LOCAL_SHORT_COMMANDS := true

LOCAL_MODULE := libcrypto_tls

LOCAL_SHARED_LIBRARIES :=

LOCAL_SRC_FILES := \
	crypto/mem_dbg.c \
	crypto/dsa/dsa_asn1.c \
	crypto/dsa/dsa_sign.c \
	crypto/dsa/dsa_lib.c \
	crypto/dsa/dsa_gen.c \
	crypto/dsa/dsa_vrf.c \
	crypto/dsa/dsa_err.c \
	crypto/dsa/dsa_key.c \
	crypto/dsa/dsa_depr.c \
	crypto/dsa/dsa_pmeth.c \
	crypto/dsa/dsa_ossl.c \
	crypto/dsa/dsa_prn.c \
	crypto/dsa/dsa_ameth.c \
	crypto/poly1305/poly1305.c \
	crypto/md4/md4_one.c \
	crypto/md4/md4_dgst.c \
	crypto/cryptlib.c \
	crypto/comp/comp_err.c \
	crypto/comp/c_rle.c \
	crypto/comp/comp_lib.c \
	crypto/comp/c_zlib.c \
	crypto/mem_clr.c \

	crypto/dh/dh_prn.c \
	crypto/dh/dh_key.c \

























































































































































	crypto/dh/dh_pmeth.c \













	crypto/dh/dh_asn1.c \


	crypto/dh/dh_depr.c \






	crypto/dh/dh_gen.c \










	crypto/dh/dh_ameth.c \
	crypto/dh/dh_check.c \
	crypto/dh/dh_lib.c \
	crypto/dh/dh_err.c \
	crypto/modes/ccm128.c \
	crypto/modes/cfb128.c \
	crypto/modes/xts128.c \
	crypto/modes/cts128.c \
	crypto/modes/ofb128.c \
	crypto/modes/cbc128.c \
	crypto/modes/ctr128.c \
	crypto/modes/gcm128.c \
	crypto/lhash/lh_stats.c \
	crypto/lhash/lhash.c \
	crypto/rc4/rc4_skey.c \
	crypto/rc4/rc4_enc.c \
	crypto/pem/pem_oth.c \
	crypto/pem/pem_lib.c \
	crypto/pem/pem_sign.c \
	crypto/pem/pem_err.c \
	crypto/pem/pem_xaux.c \
	crypto/pem/pem_all.c \
	crypto/pem/pem_x509.c \
	crypto/pem/pem_seal.c \
	crypto/pem/pem_pk8.c \
	crypto/pem/pvkfmt.c \
	crypto/pem/pem_info.c \
	crypto/pem/pem_pkey.c \
	crypto/ecdh/ech_lib.c \
	crypto/ecdh/ech_key.c \
	crypto/ecdh/ech_err.c \
	crypto/ts/ts_rsp_verify.c \
	crypto/ts/ts_rsp_print.c \
	crypto/ts/ts_verify_ctx.c \
	crypto/ts/ts_req_utils.c \
	crypto/ts/ts_rsp_utils.c \
	crypto/ts/ts_rsp_sign.c \
	crypto/ts/ts_asn1.c \
	crypto/ts/ts_conf.c \
	crypto/ts/ts_req_print.c \
	crypto/ts/ts_lib.c \
	crypto/ts/ts_err.c \
	crypto/ex_data.c \
	crypto/dso/dso_openssl.c \
	crypto/dso/dso_err.c \
	crypto/dso/dso_lib.c \
	crypto/dso/dso_dlfcn.c \
	crypto/dso/dso_null.c \








	crypto/rc2/rc2_skey.c \












































	crypto/rc2/rc2ofb64.c \









	crypto/rc2/rc2_cbc.c \




	crypto/rc2/rc2cfb64.c \





























	crypto/rc2/rc2_ecb.c \
	crypto/o_init.c \



















































	crypto/objects/obj_err.c \
	crypto/objects/obj_lib.c \
	crypto/objects/obj_xref.c \
	crypto/objects/o_names.c \
	crypto/objects/obj_dat.c \
	crypto/cversion.c \
	crypto/ec/ec2_mult.c \
	crypto/ec/ec_oct.c \
	crypto/ec/ec_lib.c \
	crypto/ec/ec_curve.c \
	crypto/ec/ecp_nistp521.c \
	crypto/ec/ec_check.c \
	crypto/ec/ecp_nistp224.c \
	crypto/ec/ecp_nistp256.c \
	crypto/ec/ec2_oct.c \
	crypto/ec/ec_err.c \
	crypto/ec/ec_mult.c \
	crypto/ec/eck_prn.c \
	crypto/ec/ec_ameth.c \
	crypto/ec/ecp_nist.c \
	crypto/ec/ec_print.c \
	crypto/ec/ec_pmeth.c \
	crypto/ec/ec_key.c \
	crypto/ec/ecp_oct.c \
	crypto/ec/ecp_nistputil.c \
	crypto/ec/ecp_smpl.c \
	crypto/ec/ecp_mont.c \
	crypto/ec/ec_asn1.c \
	crypto/ec/ec_cvt.c \
	crypto/ec/ec2_smpl.c \
	crypto/pkcs12/p12_p8d.c \
	crypto/pkcs12/p12_crpt.c \
	crypto/pkcs12/p12_kiss.c \
	crypto/pkcs12/p12_crt.c \
	crypto/pkcs12/p12_npas.c \
	crypto/pkcs12/p12_key.c \
	crypto/pkcs12/p12_p8e.c \
	crypto/pkcs12/p12_init.c \
	crypto/pkcs12/p12_mutl.c \
	crypto/pkcs12/p12_decr.c \
	crypto/pkcs12/p12_asn.c \
	crypto/pkcs12/p12_add.c \
	crypto/pkcs12/p12_utl.c \
	crypto/pkcs12/p12_attr.c \
	crypto/pkcs12/pk12err.c \
	crypto/bf/bf_enc.c \
	crypto/bf/bf_skey.c \
	crypto/bf/bf_ecb.c \
	crypto/bf/bf_cfb64.c \
	crypto/bf/bf_ofb64.c \
	crypto/x509/x509_v3.c \
	crypto/x509/x509_cmp.c \
	crypto/x509/x509_vpm.c \
	crypto/x509/by_file.c \
	crypto/x509/x509_lu.c \
	crypto/x509/x509_err.c \
	crypto/x509/x509_set.c \
	crypto/x509/x509_ext.c \
	crypto/x509/x509_vfy.c \
	crypto/x509/x509_def.c \
	crypto/x509/x509_d2.c \
	crypto/x509/x509_req.c \
	crypto/x509/x509_trs.c \
	crypto/x509/x509rset.c \
	crypto/x509/x509_r2x.c \
	crypto/x509/x509name.c \
	crypto/x509/by_mem.c \
	crypto/x509/x509_txt.c \
	crypto/x509/by_dir.c \
	crypto/x509/x_all.c \
	crypto/x509/x509cset.c \
	crypto/x509/x509_obj.c \
	crypto/x509/x509_att.c \
	crypto/x509/x509type.c \
	crypto/x509/x509spki.c \
	crypto/stack/stack.c \
	crypto/cast/c_ofb64.c \
	crypto/cast/c_skey.c \
	crypto/cast/c_enc.c \
	crypto/cast/c_cfb64.c \
	crypto/cast/c_ecb.c \
	crypto/malloc-wrapper.c \
	crypto/pkcs7/bio_pk7.c \
	crypto/pkcs7/pk7_doit.c \
	crypto/pkcs7/pk7_lib.c \
	crypto/pkcs7/pk7_asn1.c \
	crypto/pkcs7/pk7_mime.c \
	crypto/pkcs7/pk7_smime.c \
	crypto/pkcs7/pkcs7err.c \
	crypto/pkcs7/pk7_attr.c \
	crypto/evp/names.c \
	crypto/evp/m_dss1.c \
	crypto/evp/m_md5_sha1.c \
	crypto/evp/evp_aead.c \
	crypto/evp/p_sign.c \
	crypto/evp/m_wp.c \
	crypto/evp/evp_key.c \
	crypto/evp/pmeth_lib.c \
	crypto/evp/evp_pkey.c \
	crypto/evp/m_md5.c \
	crypto/evp/e_chacha.c \
	crypto/evp/e_old.c \
	crypto/evp/p_enc.c \
	crypto/evp/e_camellia.c \
	crypto/evp/m_gost2814789.c \
	crypto/evp/m_sigver.c \
	crypto/evp/e_null.c \
	crypto/evp/e_des.c \
	crypto/evp/e_rc4.c \
	crypto/evp/p_seal.c \
	crypto/evp/p_lib.c \
	crypto/evp/encode.c \
	crypto/evp/evp_enc.c \
	crypto/evp/m_ecdsa.c \
	crypto/evp/m_md4.c \
	crypto/evp/e_cast.c \
	crypto/evp/e_aes_cbc_hmac_sha1.c \
	crypto/evp/pmeth_gn.c \
	crypto/evp/e_gost2814789.c \
	crypto/evp/m_dss.c \
	crypto/evp/evp_pbe.c \
	crypto/evp/p5_crpt.c \
	crypto/evp/e_aes.c \
	crypto/evp/e_rc4_hmac_md5.c \
	crypto/evp/p_verify.c \
	crypto/evp/bio_enc.c \
	crypto/evp/e_bf.c \
	crypto/evp/m_gostr341194.c \
	crypto/evp/bio_b64.c \
	crypto/evp/p_dec.c \
	crypto/evp/m_sha1.c \
	crypto/evp/e_rc2.c \
	crypto/evp/m_ripemd.c \
	crypto/evp/c_all.c \
	crypto/evp/evp_lib.c \
	crypto/evp/digest.c \
	crypto/evp/bio_md.c \
	crypto/evp/e_xcbc_d.c \
	crypto/evp/e_idea.c \
	crypto/evp/p_open.c \
	crypto/evp/e_des3.c \
	crypto/evp/m_null.c \
	crypto/evp/p5_crpt2.c \
	crypto/evp/pmeth_fn.c \
	crypto/evp/m_streebog.c \
	crypto/evp/e_chacha20poly1305.c \
	crypto/evp/evp_err.c \
	crypto/aes/aes_ecb.c \
	crypto/aes/aes_cfb.c \
	crypto/aes/aes_misc.c \
	crypto/aes/aes_cbc.c \
	crypto/aes/aes_ofb.c \
	crypto/aes/aes_wrap.c \
	crypto/aes/aes_ctr.c \
	crypto/aes/aes_ige.c \
	crypto/aes/aes_core.c \
	crypto/bn/bn_div.c \
	crypto/bn/bn_kron.c \
	crypto/bn/bn_shift.c \
	crypto/bn/bn_mpi.c \
	crypto/bn/bn_asm.c \
	crypto/bn/bn_mul.c \
	crypto/bn/bn_err.c \
	crypto/bn/bn_const.c \
	crypto/bn/bn_depr.c \
	crypto/bn/bn_add.c \
	crypto/bn/bn_blind.c \
	crypto/bn/bn_exp2.c \
	crypto/bn/bn_mont.c \
	crypto/bn/bn_x931p.c \
	crypto/bn/bn_rand.c \
	crypto/bn/bn_print.c \
	crypto/bn/bn_exp.c \
	crypto/bn/bn_nist.c \
	crypto/bn/bn_ctx.c \
	crypto/bn/bn_mod.c \
	crypto/bn/bn_prime.c \
	crypto/bn/bn_sqrt.c \
	crypto/bn/bn_lib.c \
	crypto/bn/bn_gf2m.c \
	crypto/bn/bn_recp.c \
	crypto/bn/bn_sqr.c \
	crypto/bn/bn_gcd.c \
	crypto/bn/bn_word.c \
	crypto/chacha/chacha-merged.c \
	crypto/chacha/chacha.c \
	crypto/ui/ui_openssl.c \
	crypto/ui/ui_util.c \
	crypto/ui/ui_err.c \
	crypto/ui/ui_lib.c \
	crypto/x509v3/v3_skey.c \
	crypto/x509v3/v3_genn.c \
	crypto/x509v3/v3_pci.c \
	crypto/x509v3/v3_ia5.c \
	crypto/x509v3/v3_sxnet.c \
	crypto/x509v3/v3_utl.c \
	crypto/x509v3/pcy_cache.c \
	crypto/x509v3/v3_enum.c \
	crypto/x509v3/v3err.c \
	crypto/x509v3/v3_ncons.c \
	crypto/x509v3/v3_lib.c \
	crypto/x509v3/v3_conf.c \
	crypto/x509v3/v3_bcons.c \
	crypto/x509v3/v3_akeya.c \
	crypto/x509v3/v3_purp.c \
	crypto/x509v3/v3_pcons.c \
	crypto/x509v3/v3_ocsp.c \
	crypto/x509v3/v3_cpols.c \
	crypto/x509v3/v3_info.c \
	crypto/x509v3/v3_alt.c \
	crypto/x509v3/v3_crld.c \
	crypto/x509v3/pcy_lib.c \
	crypto/x509v3/pcy_map.c \
	crypto/x509v3/v3_pcia.c \
	crypto/x509v3/v3_extku.c \
	crypto/x509v3/v3_int.c \
	crypto/x509v3/v3_pku.c \
	crypto/x509v3/pcy_tree.c \
	crypto/x509v3/v3_pmaps.c \
	crypto/x509v3/v3_prn.c \
	crypto/x509v3/v3_bitst.c \
	crypto/x509v3/pcy_node.c \
	crypto/x509v3/v3_akey.c \
	crypto/x509v3/pcy_data.c \
	crypto/rsa/rsa_pk1.c \
	crypto/rsa/rsa_x931.c \
	crypto/rsa/rsa_ameth.c \
	crypto/rsa/rsa_gen.c \
	crypto/rsa/rsa_oaep.c \
	crypto/rsa/rsa_saos.c \
	crypto/rsa/rsa_pss.c \
	crypto/rsa/rsa_sign.c \
	crypto/rsa/rsa_lib.c \
	crypto/rsa/rsa_pmeth.c \
	crypto/rsa/rsa_depr.c \
	crypto/rsa/rsa_asn1.c \
	crypto/rsa/rsa_none.c \
	crypto/rsa/rsa_chk.c \
	crypto/rsa/rsa_prn.c \
	crypto/rsa/rsa_eay.c \
	crypto/rsa/rsa_err.c \
	crypto/rsa/rsa_ssl.c \
	crypto/rsa/rsa_crpt.c \
	crypto/engine/eng_dyn.c \
	crypto/engine/tb_cipher.c \
	crypto/engine/tb_dh.c \
	crypto/engine/tb_rsa.c \
	crypto/engine/tb_digest.c \
	crypto/engine/eng_err.c \
	crypto/engine/eng_table.c \
	crypto/engine/tb_rand.c \
	crypto/engine/tb_ecdsa.c \
	crypto/engine/eng_init.c \
	crypto/engine/eng_all.c \
	crypto/engine/eng_pkey.c \
	crypto/engine/eng_lib.c \
	crypto/engine/tb_dsa.c \
	crypto/engine/eng_fat.c \
	crypto/engine/tb_pkmeth.c \
	crypto/engine/eng_openssl.c \
	crypto/engine/tb_store.c \
	crypto/engine/eng_list.c \
	crypto/engine/eng_ctrl.c \
	crypto/engine/tb_asnmth.c \
	crypto/engine/eng_cnf.c \
	crypto/engine/tb_ecdh.c \
	crypto/bio/bss_log.c \
	crypto/bio/b_sock.c \
	crypto/bio/bio_err.c \
	crypto/bio/bio_lib.c \
	crypto/bio/bss_conn.c \
	crypto/bio/b_dump.c \
	crypto/bio/bss_null.c \
	crypto/bio/bss_dgram.c \
	crypto/bio/bio_cb.c \
	crypto/bio/bss_fd.c \
	crypto/bio/b_posix.c \
	crypto/bio/bss_sock.c \
	crypto/bio/bss_mem.c \
	crypto/bio/bss_file.c \
	crypto/bio/bss_acpt.c \
	crypto/bio/bss_bio.c \
	crypto/bio/bf_null.c \
	crypto/bio/bf_nbio.c \
	crypto/bio/b_print.c \
	crypto/bio/bf_buff.c \
	crypto/hmac/hm_pmeth.c \
	crypto/hmac/hmac.c \
	crypto/hmac/hm_ameth.c \
	crypto/md5/md5_dgst.c \
	crypto/md5/md5_one.c \
	crypto/ocsp/ocsp_vfy.c \
	crypto/ocsp/ocsp_prn.c \
	crypto/ocsp/ocsp_lib.c \
	crypto/ocsp/ocsp_ht.c \
	crypto/ocsp/ocsp_ext.c \
	crypto/ocsp/ocsp_cl.c \
	crypto/ocsp/ocsp_srv.c \
	crypto/ocsp/ocsp_asn.c \
	crypto/ocsp/ocsp_err.c \
	crypto/compat/timingsafe_memcmp.c \
	crypto/compat/reallocarray.c \
	crypto/compat/timingsafe_bcmp.c \
	crypto/compat/recallocarray.c \
	crypto/compat/arc4random_uniform.c \
	crypto/compat/bsd-asprintf.c \
	crypto/compat/explicit_bzero.c \
	crypto/compat/timegm.c \
	crypto/err/err_all.c \
	crypto/err/err.c \
	crypto/err/err_prn.c \
	crypto/rand/rand_err.c \
	crypto/rand/rand_lib.c \
	crypto/rand/randfile.c \


























	crypto/sha/sha1dgst.c \
	crypto/sha/sha256.c \
	crypto/sha/sha1_one.c \
	crypto/sha/sha512.c \
	crypto/cpt_err.c \
	crypto/camellia/cmll_cbc.c \
	crypto/camellia/cmll_ecb.c \
	crypto/camellia/camellia.c \
	crypto/camellia/cmll_misc.c \
	crypto/camellia/cmll_cfb.c \
	crypto/camellia/cmll_ofb.c \
	crypto/camellia/cmll_ctr.c \
	crypto/asn1/x_bignum.c \
	crypto/asn1/i2d_pu.c \
	crypto/asn1/a_bitstr.c \
	crypto/asn1/x_pubkey.c \
	crypto/asn1/x_req.c \
	crypto/asn1/x_val.c \
	crypto/asn1/a_time_tm.c \
	crypto/asn1/a_dup.c \
	crypto/asn1/p5_pbev2.c \
	crypto/asn1/asn1_lib.c \
	crypto/asn1/a_time.c \
	crypto/asn1/t_req.c \
	crypto/asn1/asn1_err.c \
	crypto/asn1/p5_pbe.c \
	crypto/asn1/x_attrib.c \
	crypto/asn1/bio_asn1.c \
	crypto/asn1/x_nx509.c \
	crypto/asn1/asn_moid.c \
	crypto/asn1/a_type.c \
	crypto/asn1/tasn_dec.c \
	crypto/asn1/tasn_new.c \
	crypto/asn1/i2d_pr.c \
	crypto/asn1/a_d2i_fp.c \
	crypto/asn1/x_crl.c \
	crypto/asn1/d2i_pu.c \
	crypto/asn1/f_int.c \
	crypto/asn1/p8_pkey.c \
	crypto/asn1/evp_asn1.c \
	crypto/asn1/f_string.c \
	crypto/asn1/x_spki.c \
	crypto/asn1/t_x509a.c \
	crypto/asn1/asn1_par.c \
	crypto/asn1/f_enum.c \
	crypto/asn1/n_pkey.c \
	crypto/asn1/x_sig.c \
	crypto/asn1/tasn_fre.c \
	crypto/asn1/x_pkey.c \
	crypto/asn1/a_print.c \
	crypto/asn1/asn_pack.c \
	crypto/asn1/a_bool.c \
	crypto/asn1/tasn_typ.c \
	crypto/asn1/a_object.c \
	crypto/asn1/a_strex.c \
	crypto/asn1/asn1_gen.c \
	crypto/asn1/a_octet.c \
	crypto/asn1/ameth_lib.c \
	crypto/asn1/t_bitst.c \
	crypto/asn1/tasn_enc.c \
	crypto/asn1/a_sign.c \
	crypto/asn1/a_int.c \
	crypto/asn1/x_exten.c \
	crypto/asn1/tasn_prn.c \
	crypto/asn1/x_info.c \
	crypto/asn1/bio_ndef.c \
	crypto/asn1/t_x509.c \
	crypto/asn1/a_i2d_fp.c \
	crypto/asn1/nsseq.c \
	crypto/asn1/a_verify.c \
	crypto/asn1/a_utf8.c \
	crypto/asn1/t_spki.c \
	crypto/asn1/tasn_utl.c \
	crypto/asn1/a_enum.c \
	crypto/asn1/x_long.c \
	crypto/asn1/asn_mime.c \
	crypto/asn1/t_crl.c \
	crypto/asn1/x_x509.c \
	crypto/asn1/a_strnid.c \
	crypto/asn1/a_mbstr.c \
	crypto/asn1/a_set.c \
	crypto/asn1/a_bytes.c \
	crypto/asn1/t_pkey.c \
	crypto/asn1/x_algor.c \
	crypto/asn1/x_name.c \
	crypto/asn1/a_digest.c \
	crypto/asn1/x_x509a.c \
	crypto/asn1/d2i_pr.c \
	crypto/ecdsa/ecs_ossl.c \
	crypto/ecdsa/ecs_vrf.c \
	crypto/ecdsa/ecs_asn1.c \
	crypto/ecdsa/ecs_err.c \
	crypto/ecdsa/ecs_sign.c \
	crypto/ecdsa/ecs_lib.c \
	crypto/conf/conf_mall.c \
	crypto/conf/conf_def.c \
	crypto/conf/conf_api.c \
	crypto/conf/conf_err.c \
	crypto/conf/conf_lib.c \
	crypto/conf/conf_sap.c \
	crypto/conf/conf_mod.c \
	crypto/gost/gost89_params.c \
	crypto/gost/gostr341194.c \
	crypto/gost/gostr341001_params.c \
	crypto/gost/gost_asn1.c \
	crypto/gost/gostr341001_pmeth.c \
	crypto/gost/gostr341001.c \
	crypto/gost/gost89_keywrap.c \
	crypto/gost/gost89imit_ameth.c \
	crypto/gost/streebog.c \
	crypto/gost/gostr341001_ameth.c \
	crypto/gost/gost2814789.c \
	crypto/gost/gost_err.c \
	crypto/gost/gost89imit_pmeth.c \
	crypto/gost/gostr341001_key.c \
	crypto/ripemd/rmd_dgst.c \
	crypto/ripemd/rmd_one.c \
	crypto/cmac/cmac.c \
	crypto/cmac/cm_pmeth.c \
	crypto/cmac/cm_ameth.c \
	crypto/txt_db/txt_db.c \
	crypto/o_str.c \
	crypto/idea/i_ofb64.c \
	crypto/idea/i_cfb64.c \
	crypto/idea/i_ecb.c \
	crypto/idea/i_cbc.c \
	crypto/idea/i_skey.c \
	crypto/whrlpool/wp_dgst.c \
	crypto/whrlpool/wp_block.c \
	crypto/buffer/buf_err.c \
	crypto/buffer/buf_str.c \
	crypto/buffer/buffer.c \
	crypto/o_time.c \
	crypto/curve25519/curve25519.c \



	crypto/curve25519/curve25519-generic.c \
	crypto/des/pcbc_enc.c \
	crypto/des/enc_writ.c \
	crypto/des/qud_cksm.c \
	crypto/des/ecb_enc.c \


	crypto/des/cbc_enc.c \
	crypto/des/xcbc_enc.c \






	crypto/des/str2key.c \




	crypto/des/cfb_enc.c \

	crypto/des/des_enc.c \
	crypto/des/cfb64enc.c \
	crypto/des/enc_read.c \
	crypto/des/ofb64enc.c \

	crypto/des/ofb_enc.c \
	crypto/des/rand_key.c \




	crypto/des/ecb3_enc.c \

	crypto/des/fcrypt.c \
	crypto/des/fcrypt_b.c \


	crypto/des/ede_cbcm_enc.c \


	crypto/des/cfb64ede.c \

	crypto/des/ofb64ede.c \
	crypto/des/set_key.c \



	crypto/des/cbc_cksm.c

LOCAL_C_INCLUDES := $(LOCAL_PATH)/include \
	$(LOCAL_PATH)/include/compat \
	$(LOCAL_PATH)/crypto \
	$(LOCAL_PATH)/crypto/compat \
	$(LOCAL_PATH)/crypto/asn1 \
	$(LOCAL_PATH)/crypto/bn \
	$(LOCAL_PATH)/crypto/evp \
	$(LOCAL_PATH)/crypto/modes

LOCAL_CFLAGS := \
	-DLIBRESSL_INTERNAL \
	-DOPENSSL_NO_HW_PADLOCK \
	-DOPENSSL_NO_ASM \
	-DSIZE_MAX=UINT32_MAX \
	-DHAVE_INET_NTOP=1 -DHAVE_INET_PTON=1 \
	-D__BEGIN_HIDDEN_DECLS= -D__END_HIDDEN_DECLS= \
	-O2

include $(BUILD_SHARED_LIBRARY)

