Merge in changes from the 0.9.6-stable branch.

2001-05-02 09:09:04 +00:00 · 2001-05-02 09:09:04 +00:00 · 6ef9d8328b
commit 6ef9d8328b
parent 5a9c441c6e
21 changed files with 157 additions and 69 deletions
--- a/19
+++ b/19
@ -2,6 +2,25 @@
 OpenSSL CHANGES
 _______________
 Changes between 0.9.6a and 0.9.6b  [XX xxx XXXX]
  *) Move 'if (!initialized) RAND_poll()' into regions protected by
     CRYPTO_LOCK_RAND.  This is not strictly necessary, but avoids
     having multiple threads call RAND_poll() concurrently.
     [Bodo Moeller]
  *) In crypto/rand/md_rand.c, replace 'add_do_not_lock' flag by a
     combination of a flag and a thread ID variable.
     Otherwise while one thread is in ssleay_rand_bytes (which sets the
     flag), *other* threads can enter ssleay_add_bytes without obeying
     the CRYPTO_LOCK_RAND lock (and may even illegaly release the lock
     that they do not hold after the first thread unsets add_do_not_lock).
     [Bodo Moeller]
  *) Change bctest again: '-x' expressions are not available in all
     versions of 'test'.
     [Bodo Moeller]
 Changes between 0.9.6 and 0.9.6a  [5 Apr 2001]
  *) Fix a couple of memory leaks in PKCS7_dataDecode()
--- a/8
+++ b/8
@ -47,6 +47,7 @@ OpenSSL  -  Frequently Asked Questions
 * Why do I get errors about unknown algorithms?
 * Why can't the OpenSSH configure script detect OpenSSL?
 * Can I use OpenSSL's SSL library with non-blocking I/O?
 * Why doesn't my server application receive a client certificate?
 ===============================================================================
@ -543,5 +544,12 @@ requiring a bi-directional message exchange; both SSL_read() and
 SSL_write() will try to continue any pending handshake.
 * Why doesn't my server application receive a client certificate?
 Due to the TLS protocol definition, a client will only send a certificate,
 if explicitely asked by the server. Use the SSL_VERIFY_PEER flag of the
 SSL_CTX_set_verify() function to enable the use of client certificates.
 ===============================================================================
--- a/Makefile.org
+++ b/Makefile.org
@ -474,19 +474,19 @@ install_docs:
 		$(INSTALL_PREFIX)$(MANDIR)/man3 \
 		$(INSTALL_PREFIX)$(MANDIR)/man5 \
 		$(INSTALL_PREFIX)$(MANDIR)/man7
 	@echo installing man 1 and man 5
 	@for i in doc/apps/*.pod; do \
 		fn=`basename $$i .pod`; \
-		sec=`[ "$$fn" = "config" ] && echo 5 || echo 1`; \
+		if [ "$$fn" = "config" ]; then sec=5; else sec=1; fi; \
 		echo "installing man$$sec/`basename $$i .pod`.$$sec"; \
 		(cd `dirname $$i`; \
 		$(PERL) ../../util/pod2man.pl --section=$$sec --center=OpenSSL \
 			 --release=$(VERSION) `basename $$i`) \
 			>  $(INSTALL_PREFIX)$(MANDIR)/man$$sec/`basename $$i .pod`.$$sec; \
 	done
 	@echo installing man 3 and man 7
 	@for i in doc/crypto/*.pod doc/ssl/*.pod; do \
 		fn=`basename $$i .pod`; \
-		sec=`[ "$$fn" = "des_modes" ] && echo 7 || echo 3`; \
+		if [ "$$fn" = "des_modes" ]; then sec=7; else sec=3; fi; \
 		echo "installing man$$sec/`basename $$i .pod`.$$sec"; \
 		(cd `dirname $$i`; \
 		$(PERL) ../../util/pod2man.pl --section=$$sec --center=OpenSSL \
 			--release=$(VERSION) `basename $$i`) \
--- a/2
+++ b/2
@ -1,5 +1,5 @@
- OpenSSL 0.9.6a [engine] 5 Apr 2001
+ OpenSSL 0.9.6b-dev [engine] XX xxx XXXX
 Copyright (c) 1998-2000 The OpenSSL Project
 Copyright (c) 1995-1998 Eric A. Young, Tim J. Hudson
--- a/apps/dgst.c
+++ b/apps/dgst.c
@ -74,7 +74,7 @@
 #undef PROG
 #define PROG	dgst_main
-void do_fp(BIO *out, unsigned char *buf, BIO *bp, int sep, char binout,
+void do_fp(BIO *out, unsigned char *buf, BIO *bp, int sep, int binout,
 		EVP_PKEY *key, unsigned char *sigin, int siglen);
 int MAIN(int, char **);
@ -95,7 +95,7 @@ int MAIN(int argc, char **argv)
 	int debug=0;
 	const char *outfile = NULL, *keyfile = NULL;
 	const char *sigfile = NULL, *randfile = NULL;
-	char out_bin = -1, want_pub = 0, do_verify = 0;
+	int out_bin = -1, want_pub = 0, do_verify = 0;
 	EVP_PKEY *sigkey = NULL;
 	unsigned char *sigbuf = NULL;
 	int siglen = 0;
@ -365,7 +365,7 @@ end:
 	EXIT(err);
 	}
-void do_fp(BIO *out, unsigned char *buf, BIO *bp, int sep, char binout,
+void do_fp(BIO *out, unsigned char *buf, BIO *bp, int sep, int binout,
 			EVP_PKEY *key, unsigned char *sigin, int siglen)
 	{
 	int len;
--- a/apps/smime.c
+++ b/apps/smime.c
@ -299,6 +299,7 @@ int MAIN(int argc, char **argv)
 		BIO_printf (bio_err, "-CApath dir    trusted certificates directory\n");
 		BIO_printf (bio_err, "-CAfile file   trusted certificates file\n");
 		BIO_printf (bio_err, "-engine e      use engine e, possibly a hardware device.\n");
 		BIO_printf (bio_err, "-passin arg    input file pass phrase source\n");
 		BIO_printf(bio_err,  "-rand file%cfile%c...\n", LIST_SEPARATOR_CHAR, LIST_SEPARATOR_CHAR);
 		BIO_printf(bio_err,  "               load the file (or the files in the directory) into\n");
 		BIO_printf(bio_err,  "               the random number generator\n");
--- a/apps/speed.c
+++ b/apps/speed.c
@ -83,12 +83,12 @@
 #include <openssl/err.h>
 #include <openssl/engine.h>
-#if defined(__FreeBSD__)
+#if defined(__FreeBSD__) || defined(__NetBSD__) || defined(__OpenBSD__)
 # define USE_TOD
 #elif !defined(MSDOS) && (!defined(VMS) || defined(__DECC))
 # define TIMES
 #endif
-#if !defined(_UNICOS) && !defined(__OpenBSD__) && !defined(sgi) && !defined(__FreeBSD__) && !(defined(__bsdi) || defined(__bsdi__)) && !defined(_AIX) && !defined(MPE)
+#if !defined(_UNICOS) && !defined(__OpenBSD__) && !defined(sgi) && !defined(__FreeBSD__) && !(defined(__bsdi) || defined(__bsdi__)) && !defined(_AIX) && !defined(MPE) && !defined(__NetBSD__)
 # define TIMEB
 #endif
--- a/crypto/bio/b_print.c
+++ b/crypto/bio/b_print.c
@ -109,7 +109,11 @@
 #endif
 #if HAVE_LONG_LONG
-#define LLONG long long
+# if defined(WIN32) && !defined(__GNUC__)
 # define LLONG _int64
 # else
 # define LLONG long long
 # endif
 #else
 #define LLONG long
 #endif
@ -152,7 +156,7 @@ static void _dopr(char **sbuffer, char **buffer,
 /* some handy macros */
 #define char_to_int(p) (p - '0')
-#define MAX(p,q) ((p >= q) ? p : q)
+#define OSSL_MAX(p,q) ((p >= q) ? p : q)
 static void
 _dopr(
@ -503,13 +507,13 @@ fmtint(
    convert[place] = 0;
    zpadlen = max - place;
-    spadlen = min - MAX(max, place) - (signvalue ? 1 : 0);
+    spadlen = min - OSSL_MAX(max, place) - (signvalue ? 1 : 0);
    if (zpadlen < 0)
        zpadlen = 0;
    if (spadlen < 0)
        spadlen = 0;
    if (flags & DP_F_ZERO) {
-        zpadlen = MAX(zpadlen, spadlen);
+        zpadlen = OSSL_MAX(zpadlen, spadlen);
        spadlen = 0;
    }
    if (flags & DP_F_MINUS)
@ -641,7 +645,7 @@ fmtfp(
            (caps ? "0123456789ABCDEF"
              : "0123456789abcdef")[fracpart % 10];
        fracpart = (fracpart / 10);
-    } while (fracpart && (fplace < 20));
+    } while (fplace < max);
    if (fplace == 20)
        fplace--;
    fconvert[fplace] = 0;
--- a/crypto/evp/evp.h
+++ b/crypto/evp/evp.h
@ -554,9 +554,9 @@ int	EVP_read_pw_string(char *buf,int length,const char *prompt,int verify);
 void	EVP_set_pw_prompt(char *prompt);
 char *	EVP_get_pw_prompt(void);
-int	EVP_BytesToKey(const EVP_CIPHER *type,EVP_MD *md,unsigned char *salt,
+int     EVP_BytesToKey(const EVP_CIPHER *type, EVP_MD *md,
-		unsigned char *data, int datal, int count,
+		const unsigned char *salt, const unsigned char *data, int datal,
-		unsigned char *key,unsigned char *iv);
+       		int count, unsigned char *key, unsigned char *iv);
 int	EVP_EncryptInit(EVP_CIPHER_CTX *ctx,const EVP_CIPHER *type,
 		unsigned char *key, unsigned char *iv);
--- a/crypto/evp/evp_key.c
+++ b/crypto/evp/evp_key.c
@ -95,9 +95,9 @@ int EVP_read_pw_string(char *buf, int len, const char *prompt, int verify)
 #endif
 	}
-int EVP_BytesToKey(const EVP_CIPHER *type, EVP_MD *md, unsigned char *salt,
+int EVP_BytesToKey(const EVP_CIPHER *type, EVP_MD *md, 
-	     unsigned char *data, int datal, int count, unsigned char *key,
+             const unsigned char *salt, const unsigned char *data, int datal, 
-	     unsigned char *iv)
+             int count, unsigned char *key, unsigned char *iv)
 	{
 	EVP_MD_CTX c;
 	unsigned char md_buf[EVP_MAX_MD_SIZE];
--- a/crypto/opensslv.h
+++ b/crypto/opensslv.h
@ -25,8 +25,8 @@
 * (Prior to 0.9.5a beta1, a different scheme was used: MMNNFFRBB for
 *  major minor fix final patch/beta)
 */
-#define OPENSSL_VERSION_NUMBER	0x0090601fL
+#define OPENSSL_VERSION_NUMBER	0x00906020L
-#define OPENSSL_VERSION_TEXT	"OpenSSL 0.9.6a [engine] 5 Apr 2001"
+#define OPENSSL_VERSION_TEXT	"OpenSSL 0.9.6b-dev [engine] XX xxx XXXX"
 #define OPENSSL_VERSION_PTEXT	" part of " OPENSSL_VERSION_TEXT
--- a/crypto/rand/md_rand.c
+++ b/crypto/rand/md_rand.c
@ -141,10 +141,11 @@ static long md_count[2]={0,0};
 static double entropy=0;
 static int initialized=0;
-/* This should be set to 1 only when ssleay_rand_add() is called inside
+static unsigned int crypto_lock_rand = 0; /* may be set only when a thread
-   an already locked state, so it doesn't try to lock and thereby cause
+                                           * holds CRYPTO_LOCK_RAND
-   a hang.  And it should always be reset back to 0 before unlocking. */
+                                           * (to prevent double locking) */
-static int add_do_not_lock=0;
+static unsigned long locking_thread = 0; /* valid iff crypto_lock_rand is set */
 #ifdef PREDICT
 int rand_predictable=0;
@ -191,6 +192,7 @@ static void ssleay_rand_add(const void *buf, int num, double add)
 	long md_c[2];
 	unsigned char local_md[MD_DIGEST_LENGTH];
 	MD_CTX m;
 	int do_not_lock;
 	/*
 	 * (Based on the rand(3) manpage)
@ -207,7 +209,10 @@ static void ssleay_rand_add(const void *buf, int num, double add)
         * hash function.
