23 files changed, 223 insertions, 347 deletions
diff --git a/ChangeLog b/ChangeLog
index 8a70b14..24de35e 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -28,6 +28,192 @@ history is also available from Git.
 LibreSSL Portable Release Notes:
+3.2.2 - Stable release
+        * Define OPENSSL_NO_SSL_TRACE in opensslfeatures.h.
+        * Start replacing the existing TLSv1.2 record layer.
+        * Send alert on ssl_get_prev_session() failure.
+        * Simplify return codes for tls1_process_ticket() and
+          tls_decrypt_ticket().
+        * Simplify tls_decrypt_ticket() exit path.
+        * Copy the session id directly in ssl_get_prev_session() instead of
+          handing it through several functions for copying.
+        * Split session retrieval out of ssl_get_prev_session().
+        * Zero out variable on the stack to avoid leaving garbage in the tail
+          of short session ids.
+        * Remove unnecessary zeroing after recallocarray() in
+          ASN1_BIT_STRING_set_bit().
+        * Rewrite X509_INFO_{new,free}() more idiomatically.
+        * Import commented versions of the latest OPENSSL_NO_* flags from
+          OpenSSL 1.1.1g.
+        * Document return value from EC_KEY_get0_public_key(3).
+        * Set alpn_selected_len = 0 whenever alpn_selected is NULL.
+        * Add option type OPTION_UL_VALUE_OR to openssl(1) option parser.
+        * Convert openssl(1) ocsp option handling.
+        * Major style cleanup in ocsp.c.
+        * Assorted ciphers related cleanup in ssl_lib.c.
+        * Add issuer cache in preparation for changes to the validation code.
+        * Replace some SSL_AD_* with TLS13_ALERT_* defines in the new TLSv1.3
+          code.
+        * Rename ssl_cipher_is_permitted() to the more accurate and specific
+          ssl_cipher_allowed_in_version_range().
+        * Simplify SSL_get_ciphers().
+        * Remove cipher_list_by_id.
+        * Add a new implementation of X509 name constraints with regression
+          tests.
+        * Fix and re-enable cert and cipher interop tests.
+        * Include machine/endian.h gost2814789.c in order to pick up the
+          __STRICT_ALIGNMENT define.
+        * Enable the new X509 name constraints verification.
+        * Avoid an out-of-bounds write in BN_rand().
+        * Simplify tls1_set_ec_id().
+        * Use uint16_t for curve_id.
+        * Improve the handling of BIO_read()/BIO_write() failures in the
+          TLSv1.3 stack.
+        * Add a new certificate chain validator.
+          The new validator finds multiple validated chains to handle the
+          modern PKI cases which may frequently have multiple paths via
+          different intermediates to different roots. It is loosely based on
+          golang's X509 validator.
+          This includes integration so that the new validator can be used via
+          X509_verify_cert() as well as a new API x509_verify() which will
+          return multiple chains (similar to go).
+          The new public API is not yet exposed, and will be finalized and
+          exposed with a man page and a library minor bump later.
+        * Implement SSL_{CTX_,}set_ciphersuites() and add regress. This is not
+          yet public API and will be enabled in a future release.
+        * Enable the use of the new X509 chain validator by default.
+        * Fix double frees and a NULL dereference introduced on review of the
+          new validator.
+        * Remove various unused variables in the X509 code.
+        * Fix memory leaks in x509_constraints_chain() and
+          X509V3_ext_add_alias().
+        * Add initial manual page for the x509_verify() chain validator which
+          will be installed once the new API is publically exposed.
+        * Avoid NULL deref in SSL_{,CTX_}set_ciphersuites().
+        * Clean up and simplify SSL_set_session().
+        * Move state initialization from SSL_clear() to ssl3_clear() to ensure
+          that it gets correctly reinitialized across a SSL_set_ssl_method()
+          call.
+        * Test the Botan TLS client with LibreSSL, OpenSSL 1.0.2 and 1.1.1
+          servers.
+        * Mop up the get_ssl_method function pointer.
+        * Clean up and simplify SSL_set_ssl_method().
+        * Deduplicate the time validation code between the legacy and the new
+          verification code.
+        * Set error_depth and current_cert to avoid problems in legacy
+          callbacks that don't do proper error checking.
+        * Correct a failure case in tls12_record_layer_seal_record_protected().
+        * Do not destroy an existing cipher list when ssl_parse_ciphersuites()
+          fails to match the behavior of ssl_create_cipher_list() and
+          SSL_set_ciphersuites() of OpenSSL.
+        * Split the tls12_record_layer_write_mac() for future reuse on the
+          read side.
+        * Dedup code in x509_verify_ctx_new_from_xsc().
+        * Make check in x509_verify_ctx_set_max_signatures() consistent with
+          others.
+        * Avoid memset() before memcpy() for CBS_add_bytes().
+        * Make SSL_CTX_get_ciphers(NULL) return NULL rather than crash.
+        * Simplify SSL method lookups.
+        * Prepare to provide most of the TLSv1.3-related OpenSSL 1.1.1 API.
+          This will be finished in an upcoming release.
+        * Fix an overflow in the CN subject line parsing.
+        * Correctly handle ssl_cert_dup() failure in SSL_set_SSL_CTX().
+        * Fix memory leaks in x509_constraints_extract_names().
+        * Correct a 1 byte read overflow in x509_constraints_uri().
+        * Ensure the chain is set on the X509_STORE_CTX before triggering
+          callback.
+        * Release read and write buffers using freezero()
+        * Simplify the cleanup of init_buf via an ssl3_release_init_buffer()
+          function.
+        * Fix numerous leaks in the UI_dup_* functions.
+        * Simplify and tidy up hte code in ui_lib.c.
+        * Refactor dtls1_clear_queues() to make it NULL safe.
+        * Have dtls1_hm_fragment_new() call dtls1_hm_fragment_free() on
+          failure.
+        * Have dtls1_new() call dtls1_free() on failure.
+        * Call dtls1_hm_fragment_free() from dtls1_drain_fragments() to fix
+          potential memory leaks.
+        * Ensure that leaf is set up on X509_STORE_CTX before verification.
+        * Document SSL_set1_host(3).
+        * Document SSL_set_SSL_CTX(3).
+        * Make pthread_mutex static initialisation work on Windows.
+        * Get __STRICT_ALIGNMENT from machine/endian.h with portable build.
 3.2.1 - Development release
        * Propagate alerts from the read half of the TLSv1.3 record layer to I/O
diff --git a/apps/nc/Makefile.am b/apps/nc/Makefile.am
index 4b5b561..d678f1e 100644
--- a/apps/nc/Makefile.am
+++ b/apps/nc/Makefile.am
@@ -12,9 +12,9 @@ endif
 EXTRA_DIST = nc.1
 EXTRA_DIST += CMakeLists.txt
-nc_LDADD = $(abs_top_builddir)/crypto/libcrypto.la
+nc_LDFLAGS = $(abs_top_builddir)/crypto/.libs/libcrypto.a
-nc_LDADD += $(abs_top_builddir)/ssl/libssl.la
-nc_LDADD += $(abs_top_builddir)/tls/libtls.la
+nc_LDADD = $(abs_top_builddir)/tls/libtls.la
 nc_LDADD += $(PLATFORM_LDADD) $(PROG_LDADD)
 AM_CPPFLAGS += -I$(top_srcdir)/apps/nc/compat
diff --git a/configure.ac b/configure.ac
index 75b88fe..3aca617 100644
--- a/configure.ac
+++ b/configure.ac
@@ -29,8 +29,7 @@ USER_CFLAGS="$CFLAGS"
 AC_PROG_CC([cc gcc])
 AC_PROG_CC_STDC
 AM_PROG_CC_C_O
-AC_PROG_LIBTOOL
+LT_INIT([pic-only])
-LT_INIT
 CHECK_OS_OPTIONS
diff --git a/crypto/Makefile.am b/crypto/Makefile.am
index 7fcfc02..97a84e1 100644
--- a/crypto/Makefile.am
+++ b/crypto/Makefile.am
@@ -20,6 +20,7 @@ EXTRA_DIST += compat/strcasecmp.c
 BUILT_SOURCES = crypto_portable.sym
 CLEANFILES = crypto_portable.sym
+CLEANFILES += libcrypto_la_objects.mk
 crypto_portable.sym: crypto.sym  Makefile
        -echo "generating crypto_portable.sym ..."
@@ -93,8 +94,20 @@ if HOST_WIN
        -mv crypto_portable.sym.tmp crypto_portable.sym
 endif
+libcrypto_la_objects.mk: Makefile
+        @echo "libcrypto_la_objects= $(libcrypto_la_OBJECTS)" \
+          | sed 's/  */ $$\(abs_top_builddir\)\/crypto\//g' \
+          > libcrypto_la_objects.mk
+        @echo "libcompat_la_objects= $(libcompat_la_OBJECTS)" \
+          | sed 's/  */ $$\(abs_top_builddir\)\/crypto\//g' \
+          >> libcrypto_la_objects.mk
+        @echo "libcompatnoopt_la_objects= $(libcompatnoopt_la_OBJECTS)" \
+          | sed 's/  */ $$\(abs_top_builddir\)\/crypto\//g' \
+          >> libcrypto_la_objects.mk
 libcrypto_la_LDFLAGS = -version-info @LIBCRYPTO_VERSION@ -no-undefined -export-symbols crypto_portable.sym
 EXTRA_libcrypto_la_DEPENDENCIES = crypto_portable.sym
+EXTRA_libcrypto_la_DEPENDENCIES += libcrypto_la_objects.mk
 libcrypto_la_LIBADD = libcompat.la
 if !HAVE_EXPLICIT_BZERO
 libcrypto_la_LIBADD += libcompatnoopt.la
diff --git a/libtls-standalone/AUTHORS b/libtls-standalone/AUTHORS
deleted file mode 100644
index e69de29..0000000
--- a/libtls-standalone/AUTHORS
+++ /dev/null
diff --git a/libtls-standalone/COPYING b/libtls-standalone/COPYING
deleted file mode 100644
index c203efe..0000000
--- a/libtls-standalone/COPYING
+++ /dev/null
@@ -1,13 +0,0 @@
-libtls is ISC licensed as per OpenBSD's normal licensing policy.
-Permission to use, copy, modify, and distribute this software for any
-purpose with or without fee is hereby granted, provided that the above
-copyright notice and this permission notice appear in all copies.
-THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
-WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
-MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
-ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
-WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
-ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
-OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
diff --git a/libtls-standalone/ChangeLog b/libtls-standalone/ChangeLog
deleted file mode 100644
index e69de29..0000000
--- a/libtls-standalone/ChangeLog
+++ /dev/null
diff --git a/libtls-standalone/Makefile.am b/libtls-standalone/Makefile.am
deleted file mode 100644
index 2581717..0000000
--- a/libtls-standalone/Makefile.am
+++ /dev/null
@@ -1,7 +0,0 @@
-SUBDIRS = include compat src tests man
-ACLOCAL_AMFLAGS = -I m4
-pkgconfigdir = $(libdir)/pkgconfig
-pkgconfig_DATA = libtls.pc
-EXTRA_DIST = README VERSION
diff --git a/libtls-standalone/NEWS b/libtls-standalone/NEWS
deleted file mode 100644
index e69de29..0000000
--- a/libtls-standalone/NEWS
+++ /dev/null
diff --git a/libtls-standalone/README b/libtls-standalone/README
deleted file mode 100644
index e69de29..0000000
--- a/libtls-standalone/README
+++ /dev/null
diff --git a/libtls-standalone/compat/Makefile.am b/libtls-standalone/compat/Makefile.am
deleted file mode 100644
index e1ec939..0000000
--- a/libtls-standalone/compat/Makefile.am
+++ /dev/null
@@ -1,45 +0,0 @@
-#
-# Copyright (c) 2014-2015 Brent Cook
-#
-# Permission to use, copy, modify, and distribute this software for any
-# purpose with or without fee is hereby granted, provided that the above
-# copyright notice and this permission notice appear in all copies.
-#
-# THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
-# WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
-# MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
-# ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
-# WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
-# ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
-# OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
-AM_CPPFLAGS = -I$(top_srcdir)/include -I$(top_srcdir)/src
-noinst_LTLIBRARIES = libcompat.la libcompatnoopt.la
-# compatibility functions that need to be built without optimizations
-libcompatnoopt_la_CFLAGS = -O0
-libcompatnoopt_la_SOURCES =
-if !HAVE_EXPLICIT_BZERO
-libcompatnoopt_la_SOURCES += explicit_bzero.c
-endif
-# other compatibility functions
-libcompat_la_CFLAGS = $(CFLAGS) $(USER_CFLAGS)
-libcompat_la_SOURCES =
-libcompat_la_LIBADD = $(PLATFORM_LDADD)
-if !HAVE_ASPRINTF
-libcompat_la_SOURCES += bsd-asprintf.c
-endif
-if !HAVE_STRLCPY
-libcompat_la_SOURCES += strlcpy.c
-endif
-if !HAVE_STRSEP
-libcompat_la_SOURCES += strsep.c
-endif
-include Makefile.am.arc4random
diff --git a/libtls-standalone/configure.ac b/libtls-standalone/configure.ac
deleted file mode 100644
index ebdd850..0000000
--- a/libtls-standalone/configure.ac
+++ /dev/null
@@ -1,52 +0,0 @@
-# Copyright (c) 2014-2015 Brent Cook
-#
-# Permission to use, copy, modify, and distribute this software for any
-# purpose with or without fee is hereby granted, provided that the above
-# copyright notice and this permission notice appear in all copies.
-#
-# THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
-# WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
-# MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
-# ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
-# WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
-# ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
-# OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
-AC_INIT([libtls], m4_esyscmd([tr -d '\n' < VERSION]))
-AC_SUBST([LIBTLS_VERSION], m4_esyscmd([sed -e 's/\./:/g' VERSION | tr -d '\n']))
-AC_CANONICAL_HOST
-AM_INIT_AUTOMAKE([subdir-objects])
-AC_CONFIG_MACRO_DIR([m4])
-m4_ifdef([AM_SILENT_RULES], [AM_SILENT_RULES([yes])])
-# This must be called before AC_PROG_CC
-USER_CFLAGS="$CFLAGS"
-AC_PROG_CC
-AC_PROG_CC_STDC
-AM_PROG_CC_C_O
-AC_PROG_LIBTOOL
-LT_INIT
-CHECK_OS_OPTIONS
-CHECK_C_HARDENING_OPTIONS
-DISABLE_COMPILER_WARNINGS
-CHECK_LIBC_COMPAT
-CHECK_LIBC_CRYPTO_COMPAT
-AC_CONFIG_FILES([
-        Makefile
-        include/Makefile
-        compat/Makefile
-        man/Makefile
-        src/Makefile
-        tests/Makefile
-        libtls.pc
-])
-AC_OUTPUT
diff --git a/libtls-standalone/include/Makefile.am b/libtls-standalone/include/Makefile.am
deleted file mode 100644
index 0783318..0000000
--- a/libtls-standalone/include/Makefile.am
+++ /dev/null
@@ -1,5 +0,0 @@
-noinst_HEADERS = stdlib.h
-noinst_HEADERS += string.h
-noinst_HEADERS += unistd.h
-include_HEADERS = tls.h
diff --git a/libtls-standalone/include/string.h b/libtls-standalone/include/string.h
deleted file mode 100644
index 4bf7519..0000000
--- a/libtls-standalone/include/string.h
+++ /dev/null
@@ -1,87 +0,0 @@
-/*
- * Public domain
- * string.h compatibility shim
- */
-#ifndef LIBCRYPTOCOMPAT_STRING_H
-#define LIBCRYPTOCOMPAT_STRING_H
-#ifdef _MSC_VER
-#if _MSC_VER >= 1900
-#include <../ucrt/string.h>
-#else
-#include <../include/string.h>
-#endif
-#else
-#include_next <string.h>
-#endif
-#include <sys/types.h>
-#if defined(__sun) || defined(_AIX) || defined(__hpux)
-/* Some functions historically defined in string.h were placed in strings.h by
- * SUS. Use the same hack as OS X and FreeBSD use to work around on AIX,
- * Solaris, and HPUX.
- */
-#include <strings.h>
-#endif
-#ifndef HAVE_STRCASECMP
-int strcasecmp(const char *s1, const char *s2);
-int strncasecmp(const char *s1, const char *s2, size_t len);
-#endif
-#ifndef HAVE_STRLCPY
-size_t strlcpy(char *dst, const char *src, size_t siz);
-#endif
-#ifndef HAVE_STRLCAT
-size_t strlcat(char *dst, const char *src, size_t siz);
-#endif
-#ifndef HAVE_STRNDUP
-char * strndup(const char *str, size_t maxlen);
-/* the only user of strnlen is strndup, so only build it if needed */
-#ifndef HAVE_STRNLEN
-size_t strnlen(const char *str, size_t maxlen);
-#endif
-#endif
-#ifndef HAVE_STRSEP
-char *strsep(char **stringp, const char *delim);
-#endif
-#ifndef HAVE_EXPLICIT_BZERO
-void explicit_bzero(void *, size_t);
-#endif
-#ifndef HAVE_TIMINGSAFE_BCMP
-int timingsafe_bcmp(const void *b1, const void *b2, size_t n);
-#endif
-#ifndef HAVE_TIMINGSAFE_MEMCMP
-int timingsafe_memcmp(const void *b1, const void *b2, size_t len);
-#endif
-#ifndef HAVE_MEMMEM
-void * memmem(const void *big, size_t big_len, const void *little,
-        size_t little_len);
-#endif
-#ifdef _WIN32
-#include <errno.h>
-static inline char  *
-posix_strerror(int errnum)
-{
-        if (errnum == ECONNREFUSED) {
-                return "Connection refused";
-        }
-        return strerror(errnum);
-}
-#define strerror(errnum) posix_strerror(errnum)
-#endif
-#endif
diff --git a/libtls-standalone/libtls.pc.in b/libtls-standalone/libtls.pc.in
deleted file mode 100644
index 64d7457..0000000
--- a/libtls-standalone/libtls.pc.in
+++ /dev/null
@@ -1,16 +0,0 @@
-#libtls pkg-config source file
-prefix=@prefix@
-exec_prefix=@exec_prefix@
-libdir=@libdir@
-includedir=@includedir@
-Name: LibreSSL-libtls
-Description: Secure communications using the TLS socket protocol.
-Version: @LIBTLS_VERSION@
-Requires:
-Requires.private: libcrypto libssl
-Conflicts:
-Libs: -L${libdir} -ltls
-Libs.private: @LIBS@ -lcrypto -lssl
-Cflags: -I${includedir}
diff --git a/libtls-standalone/src/Makefile.am b/libtls-standalone/src/Makefile.am
deleted file mode 100644
index 5f8f55f..0000000
--- a/libtls-standalone/src/Makefile.am
+++ /dev/null
@@ -1,17 +0,0 @@
-AM_CFLAGS = -I$(top_srcdir)/include
-lib_LTLIBRARIES = libtls.la
-libtls_la_LDFLAGS = -version-info @LIBTLS_VERSION@ -no-undefined
-libtls_la_LIBADD = -lcrypto -lssl -lcrypto $(PLATFORM_LDADD)
-libtls_la_LIBADD += $(top_builddir)/compat/libcompat.la
-libtls_la_LIBADD += $(top_builddir)/compat/libcompatnoopt.la
-libtls_la_SOURCES = tls.c
-libtls_la_SOURCES += tls_bio_cb.c
-libtls_la_SOURCES += tls_client.c
-libtls_la_SOURCES += tls_config.c
-libtls_la_SOURCES += tls_server.c
-libtls_la_SOURCES += tls_util.c
-libtls_la_SOURCES += tls_verify.c
-noinst_HEADERS = tls_internal.h
diff --git a/libtls-standalone/tests/Makefile.am b/libtls-standalone/tests/Makefile.am
deleted file mode 100644
index 1a08aef..0000000
--- a/libtls-standalone/tests/Makefile.am
+++ /dev/null
@@ -1,7 +0,0 @@
-AM_CFLAGS = -I$(top_srcdir)/include
-check_PROGRAMS = test
-TESTS = test
-test_SOURCES = test.c
-test_LDADD = -lcrypto -lssl $(top_builddir)/src/libtls.la
diff --git a/libtls-standalone/tests/test.c b/libtls-standalone/tests/test.c
deleted file mode 100644
index 4069332..0000000
--- a/libtls-standalone/tests/test.c
+++ /dev/null
@@ -1,51 +0,0 @@
-#include <stdio.h>
-#include <tls.h>
-int main()
-{
-        struct tls *tls;
-        struct tls_config *tls_config;
-        ssize_t written, read;
-        char buf[4096];
-        if (tls_init() != 0) {
-                fprintf(stderr, "tls_init failed");
-                return 1;
-        }
-        if ((tls = tls_client()) == NULL)
-                goto err;
-        if ((tls_config = tls_config_new()) == NULL)
-                goto err;
-        if (tls_config_set_ciphers(tls_config, "compat") != 0)
-                goto err;
-        tls_config_insecure_noverifycert(tls_config);
-        tls_config_insecure_noverifyname(tls_config);
-        if (tls_configure(tls, tls_config) != 0)
-                goto err;
-        if (tls_connect(tls, "google.com", "443") != 0)
-                goto err;
-        if ((written = tls_write(tls, "GET /\r\n", 7)) < 0)
-                goto err;
-        if ((read = tls_read(tls, buf, sizeof(buf))) < 0)
-                goto err;
-        buf[read - 1] = '\0';
-        puts(buf);
-        if (tls_close(tls) != 0)
-                goto err;
-        return 0;
-err:
-        fprintf(stderr, "%s\n", tls_error(tls));
-        return 1;
-}
diff --git a/libtls.pc.in b/libtls.pc.in
index 82a6a71..0d4e625 100644
--- a/libtls.pc.in
+++ b/libtls.pc.in
@@ -9,8 +9,7 @@ Name: LibreSSL-libtls
 Description: Secure communications using the TLS socket protocol.
 Version: @VERSION@
 Requires:
-Requires.private: libcrypto libssl
 Conflicts:
 Libs: -L${libdir} -ltls
-Libs.private: @LIBS@ -lcrypto -lssl @PLATFORM_LDADD@
+Libs.private: @LIBS@ @PLATFORM_LDADD@
 Cflags: -I${includedir}
diff --git a/patches/tls.h.patch b/patches/tls.h.patch
index 3d72749..180101d 100644
--- a/patches/tls.h.patch
+++ b/patches/tls.h.patch
@@ -3,7 +3,7 @@
 @@ -22,6 +22,13 @@
 extern "C" {
 #endif
- 
 +#ifdef _MSC_VER
 +#ifndef LIBRESSL_INTERNAL
 +#include <basetsd.h>
@@ -12,21 +12,5 @@
 +#endif
 +
 #include <sys/types.h>
- 
- #include <stddef.h>
--- libtls-standalone/include/tls.h.orig        2017-02-13 20:21:48.297958529 +0900
-+++ libtls-standalone/include/tls.h     2017-02-13 20:21:48.296958502 +0900
-@@ -22,6 +22,13 @@
- extern "C" {
- #endif
- 
-+#ifdef _MSC_VER
-+#ifndef LIBRESSL_INTERNAL
-+#include <basetsd.h>
-+typedef SSIZE_T ssize_t;
-+#endif
-+#endif
-+
- #include <sys/types.h>
- 
 #include <stddef.h>
diff --git a/ssl/Makefile.am b/ssl/Makefile.am
index dded59f..4c4e594 100644
--- a/ssl/Makefile.am
+++ b/ssl/Makefile.am
@@ -6,6 +6,15 @@ EXTRA_DIST = VERSION
 EXTRA_DIST += CMakeLists.txt
 EXTRA_DIST += ssl.sym
+CLEANFILES = libssl_la_objects.mk
+EXTRA_libssl_la_DEPENDENCIES = libssl_la_objects.mk
+libssl_la_objects.mk: Makefile
+        @echo "libssl_la_objects= $(libssl_la_OBJECTS)" \
+          | sed 's/  */ $$\(abs_top_builddir\)\/ssl\//g' \