####################################
#
# libssl_tls

	ssl/d1_enc.c \
	ssl/d1_lib.c \
	ssl/d1_meth.c \
	ssl/d1_pkt.c \
	ssl/d1_srtp.c \
	ssl/d1_srvr.c \
	ssl/pqueue.c \





	ssl/s3_cbc.c \

	ssl/s3_lib.c \


	ssl/ssl_algs.c \
	ssl/ssl_asn1.c \
	ssl/ssl_both.c \
	ssl/ssl_cert.c \
	ssl/ssl_ciph.c \
	ssl/ssl_clnt.c \
	ssl/ssl_err.c \
	ssl/ssl_lib.c \
	ssl/ssl_packet.c \
	ssl/ssl_pkt.c \
	ssl/ssl_rsa.c \
	ssl/ssl_sess.c \
	ssl/ssl_srvr.c \
	ssl/ssl_stat.c \
	ssl/ssl_txt.c \
	ssl/ssl_versions.c \
	ssl/t1_clnt.c \
	ssl/t1_enc.c \
	ssl/t1_hash.c \
	ssl/t1_lib.c \
	ssl/t1_meth.c \
	ssl/t1_reneg.c \
	ssl/t1_srvr.c

LOCAL_C_INCLUDES := $(LOCAL_PATH)/include \
	$(LOCAL_PATH)/include/compat \
	$(LOCAL_PATH)/ssl \
	$(LOCAL_PATH)/crypto/compat

LOCAL_CFLAGS := \
	-DLIBRESSL_INTERNAL \
	-DOPENSSLDIR="\"/system/lib/ssl\"" \
	-DHAVE_INET_NTOP=1 -DHAVE_INET_PTON=1 \
	-D__BEGIN_HIDDEN_DECLS= -D__END_HIDDEN_DECLS= \
	-O2

include $(BUILD_SHARED_LIBRARY)

cmake_minimum_required (VERSION 2.8.8)
include(CheckFunctionExists)
include(CheckLibraryExists)
include(CheckIncludeFiles)
include(CheckTypeSize)

set(CMAKE_MODULE_PATH "${CMAKE_CURRENT_SOURCE_DIR}" ${CMAKE_MODULE_PATH})
include(cmake_export_symbol)
include(GNUInstallDirs)

project (LibreSSL C)

enable_testing()

file(READ ${CMAKE_CURRENT_SOURCE_DIR}/ssl/VERSION SSL_VERSION)
string(STRIP ${SSL_VERSION} SSL_VERSION)
string(REPLACE ":" "." SSL_VERSION ${SSL_VERSION})
string(REGEX REPLACE "\\..*" "" SSL_MAJOR_VERSION ${SSL_VERSION})

file(READ ${CMAKE_CURRENT_SOURCE_DIR}/crypto/VERSION CRYPTO_VERSION)
string(STRIP ${CRYPTO_VERSION} CRYPTO_VERSION)
string(REPLACE ":" "." CRYPTO_VERSION ${CRYPTO_VERSION})
string(REGEX REPLACE "\\..*" "" CRYPTO_MAJOR_VERSION ${CRYPTO_VERSION})

file(READ ${CMAKE_CURRENT_SOURCE_DIR}/tls/VERSION TLS_VERSION)
string(STRIP ${TLS_VERSION} TLS_VERSION)
string(REPLACE ":" "." TLS_VERSION ${TLS_VERSION})
string(REGEX REPLACE "\\..*" "" TLS_MAJOR_VERSION ${TLS_VERSION})

option(ENABLE_ASM "Enable assembly" ON)
option(ENABLE_EXTRATESTS "Enable extra tests that may be unreliable on some platforms" OFF)
option(ENABLE_NC "Enable installing TLS-enabled nc(1)" OFF)
option(ENABLE_VSTEST "Enable test on Visual Studio" OFF)
set(OPENSSLDIR ${OPENSSLDIR} CACHE PATH "Set the default openssl directory" FORCE)

set(BUILD_NC true)

if(CMAKE_SYSTEM_NAME MATCHES "Darwin")
	add_definitions(-fno-common)
endif()

	add_definitions(-D_GNU_SOURCE)
endif()

if(CMAKE_SYSTEM_NAME MATCHES "MINGW")
	set(BUILD_NC false)
endif()

if(WIN32)
	set(BUILD_NC false)
endif()

if(CMAKE_SYSTEM_NAME MATCHES "HP-UX")
	if(CMAKE_C_COMPILER MATCHES "gcc")
		set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -Wall -std=gnu99 -fno-strict-aliasing")
		set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -mlp64")

	set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -D_XOPEN_SOURCE=600")
	set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -DBSD_COMP")
	set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -fpic -m64")
endif()

add_definitions(-DLIBRESSL_INTERNAL)
add_definitions(-DOPENSSL_NO_HW_PADLOCK)
add_definitions(-D__BEGIN_HIDDEN_DECLS=)
add_definitions(-D__END_HIDDEN_DECLS=)

set(CMAKE_POSITION_INDEPENDENT_CODE true)

if (CMAKE_COMPILER_IS_GNUCC OR CMAKE_C_COMPILER_ID MATCHES "Clang")
	add_definitions(-Wno-pointer-sign)
endif()

if(WIN32)

	add_definitions(-Drestrict)
	add_definitions(-D_CRT_SECURE_NO_WARNINGS)
	add_definitions(-D_CRT_DEPRECATED_NO_WARNINGS)
	add_definitions(-D_REENTRANT -D_POSIX_THREAD_SAFE_FUNCTIONS)
	add_definitions(-DWIN32_LEAN_AND_MEAN -D_WIN32_WINNT=0x0501)
	add_definitions(-DCPPFLAGS -DOPENSSL_NO_SPEED -DNO_SYSLOG -DNO_CRYPT)
endif()

if(MSVC)
	add_definitions(-Dinline=__inline)
	message(STATUS "Using [${CMAKE_C_COMPILER_ID}] compiler")
	if(CMAKE_C_COMPILER_ID MATCHES "MSVC")
		set(MSVC_DISABLED_WARNINGS_LIST
			"C4057" # C4057: 'initializing' : 'unsigned char *' differs in
		        	# indirection to slightly different base types from 'char [2]'
			"C4100" # 'exarg' : unreferenced formal parameter
			"C4127" # conditional expression is constant
			"C4242" # 'function' : conversion from 'int' to 'uint8_t',
			        # possible loss of data
			"C4244" # 'function' : conversion from 'int' to 'uint8_t',
			        # possible loss of data
			"C4267" # conversion from 'size_t' to 'some type that is almost
				# certainly safe to convert a size_t to'.
			"C4706" # assignment within conditional expression
			"C4820" # 'bytes' bytes padding added after construct 'member_name'
			"C4996" # 'read': The POSIX name for this item is deprecated. Instead,
			        # use the ISO C++ conformant name: _read.
		)
	elseif(CMAKE_C_COMPILER_ID MATCHES "Intel")
		add_definitions(-D_CRT_SUPPRESS_RESTRICT)
		set(MSVC_DISABLED_WARNINGS_LIST
			"C111"  # Unreachable statement
			"C128"  # Unreachable loop
			"C167"  # Unexplict casting unsigned to signed
			"C186"  # Pointless comparison of unsigned int with zero
			"C188"  # Enumerated type mixed with another type
			"C344"  # Redeclared type
			"C556"  # Unexplict casting signed to unsigned
			"C869"  # Unreferenced parameters
			"C1786" # Deprecated functions
			"C2545" # Empty else statement
			"C2557" # Comparing signed to unsigned
			"C2722" # List init syntax is c++11 feature
			"C3280" # Declaration hides variable
		)
	endif()
	string(REPLACE "C" " -wd" MSVC_DISABLED_WARNINGS_STR
		${MSVC_DISABLED_WARNINGS_LIST})
	string(REGEX REPLACE "[/-]W[1234][ ]?" "" CMAKE_C_FLAGS ${CMAKE_C_FLAGS})
	set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -MP -W4 ${MSVC_DISABLED_WARNINGS_STR}")
endif()

check_function_exists(asprintf HAVE_ASPRINTF)
if(HAVE_ASPRINTF)
	add_definitions(-DHAVE_ASPRINTF)
endif()

endif()

check_function_exists(strndup HAVE_STRNDUP)
if(HAVE_STRNDUP)
	add_definitions(-DHAVE_STRNDUP)
endif()

if(WIN32)
	set(HAVE_STRNLEN true)
	add_definitions(-DHAVE_STRNLEN)
else()
	check_function_exists(strnlen HAVE_STRNLEN)
	if(HAVE_STRNLEN)
		add_definitions(-DHAVE_STRNLEN)
	endif()

	add_definitions(-DHAVE_GETAUXVAL)
endif()

check_function_exists(getentropy HAVE_GETENTROPY)
if(HAVE_GETENTROPY)
	add_definitions(-DHAVE_GETENTROPY)
endif()

check_function_exists(getpagesize HAVE_GETPAGESIZE)
if(HAVE_GETPAGESIZE)
	add_definitions(-DHAVE_GETPAGESIZE)
endif()

check_function_exists(timingsafe_bcmp HAVE_TIMINGSAFE_BCMP)
if(HAVE_TIMINGSAFE_BCMP)
	add_definitions(-DHAVE_TIMINGSAFE_BCMP)
endif()

check_function_exists(timingsafe_memcmp HAVE_TIMINGSAFE_MEMCMP)

			set(HOST_ASM_ELF_X86_64 true)
		endif()
	elseif(APPLE AND "${CMAKE_SYSTEM_PROCESSOR}" STREQUAL "x86_64")
		set(HOST_ASM_MACOSX_X86_64 true)
	endif()
endif()

if(NOT (CMAKE_SYSTEM_NAME MATCHES "(Darwin|CYGWIN)"))
	set(BUILD_SHARED true)
endif()

# USE_SHARED builds applications (e.g. openssl) using shared LibreSSL.
# By default, applications use LibreSSL static library to avoid dependencies.
# USE_SHARED isn't set by default; use -DUSE_SHARED=ON with CMake to enable.
# Can be helpful for debugging; don't use for public releases.
if(NOT BUILD_SHARED)
	set(USE_SHARED off)
endif()

if(USE_SHARED)
	set(OPENSSL_LIBS tls-shared ssl-shared crypto-shared)
else()
	set(OPENSSL_LIBS tls ssl crypto)
endif()

if(CMAKE_HOST_WIN32)
	set(OPENSSL_LIBS ${OPENSSL_LIBS} ws2_32)
endif()
if(CMAKE_SYSTEM_NAME MATCHES "Linux")
	check_library_exists(rt clock_gettime "time.h" HAVE_CLOCK_GETTIME)
	if (HAVE_CLOCK_GETTIME)
		set(OPENSSL_LIBS ${OPENSSL_LIBS} rt)
	endif()
endif()
if(CMAKE_SYSTEM_NAME MATCHES "HP-UX")
	set(OPENSSL_LIBS ${OPENSSL_LIBS} pthread)
endif()
if(CMAKE_SYSTEM_NAME MATCHES "SunOS")
	set(OPENSSL_LIBS ${OPENSSL_LIBS} nsl socket)
endif()





check_type_size(time_t SIZEOF_TIME_T)
if(SIZEOF_TIME_T STREQUAL "4")
	set(SMALL_TIME_T true)
	message(WARNING " ** Warning, this system is unable to represent times past 2038\n"
	                " ** It will behave incorrectly when handling valid RFC5280 dates")
endif()
add_definitions(-DSIZEOF_TIME_T=${SIZEOF_TIME_T})

add_subdirectory(crypto)
add_subdirectory(ssl)
add_subdirectory(apps)
add_subdirectory(tls)
add_subdirectory(include)
if(NOT MSVC)
	add_subdirectory(man)
endif()
if(NOT MSVC OR ENABLE_VSTEST)
	add_subdirectory(tests)
endif()

configure_file(
	"${CMAKE_CURRENT_SOURCE_DIR}/cmake_uninstall.cmake.in"
	"${CMAKE_CURRENT_BINARY_DIR}/cmake_uninstall.cmake"
	IMMEDIATE @ONLY)

add_custom_target(uninstall
	COMMAND ${CMAKE_COMMAND} -P ${CMAKE_CURRENT_BINARY_DIR}/cmake_uninstall.cmake)

The portable bits of the project are largely maintained out-of-tree, and their
history is also available from Git.

	https://github.com/libressl-portable/portable

LibreSSL Portable Release Notes:

2.5.5 - Bug fixes
	* Distinguish between self-issued certificates and self-signed
	  certificates. The certificate verification code has special cases
	  for self-signed certificates and without this change, self-issued
	  certificates (which it seems are common place with
	  openvpn/easyrsa) were also being included in this category.

	* Fix a bug caused by the return value being set early to signal
	  successful DTLS cookie validation. This can mask a later failure and
	  result in a positive return value being returned from
	  ssl3_get_client_hello(), when it should return a negative value to
	  propagate the error.

	* Added getpagesize fallback, needed for Android bionic libc.

2.5.4 - Security Updates

	* Revert a previous change that forced consistency between return
	  value and error code when specifing a certificate verification
	  callback, since this breaks the documented API. When a user supplied
	  callback always returns 1, and later code checks the error code to
	  potentially abort post verification, this will result in incorrect
	  successul certificate verification.

	* Switched Linux getrandom() usage to non-blocking mode, continuing to
	  use fallback mechanims if unsuccessful. This works around a design
	  flaw in Linux getrandom(2) where early boot usage in a library makes
	  it impossible to recover if getrandom(2) is not yet initialized.

	* Fixed a bug caused by the return value being set early to signal
	  successful DTLS cookie validation. This can mask a later failure and
	  result in a positive return value being returned from
	  ssl3_get_client_hello(), when it should return a negative value to
	  propagate the error.

	* Fixed a build error on non-x86/x86_64 systems running Solaris.

2.5.3 - OpenBSD 6.1 Release

	* Documentation updates

	* Improved ocspcheck(1) error handling

2.5.2 - Security features and bugfixes

	* Added the recallocarray(3) memory allocation function, and converted
	  various places in the library to use it, such as CBB and BUF_MEM_grow.
	  recallocarray(3) is similar to reallocarray. Newly allocated memory
	  is cleared similar to calloc(3). Memory that becomes unallocated
	  while shrinking or moving existing allocations is explicitly
	  discarded by unmapping or clearing to 0

	* Added new root CAs from SECOM Trust Systems / Security Communication
	  of Japan.

	* Added EVP interface for MD5+SHA1 hashes.

	* Fixed DTLS client failures when the server sends a certificate
	  request.

	* Correct handling of padding when upgrading an SSLv2 challenge into
	  an SSLv3/TLS connection.

	* Allow protocols and ciphers to be set on a TLS config object in
	  libtls.

	* Improved nc(1) TLS handshake CPU usage and server-side error
	  reporting.

2.5.1 - Bug and security fixes, new features, documentation updates

	* X509_cmp_time() now passes a malformed GeneralizedTime field as an
	  error. Reported by Theofilos Petsios.

	* Detect zero-length encrypted session data early, instead of when
	  malloc(0) fails or the HMAC check fails. Noted independently by
	  jsing@ and Kurt Cancemi.

	* Check for and handle failure of HMAC_{Update,Final} or
	  EVP_DecryptUpdate().

	* Massive update and normalization of manpages, conversion to
	  mandoc format. Many pages were rewritten for clarity and accuracy.
	  Portable doc links are up-to-date with a new conversion tool.

	* Curve25519 Key Exchange support.

	* Support for alternate chains for certificate verification.

	* Code cleanups, CBS conversions, further unification of DTLS/SSL
	  handshake code, further ASN1 macro expansion and removal.

	* Private symbol are now hidden in libssl and libcryto.

	* Friendly certificate verification error messages in libtls, peer
	  verification is now always enabled.

	* Added OCSP stapling support to libtls and netcat.

	* Added ocspcheck utility to validate a certificate against its OCSP
	  responder and save the reply for stapling

	* Enhanced regression tests and error handling for libtls.

	* Added explicit constant and non-constant time BN functions,
	  defaulting to constant time wherever possible.

	* Moved many leaked implementation details in public structs behind
	  opaque pointers.

	* Added ticket support to libtls.

	* Added support for setting the supported EC curves via
	  SSL{_CTX}_set1_groups{_list}() - also provide defines for the previous
	  SSL{_CTX}_set1_curves{_list} names. This also changes the default
	  list of curves to be X25519, P-256 and P-384. All other curves must
	  be manually enabled.

	* Added -groups option to openssl(1) s_client for specifying the curves
	  to be used in a colon-separated list.

	* Merged client/server version negotiation code paths into one,
	  reducing much duplicate code.

	* Removed error function codes from libssl and libcrypto.

	* Fixed an issue where a truncated packet could crash via an OOB read.

	* Added SSL_OP_NO_CLIENT_RENEGOTIATION option that disallows
	  client-initiated renegotiation. This is the default for libtls
	  servers.

	* Avoid a side-channel cache-timing attack that can leak the ECDSA
	  private keys when signing. This is due to BN_mod_inverse() being
	  used without the constant time flag being set. Reported by Cesar

	  Pereida Garcia and Billy Brumley (Tampere University of Technology).
	  The fix was developed by Cesar Pereida Garcia.


	* iOS and MacOS compatibility updates from Simone Basso and Jacob
	  Berkman.


2.5.0 - New APIs, bug fixes and improvements

	* libtls now supports ALPN and SNI

	* libtls adds a new callback interface for integrating custom IO
	  functions. Thanks to Tobias Pape.

	* libtls now handles 4 cipher suite groups:
	    "secure" (TLSv1.2+AEAD+PFS)
	    "compat" (HIGH:!aNULL)
	    "legacy" (HIGH:MEDIUM:!aNULL)
	    "insecure" (ALL:!aNULL:!eNULL)

	    This allows for flexibility and finer grained control, rather than
	    having two extremes (an issue raised by Marko Kreen some time ago).

	* Tightened error handling for tls_config_set_ciphers().

	* libtls now always loads CA, key and certificate files at the time the
	  configuration function is called. This simplifies code and results in
	  a single memory based code path being used to provide data to libssl.

	* Add support for OCSP intermediate certificates.

	* Added functions used by stunnel and exim from BoringSSL - this
	  brings in X509_check_host, X509_check_email, X509_check_ip, and
	  X509_check_ip_asc.

	* Added initial support for iOS, thanks to Jacob Berkman.

	* Improved behavior of arc4random on Windows when using memory leak
	  analysis software.

	* Correctly handle an EOF that occurs prior to the TLS handshake
	  completing. Reported by Vasily Kolobkov, based on a diff from Marko
	  Kreen.

	* Limit the support of the "backward compatible" ssl2 handshake to
	  only be used if TLS 1.0 is enabled.

	* Fix incorrect results in certain cases on 64-bit systems when
	  BN_mod_word() can return incorrect results. BN_mod_word() now can
	  return an error condition. Thanks to Brian Smith.

	* Added constant-time updates to address CVE-2016-0702

	* Fixed undefined behavior in BN_GF2m_mod_arr()

	* Removed unused Cryptographic Message Support (CMS)

	* More conversions of long long idioms to time_t

	* Improved compatibility by avoiding printing NULL strings with
	  printf.

	* Reverted change that cleans up the EVP cipher context in
	  EVP_EncryptFinal() and EVP_DecryptFinal(). Some software relies on the
	  previous behaviour.

	* Avoid unbounded memory growth in libssl, which can be triggered by a
	  TLS client repeatedly renegotiating and sending OCSP Status Request
	  TLS extensions.

	* Avoid falling back to a weak digest for (EC)DH when using SNI with
	  libssl.

2.4.2 - Bug fixes and improvements

	* Fixed loading default certificate locations with openssl s_client.

	* Ensured OCSP only uses and compares GENERALIZEDTIME values as per
	  RFC6960. Also added fixes for OCSP to work with intermediate
	  certificates provided in responses.

	* Improved behavior of arc4random on Windows to not appear to leak
	  memory in debug tools, reduced privileges of allocated memory.

	* Fixed incorrect results from BN_mod_word() when the modulus is too

SUBDIRS = crypto ssl tls include apps tests man
ACLOCAL_AMFLAGS = -I m4

pkgconfigdir = $(libdir)/pkgconfig
pkgconfig_DATA = libcrypto.pc libssl.pc libtls.pc openssl.pc

EXTRA_DIST = README.md README.windows VERSION config scripts
EXTRA_DIST += CMakeLists.txt cmake_export_symbol.cmake cmake_uninstall.cmake.in

.PHONY: install_sw
install_sw: install

AM_CFLAGS =
AM_CPPFLAGS = -I$(top_srcdir)/include -I$(top_srcdir)/include/compat -DLIBRESSL_INTERNAL
AM_CPPFLAGS += -D__BEGIN_HIDDEN_DECLS= -D__END_HIDDEN_DECLS=

ETAGS = etags
CTAGS = ctags
CSCOPE = cscope
DIST_SUBDIRS = $(SUBDIRS)
am__DIST_COMMON = $(srcdir)/Makefile.in $(srcdir)/libcrypto.pc.in \
	$(srcdir)/libssl.pc.in $(srcdir)/libtls.pc.in \
	$(srcdir)/openssl.pc.in COPYING ChangeLog compile config.guess \
	config.sub install-sh ltmain.sh missing tap-driver.sh
DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
distdir = $(PACKAGE)-$(VERSION)
top_distdir = $(distdir)
am__remove_distdir = \
  if test -d "$(distdir)"; then \
    find "$(distdir)" -type d ! -perm -200 -exec chmod u+w {} ';' \
      && rm -rf "$(distdir)" \

ECHO_C = @ECHO_C@
ECHO_N = @ECHO_N@
ECHO_T = @ECHO_T@
EGREP = @EGREP@
EXEEXT = @EXEEXT@
FGREP = @FGREP@
GREP = @GREP@
HOSTARCH = @HOSTARCH@
INSTALL = @INSTALL@
INSTALL_DATA = @INSTALL_DATA@
INSTALL_PROGRAM = @INSTALL_PROGRAM@
INSTALL_SCRIPT = @INSTALL_SCRIPT@
INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
LD = @LD@
LDFLAGS = @LDFLAGS@

top_builddir = @top_builddir@
top_srcdir = @top_srcdir@
SUBDIRS = crypto ssl tls include apps tests man
ACLOCAL_AMFLAGS = -I m4
pkgconfigdir = $(libdir)/pkgconfig
pkgconfig_DATA = libcrypto.pc libssl.pc libtls.pc openssl.pc
EXTRA_DIST = README.md README.windows VERSION config scripts \
	CMakeLists.txt cmake_export_symbol.cmake \
	cmake_uninstall.cmake.in
all: all-recursive

.SUFFIXES:
am--refresh: Makefile
	@:
$(srcdir)/Makefile.in:  $(srcdir)/Makefile.am  $(am__configure_deps)
	@for dep in $?; do \

building LibreSSL. Please try it with a recent toolchain if you encounter
troubles. Cygwin provides an easy method of installing the latest mingw-w64
cross compilers on Windows.

To configure and build LibreSSL for a 32-bit system, use the following
build steps:

 CC=i686-w64-mingw32-gcc CPPFLAGS=-D__MINGW_USE_VC2005_COMPAT \
 ./configure --host=i686-w64-mingw32
 make
 make check

For 64-bit builds, use these instead:

 CC=x86_64-w64-mingw32-gcc ./configure --host=x86_64-w64-mingw32
 make
 make check

# Why the -D__MINGW_USE_VC2005_COMPAT flag on 32-bit systems?

An ABI change introduced with Microsoft Visual C++ 2005 (also known as
Visual C++ 8.0) switched time_t from 32-bit to 64-bit. It is important to
build LibreSSL with 64-bit time_t whenever possible, because 32-bit time_t
is unable to represent times past 2038 (this is commonly known as the
Y2K38 problem).

If LibreSSL is built with 32-bit time_t, when verifying a certificate whose
expiry date is set past 19 January 2038, it will be unable to tell if the
certificate has expired or not, and thus take the safe stance and reject it.

In order to avoid this, you need to build LibreSSL (and everything that links
with it) with the -D__MINGW_USE_VC2005_COMPAT flag. This tells mingw-w64 to
use the new ABI.

64-bit systems always have a 64-bit time_t and are not affected by this
problem.

# Using Libressl with Visual Studio

A script for generating ready-to-use .DLL and static .LIB files is included in
the source repository at
https://github.com/libressl-portable/portable/blob/master/dist-win.sh

2.5.5

add_subdirectory(ocspcheck)
add_subdirectory(openssl)
add_subdirectory(nc)

include $(top_srcdir)/Makefile.am.common

SUBDIRS = ocspcheck openssl nc

EXTRA_DIST = CMakeLists.txt

        fi; \
        dir0="$$dir0"/"$$first"; \
      fi; \
    fi; \
    dir1=`echo "$$dir1" | sed -e "$$sed_rest"`; \
  done; \
  reldir="$$dir2"
ACLOCAL = @ACLOCAL@
AMTAR = @AMTAR@
AM_DEFAULT_VERBOSITY = @AM_DEFAULT_VERBOSITY@
AR = @AR@
AUTOCONF = @AUTOCONF@
AUTOHEADER = @AUTOHEADER@
AUTOMAKE = @AUTOMAKE@
AWK = @AWK@
CC = @CC@
CCAS = @CCAS@
CCASDEPMODE = @CCASDEPMODE@
CCASFLAGS = @CCASFLAGS@
CCDEPMODE = @CCDEPMODE@
CFLAGS = @CFLAGS@

ECHO_C = @ECHO_C@
ECHO_N = @ECHO_N@
ECHO_T = @ECHO_T@
EGREP = @EGREP@
EXEEXT = @EXEEXT@
FGREP = @FGREP@
GREP = @GREP@
HOSTARCH = @HOSTARCH@
INSTALL = @INSTALL@
INSTALL_DATA = @INSTALL_DATA@
INSTALL_PROGRAM = @INSTALL_PROGRAM@
INSTALL_SCRIPT = @INSTALL_SCRIPT@
INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
LD = @LD@
LDFLAGS = @LDFLAGS@

srcdir = @srcdir@
sysconfdir = @sysconfdir@
target_alias = @target_alias@
top_build_prefix = @top_build_prefix@
top_builddir = @top_builddir@
top_srcdir = @top_srcdir@
AM_CFLAGS = 
AM_CPPFLAGS = -I$(top_srcdir)/include -I$(top_srcdir)/include/compat \
	-DLIBRESSL_INTERNAL -D__BEGIN_HIDDEN_DECLS= \
	-D__END_HIDDEN_DECLS=
SUBDIRS = ocspcheck openssl nc
EXTRA_DIST = CMakeLists.txt
all: all-recursive

.SUFFIXES:
$(srcdir)/Makefile.in:  $(srcdir)/Makefile.am $(top_srcdir)/Makefile.am.common $(am__configure_deps)
	@for dep in $?; do \
	  case '$(am__configure_deps)' in \

	add_definitions(-DDEFAULT_CA_FILE=\"${CMAKE_INSTALL_PREFIX}/etc/ssl/cert.pem\")
endif()

add_executable(nc ${NC_SRC})
target_link_libraries(nc tls ${OPENSSL_LIBS})

if(ENABLE_NC)
	install(TARGETS nc DESTINATION ${CMAKE_INSTALL_BINDIR})
	install(FILES nc.1 DESTINATION ${CMAKE_INSTALL_MANDIR}/man1)
endif()

endif()

include $(top_srcdir)/Makefile.am.common

if BUILD_NC

if ENABLE_NC
bin_PROGRAMS = nc
dist_man_MANS = nc.1
else
noinst_PROGRAMS = nc
endif

EXTRA_DIST = nc.1
EXTRA_DIST += CMakeLists.txt


nc_LDADD = $(abs_top_builddir)/crypto/libcrypto.la
nc_LDADD += $(abs_top_builddir)/ssl/libssl.la
nc_LDADD += $(abs_top_builddir)/tls/libtls.la
nc_LDADD += $(PLATFORM_LDADD) $(PROG_LDADD)

AM_CPPFLAGS += -I$(top_srcdir)/apps/nc/compat






nc_SOURCES = atomicio.c
nc_SOURCES += netcat.c
nc_SOURCES += socks.c
noinst_HEADERS = atomicio.h
noinst_HEADERS += compat/sys/socket.h

PRE_UNINSTALL = :
POST_UNINSTALL = :
build_triplet = @build@
host_triplet = @host@
@BUILD_NC_TRUE@@ENABLE_NC_TRUE@bin_PROGRAMS = nc$(EXEEXT)
@BUILD_NC_TRUE@@ENABLE_NC_FALSE@noinst_PROGRAMS = nc$(EXEEXT)
@BUILD_NC_TRUE@am__append_1 = -I$(top_srcdir)/apps/nc/compat


@BUILD_NC_TRUE@@HAVE_B64_NTOP_FALSE@am__append_2 = compat/base64.c
@BUILD_NC_TRUE@@HAVE_ACCEPT4_FALSE@am__append_3 = compat/accept4.c
@BUILD_NC_TRUE@@HAVE_READPASSPHRASE_FALSE@am__append_4 = compat/readpassphrase.c
@BUILD_NC_TRUE@@HAVE_STRTONUM_FALSE@am__append_5 = compat/strtonum.c
subdir = apps/nc
ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
am__aclocal_m4_deps = $(top_srcdir)/m4/check-hardening-options.m4 \
	$(top_srcdir)/m4/check-libc.m4 \
	$(top_srcdir)/m4/check-os-options.m4 \
	$(top_srcdir)/m4/disable-compiler-warnings.m4 \
	$(top_srcdir)/m4/libtool.m4 $(top_srcdir)/m4/ltoptions.m4 \
	$(top_srcdir)/m4/ltsugar.m4 $(top_srcdir)/m4/ltversion.m4 \
	$(top_srcdir)/m4/lt~obsolete.m4 $(top_srcdir)/configure.ac
am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
	$(ACLOCAL_M4)
DIST_COMMON = $(srcdir)/Makefile.am $(am__noinst_HEADERS_DIST) \
	$(am__DIST_COMMON)
mkinstalldirs = $(install_sh) -d
CONFIG_CLEAN_FILES =
CONFIG_CLEAN_VPATH_FILES =
am__installdirs = "$(DESTDIR)$(bindir)" "$(DESTDIR)$(man1dir)"
PROGRAMS = $(bin_PROGRAMS) $(noinst_PROGRAMS)
am__nc_SOURCES_DIST = atomicio.c netcat.c socks.c compat/socket.c \
	compat/base64.c compat/accept4.c compat/readpassphrase.c \
	compat/strtonum.c
am__dirstamp = $(am__leading_dot)dirstamp
@BUILD_NC_TRUE@@HAVE_B64_NTOP_FALSE@am__objects_1 =  \
@BUILD_NC_TRUE@@HAVE_B64_NTOP_FALSE@	compat/base64.$(OBJEXT)
@BUILD_NC_TRUE@@HAVE_ACCEPT4_FALSE@am__objects_2 =  \
@BUILD_NC_TRUE@@HAVE_ACCEPT4_FALSE@	compat/accept4.$(OBJEXT)
@BUILD_NC_TRUE@@HAVE_READPASSPHRASE_FALSE@am__objects_3 = compat/readpassphrase.$(OBJEXT)
@BUILD_NC_TRUE@@HAVE_STRTONUM_FALSE@am__objects_4 =  \
@BUILD_NC_TRUE@@HAVE_STRTONUM_FALSE@	compat/strtonum.$(OBJEXT)
@BUILD_NC_TRUE@am_nc_OBJECTS = atomicio.$(OBJEXT) netcat.$(OBJEXT) \
@BUILD_NC_TRUE@	socks.$(OBJEXT) compat/socket.$(OBJEXT) \
@BUILD_NC_TRUE@	$(am__objects_1) $(am__objects_2) \
@BUILD_NC_TRUE@	$(am__objects_3) $(am__objects_4)
nc_OBJECTS = $(am_nc_OBJECTS)
am__DEPENDENCIES_1 =
@BUILD_NC_TRUE@nc_DEPENDENCIES =  \

@BUILD_NC_TRUE@	$(abs_top_builddir)/crypto/libcrypto.la \
@BUILD_NC_TRUE@	$(abs_top_builddir)/ssl/libssl.la \
@BUILD_NC_TRUE@	$(abs_top_builddir)/tls/libtls.la \
@BUILD_NC_TRUE@	$(am__DEPENDENCIES_1) $(am__DEPENDENCIES_1)
AM_V_lt = $(am__v_lt_@AM_V@)
am__v_lt_ = $(am__v_lt_@AM_DEFAULT_V@)
am__v_lt_0 = --silent
am__v_lt_1 = 
AM_V_P = $(am__v_P_@AM_V@)
am__v_P_ = $(am__v_P_@AM_DEFAULT_V@)
am__v_P_0 = false

SOURCES = $(nc_SOURCES)
DIST_SOURCES = $(am__nc_SOURCES_DIST)
am__can_run_installinfo = \
  case $$AM_UPDATE_INFO_DIR in \
    n|no|NO) false;; \
    *) (install-info --version) >/dev/null 2>&1;; \
  esac
am__vpath_adj_setup = srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`;
am__vpath_adj = case $$p in \
    $(srcdir)/*) f=`echo "$$p" | sed "s|^$$srcdirstrip/||"`;; \
    *) f=$$p;; \
  esac;
am__strip_dir = f=`echo $$p | sed -e 's|^.*/||'`;
am__install_max = 40
am__nobase_strip_setup = \
  srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*|]/\\\\&/g'`
am__nobase_strip = \
  for p in $$list; do echo "$$p"; done | sed -e "s|$$srcdirstrip/||"
am__nobase_list = $(am__nobase_strip_setup); \
  for p in $$list; do echo "$$p $$p"; done | \
  sed "s| $$srcdirstrip/| |;"' / .*\//!s/ .*/ ./; s,\( .*\)/[^/]*$$,\1,' | \
  $(AWK) 'BEGIN { files["."] = "" } { files[$$2] = files[$$2] " " $$1; \
    if (++n[$$2] == $(am__install_max)) \
      { print $$2, files[$$2]; n[$$2] = 0; files[$$2] = "" } } \
    END { for (dir in files) print dir, files[dir] }'
am__base_list = \
  sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \
  sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g'
am__uninstall_files_from_dir = { \
  test -z "$$files" \
    || { test ! -d "$$dir" && test ! -f "$$dir" && test ! -r "$$dir"; } \
    || { echo " ( cd '$$dir' && rm -f" $$files ")"; \
         $(am__cd) "$$dir" && rm -f $$files; }; \
  }
man1dir = $(mandir)/man1
NROFF = nroff
MANS = $(dist_man_MANS)
am__noinst_HEADERS_DIST = atomicio.h compat/sys/socket.h
HEADERS = $(noinst_HEADERS)
am__tagged_files = $(HEADERS) $(SOURCES) $(TAGS_FILES) $(LISP)
# Read a list of newline-separated strings from the standard input,
# and print each of them once, without duplicates.  Input order is
# *not* preserved.
am__uniquify_input = $(AWK) '\

am__define_uniq_tagged_files = \
  list='$(am__tagged_files)'; \
  unique=`for i in $$list; do \
    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
  done | $(am__uniquify_input)`
ETAGS = etags
CTAGS = ctags
am__DIST_COMMON = $(dist_man_MANS) $(srcdir)/Makefile.in \
	$(top_srcdir)/Makefile.am.common $(top_srcdir)/depcomp
DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
ACLOCAL = @ACLOCAL@
AMTAR = @AMTAR@
AM_DEFAULT_VERBOSITY = @AM_DEFAULT_VERBOSITY@
AR = @AR@
AUTOCONF = @AUTOCONF@
AUTOHEADER = @AUTOHEADER@
AUTOMAKE = @AUTOMAKE@
AWK = @AWK@
CC = @CC@
CCAS = @CCAS@
CCASDEPMODE = @CCASDEPMODE@
CCASFLAGS = @CCASFLAGS@
CCDEPMODE = @CCDEPMODE@
CFLAGS = @CFLAGS@

ECHO_C = @ECHO_C@
ECHO_N = @ECHO_N@
ECHO_T = @ECHO_T@
EGREP = @EGREP@
EXEEXT = @EXEEXT@
FGREP = @FGREP@
GREP = @GREP@
HOSTARCH = @HOSTARCH@
INSTALL = @INSTALL@
INSTALL_DATA = @INSTALL_DATA@
INSTALL_PROGRAM = @INSTALL_PROGRAM@
INSTALL_SCRIPT = @INSTALL_SCRIPT@
INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
LD = @LD@
LDFLAGS = @LDFLAGS@

sysconfdir = @sysconfdir@
target_alias = @target_alias@
top_build_prefix = @top_build_prefix@
top_builddir = @top_builddir@
top_srcdir = @top_srcdir@
AM_CFLAGS = 
AM_CPPFLAGS = -I$(top_srcdir)/include -I$(top_srcdir)/include/compat \
	-DLIBRESSL_INTERNAL -D__BEGIN_HIDDEN_DECLS= \
	-D__END_HIDDEN_DECLS= $(am__append_1)
@BUILD_NC_TRUE@@ENABLE_NC_TRUE@dist_man_MANS = nc.1
@BUILD_NC_TRUE@EXTRA_DIST = nc.1 CMakeLists.txt
@BUILD_NC_TRUE@nc_LDADD = $(abs_top_builddir)/crypto/libcrypto.la \
@BUILD_NC_TRUE@	$(abs_top_builddir)/ssl/libssl.la \
@BUILD_NC_TRUE@	$(abs_top_builddir)/tls/libtls.la \
@BUILD_NC_TRUE@	$(PLATFORM_LDADD) $(PROG_LDADD)
@BUILD_NC_TRUE@nc_SOURCES = atomicio.c netcat.c socks.c \
@BUILD_NC_TRUE@	compat/socket.c $(am__append_2) $(am__append_3) \
@BUILD_NC_TRUE@	$(am__append_4) $(am__append_5)
@BUILD_NC_TRUE@noinst_HEADERS = atomicio.h compat/sys/socket.h
all: all-am

.SUFFIXES:
.SUFFIXES: .c .lo .o .obj
$(srcdir)/Makefile.in:  $(srcdir)/Makefile.am $(top_srcdir)/Makefile.am.common $(am__configure_deps)
	@for dep in $?; do \

@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LTCOMPILE) -c -o $@ $<

mostlyclean-libtool:
	-rm -f *.lo

clean-libtool:
	-rm -rf .libs _libs
install-man1: $(dist_man_MANS)
	@$(NORMAL_INSTALL)
	@list1=''; \
	list2='$(dist_man_MANS)'; \
	test -n "$(man1dir)" \
	  && test -n "`echo $$list1$$list2`" \
	  || exit 0; \
	echo " $(MKDIR_P) '$(DESTDIR)$(man1dir)'"; \
	$(MKDIR_P) "$(DESTDIR)$(man1dir)" || exit 1; \
	{ for i in $$list1; do echo "$$i"; done;  \
	if test -n "$$list2"; then \
	  for i in $$list2; do echo "$$i"; done \
	    | sed -n '/\.1[a-z]*$$/p'; \
	fi; \
	} | while read p; do \
	  if test -f $$p; then d=; else d="$(srcdir)/"; fi; \
	  echo "$$d$$p"; echo "$$p"; \
	done | \
	sed -e 'n;s,.*/,,;p;h;s,.*\.,,;s,^[^1][0-9a-z]*$$,1,;x' \
	      -e 's,\.[0-9a-z]*$$,,;$(transform);G;s,\n,.,' | \
	sed 'N;N;s,\n, ,g' | { \
	list=; while read file base inst; do \
	  if test "$$base" = "$$inst"; then list="$$list $$file"; else \
	    echo " $(INSTALL_DATA) '$$file' '$(DESTDIR)$(man1dir)/$$inst'"; \
	    $(INSTALL_DATA) "$$file" "$(DESTDIR)$(man1dir)/$$inst" || exit $$?; \
	  fi; \
	done; \
	for i in $$list; do echo "$$i"; done | $(am__base_list) | \
	while read files; do \
	  test -z "$$files" || { \
	    echo " $(INSTALL_DATA) $$files '$(DESTDIR)$(man1dir)'"; \
	    $(INSTALL_DATA) $$files "$(DESTDIR)$(man1dir)" || exit $$?; }; \
	done; }

uninstall-man1:
	@$(NORMAL_UNINSTALL)
	@list=''; test -n "$(man1dir)" || exit 0; \
	files=`{ for i in $$list; do echo "$$i"; done; \
	l2='$(dist_man_MANS)'; for i in $$l2; do echo "$$i"; done | \
	  sed -n '/\.1[a-z]*$$/p'; \
	} | sed -e 's,.*/,,;h;s,.*\.,,;s,^[^1][0-9a-z]*$$,1,;x' \
	      -e 's,\.[0-9a-z]*$$,,;$(transform);G;s,\n,.,'`; \
	dir='$(DESTDIR)$(man1dir)'; $(am__uninstall_files_from_dir)

ID: $(am__tagged_files)
	$(am__define_uniq_tagged_files); mkid -fID $$unique
tags: tags-am
TAGS: tags

tags-am: $(TAGS_DEPENDENCIES) $(am__tagged_files)

	    test -f "$(distdir)/$$file" \
	    || cp -p $$d/$$file "$(distdir)/$$file" \
	    || exit 1; \
	  fi; \
	done
check-am: all-am
check: check-am
all-am: Makefile $(PROGRAMS) $(MANS) $(HEADERS)
installdirs:
	for dir in "$(DESTDIR)$(bindir)" "$(DESTDIR)$(man1dir)"; do \
	  test -z "$$dir" || $(MKDIR_P) "$$dir"; \
	done
install: install-am
install-exec: install-exec-am
install-data: install-data-am
uninstall: uninstall-am

html-am:

info: info-am

info-am:

install-data-am: install-man

install-dvi: install-dvi-am

install-dvi-am:

install-exec-am: install-binPROGRAMS

install-html: install-html-am

install-html-am:

install-info: install-info-am

install-info-am:

install-man: install-man1

install-pdf: install-pdf-am

install-pdf-am:

install-ps: install-ps-am

pdf-am:

ps: ps-am

ps-am:

uninstall-am: uninstall-binPROGRAMS uninstall-man

uninstall-man: uninstall-man1

.MAKE: install-am install-strip

.PHONY: CTAGS GTAGS TAGS all all-am check check-am clean \
	clean-binPROGRAMS clean-generic clean-libtool \
	clean-noinstPROGRAMS cscopelist-am ctags ctags-am distclean \
	distclean-compile distclean-generic distclean-libtool \
	distclean-tags distdir dvi dvi-am html html-am info info-am \
	install install-am install-binPROGRAMS install-data \
	install-data-am install-dvi install-dvi-am install-exec \
	install-exec-am install-html install-html-am install-info \
	install-info-am install-man install-man1 install-pdf \
	install-pdf-am install-ps install-ps-am install-strip \
	installcheck installcheck-am installdirs maintainer-clean \
	maintainer-clean-generic mostlyclean mostlyclean-compile \
	mostlyclean-generic mostlyclean-libtool pdf pdf-am ps ps-am \
	tags tags-am uninstall uninstall-am uninstall-binPROGRAMS \
	uninstall-man uninstall-man1

.PRECIOUS: Makefile


# Tell versions [3.59,3.63) of GNU make to not export all variables.
# Otherwise a system limit (for SysV at least) may be exceeded.
.NOEXPORT:

/* $OpenBSD: atomicio.c,v 1.11 2012/12/04 02:24:47 deraadt Exp $ */
/*
 * Copyright (c) 2006 Damien Miller. All rights reserved.
 * Copyright (c) 2005 Anil Madhavapeddy. All rights reserved.
 * Copyright (c) 1995,1999 Theo de Raadt.  All rights reserved.
 * All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without

/* $OpenBSD: atomicio.h,v 1.2 2007/09/07 14:50:44 tobias Exp $ */

/*
 * Copyright (c) 2006 Damien Miller.  All rights reserved.
 * Copyright (c) 1995,1999 Theo de Raadt.  All rights reserved.
 * All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without

/*	$OpenBSD: strtonum.c,v 1.8 2015/09/13 08:31:48 guenther Exp $	*/

/*
 * Copyright (c) 2004 Ted Unangst and Todd Miller
 * All rights reserved.
 *
 * Permission to use, copy, modify, and distribute this software for any
 * purpose with or without fee is hereby granted, provided that the above

.\"     $OpenBSD: nc.1,v 1.82 2017/02/09 20:15:59 jca Exp $
.\"
.\" Copyright (c) 1996 David Sacerdote
.\" All rights reserved.
.\"
.\" Redistribution and use in source and binary forms, with or without
.\" modification, are permitted provided that the following conditions
.\" are met:

.\" INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
.\" DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
.\" THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
.\"
.Dd $Mdocdate: February 9 2017 $
.Dt NC 1
.Os
.Sh NAME
.Nm nc
.Nd arbitrary TCP and UDP connections and listens
.Sh SYNOPSIS
.Nm nc
.Op Fl 46cDdFhklNnrStUuvz
.Op Fl C Ar certfile
.Op Fl e Ar name
.Op Fl H Ar hash
.Op Fl I Ar length
.Op Fl i Ar interval
.Op Fl K Ar keyfile
.Op Fl M Ar ttl
.Op Fl m Ar minttl
.Op Fl O Ar length
.Op Fl o Ar staplefile
.Op Fl P Ar proxy_username
.Op Fl p Ar source_port
.Op Fl R Ar CAfile
.Op Fl s Ar source
.Op Fl T Ar keyword
.Op Fl V Ar rtable
.Op Fl w Ar timeout

the network socket after EOF on the input.
Some servers require this to finish their work.
.It Fl n
Do not do any DNS or service lookups on any specified addresses,
hostnames or ports.
.It Fl O Ar length
Specifies the size of the TCP send buffer.
.It Fl o Ar staplefile
Specifies the filename from which to load data to be stapled
during the TLS handshake.
The file is expected to contain an OCSP response from an OCSP server in
DER format.
May only be used with TLS and when a certificate is being used.
.It Fl P Ar proxy_username
Specifies a username to present to a proxy server that requires authentication.
If no username is specified then authentication will not be attempted.
Proxy authentication is only supported for HTTP CONNECT proxies at present.
.It Fl p Ar source_port
Specifies the source port
.Nm

.Fl l
option.
.It Fl T Ar keyword
Change IPv4 TOS value or TLS options.
For TLS options
.Ar keyword
may be one of
.Ar tlsall ;
which allows the use of all supported TLS protocols and ciphers,
.Ar noverify ;
which disables certificate verification;
.Ar noname ,
which disables certificate name checking;
.Ar clientcert ,
which requires a client certificate on incoming connections; or
.Ar muststaple ,
which requires the peer to provide a valid stapled OCSP response
with the handshake.
It is illegal to specify TLS options if not using TLS.
.Pp
For IPv4 TOS value
.Ar keyword
may be one of
.Ar critical ,
.Ar inetcontrol ,

.Ar proxy_address
and
.Ar port .
If
.Ar port
is not specified, the well-known port for the proxy protocol is used (1080
for SOCKS, 3128 for HTTPS).
An IPv6 address can be specified unambiguously by enclosing
.Ar proxy_address
in square brackets.
.It Fl z
Specifies that
.Nm
should just scan for listening daemons, without sending any data to them.
It is an error to use this option in conjunction with the
.Fl l
option.

/* $OpenBSD: netcat.c,v 1.178 2017/03/09 13:58:00 bluhm Exp $ */
/*
 * Copyright (c) 2001 Eric Jackson <ericj@monkey.org>
 * Copyright (c) 2015 Bob Beck.  All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
 * are met:

#define POLL_NETIN 2
#define POLL_STDOUT 3
#define BUFSIZE 16384
#ifndef DEFAULT_CA_FILE
#define DEFAULT_CA_FILE "/etc/ssl/cert.pem"
#endif

#define TLS_ALL	(1 << 1)
#define TLS_NOVERIFY	(1 << 2)
#define TLS_NONAME	(1 << 3)
#define TLS_CCERT	(1 << 4)
#define TLS_MUSTSTAPLE	(1 << 5)

/* Command Line Options */
int	dflag;					/* detached, no stdin */
int	Fflag;					/* fdpass sock to stdout */
unsigned int iflag;				/* Interval Flag */
int	kflag;					/* More than one connect */
int	lflag;					/* Bind to local port */

#ifdef SO_RTABLE
int	rtableid = -1;
#endif

int	usetls;					/* use TLS */
char    *Cflag;					/* Public cert file */
char    *Kflag;					/* Private key file */
char    *oflag;					/* OCSP stapling file */
char    *Rflag = DEFAULT_CA_FILE;		/* Root CA file */
int	tls_cachanged;				/* Using non-default CA file */
int     TLSopt;					/* TLS options */
char	*tls_expectname;			/* required name in peer cert */
char	*tls_expecthash;			/* required hash of peer cert */







int timeout = -1;
int family = AF_UNSPEC;
char *portlist[PORT_MAX+1];
char *unix_dg_tmp_socket;
int ttl = -1;
int minttl = -1;

void	atelnet(int, unsigned char *, unsigned int);
void	build_ports(char *);
void	help(void);
int	local_listen(char *, char *, struct addrinfo);
void	readwrite(int, struct tls *);
void	fdpass(int nfd) __attribute__((noreturn));
int	remote_connect(const char *, const char *, struct addrinfo);
int	timeout_tls(int, struct tls *, int (*)(struct tls *));
int	timeout_connect(int, const struct sockaddr *, socklen_t);
int	socks_connect(const char *, const char *, struct addrinfo,
	    const char *, const char *, struct addrinfo, int, const char *);
int	udptest(int);
int	unix_bind(char *, int);
int	unix_connect(char *);
int	unix_listen(char *);

