prepare for release

Submitted By: Mattias Ellert <mattias.ellert@fysast.uu.se>

Fix type checking macro SKM_ASN1_SET_OF_i2d

CHANGES

@@ -2,6 +2,12 @@
  OpenSSL CHANGES
  _______________
 
+ Changes between 1.0.0 and 1.0.0a  [01 Jun 2010]
+
+  *) Check return value of int_rsa_verify in pkey_rsa_verifyrecover 
+     (CVE-2010-1633)
+     [Steve Henson, Peter-Michael Hager <hager@dortmund.net>]
+
  Changes between 0.9.8n and 1.0.0  [29 Mar 2010]
 
   *) Add "missing" function EVP_CIPHER_CTX_copy(). This copies a cipher
@@ -843,6 +849,17 @@
   *) Change 'Configure' script to enable Camellia by default.
      [NTT]
   
+ Changes between 0.9.8n and 0.9.8o [xx XXX xxxx]
+
+  *) Correct a typo in the CMS ASN1 module which can result in invalid memory
+     access or freeing data twice (CVE-2010-0742)
+     [Steve Henson, Ronald Moesbergen <intercommit@gmail.com>]
+
+  *) Add SHA2 algorithms to SSL_library_init(). SHA2 is becoming far more
+     common in certificates and some applications which only call
+     SSL_library_init and not OpenSSL_add_all_algorithms() will fail.
+     [Steve Henson]
+
  Changes between 0.9.8m and 0.9.8n [24 Mar 2010]
 
   *) When rejecting SSL/TLS records due to an incorrect version number, never

Configure

@@ -503,7 +503,7 @@ my %table=(
 "BC-32","bcc32::::WIN32::BN_LLONG DES_PTR RC4_INDEX EXPORT_VAR_AS_FN:${no_asm}:win32",
 
 # MinGW
-"mingw", "gcc:-mno-cygwin -DL_ENDIAN -DWIN32_LEAN_AND_MEAN -fomit-frame-pointer -O3 -march=i486 -Wall:::MINGW32:-lws2_32 -lgdi32 -lcrypt32:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts} EXPORT_VAR_AS_FN:${x86_asm}:coff:win32:cygwin-shared:-D_WINDLL -DOPENSSL_USE_APPLINK:-mno-cygwin:.dll.a",
+"mingw", "gcc:-mno-cygwin -DL_ENDIAN -DWIN32_LEAN_AND_MEAN -fomit-frame-pointer -O3 -march=i486 -Wall::-D_MT:MINGW32:-lws2_32 -lgdi32 -lcrypt32:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts} EXPORT_VAR_AS_FN:${x86_asm}:coff:win32:cygwin-shared:-D_WINDLL -DOPENSSL_USE_APPLINK:-mno-cygwin:.dll.a",
 # As for OPENSSL_USE_APPLINK. Applink makes it possible to use .dll
 # compiled with one compiler with application compiled with another
 # compiler. It's possible to engage Applink support in mingw64 build,
@@ -511,7 +511,7 @@ my %table=(
 # handling, one can't seriously consider its binaries for using with
 # non-mingw64 run-time environment. And as mingw64 is always consistent
 # with itself, Applink is never engaged and can as well be omitted.
-"mingw64", "gcc:-mno-cygwin -DL_ENDIAN -O3 -Wall -DWIN32_LEAN_AND_MEAN -DUNICODE -D_UNICODE:::MINGW64:-lws2_32 -lgdi32 -lcrypt32:SIXTY_FOUR_BIT RC4_CHUNK_LL DES_INT EXPORT_VAR_AS_FN:${x86_64_asm}:mingw64:win32:cygwin-shared:-D_WINDLL:-mno-cygwin:.dll.a",
+"mingw64", "gcc:-mno-cygwin -DL_ENDIAN -O3 -Wall -DWIN32_LEAN_AND_MEAN -DUNICODE -D_UNICODE::-D_MT:MINGW64:-lws2_32 -lgdi32 -lcrypt32:SIXTY_FOUR_BIT RC4_CHUNK_LL DES_INT EXPORT_VAR_AS_FN:${x86_64_asm}:mingw64:win32:cygwin-shared:-D_WINDLL:-mno-cygwin:.dll.a",
 
 # UWIN 
 "UWIN", "cc:-DTERMIOS -DL_ENDIAN -O -Wall:::UWIN::BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${no_asm}:win32",
@@ -547,7 +547,7 @@ my %table=(
 
 ##### MacOS X (a.k.a. Rhapsody or Darwin) setup
 "rhapsody-ppc-cc","cc:-O3 -DB_ENDIAN::(unknown):MACOSX_RHAPSODY::BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR:${no_asm}::",
-"darwin-ppc-cc","cc:-arch ppc -O3 -DB_ENDIAN::-D_REENTRANT:MACOSX:-Wl,-search_paths_first%:BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR:${ppc32_asm}:osx32:dlfcn:darwin-shared:-fPIC -fno-common:-arch ppc -dynamiclib:.\$(SHLIB_MAJOR).\$(SHLIB_MINOR).dylib",
+"darwin-ppc-cc","cc:-arch ppc -O3 -DB_ENDIAN -Wa,-force_cpusubtype_ALL::-D_REENTRANT:MACOSX:-Wl,-search_paths_first%:BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR:${ppc32_asm}:osx32:dlfcn:darwin-shared:-fPIC -fno-common:-arch ppc -dynamiclib:.\$(SHLIB_MAJOR).\$(SHLIB_MINOR).dylib",
 "darwin64-ppc-cc","cc:-arch ppc64 -O3 -DB_ENDIAN::-D_REENTRANT:MACOSX:-Wl,-search_paths_first%:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR:${ppc64_asm}:osx64:dlfcn:darwin-shared:-fPIC -fno-common:-arch ppc64 -dynamiclib:.\$(SHLIB_MAJOR).\$(SHLIB_MINOR).dylib",
 "darwin-i386-cc","cc:-arch i386 -O3 -fomit-frame-pointer -DL_ENDIAN::-D_REENTRANT:MACOSX:-Wl,-search_paths_first%:BN_LLONG RC4_INT RC4_CHUNK DES_UNROLL BF_PTR:${x86_asm}:macosx:dlfcn:darwin-shared:-fPIC -fno-common:-arch i386 -dynamiclib:.\$(SHLIB_MAJOR).\$(SHLIB_MINOR).dylib",
 "debug-darwin-i386-cc","cc:-arch i386 -g3 -DL_ENDIAN::-D_REENTRANT:MACOSX:-Wl,-search_paths_first%:BN_LLONG RC4_INT RC4_CHUNK DES_UNROLL BF_PTR:${x86_asm}:macosx:dlfcn:darwin-shared:-fPIC -fno-common:-arch i386 -dynamiclib:.\$(SHLIB_MAJOR).\$(SHLIB_MINOR).dylib",
@@ -1789,11 +1789,11 @@ EOF
 	(system $make_command.$make_targets) == 0 or exit $?
 		if $make_targets ne "";
 	if ( $perl =~ m@^/@) {
-	    &dofile("tools/c_rehash",$perl,'^#!/', '#!%s','^my \$dir;$', 'my $dir = "' . $openssldir . '";');
+	    &dofile("tools/c_rehash",$perl,'^#!/', '#!%s','^my \$dir;$', 'my $dir = "' . $openssldir . '";', '^my \$prefix;$', 'my $prefix = "' . $prefix . '";');
 	    &dofile("apps/CA.pl",$perl,'^#!/', '#!%s');
 	} else {
 	    # No path for Perl known ...
-	    &dofile("tools/c_rehash",'/usr/local/bin/perl','^#!/', '#!%s','^my \$dir;$', 'my $dir = "' . $openssldir . '";');
+	    &dofile("tools/c_rehash",'/usr/local/bin/perl','^#!/', '#!%s','^my \$dir;$', 'my $dir = "' . $openssldir . '";',  '^my \$prefix;$', 'my $prefix = "' . $prefix . '";');
 	    &dofile("apps/CA.pl",'/usr/local/bin/perl','^#!/', '#!%s');
 	}
 	if ($depflags ne $default_depflags && !$make_depend) {

FAQ

@@ -79,7 +79,7 @@ OpenSSL  -  Frequently Asked Questions
 * Which is the current version of OpenSSL?
 
 The current version is available from <URL: http://www.openssl.org>.
-OpenSSL 1.0.0 was released on Mar 29th, 2010.
+OpenSSL 1.0.0a was released on Jun 1st, 2010.
 
 In addition to the current stable release, you can also access daily
 snapshots of the OpenSSL development version at <URL:
@@ -722,7 +722,7 @@ file.
 Multi-threaded applications must provide two callback functions to
 OpenSSL by calling CRYPTO_set_locking_callback() and
 CRYPTO_set_id_callback(), for all versions of OpenSSL up to and
-including 0.9.8[abc...]. As of version 0.9.9, CRYPTO_set_id_callback()
+including 0.9.8[abc...]. As of version 1.0.0, CRYPTO_set_id_callback()
 and associated APIs are deprecated by CRYPTO_THREADID_set_callback()
 and friends. This is described in the threads(3) manpage.
 

NEWS

@@ -5,6 +5,11 @@
   This file gives a brief overview of the major changes between each OpenSSL
   release. For more details please read the CHANGES file.
 
+  Major changes between OpenSSL 1.0.0 and OpenSSL 1.0.0a:
+
+      o Fix for security issue CVE-2010-1633.
+      o GOST MAC and CFB fixes.
+
   Major changes between OpenSSL 0.9.8n and OpenSSL 1.0:
 
       o RFC3280 path validation: sufficient to process PKITS tests.
@@ -28,6 +33,14 @@
       o Opaque PRF Input TLS extension support.
       o Updated time routines to avoid OS limitations.
 
+  Major changes between OpenSSL 0.9.8n and OpenSSL 0.9.8o:
+
+      o Fix for security issue CVE-2010-0742.
+      o Various DTLS fixes.
+      o Recognise SHA2 certificates if only SSL algorithms added.
+      o Fix for no-rc4 compilation.
+      o Chil ENGINE unload workaround.
+
   Major changes between OpenSSL 0.9.8m and OpenSSL 0.9.8n:
 
       o CFB cipher definition fixes.

README

@@ -1,7 +1,7 @@
 
- OpenSSL 1.0.0 29 Mar 2010
+ OpenSSL 1.0.0a 1 Jun 2010
 
- Copyright (c) 1998-2009 The OpenSSL Project
+ Copyright (c) 1998-2010 The OpenSSL Project
  Copyright (c) 1995-1998 Eric A. Young, Tim J. Hudson
  All rights reserved.
 

STATUS

@@ -1,9 +1,11 @@
 
   OpenSSL STATUS                           Last modified at
-  ______________                           $Date: 2010/03/29 13:11:53 $
+  ______________                           $Date: 2010/06/01 13:31:36 $
 
   DEVELOPMENT STATE
 
+    o  OpenSSL 1.1.0:  Under development...
+    o  OpenSSL 1.0.0a: Released on June      1st,  2010
     o  OpenSSL 1.0.0:  Released on March     29th, 2010
     o  OpenSSL 0.9.8n: Released on March     24th, 2010
     o  OpenSSL 0.9.8m: Released on February  25th, 2010

TABLE

@@ -1211,7 +1211,7 @@ $multilib     =
 
 *** darwin-ppc-cc
 $cc           = cc
-$cflags       = -arch ppc -O3 -DB_ENDIAN
+$cflags       = -arch ppc -O3 -DB_ENDIAN -Wa,-force_cpusubtype_ALL
 $unistd       = 
 $thread_cflag = -D_REENTRANT
 $sys_id       = MACOSX
@@ -3879,7 +3879,7 @@ $multilib     = 64
 $cc           = gcc
 $cflags       = -mno-cygwin -DL_ENDIAN -DWIN32_LEAN_AND_MEAN -fomit-frame-pointer -O3 -march=i486 -Wall
 $unistd       = 
-$thread_cflag = 
+$thread_cflag = -D_MT
 $sys_id       = MINGW32
 $lflags       = -lws2_32 -lgdi32 -lcrypt32
 $bn_ops       = BN_LLONG DES_PTR DES_RISC1 DES_UNROLL RC4_INDEX MD2_INT EXPORT_VAR_AS_FN
@@ -3910,7 +3910,7 @@ $multilib     =
 $cc           = gcc
 $cflags       = -mno-cygwin -DL_ENDIAN -O3 -Wall -DWIN32_LEAN_AND_MEAN -DUNICODE -D_UNICODE
 $unistd       = 
-$thread_cflag = 
+$thread_cflag = -D_MT
 $sys_id       = MINGW64
 $lflags       = -lws2_32 -lgdi32 -lcrypt32
 $bn_ops       = SIXTY_FOUR_BIT RC4_CHUNK_LL DES_INT EXPORT_VAR_AS_FN

apps/CA.com

@@ -114,8 +114,8 @@ $!
 $   IF F$SEARCH(CATOP+".private"+CAKEY) .EQS. ""
 $   THEN
 $     READ '__INPUT' FILE -
-	   /PROMT="CA certificate filename (or enter to create)"
-$     IF F$SEARCH(FILE) .NES. ""
+	   /PROMPT="CA certificate filename (or enter to create)"
+$     IF (FILE .NES. "") .AND. (F$SEARCH(FILE) .NES. "")
 $     THEN
 $       COPY 'FILE' 'CATOP'.private'CAKEY'
 $	RET=$STATUS

apps/apps.c

@@ -875,10 +875,17 @@ EVP_PKEY *load_key(BIO *err, const char *file, int format, int maybe_stdin,
 	if (format == FORMAT_ENGINE)
 		{
 		if (!e)
-			BIO_printf(bio_err,"no engine specified\n");
+			BIO_printf(err,"no engine specified\n");
 		else
+			{
 			pkey = ENGINE_load_private_key(e, file,
 				ui_method, &cb_data);
+			if (!pkey) 
+				{
+				BIO_printf(err,"cannot load %s from engine\n",key_descrip);
+				ERR_print_errors(err);
+				}	
+			}
 		goto end;
 		}
 #endif
@@ -923,7 +930,7 @@ EVP_PKEY *load_key(BIO *err, const char *file, int format, int maybe_stdin,
 				&pkey, NULL, NULL))
 			goto end;
 		}
-#if !defined(OPENSSL_NO_RSA) && !defined(OPENSSL_NO_DSA)
+#if !defined(OPENSSL_NO_RSA) && !defined(OPENSSL_NO_DSA) && !defined (OPENSSL_NO_RC4)
 	else if (format == FORMAT_MSBLOB)
 		pkey = b2i_PrivateKey_bio(key);
 	else if (format == FORMAT_PVK)
@@ -937,8 +944,11 @@ EVP_PKEY *load_key(BIO *err, const char *file, int format, int maybe_stdin,
 		}
  end:
 	if (key != NULL) BIO_free(key);
-	if (pkey == NULL)
+	if (pkey == NULL) 
+		{
 		BIO_printf(err,"unable to load %s\n", key_descrip);
+		ERR_print_errors(err);
+		}	
 	return(pkey);
 	}
 

apps/dsa.c

@@ -334,7 +334,7 @@ bad:
 			i=PEM_write_bio_DSA_PUBKEY(out,dsa);
 		else i=PEM_write_bio_DSAPrivateKey(out,dsa,enc,
 							NULL,0,NULL, passout);
-#ifndef OPENSSL_NO_RSA
+#if !defined(OPENSSL_NO_RSA) && !defined(OPENSSL_NO_RC4)
 	} else if (outformat == FORMAT_MSBLOB || outformat == FORMAT_PVK) {
 		EVP_PKEY *pk;
 		pk = EVP_PKEY_new();

apps/makeapps.com

@@ -25,7 +25,7 @@ $!	   VAXC	 For VAX C.
 $!	   DECC	 For DEC C.
 $!	   GNUC	 For GNU C.
 $!
-$!  If you don't speficy a compiler, it will try to determine which
+$!  If you don't specify a compiler, it will try to determine which
 $!  "C" compiler to use.
 $!
 $!  P3, if defined, sets a TCP/IP library to use, through one of the following
@@ -52,7 +52,7 @@ $ THEN
 $!
 $!  The Architecture Is VAX.
 $!
-$   ARCH := VAX
+$   ARCH = "VAX"
 $!
 $! Else...
 $!
@@ -555,7 +555,7 @@ $!    Time To EXIT.
 $!
 $     EXIT
 $!
-$!  End The Valid Arguement Check.
+$!  End The Valid Argument Check.
 $!
 $   ENDIF
 $!
@@ -770,7 +770,7 @@ $!  Set up default defines
 $!
 $   CCDEFS = """FLAT_INC=1""," + CCDEFS
 $!
-$!  Else The User Entered An Invalid Arguement.
+$!  Else The User Entered An Invalid Argument.
 $!
 $ ELSE
 $!
@@ -875,7 +875,7 @@ $!  Print info
 $!
 $   WRITE SYS$OUTPUT "TCP/IP library spec: ", TCPIP_LIB
 $!
-$!  Else The User Entered An Invalid Arguement.
+$!  Else The User Entered An Invalid Argument.
 $!
 $ ELSE
 $!

apps/rsa.c

@@ -409,7 +409,7 @@ bad:
 			}
 		else i=PEM_write_bio_RSAPrivateKey(out,rsa,
 						enc,NULL,0,NULL,passout);
-#ifndef OPENSSL_NO_DSA
+#if !defined(OPENSSL_NO_DSA) && !defined(OPENSSL_NO_RC4)
 	} else if (outformat == FORMAT_MSBLOB || outformat == FORMAT_PVK) {
 		EVP_PKEY *pk;
 		pk = EVP_PKEY_new();

crypto/aes/asm/aes-ppc.pl

@@ -16,6 +16,19 @@
 # at 1/2 of ppc_AES_encrypt speed, while ppc_AES_decrypt_compact -
 # at 1/3 of ppc_AES_decrypt.
 
