Here we go: prepare to roll 0.9.3.

always get included with the relevant files.

Configure

@@ -97,6 +97,7 @@ my %table=(
 "debug-ben-debug",	"gcc:-DBN_DEBUG -DREF_CHECK -DCRYPTO_MDEBUG -g3 -O2 -pedantic -Wall -Wshadow -Werror -pipe:(unknown):::::",
 "debug-ben-strict",	"gcc:-DBN_DEBUG -DREF_CHECK -DCRYPTO_MDEBUG -DCONST_STRICT -O2 -Wall -Wshadow -Werror -Wpointer-arith -Wcast-qual -Wwrite-strings -pipe:(unknown):::::",
 "debug-rse","cc:-DTERMIOS -DL_ENDIAN -pipe -O -g -ggdb3 -Wall:(unknown)::BN_LLONG $x86_gcc_des $x86_gcc_opts:$x86_elf_asm",
+"debug-bodo",	"gcc:-DL_ENDIAN -O3 -g -m486 -Wall:-D_REENTRANT::BN_LLONG $x86_gcc_des $x86_gcc_opts:$x86_elf_asm",
 "dist",		"cc:-O:(unknown):::::",
 
 # Basic configs that should work on any box

INSTALL.VMS

@@ -127,15 +127,29 @@ The logical names that are set up are the following:
 
   SSLROOT       a dotted concealed logical name pointing at the
                 root directory.
-  SSLLIB        points at the directory where CRYPTORTL.OLB and
-		SSLRTL.OLB are installed.
-  SSLINCLUDE    points at the directory where the header files are
-                installed.
-  SSLEXE        points at the directory where the applications are
-                installed.
-  SSLCERTS      the place where the certificates are stored.
-  SSLPRIVATE    I'm actually not sure what this is used for.
 
+  SSLCERTS      Initially an empty directory, this is the default
+		location for certificate files.
+  SSLMISC	Various scripts.
+  SSLPRIVATE	Initially an empty directory, this is the default
+		location for private key files.
+
+  SSLEXE        Contains the openssl binary and a few other utility
+		programs.
+  SSLINCLUDE    Contains the header files needed if you want to
+		compile programs with libcrypto or libssl.
+  SSLLIB        Contains the OpenSSL library files (LIBCRYPTO.OLB
+		and LIBSSL.OLB) themselves.
+
+  OPENSSL	Same as SSLINCLUDE.  This is because the standard
+		way to include OpenSSL header files from version
+		0.9.3 and on is:
+
+			#include <openssl/header.h>
+
+		For more info on this issue, see the INSTALL. file
+		(the NOTE in section 4 of "Installation in Detail").
+		You don't need to "deleting old header files"!!!
 
 Backward portability:
 =====================

INSTALL.W32

@@ -6,7 +6,7 @@
  this is tested on Win32 but it may also work in Win 3.1 with some
  modification.  See the end of this file for Eric's original comments.
 
- You need Perl for Win32 (available from http://activestate.com/ActivePerl)
+ You need Perl for Win32 (available from http://www.activestate.com/ActivePerl)
  and one of the following C compilers:
 
   * Visual C++

Makefile.org

@@ -294,7 +294,7 @@ errors:
 
 tar:
 	@tar --norecurse -cvf - \
-		`find * -depth \! -path \*/CVS/\* \! -name CVS \! -name .cvsignore \! -name STATUS | sort` |\
+		`find * \! -path CVS/\* \! -path \*/CVS/\* \! -name CVS \! -name .cvsignore \! -name STATUS | sort` |\
 	tardy --user_number=0  --user_name=openssl \
 	      --group_number=0 --group_name=openssl \
 	      --prefix=openssl-$(VERSION) - |\

apps/apps.h

@@ -59,7 +59,7 @@
 #ifndef HEADER_APPS_H
 #define HEADER_APPS_H
 
-#include <openssl/e_os.h>
+#include "openssl/e_os.h"
 
 #include <openssl/buffer.h>
 #include <openssl/bio.h>

apps/eay.c

@@ -62,7 +62,8 @@
 
 #define MONOLITH
 #define USE_SOCKETS
-#include <openssl/e_os.h>
+
+#include "openssl/e_os.h"
 
 #include <openssl/bio.h>
 #include <openssl/stack.h>

apps/openssl-vms.cnf

@@ -3,10 +3,17 @@
 # This is mostly being used for generation of certificate requests.
 #
 
-RANDFILE		= $ENV::HOME.rnd
-oid_file		= $ENV::HOME.oid
+RANDFILE		= $ENV::HOME/.rnd
+oid_file		= $ENV::HOME/.oid
 oid_section		= new_oids
 
