Build fips_premain_dso.exe in static build too.

instead of those from mingw build.

Visual Studio Express 2005 doesn't like fips_premain_dso.exe from mingw used
against its DLLs.

CHANGES

@@ -2,7 +2,34 @@
  OpenSSL CHANGES
  _______________
 
- Changes between 0.9.7g and 0.9.7h  [XX xxx XXXX]
+ Changes between 0.9.7i and 0.9.7j  [XX xxx XXXX]
+
+  *) Add new Windows build target VC-32-GMAKE for VC++. This uses GNU make 
+     from a Windows bash shell such as MSYS. It is autodetected from the
+     "config" script when run from a VC++ environment. Modify standard VC++
+     build to use fipscanister.o from the GNU make build. 
+     [Steve Henson]
+
+ Changes between 0.9.7h and 0.9.7i  [14 Oct 2005]
+
+  *) Wrapped the definition of EVP_MAX_MD_SIZE in a #ifdef OPENSSL_FIPS.
+     The value now differs depending on if you build for FIPS or not.
+     BEWARE!  A program linked with a shared FIPSed libcrypto can't be
+     safely run with a non-FIPSed libcrypto, as it may crash because of
+     the difference induced by this change.
+     [Andy Polyakov]
+
+ Changes between 0.9.7g and 0.9.7h  [11 Oct 2005]
+
+  *) Remove the functionality of SSL_OP_MSIE_SSLV2_RSA_PADDING
+     (part of SSL_OP_ALL).  This option used to disable the
+     countermeasure against man-in-the-middle protocol-version
+     rollback in the SSL 2.0 server implementation, which is a bad
+     idea.  (CVE-2005-2969)
+
+     [Bodo Moeller; problem pointed out by Yutaka Oiwa (Research Center
+     for Information Security, National Institute of Advanced Industrial
+     Science and Technology [AIST], Japan)]
 
   *) Minimal support for X9.31 signatures and PSS padding modes. This is
      mainly for FIPS compliance and not fully integrated at this stage.
@@ -53,6 +80,9 @@
 
  Changes between 0.9.7f and 0.9.7g  [11 Apr 2005]
 
+  [NB: OpenSSL 0.9.7h and later 0.9.7 patch levels were released after
+  OpenSSL 0.9.8.]
+
   *) Fixes for newer kerberos headers. NB: the casts are needed because
      the 'length' field is signed on one version and unsigned on another
      with no (?) obvious way to tell the difference, without these VC++
@@ -160,11 +190,11 @@
  Changes between 0.9.7c and 0.9.7d  [17 Mar 2004]
 
   *) Fix null-pointer assignment in do_change_cipher_spec() revealed           
-     by using the Codenomicon TLS Test Tool (CAN-2004-0079)                    
+     by using the Codenomicon TLS Test Tool (CVE-2004-0079)                    
      [Joe Orton, Steve Henson]   
 
   *) Fix flaw in SSL/TLS handshaking when using Kerberos ciphersuites
-     (CAN-2004-0112)
+     (CVE-2004-0112)
      [Joe Orton, Steve Henson]   
 
   *) Make it possible to have multiple active certificates with the same
@@ -207,9 +237,9 @@
   *) Fix various bugs revealed by running the NISCC test suite:
 
      Stop out of bounds reads in the ASN1 code when presented with
-     invalid tags (CAN-2003-0543 and CAN-2003-0544).
+     invalid tags (CVE-2003-0543 and CVE-2003-0544).
      
-     Free up ASN1_TYPE correctly if ANY type is invalid (CAN-2003-0545).
+     Free up ASN1_TYPE correctly if ANY type is invalid (CVE-2003-0545).
 
      If verify callback ignores invalid public key errors don't try to check
      certificate signature with the NULL public key.
@@ -294,7 +324,7 @@
      via timing by performing a MAC computation even if incorrrect
      block cipher padding has been found.  This is a countermeasure
      against active attacks where the attacker has to distinguish
-     between bad padding and a MAC verification error. (CAN-2003-0078)
+     between bad padding and a MAC verification error. (CVE-2003-0078)
 
      [Bodo Moeller; problem pointed out by Brice Canvel (EPFL),
      Alain Hiltgen (UBS), Serge Vaudenay (EPFL), and
@@ -511,7 +541,7 @@
 
      Remote buffer overflow in SSL3 protocol - an attacker could
      supply an oversized master key in Kerberos-enabled versions.
-     (CAN-2002-0657)
+     (CVE-2002-0657)
      [Ben Laurie (CHATS)]
 
   *) Change the SSL kerb5 codes to match RFC 2712.
@@ -2195,7 +2225,7 @@ des-cbc           3624.96k     5258.21k     5530.91k     5624.30k     5628.26k
  Changes between 0.9.6l and 0.9.6m  [17 Mar 2004]
 
   *) Fix null-pointer assignment in do_change_cipher_spec() revealed
-     by using the Codenomicon TLS Test Tool (CAN-2004-0079)
+     by using the Codenomicon TLS Test Tool (CVE-2004-0079)
      [Joe Orton, Steve Henson]
 
  Changes between 0.9.6k and 0.9.6l  [04 Nov 2003]
@@ -2203,7 +2233,7 @@ des-cbc           3624.96k     5258.21k     5530.91k     5624.30k     5628.26k
   *) Fix additional bug revealed by the NISCC test suite:
 
      Stop bug triggering large recursion when presented with
-     certain ASN.1 tags (CAN-2003-0851)
+     certain ASN.1 tags (CVE-2003-0851)
      [Steve Henson]
 
  Changes between 0.9.6j and 0.9.6k  [30 Sep 2003]
@@ -2211,7 +2241,7 @@ des-cbc           3624.96k     5258.21k     5530.91k     5624.30k     5628.26k
   *) Fix various bugs revealed by running the NISCC test suite:
 
      Stop out of bounds reads in the ASN1 code when presented with
-     invalid tags (CAN-2003-0543 and CAN-2003-0544).
+     invalid tags (CVE-2003-0543 and CVE-2003-0544).
      
      If verify callback ignores invalid public key errors don't try to check
      certificate signature with the NULL public key.
@@ -2263,7 +2293,7 @@ des-cbc           3624.96k     5258.21k     5530.91k     5624.30k     5628.26k
      via timing by performing a MAC computation even if incorrrect
      block cipher padding has been found.  This is a countermeasure
      against active attacks where the attacker has to distinguish
-     between bad padding and a MAC verification error. (CAN-2003-0078)
+     between bad padding and a MAC verification error. (CVE-2003-0078)
 
      [Bodo Moeller; problem pointed out by Brice Canvel (EPFL),
      Alain Hiltgen (UBS), Serge Vaudenay (EPFL), and
@@ -2396,7 +2426,7 @@ des-cbc           3624.96k     5258.21k     5530.91k     5624.30k     5628.26k
   *) Add various sanity checks to asn1_get_length() to reject
      the ASN1 length bytes if they exceed sizeof(long), will appear
      negative or the content length exceeds the length of the
-     supplied buffer. (CAN-2002-0659)
+     supplied buffer. (CVE-2002-0659)
      [Steve Henson, Adi Stav <stav@mercury.co.il>, James Yonan <jim@ntlp.com>]
 
   *) Assertions for various potential buffer overflows, not known to
@@ -2404,15 +2434,15 @@ des-cbc           3624.96k     5258.21k     5530.91k     5624.30k     5628.26k
      [Ben Laurie (CHATS)]
 
   *) Various temporary buffers to hold ASCII versions of integers were
-     too small for 64 bit platforms. (CAN-2002-0655)
+     too small for 64 bit platforms. (CVE-2002-0655)
      [Matthew Byng-Maddick <mbm@aldigital.co.uk> and Ben Laurie (CHATS)>
 
   *) Remote buffer overflow in SSL3 protocol - an attacker could
-     supply an oversized session ID to a client. (CAN-2002-0656)
+     supply an oversized session ID to a client. (CVE-2002-0656)
      [Ben Laurie (CHATS)]
 
   *) Remote buffer overflow in SSL2 protocol - an attacker could
-     supply an oversized client master key. (CAN-2002-0656)
+     supply an oversized client master key. (CVE-2002-0656)
      [Ben Laurie (CHATS)]
 
  Changes between 0.9.6c and 0.9.6d  [9 May 2002]

Configure

@@ -205,7 +205,7 @@ my %table=(
 # SC4.2 is ok, better than gcc even on bn as long as you tell it -xarch=v8
 # SC5.0 note: Compiler common patch 107357-01 or later is required!
 "solaris-sparcv7-cc","cc:-xO5 -xstrconst -xdepend -Xa -DB_ENDIAN -DBN_DIV2W::-D_REENTRANT::-lsocket -lnsl -ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_PTR DES_RISC1 DES_UNROLL BF_PTR::::::::::dlfcn:solaris-shared:-KPIC:-G -dy -z text:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
-"solaris-sparcv8-cc","cc:-xarch=v8 -xO5 -xstrconst -xdepend -Xa -DB_ENDIAN -DBN_DIV2W::-D_REENTRANT::-lsocket -lnsl -ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_PTR DES_RISC1 DES_UNROLL BF_PTR:asm/sparcv8.o:::::::::dlfcn:solaris-shared:-KPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
+"solaris-sparcv8-cc","cc:-xarch=v8 -xO5 -xstrconst -xdepend -Xa -DB_ENDIAN -DBN_DIV2W::-D_REENTRANT::-lsocket -lnsl -ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_PTR DES_RISC1 DES_UNROLL BF_PTR:asm/sparcv8.o:::::::::dlfcn:solaris-shared:-KPIC:-G -dy -z text:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
 "solaris-sparcv9-cc","cc:-xtarget=ultra -xarch=v8plus -xO5 -xstrconst -xdepend -Xa -DB_ENDIAN -DBN_DIV2W::-D_REENTRANT:ULTRASPARC:-lsocket -lnsl -ldl:BN_LLONG RC4_CHAR RC4_CHUNK_LL DES_PTR DES_RISC1 DES_UNROLL BF_PTR:asm/sparcv8plus.o:::asm/md5-sparcv8plus.o::::::dlfcn:solaris-shared:-KPIC:-G -dy -z text:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
 "solaris64-sparcv9-cc","cc:-xtarget=ultra -xarch=v9 -xO5 -xstrconst -xdepend -Xa -DB_ENDIAN::-D_REENTRANT:ULTRASPARC:-lsocket -lnsl -ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_INT DES_PTR DES_RISC1 DES_UNROLL BF_PTR::::asm/md5-sparcv9.o::::::dlfcn:solaris-shared:-KPIC:-xarch=v9 -G -dy -z text:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR):/usr/ccs/bin/ar rs",
 ####
@@ -280,10 +280,10 @@ my %table=(
 "hpux64-parisc2-gcc","gcc:-O3 -DB_ENDIAN -DMD32_XARRAY::-D_REENTRANT::-Wl,+s,+b,\$(INSTALLTOP)/lib -ldl:SIXTY_FOUR_BIT_LONG MD2_CHAR RC4_INDEX RC4_CHAR DES_UNROLL DES_RISC1 DES_INT:asm/pa-risc2W.o:::::::::dlfcn:hpux-shared:-fPIC:-shared:.sl.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
 
 # IA-64 targets
-"hpux-ia64-cc","cc:-Ae +DD32 +O3 +Olit=all -z -DB_ENDIAN::-D_REENTRANT::-Wl,+s,+b,\$(INSTALLTOP)/lib -ldl:SIXTY_FOUR_BIT MD2_CHAR RC4_INDEX DES_UNROLL DES_RISC1 DES_INT:asm/ia64-cpp.o::::asm/sha1-ia64.o::asm/rc4-ia64.o:::dlfcn:hpux-shared:+Z:-b:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
+"hpux-ia64-cc","cc:-Ae +DD32 +O3 +Olit=all -z -DB_ENDIAN::-D_REENTRANT::-Wl,+s,+b,\$(INSTALLTOP)/lib -ldl:SIXTY_FOUR_BIT MD2_CHAR RC4_INDEX RC4_CHAR DES_UNROLL DES_RISC1 DES_INT:asm/ia64-cpp.o::::asm/sha1-ia64.o::asm/rc4-ia64.o:::dlfcn:hpux-shared:+Z:-b:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
 # Frank Geurts <frank.geurts@nl.abnamro.com> has patiently assisted with
 # with debugging of the following config.
-"hpux64-ia64-cc","cc:-Ae +DD64 +O3 +Olit=all -z -DB_ENDIAN::-D_REENTRANT::-Wl,+s,+b,\$(INSTALLTOP)/lib -ldl:SIXTY_FOUR_BIT_LONG MD2_CHAR RC4_INDEX DES_UNROLL DES_RISC1 DES_INT:asm/ia64-cpp.o::::asm/sha1-ia64.o::asm/rc4-ia64.o:::dlfcn:hpux-shared:+Z:+DD64 -b:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
+"hpux64-ia64-cc","cc:-Ae +DD64 +O3 +Olit=all -z -DB_ENDIAN::-D_REENTRANT::-Wl,+s,+b,\$(INSTALLTOP)/lib -ldl:SIXTY_FOUR_BIT_LONG MD2_CHAR RC4_INDEX RC4_CHAR DES_UNROLL DES_RISC1 DES_INT:asm/ia64-cpp.o::::asm/sha1-ia64.o::asm/rc4-ia64.o:::dlfcn:hpux-shared:+Z:+DD64 -b:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
 
 # More attempts at unified 10.X and 11.X targets for HP C compiler.
 #
@@ -409,8 +409,8 @@ my %table=(
 "linux-m68k",   "gcc:-DB_ENDIAN -DTERMIO -O2 -fomit-frame-pointer -Wall::-D_REENTRANT:::BN_LLONG::",
 "linux-s390",	"gcc:-DB_ENDIAN -DTERMIO -DNO_ASM -O3 -fomit-frame-pointer -Wall::-D_REENTRANT::-ldl:BN_LLONG::::::::::dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
 "linux-s390x",	"gcc:-DB_ENDIAN -DTERMIO -DNO_ASM -O3 -fomit-frame-pointer -Wall::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG::::::::::dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
-"linux-ia64",   "gcc:-DL_ENDIAN -DTERMIO -O3 -fomit-frame-pointer -Wall::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK:asm/ia64.o::::asm/sha1-ia64.o::asm/rc4-ia64.o:::dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
-"linux-ia64-ecc",   "ecc:-DL_ENDIAN -DTERMIO -O2 -Wall -no_cpprt::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK:asm/ia64.o::::asm/sha1-ia64.o::asm/rc4-ia64.o:::dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
+"linux-ia64",   "gcc:-DL_ENDIAN -DTERMIO -O3 -fomit-frame-pointer -Wall::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK RC4_CHAR:asm/ia64.o::::asm/sha1-ia64.o::asm/rc4-ia64.o:::dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
+"linux-ia64-ecc",   "ecc:-DL_ENDIAN -DTERMIO -O2 -Wall -no_cpprt::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK RC4_CHAR:asm/ia64.o::::asm/sha1-ia64.o::asm/rc4-ia64.o:::dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
 "linux-x86_64", "gcc:-m64 -DL_ENDIAN -DTERMIO -O3 -Wall -DMD32_REG_T=int::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK RC4_CHAR BF_PTR2 DES_INT DES_UNROLL:asm/x86_64-gcc.o::::::asm/rc4-x86_64.o:::dlfcn:linux-shared:-fPIC:-m64:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
 "NetBSD-sparc",	"gcc:-DTERMIOS -O3 -fomit-frame-pointer -mv8 -Wall -DB_ENDIAN::(unknown):::BN_LLONG MD2_CHAR RC4_INDEX DES_UNROLL::::::::::dlfcn:bsd-gcc-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
 "NetBSD-m68",	"gcc:-DTERMIOS -O3 -fomit-frame-pointer -Wall -DB_ENDIAN::(unknown):::BN_LLONG MD2_CHAR RC4_INDEX DES_UNROLL::::::::::dlfcn:bsd-gcc-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
@@ -539,7 +539,7 @@ my %table=(
 "Cygwin", "gcc:-DTERMIOS -DL_ENDIAN -fomit-frame-pointer -O3 -march=i486 -Wall:::CYGWIN32::BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_out_asm}:dlfcn:cygwin-shared:-D_WINDLL::.dll.a",
 
 # DJGPP
-"DJGPP", "gcc:-I/dev/env/WATT_ROOT/inc -DTERMIOS -DL_ENDIAN -fomit-frame-pointer -O2 -Wall -DDEVRANDOM=\"/dev/urandom\\x24\":::MSDOS:-L/dev/env/WATT_ROOT/lib -lwatt:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}::::::::::",
+"DJGPP", "gcc:-I/dev/env/WATT_ROOT/inc -DTERMIOS -DL_ENDIAN -fomit-frame-pointer -O2 -Wall:::MSDOS:-L/dev/env/WATT_ROOT/lib -lwatt:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}::::::::::",
 
 # Ultrix from Bernhard Simon <simon@zid.tuwien.ac.at>
 "ultrix-cc","cc:-std1 -O -Olimit 2500 -DL_ENDIAN::(unknown):::::::",
@@ -865,6 +865,14 @@ PROCESS_ARGS:
 				{
 				$withargs{"krb5-".$1}=$2;
 				}
+			elsif (/^--with-zlib-lib=(.*)$/)
+				{
+				$withargs{"zlib-lib"}=$1;
+				}
+			elsif (/^--with-zlib-include=(.*)$/)
+				{
+				$withargs{"zlib-include"}="-I$1";
+				}
 			else
 				{
 				print STDERR $usage;
@@ -878,7 +886,7 @@ PROCESS_ARGS:
 			}
 		else
 			{
-			die "target already defined - $target\n" if ($target ne "");
+			die "target already defined - $target (offending arg: $_)\n" if ($target ne "");
 			$target=$_;
 			}
 		unless ($_ eq $target) {
@@ -1152,6 +1160,7 @@ if (!$no_shared)
 	if ($shared_cflag ne "")
 		{
 		$cflags = "$shared_cflag -DOPENSSL_PIC $cflags";
+		$shared_ldflag = "$shared_ldflag $shared_cflag" if($fips);
 		}
 	}
 
@@ -1308,6 +1317,8 @@ while (<IN>)
 	s/^PERL=.*/PERL= $perl/;
 	s/^KRB5_INCLUDES=.*/KRB5_INCLUDES=$withargs{"krb5-include"}/;
 	s/^LIBKRB5=.*/LIBKRB5=$withargs{"krb5-lib"}/;
+	s/^LIBZLIB=.*/LIBZLIB=$withargs{"zlib-lib"}/;
+	s/^ZLIB_INCLUDE=.*/ZLIB_INCLUDE=$withargs{"zlib-include"}/;
 	s/^SHLIB_TARGET=.*/SHLIB_TARGET=$shared_target/;
 	s/^SHLIB_MARK=.*/SHLIB_MARK=$shared_mark/;
 	s/^SHARED_LIBS=.*/SHARED_LIBS=\$(SHARED_CRYPTO) \$(SHARED_SSL)/ if (!$no_shared);

FAQ

@@ -70,7 +70,7 @@ OpenSSL  -  Frequently Asked Questions
 * Which is the current version of OpenSSL?
 
 The current version is available from <URL: http://www.openssl.org>.
-OpenSSL 0.9.7g was released on April 11, 2005.
+OpenSSL 0.9.7i was released on October 14, 2005.
 