+# February 2010
+#
+# Rescheduling instructions to favour Power6 pipeline gives 10%
+# performance improvement on the platfrom in question (and marginal
+# improvement even on others). It should be noted that Power6 fails
+# to process byte in 18 cycles, only in 23, because it fails to issue
+# 4 load instructions in two cycles, only in 3. As result non-compact
+# block subroutines are 25% slower than one would expect. Compact
+# functions scale better, because they have pure computational part,
+# which scales perfectly with clock frequency. To be specific
+# ppc_AES_encrypt_compact operates at 42 cycles per byte, while
+# ppc_AES_decrypt_compact - at 55 (in 64-bit build).
+
 $flavour = shift;
 
 if ($flavour =~ /64/) {
@@ -376,7 +389,7 @@ $code.=<<___;
 	addi	$sp,$sp,$FRAME
 	blr
 
-.align	4
+.align	5
 Lppc_AES_encrypt:
 	lwz	$acc00,240($key)
 	lwz	$t0,0($key)
@@ -397,46 +410,46 @@ Lppc_AES_encrypt:
 Lenc_loop:
 	rlwinm	$acc00,$s0,`32-24+3`,21,28
 	rlwinm	$acc01,$s1,`32-24+3`,21,28
-	lwz	$t0,0($key)
-	lwz	$t1,4($key)
 	rlwinm	$acc02,$s2,`32-24+3`,21,28
 	rlwinm	$acc03,$s3,`32-24+3`,21,28
-	lwz	$t2,8($key)
-	lwz	$t3,12($key)
+	lwz	$t0,0($key)
+	lwz	$t1,4($key)
 	rlwinm	$acc04,$s1,`32-16+3`,21,28
 	rlwinm	$acc05,$s2,`32-16+3`,21,28
-	lwzx	$acc00,$Tbl0,$acc00
-	lwzx	$acc01,$Tbl0,$acc01
+	lwz	$t2,8($key)
+	lwz	$t3,12($key)
 	rlwinm	$acc06,$s3,`32-16+3`,21,28
 	rlwinm	$acc07,$s0,`32-16+3`,21,28
-	lwzx	$acc02,$Tbl0,$acc02
-	lwzx	$acc03,$Tbl0,$acc03
+	lwzx	$acc00,$Tbl0,$acc00
+	lwzx	$acc01,$Tbl0,$acc01
 	rlwinm	$acc08,$s2,`32-8+3`,21,28
 	rlwinm	$acc09,$s3,`32-8+3`,21,28
-	lwzx	$acc04,$Tbl1,$acc04
-	lwzx	$acc05,$Tbl1,$acc05
+	lwzx	$acc02,$Tbl0,$acc02
+	lwzx	$acc03,$Tbl0,$acc03
 	rlwinm	$acc10,$s0,`32-8+3`,21,28
 	rlwinm	$acc11,$s1,`32-8+3`,21,28
-	lwzx	$acc06,$Tbl1,$acc06
-	lwzx	$acc07,$Tbl1,$acc07
+	lwzx	$acc04,$Tbl1,$acc04
+	lwzx	$acc05,$Tbl1,$acc05
 	rlwinm	$acc12,$s3,`0+3`,21,28
 	rlwinm	$acc13,$s0,`0+3`,21,28
-	lwzx	$acc08,$Tbl2,$acc08
-	lwzx	$acc09,$Tbl2,$acc09
+	lwzx	$acc06,$Tbl1,$acc06
+	lwzx	$acc07,$Tbl1,$acc07
 	rlwinm	$acc14,$s1,`0+3`,21,28
 	rlwinm	$acc15,$s2,`0+3`,21,28
-	lwzx	$acc10,$Tbl2,$acc10
-	lwzx	$acc11,$Tbl2,$acc11
+	lwzx	$acc08,$Tbl2,$acc08
+	lwzx	$acc09,$Tbl2,$acc09
 	xor	$t0,$t0,$acc00
 	xor	$t1,$t1,$acc01
-	lwzx	$acc12,$Tbl3,$acc12
-	lwzx	$acc13,$Tbl3,$acc13
+	lwzx	$acc10,$Tbl2,$acc10
+	lwzx	$acc11,$Tbl2,$acc11
 	xor	$t2,$t2,$acc02
 	xor	$t3,$t3,$acc03
-	lwzx	$acc14,$Tbl3,$acc14
-	lwzx	$acc15,$Tbl3,$acc15
+	lwzx	$acc12,$Tbl3,$acc12
+	lwzx	$acc13,$Tbl3,$acc13
 	xor	$t0,$t0,$acc04
 	xor	$t1,$t1,$acc05
+	lwzx	$acc14,$Tbl3,$acc14
+	lwzx	$acc15,$Tbl3,$acc15
 	xor	$t2,$t2,$acc06
 	xor	$t3,$t3,$acc07
 	xor	$t0,$t0,$acc08
@@ -452,60 +465,60 @@ Lenc_loop:
 
 	addi	$Tbl2,$Tbl0,2048
 	nop
-	lwz	$acc08,`2048+0`($Tbl0)	! prefetch Te4
-	lwz	$acc09,`2048+32`($Tbl0)
-	lwz	$acc10,`2048+64`($Tbl0)
-	lwz	$acc11,`2048+96`($Tbl0)
-	lwz	$acc08,`2048+128`($Tbl0)
-	lwz	$acc09,`2048+160`($Tbl0)
-	lwz	$acc10,`2048+192`($Tbl0)
-	lwz	$acc11,`2048+224`($Tbl0)
-	rlwinm	$acc00,$s0,`32-24`,24,31
-	rlwinm	$acc01,$s1,`32-24`,24,31
 	lwz	$t0,0($key)
 	lwz	$t1,4($key)
-	rlwinm	$acc02,$s2,`32-24`,24,31
-	rlwinm	$acc03,$s3,`32-24`,24,31
+	rlwinm	$acc00,$s0,`32-24`,24,31
+	rlwinm	$acc01,$s1,`32-24`,24,31
 	lwz	$t2,8($key)
 	lwz	$t3,12($key)
+	rlwinm	$acc02,$s2,`32-24`,24,31
+	rlwinm	$acc03,$s3,`32-24`,24,31
+	lwz	$acc08,`2048+0`($Tbl0)	! prefetch Te4
+	lwz	$acc09,`2048+32`($Tbl0)
 	rlwinm	$acc04,$s1,`32-16`,24,31
 	rlwinm	$acc05,$s2,`32-16`,24,31
-	lbzx	$acc00,$Tbl2,$acc00
-	lbzx	$acc01,$Tbl2,$acc01
+	lwz	$acc10,`2048+64`($Tbl0)
+	lwz	$acc11,`2048+96`($Tbl0)
 	rlwinm	$acc06,$s3,`32-16`,24,31
 	rlwinm	$acc07,$s0,`32-16`,24,31
-	lbzx	$acc02,$Tbl2,$acc02
-	lbzx	$acc03,$Tbl2,$acc03
+	lwz	$acc12,`2048+128`($Tbl0)
+	lwz	$acc13,`2048+160`($Tbl0)
 	rlwinm	$acc08,$s2,`32-8`,24,31
 	rlwinm	$acc09,$s3,`32-8`,24,31
-	lbzx	$acc04,$Tbl2,$acc04
-	lbzx	$acc05,$Tbl2,$acc05
+	lwz	$acc14,`2048+192`($Tbl0)
+	lwz	$acc15,`2048+224`($Tbl0)
 	rlwinm	$acc10,$s0,`32-8`,24,31
 	rlwinm	$acc11,$s1,`32-8`,24,31
-	lbzx	$acc06,$Tbl2,$acc06
-	lbzx	$acc07,$Tbl2,$acc07
+	lbzx	$acc00,$Tbl2,$acc00
+	lbzx	$acc01,$Tbl2,$acc01
 	rlwinm	$acc12,$s3,`0`,24,31
 	rlwinm	$acc13,$s0,`0`,24,31
-	lbzx	$acc08,$Tbl2,$acc08
-	lbzx	$acc09,$Tbl2,$acc09
+	lbzx	$acc02,$Tbl2,$acc02
+	lbzx	$acc03,$Tbl2,$acc03
 	rlwinm	$acc14,$s1,`0`,24,31
 	rlwinm	$acc15,$s2,`0`,24,31
-	lbzx	$acc10,$Tbl2,$acc10
-	lbzx	$acc11,$Tbl2,$acc11
+	lbzx	$acc04,$Tbl2,$acc04
+	lbzx	$acc05,$Tbl2,$acc05
 	rlwinm	$s0,$acc00,24,0,7
 	rlwinm	$s1,$acc01,24,0,7
-	lbzx	$acc12,$Tbl2,$acc12
-	lbzx	$acc13,$Tbl2,$acc13
+	lbzx	$acc06,$Tbl2,$acc06
+	lbzx	$acc07,$Tbl2,$acc07
 	rlwinm	$s2,$acc02,24,0,7
 	rlwinm	$s3,$acc03,24,0,7
-	lbzx	$acc14,$Tbl2,$acc14
-	lbzx	$acc15,$Tbl2,$acc15
+	lbzx	$acc08,$Tbl2,$acc08
+	lbzx	$acc09,$Tbl2,$acc09
 	rlwimi	$s0,$acc04,16,8,15
 	rlwimi	$s1,$acc05,16,8,15
+	lbzx	$acc10,$Tbl2,$acc10
+	lbzx	$acc11,$Tbl2,$acc11
 	rlwimi	$s2,$acc06,16,8,15
 	rlwimi	$s3,$acc07,16,8,15
+	lbzx	$acc12,$Tbl2,$acc12
+	lbzx	$acc13,$Tbl2,$acc13
 	rlwimi	$s0,$acc08,8,16,23
 	rlwimi	$s1,$acc09,8,16,23
+	lbzx	$acc14,$Tbl2,$acc14
+	lbzx	$acc15,$Tbl2,$acc15
 	rlwimi	$s2,$acc10,8,16,23
 	rlwimi	$s3,$acc11,8,16,23
 	or	$s0,$s0,$acc12
@@ -542,40 +555,40 @@ Lenc_compact_loop:
 	rlwinm	$acc01,$s1,`32-24`,24,31
 	rlwinm	$acc02,$s2,`32-24`,24,31
 	rlwinm	$acc03,$s3,`32-24`,24,31
-	lbzx	$acc00,$Tbl1,$acc00
-	lbzx	$acc01,$Tbl1,$acc01
 	rlwinm	$acc04,$s1,`32-16`,24,31
 	rlwinm	$acc05,$s2,`32-16`,24,31
-	lbzx	$acc02,$Tbl1,$acc02
-	lbzx	$acc03,$Tbl1,$acc03
 	rlwinm	$acc06,$s3,`32-16`,24,31
 	rlwinm	$acc07,$s0,`32-16`,24,31
-	lbzx	$acc04,$Tbl1,$acc04
-	lbzx	$acc05,$Tbl1,$acc05
+	lbzx	$acc00,$Tbl1,$acc00
+	lbzx	$acc01,$Tbl1,$acc01
 	rlwinm	$acc08,$s2,`32-8`,24,31
 	rlwinm	$acc09,$s3,`32-8`,24,31
-	lbzx	$acc06,$Tbl1,$acc06
-	lbzx	$acc07,$Tbl1,$acc07
+	lbzx	$acc02,$Tbl1,$acc02
+	lbzx	$acc03,$Tbl1,$acc03
 	rlwinm	$acc10,$s0,`32-8`,24,31
 	rlwinm	$acc11,$s1,`32-8`,24,31
-	lbzx	$acc08,$Tbl1,$acc08
-	lbzx	$acc09,$Tbl1,$acc09
+	lbzx	$acc04,$Tbl1,$acc04
+	lbzx	$acc05,$Tbl1,$acc05
 	rlwinm	$acc12,$s3,`0`,24,31
 	rlwinm	$acc13,$s0,`0`,24,31
-	lbzx	$acc10,$Tbl1,$acc10
-	lbzx	$acc11,$Tbl1,$acc11
+	lbzx	$acc06,$Tbl1,$acc06
+	lbzx	$acc07,$Tbl1,$acc07
 	rlwinm	$acc14,$s1,`0`,24,31
 	rlwinm	$acc15,$s2,`0`,24,31
-	lbzx	$acc12,$Tbl1,$acc12
-	lbzx	$acc13,$Tbl1,$acc13
+	lbzx	$acc08,$Tbl1,$acc08
+	lbzx	$acc09,$Tbl1,$acc09
 	rlwinm	$s0,$acc00,24,0,7
 	rlwinm	$s1,$acc01,24,0,7
-	lbzx	$acc14,$Tbl1,$acc14
-	lbzx	$acc15,$Tbl1,$acc15
+	lbzx	$acc10,$Tbl1,$acc10
+	lbzx	$acc11,$Tbl1,$acc11
 	rlwinm	$s2,$acc02,24,0,7
 	rlwinm	$s3,$acc03,24,0,7
+	lbzx	$acc12,$Tbl1,$acc12
+	lbzx	$acc13,$Tbl1,$acc13
 	rlwimi	$s0,$acc04,16,8,15
 	rlwimi	$s1,$acc05,16,8,15
+	lbzx	$acc14,$Tbl1,$acc14
+	lbzx	$acc15,$Tbl1,$acc15
 	rlwimi	$s2,$acc06,16,8,15
 	rlwimi	$s3,$acc07,16,8,15
 	rlwimi	$s0,$acc08,8,16,23
@@ -725,7 +738,7 @@ Lenc_compact_done:
 	addi	$sp,$sp,$FRAME
 	blr
 
-.align	4
+.align	5
 Lppc_AES_decrypt:
 	lwz	$acc00,240($key)
 	lwz	$t0,0($key)
@@ -746,46 +759,46 @@ Lppc_AES_decrypt:
 Ldec_loop:
 	rlwinm	$acc00,$s0,`32-24+3`,21,28
 	rlwinm	$acc01,$s1,`32-24+3`,21,28
-	lwz	$t0,0($key)
-	lwz	$t1,4($key)
 	rlwinm	$acc02,$s2,`32-24+3`,21,28
 	rlwinm	$acc03,$s3,`32-24+3`,21,28
-	lwz	$t2,8($key)
-	lwz	$t3,12($key)
+	lwz	$t0,0($key)
+	lwz	$t1,4($key)
 	rlwinm	$acc04,$s3,`32-16+3`,21,28
 	rlwinm	$acc05,$s0,`32-16+3`,21,28
-	lwzx	$acc00,$Tbl0,$acc00
-	lwzx	$acc01,$Tbl0,$acc01
+	lwz	$t2,8($key)
+	lwz	$t3,12($key)
 	rlwinm	$acc06,$s1,`32-16+3`,21,28
 	rlwinm	$acc07,$s2,`32-16+3`,21,28
-	lwzx	$acc02,$Tbl0,$acc02
-	lwzx	$acc03,$Tbl0,$acc03
+	lwzx	$acc00,$Tbl0,$acc00
+	lwzx	$acc01,$Tbl0,$acc01
 	rlwinm	$acc08,$s2,`32-8+3`,21,28
 	rlwinm	$acc09,$s3,`32-8+3`,21,28
-	lwzx	$acc04,$Tbl1,$acc04
-	lwzx	$acc05,$Tbl1,$acc05
+	lwzx	$acc02,$Tbl0,$acc02
+	lwzx	$acc03,$Tbl0,$acc03
 	rlwinm	$acc10,$s0,`32-8+3`,21,28
 	rlwinm	$acc11,$s1,`32-8+3`,21,28
-	lwzx	$acc06,$Tbl1,$acc06
-	lwzx	$acc07,$Tbl1,$acc07
+	lwzx	$acc04,$Tbl1,$acc04
+	lwzx	$acc05,$Tbl1,$acc05
 	rlwinm	$acc12,$s1,`0+3`,21,28
 	rlwinm	$acc13,$s2,`0+3`,21,28
-	lwzx	$acc08,$Tbl2,$acc08
-	lwzx	$acc09,$Tbl2,$acc09
+	lwzx	$acc06,$Tbl1,$acc06
+	lwzx	$acc07,$Tbl1,$acc07
 	rlwinm	$acc14,$s3,`0+3`,21,28
 	rlwinm	$acc15,$s0,`0+3`,21,28
-	lwzx	$acc10,$Tbl2,$acc10
-	lwzx	$acc11,$Tbl2,$acc11
+	lwzx	$acc08,$Tbl2,$acc08
+	lwzx	$acc09,$Tbl2,$acc09
 	xor	$t0,$t0,$acc00
 	xor	$t1,$t1,$acc01
-	lwzx	$acc12,$Tbl3,$acc12
-	lwzx	$acc13,$Tbl3,$acc13
+	lwzx	$acc10,$Tbl2,$acc10
+	lwzx	$acc11,$Tbl2,$acc11
 	xor	$t2,$t2,$acc02
 	xor	$t3,$t3,$acc03
-	lwzx	$acc14,$Tbl3,$acc14
-	lwzx	$acc15,$Tbl3,$acc15
+	lwzx	$acc12,$Tbl3,$acc12
+	lwzx	$acc13,$Tbl3,$acc13
 	xor	$t0,$t0,$acc04
 	xor	$t1,$t1,$acc05
+	lwzx	$acc14,$Tbl3,$acc14
+	lwzx	$acc15,$Tbl3,$acc15
 	xor	$t2,$t2,$acc06
 	xor	$t3,$t3,$acc07
 	xor	$t0,$t0,$acc08
@@ -801,56 +814,56 @@ Ldec_loop:
 