 	 */
-	if (!add_do_not_lock) CRYPTO_w_lock(CRYPTO_LOCK_RAND);
+	/* check if we already have the lock */
 	do_not_lock = crypto_lock_rand && (locking_thread == CRYPTO_thread_id());
 	if (!do_not_lock) CRYPTO_w_lock(CRYPTO_LOCK_RAND);
 	st_idx=state_index;
 	/* use our own copies of the counters so that even
@ -239,7 +244,7 @@ static void ssleay_rand_add(const void *buf, int num, double add)
 	md_count[1] += (num / MD_DIGEST_LENGTH) + (num % MD_DIGEST_LENGTH > 0);
-	if (!add_do_not_lock) CRYPTO_w_unlock(CRYPTO_LOCK_RAND);
+	if (!do_not_lock) CRYPTO_w_unlock(CRYPTO_LOCK_RAND);
 	for (i=0; i<num; i+=MD_DIGEST_LENGTH)
 		{
@ -281,7 +286,7 @@ static void ssleay_rand_add(const void *buf, int num, double add)
 		}
 	memset((char *)&m,0,sizeof(m));
-	if (!add_do_not_lock) CRYPTO_w_lock(CRYPTO_LOCK_RAND);
+	if (!do_not_lock) CRYPTO_w_lock(CRYPTO_LOCK_RAND);
 	/* Don't just copy back local_md into md -- this could mean that
 	 * other thread's seeding remains without effect (except for
 	 * the incremented counter).  By XORing it we keep at least as
@ -292,7 +297,7 @@ static void ssleay_rand_add(const void *buf, int num, double add)
 		}
 	if (entropy < ENTROPY_NEEDED) /* stop counting when we have enough */
 	    entropy += add;
-	if (!add_do_not_lock) CRYPTO_w_unlock(CRYPTO_LOCK_RAND);
+	if (!do_not_lock) CRYPTO_w_unlock(CRYPTO_LOCK_RAND);
 #if !defined(THREADS) && !defined(WIN32)
 	assert(md_c[1] == md_count[1]);
@ -347,14 +352,18 @@ static int ssleay_rand_bytes(unsigned char *buf, int num)
 	 * global 'md'.
 	 */
 	if (!initialized)
 		RAND_poll();
 	CRYPTO_w_lock(CRYPTO_LOCK_RAND);
 	add_do_not_lock = 1;	/* Since we call ssleay_rand_add while in
 				   this locked state. */
-	initialized = 1;
+	/* prevent ssleay_rand_bytes() from trying to obtain the lock again */
 	crypto_lock_rand = 1;
 	locking_thread = CRYPTO_thread_id();
 	if (!initialized)
 		{
 		RAND_poll();
 		initialized = 1;
 		}
 	if (!stirred_pool)
 		do_stir_pool = 1;
@ -418,8 +427,9 @@ static int ssleay_rand_bytes(unsigned char *buf, int num)
 	md_count[0] += 1;
-	add_do_not_lock = 0;	/* If this would ever be forgotten, we can
+	/* before unlocking, we must clear 'crypto_lock_rand' */
-				   expect any evil god to eat our souls. */
+	crypto_lock_rand = 0;
 	locking_thread = 0;
 	CRYPTO_w_unlock(CRYPTO_LOCK_RAND);
 	while (num > 0)
@ -498,14 +508,37 @@ static int ssleay_rand_pseudo_bytes(unsigned char *buf, int num)
 static int ssleay_rand_status(void)
 	{
 	int ret;
 	int do_not_lock;
 	/* check if we already have the lock
 	 * (could happen if a RAND_poll() implementation calls RAND_status()) */
 	do_not_lock = crypto_lock_rand && (locking_thread == CRYPTO_thread_id());
 	if (!do_not_lock)
 		{
 		CRYPTO_w_lock(CRYPTO_LOCK_RAND);
 		/* prevent ssleay_rand_bytes() from trying to obtain the lock again */
 		crypto_lock_rand = 1;
 		locking_thread = CRYPTO_thread_id();
 		}
 	if (!initialized)
 		{
 		RAND_poll();
 		initialized = 1;
 		}
 	CRYPTO_w_lock(CRYPTO_LOCK_RAND);
 	initialized = 1;
 	ret = entropy >= ENTROPY_NEEDED;
 	CRYPTO_w_unlock(CRYPTO_LOCK_RAND);
 	if (!do_not_lock)
 		{
 		/* before unlocking, we must clear 'crypto_lock_rand' */
 		crypto_lock_rand = 0;
 		locking_thread = 0;
 		CRYPTO_w_unlock(CRYPTO_LOCK_RAND);
 		}
 	return ret;
 	}
--- a/doc/apps/rsautl.pod
+++ b/doc/apps/rsautl.pod
@ -101,11 +101,11 @@ Sign some data using a private key:
 Recover the signed data
- openssl rsautl -sign -in sig -inkey key.pem
+ openssl rsautl -verify -in sig -inkey key.pem
 Examine the raw signed data:
- openssl rsautl -sign -in file -inkey key.pem -raw -hexdump
+ openssl rsautl -verify -in file -inkey key.pem -raw -hexdump
 0000 - 00 01 ff ff ff ff ff ff-ff ff ff ff ff ff ff ff   ................
 0010 - ff ff ff ff ff ff ff ff-ff ff ff ff ff ff ff ff   ................
--- a/doc/apps/s_server.pod
+++ b/doc/apps/s_server.pod
@ -7,7 +7,7 @@ s_server - SSL/TLS server program
 =head1 SYNOPSIS
-B<openssl> B<s_client>
+B<openssl> B<s_server>
 [B<-accept port>]
 [B<-context id>]
 [B<-verify depth>]
--- a/doc/crypto/bio.pod
+++ b/doc/crypto/bio.pod
@ -40,7 +40,7 @@ BIO).
 =head1 SEE ALSO
 L<BIO_ctrl(3)|BIO_ctrl(3)>,
-L<BIO_f_base64(3)|BIO_f_base64(3)>,
+L<BIO_f_base64(3)|BIO_f_base64(3)>, L<BIO_f_buffer(3)|BIO_f_buffer(3)>,
 L<BIO_f_cipher(3)|BIO_f_cipher(3)>, L<BIO_f_md(3)|BIO_f_md(3)>,
 L<BIO_f_null(3)|BIO_f_null(3)>, L<BIO_f_ssl(3)|BIO_f_ssl(3)>,
 L<BIO_find_type(3)|BIO_find_type(3)>, L<BIO_new(3)|BIO_new(3)>,
--- a/doc/ssl/SSL_CTX_load_verify_locations.pod
+++ b/doc/ssl/SSL_CTX_load_verify_locations.pod
@ -33,10 +33,6 @@ which can be used e.g. for descriptions of the certificates.
 The B<CAfile> is processed on execution of the SSL_CTX_load_verify_locations()
 function.
 If on an TLS/SSL server no special setting is performed using *client_CA_list()
 functions, the certificates contained in B<CAfile> are listed to the client
 as available CAs during the TLS/SSL handshake.
 If B<CApath> is not NULL, it points to a directory containing CA certificates
 in PEM format. The files each contain one CA certificate. The files are
 looked up by the CA subject name hash value, which must hence be available.
@ -50,9 +46,6 @@ The certificates in B<CApath> are only looked up when required, e.g. when
 building the certificate chain or when actually performing the verification
 of a peer certificate.
 On a server, the certificates in B<CApath> are not listed as available
 CA certificates to a client during a TLS/SSL handshake.
 When looking up CA certificates, the OpenSSL library will first search the
 certificates in B<CAfile>, then those in B<CApath>. Certificate matching
 is done based on the subject name, the key identifier (if present), and the
@ -62,6 +55,13 @@ matching the parameters is found, the verification process will be performed;
 no other certificates for the same parameters will be searched in case of
 failure.
 In server mode, when requesting a client certificate, the server must send
 the list of CAs of which it will accept client certificates. This list
 is not influenced by the contents of B<CAfile> or B<CApath> and must
 explicitely be set using the
 L<SSL_CTX_set_client_CA_list(3)|SSL_CTX_set_client_CA_list(3)>
 family of functions.
 When building its own certificate chain, an OpenSSL client/server will
 try to fill in missing certificates from B<CAfile>/B<CApath>, if the
 certificate chain was not explicitly specified (see
--- a/doc/ssl/SSL_CTX_set_client_CA_list.pod
+++ b/doc/ssl/SSL_CTX_set_client_CA_list.pod
@ -36,25 +36,23 @@ the chosen B<ssl>, overriding the setting valid for B<ssl>'s SSL_CTX object.
 When a TLS/SSL server requests a client certificate (see
 B<SSL_CTX_set_verify_options()>), it sends a list of CAs, for which
-it will accept certificates, to the client. If no special list is provided,
+it will accept certificates, to the client.
 the CAs available using the B<CAfile> option in
 L<SSL_CTX_load_verify_locations(3)|SSL_CTX_load_verify_locations(3)>
 are sent.
-This list can be explicitly set using the SSL_CTX_set_client_CA_list() for
+This list must explicitly be set using SSL_CTX_set_client_CA_list() for
 B<ctx> and SSL_set_client_CA_list() for the specific B<ssl>. The list
 specified overrides the previous setting. The CAs listed do not become
 trusted (B<list> only contains the names, not the complete certificates); use
 L<SSL_CTX_load_verify_locations(3)|SSL_CTX_load_verify_locations(3)> 
 to additionally load them for verification.
 If the list of acceptable CAs is compiled in a file, the
 L<SSL_load_client_CA_file(3)|SSL_load_client_CA_file(3)>
 function can be used to help importing the necessary data.
 SSL_CTX_add_client_CA() and SSL_add_client_CA() can be used to add additional
 items the list of client CAs. If no list was specified before using
 SSL_CTX_set_client_CA_list() or SSL_set_client_CA_list(), a new client
-CA list for B<ctx> or B<ssl> (as appropriate) is opened. The CAs implicitly
+CA list for B<ctx> or B<ssl> (as appropriate) is opened.
 specified using
 L<SSL_CTX_load_verify_locations(3)|SSL_CTX_load_verify_locations(3)>
 are no longer used automatically.
 These functions are only useful for TLS/SSL servers.
@ -80,11 +78,17 @@ to find out the reason.
 =back
 =head1 EXAMPLES
 Scan all certificates in B<CAfile> and list them as acceptable CAs:
  SSL_CTX_set_client_CA_list(ctx,SSL_load_client_CA_file(CAfile));
 =head1 SEE ALSO
 L<ssl(3)|ssl(3)>,
 L<SSL_get_client_CA_list(3)|SSL_get_client_CA_list(3)>,
-L<SSL_load_client_CA_file(3)|SSL_load_client_CA_file(3)>
+L<SSL_load_client_CA_file(3)|SSL_load_client_CA_file(3)>,
 L<SSL_CTX_load_verify_locations(3)|SSL_CTX_load_verify_locations(3)>
 =cut
--- a/doc/ssl/SSL_get_peer_certificate.pod
+++ b/doc/ssl/SSL_get_peer_certificate.pod
@ -17,6 +17,12 @@ peer presented. If the peer did not present a certificate, NULL is returned.
 =head1 NOTES
 Due to the protocol definition, a TLS/SSL server will always send a
 certificate, if present. A client will only send a certificate when
 explicitely requested to do so by the server (see
 L<SSL_CTX_set_verify(3)|SSL_CTX_set_verify(3)>). If an anonymous cipher
 is used, no certificates are sent.
 That a certificate is returned does not indicate information about the
 verification state, use L<SSL_get_verify_result(3)|SSL_get_verify_result(3)>
 to check the verification state.
@ -43,6 +49,7 @@ The return value points to the certificate presented by the peer.
 =head1 SEE ALSO
-L<ssl(3)|ssl(3)>, L<SSL_get_verify_result(3)|SSL_get_verify_result(3)>
+L<ssl(3)|ssl(3)>, L<SSL_get_verify_result(3)|SSL_get_verify_result(3)>,
 L<SSL_CTX_set_verify(3)|SSL_CTX_set_verify(3)>
 =cut
--- a/doc/ssl/SSL_shutdown.pod
+++ b/doc/ssl/SSL_shutdown.pod
@ -66,7 +66,7 @@ Call SSL_get_error() with the return value B<ret> to find out the reason.
 L<SSL_get_error(3)|SSL_get_error(3)>, L<SSL_connect(3)|SSL_connect(3)>,
 L<SSL_accept(3)|SSL_accept(3)>, L<SSL_set_shutdown(3)|SSL_set_shutdown(3)>,
-L<SSL_clear(3)|SSL_clear(3), L<SSL_free(3)|SSL_free(3)>,
+L<SSL_clear(3)|SSL_clear(3)>, L<SSL_free(3)|SSL_free(3)>,
 L<ssl(3)|ssl(3)>, L<bio(3)|bio(3)>
 =cut
--- a/test/Makefile.ssl
+++ b/test/Makefile.ssl
@ -192,7 +192,7 @@ test_bn:
 	@./$(BNTEST) >tmp.bntest
 	@echo quit >>tmp.bntest
 	@echo "running bc"
-	@<tmp.bntest sh -c "`sh ./bctest || true`" | $(PERL) -e '$$i=0; while (<STDIN>) {if (/^test (.*)/) {print STDERR "\nverify $$1";} elsif (!/^0$$/) {die "\nFailed! bc: $$_";} else {print STDERR "."; $$i++;}} print STDERR "\n$$i tests passed\n"'
+	@<tmp.bntest sh -c "`sh ./bctest; true`" | $(PERL) -e '$$i=0; while (<STDIN>) {if (/^test (.*)/) {print STDERR "\nverify $$1";} elsif (!/^0$$/) {die "\nFailed! bc: $$_";} else {print STDERR "."; $$i++;}} print STDERR "\n$$i tests passed\n"'
 	@echo 'test a^b%c implementations'
 	./$(EXPTEST)
--- a/test/bctest
+++ b/test/bctest
@ -12,10 +12,22 @@
 IFS=:
-for dir in $PATH; do
+try_without_dir=true
-    bc="$dir/bc"
+# First we try "bc", then "$dir/bc" for each item in $PATH.
 for dir in dummy:$PATH; do
    if [ "$try_without_dir" = true ]; then
      # first iteration
      bc=bc
      try_without_dir=false
    else
      # second and later iterations
      bc="$dir/bc"
      if [ ! -f "$bc" ]; then  # '-x' is not available on Ultrix
        bc=''
      fi
    fi
-    if [ -x "$bc" -a ! -d "$bc" ]; then
+    if [ ! "$bc" = '' ]; then
        failure=none