 In addition to the current stable release, you can also access daily
 snapshots of the OpenSSL development version at <URL:
@@ -141,8 +141,8 @@ less Unix-centric, it might have been used much earlier.
 
 With version 0.9.6 OpenSSL was extended to interface to external crypto
 hardware. This was realized in a special release '0.9.6-engine'. With
-version 0.9.7 (not yet released) the changes were merged into the main
-development line, so that the special release is no longer necessary.
+version 0.9.7 the changes were merged into the main development line,
+so that the special release is no longer necessary.
 
 * How do I check the authenticity of the OpenSSL distribution?
 

Makefile.org

@@ -172,11 +172,15 @@ RMD160_ASM_OBJ= asm/rm86-out.o
 KRB5_INCLUDES=
 LIBKRB5=
 
+# Zlib stuff
+ZLIB_INCLUDE=
+LIBZLIB=
+
 # When we're prepared to use shared libraries in the programs we link here
 # we might set SHLIB_MARK to '$(SHARED_LIBS)'.
 SHLIB_MARK=
 
-DIRS=   crypto fips ssl $(SHLIB_MARK) sigs apps test tools
+DIRS=   crypto fips-1.0 ssl $(SHLIB_MARK) apps test tools
 SHLIBDIRS= crypto ssl
 
 # dirs in crypto to build
@@ -206,7 +210,6 @@ ONEDIRS=out tmp
 EDIRS=  times doc bugs util include certs ms shlib mt demos perl sf dep VMS
 WDIRS=  windows
 LIBS=   libcrypto.a libssl.a
-SIGS=	libcrypto.a.sha1
 SHARED_CRYPTO=libcrypto$(SHLIB_EXT)
 SHARED_SSL=libssl$(SHLIB_EXT)
 SHARED_LIBS=
@@ -226,13 +229,6 @@ HEADER=         e_os.h
 
 all: Makefile sub_all openssl.pc
 
-sigs:	$(SIGS)
-libcrypto.a.sha1: libcrypto.a
-	@if egrep 'define OPENSSL_FIPS' $(TOP)/include/openssl/opensslconf.h > /dev/null; then \
-		$(RANLIB) libcrypto.a; \
-		fips/sha/fips_standalone_sha1 libcrypto.a > libcrypto.a.sha1; \
-	fi
-
 sub_all:
 	@for i in $(DIRS); \
 	do \
@@ -258,9 +254,6 @@ sub_target:
 libcrypto$(SHLIB_EXT): libcrypto.a
 	@if [ "$(SHLIB_TARGET)" != "" ]; then \
 		$(MAKE) SHLIBDIRS=crypto build-shared; \
-        	if egrep 'define OPENSSL_FIPS' $(TOP)/include/openssl/opensslconf.h > /dev/null; then \
-                    fips/sha/fips_standalone_sha1 -binary $@ > $@.$${HMAC_EXT:-sha1}; \
-		fi; \
 	else \
 		echo "There's no support for shared libraries on this platform" >&2; \
 	fi
@@ -308,7 +301,7 @@ do_gnu-shared:
 	if [ "${SHLIBDIRS}" = "ssl" -a -n "$(LIBKRB5)" ]; then \
 		libs="$(LIBKRB5) $$libs"; \
 	fi; \
-	( set -x; ${CC} ${SHARED_LDFLAGS} \
+	( set -x; $${FIPSLD:-${CC}} ${SHARED_LDFLAGS} \
 		-shared -o lib$$i.so.${SHLIB_MAJOR}.${SHLIB_MINOR} \
 		-Wl,-soname=lib$$i.so.${SHLIB_MAJOR}.${SHLIB_MINOR} \
 		-Wl,-Bsymbolic \
@@ -325,7 +318,7 @@ do_darwin-shared:
 	if [ "${SHLIBDIRS}" = "ssl" -a -n "$(LIBKRB5)" ]; then \
 		libs="$(LIBKRB5) $$libs"; \
 	fi; \
-	( set -x; ${CC} ${SHARED_LDFLAGS}
+	( set -x; $${FIPSLD:-${CC}} ${SHARED_LDFLAGS} \
 		--verbose -dynamiclib -o lib$$i${SHLIB_EXT} \
 		lib$$i.a $$libs -all_load -current_version ${SHLIB_MAJOR}.${SHLIB_MINOR} \
 		-compatibility_version ${SHLIB_MAJOR}.`echo ${SHLIB_MINOR} | cut -d. -f1` \
@@ -343,14 +336,15 @@ do_cygwin-shared:
 	[ "$(PLATFORM)" = "mingw" ] && shlib=$${i}eay32.dll; \
 	[ -f apps/$$shlib ] && rm apps/$$shlib; \
 	[ -f test/$$shlib ] && rm test/$$shlib; \
-	base=;  [ $$i = "crypto" ] && base=-Wl,--image-base,0x61200000; \
-	( set -x; ${CC} ${SHARED_LDFLAGS} \
+	base=;  [ $$i = "crypto" ] && base=-Wl,--image-base,0x63000000; \
+	( set -x; $${FIPSLD:-${CC}} ${SHARED_LDFLAGS} \
 		-shared $$base -o $$shlib \
 		-Wl,-Bsymbolic \
 		-Wl,--whole-archive lib$$i.a \
 		-Wl,--out-implib,lib$$i.dll.a \
 		-Wl,--no-whole-archive $$libs ${EX_LIBS} ) || exit 1; \
 	cp -p $$shlib apps/; cp -p $$shlib test/; \
+	touch -c lib$$i.dll.a; \
 	libs="-l$$i $$libs"; \
 	done
 
@@ -363,7 +357,7 @@ do_alpha-osf1-shared:
 		if [ "${SHLIBDIRS}" = "ssl" -a -n "$(LIBKRB5)" ]; then \
 			libs="$(LIBKRB5) $$libs"; \
 		fi; \
-		( set -x; ${CC} ${SHARED_LDFLAGS} \
+		( set -x; $${FIPSLD:-${CC}} ${SHARED_LDFLAGS} \
 			-shared -o lib$$i.so \
 			-set_version "${SHLIB_VERSION_HISTORY}${SHLIB_VERSION_NUMBER}" \
 			-all lib$$i.a -none $$libs ${EX_LIBS} ) || exit 1; \
@@ -382,7 +376,7 @@ do_tru64-shared:
 		if [ "${SHLIBDIRS}" = "ssl" -a -n "$(LIBKRB5)" ]; then \
 			libs="$(LIBKRB5) $$libs"; \
 		fi; \
-		( set -x; ${CC} ${SHARED_LDFLAGS} \
+		( set -x; $${FIPSLD:-${CC}} ${SHARED_LDFLAGS} \
 			-shared -msym -o lib$$i.so \
 			-set_version "${SHLIB_VERSION_HISTORY}${SHLIB_VERSION_NUMBER}" \
 			-all lib$$i.a -none $$libs ${EX_LIBS} ) || exit 1; \
@@ -401,7 +395,7 @@ do_tru64-shared-rpath:
 		if [ "${SHLIBDIRS}" = "ssl" -a -n "$(LIBKRB5)" ]; then \
 			libs="$(LIBKRB5) $$libs"; \
 		fi; \
-		( set -x; ${CC} ${SHARED_LDFLAGS} \
+		( set -x; $${FIPSLD:-${CC}} ${SHARED_LDFLAGS} \
 			-shared -msym -o lib$$i.so \
 			-rpath  ${INSTALLTOP}/lib \
 			-set_version "${SHLIB_VERSION_HISTORY}${SHLIB_VERSION_NUMBER}" \
@@ -423,7 +417,7 @@ do_solaris-shared:
 		( PATH=/usr/ccs/bin:$$PATH ; export PATH; \
 		  MINUSZ='-z '; \
 		  (${CC} -v 2>&1 | grep gcc) > /dev/null && MINUSZ='-Wl,-z,'; \
-		  set -x; ${CC} ${SHARED_LDFLAGS} \
+		  set -x; $${FIPSLD:-${CC}} ${SHARED_LDFLAGS} \
 			-o lib$$i.so.${SHLIB_MAJOR}.${SHLIB_MINOR} \
 			-h lib$$i.so.${SHLIB_MAJOR}.${SHLIB_MINOR} \
 			-Wl,-Bsymbolic \
@@ -448,7 +442,7 @@ do_svr3-shared:
 		  for obj in `ar t lib$$i.a` ; do \
 		    OBJS="$${OBJS} `grep /$$obj allobjs`" ; \
 		  done ; \
-		  set -x; ${CC} ${SHARED_LDFLAGS} \
+		  set -x; $${FIPSLD:-${CC}} ${SHARED_LDFLAGS} \
 			-G -o lib$$i.so.${SHLIB_MAJOR}.${SHLIB_MINOR} \
 			-h lib$$i.so.${SHLIB_MAJOR}.${SHLIB_MINOR} \
 			$${OBJS} $$libs ${EX_LIBS} ) || exit 1; \
@@ -474,7 +468,7 @@ do_svr5-shared:
 		    OBJS="$${OBJS} `grep /$$obj allobjs`" ; \
 		  done ; \
 		  set -x; LD_LIBRARY_PATH=.:$$LD_LIBRARY_PATH \
-			${CC} ${SHARED_LDFLAGS} \
+			$${FIPSLD:-${CC}} ${SHARED_LDFLAGS} \
 			$${SHARE_FLAG} -o lib$$i.so.${SHLIB_MAJOR}.${SHLIB_MINOR} \
 			-h lib$$i.so.${SHLIB_MAJOR}.${SHLIB_MINOR} \
 			$${OBJS} $$libs ${EX_LIBS} ) || exit 1; \
@@ -493,7 +487,7 @@ do_irix-shared:
 		fi; \
 		( WHOLELIB="-all lib$$i.a -none"; \
 		  (${CC} -v 2>&1 | grep gcc) > /dev/null && WHOLELIB="-Wl,-all,lib$$i.a,-none"; \
-		  set -x; ${CC} ${SHARED_LDFLAGS} \
+		  set -x; $${FIPSLD:-${CC}} ${SHARED_LDFLAGS} \
 			-shared -o lib$$i.so.${SHLIB_MAJOR}.${SHLIB_MINOR} \
 			-Wl,-soname,lib$$i.so.${SHLIB_MAJOR}.${SHLIB_MINOR} \
 			$${WHOLELIB} $$libs ${EX_LIBS}) || exit 1; \
@@ -516,9 +510,9 @@ do_hpux-shared:
 	[ -f $$shlib ] && rm -f $$shlib; \
 	ALLSYMSFLAGS='-Wl,-Fl'; \
 	expr $(PLATFORM) : 'hpux64' > /dev/null && ALLSYMSFLAGS='-Wl,+forceload'; \
-	( set -x; ${CC} ${SHARED_LDFLAGS} \
+	( set -x; $${FIPSLD:-${CC}} ${SHARED_LDFLAGS} \
 		-Wl,-B,symbolic,+vnocompatwarnings,-z,+h,$$shlib \
-		-o $$shlib $$ALLSYMSFLAGS lib$$i.a -ldld ) || exit 1; \
+		-o $$shlib $$ALLSYMSFLAGS,lib$$i.a -ldld ) || exit 1; \
 	chmod a=rx $$shlib; \
 	done
 
@@ -564,7 +558,7 @@ do_aix-shared:
 	  OBJECT_MODE=$${OBJECT_MODE:-32}; export OBJECT_MODE; \
 	  ld -r -o lib$$i.o $(ALLSYMSFLAG) lib$$i.a && \
 	  ( nm -Pg lib$$i.o | grep ' [BD] ' | cut -f1 -d' ' > lib$$i.exp; \
-	    $(SHAREDCMD) $(SHAREDFLAGS) \
+	    $${FIPSLD:-${CC}} $(SHAREDFLAGS) \
 		-o lib$$i.so.${SHLIB_MAJOR}.${SHLIB_MINOR} lib$$i.o \
 		$$libs ${EX_LIBS} ) ) \
 	|| exit 1; \
@@ -580,7 +574,7 @@ do_reliantunix-shared:
 	( set -x; \
 	  ( Opwd=`pwd` ; mkdir $$tmpdir || exit 1; \
 	    cd $$tmpdir || exit 1 ; ar x $$Opwd/lib$$i.a ; \
-	    ${CC} -G -o lib$$i.so.${SHLIB_MAJOR}.${SHLIB_MINOR} *.o \
+	    $${FIPSLD:-${CC}} -G -o lib$$i.so.${SHLIB_MAJOR}.${SHLIB_MINOR} *.o \
 	  ) || exit 1; \
 	  cp $$tmpdir/lib$$i.so.${SHLIB_MAJOR}.${SHLIB_MINOR} . ; \
 	) || exit 1; \
@@ -726,11 +720,15 @@ crypto/objects/obj_mac.h: crypto/objects/objects.pl crypto/objects/objects.txt c
 apps/openssl-vms.cnf: apps/openssl.cnf
 	$(PERL) VMS/VMSify-conf.pl < apps/openssl.cnf > apps/openssl-vms.cnf
 
+crypto/bn/bn_prime.h: crypto/bn/bn_prime.pl
+	$(PERL) crypto/bn/bn_prime.pl >crypto/bn/bn_prime.h
+
+
 TABLE: Configure
 	(echo 'Output of `Configure TABLE'"':"; \
 	$(PERL) Configure TABLE) > TABLE
 
-update: depend errors stacks util/libeay.num util/ssleay.num crypto/objects/obj_dat.h apps/openssl-vms.cnf TABLE
+update: errors stacks util/libeay.num util/ssleay.num crypto/objects/obj_dat.h apps/openssl-vms.cnf crypto/bn/bn_prime.h TABLE depend
 
 # Build distribution tar-file. As the list of files returned by "find" is
 # pretty long, on several platforms a "too many arguments" error or similar
@@ -835,15 +833,6 @@ install_sw:
 			sed -e '1,/^$$/d' doc/openssl-shared.txt; \
 		fi; \
 	fi
-	@for i in $(SIGS) ;\
-	do \
-		if [ -f "$$i" ]; then \
-		(       echo installing $$i; \
-			cp $$i $(INSTALL_PREFIX)$(INSTALLTOP)/lib/$$i.new; \
-			chmod 644 $(INSTALL_PREFIX)$(INSTALLTOP)/lib/$$i.new; \
-			mv -f $(INSTALL_PREFIX)$(INSTALLTOP)/lib/$$i.new $(INSTALL_PREFIX)$(INSTALLTOP)/lib/$$i ); \
-		fi; \
-	done;
 	cp openssl.pc $(INSTALL_PREFIX)$(INSTALLTOP)/lib/pkgconfig
 	chmod 644 $(INSTALL_PREFIX)$(INSTALLTOP)/lib/pkgconfig/openssl.pc
 
@@ -869,8 +858,8 @@ install_docs:
 			--release=$(VERSION) `basename $$i`") \
 			>  $(INSTALL_PREFIX)$(MANDIR)/man$$sec/$$fn.$${sec}$(MANSUFFIX); \
 		$(PERL) util/extract-names.pl < $$i | \
-			grep -v $$filecase "^$$fn\$$" | \
-			grep -v "[	]" | \
+			(grep -v $$filecase "^$$fn\$$"; true) | \
+			(grep -v "[	]"; true) | \
 			(cd $(INSTALL_PREFIX)$(MANDIR)/man$$sec/; \
 			 while read n; do \
 				$$here/util/point.sh $$fn.$${sec}$(MANSUFFIX) "$$n".$${sec}$(MANSUFFIX); \
@@ -886,8 +875,8 @@ install_docs:
 			--release=$(VERSION) `basename $$i`") \
 			>  $(INSTALL_PREFIX)$(MANDIR)/man$$sec/$$fn.$${sec}$(MANSUFFIX); \
 		$(PERL) util/extract-names.pl < $$i | \
-			grep -v $$filecase "^$$fn\$$" | \
-			grep -v "[	]" | \
+			(grep -v $$filecase "^$$fn\$$"; true) | \
+			(grep -v "[	]"; true) | \
 			(cd $(INSTALL_PREFIX)$(MANDIR)/man$$sec/; \
 			 while read n; do \
 				$$here/util/point.sh $$fn.$${sec}$(MANSUFFIX) "$$n".$${sec}$(MANSUFFIX); \

NEWS

@@ -5,6 +5,20 @@
   This file gives a brief overview of the major changes between each OpenSSL
   release. For more details please read the CHANGES file.
 
+  Major changes between OpenSSL 0.9.7i and OpenSSL 0.9.7j:
+
+      o Update Windows build system for FIPS.
+
+  Major changes between OpenSSL 0.9.7h and OpenSSL 0.9.7i:
+
+      o Give EVP_MAX_MD_SIZE it's old value, except for a FIPS build.
+
+  Major changes between OpenSSL 0.9.7g and OpenSSL 0.9.7h:
+
+      o Fix SSL 2.0 Rollback, CAN-2005-2969
+      o Allow use of fixed-length exponent on DSA signing
+      o Default fixed-window RSA, DSA, DH private-key operations
+
   Major changes between OpenSSL 0.9.7f and OpenSSL 0.9.7g:
 
       o More compilation issues fixed.