 	addi	$Tbl2,$Tbl0,2048
 	nop
-	lwz	$acc08,`2048+0`($Tbl0)	! prefetch Td4
-	lwz	$acc09,`2048+32`($Tbl0)
-	lwz	$acc10,`2048+64`($Tbl0)
-	lwz	$acc11,`2048+96`($Tbl0)
-	lwz	$acc08,`2048+128`($Tbl0)
-	lwz	$acc09,`2048+160`($Tbl0)
-	lwz	$acc10,`2048+192`($Tbl0)
-	lwz	$acc11,`2048+224`($Tbl0)
-	rlwinm	$acc00,$s0,`32-24`,24,31
-	rlwinm	$acc01,$s1,`32-24`,24,31
 	lwz	$t0,0($key)
 	lwz	$t1,4($key)
-	rlwinm	$acc02,$s2,`32-24`,24,31
-	rlwinm	$acc03,$s3,`32-24`,24,31
+	rlwinm	$acc00,$s0,`32-24`,24,31
+	rlwinm	$acc01,$s1,`32-24`,24,31
 	lwz	$t2,8($key)
 	lwz	$t3,12($key)
+	rlwinm	$acc02,$s2,`32-24`,24,31
+	rlwinm	$acc03,$s3,`32-24`,24,31
+	lwz	$acc08,`2048+0`($Tbl0)	! prefetch Td4
+	lwz	$acc09,`2048+32`($Tbl0)
 	rlwinm	$acc04,$s3,`32-16`,24,31
 	rlwinm	$acc05,$s0,`32-16`,24,31
+	lwz	$acc10,`2048+64`($Tbl0)
+	lwz	$acc11,`2048+96`($Tbl0)
 	lbzx	$acc00,$Tbl2,$acc00
 	lbzx	$acc01,$Tbl2,$acc01
+	lwz	$acc12,`2048+128`($Tbl0)
+	lwz	$acc13,`2048+160`($Tbl0)
 	rlwinm	$acc06,$s1,`32-16`,24,31
 	rlwinm	$acc07,$s2,`32-16`,24,31
-	lbzx	$acc02,$Tbl2,$acc02
-	lbzx	$acc03,$Tbl2,$acc03
+	lwz	$acc14,`2048+192`($Tbl0)
+	lwz	$acc15,`2048+224`($Tbl0)
 	rlwinm	$acc08,$s2,`32-8`,24,31
 	rlwinm	$acc09,$s3,`32-8`,24,31
-	lbzx	$acc04,$Tbl2,$acc04
-	lbzx	$acc05,$Tbl2,$acc05
+	lbzx	$acc02,$Tbl2,$acc02
+	lbzx	$acc03,$Tbl2,$acc03
 	rlwinm	$acc10,$s0,`32-8`,24,31
 	rlwinm	$acc11,$s1,`32-8`,24,31
-	lbzx	$acc06,$Tbl2,$acc06
-	lbzx	$acc07,$Tbl2,$acc07
+	lbzx	$acc04,$Tbl2,$acc04
+	lbzx	$acc05,$Tbl2,$acc05
 	rlwinm	$acc12,$s1,`0`,24,31
 	rlwinm	$acc13,$s2,`0`,24,31
-	lbzx	$acc08,$Tbl2,$acc08
-	lbzx	$acc09,$Tbl2,$acc09
+	lbzx	$acc06,$Tbl2,$acc06
+	lbzx	$acc07,$Tbl2,$acc07
 	rlwinm	$acc14,$s3,`0`,24,31
 	rlwinm	$acc15,$s0,`0`,24,31
-	lbzx	$acc10,$Tbl2,$acc10
-	lbzx	$acc11,$Tbl2,$acc11
+	lbzx	$acc08,$Tbl2,$acc08
+	lbzx	$acc09,$Tbl2,$acc09
 	rlwinm	$s0,$acc00,24,0,7
 	rlwinm	$s1,$acc01,24,0,7
-	lbzx	$acc12,$Tbl2,$acc12
-	lbzx	$acc13,$Tbl2,$acc13
+	lbzx	$acc10,$Tbl2,$acc10
+	lbzx	$acc11,$Tbl2,$acc11
 	rlwinm	$s2,$acc02,24,0,7
 	rlwinm	$s3,$acc03,24,0,7
-	lbzx	$acc14,$Tbl2,$acc14
-	lbzx	$acc15,$Tbl2,$acc15
+	lbzx	$acc12,$Tbl2,$acc12
+	lbzx	$acc13,$Tbl2,$acc13
 	rlwimi	$s0,$acc04,16,8,15
 	rlwimi	$s1,$acc05,16,8,15
+	lbzx	$acc14,$Tbl2,$acc14
+	lbzx	$acc15,$Tbl2,$acc15
 	rlwimi	$s2,$acc06,16,8,15
 	rlwimi	$s3,$acc07,16,8,15
 	rlwimi	$s0,$acc08,8,16,23
@@ -897,40 +910,40 @@ Ldec_compact_loop:
 	rlwinm	$acc01,$s1,`32-24`,24,31
 	rlwinm	$acc02,$s2,`32-24`,24,31
 	rlwinm	$acc03,$s3,`32-24`,24,31
-	lbzx	$acc00,$Tbl1,$acc00
-	lbzx	$acc01,$Tbl1,$acc01
 	rlwinm	$acc04,$s3,`32-16`,24,31
 	rlwinm	$acc05,$s0,`32-16`,24,31
-	lbzx	$acc02,$Tbl1,$acc02
-	lbzx	$acc03,$Tbl1,$acc03
 	rlwinm	$acc06,$s1,`32-16`,24,31
 	rlwinm	$acc07,$s2,`32-16`,24,31
-	lbzx	$acc04,$Tbl1,$acc04
-	lbzx	$acc05,$Tbl1,$acc05
+	lbzx	$acc00,$Tbl1,$acc00
+	lbzx	$acc01,$Tbl1,$acc01
 	rlwinm	$acc08,$s2,`32-8`,24,31
 	rlwinm	$acc09,$s3,`32-8`,24,31
-	lbzx	$acc06,$Tbl1,$acc06
-	lbzx	$acc07,$Tbl1,$acc07
+	lbzx	$acc02,$Tbl1,$acc02
+	lbzx	$acc03,$Tbl1,$acc03
 	rlwinm	$acc10,$s0,`32-8`,24,31
 	rlwinm	$acc11,$s1,`32-8`,24,31
-	lbzx	$acc08,$Tbl1,$acc08
-	lbzx	$acc09,$Tbl1,$acc09
+	lbzx	$acc04,$Tbl1,$acc04
+	lbzx	$acc05,$Tbl1,$acc05
 	rlwinm	$acc12,$s1,`0`,24,31
 	rlwinm	$acc13,$s2,`0`,24,31
-	lbzx	$acc10,$Tbl1,$acc10
-	lbzx	$acc11,$Tbl1,$acc11
+	lbzx	$acc06,$Tbl1,$acc06
+	lbzx	$acc07,$Tbl1,$acc07
 	rlwinm	$acc14,$s3,`0`,24,31
 	rlwinm	$acc15,$s0,`0`,24,31
-	lbzx	$acc12,$Tbl1,$acc12
-	lbzx	$acc13,$Tbl1,$acc13
+	lbzx	$acc08,$Tbl1,$acc08
+	lbzx	$acc09,$Tbl1,$acc09
 	rlwinm	$s0,$acc00,24,0,7
 	rlwinm	$s1,$acc01,24,0,7
-	lbzx	$acc14,$Tbl1,$acc14
-	lbzx	$acc15,$Tbl1,$acc15
+	lbzx	$acc10,$Tbl1,$acc10
+	lbzx	$acc11,$Tbl1,$acc11
 	rlwinm	$s2,$acc02,24,0,7
 	rlwinm	$s3,$acc03,24,0,7
+	lbzx	$acc12,$Tbl1,$acc12
+	lbzx	$acc13,$Tbl1,$acc13
 	rlwimi	$s0,$acc04,16,8,15
 	rlwimi	$s1,$acc05,16,8,15
+	lbzx	$acc14,$Tbl1,$acc14
+	lbzx	$acc15,$Tbl1,$acc15
 	rlwimi	$s2,$acc06,16,8,15
 	rlwimi	$s3,$acc07,16,8,15
 	rlwimi	$s0,$acc08,8,16,23

crypto/bio/b_sock.c

@@ -731,7 +731,14 @@ again:
 #ifdef SO_REUSEADDR
 		err_num=get_last_socket_error();
 		if ((bind_mode == BIO_BIND_REUSEADDR_IF_UNUSED) &&
+#ifdef OPENSSL_SYS_WINDOWS
+			/* Some versions of Windows define EADDRINUSE to
+			 * a dummy value.
+			 */
+			(err_num == WSAEADDRINUSE))
+#else
 			(err_num == EADDRINUSE))
+#endif
 			{
 			client = server;
 			if (h == NULL || strcmp(h,"*") == 0)

crypto/bio/bss_file.c

@@ -118,10 +118,47 @@ static BIO_METHOD methods_filep=
 
 BIO *BIO_new_file(const char *filename, const char *mode)
 	{
-	BIO *ret;
-	FILE *file;
+	BIO  *ret;
+	FILE *file=NULL;
 
-	if ((file=fopen(filename,mode)) == NULL)
+#if defined(_WIN32) && defined(CP_UTF8)
+	int sz, len_0 = (int)strlen(filename)+1;
+
+	/*
+	 * Basically there are three cases to cover: a) filename is
+	 * pure ASCII string; b) actual UTF-8 encoded string and
+	 * c) locale-ized string, i.e. one containing 8-bit
+	 * characters that are meaningful in current system locale.
+	 * If filename is pure ASCII or real UTF-8 encoded string,
+	 * MultiByteToWideChar succeeds and _wfopen works. If
+	 * filename is locale-ized string, chances are that
+	 * MultiByteToWideChar fails reporting
+	 * ERROR_NO_UNICODE_TRANSLATION, in which case we fall
+	 * back to fopen...
+	 */
+	if ((sz=MultiByteToWideChar(CP_UTF8,MB_ERR_INVALID_CHARS,
+					filename,len_0,NULL,0))>0)
+		{
+		WCHAR  wmode[8];
+		WCHAR *wfilename = _alloca(sz*sizeof(WCHAR));
+
+		if (MultiByteToWideChar(CP_UTF8,MB_ERR_INVALID_CHARS,
+					filename,len_0,wfilename,sz) &&
+		    MultiByteToWideChar(CP_UTF8,0,mode,strlen(mode)+1,
+			    		wmode,sizeof(wmode)/sizeof(wmode[0])) &&
+		    (file=_wfopen(wfilename,wmode))==NULL && errno==ENOENT
+		   )	/* UTF-8 decode succeeded, but no file, filename
+			 * could still have been locale-ized... */
+			file = fopen(filename,mode);
+		}
+	else if (GetLastError()==ERROR_NO_UNICODE_TRANSLATION)
+		{
+		file = fopen(filename,mode);
+		}
+#else
+	file=fopen(filename,mode);	
+#endif
+	if (file == NULL)
 		{
 		SYSerr(SYS_F_FOPEN,get_last_sys_error());
 		ERR_add_error_data(5,"fopen('",filename,"','",mode,"')");

crypto/bn/asm/alpha-mont.pl

@@ -53,15 +53,15 @@ $code=<<___;
 .align	5
 .ent	bn_mul_mont
 bn_mul_mont:
-	lda	sp,-40(sp)
+	lda	sp,-48(sp)
 	stq	ra,0(sp)
 	stq	s3,8(sp)
 	stq	s4,16(sp)
 	stq	s5,24(sp)
 	stq	fp,32(sp)
 	mov	sp,fp
-	.mask	0x0400f000,-40
-	.frame	fp,40,ra
+	.mask	0x0400f000,-48
+	.frame	fp,48,ra
 	.prologue 0
 
 	.align	4
@@ -306,7 +306,7 @@ bn_mul_mont:
 	ldq	s4,16(sp)
 	ldq	s5,24(sp)
 	ldq	fp,32(sp)
-	lda	sp,40(sp)
+	lda	sp,48(sp)
 	ret	(ra)
 .end	bn_mul_mont
 .rdata

crypto/cms/cms_asn1.c

@@ -131,8 +131,8 @@ ASN1_NDEF_SEQUENCE(CMS_SignedData) = {
 } ASN1_NDEF_SEQUENCE_END(CMS_SignedData)
 
 ASN1_SEQUENCE(CMS_OriginatorInfo) = {
-	ASN1_IMP_SET_OF_OPT(CMS_SignedData, certificates, CMS_CertificateChoices, 0),
-	ASN1_IMP_SET_OF_OPT(CMS_SignedData, crls, CMS_RevocationInfoChoice, 1)
+	ASN1_IMP_SET_OF_OPT(CMS_OriginatorInfo, certificates, CMS_CertificateChoices, 0),
+	ASN1_IMP_SET_OF_OPT(CMS_OriginatorInfo, crls, CMS_RevocationInfoChoice, 1)
 } ASN1_SEQUENCE_END(CMS_OriginatorInfo)
 
 ASN1_NDEF_SEQUENCE(CMS_EncryptedContentInfo) = {

crypto/cryptlib.c

@@ -749,6 +749,18 @@ int OPENSSL_isservice(void)
 { HWINSTA h;
   DWORD len;
   WCHAR *name;
+  static union { void *p; int (*f)(void); } _OPENSSL_isservice = { NULL };
+
+    if (_OPENSSL_isservice.p == NULL) {
+	HANDLE h = GetModuleHandle(NULL);
+	if (h != NULL)
+	    _OPENSSL_isservice.p = GetProcAddress(h,"_OPENSSL_isservice");
+	if (_OPENSSL_isservice.p == NULL)
+	    _OPENSSL_isservice.p = (void *)-1;
+    }
+
+    if (_OPENSSL_isservice.p != (void *)-1)
+	return (*_OPENSSL_isservice.f)();
 
     (void)GetDesktopWindow(); /* return value is ignored */
 

crypto/crypto-lib.com

@@ -60,7 +60,7 @@ $ THEN
 $!
 $!  The Architecture Is VAX
 $!
-$   ARCH := VAX
+$   ARCH = "VAX"
 $!
 $! Else...
 $!
@@ -80,9 +80,11 @@ $! NOTE: Some might think this list ugly.  However, it's made this way to
 $! reflect the SDIRS variable in [-]Makefile.org as closely as possible,
 $! thereby making it fairly easy to verify that the lists are the same.
 $!
+$ ET_WHIRLPOOL = "WHRLPOOL"
+$ IF ARCH .EQS. "VAX" THEN ET_WHIRLPOOL = ""
 $ ENCRYPT_TYPES = "Basic,"+ -
 		  "OBJECTS,"+ -
-		  "MD2,MD4,MD5,SHA,MDC2,HMAC,RIPEMD,WHRLPOOL,"+ -
+		  "MD2,MD4,MD5,SHA,MDC2,HMAC,RIPEMD,"+ET_WHIRLPOOL+","+ -
 		  "DES,AES,RC2,RC4,RC5,IDEA,BF,CAST,CAMELLIA,SEED,MODES,"+ -
 		  "BN,EC,RSA,DSA,ECDSA,DH,ECDH,DSO,ENGINE,"+ -
 		  "BUFFER,BIO,STACK,LHASH,RAND,ERR,"+ -
@@ -367,7 +369,7 @@ $!
 $ IF F$TYPE('LIB_MODULE') .EQS. ""
 $ THEN
 $   WRITE SYS$ERROR ""
-$   WRITE SYS$ERROR "The module ",MODULE_NAME," does not exist.  Continuing..."
+$   WRITE SYS$ERROR "The module ",MODULE_NAME1," does not exist.  Continuing..."
 $   WRITE SYS$ERROR ""
 $   GOTO MODULE_NEXT
 $ ENDIF
@@ -777,12 +779,12 @@ $! Else...
 $!
 $ ELSE
 $!
-$!  Else, Check To See If P1 Has A Valid Arguement.
+$!  Else, Check To See If P1 Has A Valid Argument.
 $!
 $   IF (P1.EQS."LIBRARY").OR.(P1.EQS."APPS")
 $   THEN
 $!
-$!    A Valid Arguement.
+$!    A Valid Argument.
 $!
 $     BUILDALL = P1
 $!
@@ -810,7 +812,7 @@ $!    Time To EXIT.
 $!
 $     EXIT
 $!
-$!  End The Valid Arguement Check.
+$!  End The Valid Argument Check.
 $!
 $   ENDIF
 $!
@@ -863,7 +865,7 @@ $!    Time To EXIT.
 $!
 $     EXIT
 $!
-$!  End The Valid Arguement Check.
+$!  End The Valid Argument Check.
 $!
 $   ENDIF
 $!
@@ -1034,7 +1036,7 @@ $     IF ARCH.EQS."VAX" .AND. F$TRNLNM("DECC$CC_DEFAULT").NES."/DECC" -
 	 THEN CC = "CC/DECC"
 $     CC = CC + "/''CC_OPTIMIZE'/''DEBUGGER'/STANDARD=ANSI89" + -
            "/NOLIST/PREFIX=ALL" + -
-	   "/INCLUDE=(SYS$DISK:[],SYS$DISK:[.''ARCH'],SYS$DISK:[-],SYS$DISK:[.ENGINE.VENDOR_DEFNS],SYS$DISK:[.EVP],SYS$DISK:[.ASN1])" + -
+	   "/INCLUDE=(SYS$DISK:[],SYS$DISK:[._''ARCH'],SYS$DISK:[-],SYS$DISK:[.ENGINE.VENDOR_DEFNS],SYS$DISK:[.EVP],SYS$DISK:[.ASN1])" + -
 	   CCEXTRAFLAGS
 $!
 $!    Define The Linker Options File Name.
@@ -1068,7 +1070,7 @@ $	EXIT
 $     ENDIF
 $     IF F$TRNLNM("DECC$CC_DEFAULT").EQS."/DECC" THEN CC = "CC/VAXC"
 $     CC = CC + "/''CC_OPTIMIZE'/''DEBUGGER'/NOLIST" + -
-	   "/INCLUDE=(SYS$DISK:[],SYS$DISK:[.''ARCH'],SYS$DISK:[-],SYS$DISK:[.ENGINE.VENDOR_DEFNS],SYS$DISK:[.EVP],SYS$DISK:[.ASN1])" + -
+	   "/INCLUDE=(SYS$DISK:[],SYS$DISK:[._''ARCH'],SYS$DISK:[-],SYS$DISK:[.ENGINE.VENDOR_DEFNS],SYS$DISK:[.EVP],SYS$DISK:[.ASN1])" + -
 	   CCEXTRAFLAGS
 $     CCDEFS = """VAXC""," + CCDEFS
 $!
@@ -1100,7 +1102,7 @@ $!
 $!    Use GNU C...
 $!
 $     CC = "GCC/NOCASE_HACK/''GCC_OPTIMIZE'/''DEBUGGER'/NOLIST" + -
-	   "/INCLUDE=(SYS$DISK:[],SYS$DISK:[.''ARCH'],SYS$DISK:[-],SYS$DISK:[.ENGINE.VENDOR_DEFNS],SYS$DISK:[.EVP],SYS$DISK:[.ASN1])" + -
+	   "/INCLUDE=(SYS$DISK:[],SYS$DISK:[._''ARCH'],SYS$DISK:[-],SYS$DISK:[.ENGINE.VENDOR_DEFNS],SYS$DISK:[.EVP],SYS$DISK:[.ASN1])" + -
 	   CCEXTRAFLAGS
 $!
 $!    Define The Linker Options File Name.
@@ -1150,7 +1152,7 @@ $!  Show user the result
 $!
 $   WRITE/SYMBOL SYS$OUTPUT "Main C Compiling Command: ",CC
 $!
-$!  Else The User Entered An Invalid Arguement.
+$!  Else The User Entered An Invalid Argument.
 $!
 $ ELSE
 $!
@@ -1168,7 +1170,7 @@ $!  Time To EXIT.
 $!
 $   EXIT
 $!
-$! End The Valid Arguement Check.
+$! End The Valid Argument Check.
 $!
 $ ENDIF
 $!
@@ -1263,7 +1265,7 @@ $!  Print info
 $!
 $   WRITE SYS$OUTPUT "TCP/IP library spec: ", TCPIP_LIB
 $!
-$!  Else The User Entered An Invalid Arguement.
+$!  Else The User Entered An Invalid Argument.
 $!
 $ ELSE
 $!