+# To use this configuration file with the "-extfile" option of the
+# "openssl x509" utility, name here the section containing the
+# X.509v3 extensions to use:
+# extensions		= 
+# (Alternatively, use a configuration file that has only
+# X.509v3 extensions in its main [= default] section.)
+
 [ new_oids ]
 
 # We can add new OIDs in here for use by 'ca' and 'req'.
@@ -35,6 +42,11 @@ private_key	= $dir.private]cakey.pem# The private key
 RANDFILE	= $dir.private].rand	# private random number file
 
 x509_extensions	= usr_cert		# The extentions to add to the cert
+
+# Extensions to add to a CRL. Note: Netscape communicator chokes on V2 CRLs
+# so this is commented out by default to leave a V1 CRL.
+# crl_extensions	= crl_ext
+
 default_days	= 365			# how long to certify for
 default_crl_days= 30			# how long before next CRL
 default_md	= md5			# which md to use.
@@ -123,31 +135,33 @@ basicConstraints=CA:FALSE
 # the certificate can be used for anything *except* object signing.
 
 # This is OK for an SSL server.
-#nsCertType			= server
+# nsCertType			= server
 
 # For an object signing certificate this would be used.
-#nsCertType = objsign
+# nsCertType = objsign
 
 # For normal client use this is typical
-#nsCertType = client, email
+# nsCertType = client, email
 
-# This is typical also
+# and for everything including object signing:
+# nsCertType = client, email, objsign
 
-keyUsage = nonRepudiation, digitalSignature, keyEncipherment
+# This is typical in keyUsage for a client certificate.
+# keyUsage = nonRepudiation, digitalSignature, keyEncipherment
 
+# This will be displayed in Netscape's comment listbox.
 nsComment			= "OpenSSL Generated Certificate"
 
-# PKIX recommendations
+# PKIX recommendations harmless if included in all certificates.
 subjectKeyIdentifier=hash
 authorityKeyIdentifier=keyid,issuer:always
 
+# This stuff is for subjectAltName and issuerAltname.
 # Import the email address.
-
-subjectAltName=email:copy
+# subjectAltName=email:copy
 
 # Copy subject details
-
-issuerAltName=issuer:copy
+# issuerAltName=issuer:copy
 
 #nsCaRevocationUrl		= http://www.domain.dom/ca-crl.pem
 #nsBaseUrl
@@ -160,8 +174,6 @@ issuerAltName=issuer:copy
 
 # Extensions for a typical CA
 
-# It's a CA certificate
-basicConstraints = CA:true
 
 # PKIX recommendation.
 
@@ -172,19 +184,31 @@ authorityKeyIdentifier=keyid:always,issuer:always
 # This is what PKIX recommends but some broken software chokes on critical
 # extensions.
 #basicConstraints = critical,CA:true
+# So we do this instead.
+basicConstraints = CA:true
 
-# Key usage: again this should really be critical.
-keyUsage = cRLSign, keyCertSign
+# Key usage: this is typical for a CA certificate. However since it will
+# prevent it being used as an test self-signed certificate it is best
+# left out by default.
+# keyUsage = cRLSign, keyCertSign
 
 # Some might want this also
-#nsCertType = sslCA, emailCA
+# nsCertType = sslCA, emailCA
 
 # Include email address in subject alt name: another PKIX recommendation
-subjectAltName=email:copy
+# subjectAltName=email:copy
 # Copy issuer details
-issuerAltName=issuer:copy
+# issuerAltName=issuer:copy
 
 # RAW DER hex encoding of an extension: beware experts only!
 # 1.2.3.5=RAW:02:03
 # You can even override a supported extension:
 # basicConstraints= critical, RAW:30:03:01:01:FF
+
+[ crl_ext ]
+
+# CRL extensions.
+# Only issuerAltName and authorityKeyIdentifier make any sense in a CRL.
+
+# issuerAltName=issuer:copy
+authorityKeyIdentifier=keyid:always,issuer:always

config

@@ -304,6 +304,7 @@ echo Operating system: $GUESSOS
 case "$GUESSOS" in
   alpha-*-linux2) OUT="alpha-gcc" ;;
   ppc-*-linux2) OUT="linux-ppc" ;;
+  mips-*-linux?) OUT="linux-mips" ;;
   *-*-linux2) OUT="linux-elf" ;;
   *-*-linux1) OUT="linux-aout" ;;
   sun4u-sun-solaris2) OUT="solaris-usparc-$CC" ;;

crypto/bn/bntest.c

@@ -59,7 +59,9 @@
 #include <stdio.h>
 #include <stdlib.h>
 #include <string.h>
-#include <openssl/e_os.h>
+
+#include "openssl/e_os.h"
+
 #include <openssl/bio.h>
 #include <openssl/bn.h>
 #include <openssl/rand.h>

crypto/cast/cast_lcl.h

@@ -60,7 +60,8 @@
 #include <stdlib.h>
 #endif
 
-#include <openssl/e_os.h>	/* OPENSSL_EXTERN */
+
+#include "openssl/e_os.h" /* OPENSSL_EXTERN */
 
