Prepare to release 0.9.7g.

The tag till be OpenSSL_0_9_7g.

.cvsignore

@@ -15,3 +15,6 @@ cctest.a
 libcrypto.so.*
 libssl.so.*
 libcrypto.sha1
+libcrypto.a.sha1
+*.flc
+semantic.cache

CHANGES

@@ -2,6 +2,88 @@
  OpenSSL CHANGES
  _______________
 
+ Changes between 0.9.7f and 0.9.7g  [11 Apr 2005]
+
+  *) Fixes for newer kerberos headers. NB: the casts are needed because
+     the 'length' field is signed on one version and unsigned on another
+     with no (?) obvious way to tell the difference, without these VC++
+     complains. Also the "definition" of FAR (blank) is no longer included
+     nor is the error ENOMEM. KRB5_PRIVATE has to be set to 1 to pick up
+     some needed definitions.
+     [Steve Henson]
+
+  *) Undo Cygwin change.
+     [Ulf M<>ller]
+
+  *) Added support for proxy certificates according to RFC 3820.
+     Because they may be a security thread to unaware applications,
+     they must be explicitely allowed in run-time.  See
+     docs/HOWTO/proxy_certificates.txt for further information.
+     [Richard Levitte]
+
+ Changes between 0.9.7e and 0.9.7f  [22 Mar 2005]
+
+  *) Use (SSL_RANDOM_VALUE - 4) bytes of pseudo random data when generating
+     server and client random values. Previously
+     (SSL_RANDOM_VALUE - sizeof(time_t)) would be used which would result in
+     less random data when sizeof(time_t) > 4 (some 64 bit platforms).
+
+     This change has negligible security impact because:
+
+     1. Server and client random values still have 24 bytes of pseudo random
+        data.
+
+     2. Server and client random values are sent in the clear in the initial
+        handshake.
+
+     3. The master secret is derived using the premaster secret (48 bytes in
+        size for static RSA ciphersuites) as well as client server and random
+        values.
+
+     The OpenSSL team would like to thank the UK NISCC for bringing this issue
+     to our attention. 
+
+     [Stephen Henson, reported by UK NISCC]
+
+  *) Use Windows randomness collection on Cygwin.
+     [Ulf M<>ller]
+
+  *) Fix hang in EGD/PRNGD query when communication socket is closed
+     prematurely by EGD/PRNGD.
+     [Darren Tucker <dtucker@zip.com.au> via Lutz J<>nicke, resolves #1014]
+
+  *) Prompt for pass phrases when appropriate for PKCS12 input format.
+     [Steve Henson]
+
+  *) Back-port of selected performance improvements from development
+     branch, as well as improved support for PowerPC platforms.
+     [Andy Polyakov]
+
+  *) Add lots of checks for memory allocation failure, error codes to indicate
+     failure and freeing up memory if a failure occurs.
+     [Nauticus Networks SSL Team <openssl@nauticusnet.com>, Steve Henson]
+
+  *) Add new -passin argument to dgst.
+     [Steve Henson]
+
+  *) Perform some character comparisons of different types in X509_NAME_cmp:
+     this is needed for some certificates that reencode DNs into UTF8Strings
+     (in violation of RFC3280) and can't or wont issue name rollover
+     certificates.
+     [Steve Henson]
+
+  *) Make an explicit check during certificate validation to see that
+     the CA setting in each certificate on the chain is correct.  As a
+     side effect always do the following basic checks on extensions,
+     not just when there's an associated purpose to the check:
+
+      - if there is an unhandled critical extension (unless the user
+        has chosen to ignore this fault)
+      - if the path length has been exceeded (if one is set at all)
+      - that certain extensions fit the associated purpose (if one has
+        been given)
+     [Richard Levitte]
+
  Changes between 0.9.7d and 0.9.7e  [25 Oct 2004]
 
   *) Avoid a race condition when CRLs are checked in a multi threaded 

Configure

@@ -169,9 +169,19 @@ my %table=(
 # 7_x86) /usr/ccs/bin/as fails to assemble with "Illegal mnemonic"
 # error message.
 "solaris-x86-gcc","gcc:-O3 -fomit-frame-pointer -m486 -Wall -DL_ENDIAN -DOPENSSL_NO_INLINE_ASM::-D_REENTRANT::-lsocket -lnsl -ldl:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}:dlfcn:solaris-shared:-fPIC:-shared:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
+# -shared -static-libgcc might appear controversial, but modules taken
+# from static libgcc do not have relocations and linking them into our
+# shared objects doesn't have any negative side-effects. On the contrary,
+# doing so makes it possible to use gcc shared build with Sun C. Given
+# that gcc generates faster code [thanks to inline assembler], I would
+# actually recommend to consider using gcc shared build even with vendor
+# compiler:-)
+#						<appro@fy.chalmers.se>
+"solaris64-x86_64-gcc","gcc:-m64 -O3 -Wall -DL_ENDIAN -DMD32_REG_T=int::-D_REENTRANT::-lsocket -lnsl -ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK BF_PTR2 DES_INT DES_UNROLL:asm/x86_64-gcc.o::::::asm/rc4-amd64.o:::dlfcn:solaris-shared:-fPIC:-m64 -shared -static-libgcc:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
 
 #### Solaris x86 with Sun C setups
 "solaris-x86-cc","cc:-fast -O -Xa::-D_REENTRANT::-lsocket -lnsl -ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_PTR DES_UNROLL BF_PTR::::::::::dlfcn:solaris-shared:-KPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
+"solaris64-x86_64-cc","cc:-fast -xarch=amd64 -xstrconst -Xa -DL_ENDIAN::-D_REENTRANT::-lsocket -lnsl -ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK BF_PTR2 DES_INT DES_UNROLL::::::::::dlfcn:solaris-shared:-KPIC:-xarch=amd64:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
 
 #### SPARC Solaris with GNU C setups
 "solaris-sparcv7-gcc","gcc:-O3 -fomit-frame-pointer -Wall -DB_ENDIAN -DBN_DIV2W::-D_REENTRANT::-lsocket -lnsl -ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR::::::::::dlfcn:solaris-shared:-fPIC:-shared:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
@@ -270,10 +280,10 @@ my %table=(
 "hpux64-parisc2-gcc","gcc:-O3 -DB_ENDIAN -DMD32_XARRAY::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG MD2_CHAR RC4_INDEX RC4_CHAR DES_UNROLL DES_RISC1 DES_INT:asm/pa-risc2W.o:::::::::dlfcn:hpux64-shared:-fpic::.sl.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
 
 # IA-64 targets
-"hpux-ia64-cc","cc:-Ae +DD32 +O3 +Olit=all -z -DB_ENDIAN::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT MD2_CHAR RC4_INDEX RC4_CHAR DES_UNROLL DES_RISC1 DES_INT:asm/ia64-cpp.o:::::::::dlfcn:hpux-shared:+Z::.sl.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
+"hpux-ia64-cc","cc:-Ae +DD32 +O3 +Olit=all -z -DB_ENDIAN::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT MD2_CHAR RC4_INDEX DES_UNROLL DES_RISC1 DES_INT:asm/ia64-cpp.o::::asm/sha1-ia64.o::asm/rc4-ia64.o:::dlfcn:hpux-shared:+Z::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
 # Frank Geurts <frank.geurts@nl.abnamro.com> has patiently assisted with
 # with debugging of the following config.
-"hpux64-ia64-cc","cc:-Ae +DD64 +O3 +Olit=all -z -DB_ENDIAN::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG MD2_CHAR RC4_INDEX RC4_CHAR DES_UNROLL DES_RISC1 DES_INT:asm/ia64-cpp.o:::::::::dlfcn:hpux64-shared:+Z::.sl.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
+"hpux64-ia64-cc","cc:-Ae +DD64 +O3 +Olit=all -z -DB_ENDIAN::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG MD2_CHAR RC4_INDEX DES_UNROLL DES_RISC1 DES_INT:asm/ia64-cpp.o::::asm/sha1-ia64.o::asm/rc4-ia64.o:::dlfcn:hpux64-shared:+Z::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
 
 # More attempts at unified 10.X and 11.X targets for HP C compiler.
 #
@@ -393,13 +403,16 @@ my %table=(
 "linux-aout",	"gcc:-DL_ENDIAN -DTERMIO -O3 -fomit-frame-pointer -m486 -Wall::(unknown):::BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_out_asm}",
 "linux-mipsel",   "gcc:-DL_ENDIAN -DTERMIO -O3 -fomit-frame-pointer -Wall::-D_REENTRANT::-ldl:BN_LLONG RC2_CHAR RC4_INDEX DES_INT DES_UNROLL DES_RISC2::::::::::dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
 "linux-mips",   "gcc:-DB_ENDIAN -DTERMIO -O3 -fomit-frame-pointer -Wall::-D_REENTRANT::-ldl:BN_LLONG RC2_CHAR RC4_INDEX DES_INT DES_UNROLL DES_RISC2::::::::::dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
-"linux-ppc",    "gcc:-DB_ENDIAN -DTERMIO -O3 -fomit-frame-pointer -Wall::-D_REENTRANT::-ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_RISC1 DES_UNROLL::::::::::dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
+"linux-ppc",    "gcc:-DB_ENDIAN -DTERMIO -O3 -fomit-frame-pointer -Wall::-D_REENTRANT::-ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_RISC1 DES_UNROLL:asm/linux_ppc32.o:::::::::dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
+# -bpowerpc64-linux is transient option, -m64 should be the one to use...
+"linux-ppc64",  "gcc:-bpowerpc64-linux -DB_ENDIAN -DTERMIO -O3 -fomit-frame-pointer -Wall::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_RISC1 DES_UNROLL:asm/linux_ppc64.o:::::::::dlfcn:linux-shared:-fPIC:-bpowerpc64-linux:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
 "linux-m68k",   "gcc:-DB_ENDIAN -DTERMIO -O2 -fomit-frame-pointer -Wall::-D_REENTRANT:::BN_LLONG::",
 "linux-s390",	"gcc:-DB_ENDIAN -DTERMIO -DNO_ASM -O3 -fomit-frame-pointer -Wall::-D_REENTRANT::-ldl:BN_LLONG::::::::::dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
 "linux-s390x",	"gcc:-DB_ENDIAN -DTERMIO -DNO_ASM -O3 -fomit-frame-pointer -Wall::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG::::::::::dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
-"linux-ia64",   "gcc:-DL_ENDIAN -DTERMIO -O3 -fomit-frame-pointer -Wall::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK RC4_CHAR:asm/ia64.o:::::::::dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
-"linux-ia64-ecc",   "ecc:-DL_ENDIAN -DTERMIO -O2 -Wall::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK RC4_CHAR:asm/ia64.o:::::::::dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
-"linux-x86_64", "gcc:-m64 -DL_ENDIAN -DTERMIO -O3 -Wall -DMD32_REG_T=int::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK RC4_CHAR BF_PTR2 DES_INT DES_UNROLL:asm/x86_64-gcc.o:::::::::dlfcn:linux-shared:-fPIC:-m64:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
+"linux-ia64",   "gcc:-DL_ENDIAN -DTERMIO -O3 -fomit-frame-pointer -Wall::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK:asm/ia64.o::::asm/sha1-ia64.o::asm/rc4-ia64.o:::dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
+"linux-ia64-ecc",   "ecc:-DL_ENDIAN -DTERMIO -O2 -Wall -no_cpprt::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK:asm/ia64.o::::asm/sha1-ia64.o::asm/rc4-ia64.o:::dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
+"linux-x86_64", "gcc:-m64 -DL_ENDIAN -DTERMIO -O3 -Wall -DMD32_REG_T=int::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK BF_PTR2 DES_INT DES_UNROLL:asm/x86_64-gcc.o::::::asm/rc4-amd64.o:::dlfcn:linux-shared:-fPIC:-m64:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
+"linux-em64t", "gcc:-m64 -DL_ENDIAN -DTERMIO -O3 -Wall -DMD32_REG_T=int::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK RC4_CHAR BF_PTR2 DES_INT DES_UNROLL:asm/x86_64-gcc.o:::::::::dlfcn:linux-shared:-fPIC:-m64:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
 "NetBSD-sparc",	"gcc:-DTERMIOS -O3 -fomit-frame-pointer -mv8 -Wall -DB_ENDIAN::(unknown):::BN_LLONG MD2_CHAR RC4_INDEX DES_UNROLL::::::::::dlfcn:bsd-gcc-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
 "NetBSD-m68",	"gcc:-DTERMIOS -O3 -fomit-frame-pointer -Wall -DB_ENDIAN::(unknown):::BN_LLONG MD2_CHAR RC4_INDEX DES_UNROLL::::::::::dlfcn:bsd-gcc-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
 "NetBSD-x86",	"gcc:-DTERMIOS -O3 -fomit-frame-pointer -m486 -Wall::(unknown):::BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}::::::::::dlfcn:bsd-gcc-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
@@ -422,7 +435,9 @@ my %table=(
 "qnx6",	"cc:-DL_ENDIAN -DTERMIOS::(unknown)::-lsocket:${x86_gcc_des} ${x86_gcc_opts}:",
 
 # Linux on ARM
-"linux-elf-arm","gcc:-DL_ENDIAN -DTERMIO -O3 -fomit-frame-pointer -Wall::-D_REENTRANT::-ldl:BN_LLONG::::::::::dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
+# ARM comes in both little- and big-endian flavors. The following line is
+# endian neutral, but ./config is free to throw in -D[BL]_ENDIAN...
+"linux-elf-arm","gcc:-DTERMIO -O3 -fomit-frame-pointer -Wall::-D_REENTRANT::-ldl:BN_LLONG::::::::::dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
 
 # SCO/Caldera targets.
 #
@@ -449,11 +464,10 @@ my %table=(
 
 
 # IBM's AIX.
-"aix-cc",   "cc:-O -DB_ENDIAN -qmaxmem=16384::(unknown):AIX::BN_LLONG RC4_CHAR:::",
-"aix-gcc",  "gcc:-O3 -DB_ENDIAN::(unknown):AIX::BN_LLONG RC4_CHAR:::",
-"aix43-cc",   "cc:-O -DAIX -DB_ENDIAN -qmaxmem=16384::(unknown):::BN_LLONG RC4_CHAR::::::::::dlfcn:aix-shared:::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)::",
-"aix43-gcc",  "gcc:-O1 -DAIX -DB_ENDIAN::(unknown):::BN_LLONG RC4_CHAR::::::::::dlfcn:",
-"aix64-cc",   "cc:-O -DAIX -DB_ENDIAN -qmaxmem=16384 -q64::(unknown):::SIXTY_FOUR_BIT_LONG RC4_CHAR::::::::::dlfcn:aix-shared::-q64:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)::-X 64",
+"aix3-cc",    "cc:-O -DB_ENDIAN -qmaxmem=16384::(unknown):AIX::BN_LLONG RC4_CHAR:::",
+"aix-gcc",    "gcc:-O3 -DB_ENDIAN::-D_THREAD_SAFE:AIX::BN_LLONG RC4_CHAR:asm/aix_ppc32.o:::::::::dlfcn:",
+"aix-cc",     "cc:-q32 -O -DB_ENDIAN -qmaxmem=16384::-qthreaded:AIX::BN_LLONG RC4_CHAR:asm/aix_ppc32.o:::::::::dlfcn:aix-shared::-q32:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)::-X 32",
+"aix64-cc",   "cc:-q64 -O -DB_ENDIAN -qmaxmem=16384::-qthreaded:AIX::SIXTY_FOUR_BIT_LONG RC4_CHAR:asm/aix_ppc64.o:::::::::dlfcn:aix-shared::-q64:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)::-X 64",
 
 #
 # Cray T90 and similar (SDSC)
@@ -516,17 +530,17 @@ my %table=(
 "BC-16","bcc:::(unknown):WIN16::BN_LLONG DES_PTR RC4_INDEX SIXTEEN_BIT:::",
 
 # MinGW
-"mingw", "gcc:-DL_ENDIAN -fomit-frame-pointer -O3 -march=i486 -mno-cygwin -Wall:::MINGW32:-mno-cygwin -lwsock32 -lgdi32:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_out_asm}:win32::::.dll",
+"mingw", "gcc:-DL_ENDIAN -fomit-frame-pointer -O3 -march=i486 -mno-cygwin -Wall:::MINGW32:-lwsock32 -lgdi32:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_out_asm}:win32:cygwin-shared:-D_WINDLL:-mno-cygwin:.dll",
 
 # UWIN 
 "UWIN", "cc:-DTERMIOS -DL_ENDIAN -O -Wall:::UWIN::BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}::::::::::win32",
 
 # Cygwin
 "Cygwin-pre1.3", "gcc:-DTERMIOS -DL_ENDIAN -fomit-frame-pointer -O3 -m486 -Wall::(unknown):CYGWIN32::BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}::::::::::win32",
-"Cygwin", "gcc:-DTERMIOS -DL_ENDIAN -fomit-frame-pointer -O3 -march=i486 -Wall:::CYGWIN32::BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_out_asm}:win32:cygwin-shared:::.dll",
+"Cygwin", "gcc:-DTERMIOS -DL_ENDIAN -fomit-frame-pointer -O3 -march=i486 -Wall:::CYGWIN32::BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_out_asm}:dlfcn:cygwin-shared:-D_WINDLL::.dll",
 
 # DJGPP
-"DJGPP", "gcc:-I/dev/env/WATT_ROOT/inc -DTERMIOS -DL_ENDIAN -fomit-frame-pointer -O2 -Wall:::MSDOS:-L/dev/env/WATT_ROOT/lib -lwatt:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}::::::::::",
+"DJGPP", "gcc:-I/dev/env/WATT_ROOT/inc -DTERMIOS -DL_ENDIAN -fomit-frame-pointer -O2 -Wall -DDEVRANDOM=\"/dev/urandom\\x24\":::MSDOS:-L/dev/env/WATT_ROOT/lib -lwatt:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}::::::::::",
 
 # Ultrix from Bernhard Simon <simon@zid.tuwien.ac.at>
 "ultrix-cc","cc:-std1 -O -Olimit 2500 -DL_ENDIAN::(unknown):::::::",
@@ -549,7 +563,7 @@ my %table=(
 
 ##### MacOS X (a.k.a. Rhapsody or Darwin) setup
 "rhapsody-ppc-cc","cc:-O3 -DB_ENDIAN::(unknown):MACOSX_RHAPSODY::BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR:::",
-"darwin-ppc-cc","cc:-O3 -fomit-frame-pointer -fno-common -DB_ENDIAN::-D_REENTRANT:MACOSX::BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR:::::::::::darwin-shared:-fPIC::.\$(SHLIB_MAJOR).\$(SHLIB_MINOR).dylib",
+"darwin-ppc-cc","cc:-O3 -fomit-frame-pointer -fno-common -DB_ENDIAN::-D_REENTRANT:MACOSX::BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR:asm/osx_ppc32.o::::::::::darwin-shared:-fPIC::.\$(SHLIB_MAJOR).\$(SHLIB_MINOR).dylib",
 "darwin-i386-cc","cc:-O3 -fomit-frame-pointer -fno-common -DB_ENDIAN::-D_REENTRANT:MACOSX::BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR:::::::::::darwin-shared:-fPIC::.\$(SHLIB_MAJOR).\$(SHLIB_MINOR).dylib",
 
 ##### A/UX
@@ -936,8 +950,7 @@ print "Configuring for $target\n";
 
 my $IsWindows=scalar grep /^$target$/,@WinTargets;
 
-$exe_ext=".exe" if ($target eq "Cygwin");
-$exe_ext=".exe" if ($target eq "DJGPP");
+$exe_ext=".exe" if ($target eq "Cygwin" || $target eq "DJGPP" || $target eq "mingw");
 $exe_ext=".pm" if ($target eq "vos-gcc" or $target eq "debug-vos-gcc" or $target eq "vos-vcc" or $target eq "debug-vos-vcc");
 $openssldir="/usr/local/ssl" if ($openssldir eq "" and $prefix eq "");
 $prefix=$openssldir if $prefix eq "";
@@ -1160,15 +1173,21 @@ if ($ranlib eq "")
 
 $bn_obj = $bn_asm unless $bn_obj ne "";
 
+my $fips_des_obj;
+my $fips_sha1_obj;
 if ($fips)
 	{
+	if ($des_obj =~ /\-elf\.o$/ && $no_shared) # FIPS DES module is not PIC
+		{
+		$fips_des_obj='asm/fips-dx86-elf.o';
+		$openssl_other_defines.="#define OPENSSL_FIPS_DES_ASM\n";
+		}
+	else {	$fips_des_obj=$fips_des_enc;  }
+	$fips_sha1_obj='asm/sx86-elf.o' if ($sha1_obj =~ /\-elf\.o$/);
 	$des_obj=$sha1_obj="";
 	$openssl_other_defines.="#define OPENSSL_FIPS\n";
 	}
-$des_obj=$des_enc	unless (!$fips && $des_obj =~ /\.o$/);
-my $fips_des_obj='asm/fips-dx86-elf.o';
-$fips_des_obj=$fips_des_enc unless $processor eq '386';
-my $fips_sha1_obj='asm/sx86-elf.o' if $processor eq '386';
+$des_obj=$des_enc	unless ($des_obj =~ /\.o$/);
 $bf_obj=$bf_enc		unless ($bf_obj =~ /\.o$/);
 $cast_obj=$cast_enc	unless ($cast_obj =~ /\.o$/);
 $rc4_obj=$rc4_enc	unless ($rc4_obj =~ /\.o$/);
@@ -1524,12 +1543,10 @@ EOF
 		if $make_targets ne "";
 	if ( $perl =~ m@^/@) {
 	    &dofile("tools/c_rehash",$perl,'^#!/', '#!%s','^my \$dir;$', 'my $dir = "' . $openssldir . '";');
-	    &dofile("apps/der_chop",$perl,'^#!/', '#!%s');
 	    &dofile("apps/CA.pl",$perl,'^#!/', '#!%s');
 	} else {
 	    # No path for Perl known ...
 	    &dofile("tools/c_rehash",'/usr/local/bin/perl','^#!/', '#!%s','^my \$dir;$', 'my $dir = "' . $openssldir . '";');
-	    &dofile("apps/der_chop",'/usr/local/bin/perl','^#!/', '#!%s');
 	    &dofile("apps/CA.pl",'/usr/local/bin/perl','^#!/', '#!%s');
 	}
 	if ($depflags ne "" && !$make_depend) {

FAQ

@@ -70,7 +70,7 @@ OpenSSL  -  Frequently Asked Questions
 * Which is the current version of OpenSSL?
 
 The current version is available from <URL: http://www.openssl.org>.
-OpenSSL 0.9.7e was released on October 25, 2004.
+OpenSSL 0.9.7g was released on April 11, 2005.
 
 In addition to the current stable release, you can also access daily
 snapshots of the OpenSSL development version at <URL:
@@ -472,6 +472,10 @@ This will only compile sha_dgst.c with -O0, the rest with the optimization
 level chosen by the configuration process.  When the above is done, do the
 test and installation and you're set.
 
+3. Reconfigure the toolkit with no-sha0 option to leave out SHA0. It
+should not be used and is not used in SSL/TLS nor any other recognized
+protocol in either case.
+
 
 * Why does the OpenSSL compilation fail with "ar: command not found"?
 
@@ -788,9 +792,20 @@ that is allocated when an application starts up. Since such tables do not grow
 in size over time they are harmless.
 
 These internal tables can be freed up when an application closes using various
-functions.  Currently these include: EVP_cleanup(), ERR_remove_state(),
-ERR_free_strings(), ENGINE_cleanup(), CONF_modules_unload() and
-CRYPTO_cleanup_all_ex_data().
+functions.  Currently these include following:
+
+Thread-local cleanup functions:
+
+  ERR_remove_state()
+
+Application-global cleanup functions that are aware of usage (and therefore
+thread-safe):
+
+  ENGINE_cleanup() and CONF_modules_unload()
+
+"Brutal" (thread-unsafe) Application-global cleanup functions:
+
+  ERR_free_strings(), EVP_cleanup() and CRYPTO_cleanup_all_ex_data().
 
 
 ===============================================================================

INSTALL.DJGPP

@@ -3,32 +3,45 @@
  INSTALLATION ON THE DOS PLATFORM WITH DJGPP
  -------------------------------------------
 
- Openssl has been ported to DOS, but only with long filename support. If
- you wish to compile on native DOS with 8+3 filenames, you will have to
- tweak the installation yourself, including renaming files with illegal
- or duplicate names.
+ OpenSSL has been ported to DJGPP, a Unix look-alike 32-bit run-time
+ environment for 16-bit DOS, but only with long filename support.
+ If you wish to compile on native DOS with 8+3 filenames, you will
+ have to tweak the installation yourself, including renaming files
+ with illegal or duplicate names.
 
  You should have a full DJGPP environment installed, including the
  latest versions of DJGPP, GCC, BINUTILS, BASH, etc. This package
  requires that PERL and BC also be installed.
 
- All of these can be obtained from the usual DJGPP mirror sites, such
- as "ftp://ftp.simtel.net/pub/simtelnet/gnu/djgpp". You also need to
- have the WATT-32 networking package installed before you try to compile
- openssl. This can be obtained from "http://www.bgnett.no/~giva/".
+ All of these can be obtained from the usual DJGPP mirror sites or
+ directly at "http://www.delorie.com/pub/djgpp". For help on which
+ files to download, see the DJGPP "ZIP PICKER" page at
+ "http://www.delorie.com/djgpp/zip-picker.html". You also need to have
+ the WATT-32 networking package installed before you try to compile
+ OpenSSL. This can be obtained from "http://www.bgnett.no/~giva/".
  The Makefile assumes that the WATT-32 code is in the directory
  specified by the environment variable WATT_ROOT. If you have watt-32
  in directory "watt32" under your main DJGPP directory, specify
  WATT_ROOT="/dev/env/DJDIR/watt32".
 
- To compile openssl, start your BASH shell. Then configure for DOS by
- running "./Configure" with appropriate arguments. The basic syntax for
- DOS is:
- ./Configure no-threads --prefix=/dev/env/DJDIR DJGPP
- 
- You may run out of DPMI selectors when running in a DOS box under
- Windows. If so, just close the BASH shell, go back to Windows, and
- restart BASH. Then run "make" again.
+ To compile OpenSSL, start your BASH shell, then configure for DJGPP by
+ running "./Configure" with appropriate arguments:
 
- Building openssl under DJGPP has been tested with DJGPP 2.03,
- GCC 2.952, GCC 2.953, perl 5.005_02 and perl 5.006_01.
+	./Configure no-threads --prefix=/dev/env/DJDIR DJGPP
+ 
+ And finally fire up "make". You may run out of DPMI selectors when
+ running in a DOS box under Windows. If so, just close the BASH
+ shell, go back to Windows, and restart BASH. Then run "make" again.
+
+ RUN-TIME CAVEAT LECTOR
+ --------------
+
+ Quoting FAQ:
+
+  "Cryptographic software needs a source of unpredictable data to work
+   correctly.  Many open source operating systems provide a "randomness
+   device" (/dev/urandom or /dev/random) that serves this purpose."
+
+ As of version 0.9.7f DJGPP port checks upon /dev/urandom$ for a 3rd
+ party "randomness" DOS driver. One such driver, NOISE.SYS, can be
+ obtained from "http://www.rahul.net/dkaufman/index.html".

Makefile.org

@@ -176,7 +176,7 @@ LIBKRB5=
 SHLIB_MARK=
 
 DIRS=   crypto fips ssl $(SHLIB_MARK) sigs apps test tools
-SHLIBDIRS= fips crypto ssl
+SHLIBDIRS= crypto ssl
 
 # dirs in crypto to build
 SDIRS=  objects \
@@ -227,7 +227,7 @@ all: Makefile sub_all openssl.pc
 
 sigs:	$(SIGS)
 libcrypto.a.sha1: libcrypto.a
-	if egrep 'define OPENSSL_FIPS' $(TOP)/include/openssl/opensslconf.h > /dev/null; then \
+	@if egrep 'define OPENSSL_FIPS' $(TOP)/include/openssl/opensslconf.h > /dev/null; then \
 		$(RANLIB) libcrypto.a; \
 		fips/sha1/fips_standalone_sha1 libcrypto.a > libcrypto.a.sha1; \
 	fi
@@ -334,11 +334,18 @@ do_cygwin-shared:
 	if [ "${SHLIBDIRS}" = "ssl" -a -n "$(LIBKRB5)" ]; then \
 		libs="$(LIBKRB5) $$libs"; \
 	fi; \
-	( set -x; ${CC}  -shared -o cyg$$i-$(SHLIB_VERSION_NUMBER).dll \
+	shlib=cyg$${i}-$(SHLIB_VERSION_NUMBER).dll; \
+	[ "$(PLATFORM)" = "mingw" ] && shlib=$${i}eay32.dll; \
+	[ -f apps/$$shlib ] && rm apps/$$shlib; \
+	[ -f test/$$shlib ] && rm test/$$shlib; \
+	base=;  [ $$i = "crypto" ] && base=-Wl,--image-base,0xFE00000; \
+	( set -x; ${CC} ${SHARED_LDFLAGS} \
+		-shared $$base -o $$shlib \
 		-Wl,-Bsymbolic \
 		-Wl,--whole-archive lib$$i.a \
 		-Wl,--out-implib,lib$$i.dll.a \
-		-Wl,--no-whole-archive $$libs ) || exit 1; \
+		-Wl,--no-whole-archive $$libs ${EX_LIBS} ) || exit 1; \
+	cp -p $$shlib apps/; cp -p $$shlib test/; \
 	libs="-l$$i $$libs"; \
 	done
 
@@ -479,8 +486,8 @@ do_irix-shared:
 		if [ "${SHLIBDIRS}" = "ssl" -a -n "$(LIBKRB5)" ]; then \
 			libs="$(LIBKRB5) $$libs"; \
 		fi; \
-		( WHOLELIB="-all lib$$i.a -notall"; \
-		  (${CC} -v 2>&1 | grep gcc) > /dev/null && WHOLELIB="-Wl,-all,lib$$i.a,-notall"; \
+		( WHOLELIB="-all lib$$i.a -none"; \
+		  (${CC} -v 2>&1 | grep gcc) > /dev/null && WHOLELIB="-Wl,-all,lib$$i.a,-none"; \
 		  set -x; ${CC} ${SHARED_LDFLAGS} \
 			-shared -o lib$$i.so.${SHLIB_MAJOR}.${SHLIB_MINOR} \
 			-Wl,-soname,lib$$i.so.${SHLIB_MAJOR}.${SHLIB_MINOR} \
@@ -505,13 +512,18 @@ do_hpux-shared:
 	if [ "${SHLIBDIRS}" = "ssl" -a -n "$(LIBKRB5)" ]; then \
 		libs="$(LIBKRB5) $$libs"; \
 	fi; \
+	if expr $(PLATFORM) : '.*ia64' > /dev/null; then \
+		shlib=lib$$i.so.${SHLIB_MAJOR}.${SHLIB_MINOR}; \
+	else \
+		shlib=lib$$i.sl.${SHLIB_MAJOR}.${SHLIB_MINOR}; \
+	fi; \
+	[ -f $$shlib ] && rm -f $$shlib; \
 	( set -x; /usr/ccs/bin/ld ${SHARED_LDFLAGS} \
 		+vnocompatwarnings \
 		-b -z +s \
-		-o lib$$i.sl.${SHLIB_MAJOR}.${SHLIB_MINOR} \
-		+h lib$$i.sl.${SHLIB_MAJOR}.${SHLIB_MINOR} \
+		-o $$shlib +h $$shlib \
 		-Fl lib$$i.a -ldld -lc ) || exit 1; \
-	chmod a=rx lib$$i.sl.${SHLIB_MAJOR}.${SHLIB_MINOR}; \
+	chmod a=rx $$shlib; \
 	done
 
 # This assumes that GNU utilities are *not* used
@@ -528,12 +540,17 @@ do_hpux64-shared:
 	if [ "${SHLIBDIRS}" = "ssl" -a -n "$(LIBKRB5)" ]; then \
 		libs="$(LIBKRB5) $$libs"; \
 	fi; \
+	if expr $(PLATFORM) : '.*ia64' > /dev/null; then \
+		shlib=lib$$i.so.${SHLIB_MAJOR}.${SHLIB_MINOR}; \
+	else \
+		shlib=lib$$i.sl.${SHLIB_MAJOR}.${SHLIB_MINOR}; \
+	fi; \
+	[ -f $$shlib ] && rm -f $$shlib; \
 	( set -x; /usr/ccs/bin/ld ${SHARED_LDFLAGS} \
 		-b -z \
-		-o lib$$i.sl.${SHLIB_MAJOR}.${SHLIB_MINOR} \
-		+h lib$$i.sl.${SHLIB_MAJOR}.${SHLIB_MINOR} \
+		-o $$shlib +h $$shlib \
 		+forceload lib$$i.a -ldl -lc ) || exit 1; \
-	chmod a=rx lib$$i.sl.${SHLIB_MAJOR}.${SHLIB_MINOR}; \
+	chmod a=rx $$shlib; \
 	done
 
 # The following method is said to work on all platforms.  Tests will
@@ -574,6 +591,8 @@ do_aix-shared:
 		libs="$(LIBKRB5) $$libs"; \
 	fi; \
 	( set -x; \
+	  OBJECT_MODE=`expr x${SHARED_LDFLAGS} : 'x\-[a-z]\([0-9]*\)'`; \
+	  OBJECT_MODE=$${OBJECT_MODE:-32}; export OBJECT_MODE; \
 	  ld -r -o lib$$i.o $(ALLSYMSFLAG) lib$$i.a && \
 	  ( nm -Pg lib$$i.o | grep ' [BD] ' | cut -f1 -d' ' > lib$$i.exp; \
 	    $(SHAREDCMD) $(SHAREDFLAGS) \
@@ -627,7 +646,7 @@ clean:	libclean
 	do \
 	if [ -d "$$i" ]; then \
 		(cd $$i && echo "making clean in $$i..." && \
-		$(MAKE) SDIRS='${SDIRS}' clean ) || exit 1; \
+		$(MAKE) EXE_EXT='${EXE_EXT}' SDIRS='${SDIRS}' clean ) || exit 1; \
 		rm -f $(LIBS); \
 	fi; \
 	done;
@@ -679,15 +698,10 @@ dclean:
 
 rehash: rehash.time
 rehash.time: certs
-	@(OPENSSL="`pwd`/apps/openssl$(EXE_EXT)"; OPENSSL_DEBUG_MEMORY=on; \
-		export OPENSSL OPENSSL_DEBUG_MEMORY; \
-		LD_LIBRARY_PATH="`pwd`:$$LD_LIBRARY_PATH"; \
-		DYLD_LIBRARY_PATH="`pwd`:$$DYLD_LIBRARY_PATH"; \
-		SHLIB_PATH="`pwd`:$$SHLIB_PATH"; \
-		LIBPATH="`pwd`:$$LIBPATH"; \
-		if [ "$(PLATFORM)" = "Cygwin" ]; then PATH="`pwd`:$$PATH"; fi; \
-		export LD_LIBRARY_PATH DYLD_LIBRARY_PATH SHLIB_PATH LIBPATH PATH; \
-		$(PERL) tools/c_rehash certs)
+	@(OPENSSL="`pwd`/util/opensslwrap.sh"; \
+	  OPENSSL_DEBUG_MEMORY=on; \
+	  export OPENSSL OPENSSL_DEBUG_MEMORY; \
+	  $(PERL) tools/c_rehash certs)
 	touch rehash.time
 
 test:   tests
@@ -695,13 +709,7 @@ test:   tests
 tests: rehash
 	@(cd test && echo "testing..." && \
 	$(MAKE) CC='${CC}' PLATFORM='${PLATFORM}' CFLAG='${CFLAG}' SDIRS='$(SDIRS)' INSTALLTOP='${INSTALLTOP}' PEX_LIBS='${PEX_LIBS}' EX_LIBS='${EX_LIBS}' BN_ASM='${BN_ASM}' DES_ENC='${DES_ENC}' FIPS_DES_ENC='${FIPS_DES_ENC}' BF_ENC='${BF_ENC}' CAST_ENC='${CAST_ENC}' RC4_ENC='${RC4_ENC}' RC5_ENC='${RC5_ENC}' SHA1_ASM_OBJ='${SHA1_ASM_OBJ}' FIPS_SHA1_ASM_OBJ='${FIPS_SHA1_ASM_OBJ}' MD5_ASM_OBJ='${MD5_ASM_OBJ}' RMD160_ASM_OBJ='${RMD160_ASM_OBJ}' AR='${AR}' PROCESSOR='${PROCESSOR}' PERL='${PERL}' RANLIB='${RANLIB}' TESTS='${TESTS}' KRB5_INCLUDES='${KRB5_INCLUDES}' LIBKRB5='${LIBKRB5}' EXE_EXT='${EXE_EXT}' SHARED_LIBS='${SHARED_LIBS}' SHLIB_EXT='${SHLIB_EXT}' SHLIB_TARGET='${SHLIB_TARGET}' TESTS='${TESTS}' OPENSSL_DEBUG_MEMORY=on tests );
-	@LD_LIBRARY_PATH="`pwd`:$$LD_LIBRARY_PATH"; \
-	DYLD_LIBRARY_PATH="`pwd`:$$DYLD_LIBRARY_PATH"; \
-	SHLIB_PATH="`pwd`:$$SHLIB_PATH"; \
-	LIBPATH="`pwd`:$$LIBPATH"; \
-	if [ "$(PLATFORM)" = "Cygwin" ]; then PATH="`pwd`:$$PATH"; fi; \
-	export LD_LIBRARY_PATH DYLD_LIBRARY_PATH SHLIB_PATH LIBPATH PATH; \
-	apps/openssl version -a
+	util/shlib_wrap.sh apps/openssl version -a
 
 report:
 	@$(PERL) util/selftest.pl
@@ -800,7 +808,7 @@ install_sw:
 		$(INSTALL_PREFIX)$(OPENSSLDIR)/misc \
 		$(INSTALL_PREFIX)$(OPENSSLDIR)/certs \
 		$(INSTALL_PREFIX)$(OPENSSLDIR)/private
-	@for i in $(EXHEADER) ;\
+	@headerlist="$(EXHEADER)"; for i in $$headerlist ;\
 	do \
 	(cp $$i $(INSTALL_PREFIX)$(INSTALLTOP)/include/openssl/$$i; \
 	chmod 644 $(INSTALL_PREFIX)$(INSTALLTOP)/include/openssl/$$i ); \
@@ -879,7 +887,7 @@ install_docs:
 	@pod2man="`cd util; ./pod2mantest $(PERL)`"; \
 	here="`pwd`"; \
 	filecase=; \
-	if [ "$(PLATFORM)" = "DJGPP" -o "$(PLATFORM)" = "Cygwin" ]; then \
+	if [ "$(PLATFORM)" = "DJGPP" -o "$(PLATFORM)" = "Cygwin" -o "$(PLATFORM)" = "mingw" ]; then \
 		filecase=-i; \
 	fi; \
 	for i in doc/apps/*.pod; do \

NEWS

@@ -5,6 +5,23 @@
   This file gives a brief overview of the major changes between each OpenSSL
   release. For more details please read the CHANGES file.
 
+  Major changes between OpenSSL 0.9.7f and OpenSSL 0.9.7g:
+
+      o More compilation issues fixed.
+      o Adaptation to more modern Kerberos API.
+      o Enhanced or corrected configuration for Solaris64, Mingw and Cygwin.
+      o Enhanced x86_64 assembler BIGNUM module.
+      o More constification.
+      o Added processing of proxy certificates (RFC 3820).
+
+  Major changes between OpenSSL 0.9.7e and OpenSSL 0.9.7f:
+
+      o Several compilation issues fixed.
+      o Many memory allocation failure checks added.
+      o Improved comparison of X509 Name type.
+      o Mandatory basic checks on certificates.
+      o Performance improvements.
+
   Major changes between OpenSSL 0.9.7d and OpenSSL 0.9.7e:
 
       o Fix race condition in CRL checking code.

PROBLEMS

@@ -90,15 +90,6 @@ failures in other parts of the code.
 
 Workaround: modify the target to +O2 when building with no-asm.
 
-* Poor support for AIX shared builds.
-
-do_aix-shared rule is not flexible enough to parameterize through a
-config-line. './Configure aix43-cc shared' is working, but not
-'./Configure aix64-gcc shared'. In latter case make fails to create shared
-libraries. It's possible to build 64-bit shared libraries by running
-'env OBJECT_MODE=64 make', but we need more elegant solution. Preferably one
-supporting even gcc shared builds. See RT#463 for background information.
-
 * Problems building shared libraries on SCO OpenServer Release 5.0.6
   with gcc 2.95.3
 

README

@@ -1,7 +1,7 @@
 
- OpenSSL 0.9.7e 25 Oct 2004
+ OpenSSL 0.9.7g 11 April 2005
 
- Copyright (c) 1998-2004 The OpenSSL Project
+ Copyright (c) 1998-2005 The OpenSSL Project
  Copyright (c) 1995-1998 Eric A. Young, Tim J. Hudson
  All rights reserved.
 

STATUS

@@ -1,10 +1,13 @@
 
   OpenSSL STATUS                           Last modified at
-  ______________                           $Date: 2004/03/17 12:01:16 $
+  ______________                           $Date: 2005/04/11 15:10:06 $
 
   DEVELOPMENT STATE
 
     o  OpenSSL 0.9.8:  Under development...
+    o  OpenSSL 0.9.7g: Released on April     11th, 2005
+    o  OpenSSL 0.9.7f: Released on March     22nd, 2005
+    o  OpenSSL 0.9.7e: Released on October   25th, 2004
     o  OpenSSL 0.9.7d: Released on March     17th, 2004
     o  OpenSSL 0.9.7c: Released on September 30th, 2003
     o  OpenSSL 0.9.7b: Released on April     10th, 2003

TABLE

@@ -92,9 +92,9 @@ $cast_obj     = asm/cx86-out.o
 $rc4_obj      = asm/rx86-out.o
 $rmd160_obj   = asm/rm86-out.o
 $rc5_obj      = asm/r586-out.o
-$dso_scheme   = win32
+$dso_scheme   = dlfcn
 $shared_target= cygwin-shared
-$shared_cflag = 
+$shared_cflag = -D_WINDLL
 $shared_ldflag = 
 $shared_extension = .dll
 $ranlib       = 
@@ -127,7 +127,7 @@ $arflags      =
 
 *** DJGPP
 $cc           = gcc
-$cflags       = -I/dev/env/WATT_ROOT/inc -DTERMIOS -DL_ENDIAN -fomit-frame-pointer -O2 -Wall
+$cflags       = -I/dev/env/WATT_ROOT/inc -DTERMIOS -DL_ENDIAN -fomit-frame-pointer -O2 -Wall -DDEVRANDOM="/dev/urandom\x24"
 $unistd       = 
 $thread_cflag = 
 $sys_id       = MSDOS
@@ -1027,6 +1027,56 @@ $arflags      =
 
 *** aix-cc
 $cc           = cc
+$cflags       = -q32 -O -DB_ENDIAN -qmaxmem=16384
+$unistd       = 
+$thread_cflag = -qthreaded
+$sys_id       = AIX
+$lflags       = 
+$bn_ops       = BN_LLONG RC4_CHAR
+$bn_obj       = asm/aix_ppc32.o
+$des_obj      = 
+$bf_obj       = 
+$md5_obj      = 
+$sha1_obj     = 
+$cast_obj     = 
+$rc4_obj      = 
+$rmd160_obj   = 
+$rc5_obj      = 
+$dso_scheme   = dlfcn
+$shared_target= aix-shared
+$shared_cflag = 
+$shared_ldflag = -q32
+$shared_extension = .so.$(SHLIB_MAJOR).$(SHLIB_MINOR)
+$ranlib       = 
+$arflags      = -X 32
+
+*** aix-gcc
+$cc           = gcc
+$cflags       = -O3 -DB_ENDIAN
+$unistd       = 
+$thread_cflag = -D_THREAD_SAFE
+$sys_id       = AIX
+$lflags       = 
+$bn_ops       = BN_LLONG RC4_CHAR
+$bn_obj       = asm/aix_ppc32.o
+$des_obj      = 
+$bf_obj       = 
+$md5_obj      = 
+$sha1_obj     = 
+$cast_obj     = 
+$rc4_obj      = 
+$rmd160_obj   = 
+$rc5_obj      = 
+$dso_scheme   = dlfcn
+$shared_target= 
+$shared_cflag = 
+$shared_ldflag = 
+$shared_extension = 
+$ranlib       = 
+$arflags      = 
+
+*** aix3-cc
+$cc           = cc
 $cflags       = -O -DB_ENDIAN -qmaxmem=16384
 $unistd       = 
 $thread_cflag = (unknown)
@@ -1050,90 +1100,15 @@ $shared_extension =
 $ranlib       = 
 $arflags      = 
 
-*** aix-gcc
-$cc           = gcc
-$cflags       = -O3 -DB_ENDIAN
-$unistd       = 
-$thread_cflag = (unknown)
-$sys_id       = AIX
-$lflags       = 
-$bn_ops       = BN_LLONG RC4_CHAR
-$bn_obj       = 
-$des_obj      = 
-$bf_obj       = 
-$md5_obj      = 
-$sha1_obj     = 
-$cast_obj     = 
-$rc4_obj      = 
-$rmd160_obj   = 
-$rc5_obj      = 
-$dso_scheme   = 
-$shared_target= 
-$shared_cflag = 
-$shared_ldflag = 
-$shared_extension = 
-$ranlib       = 
-$arflags      = 
-
-*** aix43-cc
-$cc           = cc
-$cflags       = -O -DAIX -DB_ENDIAN -qmaxmem=16384
-$unistd       = 
-$thread_cflag = (unknown)
-$sys_id       = 
-$lflags       = 
-$bn_ops       = BN_LLONG RC4_CHAR
-$bn_obj       = 
-$des_obj      = 
-$bf_obj       = 
-$md5_obj      = 
-$sha1_obj     = 
-$cast_obj     = 
-$rc4_obj      = 
-$rmd160_obj   = 
-$rc5_obj      = 
-$dso_scheme   = dlfcn
-$shared_target= aix-shared
-$shared_cflag = 
-$shared_ldflag = 
-$shared_extension = .so.$(SHLIB_MAJOR).$(SHLIB_MINOR)
-$ranlib       = 
-$arflags      = 
-
-*** aix43-gcc
-$cc           = gcc
-$cflags       = -O1 -DAIX -DB_ENDIAN
-$unistd       = 
-$thread_cflag = (unknown)
-$sys_id       = 
-$lflags       = 
-$bn_ops       = BN_LLONG RC4_CHAR
-$bn_obj       = 
-$des_obj      = 
-$bf_obj       = 
-$md5_obj      = 
-$sha1_obj     = 
-$cast_obj     = 
-$rc4_obj      = 
-$rmd160_obj   = 
-$rc5_obj      = 
-$dso_scheme   = dlfcn
-$shared_target= 
-$shared_cflag = 
-$shared_ldflag = 
-$shared_extension = 
-$ranlib       = 
-$arflags      = 
-
 *** aix64-cc
 $cc           = cc
-$cflags       = -O -DAIX -DB_ENDIAN -qmaxmem=16384 -q64
+$cflags       = -q64 -O -DB_ENDIAN -qmaxmem=16384
 $unistd       = 
-$thread_cflag = (unknown)
-$sys_id       = 
+$thread_cflag = -qthreaded
+$sys_id       = AIX
 $lflags       = 
 $bn_ops       = SIXTY_FOUR_BIT_LONG RC4_CHAR
-$bn_obj       = 
+$bn_obj       = asm/aix_ppc64.o
 $des_obj      = 
 $bf_obj       = 
 $md5_obj      = 
@@ -1458,7 +1433,7 @@ $thread_cflag = -D_REENTRANT
 $sys_id       = MACOSX
 $lflags       = 
 $bn_ops       = BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR
-$bn_obj       = 
+$bn_obj       = asm/osx_ppc32.o
 $des_obj      = 
 $bf_obj       = 
 $md5_obj      = 
@@ -2357,21 +2332,21 @@ $unistd       =
 $thread_cflag = -D_REENTRANT
 $sys_id       = 
 $lflags       = -ldl
-$bn_ops       = SIXTY_FOUR_BIT MD2_CHAR RC4_INDEX RC4_CHAR DES_UNROLL DES_RISC1 DES_INT
+$bn_ops       = SIXTY_FOUR_BIT MD2_CHAR RC4_INDEX DES_UNROLL DES_RISC1 DES_INT
 $bn_obj       = asm/ia64-cpp.o
 $des_obj      = 
 $bf_obj       = 
 $md5_obj      = 
-$sha1_obj     = 
+$sha1_obj     = asm/sha1-ia64.o
 $cast_obj     = 
-$rc4_obj      = 
+$rc4_obj      = asm/rc4-ia64.o
 $rmd160_obj   = 
 $rc5_obj      = 
 $dso_scheme   = dlfcn
 $shared_target= hpux-shared
 $shared_cflag = +Z
 $shared_ldflag = 
-$shared_extension = .sl.$(SHLIB_MAJOR).$(SHLIB_MINOR)
+$shared_extension = .so.$(SHLIB_MAJOR).$(SHLIB_MINOR)
 $ranlib       = 
 $arflags      = 
 
@@ -2632,21 +2607,21 @@ $unistd       =
 $thread_cflag = -D_REENTRANT
 $sys_id       = 
 $lflags       = -ldl
-$bn_ops       = SIXTY_FOUR_BIT_LONG MD2_CHAR RC4_INDEX RC4_CHAR DES_UNROLL DES_RISC1 DES_INT
+$bn_ops       = SIXTY_FOUR_BIT_LONG MD2_CHAR RC4_INDEX DES_UNROLL DES_RISC1 DES_INT
 $bn_obj       = asm/ia64-cpp.o
 $des_obj      = 
 $bf_obj       = 
 $md5_obj      = 
-$sha1_obj     = 
+$sha1_obj     = asm/sha1-ia64.o
 $cast_obj     = 
-$rc4_obj      = 
+$rc4_obj      = asm/rc4-ia64.o
 $rmd160_obj   = 
 $rc5_obj      = 
 $dso_scheme   = dlfcn
 $shared_target= hpux64-shared
 $shared_cflag = +Z
 $shared_ldflag = 
-$shared_extension = .sl.$(SHLIB_MAJOR).$(SHLIB_MINOR)
+$shared_extension = .so.$(SHLIB_MAJOR).$(SHLIB_MINOR)
 $ranlib       = 
 $arflags      = 
 
@@ -3077,7 +3052,7 @@ $arflags      =
 
 *** linux-elf-arm
 $cc           = gcc
-$cflags       = -DL_ENDIAN -DTERMIO -O3 -fomit-frame-pointer -Wall
+$cflags       = -DTERMIO -O3 -fomit-frame-pointer -Wall
 $unistd       = 
 $thread_cflag = -D_REENTRANT
 $sys_id       = 
@@ -3100,6 +3075,31 @@ $shared_extension = .so.$(SHLIB_MAJOR).$(SHLIB_MINOR)
 $ranlib       = 
 $arflags      = 
 
+*** linux-em64t
+$cc           = gcc
+$cflags       = -m64 -DL_ENDIAN -DTERMIO -O3 -Wall -DMD32_REG_T=int
+$unistd       = 
+$thread_cflag = -D_REENTRANT
+$sys_id       = 
+$lflags       = -ldl
+$bn_ops       = SIXTY_FOUR_BIT_LONG RC4_CHUNK RC4_CHAR BF_PTR2 DES_INT DES_UNROLL
+$bn_obj       = asm/x86_64-gcc.o
+$des_obj      = 
+$bf_obj       = 
+$md5_obj      = 
+$sha1_obj     = 
+$cast_obj     = 
+$rc4_obj      = 
+$rmd160_obj   = 
+$rc5_obj      = 
+$dso_scheme   = dlfcn
+$shared_target= linux-shared
+$shared_cflag = -fPIC
+$shared_ldflag = -m64
+$shared_extension = .so.$(SHLIB_MAJOR).$(SHLIB_MINOR)
+$ranlib       = 
+$arflags      = 
+
 *** linux-ia64
 $cc           = gcc
 $cflags       = -DL_ENDIAN -DTERMIO -O3 -fomit-frame-pointer -Wall
@@ -3107,14 +3107,14 @@ $unistd       =
 $thread_cflag = -D_REENTRANT
 $sys_id       = 
 $lflags       = -ldl
-$bn_ops       = SIXTY_FOUR_BIT_LONG RC4_CHUNK RC4_CHAR
+$bn_ops       = SIXTY_FOUR_BIT_LONG RC4_CHUNK
 $bn_obj       = asm/ia64.o
 $des_obj      = 
 $bf_obj       = 
 $md5_obj      = 
-$sha1_obj     = 
+$sha1_obj     = asm/sha1-ia64.o
 $cast_obj     = 
-$rc4_obj      = 
+$rc4_obj      = asm/rc4-ia64.o
 $rmd160_obj   = 
 $rc5_obj      = 
 $dso_scheme   = dlfcn
@@ -3127,19 +3127,19 @@ $arflags      =
 
 *** linux-ia64-ecc
 $cc           = ecc
-$cflags       = -DL_ENDIAN -DTERMIO -O2 -Wall
+$cflags       = -DL_ENDIAN -DTERMIO -O2 -Wall -no_cpprt
 $unistd       = 
 $thread_cflag = -D_REENTRANT
 $sys_id       = 
 $lflags       = -ldl
-$bn_ops       = SIXTY_FOUR_BIT_LONG RC4_CHUNK RC4_CHAR
+$bn_ops       = SIXTY_FOUR_BIT_LONG RC4_CHUNK
 $bn_obj       = asm/ia64.o
 $des_obj      = 
 $bf_obj       = 
 $md5_obj      = 
-$sha1_obj     = 
+$sha1_obj     = asm/sha1-ia64.o
 $cast_obj     = 
-$rc4_obj      = 
+$rc4_obj      = asm/rc4-ia64.o
 $rmd160_obj   = 
 $rc5_obj      = 
 $dso_scheme   = dlfcn
@@ -3308,7 +3308,7 @@ $thread_cflag = -D_REENTRANT
 $sys_id       = 
 $lflags       = -ldl
 $bn_ops       = BN_LLONG RC4_CHAR RC4_CHUNK DES_RISC1 DES_UNROLL
-$bn_obj       = 
+$bn_obj       = asm/linux_ppc32.o
 $des_obj      = 
 $bf_obj       = 
 $md5_obj      = 
@@ -3325,6 +3325,31 @@ $shared_extension = .so.$(SHLIB_MAJOR).$(SHLIB_MINOR)
 $ranlib       = 
 $arflags      = 
 
+*** linux-ppc64
+$cc           = gcc
+$cflags       = -bpowerpc64-linux -DB_ENDIAN -DTERMIO -O3 -fomit-frame-pointer -Wall
+$unistd       = 
+$thread_cflag = -D_REENTRANT
+$sys_id       = 
+$lflags       = -ldl
+$bn_ops       = SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_RISC1 DES_UNROLL
+$bn_obj       = asm/linux_ppc64.o
+$des_obj      = 
+$bf_obj       = 
+$md5_obj      = 
+$sha1_obj     = 
+$cast_obj     = 
+$rc4_obj      = 
+$rmd160_obj   = 
+$rc5_obj      = 
+$dso_scheme   = dlfcn
+$shared_target= linux-shared
+$shared_cflag = -fPIC
+$shared_ldflag = -bpowerpc64-linux
+$shared_extension = .so.$(SHLIB_MAJOR).$(SHLIB_MINOR)
+$ranlib       = 
+$arflags      = 
+
 *** linux-ppro
 $cc           = gcc
 $cflags       = -DL_ENDIAN -DTERMIO -O3 -fomit-frame-pointer -mcpu=pentiumpro -Wall
@@ -3482,14 +3507,14 @@ $unistd       =
 $thread_cflag = -D_REENTRANT
 $sys_id       = 
 $lflags       = -ldl
-$bn_ops       = SIXTY_FOUR_BIT_LONG RC4_CHUNK RC4_CHAR BF_PTR2 DES_INT DES_UNROLL
+$bn_ops       = SIXTY_FOUR_BIT_LONG RC4_CHUNK BF_PTR2 DES_INT DES_UNROLL
 $bn_obj       = asm/x86_64-gcc.o
 $des_obj      = 
 $bf_obj       = 
 $md5_obj      = 
 $sha1_obj     = 
 $cast_obj     = 
-$rc4_obj      = 
+$rc4_obj      = asm/rc4-amd64.o
 $rmd160_obj   = 
 $rc5_obj      = 
 $dso_scheme   = dlfcn
@@ -3531,7 +3556,7 @@ $cflags       = -DL_ENDIAN -fomit-frame-pointer -O3 -march=i486 -mno-cygwin -Wal
 $unistd       = 
 $thread_cflag = 
 $sys_id       = MINGW32
-$lflags       = -mno-cygwin -lwsock32 -lgdi32
+$lflags       = -lwsock32 -lgdi32
 $bn_ops       = BN_LLONG DES_PTR DES_RISC1 DES_UNROLL RC4_INDEX MD2_INT
 $bn_obj       = asm/bn86-out.o asm/co86-out.o
 $des_obj      = asm/dx86-out.o asm/yx86-out.o
@@ -3543,9 +3568,9 @@ $rc4_obj      = asm/rx86-out.o
 $rmd160_obj   = asm/rm86-out.o
 $rc5_obj      = asm/r586-out.o
 $dso_scheme   = win32
-$shared_target= 
-$shared_cflag = 
-$shared_ldflag = 
+$shared_target= cygwin-shared
+$shared_cflag = -D_WINDLL
+$shared_ldflag = -mno-cygwin
 $shared_extension = .dll
 $ranlib       = 
 $arflags      = 
@@ -4150,6 +4175,56 @@ $shared_extension = .so.$(SHLIB_MAJOR).$(SHLIB_MINOR)
 $ranlib       = 
 $arflags      = 
 
+*** solaris64-x86_64-cc
+$cc           = cc
+$cflags       = -fast -xarch=amd64 -xstrconst -Xa -DL_ENDIAN
+$unistd       = 
+$thread_cflag = -D_REENTRANT
+$sys_id       = 
+$lflags       = -lsocket -lnsl -ldl
+$bn_ops       = SIXTY_FOUR_BIT_LONG RC4_CHUNK BF_PTR2 DES_INT DES_UNROLL
+$bn_obj       = 
+$des_obj      = 
+$bf_obj       = 
+$md5_obj      = 
+$sha1_obj     = 
+$cast_obj     = 
+$rc4_obj      = 
+$rmd160_obj   = 
+$rc5_obj      = 
+$dso_scheme   = dlfcn
+$shared_target= solaris-shared
+$shared_cflag = -KPIC
+$shared_ldflag = -xarch=amd64
+$shared_extension = .so.$(SHLIB_MAJOR).$(SHLIB_MINOR)
+$ranlib       = 
+$arflags      = 
+
+*** solaris64-x86_64-gcc
+$cc           = gcc
+$cflags       = -m64 -O3 -Wall -DL_ENDIAN -DMD32_REG_T=int
+$unistd       = 
+$thread_cflag = -D_REENTRANT
+$sys_id       = 
+$lflags       = -lsocket -lnsl -ldl
+$bn_ops       = SIXTY_FOUR_BIT_LONG RC4_CHUNK BF_PTR2 DES_INT DES_UNROLL
+$bn_obj       = asm/x86_64-gcc.o
+$des_obj      = 
+$bf_obj       = 
+$md5_obj      = 
+$sha1_obj     = 
+$cast_obj     = 
+$rc4_obj      = asm/rc4-amd64.o
+$rmd160_obj   = 
+$rc5_obj      = 
+$dso_scheme   = dlfcn
+$shared_target= solaris-shared
+$shared_cflag = -fPIC
+$shared_ldflag = -m64 -shared -static-libgcc
+$shared_extension = .so.$(SHLIB_MAJOR).$(SHLIB_MINOR)
+$ranlib       = 
+$arflags      = 
+
 *** sunos-gcc
 $cc           = gcc
 $cflags       = -O3 -mv8 -Dssize_t=int

apps/.cvsignore

@@ -4,3 +4,5 @@ der_chop
 der_chop.bak
 CA.pl
 openssl.sha1
+*.flc
+semantic.cache

apps/CA.pl.in

@@ -36,13 +36,21 @@
 # default openssl.cnf file has setup as per the following
 # demoCA ... where everything is stored
 
+my $openssl;
+if(defined $ENV{OPENSSL}) {
+	$openssl = $ENV{OPENSSL};
+} else {
+	$openssl = "openssl";
+	$ENV{OPENSSL} = $openssl;
+}
+
 $SSLEAY_CONFIG=$ENV{"SSLEAY_CONFIG"};
 $DAYS="-days 365";
-$REQ="openssl req $SSLEAY_CONFIG";
-$CA="openssl ca $SSLEAY_CONFIG";
-$VERIFY="openssl verify";
-$X509="openssl x509";
-$PKCS12="openssl pkcs12";
+$REQ="$openssl req $SSLEAY_CONFIG";
+$CA="$openssl ca $SSLEAY_CONFIG";
+$VERIFY="$openssl verify";
+$X509="$openssl x509";
+$PKCS12="$openssl pkcs12";
 
 $CATOP="./demoCA";
 $CAKEY="cakey.pem";

apps/CA.sh

@@ -30,11 +30,13 @@
 # default openssl.cnf file has setup as per the following
 # demoCA ... where everything is stored
 
+if [ -z "$OPENSSL" ]; then OPENSSL=openssl; fi
+
 DAYS="-days 365"
-REQ="openssl req $SSLEAY_CONFIG"
-CA="openssl ca $SSLEAY_CONFIG"
-VERIFY="openssl verify"
-X509="openssl x509"
+REQ="$OPENSSL req $SSLEAY_CONFIG"
+CA="$OPENSSL ca $SSLEAY_CONFIG"
+VERIFY="$OPENSSL verify"
+X509="$OPENSSL x509"
 
 CATOP=./demoCA
 CAKEY=./cakey.pem

apps/Makefile

@@ -36,7 +36,7 @@ LIBSSL=-L.. -lssl
 
 PROGRAM= openssl
 
-SCRIPTS=CA.sh CA.pl der_chop
+SCRIPTS=CA.sh CA.pl
 
 EXE= $(PROGRAM)$(EXE_EXT)
 
@@ -144,22 +144,19 @@ $(DLIBCRYPTO):
 $(EXE): progs.h $(E_OBJ) $(PROGRAM).o $(DLIBCRYPTO) $(DLIBSSL)
 	$(RM) $(EXE)
 	if [ "$(SHLIB_TARGET)" = "hpux-shared" -o "$(SHLIB_TARGET)" = "darwin-shared" ] ; then \
-	  $(CC) -o $(EXE) $(CFLAGS) $(PROGRAM).o $(E_OBJ) $(PEX_LIBS) $(DLIBSSL) $(LIBKRB5) $(DLIBCRYPTO) $(EX_LIBS) ; \
+	  set -x; $${CC:-$(CC)} -o $(EXE) $(CFLAGS) $(PROGRAM).o $(E_OBJ) $(PEX_LIBS) $(DLIBSSL) $(LIBKRB5) $(DLIBCRYPTO) $(EX_LIBS) ; \
+	elif [ -z "$(SHARED_LIBS)" ]; then \
+	  set -x; $${CC:-$(CC)} -o $(EXE) $(CFLAGS) $(PROGRAM).o $(E_OBJ) $(PEX_LIBS) $(LIBSSL) $(LIBKRB5) $(LIBCRYPTO) $(EX_LIBS) ; \
 	else \
-	  LD_LIBRARY_PATH=..:$$LD_LIBRARY_PATH \
+	  set -x; LD_LIBRARY_PATH=..:$$LD_LIBRARY_PATH \
 	  $(CC) -o $(EXE) $(CFLAGS) $(PROGRAM).o $(E_OBJ) $(PEX_LIBS) $(LIBSSL) $(LIBKRB5) $(LIBCRYPTO) $(EX_LIBS) ; \
 	fi
 	if egrep 'define OPENSSL_FIPS' $(TOP)/include/openssl/opensslconf.h > /dev/null; then \
 		TOP=$(TOP) $(TOP)/fips/openssl_fips_fingerprint $(TOP)/libcrypto.a $(EXE); \
 	fi
-	-(cd ..; OPENSSL="`pwd`/apps/$(EXE)"; export OPENSSL; \
-		LD_LIBRARY_PATH="`pwd`:$$LD_LIBRARY_PATH"; \
-		DYLD_LIBRARY_PATH="`pwd`:$$DYLD_LIBRARY_PATH"; \
-		SHLIB_PATH="`pwd`:$$SHLIB_PATH"; \
-		LIBPATH="`pwd`:$$LIBPATH"; \
-		if [ "$(PLATFORM)" = "Cygwin" ]; then PATH="`pwd`:$$PATH"; fi; \
-		export LD_LIBRARY_PATH DYLD_LIBRARY_PATH SHLIB_PATH LIBPATH PATH; \
-		$(PERL) tools/c_rehash certs)
+	-(cd ..; \
+	  OPENSSL="`pwd`/util/opensslwrap.sh"; export OPENSSL; \
+	  $(PERL) tools/c_rehash certs)
 
 progs.h: progs.pl
 	$(PERL) progs.pl $(E_EXE) >progs.h

apps/apps.c

@@ -330,22 +330,6 @@ void program_name(char *in, char *out, int size)
 #endif
 #endif
 
-#ifdef OPENSSL_SYS_VMS
-int VMS_strcasecmp(const char *str1, const char *str2)
-	{
-	while (*str1 && *str2)
-		{
-		int res = toupper(*str1) - toupper(*str2);
-		if (res) return res < 0 ? -1 : 1;
-		}
-	if (*str1)
-		return 1;
-	if (*str2)
-		return -1;
-	return 0;
-	}
-#endif
-
 int chopup_args(ARGS *arg, char *buf, int *argc, char **argv[])
 	{
 	int num,len,i;
@@ -542,7 +526,7 @@ int password_callback(char *buf, int bufsiz, int verify,
 		char *prompt = NULL;
 
 		prompt = UI_construct_prompt(ui, "pass phrase",
-			cb_data->prompt_info);
+			prompt_info);
 
 		ui_flags |= UI_INPUT_FLAG_DEFAULT_PWD;
 		UI_ctrl(ui, UI_CTRL_PRINT_ERRORS, 1, 0, 0);
@@ -691,6 +675,51 @@ int add_oid_section(BIO *err, CONF *conf)
 	return 1;
 }
 
+static int load_pkcs12(BIO *err, BIO *in, const char *desc,
+		pem_password_cb *pem_cb,  void *cb_data,
+		EVP_PKEY **pkey, X509 **cert, STACK_OF(X509) **ca)
+	{
+ 	const char *pass;
+	char tpass[PEM_BUFSIZE];
+	int len, ret = 0;
+	PKCS12 *p12;
+	p12 = d2i_PKCS12_bio(in, NULL);
+	if (p12 == NULL)
+		{
+		BIO_printf(err, "Error loading PKCS12 file for %s\n", desc);	
+		goto die;
+		}
+	/* See if an empty password will do */
+	if (PKCS12_verify_mac(p12, "", 0) || PKCS12_verify_mac(p12, NULL, 0))
+		pass = "";
+	else
+		{
+		if (!pem_cb)
+			pem_cb = (pem_password_cb *)password_callback;
+		len = pem_cb(tpass, PEM_BUFSIZE, 0, cb_data);
+		if (len < 0) 
+			{
+			BIO_printf(err, "Passpharse callback error for %s\n",
+					desc);
+			goto die;
+			}
+		if (len < PEM_BUFSIZE)
+			tpass[len] = 0;
+		if (!PKCS12_verify_mac(p12, tpass, len))
+			{
+			BIO_printf(err,
+	"Mac verify error (wrong password?) in PKCS12 file for %s\n", desc);	
+			goto die;
+			}
+		pass = tpass;
+		}
+	ret = PKCS12_parse(p12, pass, pkey, cert, ca);
+	die:
+	if (p12)
+		PKCS12_free(p12);
+	return ret;
+	}
+
 X509 *load_cert(BIO *err, const char *file, int format,
 	const char *pass, ENGINE *e, const char *cert_descrip)
 	{
@@ -771,11 +800,9 @@ X509 *load_cert(BIO *err, const char *file, int format,
 			(pem_password_cb *)password_callback, NULL);
 	else if (format == FORMAT_PKCS12)
 		{
-		PKCS12 *p12 = d2i_PKCS12_bio(cert, NULL);
-
-		PKCS12_parse(p12, NULL, NULL, &x, NULL);
-		PKCS12_free(p12);
-		p12 = NULL;
+		if (!load_pkcs12(err, cert,cert_descrip, NULL, NULL,
+					NULL, &x, NULL))
+			goto end;
 		}
 	else	{
 		BIO_printf(err,"bad input format specified for %s\n",
@@ -854,11 +881,10 @@ EVP_PKEY *load_key(BIO *err, const char *file, int format, int maybe_stdin,
 #endif
 	else if (format == FORMAT_PKCS12)
 		{
-		PKCS12 *p12 = d2i_PKCS12_bio(key, NULL);
-
-		PKCS12_parse(p12, pass, &pkey, NULL, NULL);
-		PKCS12_free(p12);
-		p12 = NULL;
+		if (!load_pkcs12(err, key, key_descrip,
+				(pem_password_cb *)password_callback, &cb_data,
+				&pkey, NULL, NULL))
+			goto end;
 		}
 	else
 		{

apps/ca.c

@@ -994,25 +994,27 @@ bad:
 			}
 		}
 
+	if ((md == NULL) && ((md=NCONF_get_string(conf,
+		section,ENV_DEFAULT_MD)) == NULL))
+		{
+		lookup_fail(section,ENV_DEFAULT_MD);
+		goto err;
+		}
+
+	if ((dgst=EVP_get_digestbyname(md)) == NULL)
+		{
+		BIO_printf(bio_err,"%s is an unsupported message digest type\n",md);
+		goto err;
+		}
+
 	if (req)
 		{
-		if ((md == NULL) && ((md=NCONF_get_string(conf,
-			section,ENV_DEFAULT_MD)) == NULL))
-			{
-			lookup_fail(section,ENV_DEFAULT_MD);
-			goto err;
-			}
 		if ((email_dn == 1) && ((tmp_email_dn=NCONF_get_string(conf,
 			section,ENV_DEFAULT_EMAIL_DN)) != NULL ))
 			{
 			if(strcmp(tmp_email_dn,"no") == 0)
 				email_dn=0;
 			}
-		if ((dgst=EVP_get_digestbyname(md)) == NULL)
-			{
-			BIO_printf(bio_err,"%s is an unsupported message digest type\n",md);
-			goto err;
-			}
 		if (verbose)
 			BIO_printf(bio_err,"message digest is %s\n",
 				OBJ_nid2ln(dgst->type));
@@ -1395,23 +1397,10 @@ bad:
 
 		/* we now have a CRL */
 		if (verbose) BIO_printf(bio_err,"signing CRL\n");
-		if (md != NULL)
-			{
-			if ((dgst=EVP_get_digestbyname(md)) == NULL)
-				{
-				BIO_printf(bio_err,"%s is an unsupported message digest type\n",md);
-				goto err;
-				}
-			}
-		else
-			{
 #ifndef OPENSSL_NO_DSA
-			if (pkey->type == EVP_PKEY_DSA) 
-				dgst=EVP_dss1();
-			else
+		if (pkey->type == EVP_PKEY_DSA) 
+			dgst=EVP_dss1();
 #endif
-				dgst=EVP_md5();
-			}
 
 		/* Add any extensions asked for */
 

apps/crl.c

@@ -355,7 +355,11 @@ bad:
 
 	if (text) X509_CRL_print(out, x);
 
-	if (noout) goto end;
+	if (noout) 
+		{
+		ret = 0;
+		goto end;
+		}
 
 	if 	(outformat == FORMAT_ASN1)
 		i=(int)i2d_X509_CRL_bio(out,x);

apps/der_chop.in

@@ -1,305 +0,0 @@
-#!/usr/local/bin/perl
-#
-# der_chop ... this is one total hack that Eric is really not proud of
-#              so don't look at it and don't ask for support
-#
-# The "documentation" for this (i.e. all the comments) are my fault --tjh
-#
-# This program takes the "raw" output of derparse/asn1parse and 
-# converts it into tokens and then runs regular expression matches
-# to try to figure out what to grab to get the things that are needed
-# and it is possible that this will do the wrong thing as it is a *hack*
-#
-# SSLeay 0.5.2+ should have direct read support for x509 (via -inform NET)
-# [I know ... promises promises :-)]
-#
-# To convert a Netscape Certificate:
-#    der_chop < ServerCert.der > cert.pem
-# To convert a Netscape Key (and encrypt it again to protect it)
-#    rsa -inform NET -in ServerKey.der -des > key.pem
-#
-# 23-Apr-96 eay    Added the extra ASN.1 string types, I still think this
-#		   is an evil hack.  If nothing else the parsing should
-#		   be relative, not absolute.
-# 19-Apr-96 tjh    hacked (with eay) into 0.5.x format
-#
-# Tim Hudson
-# tjh@cryptsoft.com
-#
-
-
-require 'getopts.pl';
-
-$debug=0;
-
-# this was the 0.4.x way of doing things ...
-$cmd="derparse";
-$x509_cmd="x509";
-$crl_cmd="crl";
-$rc4_cmd="rc4";
-$md2_cmd="md2";
-$md4_cmd="md4";
-$rsa_cmd="rsa -des -inform der ";
-
-# this was the 0.5.x way of doing things ...
-$cmd="openssl asn1parse";
-$x509_cmd="openssl x509";
-$crl_cmd="openssl crl";
-$rc4_cmd="openssl rc4";
-$md2_cmd="openssl md2";
-$md4_cmd="openssl md4";
-$rsa_cmd="openssl rsa -des -inform der ";
-
-&Getopts('vd:') || die "usage:$0 [-v] [-d num] file";
-$depth=($opt_d =~ /^\d+$/)?$opt_d:0;
-
-&init_der();
-
-if ($#ARGV != -1)
-	{
-	foreach $file (@ARGV)
-		{
-		print STDERR "doing $file\n";
-		&dofile($file);
-		}
-	}
-else
-	{
-	$file="/tmp/a$$.DER";
-	open(OUT,">$file") || die "unable to open $file:$!\n";
-	for (;;)
-		{
-		$i=sysread(STDIN,$b,1024*10);
-		last if ($i <= 0);
-		$i=syswrite(OUT,$b,$i);
-		}
-	&dofile($file);
-	unlink($file);
-	}
-	
-sub dofile
-	{
-	local($file)=@_;
-	local(@p);
-
-	$b=&load_file($file);
-	@p=&load_file_parse($file);
-
-	foreach $_ (@p)
-		{
-		($off,$d,$hl,$len)=&parse_line($_);
-		$d-=$depth;
-		next if ($d != 0);
-		next if ($len == 0);
-
-		$o=substr($b,$off,$len+$hl);
-		($str,@data)=&der_str($o);
-		print "$str\n" if ($opt_v);
-		if ($str =~ /^$crl/)
-			{
-			open(OUT,"|$crl_cmd -inform d -hash -issuer") ||
-				die "unable to run $crl_cmd:$!\n";
-			print OUT $o;
-			close(OUT);
-			}
-		elsif ($str =~ /^$x509/)
-			{
-			open(OUT,"|$x509_cmd -inform d -hash -subject -issuer")
-				|| die "unable to run $x509_cmd:$!\n";
-			print OUT $o;
-			close(OUT);
-			}
-		elsif ($str =~ /^$rsa/)
-			{
-			($type)=($data[3] =~ /OBJECT_IDENTIFIER :(.*)\s*$/);
-			next unless ($type eq "rsaEncryption");
-			($off,$d,$hl,$len)=&parse_line($data[5]);
-			$os=substr($o,$off+$hl,$len);
-			open(OUT,"|$rsa_cmd")
-				|| die "unable to run $rsa_cmd:$!\n";
-			print OUT $os;
-			close(OUT);
-			}
-		elsif ($str =~ /^0G-1D-1G/)
-			{
-			($off,$d,$hl,$len)=&parse_line($data[1]);
-			$os=substr($o,$off+$hl,$len);
-			print STDERR "<$os>\n" if $opt_v;
-			&do_certificate($o,@data)
-				if (($os eq "certificate") &&
-				    ($str =! /^0G-1D-1G-2G-3F-3E-2D/));
-			&do_private_key($o,@data)
-				if (($os eq "private-key") &&
-				    ($str =! /^0G-1D-1G-2G-3F-3E-2D/));
-			}
-		}
-	}
-
-sub der_str
-	{
-	local($str)=@_;
-	local(*OUT,*IN,@a,$t,$d,$ret);
-	local($file)="/tmp/b$$.DER";
-	local(@ret);
-
-	open(OUT,">$file");
-	print OUT $str;
-	close(OUT);
-	open(IN,"$cmd -inform 'd' -in $file |") ||
-		die "unable to run $cmd:$!\n";
-	$ret="";
-	while (<IN>)
-		{
-		chop;
-		push(@ret,$_);
-
-		print STDERR "$_\n" if ($debug);
-
-		@a=split(/\s*:\s*/);
-		($d)=($a[1] =~ /d=\s*(\d+)/);
-		$a[2] =~ s/\s+$//;
-		$t=$DER_s2i{$a[2]};
-		$ret.="$d$t-";
-		}
-	close(IN);
-	unlink($file);
-	chop $ret;
-	$ret =~ s/(-3H(-4G-5F-5[IJKMQRS])+)+/-NAME/g;
-	$ret =~ s/(-3G-4B-4L)+/-RCERT/g;
-	return($ret,@ret);
-	}
-
-sub init_der
-	{
-	$crl= "0G-1G-2G-3F-3E-2G-NAME-2L-2L-2G-RCERT-1G-2F-2E-1C";
-	$x509="0G-1G-2B-2G-3F-3E-2G-NAME-2G-3L-3L-2G-NAME-2G-3G-4F-4E-3C-1G-2F-2E-1C";
-	$rsa= "0G-1B-1G-2F-2E-1D";
-
-	%DER_i2s=(
-		# SSLeay 0.4.x has this list
-		"A","EOC",
-		"B","INTEGER",
-		"C","BIT STRING",
-		"D","OCTET STRING",
-		"E","NULL",
-		"F","OBJECT",
-		"G","SEQUENCE",
-		"H","SET",
-		"I","PRINTABLESTRING",
-		"J","T61STRING",
-		"K","IA5STRING",
-		"L","UTCTIME",
-		"M","NUMERICSTRING",
-		"N","VIDEOTEXSTRING",
-		"O","GENERALIZEDTIME",
-		"P","GRAPHICSTRING",
-		"Q","ISO64STRING",
-		"R","GENERALSTRING",
-		"S","UNIVERSALSTRING",
-
-		# SSLeay 0.5.x changed some things ... and I'm
-		# leaving in the old stuff but adding in these
-		# to handle the new as well --tjh
-		# - Well I've just taken them out and added the extra new
-		# ones :-) - eay
-		);
-
-	foreach (keys %DER_i2s)
-		{ $DER_s2i{$DER_i2s{$_}}=$_; }
-	}
-
-sub parse_line
-	{
-	local($_)=@_;
-
-	return(/\s*(\d+):d=\s*(\d+)\s+hl=\s*(\d+)\s+l=\s*(\d+|inf)\s/);
-	}
-
-#  0:d=0 hl=4 l=377 cons: univ: SEQUENCE          
-#  4:d=1 hl=2 l= 11 prim: univ: OCTET_STRING      
-# 17:d=1 hl=4 l=360 cons: univ: SEQUENCE          
-# 21:d=2 hl=2 l= 12 cons: univ: SEQUENCE          
-# 23:d=3 hl=2 l=  8 prim: univ: OBJECT_IDENTIFIER :rc4
-# 33:d=3 hl=2 l=  0 prim: univ: NULL              
-# 35:d=2 hl=4 l=342 prim: univ: OCTET_STRING
-sub do_private_key
-	{
-	local($data,@struct)=@_;
-	local($file)="/tmp/b$$.DER";
-	local($off,$d,$hl,$len,$_,$b,@p,$s);
-
-	($type)=($struct[4] =~ /OBJECT_IDENTIFIER :(.*)\s*$/);
-	if ($type eq "rc4")
-		{
-		($off,$d,$hl,$len)=&parse_line($struct[6]);
-		open(OUT,"|$rc4_cmd >$file") ||
-			die "unable to run $rc4_cmd:$!\n";
-		print OUT substr($data,$off+$hl,$len);
-		close(OUT);
-
-		$b=&load_file($file);
-		unlink($file);
-
-		($s,@p)=&der_str($b);
-		die "unknown rsa key type\n$s\n"
-			if ($s ne '0G-1B-1G-2F-2E-1D');
-		local($off,$d,$hl,$len)=&parse_line($p[5]);
-		$b=substr($b,$off+$hl,$len);
-		($s,@p)=&der_str($b);
-		open(OUT,"|$rsa_cmd") || die "unable to run $rsa_cmd:$!\n";
-		print OUT $b;
-		close(OUT);
-		}
-	else
-		{
-		print "'$type' is unknown\n";
-		exit(1);
-		}
-	}
-
-sub do_certificate
-	{
-	local($data,@struct)=@_;
-	local($file)="/tmp/b$$.DER";
-	local($off,$d,$hl,$len,$_,$b,@p,$s);
-
-	($off,$d,$hl,$len)=&parse_line($struct[2]);
-	$b=substr($data,$off,$len+$hl);
-
-	open(OUT,"|$x509_cmd -inform d") || die "unable to run $x509_cmd:$!\n";
-	print OUT $b;
-	close(OUT);
-	}
-
-sub load_file
-	{
-	local($file)=@_;
-	local(*IN,$r,$b,$i);
-
-	$r="";
-	open(IN,"<$file") || die "unable to open $file:$!\n";
-	for (;;)
-		{
-		$i=sysread(IN,$b,10240);
-		last if ($i <= 0);
-		$r.=$b;
-		}
-	close(IN);
-	return($r);
-	}
-
-sub load_file_parse
-	{
-	local($file)=@_;
-	local(*IN,$r,@ret,$_,$i,$n,$b);
-
-	open(IN,"$cmd -inform d -in $file|")
-		|| die "unable to run der_parse\n";
-	while (<IN>)
-		{
-		chop;
-		push(@ret,$_);
-		}
-	return($r,@ret);
-	}
-

apps/dgst.c

@@ -78,7 +78,7 @@ static HMAC_CTX hmac_ctx;
 
 int do_fp(BIO *out, unsigned char *buf, BIO *bp, int sep, int binout,
 	  EVP_PKEY *key, unsigned char *sigin, int siglen, const char *title,
-	  const char *file,BIO *bmd,const char *hmac_key);
+	  const char *file,BIO *bmd,const char *hmac_key, int non_fips_allow);
 
 int MAIN(int, char **);
 
@@ -103,10 +103,12 @@ int MAIN(int argc, char **argv)
 	EVP_PKEY *sigkey = NULL;
 	unsigned char *sigbuf = NULL;
 	int siglen = 0;
+	char *passargin = NULL, *passin = NULL;
 #ifndef OPENSSL_NO_ENGINE
 	char *engine=NULL;
 #endif
 	char *hmac_key=NULL;
+	int non_fips_allow = 0;
 
 	apps_startup();
 
@@ -149,6 +151,12 @@ int MAIN(int argc, char **argv)
 			if (--argc < 1) break;
 			keyfile=*(++argv);
 			}
+		else if (!strcmp(*argv,"-passin"))
+			{
+			if (--argc < 1)
+				break;
+			passargin=*++argv;
+			}
 		else if (strcmp(*argv,"-verify") == 0)
 			{
 			if (--argc < 1) break;
@@ -185,6 +193,8 @@ int MAIN(int argc, char **argv)
 			out_bin = 1;
 		else if (strcmp(*argv,"-d") == 0)
 			debug=1;
+		else if (strcmp(*argv,"-non-fips-allow") == 0)
+			non_fips_allow=1;
 		else if (!strcmp(*argv,"-hmac"))
 			{
 			if (--argc < 1)
@@ -257,6 +267,12 @@ int MAIN(int argc, char **argv)
 		BIO_set_callback_arg(in,bio_err);
 		}
 
+	if(!app_passwd(bio_err, passargin, NULL, &passin, NULL))
+		{
+		BIO_printf(bio_err, "Error getting password\n");
+		goto end;
+		}
+
 	if ((in == NULL) || (bmd == NULL))
 		{
 		ERR_print_errors(bio_err);
@@ -298,7 +314,7 @@ int MAIN(int argc, char **argv)
 			sigkey = load_pubkey(bio_err, keyfile, keyform, 0, NULL,
 				e, "key file");
 		else
-			sigkey = load_key(bio_err, keyfile, keyform, 0, NULL,
+			sigkey = load_key(bio_err, keyfile, keyform, 0, passin,
 				e, "key file");
 		if (!sigkey)
 			{
@@ -329,10 +345,18 @@ int MAIN(int argc, char **argv)
 		}
 	}
 
+	if (non_fips_allow)
+		{
+		EVP_MD_CTX *md_ctx;
+		BIO_get_md_ctx(bmd,&md_ctx);
+		EVP_MD_CTX_set_flags(md_ctx, EVP_MD_CTX_FLAG_NON_FIPS_ALLOW);
+		}
+
 	/* we use md as a filter, reading from 'in' */
 	if (!BIO_set_md(bmd,md))
 		{
-		BIO_printf(bio_err, "Error setting digest %s\n", pname);
+		BIO_printf(bio_err, "Error setting digest %s\n",
+							EVP_MD_name(md));
 		ERR_print_errors(bio_err);
 		goto end;
 		}
@@ -343,7 +367,7 @@ int MAIN(int argc, char **argv)
 		{
 		BIO_set_fp(in,stdin,BIO_NOCLOSE);
 		err=do_fp(out, buf,inp,separator, out_bin, sigkey, sigbuf,
-			  siglen,"","(stdin)",bmd,hmac_key);
+			  siglen,"","(stdin)",bmd,hmac_key, non_fips_allow);
 		}
 	else
 		{
@@ -369,7 +393,7 @@ int MAIN(int argc, char **argv)
 			else
 				tmp="";
 			r=do_fp(out,buf,inp,separator,out_bin,sigkey,sigbuf,
-				siglen,tmp,argv[i],bmd,hmac_key);
+				siglen,tmp,argv[i],bmd,hmac_key,non_fips_allow);
 			if(r)
 			    err=r;
 			if(tofree)
@@ -384,6 +408,8 @@ end:
 		OPENSSL_free(buf);
 		}
 	if (in != NULL) BIO_free(in);
+	if (passin)
+		OPENSSL_free(passin);
 	BIO_free_all(out);
 	EVP_PKEY_free(sigkey);
 	if(sigbuf) OPENSSL_free(sigbuf);
@@ -394,7 +420,7 @@ end:
 
 int do_fp(BIO *out, unsigned char *buf, BIO *bp, int sep, int binout,
 	  EVP_PKEY *key, unsigned char *sigin, int siglen, const char *title,
-	  const char *file,BIO *bmd,const char *hmac_key)
+	  const char *file,BIO *bmd,const char *hmac_key, int non_fips_allow)
 	{
 	unsigned int len;
 	int i;
@@ -405,7 +431,11 @@ int do_fp(BIO *out, unsigned char *buf, BIO *bp, int sep, int binout,
 		EVP_MD *md;
 
 		BIO_get_md(bmd,&md);
-		HMAC_Init(&hmac_ctx,hmac_key,strlen(hmac_key),md);
+		HMAC_CTX_init(&hmac_ctx);
+		if (non_fips_allow)
+			HMAC_CTX_set_flags(&hmac_ctx,
+					EVP_MD_CTX_FLAG_NON_FIPS_ALLOW);
+		HMAC_Init_ex(&hmac_ctx,hmac_key,strlen(hmac_key),md, NULL);
 		BIO_get_md_ctx(bmd,&md_ctx);
 		BIO_set_md_ctx(bmd,&hmac_ctx.md_ctx);
 		}

apps/enc.c

@@ -118,6 +118,7 @@ int MAIN(int argc, char **argv)
 	int enc=1,printkey=0,i,base64=0;
 	int debug=0,olb64=0,nosalt=0;
 	const EVP_CIPHER *cipher=NULL,*c;
+	EVP_CIPHER_CTX *ctx = NULL;
 	char *inf=NULL,*outf=NULL;
 	BIO *in=NULL,*out=NULL,*b64=NULL,*benc=NULL,*rbio=NULL,*wbio=NULL;
 #define PROG_NAME_SIZE  39
@@ -126,6 +127,7 @@ int MAIN(int argc, char **argv)
 	char *engine = NULL;
 #endif
 	const EVP_MD *dgst=NULL;
+	int non_fips_allow = 0;
 
 	apps_startup();
 
@@ -260,6 +262,8 @@ int MAIN(int argc, char **argv)
 			if (--argc < 1) goto bad;
 			md= *(++argv);
 			}
+		else if (strcmp(*argv,"-non-fips-allow") == 0)
+			non_fips_allow = 1;
 		else if	((argv[0][0] == '-') &&
 			((c=EVP_get_cipherbyname(&(argv[0][1]))) != NULL))
 			{
@@ -539,13 +543,43 @@ bad:
 
 		if ((benc=BIO_new(BIO_f_cipher())) == NULL)
 			goto end;
-		BIO_set_cipher(benc,cipher,key,iv,enc);
-		if (nopad)
+
+		/* Since we may be changing parameters work on the encryption
+		 * context rather than calling BIO_set_cipher().
+		 */
+
+		BIO_get_cipher_ctx(benc, &ctx);
+		if (!EVP_CipherInit_ex(ctx, cipher, NULL, NULL, NULL, enc))
 			{
-			EVP_CIPHER_CTX *ctx;
-			BIO_get_cipher_ctx(benc, &ctx);
-			EVP_CIPHER_CTX_set_padding(ctx, 0);
+			BIO_printf(bio_err, "Error setting cipher %s\n",
+					EVP_CIPHER_name(cipher));
+			ERR_print_errors(bio_err);
+			goto end;
 			}
+
+		if (non_fips_allow)
+			EVP_CIPHER_CTX_set_flags(ctx,
+				EVP_CIPH_FLAG_NON_FIPS_ALLOW);
+
+		if (!EVP_CipherInit_ex(ctx, NULL, NULL, key, iv, enc))
+			{
+			BIO_printf(bio_err, "Error setting cipher %s\n",
+					EVP_CIPHER_name(cipher));
+			ERR_print_errors(bio_err);
+			goto end;
+			}
+
+		if (nopad)
+			EVP_CIPHER_CTX_set_padding(ctx, 0);
+
+		if (!EVP_CipherInit_ex(ctx, NULL, NULL, key, iv, enc))
+			{
+			BIO_printf(bio_err, "Error setting cipher %s\n",
+					EVP_CIPHER_name(cipher));
+			ERR_print_errors(bio_err);
+			goto end;
+			}
+
 		if (debug)
 			{
 			BIO_set_callback(benc,BIO_debug_callback);

apps/openssl-vms.cnf

@@ -258,3 +258,56 @@ basicConstraints = CA:true
 
 # issuerAltName=issuer:copy
 authorityKeyIdentifier=keyid:always,issuer:always
+
+[ proxy_cert_ext ]
+# These extensions should be added when creating a proxy certificate
+
+# This goes against PKIX guidelines but some CAs do it and some software
+# requires this to avoid interpreting an end user certificate as a CA.
+
+basicConstraints=CA:FALSE
+
+# Here are some examples of the usage of nsCertType. If it is omitted
+# the certificate can be used for anything *except* object signing.
+
+# This is OK for an SSL server.
+# nsCertType			= server
+
+# For an object signing certificate this would be used.
+# nsCertType = objsign
+
+# For normal client use this is typical
+# nsCertType = client, email
+
+# and for everything including object signing:
+# nsCertType = client, email, objsign
+
+# This is typical in keyUsage for a client certificate.
+# keyUsage = nonRepudiation, digitalSignature, keyEncipherment
+
+# This will be displayed in Netscape's comment listbox.
+nsComment			= "OpenSSL Generated Certificate"
+
+# PKIX recommendations harmless if included in all certificates.
+subjectKeyIdentifier=hash
+authorityKeyIdentifier=keyid,issuer:always
+
+# This stuff is for subjectAltName and issuerAltname.
+# Import the email address.
+# subjectAltName=email:copy
+# An alternative to produce certificates that aren't
+# deprecated according to PKIX.
+# subjectAltName=email:move
+
+# Copy subject details
+# issuerAltName=issuer:copy
+
+#nsCaRevocationUrl		= http://www.domain.dom/ca-crl.pem
+#nsBaseUrl
+#nsRevocationUrl
+#nsRenewalUrl
+#nsCaPolicyUrl
+#nsSslServerName
+
+# This really needs to be in place for it to be a proxy certificate.
+proxyCertInfo=critical,language:id-ppl-anyLanguage,pathlen:3,policy:foo

apps/openssl.c

@@ -239,7 +239,7 @@ int main(int Argc, char *Argv[])
 	if(getenv("OPENSSL_FIPS")) {
 #if defined(_WIN32)
 		char filename[MAX_PATH] = "";
-		GetModuleFileName( NULL, filename, MAX_PATH) ;
+		GetModuleFileNameA( NULL, filename, MAX_PATH) ;
 		p = filename;
 #else
 		p = Argv[0];
@@ -247,7 +247,7 @@ int main(int Argc, char *Argv[])
 		if (!FIPS_mode_set(1,p)) {
 			ERR_load_crypto_strings();
 			ERR_print_errors(BIO_new_fp(stderr,BIO_NOCLOSE));
-			exit(1);
+			EXIT(1);
 		}
 		in_FIPS_mode = 1;
 		if (getenv("OPENSSL_FIPS_MD5"))

apps/openssl.cnf

@@ -258,3 +258,56 @@ basicConstraints = CA:true
 
 # issuerAltName=issuer:copy
 authorityKeyIdentifier=keyid:always,issuer:always
+
+[ proxy_cert_ext ]
+# These extensions should be added when creating a proxy certificate
+
+# This goes against PKIX guidelines but some CAs do it and some software
+# requires this to avoid interpreting an end user certificate as a CA.
+
+basicConstraints=CA:FALSE
+
+# Here are some examples of the usage of nsCertType. If it is omitted
+# the certificate can be used for anything *except* object signing.
+
+# This is OK for an SSL server.
+# nsCertType			= server
+
+# For an object signing certificate this would be used.
+# nsCertType = objsign
+
+# For normal client use this is typical
+# nsCertType = client, email
+
+# and for everything including object signing:
+# nsCertType = client, email, objsign
+
+# This is typical in keyUsage for a client certificate.
+# keyUsage = nonRepudiation, digitalSignature, keyEncipherment
+
+# This will be displayed in Netscape's comment listbox.
+nsComment			= "OpenSSL Generated Certificate"
+
+# PKIX recommendations harmless if included in all certificates.
+subjectKeyIdentifier=hash
+authorityKeyIdentifier=keyid,issuer:always
+
+# This stuff is for subjectAltName and issuerAltname.
+# Import the email address.
+# subjectAltName=email:copy
+# An alternative to produce certificates that aren't
+# deprecated according to PKIX.
+# subjectAltName=email:move
+
+# Copy subject details
+# issuerAltName=issuer:copy
+
+#nsCaRevocationUrl		= http://www.domain.dom/ca-crl.pem
+#nsBaseUrl
+#nsRevocationUrl
+#nsRenewalUrl
+#nsCaPolicyUrl
+#nsSslServerName
+
+# This really needs to be in place for it to be a proxy certificate.
+proxyCertInfo=critical,language:id-ppl-anyLanguage,pathlen:3,policy:foo

apps/pkcs12.c

@@ -109,7 +109,7 @@ int MAIN(int argc, char **argv)
     int maciter = PKCS12_DEFAULT_ITER;
     int twopass = 0;
     int keytype = 0;
-    int cert_pbe = NID_pbe_WithSHA1And40BitRC2_CBC;
+    int cert_pbe;
     int key_pbe = NID_pbe_WithSHA1And3_Key_TripleDES_CBC;
     int ret = 1;
     int macver = 1;
@@ -126,6 +126,13 @@ int MAIN(int argc, char **argv)
 
     apps_startup();
 
+#ifdef OPENSSL_FIPS
+    if (FIPS_mode())
+	cert_pbe = NID_pbe_WithSHA1And3_Key_TripleDES_CBC;
+    else
+#endif
+    cert_pbe = NID_pbe_WithSHA1And40BitRC2_CBC;
+
     enc = EVP_des_ede3_cbc();
     if (bio_err == NULL ) bio_err = BIO_new_fp (stderr, BIO_NOCLOSE);
 
@@ -666,7 +673,7 @@ int MAIN(int argc, char **argv)
     CRYPTO_push_info("verify MAC");
 #endif
 	/* If we enter empty password try no password first */
-	if(!macpass[0] && PKCS12_verify_mac(p12, NULL, 0)) {
+	if(!mpass[0] && PKCS12_verify_mac(p12, NULL, 0)) {
 		/* If mac and crypto pass the same set it to NULL too */
 		if(!twopass) cpass = NULL;
 	} else if (!PKCS12_verify_mac(p12, mpass, -1)) {
@@ -710,9 +717,10 @@ int MAIN(int argc, char **argv)
 int dump_certs_keys_p12 (BIO *out, PKCS12 *p12, char *pass,
 	     int passlen, int options, char *pempass)
 {
-	STACK_OF(PKCS7) *asafes;
+	STACK_OF(PKCS7) *asafes = NULL;
 	STACK_OF(PKCS12_SAFEBAG) *bags;
 	int i, bagnid;
+	int ret = 0;
 	PKCS7 *p7;
 
 	if (!( asafes = PKCS12_unpack_authsafes(p12))) return 0;
@@ -730,16 +738,22 @@ int dump_certs_keys_p12 (BIO *out, PKCS12 *p12, char *pass,
 			}
 			bags = PKCS12_unpack_p7encdata(p7, pass, passlen);
 		} else continue;
-		if (!bags) return 0;
+		if (!bags) goto err;
 	    	if (!dump_certs_pkeys_bags (out, bags, pass, passlen, 
 						 options, pempass)) {
 			sk_PKCS12_SAFEBAG_pop_free (bags, PKCS12_SAFEBAG_free);
-			return 0;
+			goto err;
 		}
 		sk_PKCS12_SAFEBAG_pop_free (bags, PKCS12_SAFEBAG_free);
+		bags = NULL;
 	}
-	sk_PKCS7_pop_free (asafes, PKCS7_free);
-	return 1;
+	ret = 1;
+
+	err:
+
+	if (asafes)
+		sk_PKCS7_pop_free (asafes, PKCS7_free);
+	return ret;
 }
 
 int dump_certs_pkeys_bags (BIO *out, STACK_OF(PKCS12_SAFEBAG) *bags,

apps/prime.c

@@ -61,7 +61,7 @@ int MAIN(int argc, char **argv)
     int hex=0;
     int checks=20;
     BIGNUM *bn=NULL;
-    BIO *bio_out=NULL;
+    BIO *bio_out;
 
     apps_startup();
 
@@ -69,18 +69,6 @@ int MAIN(int argc, char **argv)
 	if ((bio_err=BIO_new(BIO_s_file())) != NULL)
 	    BIO_set_fp(bio_err,stderr,BIO_NOCLOSE|BIO_FP_TEXT);
 
-    if (bio_out == NULL)
-	if ((bio_out=BIO_new(BIO_s_file())) != NULL)
-	    {
-	    BIO_set_fp(bio_out,stdout,BIO_NOCLOSE);
-#ifdef OPENSSL_SYS_VMS
-	    {
-	    BIO *tmpbio = BIO_new(BIO_f_linebuffer());
-	    bio_out = BIO_push(tmpbio, bio_out);
-	    }
-#endif
-	    }
-
     --argc;
     ++argv;
     while (argc >= 1 && **argv == '-')
@@ -95,16 +83,29 @@ int MAIN(int argc, char **argv)
 	else
 	    {
 	    BIO_printf(bio_err,"Unknown option '%s'\n",*argv);
-	bad:
-	    BIO_printf(bio_err,"options are\n");
-	    BIO_printf(bio_err,"%-14s hex\n","-hex");
-	    BIO_printf(bio_err,"%-14s number of checks\n","-checks <n>");
-	    exit(1);
+	    goto bad;
 	    }
 	--argc;
 	++argv;
 	}
 
+    if (argv[0] == NULL)
+	{
+	BIO_printf(bio_err,"No prime specified\n");
+	goto bad;
+	}
+
+   if ((bio_out=BIO_new(BIO_s_file())) != NULL)
+	{
+	BIO_set_fp(bio_out,stdout,BIO_NOCLOSE);
+#ifdef OPENSSL_SYS_VMS
+	    {
+	    BIO *tmpbio = BIO_new(BIO_f_linebuffer());
+	    bio_out = BIO_push(tmpbio, bio_out);
+	    }
+#endif
+	}
+
     if(hex)
 	BN_hex2bn(&bn,argv[0]);
     else
@@ -114,5 +115,14 @@ int MAIN(int argc, char **argv)
     BIO_printf(bio_out," is %sprime\n",
 	       BN_is_prime(bn,checks,NULL,NULL,NULL) ? "" : "not ");
 
+    BN_free(bn);
+    BIO_free_all(bio_out);
+
     return 0;
+
+    bad:
+    BIO_printf(bio_err,"options are\n");
+    BIO_printf(bio_err,"%-14s hex\n","-hex");
+    BIO_printf(bio_err,"%-14s number of checks\n","-checks <n>");
+    return 1;
     }

apps/req.c

@@ -175,7 +175,7 @@ int MAIN(int argc, char **argv)
 	char *passin = NULL, *passout = NULL;
 	char *p;
 	char *subj = NULL;
-	const EVP_MD *md_alg=NULL,*digest=EVP_md5();
+	const EVP_MD *md_alg=NULL,*digest;
 	unsigned long chtype = MBSTRING_ASC;
 #ifndef MONOLITH
 	char *to_free;
@@ -197,6 +197,13 @@ int MAIN(int argc, char **argv)
 	informat=FORMAT_PEM;
 	outformat=FORMAT_PEM;
 
+#ifdef  OPENSSL_FIPS
+	if (FIPS_mode())
+		digest = EVP_sha1();
+	else
+#endif
+		digest = EVP_md5();
+
 	prog=argv[0];
 	argc--;
 	argv++;
@@ -499,13 +506,16 @@ bad:
 	else
 		{
 		req_conf=config;
-		if( verbose )
-			BIO_printf(bio_err,"Using configuration from %s\n",
-			default_config_file);
+
 		if (req_conf == NULL)
 			{
-			BIO_printf(bio_err,"Unable to load config info\n");
+			BIO_printf(bio_err,"Unable to load config info from %s\n", default_config_file);
+			if (newreq)
+				goto end;
 			}
+		else if( verbose )
+			BIO_printf(bio_err,"Using configuration from %s\n",
+			default_config_file);
 		}
 
 	if (req_conf != NULL)

apps/s_client.c

@@ -197,6 +197,9 @@ static void sc_usage(void)
 	BIO_printf(bio_err," -pause        - sleep(1) after each read(2) and write(2) system call\n");
 	BIO_printf(bio_err," -showcerts    - show all certificates in the chain\n");
 	BIO_printf(bio_err," -debug        - extra output\n");
+#ifdef WATT32
+	BIO_printf(bio_err," -wdebug       - WATT-32 tcp debugging\n");
+#endif
 	BIO_printf(bio_err," -msg          - Show protocol messages\n");
 	BIO_printf(bio_err," -nbio_test    - more ssl protocol testing\n");
 	BIO_printf(bio_err," -state        - print the 'ssl' states\n");
@@ -348,6 +351,10 @@ int MAIN(int argc, char **argv)
 			c_Pause=1;
 		else if	(strcmp(*argv,"-debug") == 0)
 			c_debug=1;
+#ifdef WATT32
+		else if	(strcmp(*argv,"-wdebug") == 0)
+			dbug_init();
+#endif
 		else if	(strcmp(*argv,"-msg") == 0)
 			c_msg=1;
 		else if	(strcmp(*argv,"-showcerts") == 0)
@@ -588,6 +595,8 @@ re_start:
 	if (starttls_proto == 1)
 		{
 		BIO_read(sbio,mbuf,BUFSIZZ);
+		BIO_printf(sbio,"EHLO some.host.name\r\n");
+		BIO_read(sbio,mbuf,BUFSIZZ);
 		BIO_printf(sbio,"STARTTLS\r\n");
 		BIO_read(sbio,sbuf,BUFSIZZ);
 		}

apps/s_socket.c

@@ -153,7 +153,6 @@ static int ssl_sock_init(void)
 #ifdef WATT32
 	extern int _watt_do_exit;
 	_watt_do_exit = 0;
-	dbug_init();
 	if (sock_init())
 		return (0);
 #elif defined(OPENSSL_SYS_WINDOWS)

apps/verify.c

@@ -354,6 +354,7 @@ static int MS_CALLBACK cb(int ok, X509_STORE_CTX *ctx)
 		if (ctx->error == X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT) ok=1;
 		/* Continue after extension errors too */
 		if (ctx->error == X509_V_ERR_INVALID_CA) ok=1;
+		if (ctx->error == X509_V_ERR_INVALID_NON_CA) ok=1;
 		if (ctx->error == X509_V_ERR_PATH_LENGTH_EXCEEDED) ok=1;
 		if (ctx->error == X509_V_ERR_INVALID_PURPOSE) ok=1;
 		if (ctx->error == X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT) ok=1;

apps/x509.c

@@ -179,7 +179,7 @@ int MAIN(int argc, char **argv)
 	X509_REQ *rq=NULL;
 	int fingerprint=0;
 	char buf[256];
-	const EVP_MD *md_alg,*digest=EVP_md5();
+	const EVP_MD *md_alg,*digest;
 	CONF *extconf = NULL;
 	char *extsect = NULL, *extfile = NULL, *passin = NULL, *passargin = NULL;
 	int need_rand = 0;
@@ -216,6 +216,13 @@ int MAIN(int argc, char **argv)
 	if (ctx == NULL) goto end;
 	X509_STORE_set_verify_cb_func(ctx,callb);
 
+#ifdef  OPENSSL_FIPS
+	if (FIPS_mode())
+		digest = EVP_sha1();
+	else
+#endif
+		digest = EVP_md5();
+
 	argc--;
 	argv++;
 	num=0;
@@ -598,9 +605,12 @@ bad:
 			sno = ASN1_INTEGER_new();
 			if (!sno || !rand_serial(NULL, sno))
 				goto end;
+			if (!X509_set_serialNumber(x, sno)) 
+				goto end;
+			ASN1_INTEGER_free(sno);
+			sno = NULL;
 			}
-
-		if (!X509_set_serialNumber(x, sno)) 
+		else if (!X509_set_serialNumber(x, sno)) 
 			goto end;
 
 		if (!X509_set_issuer_name(x,req->req_info->subject)) goto end;
@@ -971,9 +981,9 @@ bad:
 
 	if (checkend)
 		{
-		time_t tnow=time(NULL);
+		time_t tcheck=time(NULL) + checkoffset;
 
-		if (ASN1_UTCTIME_cmp_time_t(X509_get_notAfter(x), tnow+checkoffset) == -1)
+		if (X509_cmp_time(X509_get_notAfter(x), &tcheck) < 0)
 			{
 			BIO_printf(out,"Certificate will expire\n");
 			ret=1;

certs/ICE-CA.pem

@@ -1,59 +0,0 @@
-Certificate:
-    Data:
-        Version: 3 (0x2)
-        Serial Number: 1 (0x1)
-        Signature Algorithm: md5WithRSAEncryption
-        Issuer: O=European ICE-TEL project, OU=V3-Certification Authority
-        Validity
-            Not Before: Apr  2 17:35:53 1997 GMT
-            Not After : Apr  2 17:35:53 1998 GMT
-        Subject: O=European ICE-TEL project, OU=V3-Certification Authority, L=Darmstadt
-        Subject Public Key Info:
-            Public Key Algorithm: rsa
-            RSA Public Key: (512 bit)
-                Modulus (512 bit):
-                    00:82:75:ba:f6:d1:60:b5:f9:15:b3:6a:dd:29:8f:
-                    8b:a4:6f:1a:88:e0:50:43:40:0b:79:41:d5:d3:16:
-                    44:7d:74:65:17:42:06:52:0b:e9:50:c8:10:cd:24:
-                    e2:ae:8d:22:30:73:e6:b4:b7:93:1f:e5:6e:a2:ae:
-                    49:11:a5:c9:45
-                Exponent: 65537 (0x10001)
-        X509v3 extensions:
-            X509v3 Authority Key Identifier: 
-                0.........z.."p......e..
-            X509v3 Subject Key Identifier: 
-                ..~r..:..B.44fu......3
-            X509v3 Key Usage: critical
-                ....
-            X509v3 Certificate Policies: critical
-                0.0...*...
-            X509v3 Subject Alternative Name: 
-                0!..secude-support@darmstadt.gmd.de
-            X509v3 Issuer Alternative Name: 
-                0I..ice-tel-ca@darmstadt.gmd.de.*http://www.darmstadt.gmd.de/ice-tel/euroca
-            X509v3 Basic Constraints: critical
-                0....
-            X509v3 CRL Distribution Points: 
-                0200...,.*http://www.darmstadt.gmd.de/ice-tel/euroca
-    Signature Algorithm: md5WithRSAEncryption
-        17:a2:88:b7:99:5a:05:41:e4:13:34:67:e6:1f:3e:26:ec:4b:
-        69:f9:3e:28:22:be:9d:1c:ab:41:6f:0c:00:85:fe:45:74:f6:
-        98:f0:ce:9b:65:53:4a:50:42:c7:d4:92:bd:d7:a2:a8:3d:98:
-        88:73:cd:60:28:79:a3:fc:48:7a
------BEGIN CERTIFICATE-----
-MIICzDCCAnagAwIBAgIBATANBgkqhkiG9w0BAQQFADBIMSEwHwYDVQQKExhFdXJv
-cGVhbiBJQ0UtVEVMIHByb2plY3QxIzAhBgNVBAsTGlYzLUNlcnRpZmljYXRpb24g
-QXV0aG9yaXR5MB4XDTk3MDQwMjE3MzU1M1oXDTk4MDQwMjE3MzU1M1owXDEhMB8G
-A1UEChMYRXVyb3BlYW4gSUNFLVRFTCBwcm9qZWN0MSMwIQYDVQQLExpWMy1DZXJ0
-aWZpY2F0aW9uIEF1dGhvcml0eTESMBAGA1UEBxMJRGFybXN0YWR0MFkwCgYEVQgB
-AQICAgADSwAwSAJBAIJ1uvbRYLX5FbNq3SmPi6RvGojgUENAC3lB1dMWRH10ZRdC
-BlIL6VDIEM0k4q6NIjBz5rS3kx/lbqKuSRGlyUUCAwEAAaOCATgwggE0MB8GA1Ud
-IwQYMBaAFIr3yNUOx3ro1yJw4AuJ1bbsZbzPMB0GA1UdDgQWBBR+cvL4OoacQog0
-NGZ1w9T80aIRMzAOBgNVHQ8BAf8EBAMCAfYwFAYDVR0gAQH/BAowCDAGBgQqAwQF
-MCoGA1UdEQQjMCGBH3NlY3VkZS1zdXBwb3J0QGRhcm1zdGFkdC5nbWQuZGUwUgYD
-VR0SBEswSYEbaWNlLXRlbC1jYUBkYXJtc3RhZHQuZ21kLmRlhipodHRwOi8vd3d3
-LmRhcm1zdGFkdC5nbWQuZGUvaWNlLXRlbC9ldXJvY2EwDwYDVR0TAQH/BAUwAwEB
-/zA7BgNVHR8ENDAyMDCgLqAshipodHRwOi8vd3d3LmRhcm1zdGFkdC5nbWQuZGUv
-aWNlLXRlbC9ldXJvY2EwDQYJKoZIhvcNAQEEBQADQQAXooi3mVoFQeQTNGfmHz4m
-7Etp+T4oIr6dHKtBbwwAhf5FdPaY8M6bZVNKUELH1JK916KoPZiIc81gKHmj/Eh6
------END CERTIFICATE-----

certs/ICE-root.pem

@@ -1,48 +0,0 @@
-Certificate:
-    Data:
-        Version: 3 (0x2)
-        Serial Number: 0 (0x0)
-        Signature Algorithm: md5WithRSAEncryption
-        Issuer: O=European ICE-TEL project, OU=V3-Certification Authority
-        Validity
-            Not Before: Apr  2 17:33:36 1997 GMT
-            Not After : Apr  2 17:33:36 1998 GMT
-        Subject: O=European ICE-TEL project, OU=V3-Certification Authority
-        Subject Public Key Info:
-            Public Key Algorithm: rsa
-            RSA Public Key: (512 bit)
-                Modulus (512 bit):
-                    00:80:3e:eb:ae:47:a9:fe:10:54:0b:81:8b:9c:2b:
-                    82:ab:3a:61:36:65:8b:f3:73:9f:ac:ac:7a:15:a7:
-                    13:8f:b4:c4:ba:a3:0f:bc:a5:58:8d:cc:b1:93:31:
-                    9e:81:9e:8c:19:61:86:fa:52:73:54:d1:97:76:22:
-                    e7:c7:9f:41:cd
-                Exponent: 65537 (0x10001)
-        X509v3 extensions:
-            X509v3 Subject Key Identifier: 
-                ........z.."p......e..
-            X509v3 Key Usage: critical
-                ....
-            X509v3 Subject Alternative Name: 
-                0I.*http://www.darmstadt.gmd.de/ice-tel/euroca..ice-tel-ca@darmstadt.gmd.de
-            X509v3 Basic Constraints: critical
-                0....
-    Signature Algorithm: md5WithRSAEncryption
-        76:69:61:db:b7:cf:8b:06:9e:d8:8c:96:53:d2:4d:a8:23:a6:
-        03:44:e8:8f:24:a5:c0:84:a8:4b:77:d4:2d:2b:7d:37:91:67:
-        f2:2c:ce:02:31:4c:6b:cc:ce:f2:68:a6:11:11:ab:7d:88:b8:
-        7e:22:9f:25:06:60:bd:79:30:3d
------BEGIN CERTIFICATE-----
-MIICFjCCAcCgAwIBAgIBADANBgkqhkiG9w0BAQQFADBIMSEwHwYDVQQKExhFdXJv
-cGVhbiBJQ0UtVEVMIHByb2plY3QxIzAhBgNVBAsTGlYzLUNlcnRpZmljYXRpb24g
-QXV0aG9yaXR5MB4XDTk3MDQwMjE3MzMzNloXDTk4MDQwMjE3MzMzNlowSDEhMB8G
-A1UEChMYRXVyb3BlYW4gSUNFLVRFTCBwcm9qZWN0MSMwIQYDVQQLExpWMy1DZXJ0
-aWZpY2F0aW9uIEF1dGhvcml0eTBZMAoGBFUIAQECAgIAA0sAMEgCQQCAPuuuR6n+
-EFQLgYucK4KrOmE2ZYvzc5+srHoVpxOPtMS6ow+8pViNzLGTMZ6BnowZYYb6UnNU
-0Zd2IufHn0HNAgMBAAGjgZcwgZQwHQYDVR0OBBYEFIr3yNUOx3ro1yJw4AuJ1bbs
-ZbzPMA4GA1UdDwEB/wQEAwIB9jBSBgNVHREESzBJhipodHRwOi8vd3d3LmRhcm1z
-dGFkdC5nbWQuZGUvaWNlLXRlbC9ldXJvY2GBG2ljZS10ZWwtY2FAZGFybXN0YWR0
-LmdtZC5kZTAPBgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3DQEBBAUAA0EAdmlh27fP
-iwae2IyWU9JNqCOmA0TojySlwISoS3fULSt9N5Fn8izOAjFMa8zO8mimERGrfYi4
-fiKfJQZgvXkwPQ==
------END CERTIFICATE-----

certs/ICE-user.pem

@@ -1,63 +0,0 @@
-Certificate:
-    Data:
-        Version: 3 (0x2)
-        Serial Number: 1 (0x1)
-        Signature Algorithm: md5WithRSAEncryption
-        Issuer: O=European ICE-TEL project, OU=V3-Certification Authority, L=Darmstadt
-        Validity
-            Not Before: Apr  2 17:35:59 1997 GMT
-            Not After : Apr  2 17:35:59 1998 GMT
-        Subject: O=European ICE-TEL project, OU=V3-Certification Authority, L=Darmstadt, CN=USER
-        Subject Public Key Info:
-            Public Key Algorithm: rsa
-            RSA Public Key: (512 bit)
-                Modulus (512 bit):
-                    00:a8:a8:53:63:49:1b:93:c3:c3:0b:6c:88:11:55:
-                    de:7e:6a:e2:f9:52:a0:dc:69:25:c4:c8:bf:55:e1:
-                    31:a8:ce:e4:a9:29:85:99:8a:15:9a:de:f6:2f:e1:
-                    b4:50:5f:5e:04:75:a6:f4:76:dc:3c:0e:39:dc:3a:
-                    be:3e:a4:61:8b
-                Exponent: 65537 (0x10001)
-        X509v3 extensions:
-            X509v3 Authority Key Identifier: 
-                0...~r..:..B.44fu......3
-            X509v3 Subject Key Identifier: 
-                ...... .*...1.*.......
-            X509v3 Key Usage: critical
-                ....
-            X509v3 Certificate Policies: critical
-                0.0...*...0.......
-            X509v3 Subject Alternative Name: 
-                0:..user@darmstadt.gmd.de.!http://www.darmstadt.gmd.de/~user
-            X509v3 Issuer Alternative Name: 
-                0....gmdca@gmd.de..http://www.gmd.de..saturn.darmstadt.gmd.de.\1!0...U.
-..European ICE-TEL project1#0!..U....V3-Certification Authority1.0...U....Darmstadt..141.12.62.26
-            X509v3 Basic Constraints: critical
-                0.
-            X509v3 CRL Distribution Points: 
-                0.0.......gmdca@gmd.de
-    Signature Algorithm: md5WithRSAEncryption
-        69:0c:e1:b7:a7:f2:d8:fb:e8:69:c0:13:cd:37:ad:21:06:22:
-        4d:e8:c6:db:f1:04:0b:b7:e0:b3:d6:0c:81:03:ce:c3:6a:3e:
-        c7:e7:24:24:a4:92:64:c2:83:83:06:42:53:0e:6f:09:1e:84:
-        9a:f7:6f:63:9b:94:99:83:d6:a4
------BEGIN CERTIFICATE-----
-MIIDTzCCAvmgAwIBAgIBATANBgkqhkiG9w0BAQQFADBcMSEwHwYDVQQKExhFdXJv
-cGVhbiBJQ0UtVEVMIHByb2plY3QxIzAhBgNVBAsTGlYzLUNlcnRpZmljYXRpb24g
-QXV0aG9yaXR5MRIwEAYDVQQHEwlEYXJtc3RhZHQwHhcNOTcwNDAyMTczNTU5WhcN
-OTgwNDAyMTczNTU5WjBrMSEwHwYDVQQKExhFdXJvcGVhbiBJQ0UtVEVMIHByb2pl
-Y3QxIzAhBgNVBAsTGlYzLUNlcnRpZmljYXRpb24gQXV0aG9yaXR5MRIwEAYDVQQH
-EwlEYXJtc3RhZHQxDTALBgNVBAMTBFVTRVIwWTAKBgRVCAEBAgICAANLADBIAkEA
-qKhTY0kbk8PDC2yIEVXefmri+VKg3GklxMi/VeExqM7kqSmFmYoVmt72L+G0UF9e
-BHWm9HbcPA453Dq+PqRhiwIDAQABo4IBmDCCAZQwHwYDVR0jBBgwFoAUfnLy+DqG
-nEKINDRmdcPU/NGiETMwHQYDVR0OBBYEFJfc4B8gjSoRmLUx4Sq/ucIYiMrPMA4G
-A1UdDwEB/wQEAwIB8DAcBgNVHSABAf8EEjAQMAYGBCoDBAUwBgYECQgHBjBDBgNV
-HREEPDA6gRV1c2VyQGRhcm1zdGFkdC5nbWQuZGWGIWh0dHA6Ly93d3cuZGFybXN0
-YWR0LmdtZC5kZS9+dXNlcjCBsQYDVR0SBIGpMIGmgQxnbWRjYUBnbWQuZGWGEWh0
-dHA6Ly93d3cuZ21kLmRlghdzYXR1cm4uZGFybXN0YWR0LmdtZC5kZaRcMSEwHwYD
-VQQKExhFdXJvcGVhbiBJQ0UtVEVMIHByb2plY3QxIzAhBgNVBAsTGlYzLUNlcnRp
-ZmljYXRpb24gQXV0aG9yaXR5MRIwEAYDVQQHEwlEYXJtc3RhZHSHDDE0MS4xMi42
-Mi4yNjAMBgNVHRMBAf8EAjAAMB0GA1UdHwQWMBQwEqAQoA6BDGdtZGNhQGdtZC5k
-ZTANBgkqhkiG9w0BAQQFAANBAGkM4ben8tj76GnAE803rSEGIk3oxtvxBAu34LPW
-DIEDzsNqPsfnJCSkkmTCg4MGQlMObwkehJr3b2OblJmD1qQ=
------END CERTIFICATE-----

certs/ICE.crl

@@ -1,9 +0,0 @@
------BEGIN X509 CRL-----
-MIIBNDCBnjANBgkqhkiG9w0BAQIFADBFMSEwHwYDVQQKExhFdXJvcGVhbiBJQ0Ut
-VEVMIFByb2plY3QxIDAeBgNVBAsTF0NlcnRpZmljYXRpb24gQXV0aG9yaXR5Fw05
-NzA2MDkxNDQyNDNaFw05NzA3MDkxNDQyNDNaMCgwEgIBChcNOTcwMzAzMTQ0MjU0
-WjASAgEJFw05NjEwMDIxMjI5MjdaMA0GCSqGSIb3DQEBAgUAA4GBAH4vgWo2Tej/
-i7kbiw4Imd30If91iosjClNpBFwvwUDBclPEeMuYimHbLOk4H8Nofc0fw11+U/IO
-KSNouUDcqG7B64oY7c4SXKn+i1MWOb5OJiWeodX3TehHjBlyWzoNMWCnYA8XqFP1
-mOKp8Jla1BibEZf14+/HqCi2hnZUiEXh
------END X509 CRL-----

certs/wellsfgo.pem

@@ -0,0 +1,23 @@
+-----BEGIN CERTIFICATE-----
+MIID5TCCAs2gAwIBAgIEOeSXnjANBgkqhkiG9w0BAQUFADCBgjELMAkGA1UEBhMC
+VVMxFDASBgNVBAoTC1dlbGxzIEZhcmdvMSwwKgYDVQQLEyNXZWxscyBGYXJnbyBD
+ZXJ0aWZpY2F0aW9uIEF1dGhvcml0eTEvMC0GA1UEAxMmV2VsbHMgRmFyZ28gUm9v
+dCBDZXJ0aWZpY2F0ZSBBdXRob3JpdHkwHhcNMDAxMDExMTY0MTI4WhcNMjEwMTE0
+MTY0MTI4WjCBgjELMAkGA1UEBhMCVVMxFDASBgNVBAoTC1dlbGxzIEZhcmdvMSww
+KgYDVQQLEyNXZWxscyBGYXJnbyBDZXJ0aWZpY2F0aW9uIEF1dGhvcml0eTEvMC0G
+A1UEAxMmV2VsbHMgRmFyZ28gUm9vdCBDZXJ0aWZpY2F0ZSBBdXRob3JpdHkwggEi
+MA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDVqDM7Jvk0/82bfuUER84A4n13
+5zHCLielTWi5MbqNQ1mXx3Oqfz1cQJ4F5aHiidlMuD+b+Qy0yGIZLEWukR5zcUHE
+SxP9cMIlrCL1dQu3U+SlK93OvRw6esP3E48mVJwWa2uv+9iWsWCaSOAlIiR5NM4O
+JgALTqv9i86C1y8IcGjBqAr5dE8Hq6T54oN+J3N0Prj5OEL8pahbSCOz6+MlsoCu
+ltQKnMJ4msZoGK43YjdeUXWoWGPAUe5AeH6orxqg4bB4nVCMe+ez/I4jsNtlAHCE
+AQgAFG5Uhpq6zPk3EPbg3oQtnaSFN9OH4xXQwReQfhkhahKpdv0SAulPIV4XAgMB
+AAGjYTBfMA8GA1UdEwEB/wQFMAMBAf8wTAYDVR0gBEUwQzBBBgtghkgBhvt7hwcB
+CzAyMDAGCCsGAQUFBwIBFiRodHRwOi8vd3d3LndlbGxzZmFyZ28uY29tL2NlcnRw
+b2xpY3kwDQYJKoZIhvcNAQEFBQADggEBANIn3ZwKdyu7IvICtUpKkfnRLb7kuxpo
+7w6kAOnu5+/u9vnldKTC2FJYxHT7zmu1Oyl5GFrvm+0fazbuSCUlFLZWohDo7qd/
+0D+j0MNdJu4HzMPBJCGHHt8qElNvQRbn7a6U+oxy+hNH8Dx+rn0ROhPs7fpvcmR7
+nX1/Jv16+yWt6j4pf0zjAFcysLPp7VMX2YuyFA4w6OXVE8Zkr8QA1dhYJPz1j+zx
+x32l2w8n0cbyQIjmH/ZhqPRCyLk306m+LFZ4wnKbWV01QIroTmMatukgalHizqSQ
+33ZwmVxwQ023tqcZZE6St8WRPH9IFmV7Fv3L/PvZ1dZPIWU7Sn9Ho/s=
+-----END CERTIFICATE-----

config

@@ -111,16 +111,16 @@ case "${SYSTEM}:${RELEASE}:${VERSION}:${MACHINE}" in
 	echo "m68k-apple-aux3"; exit 0
 	;;
 
-    AIX:[3456789]:4:*)
-	echo "${MACHINE}-ibm-aix43"; exit 0
+    AIX:[3-9]:4:*)
+	echo "${MACHINE}-ibm-aix"; exit 0
 	;;
 
-    AIX:*:[56789]:*)
-	echo "${MACHINE}-ibm-aix43"; exit 0
+    AIX:*:[5-9]:*)
+	echo "${MACHINE}-ibm-aix"; exit 0
 	;;
 
     AIX:*)
-	echo "${MACHINE}-ibm-aix"; exit 0
+	echo "${MACHINE}-ibm-aix3"; exit 0
 	;;
 
     dgux:*)
@@ -337,6 +337,9 @@ case "${SYSTEM}:${RELEASE}:${VERSION}:${MACHINE}" in
 	echo "mips-sony-newsos4"; exit 0;
 	;;
 
+    MINGW*)
+	echo "${MACHINE}-whatever-mingw"; echo 0;
+	;;
     CYGWIN*)
 	case "$RELEASE" in
 	    [bB]*|1.0|1.[12].*)
@@ -442,7 +445,7 @@ if [ "$SYSTEM" = "SunOS" ]; then
   	egrep -e '^cc: .* C [0-9]\.[0-9]' | \
 	sed 's/.* C \([0-9]\)\.\([0-9]\).*/\1\2/'`
   CCVER=${CCVER:-0}
-  if [ $CCVER -gt 40 ]; then
+  if [ $MACHINE != i86pc -a $CCVER -gt 40 ]; then
     CC=cc	# overrides gcc!!!
     if [ $CCVER -eq 50 ]; then
       echo "WARNING! Detected WorkShop C 5.0. Do make sure you have"
@@ -491,29 +494,29 @@ case "$GUESSOS" in
 	OUT="irix-$CC"
 	;;
   mips3-sgi-irix)
-	CPU=`(hinv -t cpu) 2>/dev/null | head -1 | sed 's/^CPU:[^R]*R\([0-9]*\).*/\1/'`
-	CPU=${CPU:-0}
-	if [ $CPU -ge 5000 ]; then
-		options="$options -mips4"
-	else
-		options="$options -mips3"
-	fi
+	#CPU=`(hinv -t cpu) 2>/dev/null | head -1 | sed 's/^CPU:[^R]*R\([0-9]*\).*/\1/'`
+	#CPU=${CPU:-0}
+	#if [ $CPU -ge 5000 ]; then
+	#	options="$options -mips4"
+	#else
+	#	options="$options -mips3"
+	#fi
 	OUT="irix-mips3-$CC"
 	;;
   mips4-sgi-irix64)
 	echo "WARNING! If you wish to build 64-bit library, then you have to"
 	echo "         invoke './Configure irix64-mips4-$CC' *manually*."
-	if [ "$TEST" = "false" ]; then
+	if [ "$TEST" = "false" -a -t 1 ]; then
 	  echo "         You have about 5 seconds to press Ctrl-C to abort."
-	  (stty -icanon min 0 time 50; read waste) < /dev/tty
+	  (trap "stty `stty -g`" 2 0; stty -icanon min 0 time 50; read waste) <&1
 	fi
-        CPU=`(hinv -t cpu) 2>/dev/null | head -1 | sed 's/^CPU:[^R]*R\([0-9]*\).*/\1/'`
-        CPU=${CPU:-0}
-        if [ $CPU -ge 5000 ]; then
-                options="$options -mips4"
-        else
-                options="$options -mips3"
-        fi
+        #CPU=`(hinv -t cpu) 2>/dev/null | head -1 | sed 's/^CPU:[^R]*R\([0-9]*\).*/\1/'`
+        #CPU=${CPU:-0}
+        #if [ $CPU -ge 5000 ]; then
+        #        options="$options -mips4"
+        #else
+        #        options="$options -mips3"
+        #fi
 	OUT="irix-mips3-$CC"
 	;;
   alpha-*-linux2)
@@ -547,9 +550,14 @@ EOF
 	rm dummy dummy.c
 	;;
   ppc64-*-linux2)
-	#Use the standard target for PPC architecture until we create a
-	#special one for the 64bit architecture.
-	OUT="linux-ppc" ;;
+	echo "WARNING! If you wish to build 64-bit library, then you have to"
+	echo "         invoke './Configure linux-ppc64' *manually*."
+	if [ "$TEST" = "false" -a -t 1 ]; then
+	    echo "         You have about 5 seconds to press Ctrl-C to abort."
+	    (trap "stty `stty -g`" 2 0; stty -icanon min 0 time 50; read waste) <&1
+	fi
+	OUT="linux-ppc"
+	;;
   ppc-*-linux2) OUT="linux-ppc" ;;
   m68k-*-linux*) OUT="linux-m68k" ;;
   ia64-*-linux?) OUT="linux-ia64" ;;
@@ -560,9 +568,9 @@ EOF
 	echo "WARNING! If you *know* that your GNU C supports 64-bit/V9 ABI"
 	echo "         and wish to build 64-bit library, then you have to"
 	echo "         invoke './Configure linux64-sparcv9' *manually*."
-	if [ "$TEST" = "false" ]; then
+	if [ "$TEST" = "false" -a -t 1 ]; then
 	  echo "          You have about 5 seconds to press Ctrl-C to abort."
-	  (stty -icanon min 0 time 50; read waste) < /dev/tty
+	  (trap "stty `stty -g`" 2 0; stty -icanon min 0 time 50; read waste) <&1
 	fi
 	OUT="linux-sparcv9" ;;
   sparc-*-linux2)
@@ -593,7 +601,9 @@ EOF
 
 	options="$options -mschedule=$CPUSCHEDULE -march=$CPUARCH"
 	OUT="linux-parisc" ;;
-  arm*-*-linux2) OUT="linux-elf-arm" ;;
+  arm*b-*-linux2) OUT="linux-elf-arm"; options="$options -DB_ENDIAN" ;;
+  arm*l-*-linux2) OUT="linux-elf-arm"; options="$options -DL_ENDIAN" ;;
+  arm*-*-linux2)  OUT="linux-elf-arm" ;;
   s390-*-linux2) OUT="linux-s390" ;;
   s390x-*-linux?) OUT="linux-s390x" ;;
   x86_64-*-linux?) OUT="linux-x86_64" ;;
@@ -617,9 +627,9 @@ EOF
 	    if [ "$CC" = "cc" -a $CCVER -ge 50 ]; then
 		echo "WARNING! If you wish to build 64-bit library, then you have to"
 		echo "         invoke './Configure solaris64-sparcv9-cc' *manually*."
-		if [ "$TEST" = "false" ]; then
+		if [ "$TEST" = "false" -a -t 1 ]; then
 		  echo "         You have about 5 seconds to press Ctrl-C to abort."
-		  (stty -icanon min 0 time 50; read waste) < /dev/tty
+		  (trap "stty `stty -g`" 2 0; stty -icanon min 0 time 50; read waste) <&1
 		fi
 	    elif [ "$CC" = "gcc" -a "$GCC_ARCH" = "-m64" ]; then
 		# $GCC_ARCH denotes default ABI chosen by compiler driver
@@ -629,17 +639,17 @@ EOF
 		OUT="solaris64-sparcv9-gcc"
 		echo "WARNING! If you wish to build 32-bit library, then you have to"
 		echo "         invoke './Configure solaris-sparcv9-gcc' *manually*."
-		if [ "$TEST" = "false" ]; then
+		if [ "$TEST" = "false" -a -t 1 ]; then
 		  echo "         You have about 5 seconds to press Ctrl-C to abort."
-		  (stty -icanon min 0 time 50; read waste) < /dev/tty
+		  (trap "stty `stty -g`" 2 0; stty -icanon min 0 time 50; read waste) <&1
 		fi
 	    elif [ "$GCC_ARCH" = "-m32" ]; then
 		echo "NOTICE! If you *know* that your GNU C supports 64-bit/V9 ABI"
 		echo "        and wish to build 64-bit library, then you have to"
 		echo "        invoke './Configure solaris64-sparcv9-gcc' *manually*."
-		if [ "$TEST" = "false" ]; then
+		if [ "$TEST" = "false" -a -t 1 ]; then
 		  echo "         You have about 5 seconds to press Ctrl-C to abort."
-		  (stty -icanon min 0 time 50; read waste) < /dev/tty
+		  (trap "stty `stty -g`" 2 0; stty -icanon min 0 time 50; read waste) <&1
 		fi
 	    fi
 	fi
@@ -647,7 +657,14 @@ EOF
   sun4m-*-solaris2)	OUT="solaris-sparcv8-$CC" ;;
   sun4d-*-solaris2)	OUT="solaris-sparcv8-$CC" ;;
   sun4*-*-solaris2)	OUT="solaris-sparcv7-$CC" ;;
-  *86*-*-solaris2) OUT="solaris-x86-$CC" ;;
+  *86*-*-solaris2)
+	ISA64=`(isalist) 2>/dev/null | grep amd64`
+	if [ "$ISA64" != "" ]; then
+	    OUT="solaris64-x86_64-$CC"
+	else
+	    OUT="solaris-x86-$CC"
+	fi
+	;;
   *-*-sunos4) OUT="sunos-$CC" ;;
   alpha*-*-freebsd*) OUT="FreeBSD-alpha" ;;
   sparc64-*-freebsd*) OUT="FreeBSD-sparc64" ;;
@@ -715,9 +732,9 @@ EOF
 	     echo "WARNING! 64-bit ABI is the default configured ABI on HP-UXi."
 	     echo "         If you wish to build 32-bit library, the you have to"
 	     echo "         invoke './Configure hpux-ia64-cc' *manually*."
-	     if [ "$TEST" = "false" ]; then
+	     if [ "$TEST" = "false" -a -t 1 ]; then
 		echo "         You have about 5 seconds to press Ctrl-C to abort."
-		(stty -icanon min 0 time 50; read waste) < /dev/tty
+		(trap "stty `stty -g`" 2 0; stty -icanon min 0 time 50; read waste) <&1
 	     fi
 	     OUT="hpux64-ia64-cc"
 	elif [ $CPU_VERSION -ge 532 ]; then	# PA-RISC 2.x CPU
@@ -727,9 +744,9 @@ EOF
 	     if [ $KERNEL_BITS -eq 64 -a "$CC" = "cc" ]; then
 		echo "WARNING! If you wish to build 64-bit library then you have to"
 		echo "         invoke './Configure hpux64-parisc2-cc' *manually*."
-		if [ "$TEST" = "false" ]; then
+		if [ "$TEST" = "false" -a -t 1 ]; then
 		  echo "         You have about 5 seconds to press Ctrl-C to abort."
-		  (stty -icanon min 0 time 50; read waste) < /dev/tty
+		  (trap "stty `stty -g`" 2 0; stty -icanon min 0 time 50; read waste) <&1
 		fi
 	     fi
 	elif [ $CPU_VERSION -ge 528 ]; then	# PA-RISC 1.1+ CPU
@@ -741,8 +758,28 @@ EOF
 	fi
 	options="$options -D_REENTRANT" ;;
   *-hpux)	OUT="hpux-parisc-$CC" ;;
+  *-aix)
+	KERNEL_BITS=`(getconf KERNEL_BITMODE) 2>/dev/null`
+	KERNEL_BITS=${KERNEL_BITS:-32}
+	OBJECT_MODE=${OBJECT_MODE:-32}
+	if [ "$CC" = "gcc" ]; then
+	    OUT="aix-gcc"
+	elif [ $OBJECT_MODE -eq 64 ]; then
+	    echo 'Your $OBJECT_MODE was found to be set to 64' 
+	    OUT="aix64-cc"
+	else
+	    OUT="aix-cc"
+	    if [ $KERNEL_BITS -eq 64 ]; then
+		echo "WARNING! If you wish to build 64-bit kit, then you have to"
+		echo "         invoke './Configure aix64-cc' *manually*."
+		if [ "$TEST" = "false" -a -t 1 ]; then
+		    echo "         You have ~5 seconds to press Ctrl-C to abort."
+		    (trap "stty `stty -g`" 2 0; stty -icanon min 0 time 50; read waste) <&1
+		fi
+	    fi
+	fi
+	;;
   # these are all covered by the catchall below
-  # *-aix) OUT="aix-$CC" ;;
   # *-dgux) OUT="dgux" ;;
   mips-sony-newsos4) OUT="newsos4-gcc" ;;
   *-*-cygwin_pre1.3) OUT="Cygwin-pre1.3" ;;

crypto/.cvsignore

@@ -2,3 +2,5 @@ lib
 buildinf.h
 opensslconf.h
 Makefile.save
+*.flc
+semantic.cache

crypto/Makefile

@@ -94,7 +94,8 @@ lib:	$(LIBOBJ)
 	@touch lib
 
 shared: buildinf.h lib subdirs
-	if [ -n "$(SHARED_LIBS)" ]; then \
+	@if [ -n "$(SHARED_LIBS)" ]; then \
+		egrep 'define OPENSSL_FIPS' $(TOP)/include/openssl/opensslconf.h > /dev/null || \
 		(cd ..; $(MAKE) $(SHARED_LIB)); \
 	fi
 
@@ -113,7 +114,7 @@ tests:
 	done;
 
 install:
-	@for i in $(EXHEADER) ;\
+	@headerlist="$(EXHEADER)"; for i in $$headerlist ;\
 	do \
 	(cp $$i $(INSTALL_PREFIX)$(INSTALLTOP)/include/openssl/$$i; \
 	chmod 644 $(INSTALL_PREFIX)$(INSTALLTOP)/include/openssl/$$i ); \
@@ -200,8 +201,8 @@ mem_dbg.o: ../include/openssl/err.h ../include/openssl/lhash.h
 mem_dbg.o: ../include/openssl/opensslconf.h ../include/openssl/opensslv.h
 mem_dbg.o: ../include/openssl/safestack.h ../include/openssl/stack.h
 mem_dbg.o: ../include/openssl/symhacks.h cryptlib.h mem_dbg.c
-o_str.o: ../include/openssl/e_os2.h ../include/openssl/opensslconf.h o_str.c
-o_str.o: o_str.h
+o_str.o: ../e_os.h ../include/openssl/e_os2.h ../include/openssl/opensslconf.h
+o_str.o: o_str.c o_str.h
 o_time.o: ../include/openssl/e_os2.h ../include/openssl/opensslconf.h o_time.c
 o_time.o: o_time.h
 tmdiff.o: ../e_os.h ../include/openssl/bio.h ../include/openssl/buffer.h

crypto/aes/.cvsignore

@@ -1,2 +1,4 @@
 lib
 Makefile.save
+*.flc
+semantic.cache

crypto/aes/Makefile

@@ -58,7 +58,7 @@ links:
 install: installs
 
 installs:
-	@for i in $(EXHEADER) ; \
+	@headerlist="$(EXHEADER)"; for i in $$headerlist ; \
 	do  \
 	(cp $$i $(INSTALL_PREFIX)$(INSTALLTOP)/include/openssl/$$i; \
 	chmod 644 $(INSTALL_PREFIX)$(INSTALLTOP)/include/openssl/$$i ); \
@@ -86,8 +86,9 @@ clean:
 
 aes_cbc.o: ../../include/openssl/aes.h ../../include/openssl/e_os2.h
 aes_cbc.o: ../../include/openssl/opensslconf.h aes_cbc.c aes_locl.h
-aes_cfb.o: ../../include/openssl/aes.h ../../include/openssl/e_os2.h
-aes_cfb.o: ../../include/openssl/opensslconf.h aes_cfb.c aes_locl.h
+aes_cfb.o: ../../e_os.h ../../include/openssl/aes.h
+aes_cfb.o: ../../include/openssl/e_os2.h ../../include/openssl/opensslconf.h
+aes_cfb.o: aes_cfb.c aes_locl.h
 aes_core.o: ../../include/openssl/aes.h ../../include/openssl/e_os2.h
 aes_core.o: ../../include/openssl/fips.h ../../include/openssl/opensslconf.h
 aes_core.o: aes_core.c aes_locl.h

crypto/aes/aes_cbc.c

@@ -66,6 +66,7 @@ void AES_cbc_encrypt(const unsigned char *in, unsigned char *out,
 	unsigned long n;
 	unsigned long len = length;
 	unsigned char tmp[AES_BLOCK_SIZE];
+	const unsigned char *iv = ivec;
 
 	assert(in && out && key && ivec);
 	assert((AES_ENCRYPT == enc)||(AES_DECRYPT == enc));
@@ -73,22 +74,39 @@ void AES_cbc_encrypt(const unsigned char *in, unsigned char *out,
 	if (AES_ENCRYPT == enc) {
 		while (len >= AES_BLOCK_SIZE) {
 			for(n=0; n < AES_BLOCK_SIZE; ++n)
-				tmp[n] = in[n] ^ ivec[n];
-			AES_encrypt(tmp, out, key);
-			memcpy(ivec, out, AES_BLOCK_SIZE);
+				out[n] = in[n] ^ iv[n];
+			AES_encrypt(out, out, key);
+			iv = out;
 			len -= AES_BLOCK_SIZE;
 			in += AES_BLOCK_SIZE;
 			out += AES_BLOCK_SIZE;
 		}
 		if (len) {
 			for(n=0; n < len; ++n)
-				tmp[n] = in[n] ^ ivec[n];
+				out[n] = in[n] ^ iv[n];
 			for(n=len; n < AES_BLOCK_SIZE; ++n)
-				tmp[n] = ivec[n];
-			AES_encrypt(tmp, tmp, key);
-			memcpy(out, tmp, AES_BLOCK_SIZE);
-			memcpy(ivec, tmp, AES_BLOCK_SIZE);
-		}			
+				out[n] = iv[n];
+			AES_encrypt(out, out, key);
+			iv = out;
+		}
+		memcpy(ivec,iv,AES_BLOCK_SIZE);
+	} else if (in != out) {
+		while (len >= AES_BLOCK_SIZE) {
+			AES_decrypt(in, out, key);
+			for(n=0; n < AES_BLOCK_SIZE; ++n)
+				out[n] ^= iv[n];
+			iv = in;
+			len -= AES_BLOCK_SIZE;
+			in  += AES_BLOCK_SIZE;
+			out += AES_BLOCK_SIZE;
+		}
+		if (len) {
+			AES_decrypt(in,tmp,key);
+			for(n=0; n < len; ++n)
+				out[n] = tmp[n] ^ iv[n];
+			iv = in;
+		}
+		memcpy(ivec,iv,AES_BLOCK_SIZE);
 	} else {
 		while (len >= AES_BLOCK_SIZE) {
 			memcpy(tmp, in, AES_BLOCK_SIZE);
@@ -102,10 +120,12 @@ void AES_cbc_encrypt(const unsigned char *in, unsigned char *out,
 		}
 		if (len) {
 			memcpy(tmp, in, AES_BLOCK_SIZE);
-			AES_decrypt(tmp, tmp, key);
+			AES_decrypt(tmp, out, key);
 			for(n=0; n < len; ++n)
-				out[n] = tmp[n] ^ ivec[n];
+				out[n] ^= ivec[n];
+			for(n=len; n < AES_BLOCK_SIZE; ++n)
+				out[n] = tmp[n];
 			memcpy(ivec, tmp, AES_BLOCK_SIZE);
-		}			
+		}
 	}
 }

crypto/aes/aes_cfb.c

@@ -114,6 +114,7 @@
 
 #include <openssl/aes.h>
 #include "aes_locl.h"
+#include "e_os.h"
 
 /* The input and output encrypted as though 128bit cfb mode is being
  * used.  The extra state information to record how much of the
@@ -157,61 +158,35 @@ void AES_cfb128_encrypt(const unsigned char *in, unsigned char *out,
 
 /* This expects a single block of size nbits for both in and out. Note that
    it corrupts any extra bits in the last byte of out */
-/* Untested, once it is working, it will be optimised */
 void AES_cfbr_encrypt_block(const unsigned char *in,unsigned char *out,
 			    const int nbits,const AES_KEY *key,
 			    unsigned char *ivec,const int enc)
     {
-    int n;
+    int n,rem,num;
     unsigned char ovec[AES_BLOCK_SIZE*2];
 
-    assert(in && out && key && ivec);
-    if(enc)
-	{
+    if (nbits<=0 || nbits>128) return;
+
+	/* fill in the first half of the new IV with the current IV */
+	memcpy(ovec,ivec,AES_BLOCK_SIZE);
 	/* construct the new IV */
-	AES_encrypt(ivec,ovec,key);
-	/* encrypt the input */
-	for(n=0 ; n < (nbits+7)/8 ; ++n)
-	    out[n]=in[n]^ovec[n];
-	/* fill in the first half of the new IV with the current IV */
-	memcpy(ovec,ivec,AES_BLOCK_SIZE);
-	/* and put the ciphertext in the second half */
-	memcpy(ovec+AES_BLOCK_SIZE,out,(nbits+7)/8);
-	/* shift ovec left most of the bits... */
-	memmove(ovec,ovec+nbits/8,AES_BLOCK_SIZE+(nbits%8 ? 1 : 0));
-	/* now the remaining bits */
-	if(nbits%8 != 0)
+	AES_encrypt(ivec,ivec,key);
+	num = (nbits+7)/8;
+	if (enc)	/* encrypt the input */
+	    for(n=0 ; n < num ; ++n)
+		out[n] = (ovec[AES_BLOCK_SIZE+n] = in[n] ^ ivec[n]);
+	else		/* decrypt the input */
+	    for(n=0 ; n < num ; ++n)
+		out[n] = (ovec[AES_BLOCK_SIZE+n] = in[n]) ^ ivec[n];
+	/* shift ovec left... */
+	rem = nbits%8;
+	num = nbits/8;
+	if(rem==0)
+	    memcpy(ivec,ovec+num,AES_BLOCK_SIZE);
+	else
 	    for(n=0 ; n < AES_BLOCK_SIZE ; ++n)
-		{
-		ovec[n]<<=nbits%8;
-		ovec[n]|=ovec[n+1]>>(8-nbits%8);
-		}
-	/* finally, move it back into place */
-	memcpy(ivec,ovec,AES_BLOCK_SIZE);
-	}
-    else
-	{
-	/* construct the new IV in the first half of ovec */
-	AES_encrypt(ivec,ovec,key);
-	/* decrypt the input */
-	for(n=0 ; n < (nbits+7)/8 ; ++n)
-	    out[n]=in[n]^ovec[n];
-	/* fill in the first half of the new IV with the current IV */
-	memcpy(ovec,ivec,AES_BLOCK_SIZE);
-	/* append the ciphertext */
-	memcpy(ovec+AES_BLOCK_SIZE,in,(nbits+7)/8);
-	/* shift ovec left most of the bits... */
-	memmove(ovec,ovec+nbits/8,AES_BLOCK_SIZE+(nbits%8 ? 1 : 0));
-	/* now the remaining bits */
-	if(nbits%8 != 0)
-	    for(n=0 ; n < AES_BLOCK_SIZE ; ++n)
-		{
-		ovec[n]<<=nbits%8;
-		ovec[n]|=ovec[n+1]>>(8-nbits%8);
-		}
-	/* finally, move it back into place */
-	memcpy(ivec,ovec,AES_BLOCK_SIZE);
-	}
+		ivec[n] = ovec[n+num]<<rem | ovec[n+num+1]>>(8-rem);
+
     /* it is not necessary to cleanse ovec, since the IV is not secret */
     }
 

crypto/asn1/.cvsignore

@@ -1,2 +1,4 @@
 lib
 Makefile.save
+*.flc
+semantic.cache

crypto/asn1/Makefile

@@ -81,7 +81,7 @@ links:
 	@$(PERL) $(TOP)/util/mklink.pl ../../apps $(APPS)
 
 install:
-	@for i in $(EXHEADER) ; \
+	@headerlist="$(EXHEADER)"; for i in $$headerlist ; \
 	do  \
 	(cp $$i $(INSTALL_PREFIX)$(INSTALLTOP)/include/openssl/$$i; \
 	chmod 644 $(INSTALL_PREFIX)$(INSTALLTOP)/include/openssl/$$i ); \

crypto/asn1/a_bitstr.c

@@ -194,8 +194,12 @@ int ASN1_BIT_STRING_set_bit(ASN1_BIT_STRING *a, int n, int value)
 			c=(unsigned char *)OPENSSL_realloc_clean(a->data,
 								 a->length,
 								 w+1);
-		if (c == NULL) return(0);
-		if (w+1-a->length > 0) memset(c+a->length, 0, w+1-a->length);
+		if (c == NULL)
+			{
+			ASN1err(ASN1_F_ASN1_BIT_STRING_SET_BIT,ERR_R_MALLOC_FAILURE);
+			return 0;
+			}
+  		if (w+1-a->length > 0) memset(c+a->length, 0, w+1-a->length);
 		a->data=c;
 		a->length=w+1;
 	}

crypto/asn1/a_digest.c

@@ -65,6 +65,7 @@
 # include <sys/types.h>
 #endif
 
+#include <openssl/err.h>
 #include <openssl/evp.h>
 #include <openssl/buffer.h>
 #include <openssl/x509.h>
@@ -78,7 +79,11 @@ int ASN1_digest(int (*i2d)(), const EVP_MD *type, char *data,
 	unsigned char *str,*p;
 
 	i=i2d(data,NULL);
-	if ((str=(unsigned char *)OPENSSL_malloc(i)) == NULL) return(0);
+	if ((str=(unsigned char *)OPENSSL_malloc(i)) == NULL)
+		{
+		ASN1err(ASN1_F_ASN1_DIGEST,ERR_R_MALLOC_FAILURE);
+		return(0);
+		}
 	p=str;
 	i2d(data,&p);
 

crypto/asn1/a_enum.c

@@ -156,7 +156,7 @@ ASN1_ENUMERATED *BN_to_ASN1_ENUMERATED(BIGNUM *bn, ASN1_ENUMERATED *ai)
 		unsigned char *new_data=OPENSSL_realloc(ret->data, len+4);
 		if (!new_data)
 			{
-			ASN1err(ASN1_F_BN_TO_ASN1_INTEGER,ERR_R_MALLOC_FAILURE);
+			ASN1err(ASN1_F_BN_TO_ASN1_ENUMERATED,ERR_R_MALLOC_FAILURE);
 			goto err;
 			}
 		ret->data=new_data;

crypto/asn1/a_gentm.c

@@ -192,8 +192,9 @@ int ASN1_GENERALIZEDTIME_set_string(ASN1_GENERALIZEDTIME *s, char *str)
 		{
 		if (s != NULL)
 			{
-			ASN1_STRING_set((ASN1_STRING *)s,
-				(unsigned char *)str,t.length);
+			if (!ASN1_STRING_set((ASN1_STRING *)s,
+				(unsigned char *)str,t.length))
+				return 0;
 			s->type=V_ASN1_GENERALIZEDTIME;
 			}
 		return(1);
@@ -223,7 +224,12 @@ ASN1_GENERALIZEDTIME *ASN1_GENERALIZEDTIME_set(ASN1_GENERALIZEDTIME *s,
 	if ((p == NULL) || ((size_t)s->length < len))
 		{
 		p=OPENSSL_malloc(len);
-		if (p == NULL) return(NULL);
+		if (p == NULL)
+			{
+			ASN1err(ASN1_F_ASN1_GENERALIZEDTIME_SET,
+				ERR_R_MALLOC_FAILURE);
+			return(NULL);
+			}
 		if (s->data != NULL)
 			OPENSSL_free(s->data);
 		s->data=(unsigned char *)p;

crypto/asn1/a_print.c

@@ -60,7 +60,7 @@
 #include "cryptlib.h"
 #include <openssl/asn1.h>
 
-int ASN1_PRINTABLE_type(unsigned char *s, int len)
+int ASN1_PRINTABLE_type(const unsigned char *s, int len)
 	{
 	int c;
 	int ia5=0;

crypto/asn1/a_set.c

@@ -118,8 +118,13 @@ int i2d_ASN1_SET(STACK *a, unsigned char **pp, int (*func)(), int ex_tag,
 		}
 
         pStart  = p; /* Catch the beg of Setblobs*/
-        if (!(rgSetBlob = (MYBLOB *)OPENSSL_malloc( sk_num(a) * sizeof(MYBLOB)))) return 0; /* In this array
-we will store the SET blobs */
+		/* In this array we will store the SET blobs */
+		rgSetBlob = (MYBLOB *)OPENSSL_malloc(sk_num(a) * sizeof(MYBLOB));
+		if (rgSetBlob == NULL)
+			{
+			ASN1err(ASN1_F_I2D_ASN1_SET,ERR_R_MALLOC_FAILURE);
+			return(0);
+			}
 
         for (i=0; i<sk_num(a); i++)
 	        {
@@ -135,7 +140,11 @@ SetBlob
  /* Now we have to sort the blobs. I am using a simple algo.
     *Sort ptrs *Copy to temp-mem *Copy from temp-mem to user-mem*/
         qsort( rgSetBlob, sk_num(a), sizeof(MYBLOB), SetBlobCmp);
-        if (!(pTempMem = OPENSSL_malloc(totSize))) return 0;
+		if (!(pTempMem = OPENSSL_malloc(totSize)))
+			{
+			ASN1err(ASN1_F_I2D_ASN1_SET,ERR_R_MALLOC_FAILURE);
+			return(0);
+			}
 
 /* Copy to temp mem */
         p = pTempMem;
@@ -160,7 +169,13 @@ STACK *d2i_ASN1_SET(STACK **a, unsigned char **pp, long length,
 	STACK *ret=NULL;
 
 	if ((a == NULL) || ((*a) == NULL))
-		{ if ((ret=sk_new_null()) == NULL) goto err; }
+		{
+		if ((ret=sk_new_null()) == NULL)
+			{
+			ASN1err(ASN1_F_D2I_ASN1_SET,ERR_R_MALLOC_FAILURE);
+			goto err;
+			}
+		}
 	else
 		ret=(*a);
 

crypto/asn1/a_type.c

@@ -71,7 +71,10 @@ int ASN1_TYPE_get(ASN1_TYPE *a)
 void ASN1_TYPE_set(ASN1_TYPE *a, int type, void *value)
 	{
 	if (a->value.ptr != NULL)
-		ASN1_primitive_free((ASN1_VALUE **)&a, NULL);
+		{
+		ASN1_TYPE **tmp_a = &a;
+		ASN1_primitive_free((ASN1_VALUE **)tmp_a, NULL);
+		}
 	a->type=type;
 	a->value.ptr=value;
 	}

crypto/asn1/a_utctm.c

@@ -173,8 +173,9 @@ int ASN1_UTCTIME_set_string(ASN1_UTCTIME *s, char *str)
 		{
 		if (s != NULL)
 			{
-			ASN1_STRING_set((ASN1_STRING *)s,
-				(unsigned char *)str,t.length);
+			if (!ASN1_STRING_set((ASN1_STRING *)s,
+				(unsigned char *)str,t.length))
+				return 0;
 			s->type = V_ASN1_UTCTIME;
 			}
 		return(1);
@@ -203,7 +204,11 @@ ASN1_UTCTIME *ASN1_UTCTIME_set(ASN1_UTCTIME *s, time_t t)
 	if ((p == NULL) || ((size_t)s->length < len))
 		{
 		p=OPENSSL_malloc(len);
-		if (p == NULL) return(NULL);
+		if (p == NULL)
+			{
+			ASN1err(ASN1_F_ASN1_UTCTIME_SET,ERR_R_MALLOC_FAILURE);
+			return(NULL);
+			}
 		if (s->data != NULL)
 			OPENSSL_free(s->data);
 		s->data=(unsigned char *)p;

crypto/asn1/a_verify.c

@@ -142,6 +142,13 @@ int ASN1_item_verify(const ASN1_ITEM *it, X509_ALGOR *a, ASN1_BIT_STRING *signat
 		goto err;
 		}
 
+	if (!EVP_VerifyInit_ex(&ctx,type, NULL))
+		{
+		ASN1err(ASN1_F_ASN1_VERIFY,ERR_R_EVP_LIB);
+		ret=0;
+		goto err;
+		}
+
 	inl = ASN1_item_i2d(asn, &buf_in, it);
 	
 	if (buf_in == NULL)
@@ -150,7 +157,6 @@ int ASN1_item_verify(const ASN1_ITEM *it, X509_ALGOR *a, ASN1_BIT_STRING *signat
 		goto err;
 		}
 
-	EVP_VerifyInit_ex(&ctx,type, NULL);
 	EVP_VerifyUpdate(&ctx,(unsigned char *)buf_in,inl);
 
 	OPENSSL_cleanse(buf_in,(unsigned int)inl);

crypto/asn1/asn1.h

@@ -829,7 +829,7 @@ BIGNUM *ASN1_ENUMERATED_to_BN(ASN1_ENUMERATED *ai,BIGNUM *bn);
 
 /* General */
 /* given a string, return the correct type, max is the maximum length */
-int ASN1_PRINTABLE_type(unsigned char *s, int max);
+int ASN1_PRINTABLE_type(const unsigned char *s, int max);
 
 int i2d_ASN1_bytes(ASN1_STRING *a, unsigned char **pp, int tag, int xclass);
 ASN1_STRING *d2i_ASN1_bytes(ASN1_STRING **a, unsigned char **pp,
@@ -950,16 +950,19 @@ void ERR_load_ASN1_strings(void);
 #define ASN1_F_A2I_ASN1_ENUMERATED			 101
 #define ASN1_F_A2I_ASN1_INTEGER				 102
 #define ASN1_F_A2I_ASN1_STRING				 103
+#define ASN1_F_ASN1_BIT_STRING_SET_BIT			 176
 #define ASN1_F_ASN1_CHECK_TLEN				 104
 #define ASN1_F_ASN1_COLLATE_PRIMITIVE			 105
 #define ASN1_F_ASN1_COLLECT				 106
 #define ASN1_F_ASN1_D2I_BIO				 107
 #define ASN1_F_ASN1_D2I_EX_PRIMITIVE			 108
 #define ASN1_F_ASN1_D2I_FP				 109
+#define ASN1_F_ASN1_DIGEST				 177
 #define ASN1_F_ASN1_DO_ADB				 110
 #define ASN1_F_ASN1_DUP					 111
 #define ASN1_F_ASN1_ENUMERATED_SET			 112
 #define ASN1_F_ASN1_ENUMERATED_TO_BN			 113
+#define ASN1_F_ASN1_GENERALIZEDTIME_SET			 178
 #define ASN1_F_ASN1_GET_OBJECT				 114
 #define ASN1_F_ASN1_HEADER_NEW				 115
 #define ASN1_F_ASN1_I2D_BIO				 116
@@ -975,6 +978,7 @@ void ERR_load_ASN1_strings(void);
 #define ASN1_F_ASN1_SEQ_PACK				 126
 #define ASN1_F_ASN1_SEQ_UNPACK				 127
 #define ASN1_F_ASN1_SIGN				 128
+#define ASN1_F_ASN1_STRING_SET				 179
 #define ASN1_F_ASN1_STRING_TABLE_ADD			 129
 #define ASN1_F_ASN1_STRING_TYPE_NEW			 130
 #define ASN1_F_ASN1_TEMPLATE_D2I			 131
@@ -984,6 +988,7 @@ void ERR_load_ASN1_strings(void);
 #define ASN1_F_ASN1_TYPE_GET_INT_OCTETSTRING		 134
 #define ASN1_F_ASN1_TYPE_GET_OCTETSTRING		 135
 #define ASN1_F_ASN1_UNPACK_STRING			 136
+#define ASN1_F_ASN1_UTCTIME_SET				 180
 #define ASN1_F_ASN1_VERIFY				 137
 #define ASN1_F_BN_TO_ASN1_ENUMERATED			 138
 #define ASN1_F_BN_TO_ASN1_INTEGER			 139
@@ -1007,6 +1012,7 @@ void ERR_load_ASN1_strings(void);
 #define ASN1_F_D2I_X509_CINF				 157
 #define ASN1_F_D2I_X509_NAME				 158
 #define ASN1_F_D2I_X509_PKEY				 159
+#define ASN1_F_I2D_ASN1_SET				 181
 #define ASN1_F_I2D_ASN1_TIME				 160
 #define ASN1_F_I2D_DSA_PUBKEY				 161
 #define ASN1_F_I2D_NETSCAPE_RSA				 162

crypto/asn1/asn1_err.c

@@ -1,6 +1,6 @@
 /* crypto/asn1/asn1_err.c */
 /* ====================================================================
- * Copyright (c) 1999-2002 The OpenSSL Project.  All rights reserved.
+ * Copyright (c) 1999-2004 The OpenSSL Project.  All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
@@ -70,16 +70,19 @@ static ERR_STRING_DATA ASN1_str_functs[]=
 {ERR_PACK(0,ASN1_F_A2I_ASN1_ENUMERATED,0),	"a2i_ASN1_ENUMERATED"},
 {ERR_PACK(0,ASN1_F_A2I_ASN1_INTEGER,0),	"a2i_ASN1_INTEGER"},
 {ERR_PACK(0,ASN1_F_A2I_ASN1_STRING,0),	"a2i_ASN1_STRING"},
+{ERR_PACK(0,ASN1_F_ASN1_BIT_STRING_SET_BIT,0),	"ASN1_BIT_STRING_set_bit"},
 {ERR_PACK(0,ASN1_F_ASN1_CHECK_TLEN,0),	"ASN1_CHECK_TLEN"},
 {ERR_PACK(0,ASN1_F_ASN1_COLLATE_PRIMITIVE,0),	"ASN1_COLLATE_PRIMITIVE"},
 {ERR_PACK(0,ASN1_F_ASN1_COLLECT,0),	"ASN1_COLLECT"},
 {ERR_PACK(0,ASN1_F_ASN1_D2I_BIO,0),	"ASN1_d2i_bio"},
 {ERR_PACK(0,ASN1_F_ASN1_D2I_EX_PRIMITIVE,0),	"ASN1_D2I_EX_PRIMITIVE"},
 {ERR_PACK(0,ASN1_F_ASN1_D2I_FP,0),	"ASN1_d2i_fp"},
+{ERR_PACK(0,ASN1_F_ASN1_DIGEST,0),	"ASN1_digest"},
 {ERR_PACK(0,ASN1_F_ASN1_DO_ADB,0),	"ASN1_DO_ADB"},
 {ERR_PACK(0,ASN1_F_ASN1_DUP,0),	"ASN1_dup"},
 {ERR_PACK(0,ASN1_F_ASN1_ENUMERATED_SET,0),	"ASN1_ENUMERATED_set"},
 {ERR_PACK(0,ASN1_F_ASN1_ENUMERATED_TO_BN,0),	"ASN1_ENUMERATED_to_BN"},
+{ERR_PACK(0,ASN1_F_ASN1_GENERALIZEDTIME_SET,0),	"ASN1_GENERALIZEDTIME_set"},
 {ERR_PACK(0,ASN1_F_ASN1_GET_OBJECT,0),	"ASN1_get_object"},
 {ERR_PACK(0,ASN1_F_ASN1_HEADER_NEW,0),	"ASN1_HEADER_new"},
 {ERR_PACK(0,ASN1_F_ASN1_I2D_BIO,0),	"ASN1_i2d_bio"},
@@ -95,6 +98,7 @@ static ERR_STRING_DATA ASN1_str_functs[]=
 {ERR_PACK(0,ASN1_F_ASN1_SEQ_PACK,0),	"ASN1_seq_pack"},
 {ERR_PACK(0,ASN1_F_ASN1_SEQ_UNPACK,0),	"ASN1_seq_unpack"},
 {ERR_PACK(0,ASN1_F_ASN1_SIGN,0),	"ASN1_sign"},
+{ERR_PACK(0,ASN1_F_ASN1_STRING_SET,0),	"ASN1_STRING_set"},
 {ERR_PACK(0,ASN1_F_ASN1_STRING_TABLE_ADD,0),	"ASN1_STRING_TABLE_add"},
 {ERR_PACK(0,ASN1_F_ASN1_STRING_TYPE_NEW,0),	"ASN1_STRING_type_new"},
 {ERR_PACK(0,ASN1_F_ASN1_TEMPLATE_D2I,0),	"ASN1_TEMPLATE_D2I"},
@@ -104,6 +108,7 @@ static ERR_STRING_DATA ASN1_str_functs[]=
 {ERR_PACK(0,ASN1_F_ASN1_TYPE_GET_INT_OCTETSTRING,0),	"ASN1_TYPE_get_int_octetstring"},
 {ERR_PACK(0,ASN1_F_ASN1_TYPE_GET_OCTETSTRING,0),	"ASN1_TYPE_get_octetstring"},
 {ERR_PACK(0,ASN1_F_ASN1_UNPACK_STRING,0),	"ASN1_unpack_string"},
+{ERR_PACK(0,ASN1_F_ASN1_UTCTIME_SET,0),	"ASN1_UTCTIME_set"},
 {ERR_PACK(0,ASN1_F_ASN1_VERIFY,0),	"ASN1_verify"},
 {ERR_PACK(0,ASN1_F_BN_TO_ASN1_ENUMERATED,0),	"BN_to_ASN1_ENUMERATED"},
 {ERR_PACK(0,ASN1_F_BN_TO_ASN1_INTEGER,0),	"BN_to_ASN1_INTEGER"},
@@ -127,6 +132,7 @@ static ERR_STRING_DATA ASN1_str_functs[]=
 {ERR_PACK(0,ASN1_F_D2I_X509_CINF,0),	"D2I_X509_CINF"},
 {ERR_PACK(0,ASN1_F_D2I_X509_NAME,0),	"D2I_X509_NAME"},
 {ERR_PACK(0,ASN1_F_D2I_X509_PKEY,0),	"d2i_X509_PKEY"},
+{ERR_PACK(0,ASN1_F_I2D_ASN1_SET,0),	"i2d_ASN1_SET"},
 {ERR_PACK(0,ASN1_F_I2D_ASN1_TIME,0),	"I2D_ASN1_TIME"},
 {ERR_PACK(0,ASN1_F_I2D_DSA_PUBKEY,0),	"i2d_DSA_PUBKEY"},
 {ERR_PACK(0,ASN1_F_I2D_NETSCAPE_RSA,0),	"i2d_Netscape_RSA"},

crypto/asn1/asn1_lib.c

@@ -349,6 +349,7 @@ int ASN1_STRING_set(ASN1_STRING *str, const void *_data, int len)
 
 		if (str->data == NULL)
 			{
+			ASN1err(ASN1_F_ASN1_STRING_SET,ERR_R_MALLOC_FAILURE);
 			str->data=c;
 			return(0);
 			}

crypto/asn1/evp_asn1.c

@@ -115,7 +115,11 @@ int ASN1_TYPE_set_int_octetstring(ASN1_TYPE *a, long num, unsigned char *data,
 
 	if ((osp=ASN1_STRING_new()) == NULL) return(0);
 	/* Grow the 'string' */
-	ASN1_STRING_set(osp,NULL,size);
+	if (!ASN1_STRING_set(osp,NULL,size))
+		{
+		ASN1_STRING_free(osp);
+		return(0);
+		}
 
 	M_ASN1_STRING_length_set(osp, size);
 	p=M_ASN1_STRING_data(osp);

crypto/asn1/p5_pbe.c

@@ -76,47 +76,55 @@ IMPLEMENT_ASN1_FUNCTIONS(PBEPARAM)
 X509_ALGOR *PKCS5_pbe_set(int alg, int iter, unsigned char *salt,
 	     int saltlen)
 {
-	PBEPARAM *pbe;
+	PBEPARAM *pbe=NULL;
 	ASN1_OBJECT *al;
 	X509_ALGOR *algor;
-	ASN1_TYPE *astype;
+	ASN1_TYPE *astype=NULL;
 
 	if (!(pbe = PBEPARAM_new ())) {
 		ASN1err(ASN1_F_ASN1_PBE_SET,ERR_R_MALLOC_FAILURE);
-		return NULL;
+		goto err;
 	}
 	if(iter <= 0) iter = PKCS5_DEFAULT_ITER;
-	ASN1_INTEGER_set (pbe->iter, iter);
+	if (!ASN1_INTEGER_set(pbe->iter, iter)) {
+		ASN1err(ASN1_F_ASN1_PBE_SET,ERR_R_MALLOC_FAILURE);
+		goto err;
+	}
 	if (!saltlen) saltlen = PKCS5_SALT_LEN;
 	if (!(pbe->salt->data = OPENSSL_malloc (saltlen))) {
 		ASN1err(ASN1_F_ASN1_PBE_SET,ERR_R_MALLOC_FAILURE);
-		return NULL;
+		goto err;
 	}
 	pbe->salt->length = saltlen;
 	if (salt) memcpy (pbe->salt->data, salt, saltlen);
 	else if (RAND_pseudo_bytes (pbe->salt->data, saltlen) < 0)
-		return NULL;
+		goto err;
 
 	if (!(astype = ASN1_TYPE_new())) {
 		ASN1err(ASN1_F_ASN1_PBE_SET,ERR_R_MALLOC_FAILURE);
-		return NULL;
+		goto err;
 	}
 
 	astype->type = V_ASN1_SEQUENCE;
 	if(!ASN1_pack_string(pbe, i2d_PBEPARAM, &astype->value.sequence)) {
 		ASN1err(ASN1_F_ASN1_PBE_SET,ERR_R_MALLOC_FAILURE);
-		return NULL;
+		goto err;
 	}
 	PBEPARAM_free (pbe);
+	pbe = NULL;
 	
 	al = OBJ_nid2obj(alg); /* never need to free al */
 	if (!(algor = X509_ALGOR_new())) {
 		ASN1err(ASN1_F_ASN1_PBE_SET,ERR_R_MALLOC_FAILURE);
-		return NULL;
+		goto err;
 	}
 	ASN1_OBJECT_free(algor->algorithm);
 	algor->algorithm = al;
 	algor->parameter = astype;
 
 	return (algor);
+err:
+	if (pbe != NULL) PBEPARAM_free(pbe);
+	if (astype != NULL) ASN1_TYPE_free(astype);
+	return NULL;
 }

crypto/asn1/t_bitst.c

@@ -84,7 +84,10 @@ int ASN1_BIT_STRING_set_asc(ASN1_BIT_STRING *bs, char *name, int value,
 	int bitnum;
 	bitnum = ASN1_BIT_STRING_num_asc(name, tbl);
 	if(bitnum < 0) return 0;
-	if(bs) ASN1_BIT_STRING_set_bit(bs, bitnum, value);
+	if(bs) {
+		if(!ASN1_BIT_STRING_set_bit(bs, bitnum, value))
+			return 0;
+	}
 	return 1;
 }
 

crypto/asn1/x_crl.c

@@ -130,6 +130,7 @@ int X509_CRL_add0_revoked(X509_CRL *crl, X509_REVOKED *rev)
 		ASN1err(ASN1_F_X509_CRL_ADD0_REVOKED, ERR_R_MALLOC_FAILURE);
 		return 0;
 	}
+	inf->enc.modified = 1;
 	return 1;
 }
 

crypto/asn1/x_name.c

@@ -160,21 +160,22 @@ static int x509_name_ex_d2i(ASN1_VALUE **val, unsigned char **in, long len, cons
 					int tag, int aclass, char opt, ASN1_TLC *ctx)
 {
 	unsigned char *p = *in, *q;
-	STACK *intname = NULL;
+	STACK *intname = NULL, **intname_pp = &intname;
 	int i, j, ret;
-	X509_NAME *nm = NULL;
+	X509_NAME *nm = NULL, **nm_pp = &nm;
 	STACK_OF(X509_NAME_ENTRY) *entries;
 	X509_NAME_ENTRY *entry;
 	q = p;
 
 	/* Get internal representation of Name */
-	ret = ASN1_item_ex_d2i((ASN1_VALUE **)&intname, &p, len, ASN1_ITEM_rptr(X509_NAME_INTERNAL),
-								tag, aclass, opt, ctx);
+	ret = ASN1_item_ex_d2i((ASN1_VALUE **)intname_pp,
+			       &p, len, ASN1_ITEM_rptr(X509_NAME_INTERNAL),
+			       tag, aclass, opt, ctx);
 	
 	if(ret <= 0) return ret;
 
 	if(*val) x509_name_ex_free(val, NULL);
-	if(!x509_name_ex_new((ASN1_VALUE **)&nm, NULL)) goto err;
+	if(!x509_name_ex_new((ASN1_VALUE **)nm_pp, NULL)) goto err;
 	/* We've decoded it: now cache encoding */
 	if(!BUF_MEM_grow(nm->bytes, p - q)) goto err;
 	memcpy(nm->bytes->data, q, p - q);
@@ -218,7 +219,7 @@ static int x509_name_ex_i2d(ASN1_VALUE **val, unsigned char **out, const ASN1_IT
 
 static int x509_name_encode(X509_NAME *a)
 {
-	STACK *intname = NULL;
+	STACK *intname = NULL, **intname_pp = &intname;
 	int len;
 	unsigned char *p;
 	STACK_OF(X509_NAME_ENTRY) *entries = NULL;
@@ -236,10 +237,12 @@ static int x509_name_encode(X509_NAME *a)
 		}
 		if(!sk_X509_NAME_ENTRY_push(entries, entry)) goto memerr;
 	}
-	len = ASN1_item_ex_i2d((ASN1_VALUE **)&intname, NULL, ASN1_ITEM_rptr(X509_NAME_INTERNAL), -1, -1);
+	len = ASN1_item_ex_i2d((ASN1_VALUE **)intname_pp, NULL,
+			       ASN1_ITEM_rptr(X509_NAME_INTERNAL), -1, -1);
 	if (!BUF_MEM_grow(a->bytes,len)) goto memerr;
 	p=(unsigned char *)a->bytes->data;
-	ASN1_item_ex_i2d((ASN1_VALUE **)&intname, &p, ASN1_ITEM_rptr(X509_NAME_INTERNAL), -1, -1);
+	ASN1_item_ex_i2d((ASN1_VALUE **)intname_pp,
+			 &p, ASN1_ITEM_rptr(X509_NAME_INTERNAL), -1, -1);
 	sk_pop_free(intname, sk_internal_free);
 	a->modified = 0;
 	return len;

crypto/asn1/x_pubkey.c

@@ -80,8 +80,7 @@ IMPLEMENT_ASN1_FUNCTIONS(X509_PUBKEY)
 
 int X509_PUBKEY_set(X509_PUBKEY **x, EVP_PKEY *pkey)
 	{
-	int ok=0;
-	X509_PUBKEY *pk;
+	X509_PUBKEY *pk=NULL;
 	X509_ALGOR *a;
 	ASN1_OBJECT *o;
 	unsigned char *s,*p = NULL;
@@ -104,7 +103,11 @@ int X509_PUBKEY_set(X509_PUBKEY **x, EVP_PKEY *pkey)
 			(a->parameter->type != V_ASN1_NULL))
 			{
 			ASN1_TYPE_free(a->parameter);
-			a->parameter=ASN1_TYPE_new();
+			if (!(a->parameter=ASN1_TYPE_new()))
+				{
+				X509err(X509_F_X509_PUBKEY_SET,ERR_R_MALLOC_FAILURE);
+				goto err;
+				}
 			a->parameter->type=V_ASN1_NULL;
 			}
 		}
@@ -118,14 +121,34 @@ int X509_PUBKEY_set(X509_PUBKEY **x, EVP_PKEY *pkey)
 		dsa=pkey->pkey.dsa;
 		dsa->write_params=0;
 		ASN1_TYPE_free(a->parameter);
-		i=i2d_DSAparams(dsa,NULL);
-		if ((p=(unsigned char *)OPENSSL_malloc(i)) == NULL) goto err;
+		if ((i=i2d_DSAparams(dsa,NULL)) <= 0)
+			goto err;
+		if (!(p=(unsigned char *)OPENSSL_malloc(i)))
+			{
+			X509err(X509_F_X509_PUBKEY_SET,ERR_R_MALLOC_FAILURE);
+			goto err;
+			}
 		pp=p;
 		i2d_DSAparams(dsa,&pp);
-		a->parameter=ASN1_TYPE_new();
+		if (!(a->parameter=ASN1_TYPE_new()))
+			{
+			OPENSSL_free(p);
+			X509err(X509_F_X509_PUBKEY_SET,ERR_R_MALLOC_FAILURE);
+			goto err;
+			}
 		a->parameter->type=V_ASN1_SEQUENCE;
-		a->parameter->value.sequence=ASN1_STRING_new();
-		ASN1_STRING_set(a->parameter->value.sequence,p,i);
+		if (!(a->parameter->value.sequence=ASN1_STRING_new()))
+			{
+			OPENSSL_free(p);
+			X509err(X509_F_X509_PUBKEY_SET,ERR_R_MALLOC_FAILURE);
+			goto err;
+			}
+		if (!ASN1_STRING_set(a->parameter->value.sequence,p,i))
+			{
+			OPENSSL_free(p);
+			X509err(X509_F_X509_PUBKEY_SET,ERR_R_MALLOC_FAILURE);
+			goto err;
+			}
 		OPENSSL_free(p);
 		}
 	else
@@ -143,7 +166,11 @@ int X509_PUBKEY_set(X509_PUBKEY **x, EVP_PKEY *pkey)
 		}
 	p=s;
 	i2d_PublicKey(pkey,&p);
-	if (!M_ASN1_BIT_STRING_set(pk->public_key,s,i)) goto err;
+	if (!M_ASN1_BIT_STRING_set(pk->public_key,s,i))
+		{
+		X509err(X509_F_X509_PUBKEY_SET,ERR_R_MALLOC_FAILURE);
+		goto err;
+		}
 	/* Set number of unused bits to zero */
 	pk->public_key->flags&= ~(ASN1_STRING_FLAG_BITS_LEFT|0x07);
 	pk->public_key->flags|=ASN1_STRING_FLAG_BITS_LEFT;
@@ -159,12 +186,11 @@ int X509_PUBKEY_set(X509_PUBKEY **x, EVP_PKEY *pkey)
 		X509_PUBKEY_free(*x);
 
 	*x=pk;
-	pk=NULL;
 
-	ok=1;
+	return 1;
 err:
 	if (pk != NULL) X509_PUBKEY_free(pk);
-	return(ok);
+	return 0;
 	}
 
 EVP_PKEY *X509_PUBKEY_get(X509_PUBKEY *key)

crypto/bf/.cvsignore

@@ -1,2 +1,4 @@
 lib
 Makefile.save
+*.flc
+semantic.cache

crypto/bf/Makefile

@@ -74,7 +74,7 @@ links:
 install: installs
 
 installs:
-	@for i in $(EXHEADER) ; \
+	@headerlist="$(EXHEADER)"; for i in $$headerlist ; \
 	do  \
 	(cp $$i $(INSTALL_PREFIX)$(INSTALLTOP)/include/openssl/$$i; \
 	chmod 644 $(INSTALL_PREFIX)$(INSTALLTOP)/include/openssl/$$i ); \
@@ -109,5 +109,8 @@ bf_enc.o: ../../include/openssl/blowfish.h ../../include/openssl/e_os2.h
 bf_enc.o: ../../include/openssl/opensslconf.h bf_enc.c bf_locl.h
 bf_ofb64.o: ../../include/openssl/blowfish.h ../../include/openssl/e_os2.h
 bf_ofb64.o: ../../include/openssl/opensslconf.h bf_locl.h bf_ofb64.c
-bf_skey.o: ../../include/openssl/blowfish.h ../../include/openssl/e_os2.h
-bf_skey.o: ../../include/openssl/opensslconf.h bf_locl.h bf_pi.h bf_skey.c
+bf_skey.o: ../../include/openssl/blowfish.h ../../include/openssl/crypto.h
+bf_skey.o: ../../include/openssl/e_os2.h ../../include/openssl/opensslconf.h
+bf_skey.o: ../../include/openssl/opensslv.h ../../include/openssl/safestack.h
+bf_skey.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
+bf_skey.o: bf_locl.h bf_pi.h bf_skey.c

crypto/bf/asm/.cvsignore

@@ -1,2 +1,4 @@
 bx86unix.cpp
 bx86-elf.s
+*.flc
+semantic.cache

crypto/bf/bf_skey.c

@@ -58,11 +58,12 @@
 
 #include <stdio.h>
 #include <string.h>
+#include <openssl/crypto.h>
 #include <openssl/blowfish.h>
 #include "bf_locl.h"
 #include "bf_pi.h"
 
-void BF_set_key(BF_KEY *key, int len, const unsigned char *data)
+FIPS_NON_FIPS_VCIPHER_Init(BF)
 	{
 	int i;
 	BF_LONG *p,ri,in[2];

crypto/bf/blowfish.h

@@ -104,7 +104,10 @@ typedef struct bf_key_st
 	BF_LONG S[4*256];
 	} BF_KEY;
 
- 
+
+#ifdef OPENSSL_FIPS 
+void private_BF_set_key(BF_KEY *key, int len, const unsigned char *data);
+#endif
 void BF_set_key(BF_KEY *key, int len, const unsigned char *data);
 
 void BF_encrypt(BF_LONG *data,const BF_KEY *key);

crypto/bio/.cvsignore

@@ -1,2 +1,4 @@
 lib
 Makefile.save
+*.flc
+semantic.cache

crypto/bio/Makefile

@@ -61,7 +61,7 @@ links:
 	@$(PERL) $(TOP)/util/mklink.pl ../../apps $(APPS)
 
 install:
-	@for i in $(EXHEADER); \
+	@headerlist="$(EXHEADER)"; for i in $$headerlist; \
 	do  \
 	(cp $$i $(INSTALL_PREFIX)$(INSTALLTOP)/include/openssl/$$i; \
 	chmod 644 $(INSTALL_PREFIX)$(INSTALLTOP)/include/openssl/$$i ); \

crypto/bio/bss_file.c

@@ -266,7 +266,7 @@ static long MS_CALLBACK file_ctrl(BIO *b, int cmd, long num, void *ptr)
 			ret=0;
 			break;
 			}
-#if defined(OPENSSL_SYS_MSDOS) || defined(OPENSSL_SYS_WINDOWS) || defined(OPENSSL_SYS_OS2)
+#if defined(OPENSSL_SYS_MSDOS) || defined(OPENSSL_SYS_WINDOWS) || defined(OPENSSL_SYS_OS2) || defined(OPENSSL_SYS_WIN32_CYGWIN)
 		if (!(num & BIO_FP_TEXT))
 			strcat(p,"b");
 		else

crypto/bn/.cvsignore

@@ -1,2 +1,4 @@
 lib
 Makefile.save
+*.flc
+semantic.cache

crypto/bn/Makefile

@@ -118,10 +118,17 @@ asm/ia64-cpp.o:	asm/ia64.S
 	rm -f /tmp/ia64.$$$$.s
 
 asm/x86_64-gcc.o: asm/x86_64-gcc.c
+	$(CC) $(ASFLAGS) -c -o $@ $<
 
 asm/pa-risc2W.o: asm/pa-risc2W.s
 	/usr/ccs/bin/as -o asm/pa-risc2W.o asm/pa-risc2W.s
 
+asm/linux_ppc32.s: asm/ppc.pl;	$(PERL) $< $@
+asm/linux_ppc64.s: asm/ppc.pl;	$(PERL) $< $@
+asm/aix_ppc32.s: asm/ppc.pl;	$(PERL) asm/ppc.pl $@
+asm/aix_ppc64.s: asm/ppc.pl;	$(PERL) asm/ppc.pl $@
+asm/osx_ppc32.s: asm/ppc.pl;	$(PERL) $< $@
+
 files:
 	$(PERL) $(TOP)/util/files.pl Makefile >> $(TOP)/MINFO
 
@@ -131,7 +138,7 @@ links:
 	@$(PERL) $(TOP)/util/mklink.pl ../../apps $(APPS)
 
 install:
-	@for i in $(EXHEADER) ; \
+	@headerlist="$(EXHEADER)"; for i in $$headerlist ; \
 	do  \
 	(cp $$i $(INSTALL_PREFIX)$(INSTALLTOP)/include/openssl/$$i; \
 	chmod 644 $(INSTALL_PREFIX)$(INSTALLTOP)/include/openssl/$$i ); \

crypto/bn/asm/.cvsignore

@@ -2,3 +2,5 @@ bn86unix.cpp
 co86unix.cpp
 bn86-elf.s
 co86-elf.s
+*.flc
+semantic.cache

crypto/bn/asm/x86_64-gcc.c

@@ -13,20 +13,42 @@
  * A. Well, that's because this code is basically a quick-n-dirty
  *    proof-of-concept hack. As you can see it's implemented with
  *    inline assembler, which means that you're bound to GCC and that
- *    there must be a room for fine-tuning.
+ *    there might be enough room for further improvement.
  *
  * Q. Why inline assembler?
- * A. x86_64 features own ABI I'm not familiar with. Which is why
- *    I decided to let the compiler take care of subroutine
- *    prologue/epilogue as well as register allocation.
+ * A. x86_64 features own ABI which I'm not familiar with. This is
+ *    why I decided to let the compiler take care of subroutine
+ *    prologue/epilogue as well as register allocation. For reference.
+ *    Win64 implements different ABI for AMD64, different from Linux.
  *
  * Q. How much faster does it get?
- * A. Unfortunately people sitting on x86_64 hardware are prohibited
- *    to disclose the performance numbers, so they (SuSE labs to be
- *    specific) wouldn't tell me. However! Very similar coding technique
- *    (reaching out for 128-bit result from 64x64-bit multiplication)
- *    results in >3 times performance improvement on MIPS and I see no
- *    reason why gain on x86_64 would be so much different:-)
+ * A. 'apps/openssl speed rsa dsa' output with no-asm:
+ *
+ *	                  sign    verify    sign/s verify/s
+ *	rsa  512 bits   0.0006s   0.0001s   1683.8  18456.2
+ *	rsa 1024 bits   0.0028s   0.0002s    356.0   6407.0
+ *	rsa 2048 bits   0.0172s   0.0005s     58.0   1957.8
+ *	rsa 4096 bits   0.1155s   0.0018s      8.7    555.6
+ *	                  sign    verify    sign/s verify/s
+ *	dsa  512 bits   0.0005s   0.0006s   2100.8   1768.3
+ *	dsa 1024 bits   0.0014s   0.0018s    692.3    559.2
+ *	dsa 2048 bits   0.0049s   0.0061s    204.7    165.0
+ *
+ *    'apps/openssl speed rsa dsa' output with this module:
+ *
+ *	                  sign    verify    sign/s verify/s
+ *	rsa  512 bits   0.0004s   0.0000s   2767.1  33297.9
+ *	rsa 1024 bits   0.0012s   0.0001s    867.4  14674.7
+ *	rsa 2048 bits   0.0061s   0.0002s    164.0   5270.0
+ *	rsa 4096 bits   0.0384s   0.0006s     26.1   1650.8
+ *	                  sign    verify    sign/s verify/s
+ *	dsa  512 bits   0.0002s   0.0003s   4442.2   3786.3
+ *	dsa 1024 bits   0.0005s   0.0007s   1835.1   1497.4
+ *	dsa 2048 bits   0.0016s   0.0020s    620.4    504.6
+ *
+ *    For the reference. IA-32 assembler implementation performs
+ *    very much like 64-bit code compiled with no-asm on the same
+ *    machine.
  */
 
 #define BN_ULONG unsigned long
@@ -151,7 +173,7 @@ BN_ULONG bn_div_words(BN_ULONG h, BN_ULONG l, BN_ULONG d)
 }
 
 BN_ULONG bn_add_words (BN_ULONG *rp, BN_ULONG *ap, BN_ULONG *bp,int n)
-{ BN_ULONG ret,i;
+{ BN_ULONG ret=0,i=0;
 
 	if (n <= 0) return 0;
 
@@ -164,7 +186,7 @@ BN_ULONG bn_add_words (BN_ULONG *rp, BN_ULONG *ap, BN_ULONG *bp,int n)
 	"	leaq	1(%2),%2	\n"
 	"	loop	1b		\n"
 	"	sbbq	%0,%0		\n"
-		: "+a"(ret),"+c"(n),"+r"(i)
+		: "=&a"(ret),"+c"(n),"=&r"(i)
 		: "r"(rp),"r"(ap),"r"(bp)
 		: "cc"
 	);
@@ -174,7 +196,7 @@ BN_ULONG bn_add_words (BN_ULONG *rp, BN_ULONG *ap, BN_ULONG *bp,int n)
 
 #ifndef SIMICS
 BN_ULONG bn_sub_words (BN_ULONG *rp, BN_ULONG *ap, BN_ULONG *bp,int n)
-{ BN_ULONG ret,i;
+{ BN_ULONG ret=0,i=0;
 
 	if (n <= 0) return 0;
 
@@ -187,7 +209,7 @@ BN_ULONG bn_sub_words (BN_ULONG *rp, BN_ULONG *ap, BN_ULONG *bp,int n)
 	"	leaq	1(%2),%2	\n"
 	"	loop	1b		\n"
 	"	sbbq	%0,%0		\n"
-		: "+a"(ret),"+c"(n),"+r"(i)
+		: "=&a"(ret),"+c"(n),"=&r"(i)
 		: "r"(rp),"r"(ap),"r"(bp)
 		: "cc"
 	);
@@ -318,7 +340,6 @@ BN_ULONG bn_sub_words(BN_ULONG *r, BN_ULONG *a, BN_ULONG *b, int n)
 
 void bn_mul_comba8(BN_ULONG *r, BN_ULONG *a, BN_ULONG *b)
 	{
-	BN_ULONG bl,bh;
 	BN_ULONG t1,t2;
 	BN_ULONG c1,c2,c3;
 
@@ -423,7 +444,6 @@ void bn_mul_comba8(BN_ULONG *r, BN_ULONG *a, BN_ULONG *b)
 
 void bn_mul_comba4(BN_ULONG *r, BN_ULONG *a, BN_ULONG *b)
 	{
-	BN_ULONG bl,bh;
 	BN_ULONG t1,t2;
 	BN_ULONG c1,c2,c3;
 
@@ -464,7 +484,6 @@ void bn_mul_comba4(BN_ULONG *r, BN_ULONG *a, BN_ULONG *b)
 
 void bn_sqr_comba8(BN_ULONG *r, BN_ULONG *a)
 	{
-	BN_ULONG bl,bh;
 	BN_ULONG t1,t2;
 	BN_ULONG c1,c2,c3;
 
@@ -541,7 +560,6 @@ void bn_sqr_comba8(BN_ULONG *r, BN_ULONG *a)
 
 void bn_sqr_comba4(BN_ULONG *r, BN_ULONG *a)
 	{
-	BN_ULONG bl,bh;
 	BN_ULONG t1,t2;
 	BN_ULONG c1,c2,c3;
 

crypto/bn/bn_mont.c

@@ -273,7 +273,7 @@ int BN_MONT_CTX_set(BN_MONT_CTX *mont, const BIGNUM *mod, BN_CTX *ctx)
 
 	BN_init(&Ri);
 	R= &(mont->RR);					/* grab RR as a temp */
-	BN_copy(&(mont->N),mod);			/* Set N */
+	if (!BN_copy(&(mont->N),mod)) goto err;		/* Set N */
 	mont->N.neg = 0;
 
 #ifdef MONT_WORD

crypto/buffer/.cvsignore

@@ -1,2 +1,4 @@
 lib
 Makefile.save
+*.flc
+semantic.cache

crypto/buffer/Makefile

@@ -51,7 +51,7 @@ links:
 	@$(PERL) $(TOP)/util/mklink.pl ../../apps $(APPS)
 
 install:
-	@for i in $(EXHEADER) ; \
+	@headerlist="$(EXHEADER)"; for i in $$headerlist ; \
 	do  \
 	(cp $$i $(INSTALL_PREFIX)$(INSTALLTOP)/include/openssl/$$i; \
 	chmod 644 $(INSTALL_PREFIX)$(INSTALLTOP)/include/openssl/$$i ); \

crypto/cast/.cvsignore

@@ -1,2 +1,4 @@
 lib
 Makefile.save
+*.flc
+semantic.cache

crypto/cast/Makefile

@@ -75,7 +75,7 @@ links:
 	@$(PERL) $(TOP)/util/mklink.pl ../../apps $(APPS)
 
 install:
-	@for i in $(EXHEADER) ; \
+	@headerlist="$(EXHEADER)"; for i in $$headerlist ; \
 	do  \
 	(cp $$i $(INSTALL_PREFIX)$(INSTALLTOP)/include/openssl/$$i; \
 	chmod 644 $(INSTALL_PREFIX)$(INSTALLTOP)/include/openssl/$$i ); \
@@ -114,5 +114,7 @@ c_ofb64.o: ../../e_os.h ../../include/openssl/cast.h
 c_ofb64.o: ../../include/openssl/e_os2.h ../../include/openssl/opensslconf.h
 c_ofb64.o: c_ofb64.c cast_lcl.h
 c_skey.o: ../../e_os.h ../../include/openssl/cast.h
-c_skey.o: ../../include/openssl/e_os2.h ../../include/openssl/opensslconf.h
-c_skey.o: c_skey.c cast_lcl.h cast_s.h
+c_skey.o: ../../include/openssl/crypto.h ../../include/openssl/e_os2.h
+c_skey.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
+c_skey.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h
+c_skey.o: ../../include/openssl/symhacks.h c_skey.c cast_lcl.h cast_s.h

crypto/cast/asm/.cvsignore

@@ -1,2 +1,4 @@
 cx86unix.cpp
 cx86-elf.s
+*.flc
+semantic.cache

crypto/cast/c_skey.c

@@ -56,7 +56,9 @@
  * [including the GNU Public Licence.]
  */
 
+#include <openssl/crypto.h>
 #include <openssl/cast.h>
+
 #include "cast_lcl.h"
 #include "cast_s.h"
 
@@ -72,7 +74,7 @@
 #define S6 CAST_S_table6
 #define S7 CAST_S_table7
 
-void CAST_set_key(CAST_KEY *key, int len, const unsigned char *data)
+FIPS_NON_FIPS_VCIPHER_Init(CAST)
 	{
 	CAST_LONG x[16];
 	CAST_LONG z[16];

crypto/cast/cast.h

@@ -81,7 +81,10 @@ typedef struct cast_key_st
 	int short_key;	/* Use reduced rounds for short key */
 	} CAST_KEY;
 
- 
+
+#ifdef OPENSSL_FIPS 
+void private_CAST_set_key(CAST_KEY *key, int len, const unsigned char *data);
+#endif
 void CAST_set_key(CAST_KEY *key, int len, const unsigned char *data);
 void CAST_ecb_encrypt(const unsigned char *in,unsigned char *out,CAST_KEY *key,
 		      int enc);

crypto/comp/.cvsignore

@@ -1,2 +1,4 @@
 lib
 Makefile.save
+*.flc
+semantic.cache

crypto/comp/Makefile

@@ -54,7 +54,7 @@ links:
 	@$(PERL) $(TOP)/util/mklink.pl ../../apps $(APPS)
 
 install:
-	@for i in $(EXHEADER) ; \
+	@headerlist="$(EXHEADER)"; for i in $$headerlist ; \
 	do  \
 	(cp $$i $(INSTALL_PREFIX)$(INSTALLTOP)/include/openssl/$$i; \
 	chmod 644 $(INSTALL_PREFIX)$(INSTALLTOP)/include/openssl/$$i ); \
@@ -90,6 +90,7 @@ c_rle.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h c_rle.c
 c_zlib.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
 c_zlib.o: ../../include/openssl/bn.h ../../include/openssl/comp.h
 c_zlib.o: ../../include/openssl/crypto.h ../../include/openssl/e_os2.h
+c_zlib.o: ../../include/openssl/err.h ../../include/openssl/lhash.h
 c_zlib.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h
 c_zlib.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
 c_zlib.o: ../../include/openssl/ossl_typ.h ../../include/openssl/safestack.h

crypto/comp/c_zlib.c

@@ -3,6 +3,7 @@
 #include <string.h>
 #include <openssl/objects.h>
 #include <openssl/comp.h>
+#include <openssl/err.h>
 
 COMP_METHOD *COMP_zlib(void );
 

crypto/conf/.cvsignore

@@ -1,2 +1,4 @@
 lib
 Makefile.save
+*.flc
+semantic.cache