crypto/des/des-lib.com

@@ -659,13 +659,13 @@ $! Else...
 $!
 $ ELSE
 $!
-$!  Else, Check To See If P1 Has A Valid Arguement.
+$!  Else, Check To See If P1 Has A Valid Argument.
 $!
 $   IF (P1.EQS."LIBRARY").OR.(P1.EQS."DESTEST").OR.(P1.EQS."SPEED") -
        .OR.(P1.EQS."RPW").OR.(P1.EQS."DES").OR.(P1.EQS."DES_OPTS")
 $   THEN
 $!
-$!    A Valid Arguement.
+$!    A Valid Argument.
 $!
 $     BUILDALL = P1
 $!
@@ -678,7 +678,7 @@ $!
 $     WRITE SYS$OUTPUT ""
 $     WRITE SYS$OUTPUT "The Option ",P1," Is Invalid.  The Valid Options Are:"
 $     WRITE SYS$OUTPUT ""
-$     WRITE SYS$OUTPUT "    ALL      :  Just Build Everything.
+$     WRITE SYS$OUTPUT "    ALL      :  Just Build Everything."
 $     WRITE SYS$OUTPUT "    LIBRARY  :  To Compile Just The [.xxx.EXE.CRYPTO.DES]LIBDES.OLB Library."
 $     WRITE SYS$OUTPUT "    DESTEST  :  To Compile Just The [.xxx.EXE.CRYPTO.DES]DESTEST.EXE Program."
 $     WRITE SYS$OUTPUT "    SPEED    :  To Compile Just The [.xxx.EXE.CRYPTO.DES]SPEED.EXE Program."
@@ -697,7 +697,7 @@ $!    Time To EXIT.
 $!
 $     EXIT
 $!
-$!  End The Valid Arguement Check.
+$!  End The Valid Argument Check.
 $!
 $   ENDIF
 $!
@@ -754,7 +754,7 @@ $!    Time To EXIT.
 $!
 $     EXIT
 $!
-$!  End The Valid Arguement Check.
+$!  End The Valid Argument Check.
 $!
 $   ENDIF
 $!
@@ -978,7 +978,7 @@ $!  Show user the result
 $!
 $   WRITE SYS$OUTPUT "Main Compiling Command: ",CC
 $!
-$!  Else The User Entered An Invalid Arguement.
+$!  Else The User Entered An Invalid Argument.
 $!
 $ ELSE
 $!

crypto/des/rpc_des.h

@@ -122,10 +122,10 @@ struct desparams {
 /*
  * Encrypt an arbitrary sized buffer
  */
-#define	DESIOCBLOCK	_IOWR(d, 6, struct desparams)
+#define	DESIOCBLOCK	_IOWR('d', 6, struct desparams)
 
 /* 
  * Encrypt of small amount of data, quickly
  */
-#define DESIOCQUICK	_IOWR(d, 7, struct desparams) 
+#define DESIOCQUICK	_IOWR('d', 7, struct desparams) 
 

crypto/dsa/dsa_ameth.c

@@ -209,7 +209,7 @@ static int dsa_priv_decode(EVP_PKEY *pkey, PKCS8_PRIV_KEY_INFO *p8)
 	if (*p == (V_ASN1_SEQUENCE|V_ASN1_CONSTRUCTED))
 		{
 		ASN1_TYPE *t1, *t2;
-	    	if(!(ndsa = d2i_ASN1_SEQUENCE_ANY(NULL, &p, pklen)));
+	    	if(!(ndsa = d2i_ASN1_SEQUENCE_ANY(NULL, &p, pklen)))
 			goto decerr;
 		if (sk_ASN1_TYPE_num(ndsa) != 2)
 			goto decerr;

crypto/err/err_prn.c

@@ -81,7 +81,8 @@ void ERR_print_errors_cb(int (*cb)(const char *str, size_t len, void *u),
 		ERR_error_string_n(l, buf, sizeof buf);
 		BIO_snprintf(buf2, sizeof(buf2), "%lu:%s:%s:%d:%s\n", es, buf,
 			file, line, (flags & ERR_TXT_STRING) ? data : "");
-		cb(buf2, strlen(buf2), u);
+		if (cb(buf2, strlen(buf2), u) <= 0)
+			break; /* abort outputting the error report */
 		}
 	}
 

crypto/evp/bio_b64.c

@@ -64,7 +64,7 @@
 
 static int b64_write(BIO *h, const char *buf, int num);
 static int b64_read(BIO *h, char *buf, int size);
-/*static int b64_puts(BIO *h, const char *str); */
+static int b64_puts(BIO *h, const char *str);
 /*static int b64_gets(BIO *h, char *str, int size); */
 static long b64_ctrl(BIO *h, int cmd, long arg1, void *arg2);
 static int b64_new(BIO *h);
@@ -96,7 +96,7 @@ static BIO_METHOD methods_b64=
 	BIO_TYPE_BASE64,"base64 encoding",
 	b64_write,
 	b64_read,
-	NULL, /* b64_puts, */
+	b64_puts,
 	NULL, /* b64_gets, */
 	b64_ctrl,
 	b64_new,
@@ -127,6 +127,7 @@ static int b64_new(BIO *bi)
 	bi->init=1;
 	bi->ptr=(char *)ctx;
 	bi->flags=0;
+	bi->num = 0;
 	return(1);
 	}
 
@@ -151,6 +152,8 @@ static int b64_read(BIO *b, char *out, int outl)
 
 	if ((ctx == NULL) || (b->next_bio == NULL)) return(0);
 
+	BIO_clear_retry_flags(b);
+
 	if (ctx->encode != B64_DECODE)
 		{
 		ctx->encode=B64_DECODE;
@@ -163,6 +166,7 @@ static int b64_read(BIO *b, char *out, int outl)
 	/* First check if there are bytes decoded/encoded */
 	if (ctx->buf_len > 0)
 		{
+		OPENSSL_assert(ctx->buf_len >= ctx->buf_off);
 		i=ctx->buf_len-ctx->buf_off;
 		if (i > outl) i=outl;
 		OPENSSL_assert(ctx->buf_off+i < (int)sizeof(ctx->buf));
@@ -184,7 +188,6 @@ static int b64_read(BIO *b, char *out, int outl)
 	ret_code=0;
 	while (outl > 0)
 		{
-
 		if (ctx->cont <= 0)
 			break;
 
@@ -195,7 +198,7 @@ static int b64_read(BIO *b, char *out, int outl)
 			{
 			ret_code=i;
 
-			/* Should be continue next time we are called? */
+			/* Should we continue next time we are called? */
 			if (!BIO_should_retry(b->next_bio))
 				{
 				ctx->cont=i;
@@ -285,19 +288,27 @@ static int b64_read(BIO *b, char *out, int outl)
 				continue;
 				}
 			else
+			{
 				ctx->tmp_len=0;
 			}
-		/* If buffer isn't full and we can retry then
-		 * restart to read in more data.
-		 */
+		}
 		else if ((i < B64_BLOCK_SIZE) && (ctx->cont > 0))
+		{
+			/* If buffer isn't full and we can retry then
+			 * restart to read in more data.
+			 */
 			continue;
+		}
 
 		if (BIO_get_flags(b) & BIO_FLAGS_BASE64_NO_NL)
 			{
 			int z,jj;
 
+#if 0
 			jj=(i>>2)<<2;
+#else
+			jj = i & ~3; /* process per 4 */
+#endif
 			z=EVP_DecodeBlock((unsigned char *)ctx->buf,
 				(unsigned char *)ctx->tmp,jj);
 			if (jj > 2)
@@ -313,18 +324,15 @@ static int b64_read(BIO *b, char *out, int outl)
 			 * number consumed */
 			if (jj != i)
 				{
-				memcpy((unsigned char *)ctx->tmp,
-					(unsigned char *)&(ctx->tmp[jj]),i-jj);
+				memmove(ctx->tmp, &ctx->tmp[jj], i-jj);
 				ctx->tmp_len=i-jj;
 				}
 			ctx->buf_len=0;
 			if (z > 0)
 				{
 				ctx->buf_len=z;
-				i=1;
 				}
-			else
-				i=z;
+			i=z;
 			}
 		else
 			{
@@ -357,14 +365,16 @@ static int b64_read(BIO *b, char *out, int outl)
 		outl-=i;
 		out+=i;
 		}
-	BIO_clear_retry_flags(b);
+	/* BIO_clear_retry_flags(b); */
 	BIO_copy_next_retry(b);
 	return((ret == 0)?ret_code:ret);
 	}
 
 static int b64_write(BIO *b, const char *in, int inl)
 	{
-	int ret=inl,n,i;
+	int ret=0;
+	int n;
+	int i;
 	BIO_B64_CTX *ctx;
 
 	ctx=(BIO_B64_CTX *)b->ptr;
@@ -379,6 +389,9 @@ static int b64_write(BIO *b, const char *in, int inl)
 		EVP_EncodeInit(&(ctx->base64));
 		}
 
+	OPENSSL_assert(ctx->buf_off < (int)sizeof(ctx->buf));
+	OPENSSL_assert(ctx->buf_len <= (int)sizeof(ctx->buf));
+	OPENSSL_assert(ctx->buf_len >= ctx->buf_off);
 	n=ctx->buf_len-ctx->buf_off;
 	while (n > 0)
 		{
@@ -388,7 +401,10 @@ static int b64_write(BIO *b, const char *in, int inl)
 			BIO_copy_next_retry(b);
 			return(i);
 			}
+		OPENSSL_assert(i <= n);
 		ctx->buf_off+=i;
+		OPENSSL_assert(ctx->buf_off <= (int)sizeof(ctx->buf));
+		OPENSSL_assert(ctx->buf_len >= ctx->buf_off);
 		n-=i;
 		}
 	/* at this point all pending data has been written */
@@ -405,18 +421,19 @@ static int b64_write(BIO *b, const char *in, int inl)
 			{
 			if (ctx->tmp_len > 0)
 				{
+				OPENSSL_assert(ctx->tmp_len <= 3);
 				n=3-ctx->tmp_len;
-				/* There's a teoretical possibility for this */
+				/* There's a theoretical possibility for this */
 				if (n > inl) 
 					n=inl;
 				memcpy(&(ctx->tmp[ctx->tmp_len]),in,n);
 				ctx->tmp_len+=n;
+				ret += n;
 				if (ctx->tmp_len < 3)
 					break;
-				ctx->buf_len=EVP_EncodeBlock(
-					(unsigned char *)ctx->buf,
-					(unsigned char *)ctx->tmp,
-					ctx->tmp_len);
+				ctx->buf_len=EVP_EncodeBlock((unsigned char *)ctx->buf,(unsigned char *)ctx->tmp,ctx->tmp_len);
+				OPENSSL_assert(ctx->buf_len <= (int)sizeof(ctx->buf));
+				OPENSSL_assert(ctx->buf_len >= ctx->buf_off);
 				/* Since we're now done using the temporary
 				   buffer, the length should be 0'd */
 				ctx->tmp_len=0;
@@ -425,14 +442,16 @@ static int b64_write(BIO *b, const char *in, int inl)
 				{
 				if (n < 3)
 					{
-					memcpy(&(ctx->tmp[0]),in,n);
+					memcpy(ctx->tmp,in,n);
 					ctx->tmp_len=n;
+					ret += n;
 					break;
 					}
 				n-=n%3;
-				ctx->buf_len=EVP_EncodeBlock(
-					(unsigned char *)ctx->buf,
-					(unsigned char *)in,n);
+				ctx->buf_len=EVP_EncodeBlock((unsigned char *)ctx->buf,(const unsigned char *)in,n);
+				OPENSSL_assert(ctx->buf_len <= (int)sizeof(ctx->buf));
+				OPENSSL_assert(ctx->buf_len >= ctx->buf_off);
+				ret += n;
 				}
 			}
 		else
@@ -440,6 +459,9 @@ static int b64_write(BIO *b, const char *in, int inl)
 			EVP_EncodeUpdate(&(ctx->base64),
 				(unsigned char *)ctx->buf,&ctx->buf_len,
 				(unsigned char *)in,n);
+			OPENSSL_assert(ctx->buf_len <= (int)sizeof(ctx->buf));
+			OPENSSL_assert(ctx->buf_len >= ctx->buf_off);
+			ret += n;
 			}
 		inl-=n;
 		in+=n;
@@ -454,8 +476,11 @@ static int b64_write(BIO *b, const char *in, int inl)
 				BIO_copy_next_retry(b);
 				return((ret == 0)?i:ret);
 				}
+			OPENSSL_assert(i <= n);
 			n-=i;
 			ctx->buf_off+=i;
+			OPENSSL_assert(ctx->buf_off <= (int)sizeof(ctx->buf));
+			OPENSSL_assert(ctx->buf_len >= ctx->buf_off);
 			}
 		ctx->buf_len=0;
 		ctx->buf_off=0;
@@ -486,6 +511,7 @@ static long b64_ctrl(BIO *b, int cmd, long num, void *ptr)
 			ret=BIO_ctrl(b->next_bio,cmd,num,ptr);
 		break;
 	case BIO_CTRL_WPENDING: /* More to write in buffer */
+		OPENSSL_assert(ctx->buf_len >= ctx->buf_off);
 		ret=ctx->buf_len-ctx->buf_off;
 		if ((ret == 0) && (ctx->encode != B64_NONE)
 			&& (ctx->base64.num != 0))
@@ -494,6 +520,7 @@ static long b64_ctrl(BIO *b, int cmd, long num, void *ptr)
 			ret=BIO_ctrl(b->next_bio,cmd,num,ptr);
 		break;
 	case BIO_CTRL_PENDING: /* More to read in buffer */
+		OPENSSL_assert(ctx->buf_len >= ctx->buf_off);
 		ret=ctx->buf_len-ctx->buf_off;
 		if (ret <= 0)
 			ret=BIO_ctrl(b->next_bio,cmd,num,ptr);
@@ -565,3 +592,7 @@ static long b64_callback_ctrl(BIO *b, int cmd, bio_info_cb *fp)
 	return(ret);
 	}
 
+static int b64_puts(BIO *b, const char *str)
+	{
+	return b64_write(b,str,strlen(str));
+	}

crypto/evp/pmeth_lib.c

@@ -177,6 +177,7 @@ static EVP_PKEY_CTX *int_ctx_new(EVP_PKEY *pkey, ENGINE *e, int id)
 	ret->operation = EVP_PKEY_OP_UNDEFINED;
 	ret->pkey = pkey;
 	ret->peerkey = NULL;
+	ret->pkey_gencb = 0;
 	if (pkey)
 		CRYPTO_add(&pkey->references,1,CRYPTO_LOCK_EVP_PKEY);
 	ret->data = NULL;

crypto/md5/asm/md5-ia64.S

@@ -914,7 +914,7 @@ md5_digest_block##offset:						\
 	nop 0x0 ;							\
 	br.cond.sptk.many md5_digest_GHI ;				\
 } ;;									\
-	.endp md5digestBlock ## offset
+	.endp md5_digest_block##offset
 
