Release OpenSSL 0.9.6a beta2 [engine].

The tag will be OpenSSL-engine-0_9_6a-beta2.

.cvsignore

@@ -11,3 +11,5 @@ maketest.log
 cctest
 cctest.c
 cctest.a
+libcrypto.so.*
+libssl.so.*

CHANGES

@@ -2,7 +2,918 @@
  OpenSSL CHANGES
  _______________
 
- Changes between 0.9.5 and 0.9.5a  [XX XXX 2000]
+ Changes between 0.9.6 and 0.9.6a  [xx XXX 2001]
+
+  *) Fix bug in PKCS#12 key generation routines. This was triggered
+     if a 3DES key was generated with a 0 initial byte. Include
+     PKCS12_BROKEN_KEYGEN compilation option to retain the old
+     (but broken) behaviour.
+     [Steve Henson]
+
+  *) Fix memory leaks in err.c: free err_data string if necessary;
+     don't write to the wrong index in ERR_set_error_data.
+     [Bodo Moeller]
+
+  *) Implement ssl23_peek (analogous to ssl23_read), which previously
+     did not exist.
+     [Bodo Moeller]
+
+  *) Replace rdtsc with _emit statements for VC++ version 5.
+     [Jeremy Cooper <jeremy@baymoo.org>]
+
+  *) Make it possible to reuse SSLv2 sessions.
+     [Richard Levitte]
+
+  *) In copy_email() check for >= 0 as a return value for
+     X509_NAME_get_index_by_NID() since 0 is a valid index.
+     [Steve Henson reported by Massimiliano Pala <madwolf@opensca.org>]
+
+  *) Use better test patterns in bntest.
+     [Ulf M<>ller]
+
+  *) Initialise "ex_data" member of RSA/DSA/DH structures prior to calling
+     the method-specific "init()" handler. Also clean up ex_data after
+     calling the method-specific "finish()" handler. Previously, this was
+     happening the other way round.
+     [Geoff Thorpe]
+
+  *) Avoid coredump with unsupported or invalid public keys by checking if
+     X509_get_pubkey() fails in PKCS7_verify(). Fix memory leak when
+     PKCS7_verify() fails with non detached data.
+     [Steve Henson]
+
+  *) Don't use getenv in library functions when run as setuid/setgid.
+     New function OPENSSL_issetugid().
+     [Ulf Moeller]
+
+  *) Avoid false positives in memory leak detection code (crypto/mem_dbg.c)
+     due to incorrect handling of multi-threading:
+
+     1. Fix timing glitch in the MemCheck_off() portion of CRYPTO_mem_ctrl().
+
+     2. Fix logical glitch in is_MemCheck_on() aka CRYPTO_is_mem_check_on().
+
+     3. Count how many times MemCheck_off() has been called so that
+        nested use can be treated correctly.  This also avoids 
+        inband-signalling in the previous code (which relied on the
+        assumption that thread ID 0 is impossible).
+     [Bodo Moeller]
+
+  *) Add "-rand" option also to s_client and s_server.
+     [Lutz Jaenicke]
+
+  *) Fix CPU detection on Irix 6.x.
+     [Kurt Hockenbury <khockenb@stevens-tech.edu> and
+      "Bruce W. Forsberg" <bruce.forsberg@baesystems.com>]
+
+  *) Fix X509_NAME bug which produced incorrect encoding if X509_NAME
+     was empty.
+     [Steve Henson]
+
+  *) Use the cached encoding of an X509_NAME structure rather than
+     copying it. This is apparently the reason for the libsafe "errors"
+     but the code is actually correct.
+     [Steve Henson]
+
+  *) Add new function BN_rand_range(), and fix DSA_sign_setup() to prevent
+     Bleichenbacher's DSA attack.
+     Extend BN_[pseudo_]rand: As before, top=1 forces the highest two bits
+     to be set and top=0 forces the highest bit to be set; top=-1 is new
+     and leaves the highest bit random.
+     [Ulf Moeller]
+
+  *) In the NCONF_...-based implementations for CONF_... queries
+     (crypto/conf/conf_lib.c), if the input LHASH is NULL, avoid using
+     a temporary CONF structure with the data component set to NULL
+     (which gives segmentation faults in lh_retrieve).
+     Instead, use NULL for the CONF pointer in CONF_get_string and
+     CONF_get_number (which may use environment variables) and directly
+     return NULL from CONF_get_section.
+     [Bodo Moeller]
+
+  *) Fix potential buffer overrun for EBCDIC.
+     [Ulf Moeller]
+
+  *) Tolerate nonRepudiation as being valid for S/MIME signing and certSign
+     keyUsage if basicConstraints absent for a CA.
+     [Steve Henson]
+
+  *) Make SMIME_write_PKCS7() write mail header values with a format that
+     is more generally accepted (no spaces before the semicolon), since
+     some programs can't parse those values properly otherwise.  Also make
+     sure BIO's that break lines after each write do not create invalid
+     headers.
+     [Richard Levitte]
+
+  *) Make the CRL encoding routines work with empty SEQUENCE OF. The
+     macros previously used would not encode an empty SEQUENCE OF
+     and break the signature.
+     [Steve Henson]
+
+  *) Zero the premaster secret after deriving the master secret in
+     DH ciphersuites.
+     [Steve Henson]
+
+  *) Add some EVP_add_digest_alias registrations (as found in
+     OpenSSL_add_all_digests()) to SSL_library_init()
+     aka OpenSSL_add_ssl_algorithms().  This provides improved
+     compatibility with peers using X.509 certificates
+     with unconventional AlgorithmIdentifier OIDs.
+     [Bodo Moeller]
+
+  *) Fix for Irix with NO_ASM.
+     ["Bruce W. Forsberg" <bruce.forsberg@baesystems.com>]
+
+  *) ./config script fixes.
+     [Ulf Moeller, Richard Levitte]
+
+  *) Fix 'openssl passwd -1'.
+     [Bodo Moeller]
+
+  *) Change PKCS12_key_gen_asc() so it can cope with non null
+     terminated strings whose length is passed in the passlen
+     parameter, for example from PEM callbacks. This was done
+     by adding an extra length parameter to asc2uni().
+     [Steve Henson, reported by <oddissey@samsung.co.kr>]
+
+  *) Fix C code generated by 'openssl dsaparam -C': If a BN_bin2bn
+     call failed, free the DSA structure.
+     [Bodo Moeller]
+
+  *) Fix to uni2asc() to cope with zero length Unicode strings.
+     These are present in some PKCS#12 files.
+     [Steve Henson]
+
+  *) Increase s2->wbuf allocation by one byte in ssl2_new (ssl/s2_lib.c).
+     Otherwise do_ssl_write (ssl/s2_pkt.c) will write beyond buffer limits
+     when writing a 32767 byte record.
+     [Bodo Moeller; problem reported by Eric Day <eday@concentric.net>]
+
+  *) In RSA_eay_public_{en,ed}crypt and RSA_eay_mod_exp (rsa_eay.c),
+     obtain lock CRYPTO_LOCK_RSA before setting rsa->_method_mod_{n,p,q}.
+
+     (RSA objects have a reference count access to which is protected
+     by CRYPTO_LOCK_RSA [see rsa_lib.c, s3_srvr.c, ssl_cert.c, ssl_rsa.c],
+     so they are meant to be shared between threads.)
+     [Bodo Moeller, Geoff Thorpe; original patch submitted by
+     "Reddie, Steven" <Steven.Reddie@ca.com>]
+
+  *) Fix a deadlock in CRYPTO_mem_leaks().
+     [Bodo Moeller]
+
+  *) rand_win.c fix for Borland C.
+     [Ulf M<>ller]
+ 
+  *) BN_rshift bugfix for n == 0.
+     [Bodo Moeller]
+
+  *) Store verify_result within SSL_SESSION also for client side to
+     avoid potential security hole. (Re-used sessions on the client side
+     always resulted in verify_result==X509_V_OK, not using the original
+     result of the server certificate verification.)
+     [Lutz Jaenicke]
+
+  *) Fix ssl3_pending: If the record in s->s3->rrec is not of type
+     SSL3_RT_APPLICATION_DATA, return 0.
+     Similarly, change ssl2_pending to return 0 if SSL_in_init(s) is true.
+     [Bodo Moeller]
+
+  *) Fix SSL_peek:
+     Both ssl2_peek and ssl3_peek, which were totally broken in earlier
+     releases, have been re-implemented by renaming the previous
+     implementations of ssl2_read and ssl3_read to ssl2_read_internal
+     and ssl3_read_internal, respectively, and adding 'peek' parameters
+     to them.  The new ssl[23]_{read,peek} functions are calls to
+     ssl[23]_read_internal with the 'peek' flag set appropriately.
+     A 'peek' parameter has also been added to ssl3_read_bytes, which
+     does the actual work for ssl3_read_internal.
+     [Bodo Moeller]
+
+  *) Increase BN_CTX_NUM (the number of BIGNUMs in a BN_CTX) to 16.
+     The previous value, 12, was not always sufficient for BN_mod_exp().
+     [Bodo Moeller]
+
+  *) Fix typo in get_cert_by_subject() in by_dir.c
+     [Jean-Marc Desperrier <jean-marc.desperrier@certplus.com>]
+
+  *) Rework the system to generate shared libraries:
+
+     - Make note of the expected extension for the shared libraries and
+       if there is a need for symbolic links from for example libcrypto.so.0
+       to libcrypto.so.0.9.7.  There is extended info in Configure for
+       that.
+
+     - Make as few rebuilds of the shared libraries as possible.
+
+     - Still avoid linking the OpenSSL programs with the shared libraries.
+
+     - When installing, install the shared libraries separately from the
+       static ones.
+     [Richard Levitte]
+
+  *) Fix SSL_CTX_set_read_ahead macro to actually use its argument.
+
+     Copy SSL_CTX's read_ahead flag to SSL object directly in SSL_new
+     and not in SSL_clear because the latter is also used by the
+     accept/connect functions; previously, the settings made by
+     SSL_set_read_ahead would be lost during the handshake.
+     [Bodo Moeller; problems reported by Anders Gertz <gertz@epact.se>]     
+
+  *) Correct util/mkdef.pl to be selective about disabled algorithms.
+     Previously, it would create entries for disableed algorithms no
+     matter what.
+     [Richard Levitte]
+
+  *) Added several new manual pages for SSL_* function.
+     [Lutz Jaenicke]
+
+ Changes between 0.9.5a and 0.9.6  [24 Sep 2000]
+
+  *) In ssl23_get_client_hello, generate an error message when faced
+     with an initial SSL 3.0/TLS record that is too small to contain the
+     first two bytes of the ClientHello message, i.e. client_version.
+     (Note that this is a pathologic case that probably has never happened
+     in real life.)  The previous approach was to use the version number
+     from the record header as a substitute; but our protocol choice
+     should not depend on that one because it is not authenticated
+     by the Finished messages.
+     [Bodo Moeller]
+
+  *) More robust randomness gathering functions for Windows.
+     [Jeffrey Altman <jaltman@columbia.edu>]
+
+  *) For compatibility reasons if the flag X509_V_FLAG_ISSUER_CHECK is
+     not set then we don't setup the error code for issuer check errors
+     to avoid possibly overwriting other errors which the callback does
+     handle. If an application does set the flag then we assume it knows
+     what it is doing and can handle the new informational codes
+     appropriately.
+     [Steve Henson]
+
+  *) Fix for a nasty bug in ASN1_TYPE handling. ASN1_TYPE is used for
+     a general "ANY" type, as such it should be able to decode anything
+     including tagged types. However it didn't check the class so it would
+     wrongly interpret tagged types in the same way as their universal
+     counterpart and unknown types were just rejected. Changed so that the
+     tagged and unknown types are handled in the same way as a SEQUENCE:
+     that is the encoding is stored intact. There is also a new type
+     "V_ASN1_OTHER" which is used when the class is not universal, in this
+     case we have no idea what the actual type is so we just lump them all
+     together.
+     [Steve Henson]
+
+  *) On VMS, stdout may very well lead to a file that is written to
+     in a record-oriented fashion.  That means that every write() will
+     write a separate record, which will be read separately by the
+     programs trying to read from it.  This can be very confusing.
+
+     The solution is to put a BIO filter in the way that will buffer
+     text until a linefeed is reached, and then write everything a
+     line at a time, so every record written will be an actual line,
+     not chunks of lines and not (usually doesn't happen, but I've
+     seen it once) several lines in one record.  BIO_f_linebuffer() is
+     the answer.
+
+     Currently, it's a VMS-only method, because that's where it has
+     been tested well enough.
+     [Richard Levitte]
+
+  *) Remove 'optimized' squaring variant in BN_mod_mul_montgomery,
+     it can return incorrect results.
+     (Note: The buggy variant was not enabled in OpenSSL 0.9.5a,
+     but it was in 0.9.6-beta[12].)
+     [Bodo Moeller]
+
+  *) Disable the check for content being present when verifying detached
+     signatures in pk7_smime.c. Some versions of Netscape (wrongly)
+     include zero length content when signing messages.
+     [Steve Henson]
+
+  *) New BIO_shutdown_wr macro, which invokes the BIO_C_SHUTDOWN_WR
+     BIO_ctrl (for BIO pairs).
+     [Bodo M<>ller]
+
+  *) Add DSO method for VMS.
+     [Richard Levitte]
+
+  *) Bug fix: Montgomery multiplication could produce results with the
+     wrong sign.
+     [Ulf M<>ller]
+
+  *) Add RPM specification openssl.spec and modify it to build three
+     packages.  The default package contains applications, application
+     documentation and run-time libraries.  The devel package contains
+     include files, static libraries and function documentation.  The
+     doc package contains the contents of the doc directory.  The original
+     openssl.spec was provided by Damien Miller <djm@mindrot.org>.
+     [Richard Levitte]
+     
+  *) Add a large number of documentation files for many SSL routines.
+     [Lutz Jaenicke <Lutz.Jaenicke@aet.TU-Cottbus.DE>]
+
+  *) Add a configuration entry for Sony News 4.
+     [NAKAJI Hiroyuki <nakaji@tutrp.tut.ac.jp>]
+
+  *) Don't set the two most significant bits to one when generating a
+     random number < q in the DSA library.
+     [Ulf M<>ller]
+
+  *) New SSL API mode 'SSL_MODE_AUTO_RETRY'.  This disables the default
+     behaviour that SSL_read may result in SSL_ERROR_WANT_READ (even if
+     the underlying transport is blocking) if a handshake took place.
+     (The default behaviour is needed by applications such as s_client
+     and s_server that use select() to determine when to use SSL_read;
+     but for applications that know in advance when to expect data, it
+     just makes things more complicated.)
+     [Bodo Moeller]
+
+  *) Add RAND_egd_bytes(), which gives control over the number of bytes read
+     from EGD.
+     [Ben Laurie]
+
+  *) Add a few more EBCDIC conditionals that make `req' and `x509'
+     work better on such systems.
+     [Martin Kraemer <Martin.Kraemer@MchP.Siemens.De>]
+
+  *) Add two demo programs for PKCS12_parse() and PKCS12_create().
+     Update PKCS12_parse() so it copies the friendlyName and the
+     keyid to the certificates aux info.
+     [Steve Henson]
+
+  *) Fix bug in PKCS7_verify() which caused an infinite loop
+     if there was more than one signature.
+     [Sven Uszpelkat <su@celocom.de>]
+
+  *) Major change in util/mkdef.pl to include extra information
+     about each symbol, as well as presentig variables as well
+     as functions.  This change means that there's n more need
+     to rebuild the .num files when some algorithms are excluded.
+     [Richard Levitte]
+
+  *) Allow the verify time to be set by an application,
+     rather than always using the current time.
+     [Steve Henson]
+  
+  *) Phase 2 verify code reorganisation. The certificate
+     verify code now looks up an issuer certificate by a
+     number of criteria: subject name, authority key id
+     and key usage. It also verifies self signed certificates
+     by the same criteria. The main comparison function is
+     X509_check_issued() which performs these checks.
+ 
+     Lot of changes were necessary in order to support this
+     without completely rewriting the lookup code.
+ 
+     Authority and subject key identifier are now cached.
+ 
+     The LHASH 'certs' is X509_STORE has now been replaced
+     by a STACK_OF(X509_OBJECT). This is mainly because an
+     LHASH can't store or retrieve multiple objects with
+     the same hash value.
+
+     As a result various functions (which were all internal
+     use only) have changed to handle the new X509_STORE
+     structure. This will break anything that messed round
+     with X509_STORE internally.
+ 
+     The functions X509_STORE_add_cert() now checks for an
+     exact match, rather than just subject name.
+ 
+     The X509_STORE API doesn't directly support the retrieval
+     of multiple certificates matching a given criteria, however
+     this can be worked round by performing a lookup first
+     (which will fill the cache with candidate certificates)
+     and then examining the cache for matches. This is probably
+     the best we can do without throwing out X509_LOOKUP
+     entirely (maybe later...).
+ 
+     The X509_VERIFY_CTX structure has been enhanced considerably.
+ 
+     All certificate lookup operations now go via a get_issuer()
+     callback. Although this currently uses an X509_STORE it
+     can be replaced by custom lookups. This is a simple way
+     to bypass the X509_STORE hackery necessary to make this
+     work and makes it possible to use more efficient techniques
+     in future. A very simple version which uses a simple
+     STACK for its trusted certificate store is also provided
+     using X509_STORE_CTX_trusted_stack().
+ 
+     The verify_cb() and verify() callbacks now have equivalents
+     in the X509_STORE_CTX structure.
+ 
+     X509_STORE_CTX also has a 'flags' field which can be used
+     to customise the verify behaviour.
+     [Steve Henson]
+ 
+  *) Add new PKCS#7 signing option PKCS7_NOSMIMECAP which 
+     excludes S/MIME capabilities.
+     [Steve Henson]
+
+  *) When a certificate request is read in keep a copy of the
+     original encoding of the signed data and use it when outputing
+     again. Signatures then use the original encoding rather than
+     a decoded, encoded version which may cause problems if the
+     request is improperly encoded.
+     [Steve Henson]
+
+  *) For consistency with other BIO_puts implementations, call
+     buffer_write(b, ...) directly in buffer_puts instead of calling
+     BIO_write(b, ...).
+
+     In BIO_puts, increment b->num_write as in BIO_write.
+     [Peter.Sylvester@EdelWeb.fr]
+
+  *) Fix BN_mul_word for the case where the word is 0. (We have to use
+     BN_zero, we may not return a BIGNUM with an array consisting of
+     words set to zero.)
+     [Bodo Moeller]
+
+  *) Avoid calling abort() from within the library when problems are
+     detected, except if preprocessor symbols have been defined
+     (such as REF_CHECK, BN_DEBUG etc.).
+     [Bodo Moeller]
+
+  *) New openssl application 'rsautl'. This utility can be
+     used for low level RSA operations. DER public key
+     BIO/fp routines also added.
+     [Steve Henson]
+
+  *) New Configure entry and patches for compiling on QNX 4.
+     [Andreas Schneider <andreas@ds3.etech.fh-hamburg.de>]
+
+  *) A demo state-machine implementation was sponsored by
+     Nuron (http://www.nuron.com/) and is now available in
+     demos/state_machine.
+     [Ben Laurie]
+
+  *) New options added to the 'dgst' utility for signature
+     generation and verification.
+     [Steve Henson]
+
+  *) Unrecognized PKCS#7 content types are now handled via a
+     catch all ASN1_TYPE structure. This allows unsupported
+     types to be stored as a "blob" and an application can
+     encode and decode it manually.
+     [Steve Henson]
+
+  *) Fix various signed/unsigned issues to make a_strex.c
+     compile under VC++.
+     [Oscar Jacobsson <oscar.jacobsson@celocom.com>]
+
+  *) ASN1 fixes. i2d_ASN1_OBJECT was not returning the correct
+     length if passed a buffer. ASN1_INTEGER_to_BN failed
+     if passed a NULL BN and its argument was negative.
+     [Steve Henson, pointed out by Sven Heiberg <sven@tartu.cyber.ee>]
+
+  *) Modification to PKCS#7 encoding routines to output definite
+     length encoding. Since currently the whole structures are in
+     memory there's not real point in using indefinite length 
+     constructed encoding. However if OpenSSL is compiled with
+     the flag PKCS7_INDEFINITE_ENCODING the old form is used.
+     [Steve Henson]
+
+  *) Added BIO_vprintf() and BIO_vsnprintf().
+     [Richard Levitte]
+
+  *) Added more prefixes to parse for in the the strings written
+     through a logging bio, to cover all the levels that are available
+     through syslog.  The prefixes are now:
+
+	PANIC, EMERG, EMR	=>	LOG_EMERG
+	ALERT, ALR		=>	LOG_ALERT
+	CRIT, CRI		=>	LOG_CRIT
+	ERROR, ERR		=>	LOG_ERR
+	WARNING, WARN, WAR	=>	LOG_WARNING
+	NOTICE, NOTE, NOT	=>	LOG_NOTICE
+	INFO, INF		=>	LOG_INFO
+	DEBUG, DBG		=>	LOG_DEBUG
+
+     and as before, if none of those prefixes are present at the
+     beginning of the string, LOG_ERR is chosen.
+
+     On Win32, the LOG_* levels are mapped according to this:
+
+	LOG_EMERG, LOG_ALERT, LOG_CRIT, LOG_ERR	=> EVENTLOG_ERROR_TYPE
+	LOG_WARNING				=> EVENTLOG_WARNING_TYPE
+	LOG_NOTICE, LOG_INFO, LOG_DEBUG		=> EVENTLOG_INFORMATION_TYPE
+
+     [Richard Levitte]
+
+  *) Made it possible to reconfigure with just the configuration
+     argument "reconf" or "reconfigure".  The command line arguments
+     are stored in Makefile.ssl in the variable CONFIGURE_ARGS,
+     and are retrieved from there when reconfiguring.
+     [Richard Levitte]
+
+  *) MD4 implemented.
+     [Assar Westerlund <assar@sics.se>, Richard Levitte]
+
+  *) Add the arguments -CAfile and -CApath to the pkcs12 utility.
+     [Richard Levitte]
+
+  *) The obj_dat.pl script was messing up the sorting of object
+     names. The reason was that it compared the quoted version
+     of strings as a result "OCSP" > "OCSP Signing" because
+     " > SPACE. Changed script to store unquoted versions of
+     names and add quotes on output. It was also omitting some
+     names from the lookup table if they were given a default
+     value (that is if SN is missing it is given the same
+     value as LN and vice versa), these are now added on the
+     grounds that if an object has a name we should be able to
+     look it up. Finally added warning output when duplicate
+     short or long names are found.
+     [Steve Henson]
+
+  *) Changes needed for Tandem NSK.
+     [Scott Uroff <scott@xypro.com>]
+
+  *) Fix SSL 2.0 rollback checking: Due to an off-by-one error in
+     RSA_padding_check_SSLv23(), special padding was never detected
+     and thus the SSL 3.0/TLS 1.0 countermeasure against protocol
+     version rollback attacks was not effective.
+
+     In s23_clnt.c, don't use special rollback-attack detection padding
+     (RSA_SSLV23_PADDING) if SSL 2.0 is the only protocol enabled in the
+     client; similarly, in s23_srvr.c, don't do the rollback check if
+     SSL 2.0 is the only protocol enabled in the server.
+     [Bodo Moeller]
+
+  *) Make it possible to get hexdumps of unprintable data with 'openssl
+     asn1parse'.  By implication, the functions ASN1_parse_dump() and
+     BIO_dump_indent() are added.
+     [Richard Levitte]
+
+  *) New functions ASN1_STRING_print_ex() and X509_NAME_print_ex()
+     these print out strings and name structures based on various
+     flags including RFC2253 support and proper handling of
+     multibyte characters. Added options to the 'x509' utility 
+     to allow the various flags to be set.
+     [Steve Henson]
+
+  *) Various fixes to use ASN1_TIME instead of ASN1_UTCTIME.
+     Also change the functions X509_cmp_current_time() and
+     X509_gmtime_adj() work with an ASN1_TIME structure,
+     this will enable certificates using GeneralizedTime in validity
+     dates to be checked.
+     [Steve Henson]
+
+  *) Make the NEG_PUBKEY_BUG code (which tolerates invalid
+     negative public key encodings) on by default,
+     NO_NEG_PUBKEY_BUG can be set to disable it.
+     [Steve Henson]
+
+  *) New function c2i_ASN1_OBJECT() which acts on ASN1_OBJECT
+     content octets. An i2c_ASN1_OBJECT is unnecessary because
+     the encoding can be trivially obtained from the structure.
+     [Steve Henson]
+
+  *) crypto/err.c locking bugfix: Use write locks (CRYPTO_w_[un]lock),
+     not read locks (CRYPTO_r_[un]lock).
+     [Bodo Moeller]
+
+  *) A first attempt at creating official support for shared
+     libraries through configuration.  I've kept it so the
+     default is static libraries only, and the OpenSSL programs
+     are always statically linked for now, but there are
+     preparations for dynamic linking in place.
+     This has been tested on Linux and True64.
+     [Richard Levitte]
+
+  *) Randomness polling function for Win9x, as described in:
+     Peter Gutmann, Software Generation of Practically Strong
+     Random Numbers.
+     [Ulf M<>ller]
+
+  *) Fix so PRNG is seeded in req if using an already existing
+     DSA key.
+     [Steve Henson]
+
+  *) New options to smime application. -inform and -outform
+     allow alternative formats for the S/MIME message including
+     PEM and DER. The -content option allows the content to be
+     specified separately. This should allow things like Netscape
+     form signing output easier to verify.
+     [Steve Henson]
+
+  *) Fix the ASN1 encoding of tags using the 'long form'.
+     [Steve Henson]
+
+  *) New ASN1 functions, i2c_* and c2i_* for INTEGER and BIT
+     STRING types. These convert content octets to and from the
+     underlying type. The actual tag and length octets are
+     already assumed to have been read in and checked. These
+     are needed because all other string types have virtually
+     identical handling apart from the tag. By having versions
+     of the ASN1 functions that just operate on content octets
+     IMPLICIT tagging can be handled properly. It also allows
+     the ASN1_ENUMERATED code to be cut down because ASN1_ENUMERATED
+     and ASN1_INTEGER are identical apart from the tag.
+     [Steve Henson]
+
+  *) Change the handling of OID objects as follows:
+
+     - New object identifiers are inserted in objects.txt, following
+       the syntax given in objects.README.
+     - objects.pl is used to process obj_mac.num and create a new
+       obj_mac.h.
+     - obj_dat.pl is used to create a new obj_dat.h, using the data in
+       obj_mac.h.
+
+     This is currently kind of a hack, and the perl code in objects.pl
+     isn't very elegant, but it works as I intended.  The simplest way
+     to check that it worked correctly is to look in obj_dat.h and
+     check the array nid_objs and make sure the objects haven't moved
+     around (this is important!).  Additions are OK, as well as
+     consistent name changes. 
+     [Richard Levitte]
+
+  *) Add BSD-style MD5-based passwords to 'openssl passwd' (option '-1').
+     [Bodo Moeller]
+
+  *) Addition of the command line parameter '-rand file' to 'openssl req'.
+     The given file adds to whatever has already been seeded into the
+     random pool through the RANDFILE configuration file option or
+     environment variable, or the default random state file.
+     [Richard Levitte]
+
+  *) mkstack.pl now sorts each macro group into lexical order.
+     Previously the output order depended on the order the files
+     appeared in the directory, resulting in needless rewriting
+     of safestack.h .
+     [Steve Henson]
+
+  *) Patches to make OpenSSL compile under Win32 again. Mostly
+     work arounds for the VC++ problem that it treats func() as
+     func(void). Also stripped out the parts of mkdef.pl that
+     added extra typesafe functions: these no longer exist.
+     [Steve Henson]
+
+  *) Reorganisation of the stack code. The macros are now all 
+     collected in safestack.h . Each macro is defined in terms of
+     a "stack macro" of the form SKM_<name>(type, a, b). The 
+     DEBUG_SAFESTACK is now handled in terms of function casts,
+     this has the advantage of retaining type safety without the
+     use of additional functions. If DEBUG_SAFESTACK is not defined
+     then the non typesafe macros are used instead. Also modified the
+     mkstack.pl script to handle the new form. Needs testing to see
+     if which (if any) compilers it chokes and maybe make DEBUG_SAFESTACK
+     the default if no major problems. Similar behaviour for ASN1_SET_OF
+     and PKCS12_STACK_OF.
+     [Steve Henson]
+
+  *) When some versions of IIS use the 'NET' form of private key the
+     key derivation algorithm is different. Normally MD5(password) is
+     used as a 128 bit RC4 key. In the modified case
+     MD5(MD5(password) + "SGCKEYSALT")  is used insted. Added some
+     new functions i2d_RSA_NET(), d2i_RSA_NET() etc which are the same
+     as the old Netscape_RSA functions except they have an additional
+     'sgckey' parameter which uses the modified algorithm. Also added
+     an -sgckey command line option to the rsa utility. Thanks to 
+     Adrian Peck <bertie@ncipher.com> for posting details of the modified
+     algorithm to openssl-dev.
+     [Steve Henson]
+
+  *) The evp_local.h macros were using 'c.##kname' which resulted in
+     invalid expansion on some systems (SCO 5.0.5 for example).
+     Corrected to 'c.kname'.
+     [Phillip Porch <root@theporch.com>]
+
+  *) New X509_get1_email() and X509_REQ_get1_email() functions that return
+     a STACK of email addresses from a certificate or request, these look
+     in the subject name and the subject alternative name extensions and 
+     omit any duplicate addresses.
+     [Steve Henson]
+
+  *) Re-implement BN_mod_exp2_mont using independent (and larger) windows.
+     This makes DSA verification about 2 % faster.
+     [Bodo Moeller]
+
+  *) Increase maximum window size in BN_mod_exp_... to 6 bits instead of 5
+     (meaning that now 2^5 values will be precomputed, which is only 4 KB
+     plus overhead for 1024 bit moduli).
+     This makes exponentiations about 0.5 % faster for 1024 bit
+     exponents (as measured by "openssl speed rsa2048").
+     [Bodo Moeller]
+
+  *) Rename memory handling macros to avoid conflicts with other
+     software:
+          Malloc         =>  OPENSSL_malloc
+          Malloc_locked  =>  OPENSSL_malloc_locked
+          Realloc        =>  OPENSSL_realloc
+          Free           =>  OPENSSL_free
+     [Richard Levitte]
+
+  *) New function BN_mod_exp_mont_word for small bases (roughly 15%
+     faster than BN_mod_exp_mont, i.e. 7% for a full DH exchange).
+     [Bodo Moeller]
+
+  *) CygWin32 support.
+     [John Jarvie <jjarvie@newsguy.com>]
+
+  *) The type-safe stack code has been rejigged. It is now only compiled
+     in when OpenSSL is configured with the DEBUG_SAFESTACK option and
+     by default all type-specific stack functions are "#define"d back to
+     standard stack functions. This results in more streamlined output
+     but retains the type-safety checking possibilities of the original
+     approach.
+     [Geoff Thorpe]
+
+  *) The STACK code has been cleaned up, and certain type declarations
+     that didn't make a lot of sense have been brought in line. This has
+     also involved a cleanup of sorts in safestack.h to more correctly
+     map type-safe stack functions onto their plain stack counterparts.
+     This work has also resulted in a variety of "const"ifications of
+     lots of the code, especially "_cmp" operations which should normally
+     be prototyped with "const" parameters anyway.
+     [Geoff Thorpe]
+
+  *) When generating bytes for the first time in md_rand.c, 'stir the pool'
+     by seeding with STATE_SIZE dummy bytes (with zero entropy count).
+     (The PRNG state consists of two parts, the large pool 'state' and 'md',
+     where all of 'md' is used each time the PRNG is used, but 'state'
+     is used only indexed by a cyclic counter. As entropy may not be
+     well distributed from the beginning, 'md' is important as a
+     chaining variable. However, the output function chains only half
+     of 'md', i.e. 80 bits.  ssleay_rand_add, on the other hand, chains
+     all of 'md', and seeding with STATE_SIZE dummy bytes will result
+     in all of 'state' being rewritten, with the new values depending
+     on virtually all of 'md'.  This overcomes the 80 bit limitation.)
+     [Bodo Moeller]
+
+  *) In ssl/s2_clnt.c and ssl/s3_clnt.c, call ERR_clear_error() when
+     the handshake is continued after ssl_verify_cert_chain();
+     otherwise, if SSL_VERIFY_NONE is set, remaining error codes
+     can lead to 'unexplainable' connection aborts later.
+     [Bodo Moeller; problem tracked down by Lutz Jaenicke]
+
+  *) Major EVP API cipher revision.
+     Add hooks for extra EVP features. This allows various cipher
+     parameters to be set in the EVP interface. Support added for variable
+     key length ciphers via the EVP_CIPHER_CTX_set_key_length() function and
+     setting of RC2 and RC5 parameters.
+
+     Modify EVP_OpenInit() and EVP_SealInit() to cope with variable key length
+     ciphers.
+
+     Remove lots of duplicated code from the EVP library. For example *every*
+     cipher init() function handles the 'iv' in the same way according to the
+     cipher mode. They also all do nothing if the 'key' parameter is NULL and
+     for CFB and OFB modes they zero ctx->num.
+
+     New functionality allows removal of S/MIME code RC2 hack.
+
+     Most of the routines have the same form and so can be declared in terms
+     of macros.
+
+     By shifting this to the top level EVP_CipherInit() it can be removed from
+     all individual ciphers. If the cipher wants to handle IVs or keys
+     differently it can set the EVP_CIPH_CUSTOM_IV or EVP_CIPH_ALWAYS_CALL_INIT
+     flags.
+
+     Change lots of functions like EVP_EncryptUpdate() to now return a
+     value: although software versions of the algorithms cannot fail
+     any installed hardware versions can.
+     [Steve Henson]
+
+  *) Implement SSL_OP_TLS_ROLLBACK_BUG: In ssl3_get_client_key_exchange, if
+     this option is set, tolerate broken clients that send the negotiated
+     protocol version number instead of the requested protocol version
+     number.
+     [Bodo Moeller]
+
+  *) Call dh_tmp_cb (set by ..._TMP_DH_CB) with correct 'is_export' flag;
+     i.e. non-zero for export ciphersuites, zero otherwise.
+     Previous versions had this flag inverted, inconsistent with
+     rsa_tmp_cb (..._TMP_RSA_CB).
+     [Bodo Moeller; problem reported by Amit Chopra]
+
+  *) Add missing DSA library text string. Work around for some IIS
+     key files with invalid SEQUENCE encoding.
+     [Steve Henson]
+
+  *) Add a document (doc/standards.txt) that list all kinds of standards
+     and so on that are implemented in OpenSSL.
+     [Richard Levitte]
+
+  *) Enhance c_rehash script. Old version would mishandle certificates
+     with the same subject name hash and wouldn't handle CRLs at all.
+     Added -fingerprint option to crl utility, to support new c_rehash
+     features.
+     [Steve Henson]
+
+  *) Eliminate non-ANSI declarations in crypto.h and stack.h.
+     [Ulf M<>ller]
+
+  *) Fix for SSL server purpose checking. Server checking was
+     rejecting certificates which had extended key usage present
+     but no ssl client purpose.
+     [Steve Henson, reported by Rene Grosser <grosser@hisolutions.com>]
+
+  *) Make PKCS#12 code work with no password. The PKCS#12 spec
+     is a little unclear about how a blank password is handled.
+     Since the password in encoded as a BMPString with terminating
+     double NULL a zero length password would end up as just the
+     double NULL. However no password at all is different and is
+     handled differently in the PKCS#12 key generation code. NS
+     treats a blank password as zero length. MSIE treats it as no
+     password on export: but it will try both on import. We now do
+     the same: PKCS12_parse() tries zero length and no password if
+     the password is set to "" or NULL (NULL is now a valid password:
+     it wasn't before) as does the pkcs12 application.
+     [Steve Henson]
+
+  *) Bugfixes in apps/x509.c: Avoid a memory leak; and don't use
+     perror when PEM_read_bio_X509_REQ fails, the error message must
+     be obtained from the error queue.
+     [Bodo Moeller]
+
+  *) Avoid 'thread_hash' memory leak in crypto/err/err.c by freeing
+     it in ERR_remove_state if appropriate, and change ERR_get_state
+     accordingly to avoid race conditions (this is necessary because
+     thread_hash is no longer constant once set).
+     [Bodo Moeller]
+
+  *) Bugfix for linux-elf makefile.one.
+     [Ulf M<>ller]
+
+  *) RSA_get_default_method() will now cause a default
+     RSA_METHOD to be chosen if one doesn't exist already.
+     Previously this was only set during a call to RSA_new()
+     or RSA_new_method(NULL) meaning it was possible for
+     RSA_get_default_method() to return NULL.
+     [Geoff Thorpe]
+
+  *) Added native name translation to the existing DSO code
+     that will convert (if the flag to do so is set) filenames
+     that are sufficiently small and have no path information
+     into a canonical native form. Eg. "blah" converted to
+     "libblah.so" or "blah.dll" etc.
+     [Geoff Thorpe]
+
+  *) New function ERR_error_string_n(e, buf, len) which is like
+     ERR_error_string(e, buf), but writes at most 'len' bytes
+     including the 0 terminator.  For ERR_error_string_n, 'buf'
+     may not be NULL.
+     [Damien Miller <djm@mindrot.org>, Bodo Moeller]
+
+  *) CONF library reworked to become more general.  A new CONF
+     configuration file reader "class" is implemented as well as a
+     new functions (NCONF_*, for "New CONF") to handle it.  The now
+     old CONF_* functions are still there, but are reimplemented to
+     work in terms of the new functions.  Also, a set of functions
+     to handle the internal storage of the configuration data is
+     provided to make it easier to write new configuration file
+     reader "classes" (I can definitely see something reading a
+     configuration file in XML format, for example), called _CONF_*,
+     or "the configuration storage API"...
+
+     The new configuration file reading functions are:
+
+        NCONF_new, NCONF_free, NCONF_load, NCONF_load_fp, NCONF_load_bio,
+        NCONF_get_section, NCONF_get_string, NCONF_get_numbre
+
+        NCONF_default, NCONF_WIN32
+
+        NCONF_dump_fp, NCONF_dump_bio
+
+     NCONF_default and NCONF_WIN32 are method (or "class") choosers,
+     NCONF_new creates a new CONF object.  This works in the same way
+     as other interfaces in OpenSSL, like the BIO interface.
+     NCONF_dump_* dump the internal storage of the configuration file,
+     which is useful for debugging.  All other functions take the same
+     arguments as the old CONF_* functions wth the exception of the
+     first that must be a `CONF *' instead of a `LHASH *'.
+
+     To make it easer to use the new classes with the old CONF_* functions,
+     the function CONF_set_default_method is provided.
+     [Richard Levitte]
+
+  *) Add '-tls1' option to 'openssl ciphers', which was already
+     mentioned in the documentation but had not been implemented.
+     (This option is not yet really useful because even the additional
+     experimental TLS 1.0 ciphers are currently treated as SSL 3.0 ciphers.)
+     [Bodo Moeller]
+
+  *) Initial DSO code added into libcrypto for letting OpenSSL (and
+     OpenSSL-based applications) load shared libraries and bind to
+     them in a portable way.
+     [Geoff Thorpe, with contributions from Richard Levitte]
+
+ Changes between 0.9.5 and 0.9.5a  [1 Apr 2000]
+
+  *) Make sure _lrotl and _lrotr are only used with MSVC.
+
+  *) Use lock CRYPTO_LOCK_RAND correctly in ssleay_rand_status
+     (the default implementation of RAND_status).
+
+  *) Rename openssl x509 option '-crlext', which was added in 0.9.5,
+     to '-clrext' (= clear extensions), as intended and documented.
+     [Bodo Moeller; inconsistency pointed out by Michael Attili
+     <attili@amaxo.com>]
+
+  *) Fix for HMAC. It wasn't zeroing the rest of the block if the key length
+     was larger than the MD block size.      
+     [Steve Henson, pointed out by Yost William <YostW@tce.com>]
 
   *) Modernise PKCS12_parse() so it uses STACK_OF(X509) for its ca argument
      fix a leak when the ca argument was passed as NULL. Stop X509_PUBKEY_set()

Configure

@@ -10,7 +10,7 @@ use strict;
 
 # see INSTALL for instructions.
 
-my $usage="Usage: Configure [-Dxxx] [-lxxx] [-Lxxx] [-fxxx] [-Kxxx] [rsaref] [no-threads] [no-asm] [386] [--prefix=DIR] [--openssldir=OPENSSLDIR] os/compiler[:flags]\n";
+my $usage="Usage: Configure [no-<cipher> ...] [-Dxxx] [-lxxx] [-Lxxx] [-fxxx] [-Kxxx] [no-hw-xxx|no-hw] [rsaref] [no-threads] [no-asm] [no-dso] [386] [--prefix=DIR] [--openssldir=OPENSSLDIR] os/compiler[:flags]\n";
 
 # Options:
 #
@@ -23,15 +23,30 @@ my $usage="Usage: Configure [-Dxxx] [-lxxx] [-Lxxx] [-fxxx] [-Kxxx] [rsaref] [no
 #               default).  This needn't be set in advance, you can
 #               just as well use "make INSTALL_PREFIX=/whatever install".
 #
+# no-hw-xxx     do not compile support for specific crypto hardware.
+#               Generic OpenSSL-style methods relating to this support
+#               are always compiled but return NULL if the hardware
+#               support isn't compiled.
+# no-hw         do not compile support for any crypto hardware.
 # rsaref        use RSAref
 # [no-]threads  [don't] try to create a library that is suitable for
 #               multithreaded applications (default is "threads" if we
 #               know how to do it)
+# [no-]shared	[don't] try to create shared libraries when supported.
+#               IT IS NOT RECOMMENDED TO USE "shared"!  Since this is a
+#               development branch, the positions of the ENGINE symbols
+#               in the transfer vector are constantly moving, so binary
+#               backward compatibility can't be guaranteed in any way.
 # no-asm        do not use assembler
+# no-dso        do not compile in any native shared-library methods. This
+#               will ensure that all methods just return NULL.
 # 386           generate 80386 code
 # no-<cipher>   build without specified algorithm (rsa, idea, rc5, ...)
 # -<xxx> +<xxx> compiler options are passed through 
 #
+# DEBUG_SAFESTACK use type-safe stacks to enforce type-safety on stack items
+#		provided to stack calls. Generates unique stack functions for
+#		each possible stack type.
 # DES_PTR	use pointer lookup vs arrays in the DES in crypto/des/des_locl.h
 # DES_RISC1	use different DES_ENCRYPT macro that helps reduce register
 #		dependancies but needs to more registers, good for RISC CPU's
@@ -86,9 +101,13 @@ my $x86_bsdi_asm="asm/bn86bsdi.o asm/co86bsdi.o:asm/dx86bsdi.o asm/yx86bsdi.o:as
 # -DB_ENDIAN slows things down on a sparc for md5, but helps sha1.
 # So the md5_locl.h file has an undef B_ENDIAN if sun is defined
 
-#config-string	$cc : $cflags : $unistd : $thread_cflag : $lflags : $bn_ops : $bn_obj : $des_obj : $bf_obj : $md5_obj : $sha1_obj : $cast_obj : $rc4_obj : $rmd160_obj : $rc5_obj
+#config-string	$cc : $cflags : $unistd : $thread_cflag : $lflags : $bn_ops : $bn_obj : $des_obj : $bf_obj : $md5_obj : $sha1_obj : $cast_obj : $rc4_obj : $rmd160_obj : $rc5_obj : $dso_scheme : $shared_target : $shared_cflag
 
 my %table=(
+# File 'TABLE' (created by 'make TABLE') contains the data from this list,
+# formatted for better readability.
+
+
 #"b",		"${tcc}:${tflags}::${tlib}:${bits1}:${tbn_mul}::",
 #"bl-4c-2c",	"${tcc}:${tflags}::${tlib}:${bits1}BN_LLONG RC4_CHAR MD2_CHAR:${tbn_mul}::",
 #"bl-4c-ri",	"${tcc}:${tflags}::${tlib}:${bits1}BN_LLONG RC4_CHAR RC4_INDEX:${tbn_mul}::",
@@ -96,15 +115,15 @@ my %table=(
 
 # Our development configs
 "purify",	"purify gcc:-g -DPURIFY -Wall::(unknown):-lsocket -lnsl::::",
-"debug",	"gcc:-DBN_DEBUG -DREF_CHECK -DBN_CTX_DEBUG -DCRYPTO_MDEBUG -ggdb -g2 -Wformat -Wshadow -Wmissing-prototypes -Wmissing-declarations -Werror::(unknown):-lefence::::",
-"debug-ben",	"gcc:-DBN_DEBUG -DREF_CHECK -DBN_CTX_DEBUG -DCRYPTO_MDEBUG -DPEDANTIC -O2 -pedantic -Wall -Wshadow -Werror -pipe::(unknown):::::",
-"debug-ben-debug",	"gcc:-DBN_DEBUG -DREF_CHECK -DBN_CTX_DEBUG -DCRYPTO_MDEBUG -g3 -O2 -pedantic -Wall -Wshadow -Werror -pipe::(unknown):::::",
-"debug-ben-strict",	"gcc:-DBN_DEBUG -DREF_CHECK -DBN_CTX_DEBUG -DCRYPTO_MDEBUG -DCONST_STRICT -O2 -Wall -Wshadow -Werror -Wpointer-arith -Wcast-qual -Wwrite-strings -pipe::(unknown):::::",
+"debug",	"gcc:-DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG -ggdb -g2 -Wformat -Wshadow -Wmissing-prototypes -Wmissing-declarations -Werror::(unknown):-lefence::::",
+"debug-ben",	"gcc:-DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG -DPEDANTIC -DDEBUG_SAFESTACK -O2 -pedantic -Wall -Wshadow -Werror -pipe::(unknown):::::",
+"debug-ben-debug",	"gcc:-DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG -DPEDANTIC -DDEBUG_SAFESTACK -g3 -O2 -pedantic -Wall -Wshadow -Werror -pipe::(unknown):::::",
+"debug-ben-strict",	"gcc:-DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG -DCONST_STRICT -O2 -Wall -Wshadow -Werror -Wpointer-arith -Wcast-qual -Wwrite-strings -pipe::(unknown):::::",
 "debug-rse","cc:-DTERMIOS -DL_ENDIAN -pipe -O -g -ggdb3 -Wall::(unknown)::BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}",
-"debug-bodo",	"gcc:-DBIO_PAIR_DEBUG -DL_ENDIAN -DREF_CHECK -DBN_CTX_DEBUG -DCRYPTO_MDEBUG_ALL -g -m486 -pedantic -Wshadow -Wall::-D_REENTRANT::BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}",
-"debug-ulf",	"gcc:-DL_ENDIAN -DREF_CHECK -DBN_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG_ALL -g -O2 -m486 -Wall -Werror -Wshadow -pipe::-D_REENTRANT::${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}",
-"debug-steve",	"gcc:-DL_ENDIAN -DREF_CHECK -DBN_CTX_DEBUG -DCRYPTO_MDEBUG_ALL -DPEDANTIC -g -O2 -m486 -pedantic -Wall -Werror -Wshadow -pipe::-D_REENTRANT::${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}",
-"debug-levitte-linux-elf","gcc:-DUSE_ALLOCATING_PRINT -DRL_DEBUG -DREF_CHECK -DBN_CTX_DEBUG -DCRYPTO_MDEBUG -DNO_ASM -DL_ENDIAN -DTERMIO -D_POSIX_SOURCE -ggdb -g3 -m486 -pedantic -ansi -Wall -Wshadow -Wid-clash-31 -pipe::-D_REENTRANT:::",
+"debug-bodo",	"gcc:-DL_ENDIAN -DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG_ALL -DBIO_PAIR_DEBUG -g -m486 -pedantic -Wshadow -Wall::-D_REENTRANT::BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}",
+"debug-ulf",	"gcc:-DL_ENDIAN -DREF_CHECK -DCONF_DEBUG -DBN_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG_ALL -g -O2 -m486 -Wall -Werror -Wshadow -pipe::-D_REENTRANT::${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}",
+"debug-steve",	"gcc:-DL_ENDIAN -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DDEBUG_SAFESTACK -DCRYPTO_MDEBUG_ALL -DPEDANTIC -g -O2 -m486 -pedantic -Wall -Werror -Wshadow -pipe::-D_REENTRANT::${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}",
+"debug-levitte-linux-elf","gcc:-DUSE_ALLOCATING_PRINT -DRL_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG -DNO_ASM -DL_ENDIAN -DTERMIO -D_POSIX_SOURCE -ggdb -g3 -m486 -pedantic -ansi -Wall -Wshadow -Wid-clash-31 -pipe::-D_REENTRANT:-ldl:::::::::::dlfcn",
 "dist",		"cc:-O::(unknown):::::",
 
 # Basic configs that should work on any (32 and less bit) box
@@ -117,32 +136,32 @@ my %table=(
 # surrounds it with #APP #NO_APP comment pair which (at least Solaris
 # 7_x86) /usr/ccs/bin/as fails to assemble with "Illegal mnemonic"
 # error message.
-"solaris-x86-gcc","gcc:-O3 -fomit-frame-pointer -m486 -Wall -DL_ENDIAN -DNO_INLINE_ASM::-D_REENTRANT:-lsocket -lnsl:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_sol_asm}",
+"solaris-x86-gcc","gcc:-O3 -fomit-frame-pointer -m486 -Wall -DL_ENDIAN -DNO_INLINE_ASM::-D_REENTRANT:-lsocket -lnsl -ldl:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_sol_asm}:dlfcn:solaris-shared:-fPIC:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
 
 #### SPARC Solaris with GNU C setups
-"solaris-sparcv7-gcc","gcc:-O3 -fomit-frame-pointer -Wall -DB_ENDIAN -DBN_DIV2W::-D_REENTRANT:-lsocket -lnsl:BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR:::",
-"solaris-sparcv8-gcc","gcc:-mv8 -O3 -fomit-frame-pointer -Wall -DB_ENDIAN -DBN_DIV2W::-D_REENTRANT:-lsocket -lnsl:BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR:asm/sparcv8.o::",
-"solaris-sparcv9-gcc","gcc:-mcpu=ultrasparc -O3 -fomit-frame-pointer -Wall -DB_ENDIAN -DBN_DIV2W -DULTRASPARC::-D_REENTRANT:-lsocket -lnsl:BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR:asm/sparcv8plus.o:::asm/md5-sparcv8plus.o:",
+"solaris-sparcv7-gcc","gcc:-O3 -fomit-frame-pointer -Wall -DB_ENDIAN -DBN_DIV2W::-D_REENTRANT:-lsocket -lnsl -ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR::::::::::dlfcn:solaris-shared:-fPIC:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
+"solaris-sparcv8-gcc","gcc:-mv8 -O3 -fomit-frame-pointer -Wall -DB_ENDIAN -DBN_DIV2W::-D_REENTRANT:-lsocket -lnsl -ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR:asm/sparcv8.o:::::::::dlfcn:solaris-shared:-fPIC:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
+"solaris-sparcv9-gcc","gcc:-mcpu=ultrasparc -O3 -fomit-frame-pointer -Wall -DB_ENDIAN -DBN_DIV2W -DULTRASPARC::-D_REENTRANT:-lsocket -lnsl -ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR:asm/sparcv8plus.o:::asm/md5-sparcv8plus.o::::::dlfcn:solaris-shared:-fPIC:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
 # gcc pre-2.8 doesn't understand -mcpu=ultrasparc, so fall down to -mv8
 # but keep the assembler modules.
-"solaris-sparcv9-gcc27","gcc:-mv8 -O3 -fomit-frame-pointer -Wall -DB_ENDIAN -DBN_DIV2W -DULTRASPARC::-D_REENTRANT:-lsocket -lnsl:BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR:asm/sparcv8plus-gcc27.o:::asm/md5-sparcv8plus-gcc27.o:",
+"solaris-sparcv9-gcc27","gcc:-mv8 -O3 -fomit-frame-pointer -Wall -DB_ENDIAN -DBN_DIV2W -DULTRASPARC::-D_REENTRANT:-lsocket -lnsl -ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR:asm/sparcv8plus-gcc27.o:::asm/md5-sparcv8plus-gcc27.o::::::dlfcn:solaris-shared:-fPIC:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
 ####
-"debug-solaris-sparcv8-gcc","gcc:-DREF_CHECK -DBN_CTX_DEBUG -DCRYPTO_MDEBUG_ALL -O -g -mv8 -Wall -DB_ENDIAN::-D_REENTRANT:-lsocket -lnsl:BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR:asm/sparcv8.o::",
-"debug-solaris-sparcv9-gcc","gcc:-DREF_CHECK -DBN_CTX_DEBUG -DCRYPTO_MDEBUG_ALL -O -g -mcpu=ultrasparc -Wall -DB_ENDIAN::-D_REENTRANT:-lsocket -lnsl:BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR:asm/sparcv8plus.o::",
+"debug-solaris-sparcv8-gcc","gcc:-DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG_ALL -O -g -mv8 -Wall -DB_ENDIAN::-D_REENTRANT:-lsocket -lnsl -ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR:asm/sparcv8.o:::::::::dlfcn:solaris-shared:-fPIC:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
+"debug-solaris-sparcv9-gcc","gcc:-DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG_ALL -O -g -mcpu=ultrasparc -Wall -DB_ENDIAN::-D_REENTRANT:-lsocket -lnsl -ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR:asm/sparcv8plus.o:::::::::dlfcn:solaris-shared:-fPIC:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
 
 #### SPARC Solaris with Sun C setups
 # DO NOT use /xO[34] on sparc with SC3.0.  It is broken, and will not pass the tests
-"solaris-sparc-sc3","cc:-fast -O -Xa -DB_ENDIAN::-D_REENTRANT:-lsocket -lnsl:BN_LLONG RC4_CHAR RC4_CHUNK DES_PTR DES_UNROLL BF_PTR:::",
+"solaris-sparc-sc3","cc:-fast -O -Xa -DB_ENDIAN::-D_REENTRANT:-lsocket -lnsl -ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_PTR DES_UNROLL BF_PTR::::::::::dlfcn:solaris-shared:-KPIC:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
 # SC4.0 doesn't pass 'make test', upgrade to SC5.0 or SC4.2.
 # SC4.2 is ok, better than gcc even on bn as long as you tell it -xarch=v8
 # SC5.0 note: Compiler common patch 107357-01 or later is required!
-"solaris-sparcv7-cc","cc:-xO5 -xstrconst -xdepend -Xa -DB_ENDIAN -DBN_DIV2W::-D_REENTRANT:-lsocket -lnsl:BN_LLONG RC4_CHAR RC4_CHUNK DES_PTR DES_RISC1 DES_UNROLL BF_PTR:::",
-"solaris-sparcv8-cc","cc:-xarch=v8 -xO5 -xstrconst -xdepend -Xa -DB_ENDIAN -DBN_DIV2W::-D_REENTRANT:-lsocket -lnsl:BN_LLONG RC4_CHAR RC4_CHUNK DES_PTR DES_RISC1 DES_UNROLL BF_PTR:asm/sparcv8.o::",
-"solaris-sparcv9-cc","cc:-xtarget=ultra -xarch=v8plus -xO5 -xstrconst -xdepend -Xa -DB_ENDIAN -DBN_DIV2W -DULTRASPARC::-D_REENTRANT:-lsocket -lnsl:BN_LLONG RC4_CHAR RC4_CHUNK_LL DES_PTR DES_RISC1 DES_UNROLL BF_PTR:asm/sparcv8plus.o:::asm/md5-sparcv8plus.o:",
-"solaris64-sparcv9-cc","cc:-xtarget=ultra -xarch=v9 -xO5 -xstrconst -xdepend -Xa -DB_ENDIAN -DULTRASPARC::-D_REENTRANT:-lsocket -lnsl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_INT DES_PTR DES_RISC1 DES_UNROLL BF_PTR::::asm/md5-sparcv9.o:",
+"solaris-sparcv7-cc","cc:-xO5 -xstrconst -xdepend -Xa -DB_ENDIAN -DBN_DIV2W::-D_REENTRANT:-lsocket -lnsl -ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_PTR DES_RISC1 DES_UNROLL BF_PTR::::::::::dlfcn:solaris-shared:-KPIC:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
+"solaris-sparcv8-cc","cc:-xarch=v8 -xO5 -xstrconst -xdepend -Xa -DB_ENDIAN -DBN_DIV2W::-D_REENTRANT:-lsocket -lnsl -ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_PTR DES_RISC1 DES_UNROLL BF_PTR:asm/sparcv8.o:::::::::dlfcn:solaris-shared:-KPIC:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
+"solaris-sparcv9-cc","cc:-xtarget=ultra -xarch=v8plus -xO5 -xstrconst -xdepend -Xa -DB_ENDIAN -DBN_DIV2W -DULTRASPARC::-D_REENTRANT:-lsocket -lnsl -ldl:BN_LLONG RC4_CHAR RC4_CHUNK_LL DES_PTR DES_RISC1 DES_UNROLL BF_PTR:asm/sparcv8plus.o:::asm/md5-sparcv8plus.o::::::dlfcn:solaris-shared:-KPIC:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
+"solaris64-sparcv9-cc","cc:-xtarget=ultra -xarch=v9 -xO5 -xstrconst -xdepend -Xa -DB_ENDIAN -DULTRASPARC::-D_REENTRANT:-lsocket -lnsl -ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_INT DES_PTR DES_RISC1 DES_UNROLL BF_PTR::::asm/md5-sparcv9.o::::::dlfcn:solaris-shared:-KPIC:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR):/usr/ccs/bin/ar rs",
 ####
-"debug-solaris-sparcv8-cc","cc:-DREF_CHECK -DBN_CTX_DEBUG -DCRYPTO_MDEBUG_ALL -xarch=v8 -g -O -xstrconst -Xa -DB_ENDIAN -DBN_DIV2W::-D_REENTRANT:-lsocket -lnsl:BN_LLONG RC4_CHAR RC4_CHUNK DES_PTR DES_RISC1 DES_UNROLL BF_PTR:asm/sparcv8.o::",
-"debug-solaris-sparcv9-cc","cc:-DREF_CHECK -DBN_CTX_DEBUG -DCRYPTO_MDEBUG_ALL -xtarget=ultra -xarch=v8plus -g -O -xstrconst -Xa -DB_ENDIAN -DBN_DIV2W -DULTRASPARC::-D_REENTRANT:-lsocket -lnsl:BN_LLONG RC4_CHAR RC4_CHUNK_LL DES_PTR DES_RISC1 DES_UNROLL BF_PTR:asm/sparcv8plus.o:::asm/md5-sparcv8plus.o:",
+"debug-solaris-sparcv8-cc","cc:-DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG_ALL -xarch=v8 -g -O -xstrconst -Xa -DB_ENDIAN -DBN_DIV2W::-D_REENTRANT:-lsocket -lnsl -ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_PTR DES_RISC1 DES_UNROLL BF_PTR:asm/sparcv8.o:::::::::dlfcn:solaris-shared:-KPIC:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
+"debug-solaris-sparcv9-cc","cc:-DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG_ALL -xtarget=ultra -xarch=v8plus -g -O -xstrconst -Xa -DB_ENDIAN -DBN_DIV2W -DULTRASPARC::-D_REENTRANT:-lsocket -lnsl -ldl:BN_LLONG RC4_CHAR RC4_CHUNK_LL DES_PTR DES_RISC1 DES_UNROLL BF_PTR:asm/sparcv8plus.o:::asm/md5-sparcv8plus.o::::::dlfcn:solaris-shared:-KPIC:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
 
 #### SPARC Linux setups
 "linux-sparcv7","gcc:-DB_ENDIAN -DTERMIO -O3 -fomit-frame-pointer -Wall::-D_REENTRANT::BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR::",
@@ -168,11 +187,11 @@ my %table=(
 # Only N32 and N64 ABIs are supported. If you need O32 ABI build, invoke
 # './Configure irix-[g]cc' manually.
 # -mips4 flag is added by ./config when appropriate.
-"irix-mips3-gcc","gcc:-mabi=n32 -mmips-as -O3 -DTERMIOS -DB_ENDIAN -DBN_DIV3W::(unknown)::MD2_CHAR RC4_INDEX RC4_CHAR RC4_CHUNK_LL DES_UNROLL DES_RISC2 DES_PTR BF_PTR SIXTY_FOUR_BIT:asm/mips3.o::",
-"irix-mips3-cc", "cc:-n32 -O2 -use_readonly_const -DTERMIOS -DB_ENDIAN -DBN_DIV3W::(unknown)::DES_PTR RC4_CHAR RC4_CHUNK_LL DES_RISC2 DES_UNROLL BF_PTR SIXTY_FOUR_BIT:asm/mips3.o::",
+"irix-mips3-gcc","gcc:-mabi=n32 -mmips-as -O3 -DTERMIOS -DB_ENDIAN -DBN_DIV3W::-D_SGI_MP_SOURCE::MD2_CHAR RC4_INDEX RC4_CHAR RC4_CHUNK_LL DES_UNROLL DES_RISC2 DES_PTR BF_PTR SIXTY_FOUR_BIT:asm/mips3.o::",
+"irix-mips3-cc", "cc:-n32 -O2 -use_readonly_const -DTERMIOS -DB_ENDIAN -DBN_DIV3W::-D_SGI_MP_SOURCE::DES_PTR RC4_CHAR RC4_CHUNK_LL DES_RISC2 DES_UNROLL BF_PTR SIXTY_FOUR_BIT:asm/mips3.o::",
 # N64 ABI builds.
-"irix64-mips4-gcc","gcc:-mabi=64 -mips4 -mmips-as -O3 -DTERMIOS -DB_ENDIAN -DBN_DIV3W::(unknown)::RC4_CHAR RC4_CHUNK DES_RISC2 DES_UNROLL SIXTY_FOUR_BIT_LONG:asm/mips3.o::",
-"irix64-mips4-cc", "cc:-64 -mips4 -O2 -use_readonly_const -DTERMIOS -DB_ENDIAN -DBN_DIV3W::(unknown)::RC4_CHAR RC4_CHUNK DES_RISC2 DES_UNROLL SIXTY_FOUR_BIT_LONG:asm/mips3.o::",
+"irix64-mips4-gcc","gcc:-mabi=64 -mips4 -mmips-as -O3 -DTERMIOS -DB_ENDIAN -DBN_DIV3W::-D_SGI_MP_SOURCE::RC4_CHAR RC4_CHUNK DES_RISC2 DES_UNROLL SIXTY_FOUR_BIT_LONG:asm/mips3.o::",
+"irix64-mips4-cc", "cc:-64 -mips4 -O2 -use_readonly_const -DTERMIOS -DB_ENDIAN -DBN_DIV3W::-D_SGI_MP_SOURCE::RC4_CHAR RC4_CHUNK DES_RISC2 DES_UNROLL SIXTY_FOUR_BIT_LONG:asm/mips3.o::",
 
 #### Unified HP-UX ANSI C configs.
 # Special notes:
@@ -202,32 +221,43 @@ my %table=(
 #   crypto/sha/sha_lcl.h.
 #					<appro@fy.chalmers.se>
 #
-"hpux-parisc-cc","cc:-Ae +O3 +ESlit -z -DB_ENDIAN -DBN_DIV2W -DMD32_XARRAY::::BN_LLONG DES_PTR DES_UNROLL DES_RISC1:::",
-"hpux-parisc-gcc","gcc:-O3 -DB_ENDIAN -DBN_DIV2W::::BN_LLONG DES_PTR DES_UNROLL DES_RISC1:::",
-"hpux64-parisc-cc","cc:-Ae +DD64 +O3 +ESlit -z -DB_ENDIAN -DMD32_XARRAY::-D_REENTRANT::SIXTY_FOUR_BIT_LONG MD2_CHAR RC4_INDEX RC4_CHAR DES_UNROLL DES_RISC1 DES_INT:::",
+#!#"hpux-parisc-cc","cc:-Ae +O3 +ESlit -z -DB_ENDIAN -DBN_DIV2W -DMD32_XARRAY:::-ldld:BN_LLONG DES_PTR DES_UNROLL DES_RISC1::::::::::dl",
+# Since there is mention of this in shlib/hpux10-cc.sh
+"hpux-parisc-cc-o4","cc:-Ae +O4 +ESlit -z -DB_ENDIAN -DBN_DIV2W -DMD32_XARRAY:::-ldld:BN_LLONG DES_PTR DES_UNROLL DES_RISC1::::::::::dl",
+"hpux-parisc-gcc","gcc:-O3 -DB_ENDIAN -DBN_DIV2W:::-ldld:BN_LLONG DES_PTR DES_UNROLL DES_RISC1::::::::::dl",
+"hpux64-parisc-cc","cc:-Ae +DD64 +O3 +ESlit -z -DB_ENDIAN -DMD32_XARRAY::-D_REENTRANT:-ldl:SIXTY_FOUR_BIT_LONG MD2_CHAR RC4_INDEX RC4_CHAR DES_UNROLL DES_RISC1 DES_INT::::::::::dlfcn",
+
+# More attempts at unified 10.X and 11.X targets for HP C compiler.
+#
+# Chris Ruemmler <ruemmler@cup.hp.com>
+# Kevin Steves <ks@hp.se>
+"hpux-parisc-cc","cc:+O3 +Optrs_strongly_typed +Olibcalls -Ae +ESlit -DB_ENDIAN -DBN_DIV2W -DMD32_XARRAY::-D_REENTRANT:-ldld:MD2_CHAR RC4_INDEX RC4_CHAR DES_UNROLL DES_RISC1 DES_INT::::::::::dl",
+"hpux-parisc2-cc","cc:+DA2.0 +DS2.0 +O3 +Optrs_strongly_typed +Olibcalls -Ae +ESlit -DB_ENDIAN -DMD32_XARRAY::-D_REENTRANT:-ldld:SIXTY_FOUR_BIT MD2_CHAR RC4_INDEX RC4_CHAR DES_UNROLL DES_RISC1 DES_INT:asm/pa-risc2.o:::::::::dl",
+"hpux64-parisc2-cc","cc:+DD64 +O3 +Optrs_strongly_typed +Olibcalls -Ae +ESlit -DB_ENDIAN -DMD32_XARRAY::-D_REENTRANT:-ldl:SIXTY_FOUR_BIT_LONG MD2_CHAR RC4_INDEX RC4_CHAR DES_UNROLL DES_RISC1 DES_INT:asm/pa-risc2W.o:::::::::dlfcn",
+"hpux-parisc1_1-cc","cc:+DA1.1 +DS1.1 +O3 +Optrs_strongly_typed +Olibcalls -Ae +ESlit -DB_ENDIAN -DMD32_XARRAY::-D_REENTRANT:-ldld:MD2_CHAR RC4_INDEX RC4_CHAR DES_UNROLL DES_RISC1 DES_INT::::::::::dl",
 
 # HPUX 9.X config.
 # Don't use the bundled cc.  It is broken.  Use HP ANSI C if possible, or
 # egcs.  gcc 2.8.1 is also broken.
 
-"hpux-cc",	"cc:-DB_ENDIAN -DBN_DIV2W -DMD32_XARRAY -Ae +ESlit +O3 -z::(unknown)::BN_LLONG DES_PTR DES_UNROLL DES_RISC1:::",
+"hpux-cc",	"cc:-DB_ENDIAN -DBN_DIV2W -DMD32_XARRAY -Ae +ESlit +O3 -z::(unknown):-ldld:BN_LLONG DES_PTR DES_UNROLL DES_RISC1::::::::::dl",
 # If hpux-cc fails (e.g. during "make test"), try the next one; otherwise,
 # please report your OS and compiler version to the openssl-bugs@openssl.org
 # mailing list.
-"hpux-brokencc",	"cc:-DB_ENDIAN -DBN_DIV2W -Ae +ESlit +O2 -z::(unknown)::DES_PTR DES_UNROLL DES_RISC1:::",
+"hpux-brokencc",	"cc:-DB_ENDIAN -DBN_DIV2W -Ae +ESlit +O2 -z::(unknown):-ldld:DES_PTR DES_UNROLL DES_RISC1::::::::::dl",
 
-"hpux-gcc",	"gcc:-DB_ENDIAN -DBN_DIV2W -O3::(unknown)::BN_LLONG DES_PTR DES_UNROLL DES_RISC1:::",
+"hpux-gcc",	"gcc:-DB_ENDIAN -DBN_DIV2W -O3::(unknown):-ldld:BN_LLONG DES_PTR DES_UNROLL DES_RISC1::::::::::dl",
 # If hpux-gcc fails, try this one:
-"hpux-brokengcc",	"gcc:-DB_ENDIAN -DBN_DIV2W -O3::(unknown)::DES_PTR DES_UNROLL DES_RISC1:::",
+"hpux-brokengcc",	"gcc:-DB_ENDIAN -DBN_DIV2W -O3::(unknown):-ldld:DES_PTR DES_UNROLL DES_RISC1::::::::::dl",
 
 # HPUX 10.X config.  Supports threads.
-"hpux10-cc",	"cc:-DB_ENDIAN -DBN_DIV2W -DMD32_XARRAY -Ae +ESlit +O3 -z::-D_REENTRANT::BN_LLONG DES_PTR DES_UNROLL DES_RISC1:::",
+"hpux10-cc",	"cc:-DB_ENDIAN -DBN_DIV2W -DMD32_XARRAY -Ae +ESlit +O3 -z::-D_REENTRANT:-ldld:BN_LLONG DES_PTR DES_UNROLL DES_RISC1::::::::::dl",
 # If hpux10-cc fails, try this one (if still fails, try deleting BN_LLONG):
-"hpux10-brokencc",	"cc:-DB_ENDIAN -DBN_DIV2W -Ae +ESlit +O2 -z::-D_REENTRANT::BN_LLONG DES_PTR DES_UNROLL DES_RISC1:::",
+"hpux10-brokencc",	"cc:-DB_ENDIAN -DBN_DIV2W -Ae +ESlit +O2 -z::-D_REENTRANT:-ldld:BN_LLONG DES_PTR DES_UNROLL DES_RISC1::::::::::dl",
 
-"hpux10-gcc",	"gcc:-DB_ENDIAN -DBN_DIV2W -O3::-D_REENTRANT::BN_LLONG DES_PTR DES_UNROLL DES_RISC1:::",
+"hpux10-gcc",	"gcc:-DB_ENDIAN -DBN_DIV2W -O3::-D_REENTRANT:-ldld:BN_LLONG DES_PTR DES_UNROLL DES_RISC1::::::::::dl",
 # If hpux10-gcc fails, try this one:
-"hpux10-brokengcc",	"gcc:-DB_ENDIAN -DBN_DIV2W -O3::-D_REENTRANT::DES_PTR DES_UNROLL DES_RISC1:::",
+"hpux10-brokengcc",	"gcc:-DB_ENDIAN -DBN_DIV2W -O3::-D_REENTRANT:-ldld:DES_PTR DES_UNROLL DES_RISC1::::::::::dl",
 
 # HPUX 11.X from www.globus.org.
 # Only works on PA-RISC 2.0 cpus, and not optimized.  Why?
@@ -235,13 +265,16 @@ my %table=(
 #"hpux11-64bit-cc","cc:+DA2.0W -g -D_HPUX_SOURCE -Aa -Ae +ESlit::-D_REENTRANT::SIXTY_FOUR_BIT_LONG MD2_CHAR RC4_INDEX RC4_CHAR DES_UNROLL DES_RISC1 DES_INT :::",
 # Use unified settings above instead.
 
