openssl: also treat Cygwin Perl like MSYS Perl in test guards

Git for Windows recently stopped building its own Perl and switched to
the MSYS2-provided one. That Perl reports $^O as 'cygwin' rather than
'msys', which means OpenSSL's test skip guards that check for 'msys' no
longer fire. Tests that open listening sockets (notably
82-test_ocsp_cert_chain.t and 90-test_store.t) then hang indefinitely
because Windows Defender's firewall prompts for permission to allow the
connection, which blocks in CI where nobody can click "Allow".

The fix has two parts. For guards that were introduced by our own
carried patches (0005-Fix-Text-comparison, 0006-Mangle-Absolute-path,
0007-Fix-OS-detection), the patches themselves are updated to match
'cygwin' alongside 'msys' from the start. For guards that exist in
upstream OpenSSL (in 02-test_errstr.t, 25-test_eai_data.t,
25-test_x509.t, 80-test_cmp_http.t, 82-test_ocsp_cert_chain.t,
82-test_tfo_cli.t, and 90-test_store.t), a new patch
0009-Also-treat-Cygwin-Perl-like-MSYS-Perl-in-test-skip-g.patch is
added. MSYS2 upstream does not carry this patch because they have not
encountered the firewall hang in their CI, but it is a safety measure
that costs nothing and prevents real hangs on Windows build agents where
Defender is active.

The patches were produced from the playground repository at
mingw-w64-openssl/src/playground, which can be recreated as follows:

    git init playground && cd playground
    /usr/src/git/contrib/fast-import/import-tars.perl \
        ../openssl-3.5.6.tar.gz
    git checkout import-tars
    git am ../../000[1-9]-*.patch
    git fast-export --no-data HEAD | \
      awk '/^author /{a=$0} /^committer /{$0="committer " substr(a,8)} 1' | \
      git fast-import --force --quiet

The fast-export/fast-import awk trick forces committer identity and
timestamp to match the author on every commit, including the import
commit created by import-tars.perl (which otherwise uses the identity
of whoever runs the script). This makes the resulting OIDs fully
reproducible, so `git format-patch --no-signature -o ../.. -9 HEAD`
always exports identical patches.

Assisted-by: Claude Opus 4.6
Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>

Author: dscho

mingw-w64-openssl/0001-support-aarch64.patch

@@ -1,19 +1,19 @@
-From b3431910bb8956041d8edd15cd0a3afa0a149efd Mon Sep 17 00:00:00 2001
+From b3a145a437302ebc822c81695f4b9a4d6c47de2c Mon Sep 17 00:00:00 2001
 From: =?UTF-8?q?=D9=85=D9=87=D8=AF=D9=8A=20=D8=B4=D9=8A=D9=86=D9=88=D9=86?=
  =?UTF-8?q?=20=28Mehdi=20Chinoune=29?= <mehdi.chinoune@hotmail.com>
 Date: Sat, 7 Jan 2023 08:19:23 +0100
-Subject: [PATCH 1/7] support-aarch64
+Subject: [PATCH 1/9] support-aarch64
 
 openssl: update to 3.0.7
 ---
  Configurations/10-main.conf | 12 ++++++++++++
  1 file changed, 12 insertions(+)
 
 diff --git a/Configurations/10-main.conf b/Configurations/10-main.conf
-index cba57b4..dd8dd5e 100644
+index 692eccb..c27dcae 100644
 --- a/Configurations/10-main.conf
 +++ b/Configurations/10-main.conf
-@@ -1746,6 +1746,18 @@ my %targets = (
+@@ -1747,6 +1747,18 @@ my %targets = (
          multilib         => "64",
      },
 

mingw-w64-openssl/0002-relocation.patch

@@ -1,8 +1,8 @@
-From 993b0cec8ad81b84a42236b007f1bca623db1520 Mon Sep 17 00:00:00 2001
+From e64549f98276b31ab4a6c45d0b837b8cc22b8bfc Mon Sep 17 00:00:00 2001
 From: =?UTF-8?q?=D9=85=D9=87=D8=AF=D9=8A=20=D8=B4=D9=8A=D9=86=D9=88=D9=86?=
  =?UTF-8?q?=20=28Mehdi=20Chinoune=29?= <mehdi.chinoune@hotmail.com>
 Date: Sat, 7 Jan 2023 08:19:23 +0100
-Subject: [PATCH 2/7] relocation
+Subject: [PATCH 2/9] relocation
 