{
	int ch, s = -1, ret, socksv;
	char *host, *uport;
	struct addrinfo hints;
	struct servent *sv;
	socklen_t len;
	struct sockaddr_storage cliaddr;
	char *proxy = NULL, *proxyport = NULL;
	const char *errstr;
	struct addrinfo proxyhints;
	char unix_dg_tmp_socket_buf[UNIX_DG_TMP_SOCKET_SIZE];
	struct tls_config *tls_cfg = NULL;
	struct tls *tls_ctx = NULL;

	ret = 1;
	socksv = 5;
	host = NULL;
	uport = NULL;
	sv = NULL;

	signal(SIGPIPE, SIG_IGN);

	while ((ch = getopt(argc, argv,
	    "46C:cDde:FH:hI:i:K:klM:m:NnO:o:P:p:R:rSs:T:tUuV:vw:X:x:z")) != -1) {
		switch (ch) {
		case '4':
			family = AF_INET;
			break;
		case '6':
			family = AF_INET6;
			break;

			break;
		case 'O':
			Oflag = strtonum(optarg, 1, 65536 << 14, &errstr);
			if (errstr != NULL)
				errx(1, "TCP send window %s: %s",
				    errstr, optarg);
			break;
		case 'o':
			oflag = optarg;
			break;
#ifdef TCP_MD5SIG
		case 'S':
			Sflag = 1;
			break;
#endif
		case 'T':
			errstr = NULL;

		errx(1, "cannot use -c and -F");
	if (TLSopt && !usetls)
		errx(1, "you must specify -c to use TLS options");
	if (Cflag && !usetls)
		errx(1, "you must specify -c to use -C");
	if (Kflag && !usetls)
		errx(1, "you must specify -c to use -K");
	if (oflag && !Cflag)
		errx(1, "you must specify -C to use -o");
	if (tls_cachanged && !usetls)
		errx(1, "you must specify -c to use -R");
	if (tls_expecthash && !usetls)
		errx(1, "you must specify -c to use -H");
	if (tls_expectname && !usetls)
		errx(1, "you must specify -c to use -e");

		if (lflag)
			errx(1, "no proxy support for listen");

		if (family == AF_UNIX)
			errx(1, "no proxy support for unix sockets");


		if (sflag)
			errx(1, "no proxy support for local source address");

		if (*proxy == '[') {
			++proxy;
			proxyport = strchr(proxy, ']');
			if (proxyport == NULL)
				errx(1, "missing closing bracket in proxy");
			*proxyport++ = '\0';
			if (*proxyport == '\0')
				/* Use default proxy port. */
				proxyport = NULL;
			else {
				if (*proxyport == ':')
					++proxyport;
				else
					errx(1, "garbage proxy port delimiter");
			}
		} else {
			proxyport = strrchr(proxy, ':');
			if (proxyport != NULL)
				*proxyport++ = '\0';
		}

		memset(&proxyhints, 0, sizeof(struct addrinfo));
		proxyhints.ai_family = family;
		proxyhints.ai_socktype = SOCK_STREAM;
		proxyhints.ai_protocol = IPPROTO_TCP;
		if (nflag)
			proxyhints.ai_flags |= AI_NUMERICHOST;
	}

	if (usetls) {







		if (Pflag) {
			if (pledge("stdio inet dns tty rpath", NULL) == -1)
				err(1, "pledge");
		} else if (pledge("stdio inet dns rpath", NULL) == -1)
			err(1, "pledge");

		if (tls_init() == -1)
			errx(1, "unable to initialize TLS");
		if ((tls_cfg = tls_config_new()) == NULL)
			errx(1, "unable to allocate TLS config");
		if (Rflag && tls_config_set_ca_file(tls_cfg, Rflag) == -1)
			errx(1, "%s", tls_config_error(tls_cfg));
		if (Cflag && tls_config_set_cert_file(tls_cfg, Cflag) == -1)
			errx(1, "%s", tls_config_error(tls_cfg));
		if (Kflag && tls_config_set_key_file(tls_cfg, Kflag) == -1)
			errx(1, "%s", tls_config_error(tls_cfg));
		if (oflag && tls_config_set_ocsp_staple_file(tls_cfg, oflag) == -1)
			errx(1, "%s", tls_config_error(tls_cfg));
		if (TLSopt & TLS_ALL) {
			if (tls_config_set_protocols(tls_cfg,
			    TLS_PROTOCOLS_ALL) != 0)
				errx(1, "%s", tls_config_error(tls_cfg));
			if (tls_config_set_ciphers(tls_cfg, "all") != 0)
				errx(1, "%s", tls_config_error(tls_cfg));
		}
		if (!lflag && (TLSopt & TLS_CCERT))
			errx(1, "clientcert is only valid with -l");
		if (TLSopt & TLS_NONAME)
			tls_config_insecure_noverifyname(tls_cfg);
		if (TLSopt & TLS_NOVERIFY) {
			if (tls_expecthash != NULL)
				errx(1, "-H and -T noverify may not be used"
				    "together");
			tls_config_insecure_noverifycert(tls_cfg);

		}
		if (TLSopt & TLS_MUSTSTAPLE)
			tls_config_ocsp_require_stapling(tls_cfg);

		if (Pflag) {
			if (pledge("stdio inet dns tty", NULL) == -1)
				err(1, "pledge");
		} else if (pledge("stdio inet dns", NULL) == -1)
			err(1, "pledge");
	}
	if (lflag) {
		struct tls *tls_cctx = NULL;
		int connfd;
		ret = 0;

		if (family == AF_UNIX) {

					    family == AF_UNIX ? host : NULL);
				if ((usetls) &&
				    (tls_cctx = tls_setup_server(tls_ctx, connfd, host)))
					readwrite(connfd, tls_cctx);
				if (!usetls)
					readwrite(connfd, NULL);
				if (tls_cctx) {

					timeout_tls(s, tls_cctx, tls_close);




					tls_free(tls_cctx);
					tls_cctx = NULL;
				}
				close(connfd);
			}
			if (family != AF_UNIX)
				close(s);
			else if (uflag) {
				if (connect(s, NULL, 0) < 0)
					err(1, "connect");
			}

			if (!kflag)
				break;
		}
	} else if (family == AF_UNIX) {
		ret = 0;

		if ((s = unix_connect(host)) > 0) {
			if (!zflag)
				readwrite(s, NULL);
			close(s);
		} else
			ret = 1;

		if (uflag)
			unlink(unix_dg_tmp_socket);
		exit(ret);

					errx(1, "tls client creation failed");
				if (tls_configure(tls_ctx, tls_cfg) == -1)
					errx(1, "tls configuration failed (%s)",
					    tls_error(tls_ctx));
			}
			if (xflag)
				s = socks_connect(host, portlist[i], hints,
				    proxy, proxyport, proxyhints, socksv,
				    Pflag);
			else
				s = remote_connect(host, portlist[i], hints);

			if (s == -1)
				continue;

				fdpass(s);
			else {
				if (usetls)
					tls_setup_client(tls_ctx, s, host);
				if (!zflag)
					readwrite(s, tls_ctx);
				if (tls_ctx) {



					timeout_tls(s, tls_ctx, tls_close);


					tls_free(tls_ctx);
					tls_ctx = NULL;
				}
			}
		}
	}

		save_errno = errno;
		close(s);
		errno = save_errno;
		return (-1);
	}
	return (s);
}

int
timeout_tls(int s, struct tls *tls_ctx, int (*func)(struct tls *))
{
	struct pollfd pfd;
	int ret;

	while ((ret = (*func)(tls_ctx)) != 0) {
		if (ret == TLS_WANT_POLLIN)
			pfd.events = POLLIN;
		else if (ret == TLS_WANT_POLLOUT)
			pfd.events = POLLOUT;
		else
			break;
		pfd.fd = s;
		if ((ret = poll(&pfd, 1, timeout)) == 1)
			continue;
		else if (ret == 0) {
			errno = ETIMEDOUT;
			ret = -1;
			break;
		} else
			err(1, "poll failed");
	}

	return (ret);
}

void
tls_setup_client(struct tls *tls_ctx, int s, char *host)
{
	const char *errstr;

	if (tls_connect_socket(tls_ctx, s,
		tls_expectname ? tls_expectname : host) == -1) {
		errx(1, "tls connection failed (%s)",
		    tls_error(tls_ctx));
	}
	if (timeout_tls(s, tls_ctx, tls_handshake) == -1) {
		if ((errstr = tls_error(tls_ctx)) == NULL)
			errstr = strerror(errno);
		errx(1, "tls handshake failed (%s)", errstr);


	}
	if (vflag)
		report_tls(tls_ctx, host, tls_expectname);
	if (tls_expecthash && tls_peer_cert_hash(tls_ctx) &&
	    strcmp(tls_expecthash, tls_peer_cert_hash(tls_ctx)) != 0)
		errx(1, "peer certificate is not %s", tls_expecthash);
}

struct tls *
tls_setup_server(struct tls *tls_ctx, int connfd, char *host)
{
	struct tls *tls_cctx;
	const char *errstr;

	if (tls_accept_socket(tls_ctx, &tls_cctx, connfd) == -1) {

		warnx("tls accept failed (%s)", tls_error(tls_ctx));
	} else if (timeout_tls(connfd, tls_cctx, tls_handshake) == -1) {
		if ((errstr = tls_error(tls_cctx)) == NULL)



			errstr = strerror(errno);


		warnx("tls handshake failed (%s)", errstr);


	} else {

		int gotcert = tls_peer_cert_provided(tls_cctx);

		if (vflag && gotcert)
			report_tls(tls_cctx, host, tls_expectname);
		if ((TLSopt & TLS_CCERT) && !gotcert)
			warnx("No client certificate provided");
		else if (gotcert && tls_peer_cert_hash(tls_ctx) && tls_expecthash &&

 * Returns a socket connected to a remote host. Properly binds to a local
 * port or source address if needed. Returns -1 on failure.
 */
int
remote_connect(const char *host, const char *port, struct addrinfo hints)
{
	struct addrinfo *res, *res0;
	int s = -1, error, save_errno;
#ifdef SO_BINDANY
	int on = 1;
#endif

	if ((error = getaddrinfo(host, port, &hints, &res0)))
		errx(1, "getaddrinfo for host \"%s\" port %s: %s", host,
		    port, gai_strerror(error));

	for (res = res0; res; res = res->ai_next) {

		if ((s = socket(res->ai_family, res->ai_socktype |
		    SOCK_NONBLOCK, res->ai_protocol)) < 0)
			continue;

		/* Bind to a local port or source address if specified. */
		if (sflag || pflag) {
			struct addrinfo ahints, *ares;

#ifdef SO_BINDANY
			/* try SO_BINDANY, but don't insist */
			setsockopt(s, SOL_SOCKET, SO_BINDANY, &on, sizeof(on));
#endif
			memset(&ahints, 0, sizeof(struct addrinfo));
			ahints.ai_family = res->ai_family;
			ahints.ai_socktype = uflag ? SOCK_DGRAM : SOCK_STREAM;
			ahints.ai_protocol = uflag ? IPPROTO_UDP : IPPROTO_TCP;
			ahints.ai_flags = AI_PASSIVE;
			if ((error = getaddrinfo(sflag, pflag, &ahints, &ares)))
				errx(1, "getaddrinfo: %s", gai_strerror(error));

			if (bind(s, (struct sockaddr *)ares->ai_addr,
			    ares->ai_addrlen) < 0)
				err(1, "bind failed");
			freeaddrinfo(ares);
		}

		set_common_sockopts(s, res->ai_family);

		if (timeout_connect(s, res->ai_addr, res->ai_addrlen) == 0)
			break;
		if (vflag)
			warn("connect to %s port %s (%s) failed", host, port,
			    uflag ? "udp" : "tcp");

		save_errno = errno;
		close(s);
		errno = save_errno;
		s = -1;

	}

	freeaddrinfo(res0);

	return (s);
}

int
timeout_connect(int s, const struct sockaddr *name, socklen_t namelen)
{

 * Returns a socket listening on a local port, binds to specified source
 * address. Returns -1 on failure.
 */
int
local_listen(char *host, char *port, struct addrinfo hints)
{
	struct addrinfo *res, *res0;
	int s = -1, save_errno;
#ifdef SO_REUSEPORT
	int ret, x = 1;
#endif
	int error;

	/* Allow nodename to be null. */
	hints.ai_flags |= AI_PASSIVE;

	/*
	 * In the case of binding to a wildcard address
	 * default to binding to an ipv4 address.
	 */
	if (host == NULL && hints.ai_family == AF_UNSPEC)
		hints.ai_family = AF_INET;

	if ((error = getaddrinfo(host, port, &hints, &res0)))
		errx(1, "getaddrinfo: %s", gai_strerror(error));

	for (res = res0; res; res = res->ai_next) {

		if ((s = socket(res->ai_family, res->ai_socktype,
		    res->ai_protocol)) < 0)
			continue;

#ifdef SO_REUSEPORT
		ret = setsockopt(s, SOL_SOCKET, SO_REUSEPORT, &x, sizeof(x));
		if (ret == -1)
			err(1, NULL);
#endif

		set_common_sockopts(s, res->ai_family);

		if (bind(s, (struct sockaddr *)res->ai_addr,
		    res->ai_addrlen) == 0)
			break;

		save_errno = errno;
		close(s);
		errno = save_errno;
		s = -1;

	}

	if (!uflag && s != -1) {
		if (listen(s, 1) < 0)
			err(1, "listen");
	}

	freeaddrinfo(res0);

	return (s);
}

/*
 * readwrite()
 * Loop that polls on the network file descriptor and stdin.

	/* stdout */
	pfd[POLL_STDOUT].fd = stdout_fd;
	pfd[POLL_STDOUT].events = 0;

	while (1) {
		/* both inputs are gone, buffers are empty, we are done */
		if (pfd[POLL_STDIN].fd == -1 && pfd[POLL_NETIN].fd == -1 &&
		    stdinbufpos == 0 && netinbufpos == 0)

			return;

		/* both outputs are gone, we can't continue */
		if (pfd[POLL_NETOUT].fd == -1 && pfd[POLL_STDOUT].fd == -1)

			return;

		/* listen and net in gone, queues empty, done */
		if (lflag && pfd[POLL_NETIN].fd == -1 &&
		    stdinbufpos == 0 && netinbufpos == 0)

			return;


		/* help says -i is for "wait between lines sent". We read and
		 * write arbitrary amounts of data, and we don't want to start
		 * scanning for newlines, so this is as good as it gets */
		if (iflag)
			sleep(iflag);

		/* poll */
		num_fds = poll(pfd, 4, timeout);

		/* treat poll errors */
		if (num_fds == -1)

			err(1, "polling error");


		/* timeout happened */
		if (num_fds == 0)
			return;

		/* treat socket error conditions */
		for (n = 0; n < 4; n++) {

int
map_tls(char *s, int *val)
{
	const struct tlskeywords {
		const char	*keyword;
		int		 val;
	} *t, tlskeywords[] = {
		{ "tlsall",		TLS_ALL },
		{ "noverify",		TLS_NOVERIFY },
		{ "noname",		TLS_NONAME },
		{ "clientcert",		TLS_CCERT},
		{ "muststaple",		TLS_MUSTSTAPLE},
		{ NULL,			-1 },
	};

	for (t = tlskeywords; t->keyword != NULL; t++) {
		if (strcmp(s, t->keyword) == 0) {
			*val |= t->val;
			return (1);
		}
	}
	return (0);
}

void
report_tls(struct tls * tls_ctx, char * host, char *tls_expectname)
{
	time_t t;
	const char *ocsp_url;

	fprintf(stderr, "TLS handshake negotiated %s/%s with host %s\n",
	    tls_conn_version(tls_ctx), tls_conn_cipher(tls_ctx), host);
	fprintf(stderr, "Peer name: %s\n",
	    tls_expectname ? tls_expectname : host);
	if (tls_peer_cert_subject(tls_ctx))
		fprintf(stderr, "Subject: %s\n",
		    tls_peer_cert_subject(tls_ctx));
	if (tls_peer_cert_issuer(tls_ctx))
		fprintf(stderr, "Issuer: %s\n",
		    tls_peer_cert_issuer(tls_ctx));
	if ((t = tls_peer_cert_notbefore(tls_ctx)) != -1)
		fprintf(stderr, "Valid From: %s", ctime(&t));
	if ((t = tls_peer_cert_notafter(tls_ctx)) != -1)
		fprintf(stderr, "Valid Until: %s", ctime(&t));
	if (tls_peer_cert_hash(tls_ctx))
		fprintf(stderr, "Cert Hash: %s\n",
		    tls_peer_cert_hash(tls_ctx));
	ocsp_url = tls_peer_ocsp_url(tls_ctx);
	if (ocsp_url != NULL)
		fprintf(stderr, "OCSP URL: %s\n", ocsp_url);
	switch (tls_peer_ocsp_response_status(tls_ctx)) {
	case TLS_OCSP_RESPONSE_SUCCESSFUL:
		fprintf(stderr, "OCSP Stapling: %s\n",
		    tls_peer_ocsp_result(tls_ctx) == NULL ?  "" :
		    tls_peer_ocsp_result(tls_ctx));
		fprintf(stderr,
		    "  response_status=%d cert_status=%d crl_reason=%d\n",
		    tls_peer_ocsp_response_status(tls_ctx),
		    tls_peer_ocsp_cert_status(tls_ctx),
		    tls_peer_ocsp_crl_reason(tls_ctx));
		t = tls_peer_ocsp_this_update(tls_ctx);
		fprintf(stderr, "  this update: %s",
		    t != -1 ? ctime(&t) : "\n");
		t =  tls_peer_ocsp_next_update(tls_ctx);
		fprintf(stderr, "  next update: %s",
		    t != -1 ? ctime(&t) : "\n");
		t =  tls_peer_ocsp_revocation_time(tls_ctx);
		fprintf(stderr, "  revocation: %s",
		    t != -1 ? ctime(&t) : "\n");
		break;
	case -1:
		break;
	default:
		fprintf(stderr, "OCSP Stapling:  failure - response_status %d (%s)\n",
		    tls_peer_ocsp_response_status(tls_ctx),
		    tls_peer_ocsp_result(tls_ctx) == NULL ?  "" :
		    tls_peer_ocsp_result(tls_ctx));
		break;

	}
}

void
report_connect(const struct sockaddr *sa, socklen_t salen, char *path)
{
	char remote_host[NI_MAXHOST];
	char remote_port[NI_MAXSERV];

	\t-k		Keep inbound sockets open for multiple connects\n\
	\t-l		Listen mode, for inbound connects\n\
	\t-M ttl		Outgoing TTL / Hop Limit\n\
	\t-m minttl	Minimum incoming TTL / Hop Limit\n\
	\t-N		Shutdown the network socket after EOF on stdin\n\
	\t-n		Suppress name/port resolutions\n\
	\t-O length	TCP send buffer length\n\
	\t-o staplefile	Staple file\n\
	\t-P proxyuser\tUsername for proxy authentication\n\
	\t-p port\t	Specify local port for remote connects\n\
	\t-R CAfile	CA bundle\n\
	\t-r		Randomize remote ports\n"
#ifdef TCP_MD5SIG
	"\
	\t-S		Enable the TCP MD5 signature option\n"
#endif
	"\
	\t-s source	Local source address\n\
	\t-T keyword	TOS value or TLS options\n\
	\t-t		Answer TELNET negotiation\n\
	\t-U		Use UNIX domain socket\n\
	\t-u		UDP mode\n"
#ifdef SO_RTABLE
	"\
	\t-V rtable	Specify alternate routing table\n"
#endif
	"\
	\t-v		Verbose\n\
	\t-w timeout	Timeout for connects and final net reads\n\
	\t-X proto	Proxy protocol: \"4\", \"5\" (SOCKS) or \"connect\"\n\
	\t-x addr[:port]\tSpecify proxy address and port\n\
	\t-z		Zero-I/O mode [used for scanning]\n\
	Port numbers can be individual or ranges: lo-hi [inclusive]\n");
	exit(1);
}

void
usage(int ret)
{
	fprintf(stderr,
	    "usage: nc [-46cDdFhklNnrStUuvz] [-C certfile] [-e name] "
	    "[-H hash] [-I length]\n"
	    "\t  [-i interval] [-K keyfile] [-M ttl] [-m minttl] [-O length]\n"
	    "\t  [-o staplefile] [-P proxy_username] [-p source_port] "
	    "[-R CAfile]\n"
	    "\t  [-s source] [-T keyword] [-V rtable] [-w timeout] "
	    "[-X proxy_protocol]\n"
	    "\t  [-x proxy_address[:port]] [destination] [port]\n");
	if (ret)
		exit(1);
}

/*	$OpenBSD: socks.c,v 1.24 2016/06/27 14:43:04 deraadt Exp $	*/

/*
 * Copyright (c) 1999 Niklas Hallqvist.  All rights reserved.
 * Copyright (c) 2004, 2005 Damien Miller.  All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions

if(NOT MSVC)

include_directories(
	.
	./compat
	../../include
	../../include/compat
)

set(
	OCSPCHECK_SRC
	http.c
	ocspcheck.c
)

check_function_exists(inet_ntop HAVE_INET_NTOP)
if(HAVE_INET_NTOP)
        add_definitions(-DHAVE_INET_NTOP)
else()
        set(OCSPCHECK_SRC ${OCSPCHECK_SRC} compat/inet_ntop.c)
endif()

check_function_exists(inet_ntop HAVE_MEMMEM)
if(HAVE_MEMMEM)
        add_definitions(-DHAVE_MEMMEM)
else()
        set(OCSPCHECK_SRC ${OCSPCHECK_SRC} compat/memmem.c)
endif()

if(NOT "${OPENSSLDIR}" STREQUAL "")
	add_definitions(-DDEFAULT_CA_FILE=\"${OPENSSLDIR}/cert.pem\")
else()
	add_definitions(-DDEFAULT_CA_FILE=\"${CMAKE_INSTALL_PREFIX}/etc/ssl/cert.pem\")
endif()

add_executable(ocspcheck ${OCSPCHECK_SRC})
target_link_libraries(ocspcheck tls ${OPENSSL_LIBS})

install(TARGETS ocspcheck DESTINATION ${CMAKE_INSTALL_BINDIR})
install(FILES ocspcheck.8 DESTINATION ${CMAKE_INSTALL_MANDIR}/man8)

endif()

include $(top_srcdir)/Makefile.am.common

bin_PROGRAMS = ocspcheck

EXTRA_DIST = ocspcheck.8
EXTRA_DIST += CMakeLists.txt

ocspcheck_LDADD = $(abs_top_builddir)/crypto/libcrypto.la
ocspcheck_LDADD += $(abs_top_builddir)/ssl/libssl.la
ocspcheck_LDADD += $(abs_top_builddir)/tls/libtls.la
ocspcheck_LDADD += $(PLATFORM_LDADD) $(PROG_LDADD)

ocspcheck_SOURCES = http.c
ocspcheck_SOURCES += ocspcheck.c
noinst_HEADERS = http.h

if !HAVE_INET_NTOP
ocspcheck_SOURCES += compat/inet_ntop.c
endif

if !HAVE_MEMMEM
ocspcheck_SOURCES += compat/memmem.c
endif

# Makefile.in generated by automake 1.15 from Makefile.am.
# @configure_input@

# Copyright (C) 1994-2014 Free Software Foundation, Inc.

# This Makefile.in is free software; the Free Software Foundation
# gives unlimited permission to copy and/or distribute it,
# with or without modifications, as long as this notice is preserved.

# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY, to the extent permitted by law; without
# even the implied warranty of MERCHANTABILITY or FITNESS FOR A
# PARTICULAR PURPOSE.

@SET_MAKE@


VPATH = @srcdir@
am__is_gnu_make = { \
  if test -z '$(MAKELEVEL)'; then \
    false; \
  elif test -n '$(MAKE_HOST)'; then \
    true; \
  elif test -n '$(MAKE_VERSION)' && test -n '$(CURDIR)'; then \
    true; \
  else \
    false; \
  fi; \
}
am__make_running_with_option = \
  case $${target_option-} in \
      ?) ;; \
      *) echo "am__make_running_with_option: internal error: invalid" \
              "target option '$${target_option-}' specified" >&2; \
         exit 1;; \
  esac; \
  has_opt=no; \
  sane_makeflags=$$MAKEFLAGS; \
  if $(am__is_gnu_make); then \
    sane_makeflags=$$MFLAGS; \
  else \
    case $$MAKEFLAGS in \
      *\\[\ \	]*) \
        bs=\\; \
        sane_makeflags=`printf '%s\n' "$$MAKEFLAGS" \
          | sed "s/$$bs$$bs[$$bs $$bs	]*//g"`;; \
    esac; \
  fi; \
  skip_next=no; \
  strip_trailopt () \
  { \
    flg=`printf '%s\n' "$$flg" | sed "s/$$1.*$$//"`; \
  }; \
  for flg in $$sane_makeflags; do \
    test $$skip_next = yes && { skip_next=no; continue; }; \
    case $$flg in \
      *=*|--*) continue;; \
        -*I) strip_trailopt 'I'; skip_next=yes;; \
      -*I?*) strip_trailopt 'I';; \
        -*O) strip_trailopt 'O'; skip_next=yes;; \
      -*O?*) strip_trailopt 'O';; \
        -*l) strip_trailopt 'l'; skip_next=yes;; \
      -*l?*) strip_trailopt 'l';; \
      -[dEDm]) skip_next=yes;; \
      -[JT]) skip_next=yes;; \
    esac; \
    case $$flg in \
      *$$target_option*) has_opt=yes; break;; \
    esac; \
  done; \
  test $$has_opt = yes
am__make_dryrun = (target_option=n; $(am__make_running_with_option))
am__make_keepgoing = (target_option=k; $(am__make_running_with_option))
pkgdatadir = $(datadir)/@PACKAGE@
pkgincludedir = $(includedir)/@PACKAGE@
pkglibdir = $(libdir)/@PACKAGE@
pkglibexecdir = $(libexecdir)/@PACKAGE@
am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd
install_sh_DATA = $(install_sh) -c -m 644
install_sh_PROGRAM = $(install_sh) -c
install_sh_SCRIPT = $(install_sh) -c
INSTALL_HEADER = $(INSTALL_DATA)
transform = $(program_transform_name)
NORMAL_INSTALL = :
PRE_INSTALL = :
POST_INSTALL = :
NORMAL_UNINSTALL = :
PRE_UNINSTALL = :
POST_UNINSTALL = :
build_triplet = @build@
host_triplet = @host@
bin_PROGRAMS = ocspcheck$(EXEEXT)
@HAVE_INET_NTOP_FALSE@am__append_1 = compat/inet_ntop.c
@HAVE_MEMMEM_FALSE@am__append_2 = compat/memmem.c
subdir = apps/ocspcheck
ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
am__aclocal_m4_deps = $(top_srcdir)/m4/check-hardening-options.m4 \
	$(top_srcdir)/m4/check-libc.m4 \
	$(top_srcdir)/m4/check-os-options.m4 \
	$(top_srcdir)/m4/disable-compiler-warnings.m4 \
	$(top_srcdir)/m4/libtool.m4 $(top_srcdir)/m4/ltoptions.m4 \
	$(top_srcdir)/m4/ltsugar.m4 $(top_srcdir)/m4/ltversion.m4 \
	$(top_srcdir)/m4/lt~obsolete.m4 $(top_srcdir)/configure.ac
am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
	$(ACLOCAL_M4)
DIST_COMMON = $(srcdir)/Makefile.am $(noinst_HEADERS) \
	$(am__DIST_COMMON)
mkinstalldirs = $(install_sh) -d
CONFIG_CLEAN_FILES =
CONFIG_CLEAN_VPATH_FILES =
am__installdirs = "$(DESTDIR)$(bindir)"
PROGRAMS = $(bin_PROGRAMS)
am__ocspcheck_SOURCES_DIST = http.c ocspcheck.c compat/inet_ntop.c \
	compat/memmem.c
am__dirstamp = $(am__leading_dot)dirstamp
@HAVE_INET_NTOP_FALSE@am__objects_1 = compat/inet_ntop.$(OBJEXT)
@HAVE_MEMMEM_FALSE@am__objects_2 = compat/memmem.$(OBJEXT)
am_ocspcheck_OBJECTS = http.$(OBJEXT) ocspcheck.$(OBJEXT) \
	$(am__objects_1) $(am__objects_2)
ocspcheck_OBJECTS = $(am_ocspcheck_OBJECTS)
am__DEPENDENCIES_1 =
ocspcheck_DEPENDENCIES = $(abs_top_builddir)/crypto/libcrypto.la \
	$(abs_top_builddir)/ssl/libssl.la \
	$(abs_top_builddir)/tls/libtls.la $(am__DEPENDENCIES_1) \
	$(am__DEPENDENCIES_1)
AM_V_lt = $(am__v_lt_@AM_V@)
am__v_lt_ = $(am__v_lt_@AM_DEFAULT_V@)
am__v_lt_0 = --silent
am__v_lt_1 = 
AM_V_P = $(am__v_P_@AM_V@)
am__v_P_ = $(am__v_P_@AM_DEFAULT_V@)
am__v_P_0 = false
am__v_P_1 = :
AM_V_GEN = $(am__v_GEN_@AM_V@)
am__v_GEN_ = $(am__v_GEN_@AM_DEFAULT_V@)
am__v_GEN_0 = @echo "  GEN     " $@;
am__v_GEN_1 = 
AM_V_at = $(am__v_at_@AM_V@)
am__v_at_ = $(am__v_at_@AM_DEFAULT_V@)
am__v_at_0 = @
am__v_at_1 = 
DEFAULT_INCLUDES = -I.@am__isrc@
depcomp = $(SHELL) $(top_srcdir)/depcomp
am__depfiles_maybe = depfiles
am__mv = mv -f
COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \
	$(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
LTCOMPILE = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
	$(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) \
	$(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) \
	$(AM_CFLAGS) $(CFLAGS)
AM_V_CC = $(am__v_CC_@AM_V@)
am__v_CC_ = $(am__v_CC_@AM_DEFAULT_V@)
am__v_CC_0 = @echo "  CC      " $@;
am__v_CC_1 = 
CCLD = $(CC)
LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
	$(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \
	$(AM_LDFLAGS) $(LDFLAGS) -o $@
AM_V_CCLD = $(am__v_CCLD_@AM_V@)
am__v_CCLD_ = $(am__v_CCLD_@AM_DEFAULT_V@)
am__v_CCLD_0 = @echo "  CCLD    " $@;
am__v_CCLD_1 = 
SOURCES = $(ocspcheck_SOURCES)
DIST_SOURCES = $(am__ocspcheck_SOURCES_DIST)
am__can_run_installinfo = \
  case $$AM_UPDATE_INFO_DIR in \
    n|no|NO) false;; \
    *) (install-info --version) >/dev/null 2>&1;; \
  esac
HEADERS = $(noinst_HEADERS)
am__tagged_files = $(HEADERS) $(SOURCES) $(TAGS_FILES) $(LISP)
# Read a list of newline-separated strings from the standard input,
# and print each of them once, without duplicates.  Input order is
# *not* preserved.
am__uniquify_input = $(AWK) '\
  BEGIN { nonempty = 0; } \
  { items[$$0] = 1; nonempty = 1; } \
  END { if (nonempty) { for (i in items) print i; }; } \
'
# Make sure the list of sources is unique.  This is necessary because,
# e.g., the same source file might be shared among _SOURCES variables
# for different programs/libraries.
am__define_uniq_tagged_files = \
  list='$(am__tagged_files)'; \
  unique=`for i in $$list; do \
    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
  done | $(am__uniquify_input)`
ETAGS = etags
CTAGS = ctags
am__DIST_COMMON = $(srcdir)/Makefile.in \
	$(top_srcdir)/Makefile.am.common $(top_srcdir)/depcomp
DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
ACLOCAL = @ACLOCAL@
AMTAR = @AMTAR@
AM_DEFAULT_VERBOSITY = @AM_DEFAULT_VERBOSITY@
AR = @AR@
AUTOCONF = @AUTOCONF@
AUTOHEADER = @AUTOHEADER@
AUTOMAKE = @AUTOMAKE@
AWK = @AWK@
CC = @CC@
CCAS = @CCAS@
CCASDEPMODE = @CCASDEPMODE@
CCASFLAGS = @CCASFLAGS@
CCDEPMODE = @CCDEPMODE@
CFLAGS = @CFLAGS@
CPP = @CPP@
CPPFLAGS = @CPPFLAGS@
CYGPATH_W = @CYGPATH_W@
DEFS = @DEFS@
DEPDIR = @DEPDIR@
DLLTOOL = @DLLTOOL@
DSYMUTIL = @DSYMUTIL@
DUMPBIN = @DUMPBIN@
ECHO_C = @ECHO_C@
ECHO_N = @ECHO_N@
ECHO_T = @ECHO_T@
EGREP = @EGREP@
EXEEXT = @EXEEXT@
FGREP = @FGREP@
GREP = @GREP@
HOSTARCH = @HOSTARCH@
INSTALL = @INSTALL@
INSTALL_DATA = @INSTALL_DATA@
INSTALL_PROGRAM = @INSTALL_PROGRAM@
INSTALL_SCRIPT = @INSTALL_SCRIPT@
INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
LD = @LD@
LDFLAGS = @LDFLAGS@
LIBCRYPTO_VERSION = @LIBCRYPTO_VERSION@
LIBOBJS = @LIBOBJS@
LIBS = @LIBS@
LIBSSL_VERSION = @LIBSSL_VERSION@
LIBTLS_VERSION = @LIBTLS_VERSION@
LIBTOOL = @LIBTOOL@
LIPO = @LIPO@
LN_S = @LN_S@
LTLIBOBJS = @LTLIBOBJS@
MAKEINFO = @MAKEINFO@
MANIFEST_TOOL = @MANIFEST_TOOL@
MKDIR_P = @MKDIR_P@
NM = @NM@
NMEDIT = @NMEDIT@
OBJDUMP = @OBJDUMP@
OBJEXT = @OBJEXT@
OPENSSLDIR = @OPENSSLDIR@
OTOOL = @OTOOL@
OTOOL64 = @OTOOL64@
PACKAGE = @PACKAGE@
PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@
PACKAGE_NAME = @PACKAGE_NAME@
PACKAGE_STRING = @PACKAGE_STRING@
PACKAGE_TARNAME = @PACKAGE_TARNAME@
PACKAGE_URL = @PACKAGE_URL@
PACKAGE_VERSION = @PACKAGE_VERSION@
PATH_SEPARATOR = @PATH_SEPARATOR@
PLATFORM_LDADD = @PLATFORM_LDADD@
PROG_LDADD = @PROG_LDADD@
RANLIB = @RANLIB@
SED = @SED@
SET_MAKE = @SET_MAKE@
SHELL = @SHELL@
STRIP = @STRIP@
VERSION = @VERSION@
abs_builddir = @abs_builddir@
abs_srcdir = @abs_srcdir@
abs_top_builddir = @abs_top_builddir@
abs_top_srcdir = @abs_top_srcdir@
ac_ct_AR = @ac_ct_AR@
ac_ct_CC = @ac_ct_CC@
ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
am__include = @am__include@
am__leading_dot = @am__leading_dot@
am__quote = @am__quote@
am__tar = @am__tar@
am__untar = @am__untar@
bindir = @bindir@
build = @build@
build_alias = @build_alias@
build_cpu = @build_cpu@
build_os = @build_os@
build_vendor = @build_vendor@
builddir = @builddir@
datadir = @datadir@
datarootdir = @datarootdir@
docdir = @docdir@
dvidir = @dvidir@
exec_prefix = @exec_prefix@
host = @host@
host_alias = @host_alias@
host_cpu = @host_cpu@
host_os = @host_os@
host_vendor = @host_vendor@
htmldir = @htmldir@
includedir = @includedir@
infodir = @infodir@
install_sh = @install_sh@
libdir = @libdir@
libexecdir = @libexecdir@
localedir = @localedir@
localstatedir = @localstatedir@
mandir = @mandir@
mkdir_p = @mkdir_p@
oldincludedir = @oldincludedir@
pdfdir = @pdfdir@
prefix = @prefix@
program_transform_name = @program_transform_name@
psdir = @psdir@
sbindir = @sbindir@
sharedstatedir = @sharedstatedir@
srcdir = @srcdir@
sysconfdir = @sysconfdir@
target_alias = @target_alias@
top_build_prefix = @top_build_prefix@
top_builddir = @top_builddir@
top_srcdir = @top_srcdir@
AM_CFLAGS = 
AM_CPPFLAGS = -I$(top_srcdir)/include -I$(top_srcdir)/include/compat \
	-DLIBRESSL_INTERNAL -D__BEGIN_HIDDEN_DECLS= \
	-D__END_HIDDEN_DECLS=
EXTRA_DIST = ocspcheck.8 CMakeLists.txt
ocspcheck_LDADD = $(abs_top_builddir)/crypto/libcrypto.la \
	$(abs_top_builddir)/ssl/libssl.la \
	$(abs_top_builddir)/tls/libtls.la $(PLATFORM_LDADD) \
	$(PROG_LDADD)
ocspcheck_SOURCES = http.c ocspcheck.c $(am__append_1) $(am__append_2)
noinst_HEADERS = http.h
all: all-am

.SUFFIXES:
.SUFFIXES: .c .lo .o .obj
$(srcdir)/Makefile.in:  $(srcdir)/Makefile.am $(top_srcdir)/Makefile.am.common $(am__configure_deps)
	@for dep in $?; do \
	  case '$(am__configure_deps)' in \
	    *$$dep*) \
	      ( cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh ) \
	        && { if test -f $@; then exit 0; else break; fi; }; \
	      exit 1;; \
	  esac; \
	done; \
	echo ' cd $(top_srcdir) && $(AUTOMAKE) --foreign apps/ocspcheck/Makefile'; \
	$(am__cd) $(top_srcdir) && \
	  $(AUTOMAKE) --foreign apps/ocspcheck/Makefile
Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status
	@case '$?' in \
	  *config.status*) \
	    cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh;; \
	  *) \
	    echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe)'; \
	    cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe);; \
	esac;
$(top_srcdir)/Makefile.am.common $(am__empty):

$(top_builddir)/config.status: $(top_srcdir)/configure $(CONFIG_STATUS_DEPENDENCIES)
	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh

$(top_srcdir)/configure:  $(am__configure_deps)
	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
$(ACLOCAL_M4):  $(am__aclocal_m4_deps)
	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
$(am__aclocal_m4_deps):
install-binPROGRAMS: $(bin_PROGRAMS)
	@$(NORMAL_INSTALL)
	@list='$(bin_PROGRAMS)'; test -n "$(bindir)" || list=; \
	if test -n "$$list"; then \
	  echo " $(MKDIR_P) '$(DESTDIR)$(bindir)'"; \
	  $(MKDIR_P) "$(DESTDIR)$(bindir)" || exit 1; \
	fi; \
	for p in $$list; do echo "$$p $$p"; done | \
	sed 's/$(EXEEXT)$$//' | \
	while read p p1; do if test -f $$p \
	 || test -f $$p1 \
	  ; then echo "$$p"; echo "$$p"; else :; fi; \
	done | \
	sed -e 'p;s,.*/,,;n;h' \
	    -e 's|.*|.|' \
	    -e 'p;x;s,.*/,,;s/$(EXEEXT)$$//;$(transform);s/$$/$(EXEEXT)/' | \
	sed 'N;N;N;s,\n, ,g' | \
	$(AWK) 'BEGIN { files["."] = ""; dirs["."] = 1 } \
	  { d=$$3; if (dirs[d] != 1) { print "d", d; dirs[d] = 1 } \
	    if ($$2 == $$4) files[d] = files[d] " " $$1; \
	    else { print "f", $$3 "/" $$4, $$1; } } \
	  END { for (d in files) print "f", d, files[d] }' | \
	while read type dir files; do \
	    if test "$$dir" = .; then dir=; else dir=/$$dir; fi; \
	    test -z "$$files" || { \
	    echo " $(INSTALL_PROGRAM_ENV) $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL_PROGRAM) $$files '$(DESTDIR)$(bindir)$$dir'"; \
	    $(INSTALL_PROGRAM_ENV) $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL_PROGRAM) $$files "$(DESTDIR)$(bindir)$$dir" || exit $$?; \
	    } \
	; done

uninstall-binPROGRAMS:
	@$(NORMAL_UNINSTALL)
	@list='$(bin_PROGRAMS)'; test -n "$(bindir)" || list=; \
	files=`for p in $$list; do echo "$$p"; done | \
	  sed -e 'h;s,^.*/,,;s/$(EXEEXT)$$//;$(transform)' \
	      -e 's/$$/$(EXEEXT)/' \
	`; \
	test -n "$$list" || exit 0; \
	echo " ( cd '$(DESTDIR)$(bindir)' && rm -f" $$files ")"; \
	cd "$(DESTDIR)$(bindir)" && rm -f $$files

clean-binPROGRAMS:
	@list='$(bin_PROGRAMS)'; test -n "$$list" || exit 0; \
	echo " rm -f" $$list; \
	rm -f $$list || exit $$?; \
	test -n "$(EXEEXT)" || exit 0; \
	list=`for p in $$list; do echo "$$p"; done | sed 's/$(EXEEXT)$$//'`; \
	echo " rm -f" $$list; \
	rm -f $$list
compat/$(am__dirstamp):
	@$(MKDIR_P) compat
	@: > compat/$(am__dirstamp)
compat/$(DEPDIR)/$(am__dirstamp):
	@$(MKDIR_P) compat/$(DEPDIR)
	@: > compat/$(DEPDIR)/$(am__dirstamp)
compat/inet_ntop.$(OBJEXT): compat/$(am__dirstamp) \
	compat/$(DEPDIR)/$(am__dirstamp)
compat/memmem.$(OBJEXT): compat/$(am__dirstamp) \
	compat/$(DEPDIR)/$(am__dirstamp)

ocspcheck$(EXEEXT): $(ocspcheck_OBJECTS) $(ocspcheck_DEPENDENCIES) $(EXTRA_ocspcheck_DEPENDENCIES) 
	@rm -f ocspcheck$(EXEEXT)
	$(AM_V_CCLD)$(LINK) $(ocspcheck_OBJECTS) $(ocspcheck_LDADD) $(LIBS)

mostlyclean-compile:
	-rm -f *.$(OBJEXT)
	-rm -f compat/*.$(OBJEXT)

distclean-compile:
	-rm -f *.tab.c

@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/http.Po@am__quote@
@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/ocspcheck.Po@am__quote@
@AMDEP_TRUE@@am__include@ @am__quote@compat/$(DEPDIR)/inet_ntop.Po@am__quote@
@AMDEP_TRUE@@am__include@ @am__quote@compat/$(DEPDIR)/memmem.Po@am__quote@

.c.o:
@am__fastdepCC_TRUE@	$(AM_V_CC)depbase=`echo $@ | sed 's|[^/]*$$|$(DEPDIR)/&|;s|\.o$$||'`;\
@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $$depbase.Tpo -c -o $@ $< &&\
@am__fastdepCC_TRUE@	$(am__mv) $$depbase.Tpo $$depbase.Po
@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(COMPILE) -c -o $@ $<

.c.obj:
@am__fastdepCC_TRUE@	$(AM_V_CC)depbase=`echo $@ | sed 's|[^/]*$$|$(DEPDIR)/&|;s|\.obj$$||'`;\
@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $$depbase.Tpo -c -o $@ `$(CYGPATH_W) '$<'` &&\
@am__fastdepCC_TRUE@	$(am__mv) $$depbase.Tpo $$depbase.Po
@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(COMPILE) -c -o $@ `$(CYGPATH_W) '$<'`

.c.lo:
@am__fastdepCC_TRUE@	$(AM_V_CC)depbase=`echo $@ | sed 's|[^/]*$$|$(DEPDIR)/&|;s|\.lo$$||'`;\
@am__fastdepCC_TRUE@	$(LTCOMPILE) -MT $@ -MD -MP -MF $$depbase.Tpo -c -o $@ $< &&\
@am__fastdepCC_TRUE@	$(am__mv) $$depbase.Tpo $$depbase.Plo
@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LTCOMPILE) -c -o $@ $<

mostlyclean-libtool:
	-rm -f *.lo

clean-libtool:
	-rm -rf .libs _libs

ID: $(am__tagged_files)
	$(am__define_uniq_tagged_files); mkid -fID $$unique
tags: tags-am
TAGS: tags

tags-am: $(TAGS_DEPENDENCIES) $(am__tagged_files)
	set x; \
	here=`pwd`; \
	$(am__define_uniq_tagged_files); \
	shift; \
	if test -z "$(ETAGS_ARGS)$$*$$unique"; then :; else \
	  test -n "$$unique" || unique=$$empty_fix; \
	  if test $$# -gt 0; then \
	    $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
	      "$$@" $$unique; \
	  else \
	    $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
	      $$unique; \
	  fi; \
	fi
ctags: ctags-am

CTAGS: ctags
ctags-am: $(TAGS_DEPENDENCIES) $(am__tagged_files)
	$(am__define_uniq_tagged_files); \
	test -z "$(CTAGS_ARGS)$$unique" \
	  || $(CTAGS) $(CTAGSFLAGS) $(AM_CTAGSFLAGS) $(CTAGS_ARGS) \
	     $$unique

GTAGS:
	here=`$(am__cd) $(top_builddir) && pwd` \
	  && $(am__cd) $(top_srcdir) \
	  && gtags -i $(GTAGS_ARGS) "$$here"
cscopelist: cscopelist-am

cscopelist-am: $(am__tagged_files)
	list='$(am__tagged_files)'; \
	case "$(srcdir)" in \
	  [\\/]* | ?:[\\/]*) sdir="$(srcdir)" ;; \
	  *) sdir=$(subdir)/$(srcdir) ;; \
	esac; \
	for i in $$list; do \
	  if test -f "$$i"; then \
	    echo "$(subdir)/$$i"; \
	  else \
	    echo "$$sdir/$$i"; \
	  fi; \
	done >> $(top_builddir)/cscope.files

distclean-tags:
	-rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags

distdir: $(DISTFILES)
	@srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
	topsrcdirstrip=`echo "$(top_srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
	list='$(DISTFILES)'; \
	  dist_files=`for file in $$list; do echo $$file; done | \
	  sed -e "s|^$$srcdirstrip/||;t" \
	      -e "s|^$$topsrcdirstrip/|$(top_builddir)/|;t"`; \
	case $$dist_files in \
	  */*) $(MKDIR_P) `echo "$$dist_files" | \
			   sed '/\//!d;s|^|$(distdir)/|;s,/[^/]*$$,,' | \
			   sort -u` ;; \
	esac; \
	for file in $$dist_files; do \
	  if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \
	  if test -d $$d/$$file; then \
	    dir=`echo "/$$file" | sed -e 's,/[^/]*$$,,'`; \
	    if test -d "$(distdir)/$$file"; then \
	      find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \
	    fi; \
	    if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \
	      cp -fpR $(srcdir)/$$file "$(distdir)$$dir" || exit 1; \
	      find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \
	    fi; \
	    cp -fpR $$d/$$file "$(distdir)$$dir" || exit 1; \
	  else \
	    test -f "$(distdir)/$$file" \
	    || cp -p $$d/$$file "$(distdir)/$$file" \
	    || exit 1; \
	  fi; \
	done
check-am: all-am
check: check-am
all-am: Makefile $(PROGRAMS) $(HEADERS)
installdirs:
	for dir in "$(DESTDIR)$(bindir)"; do \
	  test -z "$$dir" || $(MKDIR_P) "$$dir"; \
	done
install: install-am
install-exec: install-exec-am
install-data: install-data-am
uninstall: uninstall-am

install-am: all-am
	@$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am

installcheck: installcheck-am
install-strip:
	if test -z '$(STRIP)'; then \
	  $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
	    install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
	      install; \
	else \
	  $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
	    install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
	    "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'" install; \
	fi
mostlyclean-generic:

clean-generic:

distclean-generic:
	-test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES)
	-test . = "$(srcdir)" || test -z "$(CONFIG_CLEAN_VPATH_FILES)" || rm -f $(CONFIG_CLEAN_VPATH_FILES)
	-rm -f compat/$(DEPDIR)/$(am__dirstamp)
	-rm -f compat/$(am__dirstamp)

maintainer-clean-generic:
	@echo "This command is intended for maintainers to use"
	@echo "it deletes files that may require special tools to rebuild."
clean: clean-am

clean-am: clean-binPROGRAMS clean-generic clean-libtool mostlyclean-am

distclean: distclean-am
	-rm -rf ./$(DEPDIR) compat/$(DEPDIR)
	-rm -f Makefile
distclean-am: clean-am distclean-compile distclean-generic \
	distclean-tags

dvi: dvi-am

dvi-am:

html: html-am

html-am:

info: info-am

info-am:

install-data-am:

install-dvi: install-dvi-am

install-dvi-am:

install-exec-am: install-binPROGRAMS

install-html: install-html-am

install-html-am:

install-info: install-info-am

install-info-am:

install-man:

install-pdf: install-pdf-am

install-pdf-am:

install-ps: install-ps-am

install-ps-am:

installcheck-am:

maintainer-clean: maintainer-clean-am
	-rm -rf ./$(DEPDIR) compat/$(DEPDIR)
	-rm -f Makefile
maintainer-clean-am: distclean-am maintainer-clean-generic

mostlyclean: mostlyclean-am

mostlyclean-am: mostlyclean-compile mostlyclean-generic \
	mostlyclean-libtool

pdf: pdf-am

pdf-am:

ps: ps-am

ps-am:

uninstall-am: uninstall-binPROGRAMS

.MAKE: install-am install-strip

.PHONY: CTAGS GTAGS TAGS all all-am check check-am clean \
	clean-binPROGRAMS clean-generic clean-libtool cscopelist-am \
	ctags ctags-am distclean distclean-compile distclean-generic \
	distclean-libtool distclean-tags distdir dvi dvi-am html \
	html-am info info-am install install-am install-binPROGRAMS \
	install-data install-data-am install-dvi install-dvi-am \
	install-exec install-exec-am install-html install-html-am \
	install-info install-info-am install-man install-pdf \
	install-pdf-am install-ps install-ps-am install-strip \
	installcheck installcheck-am installdirs maintainer-clean \
	maintainer-clean-generic mostlyclean mostlyclean-compile \
	mostlyclean-generic mostlyclean-libtool pdf pdf-am ps ps-am \
	tags tags-am uninstall uninstall-am uninstall-binPROGRAMS

.PRECIOUS: Makefile


# Tell versions [3.59,3.63) of GNU make to not export all variables.
# Otherwise a system limit (for SysV at least) may be exceeded.
.NOEXPORT:

/*	$OpenBSD: inet_ntop.c,v 1.13 2016/09/21 04:38:56 guenther Exp $	*/

/* Copyright (c) 1996 by Internet Software Consortium.
 *
 * Permission to use, copy, modify, and distribute this software for any
 * purpose with or without fee is hereby granted, provided that the above
 * copyright notice and this permission notice appear in all copies.
 *
 * THE SOFTWARE IS PROVIDED "AS IS" AND INTERNET SOFTWARE CONSORTIUM DISCLAIMS
 * ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES
 * OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL INTERNET SOFTWARE
 * CONSORTIUM BE LIABLE FOR ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL
 * DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR
 * PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS
 * ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS
 * SOFTWARE.
 */

#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <arpa/nameser.h>
#include <string.h>
#include <errno.h>
#include <stdio.h>

/*
 * WARNING: Don't even consider trying to compile this on a system where
 * sizeof(int) < 4.  sizeof(int) > 4 is fine; all the world's not a VAX.
 */

static const char *inet_ntop4(const u_char *src, char *dst, size_t size);
static const char *inet_ntop6(const u_char *src, char *dst, size_t size);

/* const char *
 * inet_ntop(af, src, dst, size)
 *	convert a network format address to presentation format.
 * return:
 *	pointer to presentation format address (`dst'), or NULL (see errno).
 * author:
 *	Paul Vixie, 1996.
 */
const char *
inet_ntop(int af, const void *src, char *dst, socklen_t size)
{
	switch (af) {
	case AF_INET:
		return (inet_ntop4(src, dst, size));
	case AF_INET6:
		return (inet_ntop6(src, dst, size));
	default:
		errno = EAFNOSUPPORT;
		return (NULL);
	}
	/* NOTREACHED */
}

/* const char *
 * inet_ntop4(src, dst, size)
 *	format an IPv4 address, more or less like inet_ntoa()
 * return:
 *	`dst' (as a const)
 * notes:
 *	(1) uses no statics
 *	(2) takes a u_char* not an in_addr as input
 * author:
 *	Paul Vixie, 1996.
 */
static const char *
inet_ntop4(const u_char *src, char *dst, size_t size)
{
	char tmp[sizeof "255.255.255.255"];
	int l;

	l = snprintf(tmp, sizeof(tmp), "%u.%u.%u.%u",
	    src[0], src[1], src[2], src[3]);
	if (l <= 0 || l >= size) {
		errno = ENOSPC;
		return (NULL);
	}
	strlcpy(dst, tmp, size);
	return (dst);
}

/* const char *
 * inet_ntop6(src, dst, size)
 *	convert IPv6 binary address into presentation (printable) format
 * author:
 *	Paul Vixie, 1996.
 */
static const char *
inet_ntop6(const u_char *src, char *dst, size_t size)
{
	/*
	 * Note that int32_t and int16_t need only be "at least" large enough
	 * to contain a value of the specified size.  On some systems, like
	 * Crays, there is no such thing as an integer variable with 16 bits.
	 * Keep this in mind if you think this function should have been coded
	 * to use pointer overlays.  All the world's not a VAX.
	 */
	char tmp[sizeof "ffff:ffff:ffff:ffff:ffff:ffff:255.255.255.255"];
	char *tp, *ep;
	struct { int base, len; } best, cur;
	u_int words[IN6ADDRSZ / INT16SZ];
	int i;
	int advance;

	/*
	 * Preprocess:
	 *	Copy the input (bytewise) array into a wordwise array.
	 *	Find the longest run of 0x00's in src[] for :: shorthanding.
	 */
	memset(words, '\0', sizeof words);
	for (i = 0; i < IN6ADDRSZ; i++)
		words[i / 2] |= (src[i] << ((1 - (i % 2)) << 3));
	best.base = -1;
	cur.base = -1;
	for (i = 0; i < (IN6ADDRSZ / INT16SZ); i++) {
		if (words[i] == 0) {
			if (cur.base == -1)
				cur.base = i, cur.len = 1;
			else
				cur.len++;
		} else {
			if (cur.base != -1) {
				if (best.base == -1 || cur.len > best.len)
					best = cur;
				cur.base = -1;
			}
		}
	}
	if (cur.base != -1) {
		if (best.base == -1 || cur.len > best.len)
			best = cur;
	}
	if (best.base != -1 && best.len < 2)
		best.base = -1;

	/*
	 * Format the result.
	 */
	tp = tmp;
	ep = tmp + sizeof(tmp);
	for (i = 0; i < (IN6ADDRSZ / INT16SZ) && tp < ep; i++) {
		/* Are we inside the best run of 0x00's? */
		if (best.base != -1 && i >= best.base &&
		    i < (best.base + best.len)) {
			if (i == best.base) {
				if (tp + 1 >= ep) {
					errno = ENOSPC;
					return (NULL);
				}
				*tp++ = ':';
			}
			continue;
		}
		/* Are we following an initial run of 0x00s or any real hex? */
		if (i != 0) {
			if (tp + 1 >= ep) {
				errno = ENOSPC;
				return (NULL);
			}
			*tp++ = ':';
		}
		/* Is this address an encapsulated IPv4? */
		if (i == 6 && best.base == 0 &&
		    (best.len == 6 || (best.len == 5 && words[5] == 0xffff))) {
			if (!inet_ntop4(src+12, tp, ep - tp))
				return (NULL);
			tp += strlen(tp);
			break;
		}
		advance = snprintf(tp, ep - tp, "%x", words[i]);
		if (advance <= 0 || advance >= ep - tp) {
			errno = ENOSPC;
			return (NULL);
		}
		tp += advance;
	}
	/* Was it a trailing run of 0x00's? */
	if (best.base != -1 && (best.base + best.len) == (IN6ADDRSZ / INT16SZ)) {
		if (tp + 1 >= ep) {
			errno = ENOSPC;
			return (NULL);
		}
		*tp++ = ':';
	}
	if (tp + 1 >= ep) {
		errno = ENOSPC;
		return (NULL);
	}
	*tp++ = '\0';

	/*
	 * Check for overflow, copy, and we're done.
	 */
	if ((size_t)(tp - tmp) > size) {
		errno = ENOSPC;
		return (NULL);
	}
	strlcpy(dst, tmp, size);
	return (dst);
}

/*	$OpenBSD: memmem.c,v 1.4 2015/08/31 02:53:57 guenther Exp $ */
/*-
 * Copyright (c) 2005 Pascal Gloor <pascal.gloor@spale.com>
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
 * are met:
 * 1. Redistributions of source code must retain the above copyright
 *    notice, this list of conditions and the following disclaimer.
 * 2. Redistributions in binary form must reproduce the above copyright
 *    notice, this list of conditions and the following disclaimer in the
 *    documentation and/or other materials provided with the distribution.
 * 3. The name of the author may not be used to endorse or promote
 *    products derived from this software without specific prior written
 *    permission.
 *
 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
 * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
 * SUCH DAMAGE.
 */

#include <string.h>

/*
 * Find the first occurrence of the byte string s in byte string l.
 */

void *
memmem(const void *l, size_t l_len, const void *s, size_t s_len)
{
	const char *cur, *last;
	const char *cl = l;
	const char *cs = s;

	/* a zero length needle should just return the haystack */
	if (s_len == 0)
		return (void *)cl;

	/* "s" must be smaller or equal to "l" */
	if (l_len < s_len)
		return NULL;

	/* special case where s_len == 1 */
	if (s_len == 1)
		return memchr(l, *cs, l_len);

	/* the last position where its possible to find "s" in "l" */
	last = cl + l_len - s_len;

	for (cur = cl; cur <= last; cur++)
		if (cur[0] == cs[0] && memcmp(cur, cs, s_len) == 0)
			return (void *)cur;

	return NULL;
}

/*	$Id: http.c,v 1.9 2017/03/26 18:41:02 deraadt Exp $ */
/*
 * Copyright (c) 2016 Kristaps Dzonsons <kristaps@bsd.lv>
 *
 * Permission to use, copy, modify, and distribute this software for any
 * purpose with or without fee is hereby granted, provided that the above
 * copyright notice and this permission notice appear in all copies.
 *
 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHORS DISCLAIM ALL WARRANTIES
 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHORS BE LIABLE FOR
 * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
 * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 */

#include <sys/types.h>
#include <sys/socket.h>

#include <arpa/inet.h>
#include <netinet/in.h>

#include <ctype.h>
#include <err.h>
#include <limits.h>
#include <netdb.h>
#include <stdio.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#include <tls.h>
#include <unistd.h>

#include "http.h"
#include <tls.h>

#define DEFAULT_CA_FILE "/etc/ssl/cert.pem"

/*
 * A buffer for transferring HTTP/S data.
 */
struct	httpxfer {
	char		*hbuf;    /* header transfer buffer */
	size_t		 hbufsz;  /* header buffer size */
	int		 headok;  /* header has been parsed */
	char		*bbuf;    /* body transfer buffer */
	size_t		 bbufsz;  /* body buffer size */
	int		 bodyok;  /* body has been parsed */
	char		*headbuf; /* lookaside buffer for headers */
	struct httphead	*head;    /* parsed headers */
	size_t		 headsz;  /* number of headers */
};

/*
 * An HTTP/S connection object.
 */
struct	http {
	int		   fd;     /* connected socket */
	short		   port;   /* port number */
	struct source	   src;    /* endpoint (raw) host */
	char		  *path;   /* path to request */
	char		  *host;   /* name of endpoint host */
	struct tls	  *ctx;    /* if TLS */
	writefp		   writer; /* write function */
	readfp		   reader; /* read function */
};

struct tls_config *tlscfg;

static ssize_t
dosysread(char *buf, size_t sz, const struct http *http)
{
	ssize_t	 rc;

	rc = read(http->fd, buf, sz);
	if (rc < 0)
		warn("%s: read", http->src.ip);
	return rc;
}

static ssize_t
dosyswrite(const void *buf, size_t sz, const struct http *http)
{
	ssize_t	 rc;

	rc = write(http->fd, buf, sz);
	if (rc < 0)
		warn("%s: write", http->src.ip);
	return rc;
}

static ssize_t
dotlsread(char *buf, size_t sz, const struct http *http)
{
	ssize_t	 rc;

	do {
		rc = tls_read(http->ctx, buf, sz);
	} while (rc == TLS_WANT_POLLIN || rc == TLS_WANT_POLLOUT);

	if (rc < 0)
		warnx("%s: tls_read: %s", http->src.ip,
		    tls_error(http->ctx));
	return rc;
}

static ssize_t
dotlswrite(const void *buf, size_t sz, const struct http *http)
{
	ssize_t	 rc;

	do {
		rc = tls_write(http->ctx, buf, sz);
	} while (rc == TLS_WANT_POLLIN || rc == TLS_WANT_POLLOUT);

	if (rc < 0)
		warnx("%s: tls_write: %s", http->src.ip,
		    tls_error(http->ctx));
	return rc;
}

int
http_init()
{
	if (tlscfg != NULL)
		return 0;

	if (tls_init() == -1) {
		warn("tls_init");
		goto err;
	}

	tlscfg = tls_config_new();
	if (tlscfg == NULL) {
		warn("tls_config_new");
		goto err;
	}

	if (tls_config_set_ca_file(tlscfg, DEFAULT_CA_FILE) == -1) {
		warn("tls_config_set_ca_file: %s", tls_config_error(tlscfg));
		goto err;
	}

	return 0;

 err:
	tls_config_free(tlscfg);
	tlscfg = NULL;

	return -1;
}

static ssize_t
http_read(char *buf, size_t sz, const struct http *http)
{
	ssize_t	 ssz, xfer;

	xfer = 0;
	do {
		if ((ssz = http->reader(buf, sz, http)) < 0)
			return -1;
		if (ssz == 0)
			break;
		xfer += ssz;
		sz -= ssz;
		buf += ssz;
	} while (ssz > 0 && sz > 0);

	return xfer;
}

static int
http_write(const char *buf, size_t sz, const struct http *http)
{
	ssize_t	 ssz, xfer;

	xfer = sz;
	while (sz > 0) {
		if ((ssz = http->writer(buf, sz, http)) < 0)
			return -1;
		sz -= ssz;
		buf += (size_t)ssz;
	}
	return xfer;
}

void
http_disconnect(struct http *http)
{
	int rc;

	if (http->ctx != NULL) {
		/* TLS connection. */
		do {
			rc = tls_close(http->ctx);
		} while (rc == TLS_WANT_POLLIN || rc == TLS_WANT_POLLOUT);

		if (rc < 0)
			warnx("%s: tls_close: %s", http->src.ip,
			    tls_error(http->ctx));

		tls_free(http->ctx);
	}
	if (http->fd != -1) {
		if (close(http->fd) == -1)
			warn("%s: close", http->src.ip);
	}

	http->fd = -1;
	http->ctx = NULL;
}

void
http_free(struct http *http)
{

	if (http == NULL)
		return;
	http_disconnect(http);
	free(http->host);
	free(http->path);
	free(http->src.ip);
	free(http);
}

struct http *
http_alloc(const struct source *addrs, size_t addrsz,
    const char *host, short port, const char *path)
{
	struct sockaddr_storage ss;
	int		 family, fd, c;
	socklen_t	 len;
	size_t		 cur, i = 0;
	struct http	*http;

	/* Do this while we still have addresses to connect. */
again:
	if (i == addrsz)
		return NULL;
	cur = i++;

	/* Convert to PF_INET or PF_INET6 address from string. */

	memset(&ss, 0, sizeof(struct sockaddr_storage));

	if (addrs[cur].family == 4) {
		family = PF_INET;
		((struct sockaddr_in *)&ss)->sin_family = AF_INET;
		((struct sockaddr_in *)&ss)->sin_port = htons(port);
		c = inet_pton(AF_INET, addrs[cur].ip,
		    &((struct sockaddr_in *)&ss)->sin_addr);
		len = sizeof(struct sockaddr_in);
	} else if (addrs[cur].family == 6) {
		family = PF_INET6;
		((struct sockaddr_in6 *)&ss)->sin6_family = AF_INET6;
		((struct sockaddr_in6 *)&ss)->sin6_port = htons(port);
		c = inet_pton(AF_INET6, addrs[cur].ip,
		    &((struct sockaddr_in6 *)&ss)->sin6_addr);
		len = sizeof(struct sockaddr_in6);
	} else {
		warnx("%s: unknown family", addrs[cur].ip);
		goto again;
	}

	if (c < 0) {
		warn("%s: inet_ntop", addrs[cur].ip);
		goto again;
	} else if (c == 0) {
		warnx("%s: inet_ntop", addrs[cur].ip);
		goto again;
	}

	/* Create socket and connect. */

	fd = socket(family, SOCK_STREAM, 0);
	if (fd == -1) {
		warn("%s: socket", addrs[cur].ip);
		goto again;
	} else if (connect(fd, (struct sockaddr *)&ss, len) == -1) {
		warn("%s: connect", addrs[cur].ip);
		close(fd);
		goto again;
	}

	/* Allocate the communicator. */

	http = calloc(1, sizeof(struct http));
	if (http == NULL) {
		warn("calloc");
		close(fd);
		return NULL;
	}
	http->fd = fd;
	http->port = port;
	http->src.family = addrs[cur].family;
	http->src.ip = strdup(addrs[cur].ip);
	http->host = strdup(host);
	http->path = strdup(path);
	if (http->src.ip == NULL || http->host == NULL || http->path == NULL) {
		warn("strdup");
		goto err;
	}

	/* If necessary, do our TLS setup. */

	if (port != 443) {
		http->writer = dosyswrite;
		http->reader = dosysread;
		return http;
	}

	http->writer = dotlswrite;
	http->reader = dotlsread;

	if ((http->ctx = tls_client()) == NULL) {
		warn("tls_client");
		goto err;
	} else if (tls_configure(http->ctx, tlscfg) == -1) {
		warnx("%s: tls_configure: %s",
			http->src.ip, tls_error(http->ctx));
		goto err;
	}

	if (tls_connect_socket(http->ctx, http->fd, http->host) != 0) {
		warnx("%s: tls_connect_socket: %s, %s", http->src.ip,
		    http->host, tls_error(http->ctx));
		goto err;
	}

	return http;
err:
	http_free(http);
	return NULL;
}

struct httpxfer *
http_open(const struct http *http, const void *p, size_t psz)
{
	char		*req;
	int		 c;
	struct httpxfer	*trans;

	if (p == NULL) {
		c = asprintf(&req,
		    "GET %s HTTP/1.0\r\n"
		    "Host: %s\r\n"
		    "\r\n",
		    http->path, http->host);
	} else {
		c = asprintf(&req,
		    "POST %s HTTP/1.0\r\n"
		    "Host: %s\r\n"
		    "Content-Length: %zu\r\n"
		    "\r\n",
		    http->path, http->host, psz);
	}
	if (c == -1) {
		warn("asprintf");
		return NULL;
	} else if (!http_write(req, c, http)) {
		free(req);
		return NULL;
	} else if (p != NULL && !http_write(p, psz, http)) {
		free(req);
		return NULL;
	}

	free(req);

	trans = calloc(1, sizeof(struct httpxfer));
	if (trans == NULL)
		warn("calloc");
	return trans;
}

void
http_close(struct httpxfer *x)
{

	if (x == NULL)
		return;
	free(x->hbuf);
	free(x->bbuf);
	free(x->headbuf);
	free(x->head);
	free(x);
}

/*
 * Read the HTTP body from the wire.
 * If invoked multiple times, this will return the same pointer with the
 * same data (or NULL, if the original invocation returned NULL).
 * Returns NULL if read or allocation errors occur.
 * You must not free the returned pointer.
 */
char *
http_body_read(const struct http *http, struct httpxfer *trans, size_t *sz)
{
	char		 buf[BUFSIZ];
	ssize_t		 ssz;
	void		*pp;
	size_t		 szp;

	if (sz == NULL)
		sz = &szp;

	/* Have we already parsed this? */

	if (trans->bodyok > 0) {
		*sz = trans->bbufsz;
		return trans->bbuf;
	} else if (trans->bodyok < 0)
		return NULL;

	*sz = 0;
	trans->bodyok = -1;

	do {
		/* If less than sizeof(buf), at EOF. */
		if ((ssz = http_read(buf, sizeof(buf), http)) < 0)
			return NULL;
		else if (ssz == 0)
			break;

		pp = recallocarray(trans->bbuf,
		    trans->bbufsz, trans->bbufsz + ssz, 1);
		if (pp == NULL) {
			warn("recallocarray");
			return NULL;
		}
		trans->bbuf = pp;
		memcpy(trans->bbuf + trans->bbufsz, buf, ssz);
		trans->bbufsz += ssz;
	} while (ssz == sizeof(buf));

	trans->bodyok = 1;
	*sz = trans->bbufsz;
	return trans->bbuf;
}

struct httphead *
http_head_get(const char *v, struct httphead *h, size_t hsz)
{
	size_t	 i;

	for (i = 0; i < hsz; i++) {
		if (strcmp(h[i].key, v))
			continue;
		return &h[i];
	}
	return NULL;
}

/*
 * Look through the headers and determine our HTTP code.
 * This will return -1 on failure, otherwise the code.
 */
int
http_head_status(const struct http *http, struct httphead *h, size_t sz)
{
	int		 rc;
	unsigned int	 code;
	struct httphead *st;

	if ((st = http_head_get("Status", h, sz)) == NULL) {
		warnx("%s: no status header", http->src.ip);
		return -1;
	}

	rc = sscanf(st->val, "%*s %u %*s", &code);
	if (rc < 0) {
		warn("sscanf");
		return -1;
	} else if (rc != 1) {
		warnx("%s: cannot convert status header", http->src.ip);
		return -1;
	}
	return code;
}

/*
 * Parse headers from the transfer.
 * Malformed headers are skipped.
 * A special "Status" header is added for the HTTP status line.
 * This can only happen once http_head_read has been called with
 * success.
 * This can be invoked multiple times: it will only parse the headers
 * once and after that it will just return the cache.
 * You must not free the returned pointer.
 * If the original header parse failed, or if memory allocation fails
 * internally, this returns NULL.
 */
struct httphead *
http_head_parse(const struct http *http, struct httpxfer *trans, size_t *sz)
{
	size_t		 hsz, szp;
	struct httphead	*h;
	char		*cp, *ep, *ccp, *buf;

	if (sz == NULL)
		sz = &szp;

	/*
	 * If we've already parsed the headers, return the
	 * previously-parsed buffer now.
	 * If we have errors on the stream, return NULL now.
	 */

	if (trans->head != NULL) {
		*sz = trans->headsz;
		return trans->head;
	} else if (trans->headok <= 0)
		return NULL;

	if ((buf = strdup(trans->hbuf)) == NULL) {
		warn("strdup");
		return NULL;
	}
	hsz = 0;
	cp = buf;

	do {
		if ((cp = strstr(cp, "\r\n")) != NULL)
			cp += 2;
		hsz++;
	} while (cp != NULL);

	/*
	 * Allocate headers, then step through the data buffer, parsing
	 * out headers as we have them.
	 * We know at this point that the buffer is NUL-terminated in
	 * the usual way.
	 */

	h = calloc(hsz, sizeof(struct httphead));
	if (h == NULL) {
		warn("calloc");
		free(buf);
		return NULL;
	}

	*sz = hsz;
	hsz = 0;
	cp = buf;

	do {
		if ((ep = strstr(cp, "\r\n")) != NULL) {
			*ep = '\0';
			ep += 2;
		}
		if (hsz == 0) {
			h[hsz].key = "Status";
			h[hsz++].val = cp;
			continue;
		}

		/* Skip bad headers. */
		if ((ccp = strchr(cp, ':')) == NULL) {
			warnx("%s: header without separator", http->src.ip);
			continue;
		}

		*ccp++ = '\0';
		while (isspace((int)*ccp))
			ccp++;
		h[hsz].key = cp;
		h[hsz++].val = ccp;
	} while ((cp = ep) != NULL);

	trans->headbuf = buf;
	trans->head = h;
	trans->headsz = hsz;
	return h;
}

/*
 * Read the HTTP headers from the wire.
 * If invoked multiple times, this will return the same pointer with the
 * same data (or NULL, if the original invocation returned NULL).
 * Returns NULL if read or allocation errors occur.
 * You must not free the returned pointer.
 */
char *
http_head_read(const struct http *http, struct httpxfer *trans, size_t *sz)
{
	char		 buf[BUFSIZ];
	ssize_t		 ssz;
	char		*ep;
	void		*pp;
	size_t		 szp;

	if (sz == NULL)
		sz = &szp;

	/* Have we already parsed this? */

	if (trans->headok > 0) {
		*sz = trans->hbufsz;
		return trans->hbuf;
	} else if (trans->headok < 0)
		return NULL;

	*sz = 0;
	ep = NULL;
	trans->headok = -1;

	/*
	 * Begin by reading by BUFSIZ blocks until we reach the header
	 * termination marker (two CRLFs).
	 * We might read into our body, but that's ok: we'll copy out
	 * the body parts into our body buffer afterward.
	 */

	do {
		/* If less than sizeof(buf), at EOF. */
		if ((ssz = http_read(buf, sizeof(buf), http)) < 0)
			return NULL;
		else if (ssz == 0)
			break;
		pp = realloc(trans->hbuf, trans->hbufsz + ssz);
		if (pp == NULL) {
			warn("realloc");
			return NULL;
		}
		trans->hbuf = pp;
		memcpy(trans->hbuf + trans->hbufsz, buf, ssz);
		trans->hbufsz += ssz;
		/* Search for end of headers marker. */
		ep = memmem(trans->hbuf, trans->hbufsz, "\r\n\r\n", 4);
	} while (ep == NULL && ssz == sizeof(buf));

	if (ep == NULL) {
		warnx("%s: partial transfer", http->src.ip);
		return NULL;
	}
	*ep = '\0';

	/*
	 * The header data is invalid if it has any binary characters in
	 * it: check that now.
	 * This is important because we want to guarantee that all
	 * header keys and pairs are properly NUL-terminated.
	 */

	if (strlen(trans->hbuf) != (uintptr_t)(ep - trans->hbuf)) {
		warnx("%s: binary data in header", http->src.ip);
		return NULL;
	}

	/*
	 * Copy remaining buffer into body buffer.
	 */

	ep += 4;
	trans->bbufsz = (trans->hbuf + trans->hbufsz) - ep;
	trans->bbuf = malloc(trans->bbufsz);
	if (trans->bbuf == NULL) {
		warn("malloc");
		return NULL;
	}
	memcpy(trans->bbuf, ep, trans->bbufsz);

	trans->headok = 1;
	*sz = trans->hbufsz;
	return trans->hbuf;
}

void
http_get_free(struct httpget *g)
{

	if (g == NULL)
		return;
	http_close(g->xfer);
	http_free(g->http);
	free(g);
}

struct httpget *
http_get(const struct source *addrs, size_t addrsz, const char *domain,
    short port, const char *path, const void *post, size_t postsz)
{
	struct http	*h;
	struct httpxfer	*x;
	struct httpget	*g;
	struct httphead	*head;
	size_t		 headsz, bodsz, headrsz;
	int		 code;
	char		*bod, *headr;

	h = http_alloc(addrs, addrsz, domain, port, path);
	if (h == NULL)
		return NULL;

	if ((x = http_open(h, post, postsz)) == NULL) {
		http_free(h);
		return NULL;
	} else if ((headr = http_head_read(h, x, &headrsz)) == NULL) {
		http_close(x);
		http_free(h);
		return NULL;
	} else if ((bod = http_body_read(h, x, &bodsz)) == NULL) {
		http_close(x);
		http_free(h);
		return NULL;
	}

	http_disconnect(h);

	if ((head = http_head_parse(h, x, &headsz)) == NULL) {
		http_close(x);
		http_free(h);
		return NULL;
	} else if ((code = http_head_status(h, head, headsz)) < 0) {
		http_close(x);
		http_free(h);
		return NULL;
	}

	if ((g = calloc(1, sizeof(struct httpget))) == NULL) {
		warn("calloc");
		http_close(x);
		http_free(h);
		return NULL;
	}

	g->headpart = headr;
	g->headpartsz = headrsz;
	g->bodypart = bod;
	g->bodypartsz = bodsz;
	g->head = head;
	g->headsz = headsz;
	g->code = code;
	g->xfer = x;
	g->http = h;
	return g;
}

#if 0
int
main(void)
{
	struct httpget	*g;
	struct httphead	*httph;
	size_t		 i, httphsz;
	struct source	 addrs[2];
	size_t		 addrsz;

#if 0
	addrs[0].ip = "127.0.0.1";
	addrs[0].family = 4;
	addrsz = 1;
#else
	addrs[0].ip = "2a00:1450:400a:806::2004";
	addrs[0].family = 6;
	addrs[1].ip = "193.135.3.123";
	addrs[1].family = 4;
	addrsz = 2;
#endif

	if (http_init() == -1)
		errx(EXIT_FAILURE, "http_init");

#if 0
	g = http_get(addrs, addrsz, "localhost", 80, "/index.html");
#else
	g = http_get(addrs, addrsz, "www.google.ch", 80, "/index.html",
	    NULL, 0);
#endif

	if (g == NULL)
		errx(EXIT_FAILURE, "http_get");

	httph = http_head_parse(g->http, g->xfer, &httphsz);
	warnx("code: %d", g->code);

	for (i = 0; i < httphsz; i++)
		warnx("head: [%s]=[%s]", httph[i].key, httph[i].val);

	http_get_free(g);
	return (EXIT_SUCCESS);
}
#endif

/*	$Id: http.h,v 1.3 2017/01/25 13:52:53 inoguchi Exp $ */
/*
 * Copyright (c) 2016 Kristaps Dzonsons <kristaps@bsd.lv>
 *
 * Permission to use, copy, modify, and distribute this software for any
 * purpose with or without fee is hereby granted, provided that the above
 * copyright notice and this permission notice appear in all copies.
 *
 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHORS DISCLAIM ALL WARRANTIES
 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHORS BE LIABLE FOR
 * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
 * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 */
#ifndef HTTP_H
#define HTTP_H

struct	source {
	int	 family; /* 4 (PF_INET) or 6 (PF_INET6) */
	char	*ip; /* IPV4 or IPV6 address */
};

struct	http;

/*
 * Write and read callbacks to allow HTTP and HTTPS.
 * Both of these return the number of bytes read (or written) or -1 on
 * failure.
 * 0 bytes read means that the connection has closed.
 */
typedef	ssize_t (*writefp)(const void *, size_t, const struct http *);
typedef	ssize_t (*readfp)(char *, size_t, const struct http *);

/*
 * HTTP/S header pair.
 * There's also a cooked-up pair, "Status", with the status code.
 * Both strings are NUL-terminated.
 */
struct	httphead {
	const char	*key;
	const char	*val;
};

/*
 * Grab all information from a transfer.
 * DO NOT free any parts of this, and editing the parts (e.g., changing
 * the underlying strings) will persist; so in short, don't.
 * All of these values will be set upon http_get() success.
 */
struct	httpget {
	struct httpxfer	*xfer; /* underlying transfer */
	struct http	*http; /* underlying connection */
	int		 code; /* return code */
	struct httphead	*head; /* headers */
	size_t		 headsz; /* number of headers */
	char		*headpart; /* header buffer */
	size_t		 headpartsz; /* size of headpart */
	char		*bodypart; /* body buffer */
	size_t		 bodypartsz; /* size of bodypart */
};

int		 http_init(void);

/* Convenience functions. */
struct httpget	*http_get(const struct source *, size_t,
			const char *, short, const char *,
			const void *, size_t);
void		 http_get_free(struct httpget *);

/* Allocation and release. */
struct http	*http_alloc(const struct source *, size_t,
			const char *, short, const char *);
void		 http_free(struct http *);
struct httpxfer	*http_open(const struct http *, const void *, size_t);
void		 http_close(struct httpxfer *);
void		 http_disconnect(struct http *);

/* Access. */
char		*http_head_read(const struct http *,
			struct httpxfer *, size_t *);
struct httphead	*http_head_parse(const struct http *,
			struct httpxfer *, size_t *);
char		*http_body_read(const struct http *,
			struct httpxfer *, size_t *);
int		 http_head_status(const struct http *,
			struct httphead *, size_t);
struct httphead	*http_head_get(const char *,
			struct httphead *, size_t);

#endif /* HTTP_H */

.\"	$OpenBSD: ocspcheck.8,v 1.6 2017/01/26 22:59:55 jmc Exp $
.\"
.\" Copyright (c) 2017 Bob Beck <beck@openbsd.org>
.\"
.\" Permission to use, copy, modify, and distribute this software for any
.\" purpose with or without fee is hereby granted, provided that the above
.\" copyright notice and this permission notice appear in all copies.
.\"
.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
.\"
.Dd $Mdocdate: January 26 2017 $
.Dt OCSPCHECK 8
.Os
.Sh NAME
.Nm ocspcheck
.Nd check a certificate for validity against its OCSP responder
.Sh SYNOPSIS
.Nm
.Op Fl Nv
.Op Fl C Ar CAfile
.Op Fl o Ar staplefile
.Ar file
.Sh DESCRIPTION
The
.Nm
utility validates a PEM format certificate against the OCSP responder
encoded in the certificate specified by the
.Ar file
argument.
Normally it should be used for checking server certificates
and maintaining saved OCSP responses to be used for OCSP stapling.
.Pp
The options are as follows:
.Bl -tag -width Ds
.It Fl C Ar CAfile
Specify a PEM format root certificate bundle to use for the validation of
requests.
By default no certificates are used beyond those in the
certificate chain provided by the
.Ar file
argument.
.It Fl N
Do not use a nonce value in the OCSP request, or validate that the
nonce was returned in the OCSP response.
By default a nonce is always used and validated.
The use of this flag is a security risk as it will allow OCSP
responses to be replayed.
It should not be used unless the OCSP server does not support the
use of OCSP nonces.
.It Fl o Ar staplefile
Specify an output filename where the DER encoded response from the
OCSP server will be written, if the OCSP response validates.
A filename
of
.Sq -
will write the response to standard output.
By default the response is not saved.
.It Fl v
Increase verbosity.
This flag may be specified multiple times to get more verbose output.
The default behaviour is to be silent unless something goes wrong.
.El
.Sh EXIT STATUS
The
.Nm
utility exits 0 if the OCSP response validates for the certificate in
.Ar file
and all output is successfully written out.
.Nm
exits >0 if an error occurs or the OCSP response fails to validate.
.Sh SEE ALSO
.Xr nc 1 ,
.Xr tls_config_set_ocsp_staple_file 3 ,
.Xr tls_config_set_ocsp_staple_mem 3 ,
.Xr httpd 8
.Sh AUTHORS
.Nm
was written by
.An Bob Beck .
.Sh CAVEATS
While
.Nm
could possibly be used in scripts to query responders for server
certificates seen on client connections, this is almost always a bad
idea.
God kills a kitten every time you make an OCSP query from the
client side of a TLS connection.
.Sh BUGS
.Nm
will create the output file if it does not exist.
On failure a newly created output file will not be removed.

/* $OpenBSD: ocspcheck.c,v 1.20 2017/03/27 23:59:08 deraadt Exp $ */

/*
 * Copyright (c) 2017 Bob Beck <beck@openbsd.org>
 *
 * Permission to use, copy, modify, and distribute this software for any
 * purpose with or without fee is hereby granted, provided that the above
 * copyright notice and this permission notice appear in all copies.
 *
 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHORS DISCLAIM ALL WARRANTIES
 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHORS BE LIABLE FOR
 * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
 * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 */

#include <arpa/inet.h>
#include <netinet/in.h>
#include <sys/socket.h>
#include <sys/stat.h>

#include <err.h>
#include <fcntl.h>
#include <limits.h>
#include <netdb.h>
#include <poll.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <time.h>
#include <unistd.h>

#include <openssl/err.h>
#include <openssl/ocsp.h>
#include <openssl/ssl.h>

#include "http.h"

#define MAXAGE_SEC (14*24*60*60)
#define JITTER_SEC (60)

typedef struct ocsp_request {
	STACK_OF(X509) *fullchain;
	OCSP_REQUEST *req;
	char *url;
	unsigned char *data;
	size_t size;
	int nonce;
} ocsp_request;

int verbose;
#define vspew(fmt, ...) \
	do { if (verbose >= 1) fprintf(stderr, fmt, __VA_ARGS__); } while (0)
#define dspew(fmt, ...) \
	do { if (verbose >= 2) fprintf(stderr, fmt, __VA_ARGS__); } while (0)

#define MAX_SERVERS_DNS 8

struct addr {
	int	 family; /* 4 for PF_INET, 6 for PF_INET6 */
	char	 ip[INET6_ADDRSTRLEN];
};

static ssize_t
host_dns(const char *s, struct addr vec[MAX_SERVERS_DNS])
{
	struct addrinfo		 hints, *res0, *res;
	int			 error;
	ssize_t			 vecsz;
	struct sockaddr		*sa;

	memset(&hints, 0, sizeof(hints));
	hints.ai_family = PF_UNSPEC;
	hints.ai_socktype = SOCK_DGRAM; /* DUMMY */

	error = getaddrinfo(s, NULL, &hints, &res0);

	if (error == EAI_AGAIN ||
#ifdef EAI_NODATA
	    error == EAI_NODATA ||
#endif
	    error == EAI_NONAME)
		return 0;

	if (error) {
		warnx("%s: parse error: %s", s, gai_strerror(error));
		return -1;
	}

	for (vecsz = 0, res = res0;
	    res != NULL && vecsz < MAX_SERVERS_DNS;
	    res = res->ai_next) {
		if (res->ai_family != AF_INET &&
		    res->ai_family != AF_INET6)
			continue;

		sa = res->ai_addr;

		if (res->ai_family == AF_INET) {
			vec[vecsz].family = 4;
			inet_ntop(AF_INET,
			    &(((struct sockaddr_in *)sa)->sin_addr),
				vec[vecsz].ip, INET6_ADDRSTRLEN);
		} else {
			vec[vecsz].family = 6;
			inet_ntop(AF_INET6,
			    &(((struct sockaddr_in6 *)sa)->sin6_addr),
			    vec[vecsz].ip, INET6_ADDRSTRLEN);
		}

		dspew("DNS returns %s for %s\n", vec[vecsz].ip, s);
		vecsz++;
		break;
	}

	freeaddrinfo(res0);
	return vecsz;
}

/*
 * Extract the domain and port from a URL.
 * The url must be formatted as schema://address[/stuff].
 * This returns NULL on failure.
 */
static char *
url2host(const char *host, short *port, char **path)
{
	char	*url, *ep;

	/* We only understand HTTP and HTTPS. */

	if (strncmp(host, "https://", 8) == 0) {
		*port = 443;
		if ((url = strdup(host + 8)) == NULL) {
			warn("strdup");
			return (NULL);
		}
	} else if (strncmp(host, "http://", 7) == 0) {
		*port = 80;
		if ((url = strdup(host + 7)) == NULL) {
			warn("strdup");
			return (NULL);
		}
	} else {
		warnx("%s: unknown schema", host);
		return (NULL);
	}

	/* Terminate path part. */

	if ((ep = strchr(url, '/')) != NULL) {
		*path = strdup(ep);
		*ep = '\0';
	} else
		*path = strdup("");

	if (*path == NULL) {
		warn("strdup");
		free(url);
		return (NULL);
	}

	return (url);
}

static time_t
parse_ocsp_time(ASN1_GENERALIZEDTIME *gt)
{
	struct tm tm;
	time_t rv = -1;

	if (gt == NULL)
		return -1;
	/* RFC 6960 specifies that all times in OCSP must be GENERALIZEDTIME */
	if (ASN1_time_parse(gt->data, gt->length, &tm,
		V_ASN1_GENERALIZEDTIME) == -1)
		return -1;
	if ((rv = timegm(&tm)) == -1)
		return -1;
	return rv;
}

static X509_STORE *
read_cacerts(char *file)
{
	X509_STORE *store;
	X509_LOOKUP *lookup;

	if ((store = X509_STORE_new()) == NULL) {
		warnx("Malloc failed");
		goto end;
	}
	if ((lookup = X509_STORE_add_lookup(store, X509_LOOKUP_file())) ==
	    NULL) {
		warnx("Unable to load CA certs from file %s", file);
		goto end;
	}
	if (file) {
		if (!X509_LOOKUP_load_file(lookup, file, X509_FILETYPE_PEM)) {
			warnx("Unable to load CA certs from file %s", file);
			goto end;
		}
	} else
		X509_LOOKUP_load_file(lookup, NULL, X509_FILETYPE_DEFAULT);

	if ((lookup = X509_STORE_add_lookup(store, X509_LOOKUP_hash_dir())) ==
	    NULL) {
		warnx("Unable to load CA certs from file %s", file);
		goto end;
	}
	X509_LOOKUP_add_dir(lookup, NULL, X509_FILETYPE_DEFAULT);
	ERR_clear_error();
	return store;

end:
	X509_STORE_free(store);
	return NULL;
}

static STACK_OF(X509) *
read_fullchain(const char *file, int *count)
{
	int i;
	BIO *bio;
	STACK_OF(X509_INFO) *xis = NULL;
	X509_INFO *xi;
	STACK_OF(X509) *rv = NULL;

	*count = 0;

	if ((bio = BIO_new_file(file, "r")) == NULL) {
		warn("Unable to read a certificate from %s", file);
		return NULL;
	}
	if ((xis = PEM_X509_INFO_read_bio(bio, NULL, NULL, NULL)) == NULL) {
		warnx("Unable to read PEM format from %s", file);
		return NULL;
	}
	BIO_free(bio);

	if (sk_X509_INFO_num(xis) <= 0) {
		warnx("No certificates in file %s", file);
		goto end;
	}
	if ((rv = sk_X509_new_null()) == NULL) {
		warnx("malloc failed");
		goto end;
	}

	for (i = 0; i < sk_X509_INFO_num(xis); i++) {
		xi = sk_X509_INFO_value(xis, i);
		if (xi->x509 == NULL)
			continue;
		if (!sk_X509_push(rv, xi->x509)) {
			warnx("unable to build x509 chain");
			sk_X509_pop_free(rv, X509_free);
			rv = NULL;
			goto end;
		}
		xi->x509 = NULL;
		(*count)++;
	}
end:
	sk_X509_INFO_pop_free(xis, X509_INFO_free);
	return rv;
}

static inline X509 *
cert_from_chain(STACK_OF(X509) *fullchain)
{
	return sk_X509_value(fullchain, 0);
}

static X509 *
issuer_from_chain(STACK_OF(X509) *fullchain)
{
	X509 *cert, *issuer;
	X509_NAME *issuer_name;

	cert = cert_from_chain(fullchain);
	if ((issuer_name = X509_get_issuer_name(cert)) == NULL)
		return NULL;

	issuer = X509_find_by_subject(fullchain, issuer_name);
	return issuer;
}

static ocsp_request *
ocsp_request_new_from_cert(char *file, int nonce)
{
	X509 *cert = NULL;
	int count = 0;
	OCSP_CERTID *id;
	ocsp_request *request;
	const EVP_MD *cert_id_md = NULL;
	X509 *issuer = NULL;
	STACK_OF(OPENSSL_STRING) *urls;

	if ((request = calloc(1, sizeof(ocsp_request))) == NULL) {
		warn("malloc");
		return NULL;
	}

	if ((request->req = OCSP_REQUEST_new()) == NULL)
		return NULL;

	request->fullchain = read_fullchain(file, &count);
	/* Drop rpath from pledge, we don't need to read anymore */
	if (pledge("stdio inet dns", NULL) == -1)
		err(1, "pledge");

	if (request->fullchain == NULL)
		return NULL;
	if (count <= 1) {
		warnx("File %s does not contain a cert chain", file);
		return NULL;
	}
	if ((cert = cert_from_chain(request->fullchain)) == NULL) {
		warnx("No certificate found in %s", file);
		return NULL;
	}
	if ((issuer = issuer_from_chain(request->fullchain)) == NULL) {
		warnx("Unable to find issuer for cert in %s", file);
		return NULL;
	}

	urls = X509_get1_ocsp(cert);
	if (urls == NULL || sk_OPENSSL_STRING_num(urls) <= 0) {
		warnx("Certificate in %s contains no OCSP url", file);
		return NULL;
	}
	if ((request->url = strdup(sk_OPENSSL_STRING_value(urls, 0))) == NULL)
		return NULL;
	X509_email_free(urls);

	cert_id_md = EVP_sha1(); /* XXX. This sucks but OCSP is poopy */
	if ((id = OCSP_cert_to_id(cert_id_md, cert, issuer)) == NULL) {
		warnx("Unable to get certificate id from cert in %s", file);
		return NULL;
	}
	if (OCSP_request_add0_id(request->req, id) == NULL) {
		warnx("Unable to add certificate id to request");
		return NULL;
	}

	request->nonce = nonce;
	if (request->nonce)
		OCSP_request_add1_nonce(request->req, NULL, -1);

	if ((request->size = i2d_OCSP_REQUEST(request->req,
	    &request->data)) <= 0) {
		warnx("Unable to encode ocsp request");
		return NULL;
	}
	if (request->data == NULL) {
		warnx("Unable to allocte memory");
		return NULL;
	}
	return (request);
}


int
validate_response(char *buf, size_t size, ocsp_request *request,
    X509_STORE *store, char *host, char *file)
{
	ASN1_GENERALIZEDTIME *revtime = NULL, *thisupd = NULL, *nextupd = NULL;
	const unsigned char **p = (const unsigned char **)&buf;
	int status, cert_status=0, crl_reason=0;
	time_t now, rev_t = -1, this_t, next_t;
	OCSP_RESPONSE *resp;
	OCSP_BASICRESP *bresp;
	OCSP_CERTID *cid;
	X509 *cert, *issuer;

	if ((cert = cert_from_chain(request->fullchain)) == NULL) {
		warnx("No certificate found in %s", file);
		return 0;
	}
	if ((issuer = issuer_from_chain(request->fullchain)) == NULL) {
		warnx("Unable to find certificate issuer for cert in %s", file);
		return 0;
	}
	if ((cid = OCSP_cert_to_id(NULL, cert, issuer)) == NULL) {
		warnx("Unable to get issuer cert/CID in %s", file);
		return 0;
	}

	if ((resp = d2i_OCSP_RESPONSE(NULL, p, size)) == NULL) {
		warnx("OCSP response unserializable from host %s", host);
		return 0;
	}

	if ((bresp = OCSP_response_get1_basic(resp)) == NULL) {
		warnx("Failed to load OCSP response from %s", host);
		return 0;
	}

	if (OCSP_basic_verify(bresp, request->fullchain, store,
		OCSP_TRUSTOTHER) != 1) {
		warnx("OCSP verify failed from %s", host);
		return 0;
	}
	dspew("OCSP response signature validated from %s\n", host);

	status = OCSP_response_status(resp);
	if (status != OCSP_RESPONSE_STATUS_SUCCESSFUL) {
		warnx("OCSP Failure: code %d (%s) from host %s",
		    status, OCSP_response_status_str(status), host);
		return 0;
	}
	dspew("OCSP response status %d from host %s\n", status, host);

	/* Check the nonce if we sent one */

	if (request->nonce) {
		if (OCSP_check_nonce(request->req, bresp) <= 0) {
			warnx("No OCSP nonce, or mismatch, from host %s", host);
			return 0;
		}
	}

	if (OCSP_resp_find_status(bresp, cid, &cert_status, &crl_reason,
	    &revtime, &thisupd, &nextupd) != 1) {
		warnx("OCSP verify failed: no result for cert");
		return 0;
	}

	if (revtime && (rev_t = parse_ocsp_time(revtime)) == -1) {
		warnx("Unable to parse revocation time in OCSP reply");
		return 0;
	}
	/*
	 * Belt and suspenders, Treat it as revoked if there is either
	 * a revocation time, or status revoked.
	 */
	if (rev_t != -1 || cert_status == V_OCSP_CERTSTATUS_REVOKED) {
		warnx("Invalid OCSP reply: certificate is revoked");
		if (rev_t != -1)
			warnx("Certificate revoked at: %s", ctime(&rev_t));
		return 0;
	}
	if ((this_t = parse_ocsp_time(thisupd)) == -1) {
		warnx("unable to parse this update time in OCSP reply");
		return 0;
	}
	if ((next_t = parse_ocsp_time(nextupd)) == -1) {
		warnx("unable to parse next update time in OCSP reply");
		return 0;
	}

	/* Don't allow this update to precede next update */
	if (this_t >= next_t) {
		warnx("Invalid OCSP reply: this update >= next update");
		return 0;
	}

	now = time(NULL);
	/*
	 * Check that this update is not more than JITTER seconds
	 * in the future.
	 */
	if (this_t > now + JITTER_SEC) {
		warnx("Invalid OCSP reply: this update is in the future (%s)",
		    ctime(&this_t));
		return 0;
	}

	/*
	 * Check that this update is not more than MAXSEC
	 * in the past.
	 */
	if (this_t < now - MAXAGE_SEC) {
		warnx("Invalid OCSP reply: this update is too old (%s)",
		    ctime(&this_t));
		return 0;
	}

	/*
	 * Check that next update is still valid
	 */
	if (next_t < now - JITTER_SEC) {
		warnx("Invalid OCSP reply: reply has expired (%s)",
		    ctime(&next_t));
		return 0;
	}

	vspew("OCSP response validated from %s\n", host);
	vspew("	   This Update: %s", ctime(&this_t));
	vspew("	   Next Update: %s", ctime(&next_t));
	return 1;
}

static void
usage(void)
{
	fprintf(stderr,
	    "usage: ocspcheck [-Nv] [-C CAfile] [-o staplefile] file\n");
	exit(1);
}

int
main(int argc, char **argv)
{
	char *host = NULL, *path = "/", *certfile = NULL, *outfile = NULL,
	    *cafile = NULL;
	struct addr addrs[MAX_SERVERS_DNS] = {{0}};
	struct source sources[MAX_SERVERS_DNS];
	int i, ch, staplefd = -1, nonce = 1;
	ocsp_request *request = NULL;
	size_t rescount, httphsz;
	struct httphead	*httph;
	struct httpget *hget;
	X509_STORE *castore;
	ssize_t written, w;
	short port;

	while ((ch = getopt(argc, argv, "C:No:v")) != -1) {
		switch (ch) {
		case 'C':
			cafile = optarg;
			break;
		case 'N':
			nonce = 0;
			break;
		case 'o':
			outfile = optarg;
			break;
		case 'v':
			verbose++;
			break;
		default:
			usage();
		}
	}
	argc -= optind;
	argv += optind;

	if ((certfile = argv[0]) == NULL)
		usage();

	if (outfile != NULL) {
		if (strcmp(outfile, "-") == 0)
			staplefd = STDOUT_FILENO;
		else
			staplefd = open(outfile, O_WRONLY|O_CREAT,
			    S_IWUSR|S_IRUSR|S_IRGRP|S_IROTH);
		if (staplefd < 0)
			err(1, "Unable to open output file %s", outfile);
	}

	if (pledge("stdio inet rpath dns", NULL) == -1)
		err(1, "pledge");

	/*
	 * Load our certificate and keystore, and build up an
	 * OCSP request based on the full certificate chain
	 * we have been given to check.
	 */
	if ((castore = read_cacerts(cafile)) == NULL)
		exit(1);
	if ((request = ocsp_request_new_from_cert(certfile, nonce)) == NULL)
		exit(1);

	dspew("Built an %ld byte ocsp request\n", request->size);

	if ((host = url2host(request->url, &port, &path)) == NULL)
		errx(1, "Invalid OCSP url %s from %s", request->url,
		    certfile);
	if (*path == '\0')
		path = "/";
	vspew("Using %s to host %s, port %d, path %s\n",
	    port == 443 ? "https" : "http", host, port, path);

	rescount = host_dns(host, addrs);
	for (i = 0; i < rescount; i++) {
		sources[i].ip = addrs[i].ip;
		sources[i].family = addrs[i].family;
	}

	/*
	 * Do an HTTP post to send our request to the OCSP
	 * server, and hopefully get an answer back
	 */
	hget = http_get(sources, rescount, host, port, path,
	    request->data, request->size);
	if (hget == NULL)
		errx(1, "http_get");

	/*
	 * Pledge minimally before fiddling with libcrypto init
	 * routines and parsing untrusted input from someone's OCSP
	 * server.
	 */
	if (pledge("stdio", NULL) == -1)
		err(1, "pledge");

	httph = http_head_parse(hget->http, hget->xfer, &httphsz);
	dspew("Server at %s returns:\n", host);
	for (i = 0; i < httphsz; i++)
		dspew("	  [%s]=[%s]\n", httph[i].key, httph[i].val);
	dspew("	  [Body]=[%ld bytes]\n", hget->bodypartsz);
	if (hget->bodypartsz <= 0)
		errx(1, "No body in reply from %s", host);

	if (hget->code != 200)
		errx(1, "http reply code %d from %s", hget->code, host);

	/*
	 * Validate the OCSP response we got back
	 */
	OPENSSL_add_all_algorithms_noconf();
	if (!validate_response(hget->bodypart, hget->bodypartsz,
	    request, castore, host, certfile))
		exit(1);