 MD5FBLOCK(1)
 MD5FBLOCK(2)

crypto/modes/cfb128.c

@@ -96,15 +96,15 @@ void CRYPTO_cfb128_encrypt(const unsigned char *in, unsigned char *out,
 #endif
 		while (len>=16) {
 			(*block)(ivec, ivec, key);
-			for (n=0; n<16; n+=sizeof(size_t)) {
+			for (; n<16; n+=sizeof(size_t)) {
 				*(size_t*)(out+n) =
 				*(size_t*)(ivec+n) ^= *(size_t*)(in+n);
 			}
 			len -= 16;
 			out += 16;
 			in  += 16;
+			n = 0;
 		}
-		n = 0;
 		if (len) {
 			(*block)(ivec, ivec, key);
 			while (len--) {
@@ -141,7 +141,7 @@ void CRYPTO_cfb128_encrypt(const unsigned char *in, unsigned char *out,
 #endif
 		while (len>=16) {
 			(*block)(ivec, ivec, key);
-			for (n=0; n<16; n+=sizeof(size_t)) {
+			for (; n<16; n+=sizeof(size_t)) {
 				size_t t = *(size_t*)(in+n);
 				*(size_t*)(out+n) = *(size_t*)(ivec+n) ^ t;
 				*(size_t*)(ivec+n) = t;
@@ -149,8 +149,8 @@ void CRYPTO_cfb128_encrypt(const unsigned char *in, unsigned char *out,
 			len -= 16;
 			out += 16;
 			in  += 16;
+			n = 0;
 		}
-		n = 0;
 		if (len) {
 			(*block)(ivec, ivec, key);
 			while (len--) {

crypto/modes/ctr128.c

@@ -61,14 +61,11 @@
 typedef unsigned int u32;
 typedef unsigned char u8;
 
-# define GETU32(pt) (((u32)(pt)[0] << 24) ^ ((u32)(pt)[1] << 16) ^ ((u32)(pt)[2] <<  8) ^ ((u32)(pt)[3]))
-# define PUTU32(ct, st) { (ct)[0] = (u8)((st) >> 24); (ct)[1] = (u8)((st) >> 16); (ct)[2] = (u8)((st) >>  8); (ct)[3] = (u8)(st); }
-
 #define STRICT_ALIGNMENT
-#if defined(__i386) || defined(__i386__) || \
-    defined(__x86_64) || defined(__x86_64__) || \
-    defined(_M_IX86) || defined(_M_AMD64) || defined(_M_X64) || \
-    defined(__s390__) || defined(__s390x__)
+#if defined(__i386)	|| defined(__i386__)	|| \
+    defined(__x86_64)	|| defined(__x86_64__)	|| \
+    defined(_M_IX86)	|| defined(_M_AMD64)	|| defined(_M_X64) || \
+    defined(__s390__)	|| defined(__s390x__)
 #  undef STRICT_ALIGNMENT
 #endif
 
@@ -77,18 +74,19 @@ typedef unsigned char u8;
 
 /* increment counter (128-bit int) by 1 */
 static void ctr128_inc(unsigned char *counter) {
-	u32 c,n=16;
+	u32 n=16;
+	u8  c;
 
 	do {
-		n -= 4;
-		c = GETU32(counter+n);
-		++c;	c &= 0xFFFFFFFF;
-		PUTU32(counter + n, c);
+		--n;
+		c = counter[n];
+		++c;
+		counter[n] = c;
 		if (c) return;
 	} while (n);
 }
 
-#if !defined(OPENSSL_SMALL_FOORPRINT)
+#if !defined(OPENSSL_SMALL_FOOTPRINT)
 static void ctr128_inc_aligned(unsigned char *counter) {
 	size_t *data,c,n;
 	const union { long one; char little; } is_endian = {1};
@@ -151,14 +149,14 @@ void CRYPTO_ctr128_encrypt(const unsigned char *in, unsigned char *out,
 		while (len>=16) {
 			(*block)(ivec, ecount_buf, key);
 			ctr128_inc_aligned(ivec);
-			for (n=0; n<16; n+=sizeof(size_t))
+			for (; n<16; n+=sizeof(size_t))
 				*(size_t *)(out+n) =
 				*(size_t *)(in+n) ^ *(size_t *)(ecount_buf+n);
 			len -= 16;
 			out += 16;
 			in  += 16;
+			n = 0;
 		}
-		n = 0;
 		if (len) {
 			(*block)(ivec, ecount_buf, key);
  			ctr128_inc_aligned(ivec);

crypto/modes/ofb128.c

@@ -95,14 +95,14 @@ void CRYPTO_ofb128_encrypt(const unsigned char *in, unsigned char *out,
 #endif
 		while (len>=16) {
 			(*block)(ivec, ivec, key);
-			for (n=0; n<16; n+=sizeof(size_t))
+			for (; n<16; n+=sizeof(size_t))
 				*(size_t*)(out+n) =
 				*(size_t*)(in+n) ^ *(size_t*)(ivec+n);
 			len -= 16;
 			out += 16;
 			in  += 16;
+			n = 0;
 		}
-		n = 0;
 		if (len) {
 			(*block)(ivec, ivec, key);
 			while (len--) {

crypto/opensslv.h

@@ -25,11 +25,11 @@
  * (Prior to 0.9.5a beta1, a different scheme was used: MMNNFFRBB for
  *  major minor fix final patch/beta)
  */
-#define OPENSSL_VERSION_NUMBER	0x1000000fL
+#define OPENSSL_VERSION_NUMBER	0x1000001fL
 #ifdef OPENSSL_FIPS
-#define OPENSSL_VERSION_TEXT	"OpenSSL 1.0.0-fips 29 Mar 2010"
+#define OPENSSL_VERSION_TEXT	"OpenSSL 1.0.0a-fips 1 Jun 2010"
 #else
-#define OPENSSL_VERSION_TEXT	"OpenSSL 1.0.0 29 Mar 2010"
+#define OPENSSL_VERSION_TEXT	"OpenSSL 1.0.0a 1 Jun 2010"
 #endif
 #define OPENSSL_VERSION_PTEXT	" part of " OPENSSL_VERSION_TEXT
 

crypto/pem/pem.h

@@ -548,10 +548,11 @@ EVP_PKEY *b2i_PrivateKey_bio(BIO *in);
 EVP_PKEY *b2i_PublicKey_bio(BIO *in);
 int i2b_PrivateKey_bio(BIO *out, EVP_PKEY *pk);
 int i2b_PublicKey_bio(BIO *out, EVP_PKEY *pk);
-
+#ifndef OPENSSL_NO_RC4
 EVP_PKEY *b2i_PVK_bio(BIO *in, pem_password_cb *cb, void *u);
 int i2b_PVK_bio(BIO *out, EVP_PKEY *pk, int enclevel,
 		pem_password_cb *cb, void *u);
+#endif
 
 
 /* BEGIN ERROR CODES */

crypto/pem/pvkfmt.c

@@ -654,6 +654,8 @@ int i2b_PublicKey_bio(BIO *out, EVP_PKEY *pk)
 	return do_i2b_bio(out, pk, 1);
 	}
 
+#ifndef OPENSSL_NO_RC4
+
 static int do_PVK_header(const unsigned char **in, unsigned int length,
 		int skip_magic,
 	       	unsigned int *psaltlen, unsigned int *pkeylen)
@@ -934,4 +936,7 @@ int i2b_PVK_bio(BIO *out, EVP_PKEY *pk, int enclevel,
 		}
 	return -1;
 	}
+
+#endif
+
 #endif

crypto/perlasm/x86_64-xlate.pl

@@ -55,6 +55,8 @@
 #    Win64 prologue copies %rsp value to %rax. For further details
 #    see SEH paragraph at the end.
 # 9. .init segment is allowed to contain calls to functions only.
+# a. If function accepts more than 4 arguments *and* >4th argument
+#    is declared as non 64-bit value, do clear its upper part.
 
 my $flavour = shift;
 my $output  = shift;
@@ -80,7 +82,10 @@ my $PTR=" PTR";
 my $nasmref=2.03;
 my $nasm=0;
 
-if    ($flavour eq "mingw64")	{ $gas=1; $elf=0; $win64=1; $prefix="_"; }
+if    ($flavour eq "mingw64")	{ $gas=1; $elf=0; $win64=1;
+				  $prefix=`echo __USER_LABEL_PREFIX__ | $ENV{CC} -E -P -`;
+				  chomp($prefix);
+				}
 elsif ($flavour eq "macosx")	{ $gas=1; $elf=0; $prefix="_"; $decor="L\$"; }
 elsif ($flavour eq "masm")	{ $gas=0; $elf=0; $masm=$masmref; $win64=1; $decor="\$L\$"; }
 elsif ($flavour eq "nasm")	{ $gas=0; $elf=0; $nasm=$nasmref; $win64=1; $decor="\$L\$"; $PTR=""; }
@@ -115,7 +120,9 @@ my %globals;
 		$self->{op} = $1;
 		$self->{sz} = "b";
 	    } elsif ($self->{op} =~ /call|jmp/) {
-		$self->{sz} = ""
+		$self->{sz} = "";
+	    } elsif ($self->{op} =~ /^p/ && $' !~ /^(ush|op)/) { # SSEn
+		$self->{sz} = "";
 	    } elsif ($self->{op} =~ /([a-z]{3,})([qlwb])$/) {
 		$self->{op} = $1;
 		$self->{sz} = $2;
@@ -191,7 +198,7 @@ my %globals;
 	if ($gas) {
 	    # Solaris /usr/ccs/bin/as can't handle multiplications
 	    # in $self->{value}
-	    $self->{value} =~ s/(?<![0-9a-f])(0[x0-9a-f]+)/oct($1)/egi;
+	    $self->{value} =~ s/(?<![\w\$\.])(0x?[0-9a-f]+)/oct($1)/egi;
 	    $self->{value} =~ s/([0-9]+\s*[\*\/\%]\s*[0-9]+)/eval($1)/eg;
 	    sprintf "\$%s",$self->{value};
 	} else {
@@ -243,7 +250,7 @@ my %globals;
 	    # Solaris /usr/ccs/bin/as can't handle multiplications
 	    # in $self->{label}, new gas requires sign extension...
 	    use integer;
-	    $self->{label} =~ s/(?<![0-9a-f])(0[x0-9a-f]+)/oct($1)/egi;
+	    $self->{label} =~ s/(?<![\w\$\.])(0x?[0-9a-f]+)/oct($1)/egi;
 	    $self->{label} =~ s/([0-9]+\s*[\*\/\%]\s*[0-9]+)/eval($1)/eg;
 	    $self->{label} =~ s/([0-9]+)/$1<<32>>32/eg;
 	    $self->{label} =~ s/^___imp_/__imp__/   if ($flavour eq "mingw64");
@@ -259,7 +266,7 @@ my %globals;
 	    %szmap = ( b=>"BYTE$PTR", w=>"WORD$PTR", l=>"DWORD$PTR", q=>"QWORD$PTR" );
 
 	    $self->{label} =~ s/\./\$/g;
-	    $self->{label} =~ s/0x([0-9a-f]+)/0$1h/ig;
+	    $self->{label} =~ s/(?<![\w\$\.])0x([0-9a-f]+)/0$1h/ig;
 	    $self->{label} = "($self->{label})" if ($self->{label} =~ /[\*\+\-\/]/);
 	    $sz="q" if ($self->{asterisk});
 
@@ -574,11 +581,11 @@ my %globals;
 		/\.align/   && do { $self->{value} = "ALIGN\t".$line; last; };
 		/\.(value|long|rva|quad)/
 			    && do { my $sz  = substr($1,0,1);
-				    my @arr = split(',',$line);
+				    my @arr = split(/,\s*/,$line);
 				    my $last = pop(@arr);
 				    my $conv = sub  {	my $var=shift;
 							$var=~s/^(0b[0-1]+)/oct($1)/eig;
-							$var=~s/0x([0-9a-f]+)/0$1h/ig if ($masm);
+							$var=~s/^0x([0-9a-f]+)/0$1h/ig if ($masm);
 							if ($sz eq "D" && ($current_segment=~/.[px]data/ || $dir eq ".rva"))
 							{ $var=~s/([_a-z\$\@][_a-z0-9\$\@]*)/$nasm?"$1 wrt ..imagebase":"imagerel $1"/egi; }
 							$var;
@@ -590,7 +597,7 @@ my %globals;
 				    $self->{value} .= &$conv($last);
 				    last;
 				  };
-		/\.byte/    && do { my @str=split(",",$line);
+		/\.byte/    && do { my @str=split(/,\s*/,$line);
 				    map(s/(0b[0-1]+)/oct($1)/eig,@str);
 				    map(s/0x([0-9a-f]+)/0$1h/ig,@str) if ($masm);	
 				    while ($#str>15) {
@@ -664,7 +671,7 @@ while($line=<>) {
 		$insn = $opcode->out($#args>=1?$args[$#args]->size():$sz);
 	    } else {
 		$insn = $opcode->out();
-		$insn .= $sz if (map($_->out() =~ /xmm|mmx/,@args));
+		$insn .= $sz if (map($_->out() =~ /x?mm/,@args));
 		@args = reverse(@args);
 		undef $sz if ($nasm && $opcode->mnemonic() eq "lea");
 	    }

crypto/rsa/rsa_pmeth.c

@@ -246,6 +246,8 @@ static int pkey_rsa_verifyrecover(EVP_PKEY_CTX *ctx,
 			ret = int_rsa_verify(EVP_MD_type(rctx->md),
 						NULL, 0, rout, &sltmp,
 					sig, siglen, ctx->pkey->pkey.rsa);
+			if (ret <= 0)
+				return 0;
 			ret = sltmp;
 			}
 		else

crypto/sparccpuid.S

@@ -179,7 +179,7 @@ OPENSSL_atomic_add:
 	ba	.enter
 	nop
 #ifdef __sun
-! Note that you don't have to link with libthread to call thr_yield,
+! Note that you do not have to link with libthread to call thr_yield,
 ! as libc provides a stub, which is overloaded the moment you link
 ! with *either* libpthread or libthread...
 #define	YIELD_CPU	thr_yield

crypto/stack/safestack.h

@@ -179,7 +179,7 @@ DECLARE_SPECIAL_STACK_OF(OPENSSL_BLOCK, void)
 	sk_is_sorted(CHECKED_STACK_OF(type, st))
 
 #define	SKM_ASN1_SET_OF_d2i(type, st, pp, length, d2i_func, free_func, ex_tag, ex_class) \
-	(STACK_OF(type) *)d2i_ASN1_SET(CHECKED_STACK_OF(type, st), \
+  (STACK_OF(type) *)d2i_ASN1_SET((STACK_OF(OPENSSL_BLOCK) **)CHECKED_STACK_OF(type, st), \
 				pp, length, \
 				CHECKED_D2I_OF(type, d2i_func), \
 				CHECKED_SK_FREE_FUNC(type, free_func), \

crypto/symhacks.h

@@ -399,6 +399,12 @@
 #undef dtls1_retransmit_buffered_messages
 #define dtls1_retransmit_buffered_messages	dtls1_retransmit_buffered_msgs
 
+/* Hack some long UI names */
+#undef UI_method_get_prompt_constructor
+#define UI_method_get_prompt_constructor	UI_method_get_prompt_constructr
+#undef UI_method_set_prompt_constructor
+#define UI_method_set_prompt_constructor	UI_method_set_prompt_constructr
+
 #endif /* defined OPENSSL_SYS_VMS */
 
 

crypto/ts/Makefile

@@ -60,7 +60,8 @@ links:
 	@$(PERL) $(TOP)/util/mklink.pl ../../apps $(APPS)
 
 install:
-	@for i in $(EXHEADER) ; \
+	@[ -n "$(INSTALLTOP)" ] # should be set by top Makefile...
+	@headerlist="$(EXHEADER)"; for i in $$headerlist ; \
 	do  \
 	(cp $$i $(INSTALL_PREFIX)$(INSTALLTOP)/include/openssl/$$i; \
 	chmod 644 $(INSTALL_PREFIX)$(INSTALLTOP)/include/openssl/$$i ); \

crypto/x509v3/v3_pci.c

@@ -128,7 +128,12 @@ static int process_pci_value(CONF_VALUE *val,
 			unsigned char *tmp_data2 =
 				string_to_hex(val->value + 4, &val_len);
 
-			if (!tmp_data2) goto err;
+			if (!tmp_data2) 
+				{
+				X509V3err(X509V3_F_PROCESS_PCI_VALUE,X509V3_R_ILLEGAL_HEX_DIGIT);
+				X509V3_conf_err(val);
+				goto err;
+				}
 
 			tmp_data = OPENSSL_realloc((*policy)->data,
 				(*policy)->length + val_len + 1);
@@ -140,6 +145,17 @@ static int process_pci_value(CONF_VALUE *val,
 				(*policy)->length += val_len;
 				(*policy)->data[(*policy)->length] = '\0';
 				}
+			else
+				{
+				OPENSSL_free(tmp_data2);
+				/* realloc failure implies the original data space is b0rked too! */
+				(*policy)->data = NULL;
+				(*policy)->length = 0;
+				X509V3err(X509V3_F_PROCESS_PCI_VALUE,ERR_R_MALLOC_FAILURE);
+				X509V3_conf_err(val);
+				goto err;
+				}
+			OPENSSL_free(tmp_data2);
 			}
 		else if (strncmp(val->value, "file:", 5) == 0)
 			{
@@ -169,6 +185,7 @@ static int process_pci_value(CONF_VALUE *val,
 				(*policy)->length += n;
 				(*policy)->data[(*policy)->length] = '\0';
 				}
+			BIO_free_all(b);
 
 			if (n < 0)
 				{
@@ -190,6 +207,15 @@ static int process_pci_value(CONF_VALUE *val,
 				(*policy)->length += val_len;
 				(*policy)->data[(*policy)->length] = '\0';
 				}
+			else
+				{
+				/* realloc failure implies the original data space is b0rked too! */
+				(*policy)->data = NULL;
+				(*policy)->length = 0;
+				X509V3err(X509V3_F_PROCESS_PCI_VALUE,ERR_R_MALLOC_FAILURE);
+				X509V3_conf_err(val);
+				goto err;
+				}
 			}
 		else
 			{

crypto/x86_64cpuid.pl

@@ -152,7 +152,8 @@ OPENSSL_cleanse:
 	sub	\$1,$arg2
 	lea	1($arg1),$arg1
 	jnz	.Little
-.Lret:	ret
+.Lret:
+	ret
 .align	16
 .Lot:
 	test	\$7,$arg1

doc/crypto/BIO_f_buffer.pod

@@ -31,7 +31,7 @@ BIO_get_buffer_num_lines() returns the number of lines currently buffered.
 