 openssl: update to 3.0.7
 ---
@@ -26,7 +26,7 @@ index aee5c46..9a97547 100644
 
  SOURCE[../libcrypto]=$UPLINKSRC
 diff --git a/crypto/engine/eng_list.c b/crypto/engine/eng_list.c
-index 0f24f2f..a9b2206 100644
+index 917fa84..8d8e3cf 100644
 --- a/crypto/engine/eng_list.c
 +++ b/crypto/engine/eng_list.c
 @@ -12,6 +12,7 @@
@@ -51,10 +51,10 @@ index 0f24f2f..a9b2206 100644
 +            load_dir = reloc;
 +        }
          iterator = ENGINE_by_id("dynamic");
-         if (!iterator || !ENGINE_ctrl_cmd_string(iterator, "ID", id, 0) ||
-             !ENGINE_ctrl_cmd_string(iterator, "DIR_LOAD", "2", 0) ||
+         if (!iterator || !ENGINE_ctrl_cmd_string(iterator, "ID", id, 0) || !ENGINE_ctrl_cmd_string(iterator, "DIR_LOAD", "2", 0) || !ENGINE_ctrl_cmd_string(iterator, "DIR_ADD", load_dir, 0) || !ENGINE_ctrl_cmd_string(iterator, "LIST_ADD", "1", 0) || !ENGINE_ctrl_cmd_string(iterator, "LOAD", NULL, 0))
+             goto notfound;
 diff --git a/crypto/provider_core.c b/crypto/provider_core.c
-index c71c1e7..19c3dbb 100644
+index 507be35..0f8da50 100644
 --- a/crypto/provider_core.c
 +++ b/crypto/provider_core.c
 @@ -30,6 +30,7 @@
@@ -63,9 +63,9 @@ index c71c1e7..19c3dbb 100644
  #include "crypto/context.h"
 +#include "pathtools.h"
  #ifndef FIPS_MODULE
- # include <openssl/self_test.h>
- # include <openssl/indicator.h>
-@@ -991,8 +992,13 @@ static int provider_init(OSSL_PROVIDER *prov)
+ #include <openssl/self_test.h>
+ #include <openssl/indicator.h>
+@@ -997,8 +998,13 @@ static int provider_init(OSSL_PROVIDER *prov)
 
              if (load_dir == NULL) {
                  load_dir = ossl_safe_getenv("OPENSSL_MODULES");
@@ -82,7 +82,7 @@ index c71c1e7..19c3dbb 100644
 
              DSO_ctrl(prov->module, DSO_CTRL_SET_FLAGS,
 diff --git a/crypto/x509/x509_def.c b/crypto/x509/x509_def.c
-index 7d5b642..7f0a1d1 100644
+index 5a6ecaf..447a45a 100644
 --- a/crypto/x509/x509_def.c
 +++ b/crypto/x509/x509_def.c
 @@ -10,6 +10,7 @@

mingw-w64-openssl/0003-test_rand-use-the-better-chomp.patch

@@ -1,7 +1,7 @@
-From fbb81a899dabd443737e726fde930906fce5f846 Mon Sep 17 00:00:00 2001
+From 0eda9fae1ece0f89b08cbcfcf55fe0099711cf49 Mon Sep 17 00:00:00 2001
 From: Johannes Schindelin <johannes.schindelin@gmx.de>
 Date: Wed, 25 Oct 2023 17:10:17 +0200
-Subject: [PATCH 3/7] test_rand: use the "better chomp"
+Subject: [PATCH 3/9] test_rand: use the "better chomp"
 
 Following in the footsteps of
 https://github.com/openssl/openssl/commit/9ba96fbb2523cb12747c559c704c58bd8f9e7982

mingw-w64-openssl/0004-mingw32-broken-test.patch

@@ -1,14 +1,14 @@
-From c4e21984736e7837d0aa160f2007cc92c1d3710e Mon Sep 17 00:00:00 2001
+From d21e01aa7fa2981c3897fe8e170d03c66b3a2c1d Mon Sep 17 00:00:00 2001
 From: =?UTF-8?q?Matthias=20A=C3=9Fhauer?= <mha1993@live.de>
 Date: Fri, 24 Nov 2023 06:47:04 +0000
-Subject: [PATCH 4/7] mingw32-broken-test
+Subject: [PATCH 4/9] mingw32-broken-test
 
 ---
  test/asn1_time_test.c | 7 -------
  1 file changed, 7 deletions(-)
 
 diff --git a/test/asn1_time_test.c b/test/asn1_time_test.c
-index 32bc4ff..4d1fdbe 100644
+index 6e18cd0..450f470 100644
 --- a/test/asn1_time_test.c
 +++ b/test/asn1_time_test.c
 @@ -68,13 +68,6 @@ static const struct TESTDATA_asn1_to_utc asn1_to_utc[] = {

mingw-w64-openssl/0005-Fix-Text-comparison.patch

@@ -1,14 +1,18 @@
-From f208d3920935f0efeac542391305e5baffe47687 Mon Sep 17 00:00:00 2001
+From 2313d1d189ac8d0107778b69fd7d93093bc8546c Mon Sep 17 00:00:00 2001
 From: =?UTF-8?q?Matthias=20A=C3=9Fhauer?= <mha1993@live.de>
 Date: Tue, 16 Sep 2025 15:23:00 +0200
-Subject: [PATCH 5/7] Fix Text comparison
+Subject: [PATCH 5/9] Fix Text comparison
 
 0615d3a (Use text compare for PEM and text files, 2025-03-19) introduced perls
 compare_text into the tests, but didn't account for a scenario like our
 MINGW-Packages where openssl uses CRLF as an EOL, but the perl running the tests
 expects just LF.
 
 Teach the affected tests to compare while accounting for differences in EOLs.
+
+Since Git for Windows recently stopped building its own Perl and now uses
+the MSYS2-provided one, $^O reports 'cygwin' rather than 'msys'. Account
+for both values so the CRLF normalization fires in either case.
 ---
  test/recipes/15-test_dsaparam.t      |  3 +--
  test/recipes/15-test_ml_kem_codecs.t |  2 +-
@@ -48,7 +52,7 @@ index bebb8b8..71292f1 100644
  use OpenSSL::Glob;
  use OpenSSL::Test qw/:DEFAULT data_file srctop_file bldtop_dir/;
 diff --git a/test/recipes/15-test_pkey.t b/test/recipes/15-test_pkey.t
-index 70bb083..e01ccd6 100644
+index 1f23795..6dd7b09 100644
 --- a/test/recipes/15-test_pkey.t
 +++ b/test/recipes/15-test_pkey.t
 @@ -11,8 +11,8 @@ use warnings;
@@ -87,7 +91,7 @@ index 50cb01a..6d40cfd 100644
 
  setup("test_pkcs8");
 diff --git a/util/perl/OpenSSL/Test/Utils.pm b/util/perl/OpenSSL/Test/Utils.pm
-index 34eafc4..daeb155 100644
+index 34eafc4..7a70d53 100644
 --- a/util/perl/OpenSSL/Test/Utils.pm
 +++ b/util/perl/OpenSSL/Test/Utils.pm
 @@ -11,11 +11,12 @@ use strict;
@@ -108,7 +112,7 @@ index 34eafc4..daeb155 100644
      return $have_IPv6;
  }
 
-+if ($^O eq 'msys') {
++if ($^O eq 'msys' || $^O eq 'cygwin') {
 +    no warnings 'redefine';
 +    sub compare_text {
 +        return File::Compare::compare_text($_[0], $_[1], sub {$_[0]=~ s/\r\n/\n/;$_[1]=~ s/\r\n/\n/; $_[0] ne $_[1]});

mingw-w64-openssl/0006-Mangle-Absolute-path.patch

@@ -1,26 +1,30 @@
-From 2c09395d987f18c333b15b3a33f4f412a3aac7ff Mon Sep 17 00:00:00 2001
+From de78b43696852c8e403d40527e3478209545463f Mon Sep 17 00:00:00 2001
 From: =?UTF-8?q?Matthias=20A=C3=9Fhauer?= <mha1993@live.de>
 Date: Wed, 17 Sep 2025 10:53:00 +0200
-Subject: [PATCH 6/7] Mangle Absolute path
+Subject: [PATCH 6/9] Mangle Absolute path
 
 Test 25-test_verify.t tries to test some file:// URLs containing an absolute path,
 but perls abs_path() creates MSYS2 absolute paths in our case, which our native
 openssl doesn't understand.
 
 Run the path through cygpath to convert it into the expected format.
+
+Since Git for Windows recently stopped building its own Perl and now uses
+the MSYS2-provided one, $^O reports 'cygwin' rather than 'msys'. Account
+for both values so the cygpath conversion fires in either case.
 ---
  test/recipes/25-test_verify.t | 4 ++++
  1 file changed, 4 insertions(+)
 
 diff --git a/test/recipes/25-test_verify.t b/test/recipes/25-test_verify.t
-index 673c3d5..786a302 100644
+index ab8cdff..b7a6029 100644
 --- a/test/recipes/25-test_verify.t
 +++ b/test/recipes/25-test_verify.t
-@@ -614,6 +614,10 @@ my $foo_file = "cert.pem";
+@@ -626,6 +626,10 @@ my $foo_file = "cert.pem";
  copy($rootcert, $foo_file);
  ok(vfy_root("-CAstore", $foo_file), "CAstore foo:file");
  my $abs_cert = abs_path($rootcert);
-+if ($^O eq "msys") {
++if ($^O eq "msys" || $^O eq "cygwin") {
 +    $abs_cert = `cygpath -m $abs_cert`;
 +    chomp $abs_cert;
 +}

mingw-w64-openssl/0007-Fix-OS-detection.patch

@@ -1,28 +1,32 @@
-From f4413c73dc50a0b249bc7ca629dbf5906e7a23c1 Mon Sep 17 00:00:00 2001
+From 68e41868b1711ae6a4fee3e77e1f0bb37d9e1546 Mon Sep 17 00:00:00 2001
 From: =?UTF-8?q?Matthias=20A=C3=9Fhauer?= <mha1993@live.de>
 Date: Tue, 16 Sep 2025 17:29:00 +0200
-Subject: [PATCH 7/7] Fix OS detection
+Subject: [PATCH 7/9] Fix OS detection
 
 OpenSSL tests assume the perl that runs the tests to be native to the platform
 of the openssl being tested. This isn't the case for our MINGW-Packages.
 
 Teach the affected tests to treat msys perl the same as they would MSWin32 perl.
+
+Since Git for Windows recently stopped building its own Perl and now uses
+the MSYS2-provided one, $^O reports 'cygwin' rather than 'msys'. Account
+for both values in the OS detection guards.
 ---
  test/recipes/20-test_speed.t      | 4 ++--
  test/recipes/25-test_verify.t     | 4 ++--
  test/recipes/70-test_sslrecords.t | 2 +-
  3 files changed, 5 insertions(+), 5 deletions(-)
 
 diff --git a/test/recipes/20-test_speed.t b/test/recipes/20-test_speed.t
-index 3c3c5fa..1c37d5d 100644
+index c6a9824..cff981b 100644
 --- a/test/recipes/20-test_speed.t
 +++ b/test/recipes/20-test_speed.t
 @@ -29,7 +29,7 @@ ok(run(app(['openssl', 'speed', '-testmode'])),
 
  SKIP: {
      skip "Multi option is not supported by this OpenSSL build", 1
 -       if $^O =~ /^(VMS|MSWin32)$/;
-+       if $^O =~ /^(VMS|MSWin32|msys)$/;
++       if $^O =~ /^(VMS|MSWin32|msys|cygwin)$/;
 
      ok(run(app(['openssl', 'speed', '-testmode', '-multi', 2])),
             "Test the multi option");
@@ -31,42 +35,42 @@ index 3c3c5fa..1c37d5d 100644
  SKIP: {
      skip "Mlock option is not supported by this OpenSSL build", 1
 -       if $^O !~ /^(linux|MSWin32)$/;
-+       if $^O =~ /^(linux|MSWin32|msys)$/;
++       if $^O =~ /^(linux|MSWin32|msys|cygwin)$/;
 
         ok(run(app(['openssl', 'speed', '-testmode', '-mlock'])),
                "Test the mlock option");
 diff --git a/test/recipes/25-test_verify.t b/test/recipes/25-test_verify.t
-index 786a302..0f9b7b5 100644
+index b7a6029..4e1bb67 100644
 --- a/test/recipes/25-test_verify.t
 +++ b/test/recipes/25-test_verify.t
-@@ -605,7 +605,7 @@ ok(!vfy_root("-CAstore", "non-existing", "-CAfile", $rootcert), "CAfile and non-
+@@ -617,7 +617,7 @@ ok(!vfy_root("-CAstore", "non-existing", "-CAfile", $rootcert), "CAfile and non-
 
  SKIP: {
      skip "file names with colons aren't supported on Windows and VMS", 1
 -        if $^O =~ /^(MSWin32|VMS)$/;
-+        if $^O =~ /^(MsWin32|VMS|msys)$/;
++        if $^O =~ /^(MsWin32|VMS|msys|cygwin)$/;
      my $foo_file = "foo:cert.pem";
      copy($rootcert, $foo_file);
      ok(vfy_root("-CAstore", $foo_file), "CAstore foo:file");
-@@ -622,7 +622,7 @@ if ($^O eq "msys") {
+@@ -634,7 +634,7 @@ if ($^O eq "msys" || $^O eq "cygwin") {
  # file://authority/C:/what/ever/foo.pem and file:///C:/what/ever/foo.pem
  # file://C:/what/ever/foo.pem is non-standard and may not be accepted.
  # See RFC 8089 for details.
 -$abs_cert = "/" . $abs_cert if ($^O eq "MSWin32");
-+$abs_cert = "/" . $abs_cert if ($^O eq "MSWin32" or $^O eq "msys");
++$abs_cert = "/" . $abs_cert if ($^O eq "MSWin32" or $^O eq "msys" or $^O eq "cygwin");
  ok(vfy_root("-CAstore", "file://".$abs_cert), "CAstore file:///path");
  ok(vfy_root("-CAstore", "file://localhost".$abs_cert), "CAstore file://localhost/path");
  ok(!vfy_root("-CAstore", "file://otherhost".$abs_cert), "CAstore file://otherhost/path");
 diff --git a/test/recipes/70-test_sslrecords.t b/test/recipes/70-test_sslrecords.t
-index 299ecb6..8efbca4 100644
+index 299ecb6..13192e3 100644
 --- a/test/recipes/70-test_sslrecords.t
 +++ b/test/recipes/70-test_sslrecords.t
 @@ -43,7 +43,7 @@ SKIP: {
 
  SKIP: {
      skip "DTLS 1.2 is disabled", 22 if disabled("dtls1_2");
 -    skip "DTLSProxy does not work on Windows", 22 if $^O =~ /^(MSWin32)$/;
-+    skip "DTLSProxy does not work on Windows", 22 if $^O =~ /^(MSWin32|msys)$/;
++    skip "DTLSProxy does not work on Windows", 22 if $^O =~ /^(MSWin32|msys|cygwin)$/;
      run_tests(1);
  }
 

mingw-w64-openssl/0008-Define-SIO_UDP_NETRESET-if-necessary.patch

@@ -1,7 +1,7 @@
-From c3c28ed00601a2fbab8efbdc787cb0e1696b1fea Mon Sep 17 00:00:00 2001
+From f482755719e780a0655d1c0b8c1fcf1183a188b0 Mon Sep 17 00:00:00 2001
 From: Johannes Schindelin <johannes.schindelin@gmx.de>
 Date: Tue, 27 Jan 2026 17:48:43 +0100
-Subject: [PATCH] Define `SIO_UDP_NETRESET` if necessary
+Subject: [PATCH 8/9] Define `SIO_UDP_NETRESET` if necessary
 
 Older `mingw-w64-headers` versions seem not to define this constant, but
 OpenSSL started using it in v3.5.5.
@@ -12,7 +12,7 @@ Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
  1 file changed, 3 insertions(+)
 
 diff --git a/ssl/quic/quic_reactor.c b/ssl/quic/quic_reactor.c
-index 1a95f13..fd913c7 100644
+index c30bc3c..0c8c5ac 100644
 --- a/ssl/quic/quic_reactor.c
 +++ b/ssl/quic/quic_reactor.c
 @@ -15,6 +15,9 @@
@@ -25,6 +25,3 @@ index 1a95f13..fd913c7 100644
  #endif
 
  /*
--- 
-2.52.0.windows.1
-