aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorKris Kennaway <kris@FreeBSD.org>2001-02-18 03:17:36 +0000
committerKris Kennaway <kris@FreeBSD.org>2001-02-18 03:17:36 +0000
commitde7cdddab120ecc07d412749bfb3f191c4e0afe3 (patch)
tree5058ee297163944bfec8dbad8c8cad174f437d82
parentddd58736f08d9acef3606719eba2e38ed611705b (diff)
downloadsrc-de7cdddab120ecc07d412749bfb3f191c4e0afe3.tar.gz
src-de7cdddab120ecc07d412749bfb3f191c4e0afe3.zip
Import of OpenSSL 0.9.6-STABLE snapshot dated 2001-02-10
Notes
Notes: svn path=/vendor-crypto/openssl/dist/; revision=72613
-rw-r--r--crypto/openssl/CHANGES136
-rwxr-xr-xcrypto/openssl/Configure9
-rw-r--r--crypto/openssl/LICENSE2
-rw-r--r--crypto/openssl/Makefile.org3
-rw-r--r--crypto/openssl/STATUS92
-rw-r--r--crypto/openssl/TABLE2301
-rw-r--r--crypto/openssl/apps/app_rand.c6
-rw-r--r--crypto/openssl/apps/ca-cert.srl2
-rw-r--r--crypto/openssl/apps/dsaparam.c2
-rw-r--r--crypto/openssl/apps/passwd.c2
-rw-r--r--crypto/openssl/apps/pca-cert.srl2
-rw-r--r--crypto/openssl/apps/req.c9
-rw-r--r--crypto/openssl/apps/rsautl.c4
-rw-r--r--crypto/openssl/apps/server.pem16
-rw-r--r--crypto/openssl/certs/expired/rsa-ssca.pem19
-rwxr-xr-xcrypto/openssl/config13
-rw-r--r--crypto/openssl/crypto/Makefile.ssl3
-rw-r--r--crypto/openssl/crypto/asn1/Makefile.ssl3
-rw-r--r--crypto/openssl/crypto/asn1/a_strnid.c2
-rw-r--r--crypto/openssl/crypto/asn1/asn1_mac.h23
-rw-r--r--crypto/openssl/crypto/asn1/x_crl.c10
-rw-r--r--crypto/openssl/crypto/bf/Makefile.ssl3
-rw-r--r--crypto/openssl/crypto/bio/Makefile.ssl3
-rw-r--r--crypto/openssl/crypto/bio/b_sock.c14
-rw-r--r--crypto/openssl/crypto/bn/Makefile.ssl3
-rw-r--r--crypto/openssl/crypto/bn/asm/pa-risc2.s2
-rw-r--r--crypto/openssl/crypto/bn/asm/pa-risc2W.s2
-rw-r--r--crypto/openssl/crypto/bn/bn.h6
-rw-r--r--crypto/openssl/crypto/bn/bn_div.c6
-rw-r--r--crypto/openssl/crypto/bn/bn_err.c3
-rw-r--r--crypto/openssl/crypto/bn/bn_lib.c7
-rw-r--r--crypto/openssl/crypto/bn/bn_rand.c52
-rw-r--r--crypto/openssl/crypto/bn/bn_shift.c5
-rw-r--r--crypto/openssl/crypto/bn/bntest.c2
-rw-r--r--crypto/openssl/crypto/buffer/Makefile.ssl3
-rw-r--r--crypto/openssl/crypto/cast/Makefile.ssl3
-rw-r--r--crypto/openssl/crypto/comp/Makefile.ssl3
-rw-r--r--crypto/openssl/crypto/conf/Makefile.ssl3
-rw-r--r--crypto/openssl/crypto/conf/conf.h2
-rw-r--r--crypto/openssl/crypto/conf/conf_err.c2
-rw-r--r--crypto/openssl/crypto/conf/conf_lib.c84
-rw-r--r--crypto/openssl/crypto/des/Makefile.ssl3
-rw-r--r--crypto/openssl/crypto/dh/Makefile.ssl3
-rw-r--r--crypto/openssl/crypto/dsa/Makefile.ssl3
-rw-r--r--crypto/openssl/crypto/dsa/dsa_ossl.c10
-rw-r--r--crypto/openssl/crypto/dso/Makefile.ssl3
-rw-r--r--crypto/openssl/crypto/dso/dso_dl.c4
-rw-r--r--crypto/openssl/crypto/err/Makefile.ssl3
-rw-r--r--crypto/openssl/crypto/evp/Makefile.ssl3
-rw-r--r--crypto/openssl/crypto/evp/evp.h36
-rw-r--r--crypto/openssl/crypto/ex_data.c2
-rw-r--r--crypto/openssl/crypto/hmac/Makefile.ssl3
-rw-r--r--crypto/openssl/crypto/idea/Makefile.ssl3
-rw-r--r--crypto/openssl/crypto/lhash/Makefile.ssl3
-rw-r--r--crypto/openssl/crypto/md2/Makefile.ssl3
-rw-r--r--crypto/openssl/crypto/md4/Makefile.ssl3
-rw-r--r--crypto/openssl/crypto/md5/Makefile.ssl3
-rw-r--r--crypto/openssl/crypto/mdc2/Makefile.ssl3
-rw-r--r--crypto/openssl/crypto/mem_dbg.c10
-rw-r--r--crypto/openssl/crypto/objects/Makefile.ssl3
-rw-r--r--crypto/openssl/crypto/opensslv.h4
-rw-r--r--crypto/openssl/crypto/pem/Makefile.ssl3
-rw-r--r--crypto/openssl/crypto/pem/pem_info.c2
-rw-r--r--crypto/openssl/crypto/pkcs12/Makefile.ssl3
-rw-r--r--crypto/openssl/crypto/pkcs12/p12_attr.c2
-rw-r--r--crypto/openssl/crypto/pkcs12/p12_key.c2
-rw-r--r--crypto/openssl/crypto/pkcs12/p12_utl.c18
-rw-r--r--crypto/openssl/crypto/pkcs12/pkcs12.h2
-rw-r--r--crypto/openssl/crypto/pkcs7/Makefile.ssl3
-rw-r--r--crypto/openssl/crypto/pkcs7/pk7_mime.c6
-rw-r--r--crypto/openssl/crypto/rand/Makefile.ssl3
-rw-r--r--crypto/openssl/crypto/rand/rand_win.c2
-rw-r--r--crypto/openssl/crypto/rand/randfile.c5
-rw-r--r--crypto/openssl/crypto/rc2/Makefile.ssl3
-rw-r--r--crypto/openssl/crypto/rc4/Makefile.ssl3
-rw-r--r--crypto/openssl/crypto/rc5/Makefile.ssl3
-rw-r--r--crypto/openssl/crypto/ripemd/Makefile.ssl3
-rw-r--r--crypto/openssl/crypto/rsa/Makefile.ssl3
-rw-r--r--crypto/openssl/crypto/rsa/rsa_eay.c101
-rw-r--r--crypto/openssl/crypto/sha/Makefile.ssl3
-rw-r--r--crypto/openssl/crypto/sha/asm/sha1-586.pl12
-rw-r--r--crypto/openssl/crypto/stack/Makefile.ssl3
-rw-r--r--crypto/openssl/crypto/txt_db/Makefile.ssl3
-rw-r--r--crypto/openssl/crypto/x509/Makefile.ssl3
-rw-r--r--crypto/openssl/crypto/x509/by_dir.c2
-rw-r--r--crypto/openssl/crypto/x509v3/Makefile.ssl3
-rw-r--r--crypto/openssl/crypto/x509v3/v3_prn.c26
-rw-r--r--crypto/openssl/crypto/x509v3/v3_purp.c6
-rw-r--r--crypto/openssl/doc/crypto/BN_rand.pod12
-rw-r--r--crypto/openssl/doc/crypto/RAND_egd.pod35
-rw-r--r--crypto/openssl/doc/crypto/bn.pod1
-rw-r--r--crypto/openssl/doc/crypto/des.pod2
-rw-r--r--crypto/openssl/doc/crypto/evp.pod2
-rw-r--r--crypto/openssl/doc/ssl/SSL_CIPHER_get_name.pod67
-rw-r--r--crypto/openssl/doc/ssl/SSL_CTX_add_extra_chain_cert.pod38
-rw-r--r--crypto/openssl/doc/ssl/SSL_CTX_add_session.pod65
-rw-r--r--crypto/openssl/doc/ssl/SSL_CTX_flush_sessions.pod49
-rw-r--r--crypto/openssl/doc/ssl/SSL_CTX_get_ex_new_index.pod53
-rw-r--r--crypto/openssl/doc/ssl/SSL_CTX_get_verify_mode.pod50
-rw-r--r--crypto/openssl/doc/ssl/SSL_CTX_load_verify_locations.pod124
-rw-r--r--crypto/openssl/doc/ssl/SSL_CTX_new.pod9
-rw-r--r--crypto/openssl/doc/ssl/SSL_CTX_sess_set_cache_size.pod50
-rw-r--r--crypto/openssl/doc/ssl/SSL_CTX_sess_set_get_cb.pod81
-rw-r--r--crypto/openssl/doc/ssl/SSL_CTX_sessions.pod34
-rw-r--r--crypto/openssl/doc/ssl/SSL_CTX_set_cipher_list.pod4
-rw-r--r--crypto/openssl/doc/ssl/SSL_CTX_set_client_CA_list.pod90
-rw-r--r--crypto/openssl/doc/ssl/SSL_CTX_set_default_passwd_cb.pod70
-rw-r--r--crypto/openssl/doc/ssl/SSL_CTX_set_options.pod183
-rw-r--r--crypto/openssl/doc/ssl/SSL_CTX_set_session_cache_mode.pod106
-rw-r--r--crypto/openssl/doc/ssl/SSL_CTX_set_session_id_context.pod82
-rw-r--r--crypto/openssl/doc/ssl/SSL_CTX_set_timeout.pod55
-rw-r--r--crypto/openssl/doc/ssl/SSL_CTX_set_verify.pod284
-rw-r--r--crypto/openssl/doc/ssl/SSL_CTX_use_certificate.pod154
-rw-r--r--crypto/openssl/doc/ssl/SSL_SESSION_get_ex_new_index.pod61
-rw-r--r--crypto/openssl/doc/ssl/SSL_SESSION_get_time.pod63
-rw-r--r--crypto/openssl/doc/ssl/SSL_accept.pod2
-rw-r--r--crypto/openssl/doc/ssl/SSL_clear.pod2
-rw-r--r--crypto/openssl/doc/ssl/SSL_connect.pod4
-rw-r--r--crypto/openssl/doc/ssl/SSL_get_client_CA_list.pod52
-rw-r--r--crypto/openssl/doc/ssl/SSL_get_error.pod30
-rw-r--r--crypto/openssl/doc/ssl/SSL_get_ex_data_X509_STORE_CTX_idx.pod61
-rw-r--r--crypto/openssl/doc/ssl/SSL_get_ex_new_index.pod59
-rw-r--r--crypto/openssl/doc/ssl/SSL_load_client_CA_file.pod62
-rw-r--r--crypto/openssl/doc/ssl/SSL_new.pod1
-rw-r--r--crypto/openssl/doc/ssl/SSL_pending.pod13
-rw-r--r--crypto/openssl/doc/ssl/SSL_read.pod2
-rw-r--r--crypto/openssl/doc/ssl/SSL_set_session.pod3
-rw-r--r--crypto/openssl/doc/ssl/SSL_write.pod8
-rw-r--r--crypto/openssl/doc/ssl/d2i_SSL_SESSION.pod55
-rw-r--r--crypto/openssl/doc/ssl/ssl.pod139
-rw-r--r--crypto/openssl/doc/ssleay.txt2
-rw-r--r--crypto/openssl/e_os.h2
-rw-r--r--crypto/openssl/openssl.spec2
-rw-r--r--crypto/openssl/rsaref/Makefile.ssl3
-rw-r--r--crypto/openssl/ssl/Makefile.ssl3
-rw-r--r--crypto/openssl/ssl/s2_clnt.c1
-rw-r--r--crypto/openssl/ssl/s2_lib.c10
-rw-r--r--crypto/openssl/ssl/s2_pkt.c169
-rw-r--r--crypto/openssl/ssl/s3_both.c4
-rw-r--r--crypto/openssl/ssl/s3_clnt.c1
-rw-r--r--crypto/openssl/ssl/s3_lib.c88
-rw-r--r--crypto/openssl/ssl/s3_pkt.c24
-rw-r--r--crypto/openssl/ssl/s3_srvr.c1
-rw-r--r--crypto/openssl/ssl/ssl.h5
-rw-r--r--crypto/openssl/ssl/ssl2.h6
-rw-r--r--crypto/openssl/ssl/ssl_algs.c4
-rw-r--r--crypto/openssl/ssl/ssl_err.c3
-rw-r--r--crypto/openssl/ssl/ssl_lib.c3
-rw-r--r--crypto/openssl/ssl/ssl_locl.h55
-rw-r--r--crypto/openssl/ssl/ssl_sess.c1
-rw-r--r--crypto/openssl/test/Makefile.ssl2
-rwxr-xr-xcrypto/openssl/test/bctest84
-rwxr-xr-xcrypto/openssl/util/libeay.num6
-rwxr-xr-xcrypto/openssl/util/mkdef.pl26
154 files changed, 5666 insertions, 359 deletions
diff --git a/crypto/openssl/CHANGES b/crypto/openssl/CHANGES
index 87853c3b29d0..5f3556cc7fb7 100644
--- a/crypto/openssl/CHANGES
+++ b/crypto/openssl/CHANGES
@@ -2,6 +2,142 @@
OpenSSL CHANGES
_______________
+ Changes between 0.9.6 and 0.9.6a [xx XXX 2001]
+
+ *) Add new function BN_rand_range(), and fix DSA_sign_setup() to prevent
+ Bleichenbacher's DSA attack.
+ [Ulf Moeller]
+
+ *) In the NCONF_...-based implementations for CONF_... queries
+ (crypto/conf/conf_lib.c), if the input LHASH is NULL, avoid using
+ a temporary CONF structure with the data component set to NULL
+ (which gives segmentation faults in lh_retrieve).
+ Instead, use NULL for the CONF pointer in CONF_get_string and
+ CONF_get_number (which may use environment variables) and directly
+ return NULL from CONF_get_section.
+ [Bodo Moeller]
+
+ *) Fix potential buffer overrun for EBCDIC.
+ [Ulf Moeller]
+
+ *) Tolerate nonRepudiation as being valid for S/MIME signing and certSign
+ keyUsage if basicConstraints absent for a CA.
+ [Steve Henson]
+
+ *) Make SMIME_write_PKCS7() write mail header values with a format that
+ is more generally accepted (no spaces before the semicolon), since
+ some programs can't parse those values properly otherwise. Also make
+ sure BIO's that break lines after each write do not create invalid
+ headers.
+ [Richard Levitte]
+
+ *) Make the CRL encoding routines work with empty SEQUENCE OF. The
+ macros previously used would not encode an empty SEQUENCE OF
+ and break the signature.
+ [Steve Henson]
+
+ *) Zero the premaster secret after deriving the master secret in
+ DH ciphersuites.
+ [Steve Henson]
+
+ *) Add some EVP_add_digest_alias registrations (as found in
+ OpenSSL_add_all_digests()) to SSL_library_init()
+ aka OpenSSL_add_ssl_algorithms(). This provides improved
+ compatibility with peers using X.509 certificates
+ with unconventional AlgorithmIdentifier OIDs.
+ [Bodo Moeller]
+
+ *) Fix for Irix with NO_ASM.
+ ["Bruce W. Forsberg" <bruce.forsberg@baesystems.com>]
+
+ *) ./config script fixes.
+ [Ulf Moeller, Richard Levitte]
+
+ *) Fix 'openssl passwd -1'.
+ [Bodo Moeller]
+
+ *) Change PKCS12_key_gen_asc() so it can cope with non null
+ terminated strings whose length is passed in the passlen
+ parameter, for example from PEM callbacks. This was done
+ by adding an extra length parameter to asc2uni().
+ [Steve Henson, reported by <oddissey@samsung.co.kr>]
+
+ *) Fix C code generated by 'openssl dsaparam -C': If a BN_bin2bn
+ call failed, free the DSA structure.
+ [Bodo Moeller]
+
+ *) Fix to uni2asc() to cope with zero length Unicode strings.
+ These are present in some PKCS#12 files.
+ [Steve Henson]
+
+ *) Increase s2->wbuf allocation by one byte in ssl2_new (ssl/s2_lib.c).
+ Otherwise do_ssl_write (ssl/s2_pkt.c) will write beyond buffer limits
+ when writing a 32767 byte record.
+ [Bodo Moeller; problem reported by Eric Day <eday@concentric.net>]
+
+ *) In RSA_eay_public_{en,ed}crypt and RSA_eay_mod_exp (rsa_eay.c),
+ obtain lock CRYPTO_LOCK_RSA before setting rsa->_method_mod_{n,p,q}.
+
+ (RSA objects have a reference count access to which is protected
+ by CRYPTO_LOCK_RSA [see rsa_lib.c, s3_srvr.c, ssl_cert.c, ssl_rsa.c],
+ so they are meant to be shared between threads.)
+ [Bodo Moeller, Geoff Thorpe; original patch submitted by
+ "Reddie, Steven" <Steven.Reddie@ca.com>]
+
+ *) Fix a deadlock in CRYPTO_mem_leaks().
+ [Bodo Moeller]
+
+ *) rand_win.c fix for Borland C.
+ [Ulf Möller]
+
+ *) BN_rshift bugfix for n == 0.
+ [Bodo Moeller]
+
+ *) Store verify_result within SSL_SESSION also for client side to
+ avoid potential security hole. (Re-used sessions on the client side
+ always resulted in verify_result==X509_V_OK, not using the original
+ result of the server certificate verification.)
+ [Lutz Jaenicke]
+
+ *) Fix ssl3_pending: If the record in s->s3->rrec is not of type
+ SSL3_RT_APPLICATION_DATA, return 0.
+ Similarly, change ssl2_pending to return 0 if SSL_in_init(s) is true.
+ [Bodo Moeller]
+
+ *) Fix SSL_peek:
+ Both ssl2_peek and ssl3_peek, which were totally broken in earlier
+ releases, have been re-implemented by renaming the previous
+ implementations of ssl2_read and ssl3_read to ssl2_read_internal
+ and ssl3_read_internal, respectively, and adding 'peek' parameters
+ to them. The new ssl[23]_{read,peek} functions are calls to
+ ssl[23]_read_internal with the 'peek' flag set appropriately.
+ A 'peek' parameter has also been added to ssl3_read_bytes, which
+ does the actual work for ssl3_read_internal.
+ [Bodo Moeller]
+
+ *) Increase BN_CTX_NUM (the number of BIGNUMs in a BN_CTX) to 16.
+ The previous value, 12, was not always sufficient for BN_mod_exp().
+ [Bodo Moeller]
+
+ *) Fix typo in get_cert_by_subject() in by_dir.c
+ [Jean-Marc Desperrier <jean-marc.desperrier@certplus.com>]
+
+ *) Fix SSL_CTX_set_read_ahead macro to actually use its argument.
+
+ Copy SSL_CTX's read_ahead flag to SSL object directly in SSL_new
+ and not in SSL_clear because the latter is also used by the
+ accept/connect functions; previously, the settings made by
+ SSL_set_read_ahead would be lost during the handshake.
+ [Bodo Moeller; problems reported by Anders Gertz <gertz@epact.se>]
+
+ *) Correct util/mkdef.pl to be selective about disabled algorithms.
+ Previously, it would create entries for disableed algorithms no
+ matter what.
+ [Richard Levitte]
+
+ *) Added several new manual pages for SSL_* function.
+ [Lutz Jaenicke]
+
Changes between 0.9.5a and 0.9.6 [24 Sep 2000]
*) In ssl23_get_client_hello, generate an error message when faced
diff --git a/crypto/openssl/Configure b/crypto/openssl/Configure
index 340077873d0b..27981d4494a4 100755
--- a/crypto/openssl/Configure
+++ b/crypto/openssl/Configure
@@ -280,8 +280,8 @@ my %table=(
#
# <appro@fy.chalmers.se>
#
-"linux-alpha-gcc","gcc:-O3 -DL_ENDIAN -DTERMIO::-D_REENTRANT::SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_RISC1 DES_UNROLL:asm/alpha.o::",
-"linux-alpha+bwx-gcc","gcc:-O3 -DL_ENDIAN -DTERMIO::-D_REENTRANT::SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_RISC1 DES_UNROLL:asm/alpha.o::",
+"linux-alpha-gcc","gcc:-O3 -DL_ENDIAN -DTERMIO::-D_REENTRANT:-ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_RISC1 DES_UNROLL:asm/alpha.o:::::::::dlfcn:linux-shared:-fPIC",
+"linux-alpha+bwx-gcc","gcc:-O3 -DL_ENDIAN -DTERMIO::-D_REENTRANT:-ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_RISC1 DES_UNROLL:asm/alpha.o:::::::::dlfcn:linux-shared:-fPIC",
"linux-alpha-ccc","ccc:-fast -readonly_strings -DL_ENDIAN -DTERMIO::-D_REENTRANT::SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_INT DES_PTR DES_RISC1 DES_UNROLL:asm/alpha.o::",
"linux-alpha+bwx-ccc","ccc:-fast -readonly_strings -DL_ENDIAN -DTERMIO::-D_REENTRANT::SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_INT DES_PTR DES_RISC1 DES_UNROLL:asm/alpha.o::",
@@ -297,6 +297,7 @@ my %table=(
"linux-mips", "gcc:-DL_ENDIAN -DTERMIO -O3 -fomit-frame-pointer -Wall::(unknown)::BN_LLONG:::",
"linux-ppc", "gcc:-DB_ENDIAN -DTERMIO -O3 -fomit-frame-pointer -Wall::-D_REENTRANT::BN_LLONG::",
"linux-m68k", "gcc:-DB_ENDIAN -DTERMIO -O2 -fomit-frame-pointer -Wall::-D_REENTRANT::BN_LLONG::",
+"linux-s390", "gcc:-DB_ENDIAN -DTERMIO -O3 -fomit-frame-pointer -Wall::-D_REENTRANT::BN_LLONG::",
"linux-ia64", "gcc:-DL_ENDIAN -DTERMIO -O3 -fomit-frame-pointer -Wall::(unknown)::SIXTY_FOUR_BIT_LONG::",
"NetBSD-sparc", "gcc:-DTERMIOS -O3 -fomit-frame-pointer -mv8 -Wall -DB_ENDIAN::(unknown)::BN_LLONG MD2_CHAR RC4_INDEX DES_UNROLL:::",
"NetBSD-m68", "gcc:-DTERMIOS -O3 -fomit-frame-pointer -Wall -DB_ENDIAN::(unknown)::BN_LLONG MD2_CHAR RC4_INDEX DES_UNROLL:::",
@@ -719,6 +720,10 @@ if ($shared_cflag ne "")
$shared_mark2 = ".shlib.";
}
}
+else
+ {
+ $no_shared = 1;
+ }
#my ($bn1)=split(/\s+/,$bn_obj);
#$bn1 = "" unless defined $bn1;
diff --git a/crypto/openssl/LICENSE b/crypto/openssl/LICENSE
index bdd5f7bdd09b..3fd259ac323d 100644
--- a/crypto/openssl/LICENSE
+++ b/crypto/openssl/LICENSE
@@ -12,7 +12,7 @@
---------------
/* ====================================================================
- * Copyright (c) 1998-2000 The OpenSSL Project. All rights reserved.
+ * Copyright (c) 1998-2001 The OpenSSL Project. All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
diff --git a/crypto/openssl/Makefile.org b/crypto/openssl/Makefile.org
index c6f660954ba2..7c68e29086f4 100644
--- a/crypto/openssl/Makefile.org
+++ b/crypto/openssl/Makefile.org
@@ -462,7 +462,8 @@ install: all install_docs
if [ -f "$$i" ]; then \
( echo installing $$i; \
cp $$i $(INSTALL_PREFIX)$(INSTALLTOP)/lib; \
- $(RANLIB) $(INSTALL_PREFIX)$(INSTALLTOP)/lib/$$i; \
+ (echo $$i | grep '\\.a$$' > /dev/null 2>&1) \
+ && $(RANLIB) $(INSTALL_PREFIX)$(INSTALLTOP)/lib/$$i; \
chmod 644 $(INSTALL_PREFIX)$(INSTALLTOP)/lib/$$i ); \
fi \
done
diff --git a/crypto/openssl/STATUS b/crypto/openssl/STATUS
new file mode 100644
index 000000000000..028abb85abea
--- /dev/null
+++ b/crypto/openssl/STATUS
@@ -0,0 +1,92 @@
+
+ OpenSSL STATUS Last modified at
+ ______________ $Date: 2000/09/24 15:42:34 $
+
+ DEVELOPMENT STATE
+
+ o OpenSSL 0.9.6: Released on September 24th, 2000
+ o OpenSSL 0.9.5a: Released on April 1st, 2000
+ o OpenSSL 0.9.5: Released on February 28th, 2000
+ o OpenSSL 0.9.4: Released on August 09th, 1999
+ o OpenSSL 0.9.3a: Released on May 29th, 1999
+ o OpenSSL 0.9.3: Released on May 25th, 1999
+ o OpenSSL 0.9.2b: Released on March 22th, 1999
+ o OpenSSL 0.9.1c: Released on December 23th, 1998
+
+ RELEASE SHOWSTOPPERS
+
+ AVAILABLE PATCHES
+
+ o CA.pl patch (Damien Miller)
+
+ IN PROGRESS
+
+ o Steve is currently working on (in no particular order):
+ ASN1 code redesign, butchery, replacement.
+ EVP cipher enhancement.
+ Proper (or at least usable) certificate chain verification.
+ Private key, certificate and CRL API and implementation.
+ Developing and bugfixing PKCS#7 (S/MIME code).
+ Various X509 issues: character sets, certificate request extensions.
+ o Geoff and Richard are currently working on:
+ ENGINE (the new code that gives hardware support among others).
+ o Richard is currently working on:
+ UTIL (a new set of library functions to support some higher level
+ functionality that is currently missing).
+ Dynamic thread-lock support.
+ Shared library support for VMS.
+
+ NEEDS PATCH
+
+ o non-blocking socket on AIX
+ o $(PERL) in */Makefile.ssl
+ o "Sign the certificate?" - "n" creates empty certificate file
+
+ OPEN ISSUES
+
+ o internal_verify doesn't know about X509.v3 (basicConstraints
+ CA flag ...)
+
+ o The Makefile hierarchy and build mechanism is still not a round thing:
+
+ 1. The config vs. Configure scripts
+ It's the same nasty situation as for Apache with APACI vs.
+ src/Configure. It confuses.
+ Suggestion: Merge Configure and config into a single configure
+ script with a Autoconf style interface ;-) and remove
+ Configure and config. Or even let us use GNU Autoconf
+ itself. Then we can avoid a lot of those platform checks
+ which are currently in Configure.
+
+ o Support for Shared Libraries has to be added at least
+ for the major Unix platforms. The details we can rip from the stuff
+ Ralf has done for the Apache src/Configure script. Ben wants the
+ solution to be really simple.
+
+ Status: Ralf will look how we can easily incorporate the
+ compiler PIC and linker DSO flags from Apache
+ into the OpenSSL Configure script.
+
+ Ulf: +1 for using GNU autoconf and libtool (but not automake,
+ which apparently is not flexible enough to generate
+ libcrypto)
+
+
+ o The perl/ stuff needs a major overhaul. Currently it's
+ totally obsolete. Either we clean it up and enhance it to be up-to-date
+ with the C code or we also could replace it with the really nice
+ Net::SSLeay package we can find under
+ http://www.neuronio.pt/SSLeay.pm.html. Ralf uses this package for a
+ longer time and it works fine and is a nice Perl module. Best would be
+ to convince the author to work for the OpenSSL project and create a
+ Net::OpenSSL or Crypt::OpenSSL package out of it and maintains it for
+ us.
+
+ Status: Ralf thinks we should both contact the author of Net::SSLeay
+ and look how much effort it is to bring Eric's perl/ stuff up
+ to date.
+ Paul +1
+
+ WISHES
+
+ o
diff --git a/crypto/openssl/TABLE b/crypto/openssl/TABLE
new file mode 100644
index 000000000000..35421ceed48f
--- /dev/null
+++ b/crypto/openssl/TABLE
@@ -0,0 +1,2301 @@
+Output of `Configure TABLE':
+
+*** BC-16
+$cc = bcc
+$cflags =
+$unistd =
+$thread_cflag = (unknown)
+$lflags =
+$bn_ops = BN_LLONG DES_PTR RC4_INDEX SIXTEEN_BIT
+$bn_obj =
+$des_obj =
+$bf_obj =
+$md5_obj =
+$sha1_obj =
+$cast_obj =
+$rc4_obj =
+$rmd160_obj =
+$rc5_obj =
+$dso_scheme =
+$shared_target=
+$shared_cflag =
+
+*** BC-32
+$cc = bcc32
+$cflags =
+$unistd =
+$thread_cflag =
+$lflags =
+$bn_ops = BN_LLONG DES_PTR RC4_INDEX
+$bn_obj =
+$des_obj =
+$bf_obj =
+$md5_obj =
+$sha1_obj =
+$cast_obj =
+$rc4_obj =
+$rmd160_obj =
+$rc5_obj =
+$dso_scheme = win32
+$shared_target=
+$shared_cflag =
+
+*** BS2000-OSD
+$cc = c89
+$cflags = -O -XLLML -XLLMK -XL -DB_ENDIAN -DTERMIOS -DCHARSET_EBCDIC
+$unistd =
+$thread_cflag = (unknown)
+$lflags = -lsocket -lnsl
+$bn_ops = THIRTY_TWO_BIT DES_PTR DES_UNROLL MD2_CHAR RC4_INDEX RC4_CHAR BF_PTR
+$bn_obj =
+$des_obj =
+$bf_obj =
+$md5_obj =
+$sha1_obj =
+$cast_obj =
+$rc4_obj =
+$rmd160_obj =
+$rc5_obj =
+$dso_scheme =
+$shared_target=
+$shared_cflag =
+
+*** CygWin32
+$cc = gcc
+$cflags = -DTERMIOS -DL_ENDIAN -fomit-frame-pointer -O3 -m486 -Wall
+$unistd =
+$thread_cflag =
+$lflags =
+$bn_ops = BN_LLONG DES_PTR DES_RISC1 DES_UNROLL RC4_INDEX MD2_INT
+$bn_obj =
+$des_obj =
+$bf_obj =
+$md5_obj =
+$sha1_obj =
+$cast_obj =
+$rc4_obj =
+$rmd160_obj =
+$rc5_obj =
+$dso_scheme = win32
+$shared_target=
+$shared_cflag =
+
+*** FreeBSD
+$cc = gcc
+$cflags = -DTERMIOS -DL_ENDIAN -fomit-frame-pointer -O3 -m486 -Wall
+$unistd =
+$thread_cflag = (unknown)
+$lflags =
+$bn_ops = BN_LLONG DES_PTR DES_RISC1 DES_UNROLL RC4_INDEX MD2_INT
+$bn_obj = asm/bn86-out.o asm/co86-out.o
+$des_obj = asm/dx86-out.o asm/yx86-out.o
+$bf_obj = asm/bx86-out.o
+$md5_obj = asm/mx86-out.o
+$sha1_obj = asm/sx86-out.o
+$cast_obj = asm/cx86-out.o
+$rc4_obj = asm/rx86-out.o
+$rmd160_obj = asm/rm86-out.o
+$rc5_obj = asm/r586-out.o
+$dso_scheme =
+$shared_target=
+$shared_cflag =
+
+*** FreeBSD-alpha
+$cc = gcc
+$cflags = -DTERMIOS -O -fomit-frame-pointer
+$unistd =
+$thread_cflag = (unknown)
+$lflags =
+$bn_ops = SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_INT DES_PTR DES_RISC2
+$bn_obj =
+$des_obj =
+$bf_obj =
+$md5_obj =
+$sha1_obj =
+$cast_obj =
+$rc4_obj =
+$rmd160_obj =
+$rc5_obj =
+$dso_scheme =
+$shared_target=
+$shared_cflag =
+
+*** FreeBSD-elf
+$cc = gcc
+$cflags = -DTERMIOS -DL_ENDIAN -fomit-frame-pointer -O3 -m486 -Wall
+$unistd =
+$thread_cflag = (unknown)
+$lflags =
+$bn_ops = BN_LLONG DES_PTR DES_RISC1 DES_UNROLL RC4_INDEX MD2_INT
+$bn_obj = asm/bn86-elf.o asm/co86-elf.o
+$des_obj = asm/dx86-elf.o asm/yx86-elf.o
+$bf_obj = asm/bx86-elf.o
+$md5_obj = asm/mx86-elf.o
+$sha1_obj = asm/sx86-elf.o
+$cast_obj = asm/cx86-elf.o
+$rc4_obj = asm/rx86-elf.o
+$rmd160_obj = asm/rm86-elf.o
+$rc5_obj = asm/r586-elf.o
+$dso_scheme =
+$shared_target=
+$shared_cflag =
+
+*** MPE/iX-gcc
+$cc = gcc
+$cflags = -D_ENDIAN -DBN_DIV2W -O3 -DMPE -D_POSIX_SOURCE -D_SOCKET_SOURCE -I/SYSLOG/PUB
+$unistd =
+$thread_cflag = (unknown)
+$lflags = -L/SYSLOG/PUB -lsyslog -lsocket -lcurses
+$bn_ops = BN_LLONG DES_PTR DES_UNROLL DES_RISC1
+$bn_obj =
+$des_obj =
+$bf_obj =
+$md5_obj =
+$sha1_obj =
+$cast_obj =
+$rc4_obj =
+$rmd160_obj =
+$rc5_obj =
+$dso_scheme =
+$shared_target=
+$shared_cflag =
+
+*** Mingw32
+$cc = gcc
+$cflags = -DL_ENDIAN -fomit-frame-pointer -O3 -m486 -Wall
+$unistd =
+$thread_cflag =
+$lflags =
+$bn_ops = BN_LLONG DES_PTR DES_RISC1 DES_UNROLL RC4_INDEX MD2_INT
+$bn_obj =
+$des_obj =
+$bf_obj =
+$md5_obj =
+$sha1_obj =
+$cast_obj =
+$rc4_obj =
+$rmd160_obj =
+$rc5_obj =
+$dso_scheme = win32
+$shared_target=
+$shared_cflag =
+
+*** NetBSD-m68
+$cc = gcc
+$cflags = -DTERMIOS -O3 -fomit-frame-pointer -Wall -DB_ENDIAN
+$unistd =
+$thread_cflag = (unknown)
+$lflags =
+$bn_ops = BN_LLONG MD2_CHAR RC4_INDEX DES_UNROLL
+$bn_obj =
+$des_obj =
+$bf_obj =
+$md5_obj =
+$sha1_obj =
+$cast_obj =
+$rc4_obj =
+$rmd160_obj =
+$rc5_obj =
+$dso_scheme =
+$shared_target=
+$shared_cflag =
+
+*** NetBSD-sparc
+$cc = gcc
+$cflags = -DTERMIOS -O3 -fomit-frame-pointer -mv8 -Wall -DB_ENDIAN
+$unistd =
+$thread_cflag = (unknown)
+$lflags =
+$bn_ops = BN_LLONG MD2_CHAR RC4_INDEX DES_UNROLL
+$bn_obj =
+$des_obj =
+$bf_obj =
+$md5_obj =
+$sha1_obj =
+$cast_obj =
+$rc4_obj =
+$rmd160_obj =
+$rc5_obj =
+$dso_scheme =
+$shared_target=
+$shared_cflag =
+
+*** NetBSD-x86
+$cc = gcc
+$cflags = -DTERMIOS -O3 -fomit-frame-pointer -m486 -Wall
+$unistd =
+$thread_cflag = (unknown)
+$lflags =
+$bn_ops = BN_LLONG DES_PTR DES_RISC1 DES_UNROLL RC4_INDEX MD2_INT
+$bn_obj =
+$des_obj =
+$bf_obj =
+$md5_obj =
+$sha1_obj =
+$cast_obj =
+$rc4_obj =
+$rmd160_obj =
+$rc5_obj =
+$dso_scheme =
+$shared_target=
+$shared_cflag =
+
+*** OpenBSD
+$cc = gcc
+$cflags = -DTERMIOS -O3 -fomit-frame-pointer
+$unistd =
+$thread_cflag = (unknown)
+$lflags =
+$bn_ops = BN_LLONG RC2_CHAR RC4_INDEX DES_UNROLL
+$bn_obj =
+$des_obj =
+$bf_obj =
+$md5_obj =
+$sha1_obj =
+$cast_obj =
+$rc4_obj =
+$rmd160_obj =
+$rc5_obj =
+$dso_scheme =
+$shared_target=
+$shared_cflag =
+
+*** OpenBSD-alpha
+$cc = gcc
+$cflags = -DTERMIOS -O3 -fomit-frame-pointer
+$unistd =
+$thread_cflag = (unknown)
+$lflags =
+$bn_ops = SIXTY_FOUR_BIT_LONG DES_INT DES_PTR DES_RISC2
+$bn_obj =
+$des_obj =
+$bf_obj =
+$md5_obj =
+$sha1_obj =
+$cast_obj =
+$rc4_obj =
+$rmd160_obj =
+$rc5_obj =
+$dso_scheme =
+$shared_target=
+$shared_cflag =
+
+*** OpenBSD-mips
+$cc = gcc
+$cflags = -O2 -DL_ENDIAN
+$unistd =
+$thread_cflag = (unknown)
+$lflags = BN_LLONG MD2_CHAR RC4_INDEX RC4_CHAR DES_UNROLL DES_RISC2 DES_PTR BF_PTR
+$bn_ops =
+$bn_obj =
+$des_obj =
+$bf_obj =
+$md5_obj =
+$sha1_obj =
+$cast_obj =
+$rc4_obj =
+$rmd160_obj =
+$rc5_obj =
+$dso_scheme =
+$shared_target=
+$shared_cflag =
+
+*** OpenBSD-x86
+$cc = gcc
+$cflags = -DL_ENDIAN -DTERMIOS -O3 -fomit-frame-pointer -m486
+$unistd =
+$thread_cflag = (unknown)
+$lflags =
+$bn_ops = BN_LLONG DES_PTR DES_RISC1 DES_UNROLL RC4_INDEX MD2_INT
+$bn_obj = asm/bn86-out.o asm/co86-out.o
+$des_obj = asm/dx86-out.o asm/yx86-out.o
+$bf_obj = asm/bx86-out.o
+$md5_obj = asm/mx86-out.o
+$sha1_obj = asm/sx86-out.o
+$cast_obj = asm/cx86-out.o
+$rc4_obj = asm/rx86-out.o
+$rmd160_obj = asm/rm86-out.o
+$rc5_obj = asm/r586-out.o
+$dso_scheme = dlfcn
+$shared_target=
+$shared_cflag =
+
+*** ReliantUNIX
+$cc = cc
+$cflags = -KPIC -g -DSNI -DTERMIOS -DB_ENDIAN
+$unistd =
+$thread_cflag = -Kthread
+$lflags = -lsocket -lnsl -lc -L/usr/ucblib -lucb
+$bn_ops = BN_LLONG DES_PTR DES_RISC2 DES_UNROLL BF_PTR
+$bn_obj =
+$des_obj =
+$bf_obj =
+$md5_obj =
+$sha1_obj =
+$cast_obj =
+$rc4_obj =
+$rmd160_obj =
+$rc5_obj =
+$dso_scheme =
+$shared_target=
+$shared_cflag =
+
+*** SINIX
+$cc = cc
+$cflags = -O -DSNI
+$unistd =
+$thread_cflag = (unknown)
+$lflags = -lsocket -lnsl -lc -L/usr/ucblib -lucb
+$bn_ops = RC4_INDEX RC4_CHAR
+$bn_obj =
+$des_obj =
+$bf_obj =
+$md5_obj =
+$sha1_obj =
+$cast_obj =
+$rc4_obj =
+$rmd160_obj =
+$rc5_obj =
+$dso_scheme =
+$shared_target=
+$shared_cflag =
+
+*** SINIX-N
+$cc = /usr/ucb/cc
+$cflags = -O2 -misaligned
+$unistd =
+$thread_cflag = (unknown)
+$lflags = -lucb
+$bn_ops = RC4_INDEX RC4_CHAR
+$bn_obj =
+$des_obj =
+$bf_obj =
+$md5_obj =
+$sha1_obj =
+$cast_obj =
+$rc4_obj =
+$rmd160_obj =
+$rc5_obj =
+$dso_scheme =
+$shared_target=
+$shared_cflag =
+
+*** VC-MSDOS
+$cc = cl
+$cflags =
+$unistd =
+$thread_cflag = (unknown)
+$lflags =
+$bn_ops = BN_LLONG MD2_CHAR DES_UNROLL DES_PTR RC4_INDEX SIXTEEN_BIT
+$bn_obj =
+$des_obj =
+$bf_obj =
+$md5_obj =
+$sha1_obj =
+$cast_obj =
+$rc4_obj =
+$rmd160_obj =
+$rc5_obj =
+$dso_scheme =
+$shared_target=
+$shared_cflag =
+
+*** VC-NT
+$cc = cl
+$cflags =
+$unistd =
+$thread_cflag =
+$lflags =
+$bn_ops = BN_LLONG RC4_INDEX RC4_INDEX MD2_INT
+$bn_obj =
+$des_obj =
+$bf_obj =
+$md5_obj =
+$sha1_obj =
+$cast_obj =
+$rc4_obj =
+$rmd160_obj =
+$rc5_obj =
+$dso_scheme = win32
+$shared_target=
+$shared_cflag =
+
+*** VC-W31-16
+$cc = cl
+$cflags =
+$unistd =
+$thread_cflag = (unknown)
+$lflags =
+$bn_ops = BN_LLONG MD2_CHAR DES_UNROLL DES_PTR RC4_INDEX SIXTEEN_BIT
+$bn_obj =
+$des_obj =
+$bf_obj =
+$md5_obj =
+$sha1_obj =
+$cast_obj =
+$rc4_obj =
+$rmd160_obj =
+$rc5_obj =
+$dso_scheme =
+$shared_target=
+$shared_cflag =
+
+*** VC-W31-32
+$cc = cl
+$cflags =
+$unistd =
+$thread_cflag =
+$lflags =
+$bn_ops = BN_LLONG MD2_CHAR DES_UNROLL DES_PTR RC4_INDEX THIRTY_TWO_BIT
+$bn_obj =
+$des_obj =
+$bf_obj =
+$md5_obj =
+$sha1_obj =
+$cast_obj =
+$rc4_obj =
+$rmd160_obj =
+$rc5_obj =
+$dso_scheme =
+$shared_target=
+$shared_cflag =
+
+*** VC-WIN16
+$cc = cl
+$cflags =
+$unistd =
+$thread_cflag = (unknown)
+$lflags =
+$bn_ops = MD2_CHAR DES_UNROLL DES_PTR RC4_INDEX THIRTY_TWO_BIT
+$bn_obj =
+$des_obj =
+$bf_obj =
+$md5_obj =
+$sha1_obj =
+$cast_obj =
+$rc4_obj =
+$rmd160_obj =
+$rc5_obj =
+$dso_scheme =
+$shared_target=
+$shared_cflag =
+
+*** VC-WIN32
+$cc = cl
+$cflags =
+$unistd =
+$thread_cflag =
+$lflags =
+$bn_ops = BN_LLONG RC4_INDEX RC4_INDEX MD2_INT
+$bn_obj =
+$des_obj =
+$bf_obj =
+$md5_obj =
+$sha1_obj =
+$cast_obj =
+$rc4_obj =
+$rmd160_obj =
+$rc5_obj =
+$dso_scheme = win32
+$shared_target=
+$shared_cflag =
+
+*** aix-cc
+$cc = cc
+$cflags = -O -DAIX -DB_ENDIAN -qmaxmem=16384
+$unistd =
+$thread_cflag = (unknown)
+$lflags =
+$bn_ops = BN_LLONG RC4_CHAR
+$bn_obj =
+$des_obj =
+$bf_obj =
+$md5_obj =
+$sha1_obj =
+$cast_obj =
+$rc4_obj =
+$rmd160_obj =
+$rc5_obj =
+$dso_scheme =
+$shared_target=
+$shared_cflag =
+
+*** aix-gcc
+$cc = gcc
+$cflags = -O3 -DAIX -DB_ENDIAN
+$unistd =
+$thread_cflag = (unknown)
+$lflags =
+$bn_ops = BN_LLONG RC4_CHAR
+$bn_obj =
+$des_obj =
+$bf_obj =
+$md5_obj =
+$sha1_obj =
+$cast_obj =
+$rc4_obj =
+$rmd160_obj =
+$rc5_obj =
+$dso_scheme =
+$shared_target=
+$shared_cflag =
+
+*** alpha-cc
+$cc = cc
+$cflags = -std1 -tune host -O4 -readonly_strings
+$unistd =
+$thread_cflag = (unknown)
+$lflags =
+$bn_ops = SIXTY_FOUR_BIT_LONG RC4_CHUNK
+$bn_obj = asm/alpha.o
+$des_obj =
+$bf_obj =
+$md5_obj =
+$sha1_obj =
+$cast_obj =
+$rc4_obj =
+$rmd160_obj =
+$rc5_obj =
+$dso_scheme = dlfcn
+$shared_target= true64-shared
+$shared_cflag =
+
+*** alpha-gcc
+$cc = gcc
+$cflags = -O3
+$unistd =
+$thread_cflag = (unknown)
+$lflags =
+$bn_ops = SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_UNROLL DES_RISC1
+$bn_obj = asm/alpha.o
+$des_obj =
+$bf_obj =
+$md5_obj =
+$sha1_obj =
+$cast_obj =
+$rc4_obj =
+$rmd160_obj =
+$rc5_obj =
+$dso_scheme = dlfcn
+$shared_target= true64-shared
+$shared_cflag =
+
+*** alpha164-cc
+$cc = cc
+$cflags = -std1 -tune host -fast -readonly_strings
+$unistd =
+$thread_cflag = (unknown)
+$lflags =
+$bn_ops = SIXTY_FOUR_BIT_LONG RC4_CHUNK
+$bn_obj = asm/alpha.o
+$des_obj =
+$bf_obj =
+$md5_obj =
+$sha1_obj =
+$cast_obj =
+$rc4_obj =
+$rmd160_obj =
+$rc5_obj =
+$dso_scheme = dlfcn
+$shared_target= true64-shared
+$shared_cflag =
+
+*** bsdi-elf-gcc
+$cc = gcc
+$cflags = -DPERL5 -DL_ENDIAN -fomit-frame-pointer -O3 -m486 -Wall
+$unistd =
+$thread_cflag = (unknown)
+$lflags =
+$bn_ops = BN_LLONG DES_PTR DES_RISC1 DES_UNROLL RC4_INDEX MD2_INT
+$bn_obj = asm/bn86-elf.o asm/co86-elf.o
+$des_obj = asm/dx86-elf.o asm/yx86-elf.o
+$bf_obj = asm/bx86-elf.o
+$md5_obj = asm/mx86-elf.o
+$sha1_obj = asm/sx86-elf.o
+$cast_obj = asm/cx86-elf.o
+$rc4_obj = asm/rx86-elf.o
+$rmd160_obj = asm/rm86-elf.o
+$rc5_obj = asm/r586-elf.o
+$dso_scheme =
+$shared_target=
+$shared_cflag =
+
+*** bsdi-gcc
+$cc = gcc
+$cflags = -O3 -ffast-math -DL_ENDIAN -DPERL5 -m486
+$unistd =
+$thread_cflag = (unknown)
+$lflags =
+$bn_ops = RSA_LLONG DES_PTR DES_RISC1 DES_UNROLL RC4_INDEX MD2_INT
+$bn_obj = asm/bn86bsdi.o asm/co86bsdi.o
+$des_obj = asm/dx86bsdi.o asm/yx86bsdi.o
+$bf_obj = asm/bx86bsdi.o
+$md5_obj = asm/mx86bsdi.o
+$sha1_obj = asm/sx86bsdi.o
+$cast_obj = asm/cx86bsdi.o
+$rc4_obj = asm/rx86bsdi.o
+$rmd160_obj = asm/rm86bsdi.o
+$rc5_obj = asm/r586bsdi.o
+$dso_scheme =
+$shared_target=
+$shared_cflag =
+
+*** cc
+$cc = cc
+$cflags = -O
+$unistd =
+$thread_cflag = (unknown)
+$lflags =
+$bn_ops =
+$bn_obj =
+$des_obj =
+$bf_obj =
+$md5_obj =
+$sha1_obj =
+$cast_obj =
+$rc4_obj =
+$rmd160_obj =
+$rc5_obj =
+$dso_scheme =
+$shared_target=
+$shared_cflag =
+
+*** cray-t3e
+$cc = cc
+$cflags = -DBIT_FIELD_LIMITS -DTERMIOS
+$unistd =
+$thread_cflag = (unknown)
+$lflags =
+$bn_ops = SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_INT
+$bn_obj =
+$des_obj =
+$bf_obj =
+$md5_obj =
+$sha1_obj =
+$cast_obj =
+$rc4_obj =
+$rmd160_obj =
+$rc5_obj =
+$dso_scheme =
+$shared_target=
+$shared_cflag =
+
+*** cray-t90-cc
+$cc = cc
+$cflags = -DBIT_FIELD_LIMITS -DTERMIOS
+$unistd =
+$thread_cflag = (unknown)
+$lflags =
+$bn_ops = SIXTY_FOUR_BIT_LONG DES_INT
+$bn_obj =
+$des_obj =
+$bf_obj =
+$md5_obj =
+$sha1_obj =
+$cast_obj =
+$rc4_obj =
+$rmd160_obj =
+$rc5_obj =
+$dso_scheme =
+$shared_target=
+$shared_cflag =
+
+*** debug
+$cc = gcc
+$cflags = -DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG -ggdb -g2 -Wformat -Wshadow -Wmissing-prototypes -Wmissing-declarations -Werror
+$unistd =
+$thread_cflag = (unknown)
+$lflags = -lefence
+$bn_ops =
+$bn_obj =
+$des_obj =
+$bf_obj =
+$md5_obj =
+$sha1_obj =
+$cast_obj =
+$rc4_obj =
+$rmd160_obj =
+$rc5_obj =
+$dso_scheme =
+$shared_target=
+$shared_cflag =
+
+*** debug-ben
+$cc = gcc
+$cflags = -DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG -DPEDANTIC -DDEBUG_SAFESTACK -O2 -pedantic -Wall -Wshadow -Werror -pipe
+$unistd =
+$thread_cflag = (unknown)
+$lflags =
+$bn_ops =
+$bn_obj =
+$des_obj =
+$bf_obj =
+$md5_obj =
+$sha1_obj =
+$cast_obj =
+$rc4_obj =
+$rmd160_obj =
+$rc5_obj =
+$dso_scheme =
+$shared_target=
+$shared_cflag =
+
+*** debug-ben-debug
+$cc = gcc
+$cflags = -DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG -DPEDANTIC -DDEBUG_SAFESTACK -g3 -O2 -pedantic -Wall -Wshadow -Werror -pipe
+$unistd =
+$thread_cflag = (unknown)
+$lflags =
+$bn_ops =
+$bn_obj =
+$des_obj =
+$bf_obj =
+$md5_obj =
+$sha1_obj =
+$cast_obj =
+$rc4_obj =
+$rmd160_obj =
+$rc5_obj =
+$dso_scheme =
+$shared_target=
+$shared_cflag =
+
+*** debug-ben-strict
+$cc = gcc
+$cflags = -DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG -DCONST_STRICT -O2 -Wall -Wshadow -Werror -Wpointer-arith -Wcast-qual -Wwrite-strings -pipe
+$unistd =
+$thread_cflag = (unknown)
+$lflags =
+$bn_ops =
+$bn_obj =
+$des_obj =
+$bf_obj =
+$md5_obj =
+$sha1_obj =
+$cast_obj =
+$rc4_obj =
+$rmd160_obj =
+$rc5_obj =
+$dso_scheme =
+$shared_target=
+$shared_cflag =
+
+*** debug-bodo
+$cc = gcc
+$cflags = -DL_ENDIAN -DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG_ALL -DBIO_PAIR_DEBUG -g -m486 -pedantic -Wshadow -Wall
+$unistd =
+$thread_cflag = -D_REENTRANT
+$lflags =
+$bn_ops = BN_LLONG DES_PTR DES_RISC1 DES_UNROLL RC4_INDEX MD2_INT
+$bn_obj = asm/bn86-elf.o asm/co86-elf.o
+$des_obj = asm/dx86-elf.o asm/yx86-elf.o
+$bf_obj = asm/bx86-elf.o
+$md5_obj = asm/mx86-elf.o
+$sha1_obj = asm/sx86-elf.o
+$cast_obj = asm/cx86-elf.o
+$rc4_obj = asm/rx86-elf.o
+$rmd160_obj = asm/rm86-elf.o
+$rc5_obj = asm/r586-elf.o
+$dso_scheme =
+$shared_target=
+$shared_cflag =
+
+*** debug-levitte-linux-elf
+$cc = gcc
+$cflags = -DUSE_ALLOCATING_PRINT -DRL_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG -DNO_ASM -DL_ENDIAN -DTERMIO -D_POSIX_SOURCE -ggdb -g3 -m486 -pedantic -ansi -Wall -Wshadow -Wid-clash-31 -pipe
+$unistd =
+$thread_cflag = -D_REENTRANT
+$lflags = -ldl
+$bn_ops =
+$bn_obj =
+$des_obj =
+$bf_obj =
+$md5_obj =
+$sha1_obj =
+$cast_obj =
+$rc4_obj =
+$rmd160_obj =
+$rc5_obj =
+$dso_scheme = dlfcn
+$shared_target=
+$shared_cflag =
+
+*** debug-linux-elf
+$cc = gcc
+$cflags = -DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG -DL_ENDIAN -DTERMIO -g -m486 -Wall
+$unistd =
+$thread_cflag = -D_REENTRANT
+$lflags = -lefence -ldl
+$bn_ops = BN_LLONG DES_PTR DES_RISC1 DES_UNROLL RC4_INDEX MD2_INT
+$bn_obj = asm/bn86-elf.o asm/co86-elf.o
+$des_obj = asm/dx86-elf.o asm/yx86-elf.o
+$bf_obj = asm/bx86-elf.o
+$md5_obj = asm/mx86-elf.o
+$sha1_obj = asm/sx86-elf.o
+$cast_obj = asm/cx86-elf.o
+$rc4_obj = asm/rx86-elf.o
+$rmd160_obj = asm/rm86-elf.o
+$rc5_obj = asm/r586-elf.o
+$dso_scheme = dlfcn
+$shared_target=
+$shared_cflag =
+
+*** debug-linux-elf-noefence
+$cc = gcc
+$cflags = -DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG -DL_ENDIAN -DTERMIO -g -m486 -Wall
+$unistd =
+$thread_cflag = -D_REENTRANT
+$lflags = -ldl
+$bn_ops = BN_LLONG DES_PTR DES_RISC1 DES_UNROLL RC4_INDEX MD2_INT
+$bn_obj = asm/bn86-elf.o asm/co86-elf.o
+$des_obj = asm/dx86-elf.o asm/yx86-elf.o
+$bf_obj = asm/bx86-elf.o
+$md5_obj = asm/mx86-elf.o
+$sha1_obj = asm/sx86-elf.o
+$cast_obj = asm/cx86-elf.o
+$rc4_obj = asm/rx86-elf.o
+$rmd160_obj = asm/rm86-elf.o
+$rc5_obj = asm/r586-elf.o
+$dso_scheme = dlfcn
+$shared_target=
+$shared_cflag =
+
+*** debug-rse
+$cc = cc
+$cflags = -DTERMIOS -DL_ENDIAN -pipe -O -g -ggdb3 -Wall
+$unistd =
+$thread_cflag = (unknown)
+$lflags =
+$bn_ops = BN_LLONG DES_PTR DES_RISC1 DES_UNROLL RC4_INDEX MD2_INT
+$bn_obj = asm/bn86-elf.o asm/co86-elf.o
+$des_obj = asm/dx86-elf.o asm/yx86-elf.o
+$bf_obj = asm/bx86-elf.o
+$md5_obj = asm/mx86-elf.o
+$sha1_obj = asm/sx86-elf.o
+$cast_obj = asm/cx86-elf.o
+$rc4_obj = asm/rx86-elf.o
+$rmd160_obj = asm/rm86-elf.o
+$rc5_obj = asm/r586-elf.o
+$dso_scheme =
+$shared_target=
+$shared_cflag =
+
+*** debug-solaris-sparcv8-cc
+$cc = cc
+$cflags = -DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG_ALL -xarch=v8 -g -O -xstrconst -Xa -DB_ENDIAN -DBN_DIV2W
+$unistd =
+$thread_cflag = -D_REENTRANT
+$lflags = -lsocket -lnsl -ldl
+$bn_ops = BN_LLONG RC4_CHAR RC4_CHUNK DES_PTR DES_RISC1 DES_UNROLL BF_PTR
+$bn_obj = asm/sparcv8.o
+$des_obj =
+$bf_obj =
+$md5_obj =
+$sha1_obj =
+$cast_obj =
+$rc4_obj =
+$rmd160_obj =
+$rc5_obj =
+$dso_scheme = dlfcn
+$shared_target= solaris-shared
+$shared_cflag = -KPIC
+
+*** debug-solaris-sparcv8-gcc
+$cc = gcc
+$cflags = -DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG_ALL -O -g -mv8 -Wall -DB_ENDIAN
+$unistd =
+$thread_cflag = -D_REENTRANT
+$lflags = -lsocket -lnsl -ldl
+$bn_ops = BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR
+$bn_obj = asm/sparcv8.o
+$des_obj =
+$bf_obj =
+$md5_obj =
+$sha1_obj =
+$cast_obj =
+$rc4_obj =
+$rmd160_obj =
+$rc5_obj =
+$dso_scheme = dlfcn
+$shared_target= solaris-shared
+$shared_cflag = -fPIC
+
+*** debug-solaris-sparcv9-cc
+$cc = cc
+$cflags = -DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG_ALL -xtarget=ultra -xarch=v8plus -g -O -xstrconst -Xa -DB_ENDIAN -DBN_DIV2W -DULTRASPARC
+$unistd =
+$thread_cflag = -D_REENTRANT
+$lflags = -lsocket -lnsl -ldl
+$bn_ops = BN_LLONG RC4_CHAR RC4_CHUNK_LL DES_PTR DES_RISC1 DES_UNROLL BF_PTR
+$bn_obj = asm/sparcv8plus.o
+$des_obj =
+$bf_obj =
+$md5_obj = asm/md5-sparcv8plus.o
+$sha1_obj =
+$cast_obj =
+$rc4_obj =
+$rmd160_obj =
+$rc5_obj =
+$dso_scheme = dlfcn
+$shared_target= solaris-shared
+$shared_cflag = -KPIC
+
+*** debug-solaris-sparcv9-gcc
+$cc = gcc
+$cflags = -DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG_ALL -O -g -mcpu=ultrasparc -Wall -DB_ENDIAN
+$unistd =
+$thread_cflag = -D_REENTRANT
+$lflags = -lsocket -lnsl -ldl
+$bn_ops = BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR
+$bn_obj = asm/sparcv8plus.o
+$des_obj =
+$bf_obj =
+$md5_obj =
+$sha1_obj =
+$cast_obj =
+$rc4_obj =
+$rmd160_obj =
+$rc5_obj =
+$dso_scheme = dlfcn
+$shared_target= solaris-shared
+$shared_cflag = -fPIC
+
+*** debug-steve
+$cc = gcc
+$cflags = -DL_ENDIAN -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DDEBUG_SAFESTACK -DCRYPTO_MDEBUG_ALL -DPEDANTIC -g -O2 -m486 -pedantic -Wall -Werror -Wshadow -pipe
+$unistd =
+$thread_cflag = -D_REENTRANT
+$lflags =
+$bn_ops = DES_PTR DES_RISC1 DES_UNROLL RC4_INDEX MD2_INT
+$bn_obj = asm/bn86-elf.o asm/co86-elf.o
+$des_obj = asm/dx86-elf.o asm/yx86-elf.o
+$bf_obj = asm/bx86-elf.o
+$md5_obj = asm/mx86-elf.o
+$sha1_obj = asm/sx86-elf.o
+$cast_obj = asm/cx86-elf.o
+$rc4_obj = asm/rx86-elf.o
+$rmd160_obj = asm/rm86-elf.o
+$rc5_obj = asm/r586-elf.o
+$dso_scheme =
+$shared_target=
+$shared_cflag =
+
+*** debug-ulf
+$cc = gcc
+$cflags = -DL_ENDIAN -DREF_CHECK -DCONF_DEBUG -DBN_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG_ALL -g -O2 -m486 -Wall -Werror -Wshadow -pipe
+$unistd =
+$thread_cflag = -D_REENTRANT
+$lflags =
+$bn_ops = DES_PTR DES_RISC1 DES_UNROLL RC4_INDEX MD2_INT
+$bn_obj = asm/bn86-elf.o asm/co86-elf.o
+$des_obj = asm/dx86-elf.o asm/yx86-elf.o
+$bf_obj = asm/bx86-elf.o
+$md5_obj = asm/mx86-elf.o
+$sha1_obj = asm/sx86-elf.o
+$cast_obj = asm/cx86-elf.o
+$rc4_obj = asm/rx86-elf.o
+$rmd160_obj = asm/rm86-elf.o
+$rc5_obj = asm/r586-elf.o
+$dso_scheme =
+$shared_target=
+$shared_cflag =
+
+*** dgux-R3-gcc
+$cc = gcc
+$cflags = -O3 -fomit-frame-pointer
+$unistd =
+$thread_cflag = (unknown)
+$lflags =
+$bn_ops = RC4_INDEX DES_UNROLL
+$bn_obj =
+$des_obj =
+$bf_obj =
+$md5_obj =
+$sha1_obj =
+$cast_obj =
+$rc4_obj =
+$rmd160_obj =
+$rc5_obj =
+$dso_scheme =
+$shared_target=
+$shared_cflag =
+
+*** dgux-R4-gcc
+$cc = gcc
+$cflags = -O3 -fomit-frame-pointer
+$unistd =
+$thread_cflag = (unknown)
+$lflags = -lnsl -lsocket
+$bn_ops = RC4_INDEX
+$bn_obj = RC4_INDEX DES_UNROLL
+$des_obj =
+$bf_obj =
+$md5_obj =
+$sha1_obj =
+$cast_obj =
+$rc4_obj =
+$rmd160_obj =
+$rc5_obj =
+$dso_scheme =
+$shared_target=
+$shared_cflag =
+
+*** dgux-R4-x86-gcc
+$cc = gcc
+$cflags = -O3 -fomit-frame-pointer -DL_ENDIAN
+$unistd =
+$thread_cflag = (unknown)
+$lflags = -lnsl -lsocket
+$bn_ops = BN_LLONG DES_PTR DES_RISC1 DES_UNROLL RC4_INDEX MD2_INT
+$bn_obj = asm/bn86-elf.o asm/co86-elf.o
+$des_obj = asm/dx86-elf.o asm/yx86-elf.o
+$bf_obj = asm/bx86-elf.o
+$md5_obj = asm/mx86-elf.o
+$sha1_obj = asm/sx86-elf.o
+$cast_obj = asm/cx86-elf.o
+$rc4_obj = asm/rx86-elf.o
+$rmd160_obj = asm/rm86-elf.o
+$rc5_obj = asm/r586-elf.o
+$dso_scheme =
+$shared_target=
+$shared_cflag =
+
+*** dist
+$cc = cc
+$cflags = -O
+$unistd =
+$thread_cflag = (unknown)
+$lflags =
+$bn_ops =
+$bn_obj =
+$des_obj =
+$bf_obj =
+$md5_obj =
+$sha1_obj =
+$cast_obj =
+$rc4_obj =
+$rmd160_obj =
+$rc5_obj =
+$dso_scheme =
+$shared_target=
+$shared_cflag =
+
+*** gcc
+$cc = gcc
+$cflags = -O3
+$unistd =
+$thread_cflag = (unknown)
+$lflags =
+$bn_ops = BN_LLONG
+$bn_obj =
+$des_obj =
+$bf_obj =
+$md5_obj =
+$sha1_obj =
+$cast_obj =
+$rc4_obj =
+$rmd160_obj =
+$rc5_obj =
+$dso_scheme =
+$shared_target=
+$shared_cflag =
+
+*** hpux-brokencc
+$cc = cc
+$cflags = -DB_ENDIAN -DBN_DIV2W -Ae +ESlit +O2 -z
+$unistd =
+$thread_cflag = (unknown)
+$lflags = -ldld
+$bn_ops = DES_PTR DES_UNROLL DES_RISC1
+$bn_obj =
+$des_obj =
+$bf_obj =
+$md5_obj =
+$sha1_obj =
+$cast_obj =
+$rc4_obj =
+$rmd160_obj =
+$rc5_obj =
+$dso_scheme = dl
+$shared_target=
+$shared_cflag =
+
+*** hpux-brokengcc
+$cc = gcc
+$cflags = -DB_ENDIAN -DBN_DIV2W -O3
+$unistd =
+$thread_cflag = (unknown)
+$lflags = -ldld
+$bn_ops = DES_PTR DES_UNROLL DES_RISC1
+$bn_obj =
+$des_obj =
+$bf_obj =
+$md5_obj =
+$sha1_obj =
+$cast_obj =
+$rc4_obj =
+$rmd160_obj =
+$rc5_obj =
+$dso_scheme = dl
+$shared_target=
+$shared_cflag =
+
+*** hpux-cc
+$cc = cc
+$cflags = -DB_ENDIAN -DBN_DIV2W -DMD32_XARRAY -Ae +ESlit +O3 -z
+$unistd =
+$thread_cflag = (unknown)
+$lflags = -ldld
+$bn_ops = BN_LLONG DES_PTR DES_UNROLL DES_RISC1
+$bn_obj =
+$des_obj =
+$bf_obj =
+$md5_obj =
+$sha1_obj =
+$cast_obj =
+$rc4_obj =
+$rmd160_obj =
+$rc5_obj =
+$dso_scheme = dl
+$shared_target=
+$shared_cflag =
+
+*** hpux-gcc
+$cc = gcc
+$cflags = -DB_ENDIAN -DBN_DIV2W -O3
+$unistd =
+$thread_cflag = (unknown)
+$lflags = -ldld
+$bn_ops = BN_LLONG DES_PTR DES_UNROLL DES_RISC1
+$bn_obj =
+$des_obj =
+$bf_obj =
+$md5_obj =
+$sha1_obj =
+$cast_obj =
+$rc4_obj =
+$rmd160_obj =
+$rc5_obj =
+$dso_scheme = dl
+$shared_target=
+$shared_cflag =
+
+*** hpux-parisc-cc
+$cc = cc
+$cflags = +O3 +Optrs_strongly_typed +Olibcalls -Ae +ESlit -DB_ENDIAN -DBN_DIV2W -DMD32_XARRAY
+$unistd =
+$thread_cflag = -D_REENTRANT
+$lflags = -ldld
+$bn_ops = MD2_CHAR RC4_INDEX RC4_CHAR DES_UNROLL DES_RISC1 DES_INT
+$bn_obj =
+$des_obj =
+$bf_obj =
+$md5_obj =
+$sha1_obj =
+$cast_obj =
+$rc4_obj =
+$rmd160_obj =
+$rc5_obj =
+$dso_scheme = dl
+$shared_target=
+$shared_cflag =
+
+*** hpux-parisc-cc-o4
+$cc = cc
+$cflags = -Ae +O4 +ESlit -z -DB_ENDIAN -DBN_DIV2W -DMD32_XARRAY
+$unistd =
+$thread_cflag =
+$lflags = -ldld
+$bn_ops = BN_LLONG DES_PTR DES_UNROLL DES_RISC1
+$bn_obj =
+$des_obj =
+$bf_obj =
+$md5_obj =
+$sha1_obj =
+$cast_obj =
+$rc4_obj =
+$rmd160_obj =
+$rc5_obj =
+$dso_scheme = dl
+$shared_target=
+$shared_cflag =
+
+*** hpux-parisc-gcc
+$cc = gcc
+$cflags = -O3 -DB_ENDIAN -DBN_DIV2W
+$unistd =
+$thread_cflag =
+$lflags = -ldld
+$bn_ops = BN_LLONG DES_PTR DES_UNROLL DES_RISC1
+$bn_obj =
+$des_obj =
+$bf_obj =
+$md5_obj =
+$sha1_obj =
+$cast_obj =
+$rc4_obj =
+$rmd160_obj =
+$rc5_obj =
+$dso_scheme = dl
+$shared_target=
+$shared_cflag =
+
+*** hpux-parisc1_1-cc
+$cc = cc
+$cflags = +DA1.1 +DS1.1 +O3 +Optrs_strongly_typed +Olibcalls -Ae +ESlit -DB_ENDIAN -DMD32_XARRAY
+$unistd =
+$thread_cflag = -D_REENTRANT
+$lflags = -ldld
+$bn_ops = MD2_CHAR RC4_INDEX RC4_CHAR DES_UNROLL DES_RISC1 DES_INT
+$bn_obj =
+$des_obj =
+$bf_obj =
+$md5_obj =
+$sha1_obj =
+$cast_obj =
+$rc4_obj =
+$rmd160_obj =
+$rc5_obj =
+$dso_scheme = dl
+$shared_target=
+$shared_cflag =
+
+*** hpux-parisc2-cc
+$cc = cc
+$cflags = +DA2.0 +DS2.0 +O3 +Optrs_strongly_typed +Olibcalls -Ae +ESlit -DB_ENDIAN -DMD32_XARRAY
+$unistd =
+$thread_cflag = -D_REENTRANT
+$lflags = -ldld
+$bn_ops = SIXTY_FOUR_BIT MD2_CHAR RC4_INDEX RC4_CHAR DES_UNROLL DES_RISC1 DES_INT
+$bn_obj = asm/pa-risc2.o
+$des_obj =
+$bf_obj =
+$md5_obj =
+$sha1_obj =
+$cast_obj =
+$rc4_obj =
+$rmd160_obj =
+$rc5_obj =
+$dso_scheme = dl
+$shared_target=
+$shared_cflag =
+
+*** hpux10-brokencc
+$cc = cc
+$cflags = -DB_ENDIAN -DBN_DIV2W -Ae +ESlit +O2 -z
+$unistd =
+$thread_cflag = -D_REENTRANT
+$lflags = -ldld
+$bn_ops = BN_LLONG DES_PTR DES_UNROLL DES_RISC1
+$bn_obj =
+$des_obj =
+$bf_obj =
+$md5_obj =
+$sha1_obj =
+$cast_obj =
+$rc4_obj =
+$rmd160_obj =
+$rc5_obj =
+$dso_scheme = dl
+$shared_target=
+$shared_cflag =
+
+*** hpux10-brokengcc
+$cc = gcc
+$cflags = -DB_ENDIAN -DBN_DIV2W -O3
+$unistd =
+$thread_cflag = -D_REENTRANT
+$lflags = -ldld
+$bn_ops = DES_PTR DES_UNROLL DES_RISC1
+$bn_obj =
+$des_obj =
+$bf_obj =
+$md5_obj =
+$sha1_obj =
+$cast_obj =
+$rc4_obj =
+$rmd160_obj =
+$rc5_obj =
+$dso_scheme = dl
+$shared_target=
+$shared_cflag =
+
+*** hpux10-cc
+$cc = cc
+$cflags = -DB_ENDIAN -DBN_DIV2W -DMD32_XARRAY -Ae +ESlit +O3 -z
+$unistd =
+$thread_cflag = -D_REENTRANT
+$lflags = -ldld
+$bn_ops = BN_LLONG DES_PTR DES_UNROLL DES_RISC1
+$bn_obj =
+$des_obj =
+$bf_obj =
+$md5_obj =
+$sha1_obj =
+$cast_obj =
+$rc4_obj =
+$rmd160_obj =
+$rc5_obj =
+$dso_scheme = dl
+$shared_target=
+$shared_cflag =
+
+*** hpux10-gcc
+$cc = gcc
+$cflags = -DB_ENDIAN -DBN_DIV2W -O3
+$unistd =
+$thread_cflag = -D_REENTRANT
+$lflags = -ldld
+$bn_ops = BN_LLONG DES_PTR DES_UNROLL DES_RISC1
+$bn_obj =
+$des_obj =
+$bf_obj =
+$md5_obj =
+$sha1_obj =
+$cast_obj =
+$rc4_obj =
+$rmd160_obj =
+$rc5_obj =
+$dso_scheme = dl
+$shared_target=
+$shared_cflag =
+
+*** hpux64-parisc-cc
+$cc = cc
+$cflags = -Ae +DD64 +O3 +ESlit -z -DB_ENDIAN -DMD32_XARRAY
+$unistd =
+$thread_cflag = -D_REENTRANT
+$lflags = -ldl
+$bn_ops = SIXTY_FOUR_BIT_LONG MD2_CHAR RC4_INDEX RC4_CHAR DES_UNROLL DES_RISC1 DES_INT
+$bn_obj =
+$des_obj =
+$bf_obj =
+$md5_obj =
+$sha1_obj =
+$cast_obj =
+$rc4_obj =
+$rmd160_obj =
+$rc5_obj =
+$dso_scheme = dlfcn
+$shared_target=
+$shared_cflag =
+
+*** hpux64-parisc2-cc
+$cc = cc
+$cflags = +DD64 +O3 +Optrs_strongly_typed +Olibcalls -Ae +ESlit -DB_ENDIAN -DMD32_XARRAY
+$unistd =
+$thread_cflag = -D_REENTRANT
+$lflags = -ldl
+$bn_ops = SIXTY_FOUR_BIT_LONG MD2_CHAR RC4_INDEX RC4_CHAR DES_UNROLL DES_RISC1 DES_INT
+$bn_obj = asm/pa-risc2W.o
+$des_obj =
+$bf_obj =
+$md5_obj =
+$sha1_obj =
+$cast_obj =
+$rc4_obj =
+$rmd160_obj =
+$rc5_obj =
+$dso_scheme = dlfcn
+$shared_target=
+$shared_cflag =
+
+*** irix-cc
+$cc = cc
+$cflags = -O2 -use_readonly_const -DTERMIOS -DB_ENDIAN
+$unistd =
+$thread_cflag = (unknown)
+$lflags =
+$bn_ops = BN_LLONG RC4_CHAR RC4_CHUNK DES_PTR DES_RISC2 DES_UNROLL BF_PTR
+$bn_obj =
+$des_obj =
+$bf_obj =
+$md5_obj =
+$sha1_obj =
+$cast_obj =
+$rc4_obj =
+$rmd160_obj =
+$rc5_obj =
+$dso_scheme =
+$shared_target=
+$shared_cflag =
+
+*** irix-gcc
+$cc = gcc
+$cflags = -O3 -DTERMIOS -DB_ENDIAN
+$unistd =
+$thread_cflag = (unknown)
+$lflags =
+$bn_ops = BN_LLONG MD2_CHAR RC4_INDEX RC4_CHAR RC4_CHUNK DES_UNROLL DES_RISC2 DES_PTR BF_PTR
+$bn_obj =
+$des_obj =
+$bf_obj =
+$md5_obj =
+$sha1_obj =
+$cast_obj =
+$rc4_obj =
+$rmd160_obj =
+$rc5_obj =
+$dso_scheme =
+$shared_target=
+$shared_cflag =
+
+*** irix-mips3-cc
+$cc = cc
+$cflags = -n32 -O2 -use_readonly_const -DTERMIOS -DB_ENDIAN -DBN_DIV3W
+$unistd =
+$thread_cflag = -D_SGI_MP_SOURCE
+$lflags =
+$bn_ops = DES_PTR RC4_CHAR RC4_CHUNK_LL DES_RISC2 DES_UNROLL BF_PTR SIXTY_FOUR_BIT
+$bn_obj = asm/mips3.o
+$des_obj =
+$bf_obj =
+$md5_obj =
+$sha1_obj =
+$cast_obj =
+$rc4_obj =
+$rmd160_obj =
+$rc5_obj =
+$dso_scheme =
+$shared_target=
+$shared_cflag =
+
+*** irix-mips3-gcc
+$cc = gcc
+$cflags = -mabi=n32 -mmips-as -O3 -DTERMIOS -DB_ENDIAN -DBN_DIV3W
+$unistd =
+$thread_cflag = -D_SGI_MP_SOURCE
+$lflags =
+$bn_ops = MD2_CHAR RC4_INDEX RC4_CHAR RC4_CHUNK_LL DES_UNROLL DES_RISC2 DES_PTR BF_PTR SIXTY_FOUR_BIT
+$bn_obj = asm/mips3.o
+$des_obj =
+$bf_obj =
+$md5_obj =
+$sha1_obj =
+$cast_obj =
+$rc4_obj =
+$rmd160_obj =
+$rc5_obj =
+$dso_scheme =
+$shared_target=
+$shared_cflag =
+
+*** irix64-mips4-cc
+$cc = cc
+$cflags = -64 -mips4 -O2 -use_readonly_const -DTERMIOS -DB_ENDIAN -DBN_DIV3W
+$unistd =
+$thread_cflag = -D_SGI_MP_SOURCE
+$lflags =
+$bn_ops = RC4_CHAR RC4_CHUNK DES_RISC2 DES_UNROLL SIXTY_FOUR_BIT_LONG
+$bn_obj = asm/mips3.o
+$des_obj =
+$bf_obj =
+$md5_obj =
+$sha1_obj =
+$cast_obj =
+$rc4_obj =
+$rmd160_obj =
+$rc5_obj =
+$dso_scheme =
+$shared_target=
+$shared_cflag =
+
+*** irix64-mips4-gcc
+$cc = gcc
+$cflags = -mabi=64 -mips4 -mmips-as -O3 -DTERMIOS -DB_ENDIAN -DBN_DIV3W
+$unistd =
+$thread_cflag = -D_SGI_MP_SOURCE
+$lflags =
+$bn_ops = RC4_CHAR RC4_CHUNK DES_RISC2 DES_UNROLL SIXTY_FOUR_BIT_LONG
+$bn_obj = asm/mips3.o
+$des_obj =
+$bf_obj =
+$md5_obj =
+$sha1_obj =
+$cast_obj =
+$rc4_obj =
+$rmd160_obj =
+$rc5_obj =
+$dso_scheme =
+$shared_target=
+$shared_cflag =
+
+*** linux-alpha+bwx-ccc
+$cc = ccc
+$cflags = -fast -readonly_strings -DL_ENDIAN -DTERMIO
+$unistd =
+$thread_cflag = -D_REENTRANT
+$lflags =
+$bn_ops = SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_INT DES_PTR DES_RISC1 DES_UNROLL
+$bn_obj = asm/alpha.o
+$des_obj =
+$bf_obj =
+$md5_obj =
+$sha1_obj =
+$cast_obj =
+$rc4_obj =
+$rmd160_obj =
+$rc5_obj =
+$dso_scheme =
+$shared_target=
+$shared_cflag =
+
+*** linux-alpha+bwx-gcc
+$cc = gcc
+$cflags = -O3 -DL_ENDIAN -DTERMIO
+$unistd =
+$thread_cflag = -D_REENTRANT
+$lflags = -ldl
+$bn_ops = SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_RISC1 DES_UNROLL
+$bn_obj = asm/alpha.o
+$des_obj =
+$bf_obj =
+$md5_obj =
+$sha1_obj =
+$cast_obj =
+$rc4_obj =
+$rmd160_obj =
+$rc5_obj =
+$dso_scheme = dlfcn
+$shared_target= linux-shared
+$shared_cflag = -fPIC
+
+*** linux-alpha-ccc
+$cc = ccc
+$cflags = -fast -readonly_strings -DL_ENDIAN -DTERMIO
+$unistd =
+$thread_cflag = -D_REENTRANT
+$lflags =
+$bn_ops = SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_INT DES_PTR DES_RISC1 DES_UNROLL
+$bn_obj = asm/alpha.o
+$des_obj =
+$bf_obj =
+$md5_obj =
+$sha1_obj =
+$cast_obj =
+$rc4_obj =
+$rmd160_obj =
+$rc5_obj =
+$dso_scheme =
+$shared_target=
+$shared_cflag =
+
+*** linux-alpha-gcc
+$cc = gcc
+$cflags = -O3 -DL_ENDIAN -DTERMIO
+$unistd =
+$thread_cflag = -D_REENTRANT
+$lflags = -ldl
+$bn_ops = SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_RISC1 DES_UNROLL
+$bn_obj = asm/alpha.o
+$des_obj =
+$bf_obj =
+$md5_obj =
+$sha1_obj =
+$cast_obj =
+$rc4_obj =
+$rmd160_obj =
+$rc5_obj =
+$dso_scheme = dlfcn
+$shared_target= linux-shared
+$shared_cflag = -fPIC
+
+*** linux-aout
+$cc = gcc
+$cflags = -DL_ENDIAN -DTERMIO -O3 -fomit-frame-pointer -m486 -Wall
+$unistd =
+$thread_cflag = (unknown)
+$lflags =
+$bn_ops = BN_LLONG DES_PTR DES_RISC1 DES_UNROLL RC4_INDEX MD2_INT
+$bn_obj = asm/bn86-out.o asm/co86-out.o
+$des_obj = asm/dx86-out.o asm/yx86-out.o
+$bf_obj = asm/bx86-out.o
+$md5_obj = asm/mx86-out.o
+$sha1_obj = asm/sx86-out.o
+$cast_obj = asm/cx86-out.o
+$rc4_obj = asm/rx86-out.o
+$rmd160_obj = asm/rm86-out.o
+$rc5_obj = asm/r586-out.o
+$dso_scheme =
+$shared_target=
+$shared_cflag =
+
+*** linux-elf
+$cc = gcc
+$cflags = -DL_ENDIAN -DTERMIO -O3 -fomit-frame-pointer -m486 -Wall
+$unistd =
+$thread_cflag = -D_REENTRANT
+$lflags = -ldl
+$bn_ops = BN_LLONG DES_PTR DES_RISC1 DES_UNROLL RC4_INDEX MD2_INT
+$bn_obj = asm/bn86-elf.o asm/co86-elf.o
+$des_obj = asm/dx86-elf.o asm/yx86-elf.o
+$bf_obj = asm/bx86-elf.o
+$md5_obj = asm/mx86-elf.o
+$sha1_obj = asm/sx86-elf.o
+$cast_obj = asm/cx86-elf.o
+$rc4_obj = asm/rx86-elf.o
+$rmd160_obj = asm/rm86-elf.o
+$rc5_obj = asm/r586-elf.o
+$dso_scheme = dlfcn
+$shared_target= linux-shared
+$shared_cflag = -fPIC
+
+*** linux-elf-arm
+$cc = gcc
+$cflags = -DL_ENDIAN -DTERMIO -O3 -fomit-frame-pointer -Wall
+$unistd =
+$thread_cflag = -D_REENTRANT
+$lflags =
+$bn_ops = BN_LLONG
+$bn_obj =
+$des_obj =
+$bf_obj =
+$md5_obj =
+$sha1_obj =
+$cast_obj =
+$rc4_obj =
+$rmd160_obj =
+$rc5_obj =
+$dso_scheme = dlfcn
+$shared_target= linux-shared
+$shared_cflag = -fPIC
+
+*** linux-ia64
+$cc = gcc
+$cflags = -DL_ENDIAN -DTERMIO -O3 -fomit-frame-pointer -Wall
+$unistd =
+$thread_cflag = (unknown)
+$lflags =
+$bn_ops = SIXTY_FOUR_BIT_LONG
+$bn_obj =
+$des_obj =
+$bf_obj =
+$md5_obj =
+$sha1_obj =
+$cast_obj =
+$rc4_obj =
+$rmd160_obj =
+$rc5_obj =
+$dso_scheme =
+$shared_target=
+$shared_cflag =
+
+*** linux-m68k
+$cc = gcc
+$cflags = -DB_ENDIAN -DTERMIO -O2 -fomit-frame-pointer -Wall
+$unistd =
+$thread_cflag = -D_REENTRANT
+$lflags =
+$bn_ops = BN_LLONG
+$bn_obj =
+$des_obj =
+$bf_obj =
+$md5_obj =
+$sha1_obj =
+$cast_obj =
+$rc4_obj =
+$rmd160_obj =
+$rc5_obj =
+$dso_scheme =
+$shared_target=
+$shared_cflag =
+
+*** linux-mips
+$cc = gcc
+$cflags = -DL_ENDIAN -DTERMIO -O3 -fomit-frame-pointer -Wall
+$unistd =
+$thread_cflag = (unknown)
+$lflags =
+$bn_ops = BN_LLONG
+$bn_obj =
+$des_obj =
+$bf_obj =
+$md5_obj =
+$sha1_obj =
+$cast_obj =
+$rc4_obj =
+$rmd160_obj =
+$rc5_obj =
+$dso_scheme =
+$shared_target=
+$shared_cflag =
+
+*** linux-ppc
+$cc = gcc
+$cflags = -DB_ENDIAN -DTERMIO -O3 -fomit-frame-pointer -Wall
+$unistd =
+$thread_cflag = -D_REENTRANT
+$lflags =
+$bn_ops = BN_LLONG
+$bn_obj =
+$des_obj =
+$bf_obj =
+$md5_obj =
+$sha1_obj =
+$cast_obj =
+$rc4_obj =
+$rmd160_obj =
+$rc5_obj =
+$dso_scheme =
+$shared_target=
+$shared_cflag =
+
+*** linux-sparcv7
+$cc = gcc
+$cflags = -DB_ENDIAN -DTERMIO -O3 -fomit-frame-pointer -Wall
+$unistd =
+$thread_cflag = -D_REENTRANT
+$lflags =
+$bn_ops = BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR
+$bn_obj =
+$des_obj =
+$bf_obj =
+$md5_obj =
+$sha1_obj =
+$cast_obj =
+$rc4_obj =
+$rmd160_obj =
+$rc5_obj =
+$dso_scheme =
+$shared_target=
+$shared_cflag =
+
+*** linux-sparcv8
+$cc = gcc
+$cflags = -mv8 -DB_ENDIAN -DTERMIO -O3 -fomit-frame-pointer -Wall -DBN_DIV2W
+$unistd =
+$thread_cflag = -D_REENTRANT
+$lflags =
+$bn_ops = BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR
+$bn_obj = asm/sparcv8.o
+$des_obj =
+$bf_obj =
+$md5_obj =
+$sha1_obj =
+$cast_obj =
+$rc4_obj =
+$rmd160_obj =
+$rc5_obj =
+$dso_scheme =
+$shared_target=
+$shared_cflag =
+
+*** linux-sparcv9
+$cc = gcc
+$cflags = -mcpu=ultrasparc -DB_ENDIAN -DTERMIO -O3 -fomit-frame-pointer -Wall -Wa,-Av8plus -DULTRASPARC -DBN_DIV2W
+$unistd =
+$thread_cflag = -D_REENTRANT
+$lflags =
+$bn_ops = BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR
+$bn_obj = asm/sparcv8plus.o
+$des_obj =
+$bf_obj =
+$md5_obj = asm/md5-sparcv8plus.o
+$sha1_obj =
+$cast_obj =
+$rc4_obj =
+$rmd160_obj =
+$rc5_obj =
+$dso_scheme =
+$shared_target=
+$shared_cflag =
+
+*** ncr-scde
+$cc = cc
+$cflags = -O6 -Xa -Hoff=BEHAVED -686 -Hwide -Hiw
+$unistd =
+$thread_cflag = (unknown)
+$lflags = -lsocket -lnsl
+$bn_ops = DES_PTR DES_RISC1 DES_UNROLL RC4_INDEX MD2_INT
+$bn_obj =
+$des_obj =
+$bf_obj =
+$md5_obj =
+$sha1_obj =
+$cast_obj =
+$rc4_obj =
+$rmd160_obj =
+$rc5_obj =
+$dso_scheme =
+$shared_target=
+$shared_cflag =
+
+*** newsos4-gcc
+$cc = gcc
+$cflags = -O -DB_ENDIAN -DNEWS4
+$unistd =
+$thread_cflag = (unknown)
+$lflags = -lmld -liberty
+$bn_ops = BN_LLONG RC4_CHAR RC4_CHUNK DES_PTR DES_RISC1 DES_UNROLL BF_PTR
+$bn_obj =
+$des_obj =
+$bf_obj =
+$md5_obj =
+$sha1_obj =
+$cast_obj =
+$rc4_obj =
+$rmd160_obj =
+$rc5_obj =
+$dso_scheme =
+$shared_target=
+$shared_cflag =
+
+*** nextstep
+$cc = cc
+$cflags = -O -Wall
+$unistd = <libc.h>
+$thread_cflag = (unknown)
+$lflags =
+$bn_ops = BN_LLONG DES_PTR DES_RISC1 DES_UNROLL RC4_INDEX MD2_INT
+$bn_obj =
+$des_obj =
+$bf_obj =
+$md5_obj =
+$sha1_obj =
+$cast_obj =
+$rc4_obj =
+$rmd160_obj =
+$rc5_obj =
+$dso_scheme =
+$shared_target=
+$shared_cflag =
+
+*** nextstep3.3
+$cc = cc
+$cflags = -O3 -Wall
+$unistd = <libc.h>
+$thread_cflag = (unknown)
+$lflags =
+$bn_ops = BN_LLONG DES_PTR DES_RISC1 DES_UNROLL RC4_INDEX MD2_INT
+$bn_obj =
+$des_obj =
+$bf_obj =
+$md5_obj =
+$sha1_obj =
+$cast_obj =
+$rc4_obj =
+$rmd160_obj =
+$rc5_obj =
+$dso_scheme =
+$shared_target=
+$shared_cflag =
+
+*** purify
+$cc = purify gcc
+$cflags = -g -DPURIFY -Wall
+$unistd =
+$thread_cflag = (unknown)
+$lflags = -lsocket -lnsl
+$bn_ops =
+$bn_obj =
+$des_obj =
+$bf_obj =
+$md5_obj =
+$sha1_obj =
+$cast_obj =
+$rc4_obj =
+$rmd160_obj =
+$rc5_obj =
+$dso_scheme =
+$shared_target=
+$shared_cflag =
+
+*** qnx4
+$cc = cc
+$cflags = -DL_ENDIAN -DTERMIO
+$unistd =
+$thread_cflag = (unknown)
+$lflags =
+$bn_ops = DES_PTR DES_RISC1 DES_UNROLL RC4_INDEX MD2_INT
+$bn_obj =
+$des_obj =
+$bf_obj =
+$md5_obj =
+$sha1_obj =
+$cast_obj =
+$rc4_obj =
+$rmd160_obj =
+$rc5_obj =
+$dso_scheme =
+$shared_target=
+$shared_cflag =
+
+*** rhapsody-ppc-cc
+$cc = cc
+$cflags = -O3 -DB_ENDIAN
+$unistd =
+$thread_cflag = (unknown)
+$lflags =
+$bn_ops = BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR
+$bn_obj =
+$des_obj =
+$bf_obj =
+$md5_obj =
+$sha1_obj =
+$cast_obj =
+$rc4_obj =
+$rmd160_obj =
+$rc5_obj =
+$dso_scheme =
+$shared_target=
+$shared_cflag =
+
+*** sco5-cc
+$cc = cc
+$cflags =
+$unistd =
+$thread_cflag = (unknown)
+$lflags = -lsocket
+$bn_ops = DES_PTR DES_RISC1 DES_UNROLL RC4_INDEX MD2_INT
+$bn_obj =
+$des_obj =
+$bf_obj =
+$md5_obj =
+$sha1_obj =
+$cast_obj =
+$rc4_obj =
+$rmd160_obj =
+$rc5_obj =
+$dso_scheme =
+$shared_target=
+$shared_cflag =
+
+*** sco5-gcc
+$cc = gcc
+$cflags = -O3 -fomit-frame-pointer
+$unistd =
+$thread_cflag = (unknown)
+$lflags = -lsocket
+$bn_ops = BN_LLONG DES_PTR DES_RISC1 DES_UNROLL RC4_INDEX MD2_INT
+$bn_obj =
+$des_obj =
+$bf_obj =
+$md5_obj =
+$sha1_obj =
+$cast_obj =
+$rc4_obj =
+$rmd160_obj =
+$rc5_obj =
+$dso_scheme =
+$shared_target=
+$shared_cflag =
+
+*** solaris-sparc-sc3
+$cc = cc
+$cflags = -fast -O -Xa -DB_ENDIAN
+$unistd =
+$thread_cflag = -D_REENTRANT
+$lflags = -lsocket -lnsl -ldl
+$bn_ops = BN_LLONG RC4_CHAR RC4_CHUNK DES_PTR DES_UNROLL BF_PTR
+$bn_obj =
+$des_obj =
+$bf_obj =
+$md5_obj =
+$sha1_obj =
+$cast_obj =
+$rc4_obj =
+$rmd160_obj =
+$rc5_obj =
+$dso_scheme = dlfcn
+$shared_target= solaris-shared
+$shared_cflag = -KPIC
+
+*** solaris-sparcv7-cc
+$cc = cc
+$cflags = -xO5 -xstrconst -xdepend -Xa -DB_ENDIAN -DBN_DIV2W
+$unistd =
+$thread_cflag = -D_REENTRANT
+$lflags = -lsocket -lnsl -ldl
+$bn_ops = BN_LLONG RC4_CHAR RC4_CHUNK DES_PTR DES_RISC1 DES_UNROLL BF_PTR
+$bn_obj =
+$des_obj =
+$bf_obj =
+$md5_obj =
+$sha1_obj =
+$cast_obj =
+$rc4_obj =
+$rmd160_obj =
+$rc5_obj =
+$dso_scheme = dlfcn
+$shared_target= solaris-shared
+$shared_cflag = -KPIC
+
+*** solaris-sparcv7-gcc
+$cc = gcc
+$cflags = -O3 -fomit-frame-pointer -Wall -DB_ENDIAN -DBN_DIV2W
+$unistd =
+$thread_cflag = -D_REENTRANT
+$lflags = -lsocket -lnsl -ldl
+$bn_ops = BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR
+$bn_obj =
+$des_obj =
+$bf_obj =
+$md5_obj =
+$sha1_obj =
+$cast_obj =
+$rc4_obj =
+$rmd160_obj =
+$rc5_obj =
+$dso_scheme = dlfcn
+$shared_target= solaris-shared
+$shared_cflag = -fPIC
+
+*** solaris-sparcv8-cc
+$cc = cc
+$cflags = -xarch=v8 -xO5 -xstrconst -xdepend -Xa -DB_ENDIAN -DBN_DIV2W
+$unistd =
+$thread_cflag = -D_REENTRANT
+$lflags = -lsocket -lnsl -ldl
+$bn_ops = BN_LLONG RC4_CHAR RC4_CHUNK DES_PTR DES_RISC1 DES_UNROLL BF_PTR
+$bn_obj = asm/sparcv8.o
+$des_obj =
+$bf_obj =
+$md5_obj =
+$sha1_obj =
+$cast_obj =
+$rc4_obj =
+$rmd160_obj =
+$rc5_obj =
+$dso_scheme = dlfcn
+$shared_target= solaris-shared
+$shared_cflag = -KPIC
+
+*** solaris-sparcv8-gcc
+$cc = gcc
+$cflags = -mv8 -O3 -fomit-frame-pointer -Wall -DB_ENDIAN -DBN_DIV2W
+$unistd =
+$thread_cflag = -D_REENTRANT
+$lflags = -lsocket -lnsl -ldl
+$bn_ops = BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR
+$bn_obj = asm/sparcv8.o
+$des_obj =
+$bf_obj =
+$md5_obj =
+$sha1_obj =
+$cast_obj =
+$rc4_obj =
+$rmd160_obj =
+$rc5_obj =
+$dso_scheme = dlfcn
+$shared_target= solaris-shared
+$shared_cflag = -fPIC
+
+*** solaris-sparcv9-cc
+$cc = cc
+$cflags = -xtarget=ultra -xarch=v8plus -xO5 -xstrconst -xdepend -Xa -DB_ENDIAN -DBN_DIV2W -DULTRASPARC
+$unistd =
+$thread_cflag = -D_REENTRANT
+$lflags = -lsocket -lnsl -ldl
+$bn_ops = BN_LLONG RC4_CHAR RC4_CHUNK_LL DES_PTR DES_RISC1 DES_UNROLL BF_PTR
+$bn_obj = asm/sparcv8plus.o
+$des_obj =
+$bf_obj =
+$md5_obj = asm/md5-sparcv8plus.o
+$sha1_obj =
+$cast_obj =
+$rc4_obj =
+$rmd160_obj =
+$rc5_obj =
+$dso_scheme = dlfcn
+$shared_target= solaris-shared
+$shared_cflag = -KPIC
+
+*** solaris-sparcv9-gcc
+$cc = gcc
+$cflags = -mcpu=ultrasparc -O3 -fomit-frame-pointer -Wall -DB_ENDIAN -DBN_DIV2W -DULTRASPARC
+$unistd =
+$thread_cflag = -D_REENTRANT
+$lflags = -lsocket -lnsl -ldl
+$bn_ops = BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR
+$bn_obj = asm/sparcv8plus.o
+$des_obj =
+$bf_obj =
+$md5_obj = asm/md5-sparcv8plus.o
+$sha1_obj =
+$cast_obj =
+$rc4_obj =
+$rmd160_obj =
+$rc5_obj =
+$dso_scheme = dlfcn
+$shared_target= solaris-shared
+$shared_cflag = -fPIC
+
+*** solaris-sparcv9-gcc27
+$cc = gcc
+$cflags = -mv8 -O3 -fomit-frame-pointer -Wall -DB_ENDIAN -DBN_DIV2W -DULTRASPARC
+$unistd =
+$thread_cflag = -D_REENTRANT
+$lflags = -lsocket -lnsl -ldl
+$bn_ops = BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR
+$bn_obj = asm/sparcv8plus-gcc27.o
+$des_obj =
+$bf_obj =
+$md5_obj = asm/md5-sparcv8plus-gcc27.o
+$sha1_obj =
+$cast_obj =
+$rc4_obj =
+$rmd160_obj =
+$rc5_obj =
+$dso_scheme = dlfcn
+$shared_target= solaris-shared
+$shared_cflag = -fPIC
+
+*** solaris-x86-gcc
+$cc = gcc
+$cflags = -O3 -fomit-frame-pointer -m486 -Wall -DL_ENDIAN -DNO_INLINE_ASM
+$unistd =
+$thread_cflag = -D_REENTRANT
+$lflags = -lsocket -lnsl -ldl
+$bn_ops = BN_LLONG DES_PTR DES_RISC1 DES_UNROLL RC4_INDEX MD2_INT
+$bn_obj = asm/bn86-sol.o asm/co86-sol.o
+$des_obj = asm/dx86-sol.o asm/yx86-sol.o
+$bf_obj = asm/bx86-sol.o
+$md5_obj = asm/mx86-sol.o
+$sha1_obj = asm/sx86-sol.o
+$cast_obj = asm/cx86-sol.o
+$rc4_obj = asm/rx86-sol.o
+$rmd160_obj = asm/rm86-sol.o
+$rc5_obj = asm/r586-sol.o
+$dso_scheme = dlfcn
+$shared_target= solaris-shared
+$shared_cflag = -fPIC
+
+*** solaris64-sparcv9-cc
+$cc = cc
+$cflags = -xtarget=ultra -xarch=v9 -xO5 -xstrconst -xdepend -Xa -DB_ENDIAN -DULTRASPARC
+$unistd =
+$thread_cflag = -D_REENTRANT
+$lflags = -lsocket -lnsl -ldl
+$bn_ops = SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_INT DES_PTR DES_RISC1 DES_UNROLL BF_PTR
+$bn_obj =
+$des_obj =
+$bf_obj =
+$md5_obj = asm/md5-sparcv9.o
+$sha1_obj =
+$cast_obj =
+$rc4_obj =
+$rmd160_obj =
+$rc5_obj =
+$dso_scheme = dlfcn
+$shared_target= solaris-shared
+$shared_cflag = -KPIC
+
+*** sunos-gcc
+$cc = gcc
+$cflags = -O3 -mv8 -Dssize_t=int
+$unistd =
+$thread_cflag = (unknown)
+$lflags =
+$bn_ops = BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL DES_PTR DES_RISC1
+$bn_obj =
+$des_obj =
+$bf_obj =
+$md5_obj =
+$sha1_obj =
+$cast_obj =
+$rc4_obj =
+$rmd160_obj =
+$rc5_obj =
+$dso_scheme =
+$shared_target=
+$shared_cflag =
+
+*** ultrix-cc
+$cc = cc
+$cflags = -std1 -O -Olimit 1000 -DL_ENDIAN
+$unistd =
+$thread_cflag = (unknown)
+$lflags =
+$bn_ops =
+$bn_obj =
+$des_obj =
+$bf_obj =
+$md5_obj =
+$sha1_obj =
+$cast_obj =
+$rc4_obj =
+$rmd160_obj =
+$rc5_obj =
+$dso_scheme =
+$shared_target=
+$shared_cflag =
+
+*** ultrix-gcc
+$cc = gcc
+$cflags = -O3 -DL_ENDIAN
+$unistd =
+$thread_cflag = (unknown)
+$lflags =
+$bn_ops =
+$bn_obj =
+$des_obj =
+$bf_obj =
+$md5_obj =
+$sha1_obj =
+$cast_obj =
+$rc4_obj =
+$rmd160_obj =
+$rc5_obj =
+$dso_scheme =
+$shared_target=
+$shared_cflag =
+
+*** unixware-2.0
+$cc = cc
+$cflags = -O -DFILIO_H
+$unistd =
+$thread_cflag = (unknown)
+$lflags = -lsocket -lnsl
+$bn_ops = DES_PTR DES_RISC1 DES_UNROLL RC4_INDEX MD2_INT
+$bn_obj =
+$des_obj =
+$bf_obj =
+$md5_obj =
+$sha1_obj =
+$cast_obj =
+$rc4_obj =
+$rmd160_obj =
+$rc5_obj =
+$dso_scheme =
+$shared_target=
+$shared_cflag =
+
+*** unixware-2.0-pentium
+$cc = cc
+$cflags = -O -DFILIO_H -Kpentium -Kthread
+$unistd =
+$thread_cflag = (unknown)
+$lflags = -lsocket -lnsl
+$bn_ops = MD2_CHAR RC4_INDEX DES_PTR DES_RISC1 DES_UNROLL
+$bn_obj =
+$des_obj =
+$bf_obj =
+$md5_obj =
+$sha1_obj =
+$cast_obj =
+$rc4_obj =
+$rmd160_obj =
+$rc5_obj =
+$dso_scheme =
+$shared_target=
+$shared_cflag =
+
+*** unixware-7
+$cc = cc
+$cflags = -O -DFILIO_H -Kalloca
+$unistd =
+$thread_cflag = -Kthread
+$lflags = -lsocket -lnsl
+$bn_ops = MD2_CHAR RC4_INDEX DES_PTR DES_RISC1 DES_UNROLL
+$bn_obj =
+$des_obj =
+$bf_obj =
+$md5_obj =
+$sha1_obj =
+$cast_obj =
+$rc4_obj =
+$rmd160_obj =
+$rc5_obj =
+$dso_scheme =
+$shared_target=
+$shared_cflag =
diff --git a/crypto/openssl/apps/app_rand.c b/crypto/openssl/apps/app_rand.c
index 1146f9f7f38a..8a78e12eb732 100644
--- a/crypto/openssl/apps/app_rand.c
+++ b/crypto/openssl/apps/app_rand.c
@@ -177,8 +177,10 @@ long app_RAND_load_files(char *name)
if (*n == '\0') break;
egd=RAND_egd(n);
- if (egd > 0) tot+=egd;
- tot+=RAND_load_file(n,-1);
+ if (egd > 0)
+ tot+=egd;
+ else
+ tot+=RAND_load_file(n,-1);
if (last) break;
}
if (tot > 512)
diff --git a/crypto/openssl/apps/ca-cert.srl b/crypto/openssl/apps/ca-cert.srl
index eeee65ec419f..2c7456e3eb66 100644
--- a/crypto/openssl/apps/ca-cert.srl
+++ b/crypto/openssl/apps/ca-cert.srl
@@ -1 +1 @@
-05
+07
diff --git a/crypto/openssl/apps/dsaparam.c b/crypto/openssl/apps/dsaparam.c
index f861ec7b1ad8..4e8dcd3a68fd 100644
--- a/crypto/openssl/apps/dsaparam.c
+++ b/crypto/openssl/apps/dsaparam.c
@@ -311,7 +311,7 @@ bad:
printf("\tdsa->g=BN_bin2bn(dsa%d_g,sizeof(dsa%d_g),NULL);\n",
bits_p,bits_p);
printf("\tif ((dsa->p == NULL) || (dsa->q == NULL) || (dsa->g == NULL))\n");
- printf("\t\treturn(NULL);\n");
+ printf("\t\t{ DSA_free(dsa); return(NULL); }\n");
printf("\treturn(dsa);\n\t}\n");
}
diff --git a/crypto/openssl/apps/passwd.c b/crypto/openssl/apps/passwd.c
index 6851a9927d31..533b4692d053 100644
--- a/crypto/openssl/apps/passwd.c
+++ b/crypto/openssl/apps/passwd.c
@@ -315,7 +315,7 @@ static char *md5crypt(const char *passwd, const char *magic, const char *salt)
strncat(out_buf, "$", 1);
strncat(out_buf, salt, 8);
assert(strlen(out_buf) <= 6 + 8); /* "$apr1$..salt.." */
- salt_out = out_buf + 6;
+ salt_out = out_buf + 2 + strlen(magic);
salt_len = strlen(salt_out);
assert(salt_len <= 8);
diff --git a/crypto/openssl/apps/pca-cert.srl b/crypto/openssl/apps/pca-cert.srl
index 8a0f05e166aa..2c7456e3eb66 100644
--- a/crypto/openssl/apps/pca-cert.srl
+++ b/crypto/openssl/apps/pca-cert.srl
@@ -1 +1 @@
-01
+07
diff --git a/crypto/openssl/apps/req.c b/crypto/openssl/apps/req.c
index 1aab38d9d7aa..b123236beb4c 100644
--- a/crypto/openssl/apps/req.c
+++ b/crypto/openssl/apps/req.c
@@ -685,16 +685,15 @@ loop:
if (newreq || x509)
{
-#ifndef NO_DSA
- if (pkey->type == EVP_PKEY_DSA)
- digest=EVP_dss1();
-#endif
-
if (pkey == NULL)
{
BIO_printf(bio_err,"you need to specify a private key\n");
goto end;
}
+#ifndef NO_DSA
+ if (pkey->type == EVP_PKEY_DSA)
+ digest=EVP_dss1();
+#endif
if (req == NULL)
{
req=X509_REQ_new();
diff --git a/crypto/openssl/apps/rsautl.c b/crypto/openssl/apps/rsautl.c
index bcb94c3d8104..de231b045654 100644
--- a/crypto/openssl/apps/rsautl.c
+++ b/crypto/openssl/apps/rsautl.c
@@ -55,6 +55,9 @@
* Hudson (tjh@cryptsoft.com).
*
*/
+
+#ifndef NO_RSA
+
#include "apps.h"
#include <string.h>
#include <openssl/err.h>
@@ -288,3 +291,4 @@ static void usage()
BIO_printf(bio_err, "-hexdump hex dump output\n");
}
+#endif
diff --git a/crypto/openssl/apps/server.pem b/crypto/openssl/apps/server.pem
index c57b32507d0a..56248e57a3f4 100644
--- a/crypto/openssl/apps/server.pem
+++ b/crypto/openssl/apps/server.pem
@@ -1,17 +1,17 @@
issuer= /C=AU/ST=Queensland/O=CryptSoft Pty Ltd/CN=Test CA (1024 bit)
-subject=/C=AU/ST=Queensland/O=CryptSoft Pty Ltd/CN=Server test cert (512 bit)
+subject= /C=AU/ST=Queensland/O=CryptSoft Pty Ltd/CN=Server test cert (512 bit)
-----BEGIN CERTIFICATE-----
-MIIB6TCCAVICAQQwDQYJKoZIhvcNAQEEBQAwWzELMAkGA1UEBhMCQVUxEzARBgNV
+MIIB6TCCAVICAQYwDQYJKoZIhvcNAQEEBQAwWzELMAkGA1UEBhMCQVUxEzARBgNV
BAgTClF1ZWVuc2xhbmQxGjAYBgNVBAoTEUNyeXB0U29mdCBQdHkgTHRkMRswGQYD
-VQQDExJUZXN0IENBICgxMDI0IGJpdCkwHhcNOTgwNjI5MjM1MjQwWhcNMDAwNjI4
-MjM1MjQwWjBjMQswCQYDVQQGEwJBVTETMBEGA1UECBMKUXVlZW5zbGFuZDEaMBgG
+VQQDExJUZXN0IENBICgxMDI0IGJpdCkwHhcNMDAxMDE2MjIzMTAzWhcNMDMwMTE0
+MjIzMTAzWjBjMQswCQYDVQQGEwJBVTETMBEGA1UECBMKUXVlZW5zbGFuZDEaMBgG
A1UEChMRQ3J5cHRTb2Z0IFB0eSBMdGQxIzAhBgNVBAMTGlNlcnZlciB0ZXN0IGNl
cnQgKDUxMiBiaXQpMFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBAJ+zw4Qnlf8SMVIP
Fe9GEcStgOY2Ww/dgNdhjeD8ckUJNP5VZkVDTGiXav6ooKXfX3j/7tdkuD8Ey2//
-Kv7+ue0CAwEAATANBgkqhkiG9w0BAQQFAAOBgQCVvvfkGSe2GHgDFfmOua4Isjb9
-JVhImWMASiOClkZlMESDJjsszg/6+d/W+8TrbObhazpl95FivXBVucbj9dudh7AO
-IZu1h1MAPlyknc9Ud816vz3FejB4qqUoaXjnlkrIgEbr/un7jSS86WOe0hRhwHkJ
-FUGcPZf9ND22Etc+AQ==
+Kv7+ue0CAwEAATANBgkqhkiG9w0BAQQFAAOBgQCT0grFQeZaqYb5EYfk20XixZV4
+GmyAbXMftG1Eo7qGiMhYzRwGNWxEYojf5PZkYZXvSqZ/ZXHXa4g59jK/rJNnaVGM
+k+xIX8mxQvlV0n5O9PIha5BX5teZnkHKgL8aKKLKW1BK7YTngsfSzzaeame5iKfz
+itAE+OjGF+PFKbwX8Q==
-----END CERTIFICATE-----
-----BEGIN RSA PRIVATE KEY-----
MIIBPAIBAAJBAJ+zw4Qnlf8SMVIPFe9GEcStgOY2Ww/dgNdhjeD8ckUJNP5VZkVD
diff --git a/crypto/openssl/certs/expired/rsa-ssca.pem b/crypto/openssl/certs/expired/rsa-ssca.pem
new file mode 100644
index 000000000000..c9403212d183
--- /dev/null
+++ b/crypto/openssl/certs/expired/rsa-ssca.pem
@@ -0,0 +1,19 @@
+subject=/C=US/O=RSA Data Security, Inc./OU=Secure Server Certification Authority
+issuer= /C=US/O=RSA Data Security, Inc./OU=Secure Server Certification Authority
+notBefore=941109235417Z
+notAfter =991231235417Z
+-----BEGIN X509 CERTIFICATE-----
+
+MIICKTCCAZYCBQJBAAABMA0GCSqGSIb3DQEBAgUAMF8xCzAJBgNVBAYTAlVTMSAw
+HgYDVQQKExdSU0EgRGF0YSBTZWN1cml0eSwgSW5jLjEuMCwGA1UECxMlU2VjdXJl
+IFNlcnZlciBDZXJ0aWZpY2F0aW9uIEF1dGhvcml0eTAeFw05NDExMDkyMzU0MTda
+Fw05OTEyMzEyMzU0MTdaMF8xCzAJBgNVBAYTAlVTMSAwHgYDVQQKExdSU0EgRGF0
+YSBTZWN1cml0eSwgSW5jLjEuMCwGA1UECxMlU2VjdXJlIFNlcnZlciBDZXJ0aWZp
+Y2F0aW9uIEF1dGhvcml0eTCBmzANBgkqhkiG9w0BAQEFAAOBiQAwgYUCfgCSznrB
+roM+WqqJg1esJQF2DK2ujiw3zus1eGRUA+WEQFHJv48I4oqCCNIWhjdV6bEhAq12
+aIGaBaJLyUslZiJWbIgHj/eBWW2EB2VwE3F2Ppt3TONQiVaYSLkdpykaEy5KEVmc
+HhXVSVQsczppgrGXOZxtcGdI5d0t1sgeewIDAQABMA0GCSqGSIb3DQEBAgUAA34A
+iNHReSHO4ovo+MF9NFM/YYPZtgs4F7boviGNjwC4i1N+RGceIr2XJ+CchcxK9oU7
+suK+ktPlDemvXA4MRpX/oRxePug2WHpzpgr4IhFrwwk4fia7c+8AvQKk8xQNMD9h
+cHsg/jKjn7P0Z1LctO6EjJY2IN6BCINxIYoPnqk=
+-----END X509 CERTIFICATE-----
diff --git a/crypto/openssl/config b/crypto/openssl/config
index 6a2625308efb..1f4fef13dbc1 100755
--- a/crypto/openssl/config
+++ b/crypto/openssl/config
@@ -168,7 +168,7 @@ case "${SYSTEM}:${RELEASE}:${VERSION}:${MACHINE}" in
;;
NetBSD:*:*:*386*)
- echo "`/usr/sbin/sysctl -n hw.model | sed 's,.*\(.\)86-class.*,i\186,'`-whatever-netbsd"; exit 0
+ echo "`(/usr/sbin/sysctl -n hw.model || /sbin/sysctl -n hw.model) | sed 's,.*\(.\)86-class.*,i\186,'`-whatever-netbsd"; exit 0
;;
NetBSD:*)
@@ -394,7 +394,7 @@ case "$GUESSOS" in
mips4-sgi-irix64)
echo "WARNING! If you wish to build 64-bit library, then you have to"
echo " invoke './Configre irix64-mips4-$CC' *manually*."
- echo " Type Ctrl-C if you don't want to continue."
+ echo " Type return if you want to continue, Ctrl-C to abort."
read waste < /dev/tty
options="$options -mips4"
OUT="irix-mips3-$CC"
@@ -423,11 +423,11 @@ case "$GUESSOS" in
#till 64-bit glibc for SPARC is operational:-(
#echo "WARNING! If you wish to build 64-bit library, then you have to"
#echo " invoke './Configure linux64-sparcv9' *manually*."
- #echo " Type Ctrl-C if you don't want to continue."
+ #echo " Type return if you want to continue, Ctrl-C to abort."
#read waste < /dev/tty
OUT="linux-sparcv9" ;;
sparc-*-linux2)
- KARCH=`awk '/type/{print$3}' /proc/cpuinfo`
+ KARCH=`awk '/^type/{print$3}' /proc/cpuinfo`
case ${KARCH:-sun4} in
sun4u*) OUT="linux-sparcv9" ;;
sun4m) OUT="linux-sparcv8" ;;
@@ -435,6 +435,7 @@ case "$GUESSOS" in
*) OUT="linux-sparcv7" ;;
esac ;;
arm*-*-linux2) OUT="linux-elf-arm" ;;
+ s390-*-linux2) OUT="linux-s390" ;;
*-*-linux2) OUT="linux-elf" ;;
*-*-linux1) OUT="linux-aout" ;;
sun4u*-*-solaris2)
@@ -442,7 +443,7 @@ case "$GUESSOS" in
if [ "$ISA64" != "" -a "$CC" = "cc" -a $CCVER -ge 50 ]; then
echo "WARNING! If you wish to build 64-bit library, then you have to"
echo " invoke './Configure solaris64-sparcv9-cc' *manually*."
- echo " Type Ctrl-C if you don't want to continue."
+ echo " Type return if you want to continue, Ctrl-C to abort."
read waste < /dev/tty
fi
OUT="solaris-sparcv9-$CC" ;;
@@ -557,7 +558,7 @@ OUT="$PREFIX$OUT"
$PERL ./Configure LIST | grep "$OUT" > /dev/null
if [ $? = "0" ]; then
- #echo Configuring for $OUT
+ echo Configuring for $OUT
if [ "$TEST" = "true" ]; then
echo $PERL ./Configure $OUT $options
diff --git a/crypto/openssl/crypto/Makefile.ssl b/crypto/openssl/crypto/Makefile.ssl
index 8c399bbff14a..ae761da79f84 100644
--- a/crypto/openssl/crypto/Makefile.ssl
+++ b/crypto/openssl/crypto/Makefile.ssl
@@ -90,7 +90,8 @@ links:
lib: $(LIBOBJ)
$(AR) $(LIB) $(LIBOBJ)
- $(RANLIB) $(LIB)
+ @echo You may get an error following this line. Please ignore.
+ - $(RANLIB) $(LIB)
@touch lib
libs:
diff --git a/crypto/openssl/crypto/asn1/Makefile.ssl b/crypto/openssl/crypto/asn1/Makefile.ssl
index eae97f321d92..269af4459323 100644
--- a/crypto/openssl/crypto/asn1/Makefile.ssl
+++ b/crypto/openssl/crypto/asn1/Makefile.ssl
@@ -75,7 +75,8 @@ all: lib
lib: $(LIBOBJ)
$(AR) $(LIB) $(LIBOBJ)
- $(RANLIB) $(LIB)
+ @echo You may get an error following this line. Please ignore.
+ - $(RANLIB) $(LIB)
@touch lib
files:
diff --git a/crypto/openssl/crypto/asn1/a_strnid.c b/crypto/openssl/crypto/asn1/a_strnid.c
index 6b10cff99449..732e68fe462a 100644
--- a/crypto/openssl/crypto/asn1/a_strnid.c
+++ b/crypto/openssl/crypto/asn1/a_strnid.c
@@ -133,7 +133,7 @@ ASN1_STRING *ASN1_STRING_set_by_NID(ASN1_STRING **out, const unsigned char *in,
if(tbl) {
mask = tbl->mask;
if(!(tbl->flags & STABLE_NO_MASK)) mask &= global_mask;
- ret = ASN1_mbstring_ncopy(out, in, inlen, inform, tbl->mask,
+ ret = ASN1_mbstring_ncopy(out, in, inlen, inform, mask,
tbl->minsize, tbl->maxsize);
} else ret = ASN1_mbstring_copy(out, in, inlen, inform, DIRSTRING_TYPE & global_mask);
if(ret <= 0) return NULL;
diff --git a/crypto/openssl/crypto/asn1/asn1_mac.h b/crypto/openssl/crypto/asn1/asn1_mac.h
index 4512ba6cc604..af0e664b2de0 100644
--- a/crypto/openssl/crypto/asn1/asn1_mac.h
+++ b/crypto/openssl/crypto/asn1/asn1_mac.h
@@ -196,6 +196,9 @@ err:\
if ((a != NULL) && (sk_##type##_num(a) != 0)) \
M_ASN1_I2D_put_SEQUENCE_type(type,a,f);
+#define M_ASN1_I2D_put_SEQUENCE_opt_ex_type(type,a,f) \
+ if (a) M_ASN1_I2D_put_SEQUENCE_type(type,a,f);
+
#define M_ASN1_D2I_get_IMP_set_opt(b,func,free_func,tag) \
if ((c.slen != 0) && \
(M_ASN1_next == \
@@ -389,6 +392,9 @@ err:\
if ((a != NULL) && (sk_##type##_num(a) != 0)) \
M_ASN1_I2D_len_SEQUENCE_type(type,a,f);
+#define M_ASN1_I2D_len_SEQUENCE_opt_ex_type(type,a,f) \
+ if (a) M_ASN1_I2D_len_SEQUENCE_type(type,a,f);
+
#define M_ASN1_I2D_len_IMP_SET(a,f,x) \
ret+=i2d_ASN1_SET(a,NULL,f,x,V_ASN1_CONTEXT_SPECIFIC,IS_SET);
@@ -452,6 +458,15 @@ err:\
ret+=ASN1_object_size(1,v,mtag); \
}
+#define M_ASN1_I2D_len_EXP_SEQUENCE_opt_ex_type(type,a,f,mtag,tag,v) \
+ if (a)\
+ { \
+ v=i2d_ASN1_SET_OF_##type(a,NULL,f,tag, \
+ V_ASN1_UNIVERSAL, \
+ IS_SEQUENCE); \
+ ret+=ASN1_object_size(1,v,mtag); \
+ }
+
/* Put Macros */
#define M_ASN1_I2D_put(a,f) f(a,&p)
@@ -536,6 +551,14 @@ err:\
IS_SEQUENCE); \
}
+#define M_ASN1_I2D_put_EXP_SEQUENCE_opt_ex_type(type,a,f,mtag,tag,v) \
+ if (a) \
+ { \
+ ASN1_put_object(&p,1,v,mtag,V_ASN1_CONTEXT_SPECIFIC); \
+ i2d_ASN1_SET_OF_##type(a,&p,f,tag,V_ASN1_UNIVERSAL, \
+ IS_SEQUENCE); \
+ }
+
#define M_ASN1_I2D_seq_total() \
r=ASN1_object_size(1,ret,V_ASN1_SEQUENCE); \
if (pp == NULL) return(r); \
diff --git a/crypto/openssl/crypto/asn1/x_crl.c b/crypto/openssl/crypto/asn1/x_crl.c
index 1f302d0e01eb..51518cdf3502 100644
--- a/crypto/openssl/crypto/asn1/x_crl.c
+++ b/crypto/openssl/crypto/asn1/x_crl.c
@@ -71,14 +71,14 @@ int i2d_X509_REVOKED(X509_REVOKED *a, unsigned char **pp)
M_ASN1_I2D_len(a->serialNumber,i2d_ASN1_INTEGER);
M_ASN1_I2D_len(a->revocationDate,i2d_ASN1_TIME);
- M_ASN1_I2D_len_SEQUENCE_opt_type(X509_EXTENSION,a->extensions,
+ M_ASN1_I2D_len_SEQUENCE_opt_ex_type(X509_EXTENSION,a->extensions,
i2d_X509_EXTENSION);
M_ASN1_I2D_seq_total();
M_ASN1_I2D_put(a->serialNumber,i2d_ASN1_INTEGER);
M_ASN1_I2D_put(a->revocationDate,i2d_ASN1_TIME);
- M_ASN1_I2D_put_SEQUENCE_opt_type(X509_EXTENSION,a->extensions,
+ M_ASN1_I2D_put_SEQUENCE_opt_ex_type(X509_EXTENSION,a->extensions,
i2d_X509_EXTENSION);
M_ASN1_I2D_finish();
@@ -121,7 +121,7 @@ int i2d_X509_CRL_INFO(X509_CRL_INFO *a, unsigned char **pp)
{ M_ASN1_I2D_len(a->nextUpdate,i2d_ASN1_TIME); }
M_ASN1_I2D_len_SEQUENCE_opt_type(X509_REVOKED,a->revoked,
i2d_X509_REVOKED);
- M_ASN1_I2D_len_EXP_SEQUENCE_opt_type(X509_EXTENSION,a->extensions,
+ M_ASN1_I2D_len_EXP_SEQUENCE_opt_ex_type(X509_EXTENSION,a->extensions,
i2d_X509_EXTENSION,0,
V_ASN1_SEQUENCE,v1);
@@ -138,7 +138,7 @@ int i2d_X509_CRL_INFO(X509_CRL_INFO *a, unsigned char **pp)
{ M_ASN1_I2D_put(a->nextUpdate,i2d_ASN1_TIME); }
M_ASN1_I2D_put_SEQUENCE_opt_type(X509_REVOKED,a->revoked,
i2d_X509_REVOKED);
- M_ASN1_I2D_put_EXP_SEQUENCE_opt_type(X509_EXTENSION,a->extensions,
+ M_ASN1_I2D_put_EXP_SEQUENCE_opt_ex_type(X509_EXTENSION,a->extensions,
i2d_X509_EXTENSION,0,
V_ASN1_SEQUENCE,v1);
@@ -260,7 +260,7 @@ X509_CRL_INFO *X509_CRL_INFO_new(void)
M_ASN1_New(ret->lastUpdate,M_ASN1_UTCTIME_new);
ret->nextUpdate=NULL;
M_ASN1_New(ret->revoked,sk_X509_REVOKED_new_null);
- M_ASN1_New(ret->extensions,sk_X509_EXTENSION_new_null);
+ ret->extensions = NULL;
sk_X509_REVOKED_set_cmp_func(ret->revoked,X509_REVOKED_cmp);
return(ret);
M_ASN1_New_Error(ASN1_F_X509_CRL_INFO_NEW);
diff --git a/crypto/openssl/crypto/bf/Makefile.ssl b/crypto/openssl/crypto/bf/Makefile.ssl
index adc9eec3c6ab..2d61ec50f422 100644
--- a/crypto/openssl/crypto/bf/Makefile.ssl
+++ b/crypto/openssl/crypto/bf/Makefile.ssl
@@ -44,7 +44,8 @@ all: lib
lib: $(LIBOBJ)
$(AR) $(LIB) $(LIBOBJ)
- $(RANLIB) $(LIB)
+ @echo You may get an error following this line. Please ignore.
+ - $(RANLIB) $(LIB)
@touch lib
# elf
diff --git a/crypto/openssl/crypto/bio/Makefile.ssl b/crypto/openssl/crypto/bio/Makefile.ssl
index af5998b102c4..00caa9f7eb17 100644
--- a/crypto/openssl/crypto/bio/Makefile.ssl
+++ b/crypto/openssl/crypto/bio/Makefile.ssl
@@ -49,7 +49,8 @@ all: lib
lib: $(LIBOBJ)
$(AR) $(LIB) $(LIBOBJ)
- $(RANLIB) $(LIB)
+ @echo You may get an error following this line. Please ignore.
+ - $(RANLIB) $(LIB)
@touch lib
files:
diff --git a/crypto/openssl/crypto/bio/b_sock.c b/crypto/openssl/crypto/bio/b_sock.c
index 64310058b45f..62cc3f1a0c81 100644
--- a/crypto/openssl/crypto/bio/b_sock.c
+++ b/crypto/openssl/crypto/bio/b_sock.c
@@ -113,8 +113,8 @@ int BIO_get_host_ip(const char *str, unsigned char *ip)
/* At this point, we have something that is most probably correct
in some way, so let's init the socket. */
- if (!BIO_sock_init())
- return(0); /* don't generate another error code here */
+ if (BIO_sock_init() != 1)
+ return 0; /* don't generate another error code here */
/* If the string actually contained an IP address, we need not do
anything more */
@@ -519,15 +519,15 @@ int BIO_get_accept_socket(char *host, int bind_mode)
{
int ret=0;
struct sockaddr_in server,client;
- int s= -1,cs;
+ int s=INVALID_SOCKET,cs;
unsigned char ip[4];
unsigned short port;
- char *str,*e;
+ char *str=NULL,*e;
const char *h,*p;
unsigned long l;
int err_num;
- if (!BIO_sock_init()) return(INVALID_SOCKET);
+ if (BIO_sock_init() != 1) return(INVALID_SOCKET);
if ((str=BUF_strdup(host)) == NULL) return(INVALID_SOCKET);
@@ -553,7 +553,7 @@ int BIO_get_accept_socket(char *host, int bind_mode)
h="*";
}
- if (!BIO_get_port(p,&port)) return(INVALID_SOCKET);
+ if (!BIO_get_port(p,&port)) goto err;
memset((char *)&server,0,sizeof(server));
server.sin_family=AF_INET;
@@ -563,7 +563,7 @@ int BIO_get_accept_socket(char *host, int bind_mode)
server.sin_addr.s_addr=INADDR_ANY;
else
{
- if (!BIO_get_host_ip(h,&(ip[0]))) return(INVALID_SOCKET);
+ if (!BIO_get_host_ip(h,&(ip[0]))) goto err;
l=(unsigned long)
((unsigned long)ip[0]<<24L)|
((unsigned long)ip[1]<<16L)|
diff --git a/crypto/openssl/crypto/bn/Makefile.ssl b/crypto/openssl/crypto/bn/Makefile.ssl
index 85be16a5b64c..ad36267e2698 100644
--- a/crypto/openssl/crypto/bn/Makefile.ssl
+++ b/crypto/openssl/crypto/bn/Makefile.ssl
@@ -68,7 +68,8 @@ bnbug: bnbug.c ../../libcrypto.a top
lib: $(LIBOBJ)
$(AR) $(LIB) $(LIBOBJ)
- $(RANLIB) $(LIB)
+ @echo You may get an error following this line. Please ignore.
+ - $(RANLIB) $(LIB)
@touch lib
# elf
diff --git a/crypto/openssl/crypto/bn/asm/pa-risc2.s b/crypto/openssl/crypto/bn/asm/pa-risc2.s
index 7239aa2c7629..af9730d06215 100644
--- a/crypto/openssl/crypto/bn/asm/pa-risc2.s
+++ b/crypto/openssl/crypto/bn/asm/pa-risc2.s
@@ -1611,7 +1611,7 @@ bn_mul_comba4
.IMPORT $global$,DATA
.SPACE $TEXT$
.SUBSPA $CODE$
- .SUBSPA $LIT$,QUAD=0,ALIGN=8,ACCESS=0x2c,SORT=16
+ .SUBSPA $LIT$,ACCESS=0x2c
C$7
.ALIGN 8
.STRINGZ "Division would overflow (%d)\n"
diff --git a/crypto/openssl/crypto/bn/asm/pa-risc2W.s b/crypto/openssl/crypto/bn/asm/pa-risc2W.s
index 54b6606252ea..a99545754d18 100644
--- a/crypto/openssl/crypto/bn/asm/pa-risc2W.s
+++ b/crypto/openssl/crypto/bn/asm/pa-risc2W.s
@@ -1598,7 +1598,7 @@ bn_mul_comba4
.IMPORT $global$,DATA
.SPACE $TEXT$
.SUBSPA $CODE$
- .SUBSPA $LIT$,QUAD=0,ALIGN=8,ACCESS=0x2c,SORT=16
+ .SUBSPA $LIT$,ACCESS=0x2c
C$4
.ALIGN 8
.STRINGZ "Division would overflow (%d)\n"
diff --git a/crypto/openssl/crypto/bn/bn.h b/crypto/openssl/crypto/bn/bn.h
index 1eb8395b25c3..ef1cfb0259b9 100644
--- a/crypto/openssl/crypto/bn/bn.h
+++ b/crypto/openssl/crypto/bn/bn.h
@@ -239,7 +239,7 @@ typedef struct bignum_st
} BIGNUM;
/* Used for temp variables */
-#define BN_CTX_NUM 12
+#define BN_CTX_NUM 16
#define BN_CTX_NUM_POS 12
typedef struct bignum_ctx
{
@@ -328,6 +328,7 @@ BIGNUM *BN_CTX_get(BN_CTX *ctx);
void BN_CTX_end(BN_CTX *ctx);
int BN_rand(BIGNUM *rnd, int bits, int top,int bottom);
int BN_pseudo_rand(BIGNUM *rnd, int bits, int top,int bottom);
+int BN_rand_range(BIGNUM *rnd, BIGNUM *range);
int BN_num_bits(const BIGNUM *a);
int BN_num_bits_word(BN_ULONG);
BIGNUM *BN_new(void);
@@ -493,16 +494,19 @@ BN_ULONG bn_sub_words(BN_ULONG *rp, BN_ULONG *ap, BN_ULONG *bp,int num);
#define BN_F_BN_MPI2BN 112
#define BN_F_BN_NEW 113
#define BN_F_BN_RAND 114
+#define BN_F_BN_RAND_RANGE 122
#define BN_F_BN_USUB 115
/* Reason codes. */
#define BN_R_ARG2_LT_ARG3 100
#define BN_R_BAD_RECIPROCAL 101
+#define BN_R_BIGNUM_TOO_LONG 114
#define BN_R_CALLED_WITH_EVEN_MODULUS 102
#define BN_R_DIV_BY_ZERO 103
#define BN_R_ENCODING_ERROR 104
#define BN_R_EXPAND_ON_STATIC_BIGNUM_DATA 105
#define BN_R_INVALID_LENGTH 106
+#define BN_R_INVALID_RANGE 115
#define BN_R_NOT_INITIALIZED 107
#define BN_R_NO_INVERSE 108
#define BN_R_TOO_MANY_TEMPORARY_VARIABLES 109
diff --git a/crypto/openssl/crypto/bn/bn_div.c b/crypto/openssl/crypto/bn/bn_div.c
index c3772c243be5..891b6026311c 100644
--- a/crypto/openssl/crypto/bn/bn_div.c
+++ b/crypto/openssl/crypto/bn/bn_div.c
@@ -180,13 +180,13 @@ int BN_div(BIGNUM *dv, BIGNUM *rm, const BIGNUM *num, const BIGNUM *divisor,
BN_CTX_start(ctx);
tmp=BN_CTX_get(ctx);
- tmp->neg=0;
snum=BN_CTX_get(ctx);
sdiv=BN_CTX_get(ctx);
if (dv == NULL)
res=BN_CTX_get(ctx);
else res=dv;
- if (res == NULL) goto err;
+ if (sdiv==NULL || res == NULL) goto err;
+ tmp->neg=0;
/* First we normalise the numbers */
norm_shift=BN_BITS2-((BN_num_bits(divisor))%BN_BITS2);
@@ -237,7 +237,7 @@ int BN_div(BIGNUM *dv, BIGNUM *rm, const BIGNUM *num, const BIGNUM *divisor,
for (i=0; i<loop-1; i++)
{
BN_ULONG q,l0;
-#ifdef BN_DIV3W
+#if defined(BN_DIV3W) && !defined(NO_ASM)
q=bn_div_3_words(wnump,d1,d0);
#else
BN_ULONG n0,n1,rem=0;
diff --git a/crypto/openssl/crypto/bn/bn_err.c b/crypto/openssl/crypto/bn/bn_err.c
index 86550c4c21d5..adc6a214fc6e 100644
--- a/crypto/openssl/crypto/bn/bn_err.c
+++ b/crypto/openssl/crypto/bn/bn_err.c
@@ -84,6 +84,7 @@ static ERR_STRING_DATA BN_str_functs[]=
{ERR_PACK(0,BN_F_BN_MPI2BN,0), "BN_mpi2bn"},
{ERR_PACK(0,BN_F_BN_NEW,0), "BN_new"},
{ERR_PACK(0,BN_F_BN_RAND,0), "BN_rand"},
+{ERR_PACK(0,BN_F_BN_RAND_RANGE,0), "BN_rand_range"},
{ERR_PACK(0,BN_F_BN_USUB,0), "BN_usub"},
{0,NULL}
};
@@ -92,11 +93,13 @@ static ERR_STRING_DATA BN_str_reasons[]=
{
{BN_R_ARG2_LT_ARG3 ,"arg2 lt arg3"},
{BN_R_BAD_RECIPROCAL ,"bad reciprocal"},
+{BN_R_BIGNUM_TOO_LONG ,"bignum too long"},
{BN_R_CALLED_WITH_EVEN_MODULUS ,"called with even modulus"},
{BN_R_DIV_BY_ZERO ,"div by zero"},
{BN_R_ENCODING_ERROR ,"encoding error"},
{BN_R_EXPAND_ON_STATIC_BIGNUM_DATA ,"expand on static bignum data"},
{BN_R_INVALID_LENGTH ,"invalid length"},
+{BN_R_INVALID_RANGE ,"invalid range"},
{BN_R_NOT_INITIALIZED ,"not initialized"},
{BN_R_NO_INVERSE ,"no inverse"},
{BN_R_TOO_MANY_TEMPORARY_VARIABLES ,"too many temporary variables"},
diff --git a/crypto/openssl/crypto/bn/bn_lib.c b/crypto/openssl/crypto/bn/bn_lib.c
index b6b0ce4b3c9f..7767d6517022 100644
--- a/crypto/openssl/crypto/bn/bn_lib.c
+++ b/crypto/openssl/crypto/bn/bn_lib.c
@@ -62,6 +62,7 @@
#endif
#include <assert.h>
+#include <limits.h>
#include <stdio.h>
#include "cryptlib.h"
#include "bn_lcl.h"
@@ -319,6 +320,12 @@ BIGNUM *bn_expand2(BIGNUM *b, int words)
if (words > b->dmax)
{
+ if (words > (INT_MAX/(4*BN_BITS2)))
+ {
+ BNerr(BN_F_BN_EXPAND2,BN_R_BIGNUM_TOO_LONG);
+ return NULL;
+ }
+
bn_check_top(b);
if (BN_get_flags(b,BN_FLG_STATIC_DATA))
{
diff --git a/crypto/openssl/crypto/bn/bn_rand.c b/crypto/openssl/crypto/bn/bn_rand.c
index 21ecbc04ed0a..224a0ff7a2c3 100644
--- a/crypto/openssl/crypto/bn/bn_rand.c
+++ b/crypto/openssl/crypto/bn/bn_rand.c
@@ -140,3 +140,55 @@ int BN_pseudo_rand(BIGNUM *rnd, int bits, int top, int bottom)
{
return bnrand(1, rnd, bits, top, bottom);
}
+
+/* random number r: 0 <= r < range */
+int BN_rand_range(BIGNUM *r, BIGNUM *range)
+ {
+ int n;
+
+ if (range->neg || BN_is_zero(range))
+ {
+ BNerr(BN_F_BN_RAND_RANGE, BN_R_INVALID_RANGE);
+ return 0;
+ }
+
+ n = BN_num_bits(range); /* n > 0 */
+
+ if (n == 1)
+ {
+ if (!BN_zero(r)) return 0;
+ }
+ else if (BN_is_bit_set(range, n - 2))
+ {
+ do
+ {
+ /* range = 11..._2, so each iteration succeeds with probability >= .75 */
+ if (!BN_rand(r, n, 0, 0)) return 0;
+ }
+ while (BN_cmp(r, range) >= 0);
+ }
+ else
+ {
+ /* range = 10..._2,
+ * so 3*range (= 11..._2) is exactly one bit longer than range */
+ do
+ {
+ if (!BN_rand(r, n + 1, 0, 0)) return 0;
+ /* If r < 3*range, use r := r MOD range
+ * (which is either r, r - range, or r - 2*range).
+ * Otherwise, iterate once more.
+ * Since 3*range = 11..._2, each iteration succeeds with
+ * probability >= .75. */
+ if (BN_cmp(r ,range) >= 0)
+ {
+ if (!BN_sub(r, r, range)) return 0;
+ if (BN_cmp(r, range) >= 0)
+ if (!BN_sub(r, r, range)) return 0;
+ }
+ }
+ while (BN_cmp(r, range) >= 0);
+ }
+
+ return 1;
+ }
+
diff --git a/crypto/openssl/crypto/bn/bn_shift.c b/crypto/openssl/crypto/bn/bn_shift.c
index 0883247384e9..c2608f9f4a90 100644
--- a/crypto/openssl/crypto/bn/bn_shift.c
+++ b/crypto/openssl/crypto/bn/bn_shift.c
@@ -172,6 +172,11 @@ int BN_rshift(BIGNUM *r, BIGNUM *a, int n)
r->neg=a->neg;
if (bn_wexpand(r,a->top-nw+1) == NULL) return(0);
}
+ else
+ {
+ if (n == 0)
+ return 1; /* or the copying loop will go berserk */
+ }
f= &(a->d[nw]);
t=r->d;
diff --git a/crypto/openssl/crypto/bn/bntest.c b/crypto/openssl/crypto/bn/bntest.c
index 0a97af69c586..c9801dc01614 100644
--- a/crypto/openssl/crypto/bn/bntest.c
+++ b/crypto/openssl/crypto/bn/bntest.c
@@ -107,11 +107,9 @@ static const char rnd_seed[] = "string to make the random number generator think
static void message(BIO *out, char *m)
{
fprintf(stderr, "test %s\n", m);
-#if defined(linux) || defined(__FreeBSD__) /* can we use GNU bc features? */
BIO_puts(out, "print \"test ");
BIO_puts(out, m);
BIO_puts(out, "\\n\"\n");
-#endif
}
int main(int argc, char *argv[])
diff --git a/crypto/openssl/crypto/buffer/Makefile.ssl b/crypto/openssl/crypto/buffer/Makefile.ssl
index 4e11038c8b12..c088ec6b3c76 100644
--- a/crypto/openssl/crypto/buffer/Makefile.ssl
+++ b/crypto/openssl/crypto/buffer/Makefile.ssl
@@ -39,7 +39,8 @@ all: lib
lib: $(LIBOBJ)
$(AR) $(LIB) $(LIBOBJ)
- $(RANLIB) $(LIB)
+ @echo You may get an error following this line. Please ignore.
+ - $(RANLIB) $(LIB)
@touch lib
files:
diff --git a/crypto/openssl/crypto/cast/Makefile.ssl b/crypto/openssl/crypto/cast/Makefile.ssl
index afba084e8bbf..0aa1cbc55a29 100644
--- a/crypto/openssl/crypto/cast/Makefile.ssl
+++ b/crypto/openssl/crypto/cast/Makefile.ssl
@@ -47,7 +47,8 @@ all: lib
lib: $(LIBOBJ)
$(AR) $(LIB) $(LIBOBJ)
- $(RANLIB) $(LIB)
+ @echo You may get an error following this line. Please ignore.
+ - $(RANLIB) $(LIB)
@touch lib
# elf
diff --git a/crypto/openssl/crypto/comp/Makefile.ssl b/crypto/openssl/crypto/comp/Makefile.ssl
index 3064df244798..ba705c2a1c3c 100644
--- a/crypto/openssl/crypto/comp/Makefile.ssl
+++ b/crypto/openssl/crypto/comp/Makefile.ssl
@@ -42,7 +42,8 @@ all: lib
lib: $(LIBOBJ)
$(AR) $(LIB) $(LIBOBJ)
- $(RANLIB) $(LIB)
+ @echo You may get an error following this line. Please ignore.
+ - $(RANLIB) $(LIB)
@touch lib
files:
diff --git a/crypto/openssl/crypto/conf/Makefile.ssl b/crypto/openssl/crypto/conf/Makefile.ssl
index ea82d467270e..a96212252a0b 100644
--- a/crypto/openssl/crypto/conf/Makefile.ssl
+++ b/crypto/openssl/crypto/conf/Makefile.ssl
@@ -40,7 +40,8 @@ all: lib
lib: $(LIBOBJ)
$(AR) $(LIB) $(LIBOBJ)
- $(RANLIB) $(LIB)
+ @echo You may get an error following this line. Please ignore.
+ - $(RANLIB) $(LIB)
@touch lib
files:
diff --git a/crypto/openssl/crypto/conf/conf.h b/crypto/openssl/crypto/conf/conf.h
index 2f70634455b9..cd40a0db215a 100644
--- a/crypto/openssl/crypto/conf/conf.h
+++ b/crypto/openssl/crypto/conf/conf.h
@@ -167,6 +167,8 @@ int NCONF_dump_bio(CONF *conf, BIO *out);
#define CONF_R_MISSING_EQUAL_SIGN 101
#define CONF_R_NO_CLOSE_BRACE 102
#define CONF_R_NO_CONF 105
+#define CONF_R_NO_CONF_OR_ENVIRONMENT_VARIABLE 106
+#define CONF_R_NO_SECTION 107
#define CONF_R_UNABLE_TO_CREATE_NEW_SECTION 103
#define CONF_R_VARIABLE_HAS_NO_VALUE 104
diff --git a/crypto/openssl/crypto/conf/conf_err.c b/crypto/openssl/crypto/conf/conf_err.c
index 06d3163573c2..8c2bc6f1c4cb 100644
--- a/crypto/openssl/crypto/conf/conf_err.c
+++ b/crypto/openssl/crypto/conf/conf_err.c
@@ -87,6 +87,8 @@ static ERR_STRING_DATA CONF_str_reasons[]=
{CONF_R_MISSING_EQUAL_SIGN ,"missing equal sign"},
{CONF_R_NO_CLOSE_BRACE ,"no close brace"},
{CONF_R_NO_CONF ,"no conf"},
+{CONF_R_NO_CONF_OR_ENVIRONMENT_VARIABLE ,"no conf or environment variable"},
+{CONF_R_NO_SECTION ,"no section"},
{CONF_R_UNABLE_TO_CREATE_NEW_SECTION ,"unable to create new section"},
{CONF_R_VARIABLE_HAS_NO_VALUE ,"variable has no value"},
{0,NULL}
diff --git a/crypto/openssl/crypto/conf/conf_lib.c b/crypto/openssl/crypto/conf/conf_lib.c
index 4c8ca9e9ae4f..11ec6397324d 100644
--- a/crypto/openssl/crypto/conf/conf_lib.c
+++ b/crypto/openssl/crypto/conf/conf_lib.c
@@ -131,38 +131,59 @@ LHASH *CONF_load_bio(LHASH *conf, BIO *bp,long *eline)
STACK_OF(CONF_VALUE) *CONF_get_section(LHASH *conf,char *section)
{
- CONF ctmp;
+ if (conf == NULL)
+ {
+ return NULL;
+ }
+ else
+ {
+ CONF ctmp;
- if (default_CONF_method == NULL)
- default_CONF_method = NCONF_default();
+ if (default_CONF_method == NULL)
+ default_CONF_method = NCONF_default();
- default_CONF_method->init(&ctmp);
- ctmp.data = conf;
- return NCONF_get_section(&ctmp, section);
+ default_CONF_method->init(&ctmp);
+ ctmp.data = conf;
+ return NCONF_get_section(&ctmp, section);
+ }
}
char *CONF_get_string(LHASH *conf,char *group,char *name)
{
- CONF ctmp;
+ if (conf == NULL)
+ {
+ return NCONF_get_string(NULL, group, name);
+ }
+ else
+ {
+ CONF ctmp;
- if (default_CONF_method == NULL)
- default_CONF_method = NCONF_default();
+ if (default_CONF_method == NULL)
+ default_CONF_method = NCONF_default();
- default_CONF_method->init(&ctmp);
- ctmp.data = conf;
- return NCONF_get_string(&ctmp, group, name);
+ default_CONF_method->init(&ctmp);
+ ctmp.data = conf;
+ return NCONF_get_string(&ctmp, group, name);
+ }
}
long CONF_get_number(LHASH *conf,char *group,char *name)
{
- CONF ctmp;
+ if (conf == NULL)
+ {
+ return NCONF_get_number(NULL, group, name);
+ }
+ else
+ {
+ CONF ctmp;
- if (default_CONF_method == NULL)
- default_CONF_method = NCONF_default();
+ if (default_CONF_method == NULL)
+ default_CONF_method = NCONF_default();
- default_CONF_method->init(&ctmp);
- ctmp.data = conf;
- return NCONF_get_number(&ctmp, group, name);
+ default_CONF_method->init(&ctmp);
+ ctmp.data = conf;
+ return NCONF_get_number(&ctmp, group, name);
+ }
}
void CONF_free(LHASH *conf)
@@ -299,27 +320,46 @@ STACK_OF(CONF_VALUE) *NCONF_get_section(CONF *conf,char *section)
return NULL;
}
+ if (section == NULL)
+ {
+ CONFerr(CONF_F_NCONF_GET_SECTION,CONF_R_NO_SECTION);
+ return NULL;
+ }
+
return _CONF_get_section_values(conf, section);
}
char *NCONF_get_string(CONF *conf,char *group,char *name)
{
+ char *s = _CONF_get_string(conf, group, name);
+
+ /* Since we may get a value from an environment variable even
+ if conf is NULL, let's check the value first */
+ if (s) return s;
+
if (conf == NULL)
{
- CONFerr(CONF_F_NCONF_GET_STRING,CONF_R_NO_CONF);
+ CONFerr(CONF_F_NCONF_GET_STRING,
+ CONF_R_NO_CONF_OR_ENVIRONMENT_VARIABLE);
return NULL;
}
-
- return _CONF_get_string(conf, group, name);
+ return NULL;
}
long NCONF_get_number(CONF *conf,char *group,char *name)
{
+#if 0 /* As with _CONF_get_string(), we rely on the possibility of finding
+ an environment variable with a suitable name. Unfortunately, there's
+ no way with the current API to see if we found one or not...
+ The meaning of this is that if a number is not found anywhere, it
+ will always default to 0. */
if (conf == NULL)
{
- CONFerr(CONF_F_NCONF_GET_NUMBER,CONF_R_NO_CONF);
+ CONFerr(CONF_F_NCONF_GET_NUMBER,
+ CONF_R_NO_CONF_OR_ENVIRONMENT_VARIABLE);
return 0;
}
+#endif
return _CONF_get_number(conf, group, name);
}
diff --git a/crypto/openssl/crypto/des/Makefile.ssl b/crypto/openssl/crypto/des/Makefile.ssl
index b3cfe3dab6ba..28e58f4207ff 100644
--- a/crypto/openssl/crypto/des/Makefile.ssl
+++ b/crypto/openssl/crypto/des/Makefile.ssl
@@ -57,7 +57,8 @@ all: lib
lib: $(LIBOBJ)
$(AR) $(LIB) $(LIBOBJ)
- $(RANLIB) $(LIB)
+ @echo You may get an error following this line. Please ignore.
+ - $(RANLIB) $(LIB)
@touch lib
des: des.o cbc3_enc.o lib
diff --git a/crypto/openssl/crypto/dh/Makefile.ssl b/crypto/openssl/crypto/dh/Makefile.ssl
index 30f1b8029030..ccee00eeca2c 100644
--- a/crypto/openssl/crypto/dh/Makefile.ssl
+++ b/crypto/openssl/crypto/dh/Makefile.ssl
@@ -39,7 +39,8 @@ all: lib
lib: $(LIBOBJ)
$(AR) $(LIB) $(LIBOBJ)
- $(RANLIB) $(LIB)
+ @echo You may get an error following this line. Please ignore.
+ - $(RANLIB) $(LIB)
@touch lib
files:
diff --git a/crypto/openssl/crypto/dsa/Makefile.ssl b/crypto/openssl/crypto/dsa/Makefile.ssl
index 5df3b1cc43b8..1dfdb2d76922 100644
--- a/crypto/openssl/crypto/dsa/Makefile.ssl
+++ b/crypto/openssl/crypto/dsa/Makefile.ssl
@@ -41,7 +41,8 @@ all: lib
lib: $(LIBOBJ)
$(AR) $(LIB) $(LIBOBJ)
- $(RANLIB) $(LIB)
+ @echo You may get an error following this line. Please ignore.
+ - $(RANLIB) $(LIB)
@touch lib
files:
diff --git a/crypto/openssl/crypto/dsa/dsa_ossl.c b/crypto/openssl/crypto/dsa/dsa_ossl.c
index 094356518f2e..428357233057 100644
--- a/crypto/openssl/crypto/dsa/dsa_ossl.c
+++ b/crypto/openssl/crypto/dsa/dsa_ossl.c
@@ -179,13 +179,9 @@ static int dsa_sign_setup(DSA *dsa, BN_CTX *ctx_in, BIGNUM **kinvp, BIGNUM **rp)
kinv=NULL;
/* Get random k */
- for (;;)
- {
- if (!BN_rand(&k, BN_num_bits(dsa->q), 0, 0)) goto err;
- if (BN_cmp(&k,dsa->q) >= 0)
- BN_sub(&k,&k,dsa->q);
- if (!BN_is_zero(&k)) break;
- }
+ do
+ if (!BN_rand_range(&k, dsa->q)) goto err;
+ while (BN_is_zero(&k));
if ((dsa->method_mont_p == NULL) && (dsa->flags & DSA_FLAG_CACHE_MONT_P))
{
diff --git a/crypto/openssl/crypto/dso/Makefile.ssl b/crypto/openssl/crypto/dso/Makefile.ssl
index effc46d2dc94..33630e0bbb25 100644
--- a/crypto/openssl/crypto/dso/Makefile.ssl
+++ b/crypto/openssl/crypto/dso/Makefile.ssl
@@ -41,7 +41,8 @@ all: lib
lib: $(LIBOBJ)
$(AR) $(LIB) $(LIBOBJ)
- $(RANLIB) $(LIB)
+ @echo You may get an error following this line. Please ignore.
+ - $(RANLIB) $(LIB)
@touch lib
files:
diff --git a/crypto/openssl/crypto/dso/dso_dl.c b/crypto/openssl/crypto/dso/dso_dl.c
index 69810fc3bb93..f661ec5bfb39 100644
--- a/crypto/openssl/crypto/dso/dso_dl.c
+++ b/crypto/openssl/crypto/dso/dso_dl.c
@@ -187,7 +187,7 @@ static void *dl_bind_var(DSO *dso, const char *symname)
DSOerr(DSO_F_DL_BIND_VAR,DSO_R_NULL_HANDLE);
return(NULL);
}
- if (shl_findsym(ptr, symname, TYPE_UNDEFINED, &sym) < 0)
+ if (shl_findsym(&ptr, symname, TYPE_UNDEFINED, &sym) < 0)
{
DSOerr(DSO_F_DL_BIND_VAR,DSO_R_SYM_FAILURE);
return(NULL);
@@ -216,7 +216,7 @@ static DSO_FUNC_TYPE dl_bind_func(DSO *dso, const char *symname)
DSOerr(DSO_F_DL_BIND_FUNC,DSO_R_NULL_HANDLE);
return(NULL);
}
- if (shl_findsym(ptr, symname, TYPE_UNDEFINED, &sym) < 0)
+ if (shl_findsym(&ptr, symname, TYPE_UNDEFINED, &sym) < 0)
{
DSOerr(DSO_F_DL_BIND_FUNC,DSO_R_SYM_FAILURE);
return(NULL);
diff --git a/crypto/openssl/crypto/err/Makefile.ssl b/crypto/openssl/crypto/err/Makefile.ssl
index d001895cb676..42b9faa559f1 100644
--- a/crypto/openssl/crypto/err/Makefile.ssl
+++ b/crypto/openssl/crypto/err/Makefile.ssl
@@ -39,7 +39,8 @@ all: lib
lib: $(LIBOBJ)
$(AR) $(LIB) $(LIBOBJ)
- $(RANLIB) $(LIB)
+ @echo You may get an error following this line. Please ignore.
+ - $(RANLIB) $(LIB)
@touch lib
files:
diff --git a/crypto/openssl/crypto/evp/Makefile.ssl b/crypto/openssl/crypto/evp/Makefile.ssl
index 747051e4f13b..fb9945db1684 100644
--- a/crypto/openssl/crypto/evp/Makefile.ssl
+++ b/crypto/openssl/crypto/evp/Makefile.ssl
@@ -58,7 +58,8 @@ all: lib
lib: $(LIBOBJ)
$(AR) $(LIB) $(LIBOBJ)
- $(RANLIB) $(LIB)
+ @echo You may get an error following this line. Please ignore.
+ - $(RANLIB) $(LIB)
@touch lib
files:
diff --git a/crypto/openssl/crypto/evp/evp.h b/crypto/openssl/crypto/evp/evp.h
index f5b938d2f848..cdf5f3cf8942 100644
--- a/crypto/openssl/crypto/evp/evp.h
+++ b/crypto/openssl/crypto/evp/evp.h
@@ -463,12 +463,20 @@ typedef int (EVP_PBE_KEYGEN)(EVP_CIPHER_CTX *ctx, const char *pass, int passlen,
ASN1_TYPE *param, EVP_CIPHER *cipher,
EVP_MD *md, int en_de);
+#ifndef NO_RSA
#define EVP_PKEY_assign_RSA(pkey,rsa) EVP_PKEY_assign((pkey),EVP_PKEY_RSA,\
(char *)(rsa))
+#endif
+
+#ifndef NO_DSA
#define EVP_PKEY_assign_DSA(pkey,dsa) EVP_PKEY_assign((pkey),EVP_PKEY_DSA,\
(char *)(dsa))
+#endif
+
+#ifndef NO_DH
#define EVP_PKEY_assign_DH(pkey,dh) EVP_PKEY_assign((pkey),EVP_PKEY_DH,\
(char *)(dh))
+#endif
/* Add some extra combinations */
#define EVP_get_digestbynid(a) EVP_get_digestbyname(OBJ_nid2sn(a))
@@ -612,17 +620,29 @@ void BIO_set_cipher(BIO *b,const EVP_CIPHER *c,unsigned char *k,
#endif
EVP_MD *EVP_md_null(void);
+#ifndef NO_MD2
EVP_MD *EVP_md2(void);
+#endif
+#ifndef NO_MD4
EVP_MD *EVP_md4(void);
+#endif
+#ifndef NO_MD5
EVP_MD *EVP_md5(void);
+#endif
+#ifndef NO_SHA
EVP_MD *EVP_sha(void);
EVP_MD *EVP_sha1(void);
EVP_MD *EVP_dss(void);
EVP_MD *EVP_dss1(void);
+#endif
+#ifndef NO_MDC2
EVP_MD *EVP_mdc2(void);
+#endif
+#ifndef NO_RIPEMD
EVP_MD *EVP_ripemd160(void);
-
+#endif
EVP_CIPHER *EVP_enc_null(void); /* does nothing :-) */
+#ifndef NO_DES
EVP_CIPHER *EVP_des_ecb(void);
EVP_CIPHER *EVP_des_ede(void);
EVP_CIPHER *EVP_des_ede3(void);
@@ -636,31 +656,43 @@ EVP_CIPHER *EVP_des_cbc(void);
EVP_CIPHER *EVP_des_ede_cbc(void);
EVP_CIPHER *EVP_des_ede3_cbc(void);
EVP_CIPHER *EVP_desx_cbc(void);
+#endif
+#ifndef NO_RC4
EVP_CIPHER *EVP_rc4(void);
EVP_CIPHER *EVP_rc4_40(void);
+#endif
+#ifndef NO_IDEA
EVP_CIPHER *EVP_idea_ecb(void);
EVP_CIPHER *EVP_idea_cfb(void);
EVP_CIPHER *EVP_idea_ofb(void);
EVP_CIPHER *EVP_idea_cbc(void);
+#endif
+#ifndef NO_RC2
EVP_CIPHER *EVP_rc2_ecb(void);
EVP_CIPHER *EVP_rc2_cbc(void);
EVP_CIPHER *EVP_rc2_40_cbc(void);
EVP_CIPHER *EVP_rc2_64_cbc(void);
EVP_CIPHER *EVP_rc2_cfb(void);
EVP_CIPHER *EVP_rc2_ofb(void);
+#endif
+#ifndef NO_BF
EVP_CIPHER *EVP_bf_ecb(void);
EVP_CIPHER *EVP_bf_cbc(void);
EVP_CIPHER *EVP_bf_cfb(void);
EVP_CIPHER *EVP_bf_ofb(void);
+#endif
+#ifndef NO_CAST
EVP_CIPHER *EVP_cast5_ecb(void);
EVP_CIPHER *EVP_cast5_cbc(void);
EVP_CIPHER *EVP_cast5_cfb(void);
EVP_CIPHER *EVP_cast5_ofb(void);
+#endif
+#ifndef NO_RC5
EVP_CIPHER *EVP_rc5_32_12_16_cbc(void);
EVP_CIPHER *EVP_rc5_32_12_16_ecb(void);
EVP_CIPHER *EVP_rc5_32_12_16_cfb(void);
EVP_CIPHER *EVP_rc5_32_12_16_ofb(void);
-
+#endif
void OpenSSL_add_all_algorithms(void);
void OpenSSL_add_all_ciphers(void);
void OpenSSL_add_all_digests(void);
diff --git a/crypto/openssl/crypto/ex_data.c b/crypto/openssl/crypto/ex_data.c
index 1ee88da2a83b..739e543d782c 100644
--- a/crypto/openssl/crypto/ex_data.c
+++ b/crypto/openssl/crypto/ex_data.c
@@ -101,7 +101,7 @@ int CRYPTO_get_ex_new_index(int idx, STACK_OF(CRYPTO_EX_DATA_FUNCS) **skp, long
ret=idx;
err:
MemCheck_on();
- return(idx);
+ return(ret);
}
int CRYPTO_set_ex_data(CRYPTO_EX_DATA *ad, int idx, void *val)
diff --git a/crypto/openssl/crypto/hmac/Makefile.ssl b/crypto/openssl/crypto/hmac/Makefile.ssl
index 430eab4c9a15..ed3c8c64d1ca 100644
--- a/crypto/openssl/crypto/hmac/Makefile.ssl
+++ b/crypto/openssl/crypto/hmac/Makefile.ssl
@@ -39,7 +39,8 @@ all: lib
lib: $(LIBOBJ)
$(AR) $(LIB) $(LIBOBJ)
- $(RANLIB) $(LIB)
+ @echo You may get an error following this line. Please ignore.
+ - $(RANLIB) $(LIB)
@touch lib
files:
diff --git a/crypto/openssl/crypto/idea/Makefile.ssl b/crypto/openssl/crypto/idea/Makefile.ssl
index 3bd3e53ef4f4..d29bcd687460 100644
--- a/crypto/openssl/crypto/idea/Makefile.ssl
+++ b/crypto/openssl/crypto/idea/Makefile.ssl
@@ -39,7 +39,8 @@ all: lib
lib: $(LIBOBJ)
$(AR) $(LIB) $(LIBOBJ)
- $(RANLIB) $(LIB)
+ @echo You may get an error following this line. Please ignore.
+ - $(RANLIB) $(LIB)
@touch lib
files:
diff --git a/crypto/openssl/crypto/lhash/Makefile.ssl b/crypto/openssl/crypto/lhash/Makefile.ssl
index d7a51db3ee6c..60bb6b12e406 100644
--- a/crypto/openssl/crypto/lhash/Makefile.ssl
+++ b/crypto/openssl/crypto/lhash/Makefile.ssl
@@ -39,7 +39,8 @@ all: lib
lib: $(LIBOBJ)
$(AR) $(LIB) $(LIBOBJ)
- $(RANLIB) $(LIB)
+ @echo You may get an error following this line. Please ignore.
+ - $(RANLIB) $(LIB)
@touch lib
files:
diff --git a/crypto/openssl/crypto/md2/Makefile.ssl b/crypto/openssl/crypto/md2/Makefile.ssl
index c25ab74a3816..8b382c35ff44 100644
--- a/crypto/openssl/crypto/md2/Makefile.ssl
+++ b/crypto/openssl/crypto/md2/Makefile.ssl
@@ -39,7 +39,8 @@ all: lib
lib: $(LIBOBJ)
$(AR) $(LIB) $(LIBOBJ)
- $(RANLIB) $(LIB)
+ @echo You may get an error following this line. Please ignore.
+ - $(RANLIB) $(LIB)
@touch lib
files:
diff --git a/crypto/openssl/crypto/md4/Makefile.ssl b/crypto/openssl/crypto/md4/Makefile.ssl
index 5341bf5b4632..bc38badb0a2b 100644
--- a/crypto/openssl/crypto/md4/Makefile.ssl
+++ b/crypto/openssl/crypto/md4/Makefile.ssl
@@ -40,7 +40,8 @@ all: lib
lib: $(LIBOBJ)
$(AR) $(LIB) $(LIBOBJ)
- $(RANLIB) $(LIB)
+ @echo You may get an error following this line. Please ignore.
+ - $(RANLIB) $(LIB)
@touch lib
files:
diff --git a/crypto/openssl/crypto/md5/Makefile.ssl b/crypto/openssl/crypto/md5/Makefile.ssl
index 92ffc0b502d5..e5ec4a21ae33 100644
--- a/crypto/openssl/crypto/md5/Makefile.ssl
+++ b/crypto/openssl/crypto/md5/Makefile.ssl
@@ -50,7 +50,8 @@ all: lib
lib: $(LIBOBJ)
$(AR) $(LIB) $(LIBOBJ)
- $(RANLIB) $(LIB)
+ @echo You may get an error following this line. Please ignore.
+ - $(RANLIB) $(LIB)
@touch lib
# elf
diff --git a/crypto/openssl/crypto/mdc2/Makefile.ssl b/crypto/openssl/crypto/mdc2/Makefile.ssl
index a50de0f42a67..4b1b3e36961a 100644
--- a/crypto/openssl/crypto/mdc2/Makefile.ssl
+++ b/crypto/openssl/crypto/mdc2/Makefile.ssl
@@ -39,7 +39,8 @@ all: lib
lib: $(LIBOBJ)
$(AR) $(LIB) $(LIBOBJ)
- $(RANLIB) $(LIB)
+ @echo You may get an error following this line. Please ignore.
+ - $(RANLIB) $(LIB)
@touch lib
files:
diff --git a/crypto/openssl/crypto/mem_dbg.c b/crypto/openssl/crypto/mem_dbg.c
index 866c53e73a92..ddf4be28caa8 100644
--- a/crypto/openssl/crypto/mem_dbg.c
+++ b/crypto/openssl/crypto/mem_dbg.c
@@ -671,7 +671,15 @@ void CRYPTO_mem_leaks(BIO *b)
* void_fn_to_char kludge in CRYPTO_mem_leaks_cb.
* Otherwise the code police will come and get us.)
*/
+ int old_mh_mode;
+
CRYPTO_w_lock(CRYPTO_LOCK_MALLOC);
+
+ /* avoid deadlock when lh_free() uses CRYPTO_dbg_free(),
+ * which uses CRYPTO_is_mem_check_on */
+ old_mh_mode = mh_mode;
+ mh_mode = CRYPTO_MEM_CHECK_OFF;
+
if (mh != NULL)
{
lh_free(mh);
@@ -685,6 +693,8 @@ void CRYPTO_mem_leaks(BIO *b)
amih = NULL;
}
}
+
+ mh_mode = old_mh_mode;
CRYPTO_w_unlock(CRYPTO_LOCK_MALLOC);
}
MemCheck_on(); /* releases CRYPTO_LOCK_MALLOC2 */
diff --git a/crypto/openssl/crypto/objects/Makefile.ssl b/crypto/openssl/crypto/objects/Makefile.ssl
index 47fdc34eec53..1b43d8027b84 100644
--- a/crypto/openssl/crypto/objects/Makefile.ssl
+++ b/crypto/openssl/crypto/objects/Makefile.ssl
@@ -39,7 +39,8 @@ all: obj_dat.h lib
lib: $(LIBOBJ)
$(AR) $(LIB) $(LIBOBJ)
- $(RANLIB) $(LIB)
+ @echo You may get an error following this line. Please ignore.
+ - $(RANLIB) $(LIB)
@touch lib
files:
diff --git a/crypto/openssl/crypto/opensslv.h b/crypto/openssl/crypto/opensslv.h
index 71b53efd5187..4c644abe4400 100644
--- a/crypto/openssl/crypto/opensslv.h
+++ b/crypto/openssl/crypto/opensslv.h
@@ -25,8 +25,8 @@
* (Prior to 0.9.5a beta1, a different scheme was used: MMNNFFRBB for
* major minor fix final patch/beta)
*/
-#define OPENSSL_VERSION_NUMBER 0x0090600fL
-#define OPENSSL_VERSION_TEXT "OpenSSL 0.9.6 24 Sep 2000"
+#define OPENSSL_VERSION_NUMBER 0x00906010L
+#define OPENSSL_VERSION_TEXT "OpenSSL 0.9.6a-dev XX xxx XXXX"
#define OPENSSL_VERSION_PTEXT " part of " OPENSSL_VERSION_TEXT
diff --git a/crypto/openssl/crypto/pem/Makefile.ssl b/crypto/openssl/crypto/pem/Makefile.ssl
index ed8910921883..111dbc1ae460 100644
--- a/crypto/openssl/crypto/pem/Makefile.ssl
+++ b/crypto/openssl/crypto/pem/Makefile.ssl
@@ -40,7 +40,8 @@ all: lib
lib: $(LIBOBJ)
$(AR) $(LIB) $(LIBOBJ)
- $(RANLIB) $(LIB)
+ @echo You may get an error following this line. Please ignore.
+ - $(RANLIB) $(LIB)
@touch lib
files:
diff --git a/crypto/openssl/crypto/pem/pem_info.c b/crypto/openssl/crypto/pem/pem_info.c
index 1c5c6dea000e..f1694f112531 100644
--- a/crypto/openssl/crypto/pem/pem_info.c
+++ b/crypto/openssl/crypto/pem/pem_info.c
@@ -305,7 +305,7 @@ int PEM_X509_INFO_write_bio(BIO *bp, X509_INFO *xi, EVP_CIPHER *enc,
{
if ( (xi->enc_data!=NULL) && (xi->enc_len>0) )
{
- /* copy from wierdo names into more normal things */
+ /* copy from weirdo names into more normal things */
iv=xi->enc_cipher.iv;
data=(unsigned char *)xi->enc_data;
i=xi->enc_len;
diff --git a/crypto/openssl/crypto/pkcs12/Makefile.ssl b/crypto/openssl/crypto/pkcs12/Makefile.ssl
index 8f42d3044dfb..c92dd276398c 100644
--- a/crypto/openssl/crypto/pkcs12/Makefile.ssl
+++ b/crypto/openssl/crypto/pkcs12/Makefile.ssl
@@ -45,7 +45,8 @@ all: lib
lib: $(LIBOBJ)
$(AR) $(LIB) $(LIBOBJ)
- $(RANLIB) $(LIB)
+ @echo You may get an error following this line. Please ignore.
+ - $(RANLIB) $(LIB)
@touch lib
files:
diff --git a/crypto/openssl/crypto/pkcs12/p12_attr.c b/crypto/openssl/crypto/pkcs12/p12_attr.c
index f1a210b5d274..a16a97d03dff 100644
--- a/crypto/openssl/crypto/pkcs12/p12_attr.c
+++ b/crypto/openssl/crypto/pkcs12/p12_attr.c
@@ -151,7 +151,7 @@ int PKCS12_add_friendlyname_asc (PKCS12_SAFEBAG *bag, const char *name,
{
unsigned char *uniname;
int ret, unilen;
- if (!asc2uni(name, &uniname, &unilen)) {
+ if (!asc2uni(name, namelen, &uniname, &unilen)) {
PKCS12err(PKCS12_F_PKCS12_ADD_FRIENDLYNAME_ASC,
ERR_R_MALLOC_FAILURE);
return 0;
diff --git a/crypto/openssl/crypto/pkcs12/p12_key.c b/crypto/openssl/crypto/pkcs12/p12_key.c
index b042dcf05c95..a9b4b8c9721e 100644
--- a/crypto/openssl/crypto/pkcs12/p12_key.c
+++ b/crypto/openssl/crypto/pkcs12/p12_key.c
@@ -84,7 +84,7 @@ int PKCS12_key_gen_asc(const char *pass, int passlen, unsigned char *salt,
if(!pass) {
unipass = NULL;
uniplen = 0;
- } else if (!asc2uni(pass, &unipass, &uniplen)) {
+ } else if (!asc2uni(pass, passlen, &unipass, &uniplen)) {
PKCS12err(PKCS12_F_PKCS12_KEY_GEN_ASC,ERR_R_MALLOC_FAILURE);
return 0;
}
diff --git a/crypto/openssl/crypto/pkcs12/p12_utl.c b/crypto/openssl/crypto/pkcs12/p12_utl.c
index 17f41b45496b..2f1d1e534fc8 100644
--- a/crypto/openssl/crypto/pkcs12/p12_utl.c
+++ b/crypto/openssl/crypto/pkcs12/p12_utl.c
@@ -62,30 +62,34 @@
/* Cheap and nasty Unicode stuff */
-unsigned char *asc2uni (const char *asc, unsigned char **uni, int *unilen)
+unsigned char *asc2uni(const char *asc, int asclen, unsigned char **uni, int *unilen)
{
int ulen, i;
unsigned char *unitmp;
- ulen = strlen(asc)*2 + 2;
- if (!(unitmp = OPENSSL_malloc (ulen))) return NULL;
- for (i = 0; i < ulen; i+=2) {
+ if (asclen == -1) asclen = strlen(asc);
+ ulen = asclen*2 + 2;
+ if (!(unitmp = OPENSSL_malloc(ulen))) return NULL;
+ for (i = 0; i < ulen - 2; i+=2) {
unitmp[i] = 0;
unitmp[i + 1] = asc[i>>1];
}
+ /* Make result double null terminated */
+ unitmp[ulen - 2] = 0;
+ unitmp[ulen - 1] = 0;
if (unilen) *unilen = ulen;
if (uni) *uni = unitmp;
return unitmp;
}
-char *uni2asc (unsigned char *uni, int unilen)
+char *uni2asc(unsigned char *uni, int unilen)
{
int asclen, i;
char *asctmp;
asclen = unilen / 2;
/* If no terminating zero allow for one */
- if (uni[unilen - 1]) asclen++;
+ if (!unilen || uni[unilen - 1]) asclen++;
uni++;
- if (!(asctmp = OPENSSL_malloc (asclen))) return NULL;
+ if (!(asctmp = OPENSSL_malloc(asclen))) return NULL;
for (i = 0; i < unilen; i+=2) asctmp[i>>1] = uni[i];
asctmp[asclen - 1] = 0;
return asctmp;
diff --git a/crypto/openssl/crypto/pkcs12/pkcs12.h b/crypto/openssl/crypto/pkcs12/pkcs12.h
index 502fceff954a..e529154f2634 100644
--- a/crypto/openssl/crypto/pkcs12/pkcs12.h
+++ b/crypto/openssl/crypto/pkcs12/pkcs12.h
@@ -247,7 +247,7 @@ int PKCS12_set_mac(PKCS12 *p12, const char *pass, int passlen,
EVP_MD *md_type);
int PKCS12_setup_mac(PKCS12 *p12, int iter, unsigned char *salt,
int saltlen, EVP_MD *md_type);
-unsigned char *asc2uni(const char *asc, unsigned char **uni, int *unilen);
+unsigned char *asc2uni(const char *asc, int asclen, unsigned char **uni, int *unilen);
char *uni2asc(unsigned char *uni, int unilen);
int i2d_PKCS12_BAGS(PKCS12_BAGS *a, unsigned char **pp);
PKCS12_BAGS *PKCS12_BAGS_new(void);
diff --git a/crypto/openssl/crypto/pkcs7/Makefile.ssl b/crypto/openssl/crypto/pkcs7/Makefile.ssl
index 1757fc39ac78..5e8a6808d357 100644
--- a/crypto/openssl/crypto/pkcs7/Makefile.ssl
+++ b/crypto/openssl/crypto/pkcs7/Makefile.ssl
@@ -58,7 +58,8 @@ verify: verify.o example.o lib
lib: $(LIBOBJ)
$(AR) $(LIB) $(LIBOBJ)
- $(RANLIB) $(LIB)
+ @echo You may get an error following this line. Please ignore.
+ - $(RANLIB) $(LIB)
@touch lib
files:
diff --git a/crypto/openssl/crypto/pkcs7/pk7_mime.c b/crypto/openssl/crypto/pkcs7/pk7_mime.c
index 994473c0bd3d..086d39427012 100644
--- a/crypto/openssl/crypto/pkcs7/pk7_mime.c
+++ b/crypto/openssl/crypto/pkcs7/pk7_mime.c
@@ -165,9 +165,9 @@ int SMIME_write_PKCS7(BIO *bio, PKCS7 *p7, BIO *data, int flags)
}
bound[32] = 0;
BIO_printf(bio, "MIME-Version: 1.0\n");
- BIO_printf(bio, "Content-Type: multipart/signed ; ");
- BIO_printf(bio, "protocol=\"application/x-pkcs7-signature\" ; ");
- BIO_printf(bio, "micalg=sha1 ; boundary=\"----%s\"\n\n", bound);
+ BIO_printf(bio, "Content-Type: multipart/signed;");
+ BIO_printf(bio, " protocol=\"application/x-pkcs7-signature\";");
+ BIO_printf(bio, " micalg=sha1; boundary=\"----%s\"\n\n", bound);
BIO_printf(bio, "This is an S/MIME signed message\n\n");
/* Now write out the first part */
BIO_printf(bio, "------%s\n", bound);
diff --git a/crypto/openssl/crypto/rand/Makefile.ssl b/crypto/openssl/crypto/rand/Makefile.ssl
index b3054dc166c9..e9a6876b5a74 100644
--- a/crypto/openssl/crypto/rand/Makefile.ssl
+++ b/crypto/openssl/crypto/rand/Makefile.ssl
@@ -39,7 +39,8 @@ all: lib
lib: $(LIBOBJ)
$(AR) $(LIB) $(LIBOBJ)
- $(RANLIB) $(LIB)
+ @echo You may get an error following this line. Please ignore.
+ - $(RANLIB) $(LIB)
@touch lib
files:
diff --git a/crypto/openssl/crypto/rand/rand_win.c b/crypto/openssl/crypto/rand/rand_win.c
index 9f2dcff9a92b..8850b9ae916c 100644
--- a/crypto/openssl/crypto/rand/rand_win.c
+++ b/crypto/openssl/crypto/rand/rand_win.c
@@ -570,7 +570,7 @@ static void readtimer(void)
DWORD w;
LARGE_INTEGER l;
static int have_perfc = 1;
-#ifndef __GNUC__
+#ifdef _MSC_VER
static int have_tsc = 1;
DWORD cyclecount;
diff --git a/crypto/openssl/crypto/rand/randfile.c b/crypto/openssl/crypto/rand/randfile.c
index 528e410f7400..02f16aa81032 100644
--- a/crypto/openssl/crypto/rand/randfile.c
+++ b/crypto/openssl/crypto/rand/randfile.c
@@ -83,6 +83,9 @@
/* #define RFILE ".rnd" - defined in ../../e_os.h */
+/* Note that these functions are intended for seed files only.
+ * Entropy devices and EGD sockets are handled in rand_unix.c */
+
int RAND_load_file(const char *file, long bytes)
{
/* If bytes >= 0, read up to 'bytes' bytes.
@@ -117,7 +120,7 @@ int RAND_load_file(const char *file, long bytes)
if (bytes > 0)
{
bytes-=n;
- if (bytes == 0) break;
+ if (bytes <= 0) break;
}
}
fclose(in);
diff --git a/crypto/openssl/crypto/rc2/Makefile.ssl b/crypto/openssl/crypto/rc2/Makefile.ssl
index 542397d69aa6..6966e01b6f27 100644
--- a/crypto/openssl/crypto/rc2/Makefile.ssl
+++ b/crypto/openssl/crypto/rc2/Makefile.ssl
@@ -39,7 +39,8 @@ all: lib
lib: $(LIBOBJ)
$(AR) $(LIB) $(LIBOBJ)
- $(RANLIB) $(LIB)
+ @echo You may get an error following this line. Please ignore.
+ - $(RANLIB) $(LIB)
@touch lib
files:
diff --git a/crypto/openssl/crypto/rc4/Makefile.ssl b/crypto/openssl/crypto/rc4/Makefile.ssl
index 53eac2064a4c..8ffff0a74e3d 100644
--- a/crypto/openssl/crypto/rc4/Makefile.ssl
+++ b/crypto/openssl/crypto/rc4/Makefile.ssl
@@ -47,7 +47,8 @@ all: lib
lib: $(LIBOBJ)
$(AR) $(LIB) $(LIBOBJ)
- $(RANLIB) $(LIB)
+ @echo You may get an error following this line. Please ignore.
+ - $(RANLIB) $(LIB)
@touch lib
# elf
diff --git a/crypto/openssl/crypto/rc5/Makefile.ssl b/crypto/openssl/crypto/rc5/Makefile.ssl
index 3d1685602969..cf5d176859ba 100644
--- a/crypto/openssl/crypto/rc5/Makefile.ssl
+++ b/crypto/openssl/crypto/rc5/Makefile.ssl
@@ -44,7 +44,8 @@ all: lib
lib: $(LIBOBJ)
$(AR) $(LIB) $(LIBOBJ)
- $(RANLIB) $(LIB)
+ @echo You may get an error following this line. Please ignore.
+ - $(RANLIB) $(LIB)
@touch lib
# elf
diff --git a/crypto/openssl/crypto/ripemd/Makefile.ssl b/crypto/openssl/crypto/ripemd/Makefile.ssl
index 4bd78dd6fd2f..0b1cd7394132 100644
--- a/crypto/openssl/crypto/ripemd/Makefile.ssl
+++ b/crypto/openssl/crypto/ripemd/Makefile.ssl
@@ -42,7 +42,8 @@ all: lib
lib: $(LIBOBJ)
$(AR) $(LIB) $(LIBOBJ)
- $(RANLIB) $(LIB)
+ @echo You may get an error following this line. Please ignore.
+ - $(RANLIB) $(LIB)
@touch lib
# elf
diff --git a/crypto/openssl/crypto/rsa/Makefile.ssl b/crypto/openssl/crypto/rsa/Makefile.ssl
index 22a42b4e1b74..1be9a1cd2397 100644
--- a/crypto/openssl/crypto/rsa/Makefile.ssl
+++ b/crypto/openssl/crypto/rsa/Makefile.ssl
@@ -41,7 +41,8 @@ all: lib
lib: $(LIBOBJ)
$(AR) $(LIB) $(LIBOBJ)
- $(RANLIB) $(LIB)
+ @echo You may get an error following this line. Please ignore.
+ - $(RANLIB) $(LIB)
@touch lib
files:
diff --git a/crypto/openssl/crypto/rsa/rsa_eay.c b/crypto/openssl/crypto/rsa/rsa_eay.c
index 618b5bd59565..62618fe5a999 100644
--- a/crypto/openssl/crypto/rsa/rsa_eay.c
+++ b/crypto/openssl/crypto/rsa/rsa_eay.c
@@ -138,11 +138,28 @@ static int RSA_eay_public_encrypt(int flen, unsigned char *from,
if ((rsa->_method_mod_n == NULL) && (rsa->flags & RSA_FLAG_CACHE_PUBLIC))
{
- if ((rsa->_method_mod_n=BN_MONT_CTX_new()) != NULL)
- if (!BN_MONT_CTX_set(rsa->_method_mod_n,rsa->n,ctx))
- goto err;
+ BN_MONT_CTX* bn_mont_ctx;
+ if ((bn_mont_ctx=BN_MONT_CTX_new()) == NULL)
+ goto err;
+ if (!BN_MONT_CTX_set(bn_mont_ctx,rsa->n,ctx))
+ {
+ BN_MONT_CTX_free(bn_mont_ctx);
+ goto err;
+ }
+ if (rsa->_method_mod_n == NULL) /* other thread may have finished first */
+ {
+ CRYPTO_w_lock(CRYPTO_LOCK_RSA);
+ if (rsa->_method_mod_n == NULL)
+ {
+ rsa->_method_mod_n = bn_mont_ctx;
+ bn_mont_ctx = NULL;
+ }
+ CRYPTO_w_unlock(CRYPTO_LOCK_RSA);
+ }
+ if (bn_mont_ctx)
+ BN_MONT_CTX_free(bn_mont_ctx);
}
-
+
if (!rsa->meth->bn_mod_exp(&ret,&f,rsa->e,rsa->n,ctx,
rsa->_method_mod_n)) goto err;
@@ -369,11 +386,28 @@ static int RSA_eay_public_decrypt(int flen, unsigned char *from,
/* do the decrypt */
if ((rsa->_method_mod_n == NULL) && (rsa->flags & RSA_FLAG_CACHE_PUBLIC))
{
- if ((rsa->_method_mod_n=BN_MONT_CTX_new()) != NULL)
- if (!BN_MONT_CTX_set(rsa->_method_mod_n,rsa->n,ctx))
- goto err;
+ BN_MONT_CTX* bn_mont_ctx;
+ if ((bn_mont_ctx=BN_MONT_CTX_new()) == NULL)
+ goto err;
+ if (!BN_MONT_CTX_set(bn_mont_ctx,rsa->n,ctx))
+ {
+ BN_MONT_CTX_free(bn_mont_ctx);
+ goto err;
+ }
+ if (rsa->_method_mod_n == NULL) /* other thread may have finished first */
+ {
+ CRYPTO_w_lock(CRYPTO_LOCK_RSA);
+ if (rsa->_method_mod_n == NULL)
+ {
+ rsa->_method_mod_n = bn_mont_ctx;
+ bn_mont_ctx = NULL;
+ }
+ CRYPTO_w_unlock(CRYPTO_LOCK_RSA);
+ }
+ if (bn_mont_ctx)
+ BN_MONT_CTX_free(bn_mont_ctx);
}
-
+
if (!rsa->meth->bn_mod_exp(&ret,&f,rsa->e,rsa->n,ctx,
rsa->_method_mod_n)) goto err;
@@ -421,20 +455,53 @@ static int RSA_eay_mod_exp(BIGNUM *r0, BIGNUM *I, RSA *rsa)
{
if (rsa->_method_mod_p == NULL)
{
- if ((rsa->_method_mod_p=BN_MONT_CTX_new()) != NULL)
- if (!BN_MONT_CTX_set(rsa->_method_mod_p,rsa->p,
- ctx))
- goto err;
+ BN_MONT_CTX* bn_mont_ctx;
+ if ((bn_mont_ctx=BN_MONT_CTX_new()) == NULL)
+ goto err;
+ if (!BN_MONT_CTX_set(bn_mont_ctx,rsa->p,ctx))
+ {
+ BN_MONT_CTX_free(bn_mont_ctx);
+ goto err;
+ }
+ if (rsa->_method_mod_p == NULL) /* other thread may have finished first */
+ {
+ CRYPTO_w_lock(CRYPTO_LOCK_RSA);
+ if (rsa->_method_mod_p == NULL)
+ {
+ rsa->_method_mod_p = bn_mont_ctx;
+ bn_mont_ctx = NULL;
+ }
+ CRYPTO_w_unlock(CRYPTO_LOCK_RSA);
+ }
+ if (bn_mont_ctx)
+ BN_MONT_CTX_free(bn_mont_ctx);
}
+
if (rsa->_method_mod_q == NULL)
{
- if ((rsa->_method_mod_q=BN_MONT_CTX_new()) != NULL)
- if (!BN_MONT_CTX_set(rsa->_method_mod_q,rsa->q,
- ctx))
- goto err;
+ BN_MONT_CTX* bn_mont_ctx;
+ if ((bn_mont_ctx=BN_MONT_CTX_new()) == NULL)
+ goto err;
+ if (!BN_MONT_CTX_set(bn_mont_ctx,rsa->q,ctx))
+ {
+ BN_MONT_CTX_free(bn_mont_ctx);
+ goto err;
+ }
+ if (rsa->_method_mod_q == NULL) /* other thread may have finished first */
+ {
+ CRYPTO_w_lock(CRYPTO_LOCK_RSA);
+ if (rsa->_method_mod_q == NULL)
+ {
+ rsa->_method_mod_q = bn_mont_ctx;
+ bn_mont_ctx = NULL;
+ }
+ CRYPTO_w_unlock(CRYPTO_LOCK_RSA);
+ }
+ if (bn_mont_ctx)
+ BN_MONT_CTX_free(bn_mont_ctx);
}
}
-
+
if (!BN_mod(&r1,I,rsa->q,ctx)) goto err;
if (!rsa->meth->bn_mod_exp(&m1,&r1,rsa->dmq1,rsa->q,ctx,
rsa->_method_mod_q)) goto err;
diff --git a/crypto/openssl/crypto/sha/Makefile.ssl b/crypto/openssl/crypto/sha/Makefile.ssl
index 0e6e7b8940c6..75d3e0bf4ff3 100644
--- a/crypto/openssl/crypto/sha/Makefile.ssl
+++ b/crypto/openssl/crypto/sha/Makefile.ssl
@@ -42,7 +42,8 @@ all: lib
lib: $(LIBOBJ)
$(AR) $(LIB) $(LIBOBJ)
- $(RANLIB) $(LIB)
+ @echo You may get an error following this line. Please ignore.
+ - $(RANLIB) $(LIB)
@touch lib
# elf
diff --git a/crypto/openssl/crypto/sha/asm/sha1-586.pl b/crypto/openssl/crypto/sha/asm/sha1-586.pl
index 09df993ecd4e..fe51fd079457 100644
--- a/crypto/openssl/crypto/sha/asm/sha1-586.pl
+++ b/crypto/openssl/crypto/sha/asm/sha1-586.pl
@@ -317,7 +317,7 @@ sub BODY_60_79
sub sha1_block_host
{
- local($name)=@_;
+ local($name, $sclabel)=@_;
&function_begin_B($name,"");
@@ -352,7 +352,7 @@ sub sha1_block_host
&mov(&swtmp($i+0),$A);
&mov(&swtmp($i+1),$B);
}
- &jmp(&label("shortcut"));
+ &jmp($sclabel);
&function_end_B($name);
}
@@ -529,10 +529,12 @@ sub sha1_block_data
&pop("esi");
&ret();
- # it has to reside within sha1_block_asm_host_order body
- # because it calls &jmp(&label("shortcut"));
- &sha1_block_host("sha1_block_asm_host_order");
+ # keep a note of shortcut label so it can be used outside
+ # block.
+ my $sclabel = &label("shortcut");
&function_end_B($name);
+ # Putting this here avoids problems with MASM in debugging mode
+ &sha1_block_host("sha1_block_asm_host_order", $sclabel);
}
diff --git a/crypto/openssl/crypto/stack/Makefile.ssl b/crypto/openssl/crypto/stack/Makefile.ssl
index 69d0a1cf6884..2027d3946ce1 100644
--- a/crypto/openssl/crypto/stack/Makefile.ssl
+++ b/crypto/openssl/crypto/stack/Makefile.ssl
@@ -39,7 +39,8 @@ all: lib
lib: $(LIBOBJ)
$(AR) $(LIB) $(LIBOBJ)
- $(RANLIB) $(LIB)
+ @echo You may get an error following this line. Please ignore.
+ - $(RANLIB) $(LIB)
@touch lib
files:
diff --git a/crypto/openssl/crypto/txt_db/Makefile.ssl b/crypto/openssl/crypto/txt_db/Makefile.ssl
index 0e900ce7485b..567202abb771 100644
--- a/crypto/openssl/crypto/txt_db/Makefile.ssl
+++ b/crypto/openssl/crypto/txt_db/Makefile.ssl
@@ -39,7 +39,8 @@ all: lib
lib: $(LIBOBJ)
$(AR) $(LIB) $(LIBOBJ)
- $(RANLIB) $(LIB)
+ @echo You may get an error following this line. Please ignore.
+ - $(RANLIB) $(LIB)
@touch lib
files:
diff --git a/crypto/openssl/crypto/x509/Makefile.ssl b/crypto/openssl/crypto/x509/Makefile.ssl
index f8e59666c99f..55356c680b20 100644
--- a/crypto/openssl/crypto/x509/Makefile.ssl
+++ b/crypto/openssl/crypto/x509/Makefile.ssl
@@ -49,7 +49,8 @@ all: lib
lib: $(LIBOBJ)
$(AR) $(LIB) $(LIBOBJ)
- $(RANLIB) $(LIB)
+ @echo You may get an error following this line. Please ignore.
+ - $(RANLIB) $(LIB)
@touch lib
files:
diff --git a/crypto/openssl/crypto/x509/by_dir.c b/crypto/openssl/crypto/x509/by_dir.c
index cac64a6f4045..448bd7e69cca 100644
--- a/crypto/openssl/crypto/x509/by_dir.c
+++ b/crypto/openssl/crypto/x509/by_dir.c
@@ -327,7 +327,7 @@ static int get_cert_by_subject(X509_LOOKUP *xl, int type, X509_NAME *name,
* it out again */
CRYPTO_r_lock(CRYPTO_LOCK_X509_STORE);
j = sk_X509_OBJECT_find(xl->store_ctx->objs,&stmp);
- if(j != -1) tmp=sk_X509_OBJECT_value(xl->store_ctx->objs,i);
+ if(j != -1) tmp=sk_X509_OBJECT_value(xl->store_ctx->objs,j);
else tmp = NULL;
CRYPTO_r_unlock(CRYPTO_LOCK_X509_STORE);
diff --git a/crypto/openssl/crypto/x509v3/Makefile.ssl b/crypto/openssl/crypto/x509v3/Makefile.ssl
index 483df46fd416..8ed366504940 100644
--- a/crypto/openssl/crypto/x509v3/Makefile.ssl
+++ b/crypto/openssl/crypto/x509v3/Makefile.ssl
@@ -43,7 +43,8 @@ all: lib
lib: $(LIBOBJ)
$(AR) $(LIB) $(LIBOBJ)
- $(RANLIB) $(LIB)
+ @echo You may get an error following this line. Please ignore.
+ - $(RANLIB) $(LIB)
@touch lib
files:
diff --git a/crypto/openssl/crypto/x509v3/v3_prn.c b/crypto/openssl/crypto/x509v3/v3_prn.c
index dbc4fb1f1600..14b804c4ad33 100644
--- a/crypto/openssl/crypto/x509v3/v3_prn.c
+++ b/crypto/openssl/crypto/x509v3/v3_prn.c
@@ -85,9 +85,16 @@ void X509V3_EXT_val_prn(BIO *out, STACK_OF(CONF_VALUE) *val, int indent, int ml)
else BIO_printf(out, "%s:%s", nval->name, nval->value);
#else
else {
- char tmp[10240]; /* 10k is BIO_printf's limit anyway */
- ascii2ebcdic(tmp, nval->value, strlen(nval->value)+1);
- BIO_printf(out, "%s:%s", nval->name, tmp);
+ int len;
+ char *tmp;
+ len = strlen(nval->value)+1;
+ tmp = OPENSSL_malloc(len);
+ if (tmp)
+ {
+ ascii2ebcdic(tmp, nval->value, len);
+ BIO_printf(out, "%s:%s", nval->name, tmp);
+ OPENSSL_free(tmp);
+ }
}
#endif
if(ml) BIO_puts(out, "\n");
@@ -115,9 +122,16 @@ int X509V3_EXT_print(BIO *out, X509_EXTENSION *ext, int flag, int indent)
BIO_printf(out, "%*s%s", indent, "", value);
#else
{
- char tmp[10240]; /* 10k is BIO_printf's limit anyway */
- ascii2ebcdic(tmp, value, strlen(value)+1);
- BIO_printf(out, "%*s%s", indent, "", tmp);
+ int len;
+ char *tmp;
+ len = strlen(value)+1;
+ tmp = OPENSSL_malloc(len);
+ if (tmp)
+ {
+ ascii2ebcdic(tmp, value, len);
+ BIO_printf(out, "%*s%s", indent, "", tmp);
+ OPENSSL_free(tmp);
+ }
}
#endif
} else if(method->i2v) {
diff --git a/crypto/openssl/crypto/x509v3/v3_purp.c b/crypto/openssl/crypto/x509v3/v3_purp.c
index 867699b26f3a..8aecd00e6325 100644
--- a/crypto/openssl/crypto/x509v3/v3_purp.c
+++ b/crypto/openssl/crypto/x509v3/v3_purp.c
@@ -362,6 +362,8 @@ static int ca_check(const X509 *x)
else return 0;
} else {
if((x->ex_flags & V1_ROOT) == V1_ROOT) return 3;
+ /* If key usage present it must have certSign so tolerate it */
+ else if (x->ex_flags & EXFLAG_KUSAGE) return 3;
else return 2;
}
}
@@ -380,7 +382,7 @@ static int check_ssl_ca(const X509 *x)
if(ca_ret != 2) return ca_ret;
else return 0;
}
-
+
static int check_purpose_ssl_client(const X509_PURPOSE *xp, const X509 *x, int ca)
{
@@ -446,7 +448,7 @@ static int check_purpose_smime_sign(const X509_PURPOSE *xp, const X509 *x, int c
int ret;
ret = purpose_smime(x, ca);
if(!ret || ca) return ret;
- if(ku_reject(x, KU_DIGITAL_SIGNATURE)) return 0;
+ if(ku_reject(x, KU_DIGITAL_SIGNATURE|KU_NON_REPUDIATION)) return 0;
return ret;
}
diff --git a/crypto/openssl/doc/crypto/BN_rand.pod b/crypto/openssl/doc/crypto/BN_rand.pod
index 33363c981f60..2a8bed5fed8f 100644
--- a/crypto/openssl/doc/crypto/BN_rand.pod
+++ b/crypto/openssl/doc/crypto/BN_rand.pod
@@ -12,6 +12,8 @@ BN_rand, BN_pseudo_rand - generate pseudo-random number
int BN_pseudo_rand(BIGNUM *rnd, int bits, int top, int bottom);
+ int BN_rand_range(BIGNUM *rnd, BIGNUM *range);
+
=head1 DESCRIPTION
BN_rand() generates a cryptographically strong pseudo-random number of
@@ -25,11 +27,14 @@ this function are not necessarily unpredictable. They can be used for
non-cryptographic purposes and for certain purposes in cryptographic
protocols, but usually not for key generation etc.
-The PRNG must be seeded prior to calling BN_rand().
+BN_rand_range() generates a cryptographically strong pseudo-random
+number B<rnd> in the range 0 <lt>= B<rnd> E<lt> B<range>.
+
+The PRNG must be seeded prior to calling BN_rand() or BN_rand_range().
=head1 RETURN VALUES
-BN_rand() and BN_pseudo_rand() return 1 on success, 0 on error.
+The functions return 1 on success, 0 on error.
The error codes can be obtained by L<ERR_get_error(3)|ERR_get_error(3)>.
=head1 SEE ALSO
@@ -40,6 +45,7 @@ L<RAND_add(3)|RAND_add(3)>, L<RAND_bytes(3)|RAND_bytes(3)>
=head1 HISTORY
BN_rand() is available in all versions of SSLeay and OpenSSL.
-BN_pseudo_rand() was added in OpenSSL 0.9.5.
+BN_pseudo_rand() was added in OpenSSL 0.9.5, and BN_rand_range()
+in OpenSSL 0.9.6a.
=cut
diff --git a/crypto/openssl/doc/crypto/RAND_egd.pod b/crypto/openssl/doc/crypto/RAND_egd.pod
index 40241e2df8ee..71cab3ca04a4 100644
--- a/crypto/openssl/doc/crypto/RAND_egd.pod
+++ b/crypto/openssl/doc/crypto/RAND_egd.pod
@@ -9,10 +9,30 @@ RAND_egd - query entropy gathering daemon
#include <openssl/rand.h>
int RAND_egd(const char *path);
+ int RAND_egd_bytes(const char *path, int bytes);
=head1 DESCRIPTION
RAND_egd() queries the entropy gathering daemon EGD on socket B<path>.
+It queries 255 bytes and uses L<RAND_add(3)|RAND_add(3)> to seed the
+OpenSSL built-in PRNG. RAND_egd(path) is a wrapper for
+RAND_egd_bytes(path, 255);
+
+RAND_egd_bytes() queries the entropy gathering daemon EGD on socket B<path>.
+It queries B<bytes> bytes and uses L<RAND_add(3)|RAND_add(3)> to seed the
+OpenSSL built-in PRNG.
+This function is more flexible than RAND_egd().
+When only one secret key must
+be generated, it is not necessary to request the full amount 255 bytes from
+the EGD socket. This can be advantageous, since the amount of entropy
+that can be retrieved from EGD over time is limited.
+
+=head1 NOTES
+
+On systems without /dev/*random devices providing entropy from the kernel,
+the EGD entropy gathering daemon can be used to collect entropy. It provides
+a socket interface through which entropy can be gathered in chunks up to
+255 bytes. Several chunks can be queried during one connection.
EGD is available from http://www.lothar.com/tech/crypto/ (C<perl
Makefile.PL; make; make install> to install). It is run as B<egd>
@@ -21,22 +41,27 @@ RAND_egd() is called with that path as an argument, it tries to read
random bytes that EGD has collected. The read is performed in
non-blocking mode.
-Alternatively, the EGD-compatible daemon PRNGD can be used. It is
+Alternatively, the EGD-interface compatible daemon PRNGD can be used. It is
available from
http://www.aet.tu-cottbus.de/personen/jaenicke/postfix_tls/prngd.html .
+PRNGD does employ an internal PRNG itself and can therefore never run
+out of entropy.
=head1 RETURN VALUE
-RAND_egd() returns the number of bytes read from the daemon on
-success, and -1 if the connection failed or the daemon did not return
-enough data to fully seed the PRNG.
+RAND_egd() and RAND_egd_bytes() return the number of bytes read from the
+daemon on success, and -1 if the connection failed or the daemon did not
+return enough data to fully seed the PRNG.
=head1 SEE ALSO
-L<rand(3)|rand(3)>, L<RAND_add(3)|RAND_add(3)>, L<RAND_cleanup(3)|RAND_cleanup(3)>
+L<rand(3)|rand(3)>, L<RAND_add(3)|RAND_add(3)>,
+L<RAND_cleanup(3)|RAND_cleanup(3)>
=head1 HISTORY
RAND_egd() is available since OpenSSL 0.9.5.
+RAND_egd_bytes() is available since OpenSSL 0.9.6.
+
=cut
diff --git a/crypto/openssl/doc/crypto/bn.pod b/crypto/openssl/doc/crypto/bn.pod
index 1504a1c92dfd..d183028d6127 100644
--- a/crypto/openssl/doc/crypto/bn.pod
+++ b/crypto/openssl/doc/crypto/bn.pod
@@ -60,6 +60,7 @@ bn - multiprecision integer arithmetics
int BN_rand(BIGNUM *rnd, int bits, int top, int bottom);
int BN_pseudo_rand(BIGNUM *rnd, int bits, int top, int bottom);
+ int BN_rand_range(BIGNUM *rnd, BIGNUM *range);
BIGNUM *BN_generate_prime(BIGNUM *ret, int bits,int safe, BIGNUM *add,
BIGNUM *rem, void (*callback)(int, int, void *), void *cb_arg);
diff --git a/crypto/openssl/doc/crypto/des.pod b/crypto/openssl/doc/crypto/des.pod
index ab3e26e9ecd8..99080391b176 100644
--- a/crypto/openssl/doc/crypto/des.pod
+++ b/crypto/openssl/doc/crypto/des.pod
@@ -345,7 +345,7 @@ the MIT Kerberos library.
=head1 SEE ALSO
-crypt(3), L<des_modes(3)|des_modes(3)>, L<evp(3)|evp(3)>, L<rand(3)|rand(3)>
+crypt(3), L<des_modes(7)|des_modes(7)>, L<evp(3)|evp(3)>, L<rand(3)|rand(3)>
=head1 HISTORY
diff --git a/crypto/openssl/doc/crypto/evp.pod b/crypto/openssl/doc/crypto/evp.pod
index f089dd49a219..edf47dbde664 100644
--- a/crypto/openssl/doc/crypto/evp.pod
+++ b/crypto/openssl/doc/crypto/evp.pod
@@ -10,7 +10,7 @@ evp - high-level cryptographic functions
=head1 DESCRIPTION
-The EVP library provided a high-level interface to cryptographic
+The EVP library provides a high-level interface to cryptographic
functions.
B<EVP_Seal>I<...> and B<EVP_Open>I<...> provide public key encryption
diff --git a/crypto/openssl/doc/ssl/SSL_CIPHER_get_name.pod b/crypto/openssl/doc/ssl/SSL_CIPHER_get_name.pod
index 7fea14ee6867..bf851dcea5a0 100644
--- a/crypto/openssl/doc/ssl/SSL_CIPHER_get_name.pod
+++ b/crypto/openssl/doc/ssl/SSL_CIPHER_get_name.pod
@@ -2,8 +2,7 @@
=head1 NAME
-SSL_CIPHER_get_name, SSL_CIPHER_get_bits, SSL_CIPHER_get_version,
-SSL_CIPHER_description - get SSL_CIPHER properties
+SSL_CIPHER_get_name, SSL_CIPHER_get_bits, SSL_CIPHER_get_version, SSL_CIPHER_description - get SSL_CIPHER properties
=head1 SYNOPSIS
@@ -29,9 +28,10 @@ SSL_CIPHER_get_version() returns the protocol version for B<cipher>, currently
SSL_CIPHER_description() returns a textual description of the cipher used
into the buffer B<buf> of length B<len> provided. B<len> must be at least
-128 bytes, otherwise the string "Buffer too small" is returned. If B<buf>
-is NULL, a buffer of 128 bytes is allocated using OPENSSL_malloc(). If the
-allocation fails, the string "OPENSSL_malloc Error" is returned.
+128 bytes, otherwise a pointer to the the string "Buffer too small" is
+returned. If B<buf> is NULL, a buffer of 128 bytes is allocated using
+OPENSSL_malloc(). If the allocation fails, a pointer to the string
+"OPENSSL_malloc Error" is returned.
=head1 NOTES
@@ -40,11 +40,66 @@ export cipher like e.g. EXP-RC4-MD5 has only 40 secret bits. The algorithm
does use the full 128 bits (which would be returned for B<alg_bits>), of
which however 88bits are fixed. The search space is hence only 40 bits.
+The string returned by SSL_CIPHER_description() in case of success consists
+of cleartext information seperated by one or more blanks in the following
+sequence:
+
+=over 4
+
+=item <ciphername>
+
+Textual representation of the cipher name.
+
+=item <protocol version>
+
+Protocol version: B<SSLv2>, B<SSLv3>. The TLSv1 ciphers are flagged with SSLv3.
+
+=item Kx=<key exchange>
+
+Key exchange method: B<RSA> (for export ciphers as B<RSA(512)> or
+B<RSA(1024)>), B<DH> (for export ciphers as B<DH(512)> or B<DH(1024)>),
+B<DH/RSA>, B<DH/DSS>, B<Fortezza>.
+
+=item Au=<authentication>
+
+Authentication method: B<RSA>, B<DSS>, B<DH>, B<None>. None is the
+representation of anonymous ciphers.
+
+=item Enc=<symmectric encryption method>
+
+Encryption method with number of secret bits: B<DES(40)>, B<DES(56)>,
+B<3DES(168)>, B<RC4(40)>, B<RC4(56)>, B<RC4(64)>, B<RC4(128)>,
+B<RC2(40)>, B<RC2(56)>, B<RC2(128)>, B<IDEA(128)>, B<Fortezza>, B<None>.
+
+=item Mac=<message authentication code>
+
+Message digest: B<MD5>, B<SHA1>.
+
+=item <export flag>
+
+If the cipher is flagged exportable with respect to old US crypto
+regulations, the word "B<export>" is printed.
+
+=back
+
+=head1 EXAMPLES
+
+Some examples for the output of SSL_CIPHER_description():
+
+ EDH-RSA-DES-CBC3-SHA SSLv3 Kx=DH Au=RSA Enc=3DES(168) Mac=SHA1
+ EDH-DSS-DES-CBC3-SHA SSLv3 Kx=DH Au=DSS Enc=3DES(168) Mac=SHA1
+ RC4-MD5 SSLv3 Kx=RSA Au=RSA Enc=RC4(128) Mac=MD5
+ EXP-RC4-MD5 SSLv3 Kx=RSA(512) Au=RSA Enc=RC4(40) Mac=MD5 export
+
=head1 BUGS
If SSL_CIPHER_description() is called with B<cipher> being NULL, the
library crashes.
+If SSL_CIPHER_description() cannot handle a built-in cipher, the according
+description of the cipher property is B<unknown>. This case should not
+occur.
+
=head1 RETURN VALUES
See DESCRIPTION
@@ -52,6 +107,6 @@ See DESCRIPTION
=head1 SEE ALSO
L<ssl(3)|ssl(3)>, L<SSL_get_current_cipher(3)|SSL_get_current_cipher(3)>,
-L<SSL_get_ciphers(3)|SSL_get_ciphers(3)>
+L<SSL_get_ciphers(3)|SSL_get_ciphers(3)>, L<ciphers(1)|ciphers(1)>
=cut
diff --git a/crypto/openssl/doc/ssl/SSL_CTX_add_extra_chain_cert.pod b/crypto/openssl/doc/ssl/SSL_CTX_add_extra_chain_cert.pod
new file mode 100644
index 000000000000..21a9db0e2a40
--- /dev/null
+++ b/crypto/openssl/doc/ssl/SSL_CTX_add_extra_chain_cert.pod
@@ -0,0 +1,38 @@
+=pod
+
+=head1 NAME
+
+SSL_CTX_add_extra_chain_cert - add certificate to chain
+
+=head1 SYNOPSIS
+
+ #include <openssl/ssl.h>
+
+ long SSL_CTX_add_extra_chain_cert(SSL_CTX ctx, X509 *x509)
+
+=head1 DESCRIPTION
+
+SSL_CTX_add_extra_chain_cert() adds the certificate B<x509> to the certificate
+chain presented together with the certificate. Several certificates
+can be added one after the other.
+
+=head1 NOTES
+
+When constructing the certificate chain, the chain will be formed from
+these certificates explicitly specified. If no chain is specified,
+the library will try to complete the chain from the available CA
+certificates in the trusted CA storage, see
+L<SSL_CTX_load_verify_locations(3)|SSL_CTX_load_verify_locations(3)>.
+
+=head1 RETURN VALUES
+
+SSL_CTX_add_extra_chain_cert() returns 1 on success. Check out the
+error stack to find out the reason for failure otherwise.
+
+=head1 SEE ALSO
+
+L<ssl(3)|ssl(3)>,
+L<SSL_CTX_use_certificate(3)|SSL_CTX_use_certificate(3)>,
+L<SSL_CTX_load_verify_locations(3)|SSL_CTX_load_verify_locations(3)>
+
+=cut
diff --git a/crypto/openssl/doc/ssl/SSL_CTX_add_session.pod b/crypto/openssl/doc/ssl/SSL_CTX_add_session.pod
new file mode 100644
index 000000000000..af326c2f7340
--- /dev/null
+++ b/crypto/openssl/doc/ssl/SSL_CTX_add_session.pod
@@ -0,0 +1,65 @@
+=pod
+
+=head1 NAME
+
+SSL_CTX_add_session, SSL_add_session, SSL_CTX_remove_session, SSL_remove_session - manipulate session cache
+
+=head1 SYNOPSIS
+
+ #include <openssl/ssl.h>
+
+ int SSL_CTX_add_session(SSL_CTX *ctx, SSL_SESSION *c);
+ int SSL_add_session(SSL_CTX *ctx, SSL_SESSION *c);
+
+ int SSL_CTX_remove_session(SSL_CTX *ctx, SSL_SESSION *c);
+ int SSL_remove_session(SSL_CTX *ctx, SSL_SESSION *c);
+
+=head1 DESCRIPTION
+
+SSL_CTX_add_session() adds the session B<c> to the context B<ctx>. The
+reference count for session B<c> is incremented by 1. If a session with
+the same session id already exists, the old session is removed by calling
+L<SSL_SESSION_free(3)|SSL_SESSION_free(3)>.
+
+SSL_CTX_remove_session() removes the session B<c> from the context B<ctx>.
+L<SSL_SESSION_free(3)|SSL_SESSION_free(3)> is called once for B<c>.
+
+SSL_add_session() and SSL_remove_session() are synonyms for their
+SSL_CTX_*() counterparts.
+
+=head1 NOTES
+
+When adding a new session to the internal session cache, it is examined
+whether a session with the same session id already exists. In this case
+it is assumed that both sessions are identical. If the same session is
+stored in a different SSL_SESSION object, The old session is
+removed and replaced by the new session. If the session is actually
+identical (the SSL_SESSION object is identical), SSL_CTX_add_session()
+is a no-op, and the return value is 0.
+
+
+=head1 RETURN VALUES
+
+The following values are returned by all functions:
+
+=over 4
+
+=item 0
+
+ The operation failed. In case of the add operation, it was tried to add
+ the same (identical) session twice. In case of the remove operation, the
+ session was not found in the cache.
+
+=item 1
+
+ The operation succeeded.
+
+=back
+
+=head1 SEE ALSO
+
+L<ssl(3)|ssl(3)>,
+L<SSL_CTX_set_session_cache_mode(3)|SSL_CTX_set_session_cache_mode(3)>,
+L<SSL_SESSION_free(3)|SSL_SESSION_free(3)>
+
+=cut
diff --git a/crypto/openssl/doc/ssl/SSL_CTX_flush_sessions.pod b/crypto/openssl/doc/ssl/SSL_CTX_flush_sessions.pod
new file mode 100644
index 000000000000..148c36c87151
--- /dev/null
+++ b/crypto/openssl/doc/ssl/SSL_CTX_flush_sessions.pod
@@ -0,0 +1,49 @@
+=pod
+
+=head1 NAME
+
+SSL_CTX_flush_sessions, SSL_flush_sessions - remove expired sessions
+
+=head1 SYNOPSIS
+
+ #include <openssl/ssl.h>
+
+ void SSL_CTX_flush_sessions(SSL_CTX *ctx, long tm);
+ void SSL_flush_sessions(SSL_CTX *ctx, long tm);
+
+=head1 DESCRIPTION
+
+SSL_CTX_flush_sessions() causes a run through the session cache of
+B<ctx> to remove sessions expired at time B<tm>.
+
+SSL_flush_sessions() is a synonym for SSL_CTX_flush_sessions().
+
+=head1 NOTES
+
+If enabled, the internal session cache will collect all sessions established
+up to the specified maximum number (see SSL_CTX_sess_set_cache_size()).
+As sessions will not be reused ones they are expired, they should be
+removed from the cache to save resources. This can either be done
+ automatically whenever 255 new sessions were established (see
+L<SSL_CTX_set_session_cache_mode(3)|SSL_CTX_set_session_cache_mode(3)>)
+or manually by calling SSL_CTX_flush_sessions().
+
+The parameter B<tm> specifies the time which should be used for the
+expiration test, in most cases the actual time given by time(0)
+will be used.
+
+SSL_CTX_flush_sessions() will only check sessions stored in the internal
+cache. When a session is found and removed, the remove_session_cb is however
+called to synchronize with the external cache (see
+L<SSL_CTX_sess_set_get_cb(3)|SSL_CTX_sess_set_get_cb(3)>).
+
+=head1 RETURN VALUES
+
+=head1 SEE ALSO
+
+L<ssl(3)|ssl(3)>,
+L<SSL_CTX_set_session_cache_mode(3)|SSL_CTX_set_session_cache_mode(3)>,
+L<SSL_CTX_set_timeout(3)|SSL_CTX_set_timeout(3)>,
+L<SSL_CTX_sess_set_get_cb(3)|SSL_CTX_sess_set_get_cb(3)>
+
+=cut
diff --git a/crypto/openssl/doc/ssl/SSL_CTX_get_ex_new_index.pod b/crypto/openssl/doc/ssl/SSL_CTX_get_ex_new_index.pod
new file mode 100644
index 000000000000..15067438c82d
--- /dev/null
+++ b/crypto/openssl/doc/ssl/SSL_CTX_get_ex_new_index.pod
@@ -0,0 +1,53 @@
+=pod
+
+=head1 NAME
+
+SSL_CTX_get_ex_new_index, SSL_CTX_set_ex_data, SSL_CTX_get_ex_data - internal application specific data functions
+
+=head1 SYNOPSIS
+
+ #include <openssl/ssl.h>
+
+ int SSL_CTX_get_ex_new_index(long argl, void *argp,
+ CRYPTO_EX_new *new_func,
+ CRYPTO_EX_dup *dup_func,
+ CRYPTO_EX_free *free_func);
+
+ int SSL_CTX_set_ex_data(SSL_CTX *ctx, int idx, void *arg);
+
+ void *SSL_CTX_get_ex_data(SSL_CTX *ctx, int idx);
+
+ typedef int new_func(void *parent, void *ptr, CRYPTO_EX_DATA *ad,
+ int idx, long argl, void *argp);
+ typedef void free_func(void *parent, void *ptr, CRYPTO_EX_DATA *ad,
+ int idx, long argl, void *argp);
+ typedef int dup_func(CRYPTO_EX_DATA *to, CRYPTO_EX_DATA *from, void *from_d,
+ int idx, long argl, void *argp);
+
+=head1 DESCRIPTION
+
+Several OpenSSL structures can have application specific data attached to them.
+These functions are used internally by OpenSSL to manipulate application
+specific data attached to a specific structure.
+
+SSL_CTX_get_ex_new_index() is used to register a new index for application
+specific data.
+
+SSL_CTX_set_ex_data() is used to store application data at B<arg> for B<idx>
+into the B<ctx> object.
+
+SSL_CTX_get_ex_data() is used to retrieve the information for B<idx> from
+B<ctx>.
+
+A detailed description for the B<*_get_ex_new_index()> functionality
+can be found in L<RSA_get_ex_new_index.pod(3)|RSA_get_ex_new_index.pod(3)>.
+The B<*_get_ex_data()> and B<*_set_ex_data()> functionality is described in
+L<CRYPTO_set_ex_data(3)|CRYPTO_set_ex_data(3)>.
+
+=head1 SEE ALSO
+
+L<ssl(3)|ssl(3)>,
+L<RSA_get_ex_new_index(3)|RSA_get_ex_new_index(3)>,
+L<CRYPTO_set_ex_data(3)|CRYPTO_set_ex_data(3)>
+
+=cut
diff --git a/crypto/openssl/doc/ssl/SSL_CTX_get_verify_mode.pod b/crypto/openssl/doc/ssl/SSL_CTX_get_verify_mode.pod
new file mode 100644
index 000000000000..7f10c6e94509
--- /dev/null
+++ b/crypto/openssl/doc/ssl/SSL_CTX_get_verify_mode.pod
@@ -0,0 +1,50 @@
+=pod
+
+=head1 NAME
+
+SSL_CTX_get_verify_mode, SSL_get_verify_mode, SSL_CTX_get_verify_depth, SSL_get_verify_depth, SSL_get_verify_callback, SSL_CTX_get_verify_callback - get currently set verification parameters
+
+=head1 SYNOPSIS
+
+ #include <openssl/ssl.h>
+
+ int SSL_CTX_get_verify_mode(SSL_CTX *ctx);
+ int SSL_get_verify_mode(SSL *ssl);
+ int SSL_CTX_get_verify_depth(SSL_CTX *ctx);
+ int SSL_get_verify_depth(SSL *ssl);
+ int (*SSL_CTX_get_verify_callback(SSL_CTX *ctx))(int, X509_STORE_CTX *);
+ int (*SSL_get_verify_callback(SSL *ssl))(int, X509_STORE_CTX *);
+
+=head1 DESCRIPTION
+
+SSL_CTX_get_verify_mode() returns the verification mode currently set in
+B<ctx>.
+
+SSL_get_verify_mode() returns the verification mode currently set in
+B<ssl>.
+
+SSL_CTX_get_verify_depth() returns the verification depth limit currently set
+in B<ctx>. If no limit has been explicitly set, -1 is returned and the
+default value will be used.
+
+SSL_get_verify_depth() returns the verification depth limit currently set
+in B<ssl>. If no limit has been explicitly set, -1 is returned and the
+default value will be used.
+
+SSL_CTX_get_verify_callback() returns a function pointer to the verification
+callback currently set in B<ctx>. If no callback was explicitly set, the
+NULL pointer is returned and the default callback will be used.
+
+SSL_get_verify_callback() returns a function pointer to the verification
+callback currently set in B<ssl>. If no callback was explicitly set, the
+NULL pointer is returned and the default callback will be used.
+
+=head1 RETURN VALUES
+
+See DESCRIPTION
+
+=head1 SEE ALSO
+
+L<ssl(3)|ssl(3)>, L<SSL_CTX_set_verify(3)|SSL_CTX_set_verify(3)>
+
+=cut
diff --git a/crypto/openssl/doc/ssl/SSL_CTX_load_verify_locations.pod b/crypto/openssl/doc/ssl/SSL_CTX_load_verify_locations.pod
new file mode 100644
index 000000000000..0e2d2179c8c1
--- /dev/null
+++ b/crypto/openssl/doc/ssl/SSL_CTX_load_verify_locations.pod
@@ -0,0 +1,124 @@
+=pod
+
+=head1 NAME
+
+SSL_CTX_load_verify_locations - set default locations for trusted CA
+certificates
+
+=head1 SYNOPSIS
+
+ #include <openssl/ssl.h>
+
+ int SSL_CTX_load_verify_locations(SSL_CTX *ctx, const char *CAfile,
+ const char *CApath);
+
+=head1 DESCRIPTION
+
+SSL_CTX_load_verify_locations() specifies the locations for B<ctx>, at
+which CA certificates for verification purposes are located. The certificates
+available via B<CAfile> and B<CApath> are trusted.
+
+=head1 NOTES
+
+If B<CAfile> is not NULL, it points to a file of CA certificates in PEM
+format. The file can contain several CA certificates identified by
+
+ -----BEGIN CERTIFICATE-----
+ ... (CA certificate in base64 encoding) ...
+ -----END CERTIFICATE-----
+
+sequences. Before, between, and after the certificates text is allowed
+which can be used e.g. for descriptions of the certificates.
+
+The B<CAfile> is processed on execution of the SSL_CTX_load_verify_locations()
+function.
+
+If on an TLS/SSL server no special setting is perfomed using *client_CA_list()
+functions, the certificates contained in B<CAfile> are listed to the client
+as available CAs during the TLS/SSL handshake.
+
+If B<CApath> is not NULL, it points to a directory containing CA certificates
+in PEM format. The files each contain one CA certificate. The files are
+looked up by the CA subject name hash value, which must hence be available.
+If more than one CA certificate with the same name hash value exist, the
+extension must be different (e.g. 9d66eef0.0, 9d66eef0.1 etc). The search
+is performed in the ordering of the extension number, regardless of other
+properties of the certificates.
+Use the B<c_rehash> utility to create the necessary links.
+
+The certificates in B<CApath> are only looked up when required, e.g. when
+building the certificate chain or when actually performing the verification
+of a peer certificate.
+
+On a server, the certificates in B<CApath> are not listed as available
+CA certificates to a client during a TLS/SSL handshake.
+
+When looking up CA certificates, the OpenSSL library will first search the
+certificates in B<CAfile>, then those in B<CApath>. Certificate matching
+is done based on the subject name, the key identifier (if present), and the
+serial number as taken from the certificate to be verified. If these data
+do not match, the next certificate will be tried. If a first certificate
+matching the parameters is found, the verification process will be performed;
+no other certificates for the same parameters will be searched in case of
+failure.
+
+When building its own certificate chain, an OpenSSL client/server will
+try to fill in missing certificates from B<CAfile>/B<CApath>, if the
+certificate chain was not explicitely specified (see
+L<SSL_CTX_add_extra_chain_cert(3)|SSL_CTX_add_extra_chain_cert(3)>,
+L<SSL_CTX_use_certificate(3)|SSL_CTX_use_certificate(3)>.
+
+=head1 WARNINGS
+
+If several CA certificates matching the name, key identifier, and serial
+number condition are available, only the first one will be examined. This
+may lead to unexpected results if the same CA certificate is available
+with different expiration dates. If a "certificate expired" verification
+error occurs, no other certificate will be searched. Make sure to not
+have expired certificates mixed with valid ones.
+
+=head1 EXAMPLES
+
+Generate a CA certificate file with descriptive text from the CA certificates
+ca1.pem ca2.pem ca3.pem:
+
+ #!/bin/sh
+ rm CAfile.pem
+ for i in ca1.pem ca2.pem ca3.pem ; do
+ openssl x509 -in $i -text >> CAfile.pem
+ done
+
+Prepare the directory /some/where/certs containing several CA certificates
+for use as B<CApath>:
+
+ cd /some/where/certs
+ c_rehash .
+
+=head1 RETURN VALUES
+
+The following return values can occur:
+
+=over 4
+
+=item 0
+
+The operation failed because B<CAfile> and B<CApath> are NULL or the
+processing at one of the locations specified failed. Check the error
+stack to find out the reason.
+
+=item 1
+
+The operation succeeded.
+
+=back
+
+=head1 SEE ALSO
+
+L<ssl(3)|ssl(3)>,
+L<SSL_CTX_set_client_CA_list(3)|SSL_CTX_set_client_CA_list(3)>,
+L<SSL_get_client_CA_list(3)|SSL_get_client_CA_list(3)>,
+L<SSL_CTX_use_certificate(3)|SSL_CTX_use_certificate(3)>,
+L<SSL_CTX_add_extra_chain_cert(3)|SSL_CTX_add_extra_chain_cert(3)>
+
+
+=cut
diff --git a/crypto/openssl/doc/ssl/SSL_CTX_new.pod b/crypto/openssl/doc/ssl/SSL_CTX_new.pod
index e166c692c355..8b16ea3c903d 100644
--- a/crypto/openssl/doc/ssl/SSL_CTX_new.pod
+++ b/crypto/openssl/doc/ssl/SSL_CTX_new.pod
@@ -33,9 +33,9 @@ understand SSLv2 client hello messages.
=item SSLv3_method(void), SSLv3_server_method(void), SSLv3_client_method(void)
A TLS/SSL connection established with these methods will only understand the
-SSLv3 and TLSv1 protocol. A client will send out SSLv3 client hello messages
-and will indicate that it also understands TLSv1. A server will only understand
-SSLv3 and TLSv1 client hello messages. This especially means, that it will
+SSLv3 protocol. A client will send out SSLv3 client hello messages
+and will indicate that it only understands SSLv3. A server will only understand
+SSLv3 client hello messages. This especially means, that it will
not understand SSLv2 client hello messages which are widely used for
compatibility reasons, see SSLv23_*_method().
@@ -46,7 +46,8 @@ TLSv1 protocol. A client will send out TLSv1 client hello messages
and will indicate that it only understands TLSv1. A server will only understand
TLSv1 client hello messages. This especially means, that it will
not understand SSLv2 client hello messages which are widely used for
-compatibility reasons, see SSLv23_*_method().
+compatibility reasons, see SSLv23_*_method(). It will also not understand
+SSLv3 client hello messages.
=item SSLv23_method(void), SSLv23_server_method(void), SSLv23_client_method(void)
diff --git a/crypto/openssl/doc/ssl/SSL_CTX_sess_set_cache_size.pod b/crypto/openssl/doc/ssl/SSL_CTX_sess_set_cache_size.pod
new file mode 100644
index 000000000000..469933baf35b
--- /dev/null
+++ b/crypto/openssl/doc/ssl/SSL_CTX_sess_set_cache_size.pod
@@ -0,0 +1,50 @@
+=pod
+
+=head1 NAME
+
+SSL_CTX_sess_set_cache_size, SSL_CTX_sess_get_cache_size - manipulate session cache size
+
+=head1 SYNOPSIS
+
+ #include <openssl/ssl.h>
+
+ long SSL_CTX_sess_set_cache_size(SSL_CTX *ctx, long t);
+ long SSL_CTX_sess_get_cache_size(SSL_CTX *ctx);
+
+=head1 DESCRIPTION
+
+SSL_CTX_sess_set_cache_size() sets the size of the internal session cache
+of context B<ctx> to B<t>.
+
+SSL_CTX_sess_get_cache_size() returns the currently valid session cache size.
+
+=head1 NOTES
+
+The internal session cache size is SSL_SESSION_CACHE_MAX_SIZE_DEFAULT,
+currently 1024*20, so that up to 20000 sessions can be held. This size
+can be modified using the SSL_CTX_sess_set_cache_size() call. A special
+case is the size 0, which is used for unlimited size.
+
+When the maximum number of sessions is reached, no more new sessions are
+added to the cache. New space may be added by calling
+L<SSL_CTX_flush_sessions(3)|<SSL_CTX_flush_sessions(3)> to remove
+expired sessions.
+
+If the size of the session cache is reduced and more sessions are already
+in the session cache, old session will be removed at the next time a
+session shall be added. This removal is not synchronized with the
+expiration of sessions.
+
+=head1 RETURN VALUES
+
+SSL_CTX_sess_set_cache_size() returns the previously valid size.
+
+SSL_CTX_sess_get_cache_size() returns the currently valid size.
+
+=head1 SEE ALSO
+
+L<ssl(3)|ssl(3)>,
+L<SSL_CTX_set_session_cache_mode(3)|SSL_CTX_set_session_cache_mode(3)>,
+L<SSL_CTX_flush_sessions(3)|<SSL_CTX_flush_sessions(3)>
+
+=cut
diff --git a/crypto/openssl/doc/ssl/SSL_CTX_sess_set_get_cb.pod b/crypto/openssl/doc/ssl/SSL_CTX_sess_set_get_cb.pod
new file mode 100644
index 000000000000..b6f15b440425
--- /dev/null
+++ b/crypto/openssl/doc/ssl/SSL_CTX_sess_set_get_cb.pod
@@ -0,0 +1,81 @@
+=pod
+
+=head1 NAME
+
+SSL_CTX_sess_set_new_cb, SSL_CTX_sess_set_remove_cb, SSL_CTX_sess_set_get_cb, SSL_CTX_sess_get_new_cb, SSL_CTX_sess_get_remove_cb, SSL_CTX_sess_get_get_cb - provide callback functions for server side external session caching
+
+=head1 SYNOPSIS
+
+ #include <openssl/ssl.h>
+
+ void SSL_CTX_sess_set_new_cb(SSL_CTX *ctx,
+ int (*new_session_cb)(SSL *, SSL_SESSION *));
+ void SSL_CTX_sess_set_remove_cb(SSL_CTX *ctx,
+ void (*remove_session_cb)(SSL_CTX *ctx, SSL_SESSION *));
+ void SSL_CTX_sess_set_get_cb(SSL_CTX *ctx,
+ SSL_SESSION (*get_session_cb)(SSL *, unsigned char *, int, int *));
+
+ int (*SSL_CTX_sess_get_new_cb(SSL_CTX *ctx))(struct ssl_st *ssl, SSL_SESSION *sess);
+ void (*SSL_CTX_sess_get_remove_cb(SSL_CTX *ctx))(struct ssl_ctx_st *ctx, SSL_SESSION *sess);
+ SSL_SESSION *(*SSL_CTX_sess_get_get_cb(SSL_CTX *ctx))(struct ssl_st *ssl, unsigned char *data, int len, int *copy);
+
+ int (*new_session_cb)(struct ssl_st *ssl, SSL_SESSION *sess);
+ void (*remove_session_cb)(struct ssl_ctx_st *ctx, SSL_SESSION *sess);
+ SSL_SESSION *(*get_session_cb)(struct ssl_st *ssl, unsigned char *data,
+ int len, int *copy);
+
+=head1 DESCRIPTION
+
+SSL_CTX_sess_set_new_cb() sets the callback function, which is automatically
+called whenever a new session was negotiated.
+
+SSL_CTX_sess_set_remove_cb() sets the callback function, which is
+automatically called whenever a session is removed by the SSL engine,
+because it is considered faulty or the session has become obsolete because
+of exceeding the timeout value.
+
+SSL_CTX_sess_set_get_cb() sets the callback function which is called,
+whenever a SSL/TLS client proposed to resume a session but the session
+could not be found in the internal session cache (see
+L<SSL_CTX_set_session_cache_mode(3)|SSL_CTX_set_session_cache_mode(3)>).
+(SSL/TLS server only.)
+
+SSL_CTX_sess_get_new_cb(), SSL_CTX_sess_get_remove_cb(), and
+SSL_CTX_sess_get_get_cb() allow to retrieve the function pointers of the
+provided callback functions. If a callback function has not been set,
+the NULL pointer is returned.
+
+=head1 NOTES
+
+In order to allow external session caching, synchronization with the internal
+session cache is realized via callback functions. Inside these callback
+functions, session can be saved to disk or put into a database using the
+L<d2i_SSL_SESSION(3)|d2i_SSL_SESSION(3)> interface.
+
+The new_session_cb() is called, whenever a new session has been negotiated
+and session caching is enabled (see
+L<SSL_CTX_set_session_cache_mode(3)|SSL_CTX_set_session_cache_mode(3)>).
+The new_session_cb() is passed the B<ssl> connection and the ssl session
+B<sess>. If the callback returns B<0>, the session will be immediately
+removed again.
+
+The remove_session_cb() is called, whenever the SSL engine removes a session
+from the internal cache. This happens if the session is removed because
+it is expired or when a connection was not shutdown cleanly. The
+remove_session_cb() is passed the B<ctx> and the ssl session B<sess>.
+It does not provide any feedback.
+
+The get_session_cb() is only called on SSL/TLS servers with the session id
+proposed by the client. The get_session_cb() is always called, also when
+session caching was disabled. The get_session_cb() is passed the
+B<ssl> connection, the session id of length B<length> at the memory location
+B<data>. With the parameter B<copy> the callback can require the
+SSL engine to increment the reference count of the SSL_SESSION object.
+
+=head1 SEE ALSO
+
+L<ssl(3)|ssl(3)>, L<d2i_SSL_SESSION(3)|d2i_SSL_SESSION(3)>,
+L<SSL_CTX_set_session_cache_mode(3)|SSL_CTX_set_session_cache_mode(3)>,
+L<SSL_CTX_flush_sessions(3)|<SSL_CTX_flush_sessions(3)>
+
+=cut
diff --git a/crypto/openssl/doc/ssl/SSL_CTX_sessions.pod b/crypto/openssl/doc/ssl/SSL_CTX_sessions.pod
new file mode 100644
index 000000000000..ad92a8c5d23e
--- /dev/null
+++ b/crypto/openssl/doc/ssl/SSL_CTX_sessions.pod
@@ -0,0 +1,34 @@
+=pod
+
+=head1 NAME
+
+SSL_CTX_sessions - access internal session cache
+
+=head1 SYNOPSIS
+
+ #include <openssl/ssl.h>
+
+ struct lhash_st *SSL_CTX_sessions(SSL_CTX *ctx);
+
+=head1 DESCRIPTION
+
+SSL_CTX_sessions() returns a pointer to the lhash databases containing the
+internal session cache for B<ctx>.
+
+=head1 NOTES
+
+The sessions in the internal session cache are kept in an
+L<lhash(3)|lhash(3)> type database. It is possible to directly
+access this database e.g. for searching. In parallel, the sessions
+form a linked list which is maintained seperatly from the
+L<lhash(3)|lhash(3)> operations, so that the database must not be
+modified directly but by using the
+L<SSL_CTX_add_session(3)|SSL_CTX_add_session(3)> family of functions.
+
+=head1 SEE ALSO
+
+L<ssl(3)|ssl(3)>, L<lhash(3)|lhash(3)>,
+L<SSL_CTX_add_session(3)|SSL_CTX_add_session(3)>,
+L<SSL_CTX_set_session_cache_mode(3)|SSL_CTX_set_session_cache_mode(3)>
+
+=cut
diff --git a/crypto/openssl/doc/ssl/SSL_CTX_set_cipher_list.pod b/crypto/openssl/doc/ssl/SSL_CTX_set_cipher_list.pod
index 272d6b3de282..9a29eeeb9558 100644
--- a/crypto/openssl/doc/ssl/SSL_CTX_set_cipher_list.pod
+++ b/crypto/openssl/doc/ssl/SSL_CTX_set_cipher_list.pod
@@ -2,8 +2,7 @@
=head1 NAME
-SSL_CTX_set_cipher_list, SSL_set_cipher_list
-- choose list of available SSL_CIPHERs
+SSL_CTX_set_cipher_list, SSL_set_cipher_list - choose list of available SSL_CIPHERs
=head1 SYNOPSIS
@@ -47,6 +46,7 @@ could be selected and 0 on complete failure.
=head1 SEE ALSO
L<ssl(3)|ssl(3)>, L<SSL_get_ciphers(3)|SSL_get_ciphers(3)>,
+L<SSL_CTX_use_certificate(3)|SSL_CTX_use_certificate(3)>,
L<ciphers(1)|ciphers(1)>
=cut
diff --git a/crypto/openssl/doc/ssl/SSL_CTX_set_client_CA_list.pod b/crypto/openssl/doc/ssl/SSL_CTX_set_client_CA_list.pod
new file mode 100644
index 000000000000..f27a291cb654
--- /dev/null
+++ b/crypto/openssl/doc/ssl/SSL_CTX_set_client_CA_list.pod
@@ -0,0 +1,90 @@
+=pod
+
+=head1 NAME
+
+SSL_CTX_set_client_CA_list, SSL_set_client_CA_list, SSL_CTX_add_client_CA,
+SSL_add_client_CA - set list of CAs sent to the client when requesting a
+client certificate
+
+=head1 SYNOPSIS
+
+ #include <openssl/ssl.h>
+
+ void SSL_CTX_set_client_CA_list(SSL_CTX *ctx, STACK_OF(X509_NAME) *list);
+ void SSL_set_client_CA_list(SSL *s, STACK_OF(X509_NAME) *list);
+ int SSL_CTX_add_client_CA(SSL_CTX *ctx, X509 *cacert);
+ int SSL_add_client_CA(SSL *ssl, X509 *cacert);
+
+=head1 DESCRIPTION
+
+SSL_CTX_set_client_CA_list() sets the B<list> of CAs sent to the client when
+requesting a client certificate for B<ctx>.
+
+SSL_set_client_CA_list() sets the B<list> of CAs sent to the client when
+requesting a client certificate for the chosen B<ssl>, overriding the
+setting valid for B<ssl>'s SSL_CTX object.
+
+SSL_CTX_add_client_CA() adds the CA name extracted from B<cacert> to the
+list of CAs sent to the client when requesting a client certificate for
+B<ctx>.
+
+SSL_add_client_CA() adds the CA name extracted from B<cacert> to the
+list of CAs sent to the client when requesting a client certificate for
+the chosen B<ssl>, overriding the setting valid for B<ssl>'s SSL_CTX object.
+
+=head1 NOTES
+
+When a TLS/SSL server requests a client certificate (see
+B<SSL_CTX_set_verify_options()>), it sends a list of CAs, for which
+it will accept certificates, to the client. If no special list is provided,
+the CAs available using the B<CAfile> option in
+L<SSL_CTX_load_verify_locations(3)|SSL_CTX_load_verify_locations(3)>
+are sent.
+
+This list can be explicitely set using the SSL_CTX_set_client_CA_list() for
+B<ctx> and SSL_set_client_CA_list() for the specific B<ssl>. The list
+specified overrides the previous setting. The CAs listed do not become
+trusted (B<list> only contains the names, not the complete certificates); use
+L<SSL_CTX_load_verify_locations(3)|SSL_CTX_load_verify_locations(3)>
+to additionally load them for verification.
+
+SSL_CTX_add_client_CA() and SSL_add_client_CA() can be used to add additional
+items the list of client CAs. If no list was specified before using
+SSL_CTX_set_client_CA_list() or SSL_set_client_CA_list(), a new client
+CA list for B<ctx> or B<ssl> (as appropriate) is opened. The CAs implicitly
+specified using
+L<SSL_CTX_load_verify_locations(3)|SSL_CTX_load_verify_locations(3)>
+are no longer used automatically.
+
+These functions are only useful for TLS/SSL servers.
+
+=head1 RETURN VALUES
+
+SSL_CTX_set_client_CA_list() and SSL_set_client_CA_list() do not return
+diagnostic information.
+
+SSL_CTX_add_client_CA() and SSL_add_client_CA() have the following return
+values:
+
+=over 4
+
+=item 1
+
+The operation succeeded.
+
+=item 0
+
+A failure while manipulating the STACK_OF(X509_NAME) object occured or
+the X509_NAME could not be extracted from B<cacert>. Check the error stack
+to find out the reason.
+
+=back
+
+=head1 SEE ALSO
+
+L<ssl(3)|ssl(3)>,
+L<SSL_get_client_CA_list(3)|SSL_get_client_CA_list(3)>,
+L<SSL_load_client_CA_file(3)|SSL_load_client_CA_file(3)>
+L<SSL_CTX_load_verify_locations(3)|SSL_CTX_load_verify_locations(3)>
+
+=cut
diff --git a/crypto/openssl/doc/ssl/SSL_CTX_set_default_passwd_cb.pod b/crypto/openssl/doc/ssl/SSL_CTX_set_default_passwd_cb.pod
new file mode 100644
index 000000000000..a5343a1cf398
--- /dev/null
+++ b/crypto/openssl/doc/ssl/SSL_CTX_set_default_passwd_cb.pod
@@ -0,0 +1,70 @@
+=pod
+
+=head1 NAME
+
+SSL_CTX_set_default_passwd_cb, SSL_CTX_set_default_passwd_cb_userdata - set passwd callback for encrypted PEM file handling
+
+=head1 SYNOPSIS
+
+ #include <openssl/ssl.h>
+
+ void SSL_CTX_set_default_passwd_cb(SSL_CTX *ctx, pem_password_cb *cb);
+ void SSL_CTX_set_default_passwd_cb_userdata(SSL_CTX *ctx, void *u);
+
+ int pem_passwd_cb(char *buf, int size, int rwflag, void *userdata);
+
+=head1 DESCRIPTION
+
+SSL_CTX_set_default_passwd_cb() sets the default password callback called
+when loading/storing a PEM certificate with encryption.
+
+SSL_CTX_set_default_passwd_cb_userdata() sets a pointer to B<userdata> which
+will be provided to the password callback on invocation.
+
+The pem_passwd_cb(), which must be provided by the application, hands back the
+password to be used during decryption. On invocation a pointer to B<userdata>
+is provided. The pem_passwd_cb must write the password into the provided buffer
+B<buf> which is of size B<size>. The actual length of the password must
+be returned to the calling function. B<rwflag> indicates whether the
+callback is used for reading/decryption (rwflag=0) or writing/encryption
+(rwflag=1).
+
+=head1 NOTES
+
+When loading or storing private keys, a password might be supplied to
+protect the private key. The way this password can be supplied may depend
+on the application. If only one private key is handled, it can be practical
+to have pem_passwd_cb() handle the password dialog interactively. If several
+keys have to be handled, it can be practical to ask for the password once,
+then keep it in memory and use it several times. In the last case, the
+password could be stored into the B<userdata> storage and the
+pem_passwd_cb() only returns the password already stored.
+
+Other items in PEM formatting (certificates) can also be encrypted, it is
+however not usual, as certificate information is considered public.
+
+=head1 RETURN VALUES
+
+SSL_CTX_set_default_passwd_cb() and SSL_CTX_set_default_passwd_cb_userdata()
+do not provide diagnostic information.
+
+=head1 EXAMPLES
+
+The following example returns the password provided as B<userdata> to the
+calling function. The password is considered to be a '\0' terminated
+string. If the password does not fit into the buffer, the password is
+truncated.
+
+ int pem_passwd_cb(char *buf, int size, int rwflag, void *password)
+ {
+ strncpy(buf, (char *)(password), size);
+ buf[size - 1] = '\0';
+ return(strlen(buf));
+ }
+
+=head1 SEE ALSO
+
+L<ssl(3)|ssl(3)>,
+L<SSL_CTX_use_certificate(3)|SSL_CTX_use_certificate(3)>
+
+=cut
diff --git a/crypto/openssl/doc/ssl/SSL_CTX_set_options.pod b/crypto/openssl/doc/ssl/SSL_CTX_set_options.pod
new file mode 100644
index 000000000000..bd5b0cbf9629
--- /dev/null
+++ b/crypto/openssl/doc/ssl/SSL_CTX_set_options.pod
@@ -0,0 +1,183 @@
+=pod
+
+=head1 NAME
+
+SSL_CTX_set_options, SSL_set_options, SSL_CTX_get_options, SSL_get_options - manipulate SSL engine options
+
+=head1 SYNOPSIS
+
+ #include <openssl/ssl.h>
+
+ long SSL_CTX_set_options(SSL_CTX *ctx, long options);
+ long SSL_set_options(SSL *ssl, long options);
+
+ long SSL_CTX_get_options(SSL_CTX *ctx);
+ long SSL_get_options(SSL *ssl);
+
+=head1 DESCRIPTION
+
+SSL_CTX_set_options() adds the options set via bitmask in B<options> to B<ctx>.
+Options already set before are not cleared.
+
+SSL_set_options() adds the options set via bitmask in B<options> to B<ssl>.
+Options already set before are not cleared.
+
+SSL_CTX_get_options() returns the options set for B<ctx>.
+
+SSL_get_options() returns the options set for B<ssl>.
+
+=head1 NOTES
+
+The behaviour of the SSL library can be changed by setting several options.
+The options are coded as bitmasks and can be combined by a logical B<or>
+operation (|). Options can only be added but can never be reset.
+
+During a handshake, the option settings of the SSL object used. When
+a new SSL object is created from a context using SSL_new(), the current
+option setting is copied. Changes to B<ctx> do not affect already created
+SSL objects. SSL_clear() does not affect the settings.
+
+The following B<bug workaround> options are available:
+
+=over 4
+
+=item SSL_OP_MICROSOFT_SESS_ID_BUG
+
+www.microsoft.com - when talking SSLv2, if session-id reuse is
+performed, the session-id passed back in the server-finished message
+is different from the one decided upon.
+
+=item SSL_OP_NETSCAPE_CHALLENGE_BUG
+
+Netscape-Commerce/1.12, when talking SSLv2, accepts a 32 byte
+challenge but then appears to only use 16 bytes when generating the
+encryption keys. Using 16 bytes is ok but it should be ok to use 32.
+According to the SSLv3 spec, one should use 32 bytes for the challenge
+when opperating in SSLv2/v3 compatablity mode, but as mentioned above,
+this breaks this server so 16 bytes is the way to go.
+
+=item SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG
+
+ssl3.netscape.com:443, first a connection is established with RC4-MD5.
+If it is then resumed, we end up using DES-CBC3-SHA. It should be
+RC4-MD5 according to 7.6.1.3, 'cipher_suite'.
+
+Netscape-Enterprise/2.01 (https://merchant.netscape.com) has this bug.
+It only really shows up when connecting via SSLv2/v3 then reconnecting
+via SSLv3. The cipher list changes....
+
+NEW INFORMATION. Try connecting with a cipher list of just
+DES-CBC-SHA:RC4-MD5. For some weird reason, each new connection uses
+RC4-MD5, but a re-connect tries to use DES-CBC-SHA. So netscape, when
+doing a re-connect, always takes the first cipher in the cipher list.
+
+=item SSL_OP_SSLREF2_REUSE_CERT_TYPE_BUG
+
+...
+
+=item SSL_OP_MICROSOFT_BIG_SSLV3_BUFFER
+
+...
+
+=item SSL_OP_MSIE_SSLV2_RSA_PADDING
+
+...
+
+=item SSL_OP_SSLEAY_080_CLIENT_DH_BUG
+
+...
+
+=item SSL_OP_TLS_D5_BUG
+
+...
+
+=item SSL_OP_TLS_BLOCK_PADDING_BUG
+
+...
+
+=item SSL_OP_TLS_ROLLBACK_BUG
+
+Disable version rollback attack detection.
+
+During the client key exchange, the client must send the same information
+about acceptable SSL/TLS protocol levels as during the first hello. Some
+clients violate this rule by adapting to the server's answer. (Example:
+the client sends a SSLv2 hello and accepts up to SSLv3.1=TLSv1, the server
+only understands up to SSLv3. In this case the client must still use the
+same SSLv3.1=TLSv1 announcement. Some clients step down to SSLv3 with respect
+to the server's answer and violate the version rollback protection.)
+
+=item SSL_OP_ALL
+
+All of the above bug workarounds.
+
+=back
+
+It is save and recommended to use SSL_OP_ALL to enable the bug workaround
+options.
+
+The following B<modifying> options are available:
+
+=over 4
+
+=item SSL_OP_SINGLE_DH_USE
+
+Always create a new key when using temporary DH parameters.
+
+=item SSL_OP_EPHEMERAL_RSA
+
+Also use the temporary RSA key when doing RSA operations.
+
+=item SSL_OP_PKCS1_CHECK_1
+
+...
+
+=item SSL_OP_PKCS1_CHECK_2
+
+...
+
+=item SSL_OP_NETSCAPE_CA_DN_BUG
+
+If we accept a netscape connection, demand a client cert, have a
+non-self-sighed CA which does not have it's CA in netscape, and the
+browser has a cert, it will crash/hang. Works for 3.x and 4.xbeta
+
+=item SSL_OP_NON_EXPORT_FIRST
+
+On servers try to use non-export (stronger) ciphers first. This option does
+not work under all circumstances (in the code it is declared "broken").
+
+=item SSL_OP_NETSCAPE_DEMO_CIPHER_CHANGE_BUG
+
+...
+
+=item SSL_OP_NO_SSLv2
+
+Do not use the SSLv2 protocol.
+
+=item SSL_OP_NO_SSLv3
+
+Do not use the SSLv3 protocol.
+
+=item SSL_OP_NO_TLSv1
+
+Do not use the TLSv1 protocol.
+
+=back
+
+=head1 RETURN VALUES
+
+SSL_CTX_set_options() and SSL_set_options() return the new options bitmask
+after adding B<options>.
+
+SSL_CTX_get_options() and SSL_get_options() return the current bitmask.
+
+=head1 SEE ALSO
+
+L<ssl(3)|ssl(3)>, L<SSL_new(3)|SSL_new(3)>, L<SSL_clear(3)|SSL_clear(3)>
+
+=head1 HISTORY
+
+SSL_OP_TLS_ROLLBACK_BUG has been added in OpenSSL 0.9.6.
+
+=cut
diff --git a/crypto/openssl/doc/ssl/SSL_CTX_set_session_cache_mode.pod b/crypto/openssl/doc/ssl/SSL_CTX_set_session_cache_mode.pod
new file mode 100644
index 000000000000..ba3502a0a423
--- /dev/null
+++ b/crypto/openssl/doc/ssl/SSL_CTX_set_session_cache_mode.pod
@@ -0,0 +1,106 @@
+=pod
+
+=head1 NAME
+
+SSL_CTX_set_session_cache_mode, SSL_CTX_get_session_cache_mode - enable/disable session caching
+
+=head1 SYNOPSIS
+
+ #include <openssl/ssl.h>
+
+ long SSL_CTX_set_session_cache_mode(SSL_CTX ctx, long mode);
+ long SSL_CTX_get_session_cache_mode(SSL_CTX ctx);
+
+=head1 DESCRIPTION
+
+SSL_CTX_set_session_cache_mode() enables/disables session caching
+by setting the operational mode for B<ctx> to <mode>.
+
+SSL_CTX_get_session_cache_mode() returns the currently used cache mode.
+
+=head1 NOTES
+
+The OpenSSL library can store/retrieve SSL/TLS sessions for later reuse.
+The sessions can be held in memory for each B<ctx>, if more than one
+SSL_CTX object is being maintained, the sessions are unique for each SSL_CTX
+object.
+
+In order to reuse a session, a client must send the session's id to the
+server. It can only send exactly one id. The server then decides whether it
+agrees in reusing the session or starts the handshake for a new session.
+
+A server will lookup up the session in its internal session storage. If
+the session is not found in internal storage or internal storage is
+deactivated, the server will try the external storage if available.
+
+Since a client may try to reuse a session intended for use in a different
+context, the session id context must be set by the server (see
+L<SSL_CTX_set_session_id_context(3)|SSL_CTX_set_session_id_context(3)>).
+
+The following session cache modes and modifiers are available:
+
+=over 4
+
+=item SSL_SESS_CACHE_OFF
+
+No session caching for client or server takes place.
+
+=item SSL_SESS_CACHE_CLIENT
+
+Client sessions are added to the session cache. As there is no reliable way
+for the OpenSSL library to know whether a session should be reused or which
+session to choose (due to the abstract BIO layer the SSL engine does not
+have details about the connection), the application must select the session
+to be reused by using the L<SSL_set_session(3)|SSL_set_session(3)>
+function. This option is not activated by default.
+
+=item SSL_SESS_CACHE_SERVER
+
+Server sessions are added to the session cache. When a client proposes a
+session to be reused, the session is looked up in the internal session cache.
+If the session is found, the server will try to reuse the session.
+This is the default.
+
+=item SSL_SESS_CACHE_BOTH
+
+Enable both SSL_SESS_CACHE_CLIENT and SSL_SESS_CACHE_SERVER at the same time.
+
+=item SSL_SESS_CACHE_NO_AUTO_CLEAR
+
+Normally the session cache is checked for expired sessions every
+255 connections using the
+L<SSL_CTX_flush_sessions(3)|SSL_CTX_flush_sessions(3)> function. Since
+this may lead to a delay which cannot be controlled, the automatic
+flushing may be disabled and
+L<SSL_CTX_flush_sessions(3)|SSL_CTX_flush_sessions(3)> can be called
+explicitly by the application.
+
+=item SSL_SESS_CACHE_NO_INTERNAL_LOOKUP
+
+By setting this flag sessions are cached in the internal storage but
+they are not looked up automatically. If an external session cache
+is enabled, sessions are looked up in the external cache. As automatic
+lookup only applies for SSL/TLS servers, the flag has no effect on
+clients.
+
+=back
+
+The default mode is SSL_SESS_CACHE_SERVER.
+
+=head1 RETURN VALUES
+
+SSL_CTX_set_session_cache_mode() returns the previously set cache mode.
+
+SSL_CTX_get_session_cache_mode() returns the currently set cache mode.
+
+
+=head1 SEE ALSO
+
+L<ssl(3)|ssl(3)>, L<SSL_set_session(3)|SSL_set_session(3)>,
+L<SSL_CTX_sess_set_cache_size(3)|SSL_CTX_sess_set_cache_size(3)>,
+L<SSL_CTX_sess_set_get_cb(3)|SSL_CTX_sess_set_get_cb(3)>,
+L<SSL_CTX_set_session_id_context(3)|SSL_CTX_set_session_id_context(3)>,
+L<SSL_CTX_set_timeout.pod(3)|SSL_CTX_set_timeout.pod(3)>,
+L<SSL_CTX_flush_sessions(3)|SSL_CTX_flush_sessions(3)>
+
+=cut
diff --git a/crypto/openssl/doc/ssl/SSL_CTX_set_session_id_context.pod b/crypto/openssl/doc/ssl/SSL_CTX_set_session_id_context.pod
new file mode 100644
index 000000000000..5949395159e7
--- /dev/null
+++ b/crypto/openssl/doc/ssl/SSL_CTX_set_session_id_context.pod
@@ -0,0 +1,82 @@
+=pod
+
+=head1 NAME
+
+SSL_CTX_set_session_id_context, SSL_set_session_id_context - set context within which session can be reused (server side only)
+
+=head1 SYNOPSIS
+
+ #include <openssl/ssl.h>
+
+ int SSL_CTX_set_session_id_context(SSL_CTX *ctx, const unsigned char *sid_ctx,
+ unsigned int sid_ctx_len);
+ int SSL_set_session_id_context(SSL *ssl, const unsigned char *sid_ctx,
+ unsigned int sid_ctx_len);
+
+=head1 DESCRIPTION
+
+SSL_CTX_set_session_id_context() sets the context B<sid_ctx> of length
+B<sid_ctx_len> within which a session can be reused for the B<ctx> object.
+
+SSL_set_session_id_context() sets the context B<sid_ctx> of length
+B<sid_ctx_len> within which a session can be reused for the B<ssl> object.
+
+=head1 NOTES
+
+Sessions are generated within a certain context. When exporting/importing
+sessions with B<i2d_SSL_SESSION>/B<d2i_SSL_SESSION> it would be possible,
+to re-import a session generated from another context (e.g. another
+application), which might lead to malfunctions. Therefore each application
+must set its own session id context B<sid_ctx> which is used to distinguish
+the contexts and is stored in exported sessions. The B<sid_ctx> can be
+any kind of binary data with a given length, it is therefore possible
+to use e.g. the name of the application and/or the hostname and/or service
+name ...
+
+The session id context becomes part of the session. The session id context
+is set by the SSL/TLS server. The SSL_CTX_set_session_id_context() and
+SSL_set_session_id_context() functions are therefore only useful on the
+server side.
+
+OpenSSL clients will check the session id context returned by the server
+when reusing a session.
+
+The maximum length of the B<sid_ctx> is limited to
+B<SSL_MAX_SSL_SESSION_ID_LENGTH>.
+
+=head1 WARNINGS
+
+If the session id context is not set on an SSL/TLS server, stored sessions
+will not be reused but a fatal error will be flagged and the handshake
+will fail.
+
+If a server returns a different session id context to an OpenSSL client
+when reusing a session, an error will be flagged and the handshake will
+fail. OpenSSL servers will always return the correct session id context,
+as an OpenSSL server checks the session id context itself before reusing
+a session as described above.
+
+=head1 RETURN VALUES
+
+SSL_CTX_set_session_id_context() and SSL_set_session_id_context()
+return the following values:
+
+=over 4
+
+=item 0
+
+The length B<sid_ctx_len> of the session id context B<sid_ctx> exceeded
+the maximum allowed length of B<SSL_MAX_SSL_SESSION_ID_LENGTH>. The error
+is logged to the error stack.
+
+=item 1
+
+The operation succeeded.
+
+=back
+
+=head1 SEE ALSO
+
+L<ssl(3)|ssl(3)>
+
+=cut
diff --git a/crypto/openssl/doc/ssl/SSL_CTX_set_timeout.pod b/crypto/openssl/doc/ssl/SSL_CTX_set_timeout.pod
new file mode 100644
index 000000000000..21faed12d425
--- /dev/null
+++ b/crypto/openssl/doc/ssl/SSL_CTX_set_timeout.pod
@@ -0,0 +1,55 @@
+=pod
+
+=head1 NAME
+
+SSL_CTX_set_timeout, SSL_CTX_get_timeout - manipulate timeout values for session caching
+
+=head1 SYNOPSIS
+
+ #include <openssl/ssl.h>
+
+ long SSL_CTX_set_timeout(SSL_CTX *ctx, long t);
+ long SSL_CTX_get_timeout(SSL_CTX *ctx);
+
+=head1 DESCRIPTION
+
+SSL_CTX_set_timeout() sets the timeout for newly created sessions for
+B<ctx> to B<t>. The timeout value B<t> must be given in seconds.
+
+SSL_CTX_get_timeout() returns the currently set timeout value for B<ctx>.
+
+=head1 NOTES
+
+Whenever a new session is created, it is assigned a maximum lifetime. This
+lifetime is specified by storing the creation time of the session and the
+timeout value valid at this time. If the actual time is later than creation
+time plus timeout, the session is not reused.
+
+Due to this realization, all sessions behave according to the timeout value
+valid at the time of the session negotiation. Changes of the timeout value
+do not affect already established sessions.
+
+The expiration time of a single session can be modified using the
+L<SSL_SESSION_get_time(3)|SSL_SESSION_get_time(3)> family of functions.
+
+Expired sessions are removed from the internal session cache, whenever
+L<SSL_CTX_flush_sessions(3)|SSL_CTX_flush_sessions(3)> is called, either
+directly by the application or automatically (see
+L<SSL_CTX_set_session_cache_mode(3)|SSL_CTX_set_session_cache_mode(3)>)
+
+The default value for session timeout is 300 seconds.
+
+=head1 RETURN VALUES
+
+SSL_CTX_set_timeout() returns the previously set timeout value.
+
+SSL_CTX_get_timeout() returns the currently set timeout value.
+
+=head1 SEE ALSO
+
+L<ssl(3)|ssl(3)>,
+L<SSL_CTX_set_session_cache_mode(3)|SSL_CTX_set_session_cache_mode(3)>,
+L<SSL_SESSION_get_time(3)|SSL_SESSION_get_time(3)>,
+L<SSL_CTX_flush_sessions(3)|SSL_CTX_flush_sessions(3)>
+
+=cut
diff --git a/crypto/openssl/doc/ssl/SSL_CTX_set_verify.pod b/crypto/openssl/doc/ssl/SSL_CTX_set_verify.pod
new file mode 100644
index 000000000000..fc0b76118fd1
--- /dev/null
+++ b/crypto/openssl/doc/ssl/SSL_CTX_set_verify.pod
@@ -0,0 +1,284 @@
+=pod
+
+=head1 NAME
+
+SSL_CTX_set_verify, SSL_set_verify, SSL_CTX_set_verify_depth, SSL_set_verify_depth - set peer certificate verification parameters
+
+=head1 SYNOPSIS
+
+ #include <openssl/ssl.h>
+
+ void SSL_CTX_set_verify(SSL_CTX *ctx, int mode,
+ int (*verify_callback)(int, X509_STORE_CTX *));
+ void SSL_set_verify(SSL *s, int mode,
+ int (*verify_callback)(int, X509_STORE_CTX *));
+ void SSL_CTX_set_verify_depth(SSL_CTX *ctx,int depth);
+ void SSL_set_verify_depth(SSL *s, int depth);
+
+ int verify_callback(int preverify_ok, X509_STORE_CTX *x509_ctx);
+
+=head1 DESCRIPTION
+
+SSL_CTX_set_verify() sets the verification flags for B<ctx> to be B<mode> and
+specifies the B<verify_callback> function to be used. If no callback function
+shall be specified, the NULL pointer can be used for B<verify_callback>.
+
+SSL_set_verify() sets the verification flags for B<ssl> to be B<mode> and
+specifies the B<verify_callback> function to be used. If no callback function
+shall be specified, the NULL pointer can be used for B<verify_callback>. In
+this case last B<verify_callback> set specifically for this B<ssl> remains. If
+no special B<callback> was set before, the default callback for the underlying
+B<ctx> is used, that was valid at the the time B<ssl> was created with
+L<SSL_new(3)|SSL_new(3)>.
+
+SSL_CTX_set_verify_depth() sets the maximum B<depth> for the certificate chain
+verification that shall be allowed for B<ctx>. (See the BUGS section.)
+
+SSL_set_verify_depth() sets the maximum B<depth> for the certificate chain
+verification that shall be allowed for B<ssl>. (See the BUGS section.)
+
+=head1 NOTES
+
+The verification of certificates can be controlled by a set of logically
+or'ed B<mode> flags:
+
+=over 4
+
+=item SSL_VERIFY_NONE
+
+B<Server mode:> the server will not send a client certificate request to the
+client, so the client will not send a certificate.
+
+B<Client mode:> if not using an anonymous cipher (by default disabled), the
+server will send a certificate which will be checked. The result of the
+certificate verification process can be checked after the TLS/SSL handshake
+using the L<SSL_get_verify_result(3)|SSL_get_verify_result(3)> function.
+The handshake will be continued regardless of the verification result.
+
+=item SSL_VERIFY_PEER
+
+B<Server mode:> the server sends a client certificate request to the client.
+The certificate returned (if any) is checked. If the verification process
+fails as indicated by B<verify_callback>, the TLS/SSL handshake is
+immediately terminated with an alert message containing the reason for
+the verification failure.
+The behaviour can be controlled by the additional
+SSL_VERIFY_FAIL_IF_NO_PEER_CERT and SSL_VERIFY_CLIENT_ONCE flags.
+
+B<Client mode:> the server certificate is verified. If the verification process
+fails as indicated by B<verify_callback>, the TLS/SSL handshake is
+immediately terminated with an alert message containing the reason for
+the verification failure. If no server certificate is sent, because an
+anonymous cipher is used, SSL_VERIFY_PEER is ignored.
+
+=item SSL_VERIFY_FAIL_IF_NO_PEER_CERT
+
+B<Server mode:> if the client did not return a certificate, the TLS/SSL
+handshake is immediately terminated with a "handshake failure" alert.
+This flag must be used together with SSL_VERIFY_PEER.
+
+B<Client mode:> ignored
+
+=item SSL_VERIFY_CLIENT_ONCE
+
+B<Server mode:> only request a client certificate on the initial TLS/SSL
+handshake. Do not ask for a client certificate again in case of a
+renegotiation. This flag must be used together with SSL_VERIFY_PEER.
+
+B<Client mode:> ignored
+
+=back
+
+Exactly one of the B<mode> flags SSL_VERIFY_NONE and SSL_VERIFY_PEER must be
+set at any time.
+
+SSL_CTX_set_verify_depth() and SSL_set_verify_depth() set the limit up
+to which depth certificates in a chain are used during the verification
+procedure. If the certificate chain is longer than allowed, the certificates
+above the limit are ignored. Error messages are generated as if these
+certificates would not be present, most likely a
+X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY will be issued.
+The depth count is "level 0:peer certificate", "level 1: CA certificate",
+"level 2: higher level CA certificate", and so on. Setting the maximum
+depth to 2 allows the levels 0, 1, and 2. The default depth limit is 9,
+allowing for the peer certificate and additional 9 CA certificates.
+
+The B<verify_callback> function is used to control the behaviour when the
+SSL_VERIFY_PEER flag is set. It must be supplied by the application and
+receives two arguments: B<preverify_ok> indicates, whether the verification of
+the certificate in question was passed (preverify_ok=1) or not
+(preverify_ok=0). B<x509_ctx> is a pointer to the complete context used
+for the certificate chain verification.
+
+The certificate chain is checked starting with the deepest nesting level
+(the root CA certificate) and worked upward to the peer's certificate.
+At each level signatures and issuer attributes are checked. Whenever
+a verification error is found, the error number is stored in B<x509_ctx>
+and B<verify_callback> is called with B<preverify_ok>=0. By applying
+X509_CTX_store_* functions B<verify_callback> can locate the certificate
+in question and perform additional steps (see EXAMPLES). If no error is
+found for a certificate, B<verify_callback> is called with B<preverify_ok>=1
+before advancing to the next level.
+
+The return value of B<verify_callback> controls the strategy of the further
+verification process. If B<verify_callback> returns 0, the verification
+process is immediately stopped with "verification failed" state. If
+SSL_VERIFY_PEER is set, a verification failure alert is sent to the peer and
+the TLS/SSL handshake is terminated. If B<verify_callback> returns 1,
+the verification process is continued. If B<verify_callback> always returns
+1, the TLS/SSL handshake will never be terminated because of this application
+experiencing a verification failure. The calling process can however
+retrieve the error code of the last verification error using
+L<SSL_get_verify_result(3)|SSL_get_verify_result(3)> or by maintaining its
+own error storage managed by B<verify_callback>.
+
+If no B<verify_callback> is specified, the default callback will be used.
+Its return value is identical to B<preverify_ok>, so that any verification
+failure will lead to a termination of the TLS/SSL handshake with an
+alert message, if SSL_VERIFY_PEER is set.
+
+=head1 BUGS
+
+In client mode, it is not checked whether the SSL_VERIFY_PEER flag
+is set, but whether SSL_VERIFY_NONE is not set. This can lead to
+unexpected behaviour, if the SSL_VERIFY_PEER and SSL_VERIFY_NONE are not
+used as required (exactly one must be set at any time).
+
+The certificate verification depth set with SSL[_CTX]_verify_depth()
+stops the verification at a certain depth. The error message produced
+will be that of an incomplete certificate chain and not
+X509_V_ERR_CERT_CHAIN_TOO_LONG as may be expected.
+
+=head1 RETURN VALUES
+
+The SSL*_set_verify*() functions do not provide diagnostic information.
+
+=head1 EXAMPLES
+
+The following code sequence realizes an example B<verify_callback> function
+that will always continue the TLS/SSL handshake regardless of verification
+failure, if wished. The callback realizes a verification depth limit with
+more informational output.
+
+All verification errors are printed, informations about the certificate chain
+are printed on request.
+The example is realized for a server that does allow but not require client
+certificates.
+
+The example makes use of the ex_data technique to store application data
+into/retrieve application data from the SSL structure
+(see L<SSL_get_ex_new_index(3)|SSL_get_ex_new_index(3)>,
+L<SSL_get_ex_data_X509_STORE_CTX_idx(3)|SSL_get_ex_data_X509_STORE_CTX_idx(3)>).
+
+ ...
+ typedef struct {
+ int verbose_mode;
+ int verify_depth;
+ int always_continue;
+ } mydata_t;
+ int mydata_index;
+ ...
+ static int verify_callback(int preverify_ok, X509_STORE_CTX *ctx)
+ {
+ char buf[256];
+ X509 *err_cert;
+ int err, depth;
+ SSL *ssl;
+ mydata_t *mydata;
+
+ err_cert = X509_STORE_CTX_get_current_cert(ctx);
+ err = X509_STORE_CTX_get_error(ctx);
+ depth = X509_STORE_CTX_get_error_depth(ctx);
+
+ /*
+ * Retrieve the pointer to the SSL of the connection currently treated
+ * and the application specific data stored into the SSL object.
+ */
+ ssl = X509_STORE_CTX_get_ex_data(ctx, SSL_get_ex_data_X509_STORE_CTX_idx());
+ mydata = SSL_get_ex_data(ssl, mydata_index);
+
+ X509_NAME_oneline(X509_get_subject_name(err_cert), buf, 256);
+
+ /*
+ * Catch a too long certificate chain. The depth limit set using
+ * SSL_CTX_set_verify_depth() is by purpose set to "limit+1" so
+ * that whenever the "depth>verify_depth" condition is met, we
+ * have violated the limit and want to log this error condition.
+ * We must do it here, because the CHAIN_TOO_LONG error would not
+ * be found explicitly; only errors introduced by cutting off the
+ * additional certificates would be logged.
+ */
+ if (depth > mydata->verify_depth) {
+ preverify_ok = 0;
+ err = X509_V_ERR_CERT_CHAIN_TOO_LONG;
+ X509_STORE_CTX_set_error(ctx, err);
+ }
+ if (!preverify_ok) {
+ printf("verify error:num=%d:%s:depth=%d:%s\n", err,
+ X509_verify_cert_error_string(err), depth, buf);
+ }
+ else if (mydata->verbose_mode)
+ {
+ printf("depth=%d:%s\n", depth, buf);
+ }
+
+ /*
+ * At this point, err contains the last verification error. We can use
+ * it for something special
+ */
+ if (!preverify_ok && (err == X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT)
+ {
+ X509_NAME_oneline(X509_get_issuer_name(ctx->current_cert), buf, 256);
+ printf("issuer= %s\n", buf);
+ }
+
+ if (mydata->always_continue)
+ return 1;
+ else
+ return preverify_ok;
+ }
+ ...
+
+ mydata_t mydata;
+
+ ...
+ mydata_index = SSL_get_ex_new_index(0, "mydata index", NULL, NULL, NULL);
+
+ ...
+ SSL_CTX_set_verify(ctx, SSL_VERIFY_PEER|SSL_VERIFY_CLIENT_ONCE,
+ verify_callback);
+
+ /*
+ * Let the verify_callback catch the verify_depth error so that we get
+ * an appropriate error in the logfile.
+ */
+ SSL_CTX_set_verify_depth(verify_depth + 1);
+
+ /*
+ * Set up the SSL specific data into "mydata" and store it into th SSL
+ * structure.
+ */
+ mydata.verify_depth = verify_depth; ...
+ SSL_set_ex_data(ssl, mydata_index, &mydata);
+
+ ...
+ SSL_accept(ssl); /* check of success left out for clarity */
+ if (peer = SSL_get_peer_certificate(ssl))
+ {
+ if (SSL_get_verify_result(ssl) == X509_V_OK)
+ {
+ /* The client sent a certificate which verified OK */
+ }
+ }
+
+=head1 SEE ALSO
+
+L<ssl(3)|ssl(3)>, L<SSL_new(3)|SSL_new(3)>,
+L<SSL_CTX_get_verify_mode(3)|SSL_CTX_get_verify_mode(3)>,
+L<SSL_get_verify_result(3)|SSL_get_verify_result(3)>,
+L<SSL_CTX_load_verify_locations(3)|SSL_CTX_load_verify_locations(3)>,
+L<SSL_get_peer_certificate(3)|SSL_get_peer_certificate(3)>,
+L<SSL_get_ex_data_X509_STORE_CTX_idx(3)|SSL_get_ex_data_X509_STORE_CTX_idx(3)>,
+L<SSL_get_ex_new_index(3)|SSL_get_ex_new_index(3)>
+
+=cut
diff --git a/crypto/openssl/doc/ssl/SSL_CTX_use_certificate.pod b/crypto/openssl/doc/ssl/SSL_CTX_use_certificate.pod
new file mode 100644
index 000000000000..58fa3e6a84f6
--- /dev/null
+++ b/crypto/openssl/doc/ssl/SSL_CTX_use_certificate.pod
@@ -0,0 +1,154 @@
+=pod
+
+=head1 NAME
+
+SSL_CTX_use_certificate, SSL_CTX_use_certificate_ASN1, SSL_CTX_use_certificate_file, SSL_use_certificate, SSL_use_certificate_ASN1, SSL_use_certificate_file, SSL_CTX_use_certificate_chain_file, SSL_CTX_use_PrivateKey, SSL_CTX_use_PrivateKey_ASN1, SSL_CTX_use_PrivateKey_file, SSL_CTX_use_RSAPrivateKey, SSL_CTX_use_RSAPrivateKey_ASN1, SSL_CTX_use_RSAPrivateKey_file, SSL_use_PrivateKey_file, SSL_use_PrivateKey_ASN1, SSL_use_PrivateKey, SSL_use_RSAPrivateKey, SSL_use_RSAPrivateKey_ASN1, SSL_use_RSAPrivateKey_file, SSL_CTX_check_private_key, SSL_check_private_key - load certificate and key data
+
+=head1 SYNOPSIS
+
+ #include <openssl/ssl.h>
+
+ int SSL_CTX_use_certificate(SSL_CTX *ctx, X509 *x);
+ int SSL_CTX_use_certificate_ASN1(SSL_CTX *ctx, int len, unsigned char *d);
+ int SSL_CTX_use_certificate_file(SSL_CTX *ctx, const char *file, int type);
+ int SSL_use_certificate(SSL *ssl, X509 *x);
+ int SSL_use_certificate_ASN1(SSL *ssl, unsigned char *d, int len);
+ int SSL_use_certificate_file(SSL *ssl, const char *file, int type);
+
+ int SSL_CTX_use_certificate_chain_file(SSL_CTX *ctx, const char *file);
+
+ int SSL_CTX_use_PrivateKey(SSL_CTX *ctx, EVP_PKEY *pkey);
+ int SSL_CTX_use_PrivateKey_ASN1(int pk, SSL_CTX *ctx, unsigned char *d,
+ long len);
+ int SSL_CTX_use_PrivateKey_file(SSL_CTX *ctx, const char *file, int type);
+ int SSL_CTX_use_RSAPrivateKey(SSL_CTX *ctx, RSA *rsa);
+ int SSL_CTX_use_RSAPrivateKey_ASN1(SSL_CTX *ctx, unsigned char *d, long len);
+ int SSL_CTX_use_RSAPrivateKey_file(SSL_CTX *ctx, const char *file, int type);
+ int SSL_use_PrivateKey(SSL *ssl, EVP_PKEY *pkey);
+ int SSL_use_PrivateKey_ASN1(int pk,SSL *ssl, unsigned char *d, long len);
+ int SSL_use_PrivateKey_file(SSL *ssl, const char *file, int type);
+ int SSL_use_RSAPrivateKey(SSL *ssl, RSA *rsa);
+ int SSL_use_RSAPrivateKey_ASN1(SSL *ssl, unsigned char *d, long len);
+ int SSL_use_RSAPrivateKey_file(SSL *ssl, const char *file, int type);
+
+ int SSL_CTX_check_private_key(SSL_CTX *ctx);
+ int SSL_check_private_key(SSL *ssl);
+
+=head1 DESCRIPTION
+
+These functions load the certificates and private keys into the SSL_CTX
+or SSL object, respectively.
+
+The SSL_CTX_* class of functions loads the certificates and keys into the
+SSL_CTX object B<ctx>. The information is passed to SSL objects B<ssl>
+created from B<ctx> with L<SSL_new(3)|SSL_new(3)> by copying, so that
+changes applied to B<ctx> do not propagate to already existing SSL objects.
+
+The SSL_* class of functions only loads certificates and keys into a
+specific SSL object. The specific information is kept, when
+L<SSL_clear(3)|SSL_clear(3)> is called for this SSL object.
+
+SSL_CTX_use_certificate() loads the certificate B<x> into B<ctx>,
+SSL_use_certificate() loads B<x> into B<ssl>. The rest of the
+certificates needed to form the complete certificate chain can be
+specified using the
+L<SSL_CTX_add_extra_chain_cert(3)|SSL_CTX_add_extra_chain_cert(3)>
+function.
+
+SSL_CTX_use_certificate_ASN1() loads the ASN1 encoded certificate from
+the memory location B<d> (with length B<len>) into B<ctx>,
+SSL_use_certificate_ASN1() loads the ASN1 encoded certificate into B<ssl>.
+
+SSL_CTX_use_certificate_file() loads the first certificate stored in B<file>
+into B<ctx>. The formatting B<type> of the certificate must be specified
+from the known types SSL_FILETYPE_PEM, SSL_FILETYPE_ASN1.
+SSL_use_certificate_file() loads the certificate from B<file> into B<ssl>.
+See the NOTES section on why SSL_CTX_use_certificate_chain_file()
+should be preferred.
+
+SSL_CTX_use_certificate_chain_file() loads a certificate chain from
+B<file> into B<ctx>. The certificates must be in PEM format and must
+be sorted starting with the certificate to the highest level (root CA).
+There is no corresponding function working on a single SSL object.
+
+SSL_CTX_use_PrivateKey() adds B<pkey> as private key to B<ctx>.
+SSL_CTX_use_RSAPrivateKey() adds the private key B<rsa> of type RSA
+to B<ctx>. SSL_use_PrivateKey() adds B<pkey> as private key to B<ssl>;
+SSL_use_RSAPrivateKey() adds B<rsa> as private key of type RSA to B<ssl>.
+
+SSL_CTX_use_PrivateKey_ASN1() adds the private key of type B<pk>
+stored at memory location B<d> (length B<len>) to B<ctx>.
+SSL_CTX_use_RSAPrivateKey_ASN1() adds the private key of type RSA
+stored at memory location B<d> (length B<len>) to B<ctx>.
+SSL_use_PrivateKey_ASN1() and SSL_use_RSAPrivateKey_ASN1() add the private
+key to B<ssl>.
+
+SSL_CTX_use_PrivateKey_file() adds the first private key found in
+B<file> to B<ctx>. The formatting B<type> of the certificate must be specified
+from the known types SSL_FILETYPE_PEM, SSL_FILETYPE_ASN1.
+SSL_CTX_use_RSAPrivateKey_file() adds the first private RSA key found in
+B<file> to B<ctx>. SSL_use_PrivateKey_file() adds the first private key found
+in B<file> to B<ssl>; SSL_use_RSAPrivateKey_file() adds the first private
+RSA key found to B<ssl>.
+
+SSL_CTX_check_private_key() checks the consistency of a private key with
+the corresponding certificate loaded into B<ctx>. If more than one
+key/certificate pair (RSA/DSA) is installed, the last item installed will
+be checked. If e.g. the last item was a RSA certificate or key, the RSA
+key/certificate pair will be checked. SSL_check_private_key() performs
+the same check for B<ssl>. If no key/certificate was explicitly added for
+this B<ssl>, the last item added into B<ctx> will be checked.
+
+=head1 NOTES
+
+The internal certificate store of OpenSSL can hold two private key/certificate
+pairs at a time: one key/certificate of type RSA and one key/certificate
+of type DSA. The certificate used depends on the cipher select, see
+also L<SSL_CTX_set_cipher_list(3)|SSL_CTX_set_cipher_list(3)>.
+
+When reading certificates and private keys from file, files of type
+SSL_FILETYPE_ASN1 (also known as B<DER>, binary encoding) can only contain
+one certificate or private key, consequently
+SSL_CTX_use_certificate_chain_file() is only applicable to PEM formatting.
+Files of type SSL_FILETYPE_PEM can contain more than one item.
+
+SSL_CTX_use_certificate_chain_file() adds the first certificate found
+in the file to the certificate store. The other certificates are added
+to the store of chain certificates using
+L<SSL_CTX_add_extra_chain_cert(3)|SSL_CTX_add_extra_chain_cert(3)>.
+There exists only one extra chain store, so that the same chain is appended
+to both types of certificates, RSA and DSA! If it is not intented to use
+both type of certificate at the same time, it is recommended to use the
+SSL_CTX_use_certificate_chain_file() instead of the
+SSL_CTX_use_certificate_file() function in order to allow the use of
+complete certificate chains even when no trusted CA storage is used or
+when the CA issuing the certificate shall not be added to the trusted
+CA storage.
+
+If additional certificates are needed to complete the chain during the
+TLS negotiation, CA certificates are additionally looked up in the
+locations of trusted CA certificates, see
+L<SSL_CTX_load_verify_locations(3)|SSL_CTX_load_verify_locations(3)>.
+
+The private keys loaded from file can be encrypted. In order to successfully
+load encrypted keys, a function returning the passphrase must have been
+supplied, see
+L<SSL_CTX_set_default_passwd_cb(3)|SSL_CTX_set_default_passwd_cb(3)>.
+(Certificate files might be encrypted as well from the technical point
+of view, it however does not make sense as the data in the certificate
+is considered public anyway.)
+
+=head1 RETURN VALUES
+
+On success, the functions return 1.
+Otherwise check out the error stack to find out the reason.
+
+=head1 SEE ALSO
+
+L<ssl(3)|ssl(3)>, L<SSL_new(3)|SSL_new(3)>, L<SSL_clear(3)|SSL_clear(3)>,
+L<SSL_CTX_load_verify_locations(3)|SSL_CTX_load_verify_locations(3)>,
+L<SSL_CTX_set_default_passwd_cb(3)|SSL_CTX_set_default_passwd_cb(3)>,
+L<SSL_CTX_set_cipher_list(3)|SSL_CTX_set_cipher_list(3)>,
+L<SSL_CTX_add_extra_chain_cert(3)|SSL_CTX_add_extra_chain_cert(3)>
+
+=cut
diff --git a/crypto/openssl/doc/ssl/SSL_SESSION_get_ex_new_index.pod b/crypto/openssl/doc/ssl/SSL_SESSION_get_ex_new_index.pod
new file mode 100644
index 000000000000..dd5cb4f04bba
--- /dev/null
+++ b/crypto/openssl/doc/ssl/SSL_SESSION_get_ex_new_index.pod
@@ -0,0 +1,61 @@
+=pod
+
+=head1 NAME
+
+SSL_SESSION_get_ex_new_index, SSL_SESSION_set_ex_data, SSL_SESSION_get_ex_data - internal application specific data functions
+
+=head1 SYNOPSIS
+
+ #include <openssl/ssl.h>
+
+ int SSL_SESSION_get_ex_new_index(long argl, void *argp,
+ CRYPTO_EX_new *new_func,
+ CRYPTO_EX_dup *dup_func,
+ CRYPTO_EX_free *free_func);
+
+ int SSL_SESSION_set_ex_data(SSL_SESSION *session, int idx, void *arg);
+
+ void *SSL_SESSION_get_ex_data(SSL_SESSION *session, int idx);
+
+ typedef int new_func(void *parent, void *ptr, CRYPTO_EX_DATA *ad,
+ int idx, long argl, void *argp);
+ typedef void free_func(void *parent, void *ptr, CRYPTO_EX_DATA *ad,
+ int idx, long argl, void *argp);
+ typedef int dup_func(CRYPTO_EX_DATA *to, CRYPTO_EX_DATA *from, void *from_d,
+ int idx, long argl, void *argp);
+
+=head1 DESCRIPTION
+
+Several OpenSSL structures can have application specific data attached to them.
+These functions are used internally by OpenSSL to manipulate application
+specific data attached to a specific structure.
+
+SSL_SESSION_get_ex_new_index() is used to register a new index for application
+specific data.
+
+SSL_SESSION_set_ex_data() is used to store application data at B<arg> for B<idx>
+into the B<session> object.
+
+SSL_SESSION_get_ex_data() is used to retrieve the information for B<idx> from
+B<session>.
+
+A detailed description for the B<*_get_ex_new_index()> functionality
+can be found in L<RSA_get_ex_new_index.pod(3)|RSA_get_ex_new_index.pod(3)>.
+The B<*_get_ex_data()> and B<*_set_ex_data()> functionality is described in
+L<CRYPTO_set_ex_data(3)|CRYPTO_set_ex_data(3)>.
+
+=head1 WARNINGS
+
+The application data is only maintained for sessions held in memory. The
+application data is not included when dumping the session with
+i2d_SSL_SESSION() (and all functions indirectly calling the dump functions
+like PEM_write_SSL_SESSION() and PEM_write_bio_SSL_SESSION()) and can
+therefore not be restored.
+
+=head1 SEE ALSO
+
+L<ssl(3)|ssl(3)>,
+L<RSA_get_ex_new_index(3)|RSA_get_ex_new_index(3)>,
+L<CRYPTO_set_ex_data(3)|CRYPTO_set_ex_data(3)>
+
+=cut
diff --git a/crypto/openssl/doc/ssl/SSL_SESSION_get_time.pod b/crypto/openssl/doc/ssl/SSL_SESSION_get_time.pod
new file mode 100644
index 000000000000..cd33b73aa359
--- /dev/null
+++ b/crypto/openssl/doc/ssl/SSL_SESSION_get_time.pod
@@ -0,0 +1,63 @@
+=pod
+
+=head1 NAME
+
+SSL_SESSION_get_time, SSL_SESSION_set_time, SSL_SESSION_get_timeout, SSL_SESSION_get_timeout - retrieve and manipulate session time and timeout settings
+
+=head1 SYNOPSIS
+
+ #include <openssl/ssl.h>
+
+ long SSL_SESSION_get_time(SSL_SESSION *s);
+ long SSL_SESSION_set_time(SSL_SESSION *s, long tm);
+ long SSL_SESSION_get_timeout(SSL_SESSION *s);
+ long SSL_SESSION_set_timeout(SSL_SESSION *s, long tm);
+
+ long SSL_get_time(SSL_SESSION *s);
+ long SSL_set_time(SSL_SESSION *s, long tm);
+ long SSL_get_timeout(SSL_SESSION *s);
+ long SSL_set_timeout(SSL_SESSION *s, long tm);
+
+=head1 DESCRIPTION
+
+SSL_SESSION_get_time() returns the time at which the session B<s> was
+established. The time is given in seconds since the Epoch and therefore
+compatible to the time delivered by the time() call.
+
+SSL_SESSION_set_time() replaces the creation time of the session B<s> with
+the chosen value B<tm>.
+
+SSL_SESSION_get_timeout() returns the timeout value set for session B<s>
+in seconds.
+
+SSL_SESSION_set_timeout() sets the timeout value for session B<s> in seconds
+to B<tm>.
+
+The SSL_get_time(), SSL_set_time(), SSL_get_timeout(), and SSL_set_timeout()
+functions are synonyms for the SSL_SESSION_*() counterparts.
+
+=head1 NOTES
+
+Sessions are expired by examining the creation time and the timeout value.
+Both are set at creation time of the session to the actual time and the
+default timeout value at creation, respectively, as set by
+L<SSL_CTX_set_timeout(3)|SSL_CTX_set_timeout(3)>.
+Using these functions it is possible to extend or shorten the lifetime
+of the session.
+
+=head1 RETURN VALUES
+
+SSL_SESSION_get_time() and SSL_SESSION_get_timeout() return the currently
+valid values.
+
+SSL_SESSION_set_time() and SSL_SESSION_set_timeout() return 1 on success.
+
+If any of the function is passed the NULL pointer for the session B<s>,
+0 is returned.
+
+=head1 SEE ALSO
+
+L<ssl(3)|ssl(3)>,
+L<SSL_CTX_set_timeout(3)|SSL_CTX_set_timeout(3)>
+
+=cut
diff --git a/crypto/openssl/doc/ssl/SSL_accept.pod b/crypto/openssl/doc/ssl/SSL_accept.pod
index 0c79ac515e1d..46f95abb2f22 100644
--- a/crypto/openssl/doc/ssl/SSL_accept.pod
+++ b/crypto/openssl/doc/ssl/SSL_accept.pod
@@ -54,7 +54,7 @@ The TLS/SSL handshake was not successful but was shut down controlled and
by the specifications of the TLS/SSL protocol. Call SSL_get_error() with the
return value B<ret> to find out the reason.
-=item -1
+=item E<lt>0
The TLS/SSL handshake was not successful because a fatal error occurred either
at the protocol level or a connection failure occurred. The shutdown was
diff --git a/crypto/openssl/doc/ssl/SSL_clear.pod b/crypto/openssl/doc/ssl/SSL_clear.pod
index 862fd8291df1..aeb0b5c7a230 100644
--- a/crypto/openssl/doc/ssl/SSL_clear.pod
+++ b/crypto/openssl/doc/ssl/SSL_clear.pod
@@ -34,6 +34,6 @@ The SSL_clear() operation was successful.
=back
L<SSL_new(3)|SSL_new(3)>, L<SSL_free(3)|SSL_free(3)>,
-L<ssl(3)|ssl(3)>
+L<SSL_CTX_set_options(3)|SSL_CTX_set_options(3)>, L<ssl(3)|ssl(3)>
=cut
diff --git a/crypto/openssl/doc/ssl/SSL_connect.pod b/crypto/openssl/doc/ssl/SSL_connect.pod
index debe41744f0a..00813ecfff6f 100644
--- a/crypto/openssl/doc/ssl/SSL_connect.pod
+++ b/crypto/openssl/doc/ssl/SSL_connect.pod
@@ -51,7 +51,7 @@ The TLS/SSL handshake was not successful but was shut down controlled and
by the specifications of the TLS/SSL protocol. Call SSL_get_error() with the
return value B<ret> to find out the reason.
-=item -1
+=item E<lt>0
The TLS/SSL handshake was not successful, because a fatal error occurred either
at the protocol level or a connection failure occurred. The shutdown was
@@ -64,6 +64,6 @@ to find out the reason.
=head1 SEE ALSO
L<SSL_get_error(3)|SSL_get_error(3)>, L<SSL_accept(3)|SSL_accept(3)>,
-L<SSL_shutdown(3)|SSL_shutdown(3)>, L<ssl(3)|ssl(3)> , L<bio(3)|bio(3)>
+L<SSL_shutdown(3)|SSL_shutdown(3)>, L<ssl(3)|ssl(3)>, L<bio(3)|bio(3)>
=cut
diff --git a/crypto/openssl/doc/ssl/SSL_get_client_CA_list.pod b/crypto/openssl/doc/ssl/SSL_get_client_CA_list.pod
new file mode 100644
index 000000000000..d358bc352e69
--- /dev/null
+++ b/crypto/openssl/doc/ssl/SSL_get_client_CA_list.pod
@@ -0,0 +1,52 @@
+=pod
+
+=head1 NAME
+
+SSL_get_client_CA_list, SSL_CTX_get_client_CA_list - get list of client CAs
+
+=head1 SYNOPSIS
+
+ #include <openssl/ssl.h>
+
+ STACK_OF(X509_NAME) *SSL_get_client_CA_list(SSL *s);
+ STACK_OF(X509_NAME) *SSL_CTX_get_client_CA_list(SSL_CTX *ctx);
+
+=head1 DESCRIPTION
+
+SSL_CTX_get_client_CA_list() returns the list of client CAs explicitely set for
+B<ctx> using L<SSL_CTX_set_client_CA_list(3)|SSL_CTX_set_client_CA_list(3)>.
+
+SSL_get_client_CA_list() returns the list of client CAs explicitely
+set for B<ssl> using SSL_set_client_CA_list() or B<ssl>'s SSL_CTX object with
+L<SSL_CTX_set_client_CA_list(3)|SSL_CTX_set_client_CA_list(3)>, when in
+server mode. In client mode, SSL_get_client_CA_list returns the list of
+client CAs sent from the server, if any.
+
+=head1 RETURN VALUES
+
+SSL_CTX_set_client_CA_list() and SSL_set_client_CA_list() do not return
+diagnostic information.
+
+SSL_CTX_add_client_CA() and SSL_add_client_CA() have the following return
+values:
+
+=over 4
+
+=item STACK_OF(X509_NAMES)
+
+List of CA names explicitely set (for B<ctx> or in server mode) or send
+by the server (client mode).
+
+=item NULL
+
+No client CA list was explicitely set (for B<ctx> or in server mode) or
+the server did not send a list of CAs (client mode).
+
+=back
+
+=head1 SEE ALSO
+
+L<ssl(3)|ssl(3)>,
+L<SSL_CTX_set_client_CA_list(3)|SSL_CTX_set_client_CA_list(3)>
+
+=cut
diff --git a/crypto/openssl/doc/ssl/SSL_get_error.pod b/crypto/openssl/doc/ssl/SSL_get_error.pod
index d85b56425828..fefaf619369a 100644
--- a/crypto/openssl/doc/ssl/SSL_get_error.pod
+++ b/crypto/openssl/doc/ssl/SSL_get_error.pod
@@ -14,8 +14,8 @@ SSL_get_error - obtain result code for TLS/SSL I/O operation
SSL_get_error() returns a result code (suitable for the C "switch"
statement) for a preceding call to SSL_connect(), SSL_accept(),
-SSL_read(), or SSL_write() on B<ssl>. The value returned by that
-TLS/SSL I/O function must be passed to SSL_get_error() in parameter
+SSL_read(), SSL_peek(), or SSL_write() on B<ssl>. The value returned by
+that TLS/SSL I/O function must be passed to SSL_get_error() in parameter
B<ret>.
In addition to B<ssl> and B<ret>, SSL_get_error() inspects the
@@ -48,16 +48,26 @@ has been closed.
=item SSL_ERROR_WANT_READ, SSL_ERROR_WANT_WRITE
The operation did not complete; the same TLS/SSL I/O function should be
-called again later. There will be protocol progress if, by then, the
-underlying B<BIO> has data available for reading (if the result code is
-B<SSL_ERROR_WANT_READ>) or allows writing data (B<SSL_ERROR_WANT_WRITE>).
-For socket B<BIO>s (e.g. when SSL_set_fd() was used) this means that
-select() or poll() on the underlying socket can be used to find out
-when the TLS/SSL I/O function should be retried.
+called again later. If, by then, the underlying B<BIO> has data
+available for reading (if the result code is B<SSL_ERROR_WANT_READ>)
+or allows writing data (B<SSL_ERROR_WANT_WRITE>), then some TLS/SSL
+protocol progress will take place, i.e. at least part of an TLS/SSL
+record will be read or written. Note that the retry may again lead to
+a B<SSL_ERROR_WANT_READ> or B<SSL_ERROR_WANT_WRITE> condition.
+There is no fixed upper limit for the number of iterations that
+may be necessary until progress becomes visible at application
+protocol level.
+
+For socket B<BIO>s (e.g. when SSL_set_fd() was used), select() or
+poll() on the underlying socket can be used to find out when the
+TLS/SSL I/O function should be retried.
Caveat: Any TLS/SSL I/O function can lead to either of
-B<SSL_ERROR_WANT_READ> and B<SSL_ERROR_WANT_WRITE>, i.e. SSL_read()
-may want to write data and SSL_write() may want to read data.
+B<SSL_ERROR_WANT_READ> and B<SSL_ERROR_WANT_WRITE>. In particular,
+SSL_read() or SSL_peek() may want to write data and SSL_write() may want
+to read data. This is mainly because TLS/SSL handshakes may occur at any
+time during the protocol (initiated by either the client or the server);
+SSL_read(), SSL_peek(), and SSL_write() will handle any pending handshakes.
=item SSL_ERROR_WANT_X509_LOOKUP
diff --git a/crypto/openssl/doc/ssl/SSL_get_ex_data_X509_STORE_CTX_idx.pod b/crypto/openssl/doc/ssl/SSL_get_ex_data_X509_STORE_CTX_idx.pod
new file mode 100644
index 000000000000..165c6a5b2cae
--- /dev/null
+++ b/crypto/openssl/doc/ssl/SSL_get_ex_data_X509_STORE_CTX_idx.pod
@@ -0,0 +1,61 @@
+=pod
+
+=head1 NAME
+
+SSL_get_ex_data_X509_STORE_CTX_idx - get ex_data index to access SSL structure
+from X509_STORE_CTX
+
+=head1 SYNOPSIS
+
+ #include <openssl/ssl.h>
+
+ int SSL_get_ex_data_X509_STORE_CTX_idx(void);
+
+=head1 DESCRIPTION
+
+SSL_get_ex_data_X509_STORE_CTX_idx() returns the index number under which
+the pointer to the SSL object is stored into the X509_STORE_CTX object.
+
+=head1 NOTES
+
+Whenever a X509_STORE_CTX object is created for the verification of the
+peers certificate during a handshake, a pointer to the SSL object is
+stored into the X509_STORE_CTX object to identify the connection affected.
+To retrieve this pointer the X509_STORE_CTX_get_ex_data() function can
+be used with the correct index. This index is globally the same for all
+X509_STORE_CTX objects and can be retrieved using
+SSL_get_ex_data_X509_STORE_CTX_idx(). The index value is set when
+SSL_get_ex_data_X509_STORE_CTX_idx() is first called either by the application
+program directly or indirectly during other SSL setup functions or during
+the handshake.
+
+The value depends on other index values defined for X509_STORE_CTX objects
+before the SSL index is created.
+
+=head1 RETURN VALUES
+
+=over 4
+
+=item E<gt>=0
+
+The index value to access the pointer.
+
+=item E<lt>0
+
+An error occurred, check the error stack for a detailed error message.
+
+=back
+
+=head1 EXAMPLES
+
+The index returned from SSL_get_ex_data_X509_STORE_CTX_idx() allows to
+access the SSL object for the connection to be accessed during the
+verify_callback() when checking the peers certificate. Please check
+the example in L<SSL_CTX_set_verify(3)|SSL_CTX_set_verify(3)>,
+
+=head1 SEE ALSO
+
+L<ssl(3)|ssl(3)>, L<SSL_CTX_set_verify(3)|SSL_CTX_set_verify(3)>,
+L<CRYPTO_set_ex_data(3)|CRYPTO_set_ex_data(3)>
+
+=cut
diff --git a/crypto/openssl/doc/ssl/SSL_get_ex_new_index.pod b/crypto/openssl/doc/ssl/SSL_get_ex_new_index.pod
new file mode 100644
index 000000000000..2b69bb105003
--- /dev/null
+++ b/crypto/openssl/doc/ssl/SSL_get_ex_new_index.pod
@@ -0,0 +1,59 @@
+=pod
+
+=head1 NAME
+
+SSL_get_ex_new_index, SSL_set_ex_data, SSL_get_ex_data - internal application specific data functions
+
+=head1 SYNOPSIS
+
+ #include <openssl/ssl.h>
+
+ int SSL_get_ex_new_index(long argl, void *argp,
+ CRYPTO_EX_new *new_func,
+ CRYPTO_EX_dup *dup_func,
+ CRYPTO_EX_free *free_func);
+
+ int SSL_set_ex_data(SSL *ssl, int idx, void *arg);
+
+ void *SSL_get_ex_data(SSL *ssl, int idx);
+
+ typedef int new_func(void *parent, void *ptr, CRYPTO_EX_DATA *ad,
+ int idx, long argl, void *argp);
+ typedef void free_func(void *parent, void *ptr, CRYPTO_EX_DATA *ad,
+ int idx, long argl, void *argp);
+ typedef int dup_func(CRYPTO_EX_DATA *to, CRYPTO_EX_DATA *from, void *from_d,
+ int idx, long argl, void *argp);
+
+=head1 DESCRIPTION
+
+Several OpenSSL structures can have application specific data attached to them.
+These functions are used internally by OpenSSL to manipulate application
+specific data attached to a specific structure.
+
+SSL_get_ex_new_index() is used to register a new index for application
+specific data.
+
+SSL_set_ex_data() is used to store application data at B<arg> for B<idx> into
+the B<ssl> object.
+
+SSL_get_ex_data() is used to retrieve the information for B<idx> from
+B<ssl>.
+
+A detailed description for the B<*_get_ex_new_index()> functionality
+can be found in L<RSA_get_ex_new_index.pod(3)|RSA_get_ex_new_index.pod(3)>.
+The B<*_get_ex_data()> and B<*_set_ex_data()> functionality is described in
+L<CRYPTO_set_ex_data(3)|CRYPTO_set_ex_data(3)>.
+
+=head1 EXAMPLES
+
+An example on how to use the functionality is included in the example
+verify_callback() in L<SSL_CTX_set_verify(3)|SSL_CTX_set_verify(3)>.
+
+=head1 SEE ALSO
+
+L<ssl(3)|ssl(3)>,
+L<RSA_get_ex_new_index(3)|RSA_get_ex_new_index(3)>,
+L<CRYPTO_set_ex_data(3)|CRYPTO_set_ex_data(3)>,
+L<SSL_CTX_set_verify(3)|SSL_CTX_set_verify(3)>
+
+=cut
diff --git a/crypto/openssl/doc/ssl/SSL_load_client_CA_file.pod b/crypto/openssl/doc/ssl/SSL_load_client_CA_file.pod
new file mode 100644
index 000000000000..02527dc2edc8
--- /dev/null
+++ b/crypto/openssl/doc/ssl/SSL_load_client_CA_file.pod
@@ -0,0 +1,62 @@
+=pod
+
+=head1 NAME
+
+SSL_load_client_CA_file - load certificate names from file
+
+=head1 SYNOPSIS
+
+ #include <openssl/ssl.h>
+
+ STACK_OF(X509_NAME) *SSL_load_client_CA_file(const char *file);
+
+=head1 DESCRIPTION
+
+SSL_load_client_CA_file() reads certificates from B<file> and returns
+a STACK_OF(X509_NAME) with the subject names found.
+
+=head1 NOTES
+
+SSL_load_client_CA_file() reads a file of PEM formatted certificates and
+extracts the X509_NAMES of the certificates found. While the name suggests
+the specific usage as support function for
+L<SSL_CTX_set_client_CA_list(3)|SSL_CTX_set_client_CA_list(3)>,
+it is not limited to CA certificates.
+
+=head1 EXAMPLES
+
+Load names of CAs from file and use it as a client CA list:
+
+ SSL_CTX *ctx;
+ STACK_OF(X509_NAME) *cert_names;
+
+ ...
+ cert_names = SSL_load_client_CA_file("/path/to/CAfile.pem");
+ if (cert_names != NULL)
+ SSL_CTX_set_client_CA_list(ctx, cert_names);
+ else
+ error_handling();
+ ...
+
+=head1 RETURN VALUES
+
+The following return values can occur:
+
+=over 4
+
+=item NULL
+
+The operation failed, check out the error stack for the reason.
+
+=item Pointer to STACK_OF(X509_NAME)
+
+Pointer to the subject names of the successfully read certificates.
+
+=back
+
+=head1 SEE ALSO
+
+L<ssl(3)|ssl(3)>,
+L<SSL_CTX_set_client_CA_list(3)|SSL_CTX_set_client_CA_list(3)>
+
+=cut
diff --git a/crypto/openssl/doc/ssl/SSL_new.pod b/crypto/openssl/doc/ssl/SSL_new.pod
index 8e8638fa9561..3b084e867d08 100644
--- a/crypto/openssl/doc/ssl/SSL_new.pod
+++ b/crypto/openssl/doc/ssl/SSL_new.pod
@@ -37,6 +37,7 @@ The return value points to an allocated SSL structure.
=head1 SEE ALSO
L<SSL_free(3)|SSL_free(3)>, L<SSL_clear(3)|SSL_clear(3)>,
+L<SSL_CTX_set_options(3)|SSL_CTX_set_options(3)>,
L<ssl(3)|ssl(3)>
=cut
diff --git a/crypto/openssl/doc/ssl/SSL_pending.pod b/crypto/openssl/doc/ssl/SSL_pending.pod
index 744e1855e151..b4c48598b25d 100644
--- a/crypto/openssl/doc/ssl/SSL_pending.pod
+++ b/crypto/openssl/doc/ssl/SSL_pending.pod
@@ -25,6 +25,19 @@ L<SSL_read(3)|SSL_read(3)>.
The number of bytes pending is returned.
+=head1 BUGS
+
+SSL_pending() takes into account only bytes from the TLS/SSL record
+that is currently being processed (if any). If the B<SSL> object's
+I<read_ahead> flag is set, additional protocol bytes may have been
+read containing more TLS/SSL records; these are ignored by
+SSL_pending().
+
+Up to OpenSSL 0.9.6, SSL_pending() does not check if the record type
+of pending data is application data.
+
+=head1 SEE ALSO
+
L<SSL_read(3)|SSL_read(3)>, L<ssl(3)|ssl(3)>
=cut
diff --git a/crypto/openssl/doc/ssl/SSL_read.pod b/crypto/openssl/doc/ssl/SSL_read.pod
index 072dc26cf284..9bff32500b89 100644
--- a/crypto/openssl/doc/ssl/SSL_read.pod
+++ b/crypto/openssl/doc/ssl/SSL_read.pod
@@ -61,7 +61,7 @@ The read operation was not successful, probably because no data was
available. Call SSL_get_error() with the return value B<ret> to find out,
whether an error occurred.
-=item -1
+=item E<lt>0
The read operation was not successful, because either an error occurred
or action must be taken by the calling process. Call SSL_get_error() with the
diff --git a/crypto/openssl/doc/ssl/SSL_set_session.pod b/crypto/openssl/doc/ssl/SSL_set_session.pod
index 9f78d9e434ae..c4f7878579d5 100644
--- a/crypto/openssl/doc/ssl/SSL_set_session.pod
+++ b/crypto/openssl/doc/ssl/SSL_set_session.pod
@@ -40,6 +40,7 @@ The operation succeeded.
=head1 SEE ALSO
-L<ssl(3)|ssl(3)>, L<SSL_SESSION_free(3)|SSL_SESSION_free(3)>
+L<ssl(3)|ssl(3)>, L<SSL_SESSION_free(3)|SSL_SESSION_free(3)>,
+L<SSL_CTX_set_session_cache_mode(3)|SSL_CTX_set_session_cache_mode(3)>
=cut
diff --git a/crypto/openssl/doc/ssl/SSL_write.pod b/crypto/openssl/doc/ssl/SSL_write.pod
index db67c187e0ee..8110161522a3 100644
--- a/crypto/openssl/doc/ssl/SSL_write.pod
+++ b/crypto/openssl/doc/ssl/SSL_write.pod
@@ -2,7 +2,7 @@
=head1 NAME
-SSL_read - write bytes to a TLS/SSL connection.
+SSL_write - write bytes to a TLS/SSL connection.
=head1 SYNOPSIS
@@ -31,7 +31,7 @@ when the underlying BIO could not satisfy the needs of SSL_write()
to continue the operation. In this case a call to SSL_get_error() with the
return value of SSL_write() will yield B<SSL_ERROR_WANT_READ> or
B<SSL_ERROR_WANT_WRITE>. As at any time a re-negotiation is possible, a
-call to SSL_write() can also cause write operations! The calling process
+call to SSL_write() can also cause read operations! The calling process
then must repeat the call after taking appropriate action to satisfy the
needs of SSL_write(). The action depends on the underlying BIO. When using a
non-blocking socket, nothing is to be done, but select() can be used to check
@@ -60,9 +60,9 @@ bytes actually written to the TLS/SSL connection.
The write operation was not successful. Call SSL_get_error() with the return
value B<ret> to find out, whether an error occurred.
-=item -1
+=item E<lt>0
-The read operation was not successful, because either an error occurred
+The write operation was not successful, because either an error occurred
or action must be taken by the calling process. Call SSL_get_error() with the
return value B<ret> to find out the reason.
diff --git a/crypto/openssl/doc/ssl/d2i_SSL_SESSION.pod b/crypto/openssl/doc/ssl/d2i_SSL_SESSION.pod
new file mode 100644
index 000000000000..8142b6b39f75
--- /dev/null
+++ b/crypto/openssl/doc/ssl/d2i_SSL_SESSION.pod
@@ -0,0 +1,55 @@
+=pod
+
+=head1 NAME
+d2i_SSL_SESSION, i2d_SSL_SESSION - convert SSL_SESSION object from/to ASN1 representation
+
+=head1 SYNOPSIS
+
+ #include <openssl/ssl.h>
+
+ SSL_SESSION *d2i_SSL_SESSION(SSL_SESSION **a, unsigned char **pp, long length);
+ int i2d_SSL_SESSION(SSL_SESSION *in, unsigned char **pp);
+
+=head1 DESCRIPTION
+
+d2i_SSL_SESSION() transforms the external ASN1 representation of an SSL/TLS
+session, stored as binary data at location B<pp> with length B<length>, into
+an SSL_SESSION object.
+
+i2d_SSL_SESSION() transforms the SSL_SESSION object B<in> into the ASN1
+representation and stores it into the memory location pointed to by B<pp>.
+The length of the resulting ASN1 representation is returned. If B<pp> is
+the NULL pointer, only the length is calculated and returned.
+
+=head1 NOTES
+
+The SSL_SESSION object is built from several malloc()ed parts, it can
+therefore not be moved, copied or stored directly. In order to store
+session data on disk or into a database, it must be transformed into
+a binary ASN1 representation.
+
+When using d2i_SSL_SESSION(), the SSL_SESSION object is automatically
+allocated.
+
+When using i2d_SSL_SESSION(), the memory location pointed to by B<pp> must be
+large enough to hold the binary representation of the session. There is no
+known limit on the size of the created ASN1 representation, so the necessary
+amount of space should be obtained by first calling i2d_SSL_SESSION() with
+B<pp=NULL>, and obtain the size needed, then allocate the memory and
+call i2d_SSL_SESSION() again.
+
+=head1 RETURN VALUES
+
+d2i_SSL_SESSION() returns a pointer to the newly allocated SSL_SESSION
+object. In case of failure the NULL-pointer is returned and the error message
+can be retrieved from the error stack.
+
+i2d_SSL_SESSION() returns the size of the ASN1 representation in bytes.
+When the session is not valid, B<0> is returned and no operation is performed.
+
+=head1 SEE ALSO
+
+L<ssl(3)|ssl(3)>,
+L<SSL_CTX_sess_set_get_cb(3)|SSL_CTX_sess_set_get_cb(3)>
+
+=cut
diff --git a/crypto/openssl/doc/ssl/ssl.pod b/crypto/openssl/doc/ssl/ssl.pod
index 8ffe5904d523..2911c83e4879 100644
--- a/crypto/openssl/doc/ssl/ssl.pod
+++ b/crypto/openssl/doc/ssl/ssl.pod
@@ -13,6 +13,69 @@ The OpenSSL B<ssl> library implements the Secure Sockets Layer (SSL v2/v3) and
Transport Layer Security (TLS v1) protocols. It provides a rich API which is
documented here.
+At first the library must be initialized; see
+L<SSL_library_init(3)|SSL_library_init(3)>.
+
+Then an B<SSL_CTX> object is created as a framework to establish
+TLS/SSL enabled connections (see L<SSL_CTX_new(3)|SSL_CTX_new(3)>).
+Various options regarding certificates, algorithms etc. can be set
+in this object.
+
+When a network connection has been created, it can be assigned to an
+B<SSL> object. After the B<SSL> object has been created using
+L<SSL_new(3)|SSL_new(3)>, L<SSL_set_fd(3)|SSL_set_fd(3)> or
+L<SSL_set_bio(3)|SSL_set_bio(3)> can be used to associate the network
+connection with the object.
+
+Then the TLS/SSL handshake is performed using
+L<SSL_accept(3)|SSL_accept(3)> or L<SSL_connect(3)|SSL_connect(3)>
+respectively.
+L<SSL_read(3)|SSL_read(3)> and L<SSL_write(3)|SSL_write(3)> are used
+to read and write data on the TLS/SSL connection.
+L<SSL_shutdown(3)|SSL_shutdown(3)> can be used to shut down the
+TLS/SSL connection.
+
+=head1 DATA STRUCTURES
+
+Currently the OpenSSL B<ssl> library functions deals with the following data
+structures:
+
+=over 4
+
+=item B<SSL_METHOD> (SSL Method)
+
+That's a dispatch structure describing the internal B<ssl> library
+methods/functions which implement the various protocol versions (SSLv1, SSLv2
+and TLSv1). It's needed to create an B<SSL_CTX>.
+
+=item B<SSL_CIPHER> (SSL Cipher)
+
+This structure holds the algorithm information for a particular cipher which
+are a core part of the SSL/TLS protocol. The available ciphers are configured
+on a B<SSL_CTX> basis and the actually used ones are then part of the
+B<SSL_SESSION>.
+
+=item B<SSL_CTX> (SSL Context)
+
+That's the global context structure which is created by a server or client
+once per program life-time and which holds mainly default values for the
+B<SSL> structures which are later created for the connections.
+
+=item B<SSL_SESSION> (SSL Session)
+
+This is a structure containing the current TLS/SSL session details for a
+connection: B<SSL_CIPHER>s, client and server certificates, keys, etc.
+
+=item B<SSL> (SSL Connection)
+
+That's the main SSL/TLS structure which is created by a server or client per
+established connection. This actually is the core structure in the SSL API.
+Under run-time the application usually deals with this structure which has
+links to mostly all other structures.
+
+=back
+
+
=head1 HEADER FILES
Currently the OpenSSL B<ssl> library provides the following C header files
@@ -55,46 +118,6 @@ it's already included by ssl.h>.
=back
-=head1 DATA STRUCTURES
-
-Currently the OpenSSL B<ssl> library functions deals with the following data
-structures:
-
-=over 4
-
-=item B<SSL_METHOD> (SSL Method)
-
-That's a dispatch structure describing the internal B<ssl> library
-methods/functions which implement the various protocol versions (SSLv1, SSLv2
-and TLSv1). It's needed to create an B<SSL_CTX>.
-
-=item B<SSL_CIPHER> (SSL Cipher)
-
-This structure holds the algorithm information for a particular cipher which
-are a core part of the SSL/TLS protocol. The available ciphers are configured
-on a B<SSL_CTX> basis and the actually used ones are then part of the
-B<SSL_SESSION>.
-
-=item B<SSL_CTX> (SSL Context)
-
-That's the global context structure which is created by a server or client
-once per program life-time and which holds mainly default values for the
-B<SSL> structures which are later created for the connections.
-
-=item B<SSL_SESSION> (SSL Session)
-
-This is a structure containing the current TLS/SSL session details for a
-connection: B<SSL_CIPHER>s, client and server certificates, keys, etc.
-
-=item B<SSL> (SSL Connection)
-
-That's the main SSL/TLS structure which is created by a server or client per
-established connection. This actually is the core structure in the SSL API.
-Under run-time the application usually deals with this structure which has
-links to mostly all other structures.
-
-=back
-
=head1 API FUNCTIONS
Currently the OpenSSL B<ssl> library exports 214 API functions.
@@ -625,20 +648,48 @@ connection defined in the B<SSL> structure.
L<openssl(1)|openssl(1)>, L<crypto(3)|crypto(3)>,
L<SSL_accept(3)|SSL_accept(3)>, L<SSL_clear(3)|SSL_clear(3)>,
-L<SSL_connect(3)|SSL_connect(3)>, L<SSL_CTX_new(3)|SSL_CTX_new(3)>,
+L<SSL_connect(3)|SSL_connect(3)>,
+L<SSL_CIPHER_get_name(3)|SSL_CIPHER_get_name(3)>,
+L<SSL_CTX_add_extra_chain_cert(3)|SSL_CTX_add_extra_chain_cert(3)>,
+L<SSL_CTX_add_session(3)|SSL_CTX_add_session(3)>,
+L<SSL_CTX_flush_sessions(3)|SSL_CTX_flush_sessions(3)>,
+L<SSL_CTX_get_ex_new_index(3)|SSL_CTX_get_ex_new_index(3)>,
+L<SSL_CTX_get_verify_mode(3)|SSL_CTX_get_verify_mode(3)>,
+L<SSL_CTX_load_verify_locations(3)|SSL_CTX_load_verify_locations(3)>
+L<SSL_CTX_new(3)|SSL_CTX_new(3)>,
+L<SSL_CTX_sess_set_cache_size(3)|SSL_CTX_sess_set_cache_size(3)>,
+L<SSL_CTX_sess_set_get_cb(3)|SSL_CTX_sess_set_get_cb(3)>,
+L<SSL_CTX_sessions(3)|SSL_CTX_sessions(3)>,
+L<SSL_CTX_set_client_CA_list(3)|SSL_CTX_set_client_CA_list(3)>,
+L<SSL_CTX_set_default_passwd_cb(3)|SSL_CTX_set_default_passwd_cb(3)>,
+L<SSL_CTX_set_options(3)|SSL_CTX_set_options(3)>,
+L<SSL_CTX_set_session_cache_mode(3)|SSL_CTX_set_session_cache_mode(3)>,
+L<SSL_CTX_set_session_id_context(3)|SSL_CTX_set_session_id_context(3)>,
L<SSL_CTX_set_ssl_version(3)|SSL_CTX_set_ssl_version(3)>,
+L<SSL_CTX_set_timeout(3)|SSL_CTX_set_timeout(3)>,
+L<SSL_CTX_set_verify(3)|SSL_CTX_set_verify(3)>,
+L<SSL_CTX_use_certificate(3)|SSL_CTX_use_certificate(3)>,
L<SSL_get_ciphers(3)|SSL_get_ciphers(3)>,
-L<SSL_get_error(3)|SSL_get_error(3)>, L<SSL_get_fd(3)|SSL_get_fd(3)>,
+L<SSL_get_client_CA_list(3)|SSL_get_client_CA_list(3)>,
+L<SSL_get_error(3)|SSL_get_error(3)>,
+L<SSL_get_ex_data_X509_STORE_CTX_idx(3)|SSL_get_ex_data_X509_STORE_CTX_idx(3)>,
+L<SSL_get_ex_new_index(3)|SSL_get_ex_new_index(3)>,
+L<SSL_get_fd(3)|SSL_get_fd(3)>,
L<SSL_get_peer_cert_chain(3)|SSL_get_peer_cert_chain(3)>,
L<SSL_get_rbio(3)|SSL_get_rbio(3)>,
L<SSL_get_session(3)|SSL_get_session(3)>,
L<SSL_get_verify_result(3)|SSL_get_verify_result(3)>,
-L<SSL_library_init(3)|SSL_library_init(3)>, L<SSL_new(3)|SSL_new(3)>,
+L<SSL_library_init(3)|SSL_library_init(3)>,
+L<SSL_load_client_CA_file(3)|SSL_load_client_CA_file(3)>,
+L<SSL_new(3)|SSL_new(3)>,
L<SSL_read(3)|SSL_read(3)>, L<SSL_set_bio(3)|SSL_set_bio(3)>,
L<SSL_set_fd(3)|SSL_set_fd(3)>, L<SSL_pending(3)|SSL_pending(3)>,
L<SSL_set_session(3)|SSL_set_session(3)>,
L<SSL_shutdown(3)|SSL_shutdown(3)>, L<SSL_write(3)|SSL_write(3)>,
-L<SSL_SESSION_free(3)|SSL_SESSION_free(3)>
+L<SSL_SESSION_free(3)|SSL_SESSION_free(3)>,
+L<SSL_SESSION_get_ex_new_index(3)|SSL_SESSION_get_ex_new_index(3)>,
+L<SSL_SESSION_get_time(3)|SSL_SESSION_get_time(3)>,
+L<d2i_SSL_SESSION(3)|d2i_SSL_SESSION(3)>
=head1 HISTORY
diff --git a/crypto/openssl/doc/ssleay.txt b/crypto/openssl/doc/ssleay.txt
index 3e964c2e9aeb..fab8d42c4221 100644
--- a/crypto/openssl/doc/ssleay.txt
+++ b/crypto/openssl/doc/ssleay.txt
@@ -5743,7 +5743,7 @@ strucutre but also the private key and certificate associated with
EXAMPLES.
-So lets play at being a wierd SSL server.
+So lets play at being a weird SSL server.
/* setup a context */
ctx=SSL_CTX_new();
diff --git a/crypto/openssl/e_os.h b/crypto/openssl/e_os.h
index 0c0784f9a972..4f9c983ef184 100644
--- a/crypto/openssl/e_os.h
+++ b/crypto/openssl/e_os.h
@@ -355,12 +355,14 @@ extern HINSTANCE _hInstance;
# if defined(VMS) && !defined(__DECC)
# include <socket.h>
# include <in.h>
+# include <inet.h>
# else
# include <sys/socket.h>
# ifdef FILIO_H
# include <sys/filio.h> /* Added for FIONBIO under unixware */
# endif
# include <netinet/in.h>
+# include <arpa/inet.h>
# endif
# if defined(NeXT) || defined(_NEXT_SOURCE)
diff --git a/crypto/openssl/openssl.spec b/crypto/openssl/openssl.spec
index 18ae94e54cb7..fa8c16b7c76f 100644
--- a/crypto/openssl/openssl.spec
+++ b/crypto/openssl/openssl.spec
@@ -94,7 +94,7 @@ perl util/perlpath.pl /usr/bin/perl
./Configure %{CONFIG_FLAGS} --openssldir=%{openssldir} linux-ppc shared
%endif
%ifarch alpha
-./Configure %{CONFIG_FLAGS} --openssldir=%{openssldir} linux-alpha shared
+./Configure %{CONFIG_FLAGS} --openssldir=%{openssldir} linux-alpha-gcc shared
%endif
LD_LIBRARY_PATH=`pwd` make
LD_LIBRARY_PATH=`pwd` make rehash
diff --git a/crypto/openssl/rsaref/Makefile.ssl b/crypto/openssl/rsaref/Makefile.ssl
index 69d41a9a6dfb..8f27c48a5a6a 100644
--- a/crypto/openssl/rsaref/Makefile.ssl
+++ b/crypto/openssl/rsaref/Makefile.ssl
@@ -39,7 +39,8 @@ all: lib
lib: $(LIBOBJ)
$(AR) $(LIB) $(LIBOBJ)
- $(RANLIB) $(LIB)
+ @echo You may get an error following this line. Please ignore.
+ - $(RANLIB) $(LIB)
@touch lib
files:
diff --git a/crypto/openssl/ssl/Makefile.ssl b/crypto/openssl/ssl/Makefile.ssl
index 04dd3e866349..61b9cee090b6 100644
--- a/crypto/openssl/ssl/Makefile.ssl
+++ b/crypto/openssl/ssl/Makefile.ssl
@@ -55,7 +55,8 @@ all: lib
lib: $(LIBOBJ)
$(AR) $(LIB) $(LIBOBJ)
- $(RANLIB) $(LIB)
+ @echo You may get an error following this line. Please ignore.
+ - $(RANLIB) $(LIB)
@touch lib
files:
diff --git a/crypto/openssl/ssl/s2_clnt.c b/crypto/openssl/ssl/s2_clnt.c
index 47dd09c286f3..28d6d6529616 100644
--- a/crypto/openssl/ssl/s2_clnt.c
+++ b/crypto/openssl/ssl/s2_clnt.c
@@ -921,6 +921,7 @@ int ssl2_set_certificate(SSL *s, int type, int len, unsigned char *data)
goto err;
}
ERR_clear_error(); /* but we keep s->verify_result */
+ s->session->verify_result = s->verify_result;
/* server's cert for this session */
sc=ssl_sess_cert_new();
diff --git a/crypto/openssl/ssl/s2_lib.c b/crypto/openssl/ssl/s2_lib.c
index 129ed89d9704..a590dbfa5ca6 100644
--- a/crypto/openssl/ssl/s2_lib.c
+++ b/crypto/openssl/ssl/s2_lib.c
@@ -260,7 +260,7 @@ SSL_CIPHER *ssl2_get_cipher(unsigned int u)
int ssl2_pending(SSL *s)
{
- return(s->s2->ract_data_length);
+ return SSL_in_init(s) ? 0 : s->s2->ract_data_length;
}
int ssl2_new(SSL *s)
@@ -270,10 +270,16 @@ int ssl2_new(SSL *s)
if ((s2=OPENSSL_malloc(sizeof *s2)) == NULL) goto err;
memset(s2,0,sizeof *s2);
+#if SSL2_MAX_RECORD_LENGTH_3_BYTE_HEADER + 3 > SSL2_MAX_RECORD_LENGTH_2_BYTE_HEADER + 2
+# error "assertion failed"
+#endif
+
if ((s2->rbuf=OPENSSL_malloc(
SSL2_MAX_RECORD_LENGTH_2_BYTE_HEADER+2)) == NULL) goto err;
+ /* wbuf needs one byte more because when using two-byte headers,
+ * we leave the first byte unused in do_ssl_write (s2_pkt.c) */
if ((s2->wbuf=OPENSSL_malloc(
- SSL2_MAX_RECORD_LENGTH_2_BYTE_HEADER+2)) == NULL) goto err;
+ SSL2_MAX_RECORD_LENGTH_2_BYTE_HEADER+3)) == NULL) goto err;
s->s2=s2;
ssl2_clear(s);
diff --git a/crypto/openssl/ssl/s2_pkt.c b/crypto/openssl/ssl/s2_pkt.c
index 56662f29facb..1f119442b4e8 100644
--- a/crypto/openssl/ssl/s2_pkt.c
+++ b/crypto/openssl/ssl/s2_pkt.c
@@ -55,6 +55,59 @@
* copied and put under another distribution licence
* [including the GNU Public Licence.]
*/
+/* ====================================================================
+ * Copyright (c) 1998-2000 The OpenSSL Project. All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in
+ * the documentation and/or other materials provided with the
+ * distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ * software must display the following acknowledgment:
+ * "This product includes software developed by the OpenSSL Project
+ * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ * endorse or promote products derived from this software without
+ * prior written permission. For written permission, please contact
+ * openssl-core@openssl.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ * nor may "OpenSSL" appear in their names without prior written
+ * permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ * acknowledgment:
+ * "This product includes software developed by the OpenSSL Project
+ * for use in the OpenSSL Toolkit (http://www.openssl.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com). This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
#include "ssl_locl.h"
#ifndef NO_SSL2
@@ -66,23 +119,12 @@ static int read_n(SSL *s,unsigned int n,unsigned int max,unsigned int extend);
static int do_ssl_write(SSL *s, const unsigned char *buf, unsigned int len);
static int write_pending(SSL *s, const unsigned char *buf, unsigned int len);
static int ssl_mt_error(int n);
-int ssl2_peek(SSL *s, char *buf, int len)
- {
- int ret;
- ret=ssl2_read(s,buf,len);
- if (ret > 0)
- {
- s->s2->ract_data_length+=ret;
- s->s2->ract_data-=ret;
- }
- return(ret);
- }
-/* SSL_read -
+/* SSL 2.0 imlementation for SSL_read/SSL_peek -
* This routine will return 0 to len bytes, decrypted etc if required.
*/
-int ssl2_read(SSL *s, void *buf, int len)
+static int ssl2_read_internal(SSL *s, void *buf, int len, int peek)
{
int n;
unsigned char mac[MAX_MAC_SIZE];
@@ -90,14 +132,14 @@ int ssl2_read(SSL *s, void *buf, int len)
int i;
unsigned int mac_size=0;
-ssl2_read_again:
+ ssl2_read_again:
if (SSL_in_init(s) && !s->in_handshake)
{
n=s->handshake_func(s);
if (n < 0) return(n);
if (n == 0)
{
- SSLerr(SSL_F_SSL2_READ,SSL_R_SSL_HANDSHAKE_FAILURE);
+ SSLerr(SSL_F_SSL2_READ_INTERNAL,SSL_R_SSL_HANDSHAKE_FAILURE);
return(-1);
}
}
@@ -114,13 +156,22 @@ ssl2_read_again:
n=len;
memcpy(buf,s->s2->ract_data,(unsigned int)n);
- s->s2->ract_data_length-=n;
- s->s2->ract_data+=n;
- if (s->s2->ract_data_length == 0)
- s->rstate=SSL_ST_READ_HEADER;
+ if (!peek)
+ {
+ s->s2->ract_data_length-=n;
+ s->s2->ract_data+=n;
+ if (s->s2->ract_data_length == 0)
+ s->rstate=SSL_ST_READ_HEADER;
+ }
+
return(n);
}
+ /* s->s2->ract_data_length == 0
+ *
+ * Fill the buffer, then goto ssl2_read_again.
+ */
+
if (s->rstate == SSL_ST_READ_HEADER)
{
if (s->first_packet)
@@ -133,7 +184,7 @@ ssl2_read_again:
(p[2] == SSL2_MT_CLIENT_HELLO) ||
(p[2] == SSL2_MT_SERVER_HELLO))))
{
- SSLerr(SSL_F_SSL2_READ,SSL_R_NON_SSLV2_INITIAL_PACKET);
+ SSLerr(SSL_F_SSL2_READ_INTERNAL,SSL_R_NON_SSLV2_INITIAL_PACKET);
return(-1);
}
}
@@ -211,48 +262,49 @@ ssl2_read_again:
(unsigned int)mac_size) != 0) ||
(s->s2->rlength%EVP_CIPHER_CTX_block_size(s->enc_read_ctx) != 0))
{
- SSLerr(SSL_F_SSL2_READ,SSL_R_BAD_MAC_DECODE);
+ SSLerr(SSL_F_SSL2_READ_INTERNAL,SSL_R_BAD_MAC_DECODE);
return(-1);
}
}
INC32(s->s2->read_sequence); /* expect next number */
/* s->s2->ract_data is now available for processing */
-#if 1
- /* How should we react when a packet containing 0
- * bytes is received? (Note that SSLeay/OpenSSL itself
- * never sends such packets; see ssl2_write.)
- * Returning 0 would be interpreted by the caller as
- * indicating EOF, so it's not a good idea.
- * Instead, we just continue reading. Note that using
- * select() for blocking sockets *never* guarantees
+ /* Possibly the packet that we just read had 0 actual data bytes.
+ * (SSLeay/OpenSSL itself never sends such packets; see ssl2_write.)
+ * In this case, returning 0 would be interpreted by the caller
+ * as indicating EOF, so it's not a good idea. Instead, we just
+ * continue reading; thus ssl2_read_internal may have to process
+ * multiple packets before it can return.
+ *
+ * [Note that using select() for blocking sockets *never* guarantees
* that the next SSL_read will not block -- the available
- * data may contain incomplete packets, and except for SSL 2
- * renegotiation can confuse things even more. */
+ * data may contain incomplete packets, and except for SSL 2,
+ * renegotiation can confuse things even more.] */
goto ssl2_read_again; /* This should really be
- * "return ssl2_read(s,buf,len)",
- * but that would allow for
- * denial-of-service attacks if a
- * C compiler is used that does not
- * recognize end-recursion. */
-#else
- /* If a 0 byte packet was sent, return 0, otherwise
- * we play havoc with people using select with
- * blocking sockets. Let them handle a packet at a time,
- * they should really be using non-blocking sockets. */
- if (s->s2->ract_data_length == 0)
- return(0);
- return(ssl2_read(s,buf,len));
-#endif
+ * "return ssl2_read(s,buf,len)",
+ * but that would allow for
+ * denial-of-service attacks if a
+ * C compiler is used that does not
+ * recognize end-recursion. */
}
else
{
- SSLerr(SSL_F_SSL2_READ,SSL_R_BAD_STATE);
+ SSLerr(SSL_F_SSL2_READ_INTERNAL,SSL_R_BAD_STATE);
return(-1);
}
}
+int ssl2_read(SSL *s, void *buf, int len)
+ {
+ return ssl2_read_internal(s, buf, len, 0);
+ }
+
+int ssl2_peek(SSL *s, char *buf, int len)
+ {
+ return ssl2_read_internal(s, buf, len, 1);
+ }
+
static int read_n(SSL *s, unsigned int n, unsigned int max,
unsigned int extend)
{
@@ -483,6 +535,9 @@ static int do_ssl_write(SSL *s, const unsigned char *buf, unsigned int len)
{
bs=EVP_CIPHER_CTX_block_size(s->enc_read_ctx);
j=len+mac_size;
+ /* Two-byte headers allow for a larger record length than
+ * three-byte headers, but we can't use them if we need
+ * padding or if we have to set the escape bit. */
if ((j > SSL2_MAX_RECORD_LENGTH_3_BYTE_HEADER) &&
(!s->s2->escape))
{
@@ -498,25 +553,39 @@ static int do_ssl_write(SSL *s, const unsigned char *buf, unsigned int len)
}
else if ((bs <= 1) && (!s->s2->escape))
{
- /* len=len; */
+ /* j <= SSL2_MAX_RECORD_LENGTH_3_BYTE_HEADER, thus
+ * j < SSL2_MAX_RECORD_LENGTH_2_BYTE_HEADER */
s->s2->three_byte_header=0;
p=0;
}
- else /* 3 byte header */
+ else /* we may have to use a 3 byte header */
{
- /*len=len; */
+ /* If s->s2->escape is not set, then
+ * j <= SSL2_MAX_RECORD_LENGTH_3_BYTE_HEADER, and thus
+ * j < SSL2_MAX_RECORD_LENGTH_2_BYTE_HEADER. */
p=(j%bs);
p=(p == 0)?0:(bs-p);
if (s->s2->escape)
+ {
s->s2->three_byte_header=1;
+ if (j > SSL2_MAX_RECORD_LENGTH_3_BYTE_HEADER)
+ j=SSL2_MAX_RECORD_LENGTH_3_BYTE_HEADER;
+ }
else
s->s2->three_byte_header=(p == 0)?0:1;
}
}
+
+ /* Now
+ * j <= SSL2_MAX_RECORD_LENGTH_2_BYTE_HEADER
+ * holds, and if s->s2->three_byte_header is set, then even
+ * j <= SSL2_MAX_RECORD_LENGTH_3_BYTE_HEADER.
+ */
+
/* mac_size is the number of MAC bytes
* len is the number of data bytes we are going to send
* p is the number of padding bytes
- * if p == 0, it is a 2 byte header */
+ * (if it is a two-byte header, then p == 0) */
s->s2->wlength=len;
s->s2->padding=p;
diff --git a/crypto/openssl/ssl/s3_both.c b/crypto/openssl/ssl/s3_both.c
index d92c164b0fa9..10d8d3b15afc 100644
--- a/crypto/openssl/ssl/s3_both.c
+++ b/crypto/openssl/ssl/s3_both.c
@@ -365,7 +365,7 @@ long ssl3_get_message(SSL *s, int st1, int stn, int mt, long max, int *ok)
while (s->init_num < 4)
{
i=ssl3_read_bytes(s,SSL3_RT_HANDSHAKE,&p[s->init_num],
- 4 - s->init_num);
+ 4 - s->init_num, 0);
if (i <= 0)
{
s->rwstate=SSL_READING;
@@ -434,7 +434,7 @@ long ssl3_get_message(SSL *s, int st1, int stn, int mt, long max, int *ok)
n=s->s3->tmp.message_size;
while (n > 0)
{
- i=ssl3_read_bytes(s,SSL3_RT_HANDSHAKE,&p[s->init_num],n);
+ i=ssl3_read_bytes(s,SSL3_RT_HANDSHAKE,&p[s->init_num],n,0);
if (i <= 0)
{
s->rwstate=SSL_READING;
diff --git a/crypto/openssl/ssl/s3_clnt.c b/crypto/openssl/ssl/s3_clnt.c
index 62040f9f1d01..eec45cfa485d 100644
--- a/crypto/openssl/ssl/s3_clnt.c
+++ b/crypto/openssl/ssl/s3_clnt.c
@@ -815,6 +815,7 @@ static int ssl3_get_server_certificate(SSL *s)
X509_free(s->session->peer);
CRYPTO_add(&x->references,1,CRYPTO_LOCK_X509);
s->session->peer=x;
+ s->session->verify_result = s->verify_result;
x=NULL;
ret=1;
diff --git a/crypto/openssl/ssl/s3_lib.c b/crypto/openssl/ssl/s3_lib.c
index cee2021b6b0c..c170ceb97dd0 100644
--- a/crypto/openssl/ssl/s3_lib.c
+++ b/crypto/openssl/ssl/s3_lib.c
@@ -55,6 +55,59 @@
* copied and put under another distribution licence
* [including the GNU Public Licence.]
*/
+/* ====================================================================
+ * Copyright (c) 1998-2000 The OpenSSL Project. All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in
+ * the documentation and/or other materials provided with the
+ * distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ * software must display the following acknowledgment:
+ * "This product includes software developed by the OpenSSL Project
+ * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ * endorse or promote products derived from this software without
+ * prior written permission. For written permission, please contact
+ * openssl-core@openssl.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ * nor may "OpenSSL" appear in their names without prior written
+ * permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ * acknowledgment:
+ * "This product includes software developed by the OpenSSL Project
+ * for use in the OpenSSL Toolkit (http://www.openssl.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com). This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
#include <stdio.h>
#include <openssl/md5.h>
@@ -638,10 +691,9 @@ SSL_CIPHER *ssl3_get_cipher(unsigned int u)
return(NULL);
}
-/* The problem is that it may not be the correct record type */
int ssl3_pending(SSL *s)
{
- return(s->s3->rrec.length);
+ return (s->s3->rrec.type == SSL3_RT_APPLICATION_DATA) ? s->s3->rrec.length : 0;
}
int ssl3_new(SSL *s)
@@ -1189,7 +1241,7 @@ int ssl3_shutdown(SSL *s)
else if (!(s->shutdown & SSL_RECEIVED_SHUTDOWN))
{
/* If we are waiting for a close from our peer, we are closed */
- ssl3_read_bytes(s,0,NULL,0);
+ ssl3_read_bytes(s,0,NULL,0,0);
}
if ((s->shutdown == (SSL_SENT_SHUTDOWN|SSL_RECEIVED_SHUTDOWN)) &&
@@ -1252,14 +1304,14 @@ int ssl3_write(SSL *s, const void *buf, int len)
return(ret);
}
-int ssl3_read(SSL *s, void *buf, int len)
+static int ssl3_read_internal(SSL *s, void *buf, int len, int peek)
{
int ret;
clear_sys_error();
if (s->s3->renegotiate) ssl3_renegotiate_check(s);
s->s3->in_read_app_data=1;
- ret=ssl3_read_bytes(s,SSL3_RT_APPLICATION_DATA,buf,len);
+ ret=ssl3_read_bytes(s,SSL3_RT_APPLICATION_DATA,buf,len,peek);
if ((ret == -1) && (s->s3->in_read_app_data == 0))
{
/* ssl3_read_bytes decided to call s->handshake_func, which
@@ -1269,7 +1321,7 @@ int ssl3_read(SSL *s, void *buf, int len)
* by resetting 'in_read_app_data', strangely); so disable
* handshake processing and try to read application data again. */
s->in_handshake++;
- ret=ssl3_read_bytes(s,SSL3_RT_APPLICATION_DATA,buf,len);
+ ret=ssl3_read_bytes(s,SSL3_RT_APPLICATION_DATA,buf,len,peek);
s->in_handshake--;
}
else
@@ -1278,26 +1330,14 @@ int ssl3_read(SSL *s, void *buf, int len)
return(ret);
}
-int ssl3_peek(SSL *s, char *buf, int len)
+int ssl3_read(SSL *s, void *buf, int len)
{
- SSL3_RECORD *rr;
- int n;
-
- rr= &(s->s3->rrec);
- if ((rr->length == 0) || (rr->type != SSL3_RT_APPLICATION_DATA))
- {
- n=ssl3_read(s,buf,1);
- if (n <= 0) return(n);
- rr->length++;
- rr->off--;
- }
+ return ssl3_read_internal(s, buf, len, 0);
+ }
- if ((unsigned int)len > rr->length)
- n=rr->length;
- else
- n=len;
- memcpy(buf,&(rr->data[rr->off]),(unsigned int)n);
- return(n);
+int ssl3_peek(SSL *s, char *buf, int len)
+ {
+ return ssl3_read_internal(s, buf, len, 1);
}
int ssl3_renegotiate(SSL *s)
diff --git a/crypto/openssl/ssl/s3_pkt.c b/crypto/openssl/ssl/s3_pkt.c
index 14140798539d..9ab76604a645 100644
--- a/crypto/openssl/ssl/s3_pkt.c
+++ b/crypto/openssl/ssl/s3_pkt.c
@@ -704,7 +704,7 @@ static int ssl3_write_pending(SSL *s, int type, const unsigned char *buf,
* Application data protocol
* none of our business
*/
-int ssl3_read_bytes(SSL *s, int type, unsigned char *buf, int len)
+int ssl3_read_bytes(SSL *s, int type, unsigned char *buf, int len, int peek)
{
int al,i,j,ret;
unsigned int n;
@@ -715,7 +715,8 @@ int ssl3_read_bytes(SSL *s, int type, unsigned char *buf, int len)
if (!ssl3_setup_buffers(s))
return(-1);
- if ((type != SSL3_RT_APPLICATION_DATA) && (type != SSL3_RT_HANDSHAKE) && type)
+ if ((type && (type != SSL3_RT_APPLICATION_DATA) && (type != SSL3_RT_HANDSHAKE) && type) ||
+ (peek && (type != SSL3_RT_APPLICATION_DATA)))
{
SSLerr(SSL_F_SSL3_READ_BYTES, SSL_R_INTERNAL_ERROR);
return -1;
@@ -728,6 +729,7 @@ int ssl3_read_bytes(SSL *s, int type, unsigned char *buf, int len)
unsigned char *dst = buf;
unsigned int k;
+ /* peek == 0 */
n = 0;
while ((len > 0) && (s->s3->handshake_fragment_len > 0))
{
@@ -763,7 +765,7 @@ start:
* s->s3->rrec.length, - number of bytes. */
rr = &(s->s3->rrec);
- /* get new packet */
+ /* get new packet if necessary */
if ((rr->length == 0) || (s->rstate == SSL_ST_READ_BODY))
{
ret=ssl3_get_record(s);
@@ -781,7 +783,8 @@ start:
goto err;
}
- /* If the other end has shutdown, throw anything we read away */
+ /* If the other end has shut down, throw anything we read away
+ * (even in 'peek' mode) */
if (s->shutdown & SSL_RECEIVED_SHUTDOWN)
{
rr->length=0;
@@ -810,12 +813,15 @@ start:
n = (unsigned int)len;
memcpy(buf,&(rr->data[rr->off]),n);
- rr->length-=n;
- rr->off+=n;
- if (rr->length == 0)
+ if (!peek)
{
- s->rstate=SSL_ST_READ_HEADER;
- rr->off=0;
+ rr->length-=n;
+ rr->off+=n;
+ if (rr->length == 0)
+ {
+ s->rstate=SSL_ST_READ_HEADER;
+ rr->off=0;
+ }
}
return(n);
}
diff --git a/crypto/openssl/ssl/s3_srvr.c b/crypto/openssl/ssl/s3_srvr.c
index bb8cfb31e55a..d04232960e30 100644
--- a/crypto/openssl/ssl/s3_srvr.c
+++ b/crypto/openssl/ssl/s3_srvr.c
@@ -1414,6 +1414,7 @@ static int ssl3_get_client_key_exchange(SSL *s)
s->session->master_key_length=
s->method->ssl3_enc->generate_master_secret(s,
s->session->master_key,p,i);
+ memset(p,0,i);
}
else
#endif
diff --git a/crypto/openssl/ssl/ssl.h b/crypto/openssl/ssl/ssl.h
index fdbdc70ba72f..fad7a0e70b36 100644
--- a/crypto/openssl/ssl/ssl.h
+++ b/crypto/openssl/ssl/ssl.h
@@ -1178,7 +1178,7 @@ int SSL_get_ex_data_X509_STORE_CTX_idx(void );
#define SSL_CTX_get_read_ahead(ctx) \
SSL_CTX_ctrl(ctx,SSL_CTRL_GET_READ_AHEAD,0,NULL)
#define SSL_CTX_set_read_ahead(ctx,m) \
- SSL_CTX_ctrl(ctx,SSL_CTRL_SET_READ_AHEAD,0,NULL)
+ SSL_CTX_ctrl(ctx,SSL_CTRL_SET_READ_AHEAD,m,NULL)
/* NB: the keylength is only applicable when is_export is true */
#ifndef NO_RSA
@@ -1238,7 +1238,9 @@ int SSL_COMP_add_compression_method(int id,char *cm);
#define SSL_F_SSL2_ACCEPT 122
#define SSL_F_SSL2_CONNECT 123
#define SSL_F_SSL2_ENC_INIT 124
+#define SSL_F_SSL2_PEEK 234
#define SSL_F_SSL2_READ 125
+#define SSL_F_SSL2_READ_INTERNAL 236
#define SSL_F_SSL2_SET_CERTIFICATE 126
#define SSL_F_SSL2_WRITE 127
#define SSL_F_SSL3_ACCEPT 128
@@ -1263,6 +1265,7 @@ int SSL_COMP_add_compression_method(int id,char *cm);
#define SSL_F_SSL3_GET_SERVER_DONE 145
#define SSL_F_SSL3_GET_SERVER_HELLO 146
#define SSL_F_SSL3_OUTPUT_CERT_CHAIN 147
+#define SSL_F_SSL3_PEEK 235
#define SSL_F_SSL3_READ_BYTES 148
#define SSL_F_SSL3_READ_N 149
#define SSL_F_SSL3_SEND_CERTIFICATE_REQUEST 150
diff --git a/crypto/openssl/ssl/ssl2.h b/crypto/openssl/ssl/ssl2.h
index df7d03c18f70..f8b56afb6b20 100644
--- a/crypto/openssl/ssl/ssl2.h
+++ b/crypto/openssl/ssl/ssl2.h
@@ -134,11 +134,11 @@ extern "C" {
/* Upper/Lower Bounds */
#define SSL2_MAX_MASTER_KEY_LENGTH_IN_BITS 256
#ifdef MPE
-#define SSL2_MAX_RECORD_LENGTH_2_BYTE_HEADER (unsigned int)29998
+#define SSL2_MAX_RECORD_LENGTH_2_BYTE_HEADER 29998u
#else
-#define SSL2_MAX_RECORD_LENGTH_2_BYTE_HEADER (unsigned int)32767
+#define SSL2_MAX_RECORD_LENGTH_2_BYTE_HEADER 32767u /* 2^15-1 */
#endif
-#define SSL2_MAX_RECORD_LENGTH_3_BYTE_HEADER 16383 /**/
+#define SSL2_MAX_RECORD_LENGTH_3_BYTE_HEADER 16383 /* 2^14-1 */
#define SSL2_CHALLENGE_LENGTH 16
/*#define SSL2_CHALLENGE_LENGTH 32 */
diff --git a/crypto/openssl/ssl/ssl_algs.c b/crypto/openssl/ssl/ssl_algs.c
index a91ee6d22e45..dde8918fe0e3 100644
--- a/crypto/openssl/ssl/ssl_algs.c
+++ b/crypto/openssl/ssl/ssl_algs.c
@@ -88,9 +88,13 @@ int SSL_library_init(void)
#ifndef NO_SHA
EVP_add_digest(EVP_sha1()); /* RSA with sha1 */
EVP_add_digest_alias(SN_sha1,"ssl3-sha1");
+ EVP_add_digest_alias(SN_sha1WithRSAEncryption,SN_sha1WithRSA);
#endif
#if !defined(NO_SHA) && !defined(NO_DSA)
EVP_add_digest(EVP_dss1()); /* DSA with sha1 */
+ EVP_add_digest_alias(SN_dsaWithSHA1,SN_dsaWithSHA1_2);
+ EVP_add_digest_alias(SN_dsaWithSHA1,"DSS1");
+ EVP_add_digest_alias(SN_dsaWithSHA1,"dss1");
#endif
/* If you want support for phased out ciphers, add the following */
diff --git a/crypto/openssl/ssl/ssl_err.c b/crypto/openssl/ssl/ssl_err.c
index 17b4caf528a9..9945758104b5 100644
--- a/crypto/openssl/ssl/ssl_err.c
+++ b/crypto/openssl/ssl/ssl_err.c
@@ -91,7 +91,9 @@ static ERR_STRING_DATA SSL_str_functs[]=
{ERR_PACK(0,SSL_F_SSL2_ACCEPT,0), "SSL2_ACCEPT"},
{ERR_PACK(0,SSL_F_SSL2_CONNECT,0), "SSL2_CONNECT"},
{ERR_PACK(0,SSL_F_SSL2_ENC_INIT,0), "SSL2_ENC_INIT"},
+{ERR_PACK(0,SSL_F_SSL2_PEEK,0), "SSL2_PEEK"},
{ERR_PACK(0,SSL_F_SSL2_READ,0), "SSL2_READ"},
+{ERR_PACK(0,SSL_F_SSL2_READ_INTERNAL,0), "SSL2_READ_INTERNAL"},
{ERR_PACK(0,SSL_F_SSL2_SET_CERTIFICATE,0), "SSL2_SET_CERTIFICATE"},
{ERR_PACK(0,SSL_F_SSL2_WRITE,0), "SSL2_WRITE"},
{ERR_PACK(0,SSL_F_SSL3_ACCEPT,0), "SSL3_ACCEPT"},
@@ -116,6 +118,7 @@ static ERR_STRING_DATA SSL_str_functs[]=
{ERR_PACK(0,SSL_F_SSL3_GET_SERVER_DONE,0), "SSL3_GET_SERVER_DONE"},
{ERR_PACK(0,SSL_F_SSL3_GET_SERVER_HELLO,0), "SSL3_GET_SERVER_HELLO"},
{ERR_PACK(0,SSL_F_SSL3_OUTPUT_CERT_CHAIN,0), "SSL3_OUTPUT_CERT_CHAIN"},
+{ERR_PACK(0,SSL_F_SSL3_PEEK,0), "SSL3_PEEK"},
{ERR_PACK(0,SSL_F_SSL3_READ_BYTES,0), "SSL3_READ_BYTES"},
{ERR_PACK(0,SSL_F_SSL3_READ_N,0), "SSL3_READ_N"},
{ERR_PACK(0,SSL_F_SSL3_SEND_CERTIFICATE_REQUEST,0), "SSL3_SEND_CERTIFICATE_REQUEST"},
diff --git a/crypto/openssl/ssl/ssl_lib.c b/crypto/openssl/ssl/ssl_lib.c
index 635b25062e8b..fec98dd8f43d 100644
--- a/crypto/openssl/ssl/ssl_lib.c
+++ b/crypto/openssl/ssl/ssl_lib.c
@@ -119,7 +119,9 @@ int SSL_clear(SSL *s)
s->client_version=s->version;
s->rwstate=SSL_NOTHING;
s->rstate=SSL_ST_READ_HEADER;
+#if 0
s->read_ahead=s->ctx->read_ahead;
+#endif
if (s->init_buf != NULL)
{
@@ -229,6 +231,7 @@ SSL *SSL_new(SSL_CTX *ctx)
s->server=(ctx->method->ssl_accept == ssl_undefined_function)?0:1;
s->options=ctx->options;
s->mode=ctx->mode;
+ s->read_ahead=ctx->read_ahead; /* used to happen in SSL_clear */
SSL_clear(s);
CRYPTO_new_ex_data(ssl_meth,s,&s->ex_data);
diff --git a/crypto/openssl/ssl/ssl_locl.h b/crypto/openssl/ssl/ssl_locl.h
index d70fff4627d6..bc9c69914331 100644
--- a/crypto/openssl/ssl/ssl_locl.h
+++ b/crypto/openssl/ssl/ssl_locl.h
@@ -55,6 +55,59 @@
* copied and put under another distribution licence
* [including the GNU Public Licence.]
*/
+/* ====================================================================
+ * Copyright (c) 1998-2000 The OpenSSL Project. All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in
+ * the documentation and/or other materials provided with the
+ * distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ * software must display the following acknowledgment:
+ * "This product includes software developed by the OpenSSL Project
+ * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ * endorse or promote products derived from this software without
+ * prior written permission. For written permission, please contact
+ * openssl-core@openssl.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ * nor may "OpenSSL" appear in their names without prior written
+ * permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ * acknowledgment:
+ * "This product includes software developed by the OpenSSL Project
+ * for use in the OpenSSL Toolkit (http://www.openssl.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com). This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
#ifndef HEADER_SSL_LOCL_H
#define HEADER_SSL_LOCL_H
@@ -494,7 +547,7 @@ SSL_CIPHER *ssl3_get_cipher(unsigned int u);
int ssl3_renegotiate(SSL *ssl);
int ssl3_renegotiate_check(SSL *ssl);
int ssl3_dispatch_alert(SSL *s);
-int ssl3_read_bytes(SSL *s, int type, unsigned char *buf, int len);
+int ssl3_read_bytes(SSL *s, int type, unsigned char *buf, int len, int peek);
int ssl3_write_bytes(SSL *s, int type, const void *buf, int len);
int ssl3_final_finish_mac(SSL *s, EVP_MD_CTX *ctx1, EVP_MD_CTX *ctx2,
const char *sender, int slen,unsigned char *p);
diff --git a/crypto/openssl/ssl/ssl_sess.c b/crypto/openssl/ssl/ssl_sess.c
index 416def8908e8..7064262def86 100644
--- a/crypto/openssl/ssl/ssl_sess.c
+++ b/crypto/openssl/ssl/ssl_sess.c
@@ -508,6 +508,7 @@ int SSL_set_session(SSL *s, SSL_SESSION *session)
if (s->session != NULL)
SSL_SESSION_free(s->session);
s->session=session;
+ s->verify_result = s->session->verify_result;
/* CRYPTO_w_unlock(CRYPTO_LOCK_SSL);*/
ret=1;
}
diff --git a/crypto/openssl/test/Makefile.ssl b/crypto/openssl/test/Makefile.ssl
index 480e4bc807cf..8b353795cdf8 100644
--- a/crypto/openssl/test/Makefile.ssl
+++ b/crypto/openssl/test/Makefile.ssl
@@ -191,7 +191,7 @@ test_bn:
@./$(BNTEST) >tmp.bntest
@echo quit >>tmp.bntest
@echo "running bc"
- @bc tmp.bntest 2>&1 | $(PERL) -e 'while (<STDIN>) {if (/^test (.*)/) {print STDERR "\nverify $$1";} elsif (!/^0$$/) {die "\nFailed! bc: $$_";} print STDERR "."; $$i++;} print STDERR "\n$$i tests passed\n"'
+ @<tmp.bntest sh -c "`sh ./bctest`" | $(PERL) -e '$$i=0; while (<STDIN>) {if (/^test (.*)/) {print STDERR "\nverify $$1";} elsif (!/^0$$/) {die "\nFailed! bc: $$_";} else {print STDERR "."; $$i++;}} print STDERR "\n$$i tests passed\n"'
@echo 'test a^b%c implementations'
./$(EXPTEST)
diff --git a/crypto/openssl/test/bctest b/crypto/openssl/test/bctest
new file mode 100755
index 000000000000..6fa0663bb008
--- /dev/null
+++ b/crypto/openssl/test/bctest
@@ -0,0 +1,84 @@
+#!/bin/sh
+
+# This script is used by test/Makefile.ssl to check whether a sane 'bc'
+# is installed.
+# ('make test_bn' should not try to run 'bc' if it does not exist or if
+# it is a broken 'bc' version that is known to cause trouble.)
+#
+# If 'bc' works, we also test if it knows the 'print' command.
+#
+# In any case, output an appropriate command line for running (or not
+# running) bc.
+
+
+# Test for SunOS 5.[78] bc bug (or missing bc)
+if [ 0 != "`bc <<\EOF
+obase=16
+ibase=16
+a=AD88C418F31B3FC712D0425001D522B3AE9134FF3A98C13C1FCC1682211195406C1A6C66C6A\
+CEEC1A0EC16950233F77F1C2F2363D56DD71A36C57E0B2511FC4BA8F22D261FE2E9356D99AF57\
+10F3817C0E05BF79C423C3F66FDF321BE8D3F18F625D91B670931C1EF25F28E489BDA1C5422D1\
+C3F6F7A1AD21585746ECC4F10A14A778AF56F08898E965E9909E965E0CB6F85B514150C644759\
+3BE731877B16EA07B552088FF2EA728AC5E0FF3A23EB939304519AB8B60F2C33D6BA0945B66F0\
+4FC3CADF855448B24A9D7640BCF473E
+b=DCE91E7D120B983EA9A104B5A96D634DD644C37657B1C7860B45E6838999B3DCE5A555583C6\
+9209E41F413422954175A06E67FFEF6746DD652F0F48AEFECC3D8CAC13523BDAAD3F5AF4212BD\
+8B3CD64126E1A82E190228020C05B91C8B141F1110086FC2A4C6ED631EBA129D04BB9A19FC53D\
+3ED0E2017D60A68775B75481449
+(a/b)*b + (a%b) - a
+EOF`" ]
+then
+ echo "bc does not work. Consider installing GNU bc." >&2
+ echo "cat >/dev/null"
+ exit 1
+fi
+
+
+# Test for SCO bc bug.
+if [ "0
+0" != "`bc <<\EOF
+obase=16
+ibase=16
+-FFDD63BA1A4648F0D804F8A1C66C53F0D2110590E8A3907EC73B4AEC6F15AC177F176F2274D2\
+9DC8022EA0D7DD3ABE9746D2D46DD3EA5B5F6F69DF12877E0AC5E7F5ADFACEE54573F5D256A06\
+11B5D2BC24947724E22AE4EC3FB0C39D9B4694A01AFE5E43B4D99FB9812A0E4A5773D8B254117\
+1239157EC6E3D8D50199 * -FFDD63BA1A4648F0D804F8A1C66C53F0D2110590E8A3907EC73B4\
+AEC6F15AC177F176F2274D29DC8022EA0D7DD3ABE9746D2D46DD3EA5B5F6F69DF12877E0AC5E7\
+F5ADFACEE54573F5D256A0611B5D2BC24947724E22AE4EC3FB0C39D9B4694A01AFE5E43B4D99F\
+B9812A0E4A5773D8B2541171239157EC6E3D8D50199 - FFBACC221682DA464B6D7F123482522\
+02EDAEDCA38C3B69E9B7BBCD6165A9CD8716C4903417F23C09A85B851961F92C217258CEEB866\
+85EFCC5DD131853A02C07A873B8E2AF2E40C6D5ED598CD0E8F35AD49F3C3A17FDB7653E4E2DC4\
+A8D23CC34686EE4AD01F7407A7CD74429AC6D36DBF0CB6A3E302D0E5BDFCD048A3B90C1BE5AA8\
+E16C3D5884F9136B43FF7BB443764153D4AEC176C681B078F4CC53D6EB6AB76285537DDEE7C18\
+8C72441B52EDBDDBC77E02D34E513F2AABF92F44109CAFE8242BD0ECBAC5604A94B02EA44D43C\
+04E9476E6FBC48043916BFA1485C6093603600273C9C33F13114D78064AE42F3DC466C7DA543D\
+89C8D71
+AD534AFBED2FA39EE9F40E20FCF9E2C861024DB98DDCBA1CD118C49CA55EEBC20D6BA51B2271C\
+928B693D6A73F67FEB1B4571448588B46194617D25D910C6A9A130CC963155CF34079CB218A44\
+8A1F57E276D92A33386DDCA3D241DB78C8974ABD71DD05B0FA555709C9910D745185E6FE108E3\
+37F1907D0C56F8BFBF52B9704 % -E557905B56B13441574CAFCE2BD257A750B1A8B2C88D0E36\
+E18EF7C38DAC80D3948E17ED63AFF3B3467866E3B89D09A81B3D16B52F6A3C7134D3C6F5123E9\
+F617E3145BBFBE9AFD0D6E437EA4FF6F04BC67C4F1458B4F0F47B64 - 1C2BBBB19B74E86FD32\
+9E8DB6A8C3B1B9986D57ED5419C2E855F7D5469E35E76334BB42F4C43E3F3A31B9697C171DAC4\
+D97935A7E1A14AD209D6CF811F55C6DB83AA9E6DFECFCD6669DED7171EE22A40C6181615CAF3F\
+5296964
+EOF`" ]
+then
+ echo "bc does not work. Consider installing GNU bc." >&2
+ echo "cat >/dev/null"
+ exit 1
+fi
+
+
+# bc works, good.
+# Now check if it knows the 'print' command.
+if [ "OK" = "`bc 2>/dev/null <<\EOF
+print \"OK\"
+EOF`" ]
+then
+ echo "bc"
+else
+ echo "sed 's/print.*//' | bc"
+fi
+
+exit 0
diff --git a/crypto/openssl/util/libeay.num b/crypto/openssl/util/libeay.num
index 3a72228d6acb..9f0f5988601a 100755
--- a/crypto/openssl/util/libeay.num
+++ b/crypto/openssl/util/libeay.num
@@ -301,8 +301,8 @@ EVP_des_ede_cfb 308 EXIST::FUNCTION:DES
EVP_des_ede_ofb 309 EXIST::FUNCTION:DES
EVP_des_ofb 310 EXIST::FUNCTION:DES
EVP_desx_cbc 311 EXIST::FUNCTION:DES
-EVP_dss 312 EXIST::FUNCTION:DSA
-EVP_dss1 313 EXIST::FUNCTION:DSA
+EVP_dss 312 EXIST::FUNCTION:DSA,SHA
+EVP_dss1 313 EXIST::FUNCTION:DSA,SHA
EVP_enc_null 314 EXIST::FUNCTION:
EVP_get_cipherbyname 315 EXIST::FUNCTION:
EVP_get_digestbyname 316 EXIST::FUNCTION:
@@ -926,7 +926,7 @@ PKCS7_add_signature 938 EXIST::FUNCTION:
PKCS7_cert_from_signer_info 939 EXIST::FUNCTION:
PKCS7_get_signer_info 940 EXIST::FUNCTION:
EVP_delete_alias 941 NOEXIST::FUNCTION:
-EVP_mdc2 942 EXIST::FUNCTION:
+EVP_mdc2 942 EXIST::FUNCTION:MDC2
PEM_read_bio_RSAPublicKey 943 EXIST::FUNCTION:RSA
PEM_write_bio_RSAPublicKey 944 EXIST::FUNCTION:RSA
d2i_RSAPublicKey_bio 945 EXIST::FUNCTION:RSA
diff --git a/crypto/openssl/util/mkdef.pl b/crypto/openssl/util/mkdef.pl
index 0ac793555c12..8ec1d07989a9 100755
--- a/crypto/openssl/util/mkdef.pl
+++ b/crypto/openssl/util/mkdef.pl
@@ -119,7 +119,7 @@ foreach (@ARGV, split(/ /, $options))
elsif (/^no-rc4$/) { $no_rc4=1; }
elsif (/^no-rc5$/) { $no_rc5=1; }
elsif (/^no-idea$/) { $no_idea=1; }
- elsif (/^no-des$/) { $no_des=1; }
+ elsif (/^no-des$/) { $no_des=1; $no_mdc2=1; }
elsif (/^no-bf$/) { $no_bf=1; }
elsif (/^no-cast$/) { $no_cast=1; }
elsif (/^no-md2$/) { $no_md2=1; }
@@ -704,7 +704,8 @@ EOF
} else {
(my $n, my $i) = split /\\/, $nums{$s};
my %pf = ();
- my @p = split(/,/, ($i =~ /^.*?:(.*?):/,$1));
+ my @p = split(/,/, ($i =~ /^[^:]*:([^:]*):/,$1));
+ my @a = split(/,/, ($i =~ /^[^:]*:[^:]*:[^:]*:([^:]*)/,$1));
# @p_purged must contain hardware platforms only
my @p_purged = ();
foreach $ptmp (@p) {
@@ -726,7 +727,26 @@ EOF
|| (!$negatives
&& ($rsaref || !grep(/^RSAREF$/,@p)))
|| ($negatives
- && (!$rsaref || !grep(/^!RSAREF$/,@p))))) {
+ && (!$rsaref || !grep(/^!RSAREF$/,@p))))
+ && (!@a || (!$no_rc2 || !grep(/^RC2$/,@a)))
+ && (!@a || (!$no_rc4 || !grep(/^RC4$/,@a)))
+ && (!@a || (!$no_rc5 || !grep(/^RC5$/,@a)))
+ && (!@a || (!$no_idea || !grep(/^IDEA$/,@a)))
+ && (!@a || (!$no_des || !grep(/^DES$/,@a)))
+ && (!@a || (!$no_bf || !grep(/^BF$/,@a)))
+ && (!@a || (!$no_cast || !grep(/^CAST$/,@a)))
+ && (!@a || (!$no_md2 || !grep(/^MD2$/,@a)))
+ && (!@a || (!$no_md4 || !grep(/^MD4$/,@a)))
+ && (!@a || (!$no_md5 || !grep(/^MD5$/,@a)))
+ && (!@a || (!$no_sha || !grep(/^SHA$/,@a)))
+ && (!@a || (!$no_ripemd || !grep(/^RIPEMD$/,@a)))
+ && (!@a || (!$no_mdc2 || !grep(/^MDC2$/,@a)))
+ && (!@a || (!$no_rsa || !grep(/^RSA$/,@a)))
+ && (!@a || (!$no_dsa || !grep(/^DSA$/,@a)))
+ && (!@a || (!$no_dh || !grep(/^DH$/,@a)))
+ && (!@a || (!$no_hmac || !grep(/^HMAC$/,@a)))
+ && (!@a || (!$no_fp_api || !grep(/^FP_API$/,@a)))
+ ) {
printf OUT " %s%-40s@%d\n",($W32)?"":"_",$s,$n;
# } else {
# print STDERR "DEBUG: \"$sym\" (@p):",