+          > libssl_la_objects.mk
 libssl_la_LDFLAGS = -version-info @LIBSSL_VERSION@ -no-undefined -export-symbols $(top_srcdir)/ssl/ssl.sym
 libssl_la_LIBADD = $(abs_top_builddir)/crypto/libcrypto.la $(PLATFORM_LDADD)
diff --git a/tls/Makefile.am b/tls/Makefile.am
index 942abf9..4cea3a2 100644
--- a/tls/Makefile.am
+++ b/tls/Makefile.am
@@ -1,5 +1,8 @@
 include $(top_srcdir)/Makefile.am.common
+-include $(abs_top_builddir)/crypto/libcrypto_la_objects.mk
+-include $(abs_top_builddir)/ssl/libssl_la_objects.mk
 lib_LTLIBRARIES = libtls.la
 EXTRA_DIST = VERSION
@@ -7,8 +10,10 @@ EXTRA_DIST += CMakeLists.txt
 EXTRA_DIST += tls.sym
 libtls_la_LDFLAGS = -version-info @LIBTLS_VERSION@ -no-undefined -export-symbols $(top_srcdir)/tls/tls.sym
-libtls_la_LIBADD = $(abs_top_builddir)/ssl/libssl.la
+libtls_la_LIBADD = $(libcrypto_la_objects)
-libtls_la_LIBADD += $(abs_top_builddir)/crypto/libcrypto.la
+libtls_la_LIBADD += $(libcompat_la_objects)
+libtls_la_LIBADD += $(libcompatnoopt_la_objects)
+libtls_la_LIBADD += $(libssl_la_objects)
 libtls_la_LIBADD += $(PLATFORM_LDADD)
 libtls_la_CPPFLAGS = $(AM_CPPFLAGS)
diff --git a/update.sh b/update.sh
index 20d32f8..0ed7834 100755
--- a/update.sh
+++ b/update.sh
@@ -46,7 +46,6 @@ echo $libssl_version > ssl/VERSION
 libtls_version=$major:$minor:0
 echo "libtls version $libtls_version"
 echo $libtls_version > tls/VERSION
-echo $major.$minor.0 > libtls-standalone/VERSION
 do_mv() {
        if ! cmp -s "$1" "$2"
@@ -76,9 +75,8 @@ $CP $libcrypto_src/opensslfeatures.h include/openssl
 $CP $libssl_src/pqueue.h include
 $CP $libtls_src/tls.h include
-$CP $libtls_src/tls.h libtls-standalone/include
-for i in crypto/compat libtls-standalone/compat; do
+for i in crypto/compat; do
        for j in $libc_src/crypt/arc4random.c \
            $libc_src/crypt/arc4random_uniform.c \
            $libc_src/crypt/chacha_private.h \
@@ -99,15 +97,6 @@ for i in crypto/compat libtls-standalone/compat; do
        done
 done
-$CP include/compat/stdlib.h \
-        include/compat/string.h \
-        include/compat/unistd.h \
-        libtls-standalone/include
-$CP crypto/compat/arc4random*.h \
-        crypto/compat/bsd-asprintf.c \
-        libtls-standalone/compat
 (cd $libcrypto_src/objects/;
        perl objects.pl objects.txt obj_mac.num obj_mac.h;
        perl obj_dat.pl obj_mac.h obj_dat.h )
@@ -243,19 +232,11 @@ rm -f tls/*.c tls/*.h libtls/src/*.c libtls/src/*.h
 for i in `awk '/SOURCES|HEADERS/ { print $3 }' tls/Makefile.am` ; do
        if [ -e $libtls_src/$i ]; then
                $CP $libtls_src/$i tls
-                $CP $libtls_src/$i libtls-standalone/src
        fi
 done
 # add the libtls symbol export list
 $GREP '^[A-Za-z0-9_]' < $libtls_src/Symbols.list > tls/tls.sym
-mkdir -p libtls-standalone/m4
-$CP m4/check*.m4 \
-        m4/disable*.m4 \
-        libtls-standalone/m4
-sed -e "s/compat\///" crypto/Makefile.am.arc4random > \
-        libtls-standalone/compat/Makefile.am.arc4random
 # copy nc(1) source
 echo "copying nc(1) source"
 $CP $bin_src/nc/nc.1 apps/nc