 #undef c2l
 #define c2l(c,l)	(l =((unsigned long)(*((c)++)))    , \

crypto/cryptlib.h

@@ -66,7 +66,8 @@
 extern "C" {
 #endif
 
-#include <openssl/e_os.h>
+#include "openssl/e_os.h"
+
 #include <openssl/crypto.h>
 #include <openssl/buffer.h> 
 #include <openssl/bio.h> 

crypto/md5/md5_locl.h

@@ -127,7 +127,11 @@ void md5_block_data_order (MD5_CTX *c, const void *p,int num);
  */
 #endif
 
+#ifndef FLAT_INC
 #include "../md32_common.h"
+#else
+#include "md32_common.h"
+#endif
 
 /*
 #define	F(x,y,z)	(((x) & (y))  |  ((~(x)) & (z)))

crypto/opensslv.h

@@ -4,15 +4,17 @@
 /* Numeric release version identifier:
  * MMNNFFRBB: major minor fix final beta/patch
  * For example:
- * 0.9.3-dev	0x00903000
- * 0.9.3beta1	0x00903001
- * 0.9.3	0x00903100
- * 0.9.3a	0x00903101
- * 1.2.3z	0x1020311a
+ * 0.9.3-dev	  0x00903000
+ * 0.9.3beta1	  0x00903001
+ * 0.9.3beta2-dev 0x00903002
+ * 0.9.3beta2     0x00903002
+ * 0.9.3	  0x00903100
+ * 0.9.3a	  0x00903101
+ * 1.2.3z	  0x1020311a
  * (Prior to 0.9.3-dev a different scheme was used: 0.9.2b is 0x0922.)
  */
-#define OPENSSL_VERSION_NUMBER	0x00903001L
-#define OPENSSL_VERSION_TEXT	"OpenSSL 0.9.3beta1 20 May 1999"
+#define OPENSSL_VERSION_NUMBER	0x00903100L
+#define OPENSSL_VERSION_TEXT	"OpenSSL 0.9.3 23 May 1999"
 #define OPENSSL_VERSION_PTEXT	" part of " OPENSSL_VERSION_TEXT
 
 #endif /* HEADER_OPENSSLV_H */

crypto/pkcs7/pkcs7.h

@@ -66,6 +66,11 @@ extern "C" {
 #include <openssl/bio.h>
 #include <openssl/x509.h>
 
+#ifdef WIN32
+/* Under Win32 this is defined in wincrypt.h */
+#undef PKCS7_ISSUER_AND_SERIAL
+#endif
+
 /*
 Encryption_ID		DES-CBC
 Digest_ID		MD5
@@ -235,11 +240,11 @@ PKCS7_ISSUER_AND_SERIAL *d2i_PKCS7_ISSUER_AND_SERIAL(
 int PKCS7_ISSUER_AND_SERIAL_digest(PKCS7_ISSUER_AND_SERIAL *data,EVP_MD *type,
 	unsigned char *md,unsigned int *len);
 #ifndef NO_FP_API
-PKCS7 *d2i_PKCS7_fp(FILE *fp,PKCS7 *p7);
+PKCS7 *d2i_PKCS7_fp(FILE *fp,PKCS7 **p7);
 int i2d_PKCS7_fp(FILE *fp,PKCS7 *p7);
 #endif
 PKCS7 *PKCS7_dup(PKCS7 *p7);
-PKCS7 *d2i_PKCS7_bio(BIO *bp,PKCS7 *p7);
+PKCS7 *d2i_PKCS7_bio(BIO *bp,PKCS7 **p7);
 int i2d_PKCS7_bio(BIO *bp,PKCS7 *p7);
 #endif
 

crypto/rand/md_rand.c

@@ -60,7 +60,9 @@
 #include <sys/types.h>
 #include <time.h>
 #include <string.h>
-#include <openssl/e_os.h>
+
+#include "openssl/e_os.h"
+
 #include <openssl/crypto.h>
 
 #if !defined(USE_MD5_RAND) && !defined(USE_SHA1_RAND) && !defined(USE_MDC2_RAND) && !defined(USE_MD2_RAND)

crypto/rand/randfile.c

@@ -63,7 +63,9 @@
 #include <sys/types.h>
 #include <sys/stat.h>
 #include <sys/types.h>
-#include <openssl/e_os.h>
+
+#include "openssl/e_os.h"
+
 #include <openssl/rand.h>
 
