Merge in recent changes from 0.9.6-stable.

CHANGES

@@ -4,6 +4,23 @@
 
  Changes between 0.9.6g and 0.9.6h  [xx XXX xxxx]
 
+  *) Don't impose a 16-byte length minimum on session IDs in ssl/s3_clnt.c
+     (the SSL 3.0 and TLS 1.0 specifications allow any length up to 32 bytes).
+     [Bodo Moeller]
+
+  *) Fix initialization code race conditions in
+        SSLv23_client_method(),   SSLv23_server_method(),
+        SSLv2_client_method(),    SSLv2_server_method(),
+        SSLv3_client_method(),    SSLv3_server_method(),
+        TLSv1_client_method(),    TLSv1_server_method().
+     [Patrick McCormick <patrick@tellme.com>, Bodo Moeller]
+
+  *) Reorder cleanup sequence in SSL_CTX_free(): only remove the ex_data after
+     the cached sessions are flushed, as the remove_cb() might use ex_data
+     contents. Bug found by Sam Varshavchik <mrsam@courier-mta.com>
+     (see [openssl.org #212]).
+     [Geoff Thorpe, Lutz Jaenicke]
+
   *) Fix typo in OBJ_txt2obj which incorrectly passed the content
      length, instead of the encoding length to d2i_ASN1_OBJECT.
      [Steve Henson]

FAQ

@@ -35,6 +35,7 @@ OpenSSL  -  Frequently Asked Questions
 * Why does the linker complain about undefined symbols?
 * Why does the OpenSSL test fail with "bc: command not found"?
 * Why does the OpenSSL test fail with "bc: 1 no implemented"?
+* Why does the OpenSSL test fail with "bc: stack empty"?
 * Why does the OpenSSL compilation fail on Alpha Tru64 Unix?
 * Why does the OpenSSL compilation fail with "ar: command not found"?
 * Why does the OpenSSL compilation fail on Win32 with VC++?
@@ -392,6 +393,17 @@ and compile/install it.  GNU bc (see http://www.gnu.org/software/software.html
 for download instructions) can be safely used, for example.
 
 
+* Why does the OpenSSL test fail with "bc: stack empty"?
+
+On some DG/ux versions, bc seems to have a too small stack for calculations
+that the OpenSSL bntest throws at it.  This gets triggered when you run the
+test suite (using "make test").  The message returned is "bc: stack empty".
+
+The best way to deal with this is to find another implementation of bc
+and compile/install it.  GNU bc (see http://www.gnu.org/software/software.html
+for download instructions) can be safely used, for example.
+
+
 * Why does the OpenSSL compilation fail on Alpha Tru64 Unix?
 
 On some Alpha installations running Tru64 Unix and Compaq C, the compilation

Makefile.org

@@ -270,9 +270,7 @@ do_gnu-shared:
 	done
 
 DETECT_GNU_LD=${CC} -v 2>&1 | grep '^gcc' >/dev/null 2>&1 && \
-	collect2=`gcc -print-prog-name=collect2 2>&1` && \
-	[ -n "$$collect2" ] && \
-	my_ld=`$$collect2 --help 2>&1 | grep Usage: | sed 's/^Usage: *\([^ ][^ ]*\).*/\1/'` && \
+	my_ld=`gcc -print-prog-name=ld 2>&1` && \
 	[ -n "$$my_ld" ] && \
 	$$my_ld -v 2>&1 | grep 'GNU ld' >/dev/null 2>&1
 
@@ -687,13 +685,13 @@ install_docs:
 		$(INSTALL_PREFIX)$(MANDIR)/man3 \
 		$(INSTALL_PREFIX)$(MANDIR)/man5 \
 		$(INSTALL_PREFIX)$(MANDIR)/man7
-	@pod2man=`cd util; ./pod2mantest ignore`; \
+	@pod2man="`cd util; ./pod2mantest $(PERL)`"; \
 	for i in doc/apps/*.pod; do \
 		fn=`basename $$i .pod`; \
 		if [ "$$fn" = "config" ]; then sec=5; else sec=1; fi; \
 		echo "installing man$$sec/`basename $$i .pod`.$$sec"; \
 		(cd `$(PERL) util/dirname.pl $$i`; \
-		sh -c "$(PERL) $$pod2man \
+		sh -c "$$pod2man \
 			--section=$$sec --center=OpenSSL \
 			--release=$(VERSION) `basename $$i`") \
 			>  $(INSTALL_PREFIX)$(MANDIR)/man$$sec/`basename $$i .pod`.$$sec; \
@@ -703,7 +701,7 @@ install_docs:
 		if [ "$$fn" = "des_modes" ]; then sec=7; else sec=3; fi; \
 		echo "installing man$$sec/`basename $$i .pod`.$$sec"; \
 		(cd `$(PERL) util/dirname.pl $$i`; \
-		sh -c "$(PERL) $$pod2man \
+		sh -c "$$pod2man \
 			--section=$$sec --center=OpenSSL \
 			--release=$(VERSION) `basename $$i`") \
 			>  $(INSTALL_PREFIX)$(MANDIR)/man$$sec/`basename $$i .pod`.$$sec; \

apps/makeapps.com

@@ -1077,7 +1077,7 @@ $ CC = CC + "/DEFINE=(" + CCDEFS + ")" + CCDISABLEWARNINGS
 $!
 $! Show user the result
 $!
-$ WRITE SYS$OUTPUT "Main Compiling Command: ",CC
+$ WRITE/SYMBOL SYS$OUTPUT "Main Compiling Command: ",CC
 $!
 $! Special Threads For OpenVMS v7.1 Or Later
 $!

apps/pkcs12.c

@@ -503,9 +503,10 @@ int MAIN(int argc, char **argv)
 		    /* Exclude verified certificate */
 		    for (i = 1; i < sk_X509_num (chain2) ; i++) 
 			sk_X509_push(certs, sk_X509_value (chain2, i));
-		}
-		sk_X509_free(chain2);
-		if (vret) {
+		    /* Free first certificate */
+		    X509_free(sk_X509_value(chain2, 0));
+		    sk_X509_free(chain2);
+		} else {
 			BIO_printf (bio_err, "Error %s getting chain.\n",
 					X509_verify_cert_error_string(vret));
 			goto export_end;
@@ -532,8 +533,6 @@ int MAIN(int argc, char **argv)
 	}
 	sk_X509_pop_free(certs, X509_free);
 	certs = NULL;
-	/* ucert is part of certs so it is already freed */
-	ucert = NULL;
 
 #ifdef CRYPTO_MDEBUG
 	CRYPTO_pop_info();
@@ -621,7 +620,6 @@ int MAIN(int argc, char **argv)
 	if (certs) sk_X509_pop_free(certs, X509_free);
 	if (safes) sk_PKCS7_pop_free(safes, PKCS7_free);
 	if (bags) sk_PKCS12_SAFEBAG_pop_free(bags, PKCS12_SAFEBAG_free);
-	if (ucert) X509_free(ucert);
 
 #ifdef CRYPTO_MDEBUG
 	CRYPTO_pop_info();

apps/s_server.c

@@ -257,10 +257,10 @@ static char **local_argv;
 static int ebcdic_new(BIO *bi);
 static int ebcdic_free(BIO *a);
 static int ebcdic_read(BIO *b, char *out, int outl);
-static int ebcdic_write(BIO *b, char *in, int inl);
-static long ebcdic_ctrl(BIO *b, int cmd, long num, char *ptr);
+static int ebcdic_write(BIO *b, const char *in, int inl);
+static long ebcdic_ctrl(BIO *b, int cmd, long num, void *ptr);
 static int ebcdic_gets(BIO *bp, char *buf, int size);
-static int ebcdic_puts(BIO *bp, char *str);
+static int ebcdic_puts(BIO *bp, const char *str);
 
 #define BIO_TYPE_EBCDIC_FILTER	(18|0x0200)
 static BIO_METHOD methods_ebcdic=
@@ -325,7 +325,7 @@ static int ebcdic_read(BIO *b, char *out, int outl)
 	return(ret);
 }
 
-static int ebcdic_write(BIO *b, char *in, int inl)
+static int ebcdic_write(BIO *b, const char *in, int inl)
 {
 	EBCDIC_OUTBUFF *wbuf;
 	int ret=0;
@@ -358,7 +358,7 @@ static int ebcdic_write(BIO *b, char *in, int inl)
 	return(ret);
 }
 
-static long ebcdic_ctrl(BIO *b, int cmd, long num, char *ptr)
+static long ebcdic_ctrl(BIO *b, int cmd, long num, void *ptr)
 {
 	long ret;
 
@@ -377,7 +377,7 @@ static long ebcdic_ctrl(BIO *b, int cmd, long num, char *ptr)
 
 static int ebcdic_gets(BIO *bp, char *buf, int size)
 {
-	int i, ret;
+	int i, ret=0;
 	if (bp->next_bio == NULL) return(0);
 /*	return(BIO_gets(bp->next_bio,buf,size));*/
 	for (i=0; i<size-1; ++i)
@@ -396,7 +396,7 @@ static int ebcdic_gets(BIO *bp, char *buf, int size)
 	return (ret < 0 && i == 0) ? ret : i;
 }
 
-static int ebcdic_puts(BIO *bp, char *str)
+static int ebcdic_puts(BIO *bp, const char *str)
 {
 	if (bp->next_bio == NULL) return(0);
 	return ebcdic_write(bp, str, strlen(str));

apps/speed.c

@@ -724,7 +724,7 @@ int MAIN(int argc, char **argv)
 
 			BIO_printf(bio_err,"\n");
 			BIO_printf(bio_err,"Available options:\n");
-#ifdef TIMES
+#if defined(TIMES) || defined(USE_TOD)
 			BIO_printf(bio_err,"-elapsed        measure time in real time instead of CPU user time.\n");
 #endif
 			BIO_printf(bio_err,"-engine e       use engine e, possibly a hardware device.\n");

crypto/asn1/a_strex.c

@@ -519,7 +519,7 @@ int ASN1_STRING_to_UTF8(unsigned char **out, ASN1_STRING *in)
 {
 	ASN1_STRING stmp, *str = &stmp;
 	int mbflag, type, ret;
-	if(!*out || !in) return -1;
+	if(!in) return -1;
 	type = in->type;
 	if((type < 0) || (type > 30)) return -1;
 	mbflag = tag2nbyte[type];
@@ -528,6 +528,6 @@ int ASN1_STRING_to_UTF8(unsigned char **out, ASN1_STRING *in)
 	stmp.data = NULL;
 	ret = ASN1_mbstring_copy(&str, in->data, in->length, mbflag, B_ASN1_UTF8STRING);
 	if(ret < 0) return ret;
-	if(out) *out = stmp.data;
+	*out = stmp.data;
 	return stmp.length;
 }

crypto/asn1/a_utctm.c

@@ -246,6 +246,8 @@ ASN1_UTCTIME *ASN1_UTCTIME_set(ASN1_UTCTIME *s, time_t t)
 		ts=(struct tm *)localtime(&t);
 		}
 #endif
+	if (ts == NULL)
+		return(NULL);
 	p=(char *)s->data;
 	if ((p == NULL) || (s->length < 14))
 		{

crypto/cryptlib.c

@@ -89,6 +89,7 @@ static const char* lock_names[CRYPTO_NUM_LOCKS] =
 	"ssl_session",
 	"ssl_sess_cert",
 	"ssl",
+	/* "ssl_method", */
 	"rand",
 	"rand2",
 	"debug_malloc",

crypto/crypto-lib.com

@@ -1333,7 +1333,7 @@ $   CC4 = CC - CCDISABLEWARNINGS + CC4DISABLEWARNINGS
 $!
 $!  Show user the result
 $!
-$   WRITE SYS$OUTPUT "Main C Compiling Command: ",CC
+$   WRITE/SYMBOL SYS$OUTPUT "Main C Compiling Command: ",CC
 $!
 $!  Else The User Entered An Invalid Arguement.
 $!
@@ -1364,7 +1364,7 @@ $ IF ARCH .EQS. "AXP" THEN MACRO = "MACRO/MIGRATION/''DEBUGGER'/''MACRO_OPTIMIZE
 $!
 $!  Show user the result
 $!
-$   WRITE SYS$OUTPUT "Main MACRO Compiling Command: ",MACRO
+$   WRITE/SYMBOL SYS$OUTPUT "Main MACRO Compiling Command: ",MACRO
 $!
 $! Time to check the contents, and to make sure we get the correct library.
 $!

crypto/crypto.h

@@ -95,36 +95,39 @@ extern "C" {
  * names in cryptlib.c
  */
 
-#define	CRYPTO_LOCK_ERR			1
-#define	CRYPTO_LOCK_ERR_HASH		2
-#define	CRYPTO_LOCK_X509		3
-#define	CRYPTO_LOCK_X509_INFO		4
-#define	CRYPTO_LOCK_X509_PKEY		5
+#define CRYPTO_LOCK_ERR			1
+#define CRYPTO_LOCK_ERR_HASH		2
+#define CRYPTO_LOCK_X509		3
+#define CRYPTO_LOCK_X509_INFO		4
+#define CRYPTO_LOCK_X509_PKEY		5
 #define CRYPTO_LOCK_X509_CRL		6
 #define CRYPTO_LOCK_X509_REQ		7
 #define CRYPTO_LOCK_DSA			8
 #define CRYPTO_LOCK_RSA			9
 #define CRYPTO_LOCK_EVP_PKEY		10
-#define	CRYPTO_LOCK_X509_STORE		11
-#define	CRYPTO_LOCK_SSL_CTX		12
-#define	CRYPTO_LOCK_SSL_CERT		13
-#define	CRYPTO_LOCK_SSL_SESSION		14
-#define	CRYPTO_LOCK_SSL_SESS_CERT	15
-#define	CRYPTO_LOCK_SSL			16
-#define	CRYPTO_LOCK_RAND		17
-#define	CRYPTO_LOCK_RAND2		18
-#define	CRYPTO_LOCK_MALLOC		19
-#define	CRYPTO_LOCK_BIO			20
-#define	CRYPTO_LOCK_GETHOSTBYNAME	21
-#define	CRYPTO_LOCK_GETSERVBYNAME	22
-#define	CRYPTO_LOCK_READDIR		23
-#define	CRYPTO_LOCK_RSA_BLINDING	24
-#define	CRYPTO_LOCK_DH			25
-#define	CRYPTO_LOCK_MALLOC2		26
-#define	CRYPTO_LOCK_DSO			27
-#define	CRYPTO_LOCK_DYNLOCK		28
-#define	CRYPTO_LOCK_ENGINE		29
-#define	CRYPTO_NUM_LOCKS		30
+#define CRYPTO_LOCK_X509_STORE		11
+#define CRYPTO_LOCK_SSL_CTX		12
+#define CRYPTO_LOCK_SSL_CERT		13
+#define CRYPTO_LOCK_SSL_SESSION		14
+#define CRYPTO_LOCK_SSL_SESS_CERT	15
+#define CRYPTO_LOCK_SSL			16
+/* for binary compatibility between 0.9.6 minor versions,
+ * reuse an existing lock (later version use a new one): */
+# define CRYPTO_LOCK_SSL_METHOD		CRYPTO_LOCK_SSL_CTX
+#define CRYPTO_LOCK_RAND		17
+#define CRYPTO_LOCK_RAND2		18
+#define CRYPTO_LOCK_MALLOC		19
+#define CRYPTO_LOCK_BIO			20
+#define CRYPTO_LOCK_GETHOSTBYNAME	21
+#define CRYPTO_LOCK_GETSERVBYNAME	22
+#define CRYPTO_LOCK_READDIR		23
+#define CRYPTO_LOCK_RSA_BLINDING	24
+#define CRYPTO_LOCK_DH			25
+#define CRYPTO_LOCK_MALLOC2		26
+#define CRYPTO_LOCK_DSO			27
+#define CRYPTO_LOCK_DYNLOCK		28
+#define CRYPTO_LOCK_ENGINE		29
+#define CRYPTO_NUM_LOCKS		30
 
 #define CRYPTO_LOCK		1
 #define CRYPTO_UNLOCK		2
@@ -146,7 +149,7 @@ extern "C" {
 #endif
 #else
 #define CRYPTO_w_lock(a)
-#define	CRYPTO_w_unlock(a)
+#define CRYPTO_w_unlock(a)
 #define CRYPTO_r_lock(a)
 #define CRYPTO_r_unlock(a)
 #define CRYPTO_add(a,b,c)	((*(a))+=(b))

crypto/des/FILES

@@ -1,96 +0,0 @@
-/* General stuff */
-COPYRIGHT	- Copyright info.
-MODES.DES	- A description of the features of the different modes of DES.
-FILES		- This file.
-INSTALL		- How to make things compile.
-Imakefile	- For use with kerberos.
-README		- What this package is.
-VERSION		- Which version this is and what was changed.
-KERBEROS	- Kerberos version 4 notes.
-Makefile.PL	- An old makefile to build with perl5, not current.
-Makefile.ssl	- The SSLeay makefile
-Makefile.uni	- The normal unix makefile.
-GNUmakefile	- The makefile for use with glibc.
-makefile.bc	- A Borland C makefile
-times		- Some outputs from 'speed' on some machines.
-vms.com		- For use when compiling under VMS
-
-/* My SunOS des(1) replacement */
-des.c		- des(1) source code.
-des.man		- des(1) manual.
-
-/* Testing and timing programs. */
-destest.c	- Source for libdes.a test program.
-speed.c		- Source for libdes.a timing program.
-rpw.c		- Source for libdes.a testing password reading routines.
-
-/* libdes.a source code */
-des_crypt.man	- libdes.a manual page.
-des.h		- Public libdes.a header file.
-ecb_enc.c	- des_ecb_encrypt() source, this contains the basic DES code.
-ecb3_enc.c	- des_ecb3_encrypt() source.
-cbc_ckm.c	- des_cbc_cksum() source.
-cbc_enc.c	- des_cbc_encrypt() source.
-ncbc_enc.c	- des_cbc_encrypt() that is 'normal' in that it copies
-		  the new iv values back in the passed iv vector.
-ede_enc.c	- des_ede3_cbc_encrypt() cbc mode des using triple DES.
-cbc3_enc.c	- des_3cbc_encrypt() source, don't use this function.
-cfb_enc.c	- des_cfb_encrypt() source.
-cfb64enc.c	- des_cfb64_encrypt() cfb in 64 bit mode but setup to be
-		  used as a stream cipher.
-cfb64ede.c	- des_ede3_cfb64_encrypt() cfb in 64 bit mode but setup to be
-		  used as a stream cipher and using triple DES.
-ofb_enc.c	- des_cfb_encrypt() source.
-ofb64_enc.c	- des_ofb_encrypt() ofb in 64 bit mode but setup to be
-		  used as a stream cipher.
-ofb64ede.c	- des_ede3_ofb64_encrypt() ofb in 64 bit mode but setup to be
-		  used as a stream cipher and using triple DES.
-enc_read.c	- des_enc_read() source.
-enc_writ.c	- des_enc_write() source.
-pcbc_enc.c	- des_pcbc_encrypt() source.
-qud_cksm.c	- quad_cksum() source.
-rand_key.c	- des_random_key() source.
-read_pwd.c	- Source for des_read_password() plus related functions.
-set_key.c	- Source for des_set_key().
-str2key.c	- Covert a string of any length into a key.
-fcrypt.c	- A small, fast version of crypt(3).
-des_locl.h	- Internal libdes.a header file.
-podd.h		- Odd parity tables - used in des_set_key().
-sk.h		- Lookup tables used in des_set_key().
-spr.h		- What is left of the S tables - used in ecb_encrypt().
-des_ver.h	- header file for the external definition of the
-		  version string.
-des.doc		- SSLeay documentation for the library.
-
-/* The perl scripts - you can ignore these files they are only
- * included for the curious */
-des.pl		- des in perl anyone? des_set_key and des_ecb_encrypt
-		  both done in a perl library.
-testdes.pl	- Testing program for des.pl
-doIP		- Perl script used to develop IP xor/shift code.
-doPC1		- Perl script used to develop PC1 xor/shift code.
-doPC2		- Generates sk.h.
-PC1		- Output of doPC1 should be the same as output from PC1.
-PC2		- used in development of doPC2.
-shifts.pl	- Perl library used by my perl scripts.
-
-/* I started making a perl5 dynamic library for libdes
- * but did not fully finish, these files are part of that effort. */
-DES.pm
-DES.pod
-DES.xs
-t
-typemap
-
-/* The following are for use with sun RPC implementaions. */
-rpc_des.h
-rpc_enc.c
-
-/* The following are contibuted by Mark Murray <mark@grondar.za>.  They
- * are not normally built into libdes due to machine specific routines
- * contained in them.  They are for use in the most recent incarnation of
- * export kerberos v 4 (eBones). */
-supp.c
-new_rkey.c
-
-

crypto/pem/pem_lib.c

@@ -405,8 +405,11 @@ err:
 	memset(iv,0,sizeof(iv));
 	memset((char *)&ctx,0,sizeof(ctx));
 	memset(buf,0,PEM_BUFSIZE);
-	memset(data,0,(unsigned int)dsize);
-	OPENSSL_free(data);
+	if (data != NULL)
+		{
+		memset(data,0,(unsigned int)dsize);
+		OPENSSL_free(data);
+		}
 	return(ret);
 	}
 

crypto/rand/rand_egd.c

@@ -59,7 +59,7 @@
 /* Query the EGD <URL: http://www.lothar.com/tech/crypto/>.
  */
 
-#if defined(WIN32) || defined(VMS) || defined(__VMS)
+#if defined(WIN32) || defined(MSDOS) || defined(VMS) || defined(__VMS)
 int RAND_egd(const char *path)
 	{
 	return(-1);

doc/crypto/BN_CTX_new.pod

@@ -42,7 +42,7 @@ BN_CTX_init() and BN_CTX_free() have no return values.
 
 =head1 SEE ALSO
 
-L<bn(3)|bn(3)>, L<err(3)|err(3)>, L<BN_add(3)|BN_add(3)>,
+L<bn(3)|bn(3)>, L<ERR_get_error(3)|ERR_get_error(3)>, L<BN_add(3)|BN_add(3)>,
 L<BN_CTX_start(3)|BN_CTX_start(3)>
 
 =head1 HISTORY

doc/crypto/BN_add.pod

@@ -86,7 +86,7 @@ The error codes can be obtained by L<ERR_get_error(3)|ERR_get_error(3)>.
 
 =head1 SEE ALSO
 
-L<bn(3)|bn(3)>, L<err(3)|err(3)>, L<BN_CTX_new(3)|BN_CTX_new(3)>,
+L<bn(3)|bn(3)>, L<ERR_get_error(3)|ERR_get_error(3)>, L<BN_CTX_new(3)|BN_CTX_new(3)>,
 L<BN_add_word(3)|BN_add_word(3)>, L<BN_set_bit(3)|BN_set_bit(3)>
 
 =head1 HISTORY

doc/crypto/BN_add_word.pod

@@ -46,7 +46,7 @@ BN_mod_word() and BN_div_word() return B<a>%B<w>.
 
 =head1 SEE ALSO
 
-L<bn(3)|bn(3)>, L<err(3)|err(3)>, L<BN_add(3)|BN_add(3)>
+L<bn(3)|bn(3)>, L<ERR_get_error(3)|ERR_get_error(3)>, L<BN_add(3)|BN_add(3)>
 
 =head1 HISTORY
 

doc/crypto/BN_bn2bin.pod

@@ -80,7 +80,7 @@ The error codes can be obtained by L<ERR_get_error(3)|ERR_get_error(3)>.
 
 =head1 SEE ALSO
 
-L<bn(3)|bn(3)>, L<err(3)|err(3)>, L<BN_zero(3)|BN_zero(3)>,
+L<bn(3)|bn(3)>, L<ERR_get_error(3)|ERR_get_error(3)>, L<BN_zero(3)|BN_zero(3)>,
 L<ASN1_INTEGER_to_BN(3)|ASN1_INTEGER_to_BN(3)>,
 L<BN_num_bytes(3)|BN_num_bytes(3)>
 

doc/crypto/BN_copy.pod

@@ -25,7 +25,7 @@ by L<ERR_get_error(3)|ERR_get_error(3)>.
 
 =head1 SEE ALSO
 
-L<bn(3)|bn(3)>, L<err(3)|err(3)>
+L<bn(3)|bn(3)>, L<ERR_get_error(3)|ERR_get_error(3)>
 
 =head1 HISTORY
 

doc/crypto/BN_generate_prime.pod

@@ -90,7 +90,7 @@ The error codes can be obtained by L<ERR_get_error(3)|ERR_get_error(3)>.
 
 =head1 SEE ALSO
 
-L<bn(3)|bn(3)>, L<err(3)|err(3)>, L<rand(3)|rand(3)>
+L<bn(3)|bn(3)>, L<ERR_get_error(3)|ERR_get_error(3)>, L<rand(3)|rand(3)>
 
 =head1 HISTORY
 

doc/crypto/BN_mod_inverse.pod

@@ -27,7 +27,7 @@ NULL on error. The error codes can be obtained by L<ERR_get_error(3)|ERR_get_err
 
 =head1 SEE ALSO
 
-L<bn(3)|bn(3)>, L<err(3)|err(3)>, L<BN_add(3)|BN_add(3)>
+L<bn(3)|bn(3)>, L<ERR_get_error(3)|ERR_get_error(3)>, L<BN_add(3)|BN_add(3)>
 
 =head1 HISTORY
 

doc/crypto/BN_mod_mul_montgomery.pod

@@ -81,7 +81,7 @@ The error codes can be obtained by L<ERR_get_error(3)|ERR_get_error(3)>.
 
 =head1 SEE ALSO
 
-L<bn(3)|bn(3)>, L<err(3)|err(3)>, L<BN_add(3)|BN_add(3)>,
+L<bn(3)|bn(3)>, L<ERR_get_error(3)|ERR_get_error(3)>, L<BN_add(3)|BN_add(3)>,
 L<BN_CTX_new(3)|BN_CTX_new(3)>
 
 =head1 HISTORY

doc/crypto/BN_mod_mul_reciprocal.pod

@@ -69,7 +69,7 @@ The error codes can be obtained by L<ERR_get_error(3)|ERR_get_error(3)>.
 
 =head1 SEE ALSO
 
-L<bn(3)|bn(3)>, L<err(3)|err(3)>, L<BN_add(3)|BN_add(3)>,
+L<bn(3)|bn(3)>, L<ERR_get_error(3)|ERR_get_error(3)>, L<BN_add(3)|BN_add(3)>,
 L<BN_CTX_new(3)|BN_CTX_new(3)>
 
 =head1 HISTORY

doc/crypto/BN_new.pod

@@ -42,7 +42,7 @@ values.
 
 =head1 SEE ALSO
 
-L<bn(3)|bn(3)>, L<err(3)|err(3)>
+L<bn(3)|bn(3)>, L<ERR_get_error(3)|ERR_get_error(3)>
 
 =head1 HISTORY
 

doc/crypto/BN_rand.pod

@@ -45,7 +45,7 @@ The error codes can be obtained by L<ERR_get_error(3)|ERR_get_error(3)>.
 
 =head1 SEE ALSO
 
-L<bn(3)|bn(3)>, L<err(3)|err(3)>, L<rand(3)|rand(3)>,
+L<bn(3)|bn(3)>, L<ERR_get_error(3)|ERR_get_error(3)>, L<rand(3)|rand(3)>,
 L<RAND_add(3)|RAND_add(3)>, L<RAND_bytes(3)|RAND_bytes(3)>
 
 =head1 HISTORY

doc/crypto/DH_generate_key.pod

@@ -40,7 +40,7 @@ The error codes can be obtained by L<ERR_get_error(3)|ERR_get_error(3)>.
 
 =head1 SEE ALSO
 
-L<dh(3)|dh(3)>, L<err(3)|err(3)>, L<rand(3)|rand(3)>, L<DH_size(3)|DH_size(3)>
+L<dh(3)|dh(3)>, L<ERR_get_error(3)|ERR_get_error(3)>, L<rand(3)|rand(3)>, L<DH_size(3)|DH_size(3)>
 
 =head1 HISTORY
 

doc/crypto/DH_generate_parameters.pod

@@ -59,7 +59,8 @@ a usable generator.
 
 =head1 SEE ALSO
 
-L<dh(3)|dh(3)>, L<err(3)|err(3)>, L<rand(3)|rand(3)>, L<DH_free(3)|DH_free(3)>
+L<dh(3)|dh(3)>, L<ERR_get_error(3)|ERR_get_error(3)>, L<rand(3)|rand(3)>,
+L<DH_free(3)|DH_free(3)>
 
 =head1 HISTORY
 

doc/crypto/DH_new.pod

@@ -29,7 +29,7 @@ DH_free() returns no value.
 
 =head1 SEE ALSO
 
-L<dh(3)|dh(3)>, L<err(3)|err(3)>,
+L<dh(3)|dh(3)>, L<ERR_get_error(3)|ERR_get_error(3)>,
 L<DH_generate_parameters(3)|DH_generate_parameters(3)>,
 L<DH_generate_key(3)|DH_generate_key(3)>
 

doc/crypto/DSA_SIG_new.pod

@@ -30,7 +30,8 @@ DSA_SIG_free() returns no value.
 
 =head1 SEE ALSO
 
-L<dsa(3)|dsa(3)>, L<err(3)|err(3)>, L<DSA_do_sign(3)|DSA_do_sign(3)>
+L<dsa(3)|dsa(3)>, L<ERR_get_error(3)|ERR_get_error(3)>,
+L<DSA_do_sign(3)|DSA_do_sign(3)>
 
 =head1 HISTORY
 

doc/crypto/DSA_do_sign.pod

@@ -36,7 +36,7 @@ L<ERR_get_error(3)|ERR_get_error(3)>.
 
 =head1 SEE ALSO
 
-L<dsa(3)|dsa(3)>, L<err(3)|err(3)>, L<rand(3)|rand(3)>,
+L<dsa(3)|dsa(3)>, L<ERR_get_error(3)|ERR_get_error(3)>, L<rand(3)|rand(3)>,
 L<DSA_SIG_new(3)|DSA_SIG_new(3)>,
 L<DSA_sign(3)|DSA_sign(3)>
 

doc/crypto/DSA_dup_DH.pod

@@ -27,7 +27,7 @@ Be careful to avoid small subgroup attacks when using this.
 
 =head1 SEE ALSO
 
-L<dh(3)|dh(3)>, L<dsa(3)|dsa(3)>, L<err(3)|err(3)>
+L<dh(3)|dh(3)>, L<dsa(3)|dsa(3)>, L<ERR_get_error(3)|ERR_get_error(3)>
 
 =head1 HISTORY
 

doc/crypto/DSA_generate_key.pod

@@ -24,7 +24,8 @@ The error codes can be obtained by L<ERR_get_error(3)|ERR_get_error(3)>.
 
 =head1 SEE ALSO
 
-L<dsa(3)|dsa(3)>, L<err(3)|err(3)>, L<rand(3)|rand(3)>, L<DSA_generate_parameters(3)|DSA_generate_parameters(3)>
+L<dsa(3)|dsa(3)>, L<ERR_get_error(3)|ERR_get_error(3)>, L<rand(3)|rand(3)>,
+L<DSA_generate_parameters(3)|DSA_generate_parameters(3)>
 
 =head1 HISTORY
 

doc/crypto/DSA_generate_parameters.pod

@@ -90,7 +90,7 @@ Seed lengths E<gt> 20 are not supported.
 
 =head1 SEE ALSO
 
-L<dsa(3)|dsa(3)>, L<err(3)|err(3)>, L<rand(3)|rand(3)>,
+L<dsa(3)|dsa(3)>, L<ERR_get_error(3)|ERR_get_error(3)>, L<rand(3)|rand(3)>,
 L<DSA_free(3)|DSA_free(3)>
 
 =head1 HISTORY

doc/crypto/DSA_new.pod

@@ -30,7 +30,7 @@ DSA_free() returns no value.
 
 =head1 SEE ALSO
 
-L<dsa(3)|dsa(3)>, L<err(3)|err(3)>,
+L<dsa(3)|dsa(3)>, L<ERR_get_error(3)|ERR_get_error(3)>,
 L<DSA_generate_parameters(3)|DSA_generate_parameters(3)>,
 L<DSA_generate_key(3)|DSA_generate_key(3)>
 

doc/crypto/DSA_sign.pod

@@ -55,7 +55,7 @@ Standard, DSS), ANSI X9.30
 
 =head1 SEE ALSO
 
-L<dsa(3)|dsa(3)>, L<err(3)|err(3)>, L<rand(3)|rand(3)>,
+L<dsa(3)|dsa(3)>, L<ERR_get_error(3)|ERR_get_error(3)>, L<rand(3)|rand(3)>,
 L<DSA_do_sign(3)|DSA_do_sign(3)>
 
 =head1 HISTORY

doc/crypto/EVP_SealInit.pod

@@ -12,7 +12,7 @@ EVP_SealInit, EVP_SealUpdate, EVP_SealFinal - EVP envelope encryption
 		int *ekl, unsigned char *iv,EVP_PKEY **pubk, int npubk);
  int EVP_SealUpdate(EVP_CIPHER_CTX *ctx, unsigned char *out,
          int *outl, unsigned char *in, int inl);
- int EVP_SealFinal(EVP_CIPHER_CTX *ctx, unsigned char *out,
+ void EVP_SealFinal(EVP_CIPHER_CTX *ctx, unsigned char *out,
          int *outl);
 
 =head1 DESCRIPTION
@@ -43,8 +43,7 @@ page.
 
 EVP_SealInit() returns 0 on error or B<npubk> if successful.
 
-EVP_SealUpdate() and EVP_SealFinal() return 1 for success and 0 for
-failure.
+EVP_SealUpdate() returns 1 for success and 0 for failure.
 
 =head1 NOTES
 

doc/crypto/RAND_bytes.pod

@@ -35,7 +35,8 @@ method.
 
 =head1 SEE ALSO
 
-L<rand(3)|rand(3)>, L<err(3)|err(3)>, L<RAND_add(3)|RAND_add(3)>
+L<rand(3)|rand(3)>, L<ERR_get_error(3)|ERR_get_error(3)>,
+L<RAND_add(3)|RAND_add(3)>
 
 =head1 HISTORY
 

doc/crypto/RSA_check_key.pod

@@ -39,7 +39,7 @@ key data too.
 
 =head1 SEE ALSO
 
-L<rsa(3)|rsa(3)>, L<err(3)|err(3)>
+L<rsa(3)|rsa(3)>, L<ERR_get_error(3)|ERR_get_error(3)>
 
 =head1 HISTORY
 

doc/crypto/RSA_generate_key.pod

@@ -59,7 +59,8 @@ RSA_generate_key() goes into an infinite loop for illegal input values.
 
 =head1 SEE ALSO
 
-L<err(3)|err(3)>, L<rand(3)|rand(3)>, L<rsa(3)|rsa(3)>, L<RSA_free(3)|RSA_free(3)>
+L<ERR_get_error(3)|ERR_get_error(3)>, L<rand(3)|rand(3)>, L<rsa(3)|rsa(3)>,
+L<RSA_free(3)|RSA_free(3)>
 
 =head1 HISTORY
 

doc/crypto/RSA_private_encrypt.pod

@@ -59,7 +59,8 @@ obtained by L<ERR_get_error(3)|ERR_get_error(3)>.
 
 =head1 SEE ALSO
 
-L<err(3)|err(3)>, L<rsa(3)|rsa(3)>, L<RSA_sign(3)|RSA_sign(3)>, L<RSA_verify(3)|RSA_verify(3)>
+L<ERR_get_error(3)|ERR_get_error(3)>, L<rsa(3)|rsa(3)>,
+L<RSA_sign(3)|RSA_sign(3)>, L<RSA_verify(3)|RSA_verify(3)>
 
 =head1 HISTORY
 

doc/crypto/RSA_public_encrypt.pod

@@ -72,7 +72,8 @@ SSL, PKCS #1 v2.0
 
 =head1 SEE ALSO
 
-L<err(3)|err(3)>, L<rand(3)|rand(3)>, L<rsa(3)|rsa(3)>, L<RSA_size(3)|RSA_size(3)>
+L<ERR_get_error(3)|ERR_get_error(3)>, L<rand(3)|rand(3)>, L<rsa(3)|rsa(3)>,
+L<RSA_size(3)|RSA_size(3)>
 
 =head1 NOTES
 

doc/crypto/RSA_sign.pod

@@ -50,8 +50,8 @@ SSL, PKCS #1 v2.0
 
 =head1 SEE ALSO
 
-L<err(3)|err(3)>, L<objects(3)|objects(3)>, L<rsa(3)|rsa(3)>,
-L<RSA_private_encrypt(3)|RSA_private_encrypt(3)>,
+L<ERR_get_error(3)|ERR_get_error(3)>, L<objects(3)|objects(3)>,
+L<rsa(3)|rsa(3)>, L<RSA_private_encrypt(3)|RSA_private_encrypt(3)>,
 L<RSA_public_decrypt(3)|RSA_public_decrypt(3)> 
 
 =head1 HISTORY

doc/crypto/RSA_sign_ASN1_OCTET_STRING.pod

@@ -47,8 +47,8 @@ These functions serve no recognizable purpose.
 
 =head1 SEE ALSO
 
-L<err(3)|err(3)>, L<objects(3)|objects(3)>, L<rand(3)|rand(3)>,
-L<rsa(3)|rsa(3)>, L<RSA_sign(3)|RSA_sign(3)>,
+L<ERR_get_error(3)|ERR_get_error(3)>, L<objects(3)|objects(3)>,
+L<rand(3)|rand(3)>, L<rsa(3)|rsa(3)>, L<RSA_sign(3)|RSA_sign(3)>,
 L<RSA_verify(3)|RSA_verify(3)>
 
 =head1 HISTORY

doc/openssl.txt

@@ -344,7 +344,7 @@ the extension.
 
 Examples:
 
-subjectAltName=email:copy,email:my@other.address,URL:http://my.url.here/
+subjectAltName=email:copy,email:my@other.address,URI:http://my.url.here/
 subjectAltName=email:my@other.address,RID:1.2.3.4
 
 Issuer Alternative Name.

ssl/s23_clnt.c

@@ -87,11 +87,15 @@ SSL_METHOD *SSLv23_client_method(void)
 
 	if (init)
 		{
+		CRYPTO_w_lock(CRYPTO_LOCK_SSL_METHOD);
+
 		memcpy((char *)&SSLv23_client_data,
 			(char *)sslv23_base_method(),sizeof(SSL_METHOD));
 		SSLv23_client_data.ssl_connect=ssl23_connect;
 		SSLv23_client_data.get_ssl_method=ssl23_get_client_method;
 		init=0;
+
+		CRYPTO_w_unlock(CRYPTO_LOCK_SSL_METHOD);
 		}
 	return(&SSLv23_client_data);
 	}

ssl/s23_srvr.c

@@ -139,11 +139,15 @@ SSL_METHOD *SSLv23_server_method(void)
 
 	if (init)
 		{
+		CRYPTO_w_lock(CRYPTO_LOCK_SSL_METHOD);
+
 		memcpy((char *)&SSLv23_server_data,
 			(char *)sslv23_base_method(),sizeof(SSL_METHOD));
 		SSLv23_server_data.ssl_accept=ssl23_accept;
 		SSLv23_server_data.get_ssl_method=ssl23_get_server_method;
 		init=0;
+
+		CRYPTO_w_unlock(CRYPTO_LOCK_SSL_METHOD);
 		}
 	return(&SSLv23_server_data);
 	}

ssl/s2_clnt.c

@@ -145,11 +145,15 @@ SSL_METHOD *SSLv2_client_method(void)
 
 	if (init)
 		{
+		CRYPTO_w_lock(CRYPTO_LOCK_SSL_METHOD);
+
 		memcpy((char *)&SSLv2_client_data,(char *)sslv2_base_method(),
 			sizeof(SSL_METHOD));
 		SSLv2_client_data.ssl_connect=ssl2_connect;
 		SSLv2_client_data.get_ssl_method=ssl2_get_client_method;
 		init=0;
+
+		CRYPTO_w_unlock(CRYPTO_LOCK_SSL_METHOD);
 		}
 	return(&SSLv2_client_data);
 	}

ssl/s2_srvr.c

@@ -145,11 +145,15 @@ SSL_METHOD *SSLv2_server_method(void)
 
 	if (init)
 		{
+		CRYPTO_w_lock(CRYPTO_LOCK_SSL_METHOD);
+
 		memcpy((char *)&SSLv2_server_data,(char *)sslv2_base_method(),
 			sizeof(SSL_METHOD));
 		SSLv2_server_data.ssl_accept=ssl2_accept;
 		SSLv2_server_data.get_ssl_method=ssl2_get_server_method;
 		init=0;
+
+		CRYPTO_w_unlock(CRYPTO_LOCK_SSL_METHOD);
 		}
 	return(&SSLv2_server_data);
 	}
@@ -1001,7 +1005,7 @@ static int request_certificate(SSL *s)
 	len = 6 + (unsigned long)s->s2->tmp.clen + (unsigned long)s->s2->tmp.rlen;
 	if (len > SSL2_MAX_RECORD_LENGTH_3_BYTE_HEADER)
 		{
-		SSLerr(SSL_F_GET_CLIENT_MASTER_KEY,SSL_R_MESSAGE_TOO_LONG);
+		SSLerr(SSL_F_REQUEST_CERTIFICATE,SSL_R_MESSAGE_TOO_LONG);
 		goto end;
 		}
 	j = (int)len - s->init_num;

ssl/s3_clnt.c

@@ -146,11 +146,15 @@ SSL_METHOD *SSLv3_client_method(void)
 
 	if (init)
 		{
-		init=0;
+		CRYPTO_w_lock(CRYPTO_LOCK_SSL_METHOD);
+
 		memcpy((char *)&SSLv3_client_data,(char *)sslv3_base_method(),
 			sizeof(SSL_METHOD));
 		SSLv3_client_data.ssl_connect=ssl3_connect;
 		SSLv3_client_data.get_ssl_method=ssl3_get_client_method;
+		init=0;
+
+		CRYPTO_w_unlock(CRYPTO_LOCK_SSL_METHOD);
 		}
 	return(&SSLv3_client_data);
 	}
@@ -632,23 +636,11 @@ static int ssl3_get_server_hello(SSL *s)
 	/* get the session-id */
 	j= *(p++);
 
-       if(j > sizeof s->session->session_id)
-               {
-               al=SSL_AD_ILLEGAL_PARAMETER;
-               SSLerr(SSL_F_SSL3_GET_SERVER_HELLO,
-                      SSL_R_SSL3_SESSION_ID_TOO_LONG);
-               goto f_err;
-               }
-
-	if ((j != 0) && (j != SSL3_SESSION_ID_SIZE))
+	if ((j > sizeof s->session->session_id) || (j > SSL3_SESSION_ID_SIZE))
 		{
-		/* SSLref returns 16 :-( */
-		if (j < SSL2_SSL_SESSION_ID_LENGTH)
-			{
-			al=SSL_AD_ILLEGAL_PARAMETER;
-			SSLerr(SSL_F_SSL3_GET_SERVER_HELLO,SSL_R_SSL3_SESSION_ID_TOO_SHORT);
-			goto f_err;
-			}
+		al=SSL_AD_ILLEGAL_PARAMETER;
+		SSLerr(SSL_F_SSL3_GET_SERVER_HELLO,SSL_R_SSL3_SESSION_ID_TOO_LONG);
+		goto f_err;
 		}
 	if (j != 0 && j == s->session->session_id_length
 	    && memcmp(p,s->session->session_id,j) == 0)
@@ -656,6 +648,7 @@ static int ssl3_get_server_hello(SSL *s)
 	    if(s->sid_ctx_length != s->session->sid_ctx_length
 	       || memcmp(s->session->sid_ctx,s->sid_ctx,s->sid_ctx_length))
 		{
+		/* actually a client application bug */
 		al=SSL_AD_ILLEGAL_PARAMETER;
 		SSLerr(SSL_F_SSL3_GET_SERVER_HELLO,SSL_R_ATTEMPT_TO_REUSE_SESSION_IN_DIFFERENT_CONTEXT);
 		goto f_err;

ssl/s3_srvr.c

@@ -151,11 +151,15 @@ SSL_METHOD *SSLv3_server_method(void)
 
 	if (init)
 		{
+		CRYPTO_w_lock(CRYPTO_LOCK_SSL_METHOD);
+
 		memcpy((char *)&SSLv3_server_data,(char *)sslv3_base_method(),
 			sizeof(SSL_METHOD));
 		SSLv3_server_data.ssl_accept=ssl3_accept;
 		SSLv3_server_data.get_ssl_method=ssl3_get_server_method;
 		init=0;
+
+		CRYPTO_w_unlock(CRYPTO_LOCK_SSL_METHOD);
 		}
 	return(&SSLv3_server_data);
 	}

ssl/ssl-lib.com

@@ -1089,7 +1089,7 @@ $   ENDIF
 $!
 $!  Show user the result
 $!
-$   WRITE SYS$OUTPUT "Main Compiling Command: ",CC
+$   WRITE/SYMBOL SYS$OUTPUT "Main Compiling Command: ",CC
 $!
 $!  Else The User Entered An Invalid Arguement.
 $!

ssl/ssl_lib.c

@@ -1245,13 +1245,24 @@ void SSL_CTX_free(SSL_CTX *a)
 		abort(); /* ok */
 		}
 #endif
+  
+	/*
+	 * Free internal session cache. However: the remove_cb() may reference
+	 * the ex_data of SSL_CTX, thus the ex_data store can only be removed
+	 * after the sessions were flushed.
+	 * As the ex_data handling routines might also touch the session cache,
+	 * the most secure solution seems to be: empty (flush) the cache, then
+	 * free ex_data, then finally free the cache.
+	 * (See ticket [openssl.org #212].)
+	 */
+  	if (a->sessions != NULL)
+  		SSL_CTX_flush_sessions(a,0);
+
 	CRYPTO_free_ex_data(ssl_ctx_meth,(char *)a,&a->ex_data);
 
 	if (a->sessions != NULL)
-		{
-		SSL_CTX_flush_sessions(a,0);
-		lh_free(a->sessions);
-		}
+  		lh_free(a->sessions);
+
 	if (a->cert_store != NULL)
 		X509_STORE_free(a->cert_store);
 	if (a->cipher_list != NULL)

ssl/t1_clnt.c

@@ -79,11 +79,15 @@ SSL_METHOD *TLSv1_client_method(void)
 
 	if (init)
 		{
+		CRYPTO_w_lock(CRYPTO_LOCK_SSL_METHOD);
+
 		memcpy((char *)&TLSv1_client_data,(char *)tlsv1_base_method(),
 			sizeof(SSL_METHOD));
 		TLSv1_client_data.ssl_connect=ssl3_connect;
 		TLSv1_client_data.get_ssl_method=tls1_get_client_method;
 		init=0;
+
+		CRYPTO_w_unlock(CRYPTO_LOCK_SSL_METHOD);
 		}
 	return(&TLSv1_client_data);
 	}

ssl/t1_srvr.c

@@ -80,11 +80,15 @@ SSL_METHOD *TLSv1_server_method(void)
 
 	if (init)
 		{
+		CRYPTO_w_lock(CRYPTO_LOCK_SSL_METHOD);
+
 		memcpy((char *)&TLSv1_server_data,(char *)tlsv1_base_method(),
 			sizeof(SSL_METHOD));
 		TLSv1_server_data.ssl_accept=ssl3_accept;
 		TLSv1_server_data.get_ssl_method=tls1_get_server_method;
 		init=0;
+
+		CRYPTO_w_unlock(CRYPTO_LOCK_SSL_METHOD);
 		}
 	return(&TLSv1_server_data);
 	}

test/maketests.com

@@ -906,7 +906,7 @@ $   CC = CC + "/DEFINE=(" + CCDEFS + ")" + CCDISABLEWARNINGS
 $!
 $!  Show user the result
 $!
-$   WRITE SYS$OUTPUT "Main Compiling Command: ",CC
+$   WRITE/SYMBOL SYS$OUTPUT "Main Compiling Command: ",CC
 $!
 $!  Else The User Entered An Invalid Arguement.
 $!

util/pod2mantest

@@ -11,7 +11,8 @@
 
 
 IFS=:
-try_without_dir=false
+
+try_without_dir=true
 # First we try "pod2man", then "$dir/pod2man" for each item in $PATH.
 for dir in dummy:$PATH; do
     if [ "$try_without_dir" = true ]; then
@@ -29,9 +30,16 @@ for dir in dummy:$PATH; do
     if [ ! "$pod2man" = '' ]; then
         failure=none
 
+	if "$pod2man" --section=1 --center=OpenSSL --release=dev pod2mantest.pod | fgrep OpenSSL >/dev/null; then
+	    :
+	else
+	    failure=BasicTest
+	fi
 
-	if "$pod2man" --section=1 --center=OpenSSL --release=dev pod2mantest.pod | grep '^MARKER - ' >/dev/null 2>&1; then
-	    failure=MultilineTest
+	if [ "$failure" = none ]; then
+	    if "$pod2man" --section=1 --center=OpenSSL --release=dev pod2mantest.pod | grep '^MARKER - ' >/dev/null; then
+	        failure=MultilineTest
+	    fi
 	fi
 
 
@@ -45,9 +53,5 @@ for dir in dummy:$PATH; do
 done
 
 echo "No working pod2man found.  Consider installing a new version." >&2
-if [ "$1" = ignore ]; then
-  echo "As a workaround, we'll use a bundled old copy of pod2man.pl." >&2
-  echo "../../util/pod2man.pl"
-  exit 0
-fi
-exit 1
+echo "As a workaround, we'll use a bundled old copy of pod2man.pl." >&2
+echo "$1 ../../util/pod2man.pl"