	/*
	 * If we have been given a place to save a staple,
	 * write out the DER format response to the staplefd
	 */
	if (staplefd >= 0) {
		(void) ftruncate(staplefd, 0);
		w = 0;
		written = 0;
		while (written < hget->bodypartsz) {
			w = write(staplefd, hget->bodypart + written,
			    hget->bodypartsz - written);
			if (w == -1) {
				if (errno != EINTR && errno != EAGAIN)
					err(1, "Write of OCSP response failed");
			} else
				written += w;
		}
		close(staplefd);
	}
	exit(0);
}

include_directories(
	.
	../../include
	../../include/compat
)

set(
	OPENSSL_SRC
	apps.c
	asn1pars.c
	ca.c
	ciphers.c

	crl.c
	crl2p7.c
	dgst.c
	dh.c
	dhparam.c
	dsa.c
	dsaparam.c

else()
	set(OPENSSL_SRC ${OPENSSL_SRC} compat/strtonum.c)
endif()

add_executable(openssl ${OPENSSL_SRC})
target_link_libraries(openssl ${OPENSSL_LIBS})

install(TARGETS openssl DESTINATION ${CMAKE_INSTALL_BINDIR})
install(FILES openssl.1 DESTINATION ${CMAKE_INSTALL_MANDIR}/man1)

if(NOT "${OPENSSLDIR}" STREQUAL "")
	set(CONF_DIR "${OPENSSLDIR}")
else()
	set(CONF_DIR "${CMAKE_INSTALL_PREFIX}/etc/ssl")
endif()
install(FILES cert.pem openssl.cnf x509v3.cnf DESTINATION ${CONF_DIR})
install(DIRECTORY DESTINATION ${CONF_DIR}/cert)

include $(top_srcdir)/Makefile.am.common

bin_PROGRAMS = openssl

dist_man_MANS = openssl.1


openssl_LDADD = $(abs_top_builddir)/ssl/libssl.la
openssl_LDADD += $(abs_top_builddir)/crypto/libcrypto.la
openssl_LDADD += $(PLATFORM_LDADD) $(PROG_LDADD)

openssl_SOURCES = apps.c
openssl_SOURCES += asn1pars.c
openssl_SOURCES += ca.c
openssl_SOURCES += ciphers.c

openssl_SOURCES += crl.c
openssl_SOURCES += crl2p7.c
openssl_SOURCES += dgst.c
openssl_SOURCES += dh.c
openssl_SOURCES += dhparam.c
openssl_SOURCES += dsa.c
openssl_SOURCES += dsaparam.c

EXTRA_DIST = cert.pem
EXTRA_DIST += openssl.cnf
EXTRA_DIST += x509v3.cnf
EXTRA_DIST += CMakeLists.txt

install-exec-hook:
	@if [ "@OPENSSLDIR@x" != "x" ]; then \
		OPENSSLDIR="$(DESTDIR)@OPENSSLDIR@"; \
	else \
		OPENSSLDIR="$(DESTDIR)$(sysconfdir)/ssl"; \
	fi; \
	mkdir -p "$$OPENSSLDIR/certs"; \
	for i in cert.pem openssl.cnf x509v3.cnf; do \
		if [ ! -f "$$OPENSSLDIR/$i" ]; then \
			$(INSTALL) -m 644 "$(srcdir)/$$i" "$$OPENSSLDIR/$$i"; \
		else \
			echo " $$OPENSSLDIR/$$i already exists, install will not overwrite"; \
		fi \
	done

uninstall-local:
	@if [ "@OPENSSLDIR@x" != "x" ]; then \
		OPENSSLDIR="$(DESTDIR)@OPENSSLDIR@"; \
	else \
		OPENSSLDIR="$(DESTDIR)$(sysconfdir)/ssl"; \
	fi; \
	for i in cert.pem openssl.cnf x509v3.cnf; do \
		if cmp -s "$$OPENSSLDIR/$$i" "$(srcdir)/$$i"; then \
			rm -f "$$OPENSSLDIR/$$i"; \
		fi \
	done

DIST_COMMON = $(srcdir)/Makefile.am $(noinst_HEADERS) \
	$(am__DIST_COMMON)
mkinstalldirs = $(install_sh) -d
CONFIG_CLEAN_FILES =
CONFIG_CLEAN_VPATH_FILES =
am__installdirs = "$(DESTDIR)$(bindir)" "$(DESTDIR)$(man1dir)"
PROGRAMS = $(bin_PROGRAMS)
am__openssl_SOURCES_DIST = apps.c asn1pars.c ca.c ciphers.c crl.c \
	crl2p7.c dgst.c dh.c dhparam.c dsa.c dsaparam.c ec.c ecparam.c \
	enc.c errstr.c gendh.c gendsa.c genpkey.c genrsa.c nseq.c \
	ocsp.c openssl.c passwd.c pkcs12.c pkcs7.c pkcs8.c pkey.c \
	pkeyparam.c pkeyutl.c prime.c rand.c req.c rsa.c rsautl.c \
	s_cb.c s_client.c s_server.c s_socket.c s_time.c sess_id.c \
	smime.c speed.c spkac.c ts.c verify.c version.c x509.c \
	certhash.c certhash_win.c apps_win.c apps_posix.c \
	compat/poll_win.c compat/strtonum.c
@BUILD_CERTHASH_TRUE@am__objects_1 = certhash.$(OBJEXT)
@BUILD_CERTHASH_FALSE@am__objects_2 = certhash_win.$(OBJEXT)
@HOST_WIN_TRUE@am__objects_3 = apps_win.$(OBJEXT)
@HOST_WIN_FALSE@am__objects_4 = apps_posix.$(OBJEXT)
am__dirstamp = $(am__leading_dot)dirstamp
@HAVE_POLL_FALSE@@HOST_WIN_TRUE@am__objects_5 =  \
@HAVE_POLL_FALSE@@HOST_WIN_TRUE@	compat/poll_win.$(OBJEXT)
@HAVE_STRTONUM_FALSE@am__objects_6 = compat/strtonum.$(OBJEXT)
am_openssl_OBJECTS = apps.$(OBJEXT) asn1pars.$(OBJEXT) ca.$(OBJEXT) \
	ciphers.$(OBJEXT) crl.$(OBJEXT) crl2p7.$(OBJEXT) \
	dgst.$(OBJEXT) dh.$(OBJEXT) dhparam.$(OBJEXT) dsa.$(OBJEXT) \
	dsaparam.$(OBJEXT) ec.$(OBJEXT) ecparam.$(OBJEXT) \
	enc.$(OBJEXT) errstr.$(OBJEXT) gendh.$(OBJEXT) \
	gendsa.$(OBJEXT) genpkey.$(OBJEXT) genrsa.$(OBJEXT) \
	nseq.$(OBJEXT) ocsp.$(OBJEXT) openssl.$(OBJEXT) \
	passwd.$(OBJEXT) pkcs12.$(OBJEXT) pkcs7.$(OBJEXT) \
	pkcs8.$(OBJEXT) pkey.$(OBJEXT) pkeyparam.$(OBJEXT) \
	pkeyutl.$(OBJEXT) prime.$(OBJEXT) rand.$(OBJEXT) req.$(OBJEXT) \
	rsa.$(OBJEXT) rsautl.$(OBJEXT) s_cb.$(OBJEXT) \
	s_client.$(OBJEXT) s_server.$(OBJEXT) s_socket.$(OBJEXT) \
	s_time.$(OBJEXT) sess_id.$(OBJEXT) smime.$(OBJEXT) \
	speed.$(OBJEXT) spkac.$(OBJEXT) ts.$(OBJEXT) verify.$(OBJEXT) \
	version.$(OBJEXT) x509.$(OBJEXT) $(am__objects_1) \
	$(am__objects_2) $(am__objects_3) $(am__objects_4) \
	$(am__objects_5) $(am__objects_6)
openssl_OBJECTS = $(am_openssl_OBJECTS)
am__DEPENDENCIES_1 =

openssl_DEPENDENCIES = $(abs_top_builddir)/ssl/libssl.la \
	$(abs_top_builddir)/crypto/libcrypto.la $(am__DEPENDENCIES_1) \
	$(am__DEPENDENCIES_1)
AM_V_lt = $(am__v_lt_@AM_V@)
am__v_lt_ = $(am__v_lt_@AM_DEFAULT_V@)
am__v_lt_0 = --silent
am__v_lt_1 = 
AM_V_P = $(am__v_P_@AM_V@)
am__v_P_ = $(am__v_P_@AM_DEFAULT_V@)
am__v_P_0 = false

    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
  done | $(am__uniquify_input)`
ETAGS = etags
CTAGS = ctags
am__DIST_COMMON = $(dist_man_MANS) $(srcdir)/Makefile.in \
	$(top_srcdir)/Makefile.am.common $(top_srcdir)/depcomp
DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
ACLOCAL = @ACLOCAL@
AMTAR = @AMTAR@
AM_DEFAULT_VERBOSITY = @AM_DEFAULT_VERBOSITY@
AR = @AR@
AUTOCONF = @AUTOCONF@
AUTOHEADER = @AUTOHEADER@
AUTOMAKE = @AUTOMAKE@
AWK = @AWK@
CC = @CC@
CCAS = @CCAS@
CCASDEPMODE = @CCASDEPMODE@
CCASFLAGS = @CCASFLAGS@
CCDEPMODE = @CCDEPMODE@
CFLAGS = @CFLAGS@

ECHO_C = @ECHO_C@
ECHO_N = @ECHO_N@
ECHO_T = @ECHO_T@
EGREP = @EGREP@
EXEEXT = @EXEEXT@
FGREP = @FGREP@
GREP = @GREP@
HOSTARCH = @HOSTARCH@
INSTALL = @INSTALL@
INSTALL_DATA = @INSTALL_DATA@
INSTALL_PROGRAM = @INSTALL_PROGRAM@
INSTALL_SCRIPT = @INSTALL_SCRIPT@
INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
LD = @LD@
LDFLAGS = @LDFLAGS@

srcdir = @srcdir@
sysconfdir = @sysconfdir@
target_alias = @target_alias@
top_build_prefix = @top_build_prefix@
top_builddir = @top_builddir@
top_srcdir = @top_srcdir@
AM_CFLAGS = 
AM_CPPFLAGS = -I$(top_srcdir)/include -I$(top_srcdir)/include/compat \
	-DLIBRESSL_INTERNAL -D__BEGIN_HIDDEN_DECLS= \
	-D__END_HIDDEN_DECLS=
dist_man_MANS = openssl.1

openssl_LDADD = $(abs_top_builddir)/ssl/libssl.la \
	$(abs_top_builddir)/crypto/libcrypto.la $(PLATFORM_LDADD) \
	$(PROG_LDADD)
openssl_SOURCES = apps.c asn1pars.c ca.c ciphers.c crl.c crl2p7.c \
	dgst.c dh.c dhparam.c dsa.c dsaparam.c ec.c ecparam.c enc.c \
	errstr.c gendh.c gendsa.c genpkey.c genrsa.c nseq.c ocsp.c \
	openssl.c passwd.c pkcs12.c pkcs7.c pkcs8.c pkey.c pkeyparam.c \
	pkeyutl.c prime.c rand.c req.c rsa.c rsautl.c s_cb.c \
	s_client.c s_server.c s_socket.c s_time.c sess_id.c smime.c \
	speed.c spkac.c ts.c verify.c version.c x509.c $(am__append_1) \
	$(am__append_2) $(am__append_3) $(am__append_4) \
	$(am__append_5) $(am__append_6)
noinst_HEADERS = apps.h progs.h s_apps.h testdsa.h testrsa.h \
	timeouts.h
EXTRA_DIST = cert.pem openssl.cnf x509v3.cnf CMakeLists.txt
all: all-am

.SUFFIXES:
.SUFFIXES: .c .lo .o .obj

@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/apps_posix.Po@am__quote@
@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/apps_win.Po@am__quote@
@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/asn1pars.Po@am__quote@
@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/ca.Po@am__quote@
@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/certhash.Po@am__quote@
@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/certhash_win.Po@am__quote@
@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/ciphers.Po@am__quote@

@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/crl.Po@am__quote@
@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/crl2p7.Po@am__quote@
@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/dgst.Po@am__quote@
@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/dh.Po@am__quote@
@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/dhparam.Po@am__quote@
@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/dsa.Po@am__quote@
@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/dsaparam.Po@am__quote@

	uninstall-man uninstall-man1

.PRECIOUS: Makefile


install-exec-hook:
	@if [ "@OPENSSLDIR@x" != "x" ]; then \
		OPENSSLDIR="$(DESTDIR)@OPENSSLDIR@"; \
	else \
		OPENSSLDIR="$(DESTDIR)$(sysconfdir)/ssl"; \
	fi; \
	mkdir -p "$$OPENSSLDIR/certs"; \
	for i in cert.pem openssl.cnf x509v3.cnf; do \
		if [ ! -f "$$OPENSSLDIR/$i" ]; then \
			$(INSTALL) -m 644 "$(srcdir)/$$i" "$$OPENSSLDIR/$$i"; \
		else \
			echo " $$OPENSSLDIR/$$i already exists, install will not overwrite"; \
		fi \
	done

uninstall-local:
	@if [ "@OPENSSLDIR@x" != "x" ]; then \
		OPENSSLDIR="$(DESTDIR)@OPENSSLDIR@"; \
	else \
		OPENSSLDIR="$(DESTDIR)$(sysconfdir)/ssl"; \
	fi; \
	for i in cert.pem openssl.cnf x509v3.cnf; do \
		if cmp -s "$$OPENSSLDIR/$$i" "$(srcdir)/$$i"; then \
			rm -f "$$OPENSSLDIR/$$i"; \
		fi \
	done

# Tell versions [3.59,3.63) of GNU make to not export all variables.
# Otherwise a system limit (for SysV at least) may be exceeded.
.NOEXPORT:

/* $OpenBSD: apps.c,v 1.42 2017/01/21 09:29:09 deraadt Exp $ */
/*
 * Copyright (c) 2014 Joel Sing <jsing@openbsd.org>
 *
 * Permission to use, copy, modify, and distribute this software for any
 * purpose with or without fee is hereby granted, provided that the above
 * copyright notice and this permission notice appear in all copies.
 *

		}
	}

	if (format == FORMAT_ASN1)
		x = d2i_X509_bio(cert, NULL);
	else if (format == FORMAT_NETSCAPE) {
		NETSCAPE_X509 *nx;
		nx = ASN1_item_d2i_bio(&NETSCAPE_X509_it,
		    cert, NULL);
		if (nx == NULL)
			goto end;

		if ((strncmp(NETSCAPE_CERT_HDR, (char *) nx->header->data,
		    nx->header->length) != 0)) {
			NETSCAPE_X509_free(nx);

}

static IMPLEMENT_LHASH_HASH_FN(index_serial, OPENSSL_CSTRING)
static IMPLEMENT_LHASH_COMP_FN(index_serial, OPENSSL_CSTRING)
static IMPLEMENT_LHASH_HASH_FN(index_name, OPENSSL_CSTRING)
static IMPLEMENT_LHASH_COMP_FN(index_name, OPENSSL_CSTRING)



BIGNUM *
load_serial(char *serialfile, int create, ASN1_INTEGER **retai)
{
	BIO *in = NULL;
	BIGNUM *ret = NULL;
	char buf[1024];
	ASN1_INTEGER *ai = NULL;

			goto err;
		} else {
			ret = BN_new();
			if (ret == NULL || !rand_serial(ret, ai))
				BIO_printf(bio_err, "Out of memory\n");
		}
	} else {
		if (!a2i_ASN1_INTEGER(in, ai, buf, sizeof buf)) {
			BIO_printf(bio_err, "unable to load number from %s\n",
			    serialfile);
			goto err;
		}
		ret = ASN1_INTEGER_to_BN(ai, NULL);
		if (ret == NULL) {
			BIO_printf(bio_err,

	return (ret);
}

int
save_serial(char *serialfile, char *suffix, BIGNUM *serial,
    ASN1_INTEGER **retai)
{
	char serialpath[PATH_MAX];
	BIO *out = NULL;
	int ret = 0, n;
	ASN1_INTEGER *ai = NULL;


	if (suffix == NULL)








		n = strlcpy(serialpath, serialfile, sizeof serialpath);
	else
		n = snprintf(serialpath, sizeof serialpath, "%s.%s",
		    serialfile, suffix);
	if (n == -1 || n >= sizeof(serialpath)) {
		BIO_printf(bio_err, "serial too long\n");
		goto err;
	}
	out = BIO_new(BIO_s_file());
	if (out == NULL) {
		ERR_print_errors(bio_err);
		goto err;
	}
	if (BIO_write_filename(out, serialpath) <= 0) {
		perror(serialfile);
		goto err;
	}
	if ((ai = BN_to_ASN1_INTEGER(serial, NULL)) == NULL) {
		BIO_printf(bio_err,
		    "error converting serial to ASN.1 format\n");
		goto err;

		ASN1_INTEGER_free(ai);
	return (ret);
}

int
rotate_serial(char *serialfile, char *new_suffix, char *old_suffix)
{
	char opath[PATH_MAX], npath[PATH_MAX];


	if (snprintf(npath, sizeof npath, "%s.%s", serialfile,
	    new_suffix) >= sizeof npath) {
		BIO_printf(bio_err, "file name too long\n");
		goto err;
	}

	if (snprintf(opath, sizeof opath, "%s.%s", serialfile,
	    old_suffix) >= sizeof opath) {
		BIO_printf(bio_err, "file name too long\n");
		goto err;
	}




	if (rename(serialfile, opath) < 0 &&
	    errno != ENOENT && errno != ENOTDIR) {
		BIO_printf(bio_err, "unable to rename %s to %s\n",
		    serialfile, opath);
		perror("reason");
		goto err;
	}


	if (rename(npath, serialfile) < 0) {
		BIO_printf(bio_err, "unable to rename %s to %s\n",
		    npath, serialfile);
		perror("reason");
		if (rename(opath, serialfile) < 0) {
			BIO_printf(bio_err, "unable to rename %s to %s\n",
			    opath, serialfile);
			perror("reason");
		}
		goto err;
	}
	return 1;

err:

CA_DB *
load_index(char *dbfile, DB_ATTR *db_attr)
{
	CA_DB *retdb = NULL;
	TXT_DB *tmpdb = NULL;
	BIO *in = BIO_new(BIO_s_file());
	CONF *dbattr_conf = NULL;
	char attrpath[PATH_MAX];
	long errorline = -1;

	if (in == NULL) {
		ERR_print_errors(bio_err);
		goto err;
	}
	if (BIO_read_filename(in, dbfile) <= 0) {
		perror(dbfile);
		BIO_printf(bio_err, "unable to open '%s'\n", dbfile);
		goto err;
	}
	if ((tmpdb = TXT_DB_read(in, DB_NUMBER)) == NULL)
		goto err;

	if (snprintf(attrpath, sizeof attrpath, "%s.attr", dbfile)
	    >= sizeof attrpath) {
		BIO_printf(bio_err, "attr filename too long\n");
		goto err;
	}

	dbattr_conf = NCONF_new(NULL);
	if (NCONF_load(dbattr_conf, attrpath, &errorline) <= 0) {
		if (errorline > 0) {
			BIO_printf(bio_err,
			    "error on line %ld of db attribute file '%s'\n",
			    errorline, attrpath);
			goto err;
		} else {
			NCONF_free(dbattr_conf);
			dbattr_conf = NULL;
		}
	}
	if ((retdb = malloc(sizeof(CA_DB))) == NULL) {

		    db->db->error, db->db->arg1, db->db->arg2);
		return 0;
	}
	return 1;
}

int
save_index(const char *file, const char *suffix, CA_DB *db)
{
	char attrpath[PATH_MAX], dbfile[PATH_MAX];
	BIO *out = BIO_new(BIO_s_file());
	int j;

	if (out == NULL) {
		ERR_print_errors(bio_err);
		goto err;
	}
	if (snprintf(attrpath, sizeof attrpath, "%s.attr.%s",
	    file, suffix) >= sizeof attrpath) {
		BIO_printf(bio_err, "file name too long\n");
		goto err;
	}
	if (snprintf(dbfile, sizeof dbfile, "%s.%s",
	    file, suffix) >= sizeof dbfile) {
		BIO_printf(bio_err, "file name too long\n");
		goto err;
	}





	if (BIO_write_filename(out, dbfile) <= 0) {
		perror(dbfile);
		BIO_printf(bio_err, "unable to open '%s'\n", dbfile);
		goto err;
	}
	j = TXT_DB_write(out, db->db);
	if (j <= 0)
		goto err;

	BIO_free(out);

	out = BIO_new(BIO_s_file());


	if (BIO_write_filename(out, attrpath) <= 0) {
		perror(attrpath);
		BIO_printf(bio_err, "unable to open '%s'\n", attrpath);
		goto err;
	}
	BIO_printf(out, "unique_subject = %s\n",
	    db->attributes.unique_subject ? "yes" : "no");
	BIO_free(out);

	return 1;

err:
	return 0;
}

int
rotate_index(const char *dbfile, const char *new_suffix, const char *old_suffix)
{
	char attrpath[PATH_MAX], nattrpath[PATH_MAX], oattrpath[PATH_MAX];
	char dbpath[PATH_MAX], odbpath[PATH_MAX];



	if (snprintf(attrpath, sizeof attrpath, "%s.attr",

	    dbfile) >= sizeof attrpath) {
		BIO_printf(bio_err, "file name too long\n");
		goto err;
	}

	if (snprintf(nattrpath, sizeof nattrpath, "%s.attr.%s",
	    dbfile, new_suffix) >= sizeof nattrpath) {
		BIO_printf(bio_err, "file name too long\n");

		goto err;
	}
	if (snprintf(oattrpath, sizeof oattrpath, "%s.attr.%s",
	    dbfile, old_suffix) >= sizeof oattrpath) {
		BIO_printf(bio_err, "file name too long\n");
		goto err;
	}
	if (snprintf(dbpath, sizeof dbpath, "%s.%s",
	    dbfile, new_suffix) >= sizeof dbpath) {
		BIO_printf(bio_err, "file name too long\n");


		goto err;
	}
	if (snprintf(odbpath, sizeof odbpath, "%s.%s",
	    dbfile, old_suffix) >= sizeof odbpath) {
		BIO_printf(bio_err, "file name too long\n");
		goto err;
	}

	if (rename(dbfile, odbpath) < 0 && errno != ENOENT && errno != ENOTDIR) {
		BIO_printf(bio_err, "unable to rename %s to %s\n",
		    dbfile, odbpath);
		perror("reason");
		goto err;
	}

	if (rename(dbpath, dbfile) < 0) {
		BIO_printf(bio_err, "unable to rename %s to %s\n",
		    dbpath, dbfile);
		perror("reason");
		if (rename(odbpath, dbfile) < 0) {
			BIO_printf(bio_err, "unable to rename %s to %s\n",
			    odbpath, dbfile);
			perror("reason");
		}
		goto err;
	}


	if (rename(attrpath, oattrpath) < 0 && errno != ENOENT && errno != ENOTDIR) {
		BIO_printf(bio_err, "unable to rename %s to %s\n",
		    attrpath, oattrpath);
		perror("reason");
		if (rename(dbfile, dbpath) < 0) {
			BIO_printf(bio_err, "unable to rename %s to %s\n",
			    dbfile, dbpath);
			perror("reason");
		}
		if (rename(odbpath, dbfile) < 0) {
			BIO_printf(bio_err, "unable to rename %s to %s\n",
			    odbpath, dbfile);
			perror("reason");
		}
		goto err;
	}

	if (rename(nattrpath, attrpath) < 0) {

		BIO_printf(bio_err, "unable to rename %s to %s\n",
		    nattrpath, attrpath);
		perror("reason");
		if (rename(oattrpath, attrpath) < 0) {
			BIO_printf(bio_err, "unable to rename %s to %s\n",
			    oattrpath, attrpath);
			perror("reason");
		}
		if (rename(dbfile, dbpath) < 0) {
			BIO_printf(bio_err, "unable to rename %s to %s\n",
			    dbfile, dbpath);
			perror("reason");
		}
		if (rename(odbpath, dbfile) < 0) {
			BIO_printf(bio_err, "unable to rename %s to %s\n",
			    odbpath, dbfile);
			perror("reason");
		}
		goto err;
	}
	return 1;

err:

		if (opt->name == NULL && opt->type == 0)
			goto unknown;

		if (opt->type == OPTION_ARG ||
		    opt->type == OPTION_ARG_FORMAT ||
		    opt->type == OPTION_ARG_FUNC ||
		    opt->type == OPTION_ARG_INT ||
		    opt->type == OPTION_ARG_LONG ||
		    opt->type == OPTION_ARG_TIME) {
			if (++i >= argc) {
				fprintf(stderr, "missing %s argument for -%s\n",
				    opt->argname, opt->name);
				return (1);
			}
		}

			if (errstr != NULL) {
				fprintf(stderr, "%s %s argument for -%s\n",
				    errstr, opt->argname, opt->name);
				return (1);
			}
			*opt->opt.lvalue = (long)val;
			break;

		case OPTION_ARG_TIME:
			val = strtonum(argv[i], 0, LLONG_MAX, &errstr);
			if (errstr != NULL) {
				fprintf(stderr, "%s %s argument for -%s\n",
				    errstr, opt->argname, opt->name);
				return (1);
			}
			*opt->opt.tvalue = val;
			break;

		case OPTION_DISCARD:
			break;

		case OPTION_FUNC:
			if (opt->opt.func() != 0)
				return (1);

/* $OpenBSD: apps.h,v 1.19 2016/08/30 14:34:59 deraadt Exp $ */
/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
 * This package is an SSL implementation written
 * by Eric Young (eay@cryptsoft.com).
 * The implementation was written so as to conform with Netscapes SSL.
 *

	enum {
		OPTION_ARG,
		OPTION_ARGV_FUNC,
		OPTION_ARG_FORMAT,
		OPTION_ARG_FUNC,
		OPTION_ARG_INT,
		OPTION_ARG_LONG,
		OPTION_ARG_TIME,
		OPTION_DISCARD,
		OPTION_FUNC,
		OPTION_FLAG,
		OPTION_FLAG_ORD,
		OPTION_VALUE,
		OPTION_VALUE_AND,
		OPTION_VALUE_OR,
	} type;
	union {
		char **arg;
		int (*argfunc)(char *arg);
		int (*argvfunc)(int argc, char **argv, int *argsused);
		int *flag;
		int (*func)(void);
		long *lvalue;
		int *value;
		time_t *tvalue;
	} opt;
	const int value;
};

void options_usage(struct option *opts);
int options_parse(int argc, char **argv, struct option *opts, char **unnamed,
    int *argsused);

#endif