Fix RFC num.

Submitted by: David Woodhouse <dwmw2@infradead.org>
Approved by: steve@openssl.org

Compatibility patches for Cisco VPN client DTLS.

CHANGES

@@ -2,7 +2,42 @@
  OpenSSL CHANGES
  _______________
 
- Changes between 0.9.8j and 0.9.9  [xx XXX xxxx]
+ Changes between 0.9.8k and 1.0  [xx XXX xxxx]
+
+  *) Add "missing" function EVP_MD_flags() (without this the only way to
+     retrieve a digest flags is by accessing the structure directly. Update
+     EVP_MD_do_all*() and EVP_CIPHER_do_all*() to include the name a digest
+     or cipher is registered as in the "from" argument. Print out all
+     registered digests in the dgst usage message instead of manually 
+     attempting to work them out.
+     [Steve Henson]
+
+  *) If no SSLv2 ciphers are used don't use an SSLv2 compatible client hello:
+     this allows the use of compression and extensions. Change default cipher
+     string to remove SSLv2 ciphersuites. This effectively avoids ancient SSLv2
+     by default unless an application cipher string requests it.
+     [Steve Henson]
+
+  *) Alter match criteria in PKCS12_parse(). It used to try to use local
+     key ids to find matching certificates and keys but some PKCS#12 files
+     don't follow the (somewhat unwritten) rules and this strategy fails.
+     Now just gather all certificates together and the first private key
+     then look for the first certificate that matches the key.
+     [Steve Henson]
+
+  *) Support use of registered digest and cipher names for dgst and cipher
+     commands instead of having to add each one as a special case. So now
+     you can do:
+
+        openssl sha256 foo
+
+     as well as:
+
+        openssl dgst -sha256 foo
+
+     and this works for ENGINE based algorithms too.
+
+     [Steve Henson]
 
   *) Update Gost ENGINE to support parameter files.
      [Victor B. Wagner <vitus@cryptocom.ru>]
@@ -749,7 +784,30 @@
   *) Change 'Configure' script to enable Camellia by default.
      [NTT]
 
- Changes between 0.9.8j and 0.9.8k  [xx XXX xxxx]
+ Changes between 0.9.8k and 0.9.8l  [xx XXX xxxx]
+
+  *) Handle non-blocking I/O properly in SSL_shutdown() call.
+     [Darryl Miles <darryl-mailinglists@netbauds.net>]
+
+  *) Add 2.5.4.* OIDs
+     [Ilya O. <vrghost@gmail.com>]
+
+ Changes between 0.9.8j and 0.9.8k  [25 Mar 2009]
+
+  *) Don't set val to NULL when freeing up structures, it is freed up by
+     underlying code. If sizeof(void *) > sizeof(long) this can result in
+     zeroing past the valid field. (CVE-2009-0789)
+     [Paolo Ganci <Paolo.Ganci@AdNovum.CH>]
+
+  *) Fix bug where return value of CMS_SignerInfo_verify_content() was not
+     checked correctly. This would allow some invalid signed attributes to
+     appear to verify correctly. (CVE-2009-0591)
+     [Ivan Nestlerode <inestlerode@us.ibm.com>]
+
+  *) Reject UniversalString and BMPString types with invalid lengths. This
+     prevents a crash in ASN1_STRING_print_ex() which assumes the strings have
+     a legal length. (CVE-2009-0590)
+     [Steve Henson]
 
   *) Set S/MIME signing as the default purpose rather than setting it 
      unconditionally. This allows applications to override it at the store

CHANGES.SSLeay

@@ -148,7 +148,7 @@ eric (about to go bushwalking for the 4 day easter break :-)
       This would tend to cause memory overwrites since SSLv3 has
       a maximum packet size of 16k.  If your program uses
       buffers <= 16k, you would probably never see this problem.
-    - Fixed a new errors that were cause by malloc() not returning
+    - Fixed a few errors that were cause by malloc() not returning
       0 initialised memory..
     - SSL_OP_NETSCAPE_CA_DN_BUG was being switched on when using
       SSL_CTX_set_options(ssl_ctx,SSL_OP_ALL); which was a bad thing

Configure

@@ -496,7 +496,7 @@ my %table=(
 "BC-32","bcc32::::WIN32::BN_LLONG DES_PTR RC4_INDEX EXPORT_VAR_AS_FN:${no_asm}:win32",
 
 # MinGW
-"mingw", "gcc:-mno-cygwin -DL_ENDIAN -fomit-frame-pointer -O3 -march=i486 -Wall:::MINGW32:-lws2_32 -lgdi32:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts} EXPORT_VAR_AS_FN:${x86_asm}:coff:win32:cygwin-shared:-D_WINDLL -DOPENSSL_USE_APPLINK:-mno-cygwin:.dll.a",
+"mingw", "gcc:-mno-cygwin -DL_ENDIAN -DOPENSSL_NO_CAPIENG -fomit-frame-pointer -O3 -march=i486 -Wall:::MINGW32:-lws2_32 -lgdi32:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts} EXPORT_VAR_AS_FN:${x86_asm}:coff:win32:cygwin-shared:-D_WINDLL -DOPENSSL_USE_APPLINK:-mno-cygwin:.dll.a",
 # As for OPENSSL_USE_APPLINK. Applink makes it possible to use .dll
 # compiled with one compiler with application compiled with another
 # compiler. It's possible to engage Applink support in mingw64 build,
@@ -1218,7 +1218,14 @@ if ($zlib)
 	$cflags = "-DZLIB $cflags";
 	if (defined($disabled{"zlib-dynamic"}))
 		{
-		$lflags = "$lflags -lz";
+		if (defined($withargs{"zlib-lib"}))
+			{
+			$lflags = "$lflags -L" . $withargs{"zlib-lib"} . " -lz";
+			}
+		else
+			{
+			$lflags = "$lflags -lz";
+			}
 		}
 	else
 		{

FAQ

@@ -78,7 +78,7 @@ OpenSSL  -  Frequently Asked Questions
 * Which is the current version of OpenSSL?
 
 The current version is available from <URL: http://www.openssl.org>.
-OpenSSL 0.9.8j was released on Jan 7th, 2009.
+OpenSSL 0.9.8k was released on Mar 25th, 2009.
 
 In addition to the current stable release, you can also access daily
 snapshots of the OpenSSL development version at <URL:

Makefile.org

@@ -188,6 +188,7 @@ BUILDENV=	PLATFORM='$(PLATFORM)' PROCESSOR='$(PROCESSOR)' \
 		MAKEDEPPROG='$(MAKEDEPPROG)'			\
 		SHARED_LDFLAGS='$(SHARED_LDFLAGS)'		\
 		KRB5_INCLUDES='$(KRB5_INCLUDES)' LIBKRB5='$(LIBKRB5)'	\
+		ZLIB_INCLUDE='$(ZLIB_INCLUDE)' LIBZLIB='$(LIBZLIB)'	\
 		EXE_EXT='$(EXE_EXT)' SHARED_LIBS='$(SHARED_LIBS)'	\
 		SHLIB_EXT='$(SHLIB_EXT)' SHLIB_TARGET='$(SHLIB_TARGET)'	\
 		PEX_LIBS='$(PEX_LIBS)' EX_LIBS='$(EX_LIBS)'	\
@@ -403,8 +404,8 @@ test:   tests
 
 tests: rehash
 	@(cd test && echo "testing..." && \
-	$(CLEARENV) && $(MAKE) -e $(BUILDENV) TOP=.. TESTS='$(TESTS)' OPENSSL_DEBUG_MEMORY=on tests );
-	util/opensslwrap.sh version -a
+	$(CLEARENV) && $(MAKE) -e $(BUILDENV) TOP=.. TESTS='$(TESTS)' OPENSSL_DEBUG_MEMORY=on OPENSSL_CONF=../apps/openssl.cnf tests );
+	OPENSSL_CONF=apps/openssl.cnf util/opensslwrap.sh version -a
 
 report:
 	@$(PERL) util/selftest.pl
@@ -579,7 +580,7 @@ install_html_docs:
 				grep -v $$filecase "^$$fn\$$" | \
 				(cd $(INSTALL_PREFIX)$(HTMLDIR)/$$subdir; \
 				 while read n; do \
-					$$here/util/point.sh $$fn.$(HTMLSUFFIX) "$$n".$(HTMLSUFFIX); \
+					PLATFORM=$(PLATFORM) $$here/util/point.sh $$fn.$(HTMLSUFFIX) "$$n".$(HTMLSUFFIX); \
 				 done); \
 		done; \
 	done
@@ -610,7 +611,7 @@ install_docs:
 			(grep -v "[	]"; true) | \
 			(cd $(INSTALL_PREFIX)$(MANDIR)/man$$sec/; \
 			 while read n; do \
-				$$here/util/point.sh $$fn.$${sec}$(MANSUFFIX) "$$n".$${sec}$(MANSUFFIX); \
+				PLATFORM=$(PLATFORM) $$here/util/point.sh $$fn.$${sec}$(MANSUFFIX) "$$n".$${sec}$(MANSUFFIX); \
 			 done); \
 	done; \
 	set -e; for i in doc/crypto/*.pod doc/ssl/*.pod; do \
@@ -627,7 +628,7 @@ install_docs:
 			(grep -v "[	]"; true) | \
 			(cd $(INSTALL_PREFIX)$(MANDIR)/man$$sec/; \
 			 while read n; do \
-				$$here/util/point.sh $$fn.$${sec}$(MANSUFFIX) "$$n".$${sec}$(MANSUFFIX); \
+				PLATFORM=$(PLATFORM) $$here/util/point.sh $$fn.$${sec}$(MANSUFFIX) "$$n".$${sec}$(MANSUFFIX); \
 			 done); \
 	done
 

NEWS

@@ -5,8 +5,50 @@
   This file gives a brief overview of the major changes between each OpenSSL
   release. For more details please read the CHANGES file.
 
+  Major changes between OpenSSL 0.9.8k and OpenSSL 1.0:
+
+
+      o RFC3280 path validation: sufficient to process PKITS tests.
+      o Integrated support for PVK files and keyblobs.
+      o Change default private key format to PKCS#8.
+      o CMS support: able to process all examples in RFC4134
+      o Streaming ASN1 encode support for PKCS#7 and CMS.
+      o Multiple signer and signer add support for PKCS#7 and CMS.
+      o ASN1 printing support.
+      o Whirlpool hash algorithm added.
+      o RFC3161 time stamp support.
+      o New generalised public key API supporting ENGINE based algorithms.
+      o New generalised public key API utilities.
+      o New ENGINE supporting GOST algorithms.
+      o SSL/TLS GOST ciphersuite support.
+      o PKCS#7 and CMS GOST support.
+      o RFC4279 PSK ciphersuite support.
+      o Supported points format extension for ECC ciphersuites.
+      o ecdsa-with-SHA224/256/384/512 signature types.
+      o dsa-with-SHA224 and dsa-with-SHA256 signature types.
+      o Opaque PRF Input TLS extension support.
+      o Updated time routines to avoid OS limitations.
+
+  Major changes between OpenSSL 0.9.8j and OpenSSL 0.9.8k:
+
+      o Fix various build issues.
+      o Fix security issues (CVE-2009-0590, CVE-2009-0591, CVE-2009-0789)
+
+  Major changes between OpenSSL 0.9.8i and OpenSSL 0.9.8j:
+
+      o Fix security issue (CVE-2008-5077)
+      o Merge FIPS 140-2 branch code.
+
+  Major changes between OpenSSL 0.9.8g and OpenSSL 0.9.8h:
+
+      o CryptoAPI ENGINE support.
+      o Various precautionary measures.
+      o Fix for bugs affecting certificate request creation.
+      o Support for local machine keyset attribute in PKCS#12 files.
+
   Major changes between OpenSSL 0.9.8f and OpenSSL 0.9.8g:
 
+      o Backport of CMS functionality to 0.9.8.
       o Fixes for bugs introduced with 0.9.8f.
 
   Major changes between OpenSSL 0.9.8e and OpenSSL 0.9.8f:

README

@@ -1,5 +1,5 @@
 
- OpenSSL 0.9.9-dev XX xxx XXXX
+ OpenSSL 1.0.0-beta2 21 Apr 2009
 
  Copyright (c) 1998-2008 The OpenSSL Project
  Copyright (c) 1995-1998 Eric A. Young, Tim J. Hudson

STATUS

@@ -1,10 +1,11 @@
 
   OpenSSL STATUS                           Last modified at
-  ______________                           $Date: 2008/05/28 22:30:28 $
+  ______________                           $Date: 2009/04/21 15:19:15 $
 
   DEVELOPMENT STATE
 
-    o  OpenSSL 0.9.9:  Under development...
+    o  OpenSSL 1.0.0-beta2: Released on April 21st, 2009
+    o  OpenSSL 1.0.0-beta1: Released on April 1st, 2009
     o  OpenSSL 0.9.8h: Released on May       28th, 2008
     o  OpenSSL 0.9.8g: Released on October   19th, 2007
     o  OpenSSL 0.9.8f: Released on October   11th, 2007

TABLE

@@ -1366,7 +1366,7 @@ $multilib     =
 
 *** debug-ben-debug
 $cc           = gcc
-$cflags       = -DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG -DPEDANTIC -DDEBUG_SAFESTACK -g3 -O2 -pedantic -Wall -Wshadow -Werror -pipe
+$cflags       = -Wall -pedantic -DPEDANTIC -Wno-long-long -Wsign-compare -Wmissing-prototypes -Wshadow -Wformat -Werror -DCRYPTO_MDEBUG_ALL -DCRYPTO_MDEBUG_ABORT -DREF_CHECK -DOPENSSL_NO_DEPRECATED -DBN_DEBUG -DCONF_DEBUG -DBN_CTX_DEBUG -DDEBUG_SAFESTACK -g3 -O2 -pipe
 $unistd       = 
 $thread_cflag = (unknown)
 $sys_id       = 
@@ -3691,7 +3691,7 @@ $multilib     = 64
 
 *** mingw
 $cc           = gcc
-$cflags       = -mno-cygwin -DL_ENDIAN -fomit-frame-pointer -O3 -march=i486 -Wall
+$cflags       = -mno-cygwin -DL_ENDIAN -DOPENSSL_NO_CAPIENG -fomit-frame-pointer -O3 -march=i486 -Wall
 $unistd       = 
 $thread_cflag = 
 $sys_id       = MINGW32

apps/apps.c

@@ -259,13 +259,6 @@ int str2fmt(char *s)
 		return(FORMAT_ASN1);
 	else if ((*s == 'T') || (*s == 't'))
 		return(FORMAT_TEXT);
-	else if ((*s == 'P') || (*s == 'p'))
- 		{
- 		if (s[1] == 'V' || s[1] == 'v')
- 			return FORMAT_PVK;
- 		else
-  			return(FORMAT_PEM);
- 		}
   	else if ((*s == 'N') || (*s == 'n'))
   		return(FORMAT_NETSCAPE);
   	else if ((*s == 'S') || (*s == 's'))
@@ -278,6 +271,13 @@ int str2fmt(char *s)
 		return(FORMAT_PKCS12);
 	else if ((*s == 'E') || (*s == 'e'))
 		return(FORMAT_ENGINE);
+	else if ((*s == 'P') || (*s == 'p'))
+ 		{
+ 		if (s[1] == 'V' || s[1] == 'v')
+ 			return FORMAT_PVK;
+ 		else
+  			return(FORMAT_PEM);
+ 		}
 	else
 		return(FORMAT_UNDEF);
 	}

apps/cms.c

@@ -704,7 +704,7 @@ int MAIN(int argc, char **argv)
 
 		if (secret_key && !secret_keyid)
 			{
-			BIO_printf(bio_err, "No sectre key id\n");
+			BIO_printf(bio_err, "No secret key id\n");
 			goto end;
 			}
 

apps/dgst.c

@@ -79,6 +79,26 @@ int do_fp(BIO *out, unsigned char *buf, BIO *bp, int sep, int binout,
 	  const char *sig_name, const char *md_name,
 	  const char *file,BIO *bmd);
 
+static void list_md_fn(const EVP_MD *m,
+			const char *from, const char *to, void *arg)
+	{
+	const char *mname;
+	/* Skip aliases */
+	if (!m)
+		return;
+	mname = OBJ_nid2ln(EVP_MD_type(m));
+	/* Skip shortnames */
+	if (strcmp(from, mname))
+		return;
+	/* Skip clones */
+	if (EVP_MD_flags(m) & EVP_MD_FLAG_PKEY_DIGEST)
+		return;
+	if (strchr(mname, ' '))
+		mname= EVP_MD_name(m);
+	BIO_printf(arg, "-%-14s to use the %s message digest algorithm\n",
+			mname, mname);
+	}
+
 int MAIN(int, char **);
 
 int MAIN(int argc, char **argv)
@@ -249,43 +269,17 @@ int MAIN(int argc, char **argv)
 		BIO_printf(bio_err,"-verify file    verify a signature using public key in file\n");
 		BIO_printf(bio_err,"-prverify file  verify a signature using private key in file\n");
 		BIO_printf(bio_err,"-keyform arg    key file format (PEM or ENGINE)\n");
+		BIO_printf(bio_err,"-out filename   output to filename rather than stdout\n");
 		BIO_printf(bio_err,"-signature file signature to verify\n");
 		BIO_printf(bio_err,"-sigopt nm:v    signature parameter\n");
 		BIO_printf(bio_err,"-hmac key       create hashed MAC with key\n");
+		BIO_printf(bio_err,"-mac algorithm  create MAC (not neccessarily HMAC)\n"); 
+		BIO_printf(bio_err,"-macopt nm:v    MAC algorithm parameters or key\n");
 #ifndef OPENSSL_NO_ENGINE
 		BIO_printf(bio_err,"-engine e       use engine e, possibly a hardware device.\n");
 #endif
 
-		BIO_printf(bio_err,"-%-14s to use the %s message digest algorithm (default)\n",
-			LN_md5,LN_md5);
-		BIO_printf(bio_err,"-%-14s to use the %s message digest algorithm\n",
-			LN_md4,LN_md4);
-		BIO_printf(bio_err,"-%-14s to use the %s message digest algorithm\n",
-			LN_md2,LN_md2);
-#ifndef OPENSSL_NO_SHA
-		BIO_printf(bio_err,"-%-14s to use the %s message digest algorithm\n",
-			LN_sha1,LN_sha1);
-#ifndef OPENSSL_NO_SHA256
-		BIO_printf(bio_err,"-%-14s to use the %s message digest algorithm\n",
-			LN_sha224,LN_sha224);
-		BIO_printf(bio_err,"-%-14s to use the %s message digest algorithm\n",
-			LN_sha256,LN_sha256);
-#endif
-#ifndef OPENSSL_NO_SHA512
-		BIO_printf(bio_err,"-%-14s to use the %s message digest algorithm\n",
-			LN_sha384,LN_sha384);
-		BIO_printf(bio_err,"-%-14s to use the %s message digest algorithm\n",
-			LN_sha512,LN_sha512);
-#endif
-#endif
-		BIO_printf(bio_err,"-%-14s to use the %s message digest algorithm\n",
-			LN_mdc2,LN_mdc2);
-		BIO_printf(bio_err,"-%-14s to use the %s message digest algorithm\n",
-			LN_ripemd160,LN_ripemd160);
-#ifndef OPENSSL_NO_WHIRLPOOL
-		BIO_printf(bio_err,"-%-14s to use the %s message digest algorithm\n",
-			SN_whirlpool,SN_whirlpool);
-#endif
+		EVP_MD_do_all_sorted(list_md_fn, bio_err);
 		goto end;
 		}
 
@@ -598,7 +592,14 @@ int do_fp(BIO *out, unsigned char *buf, BIO *bp, int sep, int binout,
 			}
 		}
 	else
+		{
 		len=BIO_gets(bp,(char *)buf,BUFSIZE);
+		if (len <0) 
+			{
+			ERR_print_errors(bio_err);
+			return 1;
+			}
+		}
 
 	if(binout) BIO_write(out, buf, len);
 	else 

apps/genrsa.c

@@ -105,9 +105,9 @@ int MAIN(int argc, char **argv)
 	char *inrand=NULL;
 	BIO *out=NULL;
 	BIGNUM *bn = BN_new();
-	RSA *rsa = RSA_new();
+	RSA *rsa = NULL;
 
-	if(!bn || !rsa) goto err;
+	if(!bn) goto err;
 
 	apps_startup();
 	BN_GENCB_set(&cb, genrsa_cb, bio_err);
@@ -266,6 +266,10 @@ bad:
 	BIO_printf(bio_err,"Generating RSA private key, %d bit long modulus\n",
 		num);
 
+	rsa = RSA_new();
+	if (!rsa)
+		goto err;
+
 	if(!BN_set_word(bn, f4) || !RSA_generate_key_ex(rsa, num, bn, &cb))
 		goto err;
 		

apps/ocsp.c

@@ -62,6 +62,8 @@
 				   on OpenVMS */
 #endif
 
+#define USE_SOCKETS
+
 #include <stdio.h>
 #include <stdlib.h>
 #include <string.h>

apps/openssl-vms.cnf

@@ -231,7 +231,7 @@ keyUsage = nonRepudiation, digitalSignature, keyEncipherment
 
 subjectKeyIdentifier=hash
 
-authorityKeyIdentifier=keyid:always,issuer:always
+authorityKeyIdentifier=keyid:always,issuer
 
 # This is what PKIX recommends but some broken software chokes on critical
 # extensions.
@@ -264,7 +264,7 @@ basicConstraints = CA:true
 # Only issuerAltName and authorityKeyIdentifier make any sense in a CRL.
 
 # issuerAltName=issuer:copy
-authorityKeyIdentifier=keyid:always,issuer:always
+authorityKeyIdentifier=keyid:always
 
 [ proxy_cert_ext ]
 # These extensions should be added when creating a proxy certificate
@@ -297,7 +297,7 @@ nsComment			= "OpenSSL Generated Certificate"
 
 # PKIX recommendations harmless if included in all certificates.
 subjectKeyIdentifier=hash
-authorityKeyIdentifier=keyid,issuer:always
+authorityKeyIdentifier=keyid,issuer
 
 # This stuff is for subjectAltName and issuerAltname.
 # Import the email address.

apps/openssl.c

@@ -392,6 +392,21 @@ static int do_cmd(LHASH_OF(FUNCTION) *prog, int argc, char *argv[])
 		{ ret=0; goto end; }
 	f.name=argv[0];
 	fp=lh_FUNCTION_retrieve(prog,&f);
+	if (fp == NULL)
+		{
+		if (EVP_get_digestbyname(argv[0]))
+			{
+			f.type = FUNC_TYPE_MD;
+			f.func = dgst_main;
+			fp = &f;
+			}
+		else if (EVP_get_cipherbyname(argv[0]))
+			{
+			f.type = FUNC_TYPE_CIPHER;
+			f.func = enc_main;
+			fp = &f;
+			}
+		}
 	if (fp != NULL)
 		{
 		ret=fp->func(argc,argv);

apps/openssl.cnf

@@ -231,7 +231,7 @@ keyUsage = nonRepudiation, digitalSignature, keyEncipherment
 
 subjectKeyIdentifier=hash
 
-authorityKeyIdentifier=keyid:always,issuer:always
+authorityKeyIdentifier=keyid:always,issuer
 
 # This is what PKIX recommends but some broken software chokes on critical
 # extensions.
@@ -264,7 +264,7 @@ basicConstraints = CA:true
 # Only issuerAltName and authorityKeyIdentifier make any sense in a CRL.
 
 # issuerAltName=issuer:copy
-authorityKeyIdentifier=keyid:always,issuer:always
+authorityKeyIdentifier=keyid:always
 
 [ proxy_cert_ext ]
 # These extensions should be added when creating a proxy certificate
@@ -297,7 +297,7 @@ nsComment			= "OpenSSL Generated Certificate"
 
 # PKIX recommendations harmless if included in all certificates.
 subjectKeyIdentifier=hash
-authorityKeyIdentifier=keyid,issuer:always
+authorityKeyIdentifier=keyid,issuer
 
 # This stuff is for subjectAltName and issuerAltname.
 # Import the email address.

apps/pkeyparam.c

@@ -179,7 +179,7 @@ int MAIN(int argc, char **argv)
 	pkey = PEM_read_bio_Parameters(in, NULL);
 	if (!pkey)
 		{
-		BIO_printf(bio_err, "Error reading paramters\n");
+		BIO_printf(bio_err, "Error reading parameters\n");
 		ERR_print_errors(bio_err);
 		goto end;
 		}

apps/pkeyutl.c

@@ -390,7 +390,7 @@ static void usage()
 	BIO_printf(bio_err, "Usage: pkeyutl [options]\n");
 	BIO_printf(bio_err, "-in file        input file\n");
 	BIO_printf(bio_err, "-out file       output file\n");
-	BIO_printf(bio_err, "-signature file signature file (verify operation only)\n");
+	BIO_printf(bio_err, "-sigfile file signature file (verify operation only)\n");
 	BIO_printf(bio_err, "-inkey file     input key\n");
 	BIO_printf(bio_err, "-keyform arg    private key format - default PEM\n");
 	BIO_printf(bio_err, "-pubin          input is a public key\n");

apps/req.c

@@ -365,11 +365,6 @@ int MAIN(int argc, char **argv)
 			serial = s2i_ASN1_INTEGER(NULL, *(++argv));
 			if (!serial) goto bad;
 			}
-		else if ((md_alg=EVP_get_digestbyname(&((*argv)[1]))) != NULL)
-			{
-			/* ok */
-			digest=md_alg;
-			}
 		else if (strcmp(*argv,"-extensions") == 0)
 			{
 			if (--argc < 1) goto bad;
@@ -380,6 +375,11 @@ int MAIN(int argc, char **argv)
 			if (--argc < 1) goto bad;
 			req_exts = *(++argv);
 			}
+		else if ((md_alg=EVP_get_digestbyname(&((*argv)[1]))) != NULL)
+			{
+			/* ok */
+			digest=md_alg;
+			}
 		else
 			{
 			BIO_printf(bio_err,"unknown option %s\n",*argv);

apps/s_server.c

@@ -671,7 +671,7 @@ static int MS_CALLBACK ssl_servername_cb(SSL *s, int *ad, void *arg)
 			return p->extension_error;
 		if (ctx2)
 			{
-			BIO_printf(p->biodebug,"Swiching server context.\n");
+			BIO_printf(p->biodebug,"Switching server context.\n");
 			SSL_set_SSL_CTX(s,ctx2);
 			}     
 		}

apps/ts.c

@@ -165,6 +165,9 @@ int MAIN(int argc, char **argv)
 		BIO_set_fp(bio_err, stderr, BIO_NOCLOSE | BIO_FP_TEXT);
 		}
 
+	if (!load_config(bio_err, NULL))
+		goto cleanup;
+
 	for (argc--, argv++; argc > 0; argc--, argv++)
 		{
 		if (strcmp(*argv, "-config") == 0)

apps/x509.c

@@ -114,7 +114,7 @@ static const char *x509_usage[]={
 " -alias          - output certificate alias\n",
 " -noout          - no certificate output\n",
 " -ocspid         - print OCSP hash values for the subject name and public key\n",
-" -ocspurl        - print OCSP Responder URL(s)\n",
+" -ocsp_uri       - print OCSP Responder URL(s)\n",
 " -trustout       - output a \"trusted\" certificate\n",
 " -clrtrust       - clear all trusted purposes\n",
 " -clrreject      - clear all rejected purposes\n",

crypto/Makefile

@@ -5,9 +5,9 @@
 DIR=		crypto
 TOP=		..
 CC=		cc
-INCLUDE=	-I. -I$(TOP) -I../include
+INCLUDE=	-I. -I$(TOP) -I../include $(ZLIB_INCLUDE)
 # INCLUDES targets sudbirs!
-INCLUDES=	-I.. -I../.. -I../asn1 -I../evp -I../../include
+INCLUDES=	-I.. -I../.. -I../asn1 -I../evp -I../../include $(ZLIB_INCLUDE)
 CFLAG=		-g
 MAKEDEPPROG=	makedepend
 MAKEDEPEND=	$(TOP)/util/domd $(TOP) -MD $(MAKEDEPPROG)

crypto/asn1/a_gentm.c

@@ -243,7 +243,7 @@ ASN1_GENERALIZEDTIME *ASN1_GENERALIZEDTIME_adj(ASN1_GENERALIZEDTIME *s,
 		p=OPENSSL_malloc(len);
 		if (p == NULL)
 			{
-			ASN1err(ASN1_F_ASN1_GENERALIZEDTIME_SET,
+			ASN1err(ASN1_F_ASN1_GENERALIZEDTIME_ADJ,
 				ERR_R_MALLOC_FAILURE);
 			return(NULL);
 			}

crypto/asn1/a_time.c

@@ -112,7 +112,7 @@ ASN1_TIME *ASN1_TIME_adj(ASN1_TIME *s, time_t t,
 	ts=OPENSSL_gmtime(&t,&data);
 	if (ts == NULL)
 		{
-		ASN1err(ASN1_F_ASN1_TIME_SET, ASN1_R_ERROR_GETTING_TIME);
+		ASN1err(ASN1_F_ASN1_TIME_ADJ, ASN1_R_ERROR_GETTING_TIME);
 		return NULL;
 		}
 	if (offset_day || offset_sec)

crypto/asn1/a_utctm.c

@@ -221,7 +221,7 @@ ASN1_UTCTIME *ASN1_UTCTIME_adj(ASN1_UTCTIME *s, time_t t,
 		p=OPENSSL_malloc(len);
 		if (p == NULL)
 			{
-			ASN1err(ASN1_F_ASN1_UTCTIME_SET,ERR_R_MALLOC_FAILURE);
+			ASN1err(ASN1_F_ASN1_UTCTIME_ADJ,ERR_R_MALLOC_FAILURE);
 			return(NULL);
 			}
 		if (s->data != NULL)

crypto/asn1/asn1.h

@@ -1172,6 +1172,7 @@ void ERR_load_ASN1_strings(void);
 #define ASN1_F_ASN1_ENUMERATED_TO_BN			 113
 #define ASN1_F_ASN1_EX_C2I				 204
 #define ASN1_F_ASN1_FIND_END				 190
+#define ASN1_F_ASN1_GENERALIZEDTIME_ADJ			 216
 #define ASN1_F_ASN1_GENERALIZEDTIME_SET			 185
 #define ASN1_F_ASN1_GENERATE_V3				 178
 #define ASN1_F_ASN1_GET_OBJECT				 114
@@ -1206,10 +1207,12 @@ void ERR_load_ASN1_strings(void);
 #define ASN1_F_ASN1_TEMPLATE_EX_D2I			 132
 #define ASN1_F_ASN1_TEMPLATE_NEW			 133
 #define ASN1_F_ASN1_TEMPLATE_NOEXP_D2I			 131
+#define ASN1_F_ASN1_TIME_ADJ				 217
 #define ASN1_F_ASN1_TIME_SET				 175
 #define ASN1_F_ASN1_TYPE_GET_INT_OCTETSTRING		 134
 #define ASN1_F_ASN1_TYPE_GET_OCTETSTRING		 135
 #define ASN1_F_ASN1_UNPACK_STRING			 136
+#define ASN1_F_ASN1_UTCTIME_ADJ				 218
 #define ASN1_F_ASN1_UTCTIME_SET				 187
 #define ASN1_F_ASN1_VERIFY				 137
 #define ASN1_F_B64_READ_ASN1				 209
@@ -1278,6 +1281,7 @@ void ERR_load_ASN1_strings(void);
 #define ASN1_R_BAD_OBJECT_HEADER			 102
 #define ASN1_R_BAD_PASSWORD_READ			 103
 #define ASN1_R_BAD_TAG					 104
+#define ASN1_R_BMPSTRING_IS_WRONG_LENGTH		 214
 #define ASN1_R_BN_LIB					 105
 #define ASN1_R_BOOLEAN_IS_WRONG_LENGTH			 106
 #define ASN1_R_BUFFER_TOO_SMALL				 107
@@ -1369,6 +1373,7 @@ void ERR_load_ASN1_strings(void);
 #define ASN1_R_UNABLE_TO_DECODE_RSA_KEY			 157
 #define ASN1_R_UNABLE_TO_DECODE_RSA_PRIVATE_KEY		 158
 #define ASN1_R_UNEXPECTED_EOC				 159
+#define ASN1_R_UNIVERSALSTRING_IS_WRONG_LENGTH		 215
 #define ASN1_R_UNKNOWN_FORMAT				 160
 #define ASN1_R_UNKNOWN_MESSAGE_DIGEST_ALGORITHM		 161
 #define ASN1_R_UNKNOWN_OBJECT_TYPE			 162

