Time to release the next beta.

The tag will be OpenSSL_0_9_8-beta2.

FAQ

@@ -46,6 +46,7 @@ OpenSSL  -  Frequently Asked Questions
 * Why does the OpenSSL test suite fail on MacOS X?
 * Why does the OpenSSL test suite fail in BN_sqr test [on a 64-bit platform]?
 * Why does OpenBSD-i386 build fail on des-586.s with "Unimplemented segment type"?
+* Why does the OpenSSL test suite fail in sha512t on x86 CPU?
 
 [PROG] Questions about programming with OpenSSL
 
@@ -598,6 +599,14 @@ Reportedly elder *BSD a.out platforms also suffer from this problem and
 remedy should be same. Provided binary is statically linked and should be
 working across wider range of *BSD branches, not just OpenBSD.
 
+* Why does the OpenSSL test suite fail in sha512t on x86 CPU?
+
+If the test program in question fails withs SIGILL, Illegal Instruction
+exception, then you more than likely to run SSE2-capable CPU, such as
+Intel P4, under control of kernel which does not support SSE2
+instruction extentions. See accompanying INSTALL file and
+OPENSSL_ia32cap(3) documentation page for further information.
+
 [PROG] ========================================================================
 
 * Is OpenSSL thread-safe?

Makefile.org

@@ -276,7 +276,7 @@ Makefile: Makefile.org Configure config
 	@false
 
 libclean:
-	rm -f *.map *.so *.so.* engines/*.so *.a */lib */*/lib
+	rm -f *.map *.so *.so.* *.dll engines/*.so engines/*.dll *.a engines/*.a */lib */*/lib
 
 clean:	libclean
 	rm -f shlib/*.o *.o core a.out fluff rehash.time testlog make.log cctest cctest.c
@@ -476,13 +476,13 @@ install_sw:
 					chmod 555 $(INSTALL_PREFIX)$(INSTALLTOP)/lib/$$i.new; \
 					mv -f $(INSTALL_PREFIX)$(INSTALLTOP)/lib/$$i.new $(INSTALL_PREFIX)$(INSTALLTOP)/lib/$$i; \
 				else \
-					c=`echo $$i | sed 's/^lib/cyg/'`; \
+					c=`echo $$i | sed 's/^lib\(.*\)\.dll\.a/cyg\1-$(SHLIB_VERSION_NUMBER).dll/'`; \
 					cp $$c $(INSTALL_PREFIX)$(INSTALLTOP)/bin/$$c.new; \
 					chmod 755 $(INSTALL_PREFIX)$(INSTALLTOP)/bin/$$c.new; \
 					mv -f $(INSTALL_PREFIX)$(INSTALLTOP)/bin/$$c.new $(INSTALL_PREFIX)$(INSTALLTOP)/bin/$$c; \
-					cp $$i.a $(INSTALL_PREFIX)$(INSTALLTOP)/lib/$$i.a.new; \
-					chmod 644 $(INSTALL_PREFIX)$(INSTALLTOP)/lib/$$i.a.new; \
-					mv -f $(INSTALL_PREFIX)$(INSTALLTOP)/lib/$$i.a.new $(INSTALL_PREFIX)$(INSTALLTOP)/lib/$$i.a; \
+					cp $$i $(INSTALL_PREFIX)$(INSTALLTOP)/lib/$$i.new; \
+					chmod 644 $(INSTALL_PREFIX)$(INSTALLTOP)/lib/$$i.new; \
+					mv -f $(INSTALL_PREFIX)$(INSTALLTOP)/lib/$$i.new $(INSTALL_PREFIX)$(INSTALLTOP)/lib/$$i; \
 				fi ); \
 			fi; \
 		done; \

Makefile.shared

@@ -231,7 +231,8 @@ link_o.cygwin:
 	SHLIB=cyg$(LIBNAME); \
 	expr $(PLATFORM) : 'mingw' > /dev/null && SHLIB=$(LIBNAME)eay32; \
 	SHLIB_SUFFIX=.dll; \
-	SHLIB_SOVER=-$(LIBVERSION); \
+	LIBVERSION="$(LIBVERSION)"; \
+	SHLIB_SOVER=${LIBVERSION:+"-$(LIBVERSION)"}; \
 	ALLSYMSFLAGS='-Wl,--whole-archive'; \
 	NOALLSYMSFLAGS='-Wl,--no-whole-archive'; \
 	SHAREDFLAGS="$(CFLAGS) $(SHARED_LDFLAGS) -shared -Wl,-Bsymbolic -Wl,--out-implib,lib$(LIBNAME).dll.a"; \
@@ -242,16 +243,16 @@ link_a.cygwin:
 	SHLIB=cyg$(LIBNAME); \
 	expr $(PLATFORM) : 'mingw' > /dev/null && SHLIB=$(LIBNAME)eay32; \
 	SHLIB_SUFFIX=.dll; \
-	SHLIB_SOVER=; \
+	SHLIB_SOVER=-$(LIBVERSION); \
 	ALLSYMSFLAGS='-Wl,--whole-archive'; \
 	NOALLSYMSFLAGS='-Wl,--no-whole-archive'; \
-	base=;  [ $(LIBNAME) = "crypto" ] && base=-Wl,--image-base,0x61200000; \
+	base=;  [ $(LIBNAME) = "crypto" ] && base=-Wl,--image-base,0x63000000; \
 	SHAREDFLAGS="$(CFLAGS) $(SHARED_LDFLAGS) -shared $$base -Wl,-Bsymbolic -Wl,--out-implib,lib$(LIBNAME).dll.a"; \
 	[ -f apps/$$SHLIB$$SHLIB_SUFFIX ] && rm apps/$$SHLIB$$SHLIB_SUFFIX; \
 	[ -f test/$$SHLIB$$SHLIB_SUFFIX ] && rm test/$$SHLIB$$SHLIB_SUFFIX; \
 	$(LINK_SO_A) || exit 1; \
-	cp -p $$SHLIB$$SHLIB_SUFFIX apps/; \
-	cp -p $$SHLIB$$SHLIB_SUFFIX test/
+	cp -p $$SHLIB$$SHLIB_SOVER$$SHLIB_SUFFIX apps/; \
+	cp -p $$SHLIB$$SHLIB_SOVER$$SHLIB_SUFFIX test/
 link_app.cygwin:
 	$(LINK_APP)
 

README

@@ -1,5 +1,5 @@
 
- OpenSSL 0.9.8-beta1 19 May 2005
+ OpenSSL 0.9.8-beta2 24 May 2005
 
  Copyright (c) 1998-2005 The OpenSSL Project
  Copyright (c) 1995-1998 Eric A. Young, Tim J. Hudson

STATUS

@@ -1,10 +1,11 @@
 
   OpenSSL STATUS                           Last modified at
-  ______________                           $Date: 2005/05/19 19:42:03 $
+  ______________                           $Date: 2005/05/24 03:42:48 $
 
   DEVELOPMENT STATE
 
     o  OpenSSL 0.9.9:  Under development...
+    o  OpenSSL 0.9.8-beta2:  Released on May 24th, 2005
     o  OpenSSL 0.9.8-beta1:  Released on May 19th, 2005
     o  OpenSSL 0.9.7g: Released on April     11th, 2005
     o  OpenSSL 0.9.7f: Released on March     22nd, 2005

apps/Makefile

@@ -86,7 +86,7 @@ req: sreq.o $(A_OBJ) $(DLIBCRYPTO)
 	shlib_target=; if [ -n "$(SHARED_LIBS)" ]; then \
 		shlib_target="$(SHLIB_TARGET)"; \
 	fi; \
-	$(MAKE) -f $(TOP)/Makefile.shared \
+	$(MAKE) -f $(TOP)/Makefile.shared $(BUILDENV) \
 		APPNAME=req OBJECTS="sreq.o $(A_OBJ) $(RAND_OBJ)" \
 		LIBDEPS="$(PEX_LIBS) $(LIBCRYPTO) $(EX_LIBS)" \
 		link_app.$${shlib_target}
@@ -158,7 +158,7 @@ $(EXE): progs.h $(E_OBJ) $(PROGRAM).o $(DLIBCRYPTO) $(DLIBSSL)
 	else \
 	  LIBRARIES="$(LIBSSL) $(LIBKRB5) $(LIBCRYPTO)" ; \
 	fi; \
-	$(MAKE) -f $(TOP)/Makefile.shared \
+	$(MAKE) -f $(TOP)/Makefile.shared $(BUILDENV) \
 		APPNAME=$(EXE) OBJECTS="$(PROGRAM).o $(E_OBJ)" \
 		LIBDEPS="$(PEX_LIBS) $$LIBRARIES $(EX_LIBS)" \
 		link_app.$${shlib_target}

apps/speed.c

@@ -496,9 +496,13 @@ int MAIN(int argc, char **argv)
 #endif
 #ifndef OPENSSL_NO_SHA
 	unsigned char sha[SHA_DIGEST_LENGTH];
+#ifndef OPENSSL_NO_SHA256
 	unsigned char sha256[SHA256_DIGEST_LENGTH];
+#endif
+#ifndef OPENSSL_NO_SHA512
 	unsigned char sha512[SHA512_DIGEST_LENGTH];
 #endif
+#endif
 #ifndef OPENSSL_NO_RIPEMD
 	unsigned char rmd160[RIPEMD160_DIGEST_LENGTH];
 #endif
@@ -878,11 +882,15 @@ int MAIN(int argc, char **argv)
 							doit[D_SHA256]=1,
 							doit[D_SHA512]=1;
 		else
+#ifndef OPENSSL_NO_SHA256
 			if (strcmp(*argv,"sha256") == 0) doit[D_SHA256]=1;
 		else
+#endif
+#ifndef OPENSSL_NO_SHA512
 			if (strcmp(*argv,"sha512") == 0) doit[D_SHA512]=1;
 		else
 #endif
+#endif
 #ifndef OPENSSL_NO_RIPEMD
 			if (strcmp(*argv,"ripemd") == 0) doit[D_RMD160]=1;
 		else
@@ -1064,8 +1072,12 @@ int MAIN(int argc, char **argv)
 #endif
 #ifndef OPENSSL_NO_SHA1
 			BIO_printf(bio_err,"sha1     ");
-			BIO_printf(bio_err,"sha256  ");
-			BIO_printf(bio_err,"sha512  ");
+#endif
+#ifndef OPENSSL_NO_SHA256
+			BIO_printf(bio_err,"sha256   ");
+#endif
+#ifndef OPENSSL_NO_SHA512
+			BIO_printf(bio_err,"sha512   ");
 #endif
 #ifndef OPENSSL_NO_RIPEMD160
 			BIO_printf(bio_err,"rmd160");

config

@@ -647,11 +647,14 @@ case "$GUESSOS" in
 	    OUT="solaris64-x86_64-$CC"
 	else
 	    OUT="solaris-x86-$CC"
+	    if [ `uname -r | sed -e 's/5\.//'` -lt 10 ]; then
+		options="$options no-sse2"
+	    fi
 	fi
 	;;
   *-*-sunos4)		OUT="sunos-$CC" ;;
 
-  *86*-*-bsdi4)		OUT="bsdi-elf-gcc" ;;
+  *86*-*-bsdi4)		OUT="bsdi-elf-gcc"; options="$options no-sse2" ;;
   alpha*-*-*bsd*)	OUT="BSD-generic64; options="$options -DL_ENDIAN" ;;
   powerpc64-*-*bsd*)	OUT="BSD-generic64; options="$options -DB_ENDIAN" ;;
   sparc64-*-*bsd*)	OUT="BSD-sparc64" ;;
@@ -659,7 +662,7 @@ case "$GUESSOS" in
   amd64-*-*bsd*)	OUT="BSD-x86_64" ;;
   *86*-*-*bsd*)		case "`(file -L /usr/lib/libc.so.*) 2>/dev/null`" in
 			*ELF*)	OUT="BSD-x86-elf" ;;
-			*)	OUT="BSD-x86" ;;
+			*)	OUT="BSD-x86"; options="$options no-sse2" ;;
 			esac ;;
   *-*-*bsd*)		OUT="BSD-generic32" ;;
 

crypto/bn/bn_nist.c

@@ -282,6 +282,11 @@ int BN_nist_mod_192(BIGNUM *r, const BIGNUM *a, const BIGNUM *field,
 
 	nist_cp_bn_0(buf, a_d + BN_NIST_192_TOP, top - BN_NIST_192_TOP, BN_NIST_192_TOP);
 
+#if defined(OPENSSL_SYS_VMS) && defined(__DECC)
+# pragma save
+# pragma message disable BADSUBSCRIPT
+#endif
+
 	nist_set_192(t_d, buf, 0, 3, 3);
 	if (bn_add_words(r_d, r_d, t_d, BN_NIST_192_TOP))
 		++carry;
@@ -290,6 +295,10 @@ int BN_nist_mod_192(BIGNUM *r, const BIGNUM *a, const BIGNUM *field,
 	if (bn_add_words(r_d, r_d, t_d, BN_NIST_192_TOP))
 		++carry;
 
+#if defined(OPENSSL_SYS_VMS) && defined(__DECC)
+# pragma restore
+#endif
+
 	nist_set_192(t_d, buf, 5, 5, 5)
 	if (bn_add_words(r_d, r_d, t_d, BN_NIST_192_TOP))
 		++carry;

crypto/cryptlib.c

@@ -624,7 +624,7 @@ BOOL WINAPI DllMain(HINSTANCE hinstDLL, DWORD fdwReason,
 #include <tchar.h>
 
 #if defined(_WIN32_WINNT) && _WIN32_WINNT>=0x0333
-static int IsService(void)
+int OPENSSL_isservice(void)
 { HWINSTA h;
   DWORD len;
   WCHAR *name;
@@ -722,7 +722,7 @@ void OPENSSL_showfatal (const char *fmta,...)
 
 #if defined(_WIN32_WINNT) && _WIN32_WINNT>=0x0333
     /* this -------------v--- guards NT-specific calls */
-    if (GetVersion() < 0x80000000 && IsService())
+    if (GetVersion() < 0x80000000 && OPENSSL_isservice())
     {	HANDLE h = RegisterEventSource(0,_T("OPENSSL"));
 	const TCHAR *pmsg=buf;
 	ReportEvent(h,EVENTLOG_ERROR_TYPE,0,0,0,1,0,&pmsg,0);
@@ -754,6 +754,7 @@ void OPENSSL_showfatal (const char *fmta,...)
     vfprintf (stderr,fmta,ap);
     va_end (ap);
 }
+int OPENSSL_isservice (void) { return 0; }
 #endif
 
 void OpenSSLDie(const char *file,int line,const char *assertion)

crypto/cryptlib.h

@@ -103,6 +103,7 @@ extern unsigned long OPENSSL_ia32cap_P;
 void OPENSSL_showfatal(const char *,...);
 void *OPENSSL_stderr(void);
 extern int OPENSSL_NONPIC_relocated;
+int OPENSSL_isservice(void);
 
 #ifdef  __cplusplus
 }

crypto/ec/ec_lib.c

@@ -622,7 +622,7 @@ void EC_EX_DATA_free_data(EC_EXTRA_DATA **ex_data,
 	}
 
 /* this has 'package' visibility */
-void EC_EX_DATA_clear_free_extra_data(EC_EXTRA_DATA **ex_data,
+void EC_EX_DATA_clear_free_data(EC_EXTRA_DATA **ex_data,
 	void *(*dup_func)(void *), void (*free_func)(void *), void (*clear_free_func)(void *))
 	{
 	EC_EXTRA_DATA **p;

crypto/ecdh/ech_lib.c

@@ -78,6 +78,7 @@ const char *ECDH_version="ECDH" OPENSSL_VERSION_PTEXT;
 
 static const ECDH_METHOD *default_ECDH_method = NULL;
 
+static void *ecdh_data_new(void);
 static void *ecdh_data_dup(void *);
 static void  ecdh_data_free(void *);
 
@@ -167,7 +168,7 @@ static ECDH_DATA *ECDH_DATA_new_method(ENGINE *engine)
 	return(ret);
 	}
 
-void *ecdh_data_new(void)
+static void *ecdh_data_new(void)
 	{
 	return (void *)ECDH_DATA_new_method(NULL);
 	}

crypto/ecdsa/ecs_lib.c

@@ -65,6 +65,7 @@ const char *ECDSA_version="ECDSA" OPENSSL_VERSION_PTEXT;
 
 static const ECDSA_METHOD *default_ECDSA_method = NULL;
 
+static void *ecdsa_data_new(void);
 static void *ecdsa_data_dup(void *);
 static void  ecdsa_data_free(void *);
 
@@ -147,7 +148,7 @@ static ECDSA_DATA *ECDSA_DATA_new_method(ENGINE *engine)
 	return(ret);
 }
 
-void *ecdsa_data_new(void)
+static void *ecdsa_data_new(void)
 {
 	return (void *)ECDSA_DATA_new_method(NULL);
 }

crypto/opensslv.h

@@ -25,11 +25,11 @@
  * (Prior to 0.9.5a beta1, a different scheme was used: MMNNFFRBB for
  *  major minor fix final patch/beta)
  */
-#define OPENSSL_VERSION_NUMBER	0x00908001L
+#define OPENSSL_VERSION_NUMBER	0x00908002L
 #ifdef OPENSSL_FIPS
-#define OPENSSL_VERSION_TEXT	"OpenSSL 0.9.8-fips-beta1 19 May 2005"
+#define OPENSSL_VERSION_TEXT	"OpenSSL 0.9.8-fips-beta2 24 May 2005"
 #else
-#define OPENSSL_VERSION_TEXT	"OpenSSL 0.9.8-beta1 19 May 2005"
+#define OPENSSL_VERSION_TEXT	"OpenSSL 0.9.8-beta2 24 May 2005"
 #endif
 #define OPENSSL_VERSION_PTEXT	" part of " OPENSSL_VERSION_TEXT
 

crypto/perlasm/x86unix.pl

@@ -537,7 +537,8 @@ sub main'file_end
 	if ($main'elf && grep {/%[x]*mm[0-7]/i} @out) {
 		local($tmp);
 
-		push (@out,"\n.comm\t${under}OPENSSL_ia32cap_P,4,4\n");
+		push (@out,"\n.section\t.bss\n");
+		push (@out,".comm\t${under}OPENSSL_ia32cap_P,4,4\n");
 
 		push (@out,".section\t.init\n");
 		# One can argue that it's wasteful to craft every
@@ -572,6 +573,8 @@ sub main'file_end
 		movl	%edx,0(%edi)
 		popl	%ebx
 		popl	%edi
+		jmp	1f
+	.align	$align
 	1:
 ___
 		push (@out,$tmp);
@@ -716,6 +719,9 @@ sub main'initseg
 		$tmp=<<___;
 .section	.init
 	call	$under$f
+	jmp	1f
+.align	$align
+1:
 ___
 		}
 	elsif ($main'coff)

crypto/pkcs7/pk7_smime.c

@@ -88,6 +88,7 @@ PKCS7 *PKCS7_sign(X509 *signcert, EVP_PKEY *pkey, STACK_OF(X509) *certs,
 
     	if (!(si = PKCS7_add_signature(p7,signcert,pkey,EVP_sha1()))) {
 		PKCS7err(PKCS7_F_PKCS7_SIGN,PKCS7_R_PKCS7_ADD_SIGNATURE_ERROR);
+		PKCS7_free(p7);
 		return NULL;
 	}
 
@@ -105,6 +106,7 @@ PKCS7 *PKCS7_sign(X509 *signcert, EVP_PKEY *pkey, STACK_OF(X509) *certs,
 		{
 		if(!(smcap = sk_X509_ALGOR_new_null())) {
 			PKCS7err(PKCS7_F_PKCS7_SIGN,ERR_R_MALLOC_FAILURE);
+			PKCS7_free(p7);
 			return NULL;
 		}
 #ifndef OPENSSL_NO_DES
@@ -130,6 +132,7 @@ PKCS7 *PKCS7_sign(X509 *signcert, EVP_PKEY *pkey, STACK_OF(X509) *certs,
 
 	if (!(p7bio = PKCS7_dataInit(p7, NULL))) {
 		PKCS7err(PKCS7_F_PKCS7_SIGN,ERR_R_MALLOC_FAILURE);
+		PKCS7_free(p7);
 		return NULL;
 	}
 
@@ -139,10 +142,12 @@ PKCS7 *PKCS7_sign(X509 *signcert, EVP_PKEY *pkey, STACK_OF(X509) *certs,
 
         if (!PKCS7_dataFinal(p7,p7bio)) {
 		PKCS7err(PKCS7_F_PKCS7_SIGN,PKCS7_R_PKCS7_DATASIGN);
+		PKCS7_free(p7);
+		BIO_free_all(p7bio);
 		return NULL;
 	}
 
-        BIO_free_all(p7bio);
+	BIO_free_all(p7bio);
 	return p7;
 }
 

crypto/rand/rand_win.c

@@ -632,7 +632,8 @@ int RAND_event(UINT iMsg, WPARAM wParam, LPARAM lParam)
 void RAND_screen(void) /* function available for backward compatibility */
 {
 	RAND_poll();
-	readscreen();
+	if (GetVersion() >= 0x80000000 || !OPENSSL_isservice())
+		readscreen();
 }
 
 

crypto/rand/randfile.c

@@ -57,7 +57,7 @@
  */
 
 /* We need to define this to get macros like S_IFBLK and S_IFCHR */
-#define _XOPEN_SOURCE 1
+#define _XOPEN_SOURCE 500
 
 #include <errno.h>
 #include <stdio.h>

crypto/sha/sha.h

@@ -148,6 +148,7 @@ void SHA256_Transform(SHA256_CTX *c, const unsigned char *data);
 #define SHA384_DIGEST_LENGTH	48
 #define SHA512_DIGEST_LENGTH	64
 
+#ifndef OPENSSL_NO_SHA512
 /*
  * Unlike 32-bit digest algorithms, SHA-512 *relies* on SHA_LONG64
  * being exactly 64-bit wide. See Implementation Notes in sha512.c
@@ -177,6 +178,7 @@ typedef struct SHA512state_st
 	} u;
 	unsigned int num,md_len;
 	} SHA512_CTX;
+#endif
 
 #ifndef OPENSSL_NO_SHA512
 int SHA384_Init(SHA512_CTX *c);

crypto/sha/sha256t.c

@@ -10,6 +10,14 @@
 #include <openssl/sha.h>
 #include <openssl/evp.h>
 
+#if defined(OPENSSL_NO_SHA) || defined(OPENSSL_NO_SHA256)
+int main(int argc, char *argv[])
+{
+    printf("No SHA256 support\n");
+    return(0);
+}
+#else
+
 unsigned char app_b1[SHA256_DIGEST_LENGTH] = {
 	0xba,0x78,0x16,0xbf,0x8f,0x01,0xcf,0xea,
 	0x41,0x41,0x40,0xde,0x5d,0xae,0x22,0x23,
@@ -136,3 +144,4 @@ int main ()
 
   return 0;
 }
+#endif

crypto/sha/sha512t.c

@@ -11,6 +11,14 @@
 #include <openssl/evp.h>
 #include <openssl/crypto.h>
 
+#if defined(OPENSSL_NO_SHA) || defined(OPENSSL_NO_SHA512)
+int main(int argc, char *argv[])
+{
+    printf("No SHA512 support\n");
+    return(0);
+}
+#else
+
 unsigned char app_c1[SHA512_DIGEST_LENGTH] = {
 	0xdd,0xaf,0x35,0xa1,0x93,0x61,0x7a,0xba,
 	0xcc,0x41,0x73,0x49,0xae,0x20,0x41,0x31,
@@ -173,3 +181,4 @@ int main ()
 
   return 0;
 }
+#endif

doc/apps/ca.pod

@@ -422,7 +422,7 @@ the same as B<-msie_hack>
 the same as B<-policy>. Mandatory. See the B<POLICY FORMAT> section
 for more information.
 
-=item B<nameopt>, B<certopt>
+=item B<name_opt>, B<cert_opt>
 
 these options allow the format used to display the certificate details
 when asking the user to confirm signing. All the options supported by
@@ -544,8 +544,8 @@ A sample configuration file with the relevant sections for B<ca>:
  policy         = policy_any            # default policy
  email_in_dn    = no                    # Don't add the email into cert DN
 
- nameopt	= ca_default		# Subject name display option
- certopt	= ca_default		# Certificate display option
+ name_opt	= ca_default		# Subject name display option
+ cert_opt	= ca_default		# Certificate display option
  copy_extensions = none			# Don't copy extensions from request
 
  [ policy_any ]

doc/crypto/ecdsa.pod

@@ -14,13 +14,11 @@ ecdsa - Elliptic Curve Digital Signature Algorithm
  ECDSA_SIG*	d2i_ECDSA_SIG(ECDSA_SIG **sig, const unsigned char **pp, 
 		long len);
 
- ECDSA_DATA*	ECDSA_DATA_new(void);
- ECDSA_DATA*	ECDSA_DATA_new_method(ENGINE *eng);
- void		ECDSA_DATA_free(ECDSA_DATA *data);
- ECDSA_DATA*	ecdsa_check(EC_KEY *eckey);
-
  ECDSA_SIG*	ECDSA_do_sign(const unsigned char *dgst, int dgst_len,
 			EC_KEY *eckey);
+ ECDSA_SIG*	ECDSA_do_sign_ex(const unsigned char *dgst, int dgstlen, 
+			const BIGNUM *kinv, const BIGNUM *rp,
+			EC_KEY *eckey);
  int		ECDSA_do_verify(const unsigned char *dgst, int dgst_len,
 			const ECDSA_SIG *sig, EC_KEY* eckey);
  int		ECDSA_sign_setup(EC_KEY *eckey, BN_CTX *ctx,
@@ -28,6 +26,10 @@ ecdsa - Elliptic Curve Digital Signature Algorithm
  int		ECDSA_sign(int type, const unsigned char *dgst,
 			int dgstlen, unsigned char *sig,
 			unsigned int *siglen, EC_KEY *eckey);
+ int		ECDSA_sign_ex(int type, const unsigned char *dgst,
+			int dgstlen, unsigned char *sig,
+			unsigned int *siglen, const BIGNUM *kinv, 
+			const BIGNUM *rp, EC_KEY *eckey);
  int		ECDSA_verify(int type, const unsigned char *dgst,
 			int dgstlen, const unsigned char *sig,
 			int siglen, EC_KEY *eckey);
@@ -72,35 +74,6 @@ the decoded signature in a newly allocated B<ECDSA_SIG> structure.
 B<*sig> points to the buffer containing the DER encoded signature
 of size B<len>.
 
-The B<ECDSA_DATA> structure extends the B<EC_KEY_METH_DATA>
-structure with ECDSA specific data.
-
- struct
-	{
-	/* EC_KEY_METH_DATA part */
-	int  (*init)(EC_KEY *);
-	void (*finish)(EC_KEY *);
-	/* method (ECDSA) specific part */
-	BIGNUM	*kinv;	/* signing pre-calc */
-	BIGNUM	*r;	/* signing pre-calc */
-	...
-	} 
- ECDSA_DATA;
-
-B<kinv> and B<r> are used to store precomputed values (see
-B<ECDSA_sign_setup>). 
-
-ECDSA_DATA_new() returns a newly allocated and initialized
-B<ECDSA_DATA> structure (or NULL on error). 
-
-ECDSA_DATA_free() frees the B<ECDSA_DATA> structure B<data>.
-
-ecdsa_check() returns the pointer to the B<ECDSA_DATA>
-structure in B<EC_KEY-E<gt>meth_data> (if B<EC_KEY-E<gt>meth_data>
-is not a pointer to a B<ECDSA_DATA> structure then the old
-data is freed and a new B<ECDSA_DATA> structure is allocated
-using B<ECDSA_DATA_new>).
-
 ECDSA_size() returns the maximum length of a DER encoded
 ECDSA signature created with the private EC key B<eckey>.
 
@@ -108,13 +81,15 @@ ECDSA_sign_setup() may be used to precompute parts of the
 signing operation. B<eckey> is the private EC key and B<ctx>
 is a pointer to B<BN_CTX> structure (or NULL). The precomputed
 values or returned in B<kinv> and B<rp> and can be used in a
-later call to B<ECDSA_sign> or B<ECDSA_do_sign> when placed in
-B<ECDSA_DATA-E<gt>kinv> and B<ECDSA_DATA-E<gt>r>.
+later call to B<ECDSA_sign_ex> or B<ECDSA_do_sign_ex>.
 
-ECDSA_sign() computes a digital signature of the B<dgstlen> bytes
-hash value B<dgst> using the private EC key B<eckey> and places
-the DER encoding of the created signature in B<sig>. The length
-of the created signature is returned in B<sig_len>. Note: B<sig>
+ECDSA_sign() is wrapper function for ECDSA_sign_ex with B<kinv>
+and B<rp> set to NULL.
+
+ECDSA_sign_ex() computes a digital signature of the B<dgstlen> bytes
+hash value B<dgst> using the private EC key B<eckey> and the optional
+pre-computed values B<kinv> and B<rp>. The DER encoded signatures is
+stored in B<sig> and it's length is returned in B<sig_len>. Note: B<sig>
 must point to B<ECDSA_size> bytes of memory. The parameter B<type>
 is ignored.
 
@@ -123,10 +98,13 @@ B<siglen> is a valid ECDSA signature of the hash value
 value B<dgst> of size B<dgstlen> using the public key B<eckey>.
 The parameter B<type> is ignored.
 
-ECDSA_do_sign() computes a digital signature of the B<dgst_len>
-bytes hash value B<dgst> using the private key B<eckey> and 
-returns the signature in a newly allocated B<ECDSA_SIG> structure
-(or NULL on error).
+ECDSA_do_sign() is wrapper function for ECDSA_do_sign_ex with B<kinv>
+and B<rp> set to NULL.
+
+ECDSA_do_sign_ex() computes a digital signature of the B<dgst_len>
+bytes hash value B<dgst> using the private key B<eckey> and the
+optional pre-computed values B<kinv> and B<rp>. The signature is
+returned in a newly allocated B<ECDSA_SIG> structure (or NULL on error).
 
 ECDSA_do_verify() verifies that the signature B<sig> is a valid
 ECDSA signature of the hash value B<dgst> of size B<dgst_len>

e_os.h

@@ -235,6 +235,23 @@ extern "C" {
 #  define NO_DIRENT
 
 #  ifdef WINDOWS
+#    ifndef _WIN32_WINNT
+       /*
+	* Defining _WIN32_WINNT here in e_os.h implies certain "discipline."
+	* Most notably we ought to check for availability of each specific
+	* routine with GetProcAddress() and/or quard NT-specific calls with
+	* GetVersion() < 0x80000000. One can argue that in latter "or" case
+	* we ought to /DELAYLOAD some .DLLs in order to protect ourselves
+	* against run-time link errors. This doesn't seem to be necessary,
+	* because it turned out that already Windows 95, first non-NT Win32
+	* implementation, is equipped with at least NT 3.51 stubs, dummy
+	* routines with same name, but which do nothing. Meaning that it's
+	* apparently appropriate to guard generic NT calls with GetVersion
+	* alone, while NT 4.0 and above calls ought to be additionally
+	* checked upon with GetProcAddress.
+	*/
+#      define _WIN32_WINNT 0x0400
+#    endif
 #    include <windows.h>
 #    include <stddef.h>
 #    include <errno.h>

engines/Makefile

@@ -82,14 +82,19 @@ files:
 links:
 
 # XXXXX This currently only works on systems that use .so as suffix
-# for shared libraries.
+# for shared libraries as well as for Cygwin which uses the
+# dlfcn_name_converter and therefore stores the engines with .so suffix, too.
 install:
 	@[ -n "$(INSTALLTOP)" ] # should be set by top Makefile...
 	@if [ -n "$(SHARED_LIBS)" ]; then \
 		set -e; \
 		for l in $(LIBNAMES); do \
 			( echo installing $$l; \
-			  cp lib$$l.so $(INSTALL_PREFIX)$(INSTALLTOP)/lib/engines/lib$$l.so.new; \
+			  if [ "$(PLATFORM)" != "Cygwin" ]; then \
+				  cp lib$$l.so $(INSTALL_PREFIX)$(INSTALLTOP)/lib/engines/lib$$l.so.new; \
+			  else \
+				  cp cyg$$l.dll $(INSTALL_PREFIX)$(INSTALLTOP)/lib/engines/lib$$l.so.new; \
+			  fi; \
 			  chmod 555 $(INSTALL_PREFIX)$(INSTALLTOP)/lib/engines/lib$$l.so.new; \
 			  mv -f $(INSTALL_PREFIX)$(INSTALLTOP)/lib/engines/lib$$l.so.new $(INSTALL_PREFIX)$(INSTALLTOP)/lib/engines/lib$$l.so ); \
 		done; \

ssl/Makefile

@@ -160,7 +160,7 @@ d1_clnt.o: ../include/openssl/ssl2.h ../include/openssl/ssl23.h
 d1_clnt.o: ../include/openssl/ssl3.h ../include/openssl/stack.h
 d1_clnt.o: ../include/openssl/symhacks.h ../include/openssl/tls1.h
 d1_clnt.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h d1_clnt.c
-d1_clnt.o: ssl_locl.h
+d1_clnt.o: kssl_lcl.h ssl_locl.h
 d1_enc.o: ../e_os.h ../include/openssl/asn1.h ../include/openssl/bio.h
 d1_enc.o: ../include/openssl/buffer.h ../include/openssl/comp.h
 d1_enc.o: ../include/openssl/crypto.h ../include/openssl/dsa.h

ssl/d1_clnt.c

@@ -115,6 +115,7 @@
 
 #include <stdio.h>
 #include "ssl_locl.h"
+#include "kssl_lcl.h"
 #include <openssl/buffer.h>
 #include <openssl/rand.h>
 #include <openssl/objects.h>

ssl/kssl.c

@@ -68,7 +68,7 @@
 
 #include <openssl/opensslconf.h>
 
-#define _XOPEN_SOURCE /* glibc2 needs this to declare strptime() */
+#define _XOPEN_SOURCE 500 /* glibc2 needs this to declare strptime() */
 #include <time.h>
 #undef _XOPEN_SOURCE /* To avoid clashes with anything else... */
 #include <string.h>

ssl/s3_srvr.c

@@ -1886,7 +1886,7 @@ int ssl3_get_client_key_exchange(SSL *s)
 		n2s(p,i);
 		enc_ticket.length = i;
 
-		if (n < enc_ticket.length + 6)
+		if (n < (int)enc_ticket.length + 6)
 			{
 			SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,
 				SSL_R_DATA_LENGTH_TOO_LONG);
@@ -1899,7 +1899,7 @@ int ssl3_get_client_key_exchange(SSL *s)
 		n2s(p,i);
 		authenticator.length = i;
 
-		if (n < enc_ticket.length + authenticator.length + 6)
+		if (n < (int)(enc_ticket.length + authenticator.length) + 6)
 			{
 			SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,
 				SSL_R_DATA_LENGTH_TOO_LONG);

ssl/ssltest.c

@@ -128,7 +128,7 @@
 #define USE_SOCKETS
 #include "e_os.h"
 
-#define _XOPEN_SOURCE 1		/* Or isascii won't be declared properly on
+#define _XOPEN_SOURCE 500	/* Or isascii won't be declared properly on
 				   VMS (at least with DECompHP C).  */
 #include <ctype.h>
 

test/Makefile

@@ -312,7 +312,7 @@ BUILD_CMD=shlib_target=; if [ -n "$(SHARED_LIBS)" ]; then \
 	else \
 		LIBRARIES="$(LIBSSL) $(LIBCRYPTO)"; \
 	fi; \
-	$(MAKE) -f $(TOP)/Makefile.shared \
+	$(MAKE) -f $(TOP)/Makefile.shared $(BUILDENV) \
 		APPNAME=$$target$(EXE_EXT) OBJECTS="$$target.o" \
 		LIBDEPS="$(PEX_LIBS) $$LIBRARIES $(EX_LIBS)" \
 		link_app.$${shlib_target}

util/cygwin.sh

@@ -47,6 +47,14 @@ function doc_install()
   create_cygwin_readme
 }
 
+function certs_install()
+{
+  CERTS_DIR=${INSTALL_PREFIX}/usr/ssl/certs
+
+  mkdir -p ${CERTS_DIR}
+  cp -rp certs/* ${CERTS_DIR}
+}
+
 function create_cygwin_readme()
 {
   README_DIR=${INSTALL_PREFIX}/usr/share/doc/Cygwin
@@ -104,6 +112,8 @@ base_install
 
 doc_install
 
+certs_install
+
 create_cygwin_readme
 
 create_profile_files
@@ -112,11 +122,13 @@ cd ${INSTALL_PREFIX}
 strip usr/bin/*.exe usr/bin/*.dll
 
 # Runtime package
-find etc usr/bin usr/share/doc usr/ssl/certs usr/ssl/man/man[157] \
-     usr/ssl/misc usr/ssl/openssl.cnf usr/ssl/private -empty -o \! -type d |
+find etc usr/bin usr/lib/engines usr/share/doc usr/ssl/certs \
+     usr/ssl/man/man[157] usr/ssl/misc usr/ssl/openssl.cnf usr/ssl/private \
+     -empty -o \! -type d |
 tar cjfT openssl-${VERSION}-${SUBVERSION}.tar.bz2 -
 # Development package
-find usr/include usr/lib usr/ssl/man/man3 -empty -o \! -type d |
+find usr/include usr/lib/*.a usr/lib/pkgconfig usr/ssl/man/man3 \
+     -empty -o \! -type d |
 tar cjfT openssl-devel-${VERSION}-${SUBVERSION}.tar.bz2 -
 
 ls -l openssl-${VERSION}-${SUBVERSION}.tar.bz2

util/pl/VC-32.pl

@@ -11,7 +11,7 @@ $rm='del';
 
 # C compiler stuff
 $cc='cl';
-$cflags=' /MD /W3 /WX /G5 /Ox /O2 /Ob2 /Gs0 /GF /Gy /nologo -DOPENSSL_SYSNAME_WIN32 -DWIN32_LEAN_AND_MEAN -D_WIN32_WINNT=0x0333 -DL_ENDIAN -DDSO_WIN32';
+$cflags=' /MD /W3 /WX /G5 /Ox /O2 /Ob2 /Gs0 /GF /Gy /nologo -DOPENSSL_SYSNAME_WIN32 -DWIN32_LEAN_AND_MEAN -DL_ENDIAN -DDSO_WIN32';
 $lflags="/nologo /subsystem:console /machine:I386 /opt:ref";
 $mlflags='';