+#### HP MPE/iX http://jazz.external.hp.com/src/openssl/
+"MPE/iX-gcc", "gcc:-D_ENDIAN -DBN_DIV2W -O3 -DMPE -D_POSIX_SOURCE -D_SOCKET_SOURCE -I/SYSLOG/PUB::(unknown):-L/SYSLOG/PUB -lsyslog -lsocket -lcurses:BN_LLONG DES_PTR DES_UNROLL DES_RISC1:::",
+
 # Dec Alpha, OSF/1 - the alpha164-cc is the flags for a 21164A with
 # the new compiler
 # For gcc, the following gave a %50 speedup on a 164 over the 'DES_INT' version
-"alpha-gcc","gcc:-O3::(unknown)::SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_UNROLL DES_RISC1:asm/alpha.o::",
-"alpha-cc", "cc:-std1 -tune host -O4 -readonly_strings::(unknown)::SIXTY_FOUR_BIT_LONG RC4_CHUNK:asm/alpha.o::",
-"alpha164-cc", "cc:-std1 -tune host -fast -readonly_strings::(unknown)::SIXTY_FOUR_BIT_LONG RC4_CHUNK:asm/alpha.o::",
-"FreeBSD-alpha","gcc:-DTERMIOS -O3 -fomit-frame-pointer::(unknown)::SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_INT DES_PTR DES_RISC2:::",
+"alpha-gcc","gcc:-O3::(unknown)::SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_UNROLL DES_RISC1:asm/alpha.o:::::::::dlfcn:true64-shared::.so",
+"alpha-cc", "cc:-std1 -tune host -O4 -readonly_strings::(unknown)::SIXTY_FOUR_BIT_LONG RC4_CHUNK:asm/alpha.o:::::::::dlfcn:true64-shared::.so",
+"alpha164-cc", "cc:-std1 -tune host -fast -readonly_strings::(unknown)::SIXTY_FOUR_BIT_LONG RC4_CHUNK:asm/alpha.o:::::::::dlfcn:true64-shared::.so",
+"FreeBSD-alpha","gcc:-DTERMIOS -O -fomit-frame-pointer::(unknown)::SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_INT DES_PTR DES_RISC2::::::::::dlfcn:bsd-gcc-shared:-fPIC:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
 
 #### Alpha Linux with GNU C and Compaq C setups
 # Special notes:
@@ -256,44 +289,60 @@ my %table=(
 #
 #					<appro@fy.chalmers.se>
 #
-"linux-alpha-gcc","gcc:-O3 -DL_ENDIAN -DTERMIO::(unknown)::SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_RISC1 DES_UNROLL:asm/alpha.o::",
-"linux-alpha+bwx-gcc","gcc:-O3 -DL_ENDIAN -DTERMIO::(unknown)::SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_RISC1 DES_UNROLL:asm/alpha.o::",
-"linux-alpha-ccc","ccc:-fast -readonly_strings -DL_ENDIAN -DTERMIO::(unknown)::SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_INT DES_PTR DES_RISC1 DES_UNROLL:asm/alpha.o::",
-"linux-alpha+bwx-ccc","ccc:-fast -readonly_strings -DL_ENDIAN -DTERMIO::(unknown)::SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_INT DES_PTR DES_RISC1 DES_UNROLL:asm/alpha.o::",
+"linux-alpha-gcc","gcc:-O3 -DL_ENDIAN -DTERMIO::-D_REENTRANT:-ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_RISC1 DES_UNROLL:asm/alpha.o:::::::::dlfcn:linux-shared:-fPIC:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
+"linux-alpha+bwx-gcc","gcc:-O3 -DL_ENDIAN -DTERMIO::-D_REENTRANT:-ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_RISC1 DES_UNROLL:asm/alpha.o:::::::::dlfcn:linux-shared:-fPIC:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
+"linux-alpha-ccc","ccc:-fast -readonly_strings -DL_ENDIAN -DTERMIO::-D_REENTRANT::SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_INT DES_PTR DES_RISC1 DES_UNROLL:asm/alpha.o::",
+"linux-alpha+bwx-ccc","ccc:-fast -readonly_strings -DL_ENDIAN -DTERMIO::-D_REENTRANT::SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_INT DES_PTR DES_RISC1 DES_UNROLL:asm/alpha.o::",
 
 # assembler versions -- currently defunct:
 ##"OpenBSD-alpha","gcc:-DTERMIOS -O3 -fomit-frame-pointer::(unknown):SIXTY_FOUR_BIT_LONG DES_INT DES_PTR DES_RISC2:asm/alpha.o::",
 
 # The intel boxes :-), It would be worth seeing if bsdi-gcc can use the
 # bn86-elf.o file file since it is hand tweaked assembler.
-"linux-elf",	"gcc:-DL_ENDIAN -DTERMIO -O3 -fomit-frame-pointer -m486 -Wall::-D_REENTRANT::BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}",
-"debug-linux-elf","gcc:-DREF_CHECK -DBN_CTX_DEBUG -DCRYPTO_MDEBUG -DL_ENDIAN -DTERMIO -g -m486 -Wall::-D_REENTRANT:-lefence:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}",
+"linux-elf",	"gcc:-DL_ENDIAN -DTERMIO -O3 -fomit-frame-pointer -m486 -Wall::-D_REENTRANT:-ldl:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}:dlfcn:linux-shared:-fPIC:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
+"debug-linux-elf","gcc:-DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG -DL_ENDIAN -DTERMIO -g -m486 -Wall::-D_REENTRANT:-lefence -ldl:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}:dlfcn",
+"debug-linux-elf-noefence","gcc:-DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG -DL_ENDIAN -DTERMIO -g -m486 -Wall::-D_REENTRANT:-ldl:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}:dlfcn",
 "linux-aout",	"gcc:-DL_ENDIAN -DTERMIO -O3 -fomit-frame-pointer -m486 -Wall::(unknown)::BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_out_asm}",
 "linux-mips",   "gcc:-DL_ENDIAN -DTERMIO -O3 -fomit-frame-pointer -Wall::(unknown)::BN_LLONG:::",
 "linux-ppc",    "gcc:-DB_ENDIAN -DTERMIO -O3 -fomit-frame-pointer -Wall::-D_REENTRANT::BN_LLONG::",
+"linux-m68k",   "gcc:-DB_ENDIAN -DTERMIO -O2 -fomit-frame-pointer -Wall::-D_REENTRANT::BN_LLONG::",
+"linux-s390",	"gcc:-DB_ENDIAN -DTERMIO -O3 -fomit-frame-pointer -Wall::-D_REENTRANT::BN_LLONG::",
 "linux-ia64",   "gcc:-DL_ENDIAN -DTERMIO -O3 -fomit-frame-pointer -Wall::(unknown)::SIXTY_FOUR_BIT_LONG::",
-"NetBSD-sparc",	"gcc:-DTERMIOS -O3 -fomit-frame-pointer -mv8 -Wall -DB_ENDIAN::(unknown)::BN_LLONG MD2_CHAR RC4_INDEX DES_UNROLL:::",
-"NetBSD-m68",	"gcc:-DTERMIOS -O3 -fomit-frame-pointer -Wall -DB_ENDIAN::(unknown)::BN_LLONG MD2_CHAR RC4_INDEX DES_UNROLL:::",
-"NetBSD-x86",	"gcc:-DTERMIOS -O3 -fomit-frame-pointer -m486 -Wall::(unknown)::BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:",
-"FreeBSD-elf",  "gcc:-DTERMIOS -DL_ENDIAN -fomit-frame-pointer -O3 -m486 -Wall::(unknown)::BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}",
+"NetBSD-sparc",	"gcc:-DTERMIOS -O3 -fomit-frame-pointer -mv8 -Wall -DB_ENDIAN::(unknown)::BN_LLONG MD2_CHAR RC4_INDEX DES_UNROLL::::::::::dlfcn:bsd-gcc-shared:-fPIC:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
+"NetBSD-m68",	"gcc:-DTERMIOS -O3 -fomit-frame-pointer -Wall -DB_ENDIAN::(unknown)::BN_LLONG MD2_CHAR RC4_INDEX DES_UNROLL::::::::::dlfcn:bsd-gcc-shared:-fPIC:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
+"NetBSD-x86",	"gcc:-DTERMIOS -O3 -fomit-frame-pointer -m486 -Wall::(unknown)::BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}::::::::::dlfcn:bsd-gcc-shared:-fPIC:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
+"FreeBSD-elf",  "gcc:-DTERMIOS -DL_ENDIAN -fomit-frame-pointer -O3 -m486 -Wall::(unknown)::BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}:dlfcn:bsd-gcc-shared:-fPIC:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
 "FreeBSD",      "gcc:-DTERMIOS -DL_ENDIAN -fomit-frame-pointer -O3 -m486 -Wall::(unknown)::BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_out_asm}",
 "bsdi-gcc",     "gcc:-O3 -ffast-math -DL_ENDIAN -DPERL5 -m486::(unknown)::RSA_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_bsdi_asm}",
-"bsdi-elf-gcc",     "gcc:-DPERL5 -DL_ENDIAN -fomit-frame-pointer -O3 -m486 -Wall::(unknown)::BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}",
+"bsdi-elf-gcc",     "gcc:-DPERL5 -DL_ENDIAN -fomit-frame-pointer -O3 -m486 -Wall::(unknown):-ldl:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}:dlfcn:bsd-gcc-shared:-fPIC:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
 "nextstep",	"cc:-O -Wall:<libc.h>:(unknown)::BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:::",
 "nextstep3.3",	"cc:-O3 -Wall:<libc.h>:(unknown)::BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:::",
 # NCR MP-RAS UNIX ver 02.03.01
 "ncr-scde","cc:-O6 -Xa -Hoff=BEHAVED -686 -Hwide -Hiw::(unknown):-lsocket -lnsl:${x86_gcc_des} ${x86_gcc_opts}:::",
 
-# UnixWare 2.0
-"unixware-2.0","cc:-O -DFILIO_H::(unknown):-lsocket -lnsl:${x86_gcc_des} ${x86_gcc_opts}:::",
-"unixware-2.0-pentium","cc:-O -DFILIO_H -Kpentium -Kthread::(unknown):-lsocket -lnsl:MD2_CHAR RC4_INDEX ${x86_gcc_des}::",
+# QNX 4
+"qnx4",	"cc:-DL_ENDIAN -DTERMIO::(unknown)::${x86_gcc_des} ${x86_gcc_opts}:",
+
+# Linux on ARM
+"linux-elf-arm","gcc:-DL_ENDIAN -DTERMIO -O3 -fomit-frame-pointer -Wall::-D_REENTRANT::BN_LLONG::::::::::dlfcn:linux-shared:-fPIC:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
+
+# UnixWare 2.0x fails destest with -O
+"unixware-2.0","cc:-DFILIO_H::-Kthread:-lsocket -lnsl -lx:${x86_gcc_des} ${x86_gcc_opts}:::",
+"unixware-2.0-pentium","cc:-DFILIO_H -Kpentium:-Kthread:-lsocket -lnsl -lx:MD2_CHAR RC4_INDEX ${x86_gcc_des}::",
+
+# UnixWare 2.1
+"unixware-2.1","cc:-O -DFILIO_H::-Kthread:-lsocket -lnsl -lx:${x86_gcc_des} ${x86_gcc_opts}:::",
+"unixware-2.1-pentium","cc:-O -DFILIO_H -Kpentium::-Kthread:-lsocket -lnsl -lx:MD2_CHAR RC4_INDEX ${x86_gcc_des}::",
+"unixware-2.1-p6","cc:-O -DFILIO_H -Kp6::-Kthread:-lsocket -lnsl -lx:MD2_CHAR RC4_INDEX ${x86_gcc_des}::",
 
 # UnixWare 7
 "unixware-7","cc:-O -DFILIO_H -Kalloca::-Kthread:-lsocket -lnsl:MD2_CHAR RC4_INDEX ${x86_gcc_des}::",
 
 # IBM's AIX.
-"aix-cc",   "cc:-O -DAIX -DB_ENDIAN::(unknown)::BN_LLONG RC4_CHAR:::",
+"aix-cc",   "cc:-O -DAIX -DB_ENDIAN -qmaxmem=16384::(unknown)::BN_LLONG RC4_CHAR:::",
 "aix-gcc",  "gcc:-O3 -DAIX -DB_ENDIAN::(unknown)::BN_LLONG RC4_CHAR:::",
+"aix43-cc",   "cc:-O -DAIX -DB_ENDIAN -qmaxmem=16384::(unknown)::BN_LLONG RC4_CHAR::::::::::dlfcn:",
+"aix43-gcc",  "gcc:-O3 -DAIX -DB_ENDIAN::(unknown)::BN_LLONG RC4_CHAR::::::::::dlfcn:",
 
 #
 # Cray T90 (SDSC)
@@ -323,9 +372,13 @@ my %table=(
 "dgux-R4-gcc",	"gcc:-O3 -fomit-frame-pointer::(unknown):-lnsl -lsocket:RC4_INDEX:RC4_INDEX DES_UNROLL:::",
 "dgux-R4-x86-gcc",	"gcc:-O3 -fomit-frame-pointer -DL_ENDIAN::(unknown):-lnsl -lsocket:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}",
 
+# SCO 3 - Tim Rice <tim@multitalents.net>
+"sco3-gcc",  "gcc:-O3 -fomit-frame-pointer -Dssize_t=int -DNO_SYS_UN_H::(unknown)::-lsocket:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:::", # the SCO assembler doesn't seem to like our assembler files ...
+
 # SCO 5 - Ben Laurie <ben@algroup.co.uk> says the -O breaks the
 # SCO cc.
 "sco5-cc",  "cc:::(unknown):-lsocket:${x86_gcc_des} ${x86_gcc_opts}:::", # des options?
+"sco5-cc-pentium",  "cc:-Kpentium::(unknown):-lsocket:${x86_gcc_des} ${x86_gcc_opts}:::", # des options?
 "sco5-gcc",  "gcc:-O3 -fomit-frame-pointer::(unknown):-lsocket:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:::", # the SCO assembler doesn't seem to like our assembler files ...
 
 # Sinix/ReliantUNIX RM400
@@ -339,22 +392,24 @@ my %table=(
 
 # Windows NT, Microsoft Visual C++ 4.0
 
-"VC-NT","cl:::::BN_LLONG RC4_INDEX ${x86_gcc_opts}:::",
-"VC-WIN32","cl:::::BN_LLONG RC4_INDEX ${x86_gcc_opts}:::",
+"VC-NT","cl:::::BN_LLONG RC4_INDEX ${x86_gcc_opts}::::::::::win32",
+"VC-WIN32","cl:::::BN_LLONG RC4_INDEX ${x86_gcc_opts}::::::::::win32",
 "VC-WIN16","cl:::(unknown)::MD2_CHAR DES_UNROLL DES_PTR RC4_INDEX THIRTY_TWO_BIT:::",
 "VC-W31-16","cl:::(unknown)::BN_LLONG MD2_CHAR DES_UNROLL DES_PTR RC4_INDEX SIXTEEN_BIT:::",
 "VC-W31-32","cl:::::BN_LLONG MD2_CHAR DES_UNROLL DES_PTR RC4_INDEX THIRTY_TWO_BIT:::",
 "VC-MSDOS","cl:::(unknown)::BN_LLONG MD2_CHAR DES_UNROLL DES_PTR RC4_INDEX SIXTEEN_BIT:::",
 
 # Borland C++ 4.5
-"BC-32","bcc32:::::BN_LLONG DES_PTR RC4_INDEX:::",
+"BC-32","bcc32:::::BN_LLONG DES_PTR RC4_INDEX::::::::::win32",
 "BC-16","bcc:::(unknown)::BN_LLONG DES_PTR RC4_INDEX SIXTEEN_BIT:::",
 
-# CygWin32
+# Mingw32
 # (Note: the real CFLAGS for Windows builds are defined by util/mk1mf.pl
 # and its library files in util/pl/*)
-"CygWin32", "gcc:-DTERMIOS -DL_ENDIAN -fomit-frame-pointer -O3 -m486 -Wall::::BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:",
-"Mingw32", "gcc:-DL_ENDIAN -fomit-frame-pointer -O3 -m486 -Wall::::BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:",
+"Mingw32", "gcc:-DL_ENDIAN -fomit-frame-pointer -O3 -m486 -Wall::::BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}::::::::::win32",
+
+# CygWin32
+"CygWin32", "gcc:-DTERMIOS -DL_ENDIAN -fomit-frame-pointer -O3 -m486 -Wall::::BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}::::::::::win32",
 
 # Ultrix from Bernhard Simon <simon@zid.tuwien.ac.at>
 "ultrix-cc","cc:-std1 -O -Olimit 1000 -DL_ENDIAN::(unknown)::::::",
@@ -363,25 +418,30 @@ my %table=(
 ##"ultrix","cc:-O2 -DNOPROTO -DNOCONST -DL_ENDIAN::(unknown)::::::",
 
 # Some OpenBSD from Bob Beck <beck@obtuse.com>
-"OpenBSD-alpha","gcc:-DTERMIOS -O3 -fomit-frame-pointer::(unknown)::SIXTY_FOUR_BIT_LONG DES_INT DES_PTR DES_RISC2:::",
-"OpenBSD-x86",  "gcc:-DL_ENDIAN -DTERMIOS -O3 -fomit-frame-pointer -m486::(unknown)::BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_out_asm}",
-"OpenBSD",      "gcc:-DTERMIOS -O3 -fomit-frame-pointer::(unknown)::BN_LLONG RC2_CHAR RC4_INDEX DES_UNROLL:::",
-"OpenBSD-mips","gcc:-O2 -DL_ENDIAN::(unknown):BN_LLONG MD2_CHAR RC4_INDEX RC4_CHAR DES_UNROLL DES_RISC2 DES_PTR BF_PTR::::",
+"OpenBSD-alpha","gcc:-DTERMIOS -O3 -fomit-frame-pointer::(unknown)::SIXTY_FOUR_BIT_LONG DES_INT DES_PTR DES_RISC2::::::::::dlfcn:bsd-gcc-shared:-fPIC:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
+"OpenBSD-x86",  "gcc:-DL_ENDIAN -DTERMIOS -O3 -fomit-frame-pointer -m486::(unknown)::BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_out_asm}:dlfcn:bsd-gcc-shared:-fPIC:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
+"OpenBSD",      "gcc:-DTERMIOS -O3 -fomit-frame-pointer::(unknown)::BN_LLONG RC2_CHAR RC4_INDEX DES_UNROLL::::::::::dlfcn:bsd-gcc-shared:-fPIC:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
+"OpenBSD-mips","gcc:-O2 -DL_ENDIAN::(unknown):BN_LLONG MD2_CHAR RC4_INDEX RC4_CHAR DES_UNROLL DES_RISC2 DES_PTR BF_PTR:::::::::::dlfcn:bsd-gcc-shared:-fPIC:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
 
 ##### MacOS X (a.k.a. Rhapsody) setup
 "rhapsody-ppc-cc","cc:-O3 -DB_ENDIAN::(unknown)::BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR:::",
 
+##### Sony NEWS-OS 4.x
+"newsos4-gcc","gcc:-O -DB_ENDIAN -DNEWS4::(unknown):-lmld -liberty:BN_LLONG RC4_CHAR RC4_CHUNK DES_PTR DES_RISC1 DES_UNROLL BF_PTR::::",
+
 );
 
 my @WinTargets=qw(VC-NT VC-WIN32 VC-WIN16 VC-W31-16 VC-W31-32 VC-MSDOS BC-32
-	BC-16 CygWin32 Mingw32);
+	BC-16 Mingw32);
 
 my $prefix="";
 my $openssldir="";
 my $install_prefix="";
 my $no_threads=0;
+my $no_shared=1;
 my $threads=0;
 my $no_asm=0;
+my $no_dso=0;
 my @skip=();
 my $Makefile="Makefile.ssl";
 my $des_locl="crypto/des/des_locl.h";
@@ -403,24 +463,46 @@ my $md5_obj="";
 my $sha1_obj="";
 my $rmd160_obj="";
 my $processor="";
-my $ranlib;
+my $default_ranlib;
 my $perl;
 
-$ranlib=&which("ranlib") or $ranlib="true";
+$default_ranlib= &which("ranlib") or $default_ranlib="true";
 $perl=$ENV{'PERL'} or $perl=&which("perl5") or $perl=&which("perl")
   or $perl="perl";
 
 &usage if ($#ARGV < 0);
 
-my $flags="";
-my $depflags="";
-my $openssl_algorithm_defines="";
-my $openssl_thread_defines="";
-my $openssl_other_defines="";
-my $libs="";
-my $target="";
-my $options="";
-foreach (@ARGV)
+my $flags;
+my $depflags;
+my $openssl_algorithm_defines;
+my $openssl_thread_defines;
+my $openssl_other_defines;
+my $libs;
+my $target;
+my $options;
+my $symlink;
+
+my @argvcopy=@ARGV;
+my $argvstring="";
+my $argv_unprocessed=1;
+
+while($argv_unprocessed)
+	{
+	$flags="";
+	$depflags="";
+	$openssl_algorithm_defines="";
+	$openssl_thread_defines="";
+	$openssl_other_defines="";
+	$libs="";
+	$target="";
+	$options="";
+	$symlink=1;
+
+	$argv_unprocessed=0;
+	$argvstring=join(' ',@argvcopy);
+
+PROCESS_ARGS:
+	foreach (@argvcopy)
 		{
 		s /^-no-/no-/; # some people just can't read the instructions
 		if (/^no-asm$/)
@@ -429,10 +511,30 @@ foreach (@ARGV)
 			$flags .= "-DNO_ASM ";
 			$openssl_other_defines .= "#define NO_ASM\n";
 			}
+		elsif (/^no-hw-(.+)$/)
+			{
+			my $hw=$1;
+			$hw =~ tr/[a-z]/[A-Z]/;
+			$flags .= "-DNO_HW_$hw ";
+			$openssl_other_defines .= "#define NO_HW_$hw\n";
+			}
+		elsif (/^no-hw$/)
+			{
+			$flags .= "-DNO_HW ";
+			$openssl_other_defines .= "#define NO_HW\n";
+			}
+		elsif (/^no-dso$/)
+			{ $no_dso=1; }
 		elsif (/^no-threads$/)
 			{ $no_threads=1; }
 		elsif (/^threads$/)
 			{ $threads=1; }
+		elsif (/^no-shared$/)
+			{ $no_shared=1; }
+		elsif (/^shared$/)
+			{ $no_shared=0; }
+		elsif (/^no-symlinks$/)
+			{ $symlink=0; }
 		elsif (/^no-(.+)$/)
 			{
 			my $algo=$1;
@@ -450,6 +552,29 @@ foreach (@ARGV)
 				$openssl_algorithm_defines .= "#define NO_MDC2\n";
 				}
 			}
+		elsif (/^reconfigure/ || /^reconf/)
+			{
+			if (open(IN,"<$Makefile"))
+				{
+				while (<IN>)
+					{
+					chop;
+					if (/^CONFIGURE_ARGS=(.*)/)
+						{
+						$argvstring=$1;
+						@argvcopy=split(' ',$argvstring);
+						die "Incorrect data to reconfigure, please do a normal configuration\n"
+							if (grep(/^reconf/,@argvcopy));
+						print "Reconfiguring with: $argvstring\n";
+						$argv_unprocessed=1;
+						close(IN);
+						last PROCESS_ARGS;
+						}
+					}
+				close(IN);
+				}
+			die "Insufficient data to reconfigure, please do a normal configuration\n";
+			}
 		elsif (/^386$/)
 			{ $processor=386; }
 		elsif (/^rsaref$/)
@@ -503,6 +628,7 @@ foreach (@ARGV)
 				$options .= " ".$_;
 			}
 		}
+	}
 }
 
 if ($target eq "TABLE") {
@@ -520,6 +646,8 @@ if ($target eq "LIST") {
 	exit 0;
 }
 
+print "Configuring for $target\n";
+
 &usage if (!defined($table{$target}));
 
 my $IsWindows=scalar grep /^$target$/,@WinTargets;
@@ -537,10 +665,39 @@ $openssldir=$prefix . "/" . $openssldir if $openssldir !~ /^\//;
 print "IsWindows=$IsWindows\n";
 
 (my $cc,my $cflags,my $unistd,my $thread_cflag,my $lflags,my $bn_ops,my $bn_obj,my $des_obj,my $bf_obj,
- $md5_obj,$sha1_obj,my $cast_obj,my $rc4_obj,$rmd160_obj,my $rc5_obj)=
-	split(/\s*:\s*/,$table{$target} . ":" x 20 , -1);
+ $md5_obj,$sha1_obj,my $cast_obj,my $rc4_obj,$rmd160_obj,my $rc5_obj,my $dso_scheme,my $shared_target,my $shared_cflag,my $shared_extension,my $ranlib)=
+	split(/\s*:\s*/,$table{$target} . ":" x 30 , -1);
 $cflags="$flags$cflags" if ($flags ne "");
 
+# The DSO code currently always implements all functions so that no
+# applications will have to worry about that from a compilation point
+# of view. However, the "method"s may return zero unless that platform
+# has support compiled in for them. Currently each method is enabled
+# by a define "DSO_<name>" ... we translate the "dso_scheme" config
+# string entry into using the following logic;
+my $dso_cflags;
+if (!$no_dso && $dso_scheme ne "")
+	{
+	$dso_scheme =~ tr/[a-z]/[A-Z]/;
+	if ($dso_scheme eq "DLFCN")
+		{
+		$dso_cflags = "-DDSO_DLFCN -DHAVE_DLFCN_H";
+		$openssl_other_defines .= "#define DSO_DLFCN\n";
+		$openssl_other_defines .= "#define HAVE_DLFCN_H\n";
+		}
+	elsif ($dso_scheme eq "DLFCN_NO_H")
+		{
+		$dso_cflags = "-DDSO_DLFCN";
+		$openssl_other_defines .= "#define DSO_DLFCN\n";
+		}
+	else
+		{
+		$dso_cflags = "-DDSO_$dso_scheme";
+		$openssl_other_defines .= "#define DSO_$dso_scheme\n";
+		}
+	$cflags = "$dso_cflags $cflags";
+	}
+
 my $thread_cflags;
 my $thread_defines;
 if ($thread_cflag ne "(unknown)" && !$no_threads)
@@ -583,6 +740,29 @@ if ($threads)
 		$openssl_thread_defines .= $thread_defines;
 	}
 
+# You will find shlib_mark1 and shlib_mark2 explained in Makefile.org
+my $shared_mark = "";
+if ($shared_target ne "")
+	{
+	if ($shared_cflag ne "")
+		{
+		$cflags = "$shared_cflag $cflags";
+		}
+	if (!$no_shared)
+		{
+		#$shared_mark = "\$(SHARED_LIBS)";
+		}
+	}
+else
+	{
+	$no_shared = 1;
+	}
+
+if ($ranlib eq "")
+	{
+	$ranlib = $default_ranlib;
+	}
+
 #my ($bn1)=split(/\s+/,$bn_obj);
 #$bn1 = "" unless defined $bn1;
 #$bn1=$bn_asm unless ($bn1 =~ /\.o$/);
@@ -614,13 +794,20 @@ if ($rmd160_obj =~ /\.o$/)
 my $version = "unknown";
 my $major = "unknown";
 my $minor = "unknown";
+my $shlib_version_number = "unknown";
+my $shlib_version_history = "unknown";
+my $shlib_major = "unknown";
+my $shlib_minor = "unknown";
 
 open(IN,'<crypto/opensslv.h') || die "unable to read opensslv.h:$!\n";
 while (<IN>)
 	{
 	$version=$1 if /OPENSSL.VERSION.TEXT.*OpenSSL (\S+) /;
+	$shlib_version_number=$1 if /SHLIB_VERSION_NUMBER *"([^"]+)"/;
+	$shlib_version_history=$1 if /SHLIB_VERSION_HISTORY *"([^"]*)"/;
 	}
 close(IN);
+if ($shlib_version_history ne "") { $shlib_version_history .= ":"; }
 
 if ($version =~ /(^[0-9]*)\.([0-9\.]*)/)
 	{
@@ -628,6 +815,12 @@ if ($version =~ /(^[0-9]*)\.([0-9\.]*)/)
 	$minor=$2;
 	}
 
+if ($shlib_version_number =~ /(^[0-9]*)\.([0-9\.]*)/)
+	{
+	$shlib_major=$1;
+	$shlib_minor=$2;
+	}
+
 open(IN,'<Makefile.org') || die "unable to read Makefile.org:$!\n";
 open(OUT,">$Makefile") || die "unable to create $Makefile:$!\n";
 print OUT "### Generated automatically from Makefile.org by Configure.\n\n";
@@ -646,11 +839,17 @@ while (<IN>)
 	s/^VERSION=.*/VERSION=$version/;
 	s/^MAJOR=.*/MAJOR=$major/;
 	s/^MINOR=.*/MINOR=$minor/;
+	s/^SHLIB_VERSION_NUMBER=.*/SHLIB_VERSION_NUMBER=$shlib_version_number/;
+	s/^SHLIB_VERSION_HISTORY=.*/SHLIB_VERSION_HISTORY=$shlib_version_history/;
+	s/^SHLIB_MAJOR=.*/SHLIB_MAJOR=$shlib_major/;
+	s/^SHLIB_MINOR=.*/SHLIB_MINOR=$shlib_minor/;
+	s/^SHLIB_EXT=.*/SHLIB_EXT=$shared_extension/;
 	s/^INSTALLTOP=.*$/INSTALLTOP=$prefix/;
 	s/^OPENSSLDIR=.*$/OPENSSLDIR=$openssldir/;
 	s/^INSTALL_PREFIX=.*$/INSTALL_PREFIX=$install_prefix/;
 	s/^PLATFORM=.*$/PLATFORM=$target/;
 	s/^OPTIONS=.*$/OPTIONS=$options/;
+	s/^CONFIGURE_ARGS=.*$/CONFIGURE_ARGS=$argvstring/;
 	s/^CC=.*$/CC= $cc/;
 	s/^CFLAG=.*$/CFLAG= $cflags/;
 	s/^DEPFLAG=.*$/DEPFLAG= $depflags/;
@@ -667,6 +866,10 @@ while (<IN>)
 	s/^PROCESSOR=.*/PROCESSOR= $processor/;
 	s/^RANLIB=.*/RANLIB= $ranlib/;
 	s/^PERL=.*/PERL= $perl/;
+	s/^SHLIB_TARGET=.*/SHLIB_TARGET=$shared_target/;
+	s/^SHLIB_MARK=.*/SHLIB_MARK=$shared_mark/;
+	s/^SHARED_LIBS=.*/SHARED_LIBS=\$(SHARED_CRYPTO) \$(SHARED_SSL)/ if (!$no_shared);
+	s/^SHARED_LIBS_LINK_EXTS=.*/SHARED_LIBS_LINK_EXTS=.so.\$(SHLIB_MAJOR) .so/ if ($shared_extension ne "" && $shared_extension !~ /^\.s[ol]$/);
 	print OUT $_."\n";
 	}
 close(IN);
@@ -849,16 +1052,18 @@ if($IsWindows) {
 EOF
 	close(OUT);
 } else {
-	(system "make -f Makefile.ssl PERL=\'$perl\' links") == 0 or exit $?;
+	(system "make -f Makefile.ssl PERL=\'$perl\' links") == 0 or exit $?
+		if $symlink;
 	### (system 'make depend') == 0 or exit $? if $depflags ne "";
 	# Run "make depend" manually if you want to be able to delete
 	# the source code files of ciphers you left out.
-	&dofile("tools/c_rehash",$openssldir,'^DIR=',	'DIR=%s',);
 	if ( $perl =~ m@^/@) {
+	    &dofile("tools/c_rehash",$perl,'^#!/', '#!%s','^my \$dir;$', 'my $dir = "' . $openssldir . '";');
 	    &dofile("apps/der_chop",$perl,'^#!/', '#!%s');
 	    &dofile("apps/CA.pl",$perl,'^#!/', '#!%s');
 	} else {
 	    # No path for Perl known ...
+	    &dofile("tools/c_rehash",'/usr/local/bin/perl','^#!/', '#!%s','^my \$dir;$', 'my $dir = "' . $openssldir . '";');
 	    &dofile("apps/der_chop",'/usr/local/bin/perl','^#!/', '#!%s');
 	    &dofile("apps/CA.pl",'/usr/local/bin/perl','^#!/', '#!%s');
 	}	    
@@ -950,8 +1155,10 @@ sub print_table_entry
 
 	(my $cc,my $cflags,my $unistd,my $thread_cflag,my $lflags,my $bn_ops,
 	my $bn_obj,my $des_obj,my $bf_obj,
-	$md5_obj,$sha1_obj,my $cast_obj,my $rc4_obj,$rmd160_obj,my $rc5_obj)=
-	split(/\s*:\s*/,$table{$target} . ":" x 20 , -1);
+	my $md5_obj,my $sha1_obj,my $cast_obj,my $rc4_obj,my $rmd160_obj,
+	my $rc5_obj,my $dso_scheme,my $shared_target,my $shared_cflag,
+	my $shared_extension,my $ranlib)=
+	split(/\s*:\s*/,$table{$target} . ":" x 30 , -1);
 			
 	print <<EOF
 
@@ -971,5 +1178,10 @@ sub print_table_entry
 \$rc4_obj      = $rc4_obj
 \$rmd160_obj   = $rmd160_obj
 \$rc5_obj      = $rc5_obj
+\$dso_scheme   = $dso_scheme
+\$shared_target= $shared_target
+\$shared_cflag = $shared_cflag
+\$shared_extension = $shared_extension
+\$ranlib       = $ranlib
 EOF
 	}

FAQ

@@ -9,13 +9,30 @@ OpenSSL  -  Frequently Asked Questions
 * Why do I get a "PRNG not seeded" error message?
 * Why does the linker complain about undefined symbols?
 * Where can I get a compiled version of OpenSSL?
+* I've compiled a program under Windows and it crashes: why?
+* How do I read or write a DER encoded buffer using the ASN1 functions?
+* I've tried using <M_some_evil_pkcs12_macro> and I get errors why?
+* I've called <some function> and it fails, why?
+* I just get a load of numbers for the error output, what do they mean?
+* Why do I get errors about unknown algorithms?
+* How do I create certificates or certificate requests?
+* Why can't I create certificate requests?
+* Why does <SSL program> fail with a certificate verify error?
+* Why can I only use weak ciphers when I connect to a server using OpenSSL?
+* How can I create DSA certificates?
+* Why can't I make an SSL connection using a DSA certificate?
+* How can I remove the passphrase on a private key?
 * Why can't the OpenSSH configure script detect OpenSSL?
+* Why does the OpenSSL test fail with "bc: command not found"?
+* Why does the OpenSSL test fail with "bc: 1 no implemented"?
+* Why does the OpenSSL compilation fail on Alpha True64 Unix?
+* Why does the OpenSSL compilation fail with "ar: command not found"?
 
 
 * Which is the current version of OpenSSL?
 
 The current version is available from <URL: http://www.openssl.org>.
-OpenSSL 0.9.5 was released on February 28th, 2000.
+OpenSSL 0.9.6 was released on September 24th, 2000.
 
 In addition to the current stable release, you can also access daily
 snapshots of the OpenSSL development version at <URL:
@@ -71,12 +88,6 @@ offer legal advice.
 You can configure OpenSSL so as not to use RC5 and IDEA by using
  ./config no-rc5 no-idea
 
-Until the RSA patent expires, U.S. users may want to use
- ./config no-rc5 no-idea no-rsa
-
-Please note that you will *not* be able to communicate with most of
-the popular web browsers without RSA support.
-
 
 * Is OpenSSL thread-safe?
 
@@ -103,17 +114,28 @@ OpenSSL functions that need randomness report an error if the random
 number generator has not been seeded with at least 128 bits of
 randomness.  If this error occurs, please contact the author of the
 application you are using.  It is likely that it never worked
-correctly.  OpenSSL 0.9.5 makes the error visible by refusing to
-perform potentially insecure encryption.
+correctly.  OpenSSL 0.9.5 and later make the error visible by refusing
+to perform potentially insecure encryption.
+
+On systems without /dev/urandom, it is a good idea to use the Entropy
+Gathering Demon; see the RAND_egd() manpage for details.
 
 Most components of the openssl command line tool try to use the
 file $HOME/.rnd (or $RANDFILE, if this environment variable is set)
 for seeding the PRNG.  If this file does not exist or is too short,
 the "PRNG not seeded" error message may occur.
-Note that the command "openssl rsa" in OpenSSL 0.9.5 does not do this
-and will fail on systems without /dev/urandom when trying to
-password-encrypt an RSA key!  This is a bug in the library;
-try a later snaphost instead.
+
+[Note to OpenSSL 0.9.5 users: The command "openssl rsa" in version
+0.9.5 does not do this and will fail on systems without /dev/urandom
+when trying to password-encrypt an RSA key!  This is a bug in the
+library; try a later version instead.]
+
+For Solaris 2.6, Tim Nibbe <tnibbe@sprint.net> and others have suggested
+installing the SUNski package from Sun patch 105710-01 (Sparc) which
+adds a /dev/random device and make sure it gets used, usually through
+$RANDFILE.  There are probably similar patches for the other Solaris
+versions.  However, be warned that /dev/random is usually a blocking
+device, which may have some effects on OpenSSL.
 
 
 * Why does the linker complain about undefined symbols?
@@ -153,6 +175,152 @@ on how to obtain and install the free GNU C compiler.
 A number of Linux and *BSD distributions include OpenSSL.
 
 
+* I've compiled a program under Windows and it crashes: why?
+
+This is usually because you've missed the comment in INSTALL.W32. You
+must link with the multithreaded DLL version of the VC++ runtime library
+otherwise the conflict will cause a program to crash: typically on the
+first BIO related read or write operation.
+
+
+* How do I read or write a DER encoded buffer using the ASN1 functions?
+
+You have two options. You can either use a memory BIO in conjunction
+with the i2d_XXX_bio() or d2i_XXX_bio() functions or you can use the
+i2d_XXX(), d2i_XXX() functions directly. Since these are often the
+cause of grief here are some code fragments using PKCS7 as an example:
+
+unsigned char *buf, *p;
+int len;
+
+len = i2d_PKCS7(p7, NULL);
+buf = OPENSSL_malloc(len); /* or Malloc, error checking omitted */
+p = buf;
+i2d_PKCS7(p7, &p);
+
+At this point buf contains the len bytes of the DER encoding of
+p7.
+
+The opposite assumes we already have len bytes in buf:
+
+unsigned char *p;
+p = buf;
+p7 = d2i_PKCS7(NULL, &p, len);
+
+At this point p7 contains a valid PKCS7 structure of NULL if an error
+occurred. If an error occurred ERR_print_errors(bio) should give more
+information.
+
+The reason for the temporary variable 'p' is that the ASN1 functions
+increment the passed pointer so it is ready to read or write the next
+structure. This is often a cause of problems: without the temporary
+variable the buffer pointer is changed to point just after the data
+that has been read or written. This may well be uninitialized data
+and attempts to free the buffer will have unpredictable results
+because it no longer points to the same address.
+
+
+* I've tried using <M_some_evil_pkcs12_macro> and I get errors why?
+
+This usually happens when you try compiling something using the PKCS#12
+macros with a C++ compiler. There is hardly ever any need to use the
+PKCS#12 macros in a program, it is much easier to parse and create
+PKCS#12 files using the PKCS12_parse() and PKCS12_create() functions
+documented in doc/openssl.txt and with examples in demos/pkcs12. The
+'pkcs12' application has to use the macros because it prints out 
+debugging information.
+
+
+* I've called <some function> and it fails, why?
+
+Before submitting a report or asking in one of the mailing lists, you
+should try to determine the cause. In particular, you should call
+ERR_print_errors() or ERR_print_errors_fp() after the failed call
+and see if the message helps. Note that the problem may occur earlier
+than you think -- you should check for errors after every call where
+it is possible, otherwise the actual problem may be hidden because
+some OpenSSL functions clear the error state.
+
+
+* I just get a load of numbers for the error output, what do they mean?
+
+The actual format is described in the ERR_print_errors() manual page.
+You should call the function ERR_load_crypto_strings() before hand and
+the message will be output in text form. If you can't do this (for example
+it is a pre-compiled binary) you can use the errstr utility on the error
+code itself (the hex digits after the second colon).
+
+
+* Why do I get errors about unknown algorithms?
+
+This can happen under several circumstances such as reading in an
+encrypted private key or attempting to decrypt a PKCS#12 file. The cause
+is forgetting to load OpenSSL's table of algorithms with
+OpenSSL_add_all_algorithms(). See the manual page for more information.
+
+
+* How do I create certificates or certificate requests?
+
+Check out the CA.pl(1) manual page. This provides a simple wrapper round
+the 'req', 'verify', 'ca' and 'pkcs12' utilities. For finer control check
+out the manual pages for the individual utilities and the certificate
+extensions documentation (currently in doc/openssl.txt).
+
+
+* Why can't I create certificate requests?
+
+You typically get the error:
+
+	unable to find 'distinguished_name' in config
+	problems making Certificate Request
+
+This is because it can't find the configuration file. Check out the
+DIAGNOSTICS section of req(1) for more information.
+
+
+* Why does <SSL program> fail with a certificate verify error?
+
+This problem is usually indicated by log messages saying something like
+"unable to get local issuer certificate" or "self signed certificate".
+When a certificate is verified its root CA must be "trusted" by OpenSSL
+this typically means that the CA certificate must be placed in a directory
+or file and the relevant program configured to read it. The OpenSSL program
+'verify' behaves in a similar way and issues similar error messages: check
+the verify(1) program manual page for more information.
+
+
+* Why can I only use weak ciphers when I connect to a server using OpenSSL?
+
+This is almost certainly because you are using an old "export grade" browser
+which only supports weak encryption. Upgrade your browser to support 128 bit
+ciphers.
+
+
+* How can I create DSA certificates?
+
+Check the CA.pl(1) manual page for a DSA certificate example.
+
+
+* Why can't I make an SSL connection to a server using a DSA certificate?
+
+Typically you'll see a message saying there are no shared ciphers when
+the same setup works fine with an RSA certificate. There are two possible
+causes. The client may not support connections to DSA servers most web
+browsers (including Netscape and MSIE) only support connections to servers
+supporting RSA cipher suites. The other cause is that a set of DH parameters
+has not been supplied to the server. DH parameters can be created with the
+dhparam(1) command and loaded using the SSL_CTX_set_tmp_dh() for example:
+check the source to s_server in apps/s_server.c for an example.
+
+
+* How can I remove the passphrase on a private key?
+
+Firstly you should be really *really* sure you want to do this. Leaving
+a private key unencrypted is a major security risk. If you decide that
+you do have to do this check the EXAMPLES sections of the rsa(1) and
+dsa(1) manual pages.
+
+
 * Why can't the OpenSSH configure script detect OpenSSL?
 
 There is a problem with OpenSSH 1.2.2p1, in that the configure script
@@ -160,6 +328,7 @@ can't find the installed OpenSSL libraries.  The problem is actually
 a small glitch that is easily solved with the following patch to be
 applied to the OpenSSH distribution:
 
+----- snip:start -----
 --- openssh-1.2.2p1/configure.in.orig	Thu Mar 23 18:56:58 2000
 +++ openssh-1.2.2p1/configure.in	Thu Mar 23 18:55:05 2000
 @@ -152,10 +152,10 @@
@@ -190,4 +359,74 @@ applied to the OpenSSH distribution:
  		fi
  	fi
  	LIBS="$LIBS -lcrypto"
+----- snip:end -----
+
+
+* Why does the OpenSSL test fail with "bc: command not found"?
+
+You didn't install "bc", the Unix calculator.  If you want to run the
+tests, get GNU bc from ftp://ftp.gnu.org or from your OS distributor.
+
+
+* Why does the OpenSSL test fail with "bc: 1 no implemented"?
+
+On some SCO installations or versions, bc has a bug that gets triggered when
+you run the test suite (using "make test").  The message returned is "bc:
+1 not implemented".  The best way to deal with this is to find another
+implementation of bc and compile/install it.  For example, GNU bc (see
+http://www.gnu.org/software/software.html for download instructions) can
+be safely used.
+
+
+* Why does the OpenSSL compilation fail on Alpha True64 Unix?
+
+On some Alpha installations running True64 Unix and Compaq C, the compilation
+of crypto/sha/sha_dgst.c fails with the message 'Fatal:  Insufficient virtual
+memory to continue compilation.'  As far as the tests have shown, this may be
+a compiler bug.  What happens is that it eats up a lot of resident memory
+to build something, probably a table.  The problem is clearly in the
+optimization code, because if one eliminates optimization completely (-O0),
+the compilation goes through (and the compiler consumes about 2MB of resident
+memory instead of 240MB or whatever one's limit is currently).
+
+There are three options to solve this problem:
+
+1. set your current data segment size soft limit higher.  Experience shows
+that about 241000 kbytes seems to be enough on an AlphaServer DS10.  You do
+this with the command 'ulimit -Sd nnnnnn', where 'nnnnnn' is the number of
+kbytes to set the limit to.
+
+2. If you have a hard limit that is lower than what you need and you can't
+get it changed, you can compile all of OpenSSL with -O0 as optimization
+level.  This is however not a very nice thing to do for those who expect to
+get the best result from OpenSSL.  A bit more complicated solution is the
+following:
+
+----- snip:start -----
+  make DIRS=crypto SDIRS=sha "`grep '^CFLAG=' Makefile.ssl | \
+       sed -e 's/ -O[0-9] / -O0 /'`"
+  rm `ls crypto/*.o crypto/sha/*.o | grep -v 'sha_dgst\.o'`
+  make
+----- snip:end -----
+
+This will only compile sha_dgst.c with -O0, the rest with the optimization
+level chosen by the configuration process.  When the above is done, do the
+test and installation and you're set.
+
+
+* Why does the OpenSSL compilation fail with "ar: command not found"?
+
+Getting this message is quite usual on Solaris 2, because Sun has hidden
+away 'ar' and other development commands in directories that aren't in
+$PATH by default.  One of those directories is '/usr/ccs/bin'.  The
+quickest way to fix this is to do the following (it assumes you use sh
+or any sh-compatible shell):
+
+----- snip:start -----
+  PATH=${PATH}:/usr/ccs/bin; export PATH
+----- snip:end -----
+
+and then redo the compilation.  What you should really do is make sure
+'/usr/ccs/bin' is permanently in your $PATH, for example through your
+'.profile' (again, assuming you use a sh-compatible shell).
 

INSTALL

@@ -33,7 +33,8 @@
  Configuration Options
  ---------------------
 
- There are several options to ./config to customize the build:
+ There are several options to ./config (or ./Configure) to customize
+ the build:
 
   --prefix=DIR  Install in DIR/bin, DIR/lib, DIR/include/openssl.
 	        Configuration files used by OpenSSL will be in DIR/ssl
@@ -52,6 +53,15 @@
                 This will usually require additional system-dependent options!
                 See "Note on multi-threading" below.
 
+  no-shared     Don't try to create shared libraries.
+
+  shared        In addition to the usual static libraries, create shared
+                libraries on platforms where it's supported.  See "Note on
+                shared libraries" below.  THIS IS NOT RECOMMENDED!  Since
+                this is a development branch, the positions of the ENGINE
+                symbols in the transfer vector are constantly moving, so
+                binary backward compatibility can't be guaranteed in any way.
+
   no-asm        Do not use assembler code.
 
   386           Use the 80386 instruction set only (the default x86 code is
@@ -117,9 +127,12 @@
      OpenSSL binary ("openssl"). The libraries will be built in the top-level
      directory, and the binary will be in the "apps" directory.
 
-     If "make" fails, please report the problem to <openssl-bugs@openssl.org>
-     (note that your message will be forwarded to a public mailing list).
-     Include the output of "make report" in your message.
+     If "make" fails, look at the output.  There may be reasons for
+     the failure that isn't a problem in OpenSSL itself (like missing
+     standard headers).  If it is a problem with OpenSSL itself, please
+     report the problem to <openssl-bugs@openssl.org> (note that your
+     message will be forwarded to a public mailing list).  Include the
+     output of "make report" in your message.
 
      [If you encounter assembler error messages, try the "no-asm"
      configuration option as an immediate fix.]
@@ -131,10 +144,13 @@
 
        $ make test
 
-    If a test fails, try removing any compiler optimization flags from
-    the CFLAGS line in Makefile.ssl and run "make clean; make". Please
-    send a bug report to <openssl-bugs@openssl.org>, including the
-    output of "make report".
+     If a test fails, look at the output.  There may be reasons for
+     the failure that isn't a problem in OpenSSL itself (like a missing
+     or malfunctioning bc).  If it is a problem with OpenSSL itself,
+     try removing any compiler optimization flags from the CFLAGS line
+     in Makefile.ssl and run "make clean; make". Please send a bug
+     report to <openssl-bugs@openssl.org>, including the output of
+     "make report".
 
   4. If everything tests ok, install OpenSSL with
 
@@ -252,3 +268,14 @@
  you can still use "no-threads" to suppress an annoying warning message
  from the Configure script.)
 
+
+ Note on shared libraries
+ ------------------------
+
+ For some systems, the OpenSSL Configure script knows what is needed to
+ build shared libraries for libcrypto and libssl.  On these systems,
+ the shared libraries are currently not created by default, but giving
+ the option "shared" will get them created.  This method supports Makefile
+ targets for shared library creation, like linux-shared.  Those targets
+ can currently be used on their own just as well, but this is expected
+ to change in future versions of OpenSSL.

INSTALL.VMS

@@ -82,12 +82,17 @@ directory.  The syntax is trhe following:
       RSAREF    compile using the RSAREF Library
       NORSAREF  compile without using RSAREF
 
-Note 1: The RSAREF libraries are NOT INCLUDED and you have to
-        download it from "ftp://ftp.rsa.com/rsaref".  You have to
-        get the ".tar-Z" file as the ".zip" file doesn't have the
-        directory structure stored.  You have to extract the file
-        into the [.RSAREF] directory as that is where the scripts
-        will look for the files.
+Note 0: The RASREF library IS NO LONGER NEEDED.  The RSA patent
+        expires September 20, 2000, and RSA Security chose to make
+        the algorithm public domain two weeks before that.
+
+Note 1: If you still want to use RSAREF, the library is NOT INCLUDED
+        and you have to download it.  RSA Security doesn't carry it
+        any more, but there are a number of places where you can find
+        it.  You have to get the ".tar-Z" file as the ".zip" file
+        doesn't have the directory structure stored.  You have to
+        extract the file into the [.RSAREF] directory as that is where
+        the scripts will look for the files.
 
 Note 2: I have never done this, so I've no idea if it works or not.
 
@@ -129,7 +134,7 @@ Currently, the logical names supported are:
                         used.  This is good to try if something doesn't work.
       OPENSSL_NO_'alg'  with value YES, the corresponding crypto algorithm
                         will not be implemented.  Supported algorithms to
-                        do this with are: RSA, DSA, DH, MD2, MD5, RIPEMD,
+                        do this with are: RSA, DSA, DH, MD2, MD4, MD5, RIPEMD,
                         SHA, DES, MDC2, CR2, RC4, RC5, IDEA, BF, CAST, HMAC,
                         SSL2.  So, for example, having the logical name
                         OPENSSL_NO_RSA with the value YES means that the

INSTALL.W32

@@ -108,8 +108,8 @@
 
  * Compiler installation:
 
-   Mingw32 is available from <ftp://ftp.xraylith.wisc.edu/pub/khan/gnu-win32/
-   mingw32/egcs-1.1.2/egcs-1.1.2-mingw32.zip>. GNU make is at
+   Mingw32 is available from <ftp://ftp.xraylith.wisc.edu/pub/khan/
+   gnu-win32/mingw32/gcc-2.95.2/gcc-2.95.2-msvcrt.exe>. GNU make is at
    <ftp://agnes.dida.physik.uni-essen.de/home/janjaap/mingw32/binaries/
    make-3.76.1.zip>. Install both of them in C:\egcs-1.1.2 and run
    C:\egcs-1.1.2\mingw32.bat to set the PATH.
@@ -134,6 +134,81 @@
    > cd out
    > ..\ms\test
 
+ GNU C (CygWin32)
+ ---------------
+
+ CygWin32 provides a bash shell and GNU tools environment running on
+ NT 4.0, Windows 9x and Windows 2000. Consequently, a make of OpenSSL
+ with CygWin is closer to a GNU bash environment such as Linux rather
+ than other W32 makes that are based on a single makefile approach.
+ CygWin32 implements Posix/Unix calls through cygwin1.dll, and is
+ contrasted to Mingw32 which links dynamically to msvcrt.dll or
+ crtdll.dll.
+
+ To build OpenSSL using CygWin32:
+
+ * Install CygWin32 (see http://sourceware.cygnus.com/cygwin)
+
+ * Install Perl and ensure it is in the path
+
+ * Run the CygWin bash shell
+
+ * $ tar zxvf openssl-x.x.x.tar.gz
+   $ cd openssl-x.x.x
+   $ ./Configure no-threads CygWin32
+   [...]
+   $ make
+   [...]
+   $ make test
+   $ make install
+
+ This will create a default install in /usr/local/ssl.
+
+ CygWin32 Notes:
+
+ "make test" and normal file operations may fail in directories
+ mounted as text (i.e. mount -t c:\somewhere /home) due to CygWin
+ stripping of carriage returns. To avoid this ensure that a binary
+ mount is used, e.g. mount -b c:\somewhere /home.
+
+ As of version 1.1.1 CygWin32 is relatively unstable in its handling
+ of cr/lf issues. These make procedures succeeded with versions 1.1 and
+ the snapshot 20000524 (Slow!).
+
+ "bc" is not provided in the CygWin32 distribution.  This causes a
+ non-fatal error in "make test" but is otherwise harmless.  If
+ desired, GNU bc can be built with CygWin32 without change.
+
+
+ Installation
+ ------------
+
+ There's currently no real installation procedure for Win32.  There are,
+ however, some suggestions:
+
+    - do nothing.  The include files are found in the inc32/ subdirectory,
+      all binaries are found in out32dll/ or out32/ depending if you built
+      dynamic or static libraries.
+
+    - do as is written in INSTALL.Win32 that comes with modssl:
+
+	$ md c:\openssl 
+	$ md c:\openssl\bin
+	$ md c:\openssl\lib
+	$ md c:\openssl\include
+	$ md c:\openssl\include\openssl
+	$ copy /b inc32\*               c:\openssl\include\openssl
+	$ copy /b out32dll\ssleay32.lib c:\openssl\lib
+	$ copy /b out32dll\libeay32.lib c:\openssl\lib
+	$ copy /b out32dll\ssleay32.dll c:\openssl\bin
+	$ copy /b out32dll\libeay32.dll c:\openssl\bin
+	$ copy /b out32dll\openssl.exe  c:\openssl\bin
+
+      Of course, you can choose another device than c:.  C: is used here
+      because that's usually the first (and often only) harddisk device.
+      Note: in the modssl INSTALL.Win32, p: is used rather than c:.
+
+
  Troubleshooting
  ---------------
 

LICENSE

@@ -12,7 +12,7 @@
   ---------------
 
 /* ====================================================================
- * Copyright (c) 1998-2000 The OpenSSL Project.  All rights reserved.
+ * Copyright (c) 1998-2001 The OpenSSL Project.  All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions

Makefile.org

@@ -5,8 +5,16 @@
 VERSION=
 MAJOR=
 MINOR=
+SHLIB_VERSION_NUMBER=
+SHLIB_VERSION_HISTORY=
+SHLIB_MAJOR=
+SHLIB_MINOR=
+SHLIB_EXT=
 PLATFORM=dist
 OPTIONS=
+CONFIGURE_ARGS=
+SHLIB_TARGET=
+
 # INSTALL_PREFIX is for package builders so that they can configure
 # for, say, /usr/ and yet have everything installed to /tmp/somedir/usr/.
 # Normally it is left empty.
@@ -55,7 +63,7 @@ AR=ar r
 RANLIB= ranlib
 PERL= perl
 TAR= tar
-TARFLAGS= --norecurse
+TARFLAGS= --no-recursion
 
 # Set BN_ASM to bn_asm.o if you want to use the C version
 BN_ASM= bn_asm.o
@@ -142,14 +150,18 @@ RMD160_ASM_OBJ= asm/rm86-out.o
 #RMD160_ASM_OBJ= asm/rm86-out.o       # a.out, FreeBSD
 #RMD160_ASM_OBJ= asm/rm86bsdi.o       # bsdi
 
-DIRS=   crypto ssl rsaref apps test tools
+# When we're prepared to use shared libraries in the programs we link here
+# we might set SHLIB_MARK to '$(SHARED_LIBS)'.
+SHLIB_MARK=
+
+DIRS=   crypto ssl rsaref $(SHLIB_MARK) apps test tools
 SHLIBDIRS= crypto ssl
 
 # dirs in crypto to build
 SDIRS=  \
-	md2 md5 sha mdc2 hmac ripemd \
+	md2 md4 md5 sha mdc2 hmac ripemd \
 	des rc2 rc4 rc5 idea bf cast \
-	bn rsa dsa dh \
+	bn rsa dsa dh dso engine \
 	buffer bio stack lhash rand err objects \
 	evp asn1 pem x509 x509v3 conf txt_db pkcs7 pkcs12 comp
 
@@ -166,6 +178,10 @@ ONEDIRS=out tmp
 EDIRS=  times doc bugs util include certs ms shlib mt demos perl sf dep VMS
 WDIRS=  windows
 LIBS=   libcrypto.a libssl.a
+SHARED_CRYPTO=libcrypto$(SHLIB_EXT)
+SHARED_SSL=libssl$(SHLIB_EXT)
+SHARED_LIBS=
+SHARED_LIBS_LINK_EXTS=
 
 GENERAL=        Makefile
 BASENAME=       openssl
@@ -175,38 +191,92 @@ WTARFILE=       $(NAME)-win.tar
 EXHEADER=       e_os.h e_os2.h
 HEADER=         e_os.h
 
-all: Makefile.ssl
-	@for i in $(DIRS) ;\
-	do \
-	(cd $$i && echo "making all in $$i..." && \
-	$(MAKE) CC='${CC}' PLATFORM='${PLATFORM}' CFLAG='${CFLAG}' INSTALLTOP='${INSTALLTOP}' PEX_LIBS='${PEX_LIBS}' EX_LIBS='${EX_LIBS}' BN_ASM='${BN_ASM}' DES_ENC='${DES_ENC}' BF_ENC='${BF_ENC}' CAST_ENC='${CAST_ENC}' RC4_ENC='${RC4_ENC}' RC5_ENC='${RC5_ENC}' SHA1_ASM_OBJ='${SHA1_ASM_OBJ}' MD5_ASM_OBJ='${MD5_ASM_OBJ}' RMD160_ASM_OBJ='${RMD160_ASM_OBJ}' SDIRS='${SDIRS}' AR='${AR}' PROCESSOR='${PROCESSOR}' PERL='${PERL}' RANLIB='${RANLIB}' all ) || exit 1; \
-	done
-	-@# cd crypto; $(MAKE) CC='${CC}' PLATFORM='${PLATFORM}' CFLAG='${CFLAG}' INSTALLTOP='${INSTALLTOP}' PEX_LIBS='${PEX_LIBS}' EX_LIBS='${EX_LIBS}' BN_ASM='${BN_ASM}' DES_ENC='${DES_ENC}' BF_ENC='${BF_ENC}' CAST_ENC='${CAST_ENC}' RC4_ENC='${RC4_ENC}' RC5_ENC='${RC5_ENC}' SHA1_ASM_OBJ='${SHA1_ASM_OBJ}' MD5_ASM_OBJ='${MD5_ASM_OBJ}' RMD160_ASM_OBJ='${RMD160_ASM_OBJ}' SDIRS='${SDIRS}' AR='${AR}' PROCESSOR='${PROCESSOR}' PERL='${PERL}' RANLIB='${RANLIB}' testapps
-	-@# cd perl; $(PERL) Makefile.PL; make
+# When we're prepared to use shared libraries in the programs we link here
+# we might remove 'clean-shared' from the targets to perform at this stage
+
+all: clean-shared Makefile.ssl sub_all
 
 sub_all:
-	@for i in $(DIRS) ;\
+	@for i in $(DIRS); \
 	do \
+	if [ -d "$$i" ]; then \
 		(cd $$i && echo "making all in $$i..." && \
 		$(MAKE) CC='${CC}' PLATFORM='${PLATFORM}' CFLAG='${CFLAG}' SDIRS='$(SDIRS)' INSTALLTOP='${INSTALLTOP}' PEX_LIBS='${PEX_LIBS}' EX_LIBS='${EX_LIBS}' BN_ASM='${BN_ASM}' DES_ENC='${DES_ENC}' BF_ENC='${BF_ENC}' CAST_ENC='${CAST_ENC}' RC4_ENC='${RC4_ENC}' RC5_ENC='${RC5_ENC}' SHA1_ASM_OBJ='${SHA1_ASM_OBJ}' MD5_ASM_OBJ='${MD5_ASM_OBJ}' RMD160_ASM_OBJ='${RMD160_ASM_OBJ}' AR='${AR}' PROCESSOR='${PROCESSOR}' PERL='${PERL}' RANLIB='${RANLIB}' all ) || exit 1; \
-	done;
+	else \
+		$(MAKE) $$i; \
+	fi; \
+	done; \
+	if echo "$(DIRS)" | \
+	    grep '\(^\| \)\(crypto\|ssl\)\( \|$$\)' > /dev/null 2>&1 && \
+	   [ -n "$(SHARED_LIBS)" ]; then \
+		$(MAKE) $(SHARED_LIBS); \
+	fi
 
-linux-shared:
-	for i in ${SHLIBDIRS}; do \
-	rm -f lib$$i.a lib$$i.so \
-		lib$$i.so.${MAJOR} lib$$i.so.${MAJOR}.${MINOR}; \
-	${MAKE} CC='${CC}' PLATFORM='${PLATFORM}' CFLAG='-fPIC ${CFLAG}' SDIRS='${SDIRS}' INSTALLTOP='${INSTALLTOP}' PEX_LIBS='${PEX_LIBS}' EX_LIBS='${EX_LIBS}' BN_ASM='${BN_ASM}' DES_ENC='${DES_ENC}' BF_ENC='${BF_ENC}' CAST_ENC='${CAST_ENC}' RC4_ENC='${RC4_ENC}' RC5_ENC='${RC5_ENC}' SHA1_ASM_OBJ='${SHA1_ASM_OBJ}' MD5_ASM_OBJ='${MD5_ASM_OBJ}' RMD160_ASM_OBJ='${RMD160_ASM_OBJ}' AR='${AR}' DIRS=$$i clean all || exit 1; \
-	( set -x; ${CC}  -shared -o lib$$i.so.${MAJOR}.${MINOR} \
-		-Wl,-S,-soname=lib$$i.so.${MAJOR} \
+libcrypto$(SHLIB_EXT): libcrypto.a
+	@if [ "$(SHLIB_TARGET)" != "" ]; then \
+		$(MAKE) SHLIBDIRS=crypto build-shared; \
+	else \
+		echo "There's no support for shared libraries on this platform" >&2; \
+	fi
+libssl$(SHLIB_EXT): libcrypto$(SHLIB_EXT) libssl.a
+	@if [ "$(SHLIB_TARGET)" != "" ]; then \
+		$(MAKE) SHLIBDIRS=ssl SHLIBDEPS='-lcrypto' build-shared; \
+	else \
+		echo "There's no support for shared libraries on this platform" >&2; \
+	fi
+
+clean-shared:
+	@for i in $(SHLIBDIRS); do \
+		if [ -n "$(SHARED_LIBS_LINK_EXTS)" ]; then \
+			tmp="$(SHARED_LIBS_LINK_EXTS)"; \
+			for j in $${tmp:-x}; do \
+				( set -x; rm -f lib$$i$$j ); \
+			done; \
+		fi; \
+		( set -x; rm -f lib$$i$(SHLIB_EXT) ); \
+	done
+
+link-shared:
+	@for i in $(SHLIBDIRS); do \
+		prev=lib$$i$(SHLIB_EXT); \
+		if [ -n "$(SHARED_LIBS_LINK_EXTS)" ]; then \
+			tmp="$(SHARED_LIBS_LINK_EXTS)"; \
+			for j in $${tmp:-x}; do \
+				( set -x; ln -s -f $$prev lib$$i$$j ); \
+				prev=lib$$i$$j; \
+			done; \
+		fi; \
+	done
+
+build-shared: clean-shared do_$(SHLIB_TARGET) link-shared
+
+do_bsd-gcc-shared: linux-shared
+do_linux-shared:
+	libs='-L. ${SHLIBDEPS}'; for i in ${SHLIBDIRS}; do \
+	( set -x; ${CC}  -shared -o lib$$i.so.${SHLIB_MAJOR}.${SHLIB_MINOR} \
+		-Wl,-S,-soname=lib$$i.so.${SHLIB_MAJOR} \
 		-Wl,--whole-archive lib$$i.a \
-		-Wl,--no-whole-archive -lc ) || exit 1; \
-	rm -f lib$$i.a; make -C $$i clean || exit 1 ;\
-	done;
-	@set -x; \
-	for i in ${SHLIBDIRS}; do \
-	ln -s lib$$i.so.${MAJOR}.${MINOR} lib$$i.so.${MAJOR}; \
-	ln -s lib$$i.so.${MAJOR} lib$$i.so; \
-	done;
+		-Wl,--no-whole-archive $$libs ${EX_LIBS} -lc ) || exit 1; \
+	libs="$$libs -l$$i"; \
+	done
+
+# This assumes that GNU utilities are *not* used
+do_true64-shared:
+	libs='-L. ${SHLIBDEPS}'; for i in ${SHLIBDIRS}; do \
+	( set -x; ${CC}  -shared -no_archive -o lib$$i.so \
+		-set_version "${SHLIB_VERSION_HISTORY}${SHLIB_VERSION_NUMBER}" \
+		-all lib$$i.a -none $$libs ${EX_LIBS} -lc ) || exit 1; \
+	libs="$$libs -l$$i"; \
+	done
+
+# This assumes that GNU utilities are *not* used
+do_solaris-shared:
+	libs='-L. ${SHLIBDEPS}'; for i in ${SHLIBDIRS}; do \
+	( set -x; ${CC}  -G -o lib$$i.so.${SHLIB_MAJOR}.${SHLIB_MINOR} \
+		-h lib$$i.so.${SHLIB_MAJOR} \
+		-z allextract lib$$i.a $$libs ${EX_LIBS} -lc ) || exit 1; \
+	libs="$$libs -l$$i"; \
+	done
 
 Makefile.ssl: Makefile.org
 	@echo "Makefile.ssl is older than Makefile.org."
@@ -220,9 +290,11 @@ clean:
 	rm -f shlib/*.o *.o core a.out fluff *.map rehash.time testlog make.log cctest cctest.c
 	@for i in $(DIRS) ;\
 	do \
+	if [ -d "$$i" ]; then \
 		(cd $$i && echo "making clean in $$i..." && \
 		$(MAKE) SDIRS='${SDIRS}' clean ) || exit 1; \
 		rm -f $(LIBS); \
+	fi; \
 	done;
 	rm -f *.a *.o speed.* *.map *.so .pure core
 	rm -f $(TARFILE)
@@ -239,8 +311,10 @@ files:
 	$(PERL) $(TOP)/util/files.pl Makefile.ssl > $(TOP)/MINFO
 	@for i in $(DIRS) ;\
 	do \
+	if [ -d "$$i" ]; then \
 		(cd $$i && echo "making 'files' in $$i..." && \
 		$(MAKE) SDIRS='${SDIRS}' PERL='${PERL}' files ) || exit 1; \
+	fi; \
 	done;
 
 links:
@@ -248,21 +322,25 @@ links:
 	@$(PERL) $(TOP)/util/mkdir-p.pl include/openssl
 	@$(PERL) $(TOP)/util/mklink.pl include/openssl $(EXHEADER)
 	@for i in $(DIRS); do \
+	if [ -d "$$i" ]; then \
 		(cd $$i && echo "making links in $$i..." && \
 		$(MAKE) CC='${CC}' PLATFORM='${PLATFORM}' CFLAG='${CFLAG}' SDIRS='$(SDIRS)' INSTALLTOP='${INSTALLTOP}' PEX_LIBS='${PEX_LIBS}' EX_LIBS='${EX_LIBS}' BN_ASM='${BN_ASM}' DES_ENC='${DES_ENC}' BF_ENC='${BF_ENC}' CAST_ENC='${CAST_ENC}' RC4_ENC='${RC4_ENC}' RC5_ENC='${RC5_ENC}' SHA1_ASM_OBJ='${SHA1_ASM_OBJ}' MD5_ASM_OBJ='${MD5_ASM_OBJ}' RMD160_ASM_OBJ='${RMD160_ASM_OBJ}' AR='${AR}' PERL='${PERL}' links ) || exit 1; \
+	fi; \
 	done;
 
 dclean:
 	rm -f *.bak
 	@for i in $(DIRS) ;\
 	do \
+	if [ -d "$$i" ]; then \
 		(cd $$i && echo "making dclean in $$i..." && \
 		$(MAKE) SDIRS='${SDIRS}' PERL='${PERL}' dclean ) || exit 1; \
+	fi; \
 	done;
 
 rehash: rehash.time
 rehash.time: certs
-	@(OPENSSL="`pwd`/apps/openssl"; export OPENSSL; sh tools/c_rehash certs)
+	@(OPENSSL="`pwd`/apps/openssl"; export OPENSSL; $(PERL) tools/c_rehash certs)
 	touch rehash.time
 
 test:   tests
@@ -278,41 +356,52 @@ report:
 depend:
 	@for i in $(DIRS) ;\
 	do \
+	if [ -d "$$i" ]; then \
 		(cd $$i && echo "making dependencies $$i..." && \
 		$(MAKE) SDIRS='${SDIRS}' DEPFLAG='${DEPFLAG}' depend ) || exit 1; \
+	fi; \
 	done;
 
 lint:
 	@for i in $(DIRS) ;\
 	do \
+	if [ -d "$$i" ]; then \
 		(cd $$i && echo "making lint $$i..." && \
 		$(MAKE) SDIRS='${SDIRS}' lint ) || exit 1; \
+	fi; \
 	done;
 
 tags:
 	@for i in $(DIRS) ;\
 	do \
+	if [ -d "$$i" ]; then \
 		(cd $$i && echo "making tags $$i..." && \
 		$(MAKE) SDIRS='${SDIRS}' tags ) || exit 1; \
+	fi; \
 	done;
 
 errors:
 	perl util/mkerr.pl -recurse -write
 
+stacks:
+	perl util/mkstack.pl -write
+
 util/libeay.num::
 	perl util/mkdef.pl crypto update
 
 util/ssleay.num::
 	perl util/mkdef.pl ssl update
 
-crypto/objects/obj_dat.h: crypto/objects/objects.h crypto/objects/obj_dat.pl
-	perl crypto/objects/obj_dat.pl crypto/objects/objects.h crypto/objects/obj_dat.h
+crypto/objects/obj_dat.h: crypto/objects/obj_mac.h crypto/objects/obj_dat.pl
+	perl crypto/objects/obj_dat.pl crypto/objects/obj_mac.h crypto/objects/obj_dat.h
+crypto/objects/obj_mac.h: crypto/objects/objects.pl crypto/objects/objects.txt 
+	perl crypto/objects/objects.pl crypto/objects/objects.txt crypto/objects/obj_mac.num crypto/objects/obj_mac.h
 
 TABLE: Configure
 	(echo 'Output of `Configure TABLE'"':"; \
 	perl Configure TABLE) > TABLE
 
-update: depend errors util/libeay.num util/ssleay.num crypto/objects/obj_dat.h TABLE
+update: depend errors stacks util/libeay.num util/ssleay.num crypto/objects/obj_dat.h TABLE
 
 tar:
 	@$(TAR) $(TARFLAGS) -cvf - \
@@ -347,16 +436,34 @@ install: all install_docs
 	done;
 	@for i in $(DIRS) ;\
 	do \
+	if [ -d "$$i" ]; then \
 		(cd $$i; echo "installing $$i..."; \
 		$(MAKE) CC='${CC}' CFLAG='${CFLAG}' INSTALL_PREFIX='${INSTALL_PREFIX}' INSTALLTOP='${INSTALLTOP}' OPENSSLDIR='${OPENSSLDIR}' EX_LIBS='${EX_LIBS}' SDIRS='${SDIRS}' RANLIB='${RANLIB}' install ); \
+	fi; \
 	done
 	@for i in $(LIBS) ;\
 	do \
+		if [ -f "$$i" ]; then \
 		(       echo installing $$i; \
 			cp $$i $(INSTALL_PREFIX)$(INSTALLTOP)/lib; \
 			$(RANLIB) $(INSTALL_PREFIX)$(INSTALLTOP)/lib/$$i; \
 			chmod 644 $(INSTALL_PREFIX)$(INSTALLTOP)/lib/$$i ); \
+		fi \
 	done
+	@if [ -n "$(SHARED_LIBS)" ]; then \
+		tmp="$(SHARED_LIBS)"; \
+		for i in $${tmp:-x}; \
+		do \
+			if [ -f "$$i" ]; then \
+			(       echo installing $$i; \
+				cp $$i $(INSTALL_PREFIX)$(INSTALLTOP)/lib; \
+				chmod 644 $(INSTALL_PREFIX)$(INSTALLTOP)/lib/$$i ); \
+			fi \
+		done; \
+		(	here="`pwd`"; \
+			cd $(INSTALL_PREFIX)$(INSTALLTOP)/lib; \
+			make -f $$here/Makefile link-shared ); \
+	fi
 
 install_docs:
 	@$(PERL) $(TOP)/util/mkdir-p.pl \
@@ -383,11 +490,4 @@ install_docs:
 			>  $(INSTALL_PREFIX)$(MANDIR)/man$$sec/`basename $$i .pod`.$$sec; \
 	done
 
-shlib: all
-	if [ ! -d shlib_dir ] ; then mkdir shlib_dir ; else rm -f shlib_dir/* ; fi
-	cd shlib_dir ; ar -x ../libcrypto.a && $(CC) -shared ./*.o -Wl,-soname -Wl,libcrypto.so.0.9 \
-            -o ./libcrypto.so.0.9.4 && rm *.o
-	cd shlib_dir ; ar -x ../libssl.a && $(CC) -shared ./*.o -Wl,-soname -Wl,libssl.so.0.9 \
-            -o ./libssl.so.0.9.4 && rm *.o
-
 # DO NOT DELETE THIS LINE -- make depend depends on it.