crypto/asn1/asn1_err.c

@@ -1,6 +1,6 @@
 /* crypto/asn1/asn1_err.c */
 /* ====================================================================
- * Copyright (c) 1999-2007 The OpenSSL Project.  All rights reserved.
+ * Copyright (c) 1999-2008 The OpenSSL Project.  All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
@@ -90,6 +90,7 @@ static ERR_STRING_DATA ASN1_str_functs[]=
 {ERR_FUNC(ASN1_F_ASN1_ENUMERATED_TO_BN),	"ASN1_ENUMERATED_to_BN"},
 {ERR_FUNC(ASN1_F_ASN1_EX_C2I),	"ASN1_EX_C2I"},
 {ERR_FUNC(ASN1_F_ASN1_FIND_END),	"ASN1_FIND_END"},
+{ERR_FUNC(ASN1_F_ASN1_GENERALIZEDTIME_ADJ),	"ASN1_GENERALIZEDTIME_adj"},
 {ERR_FUNC(ASN1_F_ASN1_GENERALIZEDTIME_SET),	"ASN1_GENERALIZEDTIME_set"},
 {ERR_FUNC(ASN1_F_ASN1_GENERATE_V3),	"ASN1_generate_v3"},
 {ERR_FUNC(ASN1_F_ASN1_GET_OBJECT),	"ASN1_get_object"},
@@ -124,10 +125,12 @@ static ERR_STRING_DATA ASN1_str_functs[]=
 {ERR_FUNC(ASN1_F_ASN1_TEMPLATE_EX_D2I),	"ASN1_TEMPLATE_EX_D2I"},
 {ERR_FUNC(ASN1_F_ASN1_TEMPLATE_NEW),	"ASN1_TEMPLATE_NEW"},
 {ERR_FUNC(ASN1_F_ASN1_TEMPLATE_NOEXP_D2I),	"ASN1_TEMPLATE_NOEXP_D2I"},
+{ERR_FUNC(ASN1_F_ASN1_TIME_ADJ),	"ASN1_TIME_adj"},
 {ERR_FUNC(ASN1_F_ASN1_TIME_SET),	"ASN1_TIME_set"},
 {ERR_FUNC(ASN1_F_ASN1_TYPE_GET_INT_OCTETSTRING),	"ASN1_TYPE_get_int_octetstring"},
 {ERR_FUNC(ASN1_F_ASN1_TYPE_GET_OCTETSTRING),	"ASN1_TYPE_get_octetstring"},
 {ERR_FUNC(ASN1_F_ASN1_UNPACK_STRING),	"ASN1_unpack_string"},
+{ERR_FUNC(ASN1_F_ASN1_UTCTIME_ADJ),	"ASN1_UTCTIME_adj"},
 {ERR_FUNC(ASN1_F_ASN1_UTCTIME_SET),	"ASN1_UTCTIME_set"},
 {ERR_FUNC(ASN1_F_ASN1_VERIFY),	"ASN1_verify"},
 {ERR_FUNC(ASN1_F_B64_READ_ASN1),	"B64_READ_ASN1"},
@@ -176,7 +179,7 @@ static ERR_STRING_DATA ASN1_str_functs[]=
 {ERR_FUNC(ASN1_F_PKCS5_PBE2_SET_IV),	"PKCS5_pbe2_set_iv"},
 {ERR_FUNC(ASN1_F_PKCS5_PBE_SET),	"PKCS5_pbe_set"},
 {ERR_FUNC(ASN1_F_PKCS5_PBE_SET0_ALGOR),	"PKCS5_pbe_set0_algor"},
-{ERR_FUNC(ASN1_F_SMIME_READ_ASN1),	"SMIME_read_asn1"},
+{ERR_FUNC(ASN1_F_SMIME_READ_ASN1),	"SMIME_read_ASN1"},
 {ERR_FUNC(ASN1_F_SMIME_TEXT),	"SMIME_text"},
 {ERR_FUNC(ASN1_F_X509_CINF_NEW),	"X509_CINF_NEW"},
 {ERR_FUNC(ASN1_F_X509_CRL_ADD0_REVOKED),	"X509_CRL_add0_revoked"},
@@ -199,6 +202,7 @@ static ERR_STRING_DATA ASN1_str_reasons[]=
 {ERR_REASON(ASN1_R_BAD_OBJECT_HEADER)    ,"bad object header"},
 {ERR_REASON(ASN1_R_BAD_PASSWORD_READ)    ,"bad password read"},
 {ERR_REASON(ASN1_R_BAD_TAG)              ,"bad tag"},
+{ERR_REASON(ASN1_R_BMPSTRING_IS_WRONG_LENGTH),"bmpstring is wrong length"},
 {ERR_REASON(ASN1_R_BN_LIB)               ,"bn lib"},
 {ERR_REASON(ASN1_R_BOOLEAN_IS_WRONG_LENGTH),"boolean is wrong length"},
 {ERR_REASON(ASN1_R_BUFFER_TOO_SMALL)     ,"buffer too small"},
@@ -290,6 +294,7 @@ static ERR_STRING_DATA ASN1_str_reasons[]=
 {ERR_REASON(ASN1_R_UNABLE_TO_DECODE_RSA_KEY),"unable to decode rsa key"},
 {ERR_REASON(ASN1_R_UNABLE_TO_DECODE_RSA_PRIVATE_KEY),"unable to decode rsa private key"},
 {ERR_REASON(ASN1_R_UNEXPECTED_EOC)       ,"unexpected eoc"},
+{ERR_REASON(ASN1_R_UNIVERSALSTRING_IS_WRONG_LENGTH),"universalstring is wrong length"},
 {ERR_REASON(ASN1_R_UNKNOWN_FORMAT)       ,"unknown format"},
 {ERR_REASON(ASN1_R_UNKNOWN_MESSAGE_DIGEST_ALGORITHM),"unknown message digest algorithm"},
 {ERR_REASON(ASN1_R_UNKNOWN_OBJECT_TYPE)  ,"unknown object type"},

crypto/asn1/tasn_dec.c

@@ -613,7 +613,6 @@ static int asn1_template_ex_d2i(ASN1_VALUE **val,
 
 	err:
 	ASN1_template_free(val, tt);
-	*val = NULL;
 	return 0;
 	}
 
@@ -762,7 +761,6 @@ static int asn1_template_noexp_d2i(ASN1_VALUE **val,
 
 	err:
 	ASN1_template_free(val, tt);
-	*val = NULL;
 	return 0;
 	}
 
@@ -1016,6 +1014,18 @@ int asn1_ex_c2i(ASN1_VALUE **pval, const unsigned char *cont, int len,
 		case V_ASN1_SET:
 		case V_ASN1_SEQUENCE:
 		default:
+		if (utype == V_ASN1_BMPSTRING && (len & 1))
+			{
+			ASN1err(ASN1_F_ASN1_EX_C2I,
+					ASN1_R_BMPSTRING_IS_WRONG_LENGTH);
+			goto err;
+			}
+		if (utype == V_ASN1_UNIVERSALSTRING && (len & 3))
+			{
+			ASN1err(ASN1_F_ASN1_EX_C2I,
+					ASN1_R_UNIVERSALSTRING_IS_WRONG_LENGTH);
+			goto err;
+			}
 		/* All based on ASN1_STRING and handled the same */
 		if (!*pval)
 			{

crypto/bio/b_sock.c

@@ -810,7 +810,7 @@ int BIO_accept(int sock, char **addr)
 #ifdef EAI_FAMILY
 # if defined(OPENSSL_SYS_VMS) || defined(OPENSSL_SYS_BEOS_BONE) || defined(OPENSSL_SYS_MSDOS)
 #  define SOCKLEN_T size_t
-# else
+# elif !defined(SOCKLEN_T)
 #  define SOCKLEN_T socklen_t
 #endif
 	do {

crypto/bio/bio.h

@@ -159,6 +159,7 @@ extern "C" {
 
 #define BIO_CTRL_DGRAM_SET_PEER           44 /* Destination for the data */
 
+#define BIO_CTRL_DGRAM_SET_TIMEOUT        45
 
 /* modifiers */
 #define BIO_FP_READ		0x02

crypto/bio/bss_dgram.c

@@ -66,6 +66,10 @@
 
 #include <openssl/bio.h>
 
+#ifdef OPENSSL_SYS_WIN32
+#include <sys/timeb.h>
+#endif
+
 #define IP_MTU      14 /* linux is lame */
 
 #ifdef WATT32
@@ -104,6 +108,8 @@ typedef struct bio_dgram_data_st
 	unsigned int connected;
 	unsigned int _errno;
 	unsigned int mtu;
+	struct timeval hstimeoutdiff;
+	struct timeval hstimeout;
 	} bio_dgram_data;
 
 BIO_METHOD *BIO_s_datagram(void)
@@ -196,6 +202,30 @@ static int dgram_read(BIO *b, char *out, int outl)
 				BIO_set_retry_read(b);
 				data->_errno = get_last_socket_error();
 				}
+			memset(&(data->hstimeout), 0, sizeof(struct timeval));
+			}
+		else
+			{
+			if (data->hstimeout.tv_sec > 0 || data->hstimeout.tv_usec > 0)
+				{
+				struct timeval curtime;
+#ifdef OPENSSL_SYS_WIN32
+				struct _timeb tb;
+				_ftime(&tb);
+				curtime.tv_sec = (long)tb.time;
+				curtime.tv_usec = (long)tb.millitm * 1000;
+#else
+				gettimeofday(&curtime, NULL);
+#endif
+
+				if (curtime.tv_sec >= data->hstimeout.tv_sec &&
+					curtime.tv_usec >= data->hstimeout.tv_usec)
+					{
+					data->_errno = EAGAIN;
+					ret = -1;
+					memset(&(data->hstimeout), 0, sizeof(struct timeval));
+					}
+				}
 			}
 		}
 	return(ret);
@@ -345,6 +375,30 @@ static long dgram_ctrl(BIO *b, int cmd, long num, void *ptr)
 
         memcpy(&(data->peer), to, sizeof(struct sockaddr));
         break;
+	case BIO_CTRL_DGRAM_SET_TIMEOUT:
+		if (num > 0)
+			{
+#ifdef OPENSSL_SYS_WIN32
+			struct _timeb tb;
+			_ftime(&tb);
+			data->hstimeout.tv_sec = (long)tb.time;
+			data->hstimeout.tv_usec = (long)tb.millitm * 1000;
+#else
+			gettimeofday(&(data->hstimeout), NULL);
+#endif
+			data->hstimeout.tv_sec += data->hstimeoutdiff.tv_sec;
+			data->hstimeout.tv_usec += data->hstimeoutdiff.tv_usec;
+			if (data->hstimeout.tv_usec >= 1000000)
+				{
+				data->hstimeout.tv_sec++;
+				data->hstimeout.tv_usec -= 1000000;
+				}
+			}
+		else
+			{
+			memset(&(data->hstimeout), 0, sizeof(struct timeval));
+			}
+		break;
 #if defined(SO_RCVTIMEO)
 	case BIO_CTRL_DGRAM_SET_RECV_TIMEOUT:
 #ifdef OPENSSL_SYS_WINDOWS
@@ -360,6 +414,7 @@ static long dgram_ctrl(BIO *b, int cmd, long num, void *ptr)
 			sizeof(struct timeval)) < 0)
 			{ perror("setsockopt");	ret = -1; }
 #endif
+		memcpy(&(data->hstimeoutdiff), ptr, sizeof(struct timeval));
 		break;
 	case BIO_CTRL_DGRAM_GET_RECV_TIMEOUT:
 #ifdef OPENSSL_SYS_WINDOWS

crypto/camellia/asm/cmll-x86.pl

@@ -1133,6 +1133,6 @@ my ($s0,$s1,$s2,$s3) = @T;
 &function_end("Camellia_cbc_encrypt");
 }
 
-&asciz("Camellia for x86 by <appro@openssl.org>");
+&asciz("Camellia for x86 by <appro\@openssl.org>");
 
 &asm_finish();

crypto/camellia/asm/cmll-x86_64.pl

@@ -859,7 +859,7 @@ Camellia_cbc_encrypt:
 	ret
 .size	Camellia_cbc_encrypt,.-Camellia_cbc_encrypt
 
-.asciz	"Camellia for x86_64 by <appro@openssl.org>"
+.asciz	"Camellia for x86_64 by <appro\@openssl.org>"
 ___
 }
 

crypto/camellia/camellia.c

@@ -91,10 +91,24 @@
 # if defined(_MSC_VER) && (defined(_M_IX86) || defined(_M_AMD64) || defined(_M_X64))
 #  define RightRotate(x, s) _lrotr(x, s)
 #  define LeftRotate(x, s)  _lrotl(x, s)
+#  if _MSC_VER >= 1400
+#   define SWAP(x) _byteswap_ulong(x)
+#  else
+#   define SWAP(x) (_lrotl(x, 8) & 0x00ff00ff | _lrotr(x, 8) & 0xff00ff00)
+#  endif
+#  define GETU32(p)   SWAP(*((u32 *)(p)))
+#  define PUTU32(p,v) (*((u32 *)(p)) = SWAP((v)))
 # elif defined(__GNUC__) && __GNUC__>=2
 #  if defined(__i386) || defined(__x86_64)
 #   define RightRotate(x,s) ({u32 ret; asm ("rorl %1,%0":"=r"(ret):"I"(s),"0"(x):"cc"); ret; })
 #   define LeftRotate(x,s)  ({u32 ret; asm ("roll %1,%0":"=r"(ret):"I"(s),"0"(x):"cc"); ret; })
+#   if defined(B_ENDIAN) /* stratus.com does it */
+#    define GETU32(p)   (*(u32 *)(p))
+#    define PUTU32(p,v) (*(u32 *)(p)=(v))
+#   else
+#    define GETU32(p)   ({u32 r=*(const u32 *)(p); asm("bswapl %0":"=r"(r):"0"(r)); r; })
+#    define PUTU32(p,v) ({u32 r=(v); asm("bswapl %0":"=r"(r):"0"(r)); *(u32 *)(p)=r; })
+#   endif
 #  elif defined(_ARCH_PPC) || defined(_ARCH_PPC64) || \
         defined(__powerpc) || defined(__ppc__) || defined(__powerpc64__)
 #   define LeftRotate(x,s)  ({u32 ret; asm ("rlwinm %0,%1,%2,0,31":"=r"(ret):"r"(x),"I"(s)); ret; })
@@ -102,13 +116,20 @@
 #  elif defined(__s390x__)
 #   define LeftRotate(x,s)  ({u32 ret; asm ("rll %0,%1,%2":"=r"(ret):"r"(x),"I"(s)); ret; })
 #   define RightRotate(x,s) LeftRotate(x,(32-s))
+#   define GETU32(p)   (*(u32 *)(p))
+#   define PUTU32(p,v) (*(u32 *)(p)=(v))
 #  endif
 # endif
 #endif
 
 #if !defined(RightRotate) && !defined(LeftRotate)
-#define RightRotate(x, s) ( ((x) >> (s)) + ((x) << (32 - s)) )
-#define LeftRotate(x, s)  ( ((x) << (s)) + ((x) >> (32 - s)) )
+# define RightRotate(x, s) ( ((x) >> (s)) + ((x) << (32 - s)) )
+# define LeftRotate(x, s)  ( ((x) << (s)) + ((x) >> (32 - s)) )
+#endif
+
+#if !defined(GETU32) && !defined(PUTU32)
+# define GETU32(p)   (((u32)(p)[0] << 24) ^ ((u32)(p)[1] << 16) ^ ((u32)(p)[2] <<  8) ^ ((u32)(p)[3]))
+# define PUTU32(p,v) ((p)[0] = (u8)((v) >> 24), (p)[1] = (u8)((v) >> 16), (p)[2] = (u8)((v) >>  8), (p)[3] = (u8)(v))
 #endif
 
 /* S-box data */

crypto/camellia/cmll_locl.h

@@ -71,30 +71,6 @@
 typedef unsigned int  u32;
 typedef unsigned char u8;
 
-#if defined(_MSC_VER) && (defined(_M_IX86) || defined(_M_AMD64) || defined(_M_X64))
-# if _MSC_VER >= 1400
-#  define SWAP(x) _byteswap_ulong(x)
-# else
-#  define SWAP(x) (_lrotl(x, 8) & 0x00ff00ff | _lrotr(x, 8) & 0xff00ff00)
-# endif
-# define GETU32(p)   SWAP(*((u32 *)(p)))
-# define PUTU32(p,v) (*((u32 *)(p)) = SWAP((v)))
-#elif defined(__GNUC__) && __GNUC__>=2 && (defined(__i386) || defined(__x86_64)) && !defined(PEDANTIC)
-# if defined(B_ENDIAN) /* stratus.com does it */
-#  define GETU32(p)   (*(u32 *)(p))
-#  define PUTU32(p,v) (*(u32 *)(p)=(v))
-# else
-#  define GETU32(p)   ({u32 r=*(const u32 *)(p); asm("bswapl %0":"=r"(r):"0"(r)); r; })
-#  define PUTU32(p,v) ({u32 r=(v); asm("bswapl %0":"=r"(r):"0"(r)); *(u32 *)(p)=r; })
-# endif
-#elif defined(__s390__) || defined(__s390x__)
-# define GETU32(p)   (*(u32 *)(p))
-# define PUTU32(p,v) (*(u32 *)(p)=(v))
-#else
-# define GETU32(p)   (((u32)(p)[0] << 24) ^ ((u32)(p)[1] << 16) ^ ((u32)(p)[2] <<  8) ^ ((u32)(p)[3]))
-# define PUTU32(p,v) ((p)[0] = (u8)((v) >> 24), (p)[1] = (u8)((v) >> 16), (p)[2] = (u8)((v) >>  8), (p)[3] = (u8)(v))
-#endif
-
 int Camellia_Ekeygen(int keyBitLength, const u8 *rawKey, KEY_TABLE_TYPE keyTable);
 void Camellia_EncryptBlock_Rounds(int grandRounds, const u8 plaintext[], 
 		const KEY_TABLE_TYPE keyTable, u8 ciphertext[]);

crypto/cms/cms_smime.c

@@ -419,7 +419,7 @@ int CMS_verify(CMS_ContentInfo *cms, STACK_OF(X509) *certs,
 		for (i = 0; i < sk_CMS_SignerInfo_num(sinfos); i++)
 			{
 			si = sk_CMS_SignerInfo_value(sinfos, i);
-			if (!CMS_SignerInfo_verify_content(si, cmsbio))
+			if (CMS_SignerInfo_verify_content(si, cmsbio) <= 0)
 				{
 				CMSerr(CMS_F_CMS_VERIFY,
 					CMS_R_CONTENT_VERIFY_ERROR);

crypto/cryptlib.c

@@ -205,7 +205,7 @@ int CRYPTO_get_new_lockid(char *name)
 #if defined(OPENSSL_SYS_WIN32) || defined(OPENSSL_SYS_WIN16)
 	/* A hack to make Visual C++ 5.0 work correctly when linking as
 	 * a DLL using /MT. Without this, the application cannot use
-	 * and floating point printf's.
+	 * any floating point printf's.
 	 * It also seems to be needed for Visual C 1.5 (win16) */
 	SSLeay_MSVC5_hack=(double)name[0]*(double)name[1];
 #endif

crypto/des/enc_read.c

@@ -150,7 +150,7 @@ int DES_enc_read(int fd, void *buf, int len, DES_key_schedule *sched,
 	/* first - get the length */
 	while (net_num < HDRSIZE) 
 		{
-#ifndef _WIN32
+#ifndef OPENSSL_SYS_WIN32
 		i=read(fd,(void *)&(net[net_num]),HDRSIZE-net_num);
 #else
 		i=_read(fd,(void *)&(net[net_num]),HDRSIZE-net_num);
@@ -176,7 +176,11 @@ int DES_enc_read(int fd, void *buf, int len, DES_key_schedule *sched,
 	net_num=0;
 	while (net_num < rnum)
 		{
+#ifndef OPENSSL_SYS_WIN32
 		i=read(fd,(void *)&(net[net_num]),rnum-net_num);
+#else
+		i=_read(fd,(void *)&(net[net_num]),rnum-net_num);
+#endif
 #ifdef EINTR
 		if ((i == -1) && (errno == EINTR)) continue;
 #endif

crypto/dsa/dsa_asn1.c

@@ -69,12 +69,15 @@ static int sig_cb(int operation, ASN1_VALUE **pval, const ASN1_ITEM *it,
 	if(operation == ASN1_OP_NEW_PRE) {
 		DSA_SIG *sig;
 		sig = OPENSSL_malloc(sizeof(DSA_SIG));
+		if (!sig)
+			{
+			DSAerr(DSA_F_SIG_CB, ERR_R_MALLOC_FAILURE);
+			return 0;
+			}
 		sig->r = NULL;
 		sig->s = NULL;
 		*pval = (ASN1_VALUE *)sig;
-		if(sig) return 2;
-		DSAerr(DSA_F_SIG_CB, ERR_R_MALLOC_FAILURE);
-		return 0;
+		return 2;
 	}
 	return 1;
 }

crypto/evp/bio_md.c

@@ -130,8 +130,8 @@ static int md_read(BIO *b, char *out, int outl)
 		{
 		if (ret > 0)
 			{
-			EVP_DigestUpdate(ctx,(unsigned char *)out,
-				(unsigned int)ret);
+			if (EVP_DigestUpdate(ctx,(unsigned char *)out,
+				(unsigned int)ret)<=0) return (-1);
 			}
 		}
 	BIO_clear_retry_flags(b);
@@ -253,7 +253,9 @@ static int md_gets(BIO *bp, char *buf, int size)
 	ctx=bp->ptr;
 	if (size < ctx->digest->md_size)
 		return(0);
-	EVP_DigestFinal_ex(ctx,(unsigned char *)buf,&ret);
+	if (EVP_DigestFinal_ex(ctx,(unsigned char *)buf,&ret)<=0) 
+		return -1;
+		
 	return((int)ret);
 	}
 

crypto/evp/evp.h

@@ -421,6 +421,7 @@ int EVP_MD_type(const EVP_MD *md);
 int EVP_MD_pkey_type(const EVP_MD *md);	
 int EVP_MD_size(const EVP_MD *md);
 int EVP_MD_block_size(const EVP_MD *md);
+unsigned long EVP_MD_flags(const EVP_MD *md);
 
 const EVP_MD *EVP_MD_CTX_md(const EVP_MD_CTX *ctx);
 #define EVP_MD_CTX_size(e)		EVP_MD_size(EVP_MD_CTX_md(e))

crypto/evp/evp_lib.c

@@ -263,6 +263,11 @@ int EVP_MD_size(const EVP_MD *md)
 	return md->md_size;
 	}
 
+unsigned long EVP_MD_flags(const EVP_MD *md)
+	{
+	return md->flags;
+	}
+
 const EVP_MD *EVP_MD_CTX_md(const EVP_MD_CTX *ctx)
 	{
 	if (!ctx)

crypto/evp/names.c

@@ -145,7 +145,7 @@ static void do_all_cipher_fn(const OBJ_NAME *nm, void *arg)
 	if (nm->alias)
 		dc->fn(NULL, nm->name, nm->data, dc->arg);
 	else
-		dc->fn((const EVP_CIPHER *)nm->data, NULL, NULL, dc->arg);
+		dc->fn((const EVP_CIPHER *)nm->data, nm->name, NULL, dc->arg);
 	}
 
 void EVP_CIPHER_do_all(void (*fn)(const EVP_CIPHER *ciph,
@@ -179,7 +179,7 @@ static void do_all_md_fn(const OBJ_NAME *nm, void *arg)
 	if (nm->alias)
 		dc->fn(NULL, nm->name, nm->data, dc->arg);
 	else
-		dc->fn((const EVP_MD *)nm->data, NULL, NULL, dc->arg);
+		dc->fn((const EVP_MD *)nm->data, nm->name, NULL, dc->arg);
 	}
 
 void EVP_MD_do_all(void (*fn)(const EVP_MD *md,

crypto/mem_dbg.c

@@ -787,7 +787,7 @@ void CRYPTO_mem_leaks(BIO *b)
 		 * XXX    This should be in CRYPTO_mem_leaks_cb,
 		 * and CRYPTO_mem_leaks should be implemented by
 		 * using CRYPTO_mem_leaks_cb.
-		 * (Also their should be a variant of lh_doall_arg
+		 * (Also there should be a variant of lh_doall_arg
 		 * that takes a function pointer instead of a void *;
 		 * this would obviate the ugly and illegal
 		 * void_fn_to_char kludge in CRYPTO_mem_leaks_cb.

crypto/objects/obj_dat.h

@@ -62,12 +62,12 @@
  * [including the GNU Public Licence.]
  */
 
-#define NUM_NID 859
-#define NUM_SN 852
-#define NUM_LN 852
-#define NUM_OBJ 806
+#define NUM_NID 893
+#define NUM_SN 886
+#define NUM_LN 886
+#define NUM_OBJ 840
 
-static const unsigned char lvalues[5722]={
+static const unsigned char lvalues[5824]={
 0x00,                                        /* [  0] OBJ_undef */
 0x2A,0x86,0x48,0x86,0xF7,0x0D,               /* [  1] OBJ_rsadsi */
 0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,          /* [  7] OBJ_pkcs */
@@ -874,6 +874,40 @@ static const unsigned char lvalues[5722]={
 0x2B,0x06,0x01,0x04,0x01,0x82,0x37,0x11,0x02,/* [5701] OBJ_LocalKeySet */
 0x55,0x1D,0x2E,                              /* [5710] OBJ_freshest_crl */
 0x2B,0x06,0x01,0x05,0x05,0x07,0x08,0x03,     /* [5713] OBJ_id_on_permanentIdentifier */
+0x55,0x04,0x0E,                              /* [5721] OBJ_searchGuide */
+0x55,0x04,0x0F,                              /* [5724] OBJ_businessCategory */
+0x55,0x04,0x10,                              /* [5727] OBJ_postalAddress */
+0x55,0x04,0x12,                              /* [5730] OBJ_postOfficeBox */
+0x55,0x04,0x13,                              /* [5733] OBJ_physicalDeliveryOfficeName */
+0x55,0x04,0x14,                              /* [5736] OBJ_telephoneNumber */
+0x55,0x04,0x15,                              /* [5739] OBJ_telexNumber */
+0x55,0x04,0x16,                              /* [5742] OBJ_teletexTerminalIdentifier */
+0x55,0x04,0x17,                              /* [5745] OBJ_facsimileTelephoneNumber */
+0x55,0x04,0x18,                              /* [5748] OBJ_x121Address */
+0x55,0x04,0x19,                              /* [5751] OBJ_internationaliSDNNumber */
+0x55,0x04,0x1A,                              /* [5754] OBJ_registeredAddress */
+0x55,0x04,0x1B,                              /* [5757] OBJ_destinationIndicator */
+0x55,0x04,0x1C,                              /* [5760] OBJ_preferredDeliveryMethod */
+0x55,0x04,0x1D,                              /* [5763] OBJ_presentationAddress */
+0x55,0x04,0x1E,                              /* [5766] OBJ_supportedApplicationContext */
+0x55,0x04,0x1F,                              /* [5769] OBJ_member */
+0x55,0x04,0x20,                              /* [5772] OBJ_owner */
+0x55,0x04,0x21,                              /* [5775] OBJ_roleOccupant */
+0x55,0x04,0x22,                              /* [5778] OBJ_seeAlso */
+0x55,0x04,0x23,                              /* [5781] OBJ_userPassword */
+0x55,0x04,0x24,                              /* [5784] OBJ_userCertificate */
+0x55,0x04,0x25,                              /* [5787] OBJ_cACertificate */
+0x55,0x04,0x26,                              /* [5790] OBJ_authorityRevocationList */
+0x55,0x04,0x27,                              /* [5793] OBJ_certificateRevocationList */
+0x55,0x04,0x28,                              /* [5796] OBJ_crossCertificatePair */
+0x55,0x04,0x2F,                              /* [5799] OBJ_enhancedSearchGuide */
+0x55,0x04,0x30,                              /* [5802] OBJ_protocolInformation */
+0x55,0x04,0x31,                              /* [5805] OBJ_distinguishedName */
+0x55,0x04,0x32,                              /* [5808] OBJ_uniqueMember */
+0x55,0x04,0x33,                              /* [5811] OBJ_houseIdentifier */
+0x55,0x04,0x34,                              /* [5814] OBJ_supportedAlgorithms */
+0x55,0x04,0x35,                              /* [5817] OBJ_deltaRevocationList */
+0x55,0x04,0x36,                              /* [5820] OBJ_dmdName */
 };
 
 static const ASN1_OBJECT nid_objs[NUM_NID]={
@@ -1928,7 +1962,7 @@ static const ASN1_OBJECT nid_objs[NUM_NID]={
 {"DES-CFB8","des-cfb8",NID_des_cfb8,0,NULL,0},
 {"DES-EDE3-CFB1","des-ede3-cfb1",NID_des_ede3_cfb1,0,NULL,0},
 {"DES-EDE3-CFB8","des-ede3-cfb8",NID_des_ede3_cfb8,0,NULL,0},
-{"streetAddress","streetAddress",NID_streetAddress,3,&(lvalues[4462]),0},
+{"street","streetAddress",NID_streetAddress,3,&(lvalues[4462]),0},
 {"postalCode","postalCode",NID_postalCode,3,&(lvalues[4465]),0},
 {"id-ppl","id-ppl",NID_id_ppl,7,&(lvalues[4468]),0},
 {"proxyCertInfo","Proxy Certificate Information",NID_proxyCertInfo,8,
@@ -2262,6 +2296,61 @@ static const ASN1_OBJECT nid_objs[NUM_NID]={
 	&(lvalues[5710]),0},
 {"id-on-permanentIdentifier","Permanent Identifier",
 	NID_id_on_permanentIdentifier,8,&(lvalues[5713]),0},
+{"searchGuide","searchGuide",NID_searchGuide,3,&(lvalues[5721]),0},
+{"businessCategory","businessCategory",NID_businessCategory,3,
+	&(lvalues[5724]),0},
+{"postalAddress","postalAddress",NID_postalAddress,3,&(lvalues[5727]),0},
+{"postOfficeBox","postOfficeBox",NID_postOfficeBox,3,&(lvalues[5730]),0},
+{"physicalDeliveryOfficeName","physicalDeliveryOfficeName",
+	NID_physicalDeliveryOfficeName,3,&(lvalues[5733]),0},
+{"telephoneNumber","telephoneNumber",NID_telephoneNumber,3,
+	&(lvalues[5736]),0},
+{"telexNumber","telexNumber",NID_telexNumber,3,&(lvalues[5739]),0},
+{"teletexTerminalIdentifier","teletexTerminalIdentifier",
+	NID_teletexTerminalIdentifier,3,&(lvalues[5742]),0},
+{"facsimileTelephoneNumber","facsimileTelephoneNumber",
+	NID_facsimileTelephoneNumber,3,&(lvalues[5745]),0},
+{"x121Address","x121Address",NID_x121Address,3,&(lvalues[5748]),0},
+{"internationaliSDNNumber","internationaliSDNNumber",
+	NID_internationaliSDNNumber,3,&(lvalues[5751]),0},
+{"registeredAddress","registeredAddress",NID_registeredAddress,3,
+	&(lvalues[5754]),0},
+{"destinationIndicator","destinationIndicator",
+	NID_destinationIndicator,3,&(lvalues[5757]),0},
+{"preferredDeliveryMethod","preferredDeliveryMethod",
+	NID_preferredDeliveryMethod,3,&(lvalues[5760]),0},
+{"presentationAddress","presentationAddress",NID_presentationAddress,
+	3,&(lvalues[5763]),0},
+{"supportedApplicationContext","supportedApplicationContext",
+	NID_supportedApplicationContext,3,&(lvalues[5766]),0},
+{"member","member",NID_member,3,&(lvalues[5769]),0},
+{"owner","owner",NID_owner,3,&(lvalues[5772]),0},
+{"roleOccupant","roleOccupant",NID_roleOccupant,3,&(lvalues[5775]),0},
+{"seeAlso","seeAlso",NID_seeAlso,3,&(lvalues[5778]),0},
+{"userPassword","userPassword",NID_userPassword,3,&(lvalues[5781]),0},
+{"userCertificate","userCertificate",NID_userCertificate,3,
+	&(lvalues[5784]),0},
+{"cACertificate","cACertificate",NID_cACertificate,3,&(lvalues[5787]),0},
+{"authorityRevocationList","authorityRevocationList",
+	NID_authorityRevocationList,3,&(lvalues[5790]),0},
+{"certificateRevocationList","certificateRevocationList",
+	NID_certificateRevocationList,3,&(lvalues[5793]),0},
+{"crossCertificatePair","crossCertificatePair",
+	NID_crossCertificatePair,3,&(lvalues[5796]),0},
+{"enhancedSearchGuide","enhancedSearchGuide",NID_enhancedSearchGuide,
+	3,&(lvalues[5799]),0},
+{"protocolInformation","protocolInformation",NID_protocolInformation,
+	3,&(lvalues[5802]),0},
+{"distinguishedName","distinguishedName",NID_distinguishedName,3,
+	&(lvalues[5805]),0},
+{"uniqueMember","uniqueMember",NID_uniqueMember,3,&(lvalues[5808]),0},
+{"houseIdentifier","houseIdentifier",NID_houseIdentifier,3,
+	&(lvalues[5811]),0},
+{"supportedAlgorithms","supportedAlgorithms",NID_supportedAlgorithms,
+	3,&(lvalues[5814]),0},
+{"deltaRevocationList","deltaRevocationList",NID_deltaRevocationList,
+	3,&(lvalues[5817]),0},
+{"dmdName","dmdName",NID_dmdName,3,&(lvalues[5820]),0},
 };
 
 static const unsigned int sn_objs[NUM_SN]={
@@ -2458,10 +2547,12 @@ static const unsigned int sn_objs[NUM_SN]={
 501,	/* "audio" */
 177,	/* "authorityInfoAccess" */
 90,	/* "authorityKeyIdentifier" */
+882,	/* "authorityRevocationList" */
 87,	/* "basicConstraints" */
 365,	/* "basicOCSPResponse" */
 285,	/* "biometricInfo" */
 494,	/* "buildingName" */
+860,	/* "businessCategory" */
 691,	/* "c2onb191v4" */
 692,	/* "c2onb191v5" */
 697,	/* "c2onb239v4" */
@@ -2482,6 +2573,7 @@ static const unsigned int sn_objs[NUM_SN]={
 696,	/* "c2tnb239v3" */
 701,	/* "c2tnb359v1" */
 703,	/* "c2tnb431r1" */
+881,	/* "cACertificate" */
 483,	/* "cNAMERecord" */
 179,	/* "caIssuers" */
 785,	/* "caRepository" */
@@ -2490,6 +2582,7 @@ static const unsigned int sn_objs[NUM_SN]={
 677,	/* "certicom-arc" */
 771,	/* "certificateIssuer" */
 89,	/* "certificatePolicies" */
+883,	/* "certificateRevocationList" */
 54,	/* "challengePassword" */
 407,	/* "characteristic-two-field" */
 395,	/* "clearance" */
@@ -2500,6 +2593,7 @@ static const unsigned int sn_objs[NUM_SN]={
 153,	/* "crlBag" */
 103,	/* "crlDistributionPoints" */
 88,	/* "crlNumber" */
+884,	/* "crossCertificatePair" */
 806,	/* "cryptocom" */
 805,	/* "cryptopro" */
 500,	/* "dITRedirect" */
@@ -2508,9 +2602,13 @@ static const unsigned int sn_objs[NUM_SN]={
 434,	/* "data" */
 390,	/* "dcobject" */
 140,	/* "deltaCRL" */
+891,	/* "deltaRevocationList" */
 107,	/* "description" */
+871,	/* "destinationIndicator" */
 28,	/* "dhKeyAgreement" */
 382,	/* "directory" */
+887,	/* "distinguishedName" */
+892,	/* "dmdName" */
 174,	/* "dnQualifier" */
 447,	/* "document" */
 471,	/* "documentAuthor" */
@@ -2533,12 +2631,14 @@ static const unsigned int sn_objs[NUM_SN]={
 792,	/* "ecdsa-with-Specified" */
 48,	/* "emailAddress" */
 132,	/* "emailProtection" */
+885,	/* "enhancedSearchGuide" */
 389,	/* "enterprises" */
 384,	/* "experimental" */
 172,	/* "extReq" */
 56,	/* "extendedCertificateAttributes" */
 126,	/* "extendedKeyUsage" */
 372,	/* "extendedStatus" */
+867,	/* "facsimileTelephoneNumber" */
 462,	/* "favouriteDrink" */
 857,	/* "freshestCRL" */
 453,	/* "friendlyCountry" */
@@ -2565,6 +2665,7 @@ static const unsigned int sn_objs[NUM_SN]={
 486,	/* "homePostalAddress" */
 473,	/* "homeTelephoneNumber" */
 466,	/* "host" */
+889,	/* "houseIdentifier" */
 442,	/* "iA5StringSyntax" */
 783,	/* "id-DHBasedMac" */
 824,	/* "id-Gost28147-89-CryptoPro-A-ParamSet" */
@@ -2794,6 +2895,7 @@ static const unsigned int sn_objs[NUM_SN]={
 748,	/* "inhibitAnyPolicy" */
 101,	/* "initials" */
 647,	/* "international-organizations" */
+869,	/* "internationaliSDNNumber" */
 142,	/* "invalidityDate" */
 294,	/* "ipsecEndSystem" */
 295,	/* "ipsecTunnel" */
@@ -2811,6 +2913,7 @@ static const unsigned int sn_objs[NUM_SN]={
 493,	/* "mailPreferenceOption" */
 467,	/* "manager" */
 809,	/* "md_gost94" */
+875,	/* "member" */
 182,	/* "member-body" */
 51,	/* "messageDigest" */
 383,	/* "mgmt" */
@@ -2846,12 +2949,14 @@ static const unsigned int sn_objs[NUM_SN]={
 681,	/* "onBasis" */
 491,	/* "organizationalStatus" */
 475,	/* "otherMailbox" */
+876,	/* "owner" */
 489,	/* "pagerTelephoneNumber" */
 374,	/* "path" */
 112,	/* "pbeWithMD5AndCast5CBC" */
 499,	/* "personalSignature" */
 487,	/* "personalTitle" */
 464,	/* "photo" */
+863,	/* "physicalDeliveryOfficeName" */
 437,	/* "pilot" */
 439,	/* "pilotAttributeSyntax" */
 438,	/* "pilotAttributeType" */
@@ -2877,8 +2982,12 @@ static const unsigned int sn_objs[NUM_SN]={
 47,	/* "pkcs9" */
 401,	/* "policyConstraints" */
 747,	/* "policyMappings" */
+862,	/* "postOfficeBox" */
+861,	/* "postalAddress" */
 661,	/* "postalCode" */
 683,	/* "ppBasis" */
+872,	/* "preferredDeliveryMethod" */
+873,	/* "presentationAddress" */
 816,	/* "prf-gostr3411-94" */
 406,	/* "prime-field" */
 409,	/* "prime192v1" */
@@ -2890,13 +2999,16 @@ static const unsigned int sn_objs[NUM_SN]={
 415,	/* "prime256v1" */
 385,	/* "private" */
 84,	/* "privateKeyUsagePeriod" */
+886,	/* "protocolInformation" */
 663,	/* "proxyCertInfo" */
 510,	/* "pseudonym" */
 435,	/* "pss" */
 286,	/* "qcStatements" */
 457,	/* "qualityLabelledData" */
 450,	/* "rFC822localPart" */
+870,	/* "registeredAddress" */
 400,	/* "role" */
+877,	/* "roleOccupant" */
 448,	/* "room" */
 463,	/* "roomNumber" */
  6,	/* "rsaEncryption" */
@@ -2909,6 +3021,7 @@ static const unsigned int sn_objs[NUM_SN]={
 290,	/* "sbgp-ipAddrBlock" */
 292,	/* "sbgp-routerIdentifier" */
 159,	/* "sdsiCertificate" */
+859,	/* "searchGuide" */
 704,	/* "secp112r1" */
 705,	/* "secp112r2" */
 706,	/* "secp128r1" */
@@ -2943,6 +3056,7 @@ static const unsigned int sn_objs[NUM_SN]={
 733,	/* "sect571k1" */
 734,	/* "sect571r1" */
 386,	/* "security" */
+878,	/* "seeAlso" */
 394,	/* "selected-attribute-types" */
 105,	/* "serialNumber" */
 129,	/* "serverAuth" */
@@ -3081,14 +3195,19 @@ static const unsigned int sn_objs[NUM_SN]={
 454,	/* "simpleSecurityObject" */
 496,	/* "singleLevelQuality" */
 387,	/* "snmpv2" */
-660,	/* "streetAddress" */
+660,	/* "street" */
 85,	/* "subjectAltName" */
 769,	/* "subjectDirectoryAttributes" */
 398,	/* "subjectInfoAccess" */
 82,	/* "subjectKeyIdentifier" */
 498,	/* "subtreeMaximumQuality" */
 497,	/* "subtreeMinimumQuality" */
+890,	/* "supportedAlgorithms" */
+874,	/* "supportedApplicationContext" */
 402,	/* "targetInformation" */
+864,	/* "telephoneNumber" */
+866,	/* "teletexTerminalIdentifier" */
+865,	/* "telexNumber" */
 459,	/* "textEncodedORAddress" */
 293,	/* "textNotice" */
 133,	/* "timeStamping" */
@@ -3096,9 +3215,12 @@ static const unsigned int sn_objs[NUM_SN]={
 682,	/* "tpBasis" */
 375,	/* "trustRoot" */
 436,	/* "ucl" */
+888,	/* "uniqueMember" */
 55,	/* "unstructuredAddress" */
 49,	/* "unstructuredName" */
+880,	/* "userCertificate" */
 465,	/* "userClass" */
+879,	/* "userPassword" */
 373,	/* "valid" */
 678,	/* "wap" */
 679,	/* "wap-wsg" */
@@ -3114,6 +3236,7 @@ static const unsigned int sn_objs[NUM_SN]={
 741,	/* "wap-wsg-idm-ecid-wtls8" */
 742,	/* "wap-wsg-idm-ecid-wtls9" */
 804,	/* "whirlpool" */
+868,	/* "x121Address" */
 503,	/* "x500UniqueIdentifier" */
 158,	/* "x509Certificate" */
 160,	/* "x509Crl" */
@@ -3284,11 +3407,13 @@ static const unsigned int ln_objs[NUM_LN]={
 484,	/* "associatedDomain" */
 485,	/* "associatedName" */
 501,	/* "audio" */
+882,	/* "authorityRevocationList" */
 91,	/* "bf-cbc" */
 93,	/* "bf-cfb" */
 92,	/* "bf-ecb" */
 94,	/* "bf-ofb" */
 494,	/* "buildingName" */
+860,	/* "businessCategory" */
 691,	/* "c2onb191v4" */
 692,	/* "c2onb191v5" */
 697,	/* "c2onb239v4" */
@@ -3309,6 +3434,7 @@ static const unsigned int ln_objs[NUM_LN]={
 696,	/* "c2tnb239v3" */
 701,	/* "c2tnb359v1" */
 703,	/* "c2tnb431r1" */
+881,	/* "cACertificate" */
 483,	/* "cNAMERecord" */
 751,	/* "camellia-128-cbc" */
 757,	/* "camellia-128-cfb" */
@@ -3336,6 +3462,7 @@ static const unsigned int ln_objs[NUM_LN]={
 152,	/* "certBag" */
 677,	/* "certicom-arc" */
 517,	/* "certificate extensions" */
+883,	/* "certificateRevocationList" */
 54,	/* "challengePassword" */
 407,	/* "characteristic-two-field" */
 395,	/* "clearance" */
@@ -3346,6 +3473,7 @@ static const unsigned int ln_objs[NUM_LN]={
 53,	/* "countersignature" */
 14,	/* "countryName" */
 153,	/* "crlBag" */
+884,	/* "crossCertificatePair" */
 806,	/* "cryptocom" */
 805,	/* "cryptopro" */
 500,	/* "dITRedirect" */
@@ -3353,6 +3481,7 @@ static const unsigned int ln_objs[NUM_LN]={
 495,	/* "dSAQuality" */
 434,	/* "data" */
 390,	/* "dcObject" */
+891,	/* "deltaRevocationList" */
 31,	/* "des-cbc" */
 643,	/* "des-cdmf" */
 30,	/* "des-cfb" */
@@ -3371,10 +3500,13 @@ static const unsigned int ln_objs[NUM_LN]={
 63,	/* "des-ede3-ofb" */
 45,	/* "des-ofb" */
 107,	/* "description" */
+871,	/* "destinationIndicator" */
 80,	/* "desx-cbc" */
 28,	/* "dhKeyAgreement" */
 11,	/* "directory services (X.500)" */
 378,	/* "directory services - algorithms" */
+887,	/* "distinguishedName" */
+892,	/* "dmdName" */
 174,	/* "dnQualifier" */
 447,	/* "document" */
 471,	/* "documentAuthor" */
@@ -3404,7 +3536,9 @@ static const unsigned int ln_objs[NUM_LN]={
 792,	/* "ecdsa-with-Specified" */
 48,	/* "emailAddress" */
 632,	/* "encrypted track 2" */
+885,	/* "enhancedSearchGuide" */
 56,	/* "extendedCertificateAttributes" */
+867,	/* "facsimileTelephoneNumber" */
 462,	/* "favouriteDrink" */
 453,	/* "friendlyCountry" */
 490,	/* "friendlyCountryName" */
@@ -3426,6 +3560,7 @@ static const unsigned int ln_objs[NUM_LN]={
 486,	/* "homePostalAddress" */
 473,	/* "homeTelephoneNumber" */
 466,	/* "host" */
+889,	/* "houseIdentifier" */
 442,	/* "iA5StringSyntax" */
 381,	/* "iana" */
 824,	/* "id-Gost28147-89-CryptoPro-A-ParamSet" */
@@ -3640,6 +3775,7 @@ static const unsigned int ln_objs[NUM_LN]={
 676,	/* "identified-organization" */
 461,	/* "info" */
 101,	/* "initials" */
+869,	/* "internationaliSDNNumber" */
 749,	/* "ipsec3" */
 750,	/* "ipsec4" */
 181,	/* "iso" */
@@ -3666,6 +3802,7 @@ static const unsigned int ln_objs[NUM_LN]={
  8,	/* "md5WithRSAEncryption" */
 95,	/* "mdc2" */
 96,	/* "mdc2WithRSA" */
+875,	/* "member" */
 602,	/* "merchant initiated auth" */
 514,	/* "message extensions" */
 51,	/* "messageDigest" */
@@ -3680,6 +3817,7 @@ static const unsigned int ln_objs[NUM_LN]={
 491,	/* "organizationalStatus" */
 18,	/* "organizationalUnitName" */
 475,	/* "otherMailbox" */
+876,	/* "owner" */
 489,	/* "pagerTelephoneNumber" */
 782,	/* "password based MAC" */
 374,	/* "path" */
@@ -3700,6 +3838,7 @@ static const unsigned int ln_objs[NUM_LN]={
 499,	/* "personalSignature" */
 487,	/* "personalTitle" */
 464,	/* "photo" */
+863,	/* "physicalDeliveryOfficeName" */
 437,	/* "pilot" */
 439,	/* "pilotAttributeSyntax" */
 438,	/* "pilotAttributeType" */
@@ -3722,8 +3861,12 @@ static const unsigned int ln_objs[NUM_LN]={
 22,	/* "pkcs7-signedData" */
 151,	/* "pkcs8ShroudedKeyBag" */
 47,	/* "pkcs9" */
+862,	/* "postOfficeBox" */
+861,	/* "postalAddress" */
 661,	/* "postalCode" */
 683,	/* "ppBasis" */
+872,	/* "preferredDeliveryMethod" */
+873,	/* "presentationAddress" */
 406,	/* "prime-field" */
 409,	/* "prime192v1" */
 410,	/* "prime192v2" */
@@ -3732,6 +3875,7 @@ static const unsigned int ln_objs[NUM_LN]={
 413,	/* "prime239v2" */
 414,	/* "prime239v3" */
 415,	/* "prime256v1" */
+886,	/* "protocolInformation" */
 510,	/* "pseudonym" */
 435,	/* "pss" */
 286,	/* "qcStatements" */
@@ -3749,10 +3893,12 @@ static const unsigned int ln_objs[NUM_LN]={
 122,	/* "rc5-cfb" */
 121,	/* "rc5-ecb" */
 123,	/* "rc5-ofb" */
+870,	/* "registeredAddress" */
 460,	/* "rfc822Mailbox" */
 117,	/* "ripemd160" */
 119,	/* "ripemd160WithRSA" */
 400,	/* "role" */
+877,	/* "roleOccupant" */
 448,	/* "room" */
 463,	/* "roomNumber" */
 19,	/* "rsa" */
@@ -3766,6 +3912,7 @@ static const unsigned int ln_objs[NUM_LN]={
 290,	/* "sbgp-ipAddrBlock" */
 292,	/* "sbgp-routerIdentifier" */
 159,	/* "sdsiCertificate" */
+859,	/* "searchGuide" */
 704,	/* "secp112r1" */
 705,	/* "secp112r2" */
 706,	/* "secp128r1" */
@@ -3800,6 +3947,7 @@ static const unsigned int ln_objs[NUM_LN]={
 733,	/* "sect571k1" */
 734,	/* "sect571r1" */
 635,	/* "secure device signature" */
+878,	/* "seeAlso" */
 777,	/* "seed-cbc" */
 779,	/* "seed-cfb" */
 776,	/* "seed-ecb" */
@@ -3942,17 +4090,25 @@ static const unsigned int ln_objs[NUM_LN]={
 660,	/* "streetAddress" */
 498,	/* "subtreeMaximumQuality" */
 497,	/* "subtreeMinimumQuality" */
+890,	/* "supportedAlgorithms" */
+874,	/* "supportedApplicationContext" */
 100,	/* "surname" */
+864,	/* "telephoneNumber" */
+866,	/* "teletexTerminalIdentifier" */
+865,	/* "telexNumber" */
 459,	/* "textEncodedORAddress" */
 293,	/* "textNotice" */
 106,	/* "title" */
 682,	/* "tpBasis" */
 436,	/* "ucl" */
  0,	/* "undefined" */
+888,	/* "uniqueMember" */
 55,	/* "unstructuredAddress" */
 49,	/* "unstructuredName" */
+880,	/* "userCertificate" */
 465,	/* "userClass" */
 458,	/* "userId" */
+879,	/* "userPassword" */
 373,	/* "valid" */
 678,	/* "wap" */
 679,	/* "wap-wsg" */
@@ -3968,6 +4124,7 @@ static const unsigned int ln_objs[NUM_LN]={
 741,	/* "wap-wsg-idm-ecid-wtls8" */
 742,	/* "wap-wsg-idm-ecid-wtls9" */
 804,	/* "whirlpool" */
+868,	/* "x121Address" */
 503,	/* "x500UniqueIdentifier" */
 158,	/* "x509Certificate" */
 160,	/* "x509Crl" */
@@ -4009,13 +4166,47 @@ static const unsigned int obj_objs[NUM_OBJ]={
 18,	/* OBJ_organizationalUnitName       2 5 4 11 */
 106,	/* OBJ_title                        2 5 4 12 */
 107,	/* OBJ_description                  2 5 4 13 */
+859,	/* OBJ_searchGuide                  2 5 4 14 */
+860,	/* OBJ_businessCategory             2 5 4 15 */
+861,	/* OBJ_postalAddress                2 5 4 16 */
 661,	/* OBJ_postalCode                   2 5 4 17 */
+862,	/* OBJ_postOfficeBox                2 5 4 18 */
+863,	/* OBJ_physicalDeliveryOfficeName   2 5 4 19 */
+864,	/* OBJ_telephoneNumber              2 5 4 20 */
+865,	/* OBJ_telexNumber                  2 5 4 21 */
+866,	/* OBJ_teletexTerminalIdentifier    2 5 4 22 */
+867,	/* OBJ_facsimileTelephoneNumber     2 5 4 23 */
+868,	/* OBJ_x121Address                  2 5 4 24 */
+869,	/* OBJ_internationaliSDNNumber      2 5 4 25 */
+870,	/* OBJ_registeredAddress            2 5 4 26 */
+871,	/* OBJ_destinationIndicator         2 5 4 27 */
+872,	/* OBJ_preferredDeliveryMethod      2 5 4 28 */
+873,	/* OBJ_presentationAddress          2 5 4 29 */
+874,	/* OBJ_supportedApplicationContext  2 5 4 30 */
+875,	/* OBJ_member                       2 5 4 31 */
+876,	/* OBJ_owner                        2 5 4 32 */
+877,	/* OBJ_roleOccupant                 2 5 4 33 */
+878,	/* OBJ_seeAlso                      2 5 4 34 */
+879,	/* OBJ_userPassword                 2 5 4 35 */
+880,	/* OBJ_userCertificate              2 5 4 36 */
+881,	/* OBJ_cACertificate                2 5 4 37 */
+882,	/* OBJ_authorityRevocationList      2 5 4 38 */
+883,	/* OBJ_certificateRevocationList    2 5 4 39 */
+884,	/* OBJ_crossCertificatePair         2 5 4 40 */
 173,	/* OBJ_name                         2 5 4 41 */
 99,	/* OBJ_givenName                    2 5 4 42 */
 101,	/* OBJ_initials                     2 5 4 43 */
 509,	/* OBJ_generationQualifier          2 5 4 44 */
 503,	/* OBJ_x500UniqueIdentifier         2 5 4 45 */
 174,	/* OBJ_dnQualifier                  2 5 4 46 */
+885,	/* OBJ_enhancedSearchGuide          2 5 4 47 */
+886,	/* OBJ_protocolInformation          2 5 4 48 */
+887,	/* OBJ_distinguishedName            2 5 4 49 */
+888,	/* OBJ_uniqueMember                 2 5 4 50 */
+889,	/* OBJ_houseIdentifier              2 5 4 51 */
+890,	/* OBJ_supportedAlgorithms          2 5 4 52 */
+891,	/* OBJ_deltaRevocationList          2 5 4 53 */
+892,	/* OBJ_dmdName                      2 5 4 54 */
 510,	/* OBJ_pseudonym                    2 5 4 65 */
 400,	/* OBJ_role                         2 5 4 72 */
 769,	/* OBJ_subject_directory_attributes 2 5 29 9 */

crypto/objects/obj_mac.h

@@ -2049,6 +2049,7 @@
 #define NID_stateOrProvinceName		16
 #define OBJ_stateOrProvinceName		OBJ_X509,8L
 
+#define SN_streetAddress		"street"
 #define LN_streetAddress		"streetAddress"
 #define NID_streetAddress		660
 #define OBJ_streetAddress		OBJ_X509,9L
@@ -2063,6 +2064,7 @@
 #define NID_organizationalUnitName		18
 #define OBJ_organizationalUnitName		OBJ_X509,11L
 
+#define SN_title		"title"
 #define LN_title		"title"
 #define NID_title		106
 #define OBJ_title		OBJ_X509,12L
@@ -2071,10 +2073,114 @@
 #define NID_description		107
 #define OBJ_description		OBJ_X509,13L
 
+#define LN_searchGuide		"searchGuide"
+#define NID_searchGuide		859
+#define OBJ_searchGuide		OBJ_X509,14L
+
+#define LN_businessCategory		"businessCategory"
+#define NID_businessCategory		860
+#define OBJ_businessCategory		OBJ_X509,15L
+
+#define LN_postalAddress		"postalAddress"
+#define NID_postalAddress		861
+#define OBJ_postalAddress		OBJ_X509,16L
+
 #define LN_postalCode		"postalCode"
 #define NID_postalCode		661
 #define OBJ_postalCode		OBJ_X509,17L
 
+#define LN_postOfficeBox		"postOfficeBox"
+#define NID_postOfficeBox		862
+#define OBJ_postOfficeBox		OBJ_X509,18L
+
+#define LN_physicalDeliveryOfficeName		"physicalDeliveryOfficeName"
+#define NID_physicalDeliveryOfficeName		863
+#define OBJ_physicalDeliveryOfficeName		OBJ_X509,19L
+
+#define LN_telephoneNumber		"telephoneNumber"
+#define NID_telephoneNumber		864
+#define OBJ_telephoneNumber		OBJ_X509,20L
+
+#define LN_telexNumber		"telexNumber"
+#define NID_telexNumber		865
+#define OBJ_telexNumber		OBJ_X509,21L
+
+#define LN_teletexTerminalIdentifier		"teletexTerminalIdentifier"
+#define NID_teletexTerminalIdentifier		866
+#define OBJ_teletexTerminalIdentifier		OBJ_X509,22L
+
+#define LN_facsimileTelephoneNumber		"facsimileTelephoneNumber"
+#define NID_facsimileTelephoneNumber		867
+#define OBJ_facsimileTelephoneNumber		OBJ_X509,23L
+
+#define LN_x121Address		"x121Address"
+#define NID_x121Address		868
+#define OBJ_x121Address		OBJ_X509,24L
+
+#define LN_internationaliSDNNumber		"internationaliSDNNumber"
+#define NID_internationaliSDNNumber		869
+#define OBJ_internationaliSDNNumber		OBJ_X509,25L
+
+#define LN_registeredAddress		"registeredAddress"
+#define NID_registeredAddress		870
+#define OBJ_registeredAddress		OBJ_X509,26L
+
+#define LN_destinationIndicator		"destinationIndicator"
+#define NID_destinationIndicator		871
+#define OBJ_destinationIndicator		OBJ_X509,27L
+
+#define LN_preferredDeliveryMethod		"preferredDeliveryMethod"
+#define NID_preferredDeliveryMethod		872
+#define OBJ_preferredDeliveryMethod		OBJ_X509,28L
+
+#define LN_presentationAddress		"presentationAddress"
+#define NID_presentationAddress		873
+#define OBJ_presentationAddress		OBJ_X509,29L
+
+#define LN_supportedApplicationContext		"supportedApplicationContext"
+#define NID_supportedApplicationContext		874
+#define OBJ_supportedApplicationContext		OBJ_X509,30L
+
+#define SN_member		"member"
+#define NID_member		875
+#define OBJ_member		OBJ_X509,31L
+
+#define SN_owner		"owner"
+#define NID_owner		876
+#define OBJ_owner		OBJ_X509,32L
+
+#define LN_roleOccupant		"roleOccupant"
+#define NID_roleOccupant		877
+#define OBJ_roleOccupant		OBJ_X509,33L
+
+#define SN_seeAlso		"seeAlso"
+#define NID_seeAlso		878
+#define OBJ_seeAlso		OBJ_X509,34L
+
+#define LN_userPassword		"userPassword"
+#define NID_userPassword		879
+#define OBJ_userPassword		OBJ_X509,35L
+
+#define LN_userCertificate		"userCertificate"
+#define NID_userCertificate		880
+#define OBJ_userCertificate		OBJ_X509,36L
+
+#define LN_cACertificate		"cACertificate"
+#define NID_cACertificate		881
+#define OBJ_cACertificate		OBJ_X509,37L
+
+#define LN_authorityRevocationList		"authorityRevocationList"
+#define NID_authorityRevocationList		882
+#define OBJ_authorityRevocationList		OBJ_X509,38L
+
+#define LN_certificateRevocationList		"certificateRevocationList"
+#define NID_certificateRevocationList		883
+#define OBJ_certificateRevocationList		OBJ_X509,39L
+
+#define LN_crossCertificatePair		"crossCertificatePair"
+#define NID_crossCertificatePair		884
+#define OBJ_crossCertificatePair		OBJ_X509,40L
+
 #define SN_name		"name"
 #define LN_name		"name"
 #define NID_name		173
@@ -2085,6 +2191,7 @@
 #define NID_givenName		99
 #define OBJ_givenName		OBJ_X509,42L
 
+#define SN_initials		"initials"
 #define LN_initials		"initials"
 #define NID_initials		101
 #define OBJ_initials		OBJ_X509,43L
@@ -2102,6 +2209,38 @@
 #define NID_dnQualifier		174
 #define OBJ_dnQualifier		OBJ_X509,46L
 
+#define LN_enhancedSearchGuide		"enhancedSearchGuide"
+#define NID_enhancedSearchGuide		885
+#define OBJ_enhancedSearchGuide		OBJ_X509,47L
+
+#define LN_protocolInformation		"protocolInformation"
+#define NID_protocolInformation		886
+#define OBJ_protocolInformation		OBJ_X509,48L
+
+#define LN_distinguishedName		"distinguishedName"
+#define NID_distinguishedName		887
+#define OBJ_distinguishedName		OBJ_X509,49L
+
+#define LN_uniqueMember		"uniqueMember"
+#define NID_uniqueMember		888
+#define OBJ_uniqueMember		OBJ_X509,50L
+
+#define LN_houseIdentifier		"houseIdentifier"
+#define NID_houseIdentifier		889
+#define OBJ_houseIdentifier		OBJ_X509,51L
+
+#define LN_supportedAlgorithms		"supportedAlgorithms"
+#define NID_supportedAlgorithms		890
+#define OBJ_supportedAlgorithms		OBJ_X509,52L
+
+#define LN_deltaRevocationList		"deltaRevocationList"
+#define NID_deltaRevocationList		891
+#define OBJ_deltaRevocationList		OBJ_X509,53L
+
+#define SN_dmdName		"dmdName"
+#define NID_dmdName		892
+#define OBJ_dmdName		OBJ_X509,54L
+
 #define LN_pseudonym		"pseudonym"
 #define NID_pseudonym		510
 #define OBJ_pseudonym		OBJ_X509,65L

crypto/objects/obj_mac.num

@@ -856,3 +856,37 @@ hmac		855
 LocalKeySet		856
 freshest_crl		857
 id_on_permanentIdentifier		858
+searchGuide		859
+businessCategory		860
+postalAddress		861
+postOfficeBox		862
+physicalDeliveryOfficeName		863
+telephoneNumber		864
+telexNumber		865
+teletexTerminalIdentifier		866
+facsimileTelephoneNumber		867
+x121Address		868
+internationaliSDNNumber		869
+registeredAddress		870
+destinationIndicator		871
+preferredDeliveryMethod		872
+presentationAddress		873
+supportedApplicationContext		874
+member		875
+owner		876
+roleOccupant		877
+seeAlso		878
+userPassword		879
+userCertificate		880
+cACertificate		881
+authorityRevocationList		882
+certificateRevocationList		883
+crossCertificatePair		884
+enhancedSearchGuide		885
+protocolInformation		886
+distinguishedName		887
+uniqueMember		888
+houseIdentifier		889
+supportedAlgorithms		890
+deltaRevocationList		891
+dmdName		892

crypto/objects/objects.h

@@ -1054,24 +1054,34 @@ const void *	OBJ_bsearch_ex_(const void *key,const void *base,int num,
  * the non-constness means a lot of complication, and in practice
  * comparison routines do always not touch their arguments.
  */
-#define _IMPLEMENT_OBJ_BSEARCH_CMP_FN(scope, type1, type2, nm)	\
+
+#define IMPLEMENT_OBJ_BSEARCH_CMP_FN(type1, type2, nm)	\
   static int nm##_cmp_BSEARCH_CMP_FN(const void *a_, const void *b_)	\
       { \
       type1 const *a = a_; \
       type2 const *b = b_; \
       return nm##_cmp(a,b); \
       } \
-  scope type2 *OBJ_bsearch_##nm(type1 *key, type2 const *base, int num) \
+  static type2 *OBJ_bsearch_##nm(type1 *key, type2 const *base, int num) \
       { \
       return (type2 *)OBJ_bsearch_(key, base, num, sizeof(type2), \
 					nm##_cmp_BSEARCH_CMP_FN); \
       } \
       extern void dummy_prototype(void)
 
-#define IMPLEMENT_OBJ_BSEARCH_CMP_FN(type1, type2, cmp) \
-  _IMPLEMENT_OBJ_BSEARCH_CMP_FN(static, type1, type2, cmp)
-#define IMPLEMENT_OBJ_BSEARCH_GLOBAL_CMP_FN(type1, type2, cmp)	\
-  _IMPLEMENT_OBJ_BSEARCH_CMP_FN(, type1, type2, cmp)
+#define IMPLEMENT_OBJ_BSEARCH_GLOBAL_CMP_FN(type1, type2, nm)	\
+  static int nm##_cmp_BSEARCH_CMP_FN(const void *a_, const void *b_)	\
+      { \
+      type1 const *a = a_; \
+      type2 const *b = b_; \
+      return nm##_cmp(a,b); \
+      } \
+  type2 *OBJ_bsearch_##nm(type1 *key, type2 const *base, int num) \
+      { \
+      return (type2 *)OBJ_bsearch_(key, base, num, sizeof(type2), \
+					nm##_cmp_BSEARCH_CMP_FN); \
+      } \
+      extern void dummy_prototype(void)
 
 #define OBJ_bsearch(type1,key,type2,base,num,cmp)			       \
   ((type2 *)OBJ_bsearch_(CHECKED_PTR_OF(type1,key),CHECKED_PTR_OF(type2,base), \

crypto/objects/objects.txt

@@ -664,18 +664,52 @@ X509 5			: 			: serialNumber
 X509 6			: C			: countryName
 X509 7			: L			: localityName
 X509 8			: ST			: stateOrProvinceName
-X509 9			:			: streetAddress
+X509 9			: street		: streetAddress
 X509 10			: O			: organizationName
 X509 11			: OU			: organizationalUnitName
-X509 12			: 			: title
+X509 12			: title			: title
 X509 13			: 			: description
-X509 17			:			: postalCode
+X509 14			: 			: searchGuide
+X509 15			: 			: businessCategory
+X509 16			: 			: postalAddress
+X509 17			: 			: postalCode
+X509 18			: 			: postOfficeBox
+X509 19			: 			: physicalDeliveryOfficeName
+X509 20			: 			: telephoneNumber
+X509 21			: 			: telexNumber
+X509 22			: 			: teletexTerminalIdentifier
+X509 23			: 			: facsimileTelephoneNumber
+X509 24			: 			: x121Address
+X509 25			: 			: internationaliSDNNumber
+X509 26			: 			: registeredAddress
+X509 27			: 			: destinationIndicator
+X509 28			: 			: preferredDeliveryMethod
+X509 29			: 			: presentationAddress
+X509 30			: 			: supportedApplicationContext
+X509 31			: member		:
+X509 32			: owner			:
+X509 33			: 			: roleOccupant
+X509 34			: seeAlso		:
+X509 35			: 			: userPassword
+X509 36			: 			: userCertificate
+X509 37			: 			: cACertificate
+X509 38			: 			: authorityRevocationList
+X509 39			: 			: certificateRevocationList
+X509 40			: 			: crossCertificatePair
 X509 41			: name			: name
 X509 42			: GN			: givenName
-X509 43			: 			: initials
+X509 43			: initials		: initials
 X509 44			: 			: generationQualifier
 X509 45			: 			: x500UniqueIdentifier
 X509 46			: dnQualifier		: dnQualifier
+X509 47			: 			: enhancedSearchGuide
+X509 48			: 			: protocolInformation
+X509 49			: 			: distinguishedName
+X509 50			: 			: uniqueMember
+X509 51			: 			: houseIdentifier
+X509 52			: 			: supportedAlgorithms
+X509 53			: 			: deltaRevocationList
+X509 54			: dmdName		:
 X509 65			:			: pseudonym
 X509 72			: role			: role
 

crypto/objects/objxref.pl

@@ -54,10 +54,13 @@ my @srt2 = sort
 
 	return $ap2 - $bp2;
 	} @xrkeys;
-	
+
+my $pname = $0;
+
+$pname =~ s|^.[^/]/||;
 
 print <<EOF;
-/* AUTOGENERATED BY $0, DO NOT EDIT */
+/* AUTOGENERATED BY $pname, DO NOT EDIT */
 
 typedef struct
 	{

crypto/opensslv.h

@@ -25,11 +25,11 @@
  * (Prior to 0.9.5a beta1, a different scheme was used: MMNNFFRBB for
  *  major minor fix final patch/beta)
  */
-#define OPENSSL_VERSION_NUMBER	0x00909000L
+#define OPENSSL_VERSION_NUMBER	0x10000002L
 #ifdef OPENSSL_FIPS
-#define OPENSSL_VERSION_TEXT	"OpenSSL 0.9.9-fips-dev XX xxx XXXX"
+#define OPENSSL_VERSION_TEXT	"OpenSSL 1.0.0-fips-beta2 21 Apr 2009"
 #else
-#define OPENSSL_VERSION_TEXT	"OpenSSL 0.9.9-dev XX xxx XXXX"
+#define OPENSSL_VERSION_TEXT	"OpenSSL 1.0.0-beta2 21 Apr 2009"
 #endif
 #define OPENSSL_VERSION_PTEXT	" part of " OPENSSL_VERSION_TEXT
 
@@ -83,7 +83,7 @@
  * should only keep the versions that are binary compatible with the current.
  */
 #define SHLIB_VERSION_HISTORY ""
-#define SHLIB_VERSION_NUMBER "0.9.9"
+#define SHLIB_VERSION_NUMBER "1.0.0"
 
 
 #endif /* HEADER_OPENSSLV_H */

crypto/pkcs12/p12_kiss.c

@@ -63,16 +63,13 @@
 /* Simplified PKCS#12 routines */
 
 static int parse_pk12( PKCS12 *p12, const char *pass, int passlen,
-		EVP_PKEY **pkey, X509 **cert, STACK_OF(X509) **ca);
+		EVP_PKEY **pkey, STACK_OF(X509) *ocerts);
 
 static int parse_bags( STACK_OF(PKCS12_SAFEBAG) *bags, const char *pass,
-		       int passlen, EVP_PKEY **pkey, X509 **cert,
-		       STACK_OF(X509) **ca, ASN1_OCTET_STRING **keyid,
-		       char *keymatch);
+		       int passlen, EVP_PKEY **pkey, STACK_OF(X509) *ocerts);
 
 static int parse_bag( PKCS12_SAFEBAG *bag, const char *pass, int passlen,
-			EVP_PKEY **pkey, X509 **cert, STACK_OF(X509) **ca,
-			ASN1_OCTET_STRING **keyid, char *keymatch);
+			EVP_PKEY **pkey, STACK_OF(X509) *ocerts);
 
 /* Parse and decrypt a PKCS#12 structure returning user key, user cert
  * and other (CA) certs. Note either ca should be NULL, *ca should be NULL,
@@ -83,24 +80,20 @@ static int parse_bag( PKCS12_SAFEBAG *bag, const char *pass, int passlen,
 int PKCS12_parse(PKCS12 *p12, const char *pass, EVP_PKEY **pkey, X509 **cert,
 	     STACK_OF(X509) **ca)
 {
-
+	STACK_OF(X509) *ocerts = NULL;
+	X509 *x = NULL;
 	/* Check for NULL PKCS12 structure */
 
-	if(!p12) {
+	if(!p12)
+		{
 		PKCS12err(PKCS12_F_PKCS12_PARSE,PKCS12_R_INVALID_NULL_PKCS12_POINTER);
 		return 0;
-	}
-
-	/* Allocate stack for ca certificates if needed */
-	if ((ca != NULL) && (*ca == NULL)) {
-		if (!(*ca = sk_X509_new_null())) {
-			PKCS12err(PKCS12_F_PKCS12_PARSE,ERR_R_MALLOC_FAILURE);
-			return 0;
 		}
-	}
 
-	if(pkey) *pkey = NULL;
-	if(cert) *cert = NULL;
+	if(pkey)
+		*pkey = NULL;
+	if(cert)
+		*cert = NULL;
 
 	/* Check the mac */
 
@@ -122,19 +115,61 @@ int PKCS12_parse(PKCS12 *p12, const char *pass, EVP_PKEY **pkey, X509 **cert,
 		goto err;
 	}
 
-	if (!parse_pk12 (p12, pass, -1, pkey, cert, ca))
+	/* Allocate stack for other certificates */
+	ocerts = sk_X509_new_null();
+
+	if (!ocerts)
+		{
+		PKCS12err(PKCS12_F_PKCS12_PARSE,ERR_R_MALLOC_FAILURE);
+		return 0;
+		}
+
+	if (!parse_pk12 (p12, pass, -1, pkey, ocerts))
 		{
 		PKCS12err(PKCS12_F_PKCS12_PARSE,PKCS12_R_PARSE_ERROR);
 		goto err;
 		}
 
+	while ((x = sk_X509_pop(ocerts)))
+		{
+		if (pkey && *pkey && cert && !*cert)
+			{
+			if (X509_check_private_key(x, *pkey))
+				{
+				*cert = x;
+				x = NULL;
+				}
+			}
+
+		if (ca && x)
+			{
+			if (!*ca)
+				*ca = sk_X509_new_null();
+			if (!*ca)
+				goto err;
+			if (!sk_X509_push(*ca, x))
+				goto err;
+			x = NULL;
+			}
+		if (x)
+			X509_free(x);
+		}
+
+	if (ocerts)
+		sk_X509_pop_free(ocerts, X509_free);
+
 	return 1;
 
  err:
 
-	if (pkey && *pkey) EVP_PKEY_free(*pkey);
-	if (cert && *cert) X509_free(*cert);
-	if (ca) sk_X509_pop_free(*ca, X509_free);
+	if (pkey && *pkey)
+		EVP_PKEY_free(*pkey);
+	if (cert && *cert)
+		X509_free(*cert);
+	if (x)
+		X509_free(*cert);
+	if (ocerts)
+		sk_X509_pop_free(ocerts, X509_free);
 	return 0;
 
 }
@@ -142,15 +177,13 @@ int PKCS12_parse(PKCS12 *p12, const char *pass, EVP_PKEY **pkey, X509 **cert,
 /* Parse the outer PKCS#12 structure */
 
 static int parse_pk12(PKCS12 *p12, const char *pass, int passlen,
-	     EVP_PKEY **pkey, X509 **cert, STACK_OF(X509) **ca)
+	     EVP_PKEY **pkey, STACK_OF(X509) *ocerts)
 {
 	STACK_OF(PKCS7) *asafes;
 	STACK_OF(PKCS12_SAFEBAG) *bags;
 	int i, bagnid;
 	PKCS7 *p7;
-	ASN1_OCTET_STRING *keyid = NULL;
 
-	char keymatch = 0;
 	if (!(asafes = PKCS12_unpack_authsafes (p12))) return 0;
 	for (i = 0; i < sk_PKCS7_num (asafes); i++) {
 		p7 = sk_PKCS7_value (asafes, i);
@@ -164,8 +197,7 @@ static int parse_pk12(PKCS12 *p12, const char *pass, int passlen,
 			sk_PKCS7_pop_free(asafes, PKCS7_free);
 			return 0;
 		}
-	    	if (!parse_bags(bags, pass, passlen, pkey, cert, ca,
-							 &keyid, &keymatch)) {
+	    	if (!parse_bags(bags, pass, passlen, pkey, ocerts)) {
 			sk_PKCS12_SAFEBAG_pop_free(bags, PKCS12_SAFEBAG_free);
 			sk_PKCS7_pop_free(asafes, PKCS7_free);
 			return 0;
@@ -173,89 +205,65 @@ static int parse_pk12(PKCS12 *p12, const char *pass, int passlen,
 		sk_PKCS12_SAFEBAG_pop_free(bags, PKCS12_SAFEBAG_free);
 	}
 	sk_PKCS7_pop_free(asafes, PKCS7_free);
-	if (keyid) M_ASN1_OCTET_STRING_free(keyid);
 	return 1;
 }
 
 
 static int parse_bags(STACK_OF(PKCS12_SAFEBAG) *bags, const char *pass,
-		      int passlen, EVP_PKEY **pkey, X509 **cert,
-		      STACK_OF(X509) **ca, ASN1_OCTET_STRING **keyid,
-		      char *keymatch)
+		      int passlen, EVP_PKEY **pkey, STACK_OF(X509) *ocerts)
 {
 	int i;
 	for (i = 0; i < sk_PKCS12_SAFEBAG_num(bags); i++) {
 		if (!parse_bag(sk_PKCS12_SAFEBAG_value (bags, i),
-			 pass, passlen, pkey, cert, ca, keyid,
-							 keymatch)) return 0;
+				 pass, passlen, pkey, ocerts))
+			return 0;
 	}
 	return 1;
 }
 
-#define MATCH_KEY  0x1
-#define MATCH_CERT 0x2
-#define MATCH_ALL  0x3
-
 static int parse_bag(PKCS12_SAFEBAG *bag, const char *pass, int passlen,
-		     EVP_PKEY **pkey, X509 **cert, STACK_OF(X509) **ca,
-		     ASN1_OCTET_STRING **keyid,
-		     char *keymatch)
+		     EVP_PKEY **pkey, STACK_OF(X509) *ocerts)
 {
 	PKCS8_PRIV_KEY_INFO *p8;
 	X509 *x509;
-	ASN1_OCTET_STRING *lkey = NULL, *ckid = NULL;
 	ASN1_TYPE *attrib;
 	ASN1_BMPSTRING *fname = NULL;
+	ASN1_OCTET_STRING *lkid = NULL;
 
 	if ((attrib = PKCS12_get_attr (bag, NID_friendlyName)))
 		fname = attrib->value.bmpstring;
 
-	if ((attrib = PKCS12_get_attr (bag, NID_localKeyID))) {
-		lkey = attrib->value.octet_string;
-		ckid = lkey;
-	}
+	if ((attrib = PKCS12_get_attr (bag, NID_localKeyID)))
+		lkid = attrib->value.octet_string;
 
-	/* Check for any local key id matching (if needed) */
-	if (lkey && ((*keymatch & MATCH_ALL) != MATCH_ALL)) {
-		if (*keyid) {
-			if (M_ASN1_OCTET_STRING_cmp(*keyid, lkey)) lkey = NULL;
-		} else {
-			if (!(*keyid = M_ASN1_OCTET_STRING_dup(lkey))) {
-				PKCS12err(PKCS12_F_PARSE_BAG,ERR_R_MALLOC_FAILURE);
-				return 0;
-		    }
-		}
-	}
-	
 	switch (M_PKCS12_bag_type(bag))
 	{
 	case NID_keyBag:
-		if (!lkey || !pkey) return 1;	
-		if (!(*pkey = EVP_PKCS82PKEY(bag->value.keybag))) return 0;
-		*keymatch |= MATCH_KEY;
+		if (!pkey || *pkey)
+			return 1;	
+		if (!(*pkey = EVP_PKCS82PKEY(bag->value.keybag)))
+			return 0;
 	break;
 
 	case NID_pkcs8ShroudedKeyBag:
-		if (!lkey || !pkey) return 1;	
+		if (!pkey || *pkey)
+			return 1;	
 		if (!(p8 = PKCS12_decrypt_skey(bag, pass, passlen)))
 				return 0;
 		*pkey = EVP_PKCS82PKEY(p8);
 		PKCS8_PRIV_KEY_INFO_free(p8);
 		if (!(*pkey)) return 0;
-		*keymatch |= MATCH_KEY;
 	break;
 
 	case NID_certBag:
 		if (M_PKCS12_cert_bag_type(bag) != NID_x509Certificate )
-								 return 1;
-		if (!(x509 = PKCS12_certbag2x509(bag))) return 0;
-		if(ckid)
+			return 1;
+		if (!(x509 = PKCS12_certbag2x509(bag)))
+			return 0;
+		if(lkid && !X509_keyid_set1(x509, lkid->data, lkid->length))
 			{
-			if (!X509_keyid_set1(x509, ckid->data, ckid->length))
-				{
-				X509_free(x509);
-				return 0;
-				}
+			X509_free(x509);
+			return 0;
 			}
 		if(fname) {
 			int len, r;
@@ -272,20 +280,17 @@ static int parse_bag(PKCS12_SAFEBAG *bag, const char *pass, int passlen,
 			}
 		}
 
+		if(!sk_X509_push(ocerts, x509))
+			{
+			X509_free(x509);
+			return 0;
+			}
 
-		if (lkey) {
-			*keymatch |= MATCH_CERT;
-			if (cert) *cert = x509;
-			else X509_free(x509);
-		} else {
-			if(ca) sk_X509_push (*ca, x509);
-			else X509_free(x509);
-		}
 	break;
 
 	case NID_safeContentsBag:
 		return parse_bags(bag->value.safes, pass, passlen,
-			 		pkey, cert, ca, keyid, keymatch);
+			 		pkey, ocerts);
 	break;
 
 	default:

crypto/rand/rand_unix.c

@@ -133,7 +133,50 @@
 # define FD_SETSIZE (8*sizeof(fd_set))
 #endif
 
-#ifdef __OpenBSD__
+#ifdef __VOS__
+int RAND_poll(void)
+{
+	unsigned char buf[ENTROPY_NEEDED];
+	pid_t curr_pid;
+	uid_t curr_uid;
+	static int first=1;
+	int i;
+	long rnd = 0;
+	struct timespec ts;
+	unsigned seed;
+
+/* The VOS random() function starts from a static seed so its
+   initial value is predictable.  If random() returns the
+   initial value, reseed it with dynamic data.  The VOS
+   real-time clock has a granularity of 1 nsec so it should be
+   reasonably difficult to predict its exact value.  Do not
+   gratuitously reseed the PRNG because other code in this
+   process or thread may be using it.  */
+
+	if (first) {
+		first = 0;
+		rnd = random ();
+		if (rnd == 1804289383) {
+			clock_gettime (CLOCK_REALTIME, &ts);
+			curr_pid = getpid();
+			curr_uid = getuid();
+			seed = ts.tv_sec ^ ts.tv_nsec ^ curr_pid ^ curr_uid;
+			srandom (seed);
+		}
+	}
+
+	for (i = 0; i < sizeof(buf); i++) {
+		if (i % 4 == 0)
+			rnd = random();
+		buf[i] = rnd;
+		rnd >>= 8;
+	}
+	RAND_add(buf, sizeof(buf), ENTROPY_NEEDED);
+	memset(buf, 0, sizeof(buf));
+
+	return 1;
+}
+#elif defined __OpenBSD__
 int RAND_poll(void)
 {
 	u_int32_t rnd = 0, i;

crypto/stack/safestack.h

@@ -213,7 +213,6 @@ DECLARE_SPECIAL_STACK_OF(BLOCK, void)
 #define sk_ACCESS_DESCRIPTION_set_cmp_func(st, cmp) SKM_sk_set_cmp_func(ACCESS_DESCRIPTION, (st), (cmp))
 #define sk_ACCESS_DESCRIPTION_dup(st) SKM_sk_dup(ACCESS_DESCRIPTION, st)
 #define sk_ACCESS_DESCRIPTION_pop_free(st, free_func) SKM_sk_pop_free(ACCESS_DESCRIPTION, (st), (free_func))
-#define sk_ACCESS_DESCRIPTION_free(st) SKM_sk_free(ACCESS_DESCRIPTION, (st))
 #define sk_ACCESS_DESCRIPTION_shift(st) SKM_sk_shift(ACCESS_DESCRIPTION, (st))
 #define sk_ACCESS_DESCRIPTION_pop(st) SKM_sk_pop(ACCESS_DESCRIPTION, (st))
 #define sk_ACCESS_DESCRIPTION_sort(st) SKM_sk_sort(ACCESS_DESCRIPTION, (st))
@@ -236,7 +235,6 @@ DECLARE_SPECIAL_STACK_OF(BLOCK, void)
 #define sk_ASIdOrRange_set_cmp_func(st, cmp) SKM_sk_set_cmp_func(ASIdOrRange, (st), (cmp))
 #define sk_ASIdOrRange_dup(st) SKM_sk_dup(ASIdOrRange, st)
 #define sk_ASIdOrRange_pop_free(st, free_func) SKM_sk_pop_free(ASIdOrRange, (st), (free_func))
-#define sk_ASIdOrRange_free(st) SKM_sk_free(ASIdOrRange, (st))
 #define sk_ASIdOrRange_shift(st) SKM_sk_shift(ASIdOrRange, (st))
 #define sk_ASIdOrRange_pop(st) SKM_sk_pop(ASIdOrRange, (st))
 #define sk_ASIdOrRange_sort(st) SKM_sk_sort(ASIdOrRange, (st))
@@ -259,7 +257,6 @@ DECLARE_SPECIAL_STACK_OF(BLOCK, void)
 #define sk_ASN1_GENERALSTRING_set_cmp_func(st, cmp) SKM_sk_set_cmp_func(ASN1_GENERALSTRING, (st), (cmp))
 #define sk_ASN1_GENERALSTRING_dup(st) SKM_sk_dup(ASN1_GENERALSTRING, st)
 #define sk_ASN1_GENERALSTRING_pop_free(st, free_func) SKM_sk_pop_free(ASN1_GENERALSTRING, (st), (free_func))
-#define sk_ASN1_GENERALSTRING_free(st) SKM_sk_free(ASN1_GENERALSTRING, (st))
 #define sk_ASN1_GENERALSTRING_shift(st) SKM_sk_shift(ASN1_GENERALSTRING, (st))
 #define sk_ASN1_GENERALSTRING_pop(st) SKM_sk_pop(ASN1_GENERALSTRING, (st))
 #define sk_ASN1_GENERALSTRING_sort(st) SKM_sk_sort(ASN1_GENERALSTRING, (st))
@@ -282,7 +279,6 @@ DECLARE_SPECIAL_STACK_OF(BLOCK, void)
 #define sk_ASN1_INTEGER_set_cmp_func(st, cmp) SKM_sk_set_cmp_func(ASN1_INTEGER, (st), (cmp))
 #define sk_ASN1_INTEGER_dup(st) SKM_sk_dup(ASN1_INTEGER, st)
 #define sk_ASN1_INTEGER_pop_free(st, free_func) SKM_sk_pop_free(ASN1_INTEGER, (st), (free_func))
-#define sk_ASN1_INTEGER_free(st) SKM_sk_free(ASN1_INTEGER, (st))
 #define sk_ASN1_INTEGER_shift(st) SKM_sk_shift(ASN1_INTEGER, (st))
 #define sk_ASN1_INTEGER_pop(st) SKM_sk_pop(ASN1_INTEGER, (st))
 #define sk_ASN1_INTEGER_sort(st) SKM_sk_sort(ASN1_INTEGER, (st))
@@ -305,7 +301,6 @@ DECLARE_SPECIAL_STACK_OF(BLOCK, void)
 #define sk_ASN1_OBJECT_set_cmp_func(st, cmp) SKM_sk_set_cmp_func(ASN1_OBJECT, (st), (cmp))
 #define sk_ASN1_OBJECT_dup(st) SKM_sk_dup(ASN1_OBJECT, st)
 #define sk_ASN1_OBJECT_pop_free(st, free_func) SKM_sk_pop_free(ASN1_OBJECT, (st), (free_func))
-#define sk_ASN1_OBJECT_free(st) SKM_sk_free(ASN1_OBJECT, (st))
 #define sk_ASN1_OBJECT_shift(st) SKM_sk_shift(ASN1_OBJECT, (st))
 #define sk_ASN1_OBJECT_pop(st) SKM_sk_pop(ASN1_OBJECT, (st))
 #define sk_ASN1_OBJECT_sort(st) SKM_sk_sort(ASN1_OBJECT, (st))
@@ -328,7 +323,6 @@ DECLARE_SPECIAL_STACK_OF(BLOCK, void)
 #define sk_ASN1_STRING_TABLE_set_cmp_func(st, cmp) SKM_sk_set_cmp_func(ASN1_STRING_TABLE, (st), (cmp))
 #define sk_ASN1_STRING_TABLE_dup(st) SKM_sk_dup(ASN1_STRING_TABLE, st)
 #define sk_ASN1_STRING_TABLE_pop_free(st, free_func) SKM_sk_pop_free(ASN1_STRING_TABLE, (st), (free_func))
-#define sk_ASN1_STRING_TABLE_free(st) SKM_sk_free(ASN1_STRING_TABLE, (st))
 #define sk_ASN1_STRING_TABLE_shift(st) SKM_sk_shift(ASN1_STRING_TABLE, (st))
 #define sk_ASN1_STRING_TABLE_pop(st) SKM_sk_pop(ASN1_STRING_TABLE, (st))
 #define sk_ASN1_STRING_TABLE_sort(st) SKM_sk_sort(ASN1_STRING_TABLE, (st))
@@ -351,7 +345,6 @@ DECLARE_SPECIAL_STACK_OF(BLOCK, void)
 #define sk_ASN1_TYPE_set_cmp_func(st, cmp) SKM_sk_set_cmp_func(ASN1_TYPE, (st), (cmp))
 #define sk_ASN1_TYPE_dup(st) SKM_sk_dup(ASN1_TYPE, st)
 #define sk_ASN1_TYPE_pop_free(st, free_func) SKM_sk_pop_free(ASN1_TYPE, (st), (free_func))
-#define sk_ASN1_TYPE_free(st) SKM_sk_free(ASN1_TYPE, (st))
 #define sk_ASN1_TYPE_shift(st) SKM_sk_shift(ASN1_TYPE, (st))
 #define sk_ASN1_TYPE_pop(st) SKM_sk_pop(ASN1_TYPE, (st))
 #define sk_ASN1_TYPE_sort(st) SKM_sk_sort(ASN1_TYPE, (st))
@@ -374,7 +367,6 @@ DECLARE_SPECIAL_STACK_OF(BLOCK, void)
 #define sk_ASN1_UTF8STRING_set_cmp_func(st, cmp) SKM_sk_set_cmp_func(ASN1_UTF8STRING, (st), (cmp))
 #define sk_ASN1_UTF8STRING_dup(st) SKM_sk_dup(ASN1_UTF8STRING, st)
 #define sk_ASN1_UTF8STRING_pop_free(st, free_func) SKM_sk_pop_free(ASN1_UTF8STRING, (st), (free_func))
-#define sk_ASN1_UTF8STRING_free(st) SKM_sk_free(ASN1_UTF8STRING, (st))
 #define sk_ASN1_UTF8STRING_shift(st) SKM_sk_shift(ASN1_UTF8STRING, (st))
 #define sk_ASN1_UTF8STRING_pop(st) SKM_sk_pop(ASN1_UTF8STRING, (st))
 #define sk_ASN1_UTF8STRING_sort(st) SKM_sk_sort(ASN1_UTF8STRING, (st))
@@ -397,7 +389,6 @@ DECLARE_SPECIAL_STACK_OF(BLOCK, void)
 #define sk_ASN1_VALUE_set_cmp_func(st, cmp) SKM_sk_set_cmp_func(ASN1_VALUE, (st), (cmp))
 #define sk_ASN1_VALUE_dup(st) SKM_sk_dup(ASN1_VALUE, st)
 #define sk_ASN1_VALUE_pop_free(st, free_func) SKM_sk_pop_free(ASN1_VALUE, (st), (free_func))
-#define sk_ASN1_VALUE_free(st) SKM_sk_free(ASN1_VALUE, (st))
 #define sk_ASN1_VALUE_shift(st) SKM_sk_shift(ASN1_VALUE, (st))
 #define sk_ASN1_VALUE_pop(st) SKM_sk_pop(ASN1_VALUE, (st))
 #define sk_ASN1_VALUE_sort(st) SKM_sk_sort(ASN1_VALUE, (st))
@@ -420,7 +411,6 @@ DECLARE_SPECIAL_STACK_OF(BLOCK, void)
 #define sk_BIO_set_cmp_func(st, cmp) SKM_sk_set_cmp_func(BIO, (st), (cmp))
 #define sk_BIO_dup(st) SKM_sk_dup(BIO, st)
 #define sk_BIO_pop_free(st, free_func) SKM_sk_pop_free(BIO, (st), (free_func))
-#define sk_BIO_free(st) SKM_sk_free(BIO, (st))
 #define sk_BIO_shift(st) SKM_sk_shift(BIO, (st))
 #define sk_BIO_pop(st) SKM_sk_pop(BIO, (st))
 #define sk_BIO_sort(st) SKM_sk_sort(BIO, (st))
@@ -443,7 +433,6 @@ DECLARE_SPECIAL_STACK_OF(BLOCK, void)
 #define sk_BY_DIR_ENTRY_set_cmp_func(st, cmp) SKM_sk_set_cmp_func(BY_DIR_ENTRY, (st), (cmp))
 #define sk_BY_DIR_ENTRY_dup(st) SKM_sk_dup(BY_DIR_ENTRY, st)
 #define sk_BY_DIR_ENTRY_pop_free(st, free_func) SKM_sk_pop_free(BY_DIR_ENTRY, (st), (free_func))
-#define sk_BY_DIR_ENTRY_free(st) SKM_sk_free(BY_DIR_ENTRY, (st))
 #define sk_BY_DIR_ENTRY_shift(st) SKM_sk_shift(BY_DIR_ENTRY, (st))
 #define sk_BY_DIR_ENTRY_pop(st) SKM_sk_pop(BY_DIR_ENTRY, (st))
 #define sk_BY_DIR_ENTRY_sort(st) SKM_sk_sort(BY_DIR_ENTRY, (st))
@@ -466,7 +455,6 @@ DECLARE_SPECIAL_STACK_OF(BLOCK, void)
 #define sk_BY_DIR_HASH_set_cmp_func(st, cmp) SKM_sk_set_cmp_func(BY_DIR_HASH, (st), (cmp))
 #define sk_BY_DIR_HASH_dup(st) SKM_sk_dup(BY_DIR_HASH, st)
 #define sk_BY_DIR_HASH_pop_free(st, free_func) SKM_sk_pop_free(BY_DIR_HASH, (st), (free_func))
-#define sk_BY_DIR_HASH_free(st) SKM_sk_free(BY_DIR_HASH, (st))
 #define sk_BY_DIR_HASH_shift(st) SKM_sk_shift(BY_DIR_HASH, (st))
 #define sk_BY_DIR_HASH_pop(st) SKM_sk_pop(BY_DIR_HASH, (st))
 #define sk_BY_DIR_HASH_sort(st) SKM_sk_sort(BY_DIR_HASH, (st))
@@ -489,7 +477,6 @@ DECLARE_SPECIAL_STACK_OF(BLOCK, void)
 #define sk_CMS_CertificateChoices_set_cmp_func(st, cmp) SKM_sk_set_cmp_func(CMS_CertificateChoices, (st), (cmp))
 #define sk_CMS_CertificateChoices_dup(st) SKM_sk_dup(CMS_CertificateChoices, st)
 #define sk_CMS_CertificateChoices_pop_free(st, free_func) SKM_sk_pop_free(CMS_CertificateChoices, (st), (free_func))
-#define sk_CMS_CertificateChoices_free(st) SKM_sk_free(CMS_CertificateChoices, (st))
 #define sk_CMS_CertificateChoices_shift(st) SKM_sk_shift(CMS_CertificateChoices, (st))
 #define sk_CMS_CertificateChoices_pop(st) SKM_sk_pop(CMS_CertificateChoices, (st))
 #define sk_CMS_CertificateChoices_sort(st) SKM_sk_sort(CMS_CertificateChoices, (st))
@@ -512,7 +499,6 @@ DECLARE_SPECIAL_STACK_OF(BLOCK, void)
 #define sk_CMS_RecipientInfo_set_cmp_func(st, cmp) SKM_sk_set_cmp_func(CMS_RecipientInfo, (st), (cmp))
 #define sk_CMS_RecipientInfo_dup(st) SKM_sk_dup(CMS_RecipientInfo, st)
 #define sk_CMS_RecipientInfo_pop_free(st, free_func) SKM_sk_pop_free(CMS_RecipientInfo, (st), (free_func))
-#define sk_CMS_RecipientInfo_free(st) SKM_sk_free(CMS_RecipientInfo, (st))
 #define sk_CMS_RecipientInfo_shift(st) SKM_sk_shift(CMS_RecipientInfo, (st))
 #define sk_CMS_RecipientInfo_pop(st) SKM_sk_pop(CMS_RecipientInfo, (st))
 #define sk_CMS_RecipientInfo_sort(st) SKM_sk_sort(CMS_RecipientInfo, (st))
@@ -535,7 +521,6 @@ DECLARE_SPECIAL_STACK_OF(BLOCK, void)
 #define sk_CMS_RevocationInfoChoice_set_cmp_func(st, cmp) SKM_sk_set_cmp_func(CMS_RevocationInfoChoice, (st), (cmp))
 #define sk_CMS_RevocationInfoChoice_dup(st) SKM_sk_dup(CMS_RevocationInfoChoice, st)
 #define sk_CMS_RevocationInfoChoice_pop_free(st, free_func) SKM_sk_pop_free(CMS_RevocationInfoChoice, (st), (free_func))
-#define sk_CMS_RevocationInfoChoice_free(st) SKM_sk_free(CMS_RevocationInfoChoice, (st))
 #define sk_CMS_RevocationInfoChoice_shift(st) SKM_sk_shift(CMS_RevocationInfoChoice, (st))
 #define sk_CMS_RevocationInfoChoice_pop(st) SKM_sk_pop(CMS_RevocationInfoChoice, (st))
 #define sk_CMS_RevocationInfoChoice_sort(st) SKM_sk_sort(CMS_RevocationInfoChoice, (st))
@@ -558,7 +543,6 @@ DECLARE_SPECIAL_STACK_OF(BLOCK, void)
 #define sk_CMS_SignerInfo_set_cmp_func(st, cmp) SKM_sk_set_cmp_func(CMS_SignerInfo, (st), (cmp))
 #define sk_CMS_SignerInfo_dup(st) SKM_sk_dup(CMS_SignerInfo, st)
 #define sk_CMS_SignerInfo_pop_free(st, free_func) SKM_sk_pop_free(CMS_SignerInfo, (st), (free_func))
-#define sk_CMS_SignerInfo_free(st) SKM_sk_free(CMS_SignerInfo, (st))
 #define sk_CMS_SignerInfo_shift(st) SKM_sk_shift(CMS_SignerInfo, (st))
 #define sk_CMS_SignerInfo_pop(st) SKM_sk_pop(CMS_SignerInfo, (st))
 #define sk_CMS_SignerInfo_sort(st) SKM_sk_sort(CMS_SignerInfo, (st))
@@ -581,7 +565,6 @@ DECLARE_SPECIAL_STACK_OF(BLOCK, void)
 #define sk_CONF_IMODULE_set_cmp_func(st, cmp) SKM_sk_set_cmp_func(CONF_IMODULE, (st), (cmp))
 #define sk_CONF_IMODULE_dup(st) SKM_sk_dup(CONF_IMODULE, st)
 #define sk_CONF_IMODULE_pop_free(st, free_func) SKM_sk_pop_free(CONF_IMODULE, (st), (free_func))
-#define sk_CONF_IMODULE_free(st) SKM_sk_free(CONF_IMODULE, (st))
 #define sk_CONF_IMODULE_shift(st) SKM_sk_shift(CONF_IMODULE, (st))
 #define sk_CONF_IMODULE_pop(st) SKM_sk_pop(CONF_IMODULE, (st))
 #define sk_CONF_IMODULE_sort(st) SKM_sk_sort(CONF_IMODULE, (st))
@@ -604,7 +587,6 @@ DECLARE_SPECIAL_STACK_OF(BLOCK, void)
 #define sk_CONF_MODULE_set_cmp_func(st, cmp) SKM_sk_set_cmp_func(CONF_MODULE, (st), (cmp))
 #define sk_CONF_MODULE_dup(st) SKM_sk_dup(CONF_MODULE, st)
 #define sk_CONF_MODULE_pop_free(st, free_func) SKM_sk_pop_free(CONF_MODULE, (st), (free_func))
-#define sk_CONF_MODULE_free(st) SKM_sk_free(CONF_MODULE, (st))
 #define sk_CONF_MODULE_shift(st) SKM_sk_shift(CONF_MODULE, (st))
 #define sk_CONF_MODULE_pop(st) SKM_sk_pop(CONF_MODULE, (st))
 #define sk_CONF_MODULE_sort(st) SKM_sk_sort(CONF_MODULE, (st))
@@ -627,7 +609,6 @@ DECLARE_SPECIAL_STACK_OF(BLOCK, void)
 #define sk_CONF_VALUE_set_cmp_func(st, cmp) SKM_sk_set_cmp_func(CONF_VALUE, (st), (cmp))
 #define sk_CONF_VALUE_dup(st) SKM_sk_dup(CONF_VALUE, st)
 #define sk_CONF_VALUE_pop_free(st, free_func) SKM_sk_pop_free(CONF_VALUE, (st), (free_func))
-#define sk_CONF_VALUE_free(st) SKM_sk_free(CONF_VALUE, (st))
 #define sk_CONF_VALUE_shift(st) SKM_sk_shift(CONF_VALUE, (st))
 #define sk_CONF_VALUE_pop(st) SKM_sk_pop(CONF_VALUE, (st))
 #define sk_CONF_VALUE_sort(st) SKM_sk_sort(CONF_VALUE, (st))
@@ -650,7 +631,6 @@ DECLARE_SPECIAL_STACK_OF(BLOCK, void)
 #define sk_CRYPTO_EX_DATA_FUNCS_set_cmp_func(st, cmp) SKM_sk_set_cmp_func(CRYPTO_EX_DATA_FUNCS, (st), (cmp))
 #define sk_CRYPTO_EX_DATA_FUNCS_dup(st) SKM_sk_dup(CRYPTO_EX_DATA_FUNCS, st)
 #define sk_CRYPTO_EX_DATA_FUNCS_pop_free(st, free_func) SKM_sk_pop_free(CRYPTO_EX_DATA_FUNCS, (st), (free_func))
-#define sk_CRYPTO_EX_DATA_FUNCS_free(st) SKM_sk_free(CRYPTO_EX_DATA_FUNCS, (st))
 #define sk_CRYPTO_EX_DATA_FUNCS_shift(st) SKM_sk_shift(CRYPTO_EX_DATA_FUNCS, (st))
 #define sk_CRYPTO_EX_DATA_FUNCS_pop(st) SKM_sk_pop(CRYPTO_EX_DATA_FUNCS, (st))
 #define sk_CRYPTO_EX_DATA_FUNCS_sort(st) SKM_sk_sort(CRYPTO_EX_DATA_FUNCS, (st))
@@ -673,7 +653,6 @@ DECLARE_SPECIAL_STACK_OF(BLOCK, void)
 #define sk_CRYPTO_dynlock_set_cmp_func(st, cmp) SKM_sk_set_cmp_func(CRYPTO_dynlock, (st), (cmp))
 #define sk_CRYPTO_dynlock_dup(st) SKM_sk_dup(CRYPTO_dynlock, st)
 #define sk_CRYPTO_dynlock_pop_free(st, free_func) SKM_sk_pop_free(CRYPTO_dynlock, (st), (free_func))
-#define sk_CRYPTO_dynlock_free(st) SKM_sk_free(CRYPTO_dynlock, (st))
 #define sk_CRYPTO_dynlock_shift(st) SKM_sk_shift(CRYPTO_dynlock, (st))
 #define sk_CRYPTO_dynlock_pop(st) SKM_sk_pop(CRYPTO_dynlock, (st))
 #define sk_CRYPTO_dynlock_sort(st) SKM_sk_sort(CRYPTO_dynlock, (st))
@@ -696,7 +675,6 @@ DECLARE_SPECIAL_STACK_OF(BLOCK, void)
 #define sk_DIST_POINT_set_cmp_func(st, cmp) SKM_sk_set_cmp_func(DIST_POINT, (st), (cmp))
 #define sk_DIST_POINT_dup(st) SKM_sk_dup(DIST_POINT, st)
 #define sk_DIST_POINT_pop_free(st, free_func) SKM_sk_pop_free(DIST_POINT, (st), (free_func))
-#define sk_DIST_POINT_free(st) SKM_sk_free(DIST_POINT, (st))
 #define sk_DIST_POINT_shift(st) SKM_sk_shift(DIST_POINT, (st))
 #define sk_DIST_POINT_pop(st) SKM_sk_pop(DIST_POINT, (st))
 #define sk_DIST_POINT_sort(st) SKM_sk_sort(DIST_POINT, (st))
@@ -719,7 +697,6 @@ DECLARE_SPECIAL_STACK_OF(BLOCK, void)
 #define sk_ENGINE_set_cmp_func(st, cmp) SKM_sk_set_cmp_func(ENGINE, (st), (cmp))
 #define sk_ENGINE_dup(st) SKM_sk_dup(ENGINE, st)
 #define sk_ENGINE_pop_free(st, free_func) SKM_sk_pop_free(ENGINE, (st), (free_func))
-#define sk_ENGINE_free(st) SKM_sk_free(ENGINE, (st))
 #define sk_ENGINE_shift(st) SKM_sk_shift(ENGINE, (st))
 #define sk_ENGINE_pop(st) SKM_sk_pop(ENGINE, (st))
 #define sk_ENGINE_sort(st) SKM_sk_sort(ENGINE, (st))
@@ -742,7 +719,6 @@ DECLARE_SPECIAL_STACK_OF(BLOCK, void)
 #define sk_ENGINE_CLEANUP_ITEM_set_cmp_func(st, cmp) SKM_sk_set_cmp_func(ENGINE_CLEANUP_ITEM, (st), (cmp))
 #define sk_ENGINE_CLEANUP_ITEM_dup(st) SKM_sk_dup(ENGINE_CLEANUP_ITEM, st)
 #define sk_ENGINE_CLEANUP_ITEM_pop_free(st, free_func) SKM_sk_pop_free(ENGINE_CLEANUP_ITEM, (st), (free_func))
-#define sk_ENGINE_CLEANUP_ITEM_free(st) SKM_sk_free(ENGINE_CLEANUP_ITEM, (st))
 #define sk_ENGINE_CLEANUP_ITEM_shift(st) SKM_sk_shift(ENGINE_CLEANUP_ITEM, (st))
 #define sk_ENGINE_CLEANUP_ITEM_pop(st) SKM_sk_pop(ENGINE_CLEANUP_ITEM, (st))
 #define sk_ENGINE_CLEANUP_ITEM_sort(st) SKM_sk_sort(ENGINE_CLEANUP_ITEM, (st))
@@ -765,7 +741,6 @@ DECLARE_SPECIAL_STACK_OF(BLOCK, void)
 #define sk_ESS_CERT_ID_set_cmp_func(st, cmp) SKM_sk_set_cmp_func(ESS_CERT_ID, (st), (cmp))
 #define sk_ESS_CERT_ID_dup(st) SKM_sk_dup(ESS_CERT_ID, st)
 #define sk_ESS_CERT_ID_pop_free(st, free_func) SKM_sk_pop_free(ESS_CERT_ID, (st), (free_func))
-#define sk_ESS_CERT_ID_free(st) SKM_sk_free(ESS_CERT_ID, (st))
 #define sk_ESS_CERT_ID_shift(st) SKM_sk_shift(ESS_CERT_ID, (st))
 #define sk_ESS_CERT_ID_pop(st) SKM_sk_pop(ESS_CERT_ID, (st))
 #define sk_ESS_CERT_ID_sort(st) SKM_sk_sort(ESS_CERT_ID, (st))
@@ -788,7 +763,6 @@ DECLARE_SPECIAL_STACK_OF(BLOCK, void)
 #define sk_EVP_MD_set_cmp_func(st, cmp) SKM_sk_set_cmp_func(EVP_MD, (st), (cmp))
 #define sk_EVP_MD_dup(st) SKM_sk_dup(EVP_MD, st)
 #define sk_EVP_MD_pop_free(st, free_func) SKM_sk_pop_free(EVP_MD, (st), (free_func))
-#define sk_EVP_MD_free(st) SKM_sk_free(EVP_MD, (st))
 #define sk_EVP_MD_shift(st) SKM_sk_shift(EVP_MD, (st))
 #define sk_EVP_MD_pop(st) SKM_sk_pop(EVP_MD, (st))
 #define sk_EVP_MD_sort(st) SKM_sk_sort(EVP_MD, (st))
@@ -811,7 +785,6 @@ DECLARE_SPECIAL_STACK_OF(BLOCK, void)
 #define sk_EVP_PBE_CTL_set_cmp_func(st, cmp) SKM_sk_set_cmp_func(EVP_PBE_CTL, (st), (cmp))
 #define sk_EVP_PBE_CTL_dup(st) SKM_sk_dup(EVP_PBE_CTL, st)
 #define sk_EVP_PBE_CTL_pop_free(st, free_func) SKM_sk_pop_free(EVP_PBE_CTL, (st), (free_func))
-#define sk_EVP_PBE_CTL_free(st) SKM_sk_free(EVP_PBE_CTL, (st))
 #define sk_EVP_PBE_CTL_shift(st) SKM_sk_shift(EVP_PBE_CTL, (st))
 #define sk_EVP_PBE_CTL_pop(st) SKM_sk_pop(EVP_PBE_CTL, (st))
 #define sk_EVP_PBE_CTL_sort(st) SKM_sk_sort(EVP_PBE_CTL, (st))
@@ -834,7 +807,6 @@ DECLARE_SPECIAL_STACK_OF(BLOCK, void)
 #define sk_EVP_PKEY_ASN1_METHOD_set_cmp_func(st, cmp) SKM_sk_set_cmp_func(EVP_PKEY_ASN1_METHOD, (st), (cmp))
 #define sk_EVP_PKEY_ASN1_METHOD_dup(st) SKM_sk_dup(EVP_PKEY_ASN1_METHOD, st)
 #define sk_EVP_PKEY_ASN1_METHOD_pop_free(st, free_func) SKM_sk_pop_free(EVP_PKEY_ASN1_METHOD, (st), (free_func))
-#define sk_EVP_PKEY_ASN1_METHOD_free(st) SKM_sk_free(EVP_PKEY_ASN1_METHOD, (st))
 #define sk_EVP_PKEY_ASN1_METHOD_shift(st) SKM_sk_shift(EVP_PKEY_ASN1_METHOD, (st))
 #define sk_EVP_PKEY_ASN1_METHOD_pop(st) SKM_sk_pop(EVP_PKEY_ASN1_METHOD, (st))
 #define sk_EVP_PKEY_ASN1_METHOD_sort(st) SKM_sk_sort(EVP_PKEY_ASN1_METHOD, (st))
@@ -857,7 +829,6 @@ DECLARE_SPECIAL_STACK_OF(BLOCK, void)
 #define sk_EVP_PKEY_METHOD_set_cmp_func(st, cmp) SKM_sk_set_cmp_func(EVP_PKEY_METHOD, (st), (cmp))
 #define sk_EVP_PKEY_METHOD_dup(st) SKM_sk_dup(EVP_PKEY_METHOD, st)
 #define sk_EVP_PKEY_METHOD_pop_free(st, free_func) SKM_sk_pop_free(EVP_PKEY_METHOD, (st), (free_func))
-#define sk_EVP_PKEY_METHOD_free(st) SKM_sk_free(EVP_PKEY_METHOD, (st))
 #define sk_EVP_PKEY_METHOD_shift(st) SKM_sk_shift(EVP_PKEY_METHOD, (st))
 #define sk_EVP_PKEY_METHOD_pop(st) SKM_sk_pop(EVP_PKEY_METHOD, (st))
 #define sk_EVP_PKEY_METHOD_sort(st) SKM_sk_sort(EVP_PKEY_METHOD, (st))
@@ -880,7 +851,6 @@ DECLARE_SPECIAL_STACK_OF(BLOCK, void)
 #define sk_GENERAL_NAME_set_cmp_func(st, cmp) SKM_sk_set_cmp_func(GENERAL_NAME, (st), (cmp))
 #define sk_GENERAL_NAME_dup(st) SKM_sk_dup(GENERAL_NAME, st)
 #define sk_GENERAL_NAME_pop_free(st, free_func) SKM_sk_pop_free(GENERAL_NAME, (st), (free_func))
-#define sk_GENERAL_NAME_free(st) SKM_sk_free(GENERAL_NAME, (st))
 #define sk_GENERAL_NAME_shift(st) SKM_sk_shift(GENERAL_NAME, (st))
 #define sk_GENERAL_NAME_pop(st) SKM_sk_pop(GENERAL_NAME, (st))
 #define sk_GENERAL_NAME_sort(st) SKM_sk_sort(GENERAL_NAME, (st))
@@ -903,7 +873,6 @@ DECLARE_SPECIAL_STACK_OF(BLOCK, void)
 #define sk_GENERAL_NAMES_set_cmp_func(st, cmp) SKM_sk_set_cmp_func(GENERAL_NAMES, (st), (cmp))
 #define sk_GENERAL_NAMES_dup(st) SKM_sk_dup(GENERAL_NAMES, st)
 #define sk_GENERAL_NAMES_pop_free(st, free_func) SKM_sk_pop_free(GENERAL_NAMES, (st), (free_func))
-#define sk_GENERAL_NAMES_free(st) SKM_sk_free(GENERAL_NAMES, (st))
 #define sk_GENERAL_NAMES_shift(st) SKM_sk_shift(GENERAL_NAMES, (st))
 #define sk_GENERAL_NAMES_pop(st) SKM_sk_pop(GENERAL_NAMES, (st))
 #define sk_GENERAL_NAMES_sort(st) SKM_sk_sort(GENERAL_NAMES, (st))
@@ -926,7 +895,6 @@ DECLARE_SPECIAL_STACK_OF(BLOCK, void)
 #define sk_GENERAL_SUBTREE_set_cmp_func(st, cmp) SKM_sk_set_cmp_func(GENERAL_SUBTREE, (st), (cmp))
 #define sk_GENERAL_SUBTREE_dup(st) SKM_sk_dup(GENERAL_SUBTREE, st)
 #define sk_GENERAL_SUBTREE_pop_free(st, free_func) SKM_sk_pop_free(GENERAL_SUBTREE, (st), (free_func))
-#define sk_GENERAL_SUBTREE_free(st) SKM_sk_free(GENERAL_SUBTREE, (st))
 #define sk_GENERAL_SUBTREE_shift(st) SKM_sk_shift(GENERAL_SUBTREE, (st))
 #define sk_GENERAL_SUBTREE_pop(st) SKM_sk_pop(GENERAL_SUBTREE, (st))
 #define sk_GENERAL_SUBTREE_sort(st) SKM_sk_sort(GENERAL_SUBTREE, (st))
@@ -949,7 +917,6 @@ DECLARE_SPECIAL_STACK_OF(BLOCK, void)
 #define sk_IPAddressFamily_set_cmp_func(st, cmp) SKM_sk_set_cmp_func(IPAddressFamily, (st), (cmp))
 #define sk_IPAddressFamily_dup(st) SKM_sk_dup(IPAddressFamily, st)
 #define sk_IPAddressFamily_pop_free(st, free_func) SKM_sk_pop_free(IPAddressFamily, (st), (free_func))
-#define sk_IPAddressFamily_free(st) SKM_sk_free(IPAddressFamily, (st))
 #define sk_IPAddressFamily_shift(st) SKM_sk_shift(IPAddressFamily, (st))
 #define sk_IPAddressFamily_pop(st) SKM_sk_pop(IPAddressFamily, (st))
 #define sk_IPAddressFamily_sort(st) SKM_sk_sort(IPAddressFamily, (st))
@@ -972,7 +939,6 @@ DECLARE_SPECIAL_STACK_OF(BLOCK, void)
 #define sk_IPAddressOrRange_set_cmp_func(st, cmp) SKM_sk_set_cmp_func(IPAddressOrRange, (st), (cmp))
 #define sk_IPAddressOrRange_dup(st) SKM_sk_dup(IPAddressOrRange, st)
 #define sk_IPAddressOrRange_pop_free(st, free_func) SKM_sk_pop_free(IPAddressOrRange, (st), (free_func))
-#define sk_IPAddressOrRange_free(st) SKM_sk_free(IPAddressOrRange, (st))
 #define sk_IPAddressOrRange_shift(st) SKM_sk_shift(IPAddressOrRange, (st))
 #define sk_IPAddressOrRange_pop(st) SKM_sk_pop(IPAddressOrRange, (st))
 #define sk_IPAddressOrRange_sort(st) SKM_sk_sort(IPAddressOrRange, (st))
@@ -995,7 +961,6 @@ DECLARE_SPECIAL_STACK_OF(BLOCK, void)
 #define sk_KRB5_APREQBODY_set_cmp_func(st, cmp) SKM_sk_set_cmp_func(KRB5_APREQBODY, (st), (cmp))
 #define sk_KRB5_APREQBODY_dup(st) SKM_sk_dup(KRB5_APREQBODY, st)
 #define sk_KRB5_APREQBODY_pop_free(st, free_func) SKM_sk_pop_free(KRB5_APREQBODY, (st), (free_func))
-#define sk_KRB5_APREQBODY_free(st) SKM_sk_free(KRB5_APREQBODY, (st))
 #define sk_KRB5_APREQBODY_shift(st) SKM_sk_shift(KRB5_APREQBODY, (st))
 #define sk_KRB5_APREQBODY_pop(st) SKM_sk_pop(KRB5_APREQBODY, (st))
 #define sk_KRB5_APREQBODY_sort(st) SKM_sk_sort(KRB5_APREQBODY, (st))
@@ -1018,7 +983,6 @@ DECLARE_SPECIAL_STACK_OF(BLOCK, void)
 #define sk_KRB5_AUTHDATA_set_cmp_func(st, cmp) SKM_sk_set_cmp_func(KRB5_AUTHDATA, (st), (cmp))
 #define sk_KRB5_AUTHDATA_dup(st) SKM_sk_dup(KRB5_AUTHDATA, st)
 #define sk_KRB5_AUTHDATA_pop_free(st, free_func) SKM_sk_pop_free(KRB5_AUTHDATA, (st), (free_func))
-#define sk_KRB5_AUTHDATA_free(st) SKM_sk_free(KRB5_AUTHDATA, (st))
 #define sk_KRB5_AUTHDATA_shift(st) SKM_sk_shift(KRB5_AUTHDATA, (st))
 #define sk_KRB5_AUTHDATA_pop(st) SKM_sk_pop(KRB5_AUTHDATA, (st))
 #define sk_KRB5_AUTHDATA_sort(st) SKM_sk_sort(KRB5_AUTHDATA, (st))
@@ -1041,7 +1005,6 @@ DECLARE_SPECIAL_STACK_OF(BLOCK, void)
 #define sk_KRB5_AUTHENTBODY_set_cmp_func(st, cmp) SKM_sk_set_cmp_func(KRB5_AUTHENTBODY, (st), (cmp))
 #define sk_KRB5_AUTHENTBODY_dup(st) SKM_sk_dup(KRB5_AUTHENTBODY, st)
 #define sk_KRB5_AUTHENTBODY_pop_free(st, free_func) SKM_sk_pop_free(KRB5_AUTHENTBODY, (st), (free_func))
-#define sk_KRB5_AUTHENTBODY_free(st) SKM_sk_free(KRB5_AUTHENTBODY, (st))
 #define sk_KRB5_AUTHENTBODY_shift(st) SKM_sk_shift(KRB5_AUTHENTBODY, (st))
 #define sk_KRB5_AUTHENTBODY_pop(st) SKM_sk_pop(KRB5_AUTHENTBODY, (st))
 #define sk_KRB5_AUTHENTBODY_sort(st) SKM_sk_sort(KRB5_AUTHENTBODY, (st))
@@ -1064,7 +1027,6 @@ DECLARE_SPECIAL_STACK_OF(BLOCK, void)
 #define sk_KRB5_CHECKSUM_set_cmp_func(st, cmp) SKM_sk_set_cmp_func(KRB5_CHECKSUM, (st), (cmp))
 #define sk_KRB5_CHECKSUM_dup(st) SKM_sk_dup(KRB5_CHECKSUM, st)
 #define sk_KRB5_CHECKSUM_pop_free(st, free_func) SKM_sk_pop_free(KRB5_CHECKSUM, (st), (free_func))
-#define sk_KRB5_CHECKSUM_free(st) SKM_sk_free(KRB5_CHECKSUM, (st))
 #define sk_KRB5_CHECKSUM_shift(st) SKM_sk_shift(KRB5_CHECKSUM, (st))
 #define sk_KRB5_CHECKSUM_pop(st) SKM_sk_pop(KRB5_CHECKSUM, (st))
 #define sk_KRB5_CHECKSUM_sort(st) SKM_sk_sort(KRB5_CHECKSUM, (st))
@@ -1087,7 +1049,6 @@ DECLARE_SPECIAL_STACK_OF(BLOCK, void)
 #define sk_KRB5_ENCDATA_set_cmp_func(st, cmp) SKM_sk_set_cmp_func(KRB5_ENCDATA, (st), (cmp))
 #define sk_KRB5_ENCDATA_dup(st) SKM_sk_dup(KRB5_ENCDATA, st)
 #define sk_KRB5_ENCDATA_pop_free(st, free_func) SKM_sk_pop_free(KRB5_ENCDATA, (st), (free_func))
-#define sk_KRB5_ENCDATA_free(st) SKM_sk_free(KRB5_ENCDATA, (st))
 #define sk_KRB5_ENCDATA_shift(st) SKM_sk_shift(KRB5_ENCDATA, (st))
 #define sk_KRB5_ENCDATA_pop(st) SKM_sk_pop(KRB5_ENCDATA, (st))
 #define sk_KRB5_ENCDATA_sort(st) SKM_sk_sort(KRB5_ENCDATA, (st))
@@ -1110,7 +1071,6 @@ DECLARE_SPECIAL_STACK_OF(BLOCK, void)
 #define sk_KRB5_ENCKEY_set_cmp_func(st, cmp) SKM_sk_set_cmp_func(KRB5_ENCKEY, (st), (cmp))
 #define sk_KRB5_ENCKEY_dup(st) SKM_sk_dup(KRB5_ENCKEY, st)
 #define sk_KRB5_ENCKEY_pop_free(st, free_func) SKM_sk_pop_free(KRB5_ENCKEY, (st), (free_func))
-#define sk_KRB5_ENCKEY_free(st) SKM_sk_free(KRB5_ENCKEY, (st))
 #define sk_KRB5_ENCKEY_shift(st) SKM_sk_shift(KRB5_ENCKEY, (st))
 #define sk_KRB5_ENCKEY_pop(st) SKM_sk_pop(KRB5_ENCKEY, (st))
 #define sk_KRB5_ENCKEY_sort(st) SKM_sk_sort(KRB5_ENCKEY, (st))
@@ -1133,7 +1093,6 @@ DECLARE_SPECIAL_STACK_OF(BLOCK, void)
 #define sk_KRB5_PRINCNAME_set_cmp_func(st, cmp) SKM_sk_set_cmp_func(KRB5_PRINCNAME, (st), (cmp))
 #define sk_KRB5_PRINCNAME_dup(st) SKM_sk_dup(KRB5_PRINCNAME, st)
 #define sk_KRB5_PRINCNAME_pop_free(st, free_func) SKM_sk_pop_free(KRB5_PRINCNAME, (st), (free_func))
-#define sk_KRB5_PRINCNAME_free(st) SKM_sk_free(KRB5_PRINCNAME, (st))
 #define sk_KRB5_PRINCNAME_shift(st) SKM_sk_shift(KRB5_PRINCNAME, (st))
 #define sk_KRB5_PRINCNAME_pop(st) SKM_sk_pop(KRB5_PRINCNAME, (st))
 #define sk_KRB5_PRINCNAME_sort(st) SKM_sk_sort(KRB5_PRINCNAME, (st))
@@ -1156,7 +1115,6 @@ DECLARE_SPECIAL_STACK_OF(BLOCK, void)
 #define sk_KRB5_TKTBODY_set_cmp_func(st, cmp) SKM_sk_set_cmp_func(KRB5_TKTBODY, (st), (cmp))
 #define sk_KRB5_TKTBODY_dup(st) SKM_sk_dup(KRB5_TKTBODY, st)
 #define sk_KRB5_TKTBODY_pop_free(st, free_func) SKM_sk_pop_free(KRB5_TKTBODY, (st), (free_func))
-#define sk_KRB5_TKTBODY_free(st) SKM_sk_free(KRB5_TKTBODY, (st))
 #define sk_KRB5_TKTBODY_shift(st) SKM_sk_shift(KRB5_TKTBODY, (st))
 #define sk_KRB5_TKTBODY_pop(st) SKM_sk_pop(KRB5_TKTBODY, (st))
 #define sk_KRB5_TKTBODY_sort(st) SKM_sk_sort(KRB5_TKTBODY, (st))
@@ -1179,7 +1137,6 @@ DECLARE_SPECIAL_STACK_OF(BLOCK, void)
 #define sk_MEM_OBJECT_DATA_set_cmp_func(st, cmp) SKM_sk_set_cmp_func(MEM_OBJECT_DATA, (st), (cmp))
 #define sk_MEM_OBJECT_DATA_dup(st) SKM_sk_dup(MEM_OBJECT_DATA, st)
 #define sk_MEM_OBJECT_DATA_pop_free(st, free_func) SKM_sk_pop_free(MEM_OBJECT_DATA, (st), (free_func))
-#define sk_MEM_OBJECT_DATA_free(st) SKM_sk_free(MEM_OBJECT_DATA, (st))
 #define sk_MEM_OBJECT_DATA_shift(st) SKM_sk_shift(MEM_OBJECT_DATA, (st))
 #define sk_MEM_OBJECT_DATA_pop(st) SKM_sk_pop(MEM_OBJECT_DATA, (st))
 #define sk_MEM_OBJECT_DATA_sort(st) SKM_sk_sort(MEM_OBJECT_DATA, (st))
@@ -1202,7 +1159,6 @@ DECLARE_SPECIAL_STACK_OF(BLOCK, void)
 #define sk_MIME_HEADER_set_cmp_func(st, cmp) SKM_sk_set_cmp_func(MIME_HEADER, (st), (cmp))
 #define sk_MIME_HEADER_dup(st) SKM_sk_dup(MIME_HEADER, st)
 #define sk_MIME_HEADER_pop_free(st, free_func) SKM_sk_pop_free(MIME_HEADER, (st), (free_func))
-#define sk_MIME_HEADER_free(st) SKM_sk_free(MIME_HEADER, (st))
 #define sk_MIME_HEADER_shift(st) SKM_sk_shift(MIME_HEADER, (st))
 #define sk_MIME_HEADER_pop(st) SKM_sk_pop(MIME_HEADER, (st))
 #define sk_MIME_HEADER_sort(st) SKM_sk_sort(MIME_HEADER, (st))
@@ -1225,7 +1181,6 @@ DECLARE_SPECIAL_STACK_OF(BLOCK, void)
 #define sk_MIME_PARAM_set_cmp_func(st, cmp) SKM_sk_set_cmp_func(MIME_PARAM, (st), (cmp))
 #define sk_MIME_PARAM_dup(st) SKM_sk_dup(MIME_PARAM, st)
 #define sk_MIME_PARAM_pop_free(st, free_func) SKM_sk_pop_free(MIME_PARAM, (st), (free_func))
-#define sk_MIME_PARAM_free(st) SKM_sk_free(MIME_PARAM, (st))
 #define sk_MIME_PARAM_shift(st) SKM_sk_shift(MIME_PARAM, (st))
 #define sk_MIME_PARAM_pop(st) SKM_sk_pop(MIME_PARAM, (st))
 #define sk_MIME_PARAM_sort(st) SKM_sk_sort(MIME_PARAM, (st))
@@ -1248,7 +1203,6 @@ DECLARE_SPECIAL_STACK_OF(BLOCK, void)
 #define sk_NAME_FUNCS_set_cmp_func(st, cmp) SKM_sk_set_cmp_func(NAME_FUNCS, (st), (cmp))
 #define sk_NAME_FUNCS_dup(st) SKM_sk_dup(NAME_FUNCS, st)
 #define sk_NAME_FUNCS_pop_free(st, free_func) SKM_sk_pop_free(NAME_FUNCS, (st), (free_func))
-#define sk_NAME_FUNCS_free(st) SKM_sk_free(NAME_FUNCS, (st))
 #define sk_NAME_FUNCS_shift(st) SKM_sk_shift(NAME_FUNCS, (st))
 #define sk_NAME_FUNCS_pop(st) SKM_sk_pop(NAME_FUNCS, (st))
 #define sk_NAME_FUNCS_sort(st) SKM_sk_sort(NAME_FUNCS, (st))
@@ -1271,7 +1225,6 @@ DECLARE_SPECIAL_STACK_OF(BLOCK, void)
 #define sk_OCSP_CERTID_set_cmp_func(st, cmp) SKM_sk_set_cmp_func(OCSP_CERTID, (st), (cmp))
 #define sk_OCSP_CERTID_dup(st) SKM_sk_dup(OCSP_CERTID, st)
 #define sk_OCSP_CERTID_pop_free(st, free_func) SKM_sk_pop_free(OCSP_CERTID, (st), (free_func))
-#define sk_OCSP_CERTID_free(st) SKM_sk_free(OCSP_CERTID, (st))
 #define sk_OCSP_CERTID_shift(st) SKM_sk_shift(OCSP_CERTID, (st))
 #define sk_OCSP_CERTID_pop(st) SKM_sk_pop(OCSP_CERTID, (st))
 #define sk_OCSP_CERTID_sort(st) SKM_sk_sort(OCSP_CERTID, (st))
@@ -1294,7 +1247,6 @@ DECLARE_SPECIAL_STACK_OF(BLOCK, void)
 #define sk_OCSP_ONEREQ_set_cmp_func(st, cmp) SKM_sk_set_cmp_func(OCSP_ONEREQ, (st), (cmp))
 #define sk_OCSP_ONEREQ_dup(st) SKM_sk_dup(OCSP_ONEREQ, st)
 #define sk_OCSP_ONEREQ_pop_free(st, free_func) SKM_sk_pop_free(OCSP_ONEREQ, (st), (free_func))
-#define sk_OCSP_ONEREQ_free(st) SKM_sk_free(OCSP_ONEREQ, (st))
 #define sk_OCSP_ONEREQ_shift(st) SKM_sk_shift(OCSP_ONEREQ, (st))
 #define sk_OCSP_ONEREQ_pop(st) SKM_sk_pop(OCSP_ONEREQ, (st))
 #define sk_OCSP_ONEREQ_sort(st) SKM_sk_sort(OCSP_ONEREQ, (st))
@@ -1317,7 +1269,6 @@ DECLARE_SPECIAL_STACK_OF(BLOCK, void)
 #define sk_OCSP_RESPID_set_cmp_func(st, cmp) SKM_sk_set_cmp_func(OCSP_RESPID, (st), (cmp))
 #define sk_OCSP_RESPID_dup(st) SKM_sk_dup(OCSP_RESPID, st)
 #define sk_OCSP_RESPID_pop_free(st, free_func) SKM_sk_pop_free(OCSP_RESPID, (st), (free_func))
-#define sk_OCSP_RESPID_free(st) SKM_sk_free(OCSP_RESPID, (st))
 #define sk_OCSP_RESPID_shift(st) SKM_sk_shift(OCSP_RESPID, (st))
 #define sk_OCSP_RESPID_pop(st) SKM_sk_pop(OCSP_RESPID, (st))
 #define sk_OCSP_RESPID_sort(st) SKM_sk_sort(OCSP_RESPID, (st))
@@ -1340,7 +1291,6 @@ DECLARE_SPECIAL_STACK_OF(BLOCK, void)
 #define sk_OCSP_SINGLERESP_set_cmp_func(st, cmp) SKM_sk_set_cmp_func(OCSP_SINGLERESP, (st), (cmp))
 #define sk_OCSP_SINGLERESP_dup(st) SKM_sk_dup(OCSP_SINGLERESP, st)
 #define sk_OCSP_SINGLERESP_pop_free(st, free_func) SKM_sk_pop_free(OCSP_SINGLERESP, (st), (free_func))
-#define sk_OCSP_SINGLERESP_free(st) SKM_sk_free(OCSP_SINGLERESP, (st))
 #define sk_OCSP_SINGLERESP_shift(st) SKM_sk_shift(OCSP_SINGLERESP, (st))
 #define sk_OCSP_SINGLERESP_pop(st) SKM_sk_pop(OCSP_SINGLERESP, (st))
 #define sk_OCSP_SINGLERESP_sort(st) SKM_sk_sort(OCSP_SINGLERESP, (st))
@@ -1363,7 +1313,6 @@ DECLARE_SPECIAL_STACK_OF(BLOCK, void)
 #define sk_PKCS12_SAFEBAG_set_cmp_func(st, cmp) SKM_sk_set_cmp_func(PKCS12_SAFEBAG, (st), (cmp))
 #define sk_PKCS12_SAFEBAG_dup(st) SKM_sk_dup(PKCS12_SAFEBAG, st)
 #define sk_PKCS12_SAFEBAG_pop_free(st, free_func) SKM_sk_pop_free(PKCS12_SAFEBAG, (st), (free_func))
-#define sk_PKCS12_SAFEBAG_free(st) SKM_sk_free(PKCS12_SAFEBAG, (st))
 #define sk_PKCS12_SAFEBAG_shift(st) SKM_sk_shift(PKCS12_SAFEBAG, (st))
 #define sk_PKCS12_SAFEBAG_pop(st) SKM_sk_pop(PKCS12_SAFEBAG, (st))
 #define sk_PKCS12_SAFEBAG_sort(st) SKM_sk_sort(PKCS12_SAFEBAG, (st))
@@ -1386,7 +1335,6 @@ DECLARE_SPECIAL_STACK_OF(BLOCK, void)
 #define sk_PKCS7_set_cmp_func(st, cmp) SKM_sk_set_cmp_func(PKCS7, (st), (cmp))
 #define sk_PKCS7_dup(st) SKM_sk_dup(PKCS7, st)
 #define sk_PKCS7_pop_free(st, free_func) SKM_sk_pop_free(PKCS7, (st), (free_func))
-#define sk_PKCS7_free(st) SKM_sk_free(PKCS7, (st))
 #define sk_PKCS7_shift(st) SKM_sk_shift(PKCS7, (st))
 #define sk_PKCS7_pop(st) SKM_sk_pop(PKCS7, (st))
 #define sk_PKCS7_sort(st) SKM_sk_sort(PKCS7, (st))
@@ -1409,7 +1357,6 @@ DECLARE_SPECIAL_STACK_OF(BLOCK, void)
 #define sk_PKCS7_RECIP_INFO_set_cmp_func(st, cmp) SKM_sk_set_cmp_func(PKCS7_RECIP_INFO, (st), (cmp))
 #define sk_PKCS7_RECIP_INFO_dup(st) SKM_sk_dup(PKCS7_RECIP_INFO, st)
 #define sk_PKCS7_RECIP_INFO_pop_free(st, free_func) SKM_sk_pop_free(PKCS7_RECIP_INFO, (st), (free_func))
-#define sk_PKCS7_RECIP_INFO_free(st) SKM_sk_free(PKCS7_RECIP_INFO, (st))
 #define sk_PKCS7_RECIP_INFO_shift(st) SKM_sk_shift(PKCS7_RECIP_INFO, (st))
 #define sk_PKCS7_RECIP_INFO_pop(st) SKM_sk_pop(PKCS7_RECIP_INFO, (st))
 #define sk_PKCS7_RECIP_INFO_sort(st) SKM_sk_sort(PKCS7_RECIP_INFO, (st))
@@ -1432,7 +1379,6 @@ DECLARE_SPECIAL_STACK_OF(BLOCK, void)
 #define sk_PKCS7_SIGNER_INFO_set_cmp_func(st, cmp) SKM_sk_set_cmp_func(PKCS7_SIGNER_INFO, (st), (cmp))
 #define sk_PKCS7_SIGNER_INFO_dup(st) SKM_sk_dup(PKCS7_SIGNER_INFO, st)
 #define sk_PKCS7_SIGNER_INFO_pop_free(st, free_func) SKM_sk_pop_free(PKCS7_SIGNER_INFO, (st), (free_func))
-#define sk_PKCS7_SIGNER_INFO_free(st) SKM_sk_free(PKCS7_SIGNER_INFO, (st))
 #define sk_PKCS7_SIGNER_INFO_shift(st) SKM_sk_shift(PKCS7_SIGNER_INFO, (st))
 #define sk_PKCS7_SIGNER_INFO_pop(st) SKM_sk_pop(PKCS7_SIGNER_INFO, (st))
 #define sk_PKCS7_SIGNER_INFO_sort(st) SKM_sk_sort(PKCS7_SIGNER_INFO, (st))
@@ -1455,7 +1401,6 @@ DECLARE_SPECIAL_STACK_OF(BLOCK, void)
 #define sk_POLICYINFO_set_cmp_func(st, cmp) SKM_sk_set_cmp_func(POLICYINFO, (st), (cmp))
 #define sk_POLICYINFO_dup(st) SKM_sk_dup(POLICYINFO, st)
 #define sk_POLICYINFO_pop_free(st, free_func) SKM_sk_pop_free(POLICYINFO, (st), (free_func))
-#define sk_POLICYINFO_free(st) SKM_sk_free(POLICYINFO, (st))
 #define sk_POLICYINFO_shift(st) SKM_sk_shift(POLICYINFO, (st))
 #define sk_POLICYINFO_pop(st) SKM_sk_pop(POLICYINFO, (st))
 #define sk_POLICYINFO_sort(st) SKM_sk_sort(POLICYINFO, (st))
@@ -1478,7 +1423,6 @@ DECLARE_SPECIAL_STACK_OF(BLOCK, void)
 #define sk_POLICYQUALINFO_set_cmp_func(st, cmp) SKM_sk_set_cmp_func(POLICYQUALINFO, (st), (cmp))
 #define sk_POLICYQUALINFO_dup(st) SKM_sk_dup(POLICYQUALINFO, st)
 #define sk_POLICYQUALINFO_pop_free(st, free_func) SKM_sk_pop_free(POLICYQUALINFO, (st), (free_func))
-#define sk_POLICYQUALINFO_free(st) SKM_sk_free(POLICYQUALINFO, (st))
 #define sk_POLICYQUALINFO_shift(st) SKM_sk_shift(POLICYQUALINFO, (st))
 #define sk_POLICYQUALINFO_pop(st) SKM_sk_pop(POLICYQUALINFO, (st))
 #define sk_POLICYQUALINFO_sort(st) SKM_sk_sort(POLICYQUALINFO, (st))
@@ -1501,7 +1445,6 @@ DECLARE_SPECIAL_STACK_OF(BLOCK, void)
 #define sk_POLICY_MAPPING_set_cmp_func(st, cmp) SKM_sk_set_cmp_func(POLICY_MAPPING, (st), (cmp))
 #define sk_POLICY_MAPPING_dup(st) SKM_sk_dup(POLICY_MAPPING, st)
 #define sk_POLICY_MAPPING_pop_free(st, free_func) SKM_sk_pop_free(POLICY_MAPPING, (st), (free_func))
-#define sk_POLICY_MAPPING_free(st) SKM_sk_free(POLICY_MAPPING, (st))
 #define sk_POLICY_MAPPING_shift(st) SKM_sk_shift(POLICY_MAPPING, (st))
 #define sk_POLICY_MAPPING_pop(st) SKM_sk_pop(POLICY_MAPPING, (st))
 #define sk_POLICY_MAPPING_sort(st) SKM_sk_sort(POLICY_MAPPING, (st))
@@ -1524,7 +1467,6 @@ DECLARE_SPECIAL_STACK_OF(BLOCK, void)
 #define sk_SSL_CIPHER_set_cmp_func(st, cmp) SKM_sk_set_cmp_func(SSL_CIPHER, (st), (cmp))
 #define sk_SSL_CIPHER_dup(st) SKM_sk_dup(SSL_CIPHER, st)
 #define sk_SSL_CIPHER_pop_free(st, free_func) SKM_sk_pop_free(SSL_CIPHER, (st), (free_func))
-#define sk_SSL_CIPHER_free(st) SKM_sk_free(SSL_CIPHER, (st))
 #define sk_SSL_CIPHER_shift(st) SKM_sk_shift(SSL_CIPHER, (st))
 #define sk_SSL_CIPHER_pop(st) SKM_sk_pop(SSL_CIPHER, (st))
 #define sk_SSL_CIPHER_sort(st) SKM_sk_sort(SSL_CIPHER, (st))
@@ -1547,7 +1489,6 @@ DECLARE_SPECIAL_STACK_OF(BLOCK, void)
 #define sk_SSL_COMP_set_cmp_func(st, cmp) SKM_sk_set_cmp_func(SSL_COMP, (st), (cmp))
 #define sk_SSL_COMP_dup(st) SKM_sk_dup(SSL_COMP, st)
 #define sk_SSL_COMP_pop_free(st, free_func) SKM_sk_pop_free(SSL_COMP, (st), (free_func))
-#define sk_SSL_COMP_free(st) SKM_sk_free(SSL_COMP, (st))
 #define sk_SSL_COMP_shift(st) SKM_sk_shift(SSL_COMP, (st))
 #define sk_SSL_COMP_pop(st) SKM_sk_pop(SSL_COMP, (st))
 #define sk_SSL_COMP_sort(st) SKM_sk_sort(SSL_COMP, (st))
@@ -1570,7 +1511,6 @@ DECLARE_SPECIAL_STACK_OF(BLOCK, void)
 #define sk_STACK_OF_X509_NAME_ENTRY_set_cmp_func(st, cmp) SKM_sk_set_cmp_func(STACK_OF_X509_NAME_ENTRY, (st), (cmp))
 #define sk_STACK_OF_X509_NAME_ENTRY_dup(st) SKM_sk_dup(STACK_OF_X509_NAME_ENTRY, st)
 #define sk_STACK_OF_X509_NAME_ENTRY_pop_free(st, free_func) SKM_sk_pop_free(STACK_OF_X509_NAME_ENTRY, (st), (free_func))
-#define sk_STACK_OF_X509_NAME_ENTRY_free(st) SKM_sk_free(STACK_OF_X509_NAME_ENTRY, (st))
 #define sk_STACK_OF_X509_NAME_ENTRY_shift(st) SKM_sk_shift(STACK_OF_X509_NAME_ENTRY, (st))
 #define sk_STACK_OF_X509_NAME_ENTRY_pop(st) SKM_sk_pop(STACK_OF_X509_NAME_ENTRY, (st))
 #define sk_STACK_OF_X509_NAME_ENTRY_sort(st) SKM_sk_sort(STACK_OF_X509_NAME_ENTRY, (st))
@@ -1593,7 +1533,6 @@ DECLARE_SPECIAL_STACK_OF(BLOCK, void)
 #define sk_STORE_ATTR_INFO_set_cmp_func(st, cmp) SKM_sk_set_cmp_func(STORE_ATTR_INFO, (st), (cmp))
 #define sk_STORE_ATTR_INFO_dup(st) SKM_sk_dup(STORE_ATTR_INFO, st)
 #define sk_STORE_ATTR_INFO_pop_free(st, free_func) SKM_sk_pop_free(STORE_ATTR_INFO, (st), (free_func))
-#define sk_STORE_ATTR_INFO_free(st) SKM_sk_free(STORE_ATTR_INFO, (st))
 #define sk_STORE_ATTR_INFO_shift(st) SKM_sk_shift(STORE_ATTR_INFO, (st))
 #define sk_STORE_ATTR_INFO_pop(st) SKM_sk_pop(STORE_ATTR_INFO, (st))
 #define sk_STORE_ATTR_INFO_sort(st) SKM_sk_sort(STORE_ATTR_INFO, (st))
@@ -1616,7 +1555,6 @@ DECLARE_SPECIAL_STACK_OF(BLOCK, void)
 #define sk_STORE_OBJECT_set_cmp_func(st, cmp) SKM_sk_set_cmp_func(STORE_OBJECT, (st), (cmp))
 #define sk_STORE_OBJECT_dup(st) SKM_sk_dup(STORE_OBJECT, st)
 #define sk_STORE_OBJECT_pop_free(st, free_func) SKM_sk_pop_free(STORE_OBJECT, (st), (free_func))
-#define sk_STORE_OBJECT_free(st) SKM_sk_free(STORE_OBJECT, (st))
 #define sk_STORE_OBJECT_shift(st) SKM_sk_shift(STORE_OBJECT, (st))
 #define sk_STORE_OBJECT_pop(st) SKM_sk_pop(STORE_OBJECT, (st))
 #define sk_STORE_OBJECT_sort(st) SKM_sk_sort(STORE_OBJECT, (st))
@@ -1639,7 +1577,6 @@ DECLARE_SPECIAL_STACK_OF(BLOCK, void)
 #define sk_SXNETID_set_cmp_func(st, cmp) SKM_sk_set_cmp_func(SXNETID, (st), (cmp))
 #define sk_SXNETID_dup(st) SKM_sk_dup(SXNETID, st)
 #define sk_SXNETID_pop_free(st, free_func) SKM_sk_pop_free(SXNETID, (st), (free_func))
-#define sk_SXNETID_free(st) SKM_sk_free(SXNETID, (st))
 #define sk_SXNETID_shift(st) SKM_sk_shift(SXNETID, (st))
 #define sk_SXNETID_pop(st) SKM_sk_pop(SXNETID, (st))
 #define sk_SXNETID_sort(st) SKM_sk_sort(SXNETID, (st))
@@ -1662,7 +1599,6 @@ DECLARE_SPECIAL_STACK_OF(BLOCK, void)
 #define sk_UI_STRING_set_cmp_func(st, cmp) SKM_sk_set_cmp_func(UI_STRING, (st), (cmp))
 #define sk_UI_STRING_dup(st) SKM_sk_dup(UI_STRING, st)
 #define sk_UI_STRING_pop_free(st, free_func) SKM_sk_pop_free(UI_STRING, (st), (free_func))
-#define sk_UI_STRING_free(st) SKM_sk_free(UI_STRING, (st))
 #define sk_UI_STRING_shift(st) SKM_sk_shift(UI_STRING, (st))
 #define sk_UI_STRING_pop(st) SKM_sk_pop(UI_STRING, (st))
 #define sk_UI_STRING_sort(st) SKM_sk_sort(UI_STRING, (st))
@@ -1685,7 +1621,6 @@ DECLARE_SPECIAL_STACK_OF(BLOCK, void)
 #define sk_X509_set_cmp_func(st, cmp) SKM_sk_set_cmp_func(X509, (st), (cmp))
 #define sk_X509_dup(st) SKM_sk_dup(X509, st)
 #define sk_X509_pop_free(st, free_func) SKM_sk_pop_free(X509, (st), (free_func))
-#define sk_X509_free(st) SKM_sk_free(X509, (st))
 #define sk_X509_shift(st) SKM_sk_shift(X509, (st))
 #define sk_X509_pop(st) SKM_sk_pop(X509, (st))
 #define sk_X509_sort(st) SKM_sk_sort(X509, (st))
@@ -1708,7 +1643,6 @@ DECLARE_SPECIAL_STACK_OF(BLOCK, void)
 #define sk_X509V3_EXT_METHOD_set_cmp_func(st, cmp) SKM_sk_set_cmp_func(X509V3_EXT_METHOD, (st), (cmp))
 #define sk_X509V3_EXT_METHOD_dup(st) SKM_sk_dup(X509V3_EXT_METHOD, st)
 #define sk_X509V3_EXT_METHOD_pop_free(st, free_func) SKM_sk_pop_free(X509V3_EXT_METHOD, (st), (free_func))
-#define sk_X509V3_EXT_METHOD_free(st) SKM_sk_free(X509V3_EXT_METHOD, (st))
 #define sk_X509V3_EXT_METHOD_shift(st) SKM_sk_shift(X509V3_EXT_METHOD, (st))
 #define sk_X509V3_EXT_METHOD_pop(st) SKM_sk_pop(X509V3_EXT_METHOD, (st))
 #define sk_X509V3_EXT_METHOD_sort(st) SKM_sk_sort(X509V3_EXT_METHOD, (st))
@@ -1731,7 +1665,6 @@ DECLARE_SPECIAL_STACK_OF(BLOCK, void)
 #define sk_X509_ALGOR_set_cmp_func(st, cmp) SKM_sk_set_cmp_func(X509_ALGOR, (st), (cmp))
 #define sk_X509_ALGOR_dup(st) SKM_sk_dup(X509_ALGOR, st)
 #define sk_X509_ALGOR_pop_free(st, free_func) SKM_sk_pop_free(X509_ALGOR, (st), (free_func))
-#define sk_X509_ALGOR_free(st) SKM_sk_free(X509_ALGOR, (st))
 #define sk_X509_ALGOR_shift(st) SKM_sk_shift(X509_ALGOR, (st))
 #define sk_X509_ALGOR_pop(st) SKM_sk_pop(X509_ALGOR, (st))
 #define sk_X509_ALGOR_sort(st) SKM_sk_sort(X509_ALGOR, (st))
@@ -1754,7 +1687,6 @@ DECLARE_SPECIAL_STACK_OF(BLOCK, void)
 #define sk_X509_ATTRIBUTE_set_cmp_func(st, cmp) SKM_sk_set_cmp_func(X509_ATTRIBUTE, (st), (cmp))
 #define sk_X509_ATTRIBUTE_dup(st) SKM_sk_dup(X509_ATTRIBUTE, st)
 #define sk_X509_ATTRIBUTE_pop_free(st, free_func) SKM_sk_pop_free(X509_ATTRIBUTE, (st), (free_func))
-#define sk_X509_ATTRIBUTE_free(st) SKM_sk_free(X509_ATTRIBUTE, (st))
 #define sk_X509_ATTRIBUTE_shift(st) SKM_sk_shift(X509_ATTRIBUTE, (st))
 #define sk_X509_ATTRIBUTE_pop(st) SKM_sk_pop(X509_ATTRIBUTE, (st))
 #define sk_X509_ATTRIBUTE_sort(st) SKM_sk_sort(X509_ATTRIBUTE, (st))
@@ -1777,7 +1709,6 @@ DECLARE_SPECIAL_STACK_OF(BLOCK, void)
 #define sk_X509_CRL_set_cmp_func(st, cmp) SKM_sk_set_cmp_func(X509_CRL, (st), (cmp))
 #define sk_X509_CRL_dup(st) SKM_sk_dup(X509_CRL, st)
 #define sk_X509_CRL_pop_free(st, free_func) SKM_sk_pop_free(X509_CRL, (st), (free_func))
-#define sk_X509_CRL_free(st) SKM_sk_free(X509_CRL, (st))
 #define sk_X509_CRL_shift(st) SKM_sk_shift(X509_CRL, (st))
 #define sk_X509_CRL_pop(st) SKM_sk_pop(X509_CRL, (st))
 #define sk_X509_CRL_sort(st) SKM_sk_sort(X509_CRL, (st))
@@ -1800,7 +1731,6 @@ DECLARE_SPECIAL_STACK_OF(BLOCK, void)
 #define sk_X509_EXTENSION_set_cmp_func(st, cmp) SKM_sk_set_cmp_func(X509_EXTENSION, (st), (cmp))
 #define sk_X509_EXTENSION_dup(st) SKM_sk_dup(X509_EXTENSION, st)
 #define sk_X509_EXTENSION_pop_free(st, free_func) SKM_sk_pop_free(X509_EXTENSION, (st), (free_func))
-#define sk_X509_EXTENSION_free(st) SKM_sk_free(X509_EXTENSION, (st))
 #define sk_X509_EXTENSION_shift(st) SKM_sk_shift(X509_EXTENSION, (st))
 #define sk_X509_EXTENSION_pop(st) SKM_sk_pop(X509_EXTENSION, (st))
 #define sk_X509_EXTENSION_sort(st) SKM_sk_sort(X509_EXTENSION, (st))
@@ -1823,7 +1753,6 @@ DECLARE_SPECIAL_STACK_OF(BLOCK, void)
 #define sk_X509_INFO_set_cmp_func(st, cmp) SKM_sk_set_cmp_func(X509_INFO, (st), (cmp))
 #define sk_X509_INFO_dup(st) SKM_sk_dup(X509_INFO, st)
 #define sk_X509_INFO_pop_free(st, free_func) SKM_sk_pop_free(X509_INFO, (st), (free_func))
-#define sk_X509_INFO_free(st) SKM_sk_free(X509_INFO, (st))
 #define sk_X509_INFO_shift(st) SKM_sk_shift(X509_INFO, (st))
 #define sk_X509_INFO_pop(st) SKM_sk_pop(X509_INFO, (st))
 #define sk_X509_INFO_sort(st) SKM_sk_sort(X509_INFO, (st))
@@ -1846,7 +1775,6 @@ DECLARE_SPECIAL_STACK_OF(BLOCK, void)
 #define sk_X509_LOOKUP_set_cmp_func(st, cmp) SKM_sk_set_cmp_func(X509_LOOKUP, (st), (cmp))
 #define sk_X509_LOOKUP_dup(st) SKM_sk_dup(X509_LOOKUP, st)
 #define sk_X509_LOOKUP_pop_free(st, free_func) SKM_sk_pop_free(X509_LOOKUP, (st), (free_func))
-#define sk_X509_LOOKUP_free(st) SKM_sk_free(X509_LOOKUP, (st))
 #define sk_X509_LOOKUP_shift(st) SKM_sk_shift(X509_LOOKUP, (st))
 #define sk_X509_LOOKUP_pop(st) SKM_sk_pop(X509_LOOKUP, (st))
 #define sk_X509_LOOKUP_sort(st) SKM_sk_sort(X509_LOOKUP, (st))
@@ -1869,7 +1797,6 @@ DECLARE_SPECIAL_STACK_OF(BLOCK, void)
 #define sk_X509_NAME_set_cmp_func(st, cmp) SKM_sk_set_cmp_func(X509_NAME, (st), (cmp))
 #define sk_X509_NAME_dup(st) SKM_sk_dup(X509_NAME, st)
 #define sk_X509_NAME_pop_free(st, free_func) SKM_sk_pop_free(X509_NAME, (st), (free_func))
-#define sk_X509_NAME_free(st) SKM_sk_free(X509_NAME, (st))
 #define sk_X509_NAME_shift(st) SKM_sk_shift(X509_NAME, (st))
 #define sk_X509_NAME_pop(st) SKM_sk_pop(X509_NAME, (st))
 #define sk_X509_NAME_sort(st) SKM_sk_sort(X509_NAME, (st))
@@ -1892,7 +1819,6 @@ DECLARE_SPECIAL_STACK_OF(BLOCK, void)
 #define sk_X509_NAME_ENTRY_set_cmp_func(st, cmp) SKM_sk_set_cmp_func(X509_NAME_ENTRY, (st), (cmp))
 #define sk_X509_NAME_ENTRY_dup(st) SKM_sk_dup(X509_NAME_ENTRY, st)
 #define sk_X509_NAME_ENTRY_pop_free(st, free_func) SKM_sk_pop_free(X509_NAME_ENTRY, (st), (free_func))
-#define sk_X509_NAME_ENTRY_free(st) SKM_sk_free(X509_NAME_ENTRY, (st))
 #define sk_X509_NAME_ENTRY_shift(st) SKM_sk_shift(X509_NAME_ENTRY, (st))
 #define sk_X509_NAME_ENTRY_pop(st) SKM_sk_pop(X509_NAME_ENTRY, (st))
 #define sk_X509_NAME_ENTRY_sort(st) SKM_sk_sort(X509_NAME_ENTRY, (st))
@@ -1915,7 +1841,6 @@ DECLARE_SPECIAL_STACK_OF(BLOCK, void)
 #define sk_X509_OBJECT_set_cmp_func(st, cmp) SKM_sk_set_cmp_func(X509_OBJECT, (st), (cmp))
 #define sk_X509_OBJECT_dup(st) SKM_sk_dup(X509_OBJECT, st)
 #define sk_X509_OBJECT_pop_free(st, free_func) SKM_sk_pop_free(X509_OBJECT, (st), (free_func))
-#define sk_X509_OBJECT_free(st) SKM_sk_free(X509_OBJECT, (st))
 #define sk_X509_OBJECT_shift(st) SKM_sk_shift(X509_OBJECT, (st))
 #define sk_X509_OBJECT_pop(st) SKM_sk_pop(X509_OBJECT, (st))
 #define sk_X509_OBJECT_sort(st) SKM_sk_sort(X509_OBJECT, (st))
@@ -1938,7 +1863,6 @@ DECLARE_SPECIAL_STACK_OF(BLOCK, void)
 #define sk_X509_POLICY_DATA_set_cmp_func(st, cmp) SKM_sk_set_cmp_func(X509_POLICY_DATA, (st), (cmp))
 #define sk_X509_POLICY_DATA_dup(st) SKM_sk_dup(X509_POLICY_DATA, st)
 #define sk_X509_POLICY_DATA_pop_free(st, free_func) SKM_sk_pop_free(X509_POLICY_DATA, (st), (free_func))
-#define sk_X509_POLICY_DATA_free(st) SKM_sk_free(X509_POLICY_DATA, (st))
 #define sk_X509_POLICY_DATA_shift(st) SKM_sk_shift(X509_POLICY_DATA, (st))
 #define sk_X509_POLICY_DATA_pop(st) SKM_sk_pop(X509_POLICY_DATA, (st))
 #define sk_X509_POLICY_DATA_sort(st) SKM_sk_sort(X509_POLICY_DATA, (st))
@@ -1961,35 +1885,11 @@ DECLARE_SPECIAL_STACK_OF(BLOCK, void)
 #define sk_X509_POLICY_NODE_set_cmp_func(st, cmp) SKM_sk_set_cmp_func(X509_POLICY_NODE, (st), (cmp))
 #define sk_X509_POLICY_NODE_dup(st) SKM_sk_dup(X509_POLICY_NODE, st)
 #define sk_X509_POLICY_NODE_pop_free(st, free_func) SKM_sk_pop_free(X509_POLICY_NODE, (st), (free_func))
-#define sk_X509_POLICY_NODE_free(st) SKM_sk_free(X509_POLICY_NODE, (st))
 #define sk_X509_POLICY_NODE_shift(st) SKM_sk_shift(X509_POLICY_NODE, (st))
 #define sk_X509_POLICY_NODE_pop(st) SKM_sk_pop(X509_POLICY_NODE, (st))
 #define sk_X509_POLICY_NODE_sort(st) SKM_sk_sort(X509_POLICY_NODE, (st))
 #define sk_X509_POLICY_NODE_is_sorted(st) SKM_sk_is_sorted(X509_POLICY_NODE, (st))
 
-#define sk_X509_POLICY_REF_new(cmp) SKM_sk_new(X509_POLICY_REF, (cmp))
-#define sk_X509_POLICY_REF_new_null() SKM_sk_new_null(X509_POLICY_REF)
-#define sk_X509_POLICY_REF_free(st) SKM_sk_free(X509_POLICY_REF, (st))
-#define sk_X509_POLICY_REF_num(st) SKM_sk_num(X509_POLICY_REF, (st))
-#define sk_X509_POLICY_REF_value(st, i) SKM_sk_value(X509_POLICY_REF, (st), (i))
-#define sk_X509_POLICY_REF_set(st, i, val) SKM_sk_set(X509_POLICY_REF, (st), (i), (val))
-#define sk_X509_POLICY_REF_zero(st) SKM_sk_zero(X509_POLICY_REF, (st))
-#define sk_X509_POLICY_REF_push(st, val) SKM_sk_push(X509_POLICY_REF, (st), (val))
-#define sk_X509_POLICY_REF_unshift(st, val) SKM_sk_unshift(X509_POLICY_REF, (st), (val))
-#define sk_X509_POLICY_REF_find(st, val) SKM_sk_find(X509_POLICY_REF, (st), (val))
-#define sk_X509_POLICY_REF_find_ex(st, val) SKM_sk_find_ex(X509_POLICY_REF, (st), (val))
-#define sk_X509_POLICY_REF_delete(st, i) SKM_sk_delete(X509_POLICY_REF, (st), (i))
-#define sk_X509_POLICY_REF_delete_ptr(st, ptr) SKM_sk_delete_ptr(X509_POLICY_REF, (st), (ptr))
-#define sk_X509_POLICY_REF_insert(st, val, i) SKM_sk_insert(X509_POLICY_REF, (st), (val), (i))
-#define sk_X509_POLICY_REF_set_cmp_func(st, cmp) SKM_sk_set_cmp_func(X509_POLICY_REF, (st), (cmp))
-#define sk_X509_POLICY_REF_dup(st) SKM_sk_dup(X509_POLICY_REF, st)
-#define sk_X509_POLICY_REF_pop_free(st, free_func) SKM_sk_pop_free(X509_POLICY_REF, (st), (free_func))
-#define sk_X509_POLICY_REF_free(st) SKM_sk_free(X509_POLICY_REF, (st))
-#define sk_X509_POLICY_REF_shift(st) SKM_sk_shift(X509_POLICY_REF, (st))
-#define sk_X509_POLICY_REF_pop(st) SKM_sk_pop(X509_POLICY_REF, (st))
-#define sk_X509_POLICY_REF_sort(st) SKM_sk_sort(X509_POLICY_REF, (st))
-#define sk_X509_POLICY_REF_is_sorted(st) SKM_sk_is_sorted(X509_POLICY_REF, (st))
-
 #define sk_X509_PURPOSE_new(cmp) SKM_sk_new(X509_PURPOSE, (cmp))
 #define sk_X509_PURPOSE_new_null() SKM_sk_new_null(X509_PURPOSE)
 #define sk_X509_PURPOSE_free(st) SKM_sk_free(X509_PURPOSE, (st))
@@ -2007,7 +1907,6 @@ DECLARE_SPECIAL_STACK_OF(BLOCK, void)
 #define sk_X509_PURPOSE_set_cmp_func(st, cmp) SKM_sk_set_cmp_func(X509_PURPOSE, (st), (cmp))
 #define sk_X509_PURPOSE_dup(st) SKM_sk_dup(X509_PURPOSE, st)
 #define sk_X509_PURPOSE_pop_free(st, free_func) SKM_sk_pop_free(X509_PURPOSE, (st), (free_func))
-#define sk_X509_PURPOSE_free(st) SKM_sk_free(X509_PURPOSE, (st))
 #define sk_X509_PURPOSE_shift(st) SKM_sk_shift(X509_PURPOSE, (st))
 #define sk_X509_PURPOSE_pop(st) SKM_sk_pop(X509_PURPOSE, (st))
 #define sk_X509_PURPOSE_sort(st) SKM_sk_sort(X509_PURPOSE, (st))
@@ -2030,7 +1929,6 @@ DECLARE_SPECIAL_STACK_OF(BLOCK, void)
 #define sk_X509_REVOKED_set_cmp_func(st, cmp) SKM_sk_set_cmp_func(X509_REVOKED, (st), (cmp))
 #define sk_X509_REVOKED_dup(st) SKM_sk_dup(X509_REVOKED, st)
 #define sk_X509_REVOKED_pop_free(st, free_func) SKM_sk_pop_free(X509_REVOKED, (st), (free_func))
-#define sk_X509_REVOKED_free(st) SKM_sk_free(X509_REVOKED, (st))
 #define sk_X509_REVOKED_shift(st) SKM_sk_shift(X509_REVOKED, (st))
 #define sk_X509_REVOKED_pop(st) SKM_sk_pop(X509_REVOKED, (st))
 #define sk_X509_REVOKED_sort(st) SKM_sk_sort(X509_REVOKED, (st))
@@ -2053,7 +1951,6 @@ DECLARE_SPECIAL_STACK_OF(BLOCK, void)
 #define sk_X509_TRUST_set_cmp_func(st, cmp) SKM_sk_set_cmp_func(X509_TRUST, (st), (cmp))
 #define sk_X509_TRUST_dup(st) SKM_sk_dup(X509_TRUST, st)
 #define sk_X509_TRUST_pop_free(st, free_func) SKM_sk_pop_free(X509_TRUST, (st), (free_func))
-#define sk_X509_TRUST_free(st) SKM_sk_free(X509_TRUST, (st))
 #define sk_X509_TRUST_shift(st) SKM_sk_shift(X509_TRUST, (st))
 #define sk_X509_TRUST_pop(st) SKM_sk_pop(X509_TRUST, (st))
 #define sk_X509_TRUST_sort(st) SKM_sk_sort(X509_TRUST, (st))
@@ -2076,7 +1973,6 @@ DECLARE_SPECIAL_STACK_OF(BLOCK, void)
 #define sk_X509_VERIFY_PARAM_set_cmp_func(st, cmp) SKM_sk_set_cmp_func(X509_VERIFY_PARAM, (st), (cmp))
 #define sk_X509_VERIFY_PARAM_dup(st) SKM_sk_dup(X509_VERIFY_PARAM, st)
 #define sk_X509_VERIFY_PARAM_pop_free(st, free_func) SKM_sk_pop_free(X509_VERIFY_PARAM, (st), (free_func))
-#define sk_X509_VERIFY_PARAM_free(st) SKM_sk_free(X509_VERIFY_PARAM, (st))
 #define sk_X509_VERIFY_PARAM_shift(st) SKM_sk_shift(X509_VERIFY_PARAM, (st))
 #define sk_X509_VERIFY_PARAM_pop(st) SKM_sk_pop(X509_VERIFY_PARAM, (st))
 #define sk_X509_VERIFY_PARAM_sort(st) SKM_sk_sort(X509_VERIFY_PARAM, (st))
@@ -2099,7 +1995,6 @@ DECLARE_SPECIAL_STACK_OF(BLOCK, void)
 #define sk_nid_triple_set_cmp_func(st, cmp) SKM_sk_set_cmp_func(nid_triple, (st), (cmp))
 #define sk_nid_triple_dup(st) SKM_sk_dup(nid_triple, st)
 #define sk_nid_triple_pop_free(st, free_func) SKM_sk_pop_free(nid_triple, (st), (free_func))
-#define sk_nid_triple_free(st) SKM_sk_free(nid_triple, (st))
 #define sk_nid_triple_shift(st) SKM_sk_shift(nid_triple, (st))
 #define sk_nid_triple_pop(st) SKM_sk_pop(nid_triple, (st))
 #define sk_nid_triple_sort(st) SKM_sk_sort(nid_triple, (st))
@@ -2122,7 +2017,6 @@ DECLARE_SPECIAL_STACK_OF(BLOCK, void)
 #define sk_void_set_cmp_func(st, cmp) SKM_sk_set_cmp_func(void, (st), (cmp))
 #define sk_void_dup(st) SKM_sk_dup(void, st)
 #define sk_void_pop_free(st, free_func) SKM_sk_pop_free(void, (st), (free_func))
-#define sk_void_free(st) SKM_sk_free(void, (st))
 #define sk_void_shift(st) SKM_sk_shift(void, (st))
 #define sk_void_pop(st) SKM_sk_pop(void, (st))
 #define sk_void_sort(st) SKM_sk_sort(void, (st))
@@ -2137,6 +2031,21 @@ DECLARE_SPECIAL_STACK_OF(BLOCK, void)
 #define sk_STRING_pop_free(st, free_func) sk_pop_free(CHECKED_PTR_OF(STACK_OF(STRING), st), CHECKED_SK_FREE_FUNC2(STRING, free_func))
 #define sk_STRING_insert(st, val, i) sk_insert(CHECKED_PTR_OF(STACK_OF(STRING), st), CHECKED_PTR_OF(char, val), i)
 #define sk_STRING_free(st) SKM_sk_free(STRING, st)
+#define sk_STRING_set(st, i, val) sk_set((_STACK *)CHECKED_PTR_OF(STACK_OF(STRING), st), i, CHECKED_PTR_OF(char, val))
+#define sk_STRING_zero(st) SKM_sk_zero(STRING, (st))
+#define sk_STRING_unshift(st, val) sk_unshift((_STACK *)CHECKED_PTR_OF(STACK_OF(STRING), st), CHECKED_PTR_OF(char, val))
+#define sk_STRING_find_ex(st, val) sk_find_ex((_STACK *)CHECKED_CONST_PTR_OF(STACK_OF(STRING), st), CHECKED_CONST_PTR_OF(char, val))
+#define sk_STRING_delete(st, i) SKM_sk_delete(STRING, (st), (i))
+#define sk_STRING_delete_ptr(st, ptr) (STRING *)sk_delete_ptr((_STACK *)CHECKED_PTR_OF(STACK_OF(STRING), st), CHECKED_PTR_OF(char, ptr))
+#define sk_STRING_set_cmp_func(st, cmp)  \
+	((int (*)(const char * const *,const char * const *)) \
+	sk_set_cmp_func((_STACK *)CHECKED_PTR_OF(STACK_OF(STRING), st), CHECKED_SK_CMP_FUNC(char, cmp)))
+#define sk_STRING_dup(st) SKM_sk_dup(STRING, st)
+#define sk_STRING_shift(st) SKM_sk_shift(STRING, (st))
+#define sk_STRING_pop(st) (char *)sk_pop((_STACK *)CHECKED_PTR_OF(STACK_OF(STRING), st))
+#define sk_STRING_sort(st) SKM_sk_sort(STRING, (st))
+#define sk_STRING_is_sorted(st) SKM_sk_is_sorted(STRING, (st))
+
 
 #define sk_BLOCK_new(cmp) ((STACK_OF(BLOCK) *)sk_new(CHECKED_SK_CMP_FUNC(void, cmp)))
 #define sk_BLOCK_new_null() ((STACK_OF(BLOCK) *)sk_new_null())
@@ -2147,6 +2056,21 @@ DECLARE_SPECIAL_STACK_OF(BLOCK, void)
 #define sk_BLOCK_pop_free(st, free_func) sk_pop_free(CHECKED_PTR_OF(STACK_OF(BLOCK), st), CHECKED_SK_FREE_FUNC2(BLOCK, free_func))
 #define sk_BLOCK_insert(st, val, i) sk_insert(CHECKED_PTR_OF(STACK_OF(BLOCK), st), CHECKED_PTR_OF(void, val), i)
 #define sk_BLOCK_free(st) SKM_sk_free(BLOCK, st)
+#define sk_BLOCK_set(st, i, val) sk_set((_STACK *)CHECKED_PTR_OF(STACK_OF(BLOCK), st), i, CHECKED_PTR_OF(void, val))
+#define sk_BLOCK_zero(st) SKM_sk_zero(BLOCK, (st))
+#define sk_BLOCK_unshift(st, val) sk_unshift((_STACK *)CHECKED_PTR_OF(STACK_OF(BLOCK), st), CHECKED_PTR_OF(void, val))
+#define sk_BLOCK_find_ex(st, val) sk_find_ex((_STACK *)CHECKED_CONST_PTR_OF(STACK_OF(BLOCK), st), CHECKED_CONST_PTR_OF(void, val))
+#define sk_BLOCK_delete(st, i) SKM_sk_delete(BLOCK, (st), (i))
+#define sk_BLOCK_delete_ptr(st, ptr) (BLOCK *)sk_delete_ptr((_STACK *)CHECKED_PTR_OF(STACK_OF(BLOCK), st), CHECKED_PTR_OF(void, ptr))
+#define sk_BLOCK_set_cmp_func(st, cmp)  \
+	((int (*)(const void * const *,const void * const *)) \
+	sk_set_cmp_func((_STACK *)CHECKED_PTR_OF(STACK_OF(BLOCK), st), CHECKED_SK_CMP_FUNC(void, cmp)))
+#define sk_BLOCK_dup(st) SKM_sk_dup(BLOCK, st)
+#define sk_BLOCK_shift(st) SKM_sk_shift(BLOCK, (st))
+#define sk_BLOCK_pop(st) (void *)sk_pop((_STACK *)CHECKED_PTR_OF(STACK_OF(BLOCK), st))
+#define sk_BLOCK_sort(st) SKM_sk_sort(BLOCK, (st))
+#define sk_BLOCK_is_sorted(st) SKM_sk_is_sorted(BLOCK, (st))
+
 
 #define sk_PSTRING_new(cmp) ((STACK_OF(PSTRING) *)sk_new(CHECKED_SK_CMP_FUNC(STRING, cmp)))
 #define sk_PSTRING_new_null() ((STACK_OF(PSTRING) *)sk_new_null())
@@ -2157,6 +2081,21 @@ DECLARE_SPECIAL_STACK_OF(BLOCK, void)
 #define sk_PSTRING_pop_free(st, free_func) sk_pop_free(CHECKED_PTR_OF(STACK_OF(PSTRING), st), CHECKED_SK_FREE_FUNC2(PSTRING, free_func))
 #define sk_PSTRING_insert(st, val, i) sk_insert(CHECKED_PTR_OF(STACK_OF(PSTRING), st), CHECKED_PTR_OF(STRING, val), i)
 #define sk_PSTRING_free(st) SKM_sk_free(PSTRING, st)
+#define sk_PSTRING_set(st, i, val) sk_set((_STACK *)CHECKED_PTR_OF(STACK_OF(PSTRING), st), i, CHECKED_PTR_OF(STRING, val))
+#define sk_PSTRING_zero(st) SKM_sk_zero(PSTRING, (st))
+#define sk_PSTRING_unshift(st, val) sk_unshift((_STACK *)CHECKED_PTR_OF(STACK_OF(PSTRING), st), CHECKED_PTR_OF(STRING, val))
+#define sk_PSTRING_find_ex(st, val) sk_find_ex((_STACK *)CHECKED_CONST_PTR_OF(STACK_OF(PSTRING), st), CHECKED_CONST_PTR_OF(STRING, val))
+#define sk_PSTRING_delete(st, i) SKM_sk_delete(PSTRING, (st), (i))
+#define sk_PSTRING_delete_ptr(st, ptr) (PSTRING *)sk_delete_ptr((_STACK *)CHECKED_PTR_OF(STACK_OF(PSTRING), st), CHECKED_PTR_OF(STRING, ptr))
+#define sk_PSTRING_set_cmp_func(st, cmp)  \
+	((int (*)(const STRING * const *,const STRING * const *)) \
+	sk_set_cmp_func((_STACK *)CHECKED_PTR_OF(STACK_OF(PSTRING), st), CHECKED_SK_CMP_FUNC(STRING, cmp)))
+#define sk_PSTRING_dup(st) SKM_sk_dup(PSTRING, st)
+#define sk_PSTRING_shift(st) SKM_sk_shift(PSTRING, (st))
+#define sk_PSTRING_pop(st) (STRING *)sk_pop((_STACK *)CHECKED_PTR_OF(STACK_OF(PSTRING), st))
+#define sk_PSTRING_sort(st) SKM_sk_sort(PSTRING, (st))
+#define sk_PSTRING_is_sorted(st) SKM_sk_is_sorted(PSTRING, (st))
+
 
 #define d2i_ASN1_SET_OF_ACCESS_DESCRIPTION(st, pp, length, d2i_func, free_func, ex_tag, ex_class) \
 	SKM_ASN1_SET_OF_d2i(ACCESS_DESCRIPTION, (st), (pp), (length), (d2i_func), (free_func), (ex_tag), (ex_class)) 

crypto/symhacks.h

@@ -382,7 +382,7 @@
 #endif /* defined OPENSSL_SYS_VMS */
 
 
-/* Case insensiteve linking causes problems.... */
+/* Case insensitive linking causes problems.... */
 #if defined(OPENSSL_SYS_VMS) || defined(OPENSSL_SYS_OS2)
 #undef ERR_load_CRYPTO_strings
 #define ERR_load_CRYPTO_strings			ERR_load_CRYPTOlib_strings

crypto/x509/x509.h

@@ -116,6 +116,7 @@ extern "C" {
 /* Under Win32 these are defined in wincrypt.h */
 #undef X509_NAME
 #undef X509_CERT_PAIR
+#undef X509_EXTENSIONS
 #endif
 
 #define X509_FILETYPE_PEM	1

crypto/x509/x509_vfy.c

@@ -1124,7 +1124,7 @@ static int check_crl_path(X509_STORE_CTX *ctx, X509 *x)
 	/* Verify CRL issuer */
 	ret = X509_verify_cert(&crl_ctx);
 
-	if (!ret)
+	if (ret <= 0)
 		goto err;
 
 	/* Check chain is acceptable */

crypto/x509v3/pcy_tree.c

@@ -231,7 +231,7 @@ static int tree_init(X509_POLICY_TREE **ptree, STACK_OF(X509) *certs,
 	tree->auth_policies = NULL;
 	tree->user_policies = NULL;
 
-	if (!tree)
+	if (!tree->levels)
 		{
 		OPENSSL_free(tree);
 		return 0;

crypto/x509v3/v3_alt.c

@@ -366,6 +366,7 @@ static int copy_email(X509V3_CTX *ctx, GENERAL_NAMES *gens, int move_p)
                 if (move_p)
                         {
                         X509_NAME_delete_entry(nm, i);
+			X509_NAME_ENTRY_free(ne);
                         i--;
                         }
 		if(!email || !(gen = GENERAL_NAME_new())) {
@@ -605,6 +606,7 @@ static int do_dirname(GENERAL_NAME *gen, char *value, X509V3_CTX *ctx)
 	if (!ret)
 		X509_NAME_free(nm);
 	gen->d.dirn = nm;
+	X509V3_section_free(ctx, sk);
 		
 	return ret;
 	}

crypto/x509v3/v3_cpols.c

@@ -453,4 +453,5 @@ void X509_POLICY_NODE_print(BIO *out, X509_POLICY_NODE *node, int indent)
 
 
 IMPLEMENT_STACK_OF(X509_POLICY_NODE)
+IMPLEMENT_STACK_OF(X509_POLICY_DATA)
 

crypto/x509v3/v3_crld.c

@@ -152,7 +152,7 @@ static int set_dist_point_name(DIST_POINT_NAME **pdp, X509V3_CTX *ctx,
 				sk_X509_NAME_ENTRY_num(rnm) - 1)->set)
 			{
 			X509V3err(X509V3_F_SET_DIST_POINT_NAME,
-						X509V3_R_INVAID_MULTIPLE_RDNS);
+						X509V3_R_INVALID_MULTIPLE_RDNS);
 			goto err;
 			}
 		}

crypto/x509v3/v3_pci.c

@@ -82,7 +82,7 @@ static int process_pci_value(CONF_VALUE *val,
 		{
 		if (*language)
 			{
-			X509V3err(X509V3_F_PROCESS_PCI_VALUE,X509V3_R_POLICY_LANGUAGE_ALREADTY_DEFINED);
+			X509V3err(X509V3_F_PROCESS_PCI_VALUE,X509V3_R_POLICY_LANGUAGE_ALREADY_DEFINED);
 			X509V3_conf_err(val);
 			return 0;
 			}
@@ -97,7 +97,7 @@ static int process_pci_value(CONF_VALUE *val,
 		{
 		if (*pathlen)
 			{
-			X509V3err(X509V3_F_PROCESS_PCI_VALUE,X509V3_R_POLICY_PATH_LENGTH_ALREADTY_DEFINED);
+			X509V3err(X509V3_F_PROCESS_PCI_VALUE,X509V3_R_POLICY_PATH_LENGTH_ALREADY_DEFINED);
 			X509V3_conf_err(val);
 			return 0;
 			}

crypto/x509v3/v3err.c

@@ -159,7 +159,7 @@ static ERR_STRING_DATA X509V3_str_reasons[]=
 {ERR_REASON(X509V3_R_ILLEGAL_EMPTY_EXTENSION),"illegal empty extension"},
 {ERR_REASON(X509V3_R_ILLEGAL_HEX_DIGIT)  ,"illegal hex digit"},
 {ERR_REASON(X509V3_R_INCORRECT_POLICY_SYNTAX_TAG),"incorrect policy syntax tag"},
-{ERR_REASON(X509V3_R_INVAID_MULTIPLE_RDNS),"invaid multiple rdns"},
+{ERR_REASON(X509V3_R_INVALID_MULTIPLE_RDNS),"invalid multiple rdns"},
 {ERR_REASON(X509V3_R_INVALID_ASNUMBER)   ,"invalid asnumber"},
 {ERR_REASON(X509V3_R_INVALID_ASRANGE)    ,"invalid asrange"},
 {ERR_REASON(X509V3_R_INVALID_BOOLEAN_STRING),"invalid boolean string"},
@@ -193,9 +193,9 @@ static ERR_STRING_DATA X509V3_str_reasons[]=
 {ERR_REASON(X509V3_R_ODD_NUMBER_OF_DIGITS),"odd number of digits"},
 {ERR_REASON(X509V3_R_OPERATION_NOT_DEFINED),"operation not defined"},
 {ERR_REASON(X509V3_R_OTHERNAME_ERROR)    ,"othername error"},
-{ERR_REASON(X509V3_R_POLICY_LANGUAGE_ALREADTY_DEFINED),"policy language alreadty defined"},
+{ERR_REASON(X509V3_R_POLICY_LANGUAGE_ALREADY_DEFINED),"policy language already defined"},
 {ERR_REASON(X509V3_R_POLICY_PATH_LENGTH) ,"policy path length"},
-{ERR_REASON(X509V3_R_POLICY_PATH_LENGTH_ALREADTY_DEFINED),"policy path length alreadty defined"},
+{ERR_REASON(X509V3_R_POLICY_PATH_LENGTH_ALREADY_DEFINED),"policy path length already defined"},
 {ERR_REASON(X509V3_R_POLICY_SYNTAX_NOT_CURRENTLY_SUPPORTED),"policy syntax not currently supported"},
 {ERR_REASON(X509V3_R_POLICY_WHEN_PROXY_LANGUAGE_REQUIRES_NO_POLICY),"policy when proxy language requires no policy"},
 {ERR_REASON(X509V3_R_SECTION_NOT_FOUND)  ,"section not found"},

crypto/x509v3/x509v3.h

@@ -951,7 +951,7 @@ void ERR_load_X509V3_strings(void);
 #define X509V3_R_ILLEGAL_EMPTY_EXTENSION		 151
 #define X509V3_R_ILLEGAL_HEX_DIGIT			 113
 #define X509V3_R_INCORRECT_POLICY_SYNTAX_TAG		 152
-#define X509V3_R_INVAID_MULTIPLE_RDNS			 161
+#define X509V3_R_INVALID_MULTIPLE_RDNS			 161
 #define X509V3_R_INVALID_ASNUMBER			 162
 #define X509V3_R_INVALID_ASRANGE			 163
 #define X509V3_R_INVALID_BOOLEAN_STRING			 104
@@ -985,9 +985,9 @@ void ERR_load_X509V3_strings(void);
 #define X509V3_R_ODD_NUMBER_OF_DIGITS			 112
 #define X509V3_R_OPERATION_NOT_DEFINED			 148
 #define X509V3_R_OTHERNAME_ERROR			 147
-#define X509V3_R_POLICY_LANGUAGE_ALREADTY_DEFINED	 155
+#define X509V3_R_POLICY_LANGUAGE_ALREADY_DEFINED	 155
 #define X509V3_R_POLICY_PATH_LENGTH			 156
-#define X509V3_R_POLICY_PATH_LENGTH_ALREADTY_DEFINED	 157
+#define X509V3_R_POLICY_PATH_LENGTH_ALREADY_DEFINED	 157
 #define X509V3_R_POLICY_SYNTAX_NOT_CURRENTLY_SUPPORTED	 158
 #define X509V3_R_POLICY_WHEN_PROXY_LANGUAGE_REQUIRES_NO_POLICY 159
 #define X509V3_R_SECTION_NOT_FOUND			 150

demos/pkcs12/pkread.c

@@ -51,7 +51,7 @@ int main(int argc, char **argv)
 		fprintf(fp, "***User Certificate***\n");
 		PEM_write_X509_AUX(fp, cert);
 	}
-	if (ca && sk_num(ca)) {
+	if (ca && sk_X509_num(ca)) {
 		fprintf(fp, "***Other Certificates***\n");
 		for (i = 0; i < sk_X509_num(ca); i++) 
 		    PEM_write_X509_AUX(fp, sk_X509_value(ca, i));

doc/apps/ca.pod

@@ -217,7 +217,7 @@ used).
 
 =item B<-engine id>
 
-specifying an engine (by it's unique B<id> string) will cause B<req>
+specifying an engine (by its unique B<id> string) will cause B<ca>
 to attempt to obtain a functional reference to the specified engine,
 thus initialising it if needed. The engine will then be set as the default
 for all available algorithms.

doc/apps/ciphers.pod

@@ -251,6 +251,33 @@ cipher suites using MD5.
 
 cipher suites using SHA1.
 
+=item B<aGOST> 
+
+cipher suites using GOST R 34.10 (either 2001 or 94) for authenticaction
+(needs an engine supporting GOST algorithms). 
+
+=item B<aGOST01>
+
+cipher suites using GOST R 34.10-2001 authentication.
+
+=item B<aGOST94>
+
+cipher suites using GOST R 34.10-94 authentication (note that R 34.10-94
+standard has been expired so use GOST R 34.10-2001)
+
+=item B<kGOST>
+
+cipher suites, using VKO 34.10 key exchange, specified in the RFC 4357.
+
+=item B<GOST94>
+
+cipher suites, using HMAC based on GOST R 34.11-94.
+
+=item B<GOST89MAC>
+
+cipher suites using GOST 28147-89 MAC B<instead of> HMAC.
+
+
 =back
 
 =head1 CIPHER SUITE NAMES
@@ -376,6 +403,16 @@ e.g. DES-CBC3-SHA. In these cases, RSA authentication is used.
 
  TLS_DH_anon_WITH_SEED_CBC_SHA          ADH-SEED-SHA
 
+=head2 GOST ciphersuites from draft-chudov-cryptopro-cptls, extending TLS v1.0
+
+Note: these ciphers require an engine which including GOST cryptographic
+algorithms, such as the B<ccgost> engine, included in the OpenSSL distribution.
+
+ TLS_GOSTR341094_WITH_28147_CNT_IMIT GOST94-GOST89-GOST89
+ TLS_GOSTR341001_WITH_28147_CNT_IMIT GOST2001-GOST89-GOST89
+ TLS_GOSTR341094_WITH_NULL_GOSTR3411 GOST94-NULL-GOST94
+ TLS_GOSTR341001_WITH_NULL_GOSTR3411 GOST2001-NULL-GOST94
+
 =head2 Additional Export 1024 and other cipher suites
 
 Note: these ciphers can also be used in SSL v3.

doc/apps/cms.pod

@@ -36,17 +36,7 @@ B<openssl> B<cms>
 [B<-CAfile file>]
 [B<-CApath dir>]
 [B<-md digest>]
-[B<-des>]
-[B<-des3>]
-[B<-rc2-40>]
-[B<-rc2-64>]
-[B<-rc2-128>]
-[B<-aes128>]
-[B<-aes192>]
-[B<-aes256>]
-[B<-camellia128>]
-[B<-camellia192>]
-[B<-camellia256>]
+[B<-[cipher]>]
 [B<-nointern>]
 [B<-no_signer_cert_verify>]
 [B<-nocerts>]
@@ -253,13 +243,13 @@ to each certificate.
 digest algorithm to use when signing or resigning. If not present then the
 default digest algorithm for the signing key will be used (usually SHA1).
 
-=item B<-des -des3 -rc2-40 -rc2-64 -rc2-128 -aes128 -aes192 -aes256 -camellia128 -camellia192 -camellia256>
+=item B<-[cipher]>
 
-the encryption algorithm to use. DES (56 bits), triple DES (168 bits), 40, 64
-or 128 bit RC2, 128, 192 or 256 bit AES, or 128, 192 or 256 bit Camellia
-respectively. Any other cipher name (as recognized by the
+the encryption algorithm to use. For example triple DES (168 bits) - B<-des3>
+or 256 bit AES - B<-aes256>. Any standard algorithm name (as used by the
 EVP_get_cipherbyname() function) can also be used preceded by a dash, for 
-example B<-aes_128_cbc>.
+example B<-aes_128_cbc>. See L<B<enc>|enc(1)> for a list of ciphers
+supported by your version of OpenSSL.
 
 If not specified triple DES is used. Only used with B<-encrypt> and 
 B<-EncryptedData_create> commands.
@@ -411,6 +401,11 @@ portion of a message so they may be included manually. If signing
 then many S/MIME mail clients check the signers certificate's email
 address matches that specified in the From: address.
 
+=item B<-purpose, -ignore_critical, -issuer_checks, -crl_check, -crl_check_all, -policy_check, -extended_crl, -x509_strict, -policy>
+
+Set various certificate chain valiadition option. See the
+L<B<verify>|verify(1)> manual page for details.
+
 =back
 
 =head1 NOTES

doc/apps/dgst.pod

@@ -14,6 +14,7 @@ B<openssl> B<dgst>
 [B<-binary>]
 [B<-out filename>]
 [B<-sign filename>]
+[B<-keyform arg>]
 [B<-passin arg>]
 [B<-verify filename>]
 [B<-prverify filename>]
@@ -61,6 +62,23 @@ filename to output to, or standard output by default.
 
 digitally sign the digest using the private key in "filename".
 
+=item B<-keyform arg>
+
+Specifies the key format to sign digest with. Only PEM and ENGINE
+formats are supported by the B<dgst> command.
+
+=item B<-engine id>
+
+Use engine B<id> for operations (including private key storage).
+This engine is not used as source for digest algorithms, unless it is
+also specified in the configuration file.
+
+=item B<-sigopt nm:v>
+
+Pass options to the signature algorithm during sign or verify operations.
+Names and values of these options are algorithm-specific.
+
+
 =item B<-passin arg>
 
 the private key password source. For more information about the format of B<arg>
@@ -83,6 +101,35 @@ the actual signature to verify.
 
 create a hashed MAC using "key".
 
+=item B<-mac alg>
+
+create MAC (keyed Message Authentication Code). The most popular MAC
+algorithm is HMAC (hash-based MAC), but there are other MAC algorithms
+which are not based on hash, for instance B<gost-mac> algorithm,
+supported by B<ccgost> engine. MAC keys and other options should be set
+via B<-macopt> parameter.
+
+=item B<-macopt nm:v>
+
+Passes options to MAC algorithm, specified by B<-mac> key.
+Following options are supported by both by B<HMAC> and B<gost-mac>:
+
+=over 8
+
+=item B<key:string>
+	
+Specifies MAC key as alphnumeric string (use if key contain printable
+characters only). String length must conform to any restrictions of
+the MAC algorithm for example exactly 32 chars for gost-mac.
+
+=item B<hexkey:string>
+
+Specifies MAC key in hexadecimal form (two hex digits per byte).
+Key length must conform to any restrictions of the MAC algorithm
+for example exactly 32 chars for gost-mac.
+
+=back
+
 =item B<-rand file(s)>
 
 a file or files containing random data used to seed the random number

doc/apps/dhparam.pod

@@ -99,7 +99,7 @@ be loaded by calling the B<get_dh>I<numbits>B<()> function.
 
 =item B<-engine id>
 
-specifying an engine (by it's unique B<id> string) will cause B<req>
+specifying an engine (by its unique B<id> string) will cause B<dhparam>
 to attempt to obtain a functional reference to the specified engine,
 thus initialising it if needed. The engine will then be set as the default
 for all available algorithms.

doc/apps/dsa.pod

@@ -109,7 +109,7 @@ a public key.
 
 =item B<-engine id>
 
-specifying an engine (by it's unique B<id> string) will cause B<req>
+specifying an engine (by its unique B<id> string) will cause B<dsa>
 to attempt to obtain a functional reference to the specified engine,
 thus initialising it if needed. The engine will then be set as the default
 for all available algorithms.

doc/apps/dsaparam.pod

@@ -85,7 +85,7 @@ the input file (if any) is ignored.
 
 =item B<-engine id>
 
-specifying an engine (by it's unique B<id> string) will cause B<req>
+specifying an engine (by its unique B<id> string) will cause B<dsaparam>
 to attempt to obtain a functional reference to the specified engine,
 thus initialising it if needed. The engine will then be set as the default
 for all available algorithms.

doc/apps/ec.pod

@@ -130,7 +130,7 @@ is currently not implemented in OpenSSL.
 
 =item B<-engine id>
 
-specifying an engine (by it's unique B<id> string) will cause B<req>
+specifying an engine (by its unique B<id> string) will cause B<ec>
 to attempt to obtain a functional reference to the specified engine,
 thus initialising it if needed. The engine will then be set as the default
 for all available algorithms.

doc/apps/ecparam.pod

@@ -121,7 +121,7 @@ all others.
 
 =item B<-engine id>
 
-specifying an engine (by it's unique B<id> string) will cause B<req>
+specifying an engine (by its unique B<id> string) will cause B<ecparam>
 to attempt to obtain a functional reference to the specified engine,
 thus initialising it if needed. The engine will then be set as the default
 for all available algorithms.

doc/apps/enc.pod

@@ -12,17 +12,24 @@ B<openssl enc -ciphername>
 [B<-pass arg>]
 [B<-e>]
 [B<-d>]
-[B<-a>]
+[B<-a/-base64>]
 [B<-A>]
 [B<-k password>]
 [B<-kfile filename>]
 [B<-K key>]
 [B<-iv IV>]
+[B<-S salt>]
+[B<-salt>]
+[B<-nosalt>]
+[B<-z>]
+[B<-md>]
 [B<-p>]
 [B<-P>]
 [B<-bufsize number>]
 [B<-nopad>]
 [B<-debug>]
+[B<-none>]
+[B<-engine id>]
 
 =head1 DESCRIPTION
 
@@ -74,6 +81,10 @@ base64 process the data. This means that if encryption is taking place
 the data is base64 encoded after encryption. If decryption is set then
 the input data is base64 decoded before being decrypted.
 
+=item B<-base64>
+
+same as B<-a>
+
 =item B<-A>
 
 if the B<-a> option is set then base64 process the data on one line.
@@ -89,10 +100,18 @@ read the password to derive the key from the first line of B<filename>.
 This is for compatibility with previous versions of OpenSSL. Superseded by
 the B<-pass> argument.
 
+=item B<-nosalt>
+
+do not use a salt 
+
+=item B<-salt>
+
+use salt (randomly generated or provide with B<-S> option) when
+encrypting (this is the default).
+
 =item B<-S salt>
 
-the actual salt to use: this must be represented as a string comprised only
-of hex digits.
+the actual salt to use: this must be represented as a string of hex digits.
 
 =item B<-K key>
 
@@ -131,12 +150,34 @@ disable standard block padding
 
 debug the BIOs used for I/O.
 
+=item B<-z>
+
+Compress or decompress clear text using zlib before encryption or after
+decryption. This option exists only if OpenSSL with compiled with zlib
+or zlib-dynamic option.
+
+=item B<-none>
+
+Use NULL cipher (no encryption or decryption of input).
+
 =back
 
 =head1 NOTES
 
 The program can be called either as B<openssl ciphername> or
-B<openssl enc -ciphername>.
+B<openssl enc -ciphername>. But the first form doesn't work with
+engine-provided ciphers, because this form is processed before the
+configuration file is read and any ENGINEs loaded.
+
+Engines which provide entirely new encryption algorithms (such as ccgost
+engine which provides gost89 algorithm) should be configured in the
+configuration file. Engines, specified in the command line using -engine
+options can only be used for hadrware-assisted implementations of
+ciphers, which are supported by OpenSSL core or other engine, specified
+in the configuration file.
+
+When enc command lists supported ciphers, ciphers provided by engines,
+specified in the configuration files are listed too.
 
 A password will be prompted for to derive the key and IV if necessary.
 
@@ -169,6 +210,14 @@ Blowfish and RC5 algorithms use a 128 bit key.
 
 =head1 SUPPORTED CIPHERS
 
+Note that some of these ciphers can be disabled at compile time
+and some are available only if an appropriate engine is configured
+in the configuration file. The output of the B<enc> command run with
+unsupported options (for example B<openssl enc -help>) includes a
+list of ciphers, supported by your versesion of OpenSSL, including
+ones provided by configured engines.
+
+
  base64             Base 64
 
  bf-cbc             Blowfish in CBC mode
@@ -203,6 +252,9 @@ Blowfish and RC5 algorithms use a 128 bit key.
 
  desx               DESX algorithm.
 
+ gost89             GOST 28147-89 in CFB mode (provided by ccgost engine)
+ gost89-cnt        `GOST 28147-89 in CNT mode (provided by ccgost engine) 
+
  idea-cbc           IDEA algorithm in CBC mode
  idea               same as idea-cbc
  idea-cfb           IDEA in CFB mode

doc/apps/gendsa.pod

@@ -40,7 +40,7 @@ all others.
 
 =item B<-engine id>
 
-specifying an engine (by it's unique B<id> string) will cause B<req>
+specifying an engine (by its unique B<id> string) will cause B<gendsa>
 to attempt to obtain a functional reference to the specified engine,
 thus initialising it if needed. The engine will then be set as the default
 for all available algorithms.

doc/apps/genpkey.pod

@@ -47,7 +47,7 @@ name accepted by EVP_get_cipherbyname() is acceptable such as B<des3>.
 
 =item B<-engine id>
 
-specifying an engine (by it's unique B<id> string) will cause B<req>
+specifying an engine (by its unique B<id> string) will cause B<genpkey>
 to attempt to obtain a functional reference to the specified engine,
 thus initialising it if needed. The engine will then be set as the default
 for all available algorithms. If used this option should precede all other
@@ -138,6 +138,37 @@ the EC curve to use.
 
 =back
 
+=head1 GOST2001 KEY GENERATION AND PARAMETER OPTIONS
+
+Gost 2001 support is not enabled by default. To enable this algorithm,
+one should load the ccgost engine in the OpenSSL configuration file.
+See README.gost file in the engines/ccgost directiry of the source
+distribution for more details.
+
+Use of a parameter file for the GOST R 34.10 algorithm is optional.
+Parameters can be specified during key generation directly as well as
+during generation of parameter file.
+
+=over 4
+
+=item B<paramset:name>
+
+Specifies GOST R 34.10-2001 parameter set according to RFC 4357.
+Parameter set can be specified using abbreviated name, object short name or
+numeric OID. Following parameter sets are supported:
+
+  paramset   OID               Usage
+  A          1.2.643.2.2.35.1  Signature
+  B          1.2.643.2.2.35.2  Signature
+  C          1.2.643.2.2.35.3  Signature
+  XA         1.2.643.2.2.36.0  Key exchange
+  XB         1.2.643.2.2.36.1  Key exchange
+  test       1.2.643.2.2.35.0  Test purposes
+
+=back
+
+
+
 =head1 NOTES
 
 The use of the genpkey program is encouraged over the algorithm specific
@@ -148,15 +179,15 @@ can be used.
 
 Generate an RSA private key using default parameters:
 
- openssl genpkey -algoritm RSA -out key.pem 
+ openssl genpkey -algorithm RSA -out key.pem 
 
 Encrypt output private key using 128 bit AES and the passphrase "hello":
 
- openssl genpkey -algoritm RSA -out key.pem -aes-128-cbc -pass pass:hello
+ openssl genpkey -algorithm RSA -out key.pem -aes-128-cbc -pass pass:hello
 
 Generate a 2048 bit RSA key using 3 as the public exponent:
 
- openssl genpkey -algoritm RSA -out key.pem -pkeyopt rsa_keygen_bits:2048 \
+ openssl genpkey -algorithm RSA -out key.pem -pkeyopt rsa_keygen_bits:2048 \
  						-pkeyopt rsa_keygen_pubexp:3
 
 Generate 1024 bit DSA parameters:

doc/apps/genrsa.pod

@@ -57,7 +57,7 @@ all others.
 
 =item B<-engine id>
 
-specifying an engine (by it's unique B<id> string) will cause B<req>
+specifying an engine (by its unique B<id> string) will cause B<genrsa>
 to attempt to obtain a functional reference to the specified engine,
 thus initialising it if needed. The engine will then be set as the default
 for all available algorithms.

doc/apps/openssl.pod

@@ -81,6 +81,10 @@ Certificate Authority (CA) Management.
 
 Cipher Suite Description Determination.
 
+=item L<B<cms>|cms(1)>
+
+CMS (Cryptographic Message Syntax) utility
+
 =item L<B<crl>|crl(1)>
 
 Certificate Revocation List (CRL) Management.
@@ -98,6 +102,12 @@ Message Digest Calculation.
 Diffie-Hellman Parameter Management.
 Obsoleted by L<B<dhparam>|dhparam(1)>.
 
+=item L<B<dhparam>|dhparam(1)>
+
+Generation and Management of Diffie-Hellman Parameters. Superseded by 
+L<B<genpkey>|genpkey(1)> and L<B<pkeyparam>|pkeyparam(1)>
+
+
 =item L<B<dsa>|dsa(1)>
 
 DSA Data Management.
@@ -107,19 +117,26 @@ DSA Data Management.
 DSA Parameter Generation and Management. Superseded by 
 L<B<genpkey>|genpkey(1)> and L<B<pkeyparam>|pkeyparam(1)>
 
+=item L<B<ec>|ec(1)>
+
+EC (Elliptic curve) key processing
+
+=item L<B<ecparam>|ecparam(1)>
+
+EC parameter manipulation and generation
+
 =item L<B<enc>|enc(1)>
 
 Encoding with Ciphers.
 
+=item L<B<engine>|engine(1)>
+
+Engine (loadble module) information and manipulation.
+
 =item L<B<errstr>|errstr(1)>
 
 Error Number to Error String Conversion.
 
-=item L<B<dhparam>|dhparam(1)>
-
-Generation and Management of Diffie-Hellman Parameters. Superseded by 
-L<B<genpkey>|genpkey(1)> and L<B<pkeyparam>|pkeyparam(1)>
-
 =item B<gendh>
 
 Generation of Diffie-Hellman Parameters.
@@ -138,6 +155,10 @@ Generation of Private Key or Parameters.
 
 Generation of RSA Private Key. Superceded by L<B<genpkey>|genpkey(1)>.
 
+=item L<B<nseq>|nseq(1)
+
+Create or examine a netscape certificate sequence
+
 =item L<B<ocsp>|ocsp(1)>
 
 Online Certificate Status Protocol utility.
@@ -158,14 +179,14 @@ PKCS#7 Data Management.
 
 Public and private key management.
 
-=item L<B<pkeyutl>|pkeyutl(1)>
-
-Public key algorithm cryptographic operation utility.
-
 =item L<B<pkeyparam>|pkeyparam(1)>
 
 Public key algorithm parameter management.
 
+=item L<B<pkeyutl>|pkeyutl(1)>
+
+Public key algorithm cryptographic operation utility.
+
 =item L<B<rand>|rand(1)>
 
 Generate pseudo-random bytes.
@@ -178,6 +199,7 @@ PKCS#10 X.509 Certificate Signing Request (CSR) Management.
 
 RSA key management.
 
+
 =item L<B<rsautl>|rsautl(1)>
 
 RSA utility for signing, verification, encryption, and decryption. Superseded
@@ -215,6 +237,10 @@ S/MIME mail processing.
 
 Algorithm Speed Measurement.
 
+=item L<B<spkac>|spkac(1)>
+
+SPKAC printing and generating utility
+
 =item L<B<ts>|ts(1)>
 
 Time Stamping Authority tool (client/server)

doc/apps/pkcs7.pod

@@ -62,7 +62,7 @@ is B<-print_certs> is set).
 
 =item B<-engine id>
 
-specifying an engine (by it's unique B<id> string) will cause B<req>
+specifying an engine (by its unique B<id> string) will cause B<pkcs7>
 to attempt to obtain a functional reference to the specified engine,
 thus initialising it if needed. The engine will then be set as the default
 for all available algorithms.

doc/apps/pkcs8.pod

@@ -125,7 +125,7 @@ list of possible algorithms is included below.
 
 =item B<-engine id>
 
-specifying an engine (by it's unique B<id> string) will cause B<req>
+specifying an engine (by its unique B<id> string) will cause B<pkcs8>
 to attempt to obtain a functional reference to the specified engine,
 thus initialising it if needed. The engine will then be set as the default
 for all available algorithms.

doc/apps/pkey.pod

@@ -94,7 +94,7 @@ the input is a public key.
 
 =item B<-engine id>
 
-specifying an engine (by it's unique B<id> string) will cause B<req>
+specifying an engine (by its unique B<id> string) will cause B<pkey>
 to attempt to obtain a functional reference to the specified engine,
 thus initialising it if needed. The engine will then be set as the default
 for all available algorithms.

doc/apps/pkeyparam.pod

@@ -43,7 +43,7 @@ do not output the encoded version of the parameters.
 
 =item B<-engine id>
 
-specifying an engine (by it's unique B<id> string) will cause B<req>
+specifying an engine (by its unique B<id> string) will cause B<pkeyparam>
 to attempt to obtain a functional reference to the specified engine,
 thus initialising it if needed. The engine will then be set as the default
 for all available algorithms.

doc/apps/pkeyutl.pod

@@ -12,6 +12,7 @@ B<openssl> B<pkeyutl>
 [B<-sigfile file>]
 [B<-inkey file>]
 [B<-keyform PEM|DER>]
+[B<-passin arg>]
 [B<-peerkey file>]
 [B<-peerform PEM|DER>]
 [B<-pubin>]
@@ -26,6 +27,7 @@ B<openssl> B<pkeyutl>
 [B<-pkeyopt opt:value>]
 [B<-hexdump>]
 [B<-asn1parse>]
+[B<-engine id>]
 
 =head1 DESCRIPTION
 
@@ -52,7 +54,13 @@ the input key file, by default it should be a private key.
 
 =item B<-keyform PEM|DER>
 
-the key format PEM or DER.
+the key format PEM, DER or ENGINE.
+
+=item B<-passin arg>
+
+the input key password source. For more information about the format of B<arg>
+see the B<PASS PHRASE ARGUMENTS> section in L<openssl(1)|openssl(1)>.
+
 
 =item B<-peerkey file>
 
@@ -60,7 +68,15 @@ the peer key file, used by key derivation (agreement) operations.
 
 =item B<-peerform PEM|DER>
 
-the peer key format PEM or DER.
+the peer key format PEM, DER or ENGINE.
+
+=item B<-engine id>
+
+specifying an engine (by its unique B<id> string) will cause B<pkeyutl>
+to attempt to obtain a functional reference to the specified engine,
+thus initialising it if needed. The engine will then be set as the default
+for all available algorithms.
+
 
 =item B<-pubin>
 

doc/apps/req.pod

@@ -22,13 +22,13 @@ B<openssl> B<req>
 [B<-new>]
 [B<-rand file(s)>]
 [B<-newkey rsa:bits>]
-[B<-newkey dsa:file>]
 [B<-newkey alg:file>]
 [B<-nodes>]
 [B<-key filename>]
 [B<-keyform PEM|DER>]
 [B<-keyout filename>]
-[B<-[md5|sha1|md2|mdc2]>]
+[B<-keygen_engine id>]
+[B<-[digest]>]
 [B<-config filename>]
 [B<-subj arg>]
 [B<-multivalue-rdn>]
@@ -36,11 +36,15 @@ B<openssl> B<req>
 [B<-days n>]
 [B<-set_serial n>]
 [B<-asn1-kludge>]
+[B<-no-asn1-kludge>]
 [B<-newhdr>]
 [B<-extensions section>]
 [B<-reqexts section>]
 [B<-utf8>]
 [B<-nameopt>]
+[B<-reqopt>]
+[B<-subject>]
+[B<-subj arg>]
 [B<-batch>]
 [B<-verbose>]
 [B<-engine id>]
@@ -92,6 +96,11 @@ see the B<PASS PHRASE ARGUMENTS> section in L<openssl(1)|openssl(1)>.
 
 prints out the certificate request in text form.
 
+=item B<-subject>
+
+prints out the request subject (or certificate subject if B<-x509> is
+specified)
+
 =item B<-pubkey>
 
 outputs the public key.
@@ -119,6 +128,13 @@ in the configuration file and any requested extensions.
 If the B<-key> option is not used it will generate a new RSA private
 key using information specified in the configuration file.
 
+=item B<-subj arg>
+
+Replaces subject field of input request with specified data and outputs
+modified request. The arg must be formatted as
+I</type0=value0/type1=value1/type2=...>,
+characters may be escaped by \ (backslash), no spaces are skipped.
+
 =item B<-rand file(s)>
 
 a file or files containing random data used to seed the random number
@@ -132,12 +148,26 @@ all others.
 this option creates a new certificate request and a new private
 key. The argument takes one of several forms. B<rsa:nbits>, where
 B<nbits> is the number of bits, generates an RSA key B<nbits>
-in size. B<dsa:filename> generates a DSA key using the parameters
-in the file B<filename>. B<param:file> generates a key using the
-parameter file B<file>, the algorithm is determined by the
-parameters. B<algname:file> use algorithm B<algname> and parameter file
-B<file> the two algorithms must match or an error occurs. B<algname> just
-uses algorithm B<algname>.
+in size. If B<nbits> is omitted, i.e. B<-newkey rsa> specified,
+the default key size, specified in the configuration file is used.
+
+All other algorithms support the B<-newkey alg:file> form, where file may be
+an algorithm parameter file, created by the B<genpkey -genparam> command
+or and X.509 certificate for a key with approriate algorithm.
+
+B<param:file> generates a key using the parameter file or certificate B<file>,
+the algorithm is determined by the parameters. B<algname:file> use algorithm
+B<algname> and parameter file B<file>: the two algorithms must match or an
+error occurs. B<algname> just uses algorithm B<algname>, and parameters,
+if neccessary should be specified via B<-pkeyopt> parameter.
+
+B<dsa:filename> generates a DSA key using the parameters
+in the file B<filename>. B<ec:filename> generates EC key (usable both with
+ECDSA or ECDH algorithms), B<gost2001:filename> generates GOST R
+34.10-2001 key (requires B<ccgost> engine configured in the configuration
+file). If just B<gost2001> is specified a parameter set should be
+specified by B<-pkeyopt paramset:X>
+
 
 =item B<-pkeyopt opt:value>
 
@@ -167,11 +197,15 @@ configuration file is used.
 if this option is specified then if a private key is created it
 will not be encrypted.
 
-=item B<-[md5|sha1|md2|mdc2]>
+=item B<-[digest]>
 
-this specifies the message digest to sign the request with. This
-overrides the digest algorithm specified in the configuration file.
-This option is ignored for DSA requests: they always use SHA1.
+this specifies the message digest to sign the request with (such as
+B<-md5>, B<-sha1>). This overrides the digest algorithm specified in
+the configuration file.
+
+Some public key algorithms may override this choice. For instance, DSA
+signatures always use SHA1, GOST R 34.10 signatures always use
+GOST R 34.11-94 (B<-md_gost94>).
 
 =item B<-config filename>
 
@@ -239,6 +273,15 @@ B<option> argument can be a single option or multiple options separated by
 commas.  Alternatively the B<-nameopt> switch may be used more than once to
 set multiple options. See the L<x509(1)|x509(1)> manual page for details.
 
+=item B<-reqopt>
+
+customise the output format used with B<-text>. The B<option> argument can be
+a single option or multiple options separated by commas. 
+
+See discission of the  B<-certopt> parameter in the L<B<x509>|x509(1)>
+command.
+
+
 =item B<-asn1-kludge>
 
 by default the B<req> command outputs certificate requests containing
@@ -254,6 +297,10 @@ B<SET OF> whereas the correct form does.
 
 It should be noted that very few CAs still require the use of this option.
 
+=item B<-no-asn1-kludge>
+
+Reverses effect of B<-asn1-kludge>
+
 =item B<-newhdr>
 
 Adds the word B<NEW> to the PEM file header and footer lines on the outputed
@@ -269,11 +316,16 @@ print extra details about the operations being performed.
 
 =item B<-engine id>
 
-specifying an engine (by it's unique B<id> string) will cause B<req>
+specifying an engine (by its unique B<id> string) will cause B<req>
 to attempt to obtain a functional reference to the specified engine,
 thus initialising it if needed. The engine will then be set as the default
 for all available algorithms.
 
+=item B<-keygen_engine id>
+
+specifies an engine (by its unique B<id> string) which would be used
+for key generation operations.
+
 =back
 
 =head1 CONFIGURATION FILE FORMAT

doc/apps/rsa.pod

@@ -120,7 +120,7 @@ the input is a public key.
 
 =item B<-engine id>
 
-specifying an engine (by it's unique B<id> string) will cause B<req>
+specifying an engine (by its unique B<id> string) will cause B<rsa>
 to attempt to obtain a functional reference to the specified engine,
 thus initialising it if needed. The engine will then be set as the default
 for all available algorithms.

doc/apps/s_client.pod

@@ -101,6 +101,11 @@ also used when building the client certificate chain.
 A file containing trusted certificates to use during server authentication
 and to use when attempting to build the client certificate chain.
 
+=item B<-purpose, -ignore_critical, -issuer_checks, -crl_check, -crl_check_all, -policy_check, -extended_crl, -x509_strict, -policy>
+
+Set various certificate chain valiadition option. See the
+L<B<verify>|verify(1)> manual page for details.
+
 =item B<-reconnect>
 
 reconnects to the same server 5 times using the same session ID, this can
@@ -219,7 +224,7 @@ connection from this session.
 
 =item B<-engine id>
 
-specifying an engine (by it's unique B<id> string) will cause B<s_client>
+specifying an engine (by its unique B<id> string) will cause B<s_client>
 to attempt to obtain a functional reference to the specified engine,
 thus initialising it if needed. The engine will then be set as the default
 for all available algorithms.

doc/apps/s_server.pod

@@ -256,7 +256,7 @@ are part of the HTTP response line and headers must end with CRLF).
 
 =item B<-engine id>
 
-specifying an engine (by it's unique B<id> string) will cause B<s_server>
+specifying an engine (by its unique B<id> string) will cause B<s_server>
 to attempt to obtain a functional reference to the specified engine,
 thus initialising it if needed. The engine will then be set as the default
 for all available algorithms.

doc/apps/smime.pod

@@ -13,17 +13,7 @@ B<openssl> B<smime>
 [B<-resign>]
 [B<-verify>]
 [B<-pk7out>]
-[B<-des>]
-[B<-des3>]
-[B<-rc2-40>]
-[B<-rc2-64>]
-[B<-rc2-128>]
-[B<-aes128>]
-[B<-aes192>]
-[B<-aes256>]
-[B<-camellia128>]
-[B<-camellia192>]
-[B<-camellia256>]
+[B<-[cipher]>]
 [B<-in file>]
 [B<-certfile file>]
 [B<-signer file>]
@@ -161,13 +151,13 @@ to each certificate.
 digest algorithm to use when signing or resigning. If not present then the
 default digest algorithm for the signing key will be used (usually SHA1).
 
-=item B<-des -des3 -rc2-40 -rc2-64 -rc2-128 -aes128 -aes192 -aes256 -camellia128 -camellia192 -camellia256>
+=item B<-[cipher]>
 
-the encryption algorithm to use. DES (56 bits), triple DES (168 bits), 40, 64
-or 128 bit RC2, 128, 192 or 256 bit AES, or 128, 192 or 256 bit Camellia
-respectively. Any other cipher name (as recognized by the
+the encryption algorithm to use. For example DES  (56 bits) - B<-des>,
+triple DES (168 bits) - B<-des3>,
 EVP_get_cipherbyname() function) can also be used preceded by a dash, for 
-example B<-aes_128_cbc>.
+example B<-aes_128_cbc>. See L<B<enc>|enc(1)> for list of ciphers
+supported by your version of OpenSSL.
 
 If not specified 40 bit RC2 is used. Only used with B<-encrypt>.
 
@@ -269,6 +259,11 @@ portion of a message so they may be included manually. If signing
 then many S/MIME mail clients check the signers certificate's email
 address matches that specified in the From: address.
 
+=item B<-purpose, -ignore_critical, -issuer_checks, -crl_check, -crl_check_all, -policy_check, -extended_crl, -x509_strict, -policy>
+
+Set various options of certificate chain verification. See
+L<B<verify>|verify(1)> manual page for details.
+
 =back
 
 =head1 NOTES

doc/apps/speed.pod

@@ -44,7 +44,7 @@ This command is used to test the performance of cryptographic algorithms.
 
 =item B<-engine id>
 
-specifying an engine (by it's unique B<id> string) will cause B<speed>
+specifying an engine (by its unique B<id> string) will cause B<speed>
 to attempt to obtain a functional reference to the specified engine,
 thus initialising it if needed. The engine will then be set as the default
 for all available algorithms.

doc/apps/spkac.pod

@@ -81,7 +81,7 @@ verifies the digital signature on the supplied SPKAC.
 
 =item B<-engine id>
 
-specifying an engine (by it's unique B<id> string) will cause B<req>
+specifying an engine (by its unique B<id> string) will cause B<spkac>
 to attempt to obtain a functional reference to the specified engine,
 thus initialising it if needed. The engine will then be set as the default
 for all available algorithms.

doc/apps/ts.pod

@@ -265,7 +265,7 @@ instead of DER. (Optional)
 
 =item B<-engine> id
 
-Specifying an engine (by it's unique B<id> string) will cause B<ts>
+Specifying an engine (by its unique B<id> string) will cause B<ts>
 to attempt to obtain a functional reference to the specified engine,
 thus initialising it if needed. The engine will then be set as the default
 for all available algorithms. Default is builtin. (Optional)

doc/apps/verify.pod

@@ -10,6 +10,18 @@ B<openssl> B<verify>
 [B<-CApath directory>]
 [B<-CAfile file>]
 [B<-purpose purpose>]
+[B<-policy arg>]
+[B<-ignore_critical>]
+[B<-crl_check>]
+[B<-crl_check_all>]
+[B<-policy_check>]
+[B<-explicit_policy>]
+[B<-inhibit_any>]
+[B<-inhibit_map>]
+[B<-x509_strict>]
+[B<-extended_crl>]
+[B<-use_deltas>]
+[B<-policy_print>]
 [B<-untrusted file>]
 [B<-help>]
 [B<-issuer_checks>]
@@ -66,6 +78,63 @@ certificate was rejected. However the presence of rejection messages
 does not itself imply that anything is wrong: during the normal
 verify process several rejections may take place.
 
+=item B<-policy arg>
+
+Enable policy processing and add B<arg> to the user-initial-policy-set
+(see RFC3280 et al). The policy B<arg> can be an object name an OID in numeric
+form. This argument can appear more than once.
+
+=item B<-policy_check>
+
+Enables certificate policy processing.
+
+=item B<-explicit_policy>
+
+Set policy variable require-explicit-policy (see RFC3280 et al).
+
+=item B<-inhibit_any>
+
+Set policy variable inhibit-any-policy (see RFC3280 et al).
+
+=item B<-inhibit_map>
+
+Set policy variable inhibit-policy-mapping (see RFC3280 et al).
+
+=item B<-policy_print>
+
+Print out diagnostics, related to policy checking
+
+=item B<-crl_check>
+
+Checks end entity certificate validity by attempting to lookup a valid CRL.
+If a valid CRL cannot be found an error occurs. 
+
+=item B<-crl_check_all>
+
+Checks the validity of B<all> certificates in the chain by attempting
+to lookup valid CRLs.
+
+=item B<-ignore_critical>
+
+Normally if an unhandled critical extension is present which is not
+supported by OpenSSL the certificate is rejected (as required by
+RFC3280 et al). If this option is set critical extensions are
+ignored.
+
+=item B<-x509_strict>
+
+Disable workarounds for broken certificates which have to be disabled
+for strict X.509 compliance.
+
+=item B<-extended_crl>
+
+Enable extended CRL features such as indirect CRLs and alternate CRL
+signing keys.
+
+=item B<-use_deltas>
+
+Enable support for delta CRLs.
+
 =item B<->
 
 marks the last option. All arguments following this are assumed to be

doc/apps/x509.pod

@@ -23,6 +23,7 @@ B<openssl> B<x509>
 [B<-issuer>]
 [B<-nameopt option>]
 [B<-email>]
+[B<-ocsp_uri>]
 [B<-startdate>]
 [B<-enddate>]
 [B<-purpose>]
@@ -103,7 +104,7 @@ then this option has no effect: SHA1 is always used with DSA keys.
 
 =item B<-engine id>
 
-specifying an engine (by it's unique B<id> string) will cause B<req>
+specifying an engine (by its unique B<id> string) will cause B<x509>
 to attempt to obtain a functional reference to the specified engine,
 thus initialising it if needed. The engine will then be set as the default
 for all available algorithms.
@@ -176,6 +177,10 @@ set multiple options. See the B<NAME OPTIONS> section for more information.
 
 outputs the email address(es) if any.
 
+=item B<-ocsp_uri>
+
+outputs the OCSP responder address(es) if any.
+
 =item B<-startdate>
 
 prints out the start date of the certificate, that is the notBefore date.

doc/crypto/BIO_s_mem.pod

@@ -74,7 +74,7 @@ Writes to memory BIOs will always succeed if memory is available: that is
 their size can grow indefinitely.
 
 Every read from a read write memory BIO will remove the data just read with
-an internal copy operation, if a BIO contains a lots of data and it is
+an internal copy operation, if a BIO contains a lot of data and it is
 read in small chunks the operation can be very slow. The use of a read only
 memory BIO avoids this problem. If the BIO must be read write then adding
 a buffering BIO to the chain will speed up the process.

doc/crypto/SSLeay_version.pod

@@ -1,74 +0,0 @@
-=pod
-
-=head1 NAME
-
-SSLeay_version - retrieve version/build information about OpenSSL library
-
-=head1 SYNOPSIS
-
- #include <openssl/crypto.h>
-
- const char *SSLeay_version(int type);
-
-=head1 DESCRIPTION
-
-SSLeay_version() returns a pointer to a constant string describing the
-version of the OpenSSL library or giving information about the library
-build.
-
-The following B<type> values are supported:
-
-=over 4
-
-=item SSLEAY_VERSION
-
-The version of the OpenSSL library including the release date.
-
-=item SSLEAY_CFLAGS
-
-The compiler flags set for the compilation process in the form
-"compiler: ..."  if available or "compiler: information not available"
-otherwise.
-
-=item SSLEAY_BUILT_ON
-
-The date of the build process in the form "built on: ..." if available
-or "built on: date not available" otherwise.
-
-=item SSLEAY_PLATFORM
-
-The "Configure" target of the library build in the form "platform: ..."
-if available or "platform: information not available" otherwise.
-
-=item SSLEAY_DIR
-
-The "OPENSSLDIR" setting of the library build in the form "OPENSSLDIR: "...""
-if available or "OPENSSLDIR: N/A" otherwise.
-
-=back
-
-=head1 RETURN VALUES
-
-The following return values can occur:
-
-=over 4
-
-=item "not available"
-
-An invalid value for B<type> was given.
-
-=item Pointer to constant string
-
-Textual description.
-
-=back
-
-=head1 SEE ALSO
-
-L<crypto(3)|crypto(3)>
-
-=head1 HISTORY
-
-B<SSLEAY_DIR> was added in OpenSSL 0.9.7.
-
-=cut

doc/crypto/d2i_RSAPublicKey.pod

@@ -11,21 +11,21 @@ d2i_Netscape_RSA - RSA public and private key encoding functions.
  #include <openssl/rsa.h>
  #include <openssl/x509.h>
 
- RSA * d2i_RSAPublicKey(RSA **a, unsigned char **pp, long length);
+ RSA * d2i_RSAPublicKey(RSA **a, const unsigned char **pp, long length);
 
  int i2d_RSAPublicKey(RSA *a, unsigned char **pp);
 
- RSA * d2i_RSA_PUBKEY(RSA **a, unsigned char **pp, long length);
+ RSA * d2i_RSA_PUBKEY(RSA **a, const unsigned char **pp, long length);
 
  int i2d_RSA_PUBKEY(RSA *a, unsigned char **pp);
 
- RSA * d2i_RSAPrivateKey(RSA **a, unsigned char **pp, long length);
+ RSA * d2i_RSAPrivateKey(RSA **a, const unsigned char **pp, long length);
 
  int i2d_RSAPrivateKey(RSA *a, unsigned char **pp);
 
  int i2d_Netscape_RSA(RSA *a, unsigned char **pp, int (*cb)());
 
- RSA * d2i_Netscape_RSA(RSA **a, unsigned char **pp, long length, int (*cb)());
+ RSA * d2i_Netscape_RSA(RSA **a, const unsigned char **pp, long length, int (*cb)());
 
 =head1 DESCRIPTION
 

doc/ssleay.txt

@@ -20,7 +20,7 @@ don't do that.
 ==== readme ========================================================
 
 This is the old 0.6.6 docuementation.  Most of the cipher stuff is still
-relevent but I'm working (very slowly) on new docuemtation.
+relevent but I'm working (very slowly) on new documentation.
 The current version can be found online at
 
 http://www.cryptsoft.com/ssleay/doc
@@ -548,8 +548,8 @@ application, ssleay.  This one program is composed of many programs that
 can all be compiled independantly.
 
 ssleay has 3 modes of operation.
-1) If the ssleay binaray has the name of one of its component programs, it
-executes that program and then exits.  This can be achieve by using hard or
+1) If the ssleay binary has the name of one of its component programs, it
+executes that program and then exits.  This can be achieved by using hard or
 symbolic links, or failing that, just renaming the binary.
 2) If the first argument to ssleay is the name of one of the component
 programs, that program runs that program and then exits.
@@ -1185,7 +1185,7 @@ typedef struct bio_st
 	example is for BIO_s_sock().  A socket needs to be 
 	assigned to the BIO before it can be used.
 -	'shutdown', this flag indicates if the underlying 
-	comunication primative being used should be closed/freed 
+	communication primitive being used should be closed/freed 
 	when the BIO is closed.
 -	'flags' is used to hold extra state.  It is primarily used 
 	to hold information about why a non-blocking operation 
@@ -1799,7 +1799,7 @@ int BN_set_word(BIGNUM *a, unsigned long w);
 
 unsigned long BN_get_word(BIGNUM *a);
 	Returns 'a' in an unsigned long.  Not remarkably, often 'a' will
-	be biger than a word, in which case 0xffffffffL is returned.
+	be bigger than a word, in which case 0xffffffffL is returned.
 
 Word Operations
 These functions are much more efficient that the normal bignum arithmetic
@@ -2058,7 +2058,7 @@ Now you will notice that macros like
                 PEM_ASN1_write((int (*)())i2d_X509,PEM_STRING_X509,fp, \
 		                        (char *)x, NULL,NULL,0,NULL)
 Don't do encryption normally.  If you want to PEM encrypt your X509 structure,
-either just call PEM_ASN1_write directly or just define you own
+either just call PEM_ASN1_write directly or just define your own
 macro variant.  As you can see, this macro just sets all encryption related
 parameters to NULL.
 
@@ -5566,7 +5566,7 @@ These 2 functions create and destroy SSL_CTX structures
 
 The SSL_CTX has a session_cache_mode which is by default,
 in SSL_SESS_CACHE_SERVER mode.  What this means is that the library
-will automatically add new session-id's to the cache apon sucsessful
+will automatically add new session-id's to the cache upon successful
 SSL_accept() calls.
 If SSL_SESS_CACHE_CLIENT is set, then client certificates are also added
 to the cache.
@@ -5580,12 +5580,12 @@ SSL_SESS_NO_CACHE_BOTH	- Either SSL_accept() or SSL_connect().
 If SSL_SESS_CACHE_NO_AUTO_CLEAR is set, old timed out sessions are
 not automatically removed each 255, SSL_connect()s or SSL_accept()s.
 
-By default, apon every 255 successful SSL_connect() or SSL_accept()s,
+By default, upon every 255 successful SSL_connect() or SSL_accept()s,
 the cache is flush.  Please note that this could be expensive on
 a heavily loaded SSL server, in which case, turn this off and
 clear the cache of old entries 'manually' (with one of the functions
 listed below) every few hours.  Perhaps I should up this number, it is hard
-to say.  Remember, the '255' new calls is just a mechanims to get called
+to say.  Remember, the '255' new calls is just a mechanism to get called
 every now and then, in theory at most 255 new session-id's will have been
 added but if 100 are added every minute, you would still have
 500 in the cache before any would start being flushed (assuming a 3 minute
@@ -5628,10 +5628,10 @@ if copy is 1.  Otherwise, the reference count is not modified.
 void SSL_CTX_sess_set_get_cb(ctx,cb) sets the callback and
 int (*cb)()SSL_CTX_sess_get_get_cb(ctx) returns the callback.
 
-These callbacks are basically indended to be used by processes to
+These callbacks are basically intended to be used by processes to
 send their session-id's to other processes.  I currently have not implemented
-non-blocking semantics for these callbacks, it is upto the appication
-to make the callbacks effiecent if they require blocking (perhaps
+non-blocking semantics for these callbacks, it is upto the application
+to make the callbacks efficient if they require blocking (perhaps
 by 'saving' them and then 'posting them' when control returns from
 the SSL_accept().
 
@@ -6589,7 +6589,7 @@ This information can be used to recall the functions when the 'error'
 condition has dissapeared.
 
 After the connection has been made, information can be retrived about the
-SSL session and the session-id values that have been decided apon.
+SSL session and the session-id values that have been decided upon.
 The 'peer' certificate can be retrieved.
 
 The session-id values include