README

@@ -1,5 +1,5 @@
 
- OpenSSL 0.9.7h-dev XX xxx XXXX
+ OpenSSL 0.9.7j-dev XX xxx XXXX
 
  Copyright (c) 1998-2005 The OpenSSL Project
  Copyright (c) 1995-1998 Eric A. Young, Tim J. Hudson

STATUS

@@ -1,10 +1,14 @@
 
   OpenSSL STATUS                           Last modified at
-  ______________                           $Date: 2005/04/11 15:10:06 $
+  ______________                           $Date: 2005/10/14 22:15:44 $
 
   DEVELOPMENT STATE
 
-    o  OpenSSL 0.9.8:  Under development...
+    o  OpenSSL 0.9.9:  Under development...
+    o  OpenSSL 0.9.8a: Released on October   11th, 2005
+    o  OpenSSL 0.9.8:  Released on July       5th, 2005
+    o  OpenSSL 0.9.7i: Released on October   14th, 2005
+    o  OpenSSL 0.9.7h: Released on October   11th, 2005
     o  OpenSSL 0.9.7g: Released on April     11th, 2005
     o  OpenSSL 0.9.7f: Released on March     22nd, 2005
     o  OpenSSL 0.9.7e: Released on October   25th, 2004

TABLE

@@ -127,7 +127,7 @@ $arflags      =
 
 *** DJGPP
 $cc           = gcc
-$cflags       = -I/dev/env/WATT_ROOT/inc -DTERMIOS -DL_ENDIAN -fomit-frame-pointer -O2 -Wall -DDEVRANDOM="/dev/urandom\x24"
+$cflags       = -I/dev/env/WATT_ROOT/inc -DTERMIOS -DL_ENDIAN -fomit-frame-pointer -O2 -Wall
 $unistd       = 
 $thread_cflag = 
 $sys_id       = MSDOS
@@ -2332,7 +2332,7 @@ $unistd       =
 $thread_cflag = -D_REENTRANT
 $sys_id       = 
 $lflags       = -Wl,+s,+b,$(INSTALLTOP)/lib -ldl
-$bn_ops       = SIXTY_FOUR_BIT MD2_CHAR RC4_INDEX DES_UNROLL DES_RISC1 DES_INT
+$bn_ops       = SIXTY_FOUR_BIT MD2_CHAR RC4_INDEX RC4_CHAR DES_UNROLL DES_RISC1 DES_INT
 $bn_obj       = asm/ia64-cpp.o
 $des_obj      = 
 $bf_obj       = 
@@ -2607,7 +2607,7 @@ $unistd       =
 $thread_cflag = -D_REENTRANT
 $sys_id       = 
 $lflags       = -Wl,+s,+b,$(INSTALLTOP)/lib -ldl
-$bn_ops       = SIXTY_FOUR_BIT_LONG MD2_CHAR RC4_INDEX DES_UNROLL DES_RISC1 DES_INT
+$bn_ops       = SIXTY_FOUR_BIT_LONG MD2_CHAR RC4_INDEX RC4_CHAR DES_UNROLL DES_RISC1 DES_INT
 $bn_obj       = asm/ia64-cpp.o
 $des_obj      = 
 $bf_obj       = 
@@ -3082,7 +3082,7 @@ $unistd       =
 $thread_cflag = -D_REENTRANT
 $sys_id       = 
 $lflags       = -ldl
-$bn_ops       = SIXTY_FOUR_BIT_LONG RC4_CHUNK
+$bn_ops       = SIXTY_FOUR_BIT_LONG RC4_CHUNK RC4_CHAR
 $bn_obj       = asm/ia64.o
 $des_obj      = 
 $bf_obj       = 
@@ -3107,7 +3107,7 @@ $unistd       =
 $thread_cflag = -D_REENTRANT
 $sys_id       = 
 $lflags       = -ldl
-$bn_ops       = SIXTY_FOUR_BIT_LONG RC4_CHUNK
+$bn_ops       = SIXTY_FOUR_BIT_LONG RC4_CHUNK RC4_CHAR
 $bn_obj       = asm/ia64.o
 $des_obj      = 
 $bf_obj       = 
@@ -3920,7 +3920,7 @@ $rc5_obj      =
 $dso_scheme   = dlfcn
 $shared_target= solaris-shared
 $shared_cflag = -KPIC
-$shared_ldflag = 
+$shared_ldflag = -G -dy -z text
 $shared_extension = .so.$(SHLIB_MAJOR).$(SHLIB_MINOR)
 $ranlib       = 
 $arflags      = 

apps/CA.pl.in

@@ -66,19 +66,19 @@ foreach (@ARGV) {
 	    exit 0;
 	} elsif (/^-newcert$/) {
 	    # create a certificate
-	    system ("$REQ -new -x509 -keyout newreq.pem -out newreq.pem $DAYS");
+	    system ("$REQ -new -x509 -keyout newkey.pem -out newcert.pem $DAYS");
 	    $RET=$?;
-	    print "Certificate (and private key) is in newreq.pem\n"
+	    print "Certificate is in newcert.pem, private key is in newkey.pem\n"
 	} elsif (/^-newreq$/) {
 	    # create a certificate request
-	    system ("$REQ -new -keyout newreq.pem -out newreq.pem $DAYS");
+	    system ("$REQ -new -keyout newkey.pem -out newreq.pem $DAYS");
 	    $RET=$?;
-	    print "Request (and private key) is in newreq.pem\n";
+	    print "Request is in newreq.pem, private key is in newkey.pem\n";
 	} elsif (/^-newreq-nodes$/) {
 	    # create a certificate request
-	    system ("$REQ -new -nodes -keyout newreq.pem -out newreq.pem $DAYS");
+	    system ("$REQ -new -nodes -keyout newkey.pem -out newreq.pem $DAYS");
 	    $RET=$?;
-	    print "Request (and private key) is in newreq.pem\n";
+	    print "Request is in newreq.pem, private key is in newkey.pem\n";
 	} elsif (/^-newca$/) {
 		# if explicitly asked for or it doesn't exist then setup the
 		# directory structure that Eric likes to manage things 
@@ -118,10 +118,11 @@ foreach (@ARGV) {
 	} elsif (/^-pkcs12$/) {
 	    my $cname = $ARGV[1];
 	    $cname = "My Certificate" unless defined $cname;
-	    system ("$PKCS12 -in newcert.pem -inkey newreq.pem " .
+	    system ("$PKCS12 -in newcert.pem -inkey newkey.pem " .
 			"-certfile ${CATOP}/$CACERT -out newcert.p12 " .
 			"-export -name \"$cname\"");
 	    $RET=$?;
+	    print "PKCS #12 file is in newcert.p12\n";
 	    exit $RET;
 	} elsif (/^-xsign$/) {
 	    system ("$CA -policy policy_anything -infiles newreq.pem");

apps/CA.sh

@@ -51,15 +51,15 @@ case $i in
     ;;
 -newcert) 
     # create a certificate
-    $REQ -new -x509 -keyout newreq.pem -out newreq.pem $DAYS
+    $REQ -new -x509 -keyout newkey.pem -out newcert.pem $DAYS
     RET=$?
-    echo "Certificate (and private key) is in newreq.pem"
+    echo "Certificate is in newcert.pem, private key is in newkey.pem"
     ;;
 -newreq) 
     # create a certificate request
-    $REQ -new -keyout newreq.pem -out newreq.pem $DAYS
+    $REQ -new -keyout newkey.pem -out newreq.pem $DAYS
     RET=$?
-    echo "Request (and private key) is in newreq.pem"
+    echo "Request is in newreq.pem, private key is in newkey.pem"
     ;;
 -newca)     
     # if explicitly asked for or it doesn't exist then setup the directory

apps/Makefile

@@ -101,8 +101,9 @@ install:
 	(echo installing $$i; \
 	 cp $$i $(INSTALL_PREFIX)$(INSTALLTOP)/bin/$$i.new; \
 	 chmod 755 $(INSTALL_PREFIX)$(INSTALLTOP)/bin/$$i.new; \
-	 mv -f $(INSTALL_PREFIX)$(INSTALLTOP)/bin/$$i.new $(INSTALL_PREFIX)$(INSTALLTOP)/bin/$$i ); \
-	 done;
+	 mv -f  $(INSTALL_PREFIX)$(INSTALLTOP)/bin/$$i.new \
+	 	$(INSTALL_PREFIX)$(INSTALLTOP)/bin/$$i; \
+	) done;
 	@for i in $(SCRIPTS); \
 	do  \
 	(echo installing $$i; \
@@ -143,17 +144,19 @@ $(DLIBCRYPTO):
 
 $(EXE): progs.h $(E_OBJ) $(PROGRAM).o $(DLIBCRYPTO) $(DLIBSSL)
 	$(RM) $(EXE)
+	@if egrep 'define OPENSSL_FIPS' $(TOP)/include/openssl/opensslconf.h > /dev/null; then \
+	  FIPSLD_CC=$(CC); CC=$(TOP)/fips-1.0/fipsld; export CC FIPSLD_CC; \
+	fi; \
+	SHARED_LIBS="$(SHARED_LIBS)"; \
 	if [ "$(SHLIB_TARGET)" = "darwin-shared" ] ; then \
+	  SHARED_LIBS=""; \
+	fi; \
+	if [ -z "$$SHARED_LIBS" ]; then \
 	  set -x; $${CC:-$(CC)} -o $(EXE) $(CFLAGS) $(PROGRAM).o $(E_OBJ) $(PEX_LIBS) $(DLIBSSL) $(LIBKRB5) $(DLIBCRYPTO) $(EX_LIBS) ; \
-	elif [ -z "$(SHARED_LIBS)" ]; then \
-	  set -x; $${CC:-$(CC)} -o $(EXE) $(CFLAGS) $(PROGRAM).o $(E_OBJ) $(PEX_LIBS) $(LIBSSL) $(LIBKRB5) $(LIBCRYPTO) $(EX_LIBS) ; \
 	else \
 	  set -x; LD_LIBRARY_PATH=..:$$LD_LIBRARY_PATH \
 	  $(CC) -o $(EXE) $(CFLAGS) $(PROGRAM).o $(E_OBJ) $(PEX_LIBS) $(LIBSSL) $(LIBKRB5) $(LIBCRYPTO) $(EX_LIBS) ; \
 	fi
-	if egrep 'define OPENSSL_FIPS' $(TOP)/include/openssl/opensslconf.h > /dev/null; then \
-		TOP=$(TOP) $(TOP)/fips/openssl_fips_fingerprint $(TOP)/libcrypto.a $(EXE); \
-	fi
 	-(cd ..; \
 	  OPENSSL="`pwd`/util/opensslwrap.sh"; export OPENSSL; \
 	  $(PERL) tools/c_rehash certs)

apps/apps.c

@@ -361,10 +361,17 @@ int chopup_args(ARGS *arg, char *buf, int *argc, char **argv[])
 		/* The start of something good :-) */
 		if (num >= arg->count)
 			{
-			arg->count+=20;
-			arg->data=(char **)OPENSSL_realloc(arg->data,
-				sizeof(char *)*arg->count);
-			if (argc == 0) return(0);
+			char **tmp_p;
+			int tlen = arg->count + 20;
+			tmp_p = (char **)OPENSSL_realloc(arg->data,
+				sizeof(char *)*tlen);
+			if (tmp_p == NULL)
+				return 0;
+			arg->data  = tmp_p;
+			arg->count = tlen;
+			/* initialize newly allocated data */
+			for (i = num; i < arg->count; i++)
+				arg->data[i] = NULL;
 			}
 		arg->data[num++]=p;
 
@@ -1591,8 +1598,9 @@ int rotate_serial(char *serialfile, char *new_suffix, char *old_suffix)
 		{
 		if (errno != ENOENT 
 #ifdef ENOTDIR
-			&& errno != ENOTDIR)
+			&& errno != ENOTDIR
 #endif
+		   )
 			goto err;
 		}
 	else
@@ -1893,8 +1901,9 @@ int rotate_index(char *dbfile, char *new_suffix, char *old_suffix)
 		{
 		if (errno != ENOENT 
 #ifdef ENOTDIR
-			&& errno != ENOTDIR)
+			&& errno != ENOTDIR
 #endif
+		   )
 			goto err;
 		}
 	else
@@ -1929,8 +1938,9 @@ int rotate_index(char *dbfile, char *new_suffix, char *old_suffix)
 		{
 		if (errno != ENOENT 
 #ifdef ENOTDIR
-			&& errno != ENOTDIR)
+			&& errno != ENOTDIR
 #endif
+		   )
 			goto err;
 		}
 	else

apps/asn1pars.c

@@ -182,7 +182,7 @@ int MAIN(int argc, char **argv)
 bad:
 		BIO_printf(bio_err,"%s [options] <infile\n",prog);
 		BIO_printf(bio_err,"where options are\n");
-		BIO_printf(bio_err," -inform arg   input format - one of DER TXT PEM\n");
+		BIO_printf(bio_err," -inform arg   input format - one of DER PEM\n");
 		BIO_printf(bio_err," -in arg       input file\n");
 		BIO_printf(bio_err," -out arg      output file (output format is always DER\n");
 		BIO_printf(bio_err," -noout arg    don't produce any output\n");

apps/ca.c

@@ -943,7 +943,6 @@ bad:
 			if (verbose) BIO_printf(bio_err,
 				"Done. %d entries marked as expired\n",i); 
 	      		}
-			goto err;
 	  	}
 
  	/*****************************************************************/

apps/openssl.c

@@ -237,14 +237,7 @@ int main(int Argc, char *Argv[])
 
 #ifdef OPENSSL_FIPS
 	if(getenv("OPENSSL_FIPS")) {
-#if defined(_WIN32)
-		char filename[MAX_PATH] = "";
-		GetModuleFileNameA( NULL, filename, MAX_PATH) ;
-		p = filename;
-#else
-		p = Argv[0];
-#endif
-		if (!FIPS_mode_set(1,p)) {
+		if (!FIPS_mode_set(1)) {
 			ERR_load_crypto_strings();
 			ERR_print_errors(BIO_new_fp(stderr,BIO_NOCLOSE));
 			EXIT(1);

certs/argena.pem

@@ -0,0 +1,39 @@
+-----BEGIN CERTIFICATE-----
+MIIG0zCCBbugAwIBAgIBADANBgkqhkiG9w0BAQUFADCBzDELMAkGA1UEBhMCQVQx
+EDAOBgNVBAgTB0F1c3RyaWExDzANBgNVBAcTBlZpZW5uYTE6MDgGA1UEChMxQVJH
+RSBEQVRFTiAtIEF1c3RyaWFuIFNvY2lldHkgZm9yIERhdGEgUHJvdGVjdGlvbjEl
+MCMGA1UECxMcQS1DRVJUIENlcnRpZmljYXRpb24gU2VydmljZTEYMBYGA1UEAxMP
+QS1DRVJUIEFEVkFOQ0VEMR0wGwYJKoZIhvcNAQkBFg5pbmZvQGEtY2VydC5hdDAe
+Fw0wNDEwMjMxNDE0MTRaFw0xMTEwMjMxNDE0MTRaMIHMMQswCQYDVQQGEwJBVDEQ
+MA4GA1UECBMHQXVzdHJpYTEPMA0GA1UEBxMGVmllbm5hMTowOAYDVQQKEzFBUkdF
+IERBVEVOIC0gQXVzdHJpYW4gU29jaWV0eSBmb3IgRGF0YSBQcm90ZWN0aW9uMSUw
+IwYDVQQLExxBLUNFUlQgQ2VydGlmaWNhdGlvbiBTZXJ2aWNlMRgwFgYDVQQDEw9B
+LUNFUlQgQURWQU5DRUQxHTAbBgkqhkiG9w0BCQEWDmluZm9AYS1jZXJ0LmF0MIIB
+IjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA3euXIy+mnf6BYKbK+QH5k679
+tUFqeT8jlZxMew8eNiHuw9KoxWBzL6KksK+5uK7Gatw+sbAYntEGE80P+Jg1hADM
+e+Fr5V0bc6QS3gkVtfUCW/RIvfMM39oxvmqJmOgPnJU7H6+nmLtsq61tv9kVJi/2
+4Y5wXW3odet72sF57EoG6s78w0BUVLNcMngS9bZZzmdG3/d6JbkGgoNF/8DcgCBJ
+W/t0JrcIzyppXIOVtUzzOrrU86zuUgT3Rtkl5kjG7DEHpFb9H0fTOY1v8+gRoaO6
+2gA0PCiysgVZjwgVeYe3KAg11nznyleDv198uK3Dc1oXIGYjJx2FpKWUvAuAEwID
+AQABo4ICvDCCArgwHQYDVR0OBBYEFDd/Pj6ZcWDKJNSRE3nQdCm0qCTYMIH5BgNV
+HSMEgfEwge6AFDd/Pj6ZcWDKJNSRE3nQdCm0qCTYoYHSpIHPMIHMMQswCQYDVQQG
+EwJBVDEQMA4GA1UECBMHQXVzdHJpYTEPMA0GA1UEBxMGVmllbm5hMTowOAYDVQQK
+EzFBUkdFIERBVEVOIC0gQXVzdHJpYW4gU29jaWV0eSBmb3IgRGF0YSBQcm90ZWN0
+aW9uMSUwIwYDVQQLExxBLUNFUlQgQ2VydGlmaWNhdGlvbiBTZXJ2aWNlMRgwFgYD
+VQQDEw9BLUNFUlQgQURWQU5DRUQxHTAbBgkqhkiG9w0BCQEWDmluZm9AYS1jZXJ0
+LmF0ggEAMA8GA1UdEwEB/wQFMAMBAf8wCwYDVR0PBAQDAgHmMEcGA1UdJQRAMD4G
+CCsGAQUFBwMBBggrBgEFBQcDAgYIKwYBBQUHAwMGCCsGAQUFBwMEBggrBgEFBQcD
+CAYKKwYBBAGCNwoDBDARBglghkgBhvhCAQEEBAMCAP8wUQYDVR0gBEowSDBGBggq
+KAAYAQEBAzA6MDgGCCsGAQUFBwIBFixodHRwOi8vd3d3LmEtY2VydC5hdC9jZXJ0
+aWZpY2F0ZS1wb2xpY3kuaHRtbDA7BglghkgBhvhCAQgELhYsaHR0cDovL3d3dy5h
+LWNlcnQuYXQvY2VydGlmaWNhdGUtcG9saWN5Lmh0bWwwGQYDVR0RBBIwEIEOaW5m
+b0BhLWNlcnQuYXQwLwYDVR0SBCgwJoEOaW5mb0BhLWNlcnQuYXSGFGh0dHA6Ly93
+d3cuYS1jZXJ0LmF0MEUGA1UdHwQ+MDwwOqA4oDaGNGh0dHBzOi8vc2VjdXJlLmEt
+Y2VydC5hdC9jZ2ktYmluL2EtY2VydC1hZHZhbmNlZC5jZ2kwDQYJKoZIhvcNAQEF
+BQADggEBACX1IvgfdG2rvfv35O48vSEvcVaEdlN8USFBHWz3JRAozgzvaBtwHkjK
+Zwt5l/BWOtjbvHfRjDt7ijlBEcxOOrNC1ffyMHwHrXpvff6YpQ5wnxmIYEQcURiG
+HMqruEX0WkuDNgSKwefsgXs27eeBauHgNGVcTYH1rmHu/ZyLpLxOyJQ2PCzA1DzW
+3rWkIX92ogJ7lTRdWrbxwUL1XGinxnnaQ74+/y0pI9JNEv7ic2tpkweRMpkedaLW
+msC1+orfKTebsg69aMaCx7o6jNONRmR/7TVaPf8/k6g52cHZ9YWjQvup22b5rWxG
+J5r5LZ4vCPmF4+T4lutjUYAa/lGuQTg=
+-----END CERTIFICATE-----

certs/argeng.pem

@@ -0,0 +1,23 @@
+-----BEGIN CERTIFICATE-----
+MIIDwzCCAyygAwIBAgIBADANBgkqhkiG9w0BAQQFADCBmDELMAkGA1UEBhMCQVQx
+EDAOBgNVBAgTB0F1c3RyaWExDzANBgNVBAcTBlZpZW5uYTFCMEAGA1UEChM5QXJn
+ZSBEYXRlbiBPZXN0ZXJyZWljaGlzY2hlIEdlc2VsbHNjaGFmdCBmdWVyIERhdGVu
+c2NodXR6MSIwIAYJKoZIhvcNAQkBFhNhLWNlcnRAYXJnZWRhdGVuLmF0MB4XDTAx
+MDIxMjExMzAzMFoXDTA5MDIxMjExMzAzMFowgZgxCzAJBgNVBAYTAkFUMRAwDgYD
+VQQIEwdBdXN0cmlhMQ8wDQYDVQQHEwZWaWVubmExQjBABgNVBAoTOUFyZ2UgRGF0
+ZW4gT2VzdGVycmVpY2hpc2NoZSBHZXNlbGxzY2hhZnQgZnVlciBEYXRlbnNjaHV0
+ejEiMCAGCSqGSIb3DQEJARYTYS1jZXJ0QGFyZ2VkYXRlbi5hdDCBnzANBgkqhkiG
+9w0BAQEFAAOBjQAwgYkCgYEAwgsHqoNtmmrJ86+e1I4hOVBaL4kokqKN2IPOIL+1
+XwY8vfOOUfPEdhWpaC0ldt7VYrksgDiUccgH0FROANWK2GkfKMDzjjXHysR04uEb
+Om7Kqjqn0nproOGkFG+QvBZgs+Ws+HXNFJA6V76fU4+JXq4452LSK4Lr5YcBquu3
+NJECAwEAAaOCARkwggEVMB0GA1UdDgQWBBQ0j59zH/G31zRjgK1y2P//tSAWZjCB
+xQYDVR0jBIG9MIG6gBQ0j59zH/G31zRjgK1y2P//tSAWZqGBnqSBmzCBmDELMAkG
+A1UEBhMCQVQxEDAOBgNVBAgTB0F1c3RyaWExDzANBgNVBAcTBlZpZW5uYTFCMEAG
+A1UEChM5QXJnZSBEYXRlbiBPZXN0ZXJyZWljaGlzY2hlIEdlc2VsbHNjaGFmdCBm
+dWVyIERhdGVuc2NodXR6MSIwIAYJKoZIhvcNAQkBFhNhLWNlcnRAYXJnZWRhdGVu
+LmF0ggEAMAwGA1UdEwQFMAMBAf8wCwYDVR0PBAQDAgEGMBEGCWCGSAGG+EIBAQQE
+AwICBDANBgkqhkiG9w0BAQQFAAOBgQBFuJYncqMYB6gXQS3eDOI90BEHfFTKy/dV
+AV+K7QdAYikWmqgBheRdPKddJdccPy/Zl/p3ZT7GhDyC5f3wZjcuu8AJ27BNwbCA
+x54dgxgCNcyPm79nY8MRtEdEpoRGdSsFKJemz6hpXM++MWFciyrRWIIA44XB0Gv3
+US0spjsDPQ==
+-----END CERTIFICATE-----

config

@@ -54,6 +54,22 @@ SYSTEM=`(uname -s) 2>/dev/null`  || SYSTEM="unknown"
 VERSION=`(uname -v) 2>/dev/null` || VERSION="unknown"
 
 
+
+ 
+
+# Check for VC++ presence first.
+#
+#if [ "x$MSVCDIR" != "x" -o "x$VCINSTALLDIR" != "x" ]; then
+#	perl Configure VC-WIN32 $*
+#	cmd /c ms\\do_masm.bat
+#	perl util/mk1mf.pl VC-WIN32-GMAKE >mak.tmp
+#	rm Makefile
+#	mv mak.tmp Makefile
+#	echo "Configured for VC++ using GNU make"
+#	exit 0
+#fi
+#
+
 # Now test for ISC and SCO, since it is has a braindamaged uname.
 #
 # We need to work around FreeBSD 1.1.5.1 
@@ -339,6 +355,10 @@ case "${SYSTEM}:${RELEASE}:${VERSION}:${MACHINE}" in
 
     MINGW*)
 	echo "${MACHINE}-whatever-mingw"; echo 0;
+	# Save fipslib path so VC++ build can find it
+	(cd /usr/local/ssl/lib ; pwd -W ) > util/fipslib_path.txt
+	# Extract _chkstk.o so VC++ can use it, to avoid __alloca link error
+	(cd ms ; ar x `gcc -print-libgcc-file-name` _chkstk.o)
 	;;
     CYGWIN*)
 	case "$RELEASE" in

crypto/Makefile

@@ -1,5 +1,5 @@
 #
-# SSLeay/crypto/Makefile
+# OpenSSL/crypto/Makefile
 #
 
 DIR=		crypto

crypto/asn1/Makefile

@@ -1,5 +1,5 @@
 #
-# SSLeay/crypto/asn1/Makefile
+# OpenSSL/crypto/asn1/Makefile
 #
 
 DIR=	asn1

crypto/asn1/tasn_dec.c

@@ -903,7 +903,7 @@ static int asn1_collect(BUF_MEM *buf, unsigned char **in, long len, char inf, in
 			return 0;
 #endif
 		} else {
-			if(!collect_data(buf, &p, plen)) return 0;
+			if(plen && !collect_data(buf, &p, plen)) return 0;
 		}
 		len -= p - q;
 	}

crypto/asn1/tasn_enc.c

@@ -445,9 +445,12 @@ int asn1_ex_i2c(ASN1_VALUE **pval, unsigned char *cout, int *putype, const ASN1_
 		case V_ASN1_BOOLEAN:
 		tbool = (ASN1_BOOLEAN *)pval;
 		if(*tbool == -1) return -1;
-		/* Default handling if value == size field then omit */
-		if(*tbool && (it->size > 0)) return -1;
-		if(!*tbool && !it->size) return -1;
+		if (it->utype != V_ASN1_ANY)
+			{
+			/* Default handling if value == size field then omit */
+			if(*tbool && (it->size > 0)) return -1;
+			if(!*tbool && !it->size) return -1;
+			}
 		c = (unsigned char)*tbool;
 		cont = &c;
 		len = 1;

crypto/bf/Makefile

@@ -1,5 +1,5 @@
 #
-# SSLeay/crypto/blowfish/Makefile
+# OpenSSL/crypto/blowfish/Makefile
 #
 
 DIR=	bf

crypto/bio/Makefile

@@ -1,5 +1,5 @@
 #
-# SSLeay/crypto/bio/Makefile
+# OpenSSL/crypto/bio/Makefile
 #
 
 DIR=	bio

crypto/bio/bss_conn.c

@@ -469,7 +469,7 @@ static long conn_ctrl(BIO *b, int cmd, long num, void *ptr)
 		break;
 	case BIO_C_DO_STATE_MACHINE:
 		/* use this one to start the connection */
-		if (!(data->state != BIO_CONN_S_OK))
+		if (data->state != BIO_CONN_S_OK)
 			ret=(long)conn_state(b,data);
 		else
 			ret=1;

crypto/bn/Makefile

@@ -1,5 +1,5 @@
 #
-# SSLeay/crypto/bn/Makefile
+# OpenSSL/crypto/bn/Makefile
 #
 
 DIR=	bn
@@ -329,3 +329,5 @@ bn_word.o: ../../include/openssl/lhash.h ../../include/openssl/opensslconf.h
 bn_word.o: ../../include/openssl/opensslv.h ../../include/openssl/safestack.h
 bn_word.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
 bn_word.o: ../cryptlib.h bn_lcl.h bn_word.c
+bn_x931p.o: ../../include/openssl/bn.h ../../include/openssl/e_os2.h
+bn_x931p.o: ../../include/openssl/opensslconf.h bn_x931p.c

crypto/bn/asm/ppc.pl

@@ -116,7 +116,7 @@ if ($opf =~ /32\.s/) {
 	$UDIV=	"divwu";	# unsigned divide
 	$UCMPI=	"cmplwi";	# unsigned compare with immediate
 	$UCMP=	"cmplw";	# unsigned compare
-	$COUNTZ="cntlzw";	# count leading zeros
+	$CNTLZ=	"cntlzw";	# count leading zeros
 	$SHL=	"slw";		# shift left
 	$SHR=	"srw";		# unsigned shift right
 	$SHRI=	"srwi";		# unsigned shift right by immediate	
@@ -124,6 +124,7 @@ if ($opf =~ /32\.s/) {
 	$CLRU=	"clrlwi";	# clear upper bits
 	$INSR=	"insrwi";	# insert right
 	$ROTL=	"rotlwi";	# rotate left by immediate
+	$TR=	"tw";		# conditional trap
 } elsif ($opf =~ /64\.s/) {
 	$BITS=	64;
 	$BNSZ=	$BITS/8;
@@ -139,7 +140,7 @@ if ($opf =~ /32\.s/) {
 	$UDIV=	"divdu";	# unsigned divide
 	$UCMPI=	"cmpldi";	# unsigned compare with immediate
 	$UCMP=	"cmpld";	# unsigned compare
-	$COUNTZ="cntlzd";	# count leading zeros
+	$CNTLZ=	"cntlzd";	# count leading zeros
 	$SHL=	"sld";		# shift left
 	$SHR=	"srd";		# unsigned shift right
 	$SHRI=	"srdi";		# unsigned shift right by immediate	
@@ -147,6 +148,7 @@ if ($opf =~ /32\.s/) {
 	$CLRU=	"clrldi";	# clear upper bits
 	$INSR=	"insrdi";	# insert right 
 	$ROTL=	"rotldi";	# rotate left by immediate
+	$TR=	"td";		# conditional trap
 } else { die "nonsense $opf"; }
 
 ( defined shift || open STDOUT,">$opf" ) || die "can't open $opf: $!";
@@ -1710,17 +1712,12 @@ Lppcasm_add_adios:
 	bclr	BO_ALWAYS,CR0_LT	
 Lppcasm_div1:
 	xor	r0,r0,r0		#r0=0
-	$COUNTZ	r7,r5			#r7 = num leading 0s in d.
-	subfic	r8,r7,$BITS		#r8 = BN_num_bits_word(d)
-	cmpi	0,0,r8,$BITS		#
-	bc	BO_IF,CR0_EQ,Lppcasm_div2	#proceed if (r8==$BITS)	
-	li	r9,1			# r9=1
-	$SHL	r10,r9,r8		# r9<<=r8
-	$UCMP	0,r3,r10		#	
-	bc	BO_IF,CR0_GT,Lppcasm_div2	#or if (h > (1<<r8))
-	$UDIV	r3,r3,r0		#if not assert(0) divide by 0!
-					#that's how we signal overflow
-	bclr	BO_ALWAYS,CR0_LT	#return. NEVER REACHED.
+	li	r8,$BITS
+	$CNTLZ.	r7,r5			#r7 = num leading 0s in d.
+	bc	BO_IF,CR0_EQ,Lppcasm_div2	#proceed if no leading zeros
+	subf	r8,r7,r8		#r8 = BN_num_bits_word(d)
+	$SHR.	r9,r3,r8		#are there any bits above r8'th?
+	$TR	16,r9,r0		#if there're, signal to dump core...
 Lppcasm_div2:
 	$UCMP	0,r3,r5			#h>=d?
 	bc	BO_IF,CR0_LT,Lppcasm_div3	#goto Lppcasm_div3 if not

crypto/bn/asm/sparcv8plus.S

@@ -162,10 +162,14 @@
  * BN_ULONG w;
  */
 bn_mul_add_words:
+	sra	%o2,%g0,%o2	! signx %o2
 	brgz,a	%o2,.L_bn_mul_add_words_proceed
 	lduw	[%o1],%g2
 	retl
 	clr	%o0
+	nop
+	nop
+	nop
 
 .L_bn_mul_add_words_proceed:
 	srl	%o3,%g0,%o3	! clruw	%o3
@@ -260,10 +264,14 @@ bn_mul_add_words:
  * BN_ULONG w;
  */
 bn_mul_words:
+	sra	%o2,%g0,%o2	! signx %o2
 	brgz,a	%o2,.L_bn_mul_words_proceeed
 	lduw	[%o1],%g2
 	retl
 	clr	%o0
+	nop
+	nop
+	nop
 
 .L_bn_mul_words_proceeed:
 	srl	%o3,%g0,%o3	! clruw	%o3
@@ -344,10 +352,14 @@ bn_mul_words:
  * int n;
  */
 bn_sqr_words:
+	sra	%o2,%g0,%o2	! signx %o2
 	brgz,a	%o2,.L_bn_sqr_words_proceeed
 	lduw	[%o1],%g2
 	retl
 	clr	%o0
+	nop
+	nop
+	nop
 
 .L_bn_sqr_words_proceeed:
 	andcc	%o2,-4,%g0
@@ -445,6 +457,7 @@ bn_div_words:
  * int n;
  */
 bn_add_words:
+	sra	%o3,%g0,%o3	! signx %o3
 	brgz,a	%o3,.L_bn_add_words_proceed
 	lduw	[%o1],%o4
 	retl
@@ -454,7 +467,6 @@ bn_add_words:
 	andcc	%o3,-4,%g0
 	bz,pn	%icc,.L_bn_add_words_tail
 	addcc	%g0,0,%g0	! clear carry flag
-	nop
 
 .L_bn_add_words_loop:		! wow! 32 aligned!
 	dec	4,%o3
@@ -523,6 +535,7 @@ bn_add_words:
  * int n;
  */
 bn_sub_words:
+	sra	%o3,%g0,%o3	! signx %o3
 	brgz,a	%o3,.L_bn_sub_words_proceed
 	lduw	[%o1],%o4
 	retl
@@ -532,7 +545,6 @@ bn_sub_words:
 	andcc	%o3,-4,%g0
 	bz,pn	%icc,.L_bn_sub_words_tail
 	addcc	%g0,0,%g0	! clear carry flag
-	nop
 
 .L_bn_sub_words_loop:		! wow! 32 aligned!
 	dec	4,%o3

crypto/buffer/Makefile

@@ -1,5 +1,5 @@
 #
-# SSLeay/crypto/buffer/Makefile
+# OpenSSL/crypto/buffer/Makefile
 #
 
 DIR=	buffer

crypto/cast/Makefile

@@ -1,5 +1,5 @@
 #
-# SSLeay/crypto/cast/Makefile
+# OpenSSL/crypto/cast/Makefile
 #
 
 DIR=	cast

crypto/comp/Makefile

@@ -1,5 +1,5 @@
 #
-# SSLeay/crypto/comp/Makefile
+# OpenSSL/crypto/comp/Makefile
 #
 
 DIR=	comp

crypto/comp/c_zlib.c

@@ -51,30 +51,17 @@ static COMP_METHOD zlib_method={
  */
 #if defined(OPENSSL_SYS_WINDOWS) || defined(OPENSSL_SYS_WIN32)
 # include <windows.h>
-
-# define Z_CALLCONV _stdcall
-# define ZLIB_SHARED
-#else
-# define Z_CALLCONV
 #endif /* !(OPENSSL_SYS_WINDOWS || OPENSSL_SYS_WIN32) */
 
 #ifdef ZLIB_SHARED
 #include <openssl/dso.h>
 
-/* Prototypes for built in stubs */
-static int stub_compress(Bytef *dest,uLongf *destLen,
-	const Bytef *source, uLong sourceLen);
-static int stub_inflateEnd(z_streamp strm);
-static int stub_inflate(z_streamp strm, int flush);
-static int stub_inflateInit_(z_streamp strm, const char * version,
-	int stream_size);
-
 /* Function pointers */
-typedef int (Z_CALLCONV *compress_ft)(Bytef *dest,uLongf *destLen,
+typedef int (*compress_ft)(Bytef *dest,uLongf *destLen,
 	const Bytef *source, uLong sourceLen);
-typedef int (Z_CALLCONV *inflateEnd_ft)(z_streamp strm);
-typedef int (Z_CALLCONV *inflate_ft)(z_streamp strm, int flush);
-typedef int (Z_CALLCONV *inflateInit__ft)(z_streamp strm,
+typedef int (*inflateEnd_ft)(z_streamp strm);
+typedef int (*inflate_ft)(z_streamp strm, int flush);
+typedef int (*inflateInit__ft)(z_streamp strm,
 	const char * version, int stream_size);
 static compress_ft	p_compress=NULL;
 static inflateEnd_ft	p_inflateEnd=NULL;
@@ -84,10 +71,10 @@ static inflateInit__ft	p_inflateInit_=NULL;
 static int zlib_loaded = 0;     /* only attempt to init func pts once */
 static DSO *zlib_dso = NULL;
 
-#define compress                stub_compress
-#define inflateEnd              stub_inflateEnd
-#define inflate                 stub_inflate
-#define inflateInit_            stub_inflateInit_
+#define compress                p_compress
+#define inflateEnd              p_inflateEnd
+#define inflate                 p_inflate
+#define inflateInit_            p_inflateInit_
 #endif /* ZLIB_SHARED */
 
 static int zlib_compress_block(COMP_CTX *ctx, unsigned char *out,
@@ -191,16 +178,6 @@ COMP_METHOD *COMP_zlib(void)
 		{
 #if defined(OPENSSL_SYS_WINDOWS) || defined(OPENSSL_SYS_WIN32)
 		zlib_dso = DSO_load(NULL, "ZLIB1", NULL, 0);
-		if (!zlib_dso)
-			{
-			zlib_dso = DSO_load(NULL, "ZLIB", NULL, 0);
-			if (zlib_dso)
-				{
-				/* Clear the errors from the first failed
-				   DSO_load() */
-				ERR_clear_error();
-				}
-			}
 #else
 		zlib_dso = DSO_load(NULL, "z", NULL, 0);
 #endif
@@ -218,54 +195,21 @@ COMP_METHOD *COMP_zlib(void)
 			p_inflateInit_
 				= (inflateInit__ft) DSO_bind_func(zlib_dso,
 					"inflateInit_");
-			zlib_loaded++;
+
+			if (p_compress && p_inflateEnd && p_inflate
+				&& p_inflateInit_)
+				zlib_loaded++;
 			}
 		}
 
 #endif
+#ifdef ZLIB_SHARED
+	if (zlib_loaded)
+#endif
 #if defined(ZLIB) || defined(ZLIB_SHARED)
-	meth = &zlib_method;
+		meth = &zlib_method;
 #endif
 
 	return(meth);
 	}
 
-#ifdef ZLIB_SHARED
-/* Stubs for each function to be dynamicly loaded */
-static int 
-stub_compress(Bytef *dest,uLongf *destLen,const Bytef *source, uLong sourceLen)
-	{
-	if (p_compress)
-		return(p_compress(dest,destLen,source,sourceLen));
-	else
-		return(Z_MEM_ERROR);
-	}
-
-static int
-stub_inflateEnd(z_streamp strm)
-	{
-	if ( p_inflateEnd )
-		return(p_inflateEnd(strm));
-	else
-		return(Z_MEM_ERROR);
-	}
-
-static int
-stub_inflate(z_streamp strm, int flush)
-	{
-	if ( p_inflate )
-		return(p_inflate(strm,flush));
-	else
-		return(Z_MEM_ERROR);
-	}
-
-static int
-stub_inflateInit_(z_streamp strm, const char * version, int stream_size)
-	{
-	if ( p_inflateInit_ )
-		return(p_inflateInit_(strm,version,stream_size));
-	else
-		return(Z_MEM_ERROR);
-	}
-
-#endif /* ZLIB_SHARED */

crypto/conf/Makefile

@@ -1,5 +1,5 @@
 #
-# SSLeay/crypto/conf/Makefile
+# OpenSSL/crypto/conf/Makefile
 #
 
 DIR=	conf

crypto/conf/conf_def.c

@@ -613,13 +613,13 @@ static int str_copy(CONF *conf, char *section, char **pto, char *from)
 				e++;
 				}
 			/* So at this point we have
-			 * ns which is the start of the name string which is
+			 * np which is the start of the name string which is
 			 *   '\0' terminated. 
-			 * cs which is the start of the section string which is
+			 * cp which is the start of the section string which is
 			 *   '\0' terminated.
 			 * e is the 'next point after'.
-			 * r and s are the chars replaced by the '\0'
-			 * rp and sp is where 'r' and 's' came from.
+			 * r and rr are the chars replaced by the '\0'
+			 * rp and rrp is where 'r' and 'rr' came from.
 			 */
 			p=_CONF_get_string(conf,cp,np);
 			if (rrp != NULL) *rrp=rr;
@@ -638,6 +638,11 @@ static int str_copy(CONF *conf, char *section, char **pto, char *from)
 			   points at.  /RL */
 			len -= e-from;
 			from=e;
+
+			/* In case there were no braces or parenthesis around
+			   the variable reference, we have to put back the
+			   character that was replaced with a '\0'.  /RL */
+			*rp = r;
 			}
 		else
 			buf->data[to++]= *(from++);

crypto/cryptlib.c

@@ -734,5 +734,11 @@ int fips_clear_owning_thread(void)
 		}
 	return ret;
 	}
+
+unsigned char *fips_signature_witness(void)
+	{
+	extern unsigned char FIPS_signature[];
+	return FIPS_signature;
+	}
 #endif /* OPENSSL_FIPS */
 

crypto/crypto-lib.com

@@ -265,10 +265,15 @@ $ LIB_KRB5 = "krb5_asn"
 $!
 $! Setup exceptional compilations
 $!
+$ ! Add definitions for no threads on OpenVMS 7.1 and higher
 $ COMPILEWITH_CC3 = ",bss_rtcp,"
+$ ! Disable the DOLLARID warning
 $ COMPILEWITH_CC4 = ",a_utctm,bss_log,o_time,"
+$ ! Disable disjoint optimization
 $ COMPILEWITH_CC5 = ",md2_dgst,md4_dgst,md5_dgst,mdc2dgst," + -
                     "sha_dgst,sha1dgst,rmd_dgst,bf_enc,"
+$ ! Disable the MIXLINKAGE warning
+$ COMPILEWITH_CC6 = ",enc_read,set_key,"
 $!
 $! Figure Out What Other Modules We Are To Build.
 $!
@@ -497,7 +502,12 @@ $       IF COMPILEWITH_CC5 - FILE_NAME0 .NES. COMPILEWITH_CC5
 $       THEN
 $         CC5/OBJECT='OBJECT_FILE' 'SOURCE_FILE'
 $       ELSE
-$         CC/OBJECT='OBJECT_FILE' 'SOURCE_FILE'
+$         IF COMPILEWITH_CC6 - FILE_NAME0 .NES. COMPILEWITH_CC6
+$         THEN
+$           CC6/OBJECT='OBJECT_FILE' 'SOURCE_FILE'
+$         ELSE
+$           CC/OBJECT='OBJECT_FILE' 'SOURCE_FILE'
+$         ENDIF
 $       ENDIF
 $     ENDIF
 $   ENDIF
@@ -1077,14 +1087,18 @@ $   THEN
 $     IF CCDISABLEWARNINGS .EQS. ""
 $     THEN
 $       CC4DISABLEWARNINGS = "DOLLARID"
+$       CC6DISABLEWARNINGS = "MIXLINKAGE"
 $     ELSE
 $       CC4DISABLEWARNINGS = CCDISABLEWARNINGS + ",DOLLARID"
+$       CC6DISABLEWARNINGS = CCDISABLEWARNINGS + ",MIXLINKAGE"
 $       CCDISABLEWARNINGS = "/WARNING=(DISABLE=(" + CCDISABLEWARNINGS + "))"
 $     ENDIF
 $     CC4DISABLEWARNINGS = "/WARNING=(DISABLE=(" + CC4DISABLEWARNINGS + "))"
+$     CC6DISABLEWARNINGS = "/WARNING=(DISABLE=(" + CC6DISABLEWARNINGS + "))"
 $   ELSE
 $     CCDISABLEWARNINGS = ""
 $     CC4DISABLEWARNINGS = ""
+$     CC6DISABLEWARNINGS = ""
 $   ENDIF
 $   CC3 = CC + "/DEFINE=(" + CCDEFS + ISSEVEN + ")" + CCDISABLEWARNINGS
 $   CC = CC + "/DEFINE=(" + CCDEFS + ")" + CCDISABLEWARNINGS
@@ -1095,6 +1109,7 @@ $   ELSE
 $     CC5 = CC + "/NOOPTIMIZE"
 $   ENDIF
 $   CC4 = CC - CCDISABLEWARNINGS + CC4DISABLEWARNINGS
+$   CC6 = CC - CCDISABLEWARNINGS + CC6DISABLEWARNINGS
 $!
 $!  Show user the result
 $!

crypto/des/Makefile

@@ -1,5 +1,5 @@
 #
-# SSLeay/crypto/des/Makefile
+# OpenSSL/crypto/des/Makefile
 #
 
 DIR=	des

crypto/dh/Makefile

@@ -1,5 +1,5 @@
 #
-# SSLeay/crypto/dh/Makefile
+# OpenSSL/crypto/dh/Makefile
 #
 
 DIR=	dh

crypto/dsa/Makefile

@@ -1,5 +1,5 @@
 #
-# SSLeay/crypto/dsa/Makefile
+# OpenSSL/crypto/dsa/Makefile
 #
 
 DIR=	dsa

crypto/dso/Makefile

@@ -1,5 +1,5 @@
 #
-# SSLeay/crypto/dso/Makefile
+# OpenSSL/crypto/dso/Makefile
 #
 
 DIR=	dso

crypto/dso/dso_dl.c

@@ -126,7 +126,8 @@ static int dl_load(DSO *dso)
 		DSOerr(DSO_F_DL_LOAD,DSO_R_NO_FILENAME);
 		goto err;
 		}
-	ptr = shl_load(filename, BIND_IMMEDIATE|DYNAMIC_PATH, 0L);
+	ptr = shl_load(filename, BIND_IMMEDIATE |
+		(dso->flags&DSO_FLAG_NO_NAME_TRANSLATION?0:DYNAMIC_PATH), 0L);
 	if(ptr == NULL)
 		{
 		DSOerr(DSO_F_DL_LOAD,DSO_R_LOAD_FAILED);
@@ -289,7 +290,11 @@ int DSO_pathbyaddr(void *addr,char *path,int sz)
 	struct shl_descriptor inf;
 	int i,len;
 
-	if (addr == NULL) addr = dl_ref_point;
+	if (addr == NULL)
+		{
+		union { void(*f)(); void *p; } t = { dl_ref_point };
+		addr = t.p;
+		}
 
 	for (i=-1;shl_get_r(i,&inf)==0;i++)
 		{

crypto/dso/dso_dlfcn.c

@@ -232,7 +232,7 @@ static void *dlfcn_bind_var(DSO *dso, const char *symname)
 static DSO_FUNC_TYPE dlfcn_bind_func(DSO *dso, const char *symname)
 	{
 	void *ptr;
-	DSO_FUNC_TYPE sym;
+	DSO_FUNC_TYPE sym, *tsym = &sym;
 
 	if((dso == NULL) || (symname == NULL))
 		{
@@ -250,7 +250,7 @@ static DSO_FUNC_TYPE dlfcn_bind_func(DSO *dso, const char *symname)
 		DSOerr(DSO_F_DLFCN_BIND_FUNC,DSO_R_NULL_HANDLE);
 		return(NULL);
 		}
-	*(void**)(&sym) = dlsym(ptr, symname);
+	*(void**)(tsym) = dlsym(ptr, symname);
 	if(sym == NULL)
 		{
 		DSOerr(DSO_F_DLFCN_BIND_FUNC,DSO_R_SYM_FAILURE);
@@ -302,7 +302,11 @@ int DSO_pathbyaddr(void *addr,char *path,int sz)
 	Dl_info dli;
 	int len;
 
-	if (addr == NULL) addr = dlfcn_ref_point;
+	if (addr == NULL)
+		{
+		union { void(*f)(void); void *p; } t = { dlfcn_ref_point };
+		addr = t.p;
+		}
 
 	if (dladdr(addr,&dli))
 		{

crypto/dso/dso_win32.c

@@ -68,6 +68,25 @@ DSO_METHOD *DSO_METHOD_win32(void)
 	}
 #else
 
+#ifdef _WIN32_WCE
+# if _WIN32_WCE < 300
+static FARPROC GetProcAddressA(HMODULE hModule,LPCSTR lpProcName)
+	{
+	WCHAR lpProcNameW[64];
+	int i;
+
+	for (i=0;lpProcName[i] && i<64;i++)
+		lpProcNameW[i] = (WCHAR)lpProcName[i];
+	if (i==64) return NULL;
+	lpProcNameW[i] = 0;
+
+	return GetProcAddressW(hModule,lpProcNameW);
+	}
+# endif
+# undef GetProcAddress
+# define GetProcAddress GetProcAddressA
+#endif
+
 /* Part of the hack in "win32_load" ... */
 #define DSO_MAX_TRANSLATED_SIZE 256
 
@@ -122,7 +141,7 @@ static int win32_load(DSO *dso)
 		DSOerr(DSO_F_WIN32_LOAD,DSO_R_NO_FILENAME);
 		goto err;
 		}
-	h = LoadLibrary(filename);
+	h = LoadLibraryA(filename);
 	if(h == NULL)
 		{
 		DSOerr(DSO_F_WIN32_LOAD,DSO_R_LOAD_FAILED);

crypto/engine/hw_aep.c

@@ -474,6 +474,7 @@ static int aep_init(ENGINE *e)
 
 	if(aep_dso)
 		DSO_free(aep_dso);
+	aep_dso = NULL;
 		
 	p_AEP_OpenConnection    = NULL;
 	p_AEP_ModExp            = NULL;

crypto/engine/hw_atalla.c

@@ -375,6 +375,7 @@ static int atalla_init(ENGINE *e)
 err:
 	if(atalla_dso)
 		DSO_free(atalla_dso);
+	atalla_dso = NULL;
 	p_Atalla_GetHardwareConfig = NULL;
 	p_Atalla_RSAPrivateKeyOpFn = NULL;
 	p_Atalla_GetPerformanceStatistics = NULL;

crypto/engine/hw_cswift.c

@@ -90,6 +90,7 @@ static int cswift_destroy(ENGINE *e);
 static int cswift_init(ENGINE *e);
 static int cswift_finish(ENGINE *e);
 static int cswift_ctrl(ENGINE *e, int cmd, long i, void *p, void (*f)());
+static int cswift_bn_32copy(SW_LARGENUMBER * out, const BIGNUM * in);
 
 /* BIGNUM stuff */
 static int cswift_mod_exp(BIGNUM *r, const BIGNUM *a, const BIGNUM *p,
@@ -403,7 +404,10 @@ static int cswift_init(ENGINE *e)
 	return 1;
 err:
 	if(cswift_dso)
+	{
 		DSO_free(cswift_dso);
+		cswift_dso = NULL;
+	}
 	p_CSwift_AcquireAccContext = NULL;
 	p_CSwift_AttachKeyParam = NULL;
 	p_CSwift_SimpleRequest = NULL;
@@ -553,6 +557,29 @@ err:
 	return to_return;
 	}
 
+
+int cswift_bn_32copy(SW_LARGENUMBER * out, const BIGNUM * in)
+{
+	int mod;
+	int numbytes = BN_num_bytes(in);
+
+	mod = 0;
+	while( ((out->nbytes = (numbytes+mod)) % 32) )
+	{
+		mod++;
+	}
+	out->value = (unsigned char*)OPENSSL_malloc(out->nbytes);
+	if(!out->value)
+	{
+		return 0;
+	}
+	BN_bn2bin(in, &out->value[mod]);
+	if(mod)
+		memset(out->value, 0, mod);
+
+	return 1;
+}
+
 /* Un petit mod_exp chinois */
 static int cswift_mod_exp_crt(BIGNUM *r, const BIGNUM *a, const BIGNUM *p,
 			const BIGNUM *q, const BIGNUM *dmp1,
@@ -562,15 +589,16 @@ static int cswift_mod_exp_crt(BIGNUM *r, const BIGNUM *a, const BIGNUM *p,
 	SW_LARGENUMBER arg, res;
 	SW_PARAM sw_param;
 	SW_CONTEXT_HANDLE hac;
-	BIGNUM *rsa_p = NULL;
-	BIGNUM *rsa_q = NULL;
-	BIGNUM *rsa_dmp1 = NULL;
-	BIGNUM *rsa_dmq1 = NULL;
-	BIGNUM *rsa_iqmp = NULL;
-	BIGNUM *argument = NULL;
 	BIGNUM *result = NULL;
+	BIGNUM *argument = NULL;
 	int to_return = 0; /* expect failure */
 	int acquired = 0;
+
+	sw_param.up.crt.p.value = NULL;
+	sw_param.up.crt.q.value = NULL;
+	sw_param.up.crt.dmp1.value = NULL;
+	sw_param.up.crt.dmq1.value = NULL;
+	sw_param.up.crt.iqmp.value = NULL;
  
 	if(!get_context(&hac))
 		{
@@ -578,44 +606,55 @@ static int cswift_mod_exp_crt(BIGNUM *r, const BIGNUM *a, const BIGNUM *p,
 		goto err;
 		}
 	acquired = 1;
+
 	/* Prepare the params */
-	BN_CTX_start(ctx);
-	rsa_p = BN_CTX_get(ctx);
-	rsa_q = BN_CTX_get(ctx);
-	rsa_dmp1 = BN_CTX_get(ctx);
-	rsa_dmq1 = BN_CTX_get(ctx);
-	rsa_iqmp = BN_CTX_get(ctx);
-	argument = BN_CTX_get(ctx);
-	result = BN_CTX_get(ctx);
-	if(!result)
+	argument = BN_new();
+	result = BN_new();
+	if(!result || !argument)
 		{
 		CSWIFTerr(CSWIFT_F_CSWIFT_MOD_EXP_CRT,CSWIFT_R_BN_CTX_FULL);
 		goto err;
 		}
-	if(!bn_wexpand(rsa_p, p->top) || !bn_wexpand(rsa_q, q->top) ||
-			!bn_wexpand(rsa_dmp1, dmp1->top) ||
-			!bn_wexpand(rsa_dmq1, dmq1->top) ||
-			!bn_wexpand(rsa_iqmp, iqmp->top) ||
-			!bn_wexpand(argument, a->top) ||
+
+
+	sw_param.type = SW_ALG_CRT;
+	/************************************************************************/
+	/* 04/02/2003                                                           */
+	/* Modified by Frederic Giudicelli (deny-all.com) to overcome the       */
+	/* limitation of cswift with values not a multiple of 32                */
+	/************************************************************************/
+	if(!cswift_bn_32copy(&sw_param.up.crt.p, p))
+	{
+		CSWIFTerr(CSWIFT_F_CSWIFT_MOD_EXP_CRT,CSWIFT_R_BN_EXPAND_FAIL);
+		goto err;
+	}
+	if(!cswift_bn_32copy(&sw_param.up.crt.q, q))
+	{
+		CSWIFTerr(CSWIFT_F_CSWIFT_MOD_EXP_CRT,CSWIFT_R_BN_EXPAND_FAIL);
+		goto err;
+	}
+	if(!cswift_bn_32copy(&sw_param.up.crt.dmp1, dmp1))
+	{
+		CSWIFTerr(CSWIFT_F_CSWIFT_MOD_EXP_CRT,CSWIFT_R_BN_EXPAND_FAIL);
+		goto err;
+	}
+	if(!cswift_bn_32copy(&sw_param.up.crt.dmq1, dmq1))
+	{
+		CSWIFTerr(CSWIFT_F_CSWIFT_MOD_EXP_CRT,CSWIFT_R_BN_EXPAND_FAIL);
+		goto err;
+	}
+	if(!cswift_bn_32copy(&sw_param.up.crt.iqmp, iqmp))
+	{
+		CSWIFTerr(CSWIFT_F_CSWIFT_MOD_EXP_CRT,CSWIFT_R_BN_EXPAND_FAIL);
+		goto err;
+	}
+	if(	!bn_wexpand(argument, a->top) ||
 			!bn_wexpand(result, p->top + q->top))
 		{
 		CSWIFTerr(CSWIFT_F_CSWIFT_MOD_EXP_CRT,CSWIFT_R_BN_EXPAND_FAIL);
 		goto err;
 		}
-	sw_param.type = SW_ALG_CRT;
-	sw_param.up.crt.p.nbytes = BN_bn2bin(p, (unsigned char *)rsa_p->d);
-	sw_param.up.crt.p.value = (unsigned char *)rsa_p->d;
-	sw_param.up.crt.q.nbytes = BN_bn2bin(q, (unsigned char *)rsa_q->d);
-	sw_param.up.crt.q.value = (unsigned char *)rsa_q->d;
-	sw_param.up.crt.dmp1.nbytes = BN_bn2bin(dmp1,
-		(unsigned char *)rsa_dmp1->d);
-	sw_param.up.crt.dmp1.value = (unsigned char *)rsa_dmp1->d;
-	sw_param.up.crt.dmq1.nbytes = BN_bn2bin(dmq1,
-		(unsigned char *)rsa_dmq1->d);
-	sw_param.up.crt.dmq1.value = (unsigned char *)rsa_dmq1->d;
-	sw_param.up.crt.iqmp.nbytes = BN_bn2bin(iqmp,
-		(unsigned char *)rsa_iqmp->d);
-	sw_param.up.crt.iqmp.value = (unsigned char *)rsa_iqmp->d;
+
 	/* Attach the key params */
 	sw_status = p_CSwift_AttachKeyParam(hac, &sw_param);
 	switch(sw_status)
@@ -654,9 +693,22 @@ static int cswift_mod_exp_crt(BIGNUM *r, const BIGNUM *a, const BIGNUM *p,
 	BN_bin2bn((unsigned char *)result->d, res.nbytes, r);
 	to_return = 1;
 err:
+	if(sw_param.up.crt.p.value)
+		OPENSSL_free(sw_param.up.crt.p.value);
+	if(sw_param.up.crt.q.value)
+		OPENSSL_free(sw_param.up.crt.q.value);
+	if(sw_param.up.crt.dmp1.value)
+		OPENSSL_free(sw_param.up.crt.dmp1.value);
+	if(sw_param.up.crt.dmq1.value)
+		OPENSSL_free(sw_param.up.crt.dmq1.value);
+	if(sw_param.up.crt.iqmp.value)
+		OPENSSL_free(sw_param.up.crt.iqmp.value);
+	if(result)
+		BN_free(result);
+	if(argument)
+		BN_free(argument);
 	if(acquired)
 		release_context(hac);
-	BN_CTX_end(ctx);
 	return to_return;
 	}
  
@@ -665,6 +717,27 @@ static int cswift_rsa_mod_exp(BIGNUM *r0, const BIGNUM *I, RSA *rsa)
 	{
 	BN_CTX *ctx;
 	int to_return = 0;
+	const RSA_METHOD * def_rsa_method;
+
+	/* Try the limits of RSA (2048 bits) */
+	if(BN_num_bytes(rsa->p) > 128 ||
+		BN_num_bytes(rsa->q) > 128 ||
+		BN_num_bytes(rsa->dmp1) > 128 ||
+		BN_num_bytes(rsa->dmq1) > 128 ||
+		BN_num_bytes(rsa->iqmp) > 128)
+	{
+#ifdef RSA_NULL
+		def_rsa_method=RSA_null_method();
+#else
+#if 0
+		def_rsa_method=RSA_PKCS1_RSAref();
+#else
+		def_rsa_method=RSA_PKCS1_SSLeay();
+#endif
+#endif
+		if(def_rsa_method)
+			return def_rsa_method->rsa_mod_exp(r0, I, rsa);
+	}
 
 	if((ctx = BN_CTX_new()) == NULL)
 		goto err;
@@ -686,6 +759,26 @@ err:
 static int cswift_mod_exp_mont(BIGNUM *r, const BIGNUM *a, const BIGNUM *p,
 		const BIGNUM *m, BN_CTX *ctx, BN_MONT_CTX *m_ctx)
 	{
+	const RSA_METHOD * def_rsa_method;
+
+	/* Try the limits of RSA (2048 bits) */
+	if(BN_num_bytes(r) > 256 ||
+		BN_num_bytes(a) > 256 ||
+		BN_num_bytes(m) > 256)
+	{
+#ifdef RSA_NULL
+		def_rsa_method=RSA_null_method();
+#else
+#if 0
+		def_rsa_method=RSA_PKCS1_RSAref();
+#else
+		def_rsa_method=RSA_PKCS1_SSLeay();
+#endif
+#endif
+		if(def_rsa_method)
+			return def_rsa_method->bn_mod_exp(r, a, p, m, ctx, m_ctx);
+	}
+
 	return cswift_mod_exp(r, a, p, m, ctx);
 	}
 
@@ -930,9 +1023,10 @@ static int cswift_rand_bytes(unsigned char *buf, int num)
 	SW_CONTEXT_HANDLE hac;
 	SW_STATUS swrc;
 	SW_LARGENUMBER largenum;
-	size_t nbytes = 0;
 	int acquired = 0;
 	int to_return = 0; /* assume failure */
+	unsigned char buf32[1024];
+
 
 	if (!get_context(&hac))
 	{
@@ -941,17 +1035,19 @@ static int cswift_rand_bytes(unsigned char *buf, int num)
 	}
 	acquired = 1;
 
-	while (nbytes < (size_t)num)
+	/************************************************************************/
+	/* 04/02/2003                                                           */
+	/* Modified by Frederic Giudicelli (deny-all.com) to overcome the       */
+	/* limitation of cswift with values not a multiple of 32                */
+	/************************************************************************/
+
+	while(num >= sizeof(buf32))
 	{
+		largenum.value = buf;
+		largenum.nbytes = sizeof(buf32);
 		/* tell CryptoSwift how many bytes we want and where we want it.
 		 * Note: - CryptoSwift cannot do more than 4096 bytes at a time.
 		 *       - CryptoSwift can only do multiple of 32-bits. */
-		largenum.value = (SW_BYTE *) buf + nbytes;
-		if (4096 > num - nbytes)
-			largenum.nbytes = num - nbytes;
-		else
-			largenum.nbytes = 4096;
-
 		swrc = p_CSwift_SimpleRequest(hac, SW_CMD_RAND, NULL, 0, &largenum, 1);
 		if (swrc != SW_OK)
 		{
@@ -961,14 +1057,30 @@ static int cswift_rand_bytes(unsigned char *buf, int num)
 			ERR_add_error_data(2, "CryptoSwift error number is ", tmpbuf);
 			goto err;
 		}
-
-		nbytes += largenum.nbytes;
+		buf += sizeof(buf32);
+		num -= sizeof(buf32);
+	}
+	if(num)
+	{
+		largenum.nbytes = sizeof(buf32);
+		largenum.value = buf32;
+		swrc = p_CSwift_SimpleRequest(hac, SW_CMD_RAND, NULL, 0, &largenum, 1);
+		if (swrc != SW_OK)
+		{
+			char tmpbuf[20];
+			CSWIFTerr(CSWIFT_F_CSWIFT_CTRL, CSWIFT_R_REQUEST_FAILED);
+			sprintf(tmpbuf, "%ld", swrc);
+			ERR_add_error_data(2, "CryptoSwift error number is ", tmpbuf);
+			goto err;
+		}
+		memcpy(buf, largenum.value, num);
 	}
-	to_return = 1;  /* success */
 
+	to_return = 1;  /* success */
 err:
 	if (acquired)
 		release_context(hac);
+
 	return to_return;
 }
 

crypto/engine/hw_ubsec.c

@@ -454,6 +454,7 @@ static int ubsec_init(ENGINE *e)
 err:
 	if(ubsec_dso)
 		DSO_free(ubsec_dso);
+	ubsec_dso = NULL;
 	p_UBSEC_ubsec_bytes_to_bits = NULL;
 	p_UBSEC_ubsec_bits_to_bytes = NULL;
 	p_UBSEC_ubsec_open = NULL;

crypto/engine/tb_dsa.c

@@ -94,7 +94,7 @@ int ENGINE_set_default_DSA(ENGINE *e)
 	{
 	if(e->dsa_meth)
 		return engine_table_register(&dsa_table,
-				engine_unregister_all_DSA, e, &dummy_nid, 1, 0);
+				engine_unregister_all_DSA, e, &dummy_nid, 1, 1);
 	return 1;
 	}
 

crypto/err/Makefile

@@ -1,5 +1,5 @@
 #
-# SSLeay/crypto/err/Makefile
+# OpenSSL/crypto/err/Makefile
 #
 
 DIR=	err

crypto/evp/Makefile

@@ -1,5 +1,5 @@
 #
-# SSLeay/crypto/evp/Makefile
+# OpenSSL/crypto/evp/Makefile
 #
 
 DIR=	evp

crypto/evp/encode.c

@@ -313,7 +313,7 @@ int EVP_DecodeUpdate(EVP_ENCODE_CTX *ctx, unsigned char *out, int *outl,
 			/* There will never be more than two '=' */
 			}
 
-		if ((v == B64_EOF) || (n >= 64))
+		if ((v == B64_EOF && (n&3) == 0) || (n >= 64))
 			{
 			/* This is needed to work correctly on 64 byte input
 			 * lines.  We process the line and then need to

crypto/evp/evp.h

@@ -132,7 +132,11 @@
 #define EVP_CAST5_KEY_SIZE		16
 #define EVP_RC5_32_12_16_KEY_SIZE	16
 */
+#ifdef OPENSSL_FIPS
 #define EVP_MAX_MD_SIZE			64	/* longest known SHA512 */
+#else
+#define EVP_MAX_MD_SIZE			(16+20)	/* The SSLv3 md5+sha1 type */
+#endif
 #define EVP_MAX_KEY_LENGTH		32
 #define EVP_MAX_IV_LENGTH		16
 #define EVP_MAX_BLOCK_LENGTH		32

crypto/evp/m_dss1.c

@@ -67,7 +67,14 @@ static int init(EVP_MD_CTX *ctx)
 	{ return SHA1_Init(ctx->md_data); }
 
 static int update(EVP_MD_CTX *ctx,const void *data,unsigned long count)
+#ifndef OPENSSL_FIPS
 	{ return SHA1_Update(ctx->md_data,data,count); }
+#else
+	{
+	OPENSSL_assert(sizeof(count)<=sizeof(size_t));
+	return SHA1_Update(ctx->md_data,data,count);
+	}
+#endif
 
 static int final(EVP_MD_CTX *ctx,unsigned char *md)
 	{ return SHA1_Final(md,ctx->md_data); }
@@ -77,7 +84,7 @@ static const EVP_MD dss1_md=
 	NID_dsa,
 	NID_dsaWithSHA1,
 	SHA_DIGEST_LENGTH,
-	0,
+	EVP_MD_FLAG_FIPS,
 	init,
 	update,
 	final,

crypto/hmac/Makefile

@@ -1,5 +1,5 @@
 #
-# SSLeay/crypto/md/Makefile
+# OpenSSL/crypto/md/Makefile
 #
 
 DIR=	hmac

crypto/hmac/hmac.h

@@ -64,7 +64,11 @@
 
 #include <openssl/evp.h>
 
+#ifdef OPENSSL_FIPS
 #define HMAC_MAX_MD_CBLOCK	128
+#else
+#define HMAC_MAX_MD_CBLOCK	64
+#endif
 
 #ifdef  __cplusplus
 extern "C" {

crypto/idea/Makefile

@@ -1,5 +1,5 @@
 #
-# SSLeay/crypto/idea/Makefile
+# OpenSSL/crypto/idea/Makefile
 #
 
 DIR=	idea

crypto/lhash/Makefile

@@ -1,5 +1,5 @@
 #
-# SSLeay/crypto/lhash/Makefile
+# OpenSSL/crypto/lhash/Makefile
 #
 
 DIR=	lhash

crypto/md2/Makefile

@@ -1,5 +1,5 @@
 #
-# SSLeay/crypto/md/Makefile
+# OpenSSL/crypto/md/Makefile
 #
 
 DIR=	md2

crypto/md4/Makefile

@@ -1,5 +1,5 @@
 #
-# SSLeay/crypto/md4/Makefile
+# OpenSSL/crypto/md4/Makefile
 #
 
 DIR=    md4

crypto/md5/Makefile

@@ -1,5 +1,5 @@
 #
-# SSLeay/crypto/md5/Makefile
+# OpenSSL/crypto/md5/Makefile
 #
 
 DIR=    md5

crypto/mdc2/Makefile

@@ -1,5 +1,5 @@
 #
-# SSLeay/crypto/mdc2/Makefile
+# OpenSSL/crypto/mdc2/Makefile
 #
 
 DIR=	mdc2

crypto/objects/Makefile

@@ -1,5 +1,5 @@
 #
-# SSLeay/crypto/objects/Makefile
+# OpenSSL/crypto/objects/Makefile
 #
 
 DIR=	objects

crypto/objects/obj_dat.h

@@ -63,11 +63,11 @@
  */
 
 #define NUM_NID 676
-#define NUM_SN 668
-#define NUM_LN 668
-#define NUM_OBJ 632
+#define NUM_SN 669
+#define NUM_LN 669
+#define NUM_OBJ 633
 
-static unsigned char lvalues[4572]={
+static unsigned char lvalues[4575]={
 0x00,                                        /* [  0] OBJ_undef */
 0x2A,0x86,0x48,0x86,0xF7,0x0D,               /* [  1] OBJ_rsadsi */
 0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,          /* [  7] OBJ_pkcs */
@@ -330,9 +330,9 @@ static unsigned char lvalues[4572]={
 0x2B,0x06,0x01,0x05,0x05,0x07,0x01,0x04,     /* [2092] OBJ_ac_auditEntity */
 0x2B,0x06,0x01,0x05,0x05,0x07,0x01,0x05,     /* [2100] OBJ_ac_targeting */
 0x2B,0x06,0x01,0x05,0x05,0x07,0x01,0x06,     /* [2108] OBJ_aaControls */
-0x2B,0x06,0x01,0x05,0x05,0x07,0x01,0x07,     /* [2116] OBJ_sbqp_ipAddrBlock */
-0x2B,0x06,0x01,0x05,0x05,0x07,0x01,0x08,     /* [2124] OBJ_sbqp_autonomousSysNum */
-0x2B,0x06,0x01,0x05,0x05,0x07,0x01,0x09,     /* [2132] OBJ_sbqp_routerIdentifier */
+0x2B,0x06,0x01,0x05,0x05,0x07,0x01,0x07,     /* [2116] OBJ_sbgp_ipAddrBlock */
+0x2B,0x06,0x01,0x05,0x05,0x07,0x01,0x08,     /* [2124] OBJ_sbgp_autonomousSysNum */
+0x2B,0x06,0x01,0x05,0x05,0x07,0x01,0x09,     /* [2132] OBJ_sbgp_routerIdentifier */
 0x2B,0x06,0x01,0x05,0x05,0x07,0x02,0x03,     /* [2140] OBJ_textNotice */
 0x2B,0x06,0x01,0x05,0x05,0x07,0x03,0x05,     /* [2148] OBJ_ipsecEndSystem */
 0x2B,0x06,0x01,0x05,0x05,0x07,0x03,0x06,     /* [2156] OBJ_ipsecTunnel */
@@ -691,15 +691,16 @@ static unsigned char lvalues[4572]={
 0x2B,0x06,0x01,0x05,0x05,0x07,0x01,0x0E,     /* [4467] OBJ_proxyCertInfo */
 0x2B,0x06,0x01,0x05,0x05,0x07,0x15,0x00,     /* [4475] OBJ_id_ppl_anyLanguage */
 0x2B,0x06,0x01,0x05,0x05,0x07,0x15,0x01,     /* [4483] OBJ_id_ppl_inheritAll */
-0x2B,0x06,0x01,0x05,0x05,0x07,0x15,0x02,     /* [4491] OBJ_Independent */
-0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x01,0x0B,/* [4499] OBJ_sha256WithRSAEncryption */
-0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x01,0x0C,/* [4508] OBJ_sha384WithRSAEncryption */
-0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x01,0x0D,/* [4517] OBJ_sha512WithRSAEncryption */
-0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x01,0x0E,/* [4526] OBJ_sha224WithRSAEncryption */
-0x60,0x86,0x48,0x01,0x65,0x03,0x04,0x02,0x01,/* [4535] OBJ_sha256 */
-0x60,0x86,0x48,0x01,0x65,0x03,0x04,0x02,0x02,/* [4544] OBJ_sha384 */
-0x60,0x86,0x48,0x01,0x65,0x03,0x04,0x02,0x03,/* [4553] OBJ_sha512 */
-0x60,0x86,0x48,0x01,0x65,0x03,0x04,0x02,0x04,/* [4562] OBJ_sha224 */
+0x55,0x1D,0x1E,                              /* [4491] OBJ_name_constraints */
+0x2B,0x06,0x01,0x05,0x05,0x07,0x15,0x02,     /* [4494] OBJ_Independent */
+0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x01,0x0B,/* [4502] OBJ_sha256WithRSAEncryption */
+0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x01,0x0C,/* [4511] OBJ_sha384WithRSAEncryption */
+0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x01,0x0D,/* [4520] OBJ_sha512WithRSAEncryption */
+0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x01,0x0E,/* [4529] OBJ_sha224WithRSAEncryption */
+0x60,0x86,0x48,0x01,0x65,0x03,0x04,0x02,0x01,/* [4538] OBJ_sha256 */
+0x60,0x86,0x48,0x01,0x65,0x03,0x04,0x02,0x02,/* [4547] OBJ_sha384 */
+0x60,0x86,0x48,0x01,0x65,0x03,0x04,0x02,0x03,/* [4556] OBJ_sha512 */
+0x60,0x86,0x48,0x01,0x65,0x03,0x04,0x02,0x04,/* [4565] OBJ_sha224 */
 };
 
 static ASN1_OBJECT nid_objs[NUM_NID]={
@@ -1142,12 +1143,12 @@ static ASN1_OBJECT nid_objs[NUM_NID]={
 	&(lvalues[2092]),0},
 {"ac-targeting","ac-targeting",NID_ac_targeting,8,&(lvalues[2100]),0},
 {"aaControls","aaControls",NID_aaControls,8,&(lvalues[2108]),0},
-{"sbqp-ipAddrBlock","sbqp-ipAddrBlock",NID_sbqp_ipAddrBlock,8,
+{"sbgp-ipAddrBlock","sbgp-ipAddrBlock",NID_sbgp_ipAddrBlock,8,
 	&(lvalues[2116]),0},
-{"sbqp-autonomousSysNum","sbqp-autonomousSysNum",
-	NID_sbqp_autonomousSysNum,8,&(lvalues[2124]),0},
-{"sbqp-routerIdentifier","sbqp-routerIdentifier",
-	NID_sbqp_routerIdentifier,8,&(lvalues[2132]),0},
+{"sbgp-autonomousSysNum","sbgp-autonomousSysNum",
+	NID_sbgp_autonomousSysNum,8,&(lvalues[2124]),0},
+{"sbgp-routerIdentifier","sbgp-routerIdentifier",
+	NID_sbgp_routerIdentifier,8,&(lvalues[2132]),0},
 {"textNotice","textNotice",NID_textNotice,8,&(lvalues[2140]),0},
 {"ipsecEndSystem","IPSec End System",NID_ipsecEndSystem,8,
 	&(lvalues[2148]),0},
@@ -1762,20 +1763,21 @@ static ASN1_OBJECT nid_objs[NUM_NID]={
 	&(lvalues[4475]),0},
 {"id-ppl-inheritAll","Inherit all",NID_id_ppl_inheritAll,8,
 	&(lvalues[4483]),0},
-{NULL,NULL,NID_undef,0,NULL},
-{"id-ppl-independent","Independent",NID_Independent,8,&(lvalues[4491]),0},
+{"nameConstraints","X509v3 Name Constraints",NID_name_constraints,3,
+	&(lvalues[4491]),0},
+{"id-ppl-independent","Independent",NID_Independent,8,&(lvalues[4494]),0},
 {"RSA-SHA256","sha256WithRSAEncryption",NID_sha256WithRSAEncryption,9,
-	&(lvalues[4499]),0},
+	&(lvalues[4502]),0},
 {"RSA-SHA384","sha384WithRSAEncryption",NID_sha384WithRSAEncryption,9,
-	&(lvalues[4508]),0},
+	&(lvalues[4511]),0},
 {"RSA-SHA512","sha512WithRSAEncryption",NID_sha512WithRSAEncryption,9,
-	&(lvalues[4517]),0},
+	&(lvalues[4520]),0},
 {"RSA-SHA224","sha224WithRSAEncryption",NID_sha224WithRSAEncryption,9,
-	&(lvalues[4526]),0},
-{"SHA256","sha256",NID_sha256,9,&(lvalues[4535]),0},
-{"SHA384","sha384",NID_sha384,9,&(lvalues[4544]),0},
-{"SHA512","sha512",NID_sha512,9,&(lvalues[4553]),0},
-{"SHA224","sha224",NID_sha224,9,&(lvalues[4562]),0},
+	&(lvalues[4529]),0},
+{"SHA256","sha256",NID_sha256,9,&(lvalues[4538]),0},
+{"SHA384","sha384",NID_sha384,9,&(lvalues[4547]),0},
+{"SHA512","sha512",NID_sha512,9,&(lvalues[4556]),0},
+{"SHA224","sha224",NID_sha224,9,&(lvalues[4565]),0},
 };
 
 static ASN1_OBJECT *sn_objs[NUM_SN]={
@@ -2210,6 +2212,7 @@ static ASN1_OBJECT *sn_objs[NUM_SN]={
 &(nid_objs[649]),/* "msUPN" */
 &(nid_objs[481]),/* "nSRecord" */
 &(nid_objs[173]),/* "name" */
+&(nid_objs[666]),/* "nameConstraints" */
 &(nid_objs[369]),/* "noCheck" */
 &(nid_objs[403]),/* "noRevAvail" */
 &(nid_objs[72]),/* "nsBaseUrl" */
@@ -2282,9 +2285,9 @@ static ASN1_OBJECT *sn_objs[NUM_SN]={
 &(nid_objs[ 1]),/* "rsadsi" */
 &(nid_objs[482]),/* "sOARecord" */
 &(nid_objs[155]),/* "safeContentsBag" */
-&(nid_objs[291]),/* "sbqp-autonomousSysNum" */
-&(nid_objs[290]),/* "sbqp-ipAddrBlock" */
-&(nid_objs[292]),/* "sbqp-routerIdentifier" */
+&(nid_objs[291]),/* "sbgp-autonomousSysNum" */
+&(nid_objs[290]),/* "sbgp-ipAddrBlock" */
+&(nid_objs[292]),/* "sbgp-routerIdentifier" */
 &(nid_objs[159]),/* "sdsiCertificate" */
 &(nid_objs[154]),/* "secretBag" */
 &(nid_objs[474]),/* "secretary" */
@@ -2545,6 +2548,7 @@ static ASN1_OBJECT *ln_objs[NUM_LN]={
 &(nid_objs[126]),/* "X509v3 Extended Key Usage" */
 &(nid_objs[86]),/* "X509v3 Issuer Alternative Name" */
 &(nid_objs[83]),/* "X509v3 Key Usage" */
+&(nid_objs[666]),/* "X509v3 Name Constraints" */
 &(nid_objs[403]),/* "X509v3 No Revocation Available" */
 &(nid_objs[401]),/* "X509v3 Policy Constraints" */
 &(nid_objs[84]),/* "X509v3 Private Key Usage Period" */
@@ -2958,9 +2962,9 @@ static ASN1_OBJECT *ln_objs[NUM_LN]={
 &(nid_objs[124]),/* "run length compression" */
 &(nid_objs[482]),/* "sOARecord" */
 &(nid_objs[155]),/* "safeContentsBag" */
-&(nid_objs[291]),/* "sbqp-autonomousSysNum" */
-&(nid_objs[290]),/* "sbqp-ipAddrBlock" */
-&(nid_objs[292]),/* "sbqp-routerIdentifier" */
+&(nid_objs[291]),/* "sbgp-autonomousSysNum" */
+&(nid_objs[290]),/* "sbgp-ipAddrBlock" */
+&(nid_objs[292]),/* "sbgp-routerIdentifier" */
 &(nid_objs[159]),/* "sdsiCertificate" */
 &(nid_objs[154]),/* "secretBag" */
 &(nid_objs[474]),/* "secretary" */
@@ -3169,6 +3173,7 @@ static ASN1_OBJECT *obj_objs[NUM_OBJ]={
 &(nid_objs[430]),/* OBJ_hold_instruction_code        2 5 29 23 */
 &(nid_objs[142]),/* OBJ_invalidity_date              2 5 29 24 */
 &(nid_objs[140]),/* OBJ_delta_crl                    2 5 29 27 */
+&(nid_objs[666]),/* OBJ_name_constraints             2 5 29 30 */
 &(nid_objs[103]),/* OBJ_crl_distribution_points      2 5 29 31 */
 &(nid_objs[89]),/* OBJ_certificate_policies         2 5 29 32 */
 &(nid_objs[90]),/* OBJ_authority_key_identifier     2 5 29 35 */
@@ -3419,9 +3424,9 @@ static ASN1_OBJECT *obj_objs[NUM_OBJ]={
 &(nid_objs[287]),/* OBJ_ac_auditEntity               1 3 6 1 5 5 7 1 4 */
 &(nid_objs[288]),/* OBJ_ac_targeting                 1 3 6 1 5 5 7 1 5 */
 &(nid_objs[289]),/* OBJ_aaControls                   1 3 6 1 5 5 7 1 6 */
-&(nid_objs[290]),/* OBJ_sbqp_ipAddrBlock             1 3 6 1 5 5 7 1 7 */
-&(nid_objs[291]),/* OBJ_sbqp_autonomousSysNum        1 3 6 1 5 5 7 1 8 */
-&(nid_objs[292]),/* OBJ_sbqp_routerIdentifier        1 3 6 1 5 5 7 1 9 */
+&(nid_objs[290]),/* OBJ_sbgp_ipAddrBlock             1 3 6 1 5 5 7 1 7 */
+&(nid_objs[291]),/* OBJ_sbgp_autonomousSysNum        1 3 6 1 5 5 7 1 8 */
+&(nid_objs[292]),/* OBJ_sbgp_routerIdentifier        1 3 6 1 5 5 7 1 9 */
 &(nid_objs[397]),/* OBJ_ac_proxying                  1 3 6 1 5 5 7 1 10 */
 &(nid_objs[398]),/* OBJ_sinfo_access                 1 3 6 1 5 5 7 1 11 */
 &(nid_objs[663]),/* OBJ_proxyCertInfo                1 3 6 1 5 5 7 1 14 */

crypto/objects/obj_mac.h

@@ -1068,17 +1068,17 @@
 #define NID_aaControls		289
 #define OBJ_aaControls		OBJ_id_pe,6L
 
-#define SN_sbqp_ipAddrBlock		"sbqp-ipAddrBlock"
-#define NID_sbqp_ipAddrBlock		290
-#define OBJ_sbqp_ipAddrBlock		OBJ_id_pe,7L
+#define SN_sbgp_ipAddrBlock		"sbgp-ipAddrBlock"
+#define NID_sbgp_ipAddrBlock		290
+#define OBJ_sbgp_ipAddrBlock		OBJ_id_pe,7L
 
-#define SN_sbqp_autonomousSysNum		"sbqp-autonomousSysNum"
-#define NID_sbqp_autonomousSysNum		291
-#define OBJ_sbqp_autonomousSysNum		OBJ_id_pe,8L
+#define SN_sbgp_autonomousSysNum		"sbgp-autonomousSysNum"
+#define NID_sbgp_autonomousSysNum		291
+#define OBJ_sbgp_autonomousSysNum		OBJ_id_pe,8L
 
-#define SN_sbqp_routerIdentifier		"sbqp-routerIdentifier"
-#define NID_sbqp_routerIdentifier		292
-#define OBJ_sbqp_routerIdentifier		OBJ_id_pe,9L
+#define SN_sbgp_routerIdentifier		"sbgp-routerIdentifier"
+#define NID_sbgp_routerIdentifier		292
+#define OBJ_sbgp_routerIdentifier		OBJ_id_pe,9L
 
 #define SN_ac_proxying		"ac-proxying"
 #define NID_ac_proxying		397
@@ -1799,6 +1799,11 @@
 #define NID_delta_crl		140
 #define OBJ_delta_crl		OBJ_id_ce,27L
 
+#define SN_name_constraints		"nameConstraints"
+#define LN_name_constraints		"X509v3 Name Constraints"
+#define NID_name_constraints		666
+#define OBJ_name_constraints		OBJ_id_ce,30L
+
 #define SN_crl_distribution_points		"crlDistributionPoints"
 #define LN_crl_distribution_points		"X509v3 CRL Distribution Points"
 #define NID_crl_distribution_points		103

crypto/objects/obj_mac.num

@@ -287,9 +287,9 @@ qcStatements		286
 ac_auditEntity		287
 ac_targeting		288
 aaControls		289
-sbqp_ipAddrBlock		290
-sbqp_autonomousSysNum		291
-sbqp_routerIdentifier		292
+sbgp_ipAddrBlock		290
+sbgp_autonomousSysNum		291
+sbgp_routerIdentifier		292
 textNotice		293
 ipsecEndSystem		294
 ipsecTunnel		295
@@ -663,7 +663,7 @@ id_ppl		662
 proxyCertInfo		663
 id_ppl_anyLanguage		664
 id_ppl_inheritAll		665
-id_ppl_independent		666
+name_constraints		666
 Independent		667
 sha256WithRSAEncryption		668
 sha384WithRSAEncryption		669

crypto/objects/objects.txt

@@ -346,9 +346,9 @@ id-pe 3			: qcStatements
 id-pe 4			: ac-auditEntity
 id-pe 5			: ac-targeting
 id-pe 6			: aaControls
-id-pe 7			: sbqp-ipAddrBlock
-id-pe 8			: sbqp-autonomousSysNum
-id-pe 9			: sbqp-routerIdentifier
+id-pe 7			: sbgp-ipAddrBlock
+id-pe 8			: sbgp-autonomousSysNum
+id-pe 9			: sbgp-routerIdentifier
 id-pe 10		: ac-proxying
 !Cname sinfo-access
 id-pe 11		: subjectInfoAccess	: Subject Information Access
@@ -589,6 +589,8 @@ id-ce 21		: CRLReason		: X509v3 CRL Reason Code
 id-ce 24		: invalidityDate	: Invalidity Date
 !Cname delta-crl
 id-ce 27		: deltaCRL		: X509v3 Delta CRL Indicator
+!Cname name-constraints
+id-ce 30		: nameConstraints	: X509v3 Name Constraints
 !Cname crl-distribution-points
 id-ce 31		: crlDistributionPoints	: X509v3 CRL Distribution Points
 !Cname certificate-policies

crypto/opensslv.h

@@ -25,11 +25,11 @@
  * (Prior to 0.9.5a beta1, a different scheme was used: MMNNFFRBB for
  *  major minor fix final patch/beta)
  */
-#define OPENSSL_VERSION_NUMBER	0x00907080L
+#define OPENSSL_VERSION_NUMBER	0x0090709fL
 #ifdef OPENSSL_FIPS
-#define OPENSSL_VERSION_TEXT	"OpenSSL 0.9.7h-fips-dev XX xxx XXXX"
+#define OPENSSL_VERSION_TEXT	"OpenSSL 0.9.7j-fips-dev XX xxx XXXX"
 #else
-#define OPENSSL_VERSION_TEXT	"OpenSSL 0.9.7h-dev XX xxx XXXX"
+#define OPENSSL_VERSION_TEXT	"OpenSSL 0.9.7j-dev XX xxx XXXX"
 #endif
 #define OPENSSL_VERSION_PTEXT	" part of " OPENSSL_VERSION_TEXT
 

crypto/pem/Makefile

@@ -1,5 +1,5 @@
 #
-# SSLeay/crypto/pem/Makefile
+# OpenSSL/crypto/pem/Makefile
 #
 
 DIR=	pem

crypto/perlasm/x86asm.pl

@@ -90,7 +90,7 @@ $tmp
 #ifdef OUT
 #define OK	1
 #define ALIGN	4
-#if defined(__CYGWIN__) || defined(__DJGPP__)
+#if defined(__CYGWIN__) || defined(__DJGPP__) || defined(__MINGW32__)
 #undef SIZE
 #undef TYPE
 #define SIZE(a,b)

crypto/perlasm/x86nasm.pl

@@ -221,7 +221,15 @@ sub using486
 
 sub main'file
 	{
-	push(@out, "segment .text use32\n");
+	local $tmp;
+	$tmp=<<___;
+%ifdef __omf__
+section	code	use32 class=code
+%else
+section	.text
+%endif
+___
+	push(@out,$tmp);
 	}
 
 sub main'function_begin

crypto/pkcs12/Makefile

@@ -1,5 +1,5 @@
 #
-# SSLeay/crypto/pkcs12/Makefile
+# OpenSSL/crypto/pkcs12/Makefile
 #
 
 DIR=	pkcs12

crypto/pkcs12/p12_add.c

@@ -148,7 +148,11 @@ PKCS7 *PKCS12_pack_p7data(STACK_OF(PKCS12_SAFEBAG) *sk)
 /* Unpack SAFEBAGS from PKCS#7 data ContentInfo */
 STACK_OF(PKCS12_SAFEBAG) *PKCS12_unpack_p7data(PKCS7 *p7)
 {
-	if(!PKCS7_type_is_data(p7)) return NULL;
+	if(!PKCS7_type_is_data(p7))
+		{
+		PKCS12err(PKCS12_F_PKCS12_UNPACK_P7DATA,PKCS12_R_CONTENT_TYPE_NOT_DATA);
+		return NULL;
+		}
 	return ASN1_item_unpack(p7->d.data, ASN1_ITEM_rptr(PKCS12_SAFEBAGS));
 }
 
@@ -211,5 +215,10 @@ int PKCS12_pack_authsafes(PKCS12 *p12, STACK_OF(PKCS7) *safes)
 
 STACK_OF(PKCS7) *PKCS12_unpack_authsafes(PKCS12 *p12)
 {
+	if (!PKCS7_type_is_data(p12->authsafes))
+		{
+		PKCS12err(PKCS12_F_PKCS12_UNPACK_AUTHSAFES,PKCS12_R_CONTENT_TYPE_NOT_DATA);
+		return NULL;
+		}
 	return ASN1_item_unpack(p12->authsafes->d.data, ASN1_ITEM_rptr(PKCS12_AUTHSAFES));
 }

crypto/pkcs12/p12_mutl.c

@@ -72,6 +72,12 @@ int PKCS12_gen_mac (PKCS12 *p12, const char *pass, int passlen,
 	unsigned char key[PKCS12_MAC_KEY_LENGTH], *salt;
 	int saltlen, iter;
 
+	if (!PKCS7_type_is_data(p12->authsafes))
+		{
+		PKCS12err(PKCS12_F_PKCS12_GEN_MAC,PKCS12_R_CONTENT_TYPE_NOT_DATA);
+		return 0;
+		}
+
 	salt = p12->mac->salt->data;
 	saltlen = p12->mac->salt->length;
 	if (!p12->mac->iter) iter = 1;

crypto/pkcs12/pk12err.c

@@ -93,6 +93,8 @@ static ERR_STRING_DATA PKCS12_str_functs[]=
 {ERR_FUNC(PKCS12_F_PKCS12_PBE_KEYIVGEN),	"PKCS12_PBE_keyivgen"},
 {ERR_FUNC(PKCS12_F_PKCS12_SETUP_MAC),	"PKCS12_setup_mac"},
 {ERR_FUNC(PKCS12_F_PKCS12_SET_MAC),	"PKCS12_set_mac"},
+{ERR_FUNC(PKCS12_F_PKCS12_UNPACK_AUTHSAFES),	"PKCS12_unpack_authsafes"},
+{ERR_FUNC(PKCS12_F_PKCS12_UNPACK_P7DATA),	"PKCS12_unpack_p7data"},
 {ERR_FUNC(PKCS12_F_PKCS8_ADD_KEYUSAGE),	"PKCS8_add_keyusage"},
 {ERR_FUNC(PKCS12_F_PKCS8_ENCRYPT),	"PKCS8_encrypt"},
 {ERR_FUNC(PKCS12_F_VERIFY_MAC),	"VERIFY_MAC"},
@@ -102,6 +104,7 @@ static ERR_STRING_DATA PKCS12_str_functs[]=
 static ERR_STRING_DATA PKCS12_str_reasons[]=
 	{
 {ERR_REASON(PKCS12_R_CANT_PACK_STRUCTURE),"cant pack structure"},
+{ERR_REASON(PKCS12_R_CONTENT_TYPE_NOT_DATA),"content type not data"},
 {ERR_REASON(PKCS12_R_DECODE_ERROR)       ,"decode error"},
 {ERR_REASON(PKCS12_R_ENCODE_ERROR)       ,"encode error"},
 {ERR_REASON(PKCS12_R_ENCRYPT_ERROR)      ,"encrypt error"},

crypto/pkcs12/pkcs12.h

@@ -287,12 +287,15 @@ void ERR_load_PKCS12_strings(void);
 #define PKCS12_F_PKCS12_PBE_KEYIVGEN			 120
 #define PKCS12_F_PKCS12_SETUP_MAC			 122
 #define PKCS12_F_PKCS12_SET_MAC				 123
+#define PKCS12_F_PKCS12_UNPACK_AUTHSAFES		 129
+#define PKCS12_F_PKCS12_UNPACK_P7DATA			 130
 #define PKCS12_F_PKCS8_ADD_KEYUSAGE			 124
 #define PKCS12_F_PKCS8_ENCRYPT				 125
 #define PKCS12_F_VERIFY_MAC				 126
 
 /* Reason codes. */
 #define PKCS12_R_CANT_PACK_STRUCTURE			 100
+#define PKCS12_R_CONTENT_TYPE_NOT_DATA			 121
 #define PKCS12_R_DECODE_ERROR				 101
 #define PKCS12_R_ENCODE_ERROR				 102
 #define PKCS12_R_ENCRYPT_ERROR				 103

crypto/pkcs7/Makefile

@@ -1,5 +1,5 @@
 #
-# SSLeay/crypto/pkcs7/Makefile
+# OpenSSL/crypto/pkcs7/Makefile
 #
 
 DIR=	pkcs7

crypto/rand/Makefile

@@ -1,5 +1,5 @@
 #
-# SSLeay/crypto/rand/Makefile
+# OpenSSL/crypto/rand/Makefile
 #
 
 DIR=	rand

crypto/rand/rand_lib.c

@@ -87,16 +87,6 @@ int RAND_set_rand_method(const RAND_METHOD *meth)
 
 const RAND_METHOD *RAND_get_rand_method(void)
 	{
-#ifdef OPENSSL_FIPS
-	if(FIPS_mode()
-		&& default_RAND_meth != FIPS_rand_check())
-	    {
-	    RANDerr(RAND_F_RAND_GET_RAND_METHOD,RAND_R_NON_FIPS_METHOD);
-	    return 0;
-	    }
-#endif
-
-
 	if (!default_RAND_meth)
 		{
 #ifndef OPENSSL_NO_ENGINE
@@ -114,8 +104,22 @@ const RAND_METHOD *RAND_get_rand_method(void)
 			funct_ref = e;
 		else
 #endif
-			default_RAND_meth = RAND_SSLeay();
+#ifdef OPENSSL_FIPS
+			if(FIPS_mode())
+				default_RAND_meth=FIPS_rand_method();
+			else
+#endif
+				default_RAND_meth = RAND_SSLeay();
 		}
+
+#ifdef OPENSSL_FIPS
+	if(FIPS_mode()
+		&& default_RAND_meth != FIPS_rand_check())
+	    {
+	    RANDerr(RAND_F_RAND_GET_RAND_METHOD,RAND_R_NON_FIPS_METHOD);
+	    return 0;
+	    }
+#endif
 	return default_RAND_meth;
 	}
 

crypto/rc2/Makefile

@@ -1,5 +1,5 @@
 #
-# SSLeay/crypto/rc2/Makefile
+# OpenSSL/crypto/rc2/Makefile
 #
 
 DIR=	rc2

crypto/rc4/Makefile

@@ -1,5 +1,5 @@
 #
-# SSLeay/crypto/rc4/Makefile
+# OpenSSL/crypto/rc4/Makefile
 #
 
 DIR=	rc4
@@ -69,7 +69,11 @@ asm/rx86unix.cpp: asm/rc4-586.pl ../perlasm/x86asm.pl
 asm/rc4-x86_64.s: asm/rc4-x86_64.pl;	$(PERL) asm/rc4-x86_64.pl $@
 
 asm/rc4-ia64.s: asm/rc4-ia64.S
-	$(CC) $(CFLAGS) -E asm/rc4-ia64.S > $@
+	@case `awk '/^#define RC4_INT/{print$$NF}' $(TOP)/include/openssl/opensslconf.h` in \
+	int)	set -x; $(CC) $(CFLAGS) -DSZ=4 -E asm/rc4-ia64.S > $@ ;; \
+	char)	set -x; $(CC) $(CFLAGS) -DSZ=1 -E asm/rc4-ia64.S > $@ ;; \
+	*)	exit 1 ;; \
+	esac
 
 files:
 	$(PERL) $(TOP)/util/files.pl Makefile >> $(TOP)/MINFO

crypto/rc4/asm/rc4-ia64.S

@@ -7,7 +7,7 @@
 // disclaimed.
 // ====================================================================
 
-.ident  "rc4-ia64.S, Version 1.1"
+.ident  "rc4-ia64.S, Version 2.0"
 .ident  "IA-64 ISA artwork by Andy Polyakov <appro@fy.chalmers.se>"
 
 // What's wrong with compiler generated code? Because of the nature of
@@ -27,17 +27,10 @@
 // Legitimate "collisions" do occur within every 256^2 bytes window.
 // Fortunately there're enough free instruction slots to keep prior
 // reference to key[x+1], detect "collision" and compensate for it.
-// All this without sacrificing a single clock cycle:-)
-// Furthermore. In order to compress loop body to the minimum, I chose
-// to deploy deposit instruction, which substitutes for the whole
-// key->data+((x&255)<<log2(sizeof(key->data[0]))). This unfortunately
-// requires key->data to be aligned at sizeof(key->data) boundary.
-// This is why you'll find "RC4_INT pad[512-256-2];" addenum to RC4_KEY
-// and "d=(RC4_INT *)(((size_t)(d+255))&~(sizeof(key->data)-1));" in
-// rc4_skey.c [and rc4_enc.c, where it's retained for debugging
-// purposes]. Throughput is ~210MBps on 900MHz CPU, which is is >3x
-// faster than gcc generated code and +30% - if compared to HP-UX C.
-// Unrolling loop below should give >30% on top of that...
+// All this without sacrificing a single clock cycle:-) Throughput is
+// ~210MBps on 900MHz CPU, which is is >3x faster than gcc generated
+// code and +30% - if compared to HP-UX C. Unrolling loop below should
+// give >30% on top of that...
 
 .text
 .explicit
@@ -48,7 +41,9 @@
 # define ADDP	add
 #endif
 
+#ifndef SZ
 #define SZ	4	// this is set to sizeof(RC4_INT)
+#endif
 // SZ==4 seems to be optimal. At least SZ==8 is not any faster, not for
 // assembler implementation, while SZ==1 code is ~30% slower.
 #if SZ==1	// RC4_INT is unsigned char
@@ -101,45 +96,53 @@ RC4:
 	ADDP	out=0,in3
 	brp.loop.imp	.Ltop,.Lexit-16	};;
 { .mmi;	LDKEY	yy=[key]			// load key->y
-	add	ksch=(255+1)*SZ,key		// as ksch will be used with
-						// deposit instruction only,
-						// I don't have to &~255...
+	add	ksch=SZ,key
 	mov	ar.lc=in1		}
 { .mmi;	mov	key_y[1]=r0			// guarantee inequality
 						// in first iteration
 	add	xx=1,xx
 	mov	pr.rot=1<<16		};;
 { .mii;	nop.m	0
-	dep	key_x[1]=xx,ksch,OFF,8
+	dep	key_x[1]=xx,r0,OFF,8
 	mov	ar.ec=3			};;	// note that epilogue counter
 						// is off by 1. I compensate
 						// for this at exit...
 .Ltop:
-// The loop is scheduled for 3*(n+2) spin-rate on Itanium 2, which
+// The loop is scheduled for 4*(n+2) spin-rate on Itanium 2, which
 // theoretically gives asymptotic performance of clock frequency
-// divided by 3 bytes per seconds, or 500MBps on 1.5GHz CPU. Measured
-// performance however is distinctly lower than 1/4:-( The culplrit
-// seems to be *(out++)=dat, which inadvertently splits the bundle,
-// even though there is M-port available... Unrolling is due...
-// Unrolled loop should collect output with variable shift instruction
-// in order to avoid starvation for integer shifter... It should be
-// possible to get pretty close to theoretical peak...
-{ .mmi;	(p16)	LDKEY	tx[0]=[key_x[1]]		// tx=key[xx]
-	(p17)	LDKEY	ty[0]=[key_y[1]]		// ty=key[yy]	
-	(p18)	dep	rnd[1]=rnd[1],ksch,OFF,8}	// &key[(tx+ty)&255]
+// divided by 4 bytes per seconds, or 400MBps on 1.6GHz CPU. This is
+// for sizeof(RC4_INT)==4. For smaller RC4_INT STKEY inadvertently
+// splits the last bundle and you end up with 5*n spin-rate:-(
+// Originally the loop was scheduled for 3*n and relied on key
+// schedule to be aligned at 256*sizeof(RC4_INT) boundary. But
+// *(out++)=dat, which maps to st1, had same effect [inadvertent
+// bundle split] and holded the loop back. Rescheduling for 4*n
+// made it possible to eliminate dependence on specific alignment
+// and allow OpenSSH keep "abusing" our API. Reaching for 3*n would
+// require unrolling, sticking to variable shift instruction for
+// collecting output [to avoid starvation for integer shifter] and
+// copying of key schedule to controlled place in stack [so that
+// deposit instruction can serve as substitute for whole
+// key->data+((x&255)<<log2(sizeof(key->data[0])))]...
 { .mmi;	(p19)	st1	[out]=dat[3],1			// *(out++)=dat
 	(p16)	add	xx=1,xx				// x++
-	(p16)	cmp.ne.unc p20,p21=key_x[1],key_y[1]	};;
+	(p18)	dep	rnd[1]=rnd[1],r0,OFF,8	}	// ((tx+ty)&255)<<OFF
+{ .mmi;	(p16)	add	key_x[1]=ksch,key_x[1]		// &key[xx&255]
+	(p17)	add	key_y[1]=ksch,key_y[1]	};;	// &key[yy&255]	
+{ .mmi;	(p16)	LDKEY	tx[0]=[key_x[1]]		// tx=key[xx]
+	(p17)	LDKEY	ty[0]=[key_y[1]]		// ty=key[yy]	
+	(p16)	dep	key_x[0]=xx,r0,OFF,8	}	// (xx&255)<<OFF
+{ .mmi;	(p18)	add	rnd[1]=ksch,rnd[1]		// &key[(tx+ty)&255]
+	(p16)	cmp.ne.unc p20,p21=key_x[1],key_y[1] };;
 { .mmi;	(p18)	LDKEY	rnd[1]=[rnd[1]]			// rnd=key[(tx+ty)&255]
-	(p16)	ld1	dat[0]=[inp],1			// dat=*(inp++)
-	(p16)	dep	key_x[0]=xx,ksch,OFF,8	}	// &key[xx&255]
+	(p16)	ld1	dat[0]=[inp],1		}	// dat=*(inp++)
 .pred.rel	"mutex",p20,p21
 { .mmi;	(p21)	add	yy=yy,tx[1]			// (p16)
 	(p20)	add	yy=yy,tx[0]			// (p16) y+=tx
 	(p21)	mov	tx[0]=tx[1]		};;	// (p16)
 { .mmi;	(p17)	STKEY	[key_y[1]]=tx[1]		// key[yy]=tx
 	(p17)	STKEY	[key_x[2]]=ty[0]		// key[xx]=ty
-	(p16)	dep	key_y[0]=yy,ksch,OFF,8	}	// &key[yy&255]
+	(p16)	dep	key_y[0]=yy,r0,OFF,8	}	// &key[yy&255]
 { .mmb;	(p17)	add	rnd[0]=tx[1],ty[0]		// tx+=ty
 	(p18)	xor	dat[2]=dat[2],rnd[1]		// dat^=rnd
 	br.ctop.sptk	.Ltop			};;

crypto/rc4/rc4.h

@@ -73,10 +73,6 @@ typedef struct rc4_key_st
 	{
 	RC4_INT x,y;
 	RC4_INT data[256];
-#if defined(__ia64) || defined(__ia64__) || defined(_M_IA64)
-	/* see crypto/rc4/asm/rc4-ia64.S for further details... */
-	RC4_INT pad[512-256-2];
-#endif
 	} RC4_KEY;
 
  

crypto/rc4/rc4_enc.c

@@ -77,10 +77,6 @@ void RC4(RC4_KEY *key, unsigned long len, const unsigned char *indata,
         x=key->x;     
         y=key->y;     
         d=key->data; 
-#if defined(__ia64) || defined(__ia64__) || defined(_M_IA64)
-	/* see crypto/rc4/asm/rc4-ia64.S for further details... */
-	d=(RC4_INT *)(((size_t)(d+255))&~(sizeof(key->data)-1));
-#endif
 
 #if defined(RC4_CHUNK)
 	/*

crypto/rc4/rc4_skey.c

@@ -95,10 +95,6 @@ FIPS_NON_FIPS_VCIPHER_Init(RC4)
         unsigned int i;
         
         d= &(key->data[0]);
-#if defined(__ia64) || defined(__ia64__) || defined(_M_IA64)
-	/* see crypto/rc4/asm/rc4-ia64.S for further details... */
-	d=(RC4_INT *)(((size_t)(d+255))&~(sizeof(key->data)-1));
-#endif
 
 	for (i=0; i<256; i++)
 		d[i]=i;

crypto/rc5/Makefile

@@ -1,5 +1,5 @@
 #
-# SSLeay/crypto/rc5/Makefile
+# OpenSSL/crypto/rc5/Makefile
 #
 
 DIR=	rc5

crypto/ripemd/Makefile

@@ -1,5 +1,5 @@
 #
-# SSLeay/crypto/ripemd/Makefile
+# OpenSSL/crypto/ripemd/Makefile
 #
 
 DIR=    ripemd

crypto/rsa/Makefile

@@ -1,5 +1,5 @@
 #
-# SSLeay/crypto/rsa/Makefile
+# OpenSSL/crypto/rsa/Makefile
 #
 
 DIR=	rsa

crypto/rsa/rsa.h

@@ -389,17 +389,17 @@ void ERR_load_RSA_strings(void);
 #define RSA_R_NULL_BEFORE_BLOCK_MISSING			 113
 #define RSA_R_N_DOES_NOT_EQUAL_P_Q			 127
 #define RSA_R_OAEP_DECODING_ERROR			 121
-#define RSA_R_SLEN_RECOVERY_FAILED			 135
 #define RSA_R_PADDING_CHECK_FAILED			 114
 #define RSA_R_P_NOT_PRIME				 128
 #define RSA_R_Q_NOT_PRIME				 129
 #define RSA_R_RSA_OPERATIONS_NOT_SUPPORTED		 130
+#define RSA_R_SLEN_CHECK_FAILED				 136
+#define RSA_R_SLEN_RECOVERY_FAILED			 135
 #define RSA_R_SSLV3_ROLLBACK_ATTACK			 115
 #define RSA_R_THE_ASN1_OBJECT_IDENTIFIER_IS_NOT_KNOWN_FOR_THIS_MD 116
 #define RSA_R_UNKNOWN_ALGORITHM_TYPE			 117
 #define RSA_R_UNKNOWN_PADDING_TYPE			 118
 #define RSA_R_WRONG_SIGNATURE_LENGTH			 119
-#define RSA_R_SLEN_CHECK_FAILED				 136
 
 #ifdef  __cplusplus
 }

crypto/sha/Makefile

@@ -1,5 +1,5 @@
 #
-# SSLeay/crypto/sha/Makefile
+# OpenSSL/crypto/sha/Makefile
 #
 
 DIR=    sha

crypto/stack/Makefile

@@ -1,5 +1,5 @@
 #
-# SSLeay/crypto/stack/Makefile
+# OpenSSL/crypto/stack/Makefile
 #
 
 DIR=	stack

crypto/txt_db/Makefile

@@ -1,5 +1,5 @@
 #
-# SSLeay/crypto/txt_db/Makefile
+# OpenSSL/crypto/txt_db/Makefile
 #
 
 DIR=	txt_db

crypto/x509/Makefile

@@ -1,5 +1,5 @@
 #
-# SSLeay/crypto/x509/Makefile
+# OpenSSL/crypto/x509/Makefile
 #
 
 DIR=	x509

crypto/x509/by_dir.c

@@ -114,7 +114,7 @@ static int dir_ctrl(X509_LOOKUP *ctx, int cmd, const char *argp, long argl,
 	{
 	int ret=0;
 	BY_DIR *ld;
-	char *dir;
+	char *dir = NULL;
 
 	ld=(BY_DIR *)ctx->method_data;
 
@@ -123,17 +123,16 @@ static int dir_ctrl(X509_LOOKUP *ctx, int cmd, const char *argp, long argl,
 	case X509_L_ADD_DIR:
 		if (argl == X509_FILETYPE_DEFAULT)
 			{
-			ret=add_cert_dir(ld,X509_get_default_cert_dir(),
-				X509_FILETYPE_PEM);
+			dir=(char *)Getenv(X509_get_default_cert_dir_env());
+			if (dir)
+				ret=add_cert_dir(ld,dir,X509_FILETYPE_PEM);
+			else
+				ret=add_cert_dir(ld,X509_get_default_cert_dir(),
+					X509_FILETYPE_PEM);
 			if (!ret)
 				{
 				X509err(X509_F_DIR_CTRL,X509_R_LOADING_CERT_DIR);
 				}
-			else
-				{
-				dir=(char *)Getenv(X509_get_default_cert_dir_env());
-				ret=add_cert_dir(ld,dir,X509_FILETYPE_PEM);
-				}
 			}
 		else
 			ret=add_cert_dir(ld,argp,(int)argl);

crypto/x509v3/Makefile

@@ -1,5 +1,5 @@
 #
-# SSLeay/crypto/x509v3/Makefile
+# OpenSSL/crypto/x509v3/Makefile
 #
 
 DIR=	x509v3

crypto/x509v3/v3_cpols.c

@@ -137,7 +137,15 @@ static STACK_OF(POLICYINFO) *r2i_certpol(X509V3_EXT_METHOD *method,
 	CONF_VALUE *cnf;
 	int i, ia5org;
 	pols = sk_POLICYINFO_new_null();
+	if (pols == NULL) {
+		X509V3err(X509V3_F_R2I_CERTPOL, ERR_R_MALLOC_FAILURE);
+		return NULL;
+	}
 	vals =  X509V3_parse_list(value);
+	if (vals == NULL) {
+		X509V3err(X509V3_F_R2I_CERTPOL, ERR_R_X509V3_LIB);
+		goto err;
+	}
 	ia5org = 0;
 	for(i = 0; i < sk_CONF_VALUE_num(vals); i++) {
 		cnf = sk_CONF_VALUE_value(vals, i);
@@ -176,6 +184,7 @@ static STACK_OF(POLICYINFO) *r2i_certpol(X509V3_EXT_METHOD *method,
 	sk_CONF_VALUE_pop_free(vals, X509V3_conf_free);
 	return pols;
 	err:
+	sk_CONF_VALUE_pop_free(vals, X509V3_conf_free);
 	sk_POLICYINFO_pop_free(pols, POLICYINFO_free);
 	return NULL;
 }

doc/apps/enc.pod

@@ -191,12 +191,12 @@ Blowfish and RC5 algorithms use a 128 bit key.
  des-ecb            DES in ECB mode
 
  des-ede-cbc        Two key triple DES EDE in CBC mode
- des-ede            Alias for des-ede
+ des-ede            Two key triple DES EDE in ECB mode
  des-ede-cfb        Two key triple DES EDE in CFB mode
  des-ede-ofb        Two key triple DES EDE in OFB mode
 
  des-ede3-cbc       Three key triple DES EDE in CBC mode
- des-ede3           Alias for des-ede3-cbc
+ des-ede3           Three key triple DES EDE in ECB mode
  des3               Alias for des-ede3-cbc
  des-ede3-cfb       Three key triple DES EDE CFB mode
  des-ede3-ofb       Three key triple DES EDE in OFB mode
@@ -211,9 +211,9 @@ Blowfish and RC5 algorithms use a 128 bit key.
 
  rc2-cbc            128 bit RC2 in CBC mode
  rc2                Alias for rc2-cbc
- rc2-cfb            128 bit RC2 in CBC mode
- rc2-ecb            128 bit RC2 in CBC mode
- rc2-ofb            128 bit RC2 in CBC mode
+ rc2-cfb            128 bit RC2 in CFB mode
+ rc2-ecb            128 bit RC2 in ECB mode
+ rc2-ofb            128 bit RC2 in OFB mode
  rc2-64-cbc         64 bit RC2 in CBC mode
  rc2-40-cbc         40 bit RC2 in CBC mode
 
@@ -223,9 +223,9 @@ Blowfish and RC5 algorithms use a 128 bit key.
 
  rc5-cbc            RC5 cipher in CBC mode
  rc5                Alias for rc5-cbc
- rc5-cfb            RC5 cipher in CBC mode
- rc5-ecb            RC5 cipher in CBC mode
- rc5-ofb            RC5 cipher in CBC mode
+ rc5-cfb            RC5 cipher in CFB mode
+ rc5-ecb            RC5 cipher in ECB mode
+ rc5-ofb            RC5 cipher in OFB mode
 
 =head1 EXAMPLES
 

doc/crypto/PKCS7_verify.pod

@@ -8,7 +8,7 @@ PKCS7_verify - verify a PKCS#7 signedData structure
 
 int PKCS7_verify(PKCS7 *p7, STACK_OF(X509) *certs, X509_STORE *store, BIO *indata, BIO *out, int flags);
 
-int PKCS7_get0_signers(PKCS7 *p7, STACK_OF(X509) *certs, int flags);
+STACK_OF(X509) *PKCS7_get0_signers(PKCS7 *p7, STACK_OF(X509) *certs, int flags);
 
 =head1 DESCRIPTION
 

doc/crypto/hmac.pod

@@ -18,7 +18,7 @@ authentication code
  void HMAC_Init(HMAC_CTX *ctx, const void *key, int key_len,
                const EVP_MD *md);
  void HMAC_Init_ex(HMAC_CTX *ctx, const void *key, int key_len,
-               	   const EVP_MD *md);
+               	   const EVP_MD *md, ENGINE *impl);
  void HMAC_Update(HMAC_CTX *ctx, const unsigned char *data, int len);
  void HMAC_Final(HMAC_CTX *ctx, unsigned char *md, unsigned int *len);
 

doc/crypto/threads.pod

@@ -65,9 +65,10 @@ B<CRYPTO_LOCK>, and releases it otherwise.
 B<file> and B<line> are the file number of the function setting the
 lock. They can be useful for debugging.
 
-id_function(void) is a function that returns a thread ID. It is not
+id_function(void) is a function that returns a thread ID, for example
+pthread_self() if it returns an integer (see NOTES below).  It isn't
 needed on Windows nor on platforms where getpid() returns a different
-ID for each thread (most notably Linux).
+ID for each thread (see NOTES below).
 
 Additionally, OpenSSL supports dynamic locks, and sometimes, some parts
 of OpenSSL need it for better performance.  To enable this, the following
@@ -124,7 +125,7 @@ CRYPTO_get_new_dynlockid() returns the index to the newly created lock.
 
 The other functions return no values.
 
-=head1 NOTE
+=head1 NOTES
 
 You can find out if OpenSSL was configured with thread support:
 
@@ -139,6 +140,22 @@ You can find out if OpenSSL was configured with thread support:
 Also, dynamic locks are currently not used internally by OpenSSL, but
 may do so in the future.
 
+Defining id_function(void) has it's own issues.  Generally speaking,
+pthread_self() should be used, even on platforms where getpid() gives
+different answers in each thread, since that may depend on the machine
+the program is run on, not the machine where the program is being
+compiled.  For instance, Red Hat 8 Linux and earlier used
+LinuxThreads, whose getpid() returns a different value for each
+thread.  Red Hat 9 Linux and later use NPTL, which is
+Posix-conformant, and has a getpid() that returns the same value for
+all threads in a process.  A program compiled on Red Hat 8 and run on
+Red Hat 9 will therefore see getpid() returning the same value for
+all threads.
+
+There is still the issue of platforms where pthread_self() returns
+something other than an integer.  This is a bit unusual, and this
+manual has no cookbook solution for that case.
+
 =head1 EXAMPLES
 
 B<crypto/threads/mttest.c> shows examples of the callback functions on

doc/ssl/SSL_CTX_set_options.pod

@@ -86,7 +86,7 @@ doing a re-connect, always takes the first cipher in the cipher list.
 
 =item SSL_OP_MSIE_SSLV2_RSA_PADDING
 
-...
+As of OpenSSL 0.9.7h and 0.9.8a, this option has no effect.
 
 =item SSL_OP_SSLEAY_080_CLIENT_DH_BUG