NEWS

@@ -5,6 +5,21 @@
   This file gives a brief overview of the major changes between each OpenSSL
   release. For more details please read the CHANGES file.
 
+  Major changes between OpenSSL 0.9.5a and OpenSSL 0.9.6:
+
+      o Some documentation for BIO and SSL libraries.
+      o Enhanced chain verification using key identifiers.
+      o New sign and verify options to 'dgst' application.
+      o Support for DER and PEM encoded messages in 'smime' application.
+      o New 'rsautl' application, low level RSA utility.
+      o MD4 now included.
+      o Bugfix for SSL rollback padding check.
+      o Support for external crypto devices [1].
+      o Enhanced EVP interface.
+
+    [1] The support for external crypto devices is currently a separate
+        distribution.  See the file README.ENGINE.
+
   Major changes between OpenSSL 0.9.5 and OpenSSL 0.9.5a:
 
       o Bug fixes for Win32, SuSE Linux, NeXTSTEP and FreeBSD 2.2.8 

README

@@ -1,5 +1,5 @@
 
- OpenSSL 0.9.5a-beta2  23 Mar 2000
+ OpenSSL 0.9.6a-beta2 [engine] 21 Mar 2001
 
  Copyright (c) 1998-2000 The OpenSSL Project
  Copyright (c) 1995-1998 Eric A. Young, Tim J. Hudson
@@ -99,13 +99,12 @@
  country.  The file contains some of the patents that we know about or are
  rumoured to exist. This is not a definitive list.
 
- RSA Data Security holds software patents on the RSA and RC5 algorithms.  If
- their ciphers are used used inside the USA (and Japan?), you must contact RSA
- Data Security for licensing conditions. Their web page is
- http://www.rsa.com/.
+ RSA Security holds software patents on the RC5 algorithm.  If you
+ intend to use this cipher, you must contact RSA Security for
+ licensing conditions. Their web page is http://www.rsasecurity.com/.
 
- RC4 is a trademark of RSA Data Security, so use of this label should perhaps
- only be used with RSA Data Security's permission. 
+ RC4 is a trademark of RSA Security, so use of this label should perhaps
+ only be used with RSA Security's permission. 
 
  The IDEA algorithm is patented by Ascom in Austria, France, Germany, Italy,
  Japan, Netherlands, Spain, Sweden, Switzerland, UK and the USA.  They should
@@ -119,9 +118,6 @@
  a Win32 platform, read the INSTALL.W32 file.  For OpenVMS systems, read
  INSTALL.VMS.
 
- For people in the USA, it is possible to compile OpenSSL to use RSA Inc.'s
- public key library, RSAREF, by configuring OpenSSL with the option "rsaref".
-
  Read the documentation in the doc/ directory.  It is quite rough, but it
  lists the functions, you will probably have to look at the code to work out
  how to used them. Look at the example programs.
@@ -167,6 +163,9 @@
  the string "[PATCH]" in the subject. Please be sure to include a
  textual explanation of what your patch does.
 
+ Note: For legal reasons, contributions from the US can be accepted only
+ if a copy of the patch is sent to crypt@bxa.doc.gov
+
  The preferred format for changes is "diff -u" output. You might
  generate it like this:
 
@@ -174,4 +173,4 @@
  # [your changes]
  # ./Configure dist; make clean
  # cd ..
- # diff -urN openssl-orig openssl-work > mydiffs.patch
+ # diff -ur openssl-orig openssl-work > mydiffs.patch

README.ENGINE

@@ -0,0 +1,63 @@
+
+  ENGINE
+  ======
+
+  With OpenSSL 0.9.6, a new component has been added to support external 
+  crypto devices, for example accelerator cards.  The component is called
+  ENGINE, and has still a pretty experimental status and almost no
+  documentation.  It's designed to be faily easily extensible by the
+  calling programs.
+
+  There's currently built-in support for the following crypto devices:
+
+      o CryptoSwift
+      o Compaq Atalla
+      o nCipher CHIL
+
+  A number of things are still needed and are being worked on:
+
+      o An openssl utility command to handle or at least check available
+        engines.
+      o A better way of handling the methods that are handled by the
+        engines.
+      o Documentation!
+
+  What already exists is fairly stable as far as it has been tested, but
+  the test base has been a bit small most of the time.
+
+  Because of this experimental status and what's lacking, the ENGINE
+  component is not yet part of the default OpenSSL distribution.  However,
+  we have made a separate kit for those who want to try this out, to be
+  found in the same places as the default OpenSSL distribution, but with
+  "-engine-" being part of the kit file name.  For example, version 0.9.6
+  is distributed in the following two files:
+
+      openssl-0.9.6.tar.gz
+      openssl-engine-0.9.6.tar.gz
+
+  NOTES
+  =====
+
+  openssl-engine-0.9.6.tar.gz does not depend on openssl-0.9.6.tar, you do
+  not need to download both.
+
+  openssl-engine-0.9.6.tar.gz is usable even if you don't have an external
+  crypto device.  The internal OpenSSL functions are contained in the
+  engine "openssl", and will be used by default.
+
+  No external crypto device is chosen unless you say so.  You have actively
+  tell the openssl utility commands to use it through a new command line
+  switch called "-engine".  And if you want to use the ENGINE library to
+  do something similar, you must also explicitely choose an external crypto
+  device, or the built-in crypto routines will be used, just as in the
+  default OpenSSL distribution.
+
+
+  PROBLEMS
+  ========
+
+  It seems like the ENGINE part doesn't work too well with Cryptoswift on
+  Win32.  A quick test done right before the release showed that trying
+  "openssl speed -engine cswift" generated errors.  If the DSO gets enabled,
+  an attempt is made to write at memory address 0x00000002.
+

STATUS

@@ -1,19 +1,43 @@
 
   OpenSSL STATUS                           Last modified at
-  ______________                           $Date: 2000/03/21 20:42:35 $
+  ______________                           $Date: 2001/03/21 18:18:51 $
 
   DEVELOPMENT STATE
 
-    o  OpenSSL 0.9.5a: Under development...
-                       0.9.5a-beta1 is available.
-                        sunos-gcc                       - failed (ssize_t)
-                        ultrix-gcc, ultrix-cc           - failed (ssize_t)
-                        sco5-cc                         - bc fails in test
-			VC-Win32 (MSVC6SP3, nasm)       - failed (fixed) 
-			FreeBSD-elf (i686-pc-freebsd3.2)- failed (fixed)
-			HPUX (hpux-parisc-cc w/ +02)	- passed
-			OpenBSD-x86			- passed
-			solaris-sparcv9-cc		- passed
+    o  OpenSSL 0.9.6a: In development...
+                       Beta 1 released on March 13th, 2001
+	HP-UX 10.20 (hpux-parisc-cc)		- PASSED [normal+engine]
+	HP-UX 10.20 (hpux-parisc-gcc)		- PASSED [normal+engine]
+	HP-UX 11.00 32bit (hpux-parisc-gcc)	- FAILED [engine]
+		"openssl speed rsa1024 -engine cswift" fails unless
+		libswift.sl is renamed to libswift.so.
+		[CORRECTED]
+	HP MPE/iX				- PASSED [presumed normal]
+	Linux 2.2.17 SMP (linux-elf)		- PASSED [normal+engine]
+	Windows (VC-WIN32)			- FAILED [presumed normal]
+		Missing line in ms/32all.bat:
+			perl util\mkfiles.pl >MINFO
+		[CORRECTED]
+		In randfile.c, line 214, signed and unsigned int are mixed.
+		[CORRECTED]
+		In s_client.c and s_server.c, RAND_status() needs to get
+		declared (#include <openssl/rand.h>)
+		[CORRECTED]
+	OpenVMS (any version)			- FAILED [normal+engine]
+		Missing instructions in building script.
+		[CORRECTED]
+	AIX 4.3					- FAILED [engine]
+		Needs -DDSO_DLFCN and -DHAVE_DLFCN_H to work.
+		[CORRECTED] (but will not be automagically configured)
+	Irix 6.5.11				- FAILED [presumed normal]
+		BN_sqr test fails.
+        solaris64-sparcv9-cc (SunOS 5.8)        - PASSED [normal+engine]
+	BSDI 4.0.1 (bsdi-elf-gcc)		- FAILED [engine]
+		Needs -DDSO_DLFCN, -DHAVE_DLFCN_H and -ldl to work.
+		[CORRECTED]
+	mingw32 w/ gcc 2.95.2			- PASSED [presumed normal]
+    o  OpenSSL 0.9.6:  Released on September 24th, 2000
+    o  OpenSSL 0.9.5a: Released on April      1st, 2000
     o  OpenSSL 0.9.5:  Released on February  28th, 2000
     o  OpenSSL 0.9.4:  Released on August    09th, 1999
     o  OpenSSL 0.9.3a: Released on May       29th, 1999
@@ -30,11 +54,19 @@
   IN PROGRESS
 
     o Steve is currently working on (in no particular order):
+        ASN1 code redesign, butchery, replacement.
+        EVP cipher enhancement.
         Proper (or at least usable) certificate chain verification.
 	Private key, certificate and CRL API and implementation.
 	Developing and bugfixing PKCS#7 (S/MIME code).
         Various X509 issues: character sets, certificate request extensions.
-	Documentation for the openssl utility.
+    o Geoff and Richard are currently working on:
+	ENGINE (the new code that gives hardware support among others).
+    o Richard is currently working on:
+	UTIL (a new set of library functions to support some higher level
+	      functionality that is currently missing).
+	Dynamic thread-lock support.
+	Shared library support for VMS.
 
   NEEDS PATCH
 
@@ -87,20 +119,6 @@
                to date.
                Paul +1
 
-    o The EVP and ASN1 stuff is a mess. Currently you have one EVP_CIPHER
-      structure for each cipher. This may make sense for things like DES but
-      for variable length ciphers like RC2 and RC4 it is NBG. Need a way to
-      use the EVP interface and set up the cipher parameters. The ASN1 stuff
-      is also foo wrt ciphers whose AlgorithmIdentifier has more than just
-      an IV in it (e.g. RC2, RC5). This also means that EVP_Seal and EVP_Open
-      don't work unless the key length matches the fixed value (some vendors
-      use a key length decided by the size of the RSA encrypted key and expect
-      RC2 to adapt).
-
-    o ERR_error_string(..., buf) does not know how large buf is,
-      there should be ERR_error_string_n(..., buf, bufsize)
-      or similar.
-
   WISHES
 
     o 

VMS/install.com

@@ -34,10 +34,8 @@ $	IF F$PARSE("WRK_SSLINCLUDE:") .EQS. "" THEN -
 $	IF F$PARSE("WRK_SSLROOT:[VMS]") .EQS. "" THEN -
 	   CREATE/DIR/LOG WRK_SSLROOT:[VMS]
 $
-$	EXHEADER := vms_idhacks.h
-$
-$	COPY 'EXHEADER' WRK_SSLINCLUDE: /LOG
-$	SET FILE/PROT=WORLD:RE WRK_SSLINCLUDE:'EXHEADER'
+$	IF F$SEARCH("WRK_SSLINCLUDE:vms_idhacks.h") .NES. "" THEN -
+	   DELETE WRK_SSLINCLUDE:vms_idhacks.h;*
 $
 $	OPEN/WRITE SF WRK_SSLROOT:[VMS]OPENSSL_STARTUP.COM
 $	WRITE SYS$OUTPUT "%OPEN-I-CREATED,  ",F$SEARCH("WRK_SSLROOT:[VMS]OPENSSL_STARTUP.COM")," created."

VMS/vms_idhacks.h

@@ -1,198 +0,0 @@
-/* ====================================================================
- * Copyright (c) 1999 The OpenSSL Project.  All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- *    notice, this list of conditions and the following disclaimer. 
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- *    notice, this list of conditions and the following disclaimer in
- *    the documentation and/or other materials provided with the
- *    distribution.
- *
- * 3. All advertising materials mentioning features or use of this
- *    software must display the following acknowledgment:
- *    "This product includes software developed by the OpenSSL Project
- *    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
- *
- * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
- *    endorse or promote products derived from this software without
- *    prior written permission. For written permission, please contact
- *    openssl-core@openssl.org.
- *
- * 5. Products derived from this software may not be called "OpenSSL"
- *    nor may "OpenSSL" appear in their names without prior written
- *    permission of the OpenSSL Project.
- *
- * 6. Redistributions of any form whatsoever must retain the following
- *    acknowledgment:
- *    "This product includes software developed by the OpenSSL Project
- *    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
- *
- * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
- * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
- * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
- * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
- * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
- * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
- * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
- * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
- * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
- * OF THE POSSIBILITY OF SUCH DAMAGE.
- * ====================================================================
- *
- * This product includes cryptographic software written by Eric Young
- * (eay@cryptsoft.com).  This product includes software written by Tim
- * Hudson (tjh@cryptsoft.com).
- *
- */
-
-#ifndef HEADER_VMS_IDHACKS_H
-#define HEADER_VMS_IDHACKS_H
-
-#ifdef VMS
-
-/* Hack a long name in crypto/asn1/a_mbstr.c */
-#define ASN1_STRING_set_default_mask_asc ASN1_STRING_set_def_mask_asc
-/* Hack the names created with DECLARE_STACK_OF(PKCS7_SIGNER_INFO) */
-#define sk_PKCS7_SIGNER_INFO_new		sk_PKCS7_SIGINF_new
-#define sk_PKCS7_SIGNER_INFO_new_null		sk_PKCS7_SIGINF_new_null
-#define sk_PKCS7_SIGNER_INFO_free		sk_PKCS7_SIGINF_free
-#define sk_PKCS7_SIGNER_INFO_num		sk_PKCS7_SIGINF_num
-#define sk_PKCS7_SIGNER_INFO_value		sk_PKCS7_SIGINF_value
-#define sk_PKCS7_SIGNER_INFO_set		sk_PKCS7_SIGINF_set
-#define sk_PKCS7_SIGNER_INFO_zero		sk_PKCS7_SIGINF_zero
-#define sk_PKCS7_SIGNER_INFO_push		sk_PKCS7_SIGINF_push
-#define sk_PKCS7_SIGNER_INFO_unshift		sk_PKCS7_SIGINF_unshift
-#define sk_PKCS7_SIGNER_INFO_find		sk_PKCS7_SIGINF_find
-#define sk_PKCS7_SIGNER_INFO_delete		sk_PKCS7_SIGINF_delete
-#define sk_PKCS7_SIGNER_INFO_delete_ptr		sk_PKCS7_SIGINF_delete_ptr
-#define sk_PKCS7_SIGNER_INFO_insert		sk_PKCS7_SIGINF_insert
-#define sk_PKCS7_SIGNER_INFO_set_cmp_func	sk_PKCS7_SIGINF_set_cmp_func
-#define sk_PKCS7_SIGNER_INFO_dup		sk_PKCS7_SIGINF_dup
-#define sk_PKCS7_SIGNER_INFO_pop_free		sk_PKCS7_SIGINF_pop_free
-#define sk_PKCS7_SIGNER_INFO_shift		sk_PKCS7_SIGINF_shift
-#define sk_PKCS7_SIGNER_INFO_pop		sk_PKCS7_SIGINF_pop
-#define sk_PKCS7_SIGNER_INFO_sort		sk_PKCS7_SIGINF_sort
-
-/* Hack the names created with DECLARE_STACK_OF(PKCS7_RECIP_INFO) */
-#define sk_PKCS7_RECIP_INFO_new			sk_PKCS7_RECINF_new
-#define sk_PKCS7_RECIP_INFO_new_null		sk_PKCS7_RECINF_new_null
-#define sk_PKCS7_RECIP_INFO_free		sk_PKCS7_RECINF_free
-#define sk_PKCS7_RECIP_INFO_num			sk_PKCS7_RECINF_num
-#define sk_PKCS7_RECIP_INFO_value		sk_PKCS7_RECINF_value
-#define sk_PKCS7_RECIP_INFO_set			sk_PKCS7_RECINF_set
-#define sk_PKCS7_RECIP_INFO_zero		sk_PKCS7_RECINF_zero
-#define sk_PKCS7_RECIP_INFO_push		sk_PKCS7_RECINF_push
-#define sk_PKCS7_RECIP_INFO_unshift		sk_PKCS7_RECINF_unshift
-#define sk_PKCS7_RECIP_INFO_find		sk_PKCS7_RECINF_find
-#define sk_PKCS7_RECIP_INFO_delete		sk_PKCS7_RECINF_delete
-#define sk_PKCS7_RECIP_INFO_delete_ptr		sk_PKCS7_RECINF_delete_ptr
-#define sk_PKCS7_RECIP_INFO_insert		sk_PKCS7_RECINF_insert
-#define sk_PKCS7_RECIP_INFO_set_cmp_func	sk_PKCS7_RECINF_set_cmp_func
-#define sk_PKCS7_RECIP_INFO_dup			sk_PKCS7_RECINF_dup
-#define sk_PKCS7_RECIP_INFO_pop_free		sk_PKCS7_RECINF_pop_free
-#define sk_PKCS7_RECIP_INFO_shift		sk_PKCS7_RECINF_shift
-#define sk_PKCS7_RECIP_INFO_pop			sk_PKCS7_RECINF_pop
-#define sk_PKCS7_RECIP_INFO_sort		sk_PKCS7_RECINF_sort
-
-/* Hack the names created with DECLARE_STACK_OF(ASN1_STRING_TABLE) */
-#define sk_ASN1_STRING_TABLE_new		sk_ASN1_STRTAB_new
-#define sk_ASN1_STRING_TABLE_new_null		sk_ASN1_STRTAB_new_null
-#define sk_ASN1_STRING_TABLE_free		sk_ASN1_STRTAB_free
-#define sk_ASN1_STRING_TABLE_num		sk_ASN1_STRTAB_num
-#define sk_ASN1_STRING_TABLE_value		sk_ASN1_STRTAB_value
-#define sk_ASN1_STRING_TABLE_set		sk_ASN1_STRTAB_set
-#define sk_ASN1_STRING_TABLE_zero		sk_ASN1_STRTAB_zero
-#define sk_ASN1_STRING_TABLE_push		sk_ASN1_STRTAB_push
-#define sk_ASN1_STRING_TABLE_unshift		sk_ASN1_STRTAB_unshift
-#define sk_ASN1_STRING_TABLE_find		sk_ASN1_STRTAB_find
-#define sk_ASN1_STRING_TABLE_delete		sk_ASN1_STRTAB_delete
-#define sk_ASN1_STRING_TABLE_delete_ptr		sk_ASN1_STRTAB_delete_ptr
-#define sk_ASN1_STRING_TABLE_insert		sk_ASN1_STRTAB_insert
-#define sk_ASN1_STRING_TABLE_set_cmp_func	sk_ASN1_STRTAB_set_cmp_func
-#define sk_ASN1_STRING_TABLE_dup		sk_ASN1_STRTAB_dup
-#define sk_ASN1_STRING_TABLE_pop_free		sk_ASN1_STRTAB_pop_free
-#define sk_ASN1_STRING_TABLE_shift		sk_ASN1_STRTAB_shift
-#define sk_ASN1_STRING_TABLE_pop		sk_ASN1_STRTAB_pop
-#define sk_ASN1_STRING_TABLE_sort		sk_ASN1_STRTAB_sort
-
-/* Hack the names created with DECLARE_STACK_OF(ACCESS_DESCRIPTION) */
-#define sk_ACCESS_DESCRIPTION_new		sk_ACC_DESC_new
-#define sk_ACCESS_DESCRIPTION_new_null		sk_ACC_DESC_new_null
-#define sk_ACCESS_DESCRIPTION_free		sk_ACC_DESC_free
-#define sk_ACCESS_DESCRIPTION_num		sk_ACC_DESC_num
-#define sk_ACCESS_DESCRIPTION_value		sk_ACC_DESC_value
-#define sk_ACCESS_DESCRIPTION_set		sk_ACC_DESC_set
-#define sk_ACCESS_DESCRIPTION_zero		sk_ACC_DESC_zero
-#define sk_ACCESS_DESCRIPTION_push		sk_ACC_DESC_push
-#define sk_ACCESS_DESCRIPTION_unshift		sk_ACC_DESC_unshift
-#define sk_ACCESS_DESCRIPTION_find		sk_ACC_DESC_find
-#define sk_ACCESS_DESCRIPTION_delete		sk_ACC_DESC_delete
-#define sk_ACCESS_DESCRIPTION_delete_ptr	sk_ACC_DESC_delete_ptr
-#define sk_ACCESS_DESCRIPTION_insert		sk_ACC_DESC_insert
-#define sk_ACCESS_DESCRIPTION_set_cmp_func	sk_ACC_DESC_set_cmp_func
-#define sk_ACCESS_DESCRIPTION_dup		sk_ACC_DESC_dup
-#define sk_ACCESS_DESCRIPTION_pop_free		sk_ACC_DESC_pop_free
-#define sk_ACCESS_DESCRIPTION_shift		sk_ACC_DESC_shift
-#define sk_ACCESS_DESCRIPTION_pop		sk_ACC_DESC_pop
-#define sk_ACCESS_DESCRIPTION_sort		sk_ACC_DESC_sort
-
-/* Hack the names created with DECLARE_STACK_OF(CRYPTO_EX_DATA_FUNCS) */
-#define sk_CRYPTO_EX_DATA_FUNCS_new		sk_CRYPT_EX_DATFNS_new
-#define sk_CRYPTO_EX_DATA_FUNCS_new_null	sk_CRYPT_EX_DATFNS_new_null
-#define sk_CRYPTO_EX_DATA_FUNCS_free		sk_CRYPT_EX_DATFNS_free
-#define sk_CRYPTO_EX_DATA_FUNCS_num		sk_CRYPT_EX_DATFNS_num
-#define sk_CRYPTO_EX_DATA_FUNCS_value		sk_CRYPT_EX_DATFNS_value
-#define sk_CRYPTO_EX_DATA_FUNCS_set		sk_CRYPT_EX_DATFNS_set
-#define sk_CRYPTO_EX_DATA_FUNCS_zero		sk_CRYPT_EX_DATFNS_zero
-#define sk_CRYPTO_EX_DATA_FUNCS_push		sk_CRYPT_EX_DATFNS_push
-#define sk_CRYPTO_EX_DATA_FUNCS_unshift		sk_CRYPT_EX_DATFNS_unshift
-#define sk_CRYPTO_EX_DATA_FUNCS_find		sk_CRYPT_EX_DATFNS_find
-#define sk_CRYPTO_EX_DATA_FUNCS_delete		sk_CRYPT_EX_DATFNS_delete
-#define sk_CRYPTO_EX_DATA_FUNCS_delete_ptr	sk_CRYPT_EX_DATFNS_delete_ptr
-#define sk_CRYPTO_EX_DATA_FUNCS_insert		sk_CRYPT_EX_DATFNS_insert
-#define sk_CRYPTO_EX_DATA_FUNCS_set_cmp_func	sk_CRYPT_EX_DATFNS_set_cmp_func
-#define sk_CRYPTO_EX_DATA_FUNCS_dup		sk_CRYPT_EX_DATFNS_dup
-#define sk_CRYPTO_EX_DATA_FUNCS_pop_free	sk_CRYPT_EX_DATFNS_pop_free
-#define sk_CRYPTO_EX_DATA_FUNCS_shift		sk_CRYPT_EX_DATFNS_shift
-#define sk_CRYPTO_EX_DATA_FUNCS_pop		sk_CRYPT_EX_DATFNS_pop
-#define sk_CRYPTO_EX_DATA_FUNCS_sort		sk_CRYPT_EX_DATFNS_sort
-
-/* Hack the names created with DECLARE_ASN1_SET_OF(PKCS7_SIGNER_INFO) */
-#define i2d_ASN1_SET_OF_PKCS7_SIGNER_INFO	i2d_ASN1_SET_OF_PKCS7_SIGINF
-#define d2i_ASN1_SET_OF_PKCS7_SIGNER_INFO	d2i_ASN1_SET_OF_PKCS7_SIGINF
-
-/* Hack the names created with DECLARE_ASN1_SET_OF(PKCS7_RECIP_INFO) */
-#define i2d_ASN1_SET_OF_PKCS7_RECIP_INFO	i2d_ASN1_SET_OF_PKCS7_RECGINF
-#define d2i_ASN1_SET_OF_PKCS7_RECIP_INFO	d2i_ASN1_SET_OF_PKCS7_RECGINF
-
-/* Hack the names created with DECLARE_ASN1_SET_OF(ACCESS_DESCRIPTION) */
-#define i2d_ASN1_SET_OF_ACCESS_DESCRIPTION	i2d_ASN1_SET_OF_ACC_DESC
-#define d2i_ASN1_SET_OF_ACCESS_DESCRIPTION	d2i_ASN1_SET_OF_ACC_DESC
-
-/* Hack the names created with DECLARE_PEM_rw(NETSCAPE_CERT_SEQUENCE) */
-#define PEM_read_NETSCAPE_CERT_SEQUENCE		PEM_read_NS_CERT_SEQUENCE
-#define PEM_write_NETSCAPE_CERT_SEQUENCE	PEM_write_NS_CERT_SEQUENCE
-#define PEM_read_bio_NETSCAPE_CERT_SEQUENCE	PEM_read_bio_NS_CERT_SEQUENCE
-#define PEM_write_bio_NETSCAPE_CERT_SEQUENCE	PEM_write_bio_NS_CERT_SEQUENCE
-#define PEM_write_cb_bio_NETSCAPE_CERT_SEQUENCE	PEM_write_cb_bio_NS_CERT_SEQUENCE
-
-/* Hack the names created with DECLARE_PEM_rw(PKCS8_PRIV_KEY_INFO) */
-#define PEM_read_PKCS8_PRIV_KEY_INFO		PEM_read_P8_PRIV_KEY_INFO
-#define PEM_write_PKCS8_PRIV_KEY_INFO		PEM_write_P8_PRIV_KEY_INFO
-#define PEM_read_bio_PKCS8_PRIV_KEY_INFO	PEM_read_bio_P8_PRIV_KEY_INFO
-#define PEM_write_bio_PKCS8_PRIV_KEY_INFO	PEM_write_bio_P8_PRIV_KEY_INFO
-#define PEM_write_cb_bio_PKCS8_PRIV_KEY_INFO	PEM_wrt_cb_bio_P8_PRIV_KEY_INFO
-
-/* Hack other PEM names */
-#define PEM_write_bio_PKCS8PrivateKey_nid	PEM_write_bio_PKCS8PrivKey_nid
-
-#endif /* defined VMS */
-
-#endif /* ! defined HEADER_VMS_IDHACKS_H */

apps/CA.pl.in

@@ -36,6 +36,7 @@
 # default openssl.cnf file has setup as per the following
 # demoCA ... where everything is stored
 
+$SSLEAY_CONFIG=$ENV{"SSLEAY_CONFIG"};
 $DAYS="-days 365";
 $REQ="openssl req $SSLEAY_CONFIG";
 $CA="openssl ca $SSLEAY_CONFIG";
@@ -116,6 +117,11 @@ foreach (@ARGV) {
 							"-infiles newreq.pem");
 	    $RET=$?;
 	    print "Signed certificate is in newcert.pem\n";
+	} elsif (/^(-signCA)$/) {
+	    system ("$CA -policy policy_anything -out newcert.pem " .
+					"-extensions v3_ca -infiles newreq.pem");
+	    $RET=$?;
+	    print "Signed CA certificate is in newcert.pem\n";
 	} elsif (/^-signcert$/) {
 	    system ("$X509 -x509toreq -in newreq.pem -signkey newreq.pem " .
 								"-out tmp.pem");

apps/app_rand.c

@@ -177,7 +177,9 @@ long app_RAND_load_files(char *name)
 		if (*n == '\0') break;
 
 		egd=RAND_egd(n);
-		if (egd > 0) tot+=egd;
+		if (egd > 0)
+			tot+=egd;
+		else
 			tot+=RAND_load_file(n,-1);
 		if (last) break;
 		}

apps/apps.c

@@ -64,6 +64,11 @@
 #define NON_MAIN
 #include "apps.h"
 #undef NON_MAIN
+#include <openssl/err.h>
+#include <openssl/x509.h>
+#include <openssl/pem.h>
+#include <openssl/pkcs12.h>
+#include <openssl/safestack.h>
 
 #ifdef WINDOWS
 #  include "bss_file.c"
@@ -91,8 +96,8 @@ int args_from_file(char *file, int *argc, char **argv[])
 	*argv=NULL;
 
 	len=(unsigned int)stbuf.st_size;
-	if (buf != NULL) Free(buf);
-	buf=(char *)Malloc(len+1);
+	if (buf != NULL) OPENSSL_free(buf);
+	buf=(char *)OPENSSL_malloc(len+1);
 	if (buf == NULL) return(0);
 
 	len=fread(buf,1,len,fp);
@@ -102,8 +107,8 @@ int args_from_file(char *file, int *argc, char **argv[])
 	i=0;
 	for (p=buf; *p; p++)
 		if (*p == '\n') i++;
-	if (arg != NULL) Free(arg);
-	arg=(char **)Malloc(sizeof(char *)*(i*2));
+	if (arg != NULL) OPENSSL_free(arg);
+	arg=(char **)OPENSSL_malloc(sizeof(char *)*(i*2));
 
 	*argv=arg;
 	num=0;
@@ -159,6 +164,14 @@ int str2fmt(char *s)
 		return(FORMAT_PEM);
 	else if ((*s == 'N') || (*s == 'n'))
 		return(FORMAT_NETSCAPE);
+	else if ((*s == 'S') || (*s == 's'))
+		return(FORMAT_SMIME);
+	else if ((*s == '1')
+		|| (strcmp(s,"PKCS12") == 0) || (strcmp(s,"pkcs12") == 0)
+		|| (strcmp(s,"P12") == 0) || (strcmp(s,"p12") == 0))
+		return(FORMAT_PKCS12);
+	else if ((*s == 'E') || (*s == 'e'))
+		return(FORMAT_ENGINE);
 	else
 		return(FORMAT_UNDEF);
 	}
@@ -266,7 +279,7 @@ int chopup_args(ARGS *arg, char *buf, int *argc, char **argv[])
 	if (arg->count == 0)
 		{
 		arg->count=20;
-		arg->data=(char **)Malloc(sizeof(char *)*arg->count);
+		arg->data=(char **)OPENSSL_malloc(sizeof(char *)*arg->count);
 		}
 	for (i=0; i<arg->count; i++)
 		arg->data[i]=NULL;
@@ -285,7 +298,7 @@ int chopup_args(ARGS *arg, char *buf, int *argc, char **argv[])
 		if (num >= arg->count)
 			{
 			arg->count+=20;
-			arg->data=(char **)Realloc(arg->data,
+			arg->data=(char **)OPENSSL_realloc(arg->data,
 				sizeof(char *)*arg->count);
 			if (argc == 0) return(0);
 			}
@@ -414,3 +427,352 @@ static char *app_get_pass(BIO *err, char *arg, int keepbio)
 	if(tmp) *tmp = 0;
 	return BUF_strdup(tpass);
 }
+
+int add_oid_section(BIO *err, LHASH *conf)
+{	
+	char *p;
+	STACK_OF(CONF_VALUE) *sktmp;
+	CONF_VALUE *cnf;
+	int i;
+	if(!(p=CONF_get_string(conf,NULL,"oid_section"))) return 1;
+	if(!(sktmp = CONF_get_section(conf, p))) {
+		BIO_printf(err, "problem loading oid section %s\n", p);
+		return 0;
+	}
+	for(i = 0; i < sk_CONF_VALUE_num(sktmp); i++) {
+		cnf = sk_CONF_VALUE_value(sktmp, i);
+		if(OBJ_create(cnf->value, cnf->name, cnf->name) == NID_undef) {
+			BIO_printf(err, "problem creating object %s=%s\n",
+							 cnf->name, cnf->value);
+			return 0;
+		}
+	}
+	return 1;
+}
+
+X509 *load_cert(BIO *err, char *file, int format)
+	{
+	ASN1_HEADER *ah=NULL;
+	BUF_MEM *buf=NULL;
+	X509 *x=NULL;
+	BIO *cert;
+
+	if ((cert=BIO_new(BIO_s_file())) == NULL)
+		{
+		ERR_print_errors(err);
+		goto end;
+		}
+
+	if (file == NULL)
+		BIO_set_fp(cert,stdin,BIO_NOCLOSE);
+	else
+		{
+		if (BIO_read_filename(cert,file) <= 0)
+			{
+			perror(file);
+			goto end;
+			}
+		}
+
+	if 	(format == FORMAT_ASN1)
+		x=d2i_X509_bio(cert,NULL);
+	else if (format == FORMAT_NETSCAPE)
+		{
+		unsigned char *p,*op;
+		int size=0,i;
+
+		/* We sort of have to do it this way because it is sort of nice
+		 * to read the header first and check it, then
+		 * try to read the certificate */
+		buf=BUF_MEM_new();
+		for (;;)
+			{
+			if ((buf == NULL) || (!BUF_MEM_grow(buf,size+1024*10)))
+				goto end;
+			i=BIO_read(cert,&(buf->data[size]),1024*10);
+			size+=i;
+			if (i == 0) break;
+			if (i < 0)
+				{
+				perror("reading certificate");
+				goto end;
+				}
+			}
+		p=(unsigned char *)buf->data;
+		op=p;
+
+		/* First load the header */
+		if ((ah=d2i_ASN1_HEADER(NULL,&p,(long)size)) == NULL)
+			goto end;
+		if ((ah->header == NULL) || (ah->header->data == NULL) ||
+			(strncmp(NETSCAPE_CERT_HDR,(char *)ah->header->data,
+			ah->header->length) != 0))
+			{
+			BIO_printf(err,"Error reading header on certificate\n");
+			goto end;
+			}
+		/* header is ok, so now read the object */
+		p=op;
+		ah->meth=X509_asn1_meth();
+		if ((ah=d2i_ASN1_HEADER(&ah,&p,(long)size)) == NULL)
+			goto end;
+		x=(X509 *)ah->data;
+		ah->data=NULL;
+		}
+	else if (format == FORMAT_PEM)
+		x=PEM_read_bio_X509_AUX(cert,NULL,NULL,NULL);
+	else if (format == FORMAT_PKCS12)
+		{
+		PKCS12 *p12 = d2i_PKCS12_bio(cert, NULL);
+
+		PKCS12_parse(p12, NULL, NULL, &x, NULL);
+		PKCS12_free(p12);
+		p12 = NULL;
+		}
+	else	{
+		BIO_printf(err,"bad input format specified for input cert\n");
+		goto end;
+		}
+end:
+	if (x == NULL)
+		{
+		BIO_printf(err,"unable to load certificate\n");
+		ERR_print_errors(err);
+		}
+	if (ah != NULL) ASN1_HEADER_free(ah);
+	if (cert != NULL) BIO_free(cert);
+	if (buf != NULL) BUF_MEM_free(buf);
+	return(x);
+	}
+
+EVP_PKEY *load_key(BIO *err, char *file, int format, char *pass)
+	{
+	BIO *key=NULL;
+	EVP_PKEY *pkey=NULL;
+
+	if (file == NULL)
+		{
+		BIO_printf(err,"no keyfile specified\n");
+		goto end;
+		}
+	key=BIO_new(BIO_s_file());
+	if (key == NULL)
+		{
+		ERR_print_errors(err);
+		goto end;
+		}
+	if (BIO_read_filename(key,file) <= 0)
+		{
+		perror(file);
+		goto end;
+		}
+	if (format == FORMAT_ASN1)
+		{
+		pkey=d2i_PrivateKey_bio(key, NULL);
+		}
+	else if (format == FORMAT_PEM)
+		{
+		pkey=PEM_read_bio_PrivateKey(key,NULL,NULL,pass);
+		}
+	else if (format == FORMAT_PKCS12)
+		{
+		PKCS12 *p12 = d2i_PKCS12_bio(key, NULL);
+
+		PKCS12_parse(p12, pass, &pkey, NULL, NULL);
+		PKCS12_free(p12);
+		p12 = NULL;
+		}
+	else
+		{
+		BIO_printf(err,"bad input format specified for key\n");
+		goto end;
+		}
+ end:
+	if (key != NULL) BIO_free(key);
+	if (pkey == NULL)
+		BIO_printf(err,"unable to load Private Key\n");
+	return(pkey);
+	}
+
+EVP_PKEY *load_pubkey(BIO *err, char *file, int format)
+	{
+	BIO *key=NULL;
+	EVP_PKEY *pkey=NULL;
+
+	if (file == NULL)
+		{
+		BIO_printf(err,"no keyfile specified\n");
+		goto end;
+		}
+	key=BIO_new(BIO_s_file());
+	if (key == NULL)
+		{
+		ERR_print_errors(err);
+		goto end;
+		}
+	if (BIO_read_filename(key,file) <= 0)
+		{
+		perror(file);
+		goto end;
+		}
+	if (format == FORMAT_ASN1)
+		{
+		pkey=d2i_PUBKEY_bio(key, NULL);
+		}
+	else if (format == FORMAT_PEM)
+		{
+		pkey=PEM_read_bio_PUBKEY(key,NULL,NULL,NULL);
+		}
+	else
+		{
+		BIO_printf(err,"bad input format specified for key\n");
+		goto end;
+		}
+ end:
+	if (key != NULL) BIO_free(key);
+	if (pkey == NULL)
+		BIO_printf(err,"unable to load Public Key\n");
+	return(pkey);
+	}
+
+STACK_OF(X509) *load_certs(BIO *err, char *file, int format)
+	{
+	BIO *certs;
+	int i;
+	STACK_OF(X509) *othercerts = NULL;
+	STACK_OF(X509_INFO) *allcerts = NULL;
+	X509_INFO *xi;
+
+	if((certs = BIO_new(BIO_s_file())) == NULL)
+		{
+		ERR_print_errors(err);
+		goto end;
+		}
+
+	if (file == NULL)
+		BIO_set_fp(certs,stdin,BIO_NOCLOSE);
+	else
+		{
+		if (BIO_read_filename(certs,file) <= 0)
+			{
+			perror(file);
+			goto end;
+			}
+		}
+
+	if      (format == FORMAT_PEM)
+		{
+		othercerts = sk_X509_new_null();
+		if(!othercerts)
+			{
+			sk_X509_free(othercerts);
+			othercerts = NULL;
+			goto end;
+			}
+		allcerts = PEM_X509_INFO_read_bio(certs, NULL, NULL, NULL);
+		for(i = 0; i < sk_X509_INFO_num(allcerts); i++)
+			{
+			xi = sk_X509_INFO_value (allcerts, i);
+			if (xi->x509)
+				{
+				sk_X509_push(othercerts, xi->x509);
+				xi->x509 = NULL;
+				}
+			}
+		goto end;
+		}
+	else	{
+		BIO_printf(err,"bad input format specified for input cert\n");
+		goto end;
+		}
+end:
+	if (othercerts == NULL)
+		{
+		BIO_printf(err,"unable to load certificates\n");
+		ERR_print_errors(err);
+		}
+	if (allcerts) sk_X509_INFO_pop_free(allcerts, X509_INFO_free);
+	if (certs != NULL) BIO_free(certs);
+	return(othercerts);
+	}
+
+typedef struct {
+	char *name;
+	unsigned long flag;
+	unsigned long mask;
+} NAME_EX_TBL;
+
+int set_name_ex(unsigned long *flags, const char *arg)
+{
+	char c;
+	const NAME_EX_TBL *ptbl, ex_tbl[] = {
+		{ "esc_2253", ASN1_STRFLGS_ESC_2253, 0},
+		{ "esc_ctrl", ASN1_STRFLGS_ESC_CTRL, 0},
+		{ "esc_msb", ASN1_STRFLGS_ESC_MSB, 0},
+		{ "use_quote", ASN1_STRFLGS_ESC_QUOTE, 0},
+		{ "utf8", ASN1_STRFLGS_UTF8_CONVERT, 0},
+		{ "ignore_type", ASN1_STRFLGS_IGNORE_TYPE, 0},
+		{ "show_type", ASN1_STRFLGS_SHOW_TYPE, 0},
+		{ "dump_all", ASN1_STRFLGS_DUMP_ALL, 0},
+		{ "dump_nostr", ASN1_STRFLGS_DUMP_UNKNOWN, 0},
+		{ "dump_der", ASN1_STRFLGS_DUMP_DER, 0},
+		{ "compat", XN_FLAG_COMPAT, 0xffffffffL},
+		{ "sep_comma_plus", XN_FLAG_SEP_COMMA_PLUS, XN_FLAG_SEP_MASK},
+		{ "sep_comma_plus_space", XN_FLAG_SEP_CPLUS_SPC, XN_FLAG_SEP_MASK},
+		{ "sep_semi_plus_space", XN_FLAG_SEP_SPLUS_SPC, XN_FLAG_SEP_MASK},
+		{ "sep_multiline", XN_FLAG_SEP_MULTILINE, XN_FLAG_SEP_MASK},
+		{ "dn_rev", XN_FLAG_DN_REV, 0},
+		{ "nofname", XN_FLAG_FN_NONE, XN_FLAG_FN_MASK},
+		{ "sname", XN_FLAG_FN_SN, XN_FLAG_FN_MASK},
+		{ "lname", XN_FLAG_FN_LN, XN_FLAG_FN_MASK},
+		{ "oid", XN_FLAG_FN_OID, XN_FLAG_FN_MASK},
+		{ "space_eq", XN_FLAG_SPC_EQ, 0},
+		{ "dump_unknown", XN_FLAG_DUMP_UNKNOWN_FIELDS, 0},
+		{ "RFC2253", XN_FLAG_RFC2253, 0xffffffffL},
+		{ "oneline", XN_FLAG_ONELINE, 0xffffffffL},
+		{ "multiline", XN_FLAG_MULTILINE, 0xffffffffL},
+		{ NULL, 0, 0}
+	};
+
+	c = arg[0];
+
+	if(c == '-') {
+		c = 0;
+		arg++;
+	} else if (c == '+') {
+		c = 1;
+		arg++;
+	} else c = 1;
+
+	for(ptbl = ex_tbl; ptbl->name; ptbl++) {
+		if(!strcmp(arg, ptbl->name)) {
+			*flags &= ~ptbl->mask;
+			if(c) *flags |= ptbl->flag;
+			else *flags &= ~ptbl->flag;
+			return 1;
+		}
+	}
+	return 0;
+}
+
+void print_name(BIO *out, char *title, X509_NAME *nm, unsigned long lflags)
+{
+	char buf[256];
+	char mline = 0;
+	int indent = 0;
+	if(title) BIO_puts(out, title);
+	if((lflags & XN_FLAG_SEP_MASK) == XN_FLAG_SEP_MULTILINE) {
+		mline = 1;
+		indent = 4;
+	}
+	if(lflags == XN_FLAG_COMPAT) {
+		X509_NAME_oneline(nm,buf,256);
+		BIO_puts(out,buf);
+		BIO_puts(out, "\n");
+	} else {
+		if(mline) BIO_puts(out, "\n");
+		X509_NAME_print_ex(out, nm, indent, lflags);
+		BIO_puts(out, "\n");
+	}
+}
+

apps/apps.h

@@ -65,6 +65,8 @@
 #include <openssl/bio.h>
 #include <openssl/crypto.h>
 #include <openssl/x509.h>
+#include <openssl/lhash.h>
+#include <openssl/conf.h>
 
 int app_RAND_load_file(const char *file, BIO *bio_e, int dont_warn);
 int app_RAND_write_file(const char *file, BIO *bio_e);
@@ -98,7 +100,6 @@ extern BIO *bio_err;
 #else
 
 #define MAIN(a,v)	PROG(a,v)
-#include <openssl/conf.h>
 extern LHASH *config;
 extern char *default_config_file;
 extern BIO *bio_err;
@@ -144,13 +145,27 @@ void program_name(char *in,char *out,int size);
 int chopup_args(ARGS *arg,char *buf, int *argc, char **argv[]);
 #ifdef HEADER_X509_H
 int dump_cert_text(BIO *out, X509 *x);
+void print_name(BIO *out, char *title, X509_NAME *nm, unsigned long lflags);
 #endif
+int set_name_ex(unsigned long *flags, const char *arg);
 int app_passwd(BIO *err, char *arg1, char *arg2, char **pass1, char **pass2);
+int add_oid_section(BIO *err, LHASH *conf);
+X509 *load_cert(BIO *err, char *file, int format);
+EVP_PKEY *load_key(BIO *err, char *file, int format, char *pass);
+EVP_PKEY *load_pubkey(BIO *err, char *file, int format);
+STACK_OF(X509) *load_certs(BIO *err, char *file, int format);
+
 #define FORMAT_UNDEF    0
 #define FORMAT_ASN1     1
 #define FORMAT_TEXT     2
 #define FORMAT_PEM      3
 #define FORMAT_NETSCAPE 4
+#define FORMAT_PKCS12   5
+#define FORMAT_SMIME    6
+/* Since this is currently inofficial, let's give it a high number */
+#define FORMAT_ENGINE   127
+
+#define NETSCAPE_CERT_HDR	"certificate"
 
 #define APP_PASS_LEN	1024
 

apps/asn1pars.c

@@ -88,7 +88,7 @@ int MAIN(int argc, char **argv)
 	unsigned int length=0;
 	long num,tmplen;
 	BIO *in=NULL,*out=NULL,*b64=NULL, *derout = NULL;
-	int informat,indent=0, noout = 0;
+	int informat,indent=0, noout = 0, dump = 0;
 	char *infile=NULL,*str=NULL,*prog,*oidfile=NULL, *derfile=NULL;
 	unsigned char *tmpbuf;
 	BUF_MEM *buf=NULL;
@@ -108,7 +108,7 @@ int MAIN(int argc, char **argv)
 	argv++;
 	if ((osk=sk_new_null()) == NULL)
 		{
-		BIO_printf(bio_err,"Malloc failure\n");
+		BIO_printf(bio_err,"Memory allocation failure\n");
 		goto end;
 		}
 	while (argc >= 1)
@@ -149,6 +149,16 @@ int MAIN(int argc, char **argv)
 			length= atoi(*(++argv));
 			if (length == 0) goto bad;
 			}
+		else if (strcmp(*argv,"-dump") == 0)
+			{
+			dump= -1;
+			}
+		else if (strcmp(*argv,"-dlimit") == 0)
+			{
+			if (--argc < 1) goto bad;
+			dump= atoi(*(++argv));
+			if (dump <= 0) goto bad;
+			}
 		else if (strcmp(*argv,"-strparse") == 0)
 			{
 			if (--argc < 1) goto bad;
@@ -176,6 +186,8 @@ bad:
 		BIO_printf(bio_err," -offset arg   offset into file\n");
 		BIO_printf(bio_err," -length arg   length of section in file\n");
 		BIO_printf(bio_err," -i            indent entries\n");
+		BIO_printf(bio_err," -dump         dump unknown data in hex form\n");
+		BIO_printf(bio_err," -dlimit arg   dump the first arg bytes of unknown data in hex form\n");
 		BIO_printf(bio_err," -oid file     file of extra oid definitions\n");
 		BIO_printf(bio_err," -strparse offset\n");
 		BIO_printf(bio_err,"               a series of these can be used to 'dig' into multiple\n");
@@ -194,6 +206,12 @@ bad:
 		goto end;
 		}
 	BIO_set_fp(out,stdout,BIO_NOCLOSE|BIO_FP_TEXT);
+#ifdef VMS
+	{
+	BIO *tmpbio = BIO_new(BIO_f_linebuffer());
+	out = BIO_push(tmpbio, out);
+	}
+#endif
 
 	if (oidfile != NULL)
 		{
@@ -293,7 +311,8 @@ bad:
 		}
 	}
 	if (!noout &&
-	    !ASN1_parse(out,(unsigned char *)&(str[offset]),length,indent))
+	    !ASN1_parse_dump(out,(unsigned char *)&(str[offset]),length,
+		    indent,dump))
 		{
 		ERR_print_errors(bio_err);
 		goto end;
@@ -302,7 +321,7 @@ bad:
 end:
 	BIO_free(derout);
 	if (in != NULL) BIO_free(in);
-	if (out != NULL) BIO_free(out);
+	if (out != NULL) BIO_free_all(out);
 	if (b64 != NULL) BIO_free(b64);
 	if (ret != 0)
 		ERR_print_errors(bio_err);

apps/ca-cert.srl

@@ -1 +1 @@
-05
+07

apps/ca.c

@@ -74,6 +74,7 @@
 #include <openssl/x509v3.h>
 #include <openssl/objects.h>
 #include <openssl/pem.h>
+#include <openssl/engine.h>
 
 #ifndef W_OK
 #  ifdef VMS
@@ -167,6 +168,7 @@ static char *ca_usage[]={
 " -revoke file    - Revoke a certificate (given in file)\n",
 " -extensions ..  - Extension section (override value in config file)\n",
 " -crlexts ..     - CRL extension section (override value in config file)\n",
+" -engine e       - use engine e, possibly a hardware device.\n",
 NULL
 };
 
@@ -176,7 +178,6 @@ extern int EF_PROTECT_BELOW;
 extern int EF_ALIGNMENT;
 #endif
 
-static int add_oid_section(LHASH *conf);
 static void lookup_fail(char *name,char *tag);
 static unsigned long index_serial_hash(char **a);
 static int index_serial_cmp(char **a, char **b);
@@ -217,7 +218,8 @@ int MAIN(int, char **);
 
 int MAIN(int argc, char **argv)
 	{
-	char *key=NULL;
+	ENGINE *e = NULL;
+	char *key=NULL,*passargin=NULL;
 	int total=0;
 	int total_done=0;
 	int badops=0;
@@ -263,12 +265,13 @@ int MAIN(int argc, char **argv)
 	long l;
 	const EVP_MD *dgst=NULL;
 	STACK_OF(CONF_VALUE) *attribs=NULL;
-	STACK *cert_sk=NULL;
+	STACK_OF(X509) *cert_sk=NULL;
 	BIO *hex=NULL;
 #undef BSIZE
 #define BSIZE 256
 	MS_STATIC char buf[3][BSIZE];
 	char *randfile=NULL;
+	char *engine = NULL;
 
 #ifdef EFENCE
 EF_PROTECT_FREE=1;
@@ -334,6 +337,11 @@ EF_ALIGNMENT=0;
 			if (--argc < 1) goto bad;
 			keyfile= *(++argv);
 			}
+		else if (strcmp(*argv,"-passin") == 0)
+			{
+			if (--argc < 1) goto bad;
+			passargin= *(++argv);
+			}
 		else if (strcmp(*argv,"-key") == 0)
 			{
 			if (--argc < 1) goto bad;
@@ -415,6 +423,11 @@ EF_ALIGNMENT=0;
 			if (--argc < 1) goto bad;
 			crl_ext= *(++argv);
 			}
+		else if (strcmp(*argv,"-engine") == 0)
+			{
+			if (--argc < 1) goto bad;
+			engine= *(++argv);
+			}
 		else
 			{
 bad:
@@ -435,6 +448,24 @@ bad:
 
 	ERR_load_crypto_strings();
 
+	if (engine != NULL)
+		{
+		if((e = ENGINE_by_id(engine)) == NULL)
+			{
+			BIO_printf(bio_err,"invalid engine \"%s\"\n",
+				engine);
+			goto err;
+			}
+		if(!ENGINE_set_default(e, ENGINE_METHOD_ALL))
+			{
+			BIO_printf(bio_err,"can't use that engine\n");
+			goto err;
+			}
+		BIO_printf(bio_err,"engine \"%s\" set.\n", engine);
+		/* Free our "structural" reference. */
+		ENGINE_free(e);
+		}
+
 	/*****************************************************************/
 	if (configfile == NULL) configfile = getenv("OPENSSL_CONF");
 	if (configfile == NULL) configfile = getenv("SSLEAY_CONF");
@@ -498,7 +529,7 @@ bad:
 				BIO_free(oid_bio);
 				}
 			}
-		if(!add_oid_section(conf)) 
+		if(!add_oid_section(bio_err,conf)) 
 			{
 			ERR_print_errors(bio_err);
 			goto err;
@@ -527,6 +558,11 @@ bad:
 		lookup_fail(section,ENV_PRIVATE_KEY);
 		goto err;
 		}
+	if(!key && !app_passwd(bio_err, passargin, NULL, &key, NULL))
+		{
+		BIO_printf(bio_err,"Error getting password\n");
+		goto err;
+		}
 	if (BIO_read_filename(in,keyfile) <= 0)
 		{
 		perror(keyfile);
@@ -681,6 +717,12 @@ bad:
 	if (verbose)
 		{
 		BIO_set_fp(out,stdout,BIO_NOCLOSE|BIO_FP_TEXT); /* cannot fail */
+#ifdef VMS
+		{
+		BIO *tmpbio = BIO_new(BIO_f_linebuffer());
+		out = BIO_push(tmpbio, out);
+		}
+#endif
 		TXT_DB_write(out,db);
 		BIO_printf(bio_err,"%d entries loaded from the database\n",
 			db->data->num);
@@ -715,7 +757,15 @@ bad:
 				}
 			}
 		else
+			{
 			BIO_set_fp(Sout,stdout,BIO_NOCLOSE|BIO_FP_TEXT);
+#ifdef VMS
+			{
+			BIO *tmpbio = BIO_new(BIO_f_linebuffer());
+			Sout = BIO_push(tmpbio, Sout);
+			}
+#endif
+			}
 		}
 
 	if (req)
@@ -808,7 +858,7 @@ bad:
 			{
 			if ((f=BN_bn2hex(serial)) == NULL) goto err;
 			BIO_printf(bio_err,"next serial number is %s\n",f);
-			Free(f);
+			OPENSSL_free(f);
 			}
 
 		if ((attribs=CONF_get_section(conf,policy)) == NULL)
@@ -817,9 +867,9 @@ bad:
 			goto err;
 			}
 
-		if ((cert_sk=sk_new_null()) == NULL)
+		if ((cert_sk=sk_X509_new_null()) == NULL)
 			{
-			BIO_printf(bio_err,"Malloc failure\n");
+			BIO_printf(bio_err,"Memory allocation failure\n");
 			goto err;
 			}
 		if (spkac_file != NULL)
@@ -834,9 +884,9 @@ bad:
 				total_done++;
 				BIO_printf(bio_err,"\n");
 				if (!BN_add_word(serial,1)) goto err;
-				if (!sk_push(cert_sk,(char *)x))
+				if (!sk_X509_push(cert_sk,x))
 					{
-					BIO_printf(bio_err,"Malloc failure\n");
+					BIO_printf(bio_err,"Memory allocation failure\n");
 					goto err;
 					}
 				if (outfile)
@@ -858,9 +908,9 @@ bad:
 				total_done++;
 				BIO_printf(bio_err,"\n");
 				if (!BN_add_word(serial,1)) goto err;
-				if (!sk_push(cert_sk,(char *)x))
+				if (!sk_X509_push(cert_sk,x))
 					{
-					BIO_printf(bio_err,"Malloc failure\n");
+					BIO_printf(bio_err,"Memory allocation failure\n");
 					goto err;
 					}
 				}
@@ -877,9 +927,9 @@ bad:
 				total_done++;
 				BIO_printf(bio_err,"\n");
 				if (!BN_add_word(serial,1)) goto err;
-				if (!sk_push(cert_sk,(char *)x))
+				if (!sk_X509_push(cert_sk,x))
 					{
-					BIO_printf(bio_err,"Malloc failure\n");
+					BIO_printf(bio_err,"Memory allocation failure\n");
 					goto err;
 					}
 				}
@@ -896,9 +946,9 @@ bad:
 				total_done++;
 				BIO_printf(bio_err,"\n");
 				if (!BN_add_word(serial,1)) goto err;
-				if (!sk_push(cert_sk,(char *)x))
+				if (!sk_X509_push(cert_sk,x))
 					{
-					BIO_printf(bio_err,"Malloc failure\n");
+					BIO_printf(bio_err,"Memory allocation failure\n");
 					goto err;
 					}
 				}
@@ -907,7 +957,7 @@ bad:
 		 * and a data base and serial number that need
 		 * updating */
 
-		if (sk_num(cert_sk) > 0)
+		if (sk_X509_num(cert_sk) > 0)
 			{
 			if (!batch)
 				{
@@ -923,7 +973,7 @@ bad:
 					}
 				}
 
-			BIO_printf(bio_err,"Write out database with %d new entries\n",sk_num(cert_sk));
+			BIO_printf(bio_err,"Write out database with %d new entries\n",sk_X509_num(cert_sk));
 
 			strncpy(buf[0],serialfile,BSIZE-4);
 
@@ -955,12 +1005,12 @@ bad:
 	
 		if (verbose)
 			BIO_printf(bio_err,"writing new certificates\n");
-		for (i=0; i<sk_num(cert_sk); i++)
+		for (i=0; i<sk_X509_num(cert_sk); i++)
 			{
 			int k;
 			unsigned char *n;
 
-			x=(X509 *)sk_value(cert_sk,i);
+			x=sk_X509_value(cert_sk,i);
 
 			j=x->cert_info->serialNumber->length;
 			p=(char *)x->cert_info->serialNumber->data;
@@ -999,7 +1049,7 @@ bad:
 			write_new_certificate(Sout,x, output_der, notext);
 			}
 
-		if (sk_num(cert_sk))
+		if (sk_X509_num(cert_sk))
 			{
 			/* Rename the database and the serial file */
 			strncpy(buf[2],serialfile,BSIZE-4);
@@ -1011,7 +1061,7 @@ bad:
 #endif
 
 			BIO_free(in);
-			BIO_free(out);
+			BIO_free_all(out);
 			in=NULL;
 			out=NULL;
 			if (rename(serialfile,buf[2]) < 0)
@@ -1228,12 +1278,12 @@ bad:
 	ret=0;
 err:
 	BIO_free(hex);
-	BIO_free(Cout);
-	BIO_free(Sout);
-	BIO_free(out);
+	BIO_free_all(Cout);
+	BIO_free_all(Sout);
+	BIO_free_all(out);
 	BIO_free(in);
 
-	sk_pop_free(cert_sk,X509_free);
+	sk_X509_pop_free(cert_sk,X509_free);
 
 	if (ret) ERR_print_errors(bio_err);
 	app_RAND_write_file(randfile, bio_err);
@@ -1345,7 +1395,7 @@ static int save_serial(char *serialfile, BIGNUM *serial)
 	BIO_puts(out,"\n");
 	ret=1;
 err:
-	if (out != NULL) BIO_free(out);
+	if (out != NULL) BIO_free_all(out);
 	if (ai != NULL) ASN1_INTEGER_free(ai);
 	return(ret);
 	}
@@ -1580,7 +1630,7 @@ static int do_body(X509 **xret, EVP_PKEY *pkey, X509 *x509, const EVP_MD *dgst,
 	/* Ok, now we check the 'policy' stuff. */
 	if ((subject=X509_NAME_new()) == NULL)
 		{
-		BIO_printf(bio_err,"Malloc failure\n");
+		BIO_printf(bio_err,"Memory allocation failure\n");
 		goto err;
 		}
 
@@ -1678,7 +1728,7 @@ again2:
 					{
 					if (push != NULL)
 						X509_NAME_ENTRY_free(push);
-					BIO_printf(bio_err,"Malloc failure\n");
+					BIO_printf(bio_err,"Memory allocation failure\n");
 					goto err;
 					}
 				}
@@ -1700,7 +1750,7 @@ again2:
 	row[DB_serial]=BN_bn2hex(serial);
 	if ((row[DB_name] == NULL) || (row[DB_serial] == NULL))
 		{
-		BIO_printf(bio_err,"Malloc failure\n");
+		BIO_printf(bio_err,"Memory allocation failure\n");
 		goto err;
 		}
 
@@ -1841,32 +1891,32 @@ again2:
 		goto err;
 
 	/* We now just add it to the database */
-	row[DB_type]=(char *)Malloc(2);
+	row[DB_type]=(char *)OPENSSL_malloc(2);
 
 	tm=X509_get_notAfter(ret);
-	row[DB_exp_date]=(char *)Malloc(tm->length+1);
+	row[DB_exp_date]=(char *)OPENSSL_malloc(tm->length+1);
 	memcpy(row[DB_exp_date],tm->data,tm->length);
 	row[DB_exp_date][tm->length]='\0';
 
 	row[DB_rev_date]=NULL;
 
 	/* row[DB_serial] done already */
-	row[DB_file]=(char *)Malloc(8);
+	row[DB_file]=(char *)OPENSSL_malloc(8);
 	/* row[DB_name] done already */
 
 	if ((row[DB_type] == NULL) || (row[DB_exp_date] == NULL) ||
 		(row[DB_file] == NULL))
 		{
-		BIO_printf(bio_err,"Malloc failure\n");
+		BIO_printf(bio_err,"Memory allocation failure\n");
 		goto err;
 		}
 	strcpy(row[DB_file],"unknown");
 	row[DB_type][0]='V';
 	row[DB_type][1]='\0';
 
-	if ((irow=(char **)Malloc(sizeof(char *)*(DB_NUMBER+1))) == NULL)
+	if ((irow=(char **)OPENSSL_malloc(sizeof(char *)*(DB_NUMBER+1))) == NULL)
 		{
-		BIO_printf(bio_err,"Malloc failure\n");
+		BIO_printf(bio_err,"Memory allocation failure\n");
 		goto err;
 		}
 
@@ -1886,7 +1936,7 @@ again2:
 	ok=1;
 err:
 	for (i=0; i<DB_NUMBER; i++)
-		if (row[i] != NULL) Free(row[i]);
+		if (row[i] != NULL) OPENSSL_free(row[i]);
 
 	if (CAname != NULL)
 		X509_NAME_free(CAname);
@@ -2100,28 +2150,6 @@ static int check_time_format(char *str)
 	return(ASN1_UTCTIME_check(&tm));
 	}
 
-static int add_oid_section(LHASH *hconf)
-{	
-	char *p;
-	STACK_OF(CONF_VALUE) *sktmp;
-	CONF_VALUE *cnf;
-	int i;
-	if(!(p=CONF_get_string(hconf,NULL,"oid_section"))) return 1;
-	if(!(sktmp = CONF_get_section(hconf, p))) {
-		BIO_printf(bio_err, "problem loading oid section %s\n", p);
-		return 0;
-	}
-	for(i = 0; i < sk_CONF_VALUE_num(sktmp); i++) {
-		cnf = sk_CONF_VALUE_value(sktmp, i);
-		if(OBJ_create(cnf->value, cnf->name, cnf->name) == NID_undef) {
-			BIO_printf(bio_err, "problem creating object %s=%s\n",
-							 cnf->name, cnf->value);
-			return 0;
-		}
-	}
-	return 1;
-}
-
 static int do_revoke(X509 *x509, TXT_DB *db)
 {
 	ASN1_UTCTIME *tm=NULL, *revtm=NULL;
@@ -2137,7 +2165,7 @@ static int do_revoke(X509 *x509, TXT_DB *db)
 	BN_free(bn);
 	if ((row[DB_name] == NULL) || (row[DB_serial] == NULL))
 		{
-		BIO_printf(bio_err,"Malloc failure\n");
+		BIO_printf(bio_err,"Memory allocation failure\n");
 		goto err;
 		}
 	/* We have to lookup by serial number because name lookup
@@ -2149,33 +2177,33 @@ static int do_revoke(X509 *x509, TXT_DB *db)
 		BIO_printf(bio_err,"Adding Entry to DB for %s\n", row[DB_name]);
 
 		/* We now just add it to the database */
-		row[DB_type]=(char *)Malloc(2);
+		row[DB_type]=(char *)OPENSSL_malloc(2);
 
 		tm=X509_get_notAfter(x509);
-		row[DB_exp_date]=(char *)Malloc(tm->length+1);
+		row[DB_exp_date]=(char *)OPENSSL_malloc(tm->length+1);
 		memcpy(row[DB_exp_date],tm->data,tm->length);
 		row[DB_exp_date][tm->length]='\0';
 
 		row[DB_rev_date]=NULL;
 
 		/* row[DB_serial] done already */
-		row[DB_file]=(char *)Malloc(8);
+		row[DB_file]=(char *)OPENSSL_malloc(8);
 
 		/* row[DB_name] done already */
 
 		if ((row[DB_type] == NULL) || (row[DB_exp_date] == NULL) ||
 			(row[DB_file] == NULL))
 			{
-			BIO_printf(bio_err,"Malloc failure\n");
+			BIO_printf(bio_err,"Memory allocation failure\n");
 			goto err;
 			}
 		strcpy(row[DB_file],"unknown");
 		row[DB_type][0]='V';
 		row[DB_type][1]='\0';
 
-		if ((irow=(char **)Malloc(sizeof(char *)*(DB_NUMBER+1))) == NULL)
+		if ((irow=(char **)OPENSSL_malloc(sizeof(char *)*(DB_NUMBER+1))) == NULL)
 			{
-			BIO_printf(bio_err,"Malloc failure\n");
+			BIO_printf(bio_err,"Memory allocation failure\n");
 			goto err;
 			}
 
@@ -2218,7 +2246,7 @@ static int do_revoke(X509 *x509, TXT_DB *db)
 		revtm=X509_gmtime_adj(revtm,0);
 		rrow[DB_type][0]='R';
 		rrow[DB_type][1]='\0';
-		rrow[DB_rev_date]=(char *)Malloc(revtm->length+1);
+		rrow[DB_rev_date]=(char *)OPENSSL_malloc(revtm->length+1);
 		memcpy(rrow[DB_rev_date],revtm->data,revtm->length);
 		rrow[DB_rev_date][revtm->length]='\0';
 		ASN1_UTCTIME_free(revtm);
@@ -2228,7 +2256,7 @@ err:
 	for (i=0; i<DB_NUMBER; i++)
 		{
 		if (row[i] != NULL) 
-			Free(row[i]);
+			OPENSSL_free(row[i]);
 		}
 	return(ok);
 }

apps/ciphers.c

@@ -74,6 +74,7 @@ static char *ciphers_usage[]={
 " -v          - verbose mode, a textual listing of the ciphers in SSLeay\n",
 " -ssl2       - SSL2 mode\n",
 " -ssl3       - SSL3 mode\n",
+" -tls1       - TLS1 mode\n",
 NULL
 };
 
@@ -107,6 +108,12 @@ int MAIN(int argc, char **argv)
 	if (bio_err == NULL)
 		bio_err=BIO_new_fp(stderr,BIO_NOCLOSE);
 	STDout=BIO_new_fp(stdout,BIO_NOCLOSE);
+#ifdef VMS
+	{
+	BIO *tmpbio = BIO_new(BIO_f_linebuffer());
+	STDout = BIO_push(tmpbio, STDout);
+	}
+#endif
 
 	argc--;
 	argv++;
@@ -121,6 +128,10 @@ int MAIN(int argc, char **argv)
 #ifndef NO_SSL3
 		else if (strcmp(*argv,"-ssl3") == 0)
 			meth=SSLv3_client_method();
+#endif
+#ifndef NO_TLS1
+		else if (strcmp(*argv,"-tls1") == 0)
+			meth=TLSv1_client_method();
 #endif
 		else if ((strncmp(*argv,"-h",2) == 0) ||
 			 (strcmp(*argv,"-?") == 0))
@@ -190,7 +201,7 @@ err:
 end:
 	if (ctx != NULL) SSL_CTX_free(ctx);
 	if (ssl != NULL) SSL_free(ssl);
-	if (STDout != NULL) BIO_free(STDout);
+	if (STDout != NULL) BIO_free_all(STDout);
 	EXIT(ret);
 	}
 

apps/crl.c

@@ -104,6 +104,7 @@ int MAIN(int argc, char **argv)
 	int informat,outformat;
 	char *infile=NULL,*outfile=NULL;
 	int hash=0,issuer=0,lastupdate=0,nextupdate=0,noout=0,text=0;
+	int fingerprint = 0;
 	char **pp,buf[256];
 	X509_STORE *store = NULL;
 	X509_STORE_CTX ctx;
@@ -111,6 +112,7 @@ int MAIN(int argc, char **argv)
 	X509_OBJECT xobj;
 	EVP_PKEY *pkey;
 	int do_ver = 0;
+	const EVP_MD *md_alg,*digest=EVP_md5();
 
 	apps_startup();
 
@@ -120,7 +122,15 @@ int MAIN(int argc, char **argv)
 
 	if (bio_out == NULL)
 		if ((bio_out=BIO_new(BIO_s_file())) != NULL)
+			{
 			BIO_set_fp(bio_out,stdout,BIO_NOCLOSE);
+#ifdef VMS
+			{
+			BIO *tmpbio = BIO_new(BIO_f_linebuffer());
+			bio_out = BIO_push(tmpbio, bio_out);
+			}
+#endif
+			}
 
 	informat=FORMAT_PEM;
 	outformat=FORMAT_PEM;
@@ -183,6 +193,13 @@ int MAIN(int argc, char **argv)
 			nextupdate= ++num;
 		else if (strcmp(*argv,"-noout") == 0)
 			noout= ++num;
+		else if (strcmp(*argv,"-fingerprint") == 0)
+			fingerprint= ++num;
+		else if ((md_alg=EVP_get_digestbyname(*argv + 1)))
+			{
+			/* ok */
+			digest=md_alg;
+			}
 		else
 			{
 			BIO_printf(bio_err,"unknown option %s\n",*argv);
@@ -274,6 +291,26 @@ bad:
 					BIO_printf(bio_out,"NONE");
 				BIO_printf(bio_out,"\n");
 				}
+			if (fingerprint == i)
+				{
+				int j;
+				unsigned int n;
+				unsigned char md[EVP_MAX_MD_SIZE];
+
+				if (!X509_CRL_digest(x,digest,md,&n))
+					{
+					BIO_printf(bio_err,"out of memory\n");
+					goto end;
+					}
+				BIO_printf(bio_out,"%s Fingerprint=",
+						OBJ_nid2sn(EVP_MD_type(digest)));
+				for (j=0; j<(int)n; j++)
+					{
+					BIO_printf(bio_out,"%02X%c",md[j],
+						(j+1 == (int)n)
+						?'\n':':');
+					}
+				}
 			}
 		}
 
@@ -285,7 +322,15 @@ bad:
 		}
 
 	if (outfile == NULL)
+		{
 		BIO_set_fp(out,stdout,BIO_NOCLOSE);
+#ifdef VMS
+		{
+		BIO *tmpbio = BIO_new(BIO_f_linebuffer());
+		out = BIO_push(tmpbio, out);
+		}
+#endif
+		}
 	else
 		{
 		if (BIO_write_filename(out,outfile) <= 0)
@@ -311,8 +356,8 @@ bad:
 	if (!i) { BIO_printf(bio_err,"unable to write CRL\n"); goto end; }
 	ret=0;
 end:
-	BIO_free(out);
-	BIO_free(bio_out);
+	BIO_free_all(out);
+	BIO_free_all(bio_out);
 	bio_out=NULL;
 	X509_CRL_free(x);
 	if(store) {

apps/crl2p7.c

@@ -141,7 +141,7 @@ int MAIN(int argc, char **argv)
 		else if (strcmp(*argv,"-certfile") == 0)
 			{
 			if (--argc < 1) goto bad;
-			if(!certflst) certflst = sk_new(NULL);
+			if(!certflst) certflst = sk_new_null();
 			sk_push(certflst,*(++argv));
 			}
 		else
@@ -215,15 +215,15 @@ bad:
 	p7s->contents->type=OBJ_nid2obj(NID_pkcs7_data);
 
 	if (!ASN1_INTEGER_set(p7s->version,1)) goto end;
-	if ((crl_stack=sk_X509_CRL_new(NULL)) == NULL) goto end;
+	if ((crl_stack=sk_X509_CRL_new_null()) == NULL) goto end;
 	p7s->crl=crl_stack;
 	if (crl != NULL)
 		{
 		sk_X509_CRL_push(crl_stack,crl);
-		crl=NULL; /* now part of p7 for Freeing */
+		crl=NULL; /* now part of p7 for OPENSSL_freeing */
 		}
 