 BIO_set_read_buffer_size(), BIO_set_write_buffer_size() and BIO_set_buffer_size()
 set the read, write or both read and write buffer sizes to B<size>. The initial
-buffer size is DEFAULT_BUFFER_SIZE, currently 1024. Any attempt to reduce the
+buffer size is DEFAULT_BUFFER_SIZE, currently 4096. Any attempt to reduce the
 buffer size below DEFAULT_BUFFER_SIZE is ignored. Any buffered data is cleared
 when the buffer is resized.
 
@@ -66,4 +66,9 @@ there was an error.
 
 =head1 SEE ALSO
 
-TBA
+L<BIO(3)|BIO(3)>,
+L<BIO_reset(3)|BIO_reset(3)>,
+L<BIO_flush(3)|BIO_flush(3)>,
+L<BIO_pop(3)|BIO_pop(3)>,
+L<BIO_ctrl(3)|BIO_ctrl(3)>,
+L<BIO_int_ctrl(3)|BIO_ctrl(3)>

doc/crypto/BIO_s_file.pod

@@ -76,6 +76,10 @@ normally be closed so the BIO_NOCLOSE flag should be set.
 Because the file BIO calls the underlying stdio functions any quirks
 in stdio behaviour will be mirrored by the corresponding BIO.
 
+On Windows BIO_new_files reserves for the filename argument to be
+UTF-8 encoded. In other words if you have to make it work in multi-
+lingual environment, encode file names in UTF-8.
+
 =head1 EXAMPLES
 
 File BIO "hello world":

doc/crypto/BIO_should_retry.pod

@@ -45,7 +45,7 @@ needs to read data.
 BIO_should_io_special() is true if some "special" condition, that is a
 reason other than reading or writing is the cause of the condition.
 
-BIO_get_retry_reason() returns a mask of the cause of a retry condition
+BIO_retry_type() returns a mask of the cause of a retry condition
 consisting of the values B<BIO_FLAGS_READ>, B<BIO_FLAGS_WRITE>,
 B<BIO_FLAGS_IO_SPECIAL> though current BIO types will only set one of
 these.

doc/ssl/SSL_library_init.pod

@@ -15,7 +15,7 @@ SSL_library_init, OpenSSL_add_ssl_algorithms, SSLeay_add_ssl_algorithms
 
 =head1 DESCRIPTION
 
-SSL_library_init() registers the available ciphers and digests.
+SSL_library_init() registers the available SSL/TLS ciphers and digests.
 
 OpenSSL_add_ssl_algorithms() and SSLeay_add_ssl_algorithms() are synonyms
 for SSL_library_init().
@@ -27,24 +27,28 @@ SSL_library_init() is not reentrant.
 
 =head1 WARNING
 
-SSL_library_init() only registers ciphers. Another important initialization
-is the seeding of the PRNG (Pseudo Random Number Generator), which has to
-be performed separately.
+SSL_library_init() adds ciphers and digests used directly and indirectly by
+SSL/TLS.
 
 =head1 EXAMPLES
 
 A typical TLS/SSL application will start with the library initialization,
-will provide readable error messages and will seed the PRNG.
+and provide readable error messages.
 
  SSL_load_error_strings();                /* readable error messages */
  SSL_library_init();                      /* initialize library */
- actions_to_seed_PRNG(); 
 
 =head1 RETURN VALUES
 
 SSL_library_init() always returns "1", so it is safe to discard the return
 value.
 
+=head1 NOTES
+
+OpenSSL 0.9.8o and 1.0.0a and later added SHA2 algorithms to SSL_library_init().
+Applications which need to use SHA2 in earlier versions of OpenSSL should call
+OpenSSL_add_all_algorithms() as well.
+
 =head1 SEE ALSO
 
 L<ssl(3)|ssl(3)>, L<SSL_load_error_strings(3)|SSL_load_error_strings(3)>,

e_os.h

@@ -150,7 +150,6 @@ extern "C" {
 #define clear_socket_error()	WSASetLastError(0)
 #define readsocket(s,b,n)	recv((s),(b),(n),0)
 #define writesocket(s,b,n)	send((s),(b),(n),0)
-#define EADDRINUSE		WSAEADDRINUSE
 #elif defined(__DJGPP__)
 #define WATT32
 #define get_last_socket_error()	errno

engines/ccgost/gost94_keyx.c

@@ -177,7 +177,7 @@ int pkey_GOST94cp_encrypt(EVP_PKEY_CTX *ctx, unsigned char *out, size_t *outlen,
 	ASN1_OBJECT_free(gkt->key_agreement_info->cipher);
 	gkt->key_agreement_info->cipher = OBJ_nid2obj(param->nid);
 	*outlen = i2d_GOST_KEY_TRANSPORT(gkt,out?&out:NULL);
-	if (*outlen == 0)
+	if (*outlen <= 0)
 		{
 		GOSTerr(GOST_F_PKEY_GOST94CP_ENCRYPT,GOST_R_ERROR_PACKING_KEY_TRANSPORT_INFO);
 		goto err;

engines/ccgost/gost_ameth.c

@@ -801,7 +801,7 @@ static int mac_ctrl_gost(EVP_PKEY *pkey, int op, long arg1, void *arg2)
 	switch (op)
 		{
 		case ASN1_PKEY_CTRL_DEFAULT_MD_NID:
-			*(int *)arg2 = NID_undef;
+			*(int *)arg2 = NID_id_Gost28147_89_MAC;
 			return 2;
 		}
 	return -2;

engines/ccgost/gost_crypt.c

@@ -299,7 +299,7 @@ int	gost_cipher_do_cfb(EVP_CIPHER_CTX *ctx, unsigned char *out,
 	if (i<inl)
 		{
 		gost_crypt_mesh(ctx->cipher_data,ctx->iv,ctx->buf);
-		if (!ctx->encrypt) memcpy(ctx->buf+8,in_ptr,j);
+		if (!ctx->encrypt) memcpy(ctx->buf+8,in_ptr,inl-i);
 		for (j=0;i<inl;j++,i++)
 			{
 			out_ptr[j]=ctx->buf[j]^in_ptr[j];
@@ -459,13 +459,15 @@ int  gost89_get_asn1_parameters(EVP_CIPHER_CTX *ctx,ASN1_TYPE *params)
 	int ret = -1;
 	int len; 
 	GOST_CIPHER_PARAMS *gcp = NULL;
-	unsigned char *p = params->value.sequence->data;
+	unsigned char *p;
 	struct ossl_gost_cipher_ctx *c=ctx->cipher_data;
 	if (ASN1_TYPE_get(params) != V_ASN1_SEQUENCE)
 		{
 		return ret;
 		}
 
+	p = params->value.sequence->data;
+
 	gcp = d2i_GOST_CIPHER_PARAMS(NULL, (const unsigned char **)&p,
 		params->value.sequence->length);
 

engines/e_chil.c

@@ -111,11 +111,10 @@ static int hwcrhk_mod_exp(BIGNUM *r, const BIGNUM *a, const BIGNUM *p,
 #ifndef OPENSSL_NO_RSA
 /* RSA stuff */
 static int hwcrhk_rsa_mod_exp(BIGNUM *r, const BIGNUM *I, RSA *rsa, BN_CTX *ctx);
-#endif
-#ifndef OPENSSL_NO_RSA
 /* This function is aliased to mod_exp (with the mont stuff dropped). */
 static int hwcrhk_mod_exp_mont(BIGNUM *r, const BIGNUM *a, const BIGNUM *p,
 		const BIGNUM *m, BN_CTX *ctx, BN_MONT_CTX *m_ctx);
+static int hwcrhk_rsa_finish(RSA *rsa);
 #endif
 
 #ifndef OPENSSL_NO_DH
@@ -135,10 +134,6 @@ static EVP_PKEY *hwcrhk_load_privkey(ENGINE *eng, const char *key_id,
 	UI_METHOD *ui_method, void *callback_data);
 static EVP_PKEY *hwcrhk_load_pubkey(ENGINE *eng, const char *key_id,
 	UI_METHOD *ui_method, void *callback_data);
-#ifndef OPENSSL_NO_RSA
-static void hwcrhk_ex_free(void *obj, void *item, CRYPTO_EX_DATA *ad,
-	int ind,long argl, void *argp);
-#endif
 
 /* Interaction stuff */
 static int hwcrhk_insert_card(const char *prompt_info,
@@ -193,7 +188,7 @@ static RSA_METHOD hwcrhk_rsa =
 	hwcrhk_rsa_mod_exp,
 	hwcrhk_mod_exp_mont,
 	NULL,
-	NULL,
+	hwcrhk_rsa_finish,
 	0,
 	NULL,
 	NULL,
@@ -602,7 +597,7 @@ static int hwcrhk_init(ENGINE *e)
 	if (hndidx_rsa == -1)
 		hndidx_rsa = RSA_get_ex_new_index(0,
 			"nFast HWCryptoHook RSA key handle",
-			NULL, NULL, hwcrhk_ex_free);
+			NULL, NULL, NULL);
 #endif
 	return 1;
 err:
@@ -1078,6 +1073,21 @@ static int hwcrhk_mod_exp_mont(BIGNUM *r, const BIGNUM *a, const BIGNUM *p,
 	{
 	return hwcrhk_mod_exp(r, a, p, m, ctx);
 	}
+
+static int hwcrhk_rsa_finish(RSA *rsa)
+	{
+	HWCryptoHook_RSAKeyHandle *hptr;
+	int ret;
+	hptr = RSA_get_ex_data(rsa, hndidx_rsa);
+	if (hptr)
+                {
+                ret = p_hwcrhk_RSAUnloadKey(*hptr, NULL);
+                OPENSSL_free(hptr);
+		RSA_set_ex_data(rsa, hndidx_rsa, NULL);
+                }
+	return 1;
+	}
+
 #endif
 
 #ifndef OPENSSL_NO_DH
@@ -1136,34 +1146,6 @@ static int hwcrhk_rand_status(void)
 	return 1;
 	}
 
-/* This cleans up an RSA KM key, called when ex_data is freed */
-#ifndef OPENSSL_NO_RSA
-static void hwcrhk_ex_free(void *obj, void *item, CRYPTO_EX_DATA *ad,
-	int ind,long argl, void *argp)
-{
-	char tempbuf[1024];
-	HWCryptoHook_ErrMsgBuf rmsg;
-#ifndef OPENSSL_NO_RSA
-	HWCryptoHook_RSAKeyHandle *hptr;
-#endif
-#if !defined(OPENSSL_NO_RSA)
-	int ret;
-#endif
-
-	rmsg.buf = tempbuf;
-	rmsg.size = sizeof(tempbuf);
-
-#ifndef OPENSSL_NO_RSA
-	hptr = (HWCryptoHook_RSAKeyHandle *) item;
-	if(hptr)
-                {
-                ret = p_hwcrhk_RSAUnloadKey(*hptr, NULL);
-                OPENSSL_free(hptr);
-                }
-#endif
-}
-#endif
-
 /* Mutex calls: since the HWCryptoHook model closely follows the POSIX model
  * these just wrap the POSIX functions and add some logging.
  */

engines/e_ubsec.c

@@ -302,8 +302,8 @@ static t_UBSEC_diffie_hellman_generate_ioctl
 	*p_UBSEC_diffie_hellman_generate_ioctl = NULL;
 static t_UBSEC_diffie_hellman_agree_ioctl *p_UBSEC_diffie_hellman_agree_ioctl = NULL;
 #endif
-static t_UBSEC_rsa_mod_exp_ioctl *p_UBSEC_rsa_mod_exp_ioctl = NULL;
 #ifndef OPENSSL_NO_RSA
+static t_UBSEC_rsa_mod_exp_ioctl *p_UBSEC_rsa_mod_exp_ioctl = NULL;
 static t_UBSEC_rsa_mod_exp_crt_ioctl *p_UBSEC_rsa_mod_exp_crt_ioctl = NULL;
 #endif
 #ifndef OPENSSL_NO_DSA

engines/makeengines.com

@@ -30,17 +30,6 @@ $!	all available engines are built.
 $!
 $!-----------------------------------------------------------------------------
 $!
-$! Set the names of the engines we want to build
-$! NOTE: Some might think this list ugly.  However, it's made this way to
-$! reflect the LIBNAMES variable in Makefile as closely as possible,
-$! thereby making it fairly easy to verify that the lists are the same.
-$! NOTE: gmp isn't built, as it's mostly a test engine and brings in another
-$! library that isn't necessarely ported to VMS.
-$!
-$ ENGINES = "," + P6
-$ IF ENGINES .EQS. "," THEN -
-	ENGINES = ",4758cca,aep,atalla,cswift,chil,nuron,sureware,ubsec,padlock,ccgost"
-$!
 $! Set the default TCP/IP library to link against if needed
 $!
 $ TCPIP_LIB = ""
@@ -52,7 +41,7 @@ $ THEN
 $!
 $!  The Architecture Is VAX.
 $!
-$   ARCH := VAX
+$   ARCH = "VAX"
 $!
 $! Else...
 $!
@@ -67,7 +56,23 @@ $! End The Architecture Check.
 $!
 $ ENDIF
 $!
-$! Set the goal directories, and creat them if necessary
+$! Set the names of the engines we want to build
+$! NOTE: Some might think this list ugly.  However, it's made this way to
+$! reflect the LIBNAMES variable in Makefile as closely as possible,
+$! thereby making it fairly easy to verify that the lists are the same.
+$! NOTE: gmp isn't built, as it's mostly a test engine and brings in another
+$! library that isn't necessarely ported to VMS.
+$!
+$ ENGINES = "," + P6
+$ IF ENGINES .EQS. "," THEN -
+	ENGINES = ",4758cca,aep,atalla,cswift,chil,nuron,sureware,ubsec,padlock,"
+$!
+$! GOST requires a 64-bit integer type, unavailable on VAX.
+$!
+$ IF (ARCH .NES. "VAX") THEN -
+       ENGINES = ENGINES+ ",ccgost"
+$!
+$! Set the goal directories, and create them if necessary
 $!
 $ OBJ_DIR := SYS$DISK:[-.'ARCH'.OBJ.ENGINES]
 $ EXE_DIR := SYS$DISK:[-.'ARCH'.EXE.ENGINES]
@@ -110,7 +115,7 @@ $ ENGINE_chil = "e_chil"
 $ ENGINE_nuron = "e_nuron"
 $ ENGINE_sureware = "e_sureware"
 $ ENGINE_ubsec = "e_ubsec"
-$ ENGINE_ubsec = "e_padlock"
+$ ENGINE_padlock = "e_padlock"
 $
 $ ENGINE_ccgost_SUBDIR = "ccgost"
 $ ENGINE_ccgost = "e_gost_err,gost2001_keyx,gost2001,gost89,gost94_keyx,"+ -
@@ -163,9 +168,12 @@ $ ELSE
 $   WRITE SYS$OUTPUT "Compiling Support Files. (",BUILDALL,")"
 $ ENDIF
 $!
-$!  Create a .OPT file for the object files
+$! Create a .OPT file for the object files (for a real engine name).
 $!
-$ OPEN/WRITE OBJECTS 'EXE_DIR''ENGINE_NAME'.OPT
+$ IF ENGINE_NAME .NES. ""
+$ THEN
+$   OPEN/WRITE OBJECTS 'EXE_DIR''ENGINE_NAME'.OPT
+$ ENDIF
 $!
 $! Here's the start of per-engine module loop.
 $!
@@ -217,23 +225,28 @@ $   MACRO/OBJECT='OBJECT_FILE' 'SOURCE_FILE'
 $ ELSE
 $   CC/OBJECT='OBJECT_FILE' 'SOURCE_FILE'
 $ ENDIF
-$ WRITE OBJECTS OBJECT_FILE
+$!
+$! Write the entry to the .OPT file (for a real engine name).
+$!
+$ IF ENGINE_NAME .NES. ""
+$ THEN
+$   WRITE OBJECTS OBJECT_FILE
+$ ENDIF
 $!
 $! Next file
 $!
 $ GOTO FILE_NEXT
 $!
 $ FILE_DONE:
+$!
+$! Do not link the support files.
+$!
+$ IF ENGINE_NAME .EQS. "" THEN GOTO ENGINE_NEXT
+$!
+$! Close the linker options file (for a real engine name).
+$!
 $ CLOSE OBJECTS
 $!
-$! Do not link the support files.
-$!
-$ IF ENGINE_NAME .EQS. "" THEN GOTO ENGINE_NEXT
-$!
-$! Do not link the support files.
-$!
-$ IF ENGINE_NAME .EQS. "" THEN GOTO ENGINE_NEXT
-$!
 $! Now, there are two ways to handle this.  We can either build 
 $! shareable images or stick the engine object file into libcrypto.
 $! For now, the latter is NOT supported.
@@ -412,13 +425,13 @@ $! Else...
 $!
 $ ELSE
 $!
-$!  Else, Check To See If OPT_PHASE Has A Valid Arguement.
+$!  Else, Check To See If OPT_PHASE Has A Valid Argument.
 $!
 $   IF ("," + ACCEPT_PHASE + ",") - ("," + OPT_PHASE + ",") -
        .NES. ("," + ACCEPT_PHASE + ",")
 $   THEN
 $!
-$!    A Valid Arguement.
+$!    A Valid Argument.
 $!
 $     BUILDALL = OPT_PHASE
 $!
@@ -449,7 +462,7 @@ $!    Time To EXIT.
 $!
 $     EXIT
 $!
-$!  End The Valid Arguement Check.
+$!  End The Valid Argument Check.
 $!
 $   ENDIF
 $!
@@ -502,7 +515,7 @@ $!    Time To EXIT.
 $!
 $     EXIT
 $!
-$!  End The Valid Arguement Check.
+$!  End The Valid Argument Check.
 $!
 $   ENDIF
 $!
@@ -771,7 +784,7 @@ $!  Show user the result
 $!
 $   WRITE/SYMBOL SYS$OUTPUT "Main C Compiling Command: ",CC
 $!
-$!  Else The User Entered An Invalid Arguement.
+$!  Else The User Entered An Invalid Argument.
 $!
 $ ELSE
 $!
@@ -789,7 +802,7 @@ $!  Time To EXIT.
 $!
 $   EXIT
 $!
-$! End The Valid Arguement Check.
+$! End The Valid Argument Check.
 $!
 $ ENDIF
 $!
@@ -885,7 +898,7 @@ $!  Print info
 $!
 $   WRITE SYS$OUTPUT "TCP/IP library spec: ", TCPIP_LIB
 $!
-$!  Else The User Entered An Invalid Arguement.
+$!  Else The User Entered An Invalid Argument.
 $!
 $ ELSE
 $!

makevms.com

@@ -18,8 +18,8 @@ $!
 $! Specify one of the following build options for P1.
 $!
 $!      ALL       Just build "everything".
-$!      CONFIG    Just build the "[.xxx.CRYPTO]OPENSSLCONF.H" file.
-$!      BUILDINF  Just build the "[.xxx.CRYPTO]BUILDINF.H" file.
+$!      CONFIG    Just build the "[.CRYPTO._xxx]OPENSSLCONF.H" file.
+$!      BUILDINF  Just build the "[.CRYPTO._xxx]BUILDINF.H" file.
 $!      SOFTLINKS Just fix the Unix soft links.
 $!      BUILDALL  Same as ALL, except CONFIG, BUILDINF and SOFTILNKS aren't done.
 $!      CRYPTO    Just build the "[.xxx.EXE.CRYPTO]LIBCRYPTO.OLB" library.
@@ -35,7 +35,7 @@ $!
 $! P2 is ignored (it was used to denote if RSAref should be used or not,
 $! and is simply kept so surrounding scripts don't get confused)
 $!
-$! Speficy DEBUG or NODEBUG as P3 to compile with or without debugging
+$! Specify DEBUG or NODEBUG as P3 to compile with or without debugging
 $! information.
 $!
 $! Specify which compiler as P4 to try to compile under.
@@ -46,7 +46,7 @@ $!	  GNUC	 For GNU C.
 $!	  LINK   To only link the programs from existing object files.
 $!               (not yet implemented)
 $!
-$! If you don't speficy a compiler, it will try to determine which
+$! If you don't specify a compiler, it will try to determine which
 $! "C" compiler to use.
 $!
 $! P5, if defined, sets a TCP/IP library to use, through one of the following
@@ -84,7 +84,7 @@ $ THEN
 $!
 $!  The Architecture Is VAX.
 $!
-$   ARCH := VAX
+$   ARCH = "VAX"
 $!
 $! Else...
 $!
@@ -99,6 +99,10 @@ $! End The Architecture Check.
 $!
 $ ENDIF
 $!
+$! Get VMS version.
+$!
+$ VMS_VERSION = f$edit( f$getsyi( "VERSION"), "TRIM")
+$!
 $! Check To Make Sure We Have Valid Command Line Parameters.
 $!
 $ GOSUB CHECK_OPTIONS
@@ -163,32 +167,53 @@ $! Time To EXIT.
 $!
 $ GOTO TIDY
 $!
-$! Rebuild The [.xxx.CRYPTO]OPENSSLCONF.H" file.
+$! Rebuild The [.CRYPTO._xxx]OPENSSLCONF.H" file.
 $!
 $ CONFIG:
 $!
-$! Tell The User We Are Creating The [.xxx.CRYPTO]OPENSSLCONF.H File.
+$! Tell The User We Are Creating The [.CRYPTO._xxx]OPENSSLCONF.H File.
 $!
-$ WRITE SYS$OUTPUT "Creating [.''ARCH'.CRYPTO]OPENSSLCONF.H Include File."
+$ WRITE SYS$OUTPUT "Creating [.CRYPTO._''ARCH']OPENSSLCONF.H Include File."
 $!
 $! First, make sure the directory exists.
 $!
-$ IF F$PARSE("SYS$DISK:[.''ARCH'.CRYPTO]") .EQS. "" THEN -
-     CREATE/DIRECTORY SYS$DISK:[.'ARCH'.CRYPTO]
+$ IF F$PARSE("SYS$DISK:[.CRYPTO._''ARCH']") .EQS. "" THEN -
+     CREATE/DIRECTORY SYS$DISK:[.CRYPTO._'ARCH']
 $!
-$! Create The [.xxx.CRYPTO]OPENSSLCONF.H File.
+$! Different tar/UnZip versions/option may have named the file differently
+$ IF F$SEARCH("[.crypto]opensslconf.h_in") .NES. ""
+$ THEN
+$   OPENSSLCONF_H_IN = "[.crypto]opensslconf.h_in"
+$ ELSE
+$   IF F$SEARCH( "[.crypto]opensslconf_h.in") .NES. ""
+$   THEN
+$     OPENSSLCONF_H_IN = "[.crypto]opensslconf_h.in"
+$   ELSE
+$     ! For ODS-5
+$     IF F$SEARCH( "[.crypto]opensslconf.h.in") .NES. ""
+$     THEN
+$       OPENSSLCONF_H_IN = "[.crypto]opensslconf.h.in"
+$     ELSE
+$       WRITE SYS$ERROR "Couldn't find a [.crypto]opensslconf.h.in.  Exiting!"
+$       $STATUS = %X00018294 ! "%RMS-F-FNF, file not found".
+$       GOTO TIDY
+$     ENDIF
+$   ENDIF
+$ ENDIF
+$!
+$! Create The [.CRYPTO._xxx]OPENSSLCONF.H File.
 $! Make sure it has the right format.
 $!
-$ OSCH_NAME = "SYS$DISK:[.''ARCH'.CRYPTO]OPENSSLCONF.H"
+$ OSCH_NAME = "SYS$DISK:[.CRYPTO._''ARCH']OPENSSLCONF.H"
 $ CREATE /FDL=SYS$INPUT: 'OSCH_NAME'
 RECORD
         FORMAT stream_lf
 $ OPEN /APPEND H_FILE 'OSCH_NAME'
 $!
-$! Write The [.xxx.CRYPTO]OPENSSLCONF.H File.
+$! Write The [.CRYPTO._xxx]OPENSSLCONF.H File.
 $!
 $ WRITE H_FILE "/* This file was automatically built using makevms.com */"
-$ WRITE H_FILE "/* and [.''ARCH'.CRYPTO]OPENSSLCONF.H_IN */"
+$ WRITE H_FILE "/* and ''OPENSSLCONF_H_IN' */"
 $!
 $! Write a few macros that indicate how this system was built.
 $!
@@ -196,75 +221,249 @@ $ WRITE H_FILE ""
 $ WRITE H_FILE "#ifndef OPENSSL_SYS_VMS"
 $ WRITE H_FILE "# define OPENSSL_SYS_VMS"
 $ WRITE H_FILE "#endif"
-$ CONFIG_LOGICALS := NO_ASM,NO_RSA,NO_DSA,NO_DH,NO_MD2,NO_MD5,NO_RIPEMD,WHRLPOOL,-
-	NO_SHA,NO_SHA0,NO_SHA1,NO_DES/NO_MDC2;NO_MDC2,NO_RC2,NO_RC4,NO_RC5,-
-	NO_IDEA,NO_BF,NO_CAST,NO_CAMELLIA,NO_SEED,NO_HMAC,NO_SSL2
-$ CONFIG_LOG_I = 0
-$ CONFIG_LOG_LOOP:
-$   CONFIG_LOG_E1 = F$ELEMENT(CONFIG_LOG_I,",",CONFIG_LOGICALS)
-$   CONFIG_LOG_I = CONFIG_LOG_I + 1
-$   IF CONFIG_LOG_E1 .EQS. "" THEN GOTO CONFIG_LOG_LOOP
-$   IF CONFIG_LOG_E1 .EQS. "," THEN GOTO CONFIG_LOG_LOOP_END
-$   CONFIG_LOG_E2 = F$EDIT(CONFIG_LOG_E1,"TRIM")
-$   CONFIG_LOG_E1 = F$ELEMENT(0,";",CONFIG_LOG_E2)
-$   CONFIG_LOG_E2 = F$ELEMENT(1,";",CONFIG_LOG_E2)
-$   CONFIG_LOG_E0 = F$ELEMENT(0,"/",CONFIG_LOG_E1)
-$   CONFIG_LOG_E1 = F$ELEMENT(1,"/",CONFIG_LOG_E1)
-$   IF F$TRNLNM("OPENSSL_"+CONFIG_LOG_E0)
-$   THEN
-$     WRITE H_FILE "#ifndef OPENSSL_",CONFIG_LOG_E0
-$     WRITE H_FILE "# define OPENSSL_",CONFIG_LOG_E0
-$     WRITE H_FILE "#endif"
-$     IF CONFIG_LOG_E1 .NES. "/"
-$     THEN
-$       WRITE H_FILE "#ifndef OPENSSL_",CONFIG_LOG_E1
-$       WRITE H_FILE "# define OPENSSL_",CONFIG_LOG_E1
-$       WRITE H_FILE "#endif"
-$     ENDIF
-$   ELSE
-$     IF CONFIG_LOG_E2 .NES. ";"
-$     THEN
-$       IF F$TRNLNM("OPENSSL_"+CONFIG_LOG_E2)
-$       THEN
-$         WRITE H_FILE "#ifndef OPENSSL_",CONFIG_LOG_E2
-$         WRITE H_FILE "# define OPENSSL_",CONFIG_LOG_E2
-$         WRITE H_FILE "#endif"
-$       ENDIF
-$     ENDIF
-$   ENDIF
-$   GOTO CONFIG_LOG_LOOP
-$ CONFIG_LOG_LOOP_END:
-$ WRITE H_FILE "#ifndef OPENSSL_NO_STATIC_ENGINE"
-$ WRITE H_FILE "# define OPENSSL_NO_STATIC_ENGINE"
-$ WRITE H_FILE "#endif"
-$ WRITE H_FILE "#ifndef OPENSSL_THREADS"
-$ WRITE H_FILE "# define OPENSSL_THREADS"
-$ WRITE H_FILE "#endif"
-$ WRITE H_FILE "#ifndef OPENSSL_NO_KRB5"
-$ WRITE H_FILE "# define OPENSSL_NO_KRB5"
-$ WRITE H_FILE "#endif"
-$ WRITE H_FILE ""
-$!
-$! Different tar version may have named the file differently
-$ IF F$SEARCH("[.CRYPTO]OPENSSLCONF.H_IN") .NES. ""
+$
+$! One of the best way to figure out what the list should be is to do
+$! the followin on a Unix system:
+$!   grep OPENSSL_NO_ crypto/*/*.h ssl/*.h engines/*.h engines/*/*.h|grep ':# *if'|sed -e 's/^.*def //'|sort|uniq
+$! For that reason, the list will also always end up in alphabetical order
+$ CONFIG_LOGICALS := AES,-
+		     ASM,INLINE_ASM,-
+		     BF,-
+		     BIO,-
+		     BUFFER,-
+		     BUF_FREELISTS,-
+		     CAMELLIA,-
+		     CAST,-
+		     CMS,-
+		     COMP,-
+		     DEPRECATED,-
+		     DES,-
+		     DGRAM,-
+		     DH,-
+		     DSA,-
+		     EC,-
+		     ECDH,-
+		     ECDSA,-
+		     ENGINE,-
+		     ERR,-
+		     EVP,-
+		     FP_API,-
+		     GMP,-
+		     GOST,-
+		     HASH_COMP,-
+		     HMAC,-
+		     IDEA,-
+		     JPAKE,-
+		     KRB5,-
+		     LHASH,-
+		     MD2,-
+		     MD4,-
+		     MD5,-
+		     MDC2,-
+		     OCSP,-
+		     PSK,-
+		     RC2,-
+		     RC4,-
+		     RC5,-
+		     RFC3779,-
+		     RIPEMD,-
+		     RSA,-
+		     SEED,-
+		     SHA,-
+		     SHA0,-
+		     SHA1,-
+		     SHA256,-
+		     SHA512,-
+		     SOCK,-
+		     SSL2,-
+		     STACK,-
+		     STATIC_ENGINE,-
+		     STDIO,-
+		     STORE,-
+		     TLSEXT,-
+		     WHIRLPOOL,-
+		     X509
+$! Add a few that we know about
+$ CONFIG_LOGICALS := 'CONFIG_LOGICALS',-
+		     THREADS
+$! The following rules, which dictate how some algorithm choices affect
+$! others, are picked from Configure.
+$! Quick syntax:
+$!  list = item[ ; list]
+$!  item = algos / dependents
+$!  algos = algo [, algos]
+$!  dependents = dependent [, dependents]
+$! When a list of algos is specified in one item, it means that they must
+$! all be disabled for the rule to apply.
+$! When a list of dependents is specified in one item, it means that they
+$! will all be disabled if the rule applies.
+$! Rules are checked sequentially.  If a rule disables an algorithm, it will
+$! affect all following rules that depend on that algorithm being disabled.
+$! To force something to be enabled or disabled, have no algorithms in the
+$! algos part.
+$ CONFIG_DISABLE_RULES := RIJNDAEL/AES;-
+			  DES/MDC2;-
+			  EC/ECDSA,ECDH;-
+			  MD5/SSL2,SSL3,TLS1;-
+			  SHA/SSL3,TLS1;-
+			  RSA/SSL2;-
+			  RSA,DSA/SSL2;-
+			  DH/SSL3,TLS1;-
+			  TLS1/TLSEXT;-
+			  EC/GOST;-
+			  DSA/GOST;-
+			  DH/GOST;-
+			  /STATIC_ENGINE;-
+			  /KRB5
+$ CONFIG_ENABLE_RULES := ZLIB_DYNAMIC/ZLIB;-
+			 /THREADS
+$
+$! Architecture specific rule addtions
+$ IF ARCH .EQS. "VAX"
 $ THEN
-$   TYPE [.CRYPTO]OPENSSLCONF.H_IN /OUTPUT=H_FILE:
-$ ELSE
-$   IF F$SEARCH("[.CRYPTO]OPENSSLCONF_H.IN") .NES. ""
+$   ! Disable algorithms that require 64 bit integers in C
+$   CONFIG_DISABLE_RULES = CONFIG_DISABLE_RULES + -
+			   ";/GOST" + -
+			   ";/WHIRLPOOL"
+$ ENDIF
+$
+$ CONFIG_LOG_I = 0
+$ CONFIG_LOG_LOOP1:
+$   CONFIG_LOG_E = F$EDIT(F$ELEMENT(CONFIG_LOG_I,",",CONFIG_LOGICALS),"TRIM")
+$   CONFIG_LOG_I = CONFIG_LOG_I + 1
+$   IF CONFIG_LOG_E .EQS. "" THEN GOTO CONFIG_LOG_LOOP1
+$   IF CONFIG_LOG_E .EQS. "," THEN GOTO CONFIG_LOG_LOOP1_END
+$   IF F$TRNLNM("OPENSSL_NO_"+CONFIG_LOG_E)
 $   THEN
-$     TYPE [.CRYPTO]OPENSSLCONF_H.IN /OUTPUT=H_FILE:
+$       CONFIG_DISABLED_'CONFIG_LOG_E' := YES
+$       CONFIG_ENABLED_'CONFIG_LOG_E' := NO
+$	CONFIG_CHANGED_'CONFIG_LOG_E' := YES
 $   ELSE
-$     ! For ODS-5
-$     IF F$SEARCH("[.CRYPTO]OPENSSLCONF.H.IN") .NES. ""
+$       CONFIG_DISABLED_'CONFIG_LOG_E' := NO
+$       CONFIG_ENABLED_'CONFIG_LOG_E' := YES
+$	! Because all algorithms are assumed enabled by default
+$	CONFIG_CHANGED_'CONFIG_LOG_E' := NO
+$   ENDIF
+$   GOTO CONFIG_LOG_LOOP1
+$ CONFIG_LOG_LOOP1_END:
+$
+$! Apply cascading disable rules
+$ CONFIG_DISABLE_I = 0
+$ CONFIG_DISABLE_LOOP0:
+$   CONFIG_DISABLE_E = F$EDIT(F$ELEMENT(CONFIG_DISABLE_I,";",CONFIG_DISABLE_RULES),"TRIM")
+$   CONFIG_DISABLE_I = CONFIG_DISABLE_I + 1
+$   IF CONFIG_DISABLE_E .EQS. "" THEN GOTO CONFIG_DISABLE_LOOP0
+$   IF CONFIG_DISABLE_E .EQS. ";" THEN GOTO CONFIG_DISABLE_LOOP0_END
+$
+$   CONFIG_DISABLE_ALGOS = F$EDIT(F$ELEMENT(0,"/",CONFIG_DISABLE_E),"TRIM")
+$   CONFIG_DISABLE_DEPENDENTS = F$EDIT(F$ELEMENT(1,"/",CONFIG_DISABLE_E),"TRIM")
+$   TO_DISABLE := YES
+$   CONFIG_ALGO_I = 0
+$   CONFIG_DISABLE_LOOP1:
+$     CONFIG_ALGO_E = F$EDIT(F$ELEMENT(CONFIG_ALGO_I,",",CONFIG_DISABLE_ALGOS),"TRIM")
+$     CONFIG_ALGO_I = CONFIG_ALGO_I + 1
+$     IF CONFIG_ALGO_E .EQS. "" THEN GOTO CONFIG_DISABLE_LOOP1
+$     IF CONFIG_ALGO_E .EQS. "," THEN GOTO CONFIG_DISABLE_LOOP1_END
+$     IF F$TYPE(CONFIG_DISABLED_'CONFIG_ALGO_E') .EQS. ""
 $     THEN
-$       TYPE [.CRYPTO]OPENSSLCONF.H.IN /OUTPUT=H_FILE:
+$	TO_DISABLE := NO
 $     ELSE
-$       WRITE SYS$ERROR "Couldn't find a [.CRYPTO]OPENSSLCONF.H_IN.  Exiting!"
-$       $STATUS = %X00018294 ! "%RMS-F-FNF, file not found".
-$       GOTO TIDY
+$	IF .NOT. CONFIG_DISABLED_'CONFIG_ALGO_E' THEN TO_DISABLE := NO
+$     ENDIF
+$     GOTO CONFIG_DISABLE_LOOP1
+$   CONFIG_DISABLE_LOOP1_END:
+$
+$   IF TO_DISABLE
+$   THEN
+$     CONFIG_DEPENDENT_I = 0
+$     CONFIG_DISABLE_LOOP2:
+$	CONFIG_DEPENDENT_E = F$EDIT(F$ELEMENT(CONFIG_DEPENDENT_I,",",CONFIG_DISABLE_DEPENDENTS),"TRIM")
+$	CONFIG_DEPENDENT_I = CONFIG_DEPENDENT_I + 1
+$	IF CONFIG_DEPENDENT_E .EQS. "" THEN GOTO CONFIG_DISABLE_LOOP2
+$	IF CONFIG_DEPENDENT_E .EQS. "," THEN GOTO CONFIG_DISABLE_LOOP2_END
+$       CONFIG_DISABLED_'CONFIG_DEPENDENT_E' := YES
+$       CONFIG_ENABLED_'CONFIG_DEPENDENT_E' := NO
+$	! Better not to assume defaults at this point...
+$	CONFIG_CHANGED_'CONFIG_DEPENDENT_E' := YES
+$	WRITE SYS$ERROR "''CONFIG_DEPENDENT_E' disabled by rule ''CONFIG_DISABLE_E'"
+$	GOTO CONFIG_DISABLE_LOOP2
+$     CONFIG_DISABLE_LOOP2_END:
+$   ENDIF
+$   GOTO CONFIG_DISABLE_LOOP0
+$ CONFIG_DISABLE_LOOP0_END:
+$	
+$! Apply cascading enable rules
+$ CONFIG_ENABLE_I = 0
+$ CONFIG_ENABLE_LOOP0:
+$   CONFIG_ENABLE_E = F$EDIT(F$ELEMENT(CONFIG_ENABLE_I,";",CONFIG_ENABLE_RULES),"TRIM")
+$   CONFIG_ENABLE_I = CONFIG_ENABLE_I + 1
+$   IF CONFIG_ENABLE_E .EQS. "" THEN GOTO CONFIG_ENABLE_LOOP0
+$   IF CONFIG_ENABLE_E .EQS. ";" THEN GOTO CONFIG_ENABLE_LOOP0_END
+$
+$   CONFIG_ENABLE_ALGOS = F$EDIT(F$ELEMENT(0,"/",CONFIG_ENABLE_E),"TRIM")
+$   CONFIG_ENABLE_DEPENDENTS = F$EDIT(F$ELEMENT(1,"/",CONFIG_ENABLE_E),"TRIM")
+$   TO_ENABLE := YES
+$   CONFIG_ALGO_I = 0
+$   CONFIG_ENABLE_LOOP1:
+$     CONFIG_ALGO_E = F$EDIT(F$ELEMENT(CONFIG_ALGO_I,",",CONFIG_ENABLE_ALGOS),"TRIM")
+$     CONFIG_ALGO_I = CONFIG_ALGO_I + 1
+$     IF CONFIG_ALGO_E .EQS. "" THEN GOTO CONFIG_ENABLE_LOOP1
+$     IF CONFIG_ALGO_E .EQS. "," THEN GOTO CONFIG_ENABLE_LOOP1_END
+$     IF F$TYPE(CONFIG_ENABLED_'CONFIG_ALGO_E') .EQS. ""
+$     THEN
+$	TO_ENABLE := NO
+$     ELSE
+$	IF .NOT. CONFIG_ENABLED_'CONFIG_ALGO_E' THEN TO_ENABLE := NO
+$     ENDIF
+$     GOTO CONFIG_ENABLE_LOOP1
+$   CONFIG_ENABLE_LOOP1_END:
+$
+$   IF TO_ENABLE
+$   THEN
+$     CONFIG_DEPENDENT_I = 0
+$     CONFIG_ENABLE_LOOP2:
+$	CONFIG_DEPENDENT_E = F$EDIT(F$ELEMENT(CONFIG_DEPENDENT_I,",",CONFIG_ENABLE_DEPENDENTS),"TRIM")
+$	CONFIG_DEPENDENT_I = CONFIG_DEPENDENT_I + 1
+$	IF CONFIG_DEPENDENT_E .EQS. "" THEN GOTO CONFIG_ENABLE_LOOP2
+$	IF CONFIG_DEPENDENT_E .EQS. "," THEN GOTO CONFIG_ENABLE_LOOP2_END
+$       CONFIG_DISABLED_'CONFIG_DEPENDENT_E' := NO
+$       CONFIG_ENABLED_'CONFIG_DEPENDENT_E' := YES
+$	! Better not to assume defaults at this point...
+$	CONFIG_CHANGED_'CONFIG_DEPENDENT_E' := YES
+$	WRITE SYS$ERROR "''CONFIG_DEPENDENT_E' enabled by rule ''CONFIG_ENABLE_E'"
+$	GOTO CONFIG_ENABLE_LOOP2
+$     CONFIG_ENABLE_LOOP2_END:
+$   ENDIF
+$   GOTO CONFIG_ENABLE_LOOP0
+$ CONFIG_ENABLE_LOOP0_END:
+$
+$! Write to the configuration
+$ CONFIG_LOG_I = 0
+$ CONFIG_LOG_LOOP2:
+$   CONFIG_LOG_E = F$EDIT(F$ELEMENT(CONFIG_LOG_I,",",CONFIG_LOGICALS),"TRIM")
+$   CONFIG_LOG_I = CONFIG_LOG_I + 1
+$   IF CONFIG_LOG_E .EQS. "" THEN GOTO CONFIG_LOG_LOOP2
+$   IF CONFIG_LOG_E .EQS. "," THEN GOTO CONFIG_LOG_LOOP2_END
+$   IF CONFIG_CHANGED_'CONFIG_LOG_E'
+$   THEN
+$     IF CONFIG_DISABLED_'CONFIG_LOG_E'
+$     THEN
+$	WRITE H_FILE "#ifndef OPENSSL_NO_",CONFIG_LOG_E
+$	WRITE H_FILE "# define OPENSSL_NO_",CONFIG_LOG_E
+$	WRITE H_FILE "#endif"
+$     ELSE
+$	WRITE H_FILE "#ifndef OPENSSL_",CONFIG_LOG_E
+$	WRITE H_FILE "# define OPENSSL_",CONFIG_LOG_E
+$	WRITE H_FILE "#endif"
 $     ENDIF
 $   ENDIF
-$ ENDIF
+$   GOTO CONFIG_LOG_LOOP2
+$ CONFIG_LOG_LOOP2_END:
+$!
+$! Add in the common "crypto/opensslconf.h.in".
+$!
+$ TYPE 'OPENSSLCONF_H_IN' /OUTPUT=H_FILE:
+$!
 $ IF ARCH .NES. "VAX"
 $ THEN
 $!
@@ -347,29 +546,29 @@ $!  End
 $!
 $ ENDIF
 $!
-$! Close the [.xxx.CRYPTO]OPENSSLCONF.H file
+$! Close the [.CRYPTO._xxx]OPENSSLCONF.H file
 $!
 $ CLOSE H_FILE
 $!
-$! Purge The [.xxx.CRYPTO]OPENSSLCONF.H file
+$! Purge The [.CRYPTO._xxx]OPENSSLCONF.H file
 $!
-$ PURGE SYS$DISK:[.'ARCH'.CRYPTO]OPENSSLCONF.H
+$ PURGE SYS$DISK:[.CRYPTO._'ARCH']OPENSSLCONF.H
 $!
 $! That's All, Time To RETURN.
 $!
 $ RETURN
 $!
-$! Rebuild The "[.xxx.CRYPTO]BUILDINF.H" file.
+$! Rebuild The "[.CRYPTO._xxx]BUILDINF.H" file.
 $!
 $ BUILDINF:
 $!
-$! Tell The User We Are Creating The [.xxx.CRYPTO]BUILDINF.H File.
+$! Tell The User We Are Creating The [.CRYPTO._xxx]BUILDINF.H File.
 $!
-$ WRITE SYS$OUTPUT "Creating [.''ARCH'.CRYPTO]BUILDINF.H Include File."
+$ WRITE SYS$OUTPUT "Creating [.CRYPTO._''ARCH']BUILDINF.H Include File."
 $!
-$! Create The [.xxx.CRYPTO]BUILDINF.H File.
+$! Create The [.CRYPTO._xxx]BUILDINF.H File.
 $!
-$ BIH_NAME = "SYS$DISK:[.''ARCH'.CRYPTO]BUILDINF.H"
+$ BIH_NAME = "SYS$DISK:[.CRYPTO._''ARCH']BUILDINF.H"
 $ CREATE /FDL=SYS$INPUT: 'BIH_NAME'
 RECORD
         FORMAT stream_lf
@@ -380,19 +579,19 @@ $! Get The Current Date & Time.
 $!
 $ TIME = F$TIME()
 $!
-$! Write The [.xxx.CRYPTO]BUILDINF.H File.
+$! Write The [.CRYPTO._xxx]BUILDINF.H File.
 $!
 $ WRITE H_FILE "#define CFLAGS """" /* Not filled in for now */"
-$ WRITE H_FILE "#define PLATFORM ""VMS ''ARCH' ''VMS_VER'"""
+$ WRITE H_FILE "#define PLATFORM ""VMS ''ARCH' ''VMS_VERSION'"""
 $ WRITE H_FILE "#define DATE ""''TIME'"" "
 $!
-$! Close The [.xxx.CRYPTO]BUILDINF.H File.
+$! Close The [.CRYPTO._xxx]BUILDINF.H File.
 $!
 $ CLOSE H_FILE
 $!
-$! Purge The [.xxx.CRYPTO]BUILDINF.H File.
+$! Purge The [.CRYPTO._xxx]BUILDINF.H File.
 $!
-$ PURGE SYS$DISK:[.'ARCH'.CRYPTO]BUILDINF.H
+$ PURGE SYS$DISK:[.CRYPTO._'ARCH']BUILDINF.H
 $!
 $! That's All, Time To RETURN.
 $!
@@ -404,42 +603,14 @@ $ SOFTLINKS:
 $!
 $! Tell The User We Are Partly Rebuilding The [.APPS] Directory.
 $!
-$ WRITE SYS$OUTPUT "Rebuilding The '[.APPS]MD4.C', '[.APPS]MD5.C' And '[.APPS]RMD160.C' Files."
+$ WRITE SYS$OUTPUT "Rebuilding The '[.APPS]MD4.C' File."
 $!
-$ DELETE SYS$DISK:[.APPS]MD4.C;*,MD5.C;*,RMD160.C;*
+$ DELETE SYS$DISK:[.APPS]MD4.C;*
 $!
 $! Copy MD4.C from [.CRYPTO.MD4] into [.APPS]
 $!
 $ COPY SYS$DISK:[.CRYPTO.MD4]MD4.C SYS$DISK:[.APPS]
 $!
-$! Copy MD5.C from [.CRYPTO.MD5] into [.APPS]
-$!
-$ COPY SYS$DISK:[.CRYPTO.MD5]MD5.C SYS$DISK:[.APPS]
-$!
-$! Copy RMD160.C from [.CRYPTO.RIPEMD] into [.APPS]
-$!
-$ COPY SYS$DISK:[.CRYPTO.RIPEMD]RMD160.C SYS$DISK:[.APPS]
-$!
-$! Tell The User We Are Partly Rebuilding The [.TEST] Directory.
-$!
-$ WRITE SYS$OUTPUT "Rebuilding The '[.TEST]*.C' Files."
-$!
-$! First, We Have To "Rebuild" The "[.TEST]" Directory, So Delete
-$! All The "C" Files That Are Currently There Now.
-$!
-$ DELETE SYS$DISK:[.TEST]*.C;*
-$ DELETE SYS$DISK:[.TEST]EVPTESTS.TXT;*
-$!
-$! Copy all the *TEST.C files from [.CRYPTO...] into [.TEST]
-$!
-$ COPY SYS$DISK:[.CRYPTO.*]%*TEST.C SYS$DISK:[.TEST]
-$ COPY SYS$DISK:[.CRYPTO.SHA]SHA%%%T.C SYS$DISK:[.TEST]
-$ COPY SYS$DISK:[.CRYPTO.EVP]EVPTESTS.TXT SYS$DISK:[.TEST]
-$!
-$! Copy all the *TEST.C files from [.SSL...] into [.TEST]
-$!
-$ COPY SYS$DISK:[.SSL]%*TEST.C SYS$DISK:[.TEST]
-$!
 $! Tell The User We Are Rebuilding The [.INCLUDE.OPENSSL] Directory.
 $!
 $ WRITE SYS$OUTPUT "Rebuilding The '[.INCLUDE.OPENSSL]' Directory."
@@ -532,12 +703,7 @@ $ IF D .EQS. ""
 $ THEN
 $   COPY [.CRYPTO]'tmp' SYS$DISK:[.INCLUDE.OPENSSL] !/LOG
 $ ELSE
-$   IF D .EQS. "_''ARCH'"
-$   THEN
-$     COPY [.'ARCH'.CRYPTO]'tmp' SYS$DISK:[.INCLUDE.OPENSSL] !/LOG
-$   ELSE
-$     COPY [.CRYPTO.'D']'tmp' SYS$DISK:[.INCLUDE.OPENSSL] !/LOG
-$   ENDIF
+$   COPY [.CRYPTO.'D']'tmp' SYS$DISK:[.INCLUDE.OPENSSL] !/LOG
 $ ENDIF
 $ GOTO LOOP_SDIRS
 $ LOOP_SDIRS_END:
@@ -736,7 +902,7 @@ $! Else...
 $!
 $ ELSE
 $!
-$!  Else, Check To See If P1 Has A Valid Arguement.
+$!  Else, Check To See If P1 Has A Valid Argument.
 $!
 $   IF (P1.EQS."CONFIG").OR.(P1.EQS."BUILDINF").OR.(P1.EQS."SOFTLINKS") -
        .OR.(P1.EQS."BUILDALL") -
@@ -745,7 +911,7 @@ $   IF (P1.EQS."CONFIG").OR.(P1.EQS."BUILDINF").OR.(P1.EQS."SOFTLINKS") -
        .OR.(P1.EQS."ENGINES")
 $   THEN
 $!
-$!    A Valid Arguement.
+$!    A Valid Argument.
 $!
 $     BUILDCOMMAND = P1
 $!
@@ -758,13 +924,13 @@ $!
 $     WRITE SYS$OUTPUT ""
 $     WRITE SYS$OUTPUT "USAGE:   @MAKEVMS.COM [Target] [not-used option] [Debug option] <Compiler>"
 $     WRITE SYS$OUTPUT ""
-$     WRITE SYS$OUTPUT "Example: @MAKEVMS.COM ALL """" NODEBUG "
+$     WRITE SYS$OUTPUT "Example: @MAKEVMS.COM ALL NORSAREF NODEBUG "
 $     WRITE SYS$OUTPUT ""
 $     WRITE SYS$OUTPUT "The Target ",P1," Is Invalid.  The Valid Target Options Are:"
 $     WRITE SYS$OUTPUT ""
 $     WRITE SYS$OUTPUT "    ALL      :  Just Build Everything."
-$     WRITE SYS$OUTPUT "    CONFIG   :  Just build the [.xxx.CRYPTO]OPENSSLCONF.H file."
-$     WRITE SYS$OUTPUT "    BUILDINF :  Just build the [.xxx.CRYPTO]BUILDINF.H file."
+$     WRITE SYS$OUTPUT "    CONFIG   :  Just build the [.CRYPTO._xxx]OPENSSLCONF.H file."
+$     WRITE SYS$OUTPUT "    BUILDINF :  Just build the [.CRYPTO._xxx]BUILDINF.H file."
 $     WRITE SYS$OUTPUT "    SOFTLINKS:  Just Fix The Unix soft links."
 $     WRITE SYS$OUTPUT "    BUILDALL :  Same as ALL, except CONFIG, BUILDINF and SOFTILNKS aren't done."
 $     WRITE SYS$OUTPUT "    CRYPTO   :  To Build Just The [.xxx.EXE.CRYPTO]LIBCRYPTO.OLB Library."
@@ -834,7 +1000,7 @@ $!    Time To EXIT.
 $!
 $     GOTO TIDY
 $!
-$!  End The Valid Arguement Check.
+$!  End The Valid Argument Check.
 $!
 $   ENDIF
 $!
@@ -973,7 +1139,7 @@ $!    End The GNU C Check.
 $!
 $     ENDIF
 $!
-$!  Else The User Entered An Invalid Arguement.
+$!  Else The User Entered An Invalid Argