| author | Enji Cooper <ngie@FreeBSD.org> | 2023-03-01 04:21:31 +0000 |
|---|---|---|
| committer | Enji Cooper <ngie@FreeBSD.org> | 2023-03-06 20:41:29 +0000 |
| commit | e4520c8bd1d300a7a338d0ed4af171a2d0e583ef (patch) | |
| tree | 26fed32699a59a50cfbc90a2eb4dac39b498d9ae /apps/include | |
| parent | 3c320f4e5ee3d575d48eee7edddbafa059bce3c9 (diff) | |
Diffstat (limited to 'apps/include')
| -rw-r--r-- | apps/include/__DECC_INCLUDE_EPILOGUE.H | 22 | ||||
| -rw-r--r-- | apps/include/__DECC_INCLUDE_PROLOGUE.H | 26 | ||||
| -rw-r--r-- | apps/include/app_libctx.h | 20 | ||||
| -rw-r--r-- | apps/include/app_params.h | 14 | ||||
| -rw-r--r-- | apps/include/apps.h | 348 | ||||
| -rw-r--r-- | apps/include/apps_ui.h | 29 | ||||
| -rw-r--r-- | apps/include/cmp_mock_srv.h | 35 | ||||
| -rw-r--r-- | apps/include/ec_common.h | 23 | ||||
| -rw-r--r-- | apps/include/engine_loader.h | 21 | ||||
| -rw-r--r-- | apps/include/fmt.h | 45 | ||||
| -rw-r--r-- | apps/include/function.h | 44 | ||||
| -rw-r--r-- | apps/include/http_server.h | 125 | ||||
| -rw-r--r-- | apps/include/names.h | 17 | ||||
| -rw-r--r-- | apps/include/opt.h | 400 | ||||
| -rw-r--r-- | apps/include/platform.h | 32 | ||||
| -rw-r--r-- | apps/include/s_apps.h | 108 | ||||
| -rw-r--r-- | apps/include/vms_term_sock.h | 31 |
17 files changed, 1340 insertions, 0 deletions
diff --git a/apps/include/__DECC_INCLUDE_EPILOGUE.H b/apps/include/__DECC_INCLUDE_EPILOGUE.H
new file mode 100644
index 000000000000..2ab493330675
--- /dev/null
+++ b/apps/include/__DECC_INCLUDE_EPILOGUE.H
@@ -0,0 +1,22 @@
+/*
+ * Copyright 2016-2021 The OpenSSL Project Authors. All Rights Reserved.
+ *
+ * Licensed under the Apache License 2.0 (the "License"). You may not use
+ * this file except in compliance with the License. You can obtain a copy
+ * in the file LICENSE in the source distribution or at
+ * https://www.openssl.org/source/license.html
+ */
+
+/*
+ * This file is only used by HP C/C++ on VMS, and is included automatically
+ * after each header file from this directory
+ */
+
+/*
+ * The C++ compiler doesn't understand these pragmas, even though it
+ * understands the corresponding command line qualifier.
+ */
+#ifndef __cplusplus
+/* restore state. Must correspond to the save in __decc_include_prologue.h */
+# pragma names restore
+#endif
diff --git a/apps/include/__DECC_INCLUDE_PROLOGUE.H b/apps/include/__DECC_INCLUDE_PROLOGUE.H
new file mode 100644
index 000000000000..8e95fa975488
--- /dev/null
+++ b/apps/include/__DECC_INCLUDE_PROLOGUE.H
@@ -0,0 +1,26 @@
+/*
+ * Copyright 2016-2021 The OpenSSL Project Authors. All Rights Reserved.
+ *
+ * Licensed under the Apache License 2.0 (the "License"). You may not use
+ * this file except in compliance with the License. You can obtain a copy
+ * in the file LICENSE in the source distribution or at
+ * https://www.openssl.org/source/license.html
+ */
+
+/*
+ * This file is only used by HP C/C++ on VMS, and is included automatically
+ * after each header file from this directory
+ */
+
+/*
+ * The C++ compiler doesn't understand these pragmas, even though it
+ * understands the corresponding command line qualifier.
+ */
+#ifndef __cplusplus
+/* save state */
+# pragma names save
+/* have the compiler shorten symbols larger than 31 chars to 23 chars
+ * followed by a 8 hex char CRC
+ */
+# pragma names as_is,shortened
+#endif
diff --git a/apps/include/app_libctx.h b/apps/include/app_libctx.h
new file mode 100644
index 000000000000..17c0afc713d2
--- /dev/null
+++ b/apps/include/app_libctx.h
@@ -0,0 +1,20 @@
+/*
+ * Copyright 2021 The OpenSSL Project Authors. All Rights Reserved.
+ *
+ * Licensed under the Apache License 2.0 (the "License"). You may not use
+ * this file except in compliance with the License. You can obtain a copy
+ * in the file LICENSE in the source distribution or at
+ * https://www.openssl.org/source/license.html
+ */
+
+#ifndef OSSL_APPS_LIBCTX_H
+# define OSSL_APPS_LIBCTX_H
+
+# include <openssl/types.h>
+
+OSSL_LIB_CTX *app_create_libctx(void);
+OSSL_LIB_CTX *app_get0_libctx(void);
+int app_set_propq(const char *arg);
+const char *app_get0_propq(void);
+
+#endif
diff --git a/apps/include/app_params.h b/apps/include/app_params.h
new file mode 100644
index 000000000000..79f8f58b3122
--- /dev/null
+++ b/apps/include/app_params.h
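Review bot: The header comment in __DECC_INCLUDE_PROLOGUE.H says the file "is included automatically after each header file from this directory", which is the epilogue's wording copied verbatim; this file performs `pragma names save`, and the epilogue's own comment ("Must correspond to the save in __decc_include_prologue.h") only makes sense if the prologue runs before the header. Suggest ` * before each header file from this directory`. If this commit is a straight vendor import, the wording fix belongs upstream rather than in this tree.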
@@ -0,0 +1,14 @@
+/*
+ * Copyright 2019-2020 The OpenSSL Project Authors. All Rights Reserved.
+ *
+ * Licensed under the Apache License 2.0 (the "License"). You may not use
+ * this file except in compliance with the License. You can obtain a copy
+ * in the file LICENSE in the source distribution or at
+ * https://www.openssl.org/source/license.html
+ */
+
+#include <openssl/core.h>
+
+int print_param_types(const char *thing, const OSSL_PARAM *pdefs, int indent);
+void print_param_value(const OSSL_PARAM *p, int indent);
+
diff --git a/apps/include/apps.h b/apps/include/apps.h
new file mode 100644
index 000000000000..baacd0025d68
--- /dev/null
+++ b/apps/include/apps.h
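Review bot: app_params.h has no include guard, unlike the sibling headers added in this commit (app_libctx.h, apps.h, apps_ui.h, fmt.h all wrap themselves in an OSSL_APPS_*_H guard); names.h later in the same commit has the same gap. A repeated inclusion only re-declares two prototypes, which C accepts, but the guard keeps the convention uniform and protects any type definition added to these files later. Suggest wrapping the body in `#ifndef OSSL_APPS_APP_PARAMS_H` / `# define OSSL_APPS_APP_PARAMS_H` / `#endif` (guard name constructed to match the siblings).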
@@ -0,0 +1,348 @@
+/*
+ * Copyright 1995-2022 The OpenSSL Project Authors. All Rights Reserved.
+ *
+ * Licensed under the Apache License 2.0 (the "License"). You may not use
+ * this file except in compliance with the License. You can obtain a copy
+ * in the file LICENSE in the source distribution or at
+ * https://www.openssl.org/source/license.html
+ */
+
+#ifndef OSSL_APPS_H
+# define OSSL_APPS_H
+
+# include "e_os.h" /* struct timeval for DTLS */
+# include "internal/nelem.h"
+# include "internal/sockets.h" /* for openssl_fdset() */
+# include "internal/cryptlib.h" /* ossl_assert() */
+# include <assert.h>
+
+# include <stdarg.h>
+# include <sys/types.h>
+# ifndef OPENSSL_NO_POSIX_IO
+# include <sys/stat.h>
+# include <fcntl.h>
+# endif
+
+# include <openssl/e_os2.h>
+# include <openssl/types.h>
+# include <openssl/bio.h>
+# include <openssl/x509.h>
+# include <openssl/conf.h>
+# include <openssl/txt_db.h>
+# include <openssl/engine.h>
+# include <openssl/ocsp.h>
+# include <openssl/http.h>
+# include <signal.h>
+# include "apps_ui.h"
+# include "opt.h"
+# include "fmt.h"
+# include "platform.h"
+# include "engine_loader.h"
+# include "app_libctx.h"
+
+/*
+ * quick macro when you need to pass an unsigned char instead of a char.
+ * this is true for some implementations of the is*() functions, for
+ * example.
+ */
+# define _UC(c) ((unsigned char)(c))
+
+void app_RAND_load_conf(CONF *c, const char *section);
+int app_RAND_write(void);
+int app_RAND_load(void);
+
+extern char *default_config_file; /* may be "" */
+extern BIO *bio_in;
+extern BIO *bio_out;
+extern BIO *bio_err;
+extern const unsigned char tls13_aes128gcmsha256_id[];
+extern const unsigned char tls13_aes256gcmsha384_id[];
+extern BIO_ADDR *ourpeer;
+
+BIO *dup_bio_in(int format);
+BIO *dup_bio_out(int format);
+BIO *dup_bio_err(int format);
+BIO *bio_open_owner(const char *filename, int format, int private);
+BIO *bio_open_default(const char *filename, char mode, int format);
+BIO *bio_open_default_quiet(const char *filename, char mode, int format);
+CONF *app_load_config_bio(BIO *in, const char *filename);
+#define app_load_config(filename) app_load_config_internal(filename, 0)
+#define app_load_config_quiet(filename) app_load_config_internal(filename, 1)
+CONF *app_load_config_internal(const char *filename, int quiet);
+CONF *app_load_config_verbose(const char *filename, int verbose);
+int app_load_modules(const CONF *config);
+CONF *app_load_config_modules(const char *configfile);
+void unbuffer(FILE *fp);
+void wait_for_async(SSL *s);
+# if defined(OPENSSL_SYS_MSDOS)
+int has_stdin_waiting(void);
+# endif
+
+void corrupt_signature(const ASN1_STRING *signature);
+int set_cert_times(X509 *x, const char *startdate, const char *enddate,
+ int days);
+int set_crl_lastupdate(X509_CRL *crl, const char *lastupdate);
+int set_crl_nextupdate(X509_CRL *crl, const char *nextupdate,
+ long days, long hours, long secs);
+
+typedef struct args_st {
+ int size;
+ int argc;
+ char **argv;
+} ARGS;
+
+/* We need both wrap and the "real" function because libcrypto uses both. */
+int wrap_password_callback(char *buf, int bufsiz, int verify, void *cb_data);
+
+int chopup_args(ARGS *arg, char *buf);
+void dump_cert_text(BIO *out, X509 *x);
+void print_name(BIO *out, const char *title, const X509_NAME *nm);
+void print_bignum_var(BIO *, const BIGNUM *, const char*,
+ int, unsigned char *);
+void print_array(BIO *, const char *, int, const unsigned char *);
+int set_nameopt(const char *arg);
+unsigned long get_nameopt(void);
+int set_dateopt(unsigned long *dateopt, const char *arg);
+int set_cert_ex(unsigned long *flags, const char *arg);
+int set_name_ex(unsigned long *flags, const char *arg);
+int set_ext_copy(int *copy_type, const char *arg);
+int copy_extensions(X509 *x, X509_REQ *req, int copy_type);
+char *get_passwd(const char *pass, const char *desc);
+int app_passwd(const char *arg1, const char *arg2, char **pass1, char **pass2);
+int add_oid_section(CONF *conf);
+X509_REQ *load_csr(const char *file, int format, const char *desc);
+X509 *load_cert_pass(const char *uri, int format, int maybe_stdin,
+ const char *pass, const char *desc);
+#define load_cert(uri, format, desc) load_cert_pass(uri, format, 1, NULL, desc)
+X509_CRL *load_crl(const char *uri, int format, int maybe_stdin,
+ const char *desc);
+void cleanse(char *str);
+void clear_free(char *str);
+EVP_PKEY *load_key(const char *uri, int format, int maybe_stdin,
+ const char *pass, ENGINE *e, const char *desc);
+EVP_PKEY *load_pubkey(const char *uri, int format, int maybe_stdin,
+ const char *pass, ENGINE *e, const char *desc);
+EVP_PKEY *load_keyparams(const char *uri, int format, int maybe_stdin,
+ const char *keytype, const char *desc);
+EVP_PKEY *load_keyparams_suppress(const char *uri, int format, int maybe_stdin,
+ const char *keytype, const char *desc,
+ int suppress_decode_errors);
+char *next_item(char *opt); /* in list separated by comma and/or space */
+int load_cert_certs(const char *uri,
+ X509 **pcert, STACK_OF(X509) **pcerts,
+ int exclude_http, const char *pass, const char *desc,
+ X509_VERIFY_PARAM *vpm);
+STACK_OF(X509) *load_certs_multifile(char *files, const char *pass,
+ const char *desc, X509_VERIFY_PARAM *vpm);
+X509_STORE *load_certstore(char *input, const char *pass, const char *desc,
+ X509_VERIFY_PARAM *vpm);
+int load_certs(const char *uri, int maybe_stdin, STACK_OF(X509) **certs,
+ const char *pass, const char *desc);
+int load_crls(const char *uri, STACK_OF(X509_CRL) **crls,
+ const char *pass, const char *desc);
+int load_key_certs_crls(const char *uri, int format, int maybe_stdin,
+ const char *pass, const char *desc,
+ EVP_PKEY **ppkey, EVP_PKEY **ppubkey,
+ EVP_PKEY **pparams,
+ X509 **pcert, STACK_OF(X509) **pcerts,
+ X509_CRL **pcrl, STACK_OF(X509_CRL) **pcrls);
+int load_key_cert_crl(const char *uri, int format, int maybe_stdin,
+ const char *pass, const char *desc,
+ EVP_PKEY **ppkey, EVP_PKEY **ppubkey,
+ X509 **pcert, X509_CRL **pcrl);
+X509_STORE *setup_verify(const char *CAfile, int noCAfile,
+ const char *CApath, int noCApath,
+ const char *CAstore, int noCAstore);
+__owur int ctx_set_verify_locations(SSL_CTX *ctx,
+ const char *CAfile, int noCAfile,
+ const char *CApath, int noCApath,
+ const char *CAstore, int noCAstore);
+
+# ifndef OPENSSL_NO_CT
+
+/*
+ * Sets the file to load the Certificate Transparency log list from.
+ * If path is NULL, loads from the default file path.
+ * Returns 1 on success, 0 otherwise.
+ */
+__owur int ctx_set_ctlog_list_file(SSL_CTX *ctx, const char *path);
+
+# endif
+
+ENGINE *setup_engine_methods(const char *id, unsigned int methods, int debug);
+# define setup_engine(e, debug) setup_engine_methods(e, (unsigned int)-1, debug)
+void release_engine(ENGINE *e);
+int init_engine(ENGINE *e);
+int finish_engine(ENGINE *e);
+char *make_engine_uri(ENGINE *e, const char *key_id, const char *desc);
+
+int get_legacy_pkey_id(OSSL_LIB_CTX *libctx, const char *algname, ENGINE *e);
+const EVP_MD *get_digest_from_engine(const char *name);
+const EVP_CIPHER *get_cipher_from_engine(const char *name);
+
+# ifndef OPENSSL_NO_OCSP
+OCSP_RESPONSE *process_responder(OCSP_REQUEST *req, const char *host,
+ const char *port, const char *path,
+ const char *proxy, const char *no_proxy,
+ int use_ssl, STACK_OF(CONF_VALUE) *headers,
+ int req_timeout);
+# endif
+
+/* Functions defined in ca.c and also used in ocsp.c */
+int unpack_revinfo(ASN1_TIME **prevtm, int *preason, ASN1_OBJECT **phold,
+ ASN1_GENERALIZEDTIME **pinvtm, const char *str);
+
+# define DB_type 0
+# define DB_exp_date 1
+# define DB_rev_date 2
+# define DB_serial 3 /* index - unique */
+# define DB_file 4
+# define DB_name 5 /* index - unique when active and not
+ * disabled */
+# define DB_NUMBER 6
+
+# define DB_TYPE_REV 'R' /* Revoked */
+# define DB_TYPE_EXP 'E' /* Expired */
+# define DB_TYPE_VAL 'V' /* Valid ; inserted with: ca ... -valid */
+# define DB_TYPE_SUSP 'S' /* Suspended */
+
+typedef struct db_attr_st {
+ int unique_subject;
+} DB_ATTR;
+typedef struct ca_db_st {
+ DB_ATTR attributes;
+ TXT_DB *db;
+ char *dbfname;
+# ifndef OPENSSL_NO_POSIX_IO
+ struct stat dbst;
+# endif
+} CA_DB;
+
+void app_bail_out(char *fmt, ...);
+void *app_malloc(size_t sz, const char *what);
+
+/* load_serial, save_serial, and rotate_serial are also used for CRL numbers */
+BIGNUM *load_serial(const char *serialfile, int *exists, int create,
+ ASN1_INTEGER **retai);
+int save_serial(const char *serialfile, const char *suffix,
+ const BIGNUM *serial, ASN1_INTEGER **retai);
+int rotate_serial(const char *serialfile, const char *new_suffix,
+ const char *old_suffix);
+int rand_serial(BIGNUM *b, ASN1_INTEGER *ai);
+
+CA_DB *load_index(const char *dbfile, DB_ATTR *dbattr);
+int index_index(CA_DB *db);
+int save_index(const char *dbfile, const char *suffix, CA_DB *db);
+int rotate_index(const char *dbfile, const char *new_suffix,
+ const char *old_suffix);
+void free_index(CA_DB *db);
+# define index_name_cmp_noconst(a, b) \
+ index_name_cmp((const OPENSSL_CSTRING *)CHECKED_PTR_OF(OPENSSL_STRING, a), \
+ (const OPENSSL_CSTRING *)CHECKED_PTR_OF(OPENSSL_STRING, b))
+int index_name_cmp(const OPENSSL_CSTRING *a, const OPENSSL_CSTRING *b);
+int parse_yesno(const char *str, int def);
+
+X509_NAME *parse_name(const char *str, int chtype, int multirdn,
+ const char *desc);
+void policies_print(X509_STORE_CTX *ctx);
+int bio_to_mem(unsigned char **out, int maxlen, BIO *in);
+int pkey_ctrl_string(EVP_PKEY_CTX *ctx, const char *value);
+int x509_ctrl_string(X509 *x, const char *value);
+int x509_req_ctrl_string(X509_REQ *x, const char *value);
+int init_gen_str(EVP_PKEY_CTX **pctx,
+ const char *algname, ENGINE *e, int do_param,
+ OSSL_LIB_CTX *libctx, const char *propq);
+int do_X509_sign(X509 *x, EVP_PKEY *pkey, const char *md,
+ STACK_OF(OPENSSL_STRING) *sigopts, X509V3_CTX *ext_ctx);
+int do_X509_verify(X509 *x, EVP_PKEY *pkey, STACK_OF(OPENSSL_STRING) *vfyopts);
+int do_X509_REQ_sign(X509_REQ *x, EVP_PKEY *pkey, const char *md,
+ STACK_OF(OPENSSL_STRING) *sigopts);
+int do_X509_REQ_verify(X509_REQ *x, EVP_PKEY *pkey,
+ STACK_OF(OPENSSL_STRING) *vfyopts);
+int do_X509_CRL_sign(X509_CRL *x, EVP_PKEY *pkey, const char *md,
+ STACK_OF(OPENSSL_STRING) *sigopts);
+
+extern char *psk_key;
+
+
+unsigned char *next_protos_parse(size_t *outlen, const char *in);
+
+void print_cert_checks(BIO *bio, X509 *x,
+ const char *checkhost,
+ const char *checkemail, const char *checkip);
+
+void store_setup_crl_download(X509_STORE *st);
+
+typedef struct app_http_tls_info_st {
+ const char *server;
+ const char *port;
+ int use_proxy;
+ long timeout;
+ SSL_CTX *ssl_ctx;
+} APP_HTTP_TLS_INFO;
+BIO *app_http_tls_cb(BIO *hbio, /* APP_HTTP_TLS_INFO */ void *arg,
+ int connect, int detail);
+void APP_HTTP_TLS_INFO_free(APP_HTTP_TLS_INFO *info);
+# ifndef OPENSSL_NO_SOCK
+ASN1_VALUE *app_http_get_asn1(const char *url, const char *proxy,
+ const char *no_proxy, SSL_CTX *ssl_ctx,
+ const STACK_OF(CONF_VALUE) *headers,
+ long timeout, const char *expected_content_type,
+ const ASN1_ITEM *it);
+ASN1_VALUE *app_http_post_asn1(const char *host, const char *port,
+ const char *path, const char *proxy,
+ const char *no_proxy, SSL_CTX *ctx,
+ const STACK_OF(CONF_VALUE) *headers,
+ const char *content_type,
+ ASN1_VALUE *req, const ASN1_ITEM *req_it,
+ const char *expected_content_type,
+ long timeout, const ASN1_ITEM *rsp_it);
+# endif
+
+# define EXT_COPY_NONE 0
+# define EXT_COPY_ADD 1
+# define EXT_COPY_ALL 2
+
+# define NETSCAPE_CERT_HDR "certificate"
+
+# define APP_PASS_LEN 1024
+
+/*
+ * IETF RFC 5280 says serial number must be <= 20 bytes. Use 159 bits
+ * so that the first bit will never be one, so that the DER encoding
+ * rules won't force a leading octet.
+ */
+# define SERIAL_RAND_BITS 159
+
+int app_isdir(const char *);
+int app_access(const char *, int flag);
+int fileno_stdin(void);
+int fileno_stdout(void);
+int raw_read_stdin(void *, int);
+int raw_write_stdout(const void *, int);
+
+# define TM_START 0
+# define TM_STOP 1
+double app_tminterval(int stop, int usertime);
+
+void make_uppercase(char *string);
+
+typedef struct verify_options_st {
+ int depth;
+ int quiet;
+ int error;
+ int return_error;
+} VERIFY_CB_ARGS;
+
+extern VERIFY_CB_ARGS verify_args;
+
+OSSL_PARAM *app_params_new_from_opts(STACK_OF(OPENSSL_STRING) *opts,
+ const OSSL_PARAM *paramdefs);
+void app_params_free(OSSL_PARAM *params);
+int app_provider_load(OSSL_LIB_CTX *libctx, const char *provider_name);
+void app_providers_cleanup(void);
+
+EVP_PKEY *app_keygen(EVP_PKEY_CTX *ctx, const char *alg, int bits, int verbose);
+EVP_PKEY *app_paramgen(EVP_PKEY_CTX *ctx, const char *alg);
+
+#endif
diff --git a/apps/include/apps_ui.h b/apps/include/apps_ui.h
new file mode 100644
index 000000000000..6875b7c372d9
--- /dev/null
+++ b/apps/include/apps_ui.h
@@ -0,0 +1,29 @@
+/*
+ * Copyright 2018-2020 The OpenSSL Project Authors. All Rights Reserved.
+ *
+ * Licensed under the Apache License 2.0 (the "License"). You may not use
+ * this file except in compliance with the License. You can obtain a copy
+ * in the file LICENSE in the source distribution or at
+ * https://www.openssl.org/source/license.html
+ */
+
+#ifndef OSSL_APPS_UI_H
+# define OSSL_APPS_UI_H
+
+
+# define PW_MIN_LENGTH 4
+typedef struct pw_cb_data {
+ const void *password;
+ const char *prompt_info;
+} PW_CB_DATA;
+
+int password_callback(char *buf, int bufsiz, int verify, PW_CB_DATA *cb_data);
+
+int setup_ui_method(void);
+void destroy_ui_method(void);
+int set_base_ui_method(const UI_METHOD *ui_method);
+const UI_METHOD *get_ui_method(void);
+
+extern BIO *bio_err;
+
+#endif
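Review bot: `void app_bail_out(char *fmt, ...);` takes its format string as a non-const `char *`, so a `const char *` message cannot be passed without a cast and the declaration cannot carry a printf-style format attribute that would let the compiler check the variadic arguments. Suggest `void app_bail_out(const char *fmt, ...);`, matching `log_message(const char *prog, int level, const char *fmt, ...)` in http_server.h from the same commit. Separately, the macro name `_UC` (leading underscore followed by an uppercase letter) is in the identifier space C reserves for the implementation, and `bio_open_owner(..., int private)` uses a C++ keyword as a parameter name, which would matter for any C++ includer of the kind the VMS prologue in this commit anticipates.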
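Review bot: apps_ui.h uses `UI_METHOD` and `BIO` but includes no header, so it only compiles when the includer has already pulled in the OpenSSL type definitions; apps.h happens to include <openssl/types.h> and <openssl/bio.h> before "apps_ui.h", which is why it works from there, but a translation unit that includes apps_ui.h on its own fails. Suggest `# include <openssl/types.h>` right after the guard, which is what app_libctx.h in this same commit does for OSSL_LIB_CTX.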
diff --git a/apps/include/cmp_mock_srv.h b/apps/include/cmp_mock_srv.h
new file mode 100644
index 000000000000..6beba1473590
--- /dev/null
+++ b/apps/include/cmp_mock_srv.h
@@ -0,0 +1,35 @@
+/*
+ * Copyright 2018-2021 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright Siemens AG 2018-2020
+ *
+ * Licensed under the Apache License 2.0 (the "License"). You may not use
+ * this file except in compliance with the License. You can obtain a copy
+ * in the file LICENSE in the source distribution or at
+ * https://www.openssl.org/source/license.html
+ */
+
+#ifndef OSSL_APPS_CMP_MOCK_SRV_H
+# define OSSL_APPS_CMP_MOCK_SRV_H
+
+# include <openssl/opensslconf.h>
+# ifndef OPENSSL_NO_CMP
+
+# include <openssl/cmp.h>
+
+OSSL_CMP_SRV_CTX *ossl_cmp_mock_srv_new(OSSL_LIB_CTX *libctx,
+ const char *propq);
+void ossl_cmp_mock_srv_free(OSSL_CMP_SRV_CTX *srv_ctx);
+
+int ossl_cmp_mock_srv_set1_certOut(OSSL_CMP_SRV_CTX *srv_ctx, X509 *cert);
+int ossl_cmp_mock_srv_set1_chainOut(OSSL_CMP_SRV_CTX *srv_ctx,
+ STACK_OF(X509) *chain);
+int ossl_cmp_mock_srv_set1_caPubsOut(OSSL_CMP_SRV_CTX *srv_ctx,
+ STACK_OF(X509) *caPubs);
+int ossl_cmp_mock_srv_set_statusInfo(OSSL_CMP_SRV_CTX *srv_ctx, int status,
+ int fail_info, const char *text);
+int ossl_cmp_mock_srv_set_send_error(OSSL_CMP_SRV_CTX *srv_ctx, int val);
+int ossl_cmp_mock_srv_set_pollCount(OSSL_CMP_SRV_CTX *srv_ctx, int count);
+int ossl_cmp_mock_srv_set_checkAfterTime(OSSL_CMP_SRV_CTX *srv_ctx, int sec);
+
+# endif /* !defined(OPENSSL_NO_CMP) */
+#endif /* !defined(OSSL_APPS_CMP_MOCK_SRV_H) */
diff --git a/apps/include/ec_common.h b/apps/include/ec_common.h
new file mode 100644
index 000000000000..f5711657a299
--- /dev/null
+++ b/apps/include/ec_common.h
@@ -0,0 +1,23 @@
+/*
+ * Copyright 2020-2021 The OpenSSL Project Authors. All Rights Reserved.
+ *
+ * Licensed under the Apache License 2.0 (the "License"). You may not use
+ * this file except in compliance with the License. You can obtain a copy
+ * in the file LICENSE in the source distribution or at
+ * https://www.openssl.org/source/license.html
+ */
+
+#ifndef OPENSSL_NO_EC
+static const char *point_format_options[] = {
+ "uncompressed",
+ "compressed",
+ "hybrid",
+ NULL
+};
+
+static const char *asn1_encoding_options[] = {
+ "named_curve",
+ "explicit",
+ NULL
+};
+#endif
diff --git a/apps/include/engine_loader.h b/apps/include/engine_loader.h
new file mode 100644
index 000000000000..fa80fc96567c
--- /dev/null
+++ b/apps/include/engine_loader.h
@@ -0,0 +1,21 @@
+/*
+ * Copyright 2018-2022 The OpenSSL Project Authors. All Rights Reserved.
+ *
+ * Licensed under the Apache License 2.0 (the "License"). You may not use
+ * this file except in compliance with the License. You can obtain a copy
+ * in the file LICENSE in the source distribution or at
+ * https://www.openssl.org/source/license.html
+ */
+#ifndef HEADER_ENGINE_LOADER_H
+# define HEADER_ENGINE_LOADER_H
+
+# include <openssl/store.h>
+
+/* this is a private URI scheme */
+# define ENGINE_SCHEME "org.openssl.engine"
+# define ENGINE_SCHEME_COLON (ENGINE_SCHEME ":")
+
+int setup_engine_loader(void);
+void destroy_engine_loader(void);
+
+#endif
diff --git a/apps/include/fmt.h b/apps/include/fmt.h
new file mode 100644
index 000000000000..98dfed7dc0a2
--- /dev/null
+++ b/apps/include/fmt.h
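Review bot: ec_common.h defines `static const char *point_format_options[]` and `static const char *asn1_encoding_options[]` with internal linkage in a header, so every translation unit that includes it carries its own copy of both tables, and any includer that uses only one of them can draw unused-variable diagnostics depending on compiler flags. It also has no include guard, unlike the other headers added in this commit. If only a couple of apps need these tables, declaring them here as `extern const char *const point_format_options[];` (likewise for asn1_encoding_options) and defining them once in a .c file keeps a single instance and avoids the warnings.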
@@ -0,0 +1,45 @@
+/*
+ * Copyright 2018-2021 The OpenSSL Project Authors. All Rights Reserved.
+ *
+ * Licensed under the Apache License 2.0 (the "License"). You may not use
+ * this file except in compliance with the License. You can obtain a copy
+ * in the file LICENSE in the source distribution or at
+ * https://www.openssl.org/source/license.html
+ */
+
+/*
+ * Options are shared by apps (see apps.h) and the test system
+ * (see test/testutil.h').
+ * In order to remove the dependency between apps and options, the following
+ * shared fields have been moved into this file.
+ */
+
+#ifndef OSSL_APPS_FMT_H
+#define OSSL_APPS_FMT_H
+
+/*
+ * On some platforms, it's important to distinguish between text and binary
+ * files. On some, there might even be specific file formats for different
+ * contents. The FORMAT_xxx macros are meant to express an intent with the
+ * file being read or created.
+ */
+# define B_FORMAT_TEXT 0x8000
+# define FORMAT_UNDEF 0
+# define FORMAT_TEXT (1 | B_FORMAT_TEXT) /* Generic text */
+# define FORMAT_BINARY 2 /* Generic binary */
+# define FORMAT_BASE64 (3 | B_FORMAT_TEXT) /* Base64 */
+# define FORMAT_ASN1 4 /* ASN.1/DER */
+# define FORMAT_PEM (5 | B_FORMAT_TEXT)
+# define FORMAT_PKCS12 6
+# define FORMAT_SMIME (7 | B_FORMAT_TEXT)
+# define FORMAT_ENGINE 8 /* Not really a file format */
+# define FORMAT_PEMRSA (9 | B_FORMAT_TEXT) /* PEM RSAPublicKey format */
+# define FORMAT_ASN1RSA 10 /* DER RSAPublicKey format */
+# define FORMAT_MSBLOB 11 /* MS Key blob format */
+# define FORMAT_PVK 12 /* MS PVK file format */
+# define FORMAT_HTTP 13 /* Download using HTTP */
+# define FORMAT_NSS 14 /* NSS keylog format */
+
+int FMT_istext(int format);
+
+#endif /* OSSL_APPS_FMT_H_ */
diff --git a/apps/include/function.h b/apps/include/function.h
new file mode 100644
index 000000000000..14e8dd388670
--- /dev/null
+++ b/apps/include/function.h
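Review bot: The closing comment on the last line of fmt.h, `#endif /* OSSL_APPS_FMT_H_ */`, names a macro that is not the guard actually defined (`OSSL_APPS_FMT_H`), which misleads anyone grepping for the guard or checking guard/endif pairing. Suggest `#endif /* OSSL_APPS_FMT_H */`. The stray quote in `(see test/testutil.h')` in the header comment looks like a typo as well.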
@@ -0,0 +1,44 @@
+/*
+ * Copyright 2019-2020 The OpenSSL Project Authors. All Rights Reserved.
+ *
+ * Licensed under the Apache License 2.0 (the "License"). You may not use
+ * this file except in compliance with the License. You can obtain a copy
+ * in the file LICENSE in the source distribution or at
+ * https://www.openssl.org/source/license.html
+ */
+
+#ifndef OSSL_APPS_FUNCTION_H
+# define OSSL_APPS_FUNCTION_H
+
+# include <openssl/lhash.h>
+# include "opt.h"
+
+#define DEPRECATED_NO_ALTERNATIVE "unknown"
+
+typedef enum FUNC_TYPE {
+ FT_none, FT_general, FT_md, FT_cipher, FT_pkey,
+ FT_md_alg, FT_cipher_alg
+} FUNC_TYPE;
+
+typedef struct function_st {
+ FUNC_TYPE type;
+ const char *name;
+ int (*func)(int argc, char *argv[]);
+ const OPTIONS *help;
+ const char *deprecated_alternative;
+ const char *deprecated_version;
+} FUNCTION;
+
+DEFINE_LHASH_OF(FUNCTION);
+
+/* Structure to hold the number of columns to be displayed and the
+ * field width used to display them.
+ */
+typedef struct {
+ int columns;
+ int width;
+} DISPLAY_COLUMNS;
+
+void calculate_columns(FUNCTION *functions, DISPLAY_COLUMNS *dc);
+
+#endif
diff --git a/apps/include/http_server.h b/apps/include/http_server.h
new file mode 100644
index 000000000000..8c339660a65e
--- /dev/null
+++ b/apps/include/http_server.h
@@ -0,0 +1,125 @@
+/*
+ * Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved.
+ *
+ * Licensed under the Apache License 2.0 (the "License"). You may not use
+ * this file except in compliance with the License. You can obtain a copy
+ * in the file LICENSE in the source distribution or at
+ * https://www.openssl.org/source/license.html
+ */
+
+#ifndef OSSL_HTTP_SERVER_H
+# define OSSL_HTTP_SERVER_H
+
+# include "apps.h"
+
+# ifndef HAVE_FORK
+# if defined(OPENSSL_SYS_VMS) || defined(OPENSSL_SYS_WINDOWS)
+# define HAVE_FORK 0
+# else
+# define HAVE_FORK 1
+# endif
+# endif
+
+# if HAVE_FORK
+# undef NO_FORK
+# else
+# define NO_FORK
+# endif
+
+# if !defined(NO_FORK) && !defined(OPENSSL_NO_SOCK) \
+ && !defined(OPENSSL_NO_POSIX_IO)
+# define HTTP_DAEMON
+# include <sys/types.h>
+# include <sys/wait.h>
+# include <syslog.h>
+# include <signal.h>
+# define MAXERRLEN 1000 /* limit error text sent to syslog to 1000 bytes */
+# else
+# undef LOG_DEBUG
+# undef LOG_INFO
+# undef LOG_WARNING
+# undef LOG_ERR
+# define LOG_DEBUG 7
+# define LOG_INFO 6
+# define LOG_WARNING 4
+# define LOG_ERR 3
+# endif
+
+/*-
+ * Log a message to syslog if multi-threaded HTTP_DAEMON, else to bio_err
+ * prog: the name of the current app
+ * level: the severity of the message, e.g., LOG_ERR
+ * fmt: message with potential extra parameters like with printf()
+ * returns nothing
+ */
+void log_message(const char *prog, int level, const char *fmt, ...);
+
+# ifndef OPENSSL_NO_SOCK
+/*-
+ * Initialize an HTTP server by setting up its listening BIO
+ * prog: the name of the current app
+ * port: the port to listen on
+ * returns a BIO for accepting requests, NULL on error
+ */
+BIO *http_server_init_bio(const char *prog, const char *port);
+
+/*-
+ * Accept an ASN.1-formatted HTTP request
+ * it: the expected request ASN.1 type
+ * preq: pointer to variable where to place the parsed request
+ * ppath: pointer to variable where to place the request path, or NULL
+ * pcbio: pointer to variable where to place the BIO for sending the response to
+ * acbio: the listening bio (typically as returned by http_server_init_bio())
+ * found_keep_alive: for returning flag if client requests persistent connection
+ * prog: the name of the current app, for diagnostics only
+ * port: the local port listening to, for diagnostics only
+ * accept_get: whether to accept GET requests (in addition to POST requests)
+ * timeout: connection timeout (in seconds), or 0 for none/infinite
+ * returns 0 in case caller should retry, then *preq == *ppath == *pcbio == NULL
+ * returns -1 on fatal error; also then holds *preq == *ppath == *pcbio == NULL
+ * returns 1 otherwise. In this case it is guaranteed that *pcbio != NULL while
+ * *ppath == NULL and *preq == NULL if and only if the request is invalid,
+ * On return value 1 the caller is responsible for sending an HTTP response,
+ * using http_server_send_asn1_resp() or http_server_send_status().
+ * The caller must free any non-NULL *preq, *ppath, and *pcbio pointers.
+ */
+int http_server_get_asn1_req(const ASN1_ITEM *it, ASN1_VALUE **preq,
+ char **ppath, BIO **pcbio, BIO *acbio,
+ int *found_keep_alive,
+ const char *prog, const char *port,
+ int accept_get, int timeout);
+
+/*-
+ * Send an ASN.1-formatted HTTP response
+ * cbio: destination BIO (typically as returned by http_server_get_asn1_req())
+ * note: cbio should not do an encoding that changes the output length
+ * keep_alive: grant persistent connnection
+ * content_type: string identifying the type of the response
+ * it: the response ASN.1 type
+ * resp: the response to send
+ * returns 1 on success, 0 on failure
+ */
+int http_server_send_asn1_resp(BIO *cbio, int keep_alive,
+ const char *content_type,
+ const ASN1_ITEM *it, const ASN1_VALUE *resp);
+
+/*-
+ * Send a trivial HTTP response, typically to report an error or OK
+ * cbio: destination BIO (typically as returned by http_server_get_asn1_req())
+ * status: the status code to send
+ * reason: the corresponding human-readable string
+ * returns 1 on success, 0 on failure
+ */
+int http_server_send_status(BIO *cbio, int status, const char *reason);
+
+# endif
+
+# ifdef HTTP_DAEMON
+extern int multi;
+extern int acfd;
+
+void socket_timeout(int signum);
+void spawn_loop(const char *prog);
+# endif
+
+#endif
diff --git a/apps/include/names.h b/apps/include/names.h
new file mode 100644
index 000000000000..f4d6f6a9a333
--- /dev/null
+++ b/apps/include/names.h
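Review bot: The `log_message` comment says it logs to syslog "if multi-threaded HTTP_DAEMON", but everything HTTP_DAEMON guards in this header is fork-based (`HAVE_FORK`, `<sys/wait.h>`, `spawn_loop`), so "multi-process" is the accurate word; suggest ` * Log a message to syslog if multi-process HTTP_DAEMON, else to bio_err`. In the http_server_send_asn1_resp block, `keep_alive: grant persistent connnection` has a typo (`connection`). In the http_server_get_asn1_req block, the sentence ending `if and only if the request is invalid,` needs a period rather than a comma before `On return value 1 ...`.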
@@ -0,0 +1,17 @@
+/*
+ * Copyright 2019 The OpenSSL Project Authors. All Rights Reserved.
+ *
+ * Licensed under the Apache License 2.0 (the "License"). You may not use
+ * this file except in compliance with the License. You can obtain a copy
+ * in the file LICENSE in the source distribution or at
+ * https://www.openssl.org/source/license.html
+ */
+
+#include <openssl/safestack.h>
+
+/* Standard comparing function for names */
+int name_cmp(const char * const *a, const char * const *b);
+/* collect_names is meant to be used with EVP_{type}_doall_names */
+void collect_names(const char *name, void *vdata);
+/* Sorts and prints a stack of names to |out| */
+void print_names(BIO *out, STACK_OF(OPENSSL_CSTRING) *names);
diff --git a/apps/include/opt.h b/apps/include/opt.h
new file mode 100644
index 000000000000..4f83a0ed53c9
--- /dev/null
+++ b/apps/include/opt.h
@@ -0,0 +1,400 @@
+/*
+ * Copyright 2018-2021 The OpenSSL Project Authors. All Rights Reserved.
+ *
+ * Licensed under the Apache License 2.0 (the "License"). You may not use
+ * this file except in compliance with the License. You can obtain a copy
+ * in the file LICENSE in the source distribution or at
+ * https://www.openssl.org/source/license.html
+ */
+#ifndef OSSL_APPS_OPT_H
+#define OSSL_APPS_OPT_H
+
+#include <sys/types.h>
+#include <openssl/e_os2.h>
+#include <openssl/types.h>
+#include <stdarg.h>
+
+#define OPT_COMMON OPT_ERR = -1, OPT_EOF = 0, OPT_HELP
+
+/*
+ * Common verification options.
+ */
+# define OPT_V_ENUM \
+ OPT_V__FIRST=2000, \
+ OPT_V_POLICY, OPT_V_PURPOSE, OPT_V_VERIFY_NAME, OPT_V_VERIFY_DEPTH, \
+ OPT_V_ATTIME, OPT_V_VERIFY_HOSTNAME, OPT_V_VERIFY_EMAIL, \
+ OPT_V_VERIFY_IP, OPT_V_IGNORE_CRITICAL, OPT_V_ISSUER_CHECKS, \
+ OPT_V_CRL_CHECK, OPT_V_CRL_CHECK_ALL, OPT_V_POLICY_CHECK, \
+ OPT_V_EXPLICIT_POLICY, OPT_V_INHIBIT_ANY, OPT_V_INHIBIT_MAP, \
+ OPT_V_X509_STRICT, OPT_V_EXTENDED_CRL, OPT_V_USE_DELTAS, \
+ OPT_V_POLICY_PRINT, OPT_V_CHECK_SS_SIG, OPT_V_TRUSTED_FIRST, \
+ OPT_V_SUITEB_128_ONLY, OPT_V_SUITEB_128, OPT_V_SUITEB_192, \
+ OPT_V_PARTIAL_CHAIN, OPT_V_NO_ALT_CHAINS, OPT_V_NO_CHECK_TIME, \
+ OPT_V_VERIFY_AUTH_LEVEL, OPT_V_ALLOW_PROXY_CERTS, \
+ OPT_V__LAST
+
+# define OPT_V_OPTIONS \
+ OPT_SECTION("Validation"), \
+ { "policy", OPT_V_POLICY, 's', "adds policy to the acceptable policy set"}, \
+ { "purpose", OPT_V_PURPOSE, 's', \
+ "certificate chain purpose"}, \
+ { "verify_name", OPT_V_VERIFY_NAME, 's', "verification policy name"}, \
+ { "verify_depth", OPT_V_VERIFY_DEPTH, 'n', \
+ "chain depth limit" }, \
+ { "auth_level", OPT_V_VERIFY_AUTH_LEVEL, 'n', \
+ "chain authentication security level" }, \
+ { "attime", OPT_V_ATTIME, 'M', "verification epoch time" }, \
+ { "verify_hostname", OPT_V_VERIFY_HOSTNAME, 's', \
+ "expected peer hostname" }, \
+ { "verify_email", OPT_V_VERIFY_EMAIL, 's', \
+ "expected peer email" }, \
+ { "verify_ip", OPT_V_VERIFY_IP, 's', \
+ "expected peer IP address" }, \
+ { "ignore_critical", OPT_V_IGNORE_CRITICAL, '-', \
+ "permit unhandled critical extensions"}, \
+ { "issuer_checks", OPT_V_ISSUER_CHECKS, '-', "(deprecated)"}, \
+ { "crl_check", OPT_V_CRL_CHECK, '-', "check leaf certificate revocation" }, \
+ { "crl_check_all", OPT_V_CRL_CHECK_ALL, '-', "check full chain revocation" }, \
+ { "policy_check", OPT_V_POLICY_CHECK, '-', "perform rfc5280 policy checks"}, \
+ { "explicit_policy", OPT_V_EXPLICIT_POLICY, '-', \
+ "set policy variable require-explicit-policy"}, \
+ { "inhibit_any", OPT_V_INHIBIT_ANY, '-', \
+ "set policy variable inhibit-any-policy"}, \
+ { "inhibit_map", OPT_V_INHIBIT_MAP, '-', \
+ "set policy variable inhibit-policy-mapping"}, \
+ { "x509_strict", OPT_V_X509_STRICT, '-', \
+ "disable certificate compatibility work-arounds"}, \
+ { "extended_crl", OPT_V_EXTENDED_CRL, '-', \
+ "enable extended CRL features"}, \
+ { "use_deltas", OPT_V_USE_DELTAS, '-', \
+ "use delta CRLs"}, \
+ { "policy_print", OPT_V_POLICY_PRINT, '-', \
+ "print policy processing diagnostics"}, \
+ { "check_ss_sig", OPT_V_CHECK_SS_SIG, '-', \
+ "check root CA self-signatures"}, \
+ { "trusted_first", OPT_V_TRUSTED_FIRST, '-', \
+ "search trust store first (default)" }, \
+ { "suiteB_128_only", OPT_V_SUITEB_128_ONLY, '-', "Suite B 128-bit-only mode"}, \
+ { "suiteB_128", OPT_V_SUITEB_128, '-', \
+ "Suite B 128-bit mode allowing 192-bit algorithms"}, \
+ { "suiteB_192", OPT_V_SUITEB_192, '-', "Suite B 192-bit-only mode" }, \
+ { "partial_chain", OPT_V_PARTIAL_CHAIN, '-', \
+ "accept chains anchored by intermediate trust-store CAs"}, \
+ { "no_alt_chains", OPT_V_NO_ALT_CHAINS, '-', "(deprecated)" }, \
+ { "no_check_time", OPT_V_NO_CHECK_TIME, '-', "ignore certificate validity time" }, \
+ { "allow_proxy_certs", OPT_V_ALLOW_PROXY_CERTS, '-', "allow the use of proxy certificates" }
+
+# define OPT_V_CASES \
+ OPT_V__FIRST: case OPT_V__LAST: break; \
+ case OPT_V_POLICY: \
+ case OPT_V_PURPOSE: \
+ case OPT_V_VERIFY_NAME: \
+ case OPT_V_VERIFY_DEPTH: \
+ case OPT_V_VERIFY_AUTH_LEVEL: \
+ case OPT_V_ATTIME: \
+ case OPT_V_VERIFY_HOSTNAME: \
+ case OPT_V_VERIFY_EMAIL: \
+ case OPT_V_VERIFY_IP: \
+ case OPT_V_IGNORE_CRITICAL: \
+ case OPT_V_ISSUER_CHECKS: \
+ case OPT_V_CRL_CHECK: \
+ case OPT_V_CRL_CHECK_ALL: \
+ case OPT_V_POLICY_CHECK: \
+ case OPT_V_EXPLICIT_POLICY: \
+ case OPT_V_INHIBIT_ANY: \
+ case OPT_V_INHIBIT_MAP: \
+ case OPT_V_X509_STRICT: \
+ case OPT_V_EXTENDED_CRL: \
+ case OPT_V_USE_DELTAS: \
+ case OPT_V_POLICY_PRINT: \
+ case OPT_V_CHECK_SS_SIG: \
+ case OPT_V_TRUSTED_FIRST: \
+ case OPT_V_SUITEB_128_ONLY: \
+ case OPT_V_SUITEB_128: \
+ case OPT_V_SUITEB_192: \
+ case OPT_V_PARTIAL_CHAIN: \
+ case OPT_V_NO_ALT_CHAINS: \
+ case OPT_V_NO_CHECK_TIME: \
+ case OPT_V_ALLOW_PROXY_CERTS
+
+/*
+ * Common "extended validation" options.
+ */
+# define OPT_X_ENUM \
+ OPT_X__FIRST=1000, \
+ OPT_X_KEY, OPT_X_CERT, OPT_X_CHAIN, OPT_X_CHAIN_BUILD, \
+ OPT_X_CERTFORM, OPT_X_KEYFORM, \
+ OPT_X__LAST
+
+# define OPT_X_OPTIONS \
+ OPT_SECTION("Extended certificate"), \
+ { "xkey", OPT_X_KEY, '<', "key for Extended certificates"}, \
+ { "xcert", OPT_X_CERT, '<', "cert for Extended certificates"}, \
+ { "xchain", OPT_X_CHAIN, '<', "chain for Extended certificates"}, \
+ { "xchain_build", OPT_X_CHAIN_BUILD, '-', \
+ "build certificate chain for the extended certificates"}, \
+ { "xcertform", OPT_X_CERTFORM, 'F', \
+ "format of Extended certificate (PEM/DER/P12); has no effect" }, \
+ { "xkeyform", OPT_X_KEYFORM, 'F', \
+ "format of Extended certificate's key (DER/PEM/P12); has no effect"}
+
+# define OPT_X_CASES \
+ OPT_X__FIRST: case OPT_X__LAST: break; \
+ case OPT_X_KEY: \
+ case OPT_X_CERT: \
+ case OPT_X_CHAIN: \
+ case OPT_X_CHAIN_BUILD: \
+ case OPT_X_CERTFORM: \
+ case OPT_X_KEYFORM
+
+/*
+ * Common SSL options.
+ * Any changes here must be coordinated with ../ssl/ssl_conf.c
+ */
+# define OPT_S_ENUM \
+ OPT_S__FIRST=3000, \
+ OPT_S_NOSSL3, OPT_S_NOTLS1, OPT_S_NOTLS1_1, OPT_S_NOTLS1_2, \
+ OPT_S_NOTLS1_3, OPT_S_BUGS, OPT_S_NO_COMP, OPT_S_NOTICKET, \
+ OPT_S_SERVERPREF, OPT_S_LEGACYRENEG, OPT_S_CLIENTRENEG, \
+ OPT_S_LEGACYCONN, \
+ OPT_S_ONRESUMP, OPT_S_NOLEGACYCONN, OPT_S_ALLOW_NO_DHE_KEX, \
+ OPT_S_PRIORITIZE_CHACHA, \
+ OPT_S_STRICT, OPT_S_SIGALGS, OPT_S_CLIENTSIGALGS, OPT_S_GROUPS, \
+ OPT_S_CURVES, OPT_S_NAMEDCURVE, OPT_S_CIPHER, OPT_S_CIPHERSUITES, \
+ OPT_S_RECORD_PADDING, OPT_S_DEBUGBROKE, OPT_S_COMP, \
+ OPT_S_MINPROTO, OPT_S_MAXPROTO, \
+ OPT_S_NO_RENEGOTIATION, OPT_S_NO_MIDDLEBOX, OPT_S_NO_ETM, OPT_S__LAST
+
+# define OPT_S_OPTIONS \
+ OPT_SECTION("TLS/SSL"), \
+ {"no_ssl3", OPT_S_NOSSL3, '-',"Just disable SSLv3" }, \
+ {"no_tls1", OPT_S_NOTLS1, '-', "Just disable TLSv1"}, \
+ {"no_tls1_1", OPT_S_NOTLS1_1, '-', "Just disable TLSv1.1" }, \
+ {"no_tls1_2", OPT_S_NOTLS1_2, '-', "Just disable TLSv1.2"}, \
+ {"no_tls1_3", OPT_S_NOTLS1_3, '-', "Just disable TLSv1.3"}, \
+ {"bugs", OPT_S_BUGS, '-', "Turn on SSL bug compatibility"}, \
+ {"no_comp", OPT_S_NO_COMP, '-', "Disable SSL/TLS compression (default)" }, \
+ {"comp", OPT_S_COMP, '-', "Use SSL/TLS-level compression" }, \
+ {"no_ticket", OPT_S_NOTICKET, '-', \
+ "Disable use of TLS session tickets"}, \
+ {"serverpref", OPT_S_SERVERPREF, '-', "Use server's cipher preferences"}, \
+ {"legacy_renegotiation", OPT_S_LEGACYRENEG, '-', \
+ "Enable use of legacy renegotiation (dangerous)"}, \
+ {"client_renegotiation", OPT_S_CLIENTRENEG, '-', \
+ "Allow client-initiated renegotiation" }, \
+ {"no_renegotiation", OPT_S_NO_RENEGOTIATION, '-', \
+ "Disable all renegotiation."}, \
+ {"legacy_server_connect", OPT_S_LEGACYCONN, '-', \
+ "Allow initial connection to servers that don't support RI"}, \
+ {"no_resumption_on_reneg", OPT_S_ONRESUMP, '-', \
+ "Disallow session resumption on renegotiation"}, \
+ {"no_legacy_server_connect", OPT_S_NOLEGACYCONN, '-', \
+ "Disallow initial connection to servers that don't support RI"}, \
+ {"allow_no_dhe_kex", OPT_S_ALLOW_NO_DHE_KEX, '-', \
+ "In TLSv1.3 allow non-(ec)dhe based key exchange on resumption"}, \
+ {"prioritize_chacha", OPT_S_PRIORITIZE_CHACHA, '-', \
+ "Prioritize ChaCha ciphers when preferred by clients"}, \
+ {"strict", OPT_S_STRICT, '-', \
+ "Enforce strict certificate checks as per TLS standard"}, \
+ {"sigalgs", OPT_S_SIGALGS, 's', \
+ "Signature algorithms to support (colon-separated list)" }, \
+ {"client_sigalgs", OPT_S_CLIENTSIGALGS, 's', \
+ "Signature algorithms to support for client certificate" \
+ " authentication (colon-separated list)" }, \
+ {"groups", OPT_S_GROUPS, 's', \
+ "Groups to advertise (colon-separated list)" }, \
+ {"curves", OPT_S_CURVES, 's', \
+ "Groups to advertise (colon-separated list)" }, \
+ {"named_curve", OPT_S_NAMEDCURVE, 's', \
+ "Elliptic curve used for ECDHE (server-side only)" }, \
+ {"cipher", OPT_S_CIPHER, 's', "Specify TLSv1.2 and below cipher list to be used"}, \
+ {"ciphersuites", OPT_S_CIPHERSUITES, 's', "Specify TLSv1.3 ciphersuites to be used"}, \
+ {"min_protocol", OPT_S_MINPROTO, 's', "Specify the minimum protocol version to be used"}, \
+ {"max_protocol", OPT_S_MAXPROTO, 's', "Specify the maximum protocol version to be used"}, \
+ {"record_padding", OPT_S_RECORD_PADDING, 's', \
+ "Block size to pad TLS 1.3 records to."}, \
+ {"debug_broken_protocol", OPT_S_DEBUGBROKE, '-', \
+ "Perform all sorts of protocol violations for testing purposes"}, \
+ {"no_middlebox", OPT_S_NO_MIDDLEBOX, '-', \
+ "Disable TLSv1.3 middlebox compat mode" }, \
+ {"no_etm", OPT_S_NO_ETM, '-', \
+ "Disable Encrypt-then-Mac extension"}
+
+# define OPT_S_CASES \
+ OPT_S__FIRST: case OPT_S__LAST: break; \
+ case OPT_S_NOSSL3: \
+ case OPT_S_NOTLS1: \
+ case OPT_S_NOTLS1_1: \
+ case OPT_S_NOTLS1_2: \
+ case OPT_S_NOTLS1_3: \
+ case OPT_S_BUGS: \
+ case OPT_S_NO_COMP: \
+ case OPT_S_COMP: \
+ case OPT_S_NOTICKET: \
+ case OPT_S_SERVERPREF: \
+ case OPT_S_LEGACYRENEG: \
+ case OPT_S_CLIENTRENEG: \
+ case OPT_S_LEGACYCONN: \
+ case OPT_S_ONRESUMP: \
+ case OPT_S_NOLEGACYCONN: \
+ case OPT_S_ALLOW_NO_DHE_KEX: \
+ case OPT_S_PRIORITIZE_CHACHA: \
+ case OPT_S_STRICT: \
+ case OPT_S_SIGALGS: \
+ case OPT_S_CLIENTSIGALGS: \
+ case OPT_S_GROUPS: \
+ case OPT_S_CURVES: \
+ case OPT_S_NAMEDCURVE: \
+ case OPT_S_CIPHER: \
+ case OPT_S_CIPHERSUITES: \
+ case OPT_S_RECORD_PADDING: \
+ case OPT_S_NO_RENEGOTIATION: \
+ case OPT_S_MINPROTO: \
+ case OPT_S_MAXPROTO: \
+ case OPT_S_DEBUGBROKE: \
+ case OPT_S_NO_MIDDLEBOX: \
+ case OPT_S_NO_ETM
+
+#define IS_NO_PROT_FLAG(o) \
+ (o == OPT_S_NOSSL3 || o == OPT_S_NOTLS1 || o == OPT_S_NOTLS1_1 \
+ || o == OPT_S_NOTLS1_2 || o == OPT_S_NOTLS1_3)
+
+/*
+ * Random state options.
+ */
+# define OPT_R_ENUM \
+ OPT_R__FIRST=1500, OPT_R_RAND, OPT_R_WRITERAND, OPT_R__LAST
+
+# define OPT_R_OPTIONS \
+ OPT_SECTION("Random state"), \
+ {"rand", OPT_R_RAND, 's', "Load the given file(s) into the random number generator"}, \
+ {"writerand", OPT_R_WRITERAND, '>', "Write random data to the specified file"}
+
+# define OPT_R_CASES \
+ OPT_R__FIRST: case OPT_R__LAST: break; \
+ case OPT_R_RAND: case OPT_R_WRITERAND
+
+/*
+ * Provider options.
+ */
+# define OPT_PROV_ENUM \
+ OPT_PROV__FIRST=1600, \
+ OPT_PROV_PROVIDER, OPT_PROV_PROVIDER_PATH, OPT_PROV_PROPQUERY, \
+ OPT_PROV__LAST
+
+# define OPT_CONFIG_OPTION \
+ { "config", OPT_CONFIG, '<', "Load a configuration file (this may load modules)" }
+
+# define OPT_PROV_OPTIONS \
+ OPT_SECTION("Provider"), \
+ { "provider-path", OPT_PROV_PROVIDER_PATH, 's', "Provider load path (must be before 'provider' argument if required)" }, \
+ { "provider", OPT_PROV_PROVIDER, 's', "Provider to load (can be specified multiple times)" }, \
+ { "propquery", OPT_PROV_PROPQUERY, 's', "Property query used when fetching algorithms" }
+
+# define OPT_PROV_CASES \
+ OPT_PROV__FIRST: case OPT_PROV__LAST: break; \
+ case OPT_PROV_PROVIDER: \
+ case OPT_PROV_PROVIDER_PATH: \
+ case OPT_PROV_PROPQUERY
+
+/*
+ * Option parsing.
+ */
+extern const char OPT_HELP_STR[];
+extern const char OPT_MORE_STR[];
+extern const char OPT_SECTION_STR[];
+extern const char OPT_PARAM_STR[];
+
+typedef struct options_st {
+ const char *name;
+ int retval;
+ /*
+ * value type: - no value (also the value zero), n number, p positive
+ * number, u unsigned, l long, s string, < input file, > output file,
+ * f any format, F der/pem format, E der/pem/engine format identifier.
+ * l, n and u include zero; p does not.
+ */
+ int valtype;
+ const char *helpstr;
+} OPTIONS;
+/* Special retval values: */
+#define OPT_PARAM 0 /* same as OPT_EOF usually defined in apps */
+#define OPT_DUP -2 /* marks duplicate occurrence of option in help output */
+
+/*
+ * A string/int pairing; widely use for option value lookup, hence the
+ * name OPT_PAIR. But that name is misleading in s_cb.c, so we also use
+ * the "generic" name STRINT_PAIR.
+ */
+typedef struct string_int_pair_st {
+ const char *name;
+ int retval;
+} OPT_PAIR, STRINT_PAIR;
+
+/* Flags to pass into opt_format; see FORMAT_xxx, below. */
+# define OPT_FMT_PEMDER (1L << 1)
+# define OPT_FMT_PKCS12 (1L << 2)
+# define OPT_FMT_SMIME (1L << 3)
+# define OPT_FMT_ENGINE (1L << 4)
+# define OPT_FMT_MSBLOB (1L << 5)
+/* (1L << 6) was OPT_FMT_NETSCAPE, but wasn't used */
+# define OPT_FMT_NSS (1L << 7)
+# define OPT_FMT_TEXT (1L << 8)
+# define OPT_FMT_HTTP (1L << 9)
+# define OPT_FMT_PVK (1L << 10)
+# define OPT_FMT_PDE (OPT_FMT_PEMDER | OPT_FMT_ENGINE)
+# define OPT_FMT_PDS (OPT_FMT_PEMDER | OPT_FMT_SMIME)
+# define OPT_FMT_ANY ( \
+ OPT_FMT_PEMDER | OPT_FMT_PKCS12 | OPT_FMT_SMIME | \
+ OPT_FMT_ENGINE | OPT_FMT_MSBLOB | OPT_FMT_NSS | \
+ OPT_FMT_TEXT | OPT_FMT_HTTP | OPT_FMT_PVK)
+
+/* Divide options into sections when displaying usage */
+#define OPT_SECTION(sec) { OPT_SECTION_STR, 1, '-', sec " options:\n" }
+#define OPT_PARAMETERS() { OPT_PARAM_STR, 1, '-', "Parameters:\n" }
+
+const char *opt_path_end(const char *filename);
+char *opt_init(int ac, char **av, const OPTIONS * o);
+char *opt_progname(const char *argv0);
+char *opt_appname(const char *argv0);
+char *opt_getprog(void);
+void opt_help(const OPTIONS * list);
+
+void opt_begin(void);
+int opt_next(void);
+char *opt_flag(void);
+char *opt_arg(void);
+char *opt_unknown(void);
+int opt_cipher(const char *name, EVP_CIPHER **cipherp);
+int opt_cipher_any(const char *name, EVP_CIPHER **cipherp);
+int opt_cipher_silent(const char *name, EVP_CIPHER **cipherp);
+int opt_md(const char *name, EVP_MD **mdp);
+int opt_md_silent(const char *name, EVP_MD **mdp);
+
+int opt_int(const char *arg, int *result);
+int opt_int_arg(void);
+int opt_long(const char *arg, long *result);
+int opt_ulong(const char *arg, unsigned long *result);
+int opt_intmax(const char *arg, ossl_intmax_t *result);
+int opt_uintmax(const char *arg, ossl_uintmax_t *result);
+
+int opt_isdir(const char *name);
+int opt_format(const char *s, unsigned long flags, int *result);
+void print_format_error(int format, unsigned long flags);
+int opt_printf_stderr(const char *fmt, ...);
+int opt_string(const char *name, const char **options);
+int opt_pair(const char *arg, const OPT_PAIR * pairs, int *result);
+
+int opt_verify(int i, X509_VERIFY_PARAM *vpm);
+int opt_rand(int i);
+int opt_provider(int i);
+int opt_provider_option_given(void);
+
+char **opt_rest(void);
+int opt_num_rest(void);
+
+/* Returns non-zero if legacy paths are still available */
+int opt_legacy_okay(void);
+
+
+#endif /* OSSL_APPS_OPT_H */
diff --git a/apps/include/platform.h b/apps/include/platform.h
new file mode 100644
index 000000000000..491559df3152
--- /dev/null
+++ b/apps/include/platform.h
@@ -0,0 +1,32 @@
+/*
+ * Copyright 2019 The OpenSSL Project Authors. All Rights Reserved.
+ *
+ * Licensed under the Apache License 2.0 (the "License"). You may not use
+ * this file except in compliance with the License. You can obtain a copy
+ * in the file LICENSE in the source distribution or at
+ * https://www.openssl.org/source/license.html
+ */
+
+#ifndef OSSL_APPS_PLATFORM_H
+# define OSSL_APPS_PLATFORM_H
+
+# include <openssl/e_os2.h>
+
+# if defined(OPENSSL_SYS_VMS) && defined(__DECC)
+/*
+ * VMS C only for now, implemented in vms_decc_init.c
+ * If other C compilers forget to terminate argv with NULL, this function
+ * can be re-used.
+ */
+char **copy_argv(int *argc, char *argv[]);
+# endif
+
+# ifdef _WIN32
+/*
+ * Win32-specific argv initialization that splits OS-supplied UNICODE
+ * command line string to array of UTF8-encoded strings.
+ */
+void win32_utf8argv(int *argc, char **argv[]);
+# endif
+
+#endif
diff --git a/apps/include/s_apps.h b/apps/include/s_apps.h
new file mode 100644
index 000000000000..d610df40be3f
--- /dev/null
+++ b/apps/include/s_apps.h
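Review bot: `IS_NO_PROT_FLAG(o)` uses its argument unparenthesized in `(o == OPT_S_NOSSL3 || o == OPT_S_NOTLS1 ...)`, so any caller that passes an expression rather than a plain identifier (a cast, a ternary, `*p`) gets a different parse than it wrote; it is the only argument-taking macro in this header, so it is the one place this can bite. I would write it as `((o) == OPT_S_NOSSL3 || (o) == OPT_S_NOTLS1 || (o) == OPT_S_NOTLS1_1 || (o) == OPT_S_NOTLS1_2 || (o) == OPT_S_NOTLS1_3)`. Separately, the `valtype` comment inside `options_st` enumerates only `- n p u l s < > f F E`, yet the tables earlier in the same file already use `'M'` (the `"attime"` entry), so a reader of the struct cannot tell what that letter means; the comment should list it (from this hunk its meaning is not derivable, though `opt_intmax()` below looks like the likely consumer — confirm against opt.c). `OPT_CONFIG_OPTION` also references `OPT_CONFIG`, which nothing in this header defines, so a one-line comment saying the including app's enum must provide it would save the next reader a search.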
@@ -0,0 +1,108 @@
+/*
+ * Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved.
+ *
+ * Licensed under the Apache License 2.0 (the "License"). You may not use
+ * this file except in compliance with the License. You can obtain a copy
+ * in the file LICENSE in the source distribution or at
+ * https://www.openssl.org/source/license.html
+ */
+
+#include <openssl/opensslconf.h>
+
+#include <openssl/ssl.h>
+#include <openssl/srp.h>
+
+#define PORT "4433"
+#define PROTOCOL "tcp"
+
+typedef int (*do_server_cb)(int s, int stype, int prot, unsigned char *context);
+int report_server_accept(BIO *out, int asock, int with_address, int with_pid);
+int do_server(int *accept_sock, const char *host, const char *port,
+ int family, int type, int protocol, do_server_cb cb,
+ unsigned char *context, int naccept, BIO *bio_s_out);
+
+int verify_callback(int ok, X509_STORE_CTX *ctx);
+
+int set_cert_stuff(SSL_CTX *ctx, char *cert_file, char *key_file);
+int set_cert_key_stuff(SSL_CTX *ctx, X509 *cert, EVP_PKEY *key,
+ STACK_OF(X509) *chain, int build_chain);
+int ssl_print_sigalgs(BIO *out, SSL *s);
+int ssl_print_point_formats(BIO *out, SSL *s);
+int ssl_print_groups(BIO *out, SSL *s, int noshared);
+int ssl_print_tmp_key(BIO *out, SSL *s);
+int init_client(int *sock, const char *host, const char *port,
+ const char *bindhost, const char *bindport,
+ int family, int type, int protocol);
+int should_retry(int i);
+void do_ssl_shutdown(SSL *ssl);
+
+long bio_dump_callback(BIO *bio, int cmd, const char *argp, size_t len,
+ int argi, long argl, int ret, size_t *processed);
+
+void apps_ssl_info_callback(const SSL *s, int where, int ret);
+void msg_cb(int write_p, int version, int content_type, const void *buf,
+ size_t len, SSL *ssl, void *arg);
+void tlsext_cb(SSL *s, int client_server, int type, const unsigned char *data,
+ int len, void *arg);
+
+int generate_cookie_callback(SSL *ssl, unsigned char *cookie,
+ unsigned int *cookie_len);
+int verify_cookie_callback(SSL *ssl, const unsigned char *cookie,
+ unsigned int cookie_len);
+
+#ifdef __VMS /* 31 char symbol name limit */
+# define generate_stateless_cookie_callback generate_stateless_cookie_cb
+# define verify_stateless_cookie_callback verify_stateless_cookie_cb
+#endif
+
+int generate_stateless_cookie_callback(SSL *ssl, unsigned char *cookie,
+ size_t *cookie_len);
+int verify_stateless_cookie_callback(SSL *ssl, const unsigned char *cookie,
+ size_t cookie_len);
+
+typedef struct ssl_excert_st SSL_EXCERT;
+
+void ssl_ctx_set_excert(SSL_CTX *ctx, SSL_EXCERT *exc);
+void ssl_excert_free(SSL_EXCERT *exc);
+int args_excert(int option, SSL_EXCERT **pexc);
+int load_excert(SSL_EXCERT **pexc);
+void print_verify_detail(SSL *s, BIO *bio);
+void print_ssl_summary(SSL *s);
+int config_ctx(SSL_CONF_CTX *cctx, STACK_OF(OPENSSL_STRING) *str, SSL_CTX *ctx);
+int ssl_ctx_add_crls(SSL_CTX *ctx, STACK_OF(X509_CRL) *crls,
+ int crl_download);
+int ssl_load_stores(SSL_CTX *ctx, const char *vfyCApath,
+ const char *vfyCAfile, const char *vfyCAstore,
+ const char *chCApath, const char *chCAfile,
+ const char *chCAstore, STACK_OF(X509_CRL) *crls,
+ int crl_download);
+void ssl_ctx_security_debug(SSL_CTX *ctx, int verbose);
+int set_keylog_file(SSL_CTX *ctx, const char *keylog_file);
+void print_ca_names(BIO *bio, SSL *s);
+
+#ifndef OPENSSL_NO_SRP
+/* The client side SRP context that we pass to all SRP related callbacks */
+typedef struct srp_arg_st {
+ char *srppassin;
+ char *srplogin;
+ int msg; /* copy from c_msg */
+ int debug; /* copy from c_debug */
+ int amp; /* allow more groups */
+ int strength; /* minimal size for N */
+} SRP_ARG;
+
+int set_up_srp_arg(SSL_CTX *ctx, SRP_ARG *srp_arg, int srp_lateuser, int c_msg,
+ int c_debug);
+void set_up_dummy_srp(SSL_CTX *ctx);
+
+/* The server side SRP context that we pass to all SRP related callbacks */
+typedef struct srpsrvparm_st {
+ char *login;
+ SRP_VBASE *vb;
+ SRP_user_pwd *user;
+} srpsrvparm;
+
+int set_up_srp_verifier_file(SSL_CTX *ctx, srpsrvparm *srp_callback_parm,
+ char *srpuserseed, char *srp_verifier_file);
+void lookup_srp_user(srpsrvparm *srp_callback_parm, BIO *bio_s_out);
+#endif /* OPENSSL_NO_SRP */
diff --git a/apps/include/vms_term_sock.h b/apps/include/vms_term_sock.h
new file mode 100644
index 000000000000..eae37b1af931
--- /dev/null
+++ b/apps/include/vms_term_sock.h
@@ -0,0 +1,31 @@
+/*
+ * Copyright 2016 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2016 VMS Software, Inc. All Rights Reserved.
+ *
+ * Licensed under the Apache License 2.0 (the "License"). You may not use
+ * this file except in compliance with the License. You can obtain a copy
+ * in the file LICENSE in the source distribution or at
+ * https://www.openssl.org/source/license.html
+ */
+
+#ifndef OSSL_APPS_VMS_TERM_SOCK_H
+# define OSSL_APPS_VMS_TERM_SOCK_H
+
+/*
+** Terminal Socket Function Codes
+*/
+# define TERM_SOCK_CREATE 1
+# define TERM_SOCK_DELETE 2
+
+/*
+** Terminal Socket Status Codes
+*/
+# define TERM_SOCK_FAILURE 0
+# define TERM_SOCK_SUCCESS 1
+
+/*
+** Terminal Socket Prototype
+*/
+int TerminalSocket (int FunctionCode, int *ReturnSocket);
+
+#endif |
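Review bot: `srp_arg_st.srppassin` carries the cleartext SRP password as a bare `char *`, and the header says nothing about who owns that buffer, how long it must stay valid (the comment above the struct says it is handed to every SRP callback), or that it should be wiped once the context is done with it; a field comment such as `char *srppassin; /* cleartext password; ownership/lifetime per caller, OPENSSL_cleanse() when no longer needed */` would head off the obvious misuse. `set_keylog_file()` deserves a similar one-liner: from its name and the `SSL_CTX *` argument it presumably writes TLS session secrets to `keylog_file`, which defeats the confidentiality of every connection it records, and the declaration should say so rather than leaving it to the caller to discover. Two smaller points: this header has no include guard, unlike opt.h and platform.h in the same import, and `set_cert_stuff()` takes `char *cert_file, char *key_file` where `const char *` would match the path parameters of `do_server()` and `init_client()` and stop callers from having to cast away const.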