 #undef BUFSIZE

crypto/rsa/rsa_oaep_test.c

@@ -2,7 +2,9 @@
 
 #include <stdio.h>
 #include <string.h>
-#include <openssl/e_os.h>
+
+#include "openssl/e_os.h"
+
 #include <openssl/err.h>
 #ifdef NO_RSA
 int main(int argc, char *argv[])

crypto/x509/x509.h

@@ -86,6 +86,12 @@ extern "C" {
 
 #include <openssl/evp.h>
 
+
+#ifdef WIN32
+/* Under Win32 this is defined in wincrypt.h */
+#undef X509_NAME
+#endif
+
 #define X509_FILETYPE_PEM	1
 #define X509_FILETYPE_ASN1	2
 #define X509_FILETYPE_DEFAULT	3
@@ -551,39 +557,39 @@ int X509_NAME_digest(X509_NAME *data,EVP_MD *type,
 #endif
 
 #ifndef NO_FP_API
-X509 *d2i_X509_fp(FILE *fp, X509 *x509);
+X509 *d2i_X509_fp(FILE *fp, X509 **x509);
 int i2d_X509_fp(FILE *fp,X509 *x509);
-X509_CRL *d2i_X509_CRL_fp(FILE *fp,X509_CRL *crl);
+X509_CRL *d2i_X509_CRL_fp(FILE *fp,X509_CRL **crl);
 int i2d_X509_CRL_fp(FILE *fp,X509_CRL *crl);
-X509_REQ *d2i_X509_REQ_fp(FILE *fp,X509_REQ *req);
+X509_REQ *d2i_X509_REQ_fp(FILE *fp,X509_REQ **req);
 int i2d_X509_REQ_fp(FILE *fp,X509_REQ *req);
 #ifndef NO_RSA
-RSA *d2i_RSAPrivateKey_fp(FILE *fp,RSA *rsa);
+RSA *d2i_RSAPrivateKey_fp(FILE *fp,RSA **rsa);
 int i2d_RSAPrivateKey_fp(FILE *fp,RSA *rsa);
-RSA *d2i_RSAPublicKey_fp(FILE *fp,RSA *rsa);
+RSA *d2i_RSAPublicKey_fp(FILE *fp,RSA **rsa);
 int i2d_RSAPublicKey_fp(FILE *fp,RSA *rsa);
 #endif
 #ifndef NO_DSA
-DSA *d2i_DSAPrivateKey_fp(FILE *fp, DSA *dsa);
+DSA *d2i_DSAPrivateKey_fp(FILE *fp, DSA **dsa);
 int i2d_DSAPrivateKey_fp(FILE *fp, DSA *dsa);
 #endif
 #endif
 
 #ifdef HEADER_BIO_H
-X509 *d2i_X509_bio(BIO *bp,X509 *x509);
+X509 *d2i_X509_bio(BIO *bp,X509 **x509);
 int i2d_X509_bio(BIO *bp,X509 *x509);
-X509_CRL *d2i_X509_CRL_bio(BIO *bp,X509_CRL *crl);
+X509_CRL *d2i_X509_CRL_bio(BIO *bp,X509_CRL **crl);
 int i2d_X509_CRL_bio(BIO *bp,X509_CRL *crl);
-X509_REQ *d2i_X509_REQ_bio(BIO *bp,X509_REQ *req);
+X509_REQ *d2i_X509_REQ_bio(BIO *bp,X509_REQ **req);
 int i2d_X509_REQ_bio(BIO *bp,X509_REQ *req);
 #ifndef NO_RSA
-RSA *d2i_RSAPrivateKey_bio(BIO *bp,RSA *rsa);
+RSA *d2i_RSAPrivateKey_bio(BIO *bp,RSA **rsa);
 int i2d_RSAPrivateKey_bio(BIO *bp,RSA *rsa);
-RSA *d2i_RSAPublicKey_bio(BIO *bp,RSA *rsa);
+RSA *d2i_RSAPublicKey_bio(BIO *bp,RSA **rsa);
 int i2d_RSAPublicKey_bio(BIO *bp,RSA *rsa);
 #endif
 #ifndef NO_DSA
-DSA *d2i_DSAPrivateKey_bio(BIO *bp, DSA *dsa);
+DSA *d2i_DSAPrivateKey_bio(BIO *bp, DSA **dsa);
 int i2d_DSAPrivateKey_bio(BIO *bp, DSA *dsa);
 #endif
 #endif

crypto/x509/x_all.c

@@ -133,7 +133,7 @@ X509_EXTENSION *X509_EXTENSION_dup(X509_EXTENSION *ex)
 	}
 
 #ifndef NO_FP_API
-X509 *d2i_X509_fp(FILE *fp, X509 *x509)
+X509 *d2i_X509_fp(FILE *fp, X509 **x509)
 	{
 	return((X509 *)ASN1_d2i_fp((char *(*)())X509_new,
 		(char *(*)())d2i_X509, (fp),(unsigned char **)(x509)));
@@ -145,7 +145,7 @@ int i2d_X509_fp(FILE *fp, X509 *x509)
 	}
 #endif
 
-X509 *d2i_X509_bio(BIO *bp, X509 *x509)
+X509 *d2i_X509_bio(BIO *bp, X509 **x509)
 	{
 	return((X509 *)ASN1_d2i_bio((char *(*)())X509_new,
 		(char *(*)())d2i_X509, (bp),(unsigned char **)(x509)));
@@ -163,7 +163,7 @@ X509_CRL *X509_CRL_dup(X509_CRL *crl)
 	}
 
 #ifndef NO_FP_API
-X509_CRL *d2i_X509_CRL_fp(FILE *fp, X509_CRL *crl)
+X509_CRL *d2i_X509_CRL_fp(FILE *fp, X509_CRL **crl)
 	{
 	return((X509_CRL *)ASN1_d2i_fp((char *(*)())
 		X509_CRL_new,(char *(*)())d2i_X509_CRL, (fp),
@@ -176,7 +176,7 @@ int i2d_X509_CRL_fp(FILE *fp, X509_CRL *crl)
 	}
 #endif
 
-X509_CRL *d2i_X509_CRL_bio(BIO *bp, X509_CRL *crl)
+X509_CRL *d2i_X509_CRL_bio(BIO *bp, X509_CRL **crl)
 	{
 	return((X509_CRL *)ASN1_d2i_bio((char *(*)())
 		X509_CRL_new,(char *(*)())d2i_X509_CRL, (bp),
@@ -195,7 +195,7 @@ PKCS7 *PKCS7_dup(PKCS7 *p7)
 	}
 
 #ifndef NO_FP_API
-PKCS7 *d2i_PKCS7_fp(FILE *fp, PKCS7 *p7)
+PKCS7 *d2i_PKCS7_fp(FILE *fp, PKCS7 **p7)
 	{
 	return((PKCS7 *)ASN1_d2i_fp((char *(*)())
 		PKCS7_new,(char *(*)())d2i_PKCS7, (fp),
@@ -208,7 +208,7 @@ int i2d_PKCS7_fp(FILE *fp, PKCS7 *p7)
 	}
 #endif
 
-PKCS7 *d2i_PKCS7_bio(BIO *bp, PKCS7 *p7)
+PKCS7 *d2i_PKCS7_bio(BIO *bp, PKCS7 **p7)
 	{
 	return((PKCS7 *)ASN1_d2i_bio((char *(*)())
 		PKCS7_new,(char *(*)())d2i_PKCS7, (bp),
@@ -227,7 +227,7 @@ X509_REQ *X509_REQ_dup(X509_REQ *req)
 	}
 
 #ifndef NO_FP_API
-X509_REQ *d2i_X509_REQ_fp(FILE *fp, X509_REQ *req)
+X509_REQ *d2i_X509_REQ_fp(FILE *fp, X509_REQ **req)
 	{
 	return((X509_REQ *)ASN1_d2i_fp((char *(*)())
 		X509_REQ_new, (char *(*)())d2i_X509_REQ, (fp),
@@ -240,7 +240,7 @@ int i2d_X509_REQ_fp(FILE *fp, X509_REQ *req)
 	}
 #endif
 
-X509_REQ *d2i_X509_REQ_bio(BIO *bp, X509_REQ *req)
+X509_REQ *d2i_X509_REQ_bio(BIO *bp, X509_REQ **req)
 	{
 	return((X509_REQ *)ASN1_d2i_bio((char *(*)())
 		X509_REQ_new, (char *(*)())d2i_X509_REQ, (bp),
@@ -266,7 +266,7 @@ RSA *RSAPrivateKey_dup(RSA *rsa)
 	}
 
 #ifndef NO_FP_API
-RSA *d2i_RSAPrivateKey_fp(FILE *fp, RSA *rsa)
+RSA *d2i_RSAPrivateKey_fp(FILE *fp, RSA **rsa)
 	{
 	return((RSA *)ASN1_d2i_fp((char *(*)())
 		RSA_new,(char *(*)())d2i_RSAPrivateKey, (fp),
@@ -278,7 +278,7 @@ int i2d_RSAPrivateKey_fp(FILE *fp, RSA *rsa)
 	return(ASN1_i2d_fp(i2d_RSAPrivateKey,fp,(unsigned char *)rsa));
 	}
 