-	if ((cert_stack=sk_X509_new(NULL)) == NULL) goto end;
+	if ((cert_stack=sk_X509_new_null()) == NULL) goto end;
 	p7s->cert=cert_stack;
 
 	if(certflst) for(i = 0; i < sk_num(certflst); i++) {
@@ -239,7 +239,15 @@ bad:
 	sk_free(certflst);
 
 	if (outfile == NULL)
+		{
 		BIO_set_fp(out,stdout,BIO_NOCLOSE);
+#ifdef VMS
+		{
+		BIO *tmpbio = BIO_new(BIO_f_linebuffer());
+		out = BIO_push(tmpbio, out);
+		}
+#endif
+		}
 	else
 		{
 		if (BIO_write_filename(out,outfile) <= 0)
@@ -266,7 +274,7 @@ bad:
 	ret=0;
 end:
 	if (in != NULL) BIO_free(in);
-	if (out != NULL) BIO_free(out);
+	if (out != NULL) BIO_free_all(out);
 	if (p7 != NULL) PKCS7_free(p7);
 	if (crl != NULL) X509_CRL_free(crl);
 
@@ -327,7 +335,7 @@ static int add_certs_from_file(STACK_OF(X509) *stack, char *certfile)
 
 	ret=count;
 end:
- 	/* never need to Free x */
+ 	/* never need to OPENSSL_free x */
 	if (in != NULL) BIO_free(in);
 	if (sk != NULL) sk_X509_INFO_free(sk);
 	return(ret);

apps/dgst.c

@@ -66,6 +66,7 @@
 #include <openssl/objects.h>
 #include <openssl/x509.h>
 #include <openssl/pem.h>
+#include <openssl/engine.h>
 
 #undef BUFSIZE
 #define BUFSIZE	1024*8
@@ -73,26 +74,36 @@
 #undef PROG
 #define PROG	dgst_main
 
-void do_fp(unsigned char *buf,BIO *f,int sep);
+void do_fp(BIO *out, unsigned char *buf, BIO *bp, int sep, char binout,
+		EVP_PKEY *key, unsigned char *sigin, int siglen);
 
 int MAIN(int, char **);
 
 int MAIN(int argc, char **argv)
 	{
+	ENGINE *e = NULL;
 	unsigned char *buf=NULL;
 	int i,err=0;
 	const EVP_MD *md=NULL,*m;
 	BIO *in=NULL,*inp;
 	BIO *bmd=NULL;
+	BIO *out = NULL;
 	const char *name;
 #define PROG_NAME_SIZE  16
 	char pname[PROG_NAME_SIZE];
 	int separator=0;
 	int debug=0;
+	const char *outfile = NULL, *keyfile = NULL;
+	const char *sigfile = NULL, *randfile = NULL;
+	char out_bin = -1, want_pub = 0, do_verify = 0;
+	EVP_PKEY *sigkey = NULL;
+	unsigned char *sigbuf = NULL;
+	int siglen = 0;
+	char *engine=NULL;
 
 	apps_startup();
 
-	if ((buf=(unsigned char *)Malloc(BUFSIZE)) == NULL)
+	if ((buf=(unsigned char *)OPENSSL_malloc(BUFSIZE)) == NULL)
 		{
 		BIO_printf(bio_err,"out of memory\n");
 		goto end;
@@ -113,6 +124,48 @@ int MAIN(int argc, char **argv)
 		if ((*argv)[0] != '-') break;
 		if (strcmp(*argv,"-c") == 0)
 			separator=1;
+		else if (strcmp(*argv,"-rand") == 0)
+			{
+			if (--argc < 1) break;
+			randfile=*(++argv);
+			}
+		else if (strcmp(*argv,"-out") == 0)
+			{
+			if (--argc < 1) break;
+			outfile=*(++argv);
+			}
+		else if (strcmp(*argv,"-sign") == 0)
+			{
+			if (--argc < 1) break;
+			keyfile=*(++argv);
+			}
+		else if (strcmp(*argv,"-verify") == 0)
+			{
+			if (--argc < 1) break;
+			keyfile=*(++argv);
+			want_pub = 1;
+			do_verify = 1;
+			}
+		else if (strcmp(*argv,"-prverify") == 0)
+			{
+			if (--argc < 1) break;
+			keyfile=*(++argv);
+			do_verify = 1;
+			}
+		else if (strcmp(*argv,"-signature") == 0)
+			{
+			if (--argc < 1) break;
+			sigfile=*(++argv);
+			}
+		else if (strcmp(*argv,"-engine") == 0)
+			{
+			if (--argc < 1) break;
+			engine= *(++argv);
+			}
+		else if (strcmp(*argv,"-hex") == 0)
+			out_bin = 0;
+		else if (strcmp(*argv,"-binary") == 0)
+			out_bin = 1;
 		else if (strcmp(*argv,"-d") == 0)
 			debug=1;
 		else if ((m=EVP_get_digestbyname(&((*argv)[1]))) != NULL)
@@ -126,14 +179,31 @@ int MAIN(int argc, char **argv)
 	if (md == NULL)
 		md=EVP_md5();
 
+	if(do_verify && !sigfile) {
+		BIO_printf(bio_err, "No signature to verify: use the -signature option\n");
+		err = 1; 
+		goto end;
+	}
+
 	if ((argc > 0) && (argv[0][0] == '-')) /* bad option */
 		{
 		BIO_printf(bio_err,"unknown option '%s'\n",*argv);
 		BIO_printf(bio_err,"options are\n");
 		BIO_printf(bio_err,"-c              to output the digest with separating colons\n");
 		BIO_printf(bio_err,"-d              to output debug info\n");
+		BIO_printf(bio_err,"-hex            output as hex dump\n");
+		BIO_printf(bio_err,"-binary         output in binary form\n");
+		BIO_printf(bio_err,"-sign   file    sign digest using private key in file\n");
+		BIO_printf(bio_err,"-verify file    verify a signature using public key in file\n");
+		BIO_printf(bio_err,"-prverify file  verify a signature using private key in file\n");
+		BIO_printf(bio_err,"-signature file signature to verify\n");
+		BIO_printf(bio_err,"-binary         output in binary form\n");
+		BIO_printf(bio_err,"-engine e       use engine e, possibly a hardware device.\n");
+
 		BIO_printf(bio_err,"-%3s to use the %s message digest algorithm (default)\n",
 			LN_md5,LN_md5);
+		BIO_printf(bio_err,"-%3s to use the %s message digest algorithm\n",
+			LN_md4,LN_md4);
 		BIO_printf(bio_err,"-%3s to use the %s message digest algorithm\n",
 			LN_md2,LN_md2);
 		BIO_printf(bio_err,"-%3s to use the %s message digest algorithm\n",
@@ -148,6 +218,24 @@ int MAIN(int argc, char **argv)
 		goto end;
 		}
 
+	if (engine != NULL)
+		{
+		if((e = ENGINE_by_id(engine)) == NULL)
+			{
+			BIO_printf(bio_err,"invalid engine \"%s\"\n",
+				engine);
+			goto end;
+			}
+		if(!ENGINE_set_default(e, ENGINE_METHOD_ALL))
+			{
+			BIO_printf(bio_err,"can't use that engine\n");
+			goto end;
+			}
+		BIO_printf(bio_err,"engine \"%s\" set.\n", engine);
+		/* Free our "structural" reference. */
+		ENGINE_free(e);
+		}
+
 	in=BIO_new(BIO_s_file());
 	bmd=BIO_new(BIO_f_md());
 	if (debug)
@@ -163,6 +251,80 @@ int MAIN(int argc, char **argv)
 		goto end;
 		}
 
+	if(out_bin == -1) {
+		if(keyfile) out_bin = 1;
+		else out_bin = 0;
+	}
+
+	if(randfile)
+		app_RAND_load_file(randfile, bio_err, 0);
+
+	if(outfile) {
+		if(out_bin)
+			out = BIO_new_file(outfile, "wb");
+		else    out = BIO_new_file(outfile, "w");
+	} else {
+		out = BIO_new_fp(stdout, BIO_NOCLOSE);
+#ifdef VMS
+		{
+		BIO *tmpbio = BIO_new(BIO_f_linebuffer());
+		out = BIO_push(tmpbio, out);
+		}
+#endif
+	}
+
+	if(!out) {
+		BIO_printf(bio_err, "Error opening output file %s\n", 
+					outfile ? outfile : "(stdout)");
+		ERR_print_errors(bio_err);
+		goto end;
+	}
+
+	if(keyfile) {
+		BIO *keybio;
+		keybio = BIO_new_file(keyfile, "r");
+		if(!keybio) {
+			BIO_printf(bio_err, "Error opening key file %s\n",
+								keyfile);
+			ERR_print_errors(bio_err);
+			goto end;
+		}
+		
+		if(want_pub) 
+			sigkey = PEM_read_bio_PUBKEY(keybio, NULL, NULL, NULL);
+		else sigkey = PEM_read_bio_PrivateKey(keybio, NULL, NULL, NULL);
+		BIO_free(keybio);
+		if(!sigkey) {
+			BIO_printf(bio_err, "Error reading key file %s\n",
+								keyfile);
+			ERR_print_errors(bio_err);
+			goto end;
+		}
+	}
+
+	if(sigfile && sigkey) {
+		BIO *sigbio;
+		sigbio = BIO_new_file(sigfile, "rb");
+		siglen = EVP_PKEY_size(sigkey);
+		sigbuf = OPENSSL_malloc(siglen);
+		if(!sigbio) {
+			BIO_printf(bio_err, "Error opening signature file %s\n",
+								sigfile);
+			ERR_print_errors(bio_err);
+			goto end;
+		}
+		siglen = BIO_read(sigbio, sigbuf, siglen);
+		BIO_free(sigbio);
+		if(siglen <= 0) {
+			BIO_printf(bio_err, "Error reading signature file %s\n",
+								sigfile);
+			ERR_print_errors(bio_err);
+			goto end;
+		}
+	}
+		
+
+
 	/* we use md as a filter, reading from 'in' */
 	BIO_set_md(bmd,md);
 	inp=BIO_push(bmd,in);
@@ -170,7 +332,7 @@ int MAIN(int argc, char **argv)
 	if (argc == 0)
 		{
 		BIO_set_fp(in,stdin,BIO_NOCLOSE);
-		do_fp(buf,inp,separator);
+		do_fp(out, buf,inp,separator, out_bin, sigkey, sigbuf, siglen);
 		}
 	else
 		{
@@ -183,8 +345,9 @@ int MAIN(int argc, char **argv)
 				err++;
 				continue;
 				}
-			printf("%s(%s)= ",name,argv[i]);
-			do_fp(buf,inp,separator);
+			if(!out_bin) BIO_printf(out, "%s(%s)= ",name,argv[i]);
+			do_fp(out, buf,inp,separator, out_bin, sigkey, 
+								sigbuf, siglen);
 			(void)BIO_reset(bmd);
 			}
 		}
@@ -192,14 +355,18 @@ end:
 	if (buf != NULL)
 		{
 		memset(buf,0,BUFSIZE);
-		Free(buf);
+		OPENSSL_free(buf);
 		}
 	if (in != NULL) BIO_free(in);
+	BIO_free_all(out);
+	EVP_PKEY_free(sigkey);
+	if(sigbuf) OPENSSL_free(sigbuf);
 	if (bmd != NULL) BIO_free(bmd);
 	EXIT(err);
 	}
 
-void do_fp(unsigned char *buf, BIO *bp, int sep)
+void do_fp(BIO *out, unsigned char *buf, BIO *bp, int sep, char binout,
+			EVP_PKEY *key, unsigned char *sigin, int siglen)
 	{
 	int len;
 	int i;
@@ -209,14 +376,44 @@ void do_fp(unsigned char *buf, BIO *bp, int sep)
 		i=BIO_read(bp,(char *)buf,BUFSIZE);
 		if (i <= 0) break;
 		}
+	if(sigin)
+		{
+		EVP_MD_CTX *ctx;
+		BIO_get_md_ctx(bp, &ctx);
+		i = EVP_VerifyFinal(ctx, sigin, (unsigned int)siglen, key); 
+		if(i > 0) BIO_printf(out, "Verified OK\n");
+		else if(i == 0) BIO_printf(out, "Verification Failure\n");
+		else
+			{
+			BIO_printf(bio_err, "Error Verifying Data\n");
+			ERR_print_errors(bio_err);
+			}
+		return;
+		}
+	if(key)
+		{
+		EVP_MD_CTX *ctx;
+		BIO_get_md_ctx(bp, &ctx);
+		if(!EVP_SignFinal(ctx, buf, (unsigned int *)&len, key)) 
+			{
+			BIO_printf(bio_err, "Error Signing Data\n");
+			ERR_print_errors(bio_err);
+			return;
+			}
+		}
+	else
 		len=BIO_gets(bp,(char *)buf,BUFSIZE);
 
+	if(binout) BIO_write(out, buf, len);
+	else 
+		{
 		for (i=0; i<len; i++)
 			{
 			if (sep && (i != 0))
-			putc(':',stdout);
-		printf("%02x",buf[i]);
+				BIO_printf(out, ":");
+			BIO_printf(out, "%02x",buf[i]);
+			}
+		BIO_printf(out, "\n");
 		}
-	printf("\n");
 	}
 

apps/dh.c

@@ -69,6 +69,7 @@
 #include <openssl/dh.h>
 #include <openssl/x509.h>
 #include <openssl/pem.h>
+#include <openssl/engine.h>
 
 #undef PROG
 #define PROG	dh_main
@@ -87,11 +88,12 @@ int MAIN(int, char **);
 
 int MAIN(int argc, char **argv)
 	{
+	ENGINE *e = NULL;
 	DH *dh=NULL;
 	int i,badops=0,text=0;
 	BIO *in=NULL,*out=NULL;
 	int informat,outformat,check=0,noout=0,C=0,ret=1;
-	char *infile,*outfile,*prog;
+	char *infile,*outfile,*prog,*engine;
 
 	apps_startup();
 
@@ -99,6 +101,7 @@ int MAIN(int argc, char **argv)
 		if ((bio_err=BIO_new(BIO_s_file())) != NULL)
 			BIO_set_fp(bio_err,stderr,BIO_NOCLOSE|BIO_FP_TEXT);
 
+	engine=NULL;
 	infile=NULL;
 	outfile=NULL;
 	informat=FORMAT_PEM;
@@ -129,6 +132,11 @@ int MAIN(int argc, char **argv)
 			if (--argc < 1) goto bad;
 			outfile= *(++argv);
 			}
+		else if (strcmp(*argv,"-engine") == 0)
+			{
+			if (--argc < 1) goto bad;
+			engine= *(++argv);
+			}
 		else if (strcmp(*argv,"-check") == 0)
 			check=1;
 		else if (strcmp(*argv,"-text") == 0)
@@ -160,11 +168,30 @@ bad:
 		BIO_printf(bio_err," -text         print a text form of the DH parameters\n");
 		BIO_printf(bio_err," -C            Output C code\n");
 		BIO_printf(bio_err," -noout        no output\n");
+		BIO_printf(bio_err," -engine e     use engine e, possibly a hardware device.\n");
 		goto end;
 		}
 
 	ERR_load_crypto_strings();
 
+	if (engine != NULL)
+		{
+		if((e = ENGINE_by_id(engine)) == NULL)
+			{
+			BIO_printf(bio_err,"invalid engine \"%s\"\n",
+				engine);
+			goto end;
+			}
+		if(!ENGINE_set_default(e, ENGINE_METHOD_ALL))
+			{
+			BIO_printf(bio_err,"can't use that engine\n");
+			goto end;
+			}
+		BIO_printf(bio_err,"engine \"%s\" set.\n", engine);
+		/* Free our "structural" reference. */
+		ENGINE_free(e);
+		}
+
 	in=BIO_new(BIO_s_file());
 	out=BIO_new(BIO_s_file());
 	if ((in == NULL) || (out == NULL))
@@ -184,7 +211,15 @@ bad:
 			}
 		}
 	if (outfile == NULL)
+		{
 		BIO_set_fp(out,stdout,BIO_NOCLOSE);
+#ifdef VMS
+		{
+		BIO *tmpbio = BIO_new(BIO_f_linebuffer());
+		out = BIO_push(tmpbio, out);
+		}
+#endif
+		}
 	else
 		{
 		if (BIO_write_filename(out,outfile) <= 0)
@@ -251,10 +286,10 @@ bad:
 
 		len=BN_num_bytes(dh->p);
 		bits=BN_num_bits(dh->p);
-		data=(unsigned char *)Malloc(len);
+		data=(unsigned char *)OPENSSL_malloc(len);
 		if (data == NULL)
 			{
-			perror("Malloc");
+			perror("OPENSSL_malloc");
 			goto end;
 			}
 		l=BN_bn2bin(dh->p,data);
@@ -285,7 +320,7 @@ bad:
 		printf("\tif ((dh->p == NULL) || (dh->g == NULL))\n");
 		printf("\t\treturn(NULL);\n");
 		printf("\treturn(dh);\n\t}\n");
-		Free(data);
+		OPENSSL_free(data);
 		}
 
 
@@ -309,7 +344,7 @@ bad:
 	ret=0;
 end:
 	if (in != NULL) BIO_free(in);
-	if (out != NULL) BIO_free(out);
+	if (out != NULL) BIO_free_all(out);
 	if (dh != NULL) DH_free(dh);
 	EXIT(ret);
 	}

apps/dh1024.pem

@@ -1,5 +1,10 @@
 -----BEGIN DH PARAMETERS-----
-MIGHAoGBAJf2QmHKtQXdKCjhPx1ottPb0PMTBH9A6FbaWMsTuKG/K3g6TG1Z1fkq
-/Gz/PWk/eLI9TzFgqVAuPvr3q14a1aZeVUMTgo2oO5/y2UHe6VaJ+trqCTat3xlx
-/mNbIK9HA2RgPC3gWfVLZQrY+gz3ASHHR5nXWHEyvpuZm7m3h+irAgEC
+MIGHAoGBAPSI/VhOSdvNILSd5JEHNmszbDgNRR0PfIizHHxbLY7288kjwEPwpVsY
+jY67VYy4XTjTNP18F1dDox0YbN4zISy1Kv884bEpQBgRjXyEpwpy1obEAxnIByl6
+ypUM2Zafq9AKUJsCRtMIPWakXUGfnHy9iUsiGSa6q6Jew1XpL3jHAgEC
 -----END DH PARAMETERS-----
+
+These are the 1024 bit DH parameters from "Assigned Number for SKIP Protocols"
+(http://www.skip-vpn.org/spec/numbers.html).
+See there for how they were generated.
+Note that g is not a generator, but this is not a problem since p is a safe prime.

apps/dh2048.pem

@@ -0,0 +1,12 @@
+-----BEGIN DH PARAMETERS-----
+MIIBCAKCAQEA9kJXtwh/CBdyorrWqULzBej5UxE5T7bxbrlLOCDaAadWoxTpj0BV
+89AHxstDqZSt90xkhkn4DIO9ZekX1KHTUPj1WV/cdlJPPT2N286Z4VeSWc39uK50
+T8X8dryDxUcwYc58yWb/Ffm7/ZFexwGq01uejaClcjrUGvC/RgBYK+X0iP1YTknb
+zSC0neSRBzZrM2w4DUUdD3yIsxx8Wy2O9vPJI8BD8KVbGI2Ou1WMuF040zT9fBdX
+Q6MdGGzeMyEstSr/POGxKUAYEY18hKcKctaGxAMZyAcpesqVDNmWn6vQClCbAkbT
+CD1mpF1Bn5x8vYlLIhkmuquiXsNV6TILOwIBAg==
+-----END DH PARAMETERS-----
+
+These are the 2048 bit DH parameters from "Assigned Number for SKIP Protocols"
+(http://www.skip-vpn.org/spec/numbers.html).
+See there for how they were generated.

apps/dh4096.pem

@@ -0,0 +1,18 @@
+-----BEGIN DH PARAMETERS-----
+MIICCAKCAgEA+hRyUsFN4VpJ1O8JLcCo/VWr19k3BCgJ4uk+d+KhehjdRqNDNyOQ
+l/MOyQNQfWXPeGKmOmIig6Ev/nm6Nf9Z2B1h3R4hExf+zTiHnvVPeRBhjdQi81rt
+Xeoh6TNrSBIKIHfUJWBh3va0TxxjQIs6IZOLeVNRLMqzeylWqMf49HsIXqbcokUS
+Vt1BkvLdW48j8PPv5DsKRN3tloTxqDJGo9tKvj1Fuk74A+Xda1kNhB7KFlqMyN98
+VETEJ6c7KpfOo30mnK30wqw3S8OtaIR/maYX72tGOno2ehFDkq3pnPtEbD2CScxc
+alJC+EL7RPk5c/tgeTvCngvc1KZn92Y//EI7G9tPZtylj2b56sHtMftIoYJ9+ODM
+sccD5Piz/rejE3Ome8EOOceUSCYAhXn8b3qvxVI1ddd1pED6FHRhFvLrZxFvBEM9
+ERRMp5QqOaHJkM+Dxv8Cj6MqrCbfC4u+ZErxodzuusgDgvZiLF22uxMZbobFWyte
+OvOzKGtwcTqO/1wV5gKkzu1ZVswVUQd5Gg8lJicwqRWyyNRczDDoG9jVDxmogKTH
+AaqLulO7R8Ifa1SwF2DteSGVtgWEN8gDpN3RBmmPTDngyF2DHb5qmpnznwtFKdTL
+KWbuHn491xNO25CQWMtem80uKw+pTnisBRF/454n1Jnhub144YRBoN8CAQI=
+-----END DH PARAMETERS-----
+
+These are the 4096 bit DH parameters from "Assigned Number for SKIP Protocols"
+(http://www.skip-vpn.org/spec/numbers.html).
+See there for how they were generated.
+Note that g is not a generator, but this is not a problem since p is a safe prime.

apps/dh512.pem

@@ -0,0 +1,9 @@
+-----BEGIN DH PARAMETERS-----
+MEYCQQD1Kv884bEpQBgRjXyEpwpy1obEAxnIByl6ypUM2Zafq9AKUJsCRtMIPWak
+XUGfnHy9iUsiGSa6q6Jew1XpKgVfAgEC
+-----END DH PARAMETERS-----
+
+These are the 512 bit DH parameters from "Assigned Number for SKIP Protocols"
+(http://www.skip-vpn.org/spec/numbers.html).
+See there for how they were generated.
+Note that g is not a generator, but this is not a problem since p is a safe prime.

apps/dhparam.c

@@ -121,6 +121,7 @@
 #include <openssl/dh.h>
 #include <openssl/x509.h>
 #include <openssl/pem.h>
+#include <openssl/engine.h>
 
 #ifndef NO_DSA
 #include <openssl/dsa.h>
@@ -148,6 +149,7 @@ int MAIN(int, char **);
 
 int MAIN(int argc, char **argv)
 	{
+	ENGINE *e = NULL;
 	DH *dh=NULL;
 	int i,badops=0,text=0;
 #ifndef NO_DSA
@@ -156,7 +158,7 @@ int MAIN(int argc, char **argv)
 	BIO *in=NULL,*out=NULL;
 	int informat,outformat,check=0,noout=0,C=0,ret=1;
 	char *infile,*outfile,*prog;
-	char *inrand=NULL;
+	char *inrand=NULL,*engine=NULL;
 	int num = 0, g = 0;
 
 	apps_startup();
@@ -195,6 +197,11 @@ int MAIN(int argc, char **argv)
 			if (--argc < 1) goto bad;
 			outfile= *(++argv);
 			}
+		else if (strcmp(*argv,"-engine") == 0)
+			{
+			if (--argc < 1) goto bad;
+			engine= *(++argv);
+			}
 		else if (strcmp(*argv,"-check") == 0)
 			check=1;
 		else if (strcmp(*argv,"-text") == 0)
@@ -240,6 +247,7 @@ bad:
 		BIO_printf(bio_err," -2            generate parameters using  2 as the generator value\n");
 		BIO_printf(bio_err," -5            generate parameters using  5 as the generator value\n");
 		BIO_printf(bio_err," numbits       number of bits in to generate (default 512)\n");
+		BIO_printf(bio_err," -engine e     use engine e, possibly a hardware device.\n");
 		BIO_printf(bio_err," -rand file%cfile%c...\n", LIST_SEPARATOR_CHAR, LIST_SEPARATOR_CHAR);
 		BIO_printf(bio_err,"               - load the file (or the files in the directory) into\n");
 		BIO_printf(bio_err,"               the random number generator\n");
@@ -249,6 +257,24 @@ bad:
 
 	ERR_load_crypto_strings();
 
+	if (engine != NULL)
+		{
+		if((e = ENGINE_by_id(engine)) == NULL)
+			{
+			BIO_printf(bio_err,"invalid engine \"%s\"\n",
+				engine);
+			goto end;
+			}
+		if(!ENGINE_set_default(e, ENGINE_METHOD_ALL))
+			{
+			BIO_printf(bio_err,"can't use that engine\n");
+			goto end;
+			}
+		BIO_printf(bio_err,"engine \"%s\" set.\n", engine);
+		/* Free our "structural" reference. */
+		ENGINE_free(e);
+		}
+
 	if (g && !num)
 		num = DEFBITS;
 
@@ -391,7 +417,15 @@ bad:
 		goto end;
 		}
 	if (outfile == NULL)
+		{
 		BIO_set_fp(out,stdout,BIO_NOCLOSE);
+#ifdef VMS
+		{
+		BIO *tmpbio = BIO_new(BIO_f_linebuffer());
+		out = BIO_push(tmpbio, out);
+		}
+#endif
+		}
 	else
 		{
 		if (BIO_write_filename(out,outfile) <= 0)
@@ -432,10 +466,10 @@ bad:
 
 		len=BN_num_bytes(dh->p);
 		bits=BN_num_bits(dh->p);
-		data=(unsigned char *)Malloc(len);
+		data=(unsigned char *)OPENSSL_malloc(len);
 		if (data == NULL)
 			{
-			perror("Malloc");
+			perror("OPENSSL_malloc");
 			goto end;
 			}
 		printf("#ifndef HEADER_DH_H\n"
@@ -472,7 +506,7 @@ bad:
 		if (dh->length)
 			printf("\tdh->length = %d;\n", dh->length);
 		printf("\treturn(dh);\n\t}\n");
-		Free(data);
+		OPENSSL_free(data);
 		}
 
 
@@ -496,7 +530,7 @@ bad:
 	ret=0;
 end:
 	if (in != NULL) BIO_free(in);
-	if (out != NULL) BIO_free(out);
+	if (out != NULL) BIO_free_all(out);
 	if (dh != NULL) DH_free(dh);
 	EXIT(ret);
 	}

apps/dsa.c

@@ -68,6 +68,7 @@
 #include <openssl/evp.h>
 #include <openssl/x509.h>
 #include <openssl/pem.h>
+#include <openssl/engine.h>
 
 #undef PROG
 #define PROG	dsa_main
@@ -87,6 +88,7 @@ int MAIN(int, char **);
 
 int MAIN(int argc, char **argv)
 	{
+	ENGINE *e = NULL;
 	int ret=1;
 	DSA *dsa=NULL;
 	int i,badops=0;
@@ -94,7 +96,7 @@ int MAIN(int argc, char **argv)
 	BIO *in=NULL,*out=NULL;
 	int informat,outformat,text=0,noout=0;
 	int pubin = 0, pubout = 0;
-	char *infile,*outfile,*prog;
+	char *infile,*outfile,*prog,*engine;
 	char *passargin = NULL, *passargout = NULL;
 	char *passin = NULL, *passout = NULL;
 	int modulus=0;
@@ -105,6 +107,7 @@ int MAIN(int argc, char **argv)
 		if ((bio_err=BIO_new(BIO_s_file())) != NULL)
 			BIO_set_fp(bio_err,stderr,BIO_NOCLOSE|BIO_FP_TEXT);
 
+	engine=NULL;
 	infile=NULL;
 	outfile=NULL;
 	informat=FORMAT_PEM;
@@ -145,6 +148,11 @@ int MAIN(int argc, char **argv)
 			if (--argc < 1) goto bad;
 			passargout= *(++argv);
 			}
+		else if (strcmp(*argv,"-engine") == 0)
+			{
+			if (--argc < 1) goto bad;
+			engine= *(++argv);
+			}
 		else if (strcmp(*argv,"-noout") == 0)
 			noout=1;
 		else if (strcmp(*argv,"-text") == 0)
@@ -176,6 +184,7 @@ bad:
 		BIO_printf(bio_err," -passin arg     input file pass phrase source\n");
 		BIO_printf(bio_err," -out arg        output file\n");
 		BIO_printf(bio_err," -passout arg    output file pass phrase source\n");
+		BIO_printf(bio_err," -engine e       use engine e, possibly a hardware device.\n");
 		BIO_printf(bio_err," -des            encrypt PEM output with cbc des\n");
 		BIO_printf(bio_err," -des3           encrypt PEM output with ede cbc des using 168 bit key\n");
 #ifndef NO_IDEA
@@ -189,6 +198,24 @@ bad:
 
 	ERR_load_crypto_strings();
 
+	if (engine != NULL)
+		{
+		if((e = ENGINE_by_id(engine)) == NULL)
+			{
+			BIO_printf(bio_err,"invalid engine \"%s\"\n",
+				engine);
+			goto end;
+			}
+		if(!ENGINE_set_default(e, ENGINE_METHOD_ALL))
+			{
+			BIO_printf(bio_err,"can't use that engine\n");
+			goto end;
+			}
+		BIO_printf(bio_err,"engine \"%s\" set.\n", engine);
+		/* Free our "structural" reference. */
+		ENGINE_free(e);
+		}
+
 	if(!app_passwd(bio_err, passargin, passargout, &passin, &passout)) {
 		BIO_printf(bio_err, "Error getting passwords\n");
 		goto end;
@@ -233,7 +260,15 @@ bad:
 		}
 
 	if (outfile == NULL)
+		{
 		BIO_set_fp(out,stdout,BIO_NOCLOSE);
+#ifdef VMS
+		{
+		BIO *tmpbio = BIO_new(BIO_f_linebuffer());
+		out = BIO_push(tmpbio, out);
+		}
+#endif
+		}
 	else
 		{
 		if (BIO_write_filename(out,outfile) <= 0)
@@ -281,10 +316,10 @@ bad:
 		ret=0;
 end:
 	if(in != NULL) BIO_free(in);
-	if(out != NULL) BIO_free(out);
+	if(out != NULL) BIO_free_all(out);
 	if(dsa != NULL) DSA_free(dsa);
-	if(passin) Free(passin);
-	if(passout) Free(passout);
+	if(passin) OPENSSL_free(passin);
+	if(passout) OPENSSL_free(passout);
 	EXIT(ret);
 	}
 #endif

apps/dsaparam.c

@@ -69,6 +69,7 @@
 #include <openssl/dsa.h>
 #include <openssl/x509.h>
 #include <openssl/pem.h>
+#include <openssl/engine.h>
 
 #undef PROG
 #define PROG	dsaparam_main
@@ -90,11 +91,12 @@ int MAIN(int, char **);
 
 int MAIN(int argc, char **argv)
 	{
+	ENGINE *e = NULL;
 	DSA *dsa=NULL;
 	int i,badops=0,text=0;
 	BIO *in=NULL,*out=NULL;
 	int informat,outformat,noout=0,C=0,ret=1;
-	char *infile,*outfile,*prog,*inrand=NULL;
+	char *infile,*outfile,*prog,*inrand=NULL,*engine=NULL;
 	int numbits= -1,num,genkey=0;
 	int need_rand=0;
 
@@ -205,7 +207,15 @@ bad:
 			}
 		}
 	if (outfile == NULL)
+		{
 		BIO_set_fp(out,stdout,BIO_NOCLOSE);
+#ifdef VMS
+		{
+		BIO *tmpbio = BIO_new(BIO_f_linebuffer());
+		out = BIO_push(tmpbio, out);
+		}
+#endif
+		}
 	else
 		{
 		if (BIO_write_filename(out,outfile) <= 0)
@@ -260,10 +270,10 @@ bad:
 		bits_p=BN_num_bits(dsa->p);
 		bits_q=BN_num_bits(dsa->q);
 		bits_g=BN_num_bits(dsa->g);
-		data=(unsigned char *)Malloc(len+20);
+		data=(unsigned char *)OPENSSL_malloc(len+20);
 		if (data == NULL)
 			{
-			perror("Malloc");
+			perror("OPENSSL_malloc");
 			goto end;
 			}
 		l=BN_bn2bin(dsa->p,data);
@@ -303,7 +313,7 @@ bad:
 		printf("\tdsa->g=BN_bin2bn(dsa%d_g,sizeof(dsa%d_g),NULL);\n",
 			bits_p,bits_p);
 		printf("\tif ((dsa->p == NULL) || (dsa->q == NULL) || (dsa->g == NULL))\n");
-		printf("\t\treturn(NULL);\n");
+		printf("\t\t{ DSA_free(dsa); return(NULL); }\n");
 		printf("\treturn(dsa);\n\t}\n");
 		}
 
@@ -347,7 +357,7 @@ bad:
 	ret=0;
 end:
 	if (in != NULL) BIO_free(in);
-	if (out != NULL) BIO_free(out);
+	if (out != NULL) BIO_free_all(out);
 	if (dsa != NULL) DSA_free(dsa);
 	EXIT(ret);
 	}

apps/enc.c

@@ -70,6 +70,7 @@
 #include <openssl/md5.h>
 #endif
 #include <openssl/pem.h>
+#include <openssl/engine.h>
 
 int set_hex(char *in,unsigned char *out,int size);
 #undef SIZE
@@ -84,6 +85,7 @@ int MAIN(int, char **);
 
 int MAIN(int argc, char **argv)
 	{
+	ENGINE *e = NULL;
 	static const char magic[]="Salted__";
 	char mbuf[8];	/* should be 1 smaller than magic */
 	char *strbuf=NULL;
@@ -101,6 +103,7 @@ int MAIN(int argc, char **argv)
 	BIO *in=NULL,*out=NULL,*b64=NULL,*benc=NULL,*rbio=NULL,*wbio=NULL;
 #define PROG_NAME_SIZE  16
 	char pname[PROG_NAME_SIZE];
+	char *engine = NULL;
 
 	apps_startup();
 
@@ -141,6 +144,11 @@ int MAIN(int argc, char **argv)
 			if (--argc < 1) goto bad;
 			passarg= *(++argv);
 			}
+		else if (strcmp(*argv,"-engine") == 0)
+			{
+			if (--argc < 1) goto bad;
+			engine= *(++argv);
+			}
 		else if	(strcmp(*argv,"-d") == 0)
 			enc=0;
 		else if	(strcmp(*argv,"-p") == 0)
@@ -241,6 +249,7 @@ bad:
 			BIO_printf(bio_err,"%-14s key/iv in hex is the next argument\n","-K/-iv");
 			BIO_printf(bio_err,"%-14s print the iv/key (then exit if -P)\n","-[pP]");
 			BIO_printf(bio_err,"%-14s buffer size\n","-bufsize <n>");
+			BIO_printf(bio_err,"%-14s use engine e, possibly a hardware device.\n","-engine e");
 
 			BIO_printf(bio_err,"Cipher Types\n");
 			BIO_printf(bio_err,"des     : 56 bit key DES encryption\n");
@@ -314,6 +323,24 @@ bad:
 		argv++;
 		}
 
+	if (engine != NULL)
+		{
+		if((e = ENGINE_by_id(engine)) == NULL)
+			{
+			BIO_printf(bio_err,"invalid engine \"%s\"\n",
+				engine);
+			goto end;
+			}
+		if(!ENGINE_set_default(e, ENGINE_METHOD_ALL))
+			{
+			BIO_printf(bio_err,"can't use that engine\n");
+			goto end;
+			}
+		BIO_printf(bio_err,"engine \"%s\" set.\n", engine);
+		/* Free our "structural" reference. */
+		ENGINE_free(e);
+		}
+
 	if (bufsize != NULL)
 		{
 		unsigned long n;
@@ -343,11 +370,11 @@ bad:
 		if (verbose) BIO_printf(bio_err,"bufsize=%d\n",bsize);
 		}
 
-	strbuf=Malloc(SIZE);
-	buff=(unsigned char *)Malloc(EVP_ENCODE_LENGTH(bsize));
+	strbuf=OPENSSL_malloc(SIZE);
+	buff=(unsigned char *)OPENSSL_malloc(EVP_ENCODE_LENGTH(bsize));
 	if ((buff == NULL) || (strbuf == NULL))
 		{
-		BIO_printf(bio_err,"Malloc failure %ld\n",(long)EVP_ENCODE_LENGTH(bsize));
+		BIO_printf(bio_err,"OPENSSL_malloc failure %ld\n",(long)EVP_ENCODE_LENGTH(bsize));
 		goto end;
 		}
 
@@ -416,7 +443,15 @@ bad:
 
 
 	if (outf == NULL)
+		{
 		BIO_set_fp(out,stdout,BIO_NOCLOSE);
+#ifdef VMS
+		{
+		BIO *tmpbio = BIO_new(BIO_f_linebuffer());
+		out = BIO_push(tmpbio, out);
+		}
+#endif
+		}
 	else
 		{
 		if (BIO_write_filename(out,outf) <= 0)
@@ -581,13 +616,13 @@ bad:
 		}
 end:
 	ERR_print_errors(bio_err);
-	if (strbuf != NULL) Free(strbuf);
-	if (buff != NULL) Free(buff);
+	if (strbuf != NULL) OPENSSL_free(strbuf);
+	if (buff != NULL) OPENSSL_free(buff);
 	if (in != NULL) BIO_free(in);
-	if (out != NULL) BIO_free(out);
+	if (out != NULL) BIO_free_all(out);
 	if (benc != NULL) BIO_free(benc);
 	if (b64 != NULL) BIO_free(b64);
-	if(pass) Free(pass);
+	if(pass) OPENSSL_free(pass);
 	EXIT(ret);
 	}
 

apps/errstr.c

@@ -91,12 +91,18 @@ int MAIN(int argc, char **argv)
 		out=BIO_new(BIO_s_file());
 		if ((out != NULL) && BIO_set_fp(out,stdout,BIO_NOCLOSE))
 			{
+#ifdef VMS
+			{
+			BIO *tmpbio = BIO_new(BIO_f_linebuffer());
+			out = BIO_push(tmpbio, out);
+			}
+#endif
 			lh_node_stats_bio((LHASH *)ERR_get_string_table(),out);
 			lh_stats_bio((LHASH *)ERR_get_string_table(),out);
 			lh_node_usage_stats_bio((LHASH *)
 				ERR_get_string_table(),out);
 			}
-		if (out != NULL) BIO_free(out);
+		if (out != NULL) BIO_free_all(out);
 		argc--;
 		argv++;
 		}
@@ -104,7 +110,10 @@ int MAIN(int argc, char **argv)
 	for (i=1; i<argc; i++)
 		{
 		if (sscanf(argv[i],"%lx",&l))
-			printf("%s\n",ERR_error_string(l,buf));
+			{
+			ERR_error_string_n(l, buf, sizeof buf);
+			printf("%s\n",buf);
+			}
 		else
 			{
 			printf("%s: bad error code\n",argv[i]);

apps/gendh.c

@@ -70,6 +70,7 @@
 #include <openssl/dh.h>
 #include <openssl/x509.h>
 #include <openssl/pem.h>
+#include <openssl/engine.h>
 
 #define DEFBITS	512
 #undef PROG
@@ -81,11 +82,13 @@ int MAIN(int, char **);
 
 int MAIN(int argc, char **argv)
 	{
+	ENGINE *e = NULL;
 	DH *dh=NULL;
 	int ret=1,num=DEFBITS;
 	int g=2;
 	char *outfile=NULL;
 	char *inrand=NULL;
+	char *engine=NULL;
 	BIO *out=NULL;
 
 	apps_startup();
@@ -110,6 +113,11 @@ int MAIN(int argc, char **argv)
 			g=3; */
 		else if (strcmp(*argv,"-5") == 0)
 			g=5;
+		else if (strcmp(*argv,"-engine") == 0)
+			{
+			if (--argc < 1) goto bad;
+			engine= *(++argv);
+			}
 		else if (strcmp(*argv,"-rand") == 0)
 			{
 			if (--argc < 1) goto bad;
@@ -125,15 +133,34 @@ int MAIN(int argc, char **argv)
 bad:
 		BIO_printf(bio_err,"usage: gendh [args] [numbits]\n");
 		BIO_printf(bio_err," -out file - output the key to 'file\n");
-		BIO_printf(bio_err," -2    use 2 as the generator value\n");
-	/*	BIO_printf(bio_err," -3    use 3 as the generator value\n"); */
-		BIO_printf(bio_err," -5    use 5 as the generator value\n");
+		BIO_printf(bio_err," -2        - use 2 as the generator value\n");
+	/*	BIO_printf(bio_err," -3        - use 3 as the generator value\n"); */
+		BIO_printf(bio_err," -5        - use 5 as the generator value\n");
+		BIO_printf(bio_err," -engine e - use engine e, possibly a hardware device.\n");
 		BIO_printf(bio_err," -rand file%cfile%c...\n", LIST_SEPARATOR_CHAR, LIST_SEPARATOR_CHAR);
 		BIO_printf(bio_err,"           - load the file (or the files in the directory) into\n");
 		BIO_printf(bio_err,"             the random number generator\n");
 		goto end;
 		}
 		
+	if (engine != NULL)
+		{
+		if((e = ENGINE_by_id(engine)) == NULL)
+			{
+			BIO_printf(bio_err,"invalid engine \"%s\"\n",
+				engine);
+			goto end;
+			}
+		if(!ENGINE_set_default(e, ENGINE_METHOD_ALL))
+			{
+			BIO_printf(bio_err,"can't use that engine\n");
+			goto end;
+			}
+		BIO_printf(bio_err,"engine \"%s\" set.\n", engine);
+		/* Free our "structural" reference. */
+		ENGINE_free(e);
+		}
+
 	out=BIO_new(BIO_s_file());
 	if (out == NULL)
 		{
@@ -142,7 +169,15 @@ bad:
 		}
 
 	if (outfile == NULL)
+		{
 		BIO_set_fp(out,stdout,BIO_NOCLOSE);
+#ifdef VMS
+		{
+		BIO *tmpbio = BIO_new(BIO_f_linebuffer());
+		out = BIO_push(tmpbio, out);
+		}
+#endif
+		}
 	else
 		{
 		if (BIO_write_filename(out,outfile) <= 0)
@@ -174,7 +209,7 @@ bad:
 end:
 	if (ret != 0)
 		ERR_print_errors(bio_err);
-	if (out != NULL) BIO_free(out);
+	if (out != NULL) BIO_free_all(out);
 	if (dh != NULL) DH_free(dh);
 	EXIT(ret);
 	}

apps/gendsa.c

@@ -68,6 +68,7 @@
 #include <openssl/dsa.h>
 #include <openssl/x509.h>
 #include <openssl/pem.h>
+#include <openssl/engine.h>
 
 #define DEFBITS	512
 #undef PROG
@@ -77,6 +78,7 @@ int MAIN(int, char **);
 
 int MAIN(int argc, char **argv)
 	{
+	ENGINE *e = NULL;
 	DSA *dsa=NULL;
 	int ret=1;
 	char *outfile=NULL;
@@ -84,6 +86,7 @@ int MAIN(int argc, char **argv)
 	char *passargout = NULL, *passout = NULL;
 	BIO *out=NULL,*in=NULL;
 	EVP_CIPHER *enc=NULL;
+	char *engine=NULL;
 
 	apps_startup();
 
@@ -106,6 +109,11 @@ int MAIN(int argc, char **argv)
 			if (--argc < 1) goto bad;
 			passargout= *(++argv);
 			}
+		else if (strcmp(*argv,"-engine") == 0)
+			{
+			if (--argc < 1) goto bad;
+			engine= *(++argv);
+			}
 		else if (strcmp(*argv,"-rand") == 0)
 			{
 			if (--argc < 1) goto bad;
@@ -145,6 +153,7 @@ bad:
 #ifndef NO_IDEA
 		BIO_printf(bio_err," -idea     - encrypt the generated key with IDEA in cbc mode\n");
 #endif
+		BIO_printf(bio_err," -engine e - use engine e, possibly a hardware device.\n");
 		BIO_printf(bio_err," -rand file%cfile%c...\n", LIST_SEPARATOR_CHAR, LIST_SEPARATOR_CHAR);
 		BIO_printf(bio_err,"           - load the file (or the files in the directory) into\n");
 		BIO_printf(bio_err,"             the random number generator\n");
@@ -153,6 +162,24 @@ bad:
 		goto end;
 		}
 
+	if (engine != NULL)
+		{
+		if((e = ENGINE_by_id(engine)) == NULL)
+			{
+			BIO_printf(bio_err,"invalid engine \"%s\"\n",
+				engine);
+			goto end;
+			}
+		if(!ENGINE_set_default(e, ENGINE_METHOD_ALL))
+			{
+			BIO_printf(bio_err,"can't use that engine\n");
+			goto end;
+			}
+		BIO_printf(bio_err,"engine \"%s\" set.\n", engine);
+		/* Free our "structural" reference. */
+		ENGINE_free(e);
+		}
+
 	if(!app_passwd(bio_err, NULL, passargout, NULL, &passout)) {
 		BIO_printf(bio_err, "Error getting password\n");
 		goto end;
@@ -178,7 +205,15 @@ bad:
 	if (out == NULL) goto end;
 
 	if (outfile == NULL)
+		{
 		BIO_set_fp(out,stdout,BIO_NOCLOSE);
+#ifdef VMS
+		{
+		BIO *tmpbio = BIO_new(BIO_f_linebuffer());
+		out = BIO_push(tmpbio, out);
+		}
+#endif
+		}
 	else
 		{
 		if (BIO_write_filename(out,outfile) <= 0)
@@ -209,9 +244,9 @@ end:
 	if (ret != 0)
 		ERR_print_errors(bio_err);
 	if (in != NULL) BIO_free(in);
-	if (out != NULL) BIO_free(out);
+	if (out != NULL) BIO_free_all(out);
 	if (dsa != NULL) DSA_free(dsa);
-	if(passout) Free(passout);
+	if(passout) OPENSSL_free(passout);
 	EXIT(ret);
 	}
 #endif

apps/genrsa.c

@@ -69,6 +69,7 @@
 #include <openssl/evp.h>
 #include <openssl/x509.h>
 #include <openssl/pem.h>
+#include <openssl/engine.h>
 
 #define DEFBITS	512
 #undef PROG
@@ -80,6 +81,7 @@ int MAIN(int, char **);
 
 int MAIN(int argc, char **argv)
 	{
+	ENGINE *e = NULL;
 	int ret=1;
 	RSA *rsa=NULL;
 	int i,num=DEFBITS;
@@ -88,6 +90,7 @@ int MAIN(int argc, char **argv)
 	unsigned long f4=RSA_F4;
 	char *outfile=NULL;
 	char *passargout = NULL, *passout = NULL;
+	char *engine=NULL;
 	char *inrand=NULL;
 	BIO *out=NULL;
 
@@ -114,8 +117,13 @@ int MAIN(int argc, char **argv)
 			}
 		else if (strcmp(*argv,"-3") == 0)
 			f4=3;
-		else if (strcmp(*argv,"-F4") == 0)
+		else if (strcmp(*argv,"-F4") == 0 || strcmp(*argv,"-f4") == 0)
 			f4=RSA_F4;
+		else if (strcmp(*argv,"-engine") == 0)
+			{
+			if (--argc < 1) goto bad;
+			engine= *(++argv);
+			}
 		else if (strcmp(*argv,"-rand") == 0)
 			{
 			if (--argc < 1) goto bad;
@@ -154,6 +162,7 @@ bad:
 		BIO_printf(bio_err," -passout arg    output file pass phrase source\n");
 		BIO_printf(bio_err," -f4             use F4 (0x10001) for the E value\n");
 		BIO_printf(bio_err," -3              use 3 for the E value\n");
+		BIO_printf(bio_err," -engine e       use engine e, possibly a hardware device.\n");
 		BIO_printf(bio_err," -rand file%cfile%c...\n", LIST_SEPARATOR_CHAR, LIST_SEPARATOR_CHAR);
 		BIO_printf(bio_err,"                 load the file (or the files in the directory) into\n");
 		BIO_printf(bio_err,"                 the random number generator\n");
@@ -167,8 +176,34 @@ bad:
 		goto err;
 	}
 
+	if (engine != NULL)
+		{
+		if((e = ENGINE_by_id(engine)) == NULL)
+			{
+			BIO_printf(bio_err,"invalid engine \"%s\"\n",
+				engine);
+			goto err;
+			}
+		if(!ENGINE_set_default(e, ENGINE_METHOD_ALL))
+			{
+			BIO_printf(bio_err,"can't use that engine\n");
+			goto err;
+			}
+		BIO_printf(bio_err,"engine \"%s\" set.\n", engine);
+		/* Free our "structural" reference. */
+		ENGINE_free(e);
+		}
+
 	if (outfile == NULL)
+		{
 		BIO_set_fp(out,stdout,BIO_NOCLOSE);
+#ifdef VMS
+		{
+		BIO *tmpbio = BIO_new(BIO_f_linebuffer());
+		out = BIO_push(tmpbio, out);
+		}
+#endif
+		}
 	else
 		{
 		if (BIO_write_filename(out,outfile) <= 0)
@@ -178,7 +213,8 @@ bad:
 			}
 		}
 
-	if (!app_RAND_load_file(NULL, bio_err, 1) && inrand == NULL)
+	if (!app_RAND_load_file(NULL, bio_err, 1) && inrand == NULL
+		&& !RAND_status())
 		{
 		BIO_printf(bio_err,"warning, not much extra random data, consider using the -rand option\n");
 		}
@@ -212,8 +248,8 @@ bad:
 	ret=0;
 err:
 	if (rsa != NULL) RSA_free(rsa);
-	if (out != NULL) BIO_free(out);
-	if(passout) Free(passout);
+	if (out != NULL) BIO_free_all(out);
+	if(passout) OPENSSL_free(passout);
 	if (ret != 0)
 		ERR_print_errors(bio_err);
 	EXIT(ret);

apps/makeapps.com

@@ -154,13 +154,13 @@ $! Define The Application Files.
 $!
 $ LIB_FILES = "VERIFY;ASN1PARS;REQ;DGST;DH;DHPARAM;ENC;PASSWD;GENDH;ERRSTR;"+-
 	      "CA;PKCS7;CRL2P7;CRL;"+-
-	      "RSA;DSA;DSAPARAM;"+-
+	      "RSA;RSAUTL;DSA;DSAPARAM;"+-
 	      "X509;GENRSA;GENDSA;S_SERVER;S_CLIENT;SPEED;"+-
 	      "S_TIME;APPS;S_CB;S_SOCKET;APP_RAND;VERSION;SESS_ID;"+-
 	      "CIPHERS;NSEQ;PKCS12;PKCS8;SPKAC;SMIME;RAND"
 $ APP_FILES := OPENSSL,'OBJ_DIR'VERIFY.OBJ,ASN1PARS.OBJ,REQ.OBJ,DGST.OBJ,DH.OBJ,DHPARAM.OBJ,ENC.OBJ,PASSWD.OBJ,GENDH.OBJ,ERRSTR.OBJ,-
 	       CA.OBJ,PKCS7.OBJ,CRL2P7.OBJ,CRL.OBJ,-
-	       RSA.OBJ,DSA.OBJ,DSAPARAM.OBJ,-
+	       RSA.OBJ,RSAUTL.OBJ,DSA.OBJ,DSAPARAM.OBJ,-
 	       X509.OBJ,GENRSA.OBJ,GENDSA.OBJ,S_SERVER.OBJ,S_CLIENT.OBJ,SPEED.OBJ,-
 	       S_TIME.OBJ,APPS.OBJ,S_CB.OBJ,S_SOCKET.OBJ,APP_RAND.OBJ,VERSION.OBJ,SESS_ID.OBJ,-
 	       CIPHERS.OBJ,NSEQ.OBJ,PKCS12.OBJ,PKCS8.OBJ,SPKAC.OBJ,SMIME.OBJ,RAND.OBJ

apps/nseq.c

@@ -119,11 +119,18 @@ int MAIN(int argc, char **argv)
 				 "Can't open output file %s\n", outfile);
 			goto end;
 		}
-	} else out = BIO_new_fp(stdout, BIO_NOCLOSE);
-
+	} else {
+		out = BIO_new_fp(stdout, BIO_NOCLOSE);
+#ifdef VMS
+		{
+		BIO *tmpbio = BIO_new(BIO_f_linebuffer());
+		out = BIO_push(tmpbio, out);
+		}
+#endif
+	}
 	if (toseq) {
 		seq = NETSCAPE_CERT_SEQUENCE_new();
-		seq->certs = sk_X509_new(NULL);
+		seq->certs = sk_X509_new_null();
 		while((x509 = PEM_read_bio_X509(in, NULL, NULL, NULL))) 
 		    sk_X509_push(seq->certs,x509);
 
@@ -152,7 +159,7 @@ int MAIN(int argc, char **argv)
 	ret = 0;
 end:
 	BIO_free(in);
-	BIO_free(out);
+	BIO_free_all(out);
 	NETSCAPE_CERT_SEQUENCE_free(seq);
 
 	EXIT(ret);

apps/openssl.c

@@ -101,6 +101,8 @@ int main(int Argc, char *Argv[])
 	arg.data=NULL;
 	arg.count=0;
 
+	if (getenv("OPENSSL_DEBUG_MEMORY") != NULL)
+		CRYPTO_malloc_debug_init();
 	CRYPTO_mem_ctrl(CRYPTO_MEM_CHECK_ON);
 
 	apps_startup();
@@ -201,7 +203,7 @@ end:
 		config=NULL;
 		}
 	if (prog != NULL) lh_free(prog);
-	if (arg.data != NULL) Free(arg.data);
+	if (arg.data != NULL) OPENSSL_free(arg.data);
 	ERR_remove_state(0);
 
 	EVP_cleanup();
@@ -236,13 +238,19 @@ static int do_cmd(LHASH *prog, int argc, char *argv[])
 	else if ((strncmp(argv[0],"no-",3)) == 0)
 		{
 		BIO *bio_stdout = BIO_new_fp(stdout,BIO_NOCLOSE);
+#ifdef VMS
+		{
+		BIO *tmpbio = BIO_new(BIO_f_linebuffer());
+		bio_stdout = BIO_push(tmpbio, bio_stdout);
+		}
+#endif
 		f.name=argv[0]+3;
 		ret = (lh_retrieve(prog,&f) != NULL);
 		if (!ret)
 			BIO_printf(bio_stdout, "%s\n", argv[0]);
 		else
 			BIO_printf(bio_stdout, "%s\n", argv[0]+3);
-		BIO_free(bio_stdout);
+		BIO_free_all(bio_stdout);
 		goto end;
 		}
 	else if ((strcmp(argv[0],"quit") == 0) ||
@@ -267,11 +275,17 @@ static int do_cmd(LHASH *prog, int argc, char *argv[])
 		else /* strcmp(argv[0],LIST_CIPHER_COMMANDS) == 0 */
 			list_type = FUNC_TYPE_CIPHER;
 		bio_stdout = BIO_new_fp(stdout,BIO_NOCLOSE);
+#ifdef VMS
+		{
+		BIO *tmpbio = BIO_new(BIO_f_linebuffer());
+		bio_stdout = BIO_push(tmpbio, bio_stdout);
+		}
+#endif
 		
 		for (fp=functions; fp->name != NULL; fp++)
 			if (fp->type == list_type)
 				BIO_printf(bio_stdout, "%s\n", fp->name);
-		BIO_free(bio_stdout);
+		BIO_free_all(bio_stdout);
 		ret=0;
 		goto end;
 		}

apps/passwd.c

@@ -1,10 +1,10 @@
 /* apps/passwd.c */
 
 #if defined NO_MD5 || defined CHARSET_EBCDIC
-# define NO_APR1
+# define NO_MD5CRYPT_1
 #endif
 
-#if !defined(NO_DES) || !defined(NO_APR1)
+#if !defined(NO_DES) || !defined(NO_MD5CRYPT_1)
 
 #include <assert.h>
 #include <string.h>
@@ -19,7 +19,7 @@
 #ifndef NO_DES
 # include <openssl/des.h>
 #endif
-#ifndef NO_APR1
+#ifndef NO_MD5CRYPT_1
 # include <openssl/md5.h>
 #endif
 
@@ -42,10 +42,11 @@ static unsigned const char cov_2char[64]={
 
 static int do_passwd(int passed_salt, char **salt_p, char **salt_malloc_p,
 	char *passwd, BIO *out, int quiet, int table, int reverse,
-	size_t pw_maxlen, int usecrypt, int useapr1);
+	size_t pw_maxlen, int usecrypt, int use1, int useapr1);
 
-/* -crypt        - standard Unix password algorithm (default, only choice)
- * -apr1         - MD5-based password algorithm
+/* -crypt        - standard Unix password algorithm (default)
+ * -1            - MD5-based password algorithm
+ * -apr1         - MD5-based password algorithm, Apache variant
  * -salt string  - salt
  * -in file      - read passwords from file
  * -stdin        - read passwords from stdin
@@ -63,11 +64,12 @@ int MAIN(int argc, char **argv)
 	int in_stdin = 0;
 	char *salt = NULL, *passwd = NULL, **passwds = NULL;
 	char *salt_malloc = NULL, *passwd_malloc = NULL;
+	size_t passwd_malloc_size = 0;
 	int pw_source_defined = 0;
 	BIO *in = NULL, *out = NULL;
 	int i, badopt, opt_done;
 	int passed_salt = 0, quiet = 0, table = 0, reverse = 0;
-	int usecrypt = 0, useapr1 = 0;
+	int usecrypt = 0, use1 = 0, useapr1 = 0;
 	size_t pw_maxlen = 0;
 
 	apps_startup();
@@ -79,6 +81,12 @@ int MAIN(int argc, char **argv)
 	if (out == NULL)
 		goto err;
 	BIO_set_fp(out, stdout, BIO_NOCLOSE | BIO_FP_TEXT);
+#ifdef VMS
+	{
+	BIO *tmpbio = BIO_new(BIO_f_linebuffer());
+	out = BIO_push(tmpbio, out);
+	}
+#endif
 
 	badopt = 0, opt_done = 0;
 	i = 0;
@@ -86,6 +94,8 @@ int MAIN(int argc, char **argv)
 		{
 		if (strcmp(argv[i], "-crypt") == 0)
 			usecrypt = 1;
+		else if (strcmp(argv[i], "-1") == 0)
+			use1 = 1;
 		else if (strcmp(argv[i], "-apr1") == 0)
 			useapr1 = 1;
 		else if (strcmp(argv[i], "-salt") == 0)
@@ -137,17 +147,17 @@ int MAIN(int argc, char **argv)
 			badopt = 1;
 		}
 
-	if (!usecrypt && !useapr1) /* use default */
+	if (!usecrypt && !use1 && !useapr1) /* use default */
 		usecrypt = 1;
-	if (usecrypt + useapr1 > 1) /* conflict */
+	if (usecrypt + use1 + useapr1 > 1) /* conflict */
 		badopt = 1;
 
 	/* reject unsupported algorithms */
 #ifdef NO_DES
 	if (usecrypt) badopt = 1;
 #endif
-#ifdef NO_APR1
-	if (useapr1) badopt = 1;
+#ifdef NO_MD5CRYPT_1
+	if (use1 || useapr1) badopt = 1;
 #endif
 
 	if (badopt) 
@@ -157,8 +167,9 @@ int MAIN(int argc, char **argv)
 #ifndef NO_DES
 		BIO_printf(bio_err, "-crypt             standard Unix password algorithm (default)\n");
 #endif
-#ifndef NO_APR1
-		BIO_printf(bio_err, "-apr1              MD5-based password algorithm\n");
+#ifndef NO_MD5CRYPT_1
+		BIO_printf(bio_err, "-1                 MD5-based password algorithm\n");
+		BIO_printf(bio_err, "-apr1              MD5-based password algorithm, Apache variant\n");
 #endif
 		BIO_printf(bio_err, "-salt string       use provided salt\n");
 		BIO_printf(bio_err, "-in file           read passwords from file\n");
@@ -190,13 +201,16 @@ int MAIN(int argc, char **argv)
 	
 	if (usecrypt)
 		pw_maxlen = 8;
-	else if (useapr1)
+	else if (use1 || useapr1)
 		pw_maxlen = 256; /* arbitrary limit, should be enough for most passwords */
 
 	if (passwds == NULL)
 		{
 		/* no passwords on the command line */
-		passwd = passwd_malloc = Malloc(pw_maxlen + 1);
+
+		passwd_malloc_size = pw_maxlen + 2;
+		/* longer than necessary so that we can warn about truncation */
+		passwd = passwd_malloc = OPENSSL_malloc(passwd_malloc_size);
 		if (passwd_malloc == NULL)
 			goto err;
 		}
@@ -208,7 +222,7 @@ int MAIN(int argc, char **argv)
 		
 		passwds = passwds_static;
 		if (in == NULL)
-			if (EVP_read_pw_string(passwd_malloc, pw_maxlen + 1, "Password: ", 0) != 0)
+			if (EVP_read_pw_string(passwd_malloc, passwd_malloc_size, "Password: ", 0) != 0)
 				goto err;
 		passwds[0] = passwd_malloc;
 		}
@@ -222,7 +236,7 @@ int MAIN(int argc, char **argv)
 			{
 			passwd = *passwds++;
 			if (!do_passwd(passed_salt, &salt, &salt_malloc, passwd, out,
-				quiet, table, reverse, pw_maxlen, usecrypt, useapr1))
+				quiet, table, reverse, pw_maxlen, usecrypt, use1, useapr1))
 				goto err;
 			}
 		while (*passwds != NULL);
@@ -251,33 +265,41 @@ int MAIN(int argc, char **argv)
 					}
 				
 				if (!do_passwd(passed_salt, &salt, &salt_malloc, passwd, out,
-					quiet, table, reverse, pw_maxlen, usecrypt, useapr1))
+					quiet, table, reverse, pw_maxlen, usecrypt, use1, useapr1))
 					goto err;
 				}
 			done = (r <= 0);
 			}
 		while (!done);
 		}
+	ret = 0;
 
 err:
 	ERR_print_errors(bio_err);
 	if (salt_malloc)
-		Free(salt_malloc);
+		OPENSSL_free(salt_malloc);
 	if (passwd_malloc)
-		Free(passwd_malloc);
+		OPENSSL_free(passwd_malloc);
 	if (in)
 		BIO_free(in);
 	if (out)
-		BIO_free(out);
+		BIO_free_all(out);
 	EXIT(ret);
 	}
 
 
-#ifndef NO_APR1
-/* MD5-based password algorithm compatible to the one found in Apache
- * (should probably be available as a library function;
- * then the static buffer would not be acceptable) */
-static char *apr1_crypt(const char *passwd, const char *salt)
+#ifndef NO_MD5CRYPT_1
+/* MD5-based password algorithm (should probably be available as a library
+ * function; then the static buffer would not be acceptable).
+ * For magic string "1", this should be compatible to the MD5-based BSD
+ * password algorithm.
+ * For 'magic' string "apr1", this is compatible to the MD5-based Apache
+ * password algorithm.
+ * (Apparently, the Apache password algorithm is identical except that the
+ * 'magic' string was changed -- the laziest application of the NIH principle
+ * I've ever encountered.)
+ */
+static char *md5crypt(const char *passwd, const char *magic, const char *salt)
 	{
 	static char out_buf[6 + 9 + 24 + 2]; /* "$apr1$..salt..$.......md5hash..........\0" */
 	unsigned char buf[MD5_DIGEST_LENGTH];
@@ -287,16 +309,22 @@ static char *apr1_crypt(const char *passwd, const char *salt)
 	size_t passwd_len, salt_len;
 
 	passwd_len = strlen(passwd);
-	strcpy(out_buf, "$apr1$");
+	out_buf[0] = '$';
+	out_buf[1] = 0;
+	assert(strlen(magic) <= 4); /* "1" or "apr1" */
+	strncat(out_buf, magic, 4);
+	strncat(out_buf, "$", 1);
 	strncat(out_buf, salt, 8);
 	assert(strlen(out_buf) <= 6 + 8); /* "$apr1$..salt.." */
-	salt_out = out_buf + 6;
+	salt_out = out_buf + 2 + strlen(magic);
 	salt_len = strlen(salt_out);
 	assert(salt_len <= 8);
 	
 	MD5_Init(&md);
 	MD5_Update(&md, passwd, passwd_len);
-	MD5_Update(&md, "$apr1$", 6);
+	MD5_Update(&md, "$", 1);
+	MD5_Update(&md, magic, strlen(magic));
+	MD5_Update(&md, "$", 1);
 	MD5_Update(&md, salt_out, salt_len);
 	
 	 {
@@ -380,7 +408,7 @@ static char *apr1_crypt(const char *passwd, const char *salt)
 
 static int do_passwd(int passed_salt, char **salt_p, char **salt_malloc_p,
 	char *passwd, BIO *out,	int quiet, int table, int reverse,
-	size_t pw_maxlen, int usecrypt, int useapr1)
+	size_t pw_maxlen, int usecrypt, int use1, int useapr1)
 	{
 	char *hash = NULL;
 
@@ -395,7 +423,7 @@ static int do_passwd(int passed_salt, char **salt_p, char **salt_malloc_p,
 			{
 			if (*salt_malloc_p == NULL)
 				{
-				*salt_p = *salt_malloc_p = Malloc(3);
+				*salt_p = *salt_malloc_p = OPENSSL_malloc(3);
 				if (*salt_malloc_p == NULL)
 					goto err;
 				}
@@ -411,14 +439,14 @@ static int do_passwd(int passed_salt, char **salt_p, char **salt_malloc_p,
 			}
 #endif /* !NO_DES */
 
-#ifndef NO_APR1
-		if (useapr1)
+#ifndef NO_MD5CRYPT_1
+		if (use1 || useapr1)
 			{
 			int i;
 			
 			if (*salt_malloc_p == NULL)
 				{
-				*salt_p = *salt_malloc_p = Malloc(9);
+				*salt_p = *salt_malloc_p = OPENSSL_malloc(9);
 				if (*salt_malloc_p == NULL)
 					goto err;
 				}
@@ -429,7 +457,7 @@ static int do_passwd(int passed_salt, char **salt_p, char **salt_malloc_p,
 				(*salt_p)[i] = cov_2char[(*salt_p)[i] & 0x3f]; /* 6 bits */
 			(*salt_p)[8] = 0;
 			}
-#endif /* !NO_APR1 */
+#endif /* !NO_MD5CRYPT_1 */
 		}
 	
 	assert(*salt_p != NULL);
@@ -448,9 +476,9 @@ static int do_passwd(int passed_salt, char **salt_p, char **salt_malloc_p,
 	if (usecrypt)
 		hash = des_crypt(passwd, *salt_p);
 #endif
-#ifndef NO_APR1
-	if (useapr1)
-		hash = apr1_crypt(passwd, *salt_p);
+#ifndef NO_MD5CRYPT_1
+	if (use1 || useapr1)
+		hash = md5crypt(passwd, (use1 ? "1" : "apr1"), *salt_p);
 #endif
 	assert(hash != NULL);
 

apps/pca-cert.srl

@@ -1 +1 @@
-01
+07

apps/pem_mail.c

@@ -1,170 +0,0 @@
-/* apps/pem_mail.c */
-/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
- * All rights reserved.
- *
- * This package is an SSL implementation written
- * by Eric Young (eay@cryptsoft.com).
- * The implementation was written so as to conform with Netscapes SSL.
- * 
- * This library is free for commercial and non-commercial use as long as
- * the following conditions are aheared to.  The following conditions
- * apply to all code found in this distribution, be it the RC4, RSA,
- * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
- * included with this distribution is covered by the same copyright terms
- * except that the holder is Tim Hudson (tjh@cryptsoft.com).
- * 
- * Copyright remains Eric Young's, and as such any Copyright notices in
- * the code are not to be removed.
- * If this package is used in a product, Eric Young should be given attribution
- * as the author of the parts of the library used.
- * This can be in the form of a textual message at program startup or
- * in documentation (online or textual) provided with the package.
- * 
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the copyright
- *    notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- *    notice, this list of conditions and the following disclaimer in the
- *    documentation and/or other materials provided with the distribution.
- * 3. All advertising materials mentioning features or use of this software
- *    must display the following acknowledgement:
- *    "This product includes cryptographic software written by
- *     Eric Young (eay@cryptsoft.com)"
- *    The word 'cryptographic' can be left out if the rouines from the library
- *    being used are not cryptographic related :-).
- * 4. If you include any Windows specific code (or a derivative thereof) from 
- *    the apps directory (application code) you must include an acknowledgement:
- *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
- * 
- * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- * 
- * The licence and distribution terms for any publically available version or
- * derivative of this code cannot be changed.  i.e. this code cannot simply be
- * copied and put under another distribution licence
- * [including the GNU Public Licence.]
- */
-
-#ifndef NO_RSA
-#include <stdio.h>
-#include <openssl/rsa.h>
-#include <openssl/evp.h>
-#include <openssl/objects.h>
-#include <openssl/x509.h>
-#include <openssl/err.h>
-#include <openssl/pem.h>
-#include "apps.h"
-
-#undef PROG
-#define PROG	pem_mail_main
-
-static char *usage[]={
-"usage: pem_mail args\n",
-"\n",
-" -in arg         - input file - default stdin\n",
-" -out arg        - output file - default stdout\n",
-" -cert arg       - the certificate to use\n",
-" -key arg        - the private key to use\n",
-" -MIC           - sign the message\n",
-" -enc arg        - encrypt with one of cbc-des\n",
-NULL
-};
-
-
-typedef struct lines_St
-	{
-	char *line;
-	struct lines_st *next;
-	} LINES;
-
-int main(int argc, char **argv)
-	{
-	FILE *in;
-	RSA *rsa=NULL;
-	EVP_MD_CTX ctx;
-	unsigned int mic=0,i,n;
-	unsigned char buf[1024*15];
-	char *prog,*infile=NULL,*outfile=NULL,*key=NULL;
-	int badops=0;
-
-	apps_startup();
-
-	prog=argv[0];
-	argc--;
-	argv++;
-	while (argc >= 1)
-		{
-		if (strcmp(*argv,"-key") == 0)
-			{
-			if (--argc < 1) goto bad;
-			key= *(++argv);
-			}
-		else if (strcmp(*argv,"-in") == 0)
-			{
-			if (--argc < 1) goto bad;
-			infile= *(++argv);
-			}
-		else if (strcmp(*argv,"-out") == 0)
-			{
-			if (--argc < 1) goto bad;
-			outfile= *(++argv);
-			}
-		else if (strcmp(*argv,"-mic") == 0)
-			mic=1;
-		else
-			{
-			BIO_printf(bio_err,"unknown option %s\n",*argv);
-			badops=1;
-			break;
-			}
-		argc--;
-		argv++;
-		}
-
-	if (badops)
-		{
-bad:
-		BIO_printf(bio_err,"%s [options] <infile >outfile\n",prog);
-		BIO_printf(bio_err,"where options  are\n");
-		EXIT(1);
-		}
-
-	if (key == NULL)
-		{ BIO_printf(bio_err,"you need to specify a key\n"); EXIT(1); }
-	in=fopen(key,"r");
-	if (in == NULL) { perror(key); EXIT(1); }
-	rsa=PEM_read_RSAPrivateKey(in,NULL,NULL);
-	if (rsa == NULL)
-		{
-		BIO_printf(bio_err,"unable to load Private Key\n");
-		ERR_print_errors(bio_err);
-		EXIT(1);
-		}
-	fclose(in);
-
-	PEM_SignInit(&ctx,EVP_md5());
-	for (;;)
-		{
-		i=fread(buf,1,1024*10,stdin);
-		if (i <= 0) break;
-		PEM_SignUpdate(&ctx,buf,i);
-		}
-	if (!PEM_SignFinal(&ctx,buf,&n,rsa)) goto err;
-	BIO_printf(bio_err,"%s\n",buf);
-	EXIT(0);
-err:
-	ERR_print_errors(bio_err);
-	EXIT(1);
-	}
-#endif

apps/pkcs12.c

@@ -66,6 +66,7 @@
 #include <openssl/err.h>
 #include <openssl/pem.h>
 #include <openssl/pkcs12.h>
+#include <openssl/engine.h>
 
 #define PROG pkcs12_main
 
@@ -78,9 +79,10 @@ EVP_CIPHER *enc;
 #define CLCERTS		0x8
 #define CACERTS		0x10
 
-int get_cert_chain(X509 *cert, STACK_OF(X509) **chain);
+int get_cert_chain (X509 *cert, X509_STORE *store, STACK_OF(X509) **chain);
 int dump_certs_keys_p12(BIO *out, PKCS12 *p12, char *pass, int passlen, int options, char *pempass);
-int dump_certs_pkeys_bags(BIO *out, STACK *bags, char *pass, int passlen, int options, char *pempass);
+int dump_certs_pkeys_bags(BIO *out, STACK_OF(PKCS12_SAFEBAG) *bags, char *pass,
+			  int passlen, int options, char *pempass);
 int dump_certs_pkeys_bag(BIO *out, PKCS12_SAFEBAG *bags, char *pass, int passlen, int options, char *pempass);
 int print_attribs(BIO *out, STACK_OF(X509_ATTRIBUTE) *attrlst, char *name);
 void hex_prin(BIO *out, unsigned char *buf, int len);
@@ -91,6 +93,7 @@ int MAIN(int, char **);
 
 int MAIN(int argc, char **argv)
 {
+    ENGINE *e = NULL;
     char *infile=NULL, *outfile=NULL, *keyname = NULL;	
     char *certfile=NULL;
     BIO *in=NULL, *out = NULL, *inkey = NULL, *certsin = NULL;
@@ -116,6 +119,8 @@ int MAIN(int argc, char **argv)
     char *passargin = NULL, *passargout = NULL, *passarg = NULL;
     char *passin = NULL, *passout = NULL;
     char *inrand = NULL;
+    char *CApath = NULL, *CAfile = NULL;
+    char *engine=NULL;
 
     apps_startup();
 
@@ -195,7 +200,7 @@ int MAIN(int argc, char **argv)
 		} else if (!strcmp (*args, "-caname")) {
 		    if (args[1]) {
 			args++;	
-			if (!canames) canames = sk_new(NULL);
+			if (!canames) canames = sk_new_null();
 			sk_push(canames, *args);
 		    } else badarg = 1;
 		} else if (!strcmp (*args, "-in")) {
@@ -224,6 +229,21 @@ int MAIN(int argc, char **argv)
 			passarg = *args;
 		    	noprompt = 1;
 		    } else badarg = 1;
+		} else if (!strcmp(*args,"-CApath")) {
+		    if (args[1]) {
+			args++;	
+			CApath = *args;
+		    } else badarg = 1;
+		} else if (!strcmp(*args,"-CAfile")) {
+		    if (args[1]) {
+			args++;	
+			CAfile = *args;
+		    } else badarg = 1;
+		} else if (!strcmp(*args,"-engine")) {
+		    if (args[1]) {
+			args++;	
+			engine = *args;
+		    } else badarg = 1;
 		} else badarg = 1;
 
 	} else badarg = 1;
@@ -237,6 +257,8 @@ int MAIN(int argc, char **argv)
 	BIO_printf (bio_err, "-chain        add certificate chain\n");
 	BIO_printf (bio_err, "-inkey file   private key if not infile\n");
 	BIO_printf (bio_err, "-certfile f   add all certs in f\n");
+	BIO_printf (bio_err, "-CApath arg   - PEM format directory of CA's\n");
+	BIO_printf (bio_err, "-CAfile arg   - PEM format file of CA's\n");
 	BIO_printf (bio_err, "-name \"name\"  use name as friendly name\n");
 	BIO_printf (bio_err, "-caname \"nm\"  use nm as CA friendly name (can be used more than once).\n");
 	BIO_printf (bio_err, "-in  infile   input filename\n");
@@ -265,12 +287,27 @@ int MAIN(int argc, char **argv)
 	BIO_printf (bio_err, "-password p   set import/export password source\n");
 	BIO_printf (bio_err, "-passin p     input file pass phrase source\n");
 	BIO_printf (bio_err, "-passout p    output file pass phrase source\n");
+	BIO_printf (bio_err, "-engine e     use engine e, possibly a hardware device.\n");
 	BIO_printf(bio_err,  "-rand file%cfile%c...\n", LIST_SEPARATOR_CHAR, LIST_SEPARATOR_CHAR);
 	BIO_printf(bio_err,  "              load the file (or the files in the directory) into\n");
 	BIO_printf(bio_err,  "              the random number generator\n");
     	goto end;
     }
 
+    if (engine != NULL) {
+	if((e = ENGINE_by_id(engine)) == NULL) {
+	    BIO_printf(bio_err,"invalid engine \"%s\"\n", engine);
+	    goto end;
+	}
+	if(!ENGINE_set_default(e, ENGINE_METHOD_ALL)) {
+	    BIO_printf(bio_err,"can't use that engine\n");
+	    goto end;
+	}
+	BIO_printf(bio_err,"engine \"%s\" set.\n", engine);
+	/* Free our "structural" reference. */
+	ENGINE_free(e);
+    }
+
     if(passarg) {
 	if(export_cert) passargout = passarg;
 	else passargin = passarg;
@@ -336,8 +373,15 @@ int MAIN(int argc, char **argv)
     CRYPTO_push_info("write files");
 #endif
 
-    if (!outfile) out = BIO_new_fp(stdout, BIO_NOCLOSE);
-    else out = BIO_new_file(outfile, "wb");
+    if (!outfile) {
+	out = BIO_new_fp(stdout, BIO_NOCLOSE);
+#ifdef VMS
+	{
+	    BIO *tmpbio = BIO_new(BIO_f_linebuffer());
+	    out = BIO_push(tmpbio, out);
+	}
+#endif
+    } else out = BIO_new_file(outfile, "wb");
     if (!out) {
 	BIO_printf(bio_err, "Error opening output file %s\n",
 						outfile ? outfile : "<stdout>");
@@ -359,20 +403,22 @@ int MAIN(int argc, char **argv)
     }
 
     if (export_cert) {
-	EVP_PKEY *key;
-	STACK *bags, *safes;
-	PKCS12_SAFEBAG *bag;
-	PKCS8_PRIV_KEY_INFO *p8;
-	PKCS7 *authsafe;
+	EVP_PKEY *key = NULL;
+	STACK_OF(PKCS12_SAFEBAG) *bags = NULL;
+	STACK_OF(PKCS7) *safes = NULL;
+	PKCS12_SAFEBAG *bag = NULL;
+	PKCS8_PRIV_KEY_INFO *p8 = NULL;
+	PKCS7 *authsafe = NULL;
 	X509 *ucert = NULL;
 	STACK_OF(X509) *certs=NULL;
-	char *catmp;
+	char *catmp = NULL;
 	int i;
 	unsigned char keyid[EVP_MAX_MD_SIZE];
 	unsigned int keyidlen = 0;
 
 #ifdef CRYPTO_MDEBUG
 	CRYPTO_push_info("process -export_cert");
+	CRYPTO_push_info("reading private key");
 #endif
 	key = PEM_read_bio_PrivateKey(inkey ? inkey : in, NULL, NULL, passin);
 	if (!inkey) (void) BIO_reset(in);
@@ -380,18 +426,28 @@ int MAIN(int argc, char **argv)
 	if (!key) {
 		BIO_printf (bio_err, "Error loading private key\n");
 		ERR_print_errors(bio_err);
-		goto end;
+		goto export_end;
 	}
 
-	certs = sk_X509_new(NULL);
+#ifdef CRYPTO_MDEBUG
+	CRYPTO_pop_info();
+	CRYPTO_push_info("reading certs from input");
+#endif
+
+	certs = sk_X509_new_null();
 
 	/* Load in all certs in input file */
 	if(!cert_load(in, certs)) {
 		BIO_printf(bio_err, "Error loading certificates from input\n");
 		ERR_print_errors(bio_err);
-		goto end;
+		goto export_end;
 	}
 
+#ifdef CRYPTO_MDEBUG
+	CRYPTO_pop_info();
+	CRYPTO_push_info("reading certs from input 2");
+#endif
+
 	for(i = 0; i < sk_X509_num(certs); i++) {
 		ucert = sk_X509_value(certs, i);
 		if(X509_check_private_key(ucert, key)) {
@@ -399,40 +455,67 @@ int MAIN(int argc, char **argv)
 			break;
 		}
 	}
-
 	if(!keyidlen) {
+		ucert = NULL;
 		BIO_printf(bio_err, "No certificate matches private key\n");
-		goto end;
+		goto export_end;
 	}
 	
-	bags = sk_new (NULL);
+#ifdef CRYPTO_MDEBUG
+	CRYPTO_pop_info();
+	CRYPTO_push_info("reading certs from certfile");
+#endif
+
+	bags = sk_PKCS12_SAFEBAG_new_null ();
 
 	/* Add any more certificates asked for */
 	if (certsin) {
 		if(!cert_load(certsin, certs)) {
 			BIO_printf(bio_err, "Error loading certificates from certfile\n");
 			ERR_print_errors(bio_err);
-			goto end;
+			goto export_end;
 		}
 	    	BIO_free(certsin);
  	}
 
+#ifdef CRYPTO_MDEBUG
+	CRYPTO_pop_info();
+	CRYPTO_push_info("building chain");
+#endif
+
 	/* If chaining get chain from user cert */
 	if (chain) {
         	int vret;
 		STACK_OF(X509) *chain2;
-		vret = get_cert_chain (ucert, &chain2);
-		if (vret) {
-			BIO_printf (bio_err, "Error %s getting chain.\n",
-					X509_verify_cert_error_string(vret));
-			goto end;
+		X509_STORE *store = X509_STORE_new();
+		if (!store)
+			{
+			BIO_printf (bio_err, "Memory allocation error\n");
+			goto export_end;
 			}
+		if (!X509_STORE_load_locations(store, CAfile, CApath))
+			X509_STORE_set_default_paths (store);
+
+		vret = get_cert_chain (ucert, store, &chain2);
+		X509_STORE_free(store);
+
+		if (!vret) {
 		    /* Exclude verified certificate */
 		    for (i = 1; i < sk_X509_num (chain2) ; i++) 
 			sk_X509_push(certs, sk_X509_value (chain2, i));
-		sk_X509_free(chain2);
-			
 		}
+		sk_X509_free(chain2);
+		if (vret) {
+			BIO_printf (bio_err, "Error %s getting chain.\n",
+					X509_verify_cert_error_string(vret));
+			goto export_end;
+		}			
+    	}
+
+#ifdef CRYPTO_MDEBUG
+	CRYPTO_pop_info();
+	CRYPTO_push_info("building bags");
+#endif
 
 	/* We now have loads of certificates: include them all */
 	for(i = 0; i < sk_X509_num(certs); i++) {
@@ -445,59 +528,101 @@ int MAIN(int argc, char **argv)
 			PKCS12_add_localkeyid(bag, keyid, keyidlen);
 		} else if((catmp = sk_shift(canames))) 
 				PKCS12_add_friendlyname(bag, catmp, -1);
-		sk_push(bags, (char *)bag);
+		sk_PKCS12_SAFEBAG_push(bags, bag);
 	}
 	sk_X509_pop_free(certs, X509_free);
-	if (canames) sk_free(canames);
+	certs = NULL;
+	/* ucert is part of certs so it is already freed */
+	ucert = NULL;
+
+#ifdef CRYPTO_MDEBUG
+	CRYPTO_pop_info();
+	CRYPTO_push_info("encrypting bags");
+#endif
 
 	if(!noprompt &&
 		EVP_read_pw_string(pass, 50, "Enter Export Password:", 1)) {
 	    BIO_printf (bio_err, "Can't read Password\n");
-	    goto end;
+	    goto export_end;
         }
 	if (!twopass) strcpy(macpass, pass);
 	/* Turn certbags into encrypted authsafe */
 	authsafe = PKCS12_pack_p7encdata(cert_pbe, cpass, -1, NULL, 0,
 								 iter, bags);
-	sk_pop_free(bags, PKCS12_SAFEBAG_free);
+	sk_PKCS12_SAFEBAG_pop_free(bags, PKCS12_SAFEBAG_free);
+	bags = NULL;
 
 	if (!authsafe) {
 		ERR_print_errors (bio_err);
-		goto end;
+		goto export_end;
 	}
 
-	safes = sk_new (NULL);
-	sk_push (safes, (char *)authsafe);
+	safes = sk_PKCS7_new_null ();
+	sk_PKCS7_push (safes, authsafe);
+
+#ifdef CRYPTO_MDEBUG
+	CRYPTO_pop_info();
+	CRYPTO_push_info("building shrouded key bag");
+#endif
 
 	/* Make a shrouded key bag */
 	p8 = EVP_PKEY2PKCS8 (key);
-	EVP_PKEY_free(key);
 	if(keytype) PKCS8_add_keyusage(p8, keytype);
 	bag = PKCS12_MAKE_SHKEYBAG(key_pbe, cpass, -1, NULL, 0, iter, p8);
 	PKCS8_PRIV_KEY_INFO_free(p8);
+	p8 = NULL;
         if (name) PKCS12_add_friendlyname (bag, name, -1);
 	PKCS12_add_localkeyid (bag, keyid, keyidlen);
-	bags = sk_new(NULL);
-	sk_push (bags, (char *)bag);
+	bags = sk_PKCS12_SAFEBAG_new_null();
+	sk_PKCS12_SAFEBAG_push (bags, bag);
+
+#ifdef CRYPTO_MDEBUG
+	CRYPTO_pop_info();
+	CRYPTO_push_info("encrypting shrouded key bag");
+#endif
+
 	/* Turn it into unencrypted safe bag */
 	authsafe = PKCS12_pack_p7data (bags);
-	sk_pop_free(bags, PKCS12_SAFEBAG_free);
-	sk_push (safes, (char *)authsafe);
+	sk_PKCS12_SAFEBAG_pop_free(bags, PKCS12_SAFEBAG_free);
+	bags = NULL;
+	sk_PKCS7_push (safes, authsafe);
+
+#ifdef CRYPTO_MDEBUG
+	CRYPTO_pop_info();
+	CRYPTO_push_info("building pkcs12");
+#endif
 
 	p12 = PKCS12_init (NID_pkcs7_data);
 
 	M_PKCS12_pack_authsafes (p12, safes);
 
-	sk_pop_free(safes, PKCS7_free);
+	sk_PKCS7_pop_free(safes, PKCS7_free);
+	safes = NULL;
 
 	PKCS12_set_mac (p12, mpass, -1, NULL, 0, maciter, NULL);
 
+#ifdef CRYPTO_MDEBUG
+	CRYPTO_pop_info();
+	CRYPTO_push_info("writing pkcs12");
+#endif
+
 	i2d_PKCS12_bio (out, p12);
 
-	PKCS12_free(p12);
-
 	ret = 0;
 
+    export_end:
+#ifdef CRYPTO_MDEBUG
+	CRYPTO_pop_info();
+	CRYPTO_pop_info();
+	CRYPTO_push_info("process -export_cert: freeing");
+#endif
+
+	if (key) EVP_PKEY_free(key);
+	if (certs) sk_X509_pop_free(certs, X509_free);
+	if (safes) sk_PKCS7_pop_free(safes, PKCS7_free);
+	if (bags) sk_PKCS12_SAFEBAG_pop_free(bags, PKCS12_SAFEBAG_free);
+	if (ucert) X509_free(ucert);
+
 #ifdef CRYPTO_MDEBUG
 	CRYPTO_pop_info();
 #endif
@@ -528,11 +653,16 @@ int MAIN(int argc, char **argv)
 #ifdef CRYPTO_MDEBUG
     CRYPTO_push_info("verify MAC");
 #endif
-	if (!PKCS12_verify_mac (p12, mpass, -1)) {
+	/* If we enter empty password try no password first */
+	if(!macpass[0] && PKCS12_verify_mac(p12, NULL, 0)) {
+		/* If mac and crypto pass the same set it to NULL too */
+		if(!twopass) cpass = NULL;
+	} else if (!PKCS12_verify_mac(p12, mpass, -1)) {
 	    BIO_printf (bio_err, "Mac verify error: invalid password?\n");
 	    ERR_print_errors (bio_err);
 	    goto end;
-	} else BIO_printf (bio_err, "MAC verified OK\n");
+	}
+	BIO_printf (bio_err, "MAC verified OK\n");
 #ifdef CRYPTO_MDEBUG
     CRYPTO_pop_info();
 #endif
@@ -549,29 +679,32 @@ int MAIN(int argc, char **argv)
 #ifdef CRYPTO_MDEBUG
     CRYPTO_pop_info();
 #endif
-    PKCS12_free(p12);
     ret = 0;
  end:
+    if (p12) PKCS12_free(p12);
     if(export_cert || inrand) app_RAND_write_file(NULL, bio_err);
 #ifdef CRYPTO_MDEBUG
     CRYPTO_remove_all_info();
 #endif
     BIO_free(in);
-    BIO_free(out);
-    if(passin) Free(passin);
-    if(passout) Free(passout);
+    BIO_free_all(out);
+    if (canames) sk_free(canames);
+    if(passin) OPENSSL_free(passin);
+    if(passout) OPENSSL_free(passout);
     EXIT(ret);
 }
 
 int dump_certs_keys_p12 (BIO *out, PKCS12 *p12, char *pass,
 	     int passlen, int options, char *pempass)
 {
-	STACK *asafes, *bags;
+	STACK_OF(PKCS7) *asafes;
+	STACK_OF(PKCS12_SAFEBAG) *bags;
 	int i, bagnid;
 	PKCS7 *p7;
+
 	if (!( asafes = M_PKCS12_unpack_authsafes (p12))) return 0;
-	for (i = 0; i < sk_num (asafes); i++) {
-		p7 = (PKCS7 *) sk_value (asafes, i);
+	for (i = 0; i < sk_PKCS7_num (asafes); i++) {
+		p7 = sk_PKCS7_value (asafes, i);
 		bagnid = OBJ_obj2nid (p7->type);
 		if (bagnid == NID_pkcs7_data) {
 			bags = M_PKCS12_unpack_p7data (p7);
@@ -587,23 +720,25 @@ int dump_certs_keys_p12 (BIO *out, PKCS12 *p12, char *pass,
 		if (!bags) return 0;
 	    	if (!dump_certs_pkeys_bags (out, bags, pass, passlen, 
 						 options, pempass)) {
-			sk_pop_free (bags, PKCS12_SAFEBAG_free);
+			sk_PKCS12_SAFEBAG_pop_free (bags, PKCS12_SAFEBAG_free);
 			return 0;
 		}
-		sk_pop_free (bags, PKCS12_SAFEBAG_free);
+		sk_PKCS12_SAFEBAG_pop_free (bags, PKCS12_SAFEBAG_free);
 	}
-	sk_pop_free (asafes, PKCS7_free);
+	sk_PKCS7_pop_free (asafes, PKCS7_free);
 	return 1;
 }
 
-int dump_certs_pkeys_bags (BIO *out, STACK *bags, char *pass,
-	     int passlen, int options, char *pempass)
+int dump_certs_pkeys_bags (BIO *out, STACK_OF(PKCS12_SAFEBAG) *bags,
+			   char *pass, int passlen, int options, char *pempass)
 {
 	int i;
-	for (i = 0; i < sk_num (bags); i++) {
+	for (i = 0; i < sk_PKCS12_SAFEBAG_num (bags); i++) {
 		if (!dump_certs_pkeys_bag (out,
-			 (PKCS12_SAFEBAG *)sk_value (bags, i), pass, passlen,
-					 	options, pempass)) return 0;
+					   sk_PKCS12_SAFEBAG_value (bags, i),
+					   pass, passlen,
+					   options, pempass))
+		    return 0;
 	}
 	return 1;
 }
@@ -679,15 +814,12 @@ int dump_certs_pkeys_bag (BIO *out, PKCS12_SAFEBAG *bag, char *pass,
 
 /* Hope this is OK .... */
 
-int get_cert_chain (X509 *cert, STACK_OF(X509) **chain)
+int get_cert_chain (X509 *cert, X509_STORE *store, STACK_OF(X509) **chain)
 {
-	X509_STORE *store;
 	X509_STORE_CTX store_ctx;
 	STACK_OF(X509) *chn;
 	int i;
 
-	store = X509_STORE_new ();
-	X509_STORE_set_default_paths (store);
 	X509_STORE_CTX_init(&store_ctx, store, cert, NULL);
 	if (X509_verify_cert(&store_ctx) <= 0) {
 		i = X509_STORE_CTX_get_error (&store_ctx);
@@ -698,7 +830,6 @@ int get_cert_chain (X509 *cert, STACK_OF(X509) **chain)
 	*chain = chn;
 err:
 	X509_STORE_CTX_cleanup(&store_ctx);
-	X509_STORE_free(store);
 	
 	return i;
 }	
@@ -722,10 +853,22 @@ int cert_load(BIO *in, STACK_OF(X509) *sk)
 	int ret;
 	X509 *cert;
 	ret = 0;
+#ifdef CRYPTO_MDEBUG
+	CRYPTO_push_info("cert_load(): reading one cert");
+#endif
 	while((cert = PEM_read_bio_X509(in, NULL, NULL, NULL))) {
+#ifdef CRYPTO_MDEBUG
+		CRYPTO_pop_info();
+#endif
 		ret = 1;
 		sk_X509_push(sk, cert);
+#ifdef CRYPTO_MDEBUG
+		CRYPTO_push_info("cert_load(): reading one cert");
+#endif
 	}
+#ifdef CRYPTO_MDEBUG
+	CRYPTO_pop_info();
+#endif
 	if(ret) ERR_clear_error();
 	return ret;
 }
@@ -763,18 +906,18 @@ int print_attribs (BIO *out, STACK_OF(X509_ATTRIBUTE) *attrlst, char *name)
         			value = uni2asc(av->value.bmpstring->data,
                                 	       av->value.bmpstring->length);
 				BIO_printf(out, "%s\n", value);
-				Free(value);
+				OPENSSL_free(value);
 				break;
 
 				case V_ASN1_OCTET_STRING:
-				hex_prin(out, av->value.bit_string->data,
-					av->value.bit_string->length);
+				hex_prin(out, av->value.octet_string->data,
+					av->value.octet_string->length);
 				BIO_printf(out, "\n");	
 				break;
 
 				case V_ASN1_BIT_STRING:
-				hex_prin(out, av->value.octet_string->data,
-					av->value.octet_string->length);
+				hex_prin(out, av->value.bit_string->data,
+					av->value.bit_string->length);
 				BIO_printf(out, "\n");	
 				break;
 

apps/pkcs7.c

@@ -67,6 +67,7 @@
 #include <openssl/x509.h>
 #include <openssl/pkcs7.h>
 #include <openssl/pem.h>
+#include <openssl/engine.h>
 
 #undef PROG
 #define PROG	pkcs7_main
@@ -82,6 +83,7 @@ int MAIN(int, char **);
 
 int MAIN(int argc, char **argv)
 	{
+	ENGINE *e = NULL;
 	PKCS7 *p7=NULL;
 	int i,badops=0;
 	BIO *in=NULL,*out=NULL;
@@ -89,6 +91,7 @@ int MAIN(int argc, char **argv)
 	char *infile,*outfile,*prog;
 	int print_certs=0,text=0,noout=0;
 	int ret=0;
+	char *engine=NULL;
 
 	apps_startup();
 
@@ -132,6 +135,11 @@ int MAIN(int argc, char **argv)
 			text=1;
 		else if (strcmp(*argv,"-print_certs") == 0)
 			print_certs=1;
+		else if (strcmp(*argv,"-engine") == 0)
+			{
+			if (--argc < 1) goto bad;
+			engine= *(++argv);
+			}
 		else
 			{
 			BIO_printf(bio_err,"unknown option %s\n",*argv);
@@ -154,11 +162,30 @@ bad:
 		BIO_printf(bio_err," -print_certs  print any certs or crl in the input\n");
 		BIO_printf(bio_err," -text         print full details of certificates\n");
 		BIO_printf(bio_err," -noout        don't output encoded data\n");
+		BIO_printf(bio_err," -engine e     use engine e, possibly a hardware device.\n");
 		EXIT(1);
 		}
 
 	ERR_load_crypto_strings();
 
+	if (engine != NULL)
+		{
+		if((e = ENGINE_by_id(engine)) == NULL)
+			{
+			BIO_printf(bio_err,"invalid engine \"%s\"\n",
+				engine);
+			goto end;
+			}
+		if(!ENGINE_set_default(e, ENGINE_METHOD_ALL))
+			{
+			BIO_printf(bio_err,"can't use that engine\n");
+			goto end;
+			}
+		BIO_printf(bio_err,"engine \"%s\" set.\n", engine);
+		/* Free our "structural" reference. */
+		ENGINE_free(e);
+		}
+
 	in=BIO_new(BIO_s_file());
 	out=BIO_new(BIO_s_file());
 	if ((in == NULL) || (out == NULL))
@@ -196,7 +223,15 @@ bad:
 		}
 
 	if (outfile == NULL)
+		{
 		BIO_set_fp(out,stdout,BIO_NOCLOSE);
+#ifdef VMS
+		{
+		BIO *tmpbio = BIO_new(BIO_f_linebuffer());
+		out = BIO_push(tmpbio, out);
+		}
+#endif
+		}
 	else
 		{
 		if (BIO_write_filename(out,outfile) <= 0)
@@ -280,6 +315,6 @@ bad:
 end:
 	if (p7 != NULL) PKCS7_free(p7);
 	if (in != NULL) BIO_free(in);
-	if (out != NULL) BIO_free(out);
+	if (out != NULL) BIO_free_all(out);
 	EXIT(ret);
 	}

apps/pkcs8.c

@@ -62,6 +62,7 @@
 #include <openssl/err.h>
 #include <openssl/evp.h>
 #include <openssl/pkcs12.h>
+#include <openssl/engine.h>
 
 #include "apps.h"
 #define PROG pkcs8_main
@@ -70,6 +71,7 @@ int MAIN(int, char **);
 
 int MAIN(int argc, char **argv)
 {
+	ENGINE *e = NULL;
 	char **args, *infile = NULL, *outfile = NULL;
 	char *passargin = NULL, *passargout = NULL;
 	BIO *in = NULL, *out = NULL;
@@ -85,9 +87,13 @@ int MAIN(int argc, char **argv)
 	EVP_PKEY *pkey;
 	char pass[50], *passin = NULL, *passout = NULL, *p8pass = NULL;
 	int badarg = 0;
+	char *engine=NULL;
+
 	if (bio_err == NULL) bio_err = BIO_new_fp (stderr, BIO_NOCLOSE);
+
 	informat=FORMAT_PEM;
 	outformat=FORMAT_PEM;
+
 	ERR_load_crypto_strings();
 	OpenSSL_add_all_algorithms();
 	args = argv + 1;
@@ -138,6 +144,11 @@ int MAIN(int argc, char **argv)
 			if (!args[1]) goto bad;
 			passargout= *(++args);
 			}
+		else if (strcmp(*args,"-engine") == 0)
+			{
+			if (!args[1]) goto bad;
+			engine= *(++args);
+			}
 		else if (!strcmp (*args, "-in")) {
 			if (args[1]) {
 				args++;
@@ -170,9 +181,28 @@ int MAIN(int argc, char **argv)
 		BIO_printf(bio_err, "-nocrypt        use or expect unencrypted private key\n");
 		BIO_printf(bio_err, "-v2 alg         use PKCS#5 v2.0 and cipher \"alg\"\n");
 		BIO_printf(bio_err, "-v1 obj         use PKCS#5 v1.5 and cipher \"alg\"\n");
+		BIO_printf(bio_err," -engine e       use engine e, possibly a hardware device.\n");
 		return (1);
 	}
 
+	if (engine != NULL)
+		{
+		if((e = ENGINE_by_id(engine)) == NULL)
+			{
+			BIO_printf(bio_err,"invalid engine \"%s\"\n",
+				engine);
+			return (1);
+			}
+		if(!ENGINE_set_default(e, ENGINE_METHOD_ALL))
+			{
+			BIO_printf(bio_err,"can't use that engine\n");
+			return (1);
+			}
+		BIO_printf(bio_err,"engine \"%s\" set.\n", engine);
+		/* Free our "structural" reference. */
+		ENGINE_free(e);
+		}
+
 	if(!app_passwd(bio_err, passargin, passargout, &passin, &passout)) {
 		BIO_printf(bio_err, "Error getting passwords\n");
 		return (1);
@@ -194,8 +224,15 @@ int MAIN(int argc, char **argv)
 				 "Can't open output file %s\n", outfile);
 			return (1);
 		}
-	} else out = BIO_new_fp (stdout, BIO_NOCLOSE);
-
+	} else {
+		out = BIO_new_fp (stdout, BIO_NOCLOSE);
+#ifdef VMS
+		{
+			BIO *tmpbio = BIO_new(BIO_f_linebuffer());
+			out = BIO_push(tmpbio, out);
+		}
+#endif
+	}
 	if (topk8) {
 		if(informat == FORMAT_PEM)
 			pkey = PEM_read_bio_PrivateKey(in, NULL, NULL, passin);
@@ -253,9 +290,9 @@ int MAIN(int argc, char **argv)
 		}
 		PKCS8_PRIV_KEY_INFO_free (p8inf);
 		EVP_PKEY_free(pkey);
-		BIO_free(out);
-		if(passin) Free(passin);
-		if(passout) Free(passout);
+		BIO_free_all(out);
+		if(passin) OPENSSL_free(passin);
+		if(passout) OPENSSL_free(passout);
 		return (0);
 	}
 
@@ -336,10 +373,10 @@ int MAIN(int argc, char **argv)
 	}
 
 	EVP_PKEY_free(pkey);
-	BIO_free(out);
+	BIO_free_all(out);
 	BIO_free(in);
-	if(passin) Free(passin);
-	if(passout) Free(passout);
+	if(passin) OPENSSL_free(passin);
+	if(passout) OPENSSL_free(passout);
 
 	return (0);
 }

apps/progs.h

@@ -14,6 +14,7 @@ extern int errstr_main(int argc,char *argv[]);
 extern int ca_main(int argc,char *argv[]);
 extern int crl_main(int argc,char *argv[]);
 extern int rsa_main(int argc,char *argv[]);
+extern int rsautl_main(int argc,char *argv[]);
 extern int dsa_main(int argc,char *argv[]);
 extern int dsaparam_main(int argc,char *argv[]);
 extern int x509_main(int argc,char *argv[]);
@@ -67,6 +68,9 @@ FUNCTION functions[] = {
 #ifndef NO_RSA
 	{FUNC_TYPE_GENERAL,"rsa",rsa_main},
 #endif
+#ifndef NO_RSA
+	{FUNC_TYPE_GENERAL,"rsautl",rsautl_main},
+#endif
 #ifndef NO_DSA
 	{FUNC_TYPE_GENERAL,"dsa",dsa_main},
 #endif
@@ -106,6 +110,7 @@ FUNCTION functions[] = {
 	{FUNC_TYPE_GENERAL,"smime",smime_main},
 	{FUNC_TYPE_GENERAL,"rand",rand_main},
 	{FUNC_TYPE_MD,"md2",dgst_main},
+	{FUNC_TYPE_MD,"md4",dgst_main},
 	{FUNC_TYPE_MD,"md5",dgst_main},
 	{FUNC_TYPE_MD,"sha",dgst_main},
 	{FUNC_TYPE_MD,"sha1",dgst_main},

apps/progs.pl

@@ -29,7 +29,7 @@ foreach (@ARGV)
 	$str="\t{FUNC_TYPE_GENERAL,\"$_\",${_}_main},\n";
 	if (($_ =~ /^s_/) || ($_ =~ /^ciphers$/))
 		{ print "#if !defined(NO_SOCK) && !(defined(NO_SSL2) && defined(NO_SSL3))\n${str}#endif\n"; } 
-	elsif ( ($_ =~ /^rsa$/) || ($_ =~ /^genrsa$/) ) 
+	elsif ( ($_ =~ /^rsa$/) || ($_ =~ /^genrsa$/) || ($_ =~ /^rsautl$/)) 
 		{ print "#ifndef NO_RSA\n${str}#endif\n";  }
 	elsif ( ($_ =~ /^dsa$/) || ($_ =~ /^gendsa$/) || ($_ =~ /^dsaparam$/))
 		{ print "#ifndef NO_DSA\n${str}#endif\n"; }
@@ -41,7 +41,7 @@ foreach (@ARGV)
 		{ print $str; }
 	}
 
-foreach ("md2","md5","sha","sha1","mdc2","rmd160")
+foreach ("md2","md4","md5","sha","sha1","mdc2","rmd160")
 	{
 	push(@files,$_);
 	printf "\t{FUNC_TYPE_MD,\"%s\",dgst_main},\n",$_;

apps/rand.c

@@ -9,6 +9,7 @@
 #include <openssl/bio.h>
 #include <openssl/err.h>
 #include <openssl/rand.h>
+#include <openssl/engine.h>
 
 #undef PROG
 #define PROG rand_main
@@ -23,6 +24,7 @@ int MAIN(int, char **);
 
 int MAIN(int argc, char **argv)
 	{
+	ENGINE *e = NULL;
 	int i, r, ret = 1;
 	int badopt;
 	char *outfile = NULL;
@@ -30,6 +32,7 @@ int MAIN(int argc, char **argv)
 	int base64 = 0;
 	BIO *out = NULL;
 	int num = -1;
+	char *engine=NULL;
 
 	apps_startup();
 
@@ -48,6 +51,13 @@ int MAIN(int argc, char **argv)
 			else
 				badopt = 1;
 			}
+		if (strcmp(argv[i], "-engine") == 0)
+			{
+			if ((argv[i+1] != NULL) && (engine == NULL))
+				engine = argv[++i];
+			else
+				badopt = 1;
+			}
 		else if (strcmp(argv[i], "-rand") == 0)
 			{
 			if ((argv[i+1] != NULL) && (inrand == NULL))
@@ -62,7 +72,7 @@ int MAIN(int argc, char **argv)
 			else
 				badopt = 1;
 			}
-		else if (isdigit(argv[i][0]))
+		else if (isdigit((unsigned char)argv[i][0]))
 			{
 			if (num < 0)
 				{
@@ -85,11 +95,30 @@ int MAIN(int argc, char **argv)
 		BIO_printf(bio_err, "Usage: rand [options] num\n");
 		BIO_printf(bio_err, "where options are\n");
 		BIO_printf(bio_err, "-out file             - write to file\n");
+		BIO_printf(bio_err," -engine e             - use engine e, possibly a hardware device.\n");
 		BIO_printf(bio_err, "-rand file%cfile%c... - seed PRNG from files\n", LIST_SEPARATOR_CHAR, LIST_SEPARATOR_CHAR);
 		BIO_printf(bio_err, "-base64               - encode output\n");
 		goto err;
 		}
 
+	if (engine != NULL)
+		{
+		if((e = ENGINE_by_id(engine)) == NULL)
+			{
+			BIO_printf(bio_err,"invalid engine \"%s\"\n",
+				engine);
+			goto err;
+			}
+		if(!ENGINE_set_default(e, ENGINE_METHOD_ALL))
+			{
+			BIO_printf(bio_err,"can't use that engine\n");
+			goto err;
+			}
+		BIO_printf(bio_err,"engine \"%s\" set.\n", engine);
+		/* Free our "structural" reference. */
+		ENGINE_free(e);
+		}
+
 	app_RAND_load_file(NULL, bio_err, (inrand != NULL));
 	if (inrand != NULL)
 		BIO_printf(bio_err,"%ld semi-random bytes loaded\n",
@@ -101,7 +130,15 @@ int MAIN(int argc, char **argv)
 	if (outfile != NULL)
 		r = BIO_write_filename(out, outfile);
 	else
+		{
 		r = BIO_set_fp(out, stdout, BIO_NOCLOSE | BIO_FP_TEXT);
+#ifdef VMS
+		{
+		BIO *tmpbio = BIO_new(BIO_f_linebuffer());
+		out = BIO_push(tmpbio, out);
+		}
+#endif
+		}
 	if (r <= 0)
 		goto err;
 

apps/req.c

@@ -73,6 +73,7 @@
 #include <openssl/x509v3.h>
 #include <openssl/objects.h>
 #include <openssl/pem.h>
+#include <openssl/engine.h>
 
 #define SECTION		"req"
 
@@ -102,6 +103,7 @@
  * -config file	- Load configuration file.
  * -key file	- make a request using key in file (or use it for verification).
  * -keyform	- key file format.
+ * -rand file(s) - load the file(s) into the PRNG.
  * -newkey	- make a key and a request.
  * -modulus	- print RSA modulus.
  * -x509	- output a self signed X509 structure instead.
@@ -125,7 +127,6 @@ static void MS_CALLBACK req_cb(int p,int n,void *arg);
 #endif
 static int req_check_len(int len,int min,int max);
 static int check_end(char *str, char *end);
-static int add_oid_section(LHASH *conf);
 #ifndef MONOLITH
 static char *default_config_file=NULL;
 static LHASH *config=NULL;
@@ -140,6 +141,7 @@ int MAIN(int, char **);
 
 int MAIN(int argc, char **argv)
 	{
+	ENGINE *e = NULL;
 #ifndef NO_DSA
 	DSA *dsa_params=NULL;
 #endif
@@ -152,10 +154,12 @@ int MAIN(int argc, char **argv)
 	int informat,outformat,verify=0,noout=0,text=0,keyform=FORMAT_PEM;
 	int nodes=0,kludge=0,newhdr=0;
 	char *infile,*outfile,*prog,*keyfile=NULL,*template=NULL,*keyout=NULL;
+	char *engine=NULL;
 	char *extensions = NULL;
 	char *req_exts = NULL;
 	EVP_CIPHER *cipher=NULL;
 	int modulus=0;
+	char *inrand=NULL;
 	char *passargin = NULL, *passargout = NULL;
 	char *passin = NULL, *passout = NULL;
 	char *p;
@@ -194,6 +198,11 @@ int MAIN(int argc, char **argv)
 			if (--argc < 1) goto bad;
 			outformat=str2fmt(*(++argv));
 			}
+		else if (strcmp(*argv,"-engine") == 0)
+			{
+			if (--argc < 1) goto bad;
+			engine= *(++argv);
+			}
 		else if (strcmp(*argv,"-key") == 0)
 			{
 			if (--argc < 1) goto bad;
@@ -239,6 +248,11 @@ int MAIN(int argc, char **argv)
 			if (--argc < 1) goto bad;
 			passargout= *(++argv);
 			}
+		else if (strcmp(*argv,"-rand") == 0)
+			{
+			if (--argc < 1) goto bad;
+			inrand= *(++argv);
+			}
 		else if (strcmp(*argv,"-newkey") == 0)
 			{
 			int is_numeric;
@@ -369,9 +383,13 @@ bad:
 		BIO_printf(bio_err," -verify        verify signature on REQ\n");
 		BIO_printf(bio_err," -modulus       RSA modulus\n");
 		BIO_printf(bio_err," -nodes         don't encrypt the output key\n");
+		BIO_printf(bio_err," -engine e      use engine e, possibly a hardware device.\n");
 		BIO_printf(bio_err," -key file	use the private key contained in file\n");
 		BIO_printf(bio_err," -keyform arg   key file format\n");
 		BIO_printf(bio_err," -keyout arg    file to send the key to\n");
+		BIO_printf(bio_err," -rand file%cfile%c...\n", LIST_SEPARATOR_CHAR, LIST_SEPARATOR_CHAR);
+		BIO_printf(bio_err,"                load the file (or the files in the directory) into\n");
+		BIO_printf(bio_err,"                the random number generator\n");
 		BIO_printf(bio_err," -newkey rsa:bits generate a new RSA key of 'bits' in size\n");
 		BIO_printf(bio_err," -newkey dsa:file generate a new DSA key, parameters taken from CA in 'file'\n");
 
@@ -457,7 +475,7 @@ bad:
 				}
 			}
 		}
-		if(!add_oid_section(req_conf)) goto end;
+		if(!add_oid_section(bio_err, req_conf)) goto end;
 
 	if ((md_alg == NULL) &&
 		((p=CONF_get_string(req_conf,SECTION,"default_md")) != NULL))
@@ -513,7 +531,36 @@ bad:
 	if ((in == NULL) || (out == NULL))
 		goto end;
 
+	if (engine != NULL)
+		{
+		if((e = ENGINE_by_id(engine)) == NULL)
+			{
+			BIO_printf(bio_err,"invalid engine \"%s\"\n",
+				engine);
+			goto end;
+			}
+		if(!ENGINE_set_default(e, ENGINE_METHOD_ALL))
+			{
+			BIO_printf(bio_err,"can't use that engine\n");
+			goto end;
+			}
+		BIO_printf(bio_err,"engine \"%s\" set.\n", engine);
+		/* Free our "structural" reference. */
+		ENGINE_free(e);
+		}
+
 	if (keyfile != NULL)
+		{
+		if (keyform == FORMAT_ENGINE)
+			{
+			if (!e)
+				{
+				BIO_printf(bio_err,"no engine specified\n");
+				goto end;
+				}
+			pkey = ENGINE_load_private_key(e, keyfile, NULL);
+			}
+		else
 			{
 			if (BIO_read_filename(in,keyfile) <= 0)
 				{
@@ -525,25 +572,34 @@ bad:
 				pkey=d2i_PrivateKey_bio(in,NULL);
 			else if (keyform == FORMAT_PEM)
 				{
-			pkey=PEM_read_bio_PrivateKey(in,NULL,NULL,passin);
+				pkey=PEM_read_bio_PrivateKey(in,NULL,NULL,
+					passin);
 				}
 			else
 				{
 				BIO_printf(bio_err,"bad input format specified for X509 request\n");
 				goto end;
 				}
+			}
 
 		if (pkey == NULL)
 			{
 			BIO_printf(bio_err,"unable to load Private key\n");
 			goto end;
 			}
+                if (EVP_PKEY_type(pkey->type) == EVP_PKEY_DSA)
+			{
+			char *randfile = CONF_get_string(req_conf,SECTION,"RANDFILE");
+			app_RAND_load_file(randfile, bio_err, 0);
+                	}
 		}
 
 	if (newreq && (pkey == NULL))
 		{
 		char *randfile = CONF_get_string(req_conf,SECTION,"RANDFILE");
 		app_RAND_load_file(randfile, bio_err, 0);
+		if (inrand)
+			app_RAND_load_files(inrand);
 	
 		if (newkey <= 0)
 			{
@@ -593,6 +649,12 @@ bad:
 			{
 			BIO_printf(bio_err,"writing new private key to stdout\n");
 			BIO_set_fp(out,stdout,BIO_NOCLOSE);
+#ifdef VMS
+			{
+			BIO *tmpbio = BIO_new(BIO_f_linebuffer());
+			out = BIO_push(tmpbio, out);
+			}
+#endif
 			}
 		else
 			{
@@ -663,16 +725,15 @@ loop:
 
 	if (newreq || x509)
 		{
-#ifndef NO_DSA
-		if (pkey->type == EVP_PKEY_DSA)
-			digest=EVP_dss1();
-#endif
-
 		if (pkey == NULL)
 			{
 			BIO_printf(bio_err,"you need to specify a private key\n");
 			goto end;
 			}
+#ifndef NO_DSA
+		if (pkey->type == EVP_PKEY_DSA)
+			digest=EVP_dss1();
+#endif
 		if (req == NULL)
 			{
 			req=X509_REQ_new();
@@ -788,7 +849,15 @@ loop:
 		}
 
 	if (outfile == NULL)
+		{
 		BIO_set_fp(out,stdout,BIO_NOCLOSE);
+#ifdef VMS
+		{
+		BIO *tmpbio = BIO_new(BIO_f_linebuffer());
+		out = BIO_push(tmpbio, out);
+		}
+#endif
+		}
 	else
 		{
 		if ((keyout != NULL) && (strcmp(outfile,keyout) == 0))
@@ -874,12 +943,12 @@ end:
 		}
 	if ((req_conf != NULL) && (req_conf != config)) CONF_free(req_conf);
 	BIO_free(in);
-	BIO_free(out);
+	BIO_free_all(out);
 	EVP_PKEY_free(pkey);
 	X509_REQ_free(req);
 	X509_free(x509ss);
-	if(passargin && passin) Free(passin);
-	if(passargout && passout) Free(passout);
+	if(passargin && passin) OPENSSL_free(passin);
+	if(passargout && passout) OPENSSL_free(passout);
 	OBJ_cleanup();
 #ifndef NO_DSA
 	if (dsa_params != NULL) DSA_free(dsa_params);
@@ -1083,7 +1152,11 @@ static int auto_info(X509_REQ *req, STACK_OF(CONF_VALUE) *dn_sk,
 		 * multiple instances 
 		 */
 		for(p = v->name; *p ; p++) 
+#ifndef CHARSET_EBCDIC
 			if ((*p == ':') || (*p == ',') || (*p == '.')) {
+#else
+			if ((*p == os_toascii[':']) || (*p == os_toascii[',']) || (*p == os_toascii['.'])) {
+#endif
 				p++;
 				if(*p) type = p;
 				break;
@@ -1199,6 +1272,9 @@ start:
 		return(0);
 		}
 	buf[--i]='\0';
+#ifdef CHARSET_EBCDIC
+	ebcdic2ascii(buf, buf, i);
+#endif
 	if(!req_check_len(i, min, max)) goto start;
 
 	if(!X509_REQ_add1_attr_by_NID(req, nid, MBSTRING_ASC,
@@ -1256,25 +1332,3 @@ static int check_end(char *str, char *end)
 	tmp = str + slen - elen;
 	return strcmp(tmp, end);
 }
-
-static int add_oid_section(LHASH *conf)
-{	
-	char *p;
-	STACK_OF(CONF_VALUE) *sktmp;
-	CONF_VALUE *cnf;
-	int i;
-	if(!(p=CONF_get_string(conf,NULL,"oid_section"))) return 1;
-	if(!(sktmp = CONF_get_section(conf, p))) {
-		BIO_printf(bio_err, "problem loading oid section %s\n", p);
-		return 0;
-	}
-	for(i = 0; i < sk_CONF_VALUE_num(sktmp); i++) {
-		cnf = sk_CONF_VALUE_value(sktmp, i);
-		if(OBJ_create(cnf->value, cnf->name, cnf->name) == NID_undef) {
-			BIO_printf(bio_err, "problem creating object %s=%s\n",
-							 cnf->name, cnf->value);
-			return 0;
-		}
-	}
-	return 1;
-}

apps/rsa.c

@@ -68,6 +68,7 @@
 #include <openssl/evp.h>
 #include <openssl/x509.h>
 #include <openssl/pem.h>
+#include <openssl/engine.h>
 
 #undef PROG
 #define PROG	rsa_main
@@ -90,9 +91,10 @@ int MAIN(int, char **);
 
 int MAIN(int argc, char **argv)
 	{
+	ENGINE *e = NULL;
 	int ret=1;
 	RSA *rsa=NULL;
-	int i,badops=0;
+	int i,badops=0, sgckey=0;
 	const EVP_CIPHER *enc=NULL;
 	BIO *in=NULL,*out=NULL;
 	int informat,outformat,text=0,check=0,noout=0;
@@ -100,6 +102,7 @@ int MAIN(int argc, char **argv)
 	char *infile,*outfile,*prog;
 	char *passargin = NULL, *passargout = NULL;
 	char *passin = NULL, *passout = NULL;
+	char *engine=NULL;
 	int modulus=0;
 
 	apps_startup();
@@ -148,6 +151,13 @@ int MAIN(int argc, char **argv)
 			if (--argc < 1) goto bad;
 			passargout= *(++argv);
 			}
+		else if (strcmp(*argv,"-engine") == 0)
+			{
+			if (--argc < 1) goto bad;
+			engine= *(++argv);
+			}
+		else if (strcmp(*argv,"-sgckey") == 0)
+			sgckey=1;
 		else if (strcmp(*argv,"-pubin") == 0)
 			pubin=1;
 		else if (strcmp(*argv,"-pubout") == 0)
@@ -178,6 +188,7 @@ bad:
 		BIO_printf(bio_err," -inform arg     input format - one of DER NET PEM\n");
 		BIO_printf(bio_err," -outform arg    output format - one of DER NET PEM\n");
 		BIO_printf(bio_err," -in arg         input file\n");
+		BIO_printf(bio_err," -sgckey         Use IIS SGC key format\n");
 		BIO_printf(bio_err," -passin arg     input file pass phrase source\n");
 		BIO_printf(bio_err," -out arg        output file\n");
 		BIO_printf(bio_err," -passout arg    output file pass phrase source\n");
@@ -192,11 +203,30 @@ bad:
 		BIO_printf(bio_err," -check          verify key consistency\n");
 		BIO_printf(bio_err," -pubin          expect a public key in input file\n");
 		BIO_printf(bio_err," -pubout         output a public key\n");
+		BIO_printf(bio_err," -engine e       use engine e, possibly a hardware device.\n");
 		goto end;
 		}
 
 	ERR_load_crypto_strings();
 
+	if (engine != NULL)
+		{
+		if((e = ENGINE_by_id(engine)) == NULL)
+			{
+			BIO_printf(bio_err,"invalid engine \"%s\"\n",
+				engine);
+			goto end;
+			}
+		if(!ENGINE_set_default(e, ENGINE_METHOD_ALL))
+			{
+			BIO_printf(bio_err,"can't use that engine\n");
+			goto end;
+			}
+		BIO_printf(bio_err,"engine \"%s\" set.\n", engine);
+		/* Free our "structural" reference. */
+		ENGINE_free(e);
+		}
+
 	if(!app_passwd(bio_err, passargin, passargout, &passin, &passout)) {
 		BIO_printf(bio_err, "Error getting passwords\n");
 		goto end;
@@ -254,7 +284,7 @@ bad:
 				}
 			}
 		p=(unsigned char *)buf->data;
-		rsa=d2i_Netscape_RSA(NULL,&p,(long)size,NULL);
+		rsa=d2i_RSA_NET(NULL,&p,(long)size,NULL, sgckey);
 		BUF_MEM_free(buf);
 		}
 #endif
@@ -275,7 +305,15 @@ bad:
 		}
 
 	if (outfile == NULL)
+		{
 		BIO_set_fp(out,stdout,BIO_NOCLOSE);
+#ifdef VMS
+		{
+		BIO *tmpbio = BIO_new(BIO_f_linebuffer());
+		out = BIO_push(tmpbio, out);
+		}
+#endif
+		}
 	else
 		{
 		if (BIO_write_filename(out,outfile) <= 0)
@@ -344,16 +382,16 @@ bad:
 		int size;
 
 		i=1;
-		size=i2d_Netscape_RSA(rsa,NULL,NULL);
-		if ((p=(unsigned char *)Malloc(size)) == NULL)
+		size=i2d_RSA_NET(rsa,NULL,NULL, sgckey);
+		if ((p=(unsigned char *)OPENSSL_malloc(size)) == NULL)
 			{
-			BIO_printf(bio_err,"Malloc failure\n");
+			BIO_printf(bio_err,"Memory allocation failure\n");
 			goto end;
 			}
 		pp=p;
-		i2d_Netscape_RSA(rsa,&p,NULL);
+		i2d_RSA_NET(rsa,&p,NULL, sgckey);
 		BIO_write(out,(char *)pp,size);
-		Free(pp);
+		OPENSSL_free(pp);
 		}
 #endif
 	else if (outformat == FORMAT_PEM) {
@@ -374,10 +412,10 @@ bad:
 		ret=0;
 end:
 	if(in != NULL) BIO_free(in);
-	if(out != NULL) BIO_free(out);
+	if(out != NULL) BIO_free_all(out);
 	if(rsa != NULL) RSA_free(rsa);
-	if(passin) Free(passin);
-	if(passout) Free(passout);
+	if(passin) OPENSSL_free(passin);
+	if(passout) OPENSSL_free(passout);
 	EXIT(ret);
 	}
 #else /* !NO_RSA */

apps/rsautl.c

@@ -0,0 +1,319 @@
+/* rsautl.c */
+/* Written by Dr Stephen N Henson (shenson@bigfoot.com) for the OpenSSL
+ * project 2000.
+ */
+/* ====================================================================
+ * Copyright (c) 2000 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    licensing@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+
+#ifndef NO_RSA
+
+#include "apps.h"
+#include <string.h>
+#include <openssl/err.h>
+#include <openssl/pem.h>
+#include <openssl/engine.h>
+
+#define RSA_SIGN 	1
+#define RSA_VERIFY 	2
+#define RSA_ENCRYPT 	3
+#define RSA_DECRYPT 	4
+
+#define KEY_PRIVKEY	1
+#define KEY_PUBKEY	2
+#define KEY_CERT	3
+
+static void usage(void);
+
+#undef PROG
+
+#define PROG rsautl_main
+
+int MAIN(int argc, char **);
+
+int MAIN(int argc, char **argv)
+{
+	ENGINE *e = NULL;
+	BIO *in = NULL, *out = NULL;
+	char *infile = NULL, *outfile = NULL;
+	char *keyfile = NULL;
+	char rsa_mode = RSA_VERIFY, key_type = KEY_PRIVKEY;
+	int keyform = FORMAT_PEM;
+	char need_priv = 0, badarg = 0, rev = 0;
+	char hexdump = 0, asn1parse = 0;
+	X509 *x;
+	EVP_PKEY *pkey = NULL;
+	RSA *rsa = NULL;
+	unsigned char *rsa_in = NULL, *rsa_out = NULL, pad;
+	int rsa_inlen, rsa_outlen = 0;
+	int keysize;
+	char *engine=NULL;
+
+	int ret = 1;
+
+	argc--;
+	argv++;
+
+	if(!bio_err) bio_err = BIO_new_fp(stderr, BIO_NOCLOSE);
+	ERR_load_crypto_strings();
+	OpenSSL_add_all_algorithms();
+	pad = RSA_PKCS1_PADDING;
+	
+	while(argc >= 1)
+	{
+		if (!strcmp(*argv,"-in")) {
+			if (--argc < 1) badarg = 1;
+                        infile= *(++argv);
+		} else if (!strcmp(*argv,"-out")) {
+			if (--argc < 1) badarg = 1;
+			outfile= *(++argv);
+		} else if(!strcmp(*argv, "-inkey")) {
+			if (--argc < 1) badarg = 1;
+			keyfile = *(++argv);
+		} else if(!strcmp(*argv, "-engine")) {
+			if (--argc < 1) badarg = 1;
+			engine = *(++argv);
+		} else if(!strcmp(*argv, "-pubin")) {
+			key_type = KEY_PUBKEY;
+		} else if(!strcmp(*argv, "-certin")) {
+			key_type = KEY_CERT;
+		} 
+		else if(!strcmp(*argv, "-asn1parse")) asn1parse = 1;
+		else if(!strcmp(*argv, "-hexdump")) hexdump = 1;
+		else if(!strcmp(*argv, "-raw")) pad = RSA_NO_PADDING;
+		else if(!strcmp(*argv, "-oaep")) pad = RSA_PKCS1_OAEP_PADDING;
+		else if(!strcmp(*argv, "-ssl")) pad = RSA_SSLV23_PADDING;
+		else if(!strcmp(*argv, "-pkcs")) pad = RSA_PKCS1_PADDING;
+		else if(!strcmp(*argv, "-sign")) {
+			rsa_mode = RSA_SIGN;
+			need_priv = 1;
+		} else if(!strcmp(*argv, "-verify")) rsa_mode = RSA_VERIFY;
+		else if(!strcmp(*argv, "-rev")) rev = 1;
+		else if(!strcmp(*argv, "-encrypt")) rsa_mode = RSA_ENCRYPT;
+		else if(!strcmp(*argv, "-decrypt")) {
+			rsa_mode = RSA_DECRYPT;
+			need_priv = 1;
+		} else badarg = 1;
+		if(badarg) {
+			usage();
+			goto end;
+		}
+		argc--;
+		argv++;
+	}
+
+	if(need_priv && (key_type != KEY_PRIVKEY)) {
+		BIO_printf(bio_err, "A private key is needed for this operation\n");
+		goto end;
+	}
+
+	if (engine != NULL)
+		{
+		if((e = ENGINE_by_id(engine)) == NULL)
+			{
+			BIO_printf(bio_err,"invalid engine \"%s\"\n",
+				engine);
+			goto end;
+			}
+		if(!ENGINE_set_default(e, ENGINE_METHOD_ALL))
+			{
+			BIO_printf(bio_err,"can't use that engine\n");
+			goto end;
+			}
+		BIO_printf(bio_err,"engine \"%s\" set.\n", engine);
+		/* Free our "structural" reference. */
+		ENGINE_free(e);
+		}
+
+/* FIXME: seed PRNG only if needed */
+	app_RAND_load_file(NULL, bio_err, 0);
+	
+	switch(key_type) {
+		case KEY_PRIVKEY:
+		pkey = load_key(bio_err, keyfile, keyform, NULL);
+		break;
+
+		case KEY_PUBKEY:
+		pkey = load_pubkey(bio_err, keyfile, keyform);
+		break;
+
+		case KEY_CERT:
+		x = load_cert(bio_err, keyfile, keyform);
+		if(x) {
+			pkey = X509_get_pubkey(x);
+			X509_free(x);
+		}
+		break;
+	}
+
+	if(!pkey) {
+		BIO_printf(bio_err, "Error loading key\n");
+		return 1;
+	}
+
+	rsa = EVP_PKEY_get1_RSA(pkey);
+	EVP_PKEY_free(pkey);
+
+	if(!rsa) {
+		BIO_printf(bio_err, "Error getting RSA key\n");
+		ERR_print_errors(bio_err);
+		goto end;
+	}
+
+
+	if(infile) {
+		if(!(in = BIO_new_file(infile, "rb"))) {
+			BIO_printf(bio_err, "Error Reading Input File\n");
+			ERR_print_errors(bio_err);	
+			goto end;
+		}
+	} else in = BIO_new_fp(stdin, BIO_NOCLOSE);
+
+	if(outfile) {
+		if(!(out = BIO_new_file(outfile, "wb"))) {
+			BIO_printf(bio_err, "Error Reading Output File\n");
+			ERR_print_errors(bio_err);	
+			goto end;
+		}
+	} else {
+		out = BIO_new_fp(stdout, BIO_NOCLOSE);
+#ifdef VMS
+		{
+		    BIO *tmpbio = BIO_new(BIO_f_linebuffer());
+		    out = BIO_push(tmpbio, out);
+		}
+#endif
+	}
+
+	keysize = RSA_size(rsa);
+
+	rsa_in = OPENSSL_malloc(keysize * 2);
+	rsa_out = OPENSSL_malloc(keysize);
+
+	/* Read the input data */
+	rsa_inlen = BIO_read(in, rsa_in, keysize * 2);
+	if(rsa_inlen <= 0) {
+		BIO_printf(bio_err, "Error reading input Data\n");
+		exit(1);
+	}
+	if(rev) {
+		int i;
+		unsigned char ctmp;
+		for(i = 0; i < rsa_inlen/2; i++) {
+			ctmp = rsa_in[i];
+			rsa_in[i] = rsa_in[rsa_inlen - 1 - i];
+			rsa_in[rsa_inlen - 1 - i] = ctmp;
+		}
+	}
+	switch(rsa_mode) {
+
+		case RSA_VERIFY:
+			rsa_outlen  = RSA_public_decrypt(rsa_inlen, rsa_in, rsa_out, rsa, pad);
+		break;
+
+		case RSA_SIGN:
+			rsa_outlen  = RSA_private_encrypt(rsa_inlen, rsa_in, rsa_out, rsa, pad);
+		break;
+
+		case RSA_ENCRYPT:
+			rsa_outlen  = RSA_public_encrypt(rsa_inlen, rsa_in, rsa_out, rsa, pad);
+		break;
+
+		case RSA_DECRYPT:
+			rsa_outlen  = RSA_private_decrypt(rsa_inlen, rsa_in, rsa_out, rsa, pad);
+		break;
+
+	}
+
+	if(rsa_outlen <= 0) {
+		BIO_printf(bio_err, "RSA operation error\n");
+		ERR_print_errors(bio_err);
+		goto end;
+	}
+	ret = 0;
+	if(asn1parse) {
+		if(!ASN1_parse_dump(out, rsa_out, rsa_outlen, 1, -1)) {
+			ERR_print_errors(bio_err);
+		}
+	} else if(hexdump) BIO_dump(out, (char *)rsa_out, rsa_outlen);
+	else BIO_write(out, rsa_out, rsa_outlen);
+	end:
+	RSA_free(rsa);
+	BIO_free(in);
+	BIO_free_all(out);
+	if(rsa_in) OPENSSL_free(rsa_in);
+	if(rsa_out) OPENSSL_free(rsa_out);
+	return ret;
+}
+
+static void usage()
+{
+	BIO_printf(bio_err, "Usage: rsautl [options]\n");
+	BIO_printf(bio_err, "-in file        input file\n");
+	BIO_printf(bio_err, "-out file       output file\n");
+	BIO_printf(bio_err, "-inkey file     input key\n");
+	BIO_printf(bio_err, "-pubin          input is an RSA public\n");
+	BIO_printf(bio_err, "-certin         input is a certificate carrying an RSA public key\n");
+	BIO_printf(bio_err, "-engine e       use engine e, possibly a hardware device.\n");
+	BIO_printf(bio_err, "-ssl            use SSL v2 padding\n");
+	BIO_printf(bio_err, "-raw            use no padding\n");
+	BIO_printf(bio_err, "-pkcs           use PKCS#1 v1.5 padding (default)\n");
+	BIO_printf(bio_err, "-oaep           use PKCS#1 OAEP\n");
+	BIO_printf(bio_err, "-sign           sign with private key\n");
+	BIO_printf(bio_err, "-verify         verify with public key\n");
+	BIO_printf(bio_err, "-encrypt        encrypt with public key\n");
+	BIO_printf(bio_err, "-decrypt        decrypt with private key\n");
+	BIO_printf(bio_err, "-hexdump        hex dump output\n");
+}
+
+#endif

apps/s_client.c

@@ -79,6 +79,8 @@ typedef unsigned int u_int;
 #include <openssl/ssl.h>
 #include <openssl/err.h>
 #include <openssl/pem.h>
+#include <openssl/rand.h>
+#include <openssl/engine.h>
 #include "s_apps.h"
 
 #ifdef WINDOWS
@@ -152,7 +154,8 @@ static void sc_usage(void)
 	BIO_printf(bio_err," -bugs         - Switch on all SSL implementation bug workarounds\n");
 	BIO_printf(bio_err," -cipher       - preferred cipher to use, use the 'openssl ciphers'\n");
 	BIO_printf(bio_err,"                 command to see what is available\n");
-
+	BIO_printf(bio_err," -rand file%cfile%c...\n", LIST_SEPARATOR_CHAR, LIST_SEPARATOR_CHAR);
+	BIO_printf(bio_err," -engine id    - Initialise and use the specified engine\n");
 	}
 
 int MAIN(int, char **);
@@ -179,6 +182,9 @@ int MAIN(int argc, char **argv)
 	int prexit = 0;
 	SSL_METHOD *meth=NULL;
 	BIO *sbio;
+	char *inrand=NULL;
+	char *engine_id=NULL;
+	ENGINE *e=NULL;
 #ifdef WINDOWS
 	struct timeval tv;
 #endif
@@ -201,8 +207,8 @@ int MAIN(int argc, char **argv)
 	if (bio_err == NULL)
 		bio_err=BIO_new_fp(stderr,BIO_NOCLOSE);
 
-	if (	((cbuf=Malloc(BUFSIZZ)) == NULL) ||
-		((sbuf=Malloc(BUFSIZZ)) == NULL))
+	if (	((cbuf=OPENSSL_malloc(BUFSIZZ)) == NULL) ||
+		((sbuf=OPENSSL_malloc(BUFSIZZ)) == NULL))
 		{
 		BIO_printf(bio_err,"out of memory\n");
 		goto end;
@@ -316,6 +322,16 @@ int MAIN(int argc, char **argv)
 		else if (strcmp(*argv,"-nbio") == 0)
 			{ c_nbio=1; }
 #endif
+		else if (strcmp(*argv,"-rand") == 0)
+			{
+			if (--argc < 1) goto bad;
+			inrand= *(++argv);
+			}
+		else if	(strcmp(*argv,"-engine") == 0)
+			{
+			if (--argc < 1) goto bad;
+			engine_id = *(++argv);
+			}
 		else
 			{
 			BIO_printf(bio_err,"unknown option %s\n",*argv);
@@ -332,7 +348,14 @@ bad:
 		goto end;
 		}
 
-	app_RAND_load_file(NULL, bio_err, 0);
+	if (!app_RAND_load_file(NULL, bio_err, 1) && inrand == NULL
+		&& !RAND_status())
+		{
+		BIO_printf(bio_err,"warning, not much extra random data, consider using the -rand option\n");
+		}
+	if (inrand != NULL)
+		BIO_printf(bio_err,"%ld semi-random bytes loaded\n",
+			app_RAND_load_files(inrand));
 
 	if (bio_c_out == NULL)
 		{
@@ -349,6 +372,30 @@ bad:
 
 	OpenSSL_add_ssl_algorithms();
 	SSL_load_error_strings();
+
+	if (engine_id != NULL)
+		{
+		if((e = ENGINE_by_id(engine_id)) == NULL)
+			{
+			BIO_printf(bio_err,"invalid engine\n");
+			ERR_print_errors(bio_err);
+			goto end;
+			}
+		if (c_debug)
+			{
+			ENGINE_ctrl(e, ENGINE_CTRL_SET_LOGSTREAM,
+				0, bio_err, 0);
+			}
+		if(!ENGINE_set_default(e, ENGINE_METHOD_ALL))
+			{
+			BIO_printf(bio_err,"can't use that engine\n");
+			ERR_print_errors(bio_err);
+			goto end;
+			}
+		BIO_printf(bio_err,"engine \"%s\" set.\n", engine_id);
+		ENGINE_free(e);
+		}
+
 	ctx=SSL_CTX_new(meth);
 	if (ctx == NULL)
 		{
@@ -523,7 +570,7 @@ re_start:
 					tv.tv_usec = 0;
 					i=select(width,(void *)&readfds,(void *)&writefds,
 						 NULL,&tv);
-					if(!i && (!_kbhit() || !read_tty) ) continue;
+					if(!i && (!((_kbhit()) || (WAIT_OBJECT_0 == WaitForSingleObject(GetStdHandle(STD_INPUT_HANDLE), 0))) || !read_tty) ) continue;
 				} else 	i=select(width,(void *)&readfds,(void *)&writefds,
 					 NULL,NULL);
 			}
@@ -689,7 +736,7 @@ printf("read=%d pending=%d peek=%d\n",k,SSL_pending(con),SSL_peek(con,zbuf,10240
 			}
 
 #ifdef WINDOWS
-		else if (_kbhit())
+		else if ((_kbhit()) || (WAIT_OBJECT_0 == WaitForSingleObject(GetStdHandle(STD_INPUT_HANDLE), 0)))
 #else
 		else if (FD_ISSET(fileno(stdin),&readfds))
 #endif
@@ -753,8 +800,8 @@ end:
 	if (con != NULL) SSL_free(con);
 	if (con2 != NULL) SSL_free(con2);
 	if (ctx != NULL) SSL_CTX_free(ctx);
-	if (cbuf != NULL) { memset(cbuf,0,BUFSIZZ); Free(cbuf); }
-	if (sbuf != NULL) { memset(sbuf,0,BUFSIZZ); Free(sbuf); }
+	if (cbuf != NULL) { memset(cbuf,0,BUFSIZZ); OPENSSL_free(cbuf); }
+	if (sbuf != NULL) { memset(sbuf,0,BUFSIZZ); OPENSSL_free(sbuf); }
 	if (bio_c_out != NULL)
 		{
 		BIO_free(bio_c_out);

apps/s_server.c

@@ -83,6 +83,8 @@ typedef unsigned int u_int;
 #include <openssl/pem.h>
 #include <openssl/x509.h>
 #include <openssl/ssl.h>
+#include <openssl/rand.h>
+#include <openssl/engine.h>
 #include "s_apps.h"
 
 #ifdef WINDOWS
@@ -176,6 +178,7 @@ static int s_debug=0;
 static int s_quiet=0;
 
 static int hack=0;
+static char *engine_id=NULL;
 
 #ifdef MONOLITH
 static void s_server_init(void)
@@ -198,6 +201,7 @@ static void s_server_init(void)
 	s_debug=0;
 	s_quiet=0;
 	hack=0;
+	engine_id=NULL;
 	}
 #endif
 
@@ -242,6 +246,8 @@ static void sv_usage(void)
 	BIO_printf(bio_err," -bugs         - Turn on SSL bug compatibility\n");
 	BIO_printf(bio_err," -www          - Respond to a 'GET /' with a status page\n");
 	BIO_printf(bio_err," -WWW          - Respond to a 'GET /<path> HTTP/1.0' with file ./<path>\n");
+	BIO_printf(bio_err," -rand file%cfile%c...\n", LIST_SEPARATOR_CHAR, LIST_SEPARATOR_CHAR);
+	BIO_printf(bio_err," -engine id    - Initialise and use the specified engine\n");
 	}
 
 static int local_argc=0;
@@ -285,7 +291,7 @@ static int ebcdic_new(BIO *bi)
 {
 	EBCDIC_OUTBUFF *wbuf;
 
-	wbuf = (EBCDIC_OUTBUFF *)Malloc(sizeof(EBCDIC_OUTBUFF) + 1024);
+	wbuf = (EBCDIC_OUTBUFF *)OPENSSL_malloc(sizeof(EBCDIC_OUTBUFF) + 1024);
 	wbuf->alloced = 1024;
 	wbuf->buff[0] = '\0';
 
@@ -299,7 +305,7 @@ static int ebcdic_free(BIO *a)
 {
 	if (a == NULL) return(0);
 	if (a->ptr != NULL)
-		Free(a->ptr);
+		OPENSSL_free(a->ptr);
 	a->ptr=NULL;
 	a->init=0;
 	a->flags=0;
@@ -336,8 +342,8 @@ static int ebcdic_write(BIO *b, char *in, int inl)
 		num = num + num;  /* double the size */
 		if (num < inl)
 			num = inl;
-		Free(wbuf);
-		wbuf=(EBCDIC_OUTBUFF *)Malloc(sizeof(EBCDIC_OUTBUFF) + num);
+		OPENSSL_free(wbuf);
+		wbuf=(EBCDIC_OUTBUFF *)OPENSSL_malloc(sizeof(EBCDIC_OUTBUFF) + num);
 
 		wbuf->alloced = num;
 		wbuf->buff[0] = '\0';
@@ -411,6 +417,9 @@ int MAIN(int argc, char *argv[])
 	int no_tmp_rsa=0,no_dhe=0,nocert=0;
 	int state=0;
 	SSL_METHOD *meth=NULL;
+	char *inrand=NULL;
+	char *engine_id=NULL;
+	ENGINE *e=NULL;
 #ifndef NO_DH
 	DH *dh=NULL;
 #endif
@@ -565,6 +574,16 @@ int MAIN(int argc, char *argv[])
 		else if	(strcmp(*argv,"-tls1") == 0)
 			{ meth=TLSv1_server_method(); }
 #endif
+		else if (strcmp(*argv,"-rand") == 0)
+			{
+			if (--argc < 1) goto bad;
+			inrand= *(++argv);
+			}
+		else if (strcmp(*argv,"-engine") == 0)
+			{
+			if (--argc < 1) goto bad;
+			engine_id= *(++argv);
+			}
 		else
 			{
 			BIO_printf(bio_err,"unknown option %s\n",*argv);
@@ -581,7 +600,14 @@ bad:
 		goto end;
 		}
 
-	app_RAND_load_file(NULL, bio_err, 0);
+	if (!app_RAND_load_file(NULL, bio_err, 1) && inrand == NULL
+		&& !RAND_status())
+		{
+		BIO_printf(bio_err,"warning, not much extra random data, consider using the -rand option\n");
+		}
+	if (inrand != NULL)
+		BIO_printf(bio_err,"%ld semi-random bytes loaded\n",
+			app_RAND_load_files(inrand));
 
 	if (bio_s_out == NULL)
 		{
@@ -609,6 +635,29 @@ bad:
 	SSL_load_error_strings();
 	OpenSSL_add_ssl_algorithms();
 
+	if (engine_id != NULL)
+		{
+		if((e = ENGINE_by_id(engine_id)) == NULL)
+			{
+			BIO_printf(bio_err,"invalid engine\n");
+			ERR_print_errors(bio_err);
+			goto end;
+			}
+		if (s_debug)
+			{
+			ENGINE_ctrl(e, ENGINE_CTRL_SET_LOGSTREAM,
+				0, bio_err, 0);
+			}
+		if(!ENGINE_set_default(e, ENGINE_METHOD_ALL))
+			{
+			BIO_printf(bio_err,"can't use that engine\n");
+			ERR_print_errors(bio_err);
+			goto end;
+			}
+		BIO_printf(bio_err,"engine \"%s\" set.\n", engine_id);
+		ENGINE_free(e);
+		}
+
 	ctx=SSL_CTX_new(meth);
 	if (ctx == NULL)
 		{
@@ -676,6 +725,7 @@ bad:
 
 #ifndef NO_RSA
 #if 1
+	if (!no_tmp_rsa)
 		SSL_CTX_set_tmp_rsa_callback(ctx,tmp_rsa_cb);
 #else
 	if (!no_tmp_rsa && SSL_CTX_need_tmp_RSA(ctx))
@@ -766,7 +816,7 @@ static int sv_body(char *hostname, int s, unsigned char *context)
 	struct timeval tv;
 #endif
 
-	if ((buf=Malloc(bufsize)) == NULL)
+	if ((buf=OPENSSL_malloc(bufsize)) == NULL)
 		{
 		BIO_printf(bio_err,"out of memory\n");
 		goto err;
@@ -1028,7 +1078,7 @@ err:
 	if (buf != NULL)
 		{
 		memset(buf,0,bufsize);
-		Free(buf);
+		OPENSSL_free(buf);
 		}
 	if (ret >= 0)
 		BIO_printf(bio_s_out,"ACCEPT\n");
@@ -1145,7 +1195,7 @@ static int www_body(char *hostname, int s, unsigned char *context)
 	BIO *io,*ssl_bio,*sbio;
 	long total_bytes;
 
-	buf=Malloc(bufsize);
+	buf=OPENSSL_malloc(bufsize);
 	if (buf == NULL) return(0);
 	io=BIO_new(BIO_f_buffer());
 	ssl_bio=BIO_new(BIO_f_ssl());
@@ -1474,7 +1524,7 @@ err:
 	if (ret >= 0)
 		BIO_printf(bio_s_out,"ACCEPT\n");
 
-	if (buf != NULL) Free(buf);
+	if (buf != NULL) OPENSSL_free(buf);
 	if (io != NULL) BIO_free_all(io);
 /*	if (ssl_bio != NULL) BIO_free(ssl_bio);*/
 	return(ret);

apps/s_socket.c

@@ -209,9 +209,11 @@ static int init_client_ip(int *sock, unsigned char ip[4], int port)
 	s=socket(AF_INET,SOCK_STREAM,SOCKET_PROTOCOL);
 	if (s == INVALID_SOCKET) { perror("socket"); return(0); }
 
+#ifndef MPE
 	i=0;
 	i=setsockopt(s,SOL_SOCKET,SO_KEEPALIVE,(char *)&i,sizeof(i));
 	if (i < 0) { perror("keepalive"); return(0); }
+#endif
 
 	if (connect(s,(struct sockaddr *)&them,sizeof(them)) == -1)
 		{ close(s); perror("connect"); return(0); }
@@ -241,7 +243,7 @@ int do_server(int port, int *ret, int (*cb)(), char *context)
 			return(0);
 			}
 		i=(*cb)(name,sock, context);
-		if (name != NULL) Free(name);
+		if (name != NULL) OPENSSL_free(name);
 		SHUTDOWN2(sock);
 		if (i < 0)
 			{
@@ -372,9 +374,9 @@ redoit:
 		}
 	else
 		{
-		if ((*host=(char *)Malloc(strlen(h1->h_name)+1)) == NULL)
+		if ((*host=(char *)OPENSSL_malloc(strlen(h1->h_name)+1)) == NULL)
 			{
-			perror("Malloc");
+			perror("OPENSSL_malloc");
 			return(0);
 			}
 		strcpy(*host,h1->h_name);

apps/server.pem

@@ -1,17 +1,17 @@
 issuer= /C=AU/ST=Queensland/O=CryptSoft Pty Ltd/CN=Test CA (1024 bit)
-subject=/C=AU/ST=Queensland/O=CryptSoft Pty Ltd/CN=Server test cert (512 bit)
+subject= /C=AU/ST=Queensland/O=CryptSoft Pty Ltd/CN=Server test cert (512 bit)
 -----BEGIN CERTIFICATE-----
-MIIB6TCCAVICAQQwDQYJKoZIhvcNAQEEBQAwWzELMAkGA1UEBhMCQVUxEzARBgNV
+MIIB6TCCAVICAQYwDQYJKoZIhvcNAQEEBQAwWzELMAkGA1UEBhMCQVUxEzARBgNV
 BAgTClF1ZWVuc2xhbmQxGjAYBgNVBAoTEUNyeXB0U29mdCBQdHkgTHRkMRswGQYD
-VQQDExJUZXN0IENBICgxMDI0IGJpdCkwHhcNOTgwNjI5MjM1MjQwWhcNMDAwNjI4
-MjM1MjQwWjBjMQswCQYDVQQGEwJBVTETMBEGA1UECBMKUXVlZW5zbGFuZDEaMBgG
+VQQDExJUZXN0IENBICgxMDI0IGJpdCkwHhcNMDAxMDE2MjIzMTAzWhcNMDMwMTE0
+MjIzMTAzWjBjMQswCQYDVQQGEwJBVTETMBEGA1UECBMKUXVlZW5zbGFuZDEaMBgG
 A1UEChMRQ3J5cHRTb2Z0IFB0eSBMdGQxIzAhBgNVBAMTGlNlcnZlciB0ZXN0IGNl
 cnQgKDUxMiBiaXQpMFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBAJ+zw4Qnlf8SMVIP
 Fe9GEcStgOY2Ww/dgNdhjeD8ckUJNP5VZkVDTGiXav6ooKXfX3j/7tdkuD8Ey2//
-Kv7+ue0CAwEAATANBgkqhkiG9w0BAQQFAAOBgQCVvvfkGSe2GHgDFfmOua4Isjb9
-JVhImWMASiOClkZlMESDJjsszg/6+d/W+8TrbObhazpl95FivXBVucbj9dudh7AO
-IZu1h1MAPlyknc9Ud816vz3FejB4qqUoaXjnlkrIgEbr/un7jSS86WOe0hRhwHkJ
-FUGcPZf9ND22Etc+AQ==
+Kv7+ue0CAwEAATANBgkqhkiG9w0BAQQFAAOBgQCT0grFQeZaqYb5EYfk20XixZV4
+GmyAbXMftG1Eo7qGiMhYzRwGNWxEYojf5PZkYZXvSqZ/ZXHXa4g59jK/rJNnaVGM
+k+xIX8mxQvlV0n5O9PIha5BX5teZnkHKgL8aKKLKW1BK7YTngsfSzzaeame5iKfz
+itAE+OjGF+PFKbwX8Q==
 -----END CERTIFICATE-----
 -----BEGIN RSA PRIVATE KEY-----
 MIIBPAIBAAJBAJ+zw4Qnlf8SMVIPFe9GEcStgOY2Ww/dgNdhjeD8ckUJNP5VZkVD

apps/sess_id.c

@@ -206,7 +206,15 @@ bad:
 			}
 
 		if (outfile == NULL)
+			{
 			BIO_set_fp(out,stdout,BIO_NOCLOSE);
+#ifdef VMS
+			{
+			BIO *tmpbio = BIO_new(BIO_f_linebuffer());
+			out = BIO_push(tmpbio, out);
+			}
+#endif
+			}
 		else
 			{
 			if (BIO_write_filename(out,outfile) <= 0)
@@ -262,7 +270,7 @@ bad:
 		}
 	ret=0;
 end:
-	if (out != NULL) BIO_free(out);
+	if (out != NULL) BIO_free_all(out);
 	if (x != NULL) SSL_SESSION_free(x);
 	EXIT(ret);
 	}

apps/smime.c

@@ -64,12 +64,10 @@
 #include <openssl/crypto.h>
 #include <openssl/pem.h>
 #include <openssl/err.h>
+#include <openssl/engine.h>
 
 #undef PROG
 #define PROG smime_main
-static X509 *load_cert(char *file);
-static EVP_PKEY *load_key(char *file, char *pass);
-static STACK_OF(X509) *load_certs(char *file);
 static X509_STORE *setup_verify(char *CAfile, char *CApath);
 static int save_certs(char *signerfile, STACK_OF(X509) *signers);
 
@@ -84,13 +82,14 @@ int MAIN(int, char **);
 
 int MAIN(int argc, char **argv)
 {
+	ENGINE *e = NULL;
 	int operation = 0;
 	int ret = 0;
 	char **args;
 	char *inmode = "r", *outmode = "w";
 	char *infile = NULL, *outfile = NULL;
 	char *signerfile = NULL, *recipfile = NULL;
-	char *certfile = NULL, *keyfile = NULL;
+	char *certfile = NULL, *keyfile = NULL, *contfile=NULL;
 	EVP_CIPHER *cipher = NULL;
 	PKCS7 *p7 = NULL;
 	X509_STORE *store = NULL;
@@ -105,8 +104,10 @@ int MAIN(int argc, char **argv)
 	char *passargin = NULL, *passin = NULL;
 	char *inrand = NULL;
 	int need_rand = 0;
-	args = argv + 1;
+	int informat = FORMAT_SMIME, outformat = FORMAT_SMIME;
+	char *engine=NULL;
 
+	args = argv + 1;
 	ret = 1;
 
 	while (!badarg && *args && *args[0] == '-') {
@@ -143,6 +144,8 @@ int MAIN(int argc, char **argv)
 				flags |= PKCS7_NOATTR;
 		else if (!strcmp (*args, "-nodetach")) 
 				flags &= ~PKCS7_DETACHED;
+		else if (!strcmp (*args, "-nosmimecap"))
+				flags |= PKCS7_NOSMIMECAP;
 		else if (!strcmp (*args, "-binary"))
 				flags |= PKCS7_BINARY;
 		else if (!strcmp (*args, "-nosigs"))
@@ -153,6 +156,11 @@ int MAIN(int argc, char **argv)
 				inrand = *args;
 			} else badarg = 1;
 			need_rand = 1;
+		} else if (!strcmp(*args,"-engine")) {
+			if (args[1]) {
+				args++;
+				engine = *args;
+			} else badarg = 1;
 		} else if (!strcmp(*args,"-passin")) {
 			if (args[1]) {
 				args++;
@@ -208,11 +216,26 @@ int MAIN(int argc, char **argv)
 				args++;
 				infile = *args;
 			} else badarg = 1;
+		} else if (!strcmp (*args, "-inform")) {
+			if (args[1]) {
+				args++;
+				informat = str2fmt(*args);
+			} else badarg = 1;
+		} else if (!strcmp (*args, "-outform")) {
+			if (args[1]) {
+				args++;
+				outformat = str2fmt(*args);
+			} else badarg = 1;
 		} else if (!strcmp (*args, "-out")) {
 			if (args[1]) {
 				args++;
 				outfile = *args;
 			} else badarg = 1;
+		} else if (!strcmp (*args, "-content")) {
+			if (args[1]) {
+				args++;
+				contfile = *args;
+			} else badarg = 1;
 		} else badarg = 1;
 		args++;
 	}
@@ -264,14 +287,18 @@ int MAIN(int argc, char **argv)
 		BIO_printf (bio_err, "-signer file   signer certificate file\n");
 		BIO_printf (bio_err, "-recip  file   recipient certificate file for decryption\n");
 		BIO_printf (bio_err, "-in file       input file\n");
+		BIO_printf (bio_err, "-inform arg    input format SMIME (default), PEM or DER\n");
 		BIO_printf (bio_err, "-inkey file    input private key (if not signer or recipient)\n");
 		BIO_printf (bio_err, "-out file      output file\n");
+		BIO_printf (bio_err, "-outform arg   output format SMIME (default), PEM or DER\n");
+		BIO_printf (bio_err, "-content file  supply or override content for detached signature\n");
 		BIO_printf (bio_err, "-to addr       to address\n");
 		BIO_printf (bio_err, "-from ad       from address\n");
 		BIO_printf (bio_err, "-subject s     subject\n");
 		BIO_printf (bio_err, "-text          include or delete text MIME headers\n");
 		BIO_printf (bio_err, "-CApath dir    trusted certificates directory\n");
 		BIO_printf (bio_err, "-CAfile file   trusted certificates file\n");
+		BIO_printf (bio_err, "-engine e      use engine e, possibly a hardware device.\n");
 		BIO_printf(bio_err,  "-rand file%cfile%c...\n", LIST_SEPARATOR_CHAR, LIST_SEPARATOR_CHAR);
 		BIO_printf(bio_err,  "               load the file (or the files in the directory) into\n");
 		BIO_printf(bio_err,  "               the random number generator\n");
@@ -279,6 +306,24 @@ int MAIN(int argc, char **argv)
 		goto end;
 	}
 
+	if (engine != NULL)
+		{
+		if((e = ENGINE_by_id(engine)) == NULL)
+			{
+			BIO_printf(bio_err,"invalid engine \"%s\"\n",
+				engine);
+			goto end;
+			}
+		if(!ENGINE_set_default(e, ENGINE_METHOD_ALL))
+			{
+			BIO_printf(bio_err,"can't use that engine\n");
+			goto end;
+			}
+		BIO_printf(bio_err,"engine \"%s\" set.\n", engine);
+		/* Free our "structural" reference. */
+		ENGINE_free(e);
+		}
+
 	if(!app_passwd(bio_err, passargin, NULL, &passin, NULL)) {
 		BIO_printf(bio_err, "Error getting password\n");
 		goto end;
@@ -295,9 +340,12 @@ int MAIN(int argc, char **argv)
 
 	if(operation != SMIME_SIGN) flags &= ~PKCS7_DETACHED;
 
-	if(flags & PKCS7_BINARY) {
-		if(operation & SMIME_OP) inmode = "rb";
-		else outmode = "rb";
+	if(operation & SMIME_OP) {
+		if(flags & PKCS7_BINARY) inmode = "rb";
+		if(outformat == FORMAT_ASN1) outmode = "wb";
+	} else {
+		if(flags & PKCS7_BINARY) outmode = "wb";
+		if(informat == FORMAT_ASN1) inmode = "rb";
 	}
 
 	if(operation == SMIME_ENCRYPT) {
@@ -311,7 +359,7 @@ int MAIN(int argc, char **argv)
 		}
 		encerts = sk_X509_new_null();
 		while (*args) {
-			if(!(cert = load_cert(*args))) {
+			if(!(cert = load_cert(bio_err,*args,FORMAT_PEM))) {
 				BIO_printf(bio_err, "Can't read recipient certificate file %s\n", *args);
 				goto end;
 			}
@@ -322,14 +370,14 @@ int MAIN(int argc, char **argv)
 	}
 
 	if(signerfile && (operation == SMIME_SIGN)) {
-		if(!(signer = load_cert(signerfile))) {
+		if(!(signer = load_cert(bio_err,signerfile,FORMAT_PEM))) {
 			BIO_printf(bio_err, "Can't read signer certificate file %s\n", signerfile);
 			goto end;
 		}
 	}
 
 	if(certfile) {
-		if(!(other = load_certs(certfile))) {
+		if(!(other = load_certs(bio_err,certfile,FORMAT_PEM))) {
 			BIO_printf(bio_err, "Can't read certificate file %s\n", certfile);
 			ERR_print_errors(bio_err);
 			goto end;
@@ -337,7 +385,7 @@ int MAIN(int argc, char **argv)
 	}
 
 	if(recipfile && (operation == SMIME_DECRYPT)) {
-		if(!(recip = load_cert(recipfile))) {
+		if(!(recip = load_cert(bio_err,recipfile,FORMAT_PEM))) {
 			BIO_printf(bio_err, "Can't read recipient certificate file %s\n", recipfile);
 			ERR_print_errors(bio_err);
 			goto end;
@@ -351,7 +399,7 @@ int MAIN(int argc, char **argv)
 	} else keyfile = NULL;
 
 	if(keyfile) {
-		if(!(key = load_key(keyfile, passin))) {
+		if(!(key = load_key(bio_err,keyfile, FORMAT_PEM, passin))) {
 			BIO_printf(bio_err, "Can't read recipient certificate file %s\n", keyfile);
 			ERR_print_errors(bio_err);
 			goto end;
@@ -372,7 +420,15 @@ int MAIN(int argc, char **argv)
 				 "Can't open output file %s\n", outfile);
 			goto end;
 		}
-	} else out = BIO_new_fp(stdout, BIO_NOCLOSE);
+	} else {
+		out = BIO_new_fp(stdout, BIO_NOCLOSE);
+#ifdef VMS
+		{
+		    BIO *tmpbio = BIO_new(BIO_f_linebuffer());
+		    out = BIO_push(tmpbio, out);
+		}
+#endif
+	}
 
 	if(operation == SMIME_VERIFY) {
 		if(!(store = setup_verify(CAfile, CApath))) goto end;
@@ -386,10 +442,28 @@ int MAIN(int argc, char **argv)
 		p7 = PKCS7_sign(signer, key, other, in, flags);
 		BIO_reset(in);
 	} else {
-		if(!(p7 = SMIME_read_PKCS7(in, &indata))) {
+		if(informat == FORMAT_SMIME) 
+			p7 = SMIME_read_PKCS7(in, &indata);
+		else if(informat == FORMAT_PEM) 
+			p7 = PEM_read_bio_PKCS7(in, NULL, NULL, NULL);
+		else if(informat == FORMAT_ASN1) 
+			p7 = d2i_PKCS7_bio(in, NULL);
+		else {
+			BIO_printf(bio_err, "Bad input format for PKCS#7 file\n");
+			goto end;
+		}
+
+		if(!p7) {
 			BIO_printf(bio_err, "Error reading S/MIME message\n");
 			goto end;
 		}
+		if(contfile) {
+			BIO_free(indata);
+			if(!(indata = BIO_new_file(contfile, "rb"))) {
+				BIO_printf(bio_err, "Can't read content file %s\n", contfile);
+				goto end;
+			}
+		}
 	}
 
 	if(!p7) {
@@ -425,7 +499,16 @@ int MAIN(int argc, char **argv)
 		if(to) BIO_printf(out, "To: %s\n", to);
 		if(from) BIO_printf(out, "From: %s\n", from);
 		if(subject) BIO_printf(out, "Subject: %s\n", subject);
+		if(outformat == FORMAT_SMIME) 
 			SMIME_write_PKCS7(out, p7, in, flags);
+		else if(outformat == FORMAT_PEM) 
+			PEM_write_bio_PKCS7(out,p7);
+		else if(outformat == FORMAT_ASN1) 
+			i2d_PKCS7_bio(out,p7);
+		else {
+			BIO_printf(bio_err, "Bad output format for PKCS#7 file\n");
+			goto end;
+		}
 	}
 	ret = 0;
 end:
@@ -442,54 +525,11 @@ end:
 	PKCS7_free(p7);
 	BIO_free(in);
 	BIO_free(indata);
-	BIO_free(out);
-	if(passin) Free(passin);
+	BIO_free_all(out);
+	if(passin) OPENSSL_free(passin);
 	return (ret);
 }
 
-static X509 *load_cert(char *file)
-{
-	BIO *in;
-	X509 *cert;
-	if(!(in = BIO_new_file(file, "r"))) return NULL;
-	cert = PEM_read_bio_X509(in, NULL, NULL,NULL);
-	BIO_free(in);
-	return cert;
-}
-
-static EVP_PKEY *load_key(char *file, char *pass)
-{
-	BIO *in;
-	EVP_PKEY *key;
-	if(!(in = BIO_new_file(file, "r"))) return NULL;
-	key = PEM_read_bio_PrivateKey(in, NULL,NULL,pass);
-	BIO_free(in);
-	return key;
-}
-
-static STACK_OF(X509) *load_certs(char *file)
-{
-	BIO *in;
-	int i;
-	STACK_OF(X509) *othercerts;
-	STACK_OF(X509_INFO) *allcerts;
-	X509_INFO *xi;
-	if(!(in = BIO_new_file(file, "r"))) return NULL;
-	othercerts = sk_X509_new(NULL);
-	if(!othercerts) return NULL;
-	allcerts = PEM_X509_INFO_read_bio(in, NULL, NULL, NULL);
-	for(i = 0; i < sk_X509_INFO_num(allcerts); i++) {
-		xi = sk_X509_INFO_value (allcerts, i);
-		if (xi->x509) {
-			sk_X509_push(othercerts, xi->x509);
-			xi->x509 = NULL;
-		}
-	}
-	sk_X509_INFO_pop_free(allcerts, X509_INFO_free);
-	BIO_free(in);
-	return othercerts;
-}
-
 static X509_STORE *setup_verify(char *CAfile, char *CApath)
 {
 	X509_STORE *store;

apps/speed.c

@@ -81,17 +81,27 @@
 #include <openssl/crypto.h>
 #include <openssl/rand.h>
 #include <openssl/err.h>
+#include <openssl/engine.h>
 
-#if !defined(MSDOS) && (!defined(VMS) || defined(__DECC))
-#define TIMES
+#if defined(__FreeBSD__)
+# define USE_TOD
+#elif !defined(MSDOS) && (!defined(VMS) || defined(__DECC))
+# define TIMES
+#endif
+#if !defined(_UNICOS) && !defined(__OpenBSD__) && !defined(sgi) && !defined(__FreeBSD__) && !(defined(__bsdi) || defined(__bsdi__)) && !defined(_AIX) && !defined(MPE)
+# define TIMEB
 #endif
 
 #ifndef _IRIX
-#include <time.h>
+# include <time.h>
 #endif
 #ifdef TIMES
-#include <sys/types.h>
-#include <sys/times.h>
+# include <sys/types.h>
+# include <sys/times.h>
+#endif
+#ifdef USE_TOD
+# include <sys/time.h>
+# include <sys/resource.h>
 #endif
 
 /* Depending on the VMS version, the tms structure is perhaps defined.
@@ -102,10 +112,14 @@
 #undef TIMES
 #endif
 
-#ifndef TIMES
+#ifdef TIMEB
 #include <sys/timeb.h>
 #endif
 
+#if !defined(TIMES) && !defined(TIMEB) && !defined(USE_TOD)
+#error "It seems neither struct tms nor struct timeb is supported in this platform!"
+#endif
+
 #if defined(sun) || defined(__ultrix)
 #define _POSIX_SOURCE
 #include <limits.h>
@@ -121,6 +135,9 @@
 #ifndef NO_MDC2
 #include <openssl/mdc2.h>
 #endif
+#ifndef NO_MD4
+#include <openssl/md4.h>
+#endif
 #ifndef NO_MD5
 #include <openssl/md5.h>
 #endif
@@ -178,7 +195,7 @@
 #define BUFSIZE	((long)1024*8+1)
 int run=0;
 
-static double Time_F(int s);
+static double Time_F(int s, int usertime);
 static void print_message(char *s,long num,int length);
 static void pkey_print_message(char *str,char *str2,long num,int bits,int sec);
 #ifdef SIGALRM
@@ -202,10 +219,54 @@ static SIGRETTYPE sig_done(int sig)
 #define START	0
 #define STOP	1
 
-static double Time_F(int s)
+static double Time_F(int s, int usertime)
 	{
 	double ret;
-#ifdef TIMES
+
+#ifdef USE_TOD
+	if(usertime)
+	    {
+		static struct rusage tstart,tend;
+
+		if (s == START)
+			{
+			getrusage(RUSAGE_SELF,&tstart);
+			return(0);
+			}
+		else
+			{
+			long i;
+
+			getrusage(RUSAGE_SELF,&tend);
+			i=(long)tend.ru_utime.tv_usec-(long)tstart.ru_utime.tv_usec;
+			ret=((double)(tend.ru_utime.tv_sec-tstart.ru_utime.tv_sec))
+			  +((double)i)/1000000.0;
+			return((ret < 0.001)?0.001:ret);
+			}
+		}
+	else
+		{
+		static struct timeval tstart,tend;
+		long i;
+
+		if (s == START)
+			{
+			gettimeofday(&tstart,NULL);
+			return(0);
+			}
+		else
+			{
+			gettimeofday(&tend,NULL);
+			i=(long)tend.tv_usec-(long)tstart.tv_usec;
+			ret=((double)(tend.tv_sec-tstart.tv_sec))+((double)i)/1000000.0;
+			return((ret < 0.001)?0.001:ret);
+			}
+		}
+#else  /* ndef USE_TOD */
+		
+# ifdef TIMES
+	if (usertime)
+		{
 		static struct tms tstart,tend;
 
 		if (s == START)
@@ -219,7 +280,13 @@ static double Time_F(int s)
 			ret=((double)(tend.tms_utime-tstart.tms_utime))/HZ;
 			return((ret < 1e-3)?1e-3:ret);
 			}
-#else /* !times() */
+		}
+# endif /* times() */
+# if defined(TIMES) && defined(TIMEB)
+	else
+# endif
+# ifdef TIMEB
+		{
 		static struct timeb tstart,tend;
 		long i;
 
@@ -235,6 +302,8 @@ static double Time_F(int s)
 			ret=((double)(tend.time-tstart.time))+((double)i)/1000.0;
 			return((ret < 0.001)?0.001:ret);
 			}
+		}
+# endif
 #endif
 	}
 
@@ -242,21 +311,25 @@ int MAIN(int, char **);
 
 int MAIN(int argc, char **argv)
 	{
+	ENGINE *e;
 	unsigned char *buf=NULL,*buf2=NULL;
 	int mret=1;
-#define ALGOR_NUM	14
+#define ALGOR_NUM	15
 #define SIZE_NUM	5
 #define RSA_NUM		4
 #define DSA_NUM		3
 	long count,rsa_count;
 	int i,j,k;
-	unsigned rsa_num,rsa_num2;
+	unsigned rsa_num;
 #ifndef NO_MD2
 	unsigned char md2[MD2_DIGEST_LENGTH];
 #endif
 #ifndef NO_MDC2
 	unsigned char mdc2[MDC2_DIGEST_LENGTH];
 #endif
+#ifndef NO_MD4
+	unsigned char md4[MD4_DIGEST_LENGTH];
+#endif
 #ifndef NO_MD5
 	unsigned char md5[MD5_DIGEST_LENGTH];
 	unsigned char hmac[MD5_DIGEST_LENGTH];
@@ -298,23 +371,24 @@ int MAIN(int argc, char **argv)
 #endif
 #define	D_MD2		0
 #define	D_MDC2		1
-#define	D_MD5		2
-#define	D_HMAC		3
-#define	D_SHA1		4
-#define D_RMD160	5
-#define	D_RC4		6
-#define	D_CBC_DES	7
-#define	D_EDE3_DES	8
-#define	D_CBC_IDEA	9
-#define	D_CBC_RC2	10
-#define	D_CBC_RC5	11
-#define	D_CBC_BF	12
-#define	D_CBC_CAST	13
+#define	D_MD4		2
+#define	D_MD5		3
+#define	D_HMAC		4
+#define	D_SHA1		5
+#define D_RMD160	6
+#define	D_RC4		7
+#define	D_CBC_DES	8
+#define	D_EDE3_DES	9
+#define	D_CBC_IDEA	10
+#define	D_CBC_RC2	11
+#define	D_CBC_RC5	12
+#define	D_CBC_BF	13
+#define	D_CBC_CAST	14
 	double d,results[ALGOR_NUM][SIZE_NUM];
 	static int lengths[SIZE_NUM]={8,64,256,1024,8*1024};
 	long c[ALGOR_NUM][SIZE_NUM];
 	static char *names[ALGOR_NUM]={
-		"md2","mdc2","md5","hmac(md5)","sha1","rmd160","rc4",
+		"md2","mdc2","md4","md5","hmac(md5)","sha1","rmd160","rc4",
 		"des cbc","des ede3","idea cbc",
 		"rc2 cbc","rc5-32/12 cbc","blowfish cbc","cast cbc"};
 #define	R_DSA_512	0
@@ -345,6 +419,11 @@ int MAIN(int argc, char **argv)
 	int dsa_doit[DSA_NUM];
 	int doit[ALGOR_NUM];
 	int pr_header=0;
+	int usertime=1;
+
+#ifndef TIMES
+	usertime=-1;
+#endif
 
 	apps_startup();
 	memset(results, 0, sizeof(results));
@@ -362,7 +441,7 @@ int MAIN(int argc, char **argv)
 		rsa_key[i]=NULL;
 #endif
 
-	if ((buf=(unsigned char *)Malloc((int)BUFSIZE)) == NULL)
+	if ((buf=(unsigned char *)OPENSSL_malloc((int)BUFSIZE)) == NULL)
 		{
 		BIO_printf(bio_err,"out of memory\n");
 		goto end;
@@ -370,7 +449,7 @@ int MAIN(int argc, char **argv)
 #ifndef NO_DES
 	buf_as_des_cblock = (des_cblock *)buf;
 #endif
-	if ((buf2=(unsigned char *)Malloc((int)BUFSIZE)) == NULL)
+	if ((buf2=(unsigned char *)OPENSSL_malloc((int)BUFSIZE)) == NULL)
 		{
 		BIO_printf(bio_err,"out of memory\n");
 		goto end;
@@ -391,6 +470,39 @@ int MAIN(int argc, char **argv)
 	argv++;
 	while (argc)
 		{
+		if	((argc > 0) && (strcmp(*argv,"-elapsed") == 0))
+			usertime = 0;
+		else
+		if	((argc > 0) && (strcmp(*argv,"-engine") == 0))
+			{
+			argc--;
+			argv++;
+			if(argc == 0)
+				{
+				BIO_printf(bio_err,"no engine given\n");
+				goto end;
+				}
+			if((e = ENGINE_by_id(*argv)) == NULL)
+				{
+				BIO_printf(bio_err,"invalid engine \"%s\"\n",
+					*argv);
+				goto end;
+				}
+			if(!ENGINE_set_default(e, ENGINE_METHOD_ALL))
+				{
+				BIO_printf(bio_err,"can't use that engine\n");
+				goto end;
+				}
+			BIO_printf(bio_err,"engine \"%s\" set.\n", *argv);
+			/* Free our "structural" reference. */
+			ENGINE_free(e);
+			/* It will be increased again further down.  We just
+			   don't want speed to confuse an engine with an
+			   algorithm, especially when none is given (which
+			   means all of them should be run) */
+			j--;
+			}
+		else
 #ifndef NO_MD2
 		if	(strcmp(*argv,"md2") == 0) doit[D_MD2]=1;
 		else
@@ -399,6 +511,10 @@ int MAIN(int argc, char **argv)
 			if (strcmp(*argv,"mdc2") == 0) doit[D_MDC2]=1;
 		else
 #endif
+#ifndef NO_MD4
+			if (strcmp(*argv,"md4") == 0) doit[D_MD4]=1;
+		else
+#endif
 #ifndef NO_MD5
 			if (strcmp(*argv,"md5") == 0) doit[D_MD5]=1;
 		else
@@ -434,7 +550,7 @@ int MAIN(int argc, char **argv)
 #ifdef RSAref
 			if (strcmp(*argv,"rsaref") == 0) 
 			{
-			RSA_set_default_method(RSA_PKCS1_RSAref());
+			RSA_set_default_openssl_method(RSA_PKCS1_RSAref());
 			j--;
 			}
 		else
@@ -442,7 +558,7 @@ int MAIN(int argc, char **argv)
 #ifndef RSA_NULL
 			if (strcmp(*argv,"openssl") == 0) 
 			{
-			RSA_set_default_method(RSA_PKCS1_SSLeay());
+			RSA_set_default_openssl_method(RSA_PKCS1_SSLeay());
 			j--;
 			}
 		else
@@ -510,8 +626,34 @@ int MAIN(int argc, char **argv)
 		else
 #endif
 			{
-			BIO_printf(bio_err,"bad value, pick one of\n");
-			BIO_printf(bio_err,"md2      mdc2	md5      hmac      sha1    rmd160\n");
+			BIO_printf(bio_err,"Error: bad option or value\n");
+			BIO_printf(bio_err,"\n");
+			BIO_printf(bio_err,"Available values:\n");
+#ifndef NO_MD2
+			BIO_printf(bio_err,"md2      ");
+#endif
+#ifndef NO_MDC2
+			BIO_printf(bio_err,"mdc2     ");
+#endif
+#ifndef NO_MD4
+			BIO_printf(bio_err,"md4      ");
+#endif
+#ifndef NO_MD5
+			BIO_printf(bio_err,"md5      ");
+#ifndef NO_HMAC
+			BIO_printf(bio_err,"hmac     ");
+#endif
+#endif
+#ifndef NO_SHA1
+			BIO_printf(bio_err,"sha1     ");
+#endif
+#ifndef NO_RIPEMD160
+			BIO_printf(bio_err,"rmd160");
+#endif
+#if !defined(NO_MD2) || !defined(NO_MDC2) || !defined(NO_MD4) || !defined(NO_MD5) || !defined(NO_SHA1) || !defined(NO_RIPEMD160)
+			BIO_printf(bio_err,"\n");
+#endif
+
 #ifndef NO_IDEA
 			BIO_printf(bio_err,"idea-cbc ");
 #endif
@@ -524,20 +666,49 @@ int MAIN(int argc, char **argv)
 #ifndef NO_BF
 			BIO_printf(bio_err,"bf-cbc");
 #endif
-#if !defined(NO_IDEA) && !defined(NO_RC2) && !defined(NO_BF) && !defined(NO_RC5)
+#if !defined(NO_IDEA) || !defined(NO_RC2) || !defined(NO_BF) || !defined(NO_RC5)
 			BIO_printf(bio_err,"\n");
 #endif
+
 			BIO_printf(bio_err,"des-cbc  des-ede3 ");
 #ifndef NO_RC4
 			BIO_printf(bio_err,"rc4");
 #endif
+			BIO_printf(bio_err,"\n");
+
 #ifndef NO_RSA
-			BIO_printf(bio_err,"\nrsa512   rsa1024  rsa2048  rsa4096\n");
+			BIO_printf(bio_err,"rsa512   rsa1024  rsa2048  rsa4096\n");
 #endif
+
 #ifndef NO_DSA
-			BIO_printf(bio_err,"\ndsa512   dsa1024  dsa2048\n");
+			BIO_printf(bio_err,"dsa512   dsa1024  dsa2048\n");
 #endif
-			BIO_printf(bio_err,"idea     rc2      des      rsa    blowfish\n");
+
+#ifndef NO_IDEA
+			BIO_printf(bio_err,"idea     ");
+#endif
+#ifndef NO_RC2
+			BIO_printf(bio_err,"rc2      ");
+#endif
+#ifndef NO_DES
+			BIO_printf(bio_err,"des      ");
+#endif
+#ifndef NO_RSA
+			BIO_printf(bio_err,"rsa      ");
+#endif
+#ifndef NO_BF
+			BIO_printf(bio_err,"blowfish");
+#endif
+#if !defined(NO_IDEA) || !defined(NO_RC2) || !defined(NO_DES) || !defined(NO_RSA) || !defined(NO_BF)
+			BIO_printf(bio_err,"\n");
+#endif
+
+			BIO_printf(bio_err,"\n");
+			BIO_printf(bio_err,"Available options:\n");
+#ifdef TIMES
+			BIO_printf(bio_err,"-elapsed        measure time in real time instead of CPU user time.\n");
+#endif
+			BIO_printf(bio_err,"-engine e       use engine e, possibly a hardware device.\n");
 			goto end;
 			}
 		argc--;
@@ -557,10 +728,13 @@ int MAIN(int argc, char **argv)
 	for (i=0; i<ALGOR_NUM; i++)
 		if (doit[i]) pr_header++;
 
-#ifndef TIMES
+	if (usertime == 0)
+		BIO_printf(bio_err,"You have chosen to measure elapsed time instead of user CPU time.\n");
+	if (usertime <= 0)
+		{
 		BIO_printf(bio_err,"To get the most accurate results, try to run this\n");
 		BIO_printf(bio_err,"program when this computer is idle.\n");
-#endif
+		}
 
 #ifndef NO_RSA
 	for (i=0; i<RSA_NUM; i++)
@@ -624,14 +798,15 @@ int MAIN(int argc, char **argv)
 	do	{
 		long i;
 		count*=2;
-		Time_F(START);
+		Time_F(START,usertime);
 		for (i=count; i; i--)
 			des_ecb_encrypt(buf_as_des_cblock,buf_as_des_cblock,
 				&(sch[0]),DES_ENCRYPT);
-		d=Time_F(STOP);
+		d=Time_F(STOP,usertime);
 		} while (d <3);
 	c[D_MD2][0]=count/10;
 	c[D_MDC2][0]=count/10;
+	c[D_MD4][0]=count;
 	c[D_MD5][0]=count;
 	c[D_HMAC][0]=count;
 	c[D_SHA1][0]=count;
@@ -649,6 +824,7 @@ int MAIN(int argc, char **argv)
 		{
 		c[D_MD2][i]=c[D_MD2][0]*4*lengths[0]/lengths[i];
 		c[D_MDC2][i]=c[D_MDC2][0]*4*lengths[0]/lengths[i];
+		c[D_MD4][i]=c[D_MD4][0]*4*lengths[0]/lengths[i];
 		c[D_MD5][i]=c[D_MD5][0]*4*lengths[0]/lengths[i];
 		c[D_HMAC][i]=c[D_HMAC][0]*4*lengths[0]/lengths[i];
 		c[D_SHA1][i]=c[D_SHA1][0]*4*lengths[0]/lengths[i];
@@ -725,10 +901,10 @@ int MAIN(int argc, char **argv)
 		for (j=0; j<SIZE_NUM; j++)
 			{
 			print_message(names[D_MD2],c[D_MD2][j],lengths[j]);
-			Time_F(START);
+			Time_F(START,usertime);
 			for (count=0,run=1; COND(c[D_MD2][j]); count++)
 				MD2(buf,(unsigned long)lengths[j],&(md2[0]));
-			d=Time_F(STOP);
+			d=Time_F(STOP,usertime);
 			BIO_printf(bio_err,"%ld %s's in %.2fs\n",
 				count,names[D_MD2],d);
 			results[D_MD2][j]=((double)count)/d*lengths[j];
@@ -741,10 +917,10 @@ int MAIN(int argc, char **argv)
 		for (j=0; j<SIZE_NUM; j++)
 			{
 			print_message(names[D_MDC2],c[D_MDC2][j],lengths[j]);
-			Time_F(START);
+			Time_F(START,usertime);
 			for (count=0,run=1; COND(c[D_MDC2][j]); count++)
 				MDC2(buf,(unsigned long)lengths[j],&(mdc2[0]));
-			d=Time_F(STOP);
+			d=Time_F(STOP,usertime);
 			BIO_printf(bio_err,"%ld %s's in %.2fs\n",
 				count,names[D_MDC2],d);
 			results[D_MDC2][j]=((double)count)/d*lengths[j];
@@ -752,16 +928,33 @@ int MAIN(int argc, char **argv)
 		}
 #endif
 
+#ifndef NO_MD4
+	if (doit[D_MD4])
+		{
+		for (j=0; j<SIZE_NUM; j++)
+			{
+			print_message(names[D_MD4],c[D_MD4][j],lengths[j]);
+			Time_F(START,usertime);
+			for (count=0,run=1; COND(c[D_MD4][j]); count++)
+				MD4(&(buf[0]),(unsigned long)lengths[j],&(md4[0]));
+			d=Time_F(STOP,usertime);
+			BIO_printf(bio_err,"%ld %s's in %.2fs\n",
+				count,names[D_MD4],d);
+			results[D_MD4][j]=((double)count)/d*lengths[j];
+			}
+		}
+#endif
+
 #ifndef NO_MD5
 	if (doit[D_MD5])
 		{
 		for (j=0; j<SIZE_NUM; j++)
 			{
 			print_message(names[D_MD5],c[D_MD5][j],lengths[j]);
-			Time_F(START);
+			Time_F(START,usertime);
 			for (count=0,run=1; COND(c[D_MD5][j]); count++)
 				MD5(&(buf[0]),(unsigned long)lengths[j],&(md5[0]));
-			d=Time_F(STOP);
+			d=Time_F(STOP,usertime);
 			BIO_printf(bio_err,"%ld %s's in %.2fs\n",
 				count,names[D_MD5],d);
 			results[D_MD5][j]=((double)count)/d*lengths[j];
@@ -779,14 +972,14 @@ int MAIN(int argc, char **argv)
 		for (j=0; j<SIZE_NUM; j++)
 			{
 			print_message(names[D_HMAC],c[D_HMAC][j],lengths[j]);
-			Time_F(START);
+			Time_F(START,usertime);
 			for (count=0,run=1; COND(c[D_HMAC][j]); count++)
 				{
 				HMAC_Init(&hctx,NULL,0,NULL);
                                 HMAC_Update(&hctx,buf,lengths[j]);
                                 HMAC_Final(&hctx,&(hmac[0]),NULL);
 				}
-			d=Time_F(STOP);
+			d=Time_F(STOP,usertime);
 			BIO_printf(bio_err,"%ld %s's in %.2fs\n",
 				count,names[D_HMAC],d);
 			results[D_HMAC][j]=((double)count)/d*lengths[j];
@@ -799,10 +992,10 @@ int MAIN(int argc, char **argv)
 		for (j=0; j<SIZE_NUM; j++)
 			{
 			print_message(names[D_SHA1],c[D_SHA1][j],lengths[j]);
-			Time_F(START);
+			Time_F(START,usertime);
 			for (count=0,run=1; COND(c[D_SHA1][j]); count++)
 				SHA1(buf,(unsigned long)lengths[j],&(sha[0]));
-			d=Time_F(STOP);
+			d=Time_F(STOP,usertime);
 			BIO_printf(bio_err,"%ld %s's in %.2fs\n",
 				count,names[D_SHA1],d);
 			results[D_SHA1][j]=((double)count)/d*lengths[j];
@@ -815,10 +1008,10 @@ int MAIN(int argc, char **argv)
 		for (j=0; j<SIZE_NUM; j++)
 			{
 			print_message(names[D_RMD160],c[D_RMD160][j],lengths[j]);
-			Time_F(START);
+			Time_F(START,usertime);
 			for (count=0,run=1; COND(c[D_RMD160][j]); count++)
 				RIPEMD160(buf,(unsigned long)lengths[j],&(rmd160[0]));
-			d=Time_F(STOP);
+			d=Time_F(STOP,usertime);
 			BIO_printf(bio_err,"%ld %s's in %.2fs\n",
 				count,names[D_RMD160],d);
 			results[D_RMD160][j]=((double)count)/d*lengths[j];
@@ -831,11 +1024,11 @@ int MAIN(int argc, char **argv)
 		for (j=0; j<SIZE_NUM; j++)
 			{
 			print_message(names[D_RC4],c[D_RC4][j],lengths[j]);
-			Time_F(START);
+			Time_F(START,usertime);
 			for (count=0,run=1; COND(c[D_RC4][j]); count++)
 				RC4(&rc4_ks,(unsigned int)lengths[j],
 					buf,buf);
-			d=Time_F(STOP);
+			d=Time_F(STOP,usertime);
 			BIO_printf(bio_err,"%ld %s's in %.2fs\n",
 				count,names[D_RC4],d);
 			results[D_RC4][j]=((double)count)/d*lengths[j];
@@ -848,11 +1041,11 @@ int MAIN(int argc, char **argv)
 		for (j=0; j<SIZE_NUM; j++)
 			{
 			print_message(names[D_CBC_DES],c[D_CBC_DES][j],lengths[j]);
-			Time_F(START);
+			Time_F(START,usertime);
 			for (count=0,run=1; COND(c[D_CBC_DES][j]); count++)
 				des_ncbc_encrypt(buf,buf,lengths[j],sch,
 						 &iv,DES_ENCRYPT);
-			d=Time_F(STOP);
+			d=Time_F(STOP,usertime);
 			BIO_printf(bio_err,"%ld %s's in %.2fs\n",
 				count,names[D_CBC_DES],d);
 			results[D_CBC_DES][j]=((double)count)/d*lengths[j];
@@ -864,12 +1057,12 @@ int MAIN(int argc, char **argv)
 		for (j=0; j<SIZE_NUM; j++)
 			{
 			print_message(names[D_EDE3_DES],c[D_EDE3_DES][j],lengths[j]);
-			Time_F(START);
+			Time_F(START,usertime);
 			for (count=0,run=1; COND(c[D_EDE3_DES][j]); count++)
 				des_ede3_cbc_encrypt(buf,buf,lengths[j],
 						     sch,sch2,sch3,
 						     &iv,DES_ENCRYPT);
-			d=Time_F(STOP);
+			d=Time_F(STOP,usertime);
 			BIO_printf(bio_err,"%ld %s's in %.2fs\n",
 				count,names[D_EDE3_DES],d);
 			results[D_EDE3_DES][j]=((double)count)/d*lengths[j];
@@ -882,12 +1075,12 @@ int MAIN(int argc, char **argv)
 		for (j=0; j<SIZE_NUM; j++)
 			{
 			print_message(names[D_CBC_IDEA],c[D_CBC_IDEA][j],lengths[j]);
-			Time_F(START);
+			Time_F(START,usertime);
 			for (count=0,run=1; COND(c[D_CBC_IDEA][j]); count++)
 				idea_cbc_encrypt(buf,buf,
 					(unsigned long)lengths[j],&idea_ks,
 					iv,IDEA_ENCRYPT);
-			d=Time_F(STOP);
+			d=Time_F(STOP,usertime);
 			BIO_printf(bio_err,"%ld %s's in %.2fs\n",
 				count,names[D_CBC_IDEA],d);
 			results[D_CBC_IDEA][j]=((double)count)/d*lengths[j];
@@ -900,12 +1093,12 @@ int MAIN(int argc, char **argv)
 		for (j=0; j<SIZE_NUM; j++)
 			{
 			print_message(names[D_CBC_RC2],c[D_CBC_RC2][j],lengths[j]);
-			Time_F(START);
+			Time_F(START,usertime);
 			for (count=0,run=1; COND(c[D_CBC_RC2][j]); count++)
 				RC2_cbc_encrypt(buf,buf,
 					(unsigned long)lengths[j],&rc2_ks,
 					iv,RC2_ENCRYPT);
-			d=Time_F(STOP);
+			d=Time_F(STOP,usertime);
 			BIO_printf(bio_err,"%ld %s's in %.2fs\n",
 				count,names[D_CBC_RC2],d);
 			results[D_CBC_RC2][j]=((double)count)/d*lengths[j];
@@ -918,12 +1111,12 @@ int MAIN(int argc, char **argv)
 		for (j=0; j<SIZE_NUM; j++)
 			{
 			print_message(names[D_CBC_RC5],c[D_CBC_RC5][j],lengths[j]);
-			Time_F(START);
+			Time_F(START,usertime);
 			for (count=0,run=1; COND(c[D_CBC_RC5][j]); count++)
 				RC5_32_cbc_encrypt(buf,buf,
 					(unsigned long)lengths[j],&rc5_ks,
 					iv,RC5_ENCRYPT);
-			d=Time_F(STOP);
+			d=Time_F(STOP,usertime);
 			BIO_printf(bio_err,"%ld %s's in %.2fs\n",
 				count,names[D_CBC_RC5],d);
 			results[D_CBC_RC5][j]=((double)count)/d*lengths[j];
@@ -936,12 +1129,12 @@ int MAIN(int argc, char **argv)
 		for (j=0; j<SIZE_NUM; j++)
 			{
 			print_message(names[D_CBC_BF],c[D_CBC_BF][j],lengths[j]);
-			Time_F(START);
+			Time_F(START,usertime);
 			for (count=0,run=1; COND(c[D_CBC_BF][j]); count++)
 				BF_cbc_encrypt(buf,buf,
 					(unsigned long)lengths[j],&bf_ks,
 					iv,BF_ENCRYPT);
-			d=Time_F(STOP);
+			d=Time_F(STOP,usertime);
 			BIO_printf(bio_err,"%ld %s's in %.2fs\n",
 				count,names[D_CBC_BF],d);
 			results[D_CBC_BF][j]=((double)count)/d*lengths[j];
@@ -954,12 +1147,12 @@ int MAIN(int argc, char **argv)
 		for (j=0; j<SIZE_NUM; j++)
 			{
 			print_message(names[D_CBC_CAST],c[D_CBC_CAST][j],lengths[j]);
-			Time_F(START);
+			Time_F(START,usertime);
 			for (count=0,run=1; COND(c[D_CBC_CAST][j]); count++)
 				CAST_cbc_encrypt(buf,buf,
 					(unsigned long)lengths[j],&cast_ks,
 					iv,CAST_ENCRYPT);
-			d=Time_F(STOP);
+			d=Time_F(STOP,usertime);
 			BIO_printf(bio_err,"%ld %s's in %.2fs\n",
 				count,names[D_CBC_CAST],d);
 			results[D_CBC_CAST][j]=((double)count)/d*lengths[j];
@@ -974,49 +1167,73 @@ int MAIN(int argc, char **argv)
 		int ret;
 		if (!rsa_doit[j]) continue;
 		ret=RSA_sign(NID_md5_sha1, buf,36, buf2, &rsa_num, rsa_key[j]);
-		pkey_print_message("private","rsa",rsa_c[j][0],rsa_bits[j],
+		if (ret == 0)
+			{
+			BIO_printf(bio_err,"RSA sign failure.  No RSA sign will be done.\n");
+			ERR_print_errors(bio_err);
+			rsa_count=1;
+			}
+		else
+			{
+			pkey_print_message("private","rsa",
+				rsa_c[j][0],rsa_bits[j],
 				RSA_SECONDS);
 /*			RSA_blinding_on(rsa_key[j],NULL); */
-		Time_F(START);
+			Time_F(START,usertime);
 			for (count=0,run=1; COND(rsa_c[j][0]); count++)
 				{
-			ret=RSA_sign(NID_md5_sha1, buf,36, buf2, &rsa_num,
-								 rsa_key[j]);
-			if (ret <= 0)
+				ret=RSA_sign(NID_md5_sha1, buf,36, buf2,
+					&rsa_num, rsa_key[j]);
+				if (ret == 0)
 					{
-				BIO_printf(bio_err,"RSA private encrypt failure\n");
+					BIO_printf(bio_err,
+						"RSA sign failure\n");
 					ERR_print_errors(bio_err);
 					count=1;
 					break;
 					}
 				}
-		d=Time_F(STOP);
-		BIO_printf(bio_err,"%ld %d bit private RSA's in %.2fs\n",
+			d=Time_F(STOP,usertime);
+			BIO_printf(bio_err,
+				"%ld %d bit private RSA's in %.2fs\n",
 				count,rsa_bits[j],d);
 			rsa_results[j][0]=d/(double)count;
 			rsa_count=count;
+			}
 
 #if 1
 		ret=RSA_verify(NID_md5_sha1, buf,36, buf2, rsa_num, rsa_key[j]);
-		pkey_print_message("public","rsa",rsa_c[j][1],rsa_bits[j],
-			RSA_SECONDS);
-		Time_F(START);
-		for (count=0,run=1; COND(rsa_c[j][1]); count++)
-			{
-			ret=RSA_verify(NID_md5_sha1, buf,36, buf2, rsa_num,
-								rsa_key[j]);
 		if (ret <= 0)
 			{
-				BIO_printf(bio_err,"RSA verify failure\n");
+			BIO_printf(bio_err,"RSA verify failure.  No RSA verify will be done.\n");
+			ERR_print_errors(bio_err);
+			rsa_doit[j] = 0;
+			}
+		else
+			{
+			pkey_print_message("public","rsa",
+				rsa_c[j][1],rsa_bits[j],
+				RSA_SECONDS);
+			Time_F(START,usertime);
+			for (count=0,run=1; COND(rsa_c[j][1]); count++)
+				{
+				ret=RSA_verify(NID_md5_sha1, buf,36, buf2,
+					rsa_num, rsa_key[j]);
+				if (ret == 0)
+					{
+					BIO_printf(bio_err,
+						"RSA verify failure\n");
 					ERR_print_errors(bio_err);
 					count=1;
 					break;
 					}
 				}
-		d=Time_F(STOP);
-		BIO_printf(bio_err,"%ld %d bit public RSA's in %.2fs\n",
+			d=Time_F(STOP,usertime);
+			BIO_printf(bio_err,
+				"%ld %d bit public RSA's in %.2fs\n",
 				count,rsa_bits[j],d);
 			rsa_results[j][1]=d/(double)count;
+			}
 #endif
 
 		if (rsa_count <= 1)
@@ -1038,54 +1255,77 @@ int MAIN(int argc, char **argv)
 	for (j=0; j<DSA_NUM; j++)
 		{
 		unsigned int kk;
+		int ret;
 
 		if (!dsa_doit[j]) continue;
 		DSA_generate_key(dsa_key[j]);
 /*		DSA_sign_setup(dsa_key[j],NULL); */
-		rsa_num=DSA_sign(EVP_PKEY_DSA,buf,20,buf2,
+		ret=DSA_sign(EVP_PKEY_DSA,buf,20,buf2,
 			&kk,dsa_key[j]);
-		pkey_print_message("sign","dsa",dsa_c[j][0],dsa_bits[j],
+		if (ret == 0)
+			{
+			BIO_printf(bio_err,"DSA sign failure.  No DSA sign will be done.\n");
+			ERR_print_errors(bio_err);
+			rsa_count=1;
+			}
+		else
+			{
+			pkey_print_message("sign","dsa",
+				dsa_c[j][0],dsa_bits[j],
 				DSA_SECONDS);
-		Time_F(START);
+			Time_F(START,usertime);
 			for (count=0,run=1; COND(dsa_c[j][0]); count++)
 				{
-			rsa_num=DSA_sign(EVP_PKEY_DSA,buf,20,buf2,
+				ret=DSA_sign(EVP_PKEY_DSA,buf,20,buf2,
 					&kk,dsa_key[j]);
-			if (rsa_num == 0)
+				if (ret == 0)
 					{
-				BIO_printf(bio_err,"DSA sign failure\n");
+					BIO_printf(bio_err,
+						"DSA sign failure\n");
 					ERR_print_errors(bio_err);
 					count=1;
 					break;
 					}
 				}
-		d=Time_F(STOP);
+			d=Time_F(STOP,usertime);
 			BIO_printf(bio_err,"%ld %d bit DSA signs in %.2fs\n",
 				count,dsa_bits[j],d);
 			dsa_results[j][0]=d/(double)count;
 			rsa_count=count;
+			}
 
-		rsa_num2=DSA_verify(EVP_PKEY_DSA,buf,20,buf2,
+		ret=DSA_verify(EVP_PKEY_DSA,buf,20,buf2,
 			kk,dsa_key[j]);
-		pkey_print_message("verify","dsa",dsa_c[j][1],dsa_bits[j],
+		if (ret <= 0)
+			{
+			BIO_printf(bio_err,"DSA verify failure.  No DSA verify will be done.\n");
+			ERR_print_errors(bio_err);
+			dsa_doit[j] = 0;
+			}
+		else
+			{
+			pkey_print_message("verify","dsa",
+				dsa_c[j][1],dsa_bits[j],
 				DSA_SECONDS);
-		Time_F(START);
+			Time_F(START,usertime);
 			for (count=0,run=1; COND(dsa_c[j][1]); count++)
 				{
-			rsa_num2=DSA_verify(EVP_PKEY_DSA,buf,20,buf2,
+				ret=DSA_verify(EVP_PKEY_DSA,buf,20,buf2,
 					kk,dsa_key[j]);
-			if (rsa_num2 == 0)
+				if (ret <= 0)
 					{
-				BIO_printf(bio_err,"DSA verify failure\n");
+					BIO_printf(bio_err,
+						"DSA verify failure\n");
 					ERR_print_errors(bio_err);
 					count=1;
 					break;
 					}
 				}
-		d=Time_F(STOP);
+			d=Time_F(STOP,usertime);
 			BIO_printf(bio_err,"%ld %d bit DSA verify in %.2fs\n",
 				count,dsa_bits[j],d);
 			dsa_results[j][1]=d/(double)count;
+			}
 
 		if (rsa_count <= 1)
 			{
@@ -1173,8 +1413,9 @@ int MAIN(int argc, char **argv)
 #endif
 	mret=0;
 end:
-	if (buf != NULL) Free(buf);
-	if (buf2 != NULL) Free(buf2);
+	ERR_print_errors(bio_err);
+	if (buf != NULL) OPENSSL_free(buf);
+	if (buf2 != NULL) OPENSSL_free(buf2);
 #ifndef NO_RSA
 	for (i=0; i<RSA_NUM; i++)
 		if (rsa_key[i] != NULL)

apps/spkac.c

@@ -69,6 +69,7 @@
 #include <openssl/lhash.h>
 #include <openssl/x509.h>
 #include <openssl/pem.h>
+#include <openssl/engine.h>
 
 #undef PROG
 #define PROG	spkac_main
@@ -81,6 +82,7 @@ int MAIN(int, char **);
 
 int MAIN(int argc, char **argv)
 	{
+	ENGINE *e = NULL;
 	int i,badops=0, ret = 1;
 	BIO *in = NULL,*out = NULL, *key = NULL;
 	int verify=0,noout=0,pubkey=0;
@@ -91,6 +93,7 @@ int MAIN(int argc, char **argv)
 	LHASH *conf = NULL;
 	NETSCAPE_SPKI *spki = NULL;
 	EVP_PKEY *pkey = NULL;
+	char *engine=NULL;
 
 	apps_startup();
 
@@ -136,6 +139,11 @@ int MAIN(int argc, char **argv)
 			if (--argc < 1) goto bad;
 			spksect= *(++argv);
 			}
+		else if (strcmp(*argv,"-engine") == 0)
+			{
+			if (--argc < 1) goto bad;
+			engine= *(++argv);
+			}
 		else if (strcmp(*argv,"-noout") == 0)
 			noout=1;
 		else if (strcmp(*argv,"-pubkey") == 0)
@@ -161,6 +169,7 @@ bad:
 		BIO_printf(bio_err," -noout         don't print SPKAC\n");
 		BIO_printf(bio_err," -pubkey        output public key\n");
 		BIO_printf(bio_err," -verify        verify SPKAC signature\n");
+		BIO_printf(bio_err," -engine e      use engine e, possibly a hardware device.\n");
 		goto end;
 		}
 
@@ -170,6 +179,24 @@ bad:
 		goto end;
 	}
 
+	if (engine != NULL)
+		{
+		if((e = ENGINE_by_id(engine)) == NULL)
+			{
+			BIO_printf(bio_err,"invalid engine \"%s\"\n",
+				engine);
+			goto end;
+			}
+		if(!ENGINE_set_default(e, ENGINE_METHOD_ALL))
+			{
+			BIO_printf(bio_err,"can't use that engine\n");
+			goto end;
+			}
+		BIO_printf(bio_err,"engine \"%s\" set.\n", engine);
+		/* Free our "structural" reference. */
+		ENGINE_free(e);
+		}
+
 	if(keyfile) {
 		if(strcmp(keyfile, "-")) key = BIO_new_file(keyfile, "r");
 		else key = BIO_new_fp(stdin, BIO_NOCLOSE);
@@ -192,7 +219,15 @@ bad:
 		spkstr = NETSCAPE_SPKI_b64_encode(spki);
 
 		if (outfile) out = BIO_new_file(outfile, "w");
-		else out = BIO_new_fp(stdout, BIO_NOCLOSE);
+		else {
+			out = BIO_new_fp(stdout, BIO_NOCLOSE);
+#ifdef VMS
+			{
+			    BIO *tmpbio = BIO_new(BIO_f_linebuffer());
+			    out = BIO_push(tmpbio, out);
+			}
+#endif
+		}
 
 		if(!out) {
 			BIO_printf(bio_err, "Error opening output file\n");
@@ -200,7 +235,7 @@ bad:
 			goto end;
 		}
 		BIO_printf(out, "SPKAC=%s\n", spkstr);
-		Free(spkstr);
+		OPENSSL_free(spkstr);
 		ret = 0;
 		goto end;
 	}
@@ -241,7 +276,15 @@ bad:
 	}
 
 	if (outfile) out = BIO_new_file(outfile, "w");
-	else out = BIO_new_fp(stdout, BIO_NOCLOSE);
+	else {
+		out = BIO_new_fp(stdout, BIO_NOCLOSE);
+#ifdef VMS
+		{
+		    BIO *tmpbio = BIO_new(BIO_f_linebuffer());
+		    out = BIO_push(tmpbio, out);
+		}
+#endif
+	}
 
 	if(!out) {
 		BIO_printf(bio_err, "Error opening output file\n");
@@ -268,9 +311,9 @@ end:
 	CONF_free(conf);
 	NETSCAPE_SPKI_free(spki);
 	BIO_free(in);
-	BIO_free(out);
+	BIO_free_all(out);
 	BIO_free(key);
 	EVP_PKEY_free(pkey);
-	if(passin) Free(passin);
+	if(passin) OPENSSL_free(passin);
 	EXIT(ret);
 	}

apps/verify.c

@@ -65,26 +65,29 @@
 #include <openssl/x509.h>
 #include <openssl/x509v3.h>
 #include <openssl/pem.h>
+#include <openssl/engine.h>
 
 #undef PROG
 #define PROG	verify_main
 
 static int MS_CALLBACK cb(int ok, X509_STORE_CTX *ctx);
-static int check(X509_STORE *ctx,char *file, STACK_OF(X509)*other, int purpose);
+static int check(X509_STORE *ctx, char *file, STACK_OF(X509) *uchain, STACK_OF(X509) *tchain, int purpose);
 static STACK_OF(X509) *load_untrusted(char *file);
-static int v_verbose=0;
+static int v_verbose=0, issuer_checks = 0;
 
 int MAIN(int, char **);
 
 int MAIN(int argc, char **argv)
 	{
+	ENGINE *e = NULL;
 	int i,ret=1;
 	int purpose = -1;
 	char *CApath=NULL,*CAfile=NULL;
-	char *untfile = NULL;
-	STACK_OF(X509) *untrusted = NULL;
+	char *untfile = NULL, *trustfile = NULL;
+	STACK_OF(X509) *untrusted = NULL, *trusted = NULL;
 	X509_STORE *cert_ctx=NULL;
 	X509_LOOKUP *lookup=NULL;
+	char *engine=NULL;
 
 	cert_ctx=X509_STORE_new();
 	if (cert_ctx == NULL) goto end;
@@ -132,8 +135,20 @@ int MAIN(int argc, char **argv)
 				if (argc-- < 1) goto end;
 				untfile= *(++argv);
 				}
+			else if (strcmp(*argv,"-trusted") == 0)
+				{
+				if (argc-- < 1) goto end;
+				trustfile= *(++argv);
+				}
+			else if (strcmp(*argv,"-engine") == 0)
+				{
+				if (--argc < 1) goto end;
+				engine= *(++argv);
+				}
 			else if (strcmp(*argv,"-help") == 0)
 				goto end;
+			else if (strcmp(*argv,"-issuer_checks") == 0)
+				issuer_checks=1;
 			else if (strcmp(*argv,"-verbose") == 0)
 				v_verbose=1;
 			else if (argv[0][0] == '-')
@@ -147,6 +162,24 @@ int MAIN(int argc, char **argv)
 			break;
 		}
 
+	if (engine != NULL)
+		{
+		if((e = ENGINE_by_id(engine)) == NULL)
+			{
+			BIO_printf(bio_err,"invalid engine \"%s\"\n",
+				engine);
+			goto end;
+			}
+		if(!ENGINE_set_default(e, ENGINE_METHOD_ALL))
+			{
+			BIO_printf(bio_err,"can't use that engine\n");
+			goto end;
+			}
+		BIO_printf(bio_err,"engine \"%s\" set.\n", engine);
+		/* Free our "structural" reference. */
+		ENGINE_free(e);
+		}
+
 	lookup=X509_STORE_add_lookup(cert_ctx,X509_LOOKUP_file());
 	if (lookup == NULL) abort();
 	if (CAfile) {
@@ -179,14 +212,22 @@ int MAIN(int argc, char **argv)
 		}
 	}
 
-	if (argc < 1) check(cert_ctx, NULL, untrusted, purpose);
+	if(trustfile) {
+		if(!(trusted = load_untrusted(trustfile))) {
+			BIO_printf(bio_err, "Error loading untrusted file %s\n", trustfile);
+			ERR_print_errors(bio_err);
+			goto end;
+		}
+	}
+
+	if (argc < 1) check(cert_ctx, NULL, untrusted, trusted, purpose);
 	else
 		for (i=0; i<argc; i++)
-			check(cert_ctx,argv[i], untrusted, purpose);
+			check(cert_ctx,argv[i], untrusted, trusted, purpose);
 	ret=0;
 end:
 	if (ret == 1) {
-		BIO_printf(bio_err,"usage: verify [-verbose] [-CApath path] [-CAfile file] cert1 cert2 ...\n");
+		BIO_printf(bio_err,"usage: verify [-verbose] [-CApath path] [-CAfile file] [-purpose purpose] [-engine e] cert1 cert2 ...\n");
 		BIO_printf(bio_err,"recognized usages:\n");
 		for(i = 0; i < X509_PURPOSE_get_count(); i++) {
 			X509_PURPOSE *ptmp;
@@ -197,10 +238,11 @@ end:
 	}
 	if (cert_ctx != NULL) X509_STORE_free(cert_ctx);
 	sk_X509_pop_free(untrusted, X509_free);
+	sk_X509_pop_free(trusted, X509_free);
 	EXIT(ret);
 	}
 
-static int check(X509_STORE *ctx, char *file, STACK_OF(X509) *uchain, int purpose)
+static int check(X509_STORE *ctx, char *file, STACK_OF(X509) *uchain, STACK_OF(X509) *tchain, int purpose)
 	{
 	X509 *x=NULL;
 	BIO *in=NULL;
@@ -242,7 +284,10 @@ static int check(X509_STORE *ctx, char *file, STACK_OF(X509) *uchain, int purpos
 		goto end;
 		}
 	X509_STORE_CTX_init(csc,ctx,x,uchain);
+	if(tchain) X509_STORE_CTX_trusted_stack(csc, tchain);
 	if(purpose >= 0) X509_STORE_CTX_set_purpose(csc, purpose);
+	if(issuer_checks)
+		X509_STORE_CTX_set_flags(csc, X509_V_FLAG_CB_ISSUER_CHECK);
 	i=X509_verify_cert(csc);
 	X509_STORE_CTX_free(csc);
 

apps/x509.c

@@ -73,6 +73,7 @@
 #include <openssl/x509v3.h>
 #include <openssl/objects.h>
 #include <openssl/pem.h>
+#include <openssl/engine.h>
 
 #undef PROG
 #define PROG x509_main
@@ -81,8 +82,6 @@
 #define	POSTFIX	".srl"
 #define DEF_DAYS	30
 
-#define CERT_HDR	"certificate"
-
 static char *x509_usage[]={
 "usage: x509 args\n",
 " -inform arg     - input format - default PEM (one of DER, NET or PEM)\n",
@@ -97,6 +96,7 @@ static char *x509_usage[]={
 " -hash           - print hash value\n",
 " -subject        - print subject DN\n",
 " -issuer         - print issuer DN\n",
+" -email          - print email address(es)\n",
 " -startdate      - notBefore field\n",
 " -enddate        - notAfter field\n",
 " -purpose        - print out certificate purposes\n",
@@ -113,6 +113,8 @@ static char *x509_usage[]={
 " -addreject arg  - reject certificate for a given purpose\n",
 " -setalias arg   - set certificate alias\n",
 " -days arg       - How long till expiry of a signed certificate - def 30 days\n",
+" -checkend arg   - check whether the cert expires in the next arg seconds\n",
+"                   exit 1 if so, 0 if not\n",
 " -signkey arg    - self sign cert with arg\n",
 " -x509toreq      - output a certification request object\n",
 " -req            - input is a certificate request, sign and output.\n",
@@ -126,13 +128,13 @@ static char *x509_usage[]={
 " -md2/-md5/-sha1/-mdc2 - digest to use\n",
 " -extfile        - configuration file with X509V3 extensions to add\n",
 " -extensions     - section from config file with X509V3 extensions to add\n",
-" -crlext         - delete extensions before signing and input certificate\n",
+" -clrext         - delete extensions before signing and input certificate\n",
+" -nameopt arg    - various certificate name options\n",
+" -engine e       - use engine e, possibly a hardware device.\n",
 NULL
 };
 
 static int MS_CALLBACK callb(int ok, X509_STORE_CTX *ctx);
-static EVP_PKEY *load_key(char *file, int format, char *passin);
-static X509 *load_cert(char *file, int format);
 static int sign (X509 *x, EVP_PKEY *pkey,int days,int clrext, const EVP_MD *digest,
 						LHASH *conf, char *section);
 static int x509_certify (X509_STORE *ctx,char *CAfile,const EVP_MD *digest,
@@ -145,6 +147,7 @@ int MAIN(int, char **);
 
 int MAIN(int argc, char **argv)
 	{
+	ENGINE *e = NULL;
 	int ret=1;
 	X509_REQ *req=NULL;
 	X509 *x=NULL,*xca=NULL;
@@ -159,7 +162,7 @@ int MAIN(int argc, char **argv)
 	char *CAkeyfile=NULL,*CAserial=NULL;
 	char *alias=NULL;
 	int text=0,serial=0,hash=0,subject=0,issuer=0,startdate=0,enddate=0;
-	int noout=0,sign_flag=0,CA_flag=0,CA_createserial=0;
+	int noout=0,sign_flag=0,CA_flag=0,CA_createserial=0,email=0;
 	int trustout=0,clrtrust=0,clrreject=0,aliasout=0,clrext=0;
 	int C=0;
 	int x509req=0,days=DEF_DAYS,modulus=0,pubkey=0;
@@ -173,6 +176,9 @@ int MAIN(int argc, char **argv)
 	LHASH *extconf = NULL;
 	char *extsect = NULL, *extfile = NULL, *passin = NULL, *passargin = NULL;
 	int need_rand = 0;
+	int checkend=0,checkoffset=0;
+	unsigned long nmflag = 0;
+	char *engine=NULL;
 
 	reqfile=0;
 
@@ -181,6 +187,12 @@ int MAIN(int argc, char **argv)
 	if (bio_err == NULL)
 		bio_err=BIO_new_fp(stderr,BIO_NOCLOSE);
 	STDout=BIO_new_fp(stdout,BIO_NOCLOSE);
+#ifdef VMS
+	{
+	BIO *tmpbio = BIO_new(BIO_f_linebuffer());
+	STDout = BIO_push(tmpbio, STDout);
+	}
+#endif
 
 	informat=FORMAT_PEM;
 	outformat=FORMAT_PEM;
@@ -289,24 +301,26 @@ int MAIN(int argc, char **argv)
 		else if (strcmp(*argv,"-addtrust") == 0)
 			{
 			if (--argc < 1) goto bad;
-			if(!(objtmp = OBJ_txt2obj(*(++argv), 0))) {
+			if (!(objtmp = OBJ_txt2obj(*(++argv), 0)))
+				{
 				BIO_printf(bio_err,
 					"Invalid trust object value %s\n", *argv);
 				goto bad;
 				}
-			if(!trust) trust = sk_ASN1_OBJECT_new_null();
+			if (!trust) trust = sk_ASN1_OBJECT_new_null();
 			sk_ASN1_OBJECT_push(trust, objtmp);
 			trustout = 1;
 			}
 		else if (strcmp(*argv,"-addreject") == 0)
 			{
 			if (--argc < 1) goto bad;
-			if(!(objtmp = OBJ_txt2obj(*(++argv), 0))) {
+			if (!(objtmp = OBJ_txt2obj(*(++argv), 0)))
+				{
 				BIO_printf(bio_err,
 					"Invalid reject object value %s\n", *argv);
 				goto bad;
 				}
-			if(!reject) reject = sk_ASN1_OBJECT_new_null();
+			if (!reject) reject = sk_ASN1_OBJECT_new_null();
 			sk_ASN1_OBJECT_push(reject, objtmp);
 			trustout = 1;
 			}
@@ -316,14 +330,26 @@ int MAIN(int argc, char **argv)
 			alias= *(++argv);
 			trustout = 1;
 			}
+		else if (strcmp(*argv,"-nameopt") == 0)
+			{
+			if (--argc < 1) goto bad;
+			if (!set_name_ex(&nmflag, *(++argv))) goto bad;
+			}
 		else if (strcmp(*argv,"-setalias") == 0)
 			{
 			if (--argc < 1) goto bad;
 			alias= *(++argv);
 			trustout = 1;
 			}
+		else if (strcmp(*argv,"-engine") == 0)
+			{
+			if (--argc < 1) goto bad;
+			engine= *(++argv);
+			}
 		else if (strcmp(*argv,"-C") == 0)
 			C= ++num;
+		else if (strcmp(*argv,"-email") == 0)
+			email= ++num;
 		else if (strcmp(*argv,"-serial") == 0)
 			serial= ++num;
 		else if (strcmp(*argv,"-modulus") == 0)
@@ -353,6 +379,12 @@ int MAIN(int argc, char **argv)
 			startdate= ++num;
 		else if (strcmp(*argv,"-enddate") == 0)
 			enddate= ++num;
+		else if (strcmp(*argv,"-checkend") == 0)
+			{
+			if (--argc < 1) goto bad;
+			checkoffset=atoi(*(++argv));
+			checkend=1;
+			}
 		else if (strcmp(*argv,"-noout") == 0)
 			noout= ++num;
 		else if (strcmp(*argv,"-trustout") == 0)
@@ -365,8 +397,15 @@ int MAIN(int argc, char **argv)
 			aliasout= ++num;
 		else if (strcmp(*argv,"-CAcreateserial") == 0)
 			CA_createserial= ++num;
-		else if (strcmp(*argv,"-crlext") == 0)
+		else if (strcmp(*argv,"-clrext") == 0)
 			clrext = 1;
+#if 1 /* stay backwards-compatible with 0.9.5; this should go away soon */
+		else if (strcmp(*argv,"-crlext") == 0)
+			{
+			BIO_printf(bio_err,"use -clrext instead of -crlext\n");
+			clrext = 1;
+			}
+#endif
 		else if ((md_alg=EVP_get_digestbyname(*argv + 1)))
 			{
 			/* ok */
@@ -390,12 +429,31 @@ bad:
 		goto end;
 		}
 
+	if (engine != NULL)
+		{
+		if((e = ENGINE_by_id(engine)) == NULL)
+			{
+			BIO_printf(bio_err,"invalid engine \"%s\"\n",
+				engine);
+			goto end;
+			}
+		if(!ENGINE_set_default(e, ENGINE_METHOD_ALL))
+			{
+			BIO_printf(bio_err,"can't use that engine\n");
+			goto end;
+			}
+		BIO_printf(bio_err,"engine \"%s\" set.\n", engine);
+		/* Free our "structural" reference. */
+		ENGINE_free(e);
+		}
+
 	if (need_rand)
 		app_RAND_load_file(NULL, bio_err, 0);
 
 	ERR_load_crypto_strings();
 
-	if(!app_passwd(bio_err, passargin, NULL, &passin, NULL)) {
+	if (!app_passwd(bio_err, passargin, NULL, &passin, NULL))
+		{
 		BIO_printf(bio_err, "Error getting password\n");
 		goto end;
 		}
@@ -414,10 +472,12 @@ bad:
 		goto end;
 		}
 
-	if (extfile) {
+	if (extfile)
+		{
 		long errorline;
 		X509V3_CTX ctx2;
-		if (!(extconf=CONF_load(NULL,extfile,&errorline))) {
+		if (!(extconf=CONF_load(NULL,extfile,&errorline)))
+			{
 			if (errorline <= 0)
 				BIO_printf(bio_err,
 					"error loading the config file '%s'\n",
@@ -428,11 +488,12 @@ bad:
 							,errorline,extfile);
 			goto end;
 			}
-		if(!extsect && !(extsect = CONF_get_string(extconf, "default",
+		if (!extsect && !(extsect = CONF_get_string(extconf, "default",
 					 "extensions"))) extsect = "default";
 		X509V3_set_ctx_test(&ctx2);
 		X509V3_set_conf_lhash(&ctx2, extconf);
-		if(!X509V3_EXT_add_conf(extconf, &ctx2, extsect, NULL)) {
+		if (!X509V3_EXT_add_conf(extconf, &ctx2, extsect, NULL))
+			{
 			BIO_printf(bio_err,
 				"Error Loading extension section %s\n",
 								 extsect);
@@ -467,13 +528,18 @@ bad:
 			if (BIO_read_filename(in,infile) <= 0)
 				{
 				perror(infile);
+				BIO_free(in);
 				goto end;
 				}
 			}
 		req=PEM_read_bio_X509_REQ(in,NULL,NULL,NULL);
 		BIO_free(in);
 
-		if (req == NULL) { perror(infile); goto end; }
+		if (req == NULL)
+			{
+			ERR_print_errors(bio_err);
+			goto end;
+			}
 
 		if (	(req->req_info == NULL) ||
 			(req->req_info->pubkey == NULL) ||
@@ -505,8 +571,7 @@ bad:
 		else
 			BIO_printf(bio_err,"Signature ok\n");
 
-		X509_NAME_oneline(req->req_info->subject,buf,256);
-		BIO_printf(bio_err,"subject=%s\n",buf);
+		print_name(bio_err, "subject=", X509_REQ_get_subject_name(req), nmflag);
 
 		if ((x=X509_new()) == NULL) goto end;
 		ci=x->cert_info;
@@ -523,12 +588,12 @@ bad:
 		EVP_PKEY_free(pkey);
 		}
 	else
-		x=load_cert(infile,informat);
+		x=load_cert(bio_err,infile,informat);
 
 	if (x == NULL) goto end;
 	if (CA_flag)
 		{
-		xca=load_cert(CAfile,CAformat);
+		xca=load_cert(bio_err,CAfile,CAformat);
 		if (xca == NULL) goto end;
 		}
 
@@ -544,7 +609,15 @@ bad:
 			goto end;
 			}
 		if (outfile == NULL)
+			{
 			BIO_set_fp(out,stdout,BIO_NOCLOSE);
+#ifdef VMS
+			{
+			BIO *tmpbio = BIO_new(BIO_f_linebuffer());
+			out = BIO_push(tmpbio, out);
+			}
+#endif
+			}
 		else
 			{
 			if (BIO_write_filename(out,outfile) <= 0)
@@ -555,20 +628,24 @@ bad:
 			}
 		}
 
-	if(alias) X509_alias_set1(x, (unsigned char *)alias, -1);
+	if (alias) X509_alias_set1(x, (unsigned char *)alias, -1);
 
-	if(clrtrust) X509_trust_clear(x);
-	if(clrreject) X509_reject_clear(x);
+	if (clrtrust) X509_trust_clear(x);
+	if (clrreject) X509_reject_clear(x);
 
-	if(trust) {
-		for(i = 0; i < sk_ASN1_OBJECT_num(trust); i++) {
+	if (trust)
+		{
+		for (i = 0; i < sk_ASN1_OBJECT_num(trust); i++)
+			{
 			objtmp = sk_ASN1_OBJECT_value(trust, i);
 			X509_add1_trust_object(x, objtmp);
 			}
 		}
 
-	if(reject) {
-		for(i = 0; i < sk_ASN1_OBJECT_num(reject); i++) {
+	if (reject)
+		{
+		for (i = 0; i < sk_ASN1_OBJECT_num(reject); i++)
+			{
 			objtmp = sk_ASN1_OBJECT_value(reject, i);
 			X509_add1_reject_object(x, objtmp);
 			}
@@ -580,15 +657,13 @@ bad:
 			{
 			if (issuer == i)
 				{
-				X509_NAME_oneline(X509_get_issuer_name(x),
-					buf,256);
-				BIO_printf(STDout,"issuer= %s\n",buf);
+				print_name(STDout, "issuer= ",
+					X509_get_issuer_name(x), nmflag);
 				}
 			else if (subject == i) 
 				{
-				X509_NAME_oneline(X509_get_subject_name(x),
-					buf,256);
-				BIO_printf(STDout,"subject=%s\n",buf);
+				print_name(STDout, "subject= ",
+					X509_get_subject_name(x), nmflag);
 				}
 			else if (serial == i)
 				{
@@ -596,11 +671,20 @@ bad:
 				i2a_ASN1_INTEGER(STDout,x->cert_info->serialNumber);
 				BIO_printf(STDout,"\n");
 				}
+			else if (email == i) 
+				{
+				int j;
+				STACK *emlst;
+				emlst = X509_get1_email(x);
+				for (j = 0; j < sk_num(emlst); j++)
+					BIO_printf(STDout, "%s\n", sk_value(emlst, j));
+				X509_email_free(emlst);
+				}
 			else if (aliasout == i)
 				{
 				unsigned char *alstr;
 				alstr = X509_alias_get0(x, NULL);
-				if(alstr) BIO_printf(STDout,"%s\n", alstr);
+				if (alstr) BIO_printf(STDout,"%s\n", alstr);
 				else BIO_puts(STDout,"<No Alias>\n");
 				}
 			else if (hash == i)
@@ -612,7 +696,7 @@ bad:
 				X509_PURPOSE *ptmp;
 				int j;
 				BIO_printf(STDout, "Certificate purposes:\n");
-				for(j = 0; j < X509_PURPOSE_get_count(); j++)
+				for (j = 0; j < X509_PURPOSE_get_count(); j++)
 					{
 					ptmp = X509_PURPOSE_get0(j);
 					purpose_print(STDout, x, ptmp);
@@ -675,7 +759,7 @@ bad:
 				BIO_printf(STDout,"/* issuer :%s */\n",buf);
 
 				z=i2d_X509(x,NULL);
-				m=Malloc(z);
+				m=OPENSSL_malloc(z);
 
 				d=(unsigned char *)m;
 				z=i2d_X509_NAME(X509_get_subject_name(x),&d);
@@ -713,7 +797,7 @@ bad:
 				if (y%16 != 0) BIO_printf(STDout,"\n");
 				BIO_printf(STDout,"};\n");
 
-				Free(m);
+				OPENSSL_free(m);
 				}
 			else if (text == i)
 				{
@@ -758,7 +842,8 @@ bad:
 				BIO_printf(bio_err,"Getting Private key\n");
 				if (Upkey == NULL)
 					{
-					Upkey=load_key(keyfile,keyformat, passin);
+					Upkey=load_key(bio_err,
+						keyfile,keyformat, passin);
 					if (Upkey == NULL) goto end;
 					}
 #ifndef NO_DSA
@@ -775,7 +860,8 @@ bad:
 				BIO_printf(bio_err,"Getting CA Private Key\n");
 				if (CAkeyfile != NULL)
 					{
-					CApkey=load_key(CAkeyfile,CAkeyformat, passin);
+					CApkey=load_key(bio_err,
+						CAkeyfile,CAkeyformat, passin);
 					if (CApkey == NULL) goto end;
 					}
 #ifndef NO_DSA
@@ -801,7 +887,8 @@ bad:
 					}
 				else
 					{
-					pk=load_key(keyfile,FORMAT_PEM, passin);
+					pk=load_key(bio_err,
+						keyfile,FORMAT_PEM, passin);
 					if (pk == NULL) goto end;
 					}
 
@@ -827,6 +914,23 @@ bad:
 			}
 		}
 
+	if (checkend)
+		{
+		time_t tnow=time(NULL);
+
+		if (ASN1_UTCTIME_cmp_time_t(X509_get_notAfter(x), tnow+checkoffset) == -1)
+			{
+			BIO_printf(out,"Certificate will expire\n");
+			ret=1;
+			}
+		else
+			{
+			BIO_printf(out,"Certificate will not expire\n");
+			ret=0;
+			}
+		goto end;
+		}
+
 	if (noout)
 		{
 		ret=0;
@@ -835,16 +939,18 @@ bad:
 
 	if 	(outformat == FORMAT_ASN1)
 		i=i2d_X509_bio(out,x);
-	else if (outformat == FORMAT_PEM) {
-		if(trustout) i=PEM_write_bio_X509_AUX(out,x);
+	else if (outformat == FORMAT_PEM)
+		{
+		if (trustout) i=PEM_write_bio_X509_AUX(out,x);
 		else i=PEM_write_bio_X509(out,x);
-	} else if (outformat == FORMAT_NETSCAPE)
+		}
+	else if (outformat == FORMAT_NETSCAPE)
 		{
 		ASN1_HEADER ah;
 		ASN1_OCTET_STRING os;
 
-		os.data=(unsigned char *)CERT_HDR;
-		os.length=strlen(CERT_HDR);
+		os.data=(unsigned char *)NETSCAPE_CERT_HDR;
+		os.length=strlen(NETSCAPE_CERT_HDR);
 		ah.header= &os;
 		ah.data=(char *)x;
 		ah.meth=X509_asn1_meth();
@@ -856,7 +962,8 @@ bad:
 		BIO_printf(bio_err,"bad output format specified for outfile\n");
 		goto end;
 		}
-	if (!i) {
+	if (!i)
+		{
 		BIO_printf(bio_err,"unable to write certificate\n");
 		ERR_print_errors(bio_err);
 		goto end;
@@ -867,8 +974,8 @@ end:
 		app_RAND_write_file(NULL, bio_err);
 	OBJ_cleanup();
 	CONF_free(extconf);
-	BIO_free(out);
-	BIO_free(STDout);
+	BIO_free_all(out);
+	BIO_free_all(STDout);
 	X509_STORE_free(ctx);
 	X509_REQ_free(req);
 	X509_free(x);
@@ -878,7 +985,7 @@ end:
 	X509_REQ_free(rq);
 	sk_ASN1_OBJECT_pop_free(trust, ASN1_OBJECT_free);
 	sk_ASN1_OBJECT_pop_free(reject, ASN1_OBJECT_free);
-	if(passin) Free(passin);
+	if (passin) OPENSSL_free(passin);
 	EXIT(ret);
 	}
 
@@ -900,7 +1007,7 @@ static int x509_certify(X509_STORE *ctx, char *CAfile, const EVP_MD *digest,
 	EVP_PKEY_free(upkey);
 
 	X509_STORE_CTX_init(&xsc,ctx,x,NULL);
-	buf=Malloc(EVP_PKEY_size(pkey)*2+
+	buf=OPENSSL_malloc(EVP_PKEY_size(pkey)*2+
 		((serialfile == NULL)
 			?(strlen(CAfile)+strlen(POSTFIX)+1)
 			:(strlen(serialfile)))+1);
@@ -1005,16 +1112,18 @@ static int x509_certify(X509_STORE *ctx, char *CAfile, const EVP_MD *digest,
 	if (X509_gmtime_adj(X509_get_notAfter(x),(long)60*60*24*days) == NULL)
 		goto end;
 
-	if(clrext) {
-		while(X509_get_ext_count(x) > 0) X509_delete_ext(x, 0);
+	if (clrext)
+		{
+		while (X509_get_ext_count(x) > 0) X509_delete_ext(x, 0);
 		}
 
-	if(conf) {
+	if (conf)
+		{
 		X509V3_CTX ctx2;
 		X509_set_version(x,2); /* version 3 certificate */
                 X509V3_set_ctx(&ctx2, xca, x, NULL, NULL, 0);
                 X509V3_set_conf_lhash(&ctx2, conf);
-                if(!X509V3_EXT_add_conf(conf, &ctx2, section, x)) goto end;
+                if (!X509V3_EXT_add_conf(conf, &ctx2, section, x)) goto end;
 		}
 
 	if (!X509_sign(x,pkey,digest)) goto end;
@@ -1023,16 +1132,15 @@ end:
 	X509_STORE_CTX_cleanup(&xsc);
 	if (!ret)
 		ERR_print_errors(bio_err);
-	if (buf != NULL) Free(buf);
+	if (buf != NULL) OPENSSL_free(buf);
 	if (bs != NULL) ASN1_INTEGER_free(bs);
 	if (io != NULL)	BIO_free(io);
 	if (serial != NULL) BN_free(serial);
-	return(ret);
+	return ret;
 	}
 
 static int MS_CALLBACK callb(int ok, X509_STORE_CTX *ctx)
 	{
-	char buf[256];
 	int err;
 	X509 *err_cert;
 
@@ -1041,7 +1149,7 @@ static int MS_CALLBACK callb(int ok, X509_STORE_CTX *ctx)
 	 * final ok == 1 calls to this function */
 	err=X509_STORE_CTX_get_error(ctx);
 	if (err == X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT)
-		return(1);
+		return 1;
 
 	/* BAD we should have gotten an error.  Normally if everything
 	 * worked X509_STORE_CTX_get_error(ctx) will still be set to
@@ -1049,147 +1157,19 @@ static int MS_CALLBACK callb(int ok, X509_STORE_CTX *ctx)
 	if (ok)
 		{
 		BIO_printf(bio_err,"error with certificate to be certified - should be self signed\n");
-		return(0);
+		return 0;
 		}
 	else
 		{
 		err_cert=X509_STORE_CTX_get_current_cert(ctx);
-		X509_NAME_oneline(X509_get_subject_name(err_cert),buf,256);
-		BIO_printf(bio_err,"%s\n",buf);
+		print_name(bio_err, NULL, X509_get_subject_name(err_cert),0);
 		BIO_printf(bio_err,"error with certificate - error %d at depth %d\n%s\n",
 			err,X509_STORE_CTX_get_error_depth(ctx),
 			X509_verify_cert_error_string(err));
-		return(1);
+		return 1;
 		}
 	}
 
-static EVP_PKEY *load_key(char *file, int format, char *passin)
-	{
-	BIO *key=NULL;
-	EVP_PKEY *pkey=NULL;
-
-	if (file == NULL)
-		{
-		BIO_printf(bio_err,"no keyfile specified\n");
-		goto end;
-		}
-	key=BIO_new(BIO_s_file());
-	if (key == NULL)
-		{
-		ERR_print_errors(bio_err);
-		goto end;
-		}
-	if (BIO_read_filename(key,file) <= 0)
-		{
-		perror(file);
-		goto end;
-		}
-	if (format == FORMAT_ASN1)
-		{
-		pkey=d2i_PrivateKey_bio(key, NULL);
-		}
-	else if (format == FORMAT_PEM)
-		{
-		pkey=PEM_read_bio_PrivateKey(key,NULL,NULL,passin);
-		}
-	else
-		{
-		BIO_printf(bio_err,"bad input format specified for key\n");
-		goto end;
-		}
-end:
-	if (key != NULL) BIO_free(key);
-	if (pkey == NULL)
-		BIO_printf(bio_err,"unable to load Private Key\n");
-	return(pkey);
-	}
-
-static X509 *load_cert(char *file, int format)
-	{
-	ASN1_HEADER *ah=NULL;
-	BUF_MEM *buf=NULL;
-	X509 *x=NULL;
-	BIO *cert;
-
-	if ((cert=BIO_new(BIO_s_file())) == NULL)
-		{
-		ERR_print_errors(bio_err);
-		goto end;
-		}
-
-	if (file == NULL)
-		BIO_set_fp(cert,stdin,BIO_NOCLOSE);
-	else
-		{
-		if (BIO_read_filename(cert,file) <= 0)
-			{
-			perror(file);
-			goto end;
-			}
-		}
-	if 	(format == FORMAT_ASN1)
-		x=d2i_X509_bio(cert,NULL);
-	else if (format == FORMAT_NETSCAPE)
-		{
-		unsigned char *p,*op;
-		int size=0,i;
-
-		/* We sort of have to do it this way because it is sort of nice
-		 * to read the header first and check it, then
-		 * try to read the certificate */
-		buf=BUF_MEM_new();
-		for (;;)
-			{
-			if ((buf == NULL) || (!BUF_MEM_grow(buf,size+1024*10)))
-				goto end;
-			i=BIO_read(cert,&(buf->data[size]),1024*10);
-			size+=i;
-			if (i == 0) break;
-			if (i < 0)
-				{
-				perror("reading certificate");
-				goto end;
-				}
-			}
-		p=(unsigned char *)buf->data;
-		op=p;
-
-		/* First load the header */
-		if ((ah=d2i_ASN1_HEADER(NULL,&p,(long)size)) == NULL)
-			goto end;
-		if ((ah->header == NULL) || (ah->header->data == NULL) ||
-			(strncmp(CERT_HDR,(char *)ah->header->data,
-			ah->header->length) != 0))
-			{
-			BIO_printf(bio_err,"Error reading header on certificate\n");
-			goto end;
-			}
-		/* header is ok, so now read the object */
-		p=op;
-		ah->meth=X509_asn1_meth();
-		if ((ah=d2i_ASN1_HEADER(&ah,&p,(long)size)) == NULL)
-			goto end;
-		x=(X509 *)ah->data;
-		ah->data=NULL;
-		}
-	else if (format == FORMAT_PEM)
-		x=PEM_read_bio_X509_AUX(cert,NULL,NULL,NULL);
-	else	{
-		BIO_printf(bio_err,"bad input format specified for input cert\n");
-		goto end;
-		}
-end:
-	if (x == NULL)
-		{
-		BIO_printf(bio_err,"unable to load certificate\n");
-		ERR_print_errors(bio_err);
-		}
-	if (ah != NULL) ASN1_HEADER_free(ah);
-	if (cert != NULL) BIO_free(cert);
-	if (buf != NULL) BUF_MEM_free(buf);
-	return(x);
-	}
-
 /* self sign */
 static int sign(X509 *x, EVP_PKEY *pkey, int days, int clrext, const EVP_MD *digest, 
 						LHASH *conf, char *section)
@@ -1213,21 +1193,23 @@ static int sign(X509 *x, EVP_PKEY *pkey, int days, int clrext, const EVP_MD *dig
 		goto err;
 
 	if (!X509_set_pubkey(x,pkey)) goto err;
-	if(clrext) {
-		while(X509_get_ext_count(x) > 0) X509_delete_ext(x, 0);
+	if (clrext)
+		{
+		while (X509_get_ext_count(x) > 0) X509_delete_ext(x, 0);
 		}
-	if(conf) {
+	if (conf)
+		{
 		X509V3_CTX ctx;
 		X509_set_version(x,2); /* version 3 certificate */
                 X509V3_set_ctx(&ctx, x, x, NULL, NULL, 0);
                 X509V3_set_conf_lhash(&ctx, conf);
-                if(!X509V3_EXT_add_conf(conf, &ctx, section, x)) goto err;
+                if (!X509V3_EXT_add_conf(conf, &ctx, section, x)) goto err;
 		}
 	if (!X509_sign(x,pkey,digest)) goto err;
-	return(1);
+	return 1;
 err:
 	ERR_print_errors(bio_err);
-	return(0);
+	return 0;
 	}
 
 static int purpose_print(BIO *bio, X509 *cert, X509_PURPOSE *pt)
@@ -1236,10 +1218,11 @@ static int purpose_print(BIO *bio, X509 *cert, X509_PURPOSE *pt)
 	char *pname;
 	id = X509_PURPOSE_get_id(pt);
 	pname = X509_PURPOSE_get0_name(pt);
-	for(i = 0; i < 2; i++) {
+	for (i = 0; i < 2; i++)
+		{
 		idret = X509_check_purpose(cert, id, i);
 		BIO_printf(bio, "%s%s : ", pname, i ? " CA" : ""); 
-		if(idret == 1) BIO_printf(bio, "Yes\n");
+		if (idret == 1) BIO_printf(bio, "Yes\n");
 		else if (idret == 0) BIO_printf(bio, "No\n");
 		else BIO_printf(bio, "Yes (WARNING code=%d)\n", idret);
 		}

config

@@ -49,10 +49,18 @@ if [ "x$XREL" != "x" ]; then
 		echo "whatever-whatever-sco5"; exit 0
 		;;
 	    4.2MP)
-		if [ "x$VERSION" = "x2.1.1" ]; then
+		if [ "x$VERSION" = "x2.01" ]; then
+		    echo "${MACHINE}-whatever-unixware201"; exit 0
+		elif [ "x$VERSION" = "x2.02" ]; then
+		    echo "${MACHINE}-whatever-unixware202"; exit 0
+		elif [ "x$VERSION" = "x2.03" ]; then
+		    echo "${MACHINE}-whatever-unixware203"; exit 0
+		elif [ "x$VERSION" = "x2.1.1" ]; then
 		    echo "${MACHINE}-whatever-unixware211"; exit 0
 		elif [ "x$VERSION" = "x2.1.2" ]; then
 		    echo "${MACHINE}-whatever-unixware212"; exit 0
+		elif [ "x$VERSION" = "x2.1.3" ]; then
+		    echo "${MACHINE}-whatever-unixware213"; exit 0
 		else
 		    echo "${MACHINE}-whatever-unixware2"; exit 0
 		fi
@@ -71,6 +79,10 @@ fi
 # Now we simply scan though... In most cases, the SYSTEM info is enough
 #
 case "${SYSTEM}:${RELEASE}:${VERSION}:${MACHINE}" in
+    MPE/iX:*)
+	MACHINE=`echo "$MACHINE" | sed -e 's/-/_/g'`
+	echo "parisc-hp-MPE/iX"; exit 0
+	;;
     A/UX:*)
 	echo "m68k-apple-aux3"; exit 0
 	;;
@@ -164,7 +176,7 @@ case "${SYSTEM}:${RELEASE}:${VERSION}:${MACHINE}" in
         ;;
 
     NetBSD:*:*:*386*)
-        echo "`sysctl -n hw.model | sed 's,.*\(.\)86-class.*,i\186,'`-whateve\r-netbsd"; exit 0
+        echo "`(/usr/sbin/sysctl -n hw.model || /sbin/sysctl -n hw.model) | sed 's,.*\(.\)86-class.*,i\186,'`-whatever-netbsd"; exit 0
 	;;
 
     NetBSD:*)
@@ -181,11 +193,11 @@ case "${SYSTEM}:${RELEASE}:${VERSION}:${MACHINE}" in
 
     QNX:*)
 	case "$VERSION" in
-	    423)
-		echo "${MACHINE}-qssl-qnx32"
+	    4*)
+		echo "${MACHINE}-whatever-qnx4"
 		;;
 	    *)
-		echo "${MACHINE}-qssl-qnx"
+		echo "${MACHINE}-whatever-qnx"
 		;;
 	esac
 	exit 0
@@ -200,7 +212,7 @@ case "${SYSTEM}:${RELEASE}:${VERSION}:${MACHINE}" in
 	;;
 
     SunOS:5.*)
-	echo "${MACHINE}-sun-solaris2"; exit 0
+	echo "${MACHINE}-whatever-solaris2"; exit 0
 	;;
 
     SunOS:*)
@@ -247,6 +259,10 @@ case "${SYSTEM}:${RELEASE}:${VERSION}:${MACHINE}" in
 	echo "${MACHINE}-v11-${SYSTEM}"; exit 0;
 	;;
 
+    NEWS-OS:4.*)
+	echo "mips-sony-newsos4"; exit 0;
+	;;
+
 esac
 
 #
@@ -292,8 +308,6 @@ TEST="false"
 for i
 do
 case "$i" in 
-# shared library support (behnke@trustcenter.de)
--shared) SHARED=true;;
 -d*) PREFIX="debug-";;
 -t*) TEST="true";;
 -h*) TEST="true"; cat <<EOF
@@ -387,10 +401,16 @@ case "$GUESSOS" in
 	;;
   mips4-sgi-irix64)
 	echo "WARNING! If you wish to build 64-bit library, then you have to"
-	echo "         invoke './Configre irix64-mips4-$CC' *manually*."
-	echo "         Type Ctrl-C if you don't want to continue."
+	echo "         invoke './Configure irix64-mips4-$CC' *manually*."
+	echo "         Type return if you want to continue, Ctrl-C to abort."
 	read waste < /dev/tty
+        CPU=`(hinv -t cpu) 2>/dev/null | sed 's/^CPU:[^R]*R\([0-9]*\).*/\1/'`
+        CPU=${CPU:-0}
+        if [ $CPU -ge 5000 ]; then
                 options="$options -mips4"
+        else
+                options="$options -mips3"
+        fi
 	OUT="irix-mips3-$CC"
 	;;
   alpha-*-linux2)
@@ -409,6 +429,7 @@ case "$GUESSOS" in
 	;;
   mips-*-linux?) OUT="linux-mips" ;;
   ppc-*-linux2) OUT="linux-ppc" ;;
+  m68k-*-linux*) OUT="linux-m68k" ;;
   ia64-*-linux?) OUT="linux-ia64" ;;
   ppc-apple-rhapsody) OUT="rhapsody-ppc-cc" ;;
   sparc64-*-linux2)
@@ -416,32 +437,34 @@ case "$GUESSOS" in
 	#till 64-bit glibc for SPARC is operational:-(
 	#echo "WARNING! If you wish to build 64-bit library, then you have to"
 	#echo "         invoke './Configure linux64-sparcv9' *manually*."
-	#echo "         Type Ctrl-C if you don't want to continue."
+	#echo "         Type return if you want to continue, Ctrl-C to abort."
 	#read waste < /dev/tty
 	OUT="linux-sparcv9" ;;
   sparc-*-linux2)
-	KARCH=`awk '/type/{print$3}' /proc/cpuinfo`
+	KARCH=`awk '/^type/{print$3}' /proc/cpuinfo`
 	case ${KARCH:-sun4} in
 	sun4u*)	OUT="linux-sparcv9" ;;
 	sun4m)	OUT="linux-sparcv8" ;;
 	sun4d)	OUT="linux-sparcv8" ;;
 	*)	OUT="linux-sparcv7" ;;
 	esac ;;
+  arm*-*-linux2) OUT="linux-elf-arm" ;;
+  s390-*-linux2) OUT="linux-s390" ;;
   *-*-linux2) OUT="linux-elf" ;;
   *-*-linux1) OUT="linux-aout" ;;
-  sun4u*-sun-solaris2)
+  sun4u*-*-solaris2)
 	ISA64=`(isalist) 2>/dev/null | grep sparcv9`
 	if [ "$ISA64" != "" -a "$CC" = "cc" -a $CCVER -ge 50 ]; then
 		echo "WARNING! If you wish to build 64-bit library, then you have to"
 		echo "         invoke './Configure solaris64-sparcv9-cc' *manually*."
-		echo "         Type Ctrl-C if you don't want to continue."
+		echo "         Type return if you want to continue, Ctrl-C to abort."
 		read waste < /dev/tty
 	fi
 	OUT="solaris-sparcv9-$CC" ;;
-  sun4m-sun-solaris2)	OUT="solaris-sparcv8-$CC" ;;
-  sun4d-sun-solaris2)	OUT="solaris-sparcv8-$CC" ;;
-  sun4*-sun-solaris2)	OUT="solaris-sparcv7-$CC" ;;
-  *86*-sun-solaris2) OUT="solaris-x86-$CC" ;;
+  sun4m-*-solaris2)	OUT="solaris-sparcv8-$CC" ;;
+  sun4d-*-solaris2)	OUT="solaris-sparcv8-$CC" ;;
+  sun4*-*-solaris2)	OUT="solaris-sparcv7-$CC" ;;
+  *86*-*-solaris2) OUT="solaris-x86-$CC" ;;
   *-*-sunos4) OUT="sunos-$CC" ;;
   alpha*-*-freebsd*) OUT="FreeBSD-alpha" ;;
   *-freebsd[3-9]*) OUT="FreeBSD-elf" ;;
@@ -458,9 +481,12 @@ case "$GUESSOS" in
   *-*-unixware7) OUT="unixware-7" ;;
   *-*-UnixWare7) OUT="unixware-7" ;;
   *-*-Unixware7) OUT="unixware-7" ;;
-  *-*-unixware[1-2]*) OUT="unixware-2.0" ;;
-  *-*-UnixWare[1-2]*) OUT="unixware-2.0" ;;
-  *-*-Unixware[1-2]*) OUT="unixware-2.0" ;;
+  *-*-unixware20*) OUT="unixware-2.0" ;;
+  *-*-unixware21*) OUT="unixware-2.1" ;;
+  *-*-UnixWare20*) OUT="unixware-2.0" ;;
+  *-*-UnixWare21*) OUT="unixware-2.1" ;;
+  *-*-Unixware20*) OUT="unixware-2.0" ;;
+  *-*-Unixware21*) OUT="unixware-2.1" ;;
   BS2000-siemens-sysv4) OUT="BS2000-OSD" ;;
   RM*-siemens-sysv4) OUT="ReliantUNIX" ;;
   *-siemens-sysv4) OUT="SINIX" ;;
@@ -470,14 +496,21 @@ case "$GUESSOS" in
   # these are all covered by the catchall below
   # *-aix) OUT="aix-$CC" ;;
   # *-dgux) OUT="dgux" ;;
+  mips-sony-newsos4) OUT="newsos4-gcc" ;;
   *) OUT=`echo $GUESSOS | awk -F- '{print $3}'`;;
 esac
 
+# NB: This atalla support has been superceded by the ENGINE support
+# That contains its own header and definitions anyway. Support can
+# be enabled or disabled on any supported platform without external
+# headers, eg. by adding the "hw-atalla" switch to ./config or
+# perl Configure
+#
 # See whether we can compile Atalla support
-if [ -f /usr/include/atasi.h ]
-then
-  options="$options -DATALLA"
-fi
+#if [ -f /usr/include/atasi.h ]
+#then
+#  options="$options -DATALLA"
+#fi
 
 #get some basic shared lib support (behnke@trustcenter.de)
 case "$OUT" in
@@ -503,17 +536,6 @@ then
   sleep 5
   OUT=linux-sparcv8
 fi
-# To start with $OUT is never i86pc-sun-solaris2. Secondly why
-# ban *all* assembler implementation if it can't stand only one,
-# SHA-0 implementation.
-#if [ "$OUT" = "i86pc-sun-solaris2" ]
-#then
-#  ASM=`as -V /dev/null 2>&1`
-#  case "$ASM" in
-#    GNU*) ;;
-#    *) options="$options no-asm" ; echo "WARNING: You need the GNU assembler to use OpenSSL assembler code." ; echo "Sun as is not supported on Solaris x86." ;;
-#  esac
-#fi
 
 case "$GUESSOS" in
   i386-*) options="$options 386" ;;

crypto/Makefile.ssl

@@ -27,19 +27,19 @@ LIBS=
 
 SDIRS=	md2 md5 sha mdc2 hmac ripemd \
 	des rc2 rc4 rc5 idea bf cast \
-	bn rsa dsa dh \
+	bn rsa dsa dh dso engine \
 	buffer bio stack lhash rand err objects \
 	evp asn1 pem x509 x509v3 conf txt_db pkcs7 pkcs12 comp
 
 GENERAL=Makefile README crypto-lib.com install.com
 
 LIB= $(TOP)/libcrypto.a
-LIBSRC=	cryptlib.c mem.c mem_dbg.c cversion.c ex_data.c tmdiff.c cpt_err.c ebcdic.c
-LIBOBJ= cryptlib.o mem.o mem_dbg.o cversion.o ex_data.o tmdiff.o cpt_err.o ebcdic.o
+LIBSRC=	cryptlib.c mem.c mem_dbg.c cversion.c ex_data.c tmdiff.c cpt_err.c ebcdic.c uid.c
+LIBOBJ= cryptlib.o mem.o mem_dbg.o cversion.o ex_data.o tmdiff.o cpt_err.o ebcdic.o uid.o
 
 SRC= $(LIBSRC)
 
-EXHEADER= crypto.h tmdiff.h opensslv.h opensslconf.h ebcdic.h
+EXHEADER= crypto.h tmdiff.h opensslv.h opensslconf.h ebcdic.h symhacks.h
 HEADER=	cryptlib.h buildinf.h md32_common.h $(EXHEADER)
 
 ALL=    $(GENERAL) $(SRC) $(HEADER)
@@ -90,7 +90,8 @@ links:
 
 lib:	$(LIBOBJ)
 	$(AR) $(LIB) $(LIBOBJ)
-	$(RANLIB) $(LIB)
+	@echo You may get an error following this line.  Please ignore.
+	- $(RANLIB) $(LIB)
 	@touch lib
 
 libs:
@@ -155,41 +156,48 @@ dclean:
 
 # DO NOT DELETE THIS LINE -- make depend depends on it.
 
-cpt_err.o: ../include/openssl/crypto.h ../include/openssl/err.h
+cpt_err.o: ../include/openssl/bio.h ../include/openssl/crypto.h
+cpt_err.o: ../include/openssl/err.h ../include/openssl/lhash.h
 cpt_err.o: ../include/openssl/opensslv.h ../include/openssl/safestack.h
-cpt_err.o: ../include/openssl/stack.h
+cpt_err.o: ../include/openssl/stack.h ../include/openssl/symhacks.h
 cryptlib.o: ../include/openssl/bio.h ../include/openssl/buffer.h
 cryptlib.o: ../include/openssl/crypto.h ../include/openssl/e_os.h
 cryptlib.o: ../include/openssl/e_os2.h ../include/openssl/err.h
-cryptlib.o: ../include/openssl/opensslconf.h ../include/openssl/opensslv.h
-cryptlib.o: ../include/openssl/safestack.h ../include/openssl/stack.h
-cryptlib.o: cryptlib.h
+cryptlib.o: ../include/openssl/lhash.h ../include/openssl/opensslconf.h
+cryptlib.o: ../include/openssl/opensslv.h ../include/openssl/safestack.h
+cryptlib.o: ../include/openssl/stack.h ../include/openssl/symhacks.h cryptlib.h
 cversion.o: ../include/openssl/bio.h ../include/openssl/buffer.h
 cversion.o: ../include/openssl/crypto.h ../include/openssl/e_os.h
 cversion.o: ../include/openssl/e_os2.h ../include/openssl/err.h
-cversion.o: ../include/openssl/opensslconf.h ../include/openssl/opensslv.h
-cversion.o: ../include/openssl/safestack.h ../include/openssl/stack.h
-cversion.o: buildinf.h cryptlib.h
+cversion.o: ../include/openssl/lhash.h ../include/openssl/opensslconf.h
+cversion.o: ../include/openssl/opensslv.h ../include/openssl/safestack.h
+cversion.o: ../include/openssl/stack.h ../include/openssl/symhacks.h buildinf.h
+cversion.o: cryptlib.h
 ex_data.o: ../include/openssl/bio.h ../include/openssl/buffer.h
 ex_data.o: ../include/openssl/crypto.h ../include/openssl/e_os.h
 ex_data.o: ../include/openssl/e_os2.h ../include/openssl/err.h
 ex_data.o: ../include/openssl/lhash.h ../include/openssl/opensslconf.h
 ex_data.o: ../include/openssl/opensslv.h ../include/openssl/safestack.h
-ex_data.o: ../include/openssl/stack.h cryptlib.h
+ex_data.o: ../include/openssl/stack.h ../include/openssl/symhacks.h cryptlib.h
 mem.o: ../include/openssl/bio.h ../include/openssl/buffer.h
 mem.o: ../include/openssl/crypto.h ../include/openssl/e_os.h
 mem.o: ../include/openssl/e_os2.h ../include/openssl/err.h
-mem.o: ../include/openssl/opensslconf.h ../include/openssl/opensslv.h
-mem.o: ../include/openssl/safestack.h ../include/openssl/stack.h cryptlib.h
+mem.o: ../include/openssl/lhash.h ../include/openssl/opensslconf.h
+mem.o: ../include/openssl/opensslv.h ../include/openssl/safestack.h
+mem.o: ../include/openssl/stack.h ../include/openssl/symhacks.h cryptlib.h
 mem_dbg.o: ../include/openssl/bio.h ../include/openssl/buffer.h
 mem_dbg.o: ../include/openssl/crypto.h ../include/openssl/e_os.h
 mem_dbg.o: ../include/openssl/e_os2.h ../include/openssl/err.h
 mem_dbg.o: ../include/openssl/lhash.h ../include/openssl/opensslconf.h
 mem_dbg.o: ../include/openssl/opensslv.h ../include/openssl/safestack.h
-mem_dbg.o: ../include/openssl/stack.h cryptlib.h
+mem_dbg.o: ../include/openssl/stack.h ../include/openssl/symhacks.h cryptlib.h
 tmdiff.o: ../include/openssl/bio.h ../include/openssl/buffer.h
 tmdiff.o: ../include/openssl/crypto.h ../include/openssl/e_os.h
 tmdiff.o: ../include/openssl/e_os2.h ../include/openssl/err.h
-tmdiff.o: ../include/openssl/opensslconf.h ../include/openssl/opensslv.h
-tmdiff.o: ../include/openssl/safestack.h ../include/openssl/stack.h
+tmdiff.o: ../include/openssl/lhash.h ../include/openssl/opensslconf.h
+tmdiff.o: ../include/openssl/opensslv.h ../include/openssl/safestack.h
+tmdiff.o: ../include/openssl/stack.h ../include/openssl/symhacks.h
 tmdiff.o: ../include/openssl/tmdiff.h cryptlib.h
+uid.o: ../include/openssl/crypto.h ../include/openssl/opensslv.h
+uid.o: ../include/openssl/safestack.h ../include/openssl/stack.h
+uid.o: ../include/openssl/symhacks.h

crypto/asn1/a_bitstr.c

@@ -70,13 +70,27 @@ int ASN1_BIT_STRING_set(ASN1_BIT_STRING *x, unsigned char *d, int len)
 { return M_ASN1_BIT_STRING_set(x, d, len); }
 
 int i2d_ASN1_BIT_STRING(ASN1_BIT_STRING *a, unsigned char **pp)
+{
+	int len, ret;
+	len = i2c_ASN1_BIT_STRING(a, NULL);	
+	ret=ASN1_object_size(0,len,V_ASN1_BIT_STRING);
+	if(pp) {
+		ASN1_put_object(pp,0,len,V_ASN1_BIT_STRING,V_ASN1_UNIVERSAL);
+		i2c_ASN1_BIT_STRING(a, pp);	
+	}
+	return ret;
+}
+
+int i2c_ASN1_BIT_STRING(ASN1_BIT_STRING *a, unsigned char **pp)
 	{
-	int ret,j,r,bits,len;
+	int ret,j,bits,len;
 	unsigned char *p,*d;
 
 	if (a == NULL) return(0);
 
 	len=a->length;
+	ret=1+len;
+	if (pp == NULL) return(ret);
 
 	if (len > 0)
 		{
@@ -104,36 +118,27 @@ int i2d_ASN1_BIT_STRING(ASN1_BIT_STRING *a, unsigned char **pp)
 		}
 	else
 		bits=0;
-	ret=1+len;
-	r=ASN1_object_size(0,ret,V_ASN1_BIT_STRING);
-	if (pp == NULL) return(r);
 	p= *pp;
 
-	ASN1_put_object(&p,0,ret,V_ASN1_BIT_STRING,V_ASN1_UNIVERSAL);
 	*(p++)=(unsigned char)bits;
 	d=a->data;
 	memcpy(p,d,len);
 	p+=len;
 	if (len > 0) p[-1]&=(0xff<<bits);
 	*pp=p;
-	return(r);
+	return(ret);
 	}
 
+
+/* Convert DER encoded ASN1 BIT_STRING to ASN1_BIT_STRING structure */
 ASN1_BIT_STRING *d2i_ASN1_BIT_STRING(ASN1_BIT_STRING **a, unsigned char **pp,
 	     long length)
-	{
-	ASN1_BIT_STRING *ret=NULL;
-	unsigned char *p,*s;
+{
+	unsigned char *p;
 	long len;
-	int inf,tag,xclass;
 	int i;
-
-	if ((a == NULL) || ((*a) == NULL))
-		{
-		if ((ret=M_ASN1_BIT_STRING_new()) == NULL) return(NULL);
-		}
-	else
-		ret=(*a);
+	int inf,tag,xclass;
+	ASN1_BIT_STRING *ret;
 
 	p= *pp;
 	inf=ASN1_get_object(&p,&len,&tag,&xclass,length);
@@ -149,7 +154,30 @@ ASN1_BIT_STRING *d2i_ASN1_BIT_STRING(ASN1_BIT_STRING **a, unsigned char **pp,
 		goto err;
 		}
 	if (len < 1) { i=ASN1_R_STRING_TOO_SHORT; goto err; }
+	ret = c2i_ASN1_BIT_STRING(a, &p, len);
+	if(ret) *pp = p;
+	return ret;
+err:
+	ASN1err(ASN1_F_D2I_ASN1_BIT_STRING,i);
+	return(NULL);
 
+}
+
+ASN1_BIT_STRING *c2i_ASN1_BIT_STRING(ASN1_BIT_STRING **a, unsigned char **pp,
+	     long len)
+	{
+	ASN1_BIT_STRING *ret=NULL;
+	unsigned char *p,*s;
+	int i;
+
+	if ((a == NULL) || ((*a) == NULL))
+		{
+		if ((ret=M_ASN1_BIT_STRING_new()) == NULL) return(NULL);
+		}
+	else
+		ret=(*a);
+
+	p= *pp;
 	i= *(p++);
 	/* We do this to preserve the settings.  If we modify
 	 * the settings, via the _set_bit function, we will recalculate
@@ -159,7 +187,7 @@ ASN1_BIT_STRING *d2i_ASN1_BIT_STRING(ASN1_BIT_STRING **a, unsigned char **pp,
 
 	if (len-- > 1) /* using one because of the bits left byte */
 		{
-		s=(unsigned char *)Malloc((int)len);
+		s=(unsigned char *)OPENSSL_malloc((int)len);
 		if (s == NULL)
 			{
 			i=ERR_R_MALLOC_FAILURE;
@@ -173,7 +201,7 @@ ASN1_BIT_STRING *d2i_ASN1_BIT_STRING(ASN1_BIT_STRING **a, unsigned char **pp,
 		s=NULL;
 
 	ret->length=(int)len;
-	if (ret->data != NULL) Free(ret->data);
+	if (ret->data != NULL) OPENSSL_free(ret->data);
 	ret->data=s;
 	ret->type=V_ASN1_BIT_STRING;
 	if (a != NULL) (*a)=ret;
@@ -204,13 +232,13 @@ int ASN1_BIT_STRING_set_bit(ASN1_BIT_STRING *a, int n, int value)
 		{
 		if (!value) return(1); /* Don't need to set */
 		if (a->data == NULL)
-			c=(unsigned char *)Malloc(w+1);
+			c=(unsigned char *)OPENSSL_malloc(w+1);
 		else
-			c=(unsigned char *)Realloc(a->data,w+1);
+			c=(unsigned char *)OPENSSL_realloc(a->data,w+1);
 		if (c == NULL) return(0);
+		if (w+1-a->length > 0) memset(c+a->length, 0, w+1-a->length);
 		a->data=c;
 		a->length=w+1;
-		c[w]=0;
 	}
 	a->data[w]=((a->data[w])&iv)|v;
 	while ((a->length > 0) && (a->data[a->length-1] == 0))

crypto/asn1/a_bytes.c

@@ -111,7 +111,7 @@ ASN1_STRING *d2i_ASN1_type_bytes(ASN1_STRING **a, unsigned char **pp,
 
 	if (len != 0)
 		{
-		s=(unsigned char *)Malloc((int)len+1);
+		s=(unsigned char *)OPENSSL_malloc((int)len+1);
 		if (s == NULL)
 			{
 			i=ERR_R_MALLOC_FAILURE;
@@ -124,7 +124,7 @@ ASN1_STRING *d2i_ASN1_type_bytes(ASN1_STRING **a, unsigned char **pp,
 	else
 		s=NULL;
 
-	if (ret->data != NULL) Free(ret->data);
+	if (ret->data != NULL) OPENSSL_free(ret->data);
 	ret->length=(int)len;
 	ret->data=s;
 	ret->type=tag;
@@ -218,8 +218,8 @@ ASN1_STRING *d2i_ASN1_bytes(ASN1_STRING **a, unsigned char **pp, long length,
 			{
 			if ((ret->length < len) || (ret->data == NULL))
 				{
-				if (ret->data != NULL) Free(ret->data);
-				s=(unsigned char *)Malloc((int)len + 1);
+				if (ret->data != NULL) OPENSSL_free(ret->data);
+				s=(unsigned char *)OPENSSL_malloc((int)len + 1);
 				if (s == NULL)
 					{
 					i=ERR_R_MALLOC_FAILURE;
@@ -235,7 +235,7 @@ ASN1_STRING *d2i_ASN1_bytes(ASN1_STRING **a, unsigned char **pp, long length,
 		else
 			{
 			s=NULL;
-			if (ret->data != NULL) Free(ret->data);
+			if (ret->data != NULL) OPENSSL_free(ret->data);
 			}
 
 		ret->length=(int)len;
@@ -310,14 +310,14 @@ static int asn1_collate_primitive(ASN1_STRING *a, ASN1_CTX *c)
 	if (!asn1_Finish(c)) goto err;
 
 	a->length=num;
-	if (a->data != NULL) Free(a->data);
+	if (a->data != NULL) OPENSSL_free(a->data);
 	a->data=(unsigned char *)b.data;
 	if (os != NULL) ASN1_STRING_free(os);
 	return(1);
 err:
 	ASN1err(ASN1_F_ASN1_COLLATE_PRIMITIVE,c->error);
 	if (os != NULL) ASN1_STRING_free(os);
-	if (b.data != NULL) Free(b.data);
+	if (b.data != NULL) OPENSSL_free(b.data);
 	return(0);
 	}
 

crypto/asn1/a_digest.c

@@ -77,14 +77,14 @@ int ASN1_digest(int (*i2d)(), const EVP_MD *type, char *data,
 	unsigned char *str,*p;
 
 	i=i2d(data,NULL);
-	if ((str=(unsigned char *)Malloc(i)) == NULL) return(0);
+	if ((str=(unsigned char *)OPENSSL_malloc(i)) == NULL) return(0);
 	p=str;
 	i2d(data,&p);
 
 	EVP_DigestInit(&ctx,type);
 	EVP_DigestUpdate(&ctx,str,i);
 	EVP_DigestFinal(&ctx,md,len);
-	Free(str);
+	OPENSSL_free(str);
 	return(1);
 	}
 

crypto/asn1/a_dup.c

@@ -71,13 +71,13 @@ char *ASN1_dup(int (*i2d)(), char *(*d2i)(), char *x)
 	if (x == NULL) return(NULL);
 
 	i=(long)i2d(x,NULL);
-	b=(unsigned char *)Malloc((unsigned int)i+10);
+	b=(unsigned char *)OPENSSL_malloc((unsigned int)i+10);
 	if (b == NULL)
 		{ ASN1err(ASN1_F_ASN1_DUP,ERR_R_MALLOC_FAILURE); return(NULL); }
 	p= b;
 	i=i2d(x,&p);
 	p= b;
 	ret=d2i(NULL,&p,i);
-	Free(b);
+	OPENSSL_free(b);
 	return(ret);
 	}

crypto/asn1/a_enum.c

@@ -71,88 +71,28 @@ ASN1_ENUMERATED *ASN1_ENUMERATED_new(void)
 void ASN1_ENUMERATED_free(ASN1_ENUMERATED *x)
 { M_ASN1_ENUMERATED_free(x); }
 
+
 int i2d_ASN1_ENUMERATED(ASN1_ENUMERATED *a, unsigned char **pp)
-	{
-	int pad=0,ret,r,i,t;
-	unsigned char *p,*n,pb=0;
-
-	if ((a == NULL) || (a->data == NULL)) return(0);
-	t=a->type;
-	if (a->length == 0)
-		ret=1;
-	else
-		{
-		ret=a->length;
-		i=a->data[0];
-		if ((t == V_ASN1_ENUMERATED) && (i > 127)) {
-			pad=1;
-			pb=0;
-		} else if(t == V_ASN1_NEG_ENUMERATED) {
-			if(i>128) {
-				pad=1;
-				pb=0xFF;
-			} else if(i == 128) {
-				for(i = 1; i < a->length; i++) if(a->data[i]) {
-						pad=1;
-						pb=0xFF;
-						break;
-				}
-			}
-		}
-		ret+=pad;
-		}
-	r=ASN1_object_size(0,ret,V_ASN1_ENUMERATED);
-	if (pp == NULL) return(r);
-	p= *pp;
-
-	ASN1_put_object(&p,0,ret,V_ASN1_ENUMERATED,V_ASN1_UNIVERSAL);
-	if (pad) *(p++)=pb;
-	if (a->length == 0)
-		*(p++)=0;
-	else if (t == V_ASN1_ENUMERATED)
-		{
-		memcpy(p,a->data,(unsigned int)a->length);
-		p+=a->length;
-		}
-	else {
-		/* Begin at the end of the encoding */
-		n=a->data + a->length - 1;
-		p += a->length - 1;
-		i = a->length;
-		/* Copy zeros to destination as long as source is zero */
-		while(!*n) {
-			*(p--) = 0;
-			n--;
-			i--;
-		}
-		/* Complement and increment next octet */
-		*(p--) = ((*(n--)) ^ 0xff) + 1;
-		i--;
-		/* Complement any octets left */
-		for(;i > 0; i--) *(p--) = *(n--) ^ 0xff;
-		p += a->length;
-	}
-
-	*pp=p;
-	return(r);
+{
+	int len, ret;
+	if(!a) return 0;
+	len = i2c_ASN1_INTEGER(a, NULL);	
+	ret=ASN1_object_size(0,len,V_ASN1_ENUMERATED);
+	if(pp) {
+		ASN1_put_object(pp,0,len,V_ASN1_ENUMERATED,V_ASN1_UNIVERSAL);
+		i2c_ASN1_INTEGER(a, pp);	
 	}
+	return ret;
+}
 
 ASN1_ENUMERATED *d2i_ASN1_ENUMERATED(ASN1_ENUMERATED **a, unsigned char **pp,
 	     long length)
-	{
-	ASN1_ENUMERATED *ret=NULL;
-	unsigned char *p,*to,*s;
+{
+	unsigned char *p;
 	long len;
-	int inf,tag,xclass;
 	int i;
-
-	if ((a == NULL) || ((*a) == NULL))
-		{
-		if ((ret=M_ASN1_ENUMERATED_new()) == NULL) return(NULL);
-		ret->type=V_ASN1_ENUMERATED;
-		}
-	else
-		ret=(*a);
+	int inf,tag,xclass;
+	ASN1_ENUMERATED *ret;
 
 	p= *pp;
 	inf=ASN1_get_object(&p,&len,&tag,&xclass,length);
@@ -167,70 +107,17 @@ ASN1_ENUMERATED *d2i_ASN1_ENUMERATED(ASN1_ENUMERATED **a, unsigned char **pp,
 		i=ASN1_R_EXPECTING_AN_ENUMERATED;
 		goto err;
 		}
-
-	/* We must Malloc stuff, even for 0 bytes otherwise it
-	 * signifies a missing NULL parameter. */
-	s=(unsigned char *)Malloc((int)len+1);
-	if (s == NULL)
-		{
-		i=ERR_R_MALLOC_FAILURE;
-		goto err;
+	ret = c2i_ASN1_INTEGER(a, &p, len);
+	if(ret) {
+		ret->type = (V_ASN1_NEG & ret->type) | V_ASN1_ENUMERATED;
+		*pp = p;
 	}
-	to=s;
-	if(!len) {
-		/* Strictly speaking this is an illegal ENUMERATED but we
-		 * tolerate it.
-		 */
-		ret->type=V_ASN1_ENUMERATED;
-	} else if (*p & 0x80) /* a negative number */
-		{
-		ret->type=V_ASN1_NEG_ENUMERATED;
-		if ((*p == 0xff) && (len != 1)) {
-			p++;
-			len--;
-		}
-		i = len;
-		p += i - 1;
-		to += i - 1;
-		while((!*p) && i) {
-			*(to--) = 0;
-			i--;
-			p--;
-		}
-		if(!i) {
-			*s = 1;
-			s[len] = 0;
-			p += len;
-			len++;
-		} else {
-			*(to--) = (*(p--) ^ 0xff) + 1;
-			i--;
-			for(;i > 0; i--) *(to--) = *(p--) ^ 0xff;
-			p += len;
-		}
-	} else {
-		ret->type=V_ASN1_ENUMERATED;
-		if ((*p == 0) && (len != 1))
-			{
-			p++;
-			len--;
-			}
-		memcpy(s,p,(int)len);
-		p+=len;
-	}
-
-	if (ret->data != NULL) Free(ret->data);
-	ret->data=s;
-	ret->length=(int)len;
-	if (a != NULL) (*a)=ret;
-	*pp=p;
-	return(ret);
+	return ret;
 err:
 	ASN1err(ASN1_F_D2I_ASN1_ENUMERATED,i);
-	if ((ret != NULL) && ((a == NULL) || (*a != ret)))
-		M_ASN1_ENUMERATED_free(ret);
 	return(NULL);
-	}
+
+}
 
 int ASN1_ENUMERATED_set(ASN1_ENUMERATED *a, long v)
 	{
@@ -242,8 +129,8 @@ int ASN1_ENUMERATED_set(ASN1_ENUMERATED *a, long v)
 	if (a->length < (sizeof(long)+1))
 		{
 		if (a->data != NULL)
-			Free(a->data);
-		if ((a->data=(unsigned char *)Malloc(sizeof(long)+1)) != NULL)
+			OPENSSL_free(a->data);
+		if ((a->data=(unsigned char *)OPENSSL_malloc(sizeof(long)+1)) != NULL)
 			memset((char *)a->data,0,sizeof(long)+1);
 		}
 	if (a->data == NULL)
@@ -318,7 +205,7 @@ ASN1_ENUMERATED *BN_to_ASN1_ENUMERATED(BIGNUM *bn, ASN1_ENUMERATED *ai)
 	else ret->type=V_ASN1_ENUMERATED;
 	j=BN_num_bits(bn);
 	len=((j == 0)?0:((j/8)+1));
-	ret->data=(unsigned char *)Malloc(len+4);
+	ret->data=(unsigned char *)OPENSSL_malloc(len+4);
 	ret->length=BN_bn2bin(bn,ret->data);
 	return(ret);
 err:
@@ -332,6 +219,6 @@ BIGNUM *ASN1_ENUMERATED_to_BN(ASN1_ENUMERATED *ai, BIGNUM *bn)
 
 	if ((ret=BN_bin2bn(ai->data,ai->length,bn)) == NULL)
 		ASN1err(ASN1_F_ASN1_ENUMERATED_TO_BN,ASN1_R_BN_LIB);
-	if(ai->type == V_ASN1_NEG_ENUMERATED) bn->neg = 1;
+	else if(ai->type == V_ASN1_NEG_ENUMERATED) ret->neg = 1;
 	return(ret);
 	}

crypto/asn1/a_gentm.c

@@ -212,10 +212,10 @@ ASN1_GENERALIZEDTIME *ASN1_GENERALIZEDTIME_set(ASN1_GENERALIZEDTIME *s,
 	p=(char *)s->data;
 	if ((p == NULL) || (s->length < 16))
 		{
-		p=Malloc(20);
+		p=OPENSSL_malloc(20);
 		if (p == NULL) return(NULL);
 		if (s->data != NULL)
-			Free(s->data);
+			OPENSSL_free(s->data);
 		s->data=(unsigned char *)p;
 		}
 

crypto/asn1/a_hdr.c

@@ -115,5 +115,5 @@ void ASN1_HEADER_free(ASN1_HEADER *a)
 	M_ASN1_OCTET_STRING_free(a->header);
 	if (a->meth != NULL)
 		a->meth->destroy(a->data);
-	Free(a);
+	OPENSSL_free(a);
 	}

crypto/asn1/a_i2d_fp.c

@@ -86,7 +86,7 @@ int ASN1_i2d_bio(int (*i2d)(), BIO *out, unsigned char *x)
 	int i,j=0,n,ret=1;
 
 	n=i2d(x,NULL);
-	b=(char *)Malloc(n);
+	b=(char *)OPENSSL_malloc(n);
 	if (b == NULL)
 		{
 		ASN1err(ASN1_F_ASN1_I2D_BIO,ERR_R_MALLOC_FAILURE);
@@ -108,6 +108,6 @@ int ASN1_i2d_bio(int (*i2d)(), BIO *out, unsigned char *x)
 		j+=i;
 		n-=i;
 		}
-	Free(b);
+	OPENSSL_free(b);
 	return(ret);
 	}

crypto/asn1/a_int.c

@@ -72,8 +72,23 @@ ASN1_INTEGER *ASN1_INTEGER_dup(ASN1_INTEGER *x)
 int ASN1_INTEGER_cmp(ASN1_INTEGER *x, ASN1_INTEGER *y)
 { return M_ASN1_INTEGER_cmp(x,y);}
 
+/* Output ASN1 INTEGER including tag+length */
+
+int i2d_ASN1_INTEGER(ASN1_INTEGER *a, unsigned char **pp)
+{
+	int len, ret;
+	if(!a) return 0;
+	len = i2c_ASN1_INTEGER(a, NULL);	
+	ret=ASN1_object_size(0,len,V_ASN1_INTEGER);
+	if(pp) {
+		ASN1_put_object(pp,0,len,V_ASN1_INTEGER,V_ASN1_UNIVERSAL);
+		i2c_ASN1_INTEGER(a, pp);	
+	}
+	return ret;
+}
+
 /* 
- * This converts an ASN1 INTEGER into its DER encoding.
+ * This converts an ASN1 INTEGER into its content encoding.
  * The internal representation is an ASN1_STRING whose data is a big endian
  * representation of the value, ignoring the sign. The sign is determined by
  * the type: V_ASN1_INTEGER for positive and V_ASN1_NEG_INTEGER for negative. 
@@ -97,23 +112,23 @@ int ASN1_INTEGER_cmp(ASN1_INTEGER *x, ASN1_INTEGER *y)
  * followed by optional zeros isn't padded.
  */
 
-int i2d_ASN1_INTEGER(ASN1_INTEGER *a, unsigned char **pp)
+int i2c_ASN1_INTEGER(ASN1_INTEGER *a, unsigned char **pp)
 	{
-	int pad=0,ret,r,i,t;
+	int pad=0,ret,i,neg;
 	unsigned char *p,*n,pb=0;
 
 	if ((a == NULL) || (a->data == NULL)) return(0);
-	t=a->type;
+	neg=a->type & V_ASN1_NEG;
 	if (a->length == 0)
 		ret=1;
 	else
 		{
 		ret=a->length;
 		i=a->data[0];
-		if ((t == V_ASN1_INTEGER) && (i > 127)) {
+		if (!neg && (i > 127)) {
 			pad=1;
 			pb=0;
-		} else if(t == V_ASN1_NEG_INTEGER) {
+		} else if(neg) {
 			if(i>128) {
 				pad=1;
 				pb=0xFF;
@@ -131,14 +146,12 @@ int i2d_ASN1_INTEGER(ASN1_INTEGER *a, unsigned char **pp)
 		}
 		ret+=pad;
 		}
-	r=ASN1_object_size(0,ret,V_ASN1_INTEGER);
-	if (pp == NULL) return(r);
+	if (pp == NULL) return(ret);
 	p= *pp;
 
-	ASN1_put_object(&p,0,ret,V_ASN1_INTEGER,V_ASN1_UNIVERSAL);
 	if (pad) *(p++)=pb;
 	if (a->length == 0) *(p++)=0;
-	else if (t == V_ASN1_INTEGER) memcpy(p,a->data,(unsigned int)a->length);
+	else if (!neg) memcpy(p,a->data,(unsigned int)a->length);
 	else {
 		/* Begin at the end of the encoding */
 		n=a->data + a->length - 1;
@@ -157,30 +170,22 @@ int i2d_ASN1_INTEGER(ASN1_INTEGER *a, unsigned char **pp)
 		for(;i > 0; i--) *(p--) = *(n--) ^ 0xff;
 	}
 
-	*pp+=r;
-	return(r);
+	*pp+=ret;
+	return(ret);
 	}
 
+/* Convert DER encoded ASN1 INTEGER to ASN1_INTEGER structure */
 ASN1_INTEGER *d2i_ASN1_INTEGER(ASN1_INTEGER **a, unsigned char **pp,
 	     long length)
-	{
-	ASN1_INTEGER *ret=NULL;
-	unsigned char *p,*to,*s, *pend;
+{
+	unsigned char *p;
 	long len;
-	int inf,tag,xclass;
 	int i;
-
-	if ((a == NULL) || ((*a) == NULL))
-		{
-		if ((ret=M_ASN1_INTEGER_new()) == NULL) return(NULL);
-		ret->type=V_ASN1_INTEGER;
-		}
-	else
-		ret=(*a);
+	int inf,tag,xclass;
+	ASN1_INTEGER *ret;
 
 	p= *pp;
 	inf=ASN1_get_object(&p,&len,&tag,&xclass,length);
-	pend = p + len;
 	if (inf & 0x80)
 		{
 		i=ASN1_R_BAD_OBJECT_HEADER;
@@ -192,10 +197,39 @@ ASN1_INTEGER *d2i_ASN1_INTEGER(ASN1_INTEGER **a, unsigned char **pp,
 		i=ASN1_R_EXPECTING_AN_INTEGER;
 		goto err;
 		}
+	ret = c2i_ASN1_INTEGER(a, &p, len);
+	if(ret) *pp = p;
+	return ret;
+err:
+	ASN1err(ASN1_F_D2I_ASN1_INTEGER,i);
+	return(NULL);
 
-	/* We must Malloc stuff, even for 0 bytes otherwise it
+}
+
+
+/* Convert just ASN1 INTEGER content octets to ASN1_INTEGER structure */
+
+ASN1_INTEGER *c2i_ASN1_INTEGER(ASN1_INTEGER **a, unsigned char **pp,
+	     long len)
+	{
+	ASN1_INTEGER *ret=NULL;
+	unsigned char *p,*to,*s, *pend;
+	int i;
+
+	if ((a == NULL) || ((*a) == NULL))
+		{
+		if ((ret=M_ASN1_INTEGER_new()) == NULL) return(NULL);
+		ret->type=V_ASN1_INTEGER;
+		}
+	else
+		ret=(*a);
+
+	p= *pp;
+	pend = p + len;
+
+	/* We must OPENSSL_malloc stuff, even for 0 bytes otherwise it
 	 * signifies a missing NULL parameter. */
-	s=(unsigned char *)Malloc((int)len+1);
+	s=(unsigned char *)OPENSSL_malloc((int)len+1);
 	if (s == NULL)
 		{
 		i=ERR_R_MALLOC_FAILURE;
@@ -248,7 +282,7 @@ ASN1_INTEGER *d2i_ASN1_INTEGER(ASN1_INTEGER **a, unsigned char **pp,
 		memcpy(s,p,(int)len);
 	}
 
-	if (ret->data != NULL) Free(ret->data);
+	if (ret->data != NULL) OPENSSL_free(ret->data);
 	ret->data=s;
 	ret->length=(int)len;
 	if (a != NULL) (*a)=ret;
@@ -261,6 +295,7 @@ err:
 	return(NULL);
 	}
 
+
 /* This is a version of d2i_ASN1_INTEGER that ignores the sign bit of
  * ASN1 integers: some broken software can encode a positive INTEGER
  * with its MSB set as negative (it doesn't add a padding zero).
@@ -297,9 +332,9 @@ ASN1_INTEGER *d2i_ASN1_UINTEGER(ASN1_INTEGER **a, unsigned char **pp,
 		goto err;
 		}
 
-	/* We must Malloc stuff, even for 0 bytes otherwise it
+	/* We must OPENSSL_malloc stuff, even for 0 bytes otherwise it
 	 * signifies a missing NULL parameter. */
-	s=(unsigned char *)Malloc((int)len+1);
+	s=(unsigned char *)OPENSSL_malloc((int)len+1);
 	if (s == NULL)
 		{
 		i=ERR_R_MALLOC_FAILURE;
@@ -317,7 +352,7 @@ ASN1_INTEGER *d2i_ASN1_UINTEGER(ASN1_INTEGER **a, unsigned char **pp,
 		p+=len;
 	}
 
-	if (ret->data != NULL) Free(ret->data);
+	if (ret->data != NULL) OPENSSL_free(ret->data);
 	ret->data=s;
 	ret->length=(int)len;
 	if (a != NULL) (*a)=ret;
@@ -340,8 +375,8 @@ int ASN1_INTEGER_set(ASN1_INTEGER *a, long v)
 	if (a->length < (sizeof(long)+1))
 		{
 		if (a->data != NULL)
-			Free(a->data);
-		if ((a->data=(unsigned char *)Malloc(sizeof(long)+1)) != NULL)
+			OPENSSL_free(a->data);
+		if ((a->data=(unsigned char *)OPENSSL_malloc(sizeof(long)+1)) != NULL)
 			memset((char *)a->data,0,sizeof(long)+1);
 		}
 	if (a->data == NULL)
@@ -416,7 +451,7 @@ ASN1_INTEGER *BN_to_ASN1_INTEGER(BIGNUM *bn, ASN1_INTEGER *ai)
 	else ret->type=V_ASN1_INTEGER;
 	j=BN_num_bits(bn);
 	len=((j == 0)?0:((j/8)+1));
-	ret->data=(unsigned char *)Malloc(len+4);
+	ret->data=(unsigned char *)OPENSSL_malloc(len+4);
 	ret->length=BN_bn2bin(bn,ret->data);
 	return(ret);
 err:
@@ -430,6 +465,9 @@ BIGNUM *ASN1_INTEGER_to_BN(ASN1_INTEGER *ai, BIGNUM *bn)
 
 	if ((ret=BN_bin2bn(ai->data,ai->length,bn)) == NULL)
 		ASN1err(ASN1_F_ASN1_INTEGER_TO_BN,ASN1_R_BN_LIB);
-	if(ai->type == V_ASN1_NEG_INTEGER) bn->neg = 1;
+	else if(ai->type == V_ASN1_NEG_INTEGER) ret->neg = 1;
 	return(ret);
 	}
+
+IMPLEMENT_STACK_OF(ASN1_INTEGER)
+IMPLEMENT_ASN1_SET_OF(ASN1_INTEGER)

crypto/asn1/a_mbstr.c

@@ -92,6 +92,7 @@ int ASN1_mbstring_ncopy(ASN1_STRING **out, const unsigned char *in, int len,
 {
 	int str_type;
 	int ret;
+	char free_out;
 	int outform, outlen;
 	ASN1_STRING *dest;
 	unsigned char *p;
@@ -180,14 +181,16 @@ int ASN1_mbstring_ncopy(ASN1_STRING **out, const unsigned char *in, int len,
 	}
 	if(!out) return str_type;
 	if(*out) {
+		free_out = 0;
 		dest = *out;
 		if(dest->data) {
 			dest->length = 0;
-			Free(dest->data);
+			OPENSSL_free(dest->data);
 			dest->data = NULL;
 		}
 		dest->type = str_type;
 	} else {
+		free_out = 1;
 		dest = ASN1_STRING_type_new(str_type);
 		if(!dest) {
 			ASN1err(ASN1_F_ASN1_MBSTRING_COPY,
@@ -228,8 +231,8 @@ int ASN1_mbstring_ncopy(ASN1_STRING **out, const unsigned char *in, int len,
 		cpyfunc = cpy_utf8;
 		break;
 	}
-	if(!(p = Malloc(outlen + 1))) {
-		ASN1_STRING_free(dest);
+	if(!(p = OPENSSL_malloc(outlen + 1))) {
+		if(free_out) ASN1_STRING_free(dest);
 		ASN1err(ASN1_F_ASN1_MBSTRING_COPY,ERR_R_MALLOC_FAILURE);
 		return -1;
 	}
@@ -258,8 +261,8 @@ static int traverse_string(const unsigned char *p, int len, int inform,
 			value |= *p++;
 			len -= 2;
 		} else if(inform == MBSTRING_UNIV) {
-			value = *p++ << 24;
-			value |= *p++ << 16;
+			value = ((unsigned long)*p++) << 24;
+			value |= ((unsigned long)*p++) << 16;
 			value |= *p++ << 8;
 			value |= *p++;
 			len -= 4;
@@ -382,9 +385,16 @@ static int is_printable(unsigned long value)
 	/* Note: we can't use 'isalnum' because certain accented 
 	 * characters may count as alphanumeric in some environments.
 	 */
+#ifndef CHARSET_EBCDIC
 	if((ch >= 'a') && (ch <= 'z')) return 1;
 	if((ch >= 'A') && (ch <= 'Z')) return 1;
 	if((ch >= '0') && (ch <= '9')) return 1;
 	if ((ch == ' ') || strchr("'()+,-./:=?", ch)) return 1;
+#else /*CHARSET_EBCDIC*/
+	if((ch >= os_toascii['a']) && (ch <= os_toascii['z'])) return 1;
+	if((ch >= os_toascii['A']) && (ch <= os_toascii['Z'])) return 1;
+	if((ch >= os_toascii['0']) && (ch <= os_toascii['9'])) return 1;
+	if ((ch == os_toascii[' ']) || strchr("'()+,-./:=?", os_toebcdic[ch])) return 1;
+#endif /*CHARSET_EBCDIC*/
 	return 0;
 }

crypto/asn1/a_object.c

@@ -65,11 +65,12 @@
 int i2d_ASN1_OBJECT(ASN1_OBJECT *a, unsigned char **pp)
 	{
 	unsigned char *p;
+	int objsize;
 
 	if ((a == NULL) || (a->data == NULL)) return(0);
 
-	if (pp == NULL)
-		return(ASN1_object_size(0,a->length,V_ASN1_OBJECT));
+	objsize = ASN1_object_size(0,a->length,V_ASN1_OBJECT);
+	if (pp == NULL) return objsize;
 
 	p= *pp;
 	ASN1_put_object(&p,0,a->length,V_ASN1_OBJECT,V_ASN1_UNIVERSAL);
@@ -77,7 +78,7 @@ int i2d_ASN1_OBJECT(ASN1_OBJECT *a, unsigned char **pp)
 	p+=a->length;
 
 	*pp=p;
-	return(a->length);
+	return(objsize);
 	}
 
 int a2d_ASN1_OBJECT(unsigned char *out, int olen, const char *buf, int num)
@@ -190,24 +191,13 @@ int i2a_ASN1_OBJECT(BIO *bp, ASN1_OBJECT *a)
 
 ASN1_OBJECT *d2i_ASN1_OBJECT(ASN1_OBJECT **a, unsigned char **pp,
 	     long length)
-	{
-	ASN1_OBJECT *ret=NULL;
+{
 	unsigned char *p;
 	long len;
 	int tag,xclass;
 	int inf,i;
-
-	/* only the ASN1_OBJECTs from the 'table' will have values
-	 * for ->sn or ->ln */
-	if ((a == NULL) || ((*a) == NULL) ||
-		!((*a)->flags & ASN1_OBJECT_FLAG_DYNAMIC))
-		{
-		if ((ret=ASN1_OBJECT_new()) == NULL) return(NULL);
-		}
-	else	ret=(*a);
-
+	ASN1_OBJECT *ret = NULL;
 	p= *pp;
-
 	inf=ASN1_get_object(&p,&len,&tag,&xclass,length);
 	if (inf & 0x80)
 		{
@@ -220,10 +210,36 @@ ASN1_OBJECT *d2i_ASN1_OBJECT(ASN1_OBJECT **a, unsigned char **pp,
 		i=ASN1_R_EXPECTING_AN_OBJECT;
 		goto err;
 		}
+	ret = c2i_ASN1_OBJECT(a, &p, len);
+	if(ret) *pp = p;
+	return ret;
+err:
+	ASN1err(ASN1_F_D2I_ASN1_OBJECT,i);
+	if ((ret != NULL) && ((a == NULL) || (*a != ret)))
+		ASN1_OBJECT_free(ret);
+	return(NULL);
+}
+ASN1_OBJECT *c2i_ASN1_OBJECT(ASN1_OBJECT **a, unsigned char **pp,
+	     long len)
+	{
+	ASN1_OBJECT *ret=NULL;
+	unsigned char *p;
+	int i;
+
+	/* only the ASN1_OBJECTs from the 'table' will have values
+	 * for ->sn or ->ln */
+	if ((a == NULL) || ((*a) == NULL) ||
+		!((*a)->flags & ASN1_OBJECT_FLAG_DYNAMIC))
+		{
+		if ((ret=ASN1_OBJECT_new()) == NULL) return(NULL);
+		}
+	else	ret=(*a);
+
+	p= *pp;
 	if ((ret->data == NULL) || (ret->length < len))
 		{
-		if (ret->data != NULL) Free(ret->data);
-		ret->data=(unsigned char *)Malloc(len ? (int)len : 1);
+		if (ret->data != NULL) OPENSSL_free(ret->data);
+		ret->data=(unsigned char *)OPENSSL_malloc(len ? (int)len : 1);
 		ret->flags|=ASN1_OBJECT_FLAG_DYNAMIC_DATA;
 		if (ret->data == NULL)
 			{ i=ERR_R_MALLOC_FAILURE; goto err; }
@@ -249,7 +265,7 @@ ASN1_OBJECT *ASN1_OBJECT_new(void)
 	{
 	ASN1_OBJECT *ret;
 
-	ret=(ASN1_OBJECT *)Malloc(sizeof(ASN1_OBJECT));
+	ret=(ASN1_OBJECT *)OPENSSL_malloc(sizeof(ASN1_OBJECT));
 	if (ret == NULL)
 		{
 		ASN1err(ASN1_F_ASN1_OBJECT_NEW,ERR_R_MALLOC_FAILURE);
@@ -270,19 +286,19 @@ void ASN1_OBJECT_free(ASN1_OBJECT *a)
 	if (a->flags & ASN1_OBJECT_FLAG_DYNAMIC_STRINGS)
 		{
 #ifndef CONST_STRICT /* disable purely for compile-time strict const checking. Doing this on a "real" compile will cause memory leaks */
-		if (a->sn != NULL) Free((void *)a->sn);
-		if (a->ln != NULL) Free((void *)a->ln);
+		if (a->sn != NULL) OPENSSL_free((void *)a->sn);
+		if (a->ln != NULL) OPENSSL_free((void *)a->ln);
 #endif
 		a->sn=a->ln=NULL;
 		}
 	if (a->flags & ASN1_OBJECT_FLAG_DYNAMIC_DATA)
 		{
-		if (a->data != NULL) Free(a->data);
+		if (a->data != NULL) OPENSSL_free(a->data);
 		a->data=NULL;
 		a->length=0;
 		}
 	if (a->flags & ASN1_OBJECT_FLAG_DYNAMIC)
-		Free(a);
+		OPENSSL_free(a);
 	}
 
 ASN1_OBJECT *ASN1_OBJECT_create(int nid, unsigned char *data, int len,

crypto/asn1/a_set.c

@@ -116,7 +116,7 @@ int i2d_ASN1_SET(STACK *a, unsigned char **pp, int (*func)(), int ex_tag,
 		}
 
         pStart  = p; /* Catch the beg of Setblobs*/
-        rgSetBlob = (MYBLOB *)Malloc( sk_num(a) * sizeof(MYBLOB)); /* In this array
+        rgSetBlob = (MYBLOB *)OPENSSL_malloc( sk_num(a) * sizeof(MYBLOB)); /* In this array
 we will store the SET blobs */
 
         for (i=0; i<sk_num(a); i++)
@@ -133,7 +133,7 @@ SetBlob
  /* Now we have to sort the blobs. I am using a simple algo.
     *Sort ptrs *Copy to temp-mem *Copy from temp-mem to user-mem*/
         qsort( rgSetBlob, sk_num(a), sizeof(MYBLOB), SetBlobCmp);
-        pTempMem = Malloc(totSize);
+        pTempMem = OPENSSL_malloc(totSize);
 
 /* Copy to temp mem */
         p = pTempMem;
@@ -145,20 +145,20 @@ SetBlob
 
 /* Copy back to user mem*/
         memcpy(pStart, pTempMem, totSize);
-        Free(pTempMem);
-        Free(rgSetBlob);
+        OPENSSL_free(pTempMem);
+        OPENSSL_free(rgSetBlob);
 
         return(r);
         }
 
 STACK *d2i_ASN1_SET(STACK **a, unsigned char **pp, long length,
-	     char *(*func)(), void (*free_func)(), int ex_tag, int ex_class)
+	     char *(*func)(), void (*free_func)(void *), int ex_tag, int ex_class)
 	{
 	ASN1_CTX c;
 	STACK *ret=NULL;
 
 	if ((a == NULL) || ((*a) == NULL))
-		{ if ((ret=sk_new(NULL)) == NULL) goto err; }
+		{ if ((ret=sk_new_null()) == NULL) goto err; }
 	else
 		ret=(*a);
 

crypto/asn1/a_sign.c

@@ -108,9 +108,9 @@ int ASN1_sign(int (*i2d)(), X509_ALGOR *algor1, X509_ALGOR *algor2,
 			}
 		}
 	inl=i2d(data,NULL);
-	buf_in=(unsigned char *)Malloc((unsigned int)inl);
+	buf_in=(unsigned char *)OPENSSL_malloc((unsigned int)inl);
 	outll=outl=EVP_PKEY_size(pkey);
-	buf_out=(unsigned char *)Malloc((unsigned int)outl);
+	buf_out=(unsigned char *)OPENSSL_malloc((unsigned int)outl);
 	if ((buf_in == NULL) || (buf_out == NULL))
 		{
 		outl=0;
@@ -129,7 +129,7 @@ int ASN1_sign(int (*i2d)(), X509_ALGOR *algor1, X509_ALGOR *algor2,
 		ASN1err(ASN1_F_ASN1_SIGN,ERR_R_EVP_LIB);
 		goto err;
 		}
-	if (signature->data != NULL) Free(signature->data);
+	if (signature->data != NULL) OPENSSL_free(signature->data);
 	signature->data=buf_out;
 	buf_out=NULL;
 	signature->length=outl;
@@ -141,8 +141,8 @@ int ASN1_sign(int (*i2d)(), X509_ALGOR *algor1, X509_ALGOR *algor2,
 err:
 	memset(&ctx,0,sizeof(ctx));
 	if (buf_in != NULL)
-		{ memset((char *)buf_in,0,(unsigned int)inl); Free(buf_in); }
+		{ memset((char *)buf_in,0,(unsigned int)inl); OPENSSL_free(buf_in); }
 	if (buf_out != NULL)
-		{ memset((char *)buf_out,0,outll); Free(buf_out); }
+		{ memset((char *)buf_out,0,outll); OPENSSL_free(buf_out); }
 	return(outl);
 	}

crypto/asn1/a_strex.c

@@ -0,0 +1,533 @@
+/* a_strex.c */
+/* Written by Dr Stephen N Henson (shenson@bigfoot.com) for the OpenSSL
+ * project 2000.
+ */
+/* ====================================================================
+ * Copyright (c) 2000 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    licensing@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+
+#include <stdio.h>
+#include <string.h>
+#include <openssl/crypto.h>
+#include <openssl/x509.h>
+#include <openssl/asn1.h>
+
+#include "charmap.h"
+
+/* ASN1_STRING_print_ex() and X509_NAME_print_ex().
+ * Enhanced string and name printing routines handling
+ * multibyte characters, RFC2253 and a host of other
+ * options.
+ */
+
+
+#define CHARTYPE_BS_ESC		(ASN1_STRFLGS_ESC_2253 | CHARTYPE_FIRST_ESC_2253 | CHARTYPE_LAST_ESC_2253)
+
+
+/* Three IO functions for sending data to memory, a BIO and
+ * and a FILE pointer.
+ */
+
+int send_mem_chars(void *arg, const void *buf, int len)
+{
+	unsigned char **out = arg;
+	if(!out) return 1;
+	memcpy(*out, buf, len);
+	*out += len;
+	return 1;
+}
+
+int send_bio_chars(void *arg, const void *buf, int len)
+{
+	if(!arg) return 1;
+	if(BIO_write(arg, buf, len) != len) return 0;
+	return 1;
+}
+
+int send_fp_chars(void *arg, const void *buf, int len)
+{
+	if(!arg) return 1;
+	if(fwrite(buf, 1, len, arg) != (unsigned int)len) return 0;
+	return 1;
+}
+
+typedef int char_io(void *arg, const void *buf, int len);
+
+/* This function handles display of
+ * strings, one character at a time.
+ * It is passed an unsigned long for each
+ * character because it could come from 2 or even
+ * 4 byte forms.
+ */
+
+static int do_esc_char(unsigned long c, unsigned char flags, char *do_quotes, char_io *io_ch, void *arg)
+{
+	unsigned char chflgs, chtmp;
+	char tmphex[11];
+	if(c > 0xffff) {
+		BIO_snprintf(tmphex, 11, "\\W%08lX", c);
+		if(!io_ch(arg, tmphex, 10)) return -1;
+		return 10;
+	}
+	if(c > 0xff) {
+		BIO_snprintf(tmphex, 11, "\\U%04lX", c);
+		if(!io_ch(arg, tmphex, 6)) return -1;
+		return 6;
+	}
+	chtmp = (unsigned char)c;
+	if(chtmp > 0x7f) chflgs = flags & ASN1_STRFLGS_ESC_MSB;
+	else chflgs = char_type[chtmp] & flags;
+	if(chflgs & CHARTYPE_BS_ESC) {
+		/* If we don't escape with quotes, signal we need quotes */
+		if(chflgs & ASN1_STRFLGS_ESC_QUOTE) {
+			if(do_quotes) *do_quotes = 1;
+			if(!io_ch(arg, &chtmp, 1)) return -1;
+			return 1;
+		}
+		if(!io_ch(arg, "\\", 1)) return -1;
+		if(!io_ch(arg, &chtmp, 1)) return -1;
+		return 2;
+	}
+	if(chflgs & (ASN1_STRFLGS_ESC_CTRL|ASN1_STRFLGS_ESC_MSB)) {
+		BIO_snprintf(tmphex, 11, "\\%02X", chtmp);
+		if(!io_ch(arg, tmphex, 3)) return -1;
+		return 3;
+	}
+	if(!io_ch(arg, &chtmp, 1)) return -1;
+	return 1;
+}
+
+#define BUF_TYPE_WIDTH_MASK	0x7
+#define BUF_TYPE_CONVUTF8	0x8
+
+/* This function sends each character in a buffer to
+ * do_esc_char(). It interprets the content formats
+ * and converts to or from UTF8 as appropriate.
+ */
+
+static int do_buf(unsigned char *buf, int buflen,
+			int type, unsigned char flags, char *quotes, char_io *io_ch, void *arg)
+{
+	int i, outlen, len;
+	unsigned char orflags, *p, *q;
+	unsigned long c;
+	p = buf;
+	q = buf + buflen;
+	outlen = 0;
+	while(p != q) {
+		if(p == buf) orflags = CHARTYPE_FIRST_ESC_2253;
+		else orflags = 0;
+		switch(type & BUF_TYPE_WIDTH_MASK) {
+			case 4:
+			c = ((unsigned long)*p++) << 24;
+			c |= ((unsigned long)*p++) << 16;
+			c |= ((unsigned long)*p++) << 8;
+			c |= *p++;
+			break;
+
+			case 2:
+			c = ((unsigned long)*p++) << 8;
+			c |= *p++;
+			break;
+
+			case 1:
+			c = *p++;
+			break;
+			
+			case 0:
+			i = UTF8_getc(p, buflen, &c);
+			if(i < 0) return -1;	/* Invalid UTF8String */
+			p += i;
+			break;
+		}
+		if (p == q) orflags = CHARTYPE_LAST_ESC_2253;
+		if(type & BUF_TYPE_CONVUTF8) {
+			unsigned char utfbuf[6];
+			int utflen;
+			utflen = UTF8_putc(utfbuf, 6, c);
+			for(i = 0; i < utflen; i++) {
+				/* We don't need to worry about setting orflags correctly
+				 * because if utflen==1 its value will be correct anyway 
+				 * otherwise each character will be > 0x7f and so the 
+				 * character will never be escaped on first and last.
+				 */
+				len = do_esc_char(utfbuf[i], (unsigned char)(flags | orflags), quotes, io_ch, arg);
+				if(len < 0) return -1;
+				outlen += len;
+			}
+		} else {
+			len = do_esc_char(c, (unsigned char)(flags | orflags), quotes, io_ch, arg);
+			if(len < 0) return -1;
+			outlen += len;
+		}
+	}
+	return outlen;
+}
+
+/* This function hex dumps a buffer of characters */
+
+static int do_hex_dump(char_io *io_ch, void *arg, unsigned char *buf, int buflen)
+{
+	const static char hexdig[] = "0123456789ABCDEF";
+	unsigned char *p, *q;
+	char hextmp[2];
+	if(arg) {
+		p = buf;
+		q = buf + buflen;
+		while(p != q) {
+			hextmp[0] = hexdig[*p >> 4];
+			hextmp[1] = hexdig[*p & 0xf];
+			if(!io_ch(arg, hextmp, 2)) return -1;
+			p++;
+		}
+	}
+	return buflen << 1;
+}
+
+/* "dump" a string. This is done when the type is unknown,
+ * or the flags request it. We can either dump the content
+ * octets or the entire DER encoding. This uses the RFC2253
+ * #01234 format.
+ */
+
+int do_dump(unsigned long lflags, char_io *io_ch, void *arg, ASN1_STRING *str)
+{
+	/* Placing the ASN1_STRING in a temp ASN1_TYPE allows
+	 * the DER encoding to readily obtained
+	 */
+	ASN1_TYPE t;
+	unsigned char *der_buf, *p;
+	int outlen, der_len;
+
+	if(!io_ch(arg, "#", 1)) return -1;
+	/* If we don't dump DER encoding just dump content octets */
+	if(!(lflags & ASN1_STRFLGS_DUMP_DER)) {
+		outlen = do_hex_dump(io_ch, arg, str->data, str->length);
+		if(outlen < 0) return -1;
+		return outlen + 1;
+	}
+	t.type = str->type;
+	t.value.ptr = (char *)str;
+	der_len = i2d_ASN1_TYPE(&t, NULL);
+	der_buf = OPENSSL_malloc(der_len);
+	if(!der_buf) return -1;
+	p = der_buf;
+	i2d_ASN1_TYPE(&t, &p);
+	outlen = do_hex_dump(io_ch, arg, der_buf, der_len);
+	OPENSSL_free(der_buf);
+	if(outlen < 0) return -1;
+	return outlen + 1;
+}
+
+/* Lookup table to convert tags to character widths,
+ * 0 = UTF8 encoded, -1 is used for non string types
+ * otherwise it is the number of bytes per character
+ */
+
+const static char tag2nbyte[] = {
+	-1, -1, -1, -1, -1,	/* 0-4 */
+	-1, -1, -1, -1, -1,	/* 5-9 */
+	-1, -1, 0, -1,		/* 10-13 */
+	-1, -1, -1, -1,		/* 15-17 */
+	-1, 1, 1,		/* 18-20 */
+	-1, 1, -1,-1,		/* 21-24 */
+	-1, 1, -1,		/* 25-27 */
+	4, -1, 2		/* 28-30 */
+};
+
+#define ESC_FLAGS (ASN1_STRFLGS_ESC_2253 | \
+		  ASN1_STRFLGS_ESC_QUOTE | \
+		  ASN1_STRFLGS_ESC_CTRL | \
+		  ASN1_STRFLGS_ESC_MSB)
+
+/* This is the main function, print out an
+ * ASN1_STRING taking note of various escape
+ * and display options. Returns number of
+ * characters written or -1 if an error
+ * occurred.
+ */
+
+static int do_print_ex(char_io *io_ch, void *arg, unsigned long lflags, ASN1_STRING *str)
+{
+	int outlen, len;
+	int type;
+	char quotes;
+	unsigned char flags;
+	quotes = 0;
+	/* Keep a copy of escape flags */
+	flags = (unsigned char)(lflags & ESC_FLAGS);
+
+	type = str->type;
+
+	outlen = 0;
+
+
+	if(lflags & ASN1_STRFLGS_SHOW_TYPE) {
+		const char *tagname;
+		tagname = ASN1_tag2str(type);
+		outlen += strlen(tagname);
+		if(!io_ch(arg, tagname, outlen) || !io_ch(arg, ":", 1)) return -1; 
+		outlen++;
+	}
+
+	/* Decide what to do with type, either dump content or display it */
+
+	/* Dump everything */
+	if(lflags & ASN1_STRFLGS_DUMP_ALL) type = -1;
+	/* Ignore the string type */
+	else if(lflags & ASN1_STRFLGS_IGNORE_TYPE) type = 1;
+	else {
+		/* Else determine width based on type */
+		if((type > 0) && (type < 31)) type = tag2nbyte[type];
+		else type = -1;
+		if((type == -1) && !(lflags & ASN1_STRFLGS_DUMP_UNKNOWN)) type = 1;
+	}
+
+	if(type == -1) {
+		len = do_dump(lflags, io_ch, arg, str);
+		if(len < 0) return -1;
+		outlen += len;
+		return outlen;
+	}
+
+	if(lflags & ASN1_STRFLGS_UTF8_CONVERT) {
+		/* Note: if string is UTF8 and we want
+		 * to convert to UTF8 then we just interpret
+		 * it as 1 byte per character to avoid converting
+		 * twice.
+		 */
+		if(!type) type = 1;
+		else type |= BUF_TYPE_CONVUTF8;
+	}
+
+	len = do_buf(str->data, str->length, type, flags, &quotes, io_ch, NULL);
+	if(outlen < 0) return -1;
+	outlen += len;
+	if(quotes) outlen += 2;
+	if(!arg) return outlen;
+	if(quotes && !io_ch(arg, "\"", 1)) return -1;
+	do_buf(str->data, str->length, type, flags, NULL, io_ch, arg);
+	if(quotes && !io_ch(arg, "\"", 1)) return -1;
+	return outlen;
+}
+
+/* Used for line indenting: print 'indent' spaces */
+
+static int do_indent(char_io *io_ch, void *arg, int indent)
+{
+	int i;
+	for(i = 0; i < indent; i++)
+			if(!io_ch(arg, " ", 1)) return 0;
+	return 1;
+}
+
+
+static int do_name_ex(char_io *io_ch, void *arg, X509_NAME *n,
+				int indent, unsigned long flags)
+{
+	int i, prev = -1, orflags, cnt;
+	int fn_opt, fn_nid;
+	ASN1_OBJECT *fn;
+	ASN1_STRING *val;
+	X509_NAME_ENTRY *ent;
+	char objtmp[80];
+	const char *objbuf;
+	int outlen, len;
+	char *sep_dn, *sep_mv, *sep_eq;
+	int sep_dn_len, sep_mv_len, sep_eq_len;
+	if(indent < 0) indent = 0;
+	outlen = indent;
+	if(!do_indent(io_ch, arg, indent)) return -1;
+	switch (flags & XN_FLAG_SEP_MASK)
+	{
+		case XN_FLAG_SEP_MULTILINE:
+		sep_dn = "\n";
+		sep_dn_len = 1;
+		sep_mv = " + ";
+		sep_mv_len = 3;
+		break;
+
+		case XN_FLAG_SEP_COMMA_PLUS:
+		sep_dn = ",";
+		sep_dn_len = 1;
+		sep_mv = "+";
+		sep_mv_len = 1;
+		indent = 0;
+		break;
+
+		case XN_FLAG_SEP_CPLUS_SPC:
+		sep_dn = ", ";
+		sep_dn_len = 2;
+		sep_mv = " + ";
+		sep_mv_len = 3;
+		indent = 0;
+		break;
+
+		case XN_FLAG_SEP_SPLUS_SPC:
+		sep_dn = "; ";
+		sep_dn_len = 2;
+		sep_mv = " + ";
+		sep_mv_len = 3;
+		indent = 0;
+		break;
+
+		default:
+		return -1;
+	}
+
+	if(flags & XN_FLAG_SPC_EQ) {
+		sep_eq = " = ";
+		sep_eq_len = 3;
+	} else {
+		sep_eq = "=";
+		sep_eq_len = 1;
+	}
+
+	fn_opt = flags & XN_FLAG_FN_MASK;
+
+	cnt = X509_NAME_entry_count(n);	
+	for(i = 0; i < cnt; i++) {
+		if(flags & XN_FLAG_DN_REV)
+				ent = X509_NAME_get_entry(n, cnt - i - 1);
+		else ent = X509_NAME_get_entry(n, i);
+		if(prev != -1) {
+			if(prev == ent->set) {
+				if(!io_ch(arg, sep_mv, sep_mv_len)) return -1;
+				outlen += sep_mv_len;
+			} else {
+				if(!io_ch(arg, sep_dn, sep_dn_len)) return -1;
+				outlen += sep_dn_len;
+				if(!do_indent(io_ch, arg, indent)) return -1;
+				outlen += indent;
+			}
+		}
+		prev = ent->set;
+		fn = X509_NAME_ENTRY_get_object(ent);
+		val = X509_NAME_ENTRY_get_data(ent);
+		fn_nid = OBJ_obj2nid(fn);
+		if(fn_opt != XN_FLAG_FN_NONE) {
+			int objlen;
+			if((fn_opt == XN_FLAG_FN_OID) || (fn_nid==NID_undef) ) {
+				OBJ_obj2txt(objtmp, 80, fn, 1);
+				objbuf = objtmp;
+			} else {
+				if(fn_opt == XN_FLAG_FN_SN) 
+					objbuf = OBJ_nid2sn(fn_nid);
+				else if(fn_opt == XN_FLAG_FN_LN)
+					objbuf = OBJ_nid2ln(fn_nid);
+				else objbuf = "";
+			}
+			objlen = strlen(objbuf);
+			if(!io_ch(arg, objbuf, objlen)) return -1;
+			if(!io_ch(arg, sep_eq, sep_eq_len)) return -1;
+			outlen += objlen + sep_eq_len;
+		}
+		/* If the field name is unknown then fix up the DER dump
+		 * flag. We might want to limit this further so it will
+ 		 * DER dump on anything other than a few 'standard' fields.
+		 */
+		if((fn_nid == NID_undef) && (flags & XN_FLAG_DUMP_UNKNOWN_FIELDS)) 
+					orflags = ASN1_STRFLGS_DUMP_ALL;
+		else orflags = 0;
+     
+		len = do_print_ex(io_ch, arg, flags | orflags, val);
+		if(len < 0) return -1;
+		outlen += len;
+	}
+	return outlen;
+}
+
+/* Wrappers round the main functions */
+
+int X509_NAME_print_ex(BIO *out, X509_NAME *nm, int indent, unsigned long flags)
+{
+	return do_name_ex(send_bio_chars, out, nm, indent, flags);
+}
+
+
+int X509_NAME_print_ex_fp(FILE *fp, X509_NAME *nm, int indent, unsigned long flags)
+{
+	return do_name_ex(send_fp_chars, fp, nm, indent, flags);
+}
+
+int ASN1_STRING_print_ex(BIO *out, ASN1_STRING *str, unsigned long flags)
+{
+	return do_print_ex(send_bio_chars, out, flags, str);
+}
+
+
+int ASN1_STRING_print_ex_fp(FILE *fp, ASN1_STRING *str, unsigned long flags)
+{
+	return do_print_ex(send_fp_chars, fp, flags, str);
+}
+
+/* Utility function: convert any string type to UTF8, returns number of bytes
+ * in output string or a negative error code
+ */
+
+int ASN1_STRING_to_UTF8(unsigned char **out, ASN1_STRING *in)
+{
+	ASN1_STRING stmp, *str = &stmp;
+	int mbflag, type, ret;
+	if(!*out || !in) return -1;
+	type = in->type;
+	if((type < 0) || (type > 30)) return -1;
+	mbflag = tag2nbyte[type];
+	if(mbflag == -1) return -1;
+	mbflag |= MBSTRING_FLAG;
+	stmp.data = NULL;
+	ret = ASN1_mbstring_copy(&str, in->data, in->length, mbflag, B_ASN1_UTF8STRING);
+	if(ret < 0) return ret;
+	if(out) *out = stmp.data;
+	return stmp.length;
+}

crypto/asn1/a_strnid.c

@@ -65,8 +65,9 @@
 
 static STACK_OF(ASN1_STRING_TABLE) *stable = NULL;
 static void st_free(ASN1_STRING_TABLE *tbl);
-static int sk_table_cmp(ASN1_STRING_TABLE **a, ASN1_STRING_TABLE **b);
-static int table_cmp(ASN1_STRING_TABLE *a, ASN1_STRING_TABLE *b);
+static int sk_table_cmp(const ASN1_STRING_TABLE * const *a,
+			const ASN1_STRING_TABLE * const *b);
+static int table_cmp(const void *a, const void *b);
 
 
 /* This is the global mask for the mbstring functions: this is use to
@@ -132,7 +133,7 @@ ASN1_STRING *ASN1_STRING_set_by_NID(ASN1_STRING **out, const unsigned char *in,
 	if(tbl) {
 		mask = tbl->mask;
 		if(!(tbl->flags & STABLE_NO_MASK)) mask &= global_mask;
-		ret = ASN1_mbstring_ncopy(out, in, inlen, inform, tbl->mask,
+		ret = ASN1_mbstring_ncopy(out, in, inlen, inform, mask,
 					tbl->minsize, tbl->maxsize);
 	} else ret = ASN1_mbstring_copy(out, in, inlen, inform, DIRSTRING_TYPE & global_mask);
 	if(ret <= 0) return NULL;
@@ -173,14 +174,16 @@ static ASN1_STRING_TABLE tbl_standard[] = {
 {NID_dnQualifier,		-1, -1, B_ASN1_PRINTABLESTRING, STABLE_NO_MASK}
 };
 
-static int sk_table_cmp(ASN1_STRING_TABLE **a, ASN1_STRING_TABLE **b)
+static int sk_table_cmp(const ASN1_STRING_TABLE * const *a,
+			const ASN1_STRING_TABLE * const *b)
 {
 	return (*a)->nid - (*b)->nid;
 }
 
-static int table_cmp(ASN1_STRING_TABLE *a, ASN1_STRING_TABLE *b)
+static int table_cmp(const void *a, const void *b)
 {
-	return a->nid - b->nid;
+	const ASN1_STRING_TABLE *sa = a, *sb = b;
+	return sa->nid - sb->nid;
 }
 
 ASN1_STRING_TABLE *ASN1_STRING_TABLE_get(int nid)
@@ -192,7 +195,7 @@ ASN1_STRING_TABLE *ASN1_STRING_TABLE_get(int nid)
 	ttmp = (ASN1_STRING_TABLE *) OBJ_bsearch((char *)&fnd,
 					(char *)tbl_standard, 
 			sizeof(tbl_standard)/sizeof(ASN1_STRING_TABLE),
-			sizeof(ASN1_STRING_TABLE), (int(*)())table_cmp);
+			sizeof(ASN1_STRING_TABLE), table_cmp);
 	if(ttmp) return ttmp;
 	if(!stable) return NULL;
 	idx = sk_ASN1_STRING_TABLE_find(stable, &fnd);
@@ -213,7 +216,7 @@ int ASN1_STRING_TABLE_add(int nid,
 		return 0;
 	}
 	if(!(tmp = ASN1_STRING_TABLE_get(nid))) {
-		tmp = Malloc(sizeof(ASN1_STRING_TABLE));
+		tmp = OPENSSL_malloc(sizeof(ASN1_STRING_TABLE));
 		if(!tmp) {
 			ASN1err(ASN1_F_ASN1_STRING_TABLE_ADD,
 							ERR_R_MALLOC_FAILURE);
@@ -241,7 +244,7 @@ void ASN1_STRING_TABLE_cleanup(void)
 
 static void st_free(ASN1_STRING_TABLE *tbl)
 {
-	if(tbl->flags & STABLE_FLAGS_MALLOC) Free(tbl);
+	if(tbl->flags & STABLE_FLAGS_MALLOC) OPENSSL_free(tbl);
 }
 
 IMPLEMENT_STACK_OF(ASN1_STRING_TABLE)

crypto/asn1/a_time.c

@@ -113,11 +113,9 @@ ASN1_TIME *d2i_ASN1_TIME(ASN1_TIME **a, unsigned char **pp, long length)
 ASN1_TIME *ASN1_TIME_set(ASN1_TIME *s, time_t t)
 	{
 	struct tm *ts;
-#if defined(THREADS) && !defined(WIN32)
+#if defined(THREADS) && !defined(WIN32) && !defined(__CYGWIN32__)
 	struct tm data;
-#endif
 
-#if defined(THREADS) && !defined(WIN32)
 	gmtime_r(&t,&data);
 	ts=&data; /* should return &data, but doesn't on some systems, so we don't even look at the return value */
 #else

crypto/asn1/a_type.c

@@ -123,6 +123,8 @@ int i2d_ASN1_TYPE(ASN1_TYPE *a, unsigned char **pp)
 		break;
 	case V_ASN1_SET:
 	case V_ASN1_SEQUENCE:
+	case V_ASN1_OTHER:
+	default:
 		if (a->value.set == NULL)
 			r=0;
 		else
@@ -159,6 +161,8 @@ ASN1_TYPE *d2i_ASN1_TYPE(ASN1_TYPE **a, unsigned char **pp, long length)
 
 	inf=ASN1_get_object(&q,&len,&tag,&xclass,length);
 	if (inf & 0x80) goto err;
+	/* If not universal tag we've no idea what it is */
+	if(xclass != V_ASN1_UNIVERSAL) tag = V_ASN1_OTHER;
 	
 	ASN1_TYPE_component_free(ret);
 
@@ -245,6 +249,8 @@ ASN1_TYPE *d2i_ASN1_TYPE(ASN1_TYPE **a, unsigned char **pp, long length)
 		break;
 	case V_ASN1_SET:
 	case V_ASN1_SEQUENCE:
+	case V_ASN1_OTHER:
+	default:
 		/* Sets and sequences are left complete */
 		if ((ret->value.set=ASN1_STRING_new()) == NULL) goto err;
 		ret->value.set->type=tag;
@@ -252,9 +258,6 @@ ASN1_TYPE *d2i_ASN1_TYPE(ASN1_TYPE **a, unsigned char **pp, long length)
 		if (!ASN1_STRING_set(ret->value.set,p,(int)len)) goto err;
 		p+=len;
 		break;
-	default:
-		ASN1err(ASN1_F_D2I_ASN1_TYPE,ASN1_R_BAD_TYPE);
-		goto err;
 		}
 
 	ret->type=tag;
@@ -282,7 +285,7 @@ void ASN1_TYPE_free(ASN1_TYPE *a)
 	{
 	if (a == NULL) return;
 	ASN1_TYPE_component_free(a);
-	Free(a);
+	OPENSSL_free(a);
 	}
 
 int ASN1_TYPE_get(ASN1_TYPE *a)
@@ -312,6 +315,8 @@ static void ASN1_TYPE_component_free(ASN1_TYPE *a)
 		case V_ASN1_OBJECT:
 			ASN1_OBJECT_free(a->value.object);
 			break;
+		case V_ASN1_NULL:
+			break;
 		case V_ASN1_INTEGER:
 		case V_ASN1_NEG_INTEGER:
 		case V_ASN1_ENUMERATED:
@@ -333,10 +338,9 @@ static void ASN1_TYPE_component_free(ASN1_TYPE *a)
 		case V_ASN1_UNIVERSALSTRING:
 		case V_ASN1_BMPSTRING:
 		case V_ASN1_UTF8STRING:
-			ASN1_STRING_free((ASN1_STRING *)a->value.ptr);
-			break;
+		case V_ASN1_OTHER:
 		default:
-			/* MEMORY LEAK */
+			ASN1_STRING_free((ASN1_STRING *)a->value.ptr);
 			break;
 			}
 		a->type=0;

crypto/asn1/a_utctm.c

@@ -193,7 +193,8 @@ ASN1_UTCTIME *ASN1_UTCTIME_set(ASN1_UTCTIME *s, time_t t)
 	{
 	char *p;
 	struct tm *ts;
-#if defined(THREADS) && !defined(WIN32)
+#if defined(THREADS) && !defined(WIN32) && !defined(__CYGWIN32__)
+
 	struct tm data;
 #endif
 
@@ -202,7 +203,7 @@ ASN1_UTCTIME *ASN1_UTCTIME_set(ASN1_UTCTIME *s, time_t t)
 	if (s == NULL)
 		return(NULL);
 
-#if defined(THREADS) && !defined(WIN32)
+#if defined(THREADS) && !defined(WIN32) && !defined(__CYGWIN32__)
 	gmtime_r(&t,&data); /* should return &data, but doesn't on some systems, so we don't even look at the return value */
 	ts=&data;
 #else
@@ -248,10 +249,10 @@ ASN1_UTCTIME *ASN1_UTCTIME_set(ASN1_UTCTIME *s, time_t t)
 	p=(char *)s->data;
 	if ((p == NULL) || (s->length < 14))
 		{
-		p=Malloc(20);
+		p=OPENSSL_malloc(20);
 		if (p == NULL) return(NULL);
 		if (s->data != NULL)
-			Free(s->data);
+			OPENSSL_free(s->data);
 		s->data=(unsigned char *)p;
 		}
 
@@ -264,3 +265,84 @@ ASN1_UTCTIME *ASN1_UTCTIME_set(ASN1_UTCTIME *s, time_t t)
 #endif
 	return(s);
 	}
+
+
+int ASN1_UTCTIME_cmp_time_t(const ASN1_UTCTIME *s, time_t t)
+	{
+	struct tm *tm;
+	int offset;
+	int year;
+
+#define g2(p) (((p)[0]-'0')*10+(p)[1]-'0')
+
+	if (s->data[12] == 'Z')
+		offset=0;
+	else
+		{
+		offset = g2(s->data+13)*60+g2(s->data+15);
+		if (s->data[12] == '-')
+			offset = -offset;
+		}
+
+	t -= offset*60; /* FIXME: may overflow in extreme cases */
+
+#if defined(THREADS) && !defined(WIN32) && !defined(__CYGWIN32__)
+	{ struct tm data; gmtime_r(&t, &data); tm = &data; }
+#else
+	tm = gmtime(&t);
+#endif
+	
+#define return_cmp(a,b) if ((a)<(b)) return -1; else if ((a)>(b)) return 1
+	year = g2(s->data);
+	if (year < 50)
+		year += 100;
+	return_cmp(year,              tm->tm_year);
+	return_cmp(g2(s->data+2) - 1, tm->tm_mon);
+	return_cmp(g2(s->data+4),     tm->tm_mday);
+	return_cmp(g2(s->data+6),     tm->tm_hour);
+	return_cmp(g2(s->data+8),     tm->tm_min);
+	return_cmp(g2(s->data+10),    tm->tm_sec);
+#undef g2
+#undef return_cmp
+
+	return 0;
+	}
+
+
+#if 0
+time_t ASN1_UTCTIME_get(const ASN1_UTCTIME *s)
+	{
+	struct tm tm;
+	int offset;
+
+	memset(&tm,'\0',sizeof tm);
+
+#define g2(p) (((p)[0]-'0')*10+(p)[1]-'0')
+	tm.tm_year=g2(s->data);
+	if(tm.tm_year < 50)
+		tm.tm_year+=100;
+	tm.tm_mon=g2(s->data+2)-1;
+	tm.tm_mday=g2(s->data+4);
+	tm.tm_hour=g2(s->data+6);
+	tm.tm_min=g2(s->data+8);
+	tm.tm_sec=g2(s->data+10);
+	if(s->data[12] == 'Z')
+		offset=0;
+	else
+		{
+		offset=g2(s->data+13)*60+g2(s->data+15);
+		if(s->data[12] == '-')
+			offset= -offset;
+		}
+#undef g2
+
+	return mktime(&tm)-offset*60; /* FIXME: mktime assumes the current timezone
+	                               * instead of UTC, and unless we rewrite OpenSSL
+				       * in Lisp we cannot locally change the timezone
+				       * without possibly interfering with other parts
+	                               * of the program. timegm, which uses UTC, is
+				       * non-standard.
+	                               * Also time_t is inappropriate for general
+	                               * UTC times because it may a 32 bit type. */
+	}
+#endif

crypto/asn1/a_utf8.c

@@ -133,7 +133,7 @@ int UTF8_getc(const unsigned char *str, int len, unsigned long *val)
 		if( ((p[1] & 0xc0) != 0x80)
 		   || ((p[2] & 0xc0) != 0x80) 
 		   || ((p[3] & 0xc0) != 0x80) ) return -3;
-		value = (*p++ & 0x7) << 18;
+		value = ((unsigned long)(*p++ & 0x7)) << 18;
 		value |= (*p++ & 0x3f) << 12;
 		value |= (*p++ & 0x3f) << 6;
 		value |= *p++ & 0x3f;
@@ -145,9 +145,9 @@ int UTF8_getc(const unsigned char *str, int len, unsigned long *val)
 		   || ((p[2] & 0xc0) != 0x80) 
 		   || ((p[3] & 0xc0) != 0x80) 
 		   || ((p[4] & 0xc0) != 0x80) ) return -3;
-		value = (*p++ & 0x3) << 24;
-		value |= (*p++ & 0x3f) << 18;
-		value |= (*p++ & 0x3f) << 12;
+		value = ((unsigned long)(*p++ & 0x3)) << 24;
+		value |= ((unsigned long)(*p++ & 0x3f)) << 18;
+		value |= ((unsigned long)(*p++ & 0x3f)) << 12;
 		value |= (*p++ & 0x3f) << 6;
 		value |= *p++ & 0x3f;
 		if(value < 0x200000) return -4;
@@ -159,10 +159,10 @@ int UTF8_getc(const unsigned char *str, int len, unsigned long *val)
 		   || ((p[3] & 0xc0) != 0x80) 
 		   || ((p[4] & 0xc0) != 0x80) 
 		   || ((p[5] & 0xc0) != 0x80) ) return -3;
-		value = (*p++ & 0x1) << 30;
-		value |= (*p++ & 0x3f) << 24;
-		value |= (*p++ & 0x3f) << 18;
-		value |= (*p++ & 0x3f) << 12;
+		value = ((unsigned long)(*p++ & 0x1)) << 30;
+		value |= ((unsigned long)(*p++ & 0x3f)) << 24;
+		value |= ((unsigned long)(*p++ & 0x3f)) << 18;
+		value |= ((unsigned long)(*p++ & 0x3f)) << 12;
 		value |= (*p++ & 0x3f) << 6;
 		value |= *p++ & 0x3f;
 		if(value < 0x4000000) return -4;

crypto/asn1/a_verify.c

@@ -88,7 +88,7 @@ int ASN1_verify(int (*i2d)(), X509_ALGOR *a, ASN1_BIT_STRING *signature,
 		}
 	
 	inl=i2d(data,NULL);
-	buf_in=Malloc((unsigned int)inl);
+	buf_in=OPENSSL_malloc((unsigned int)inl);
 	if (buf_in == NULL)
 		{
 		ASN1err(ASN1_F_ASN1_VERIFY,ERR_R_MALLOC_FAILURE);
@@ -101,7 +101,7 @@ int ASN1_verify(int (*i2d)(), X509_ALGOR *a, ASN1_BIT_STRING *signature,
 	EVP_VerifyUpdate(&ctx,(unsigned char *)buf_in,inl);
 
 	memset(buf_in,0,(unsigned int)inl);
-	Free(buf_in);
+	OPENSSL_free(buf_in);
 
 	if (EVP_VerifyFinal(&ctx,(unsigned char *)signature->data,
 			(unsigned int)signature->length,pkey) <= 0)

crypto/asn1/asn1.h

@@ -59,17 +59,18 @@
 #ifndef HEADER_ASN1_H
 #define HEADER_ASN1_H
 
-#ifdef  __cplusplus
-extern "C" {
-#endif
-
 #include <time.h>
+#ifndef NO_BIO
+#include <openssl/bio.h>
+#endif
 #include <openssl/bn.h>
 #include <openssl/stack.h>
 #include <openssl/safestack.h>
 
-#ifdef VMS
-#include <openssl/vms_idhacks.h>
+#include <openssl/symhacks.h>
+
+#ifdef  __cplusplus
+extern "C" {
 #endif
 
 #define V_ASN1_UNIVERSAL		0x00
@@ -82,12 +83,15 @@ extern "C" {
 #define V_ASN1_PRIMATIVE_TAG		0x1f
 
 #define V_ASN1_APP_CHOOSE		-2	/* let the recipient choose */
+#define V_ASN1_OTHER			-3	/* used in ASN1_TYPE */
+
+#define V_ASN1_NEG			0x100	/* negative flag */
 
 #define V_ASN1_UNDEF			-1
 #define V_ASN1_EOC			0
 #define V_ASN1_BOOLEAN			1	/**/
 #define V_ASN1_INTEGER			2
-#define V_ASN1_NEG_INTEGER		(2+0x100)
+#define V_ASN1_NEG_INTEGER		(2 | V_ASN1_NEG)
 #define V_ASN1_BIT_STRING		3
 #define V_ASN1_OCTET_STRING		4
 #define V_ASN1_NULL			5
@@ -96,7 +100,7 @@ extern "C" {
 #define V_ASN1_EXTERNAL			8
 #define V_ASN1_REAL			9
 #define V_ASN1_ENUMERATED		10
-#define V_ASN1_NEG_ENUMERATED		(10+0x100)
+#define V_ASN1_NEG_ENUMERATED		(10 | V_ASN1_NEG)
 #define V_ASN1_UTF8STRING		12
 #define V_ASN1_SEQUENCE			16
 #define V_ASN1_SET			17
@@ -140,32 +144,10 @@ extern "C" {
 #define MBSTRING_UNIV		(MBSTRING_FLAG|3)
 #define MBSTRING_UTF8		(MBSTRING_FLAG|4)
 
-#define DECLARE_ASN1_SET_OF(type) \
-int i2d_ASN1_SET_OF_##type(STACK_OF(type) *a,unsigned char **pp, \
-			   int (*func)(type *,unsigned char **), int ex_tag, \
-			   int ex_class, int is_set); \
-STACK_OF(type) *d2i_ASN1_SET_OF_##type(STACK_OF(type) **a,unsigned char **pp, \
-				       long length, \
-				       type *(*func)(type **, \
-						     unsigned char **,long), \
-				       void (*free_func)(type *), \
-				       int ex_tag,int ex_class);
+struct X509_algor_st;
 
-#define IMPLEMENT_ASN1_SET_OF(type) \
-int i2d_ASN1_SET_OF_##type(STACK_OF(type) *a,unsigned char **pp, \
-			   int (*func)(type *,unsigned char **), int ex_tag, \
-			   int ex_class, int is_set) \
-    { return i2d_ASN1_SET((STACK *)a,pp,func,ex_tag,ex_class,is_set); } \
-STACK_OF(type) *d2i_ASN1_SET_OF_##type(STACK_OF(type) **a,unsigned char **pp, \
-				       long length, \
-				       type *(*func)(type **, \
-						     unsigned char **,long), \
-				       void (*free_func)(type *), \
-				       int ex_tag,int ex_class) \
-    { return (STACK_OF(type) *)d2i_ASN1_SET((STACK **)a,pp,length, \
-					    (char *(*)())func, \
-					    (void (*)())free_func, \
-					    ex_tag,ex_class); }
+#define DECLARE_ASN1_SET_OF(type) /* filled in by mkstack.pl */
+#define IMPLEMENT_ASN1_SET_OF(type) /* nothing, no longer needed */
 
 typedef struct asn1_ctx_st
 	{
@@ -254,6 +236,7 @@ DECLARE_STACK_OF(ASN1_STRING_TABLE)
 #define ASN1_BMPSTRING		ASN1_STRING
 #define ASN1_VISIBLESTRING	ASN1_STRING
 #define ASN1_UTF8STRING		ASN1_STRING
+#define ASN1_BOOLEAN		int
 #else
 typedef struct asn1_string_st ASN1_INTEGER;
 typedef struct asn1_string_st ASN1_ENUMERATED;
@@ -270,15 +253,99 @@ typedef struct asn1_string_st ASN1_TIME;
 typedef struct asn1_string_st ASN1_GENERALIZEDTIME;
 typedef struct asn1_string_st ASN1_VISIBLESTRING;
 typedef struct asn1_string_st ASN1_UTF8STRING;
+typedef int ASN1_BOOLEAN;
 #endif
 
 typedef int ASN1_NULL;
 
+/* Parameters used by ASN1_STRING_print_ex() */
+
+/* These determine which characters to escape:
+ * RFC2253 special characters, control characters and
+ * MSB set characters
+ */
+
+#define ASN1_STRFLGS_ESC_2253		1
+#define ASN1_STRFLGS_ESC_CTRL		2
+#define ASN1_STRFLGS_ESC_MSB		4
+
+
+/* This flag determines how we do escaping: normally
+ * RC2253 backslash only, set this to use backslash and
+ * quote.
+ */
+
+#define ASN1_STRFLGS_ESC_QUOTE		8
+
+
+/* These three flags are internal use only. */
+
+/* Character is a valid PrintableString character */
+#define CHARTYPE_PRINTABLESTRING	0x10
+/* Character needs escaping if it is the first character */
+#define CHARTYPE_FIRST_ESC_2253		0x20
+/* Character needs escaping if it is the last character */
+#define CHARTYPE_LAST_ESC_2253		0x40
+
+/* NB the internal flags are safely reused below by flags
+ * handled at the top level.
+ */
+
+/* If this is set we convert all character strings
+ * to UTF8 first 
+ */
+
+#define ASN1_STRFLGS_UTF8_CONVERT	0x10
+
+/* If this is set we don't attempt to interpret content:
+ * just assume all strings are 1 byte per character. This
+ * will produce some pretty odd looking output!
+ */
+
+#define ASN1_STRFLGS_IGNORE_TYPE	0x20
+
+/* If this is set we include the string type in the output */
+#define ASN1_STRFLGS_SHOW_TYPE		0x40
+
+/* This determines which strings to display and which to
+ * 'dump' (hex dump of content octets or DER encoding). We can
+ * only dump non character strings or everything. If we
+ * don't dump 'unknown' they are interpreted as character
+ * strings with 1 octet per character and are subject to
+ * the usual escaping options.
+ */
+
+#define ASN1_STRFLGS_DUMP_ALL		0x80
+#define ASN1_STRFLGS_DUMP_UNKNOWN	0x100
+
+/* These determine what 'dumping' does, we can dump the
+ * content octets or the DER encoding: both use the
+ * RFC2253 #XXXXX notation.
+ */
+
+#define ASN1_STRFLGS_DUMP_DER		0x200
+
+/* All the string flags consistent with RFC2253,
+ * escaping control characters isn't essential in
+ * RFC2253 but it is advisable anyway.
+ */
+
+#define ASN1_STRFLGS_RFC2253	(ASN1_STRFLGS_ESC_2253 | \
+				ASN1_STRFLGS_ESC_CTRL | \
+				ASN1_STRFLGS_ESC_MSB | \
+				ASN1_STRFLGS_UTF8_CONVERT | \
+				ASN1_STRFLGS_DUMP_UNKNOWN | \
+				ASN1_STRFLGS_DUMP_DER)
+
+DECLARE_STACK_OF(ASN1_INTEGER)
+DECLARE_ASN1_SET_OF(ASN1_INTEGER)
+
 typedef struct asn1_type_st
 	{
 	int type;
 	union	{
 		char *ptr;
+		ASN1_BOOLEAN		boolean;
 		ASN1_STRING *		asn1_string;
 		ASN1_OBJECT *		object;
 		ASN1_INTEGER *		integer;
@@ -520,6 +587,8 @@ void ASN1_TYPE_set(ASN1_TYPE *a, int type, void *value);
 ASN1_OBJECT *	ASN1_OBJECT_new(void );
 void		ASN1_OBJECT_free(ASN1_OBJECT *a);
 int		i2d_ASN1_OBJECT(ASN1_OBJECT *a,unsigned char **pp);
+ASN1_OBJECT *	c2i_ASN1_OBJECT(ASN1_OBJECT **a,unsigned char **pp,
+			long length);
 ASN1_OBJECT *	d2i_ASN1_OBJECT(ASN1_OBJECT **a,unsigned char **pp,
 			long length);
 
@@ -542,14 +611,17 @@ unsigned char * ASN1_STRING_data(ASN1_STRING *x);
 ASN1_BIT_STRING *	ASN1_BIT_STRING_new(void);
 void		ASN1_BIT_STRING_free(ASN1_BIT_STRING *a);
 int		i2d_ASN1_BIT_STRING(ASN1_BIT_STRING *a,unsigned char **pp);
+int		i2c_ASN1_BIT_STRING(ASN1_BIT_STRING *a,unsigned char **pp);
 ASN1_BIT_STRING *d2i_ASN1_BIT_STRING(ASN1_BIT_STRING **a,unsigned char **pp,
 			long length);
+ASN1_BIT_STRING *c2i_ASN1_BIT_STRING(ASN1_BIT_STRING **a,unsigned char **pp,
+			long length);
 int		ASN1_BIT_STRING_set(ASN1_BIT_STRING *a, unsigned char *d,
 			int length );
 int		ASN1_BIT_STRING_set_bit(ASN1_BIT_STRING *a, int n, int value);
 int		ASN1_BIT_STRING_get_bit(ASN1_BIT_STRING *a, int n);
 
-#ifdef HEADER_BIO_H
+#ifndef NO_BIO
 int ASN1_BIT_STRING_name_print(BIO *out, ASN1_BIT_STRING *bs,
 				BIT_STRING_BITNAME *tbl, int indent);
 #endif
@@ -563,8 +635,11 @@ int 		d2i_ASN1_BOOLEAN(int *a,unsigned char **pp,long length);
 ASN1_INTEGER *	ASN1_INTEGER_new(void);
 void		ASN1_INTEGER_free(ASN1_INTEGER *a);
 int		i2d_ASN1_INTEGER(ASN1_INTEGER *a,unsigned char **pp);
+int		i2c_ASN1_INTEGER(ASN1_INTEGER *a,unsigned char **pp);
 ASN1_INTEGER *d2i_ASN1_INTEGER(ASN1_INTEGER **a,unsigned char **pp,
 			long length);
+ASN1_INTEGER *c2i_ASN1_INTEGER(ASN1_INTEGER **a,unsigned char **pp,
+			long length);
 ASN1_INTEGER *d2i_ASN1_UINTEGER(ASN1_INTEGER **a,unsigned char **pp,
 			long length);
 ASN1_INTEGER *	ASN1_INTEGER_dup(ASN1_INTEGER *x);
@@ -579,6 +654,10 @@ ASN1_ENUMERATED *d2i_ASN1_ENUMERATED(ASN1_ENUMERATED **a,unsigned char **pp,
 int ASN1_UTCTIME_check(ASN1_UTCTIME *a);
 ASN1_UTCTIME *ASN1_UTCTIME_set(ASN1_UTCTIME *s,time_t t);
 int ASN1_UTCTIME_set_string(ASN1_UTCTIME *s, char *str); 
+int ASN1_UTCTIME_cmp_time_t(const ASN1_UTCTIME *s, time_t t);
+#if 0
+time_t ASN1_UTCTIME_get(const ASN1_UTCTIME *s);
+#endif
 
 int ASN1_GENERALIZEDTIME_check(ASN1_GENERALIZEDTIME *a);
 ASN1_GENERALIZEDTIME *ASN1_GENERALIZEDTIME_set(ASN1_GENERALIZEDTIME *s,time_t t);
@@ -673,10 +752,10 @@ ASN1_TIME *ASN1_TIME_set(ASN1_TIME *s,time_t t);
 int		i2d_ASN1_SET(STACK *a, unsigned char **pp,
 			int (*func)(), int ex_tag, int ex_class, int is_set);
 STACK *		d2i_ASN1_SET(STACK **a, unsigned char **pp, long length,
-			char *(*func)(), void (*free_func)(),
+			char *(*func)(), void (*free_func)(void *),
 			int ex_tag, int ex_class);
 
-#ifdef HEADER_BIO_H
+#ifndef NO_BIO
 int i2a_ASN1_INTEGER(BIO *bp, ASN1_INTEGER *a);
 int a2i_ASN1_INTEGER(BIO *bp,ASN1_INTEGER *bs,char *buf,int size);
 int i2a_ASN1_ENUMERATED(BIO *bp, ASN1_ENUMERATED *a);
@@ -729,16 +808,21 @@ char *ASN1_dup(int (*i2d)(),char *(*d2i)(),char *x);
 #ifndef NO_FP_API
 char *ASN1_d2i_fp(char *(*xnew)(),char *(*d2i)(),FILE *fp,unsigned char **x);
 int ASN1_i2d_fp(int (*i2d)(),FILE *out,unsigned char *x);
+int ASN1_STRING_print_ex_fp(FILE *fp, ASN1_STRING *str, unsigned long flags);
 #endif
 
-#ifdef HEADER_BIO_H
+int ASN1_STRING_to_UTF8(unsigned char **out, ASN1_STRING *in);
+
+#ifndef NO_BIO
 char *ASN1_d2i_bio(char *(*xnew)(),char *(*d2i)(),BIO *bp,unsigned char **x);
 int ASN1_i2d_bio(int (*i2d)(),BIO *out,unsigned char *x);
 int ASN1_UTCTIME_print(BIO *fp,ASN1_UTCTIME *a);
 int ASN1_GENERALIZEDTIME_print(BIO *fp,ASN1_GENERALIZEDTIME *a);
 int ASN1_TIME_print(BIO *fp,ASN1_TIME *a);
 int ASN1_STRING_print(BIO *bp,ASN1_STRING *v);
+int ASN1_STRING_print_ex(BIO *out, ASN1_STRING *str, unsigned long flags);
 int ASN1_parse(BIO *bp,unsigned char *pp,long len,int indent);
+int ASN1_parse_dump(BIO *bp,unsigned char *pp,long len,int indent,int dump);
 #endif
 const char *ASN1_tag2str(int tag);
 
@@ -768,7 +852,7 @@ int ASN1_TYPE_get_int_octetstring(ASN1_TYPE *a,long *num,
 	unsigned char *data, int max_len);
 
 STACK *ASN1_seq_unpack(unsigned char *buf, int len, char *(*d2i)(),
-						 void (*free_func)() ); 
+						 void (*free_func)(void *) ); 
 unsigned char *ASN1_seq_pack(STACK *safes, int (*i2d)(), unsigned char **buf,
 			     int *len );
 void *ASN1_unpack_string(ASN1_STRING *oct, char *(*d2i)());

crypto/asn1/asn1_lib.c

@@ -181,7 +181,7 @@ void ASN1_put_object(unsigned char **pp, int constructed, int length, int tag,
 	     int xclass)
 	{
 	unsigned char *p= *pp;
-	int i;
+	int i, ttag;
 
 	i=(constructed)?V_ASN1_CONSTRUCTED:0;
 	i|=(xclass&V_ASN1_PRIVATE);
@@ -190,12 +190,15 @@ void ASN1_put_object(unsigned char **pp, int constructed, int length, int tag,
 	else
 		{
 		*(p++)=i|V_ASN1_PRIMITIVE_TAG;
-		while (tag > 0x7f)
+		for(i = 0, ttag = tag; ttag > 0; i++) ttag >>=7;
+		ttag = i;
+		while(i-- > 0)
 			{
-			*(p++)=(tag&0x7f)|0x80;
-			tag>>=7;
+			p[i] = tag & 0x7f;
+			if(i != (ttag - 1)) p[i] |= 0x80;
+			tag >>= 7;
 			}
-		*(p++)=(tag&0x7f);
+		p += ttag;
 		}
 	if ((constructed == 2) && (length == 0))
 		*(p++)=0x80; /* der_put_length would output 0 instead */
@@ -335,9 +338,9 @@ int ASN1_STRING_set(ASN1_STRING *str, const void *_data, int len)
 		{
 		c=str->data;
 		if (c == NULL)
-			str->data=Malloc(len+1);
+			str->data=OPENSSL_malloc(len+1);
 		else
-			str->data=Realloc(c,len+1);
+			str->data=OPENSSL_realloc(c,len+1);
 
 		if (str->data == NULL)
 			{
@@ -365,7 +368,7 @@ ASN1_STRING *ASN1_STRING_type_new(int type)
 	{
 	ASN1_STRING *ret;
 
-	ret=(ASN1_STRING *)Malloc(sizeof(ASN1_STRING));
+	ret=(ASN1_STRING *)OPENSSL_malloc(sizeof(ASN1_STRING));
 	if (ret == NULL)
 		{
 		ASN1err(ASN1_F_ASN1_STRING_TYPE_NEW,ERR_R_MALLOC_FAILURE);
@@ -381,8 +384,8 @@ ASN1_STRING *ASN1_STRING_type_new(int type)
 void ASN1_STRING_free(ASN1_STRING *a)
 	{
 	if (a == NULL) return;
-	if (a->data != NULL) Free(a->data);
-	Free(a);
+	if (a->data != NULL) OPENSSL_free(a->data);
+	OPENSSL_free(a);
 	}
 
 int ASN1_STRING_cmp(ASN1_STRING *a, ASN1_STRING *b)

crypto/asn1/asn1_mac.h

@@ -59,12 +59,12 @@
 #ifndef HEADER_ASN1_MAC_H
 #define HEADER_ASN1_MAC_H
 
+#include <openssl/asn1.h>
+
 #ifdef  __cplusplus
 extern "C" {
 #endif
 
-#include <openssl/asn1.h>
-
 #ifndef ASN1_MAC_ERR_LIB
 #define ASN1_MAC_ERR_LIB	ERR_LIB_ASN1
 #endif 
@@ -196,6 +196,9 @@ err:\
 	if ((a != NULL) && (sk_##type##_num(a) != 0)) \
 		M_ASN1_I2D_put_SEQUENCE_type(type,a,f);
 
+#define M_ASN1_I2D_put_SEQUENCE_opt_ex_type(type,a,f) \
+	if (a) M_ASN1_I2D_put_SEQUENCE_type(type,a,f);
+
 #define M_ASN1_D2I_get_IMP_set_opt(b,func,free_func,tag) \
 	if ((c.slen != 0) && \
 		(M_ASN1_next == \
@@ -340,7 +343,7 @@ err:\
 
 /* New macros */
 #define M_ASN1_New_Malloc(ret,type) \
-	if ((ret=(type *)Malloc(sizeof(type))) == NULL) \
+	if ((ret=(type *)OPENSSL_malloc(sizeof(type))) == NULL) \
 		{ c.line=__LINE__; goto err2; }
 
 #define M_ASN1_New(arg,func) \
@@ -389,6 +392,9 @@ err:\
 		if ((a != NULL) && (sk_##type##_num(a) != 0)) \
 			M_ASN1_I2D_len_SEQUENCE_type(type,a,f);
 
+#define M_ASN1_I2D_len_SEQUENCE_opt_ex_type(type,a,f) \
+		if (a) M_ASN1_I2D_len_SEQUENCE_type(type,a,f);
+
 #define M_ASN1_I2D_len_IMP_SET(a,f,x) \
 		ret+=i2d_ASN1_SET(a,NULL,f,x,V_ASN1_CONTEXT_SPECIFIC,IS_SET);
 
@@ -452,6 +458,15 @@ err:\
 			ret+=ASN1_object_size(1,v,mtag); \
 			}
 
+#define M_ASN1_I2D_len_EXP_SEQUENCE_opt_ex_type(type,a,f,mtag,tag,v) \
+		if (a)\
+			{ \
+			v=i2d_ASN1_SET_OF_##type(a,NULL,f,tag, \
+						 V_ASN1_UNIVERSAL, \
+						 IS_SEQUENCE); \
+			ret+=ASN1_object_size(1,v,mtag); \
+			}
+
 /* Put Macros */
 #define M_ASN1_I2D_put(a,f)	f(a,&p)
 
@@ -536,6 +551,14 @@ err:\
 					       IS_SEQUENCE); \
 			}
 
+#define M_ASN1_I2D_put_EXP_SEQUENCE_opt_ex_type(type,a,f,mtag,tag,v) \
+		if (a) \
+			{ \
+			ASN1_put_object(&p,1,v,mtag,V_ASN1_CONTEXT_SPECIFIC); \
+			i2d_ASN1_SET_OF_##type(a,&p,f,tag,V_ASN1_UNIVERSAL, \
+					       IS_SEQUENCE); \
+			}
+
 #define M_ASN1_I2D_seq_total() \
 		r=ASN1_object_size(1,ret,V_ASN1_SEQUENCE); \
 		if (pp == NULL) return(r); \

crypto/asn1/asn1_par.c

@@ -65,7 +65,7 @@
 static int asn1_print_info(BIO *bp, int tag, int xclass,int constructed,
 	int indent);
 static int asn1_parse2(BIO *bp, unsigned char **pp, long length,
-	int offset, int depth, int indent);
+	int offset, int depth, int indent, int dump);
 static int asn1_print_info(BIO *bp, int tag, int xclass, int constructed,
 	     int indent)
 	{
@@ -110,11 +110,16 @@ err:
 
 int ASN1_parse(BIO *bp, unsigned char *pp, long len, int indent)
 	{
-	return(asn1_parse2(bp,&pp,len,0,0,indent));
+	return(asn1_parse2(bp,&pp,len,0,0,indent,0));
+	}
+
+int ASN1_parse_dump(BIO *bp, unsigned char *pp, long len, int indent, int dump)
+	{
+	return(asn1_parse2(bp,&pp,len,0,0,indent,dump));
 	}
 
 static int asn1_parse2(BIO *bp, unsigned char **pp, long length, int offset,
-	     int depth, int indent)
+	     int depth, int indent, int dump)
 	{
 	unsigned char *p,*ep,*tot,*op,*opp;
 	long len;
@@ -123,7 +128,13 @@ static int asn1_parse2(BIO *bp, unsigned char **pp, long length, int offset,
 	ASN1_OBJECT *o=NULL;
 	ASN1_OCTET_STRING *os=NULL;
 	/* ASN1_BMPSTRING *bmp=NULL;*/
+	int dump_indent;
 
+#if 0
+	dump_indent = indent;
+#else
+	dump_indent = 6;	/* Because we know BIO_dump_indent() */
+#endif
 	p= *pp;
 	tot=p+length;
 	op=p-1;
@@ -178,7 +189,7 @@ static int asn1_parse2(BIO *bp, unsigned char **pp, long length, int offset,
 					{
 					r=asn1_parse2(bp,&p,(long)(tot-p),
 						offset+(p - *pp),depth+1,
-						indent);
+						indent,dump);
 					if (r == 0) { ret=0; goto end; }
 					if ((r == 2) || (p >= tot)) break;
 					}
@@ -188,7 +199,7 @@ static int asn1_parse2(BIO *bp, unsigned char **pp, long length, int offset,
 					{
 					r=asn1_parse2(bp,&p,(long)len,
 						offset+(p - *pp),depth+1,
-						indent);
+						indent,dump);
 					if (r == 0) { ret=0; goto end; }
 					}
 			}
@@ -273,6 +284,20 @@ static int asn1_parse2(BIO *bp, unsigned char **pp, long length, int offset,
 							os->length) <= 0)
 							goto end;
 						}
+					if (!printable && (os->length > 0)
+						&& dump)
+						{
+						if (!nl) 
+							{
+							if (BIO_write(bp,"\n",1) <= 0)
+								goto end;
+							}
+						if (BIO_dump_indent(bp,(char *)opp,
+							((dump == -1 || dump > os->length)?os->length:dump),
+							dump_indent) <= 0)
+							goto end;
+						nl=1;
+						}
 					M_ASN1_OCTET_STRING_free(os);
 					os=NULL;
 					}
@@ -341,6 +366,19 @@ static int asn1_parse2(BIO *bp, unsigned char **pp, long length, int offset,
 					}
 				M_ASN1_ENUMERATED_free(bs);
 				}
+			else if (len > 0 && dump)
+				{
+				if (!nl) 
+					{
+					if (BIO_write(bp,"\n",1) <= 0)
+						goto end;
+					}
+				if (BIO_dump_indent(bp,(char *)p,
+					((dump == -1 || dump > len)?len:dump),
+					dump_indent) <= 0)
+					goto end;
+				nl=1;
+				}
 
 			if (!nl) 
 				{

crypto/asn1/asn_pack.c

@@ -65,7 +65,7 @@
 /* Turn an ASN1 encoded SEQUENCE OF into a STACK of structures */
 
 STACK *ASN1_seq_unpack(unsigned char *buf, int len, char *(*d2i)(),
-	     void (*free_func)())
+	     void (*free_func)(void *))
 {
     STACK *sk;
     unsigned char *pbuf;
@@ -77,7 +77,7 @@ STACK *ASN1_seq_unpack(unsigned char *buf, int len, char *(*d2i)(),
 }
 
 /* Turn a STACK structures into an ASN1 encoded SEQUENCE OF structure in a
- * Malloc'ed buffer
+ * OPENSSL_malloc'ed buffer
  */
 
 unsigned char *ASN1_seq_pack(STACK *safes, int (*i2d)(), unsigned char **buf,
@@ -90,7 +90,7 @@ unsigned char *ASN1_seq_pack(STACK *safes, int (*i2d)(), unsigned char **buf,
 		ASN1err(ASN1_F_ASN1_SEQ_PACK,ASN1_R_ENCODE_ERROR);
 		return NULL;
 	}
-	if (!(safe = Malloc (safelen))) {
+	if (!(safe = OPENSSL_malloc (safelen))) {
 		ASN1err(ASN1_F_ASN1_SEQ_PACK,ERR_R_MALLOC_FAILURE);
 		return NULL;
 	}
@@ -134,7 +134,7 @@ ASN1_STRING *ASN1_pack_string (void *obj, int (*i2d)(), ASN1_STRING **oct)
 		ASN1err(ASN1_F_ASN1_PACK_STRING,ASN1_R_ENCODE_ERROR);
 		return NULL;
 	}
-	if (!(p = Malloc (octmp->length))) {
+	if (!(p = OPENSSL_malloc (octmp->length))) {
 		ASN1err(ASN1_F_ASN1_PACK_STRING,ERR_R_MALLOC_FAILURE);
 		return NULL;
 	}

crypto/asn1/charmap.h

@@ -0,0 +1,15 @@
+/* Auto generated with chartype.pl script.
+ * Mask of various character properties
+ */
+
+static unsigned char char_type[] = {
+ 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2,
+ 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2,
+120, 0, 1,40, 0, 0, 0,16,16,16, 0,25,25,16,16,16,
+16,16,16,16,16,16,16,16,16,16,16, 9, 9,16, 9,16,
+ 0,16,16,16,16,16,16,16,16,16,16,16,16,16,16,16,
+16,16,16,16,16,16,16,16,16,16,16, 0, 1, 0, 0, 0,
+ 0,16,16,16,16,16,16,16,16,16,16,16,16,16,16,16,
+16,16,16,16,16,16,16,16,16,16,16, 0, 0, 0, 0, 2
+};
+

crypto/asn1/charmap.pl

@@ -0,0 +1,80 @@
+#!/usr/local/bin/perl -w
+
+use strict;
+
+my ($i, @arr);
+
+# Set up an array with the type of ASCII characters
+# Each set bit represents a character property.
+
+# RFC2253 character properties
+my $RFC2253_ESC = 1;	# Character escaped with \
+my $ESC_CTRL	= 2;	# Escaped control character
+# These are used with RFC1779 quoting using "
+my $NOESC_QUOTE	= 8;	# Not escaped if quoted
+my $PSTRING_CHAR = 0x10;	# Valid PrintableString character
+my $RFC2253_FIRST_ESC = 0x20; # Escaped with \ if first character
+my $RFC2253_LAST_ESC = 0x40;  # Escaped with \ if last character
+
+for($i = 0; $i < 128; $i++) {
+	# Set the RFC2253 escape characters (control)
+	$arr[$i] = 0;
+	if(($i < 32) || ($i > 126)) {
+		$arr[$i] |= $ESC_CTRL;
+	}
+
+	# Some PrintableString characters
+	if(		   ( ( $i >= ord("a")) && ( $i <= ord("z")) )
+			|| (  ( $i >= ord("A")) && ( $i <= ord("Z")) )
+			|| (  ( $i >= ord("0")) && ( $i <= ord("9")) )  ) {
+		$arr[$i] |= $PSTRING_CHAR;
+	}
+}
+
+# Now setup the rest
+
+# Remaining RFC2253 escaped characters
+
+$arr[ord(" ")] |= $NOESC_QUOTE | $RFC2253_FIRST_ESC | $RFC2253_LAST_ESC;
+$arr[ord("#")] |= $NOESC_QUOTE | $RFC2253_FIRST_ESC;
+
+$arr[ord(",")] |= $NOESC_QUOTE | $RFC2253_ESC;
+$arr[ord("+")] |= $NOESC_QUOTE | $RFC2253_ESC;
+$arr[ord("\"")] |= $RFC2253_ESC;
+$arr[ord("\\")] |= $RFC2253_ESC;
+$arr[ord("<")] |= $NOESC_QUOTE | $RFC2253_ESC;
+$arr[ord(">")] |= $NOESC_QUOTE | $RFC2253_ESC;
+$arr[ord(";")] |= $NOESC_QUOTE | $RFC2253_ESC;
+
+# Remaining PrintableString characters
+
+$arr[ord(" ")] |= $PSTRING_CHAR;
+$arr[ord("'")] |= $PSTRING_CHAR;
+$arr[ord("(")] |= $PSTRING_CHAR;
+$arr[ord(")")] |= $PSTRING_CHAR;
+$arr[ord("+")] |= $PSTRING_CHAR;
+$arr[ord(",")] |= $PSTRING_CHAR;
+$arr[ord("-")] |= $PSTRING_CHAR;
+$arr[ord(".")] |= $PSTRING_CHAR;
+$arr[ord("/")] |= $PSTRING_CHAR;
+$arr[ord(":")] |= $PSTRING_CHAR;
+$arr[ord("=")] |= $PSTRING_CHAR;
+$arr[ord("?")] |= $PSTRING_CHAR;
+
+# Now generate the C code
+
+print <<EOF;
+/* Auto generated with chartype.pl script.
+ * Mask of various character properties
+ */
+
+static unsigned char char_type[] = {
+EOF
+
+for($i = 0; $i < 128; $i++) {
+	print("\n") if($i && (($i % 16) == 0));
+	printf("%2d", $arr[$i]);
+	print(",") if ($i != 127);
+}
+print("\n};\n\n");
+

crypto/asn1/d2i_dsap.c

@@ -64,7 +64,7 @@
 #include <openssl/objects.h>
 #include <openssl/asn1_mac.h>
 
-#ifdef NEG_PUBKEY_BUG
+#ifndef NO_NEG_PUBKEY_BUG
 #define d2i_ASN1_INTEGER d2i_ASN1_UINTEGER
 #endif
 

crypto/asn1/d2i_r_pu.c

@@ -64,7 +64,7 @@
 #include <openssl/objects.h>
 #include <openssl/asn1_mac.h>
 
-#ifdef NEG_PUBKEY_BUG
+#ifndef NO_NEG_PUBKEY_BUG
 #define d2i_ASN1_INTEGER d2i_ASN1_UINTEGER
 #endif
 

crypto/asn1/d2i_s_pr.c

@@ -92,6 +92,7 @@ DSA *d2i_DSAPrivateKey(DSA **a, unsigned char **pp, long length)
 		== NULL) goto err_bn;
 
 	M_ASN1_INTEGER_free(bs);
+	bs = NULL;
 
 	M_ASN1_D2I_Finish_2(a);
 err_bn: