p8->pkey->value.sequence->data;
			*ppklen = p8->pkey->value.sequence->length;
		}
	} else
		return 0;
	if (pa)
		*pa = p8->pkeyalg;
	return 1;
}

/* $OpenBSD: t_bitst.c,v 1.7 2014/07/11 08:44:47 jsing Exp $ */
/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
 * project 1999.
 */
/* ====================================================================
 * Copyright (c) 1999 The OpenSSL Project.  All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without

		}
	}
	BIO_puts(out, "\n");
	return 1;
}

int
ASN1_BIT_STRING_set_asc(ASN1_BIT_STRING *bs, char *name, int value,
    BIT_STRING_BITNAME *tbl)
{
	int bitnum;

	bitnum = ASN1_BIT_STRING_num_asc(name, tbl);
	if (bitnum < 0)
		return 0;
	if (bs) {
		if (!ASN1_BIT_STRING_set_bit(bs, bitnum, value))
			return 0;
	}
	return 1;
}

int
ASN1_BIT_STRING_num_asc(char *name, BIT_STRING_BITNAME *tbl)
{
	BIT_STRING_BITNAME *bnam;

	for (bnam = tbl; bnam->lname; bnam++) {
		if (!strcmp(bnam->sname, name) ||
		    !strcmp(bnam->lname, name))
			return bnam->bitnum;
	}
	return -1;
}

/* $OpenBSD: t_x509.c,v 1.28 2017/04/03 15:52:59 beck Exp $ */
/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
 * This package is an SSL implementation written
 * by Eric Young (eay@cryptsoft.com).
 * The implementation was written so as to conform with Netscapes SSL.
 *

	ret = 1;

err:
	free(m);
	return (ret);
}


int X509_ocspid_print (BIO *bp, X509 *x)
{
	unsigned char *der = NULL;
	unsigned char *dertmp;
	int derlen;
	int i;
	unsigned char SHA1md[SHA_DIGEST_LENGTH];

	if (BIO_write(bp, "\n", 1) != 1)
		return 0;

	return 1;
}

int
X509_signature_print(BIO *bp, X509_ALGOR *sigalg, ASN1_STRING *sig)
{
	int sig_nid;
	if (BIO_puts(bp, "    Signature Algorithm: ") <= 0)
		return 0;
	if (i2a_ASN1_OBJECT(bp, sigalg->algorithm) <= 0)
		return 0;

	if (tm->type == V_ASN1_GENERALIZEDTIME)
		return ASN1_GENERALIZEDTIME_print(bp, tm);
	BIO_write(bp, "Bad time value", 14);
	return (0);
}

static const char *mon[12] = {
	"Jan", "Feb", "Mar", "Apr", "May", "Jun", 
	"Jul", "Aug", "Sep", "Oct", "Nov", "Dec"
};

int
ASN1_GENERALIZEDTIME_print(BIO *bp, const ASN1_GENERALIZEDTIME *tm)
{
	char *v;

err:
	BIO_write(bp, "Bad time value", 14);
	return (0);
}

int
X509_NAME_print(BIO *bp, X509_NAME *name, int obase)
{
	char *s, *c, *b;
	int ret = 0, l, i;

	l = 80 - 2 - obase;

	b = X509_NAME_oneline(name, NULL, 0);

/* $OpenBSD: tasn_dec.c,v 1.34 2017/01/29 17:49:22 beck Exp $ */
/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
 * project 2000.
 */
/* ====================================================================
 * Copyright (c) 2000-2005 The OpenSSL Project.  All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without

#include <stddef.h>
#include <string.h>
#include <openssl/asn1.h>
#include <openssl/asn1t.h>
#include <openssl/objects.h>
#include <openssl/buffer.h>
#include <openssl/err.h>







static int asn1_check_eoc(const unsigned char **in, long len);
static int asn1_find_end(const unsigned char **in, long len, char inf);

static int asn1_collect(BUF_MEM *buf, const unsigned char **in, long len,
    char inf, int tag, int aclass, int depth);

static int collect_data(BUF_MEM *buf, const unsigned char **p, long plen);

static int asn1_check_tlen(long *olen, int *otag, unsigned char *oclass,
    char *inf, char *cst, const unsigned char **in, long len, int exptag,
    int expclass, char opt, ASN1_TLC *ctx);

static int asn1_template_ex_d2i(ASN1_VALUE **pval, const unsigned char **in,
    long len, const ASN1_TEMPLATE *tt, char opt, ASN1_TLC *ctx);
static int asn1_template_noexp_d2i(ASN1_VALUE **val, const unsigned char **in,
    long len, const ASN1_TEMPLATE *tt, char opt, ASN1_TLC *ctx);
static int asn1_d2i_ex_primitive(ASN1_VALUE **pval, const unsigned char **in,
    long len, const ASN1_ITEM *it, int tag, int aclass, char opt,
    ASN1_TLC *ctx);

/* Table to convert tags to bit values, used for MSTRING type */
static const unsigned long tag2bit[32] = {
	0,	0,	0,	B_ASN1_BIT_STRING,	/* tags  0 -  3 */

int
ASN1_template_d2i(ASN1_VALUE **pval, const unsigned char **in, long len,
    const ASN1_TEMPLATE *tt)
{
	ASN1_TLC c;

	asn1_tlc_clear_nc(&c);
	return asn1_template_ex_d2i(pval, in, len, tt, 0, &c);
}


/* Decode an item, taking care of IMPLICIT tagging, if any.
 * If 'opt' set and tag mismatch return -1 to handle OPTIONAL
 */

int
ASN1_item_ex_d2i(ASN1_VALUE **pval, const unsigned char **in, long len,
    const ASN1_ITEM *it, int tag, int aclass, char opt, ASN1_TLC *ctx)

{
	const ASN1_TEMPLATE *tt, *errtt = NULL;
	const ASN1_EXTERN_FUNCS *ef;
	const ASN1_AUX *aux = it->funcs;
	ASN1_aux_cb *asn1_cb;
	const unsigned char *p = NULL, *q;
	unsigned char oclass;
	char seq_eoc, seq_nolen, cst, isopt;
	long tmplen;
	int i;
	int otag;
	int ret = 0;
	ASN1_VALUE **pchptr;
	int combine;

	combine = aclass & ASN1_TFLG_COMBINE;
	aclass &= ~ASN1_TFLG_COMBINE;

	if (!pval)
		return 0;

	if (aux && aux->asn1_cb)
		asn1_cb = aux->asn1_cb;
	else


		asn1_cb = 0;


	switch (it->itype) {
	case ASN1_ITYPE_PRIMITIVE:
		if (it->templates) {
			/* tagging or OPTIONAL is currently illegal on an item
			 * template because the flags can't get passed down.
			 * In practice this isn't a problem: we include the
			 * relevant flags from the item template in the
			 * template itself.
			 */
			if ((tag != -1) || opt) {
				ASN1error(ASN1_R_ILLEGAL_OPTIONS_ON_ITEM_TEMPLATE);
				goto err;
			}
			return asn1_template_ex_d2i(pval, in, len,
			    it->templates, opt, ctx);
		}
		return asn1_d2i_ex_primitive(pval, in, len, it,
		    tag, aclass, opt, ctx);
		break;

	case ASN1_ITYPE_MSTRING:
		p = *in;

		/* CHOICE type, try each possibility in turn */
		p = *in;
		for (i = 0, tt = it->templates; i < it->tcount; i++, tt++) {
			pchptr = asn1_get_field_ptr(pval, tt);
			/* We mark field as OPTIONAL so its absence
			 * can be recognised.
			 */
			ret = asn1_template_ex_d2i(pchptr, &p, len, tt, 1, ctx);

			/* If field not present, try the next one */
			if (ret == -1)
				continue;
			/* If positive return, read OK, break loop */
			if (ret > 0)
				break;
			/* Otherwise must be an ASN1 parsing error */

				isopt = 0;
			else
				isopt = (char)(seqtt->flags & ASN1_TFLG_OPTIONAL);
			/* attempt to read in field, allowing each to be
			 * OPTIONAL */

			ret = asn1_template_ex_d2i(pseqval, &p, len,
			    seqtt, isopt, ctx);
			if (!ret) {
				errtt = seqtt;
				goto err;
			} else if (ret == -1) {
				/* OPTIONAL component absent.
				 * Free and zero the field.
				 */

	if (errtt)
		ERR_asprintf_error_data("Field=%s, Type=%s", errtt->field_name,
		    it->sname);
	else
		ERR_asprintf_error_data("Type=%s", it->sname);
	return 0;
}








/* Templates are handled with two separate functions.
 * One handles any EXPLICIT tag and the other handles the rest.
 */

static int
asn1_template_ex_d2i(ASN1_VALUE **val, const unsigned char **in, long inlen,
    const ASN1_TEMPLATE *tt, char opt, ASN1_TLC *ctx)
{
	int flags, aclass;
	int ret;
	long len;
	const unsigned char *p, *q;
	char exp_eoc;

		} else if (ret == -1)
			return -1;
		if (!cst) {
			ASN1error(ASN1_R_EXPLICIT_TAG_NOT_CONSTRUCTED);
			return 0;
		}
		/* We've found the field so it can't be OPTIONAL now */
		ret = asn1_template_noexp_d2i(val, &p, len, tt, 0, ctx);
		if (!ret) {
			ASN1error(ERR_R_NESTED_ASN1_ERROR);
			return 0;
		}
		/* We read the field in OK so update length */
		len -= p - q;
		if (exp_eoc) {

			 * an error */
			if (len) {
				ASN1error(ASN1_R_EXPLICIT_LENGTH_MISMATCH);
				goto err;
			}
		}
	} else
		return asn1_template_noexp_d2i(val, in, inlen, tt, opt, ctx);


	*in = p;
	return 1;

err:
	ASN1_template_free(val, tt);
	return 0;
}

static int
asn1_template_noexp_d2i(ASN1_VALUE **val, const unsigned char **in, long len,
    const ASN1_TEMPLATE *tt, char opt, ASN1_TLC *ctx)
{
	int flags, aclass;
	int ret;
	const unsigned char *p, *q;

	if (!val)
		return 0;

					goto err;
				}
				len -= p - q;
				sk_eoc = 0;
				break;
			}
			skfield = NULL;
			if (!ASN1_item_ex_d2i(&skfield, &p, len,
			    tt->item, -1, 0, 0, ctx)) {
				ASN1error(ERR_R_NESTED_ASN1_ERROR);
				goto err;
			}
			len -= p - q;
			if (!sk_ASN1_VALUE_push((STACK_OF(ASN1_VALUE) *)*val,
			    skfield)) {
				ASN1error(ERR_R_MALLOC_FAILURE);
				goto err;
			}
		}
		if (sk_eoc) {
			ASN1error(ASN1_R_MISSING_EOC);
			goto err;
		}
	} else if (flags & ASN1_TFLG_IMPTAG) {
		/* IMPLICIT tagging */
		ret = ASN1_item_ex_d2i(val, &p, len,
		    tt->item, tt->tag, aclass, opt, ctx);
		if (!ret) {
			ASN1error(ERR_R_NESTED_ASN1_ERROR);
			goto err;
		} else if (ret == -1)
			return -1;
	} else {
		/* Nothing special */
		ret = ASN1_item_ex_d2i(val, &p, len, tt->item,
		    -1, tt->flags & ASN1_TFLG_COMBINE, opt, ctx);
		if (!ret) {
			ASN1error(ERR_R_NESTED_ASN1_ERROR);
			goto err;
		} else if (ret == -1)
			return -1;
	}

/* $OpenBSD: tasn_fre.c,v 1.15 2016/12/30 16:04:34 jsing Exp $ */
/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
 * project 2000.
 */
/* ====================================================================
 * Copyright (c) 2000 The OpenSSL Project.  All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without

{
	const ASN1_TEMPLATE *tt = NULL, *seqtt;
	const ASN1_EXTERN_FUNCS *ef;
	const ASN1_AUX *aux = it->funcs;
	ASN1_aux_cb *asn1_cb = NULL;
	int i;

	if (pval == NULL || *pval == NULL)



		return;

	if (aux != NULL && aux->asn1_cb != NULL)
		asn1_cb = aux->asn1_cb;

	switch (it->itype) {
	case ASN1_ITYPE_PRIMITIVE:

/* $OpenBSD: tasn_prn.c,v 1.16 2017/01/29 17:49:22 beck Exp $ */
/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
 * project 2000.
 */
/* ====================================================================
 * Copyright (c) 2000,2005 The OpenSSL Project.  All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without

void
ASN1_PCTX_free(ASN1_PCTX *p)
{
	free(p);
}

unsigned long
ASN1_PCTX_get_flags(ASN1_PCTX *p)
{
	return p->flags;
}

void
ASN1_PCTX_set_flags(ASN1_PCTX *p, unsigned long flags)
{
	p->flags = flags;
}

unsigned long
ASN1_PCTX_get_nm_flags(ASN1_PCTX *p)
{
	return p->nm_flags;
}

void
ASN1_PCTX_set_nm_flags(ASN1_PCTX *p, unsigned long flags)
{
	p->nm_flags = flags;
}

unsigned long
ASN1_PCTX_get_cert_flags(ASN1_PCTX *p)
{
	return p->cert_flags;
}

void
ASN1_PCTX_set_cert_flags(ASN1_PCTX *p, unsigned long flags)
{
	p->cert_flags = flags;
}

unsigned long
ASN1_PCTX_get_oid_flags(ASN1_PCTX *p)
{
	return p->oid_flags;
}

void
ASN1_PCTX_set_oid_flags(ASN1_PCTX *p, unsigned long flags)
{
	p->oid_flags = flags;
}

unsigned long
ASN1_PCTX_get_str_flags(ASN1_PCTX *p)
{
	return p->str_flags;
}

void
ASN1_PCTX_set_str_flags(ASN1_PCTX *p, unsigned long flags)
{

/* $OpenBSD: x_algor.c,v 1.21 2015/07/24 15:09:52 jsing Exp $ */
/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
 * project 2000.
 */
/* ====================================================================
 * Copyright (c) 2000 The OpenSSL Project.  All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without

		}
	} else
		ASN1_TYPE_set(alg->parameter, ptype, pval);
	return 1;
}

void
X509_ALGOR_get0(ASN1_OBJECT **paobj, int *pptype, void **ppval,
    X509_ALGOR *algor)
{
	if (paobj)
		*paobj = algor->algorithm;
	if (pptype) {
		if (algor->parameter == NULL) {
			*pptype = V_ASN1_UNDEF;
			return;

/* $OpenBSD: x_crl.c,v 1.30 2018/03/17 14:33:20 jsing Exp $ */
/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
 * This package is an SSL implementation written
 * by Eric Young (eay@cryptsoft.com).
 * The implementation was written so as to conform with Netscapes SSL.
 *

	m->flags = X509_CRL_METHOD_DYNAMIC;
	return m;
}

void
X509_CRL_METHOD_free(X509_CRL_METHOD *m)
{


	if (!(m->flags & X509_CRL_METHOD_DYNAMIC))
		return;
	free(m);
}

void
X509_CRL_set_meth_data(X509_CRL *crl, void *dat)

}

const STACK_OF(X509_EXTENSION) *
X509_CRL_get0_extensions(const X509_CRL *crl)
{
	return crl->crl->extensions;
}







const ASN1_TIME *
X509_CRL_get0_lastUpdate(const X509_CRL *crl)
{






	return crl->crl->lastUpdate;
}

const ASN1_TIME *
X509_CRL_get0_nextUpdate(const X509_CRL *crl)
{
	return crl->crl->nextUpdate;
}



















void
X509_CRL_get0_signature(const X509_CRL *crl, const ASN1_BIT_STRING **psig,
    const X509_ALGOR **palg)
{
	if (psig != NULL)
		*psig = crl->signature;
	if (palg != NULL)
		*palg = crl->sig_alg;
}

/* $OpenBSD: x_x509a.c,v 1.14 2015/02/14 15:28:39 miod Exp $ */
/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
 * project 1999.
 */
/* ====================================================================
 * Copyright (c) 1999 The OpenSSL Project.  All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without

		return NULL;
	if (!x->aux && !(x->aux = X509_CERT_AUX_new()))
		return NULL;
	return x->aux;
}

int
X509_alias_set1(X509 *x, unsigned char *name, int len)
{
	X509_CERT_AUX *aux;
	if (!name) {
		if (!x || !x->aux || !x->aux->alias)
			return 1;
		ASN1_UTF8STRING_free(x->aux->alias);
		x->aux->alias = NULL;
		return 1;
	}
	if (!(aux = aux_get(x)))
		return 0;
	if (!aux->alias && !(aux->alias = ASN1_UTF8STRING_new()))
		return 0;
	return ASN1_STRING_set(aux->alias, name, len);
}

int
X509_keyid_set1(X509 *x, unsigned char *id, int len)
{
	X509_CERT_AUX *aux;
	if (!id) {
		if (!x || !x->aux || !x->aux->keyid)
			return 1;
		ASN1_OCTET_STRING_free(x->aux->keyid);
		x->aux->keyid = NULL;

		return NULL;
	if (len)
		*len = x->aux->keyid->length;
	return x->aux->keyid->data;
}

int
X509_add1_trust_object(X509 *x, ASN1_OBJECT *obj)
{
	X509_CERT_AUX *aux;
	ASN1_OBJECT *objtmp;
	int rc;

	if (!(objtmp = OBJ_dup(obj)))
		return 0;

err:
	ASN1_OBJECT_free(objtmp);
	return 0;
}

int
X509_add1_reject_object(X509 *x, ASN1_OBJECT *obj)
{
	X509_CERT_AUX *aux;
	ASN1_OBJECT *objtmp;
	int rc;

	if (!(objtmp = OBJ_dup(obj)))
		return 0;

/* $OpenBSD: bf_buff.c,v 1.24 2017/01/29 17:49:22 beck Exp $ */
/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
 * This package is an SSL implementation written
 * by Eric Young (eay@cryptsoft.com).
 * The implementation was written so as to conform with Netscapes SSL.
 *

static int buffer_gets(BIO *h, char *str, int size);
static long buffer_ctrl(BIO *h, int cmd, long arg1, void *arg2);
static int buffer_new(BIO *h);
static int buffer_free(BIO *data);
static long buffer_callback_ctrl(BIO *h, int cmd, bio_info_cb *fp);
#define DEFAULT_BUFFER_SIZE	4096

static BIO_METHOD methods_buffer = {
	.type = BIO_TYPE_BUFFER,
	.name = "buffer",
	.bwrite = buffer_write,
	.bread = buffer_read,
	.bputs = buffer_puts,
	.bgets = buffer_gets,
	.ctrl = buffer_ctrl,
	.create = buffer_new,
	.destroy = buffer_free,
	.callback_ctrl = buffer_callback_ctrl
};

BIO_METHOD *
BIO_f_buffer(void)
{
	return (&methods_buffer);
}

static int
buffer_new(BIO *bi)

/* $OpenBSD: bf_nbio.c,v 1.19 2015/02/07 13:19:15 doug Exp $ */
/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
 * This package is an SSL implementation written
 * by Eric Young (eay@cryptsoft.com).
 * The implementation was written so as to conform with Netscapes SSL.
 *

typedef struct nbio_test_st {
	/* only set if we sent a 'should retry' error */
	int lrn;
	int lwn;
} NBIO_TEST;

static BIO_METHOD methods_nbiof = {
	.type = BIO_TYPE_NBIO_TEST,
	.name = "non-blocking IO test filter",
	.bwrite = nbiof_write,
	.bread = nbiof_read,
	.bputs = nbiof_puts,
	.bgets = nbiof_gets,
	.ctrl = nbiof_ctrl,
	.create = nbiof_new,
	.destroy = nbiof_free,
	.callback_ctrl = nbiof_callback_ctrl
};

BIO_METHOD *
BIO_f_nbio_test(void)
{
	return (&methods_nbiof);
}

static int
nbiof_new(BIO *bi)

/* $OpenBSD: bf_null.c,v 1.11 2014/07/11 08:44:47 jsing Exp $ */
/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
 * This package is an SSL implementation written
 * by Eric Young (eay@cryptsoft.com).
 * The implementation was written so as to conform with Netscapes SSL.
 *

static int nullf_puts(BIO *h, const char *str);
static int nullf_gets(BIO *h, char *str, int size);
static long nullf_ctrl(BIO *h, int cmd, long arg1, void *arg2);
static int nullf_new(BIO *h);
static int nullf_free(BIO *data);
static long nullf_callback_ctrl(BIO *h, int cmd, bio_info_cb *fp);

static BIO_METHOD methods_nullf = {
	.type = BIO_TYPE_NULL_FILTER,
	.name = "NULL filter",
	.bwrite = nullf_write,
	.bread = nullf_read,
	.bputs = nullf_puts,
	.bgets = nullf_gets,
	.ctrl = nullf_ctrl,
	.create = nullf_new,
	.destroy = nullf_free,
	.callback_ctrl = nullf_callback_ctrl
};

BIO_METHOD *
BIO_f_null(void)
{
	return (&methods_nullf);
}

static int
nullf_new(BIO *bi)

/* $OpenBSD: bio_lib.c,v 1.27 2018/02/22 16:38:43 jsing Exp $ */
/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
 * This package is an SSL implementation written
 * by Eric Young (eay@cryptsoft.com).
 * The implementation was written so as to conform with Netscapes SSL.
 *

	if (index > 255)
		return -1;

	return index;
}

BIO *
BIO_new(BIO_METHOD *method)
{
	BIO *ret = NULL;

	ret = malloc(sizeof(BIO));
	if (ret == NULL) {
		BIOerror(ERR_R_MALLOC_FAILURE);
		return (NULL);
	}
	if (!BIO_set(ret, method)) {
		free(ret);
		ret = NULL;
	}
	return (ret);
}

int
BIO_set(BIO *bio, BIO_METHOD *method)
{
	bio->method = method;
	bio->callback = NULL;
	bio->cb_arg = NULL;
	bio->init = 0;
	bio->shutdown = 1;
	bio->flags = 0;

/*	$OpenBSD: bio_meth.c,v 1.5 2018/02/20 18:51:35 tb Exp $	*/
/*
 * Copyright (c) 2018 Theo Buehler <tb@openbsd.org>
 *
 * Permission to use, copy, modify, and distribute this software for any
 * purpose with or without fee is hereby granted, provided that the above
 * copyright notice and this permission notice appear in all copies.
 *

void
BIO_meth_free(BIO_METHOD *biom)
{
	free(biom);
}

int
(*BIO_meth_get_write(BIO_METHOD *biom))(BIO *, const char *, int)
{
	return biom->bwrite;
}

int
BIO_meth_set_write(BIO_METHOD *biom, int (*write)(BIO *, const char *, int))
{
	biom->bwrite = write;
	return 1;
}

int
(*BIO_meth_get_read(BIO_METHOD *biom))(BIO *, char *, int)
{
	return biom->bread;
}

int
BIO_meth_set_read(BIO_METHOD *biom, int (*read)(BIO *, char *, int))
{
	biom->bread = read;
	return 1;
}

int
(*BIO_meth_get_puts(BIO_METHOD *biom))(BIO *, const char *)
{
	return biom->bputs;
}

int
BIO_meth_set_puts(BIO_METHOD *biom, int (*puts)(BIO *, const char *))
{
	biom->bputs = puts;
	return 1;
}

int
(*BIO_meth_get_gets(BIO_METHOD *biom))(BIO *, char *, int)
{
	return biom->bgets;
}

int
BIO_meth_set_gets(BIO_METHOD *biom, int (*gets)(BIO *, char *, int))
{
	biom->bgets = gets;
	return 1;
}

long
(*BIO_meth_get_ctrl(BIO_METHOD *biom))(BIO *, int, long, void *)
{
	return biom->ctrl;
}

int
BIO_meth_set_ctrl(BIO_METHOD *biom, long (*ctrl)(BIO *, int, long, void *))
{
	biom->ctrl = ctrl;
	return 1;
}

int
(*BIO_meth_get_create(BIO_METHOD *biom))(BIO *)
{
	return biom->create;
}

int
BIO_meth_set_create(BIO_METHOD *biom, int (*create)(BIO *))
{
	biom->create = create;
	return 1;
}

int
(*BIO_meth_get_destroy(BIO_METHOD *biom))(BIO *)
{
	return biom->destroy;
}

int
BIO_meth_set_destroy(BIO_METHOD *biom, int (*destroy)(BIO *))
{
	biom->destroy = destroy;
	return 1;
}

long
(*BIO_meth_get_callback_ctrl(BIO_METHOD *biom))(BIO *, int, BIO_info_cb *)
{
	return
	    (long (*)(BIO *, int, BIO_info_cb *))biom->callback_ctrl; /* XXX */
}

int
BIO_meth_set_callback_ctrl(BIO_METHOD *biom,
    long (*callback_ctrl)(BIO *, int, BIO_info_cb *))
{
	biom->callback_ctrl =
	    (long (*)(BIO *, int, bio_info_cb *))callback_ctrl;	/* XXX */
	return 1;
}

/* $OpenBSD: bss_acpt.c,v 1.27 2017/01/29 17:49:22 beck Exp $ */
/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
 * This package is an SSL implementation written
 * by Eric Young (eay@cryptsoft.com).
 * The implementation was written so as to conform with Netscapes SSL.
 * 

static BIO_ACCEPT *BIO_ACCEPT_new(void );
static void BIO_ACCEPT_free(BIO_ACCEPT *a);

#define ACPT_S_BEFORE			1
#define ACPT_S_GET_ACCEPT_SOCKET	2
#define ACPT_S_OK			3

static BIO_METHOD methods_acceptp = {
	.type = BIO_TYPE_ACCEPT,
	.name = "socket accept",
	.bwrite = acpt_write,
	.bread = acpt_read,
	.bputs = acpt_puts,
	.ctrl = acpt_ctrl,
	.create = acpt_new,
	.destroy = acpt_free
};

BIO_METHOD *
BIO_s_accept(void)
{
	return (&methods_acceptp);
}

static int
acpt_new(BIO *bi)

	n = strlen(str);
	ret = acpt_write(bp, str, n);
	return (ret);
}

BIO *
BIO_new_accept(char *str)
{
	BIO *ret;

	ret = BIO_new(BIO_s_accept());
	if (ret == NULL)
		return (NULL);
	if (BIO_set_accept_port(ret, str))

/* $OpenBSD: bss_bio.c,v 1.23 2017/01/29 17:49:22 beck Exp $ */
/* ====================================================================
 * Copyright (c) 1998-2003 The OpenSSL Project.  All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
 * are met:
 *

static int bio_write(BIO *bio, const char *buf, int num);
static long bio_ctrl(BIO *bio, int cmd, long num, void *ptr);
static int bio_puts(BIO *bio, const char *str);

static int bio_make_pair(BIO *bio1, BIO *bio2);
static void bio_destroy_pair(BIO *bio);

static BIO_METHOD methods_biop = {
	.type = BIO_TYPE_BIO,
	.name = "BIO pair",
	.bwrite = bio_write,
	.bread = bio_read,
	.bputs = bio_puts,
	.ctrl = bio_ctrl,
	.create = bio_new,
	.destroy = bio_free
};

BIO_METHOD *
BIO_s_bio(void)
{
	return &methods_biop;
}

struct bio_bio_st {
	BIO *peer;	/* NULL if buf == NULL.

/* $OpenBSD: bss_conn.c,v 1.33 2017/01/29 17:49:22 beck Exp $ */
/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
 * This package is an SSL implementation written
 * by Eric Young (eay@cryptsoft.com).
 * The implementation was written so as to conform with Netscapes SSL.
 * 

static long conn_callback_ctrl(BIO *h, int cmd, bio_info_cb *);

static int conn_state(BIO *b, BIO_CONNECT *c);
static void conn_close_socket(BIO *data);
BIO_CONNECT *BIO_CONNECT_new(void);
void BIO_CONNECT_free(BIO_CONNECT *a);

static BIO_METHOD methods_connectp = {
	.type = BIO_TYPE_CONNECT,
	.name = "socket connect",
	.bwrite = conn_write,
	.bread = conn_read,
	.bputs = conn_puts,
	.ctrl = conn_ctrl,
	.create = conn_new,

		return;

	free(a->param_hostname);
	free(a->param_port);
	free(a);
}

BIO_METHOD *
BIO_s_connect(void)
{
	return (&methods_connectp);
}

static int
conn_new(BIO *bi)

	n = strlen(str);
	ret = conn_write(bp, str, n);
	return (ret);
}

BIO *
BIO_new_connect(char *str)
{
	BIO *ret;

	ret = BIO_new(BIO_s_connect());
	if (ret == NULL)
		return (NULL);
	if (BIO_set_conn_hostname(ret, str))

/* $OpenBSD: bss_dgram.c,v 1.41 2015/07/20 23:15:28 doug Exp $ */
/* 
 * DTLS implementation written by Nagendra Modadugu
 * (nagendra@cs.stanford.edu) for the OpenSSL project 2005.  
 */
/* ====================================================================
 * Copyright (c) 1999-2005 The OpenSSL Project.  All rights reserved.
 *

static int dgram_new(BIO *h);
static int dgram_free(BIO *data);
static int dgram_clear(BIO *bio);


static int BIO_dgram_should_retry(int s);

static BIO_METHOD methods_dgramp = {
	.type = BIO_TYPE_DGRAM,
	.name = "datagram socket",
	.bwrite = dgram_write,
	.bread = dgram_read,
	.bputs = dgram_puts,
	.ctrl = dgram_ctrl,
	.create = dgram_new,

	unsigned int _errno;
	unsigned int mtu;
	struct timeval next_timeout;
	struct timeval socket_timeout;
} bio_dgram_data;


BIO_METHOD *
BIO_s_datagram(void)
{
	return (&methods_dgramp);
}

BIO *
BIO_new_dgram(int fd, int close_flag)

/* $OpenBSD: bss_fd.c,v 1.18 2015/02/12 03:54:07 jsing Exp $ */
/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
 * This package is an SSL implementation written
 * by Eric Young (eay@cryptsoft.com).
 * The implementation was written so as to conform with Netscapes SSL.
 * 

static int fd_puts(BIO *h, const char *str);
static int fd_gets(BIO *h, char *buf, int size);
static long fd_ctrl(BIO *h, int cmd, long arg1, void *arg2);
static int fd_new(BIO *h);
static int fd_free(BIO *data);
int BIO_fd_should_retry(int s);

static BIO_METHOD methods_fdp = {
	.type = BIO_TYPE_FD,
	.name = "file descriptor",
	.bwrite = fd_write,
	.bread = fd_read,
	.bputs = fd_puts,
	.bgets = fd_gets,
	.ctrl = fd_ctrl,
	.create = fd_new,
	.destroy = fd_free
};

BIO_METHOD *
BIO_s_fd(void)
{
	return (&methods_fdp);
}

BIO *
BIO_new_fd(int fd, int close_flag)

/* $OpenBSD: bss_file.c,v 1.32 2017/01/29 17:49:22 beck Exp $ */
/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
 * This package is an SSL implementation written
 * by Eric Young (eay@cryptsoft.com).
 * The implementation was written so as to conform with Netscapes SSL.
 * 

static int file_read(BIO *h, char *buf, int size);
static int file_puts(BIO *h, const char *str);
static int file_gets(BIO *h, char *str, int size);
static long file_ctrl(BIO *h, int cmd, long arg1, void *arg2);
static int file_new(BIO *h);
static int file_free(BIO *data);

static BIO_METHOD methods_filep = {
	.type = BIO_TYPE_FILE,
	.name = "FILE pointer",
	.bwrite = file_write,
	.bread = file_read,
	.bputs = file_puts,
	.bgets = file_gets,
	.ctrl = file_ctrl,

	if ((ret = BIO_new(BIO_s_file())) == NULL)
		return (NULL);

	BIO_set_fp(ret, stream, close_flag);
	return (ret);
}

BIO_METHOD *
BIO_s_file(void)
{
	return (&methods_filep);
}

static int
file_new(BIO *bi)

/* $OpenBSD: bss_log.c,v 1.21 2014/07/11 08:44:47 jsing Exp $ */
/* ====================================================================
 * Copyright (c) 1999 The OpenSSL Project.  All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
 * are met:
 *

static long slg_ctrl(BIO *h, int cmd, long arg1, void *arg2);
static int slg_new(BIO *h);
static int slg_free(BIO *data);
static void xopenlog(BIO* bp, char* name, int level);
static void xsyslog(BIO* bp, int priority, const char* string);
static void xcloselog(BIO* bp);

static BIO_METHOD methods_slg = {
	.type = BIO_TYPE_MEM,
	.name = "syslog",
	.bwrite = slg_write,
	.bputs = slg_puts,
	.ctrl = slg_ctrl,
	.create = slg_new,
	.destroy = slg_free
};

BIO_METHOD *
BIO_s_log(void)
{
	return (&methods_slg);
}

static int
slg_new(BIO *bi)

/* $OpenBSD: bss_mem.c,v 1.15 2017/01/29 17:49:22 beck Exp $ */
/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
 * This package is an SSL implementation written
 * by Eric Young (eay@cryptsoft.com).
 * The implementation was written so as to conform with Netscapes SSL.
 * 

static int mem_read(BIO *h, char *buf, int size);
static int mem_puts(BIO *h, const char *str);
static int mem_gets(BIO *h, char *str, int size);
static long mem_ctrl(BIO *h, int cmd, long arg1, void *arg2);
static int mem_new(BIO *h);
static int mem_free(BIO *data);

static BIO_METHOD mem_method = {
	.type = BIO_TYPE_MEM,
	.name = "memory buffer",
	.bwrite = mem_write,
	.bread = mem_read,
	.bputs = mem_puts,
	.bgets = mem_gets,
	.ctrl = mem_ctrl,
	.create = mem_new,
	.destroy = mem_free
};

/* bio->num is used to hold the value to return on 'empty', if it is
 * 0, should_retry is not set */

BIO_METHOD *
BIO_s_mem(void)
{
	return (&mem_method);
}

BIO *
BIO_new_mem_buf(void *buf, int len)
{
	BIO *ret;
	BUF_MEM *b;
	size_t sz;

	if (!buf) {
		BIOerror(BIO_R_NULL_PARAMETER);
		return NULL;
	}
	sz = (len < 0) ? strlen(buf) : (size_t)len;
	if (!(ret = BIO_new(BIO_s_mem())))
		return NULL;
	b = (BUF_MEM *)ret->ptr;
	b->data = buf;
	b->length = sz;
	b->max = sz;
	ret->flags |= BIO_FLAGS_MEM_RDONLY;
	/* Since this is static data retrying wont help */
	ret->num = 0;
	return ret;
}

/* $OpenBSD: bss_null.c,v 1.10 2014/07/11 08:44:47 jsing Exp $ */
/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
 * This package is an SSL implementation written
 * by Eric Young (eay@cryptsoft.com).
 * The implementation was written so as to conform with Netscapes SSL.
 * 

static int null_read(BIO *h, char *buf, int size);
static int null_puts(BIO *h, const char *str);
static int null_gets(BIO *h, char *str, int size);
static long null_ctrl(BIO *h, int cmd, long arg1, void *arg2);
static int null_new(BIO *h);
static int null_free(BIO *data);

static BIO_METHOD null_method = {
	.type = BIO_TYPE_NULL,
	.name = "NULL",
	.bwrite = null_write,
	.bread = null_read,
	.bputs = null_puts,
	.bgets = null_gets,
	.ctrl = null_ctrl,
	.create = null_new,
	.destroy = null_free
};

BIO_METHOD *
BIO_s_null(void)
{
	return (&null_method);
}

static int
null_new(BIO *bi)

/* $OpenBSD: bss_sock.c,v 1.23 2014/07/11 08:44:47 jsing Exp $ */
/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
 * This package is an SSL implementation written
 * by Eric Young (eay@cryptsoft.com).
 * The implementation was written so as to conform with Netscapes SSL.
 * 

static int sock_read(BIO *h, char *buf, int size);
static int sock_puts(BIO *h, const char *str);
static long sock_ctrl(BIO *h, int cmd, long arg1, void *arg2);
static int sock_new(BIO *h);
static int sock_free(BIO *data);
int BIO_sock_should_retry(int s);

static BIO_METHOD methods_sockp = {
	.type = BIO_TYPE_SOCKET,
	.name = "socket",
	.bwrite = sock_write,
	.bread = sock_read,
	.bputs = sock_puts,
	.ctrl = sock_ctrl,
	.create = sock_new,
	.destroy = sock_free
};

BIO_METHOD *
BIO_s_socket(void)
{
	return (&methods_sockp);
}

BIO *
BIO_new_socket(int fd, int close_flag)

/* $OpenBSD: bn_add.c,v 1.11 2017/01/29 17:49:22 beck Exp $ */
/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
 * This package is an SSL implementation written
 * by Eric Young (eay@cryptsoft.com).
 * The implementation was written so as to conform with Netscapes SSL.
 *

#include <stdio.h>

#include <openssl/err.h>

#include "bn_lcl.h"

/* r can == a or b */
int
BN_add(BIGNUM *r, const BIGNUM *a, const BIGNUM *b)
{
	const BIGNUM *tmp;
	int a_neg = a->neg, ret;

	bn_check_top(a);
	bn_check_top(b);

	/*  a +  b	a+b
	 *  a + -b	a-b
	 * -a +  b	b-a
	 * -a + -b	-(a+b)
	 */
	if (a_neg ^ b->neg) {
		/* only one is negative */
		if (a_neg)
				{ tmp = a;
			a = b;
			b = tmp;
		}

		/* we are now a - b */

		if (BN_ucmp(a, b) < 0) {

			if (!BN_usub(r, b, a))
				return (0);
			r->neg = 1;
		} else {
			if (!BN_usub(r, a, b))
				return (0);
			r->neg = 0;


		}
		return (1);
	}

	ret = BN_uadd(r, a, b);
	r->neg = a_neg;
	bn_check_top(r);
	return ret;
}

/* unsigned add of b to a */
int
BN_uadd(BIGNUM *r, const BIGNUM *a, const BIGNUM *b)
{
	int max, min, dif;
	BN_ULONG *ap, *bp, *rp, carry, t1, t2;
	const BIGNUM *tmp;

	bn_check_top(a);
	bn_check_top(b);

	if (a->top < b->top) {


		tmp = a;
		a = b;
		b = tmp;
	}
	max = a->top;
	min = b->top;
	dif = max - min;

	if (bn_wexpand(r, max + 1) == NULL)
		return 0;

	r->top = max;

	ap = a->d;
	bp = b->d;
	rp = r->d;

	carry = bn_add_words(rp, ap, bp, min);
	rp += min;
	ap += min;
	bp += min;

	if (carry) {
		while (dif) {
			dif--;
			t1 = *(ap++);
			t2 = (t1 + 1) & BN_MASK2;
			*(rp++) = t2;
			if (t2) {
				carry = 0;
				break;
			}
		}
		if (carry) {
			/* carry != 0 => dif == 0 */
			*rp = 1;
			r->top++;
		}
	}
	if (dif && rp != ap)
		while (dif--)
			/* copy remaining words if ap != rp */
			*(rp++) = *(ap++);
	r->neg = 0;
	bn_check_top(r);
	return 1;
}

/* unsigned subtraction of b from a, a must be larger than b. */
int
BN_usub(BIGNUM *r, const BIGNUM *a, const BIGNUM *b)
{
	int max, min, dif;

	BN_ULONG t1, t2, *ap, *bp, *rp;
	int i, carry;

	bn_check_top(a);
	bn_check_top(b);

	max = a->top;
	min = b->top;
	dif = max - min;

	if (dif < 0)	/* hmm... should not be happening */
	{
		BNerror(BN_R_ARG2_LT_ARG3);
		return (0);
	}

	if (bn_wexpand(r, max) == NULL)
		return (0);

	ap = a->d;
	bp = b->d;
	rp = r->d;

#if 1
	carry = 0;
	for (i = min; i != 0; i--) {
		t1= *(ap++);
		t2= *(bp++);
		if (carry) {
			carry = (t1 <= t2);
			t1 = (t1 - t2 - 1)&BN_MASK2;
		} else {
			carry = (t1 < t2);
			t1 = (t1 - t2)&BN_MASK2;
		}
		*(rp++) = t1&BN_MASK2;
	}
#else
	carry = bn_sub_words(rp, ap, bp, min);
	ap += min;
	bp += min;
	rp += min;
#endif
	if (carry) /* subtracted */
	{
		if (!dif)
			/* error: a < b */
			return 0;
		while (dif) {
			dif--;
			t1 = *(ap++);
			t2 = (t1 - 1)&BN_MASK2;
			*(rp++) = t2;
			if (t1)
				break;
		}
	}
#if 0
	memcpy(rp, ap, sizeof(*rp)*(max - i));
#else
	if (rp != ap) {
		for (;;) {
			if (!dif--)
				break;
			rp[0] = ap[0];
			if (!dif--)
				break;
			rp[1] = ap[1];
			if (!dif--)
				break;
			rp[2] = ap[2];
			if (!dif--)
				break;
			rp[3] = ap[3];
			rp += 4;
			ap += 4;
		}
	}
#endif

	r->top = max;
	r->neg = 0;
	bn_correct_top(r);
	return (1);
}

int
BN_sub(BIGNUM *r, const BIGNUM *a, const BIGNUM *b)
{
	int max;
	int add = 0, neg = 0;
	const BIGNUM *tmp;

	bn_check_top(a);
	bn_check_top(b);

	/*  a -  b	a-b
	 *  a - -b	a+b
	 * -a -  b	-(a+b)
	 * -a - -b	b-a
	 */
	if (a->neg) {
		if (b->neg) {
			tmp = a;
			a = b;
			b = tmp;
		} else {
			add = 1;
			neg = 1;
		}



	} else {
		if (b->neg) {
			add = 1;

			neg = 0;
		}
	}

	if (add) {
		if (!BN_uadd(r, a, b))
			return (0);
		r->neg = neg;
		return (1);
	}

	/* We are actually doing a - b :-) */

	max = (a->top > b->top) ? a->top : b->top;
	if (bn_wexpand(r, max) == NULL)
		return (0);
	if (BN_ucmp(a, b) < 0) {
		if (!BN_usub(r, b, a))
			return (0);
		r->neg = 1;
	} else {
		if (!BN_usub(r, a, b))
			return (0);
		r->neg = 0;
	}
	bn_check_top(r);
	return (1);
}