-RSA *d2i_RSAPublicKey_fp(FILE *fp, RSA *rsa)
+RSA *d2i_RSAPublicKey_fp(FILE *fp, RSA **rsa)
 	{
 	return((RSA *)ASN1_d2i_fp((char *(*)())
 		RSA_new,(char *(*)())d2i_RSAPublicKey, (fp),
@@ -291,7 +291,7 @@ int i2d_RSAPublicKey_fp(FILE *fp, RSA *rsa)
 	}
 #endif
 
-RSA *d2i_RSAPrivateKey_bio(BIO *bp, RSA *rsa)
+RSA *d2i_RSAPrivateKey_bio(BIO *bp, RSA **rsa)
 	{
 	return((RSA *)ASN1_d2i_bio((char *(*)())
 		RSA_new,(char *(*)())d2i_RSAPrivateKey, (bp),
@@ -303,7 +303,7 @@ int i2d_RSAPrivateKey_bio(BIO *bp, RSA *rsa)
 	return(ASN1_i2d_bio(i2d_RSAPrivateKey,bp,(unsigned char *)rsa));
 	}
 
-RSA *d2i_RSAPublicKey_bio(BIO *bp, RSA *rsa)
+RSA *d2i_RSAPublicKey_bio(BIO *bp, RSA **rsa)
 	{
 	return((RSA *)ASN1_d2i_bio((char *(*)())
 		RSA_new,(char *(*)())d2i_RSAPublicKey, (bp),
@@ -318,7 +318,7 @@ int i2d_RSAPublicKey_bio(BIO *bp, RSA *rsa)
 
 #ifndef NO_DSA
 #ifndef NO_FP_API
-DSA *d2i_DSAPrivateKey_fp(FILE *fp, DSA *dsa)
+DSA *d2i_DSAPrivateKey_fp(FILE *fp, DSA **dsa)
 	{
 	return((DSA *)ASN1_d2i_fp((char *(*)())
 		DSA_new,(char *(*)())d2i_DSAPrivateKey, (fp),
@@ -331,7 +331,7 @@ int i2d_DSAPrivateKey_fp(FILE *fp, DSA *dsa)
 	}
 #endif
 
-DSA *d2i_DSAPrivateKey_bio(BIO *bp, DSA *dsa)
+DSA *d2i_DSAPrivateKey_bio(BIO *bp, DSA **dsa)
 	{
 	return((DSA *)ASN1_d2i_bio((char *(*)())
 		DSA_new,(char *(*)())d2i_DSAPrivateKey, (bp),

crypto/x509v3/v3_lib.c

@@ -131,6 +131,7 @@ int X509V3_EXT_add_alias(int nid_to, int nid_from)
 void X509V3_EXT_cleanup(void)
 {
 	sk_pop_free(ext_list, ext_list_free);
+	ext_list = NULL;
 }
 
 static void ext_list_free(X509V3_EXT_METHOD *ext)

e_os.h

@@ -61,8 +61,8 @@
 
 #include <openssl/e_os2.h>
 /* <openssl/e_os2.h> contains what we can justify to make visible
- * to the outside.  e_os.h shouldn't even be in the include/openssl
- * directory, these are just local definitions. */
+ * to the outside; this file e_os.h is not part of the exported
+ * interface. */
 
 #ifdef  __cplusplus
 extern "C" {
@@ -103,9 +103,6 @@ extern "C" {
 #ifdef WIN32
 #define get_last_sys_error()	GetLastError()
 #define clear_sys_error()	SetLastError(0)
-/* These are defined in wincrypt.h and can cause problems */
-#undef X509_NAME
-#undef PKCS7_SIGNER_INFO
 #if !defined(WINNT)
 #define WIN_CONSOLE_BUG
 #endif
@@ -351,6 +348,9 @@ extern HINSTANCE _hInstance;
 #ifdef sgi
 #define IRIX_CC_BUG	/* all version of IRIX I've tested (4.* 5.*) */
 #endif
+#ifdef SNI
+#define IRIX_CC_BUG	/* CDS++ up to V2.0Bsomething suffered from the same bug.*/
+#endif
 
 #ifdef NO_MD2
 #define MD2_Init MD2Init

install.com

@@ -53,7 +53,7 @@ $	IF F$PARSE("WRK_SSLROOT:[VMS]") .EQS. "" THEN -
 	   CREATE/DIR/LOG WRK_SSLROOT:[VMS]
 $
 $	SDIRS := CRYPTO,SSL,RSAREF,APPS,VMS!,TEST,TOOLS
-$	EXHEADER := e_os.h
+$	EXHEADER := e_os.h,e_os2.h
 $
 $	COPY 'EXHEADER' WRK_SSLINCLUDE: /LOG
 $

makevms.com

@@ -220,7 +220,7 @@ $ IF F$PARSE("SYS$DISK:[.INCLUDE.OPENSSL]") .EQS. "" THEN -
 $!
 $! Copy All The ".H" Files From The Main Directory.
 $!
-$ EXHEADER := e_os.h
+$ EXHEADER := e_os.h,e_os2.h
 $ COPY 'EXHEADER' SYS$DISK:[.INCLUDE.OPENSSL]
 $!
 $! Copy All The ".H" Files From The [.CRYPTO] Directory Tree.

ms/do_nt.bat

@@ -1,7 +1,7 @@
 
 perl util\mkfiles.pl >MINFO
-perl util\mk1mf.pl VC-NT no-asm >ms\nt.mak
-perl util\mk1mf.pl VC-NT dll no-asm >ms\ntdll.mak
+perl util\mk1mf.pl no-asm VC-NT >ms\nt.mak
+perl util\mk1mf.pl dll no-asm VC-NT >ms\ntdll.mak
 
-perl util\mkdef.pl NT libeay > ms\libeay32.def
-perl util\mkdef.pl NT ssleay > ms\ssleay32.def
+perl util\mkdef.pl libeay NT > ms\libeay32.def
+perl util\mkdef.pl ssleay NT > ms\ssleay32.def

ssl/s3_srvr.c

@@ -557,7 +557,9 @@ static int ssl3_get_client_hello(SSL *s)
 			{ /* previous session */
 			s->hit=1;
 			}
-		else
+		else if (i == -1)
+			goto err;
+		else /* i == 0 */
 			{
 			if (!ssl_get_new_session(s,1))
 				goto err;

ssl/ssl.c

@@ -61,7 +61,6 @@
 #include <string.h>
 
 #define USE_SOCKETS
-#include <openssl/e_os.h>
 
 #include <openssl/buffer.h>
 #include <openssl/stack.h>

ssl/ssl_locl.h

@@ -63,7 +63,7 @@
 #include <string.h>
 #include <errno.h>
 
-#include <openssl/e_os.h>
+#include "openssl/e_os.h"
 
 #include <openssl/buffer.h>
 #include <openssl/comp.h>

ssl/ssl_sess.c

@@ -168,6 +168,8 @@ int ssl_get_new_session(SSL *s, int session)
 			CRYPTO_r_unlock(CRYPTO_LOCK_SSL_CTX);
 			if (r == NULL) break;
 			/* else - woops a session_id match */
+			/* XXX should also check external cache!
+			 * (But the probability of a collision is negligible, anyway...) */
 			}
 		}
 	else
@@ -188,24 +190,29 @@ int ssl_get_prev_session(SSL *s, unsigned char *session_id, int len)
 	/* This is used only by servers. */
 
 	SSL_SESSION *ret=NULL,data;
-	int copy=1;
+	int fatal = 0;
 
 	/* conn_init();*/
 	data.ssl_version=s->version;
 	data.session_id_length=len;
 	if (len > SSL_MAX_SSL_SESSION_ID_LENGTH)
-		return(0);
+		goto err;
 	memcpy(data.session_id,session_id,len);
 
 	if (!(s->ctx->session_cache_mode & SSL_SESS_CACHE_NO_INTERNAL_LOOKUP))
 		{
 		CRYPTO_r_lock(CRYPTO_LOCK_SSL_CTX);
 		ret=(SSL_SESSION *)lh_retrieve(s->ctx->sessions,(char *)&data);
+		if (ret != NULL)
+		    /* don't allow other threads to steal it: */
+		    CRYPTO_add(&ret->references,1,CRYPTO_LOCK_SSL_SESSION);
 		CRYPTO_r_unlock(CRYPTO_LOCK_SSL_CTX);
 		}
 
 	if (ret == NULL)
 		{
+		int copy=1;
+	
 		s->ctx->stats.sess_miss++;
 		ret=NULL;
 		if (s->ctx->get_session_cb != NULL
@@ -214,28 +221,52 @@ int ssl_get_prev_session(SSL *s, unsigned char *session_id, int len)
 			{
 			s->ctx->stats.sess_cb_hit++;
 
+			/* Increment reference count now if the session callback
+			 * asks us to do so (note that if the session structures
+			 * returned by the callback are shared between threads,
+			 * it must handle the reference count itself [i.e. copy == 0],
+			 * or things won't be thread-safe). */
+			if (copy)
+				CRYPTO_add(&ret->references,1,CRYPTO_LOCK_SSL_SESSION);
+
 			/* The following should not return 1, otherwise,
 			 * things are very strange */
 			SSL_CTX_add_session(s->ctx,ret);
 			}
-		if (ret == NULL) return(0);
+		if (ret == NULL)
+			goto err;
 		}
 
+	/* Now ret is non-NULL, and we own one of its reference counts. */
+
 	if((s->verify_mode&SSL_VERIFY_PEER)
 	   && (!s->sid_ctx_length || ret->sid_ctx_length != s->sid_ctx_length
 	       || memcmp(ret->sid_ctx,s->sid_ctx,ret->sid_ctx_length)))
 	    {
-		if (s->sid_ctx_length)
-			SSLerr(SSL_F_SSL_GET_PREV_SESSION,SSL_R_ATTEMPT_TO_REUSE_SESSION_IN_DIFFERENT_CONTEXT);
-		else
-			/* application should have used SSL[_CTX]_set_session_id_context */
-			SSLerr(SSL_F_SSL_GET_PREV_SESSION,SSL_R_SESSION_ID_CONTEXT_UNINITIALIZED);
-	    return 0;
-	    }
+		/* We've found the session named by the client, but we don't
+		 * want to use it in this context. */
+		
+		if (s->sid_ctx_length == 0)
+			{
+			/* application should have used SSL[_CTX]_set_session_id_context
+			 * -- we could tolerate this and just pretend we never heard
+			 * of this session, but then applications could effectively
+			 * disable the session cache by accident without anyone noticing */
 
-	/* auto free it */
-	if (!copy)
-	    SSL_SESSION_free(ret);
+			SSLerr(SSL_F_SSL_GET_PREV_SESSION,SSL_R_SESSION_ID_CONTEXT_UNINITIALIZED);
+			fatal = 1;
+			goto err;
+			}
+		else
+			{
+#if 0 /* The client cannot always know when a session is not appropriate,
+	   * so we shouldn't generate an error message. */
+
+			SSLerr(SSL_F_SSL_GET_PREV_SESSION,SSL_R_ATTEMPT_TO_REUSE_SESSION_IN_DIFFERENT_CONTEXT);
+#endif
+			goto err; /* treat like cache miss */
+			}
+		}
 
 	if (ret->cipher == NULL)
 		{
@@ -250,22 +281,25 @@ int ssl_get_prev_session(SSL *s, unsigned char *session_id, int len)
 		else 
 			ret->cipher=ssl_get_cipher_by_char(s,&(buf[1]));
 		if (ret->cipher == NULL)
-			return(0);
+			goto err;
 		}
 
+
+#if 0 /* This is way too late. */
+
 	/* If a thread got the session, then 'swaped', and another got
 	 * it and then due to a time-out decided to 'Free' it we could
 	 * be in trouble.  So I'll increment it now, then double decrement
 	 * later - am I speaking rubbish?. */
 	CRYPTO_add(&ret->references,1,CRYPTO_LOCK_SSL_SESSION);
+#endif
 
 	if ((long)(ret->time+ret->timeout) < (long)time(NULL)) /* timeout */
 		{
 		s->ctx->stats.sess_timeout++;
 		/* remove it from the cache */
 		SSL_CTX_remove_session(s->ctx,ret);
-		SSL_SESSION_free(ret);		/* again to actually Free it */
-		return(0);
+		goto err;
 		}
 
 	s->ctx->stats.sess_hit++;
@@ -278,6 +312,14 @@ int ssl_get_prev_session(SSL *s, unsigned char *session_id, int len)
 		SSL_SESSION_free(s->session);
 	s->session=ret;
 	return(1);
+
+ err:
+	if (ret != NULL)
+		SSL_SESSION_free(ret);
+	if (fatal)
+		return -1;
+	else
+		return 0;
 	}
 
 int SSL_CTX_add_session(SSL_CTX *ctx, SSL_SESSION *c)

ssl/ssl_task.c

@@ -123,8 +123,10 @@ int LIB$INIT_TIMER(), LIB$SHOW_TIMER();
 
 #include <string.h>		/* from ssltest.c */
 #include <errno.h>
+
+#include "openssl/e_os.h"
+
 #include <openssl/buffer.h>
-#include <openssl/e_os.h>
 #include <openssl/x509.h>
 #include <openssl/ssl.h>
 #include <openssl/err.h>

ssl/ssltest.c

@@ -60,7 +60,9 @@
 #include <stdlib.h>
 #include <string.h>
 #include <errno.h>
-#include <openssl/e_os.h>
+
+#include "openssl/e_os.h"
+
 #include <openssl/bio.h>
 #include <openssl/crypto.h>
 #include <openssl/x509.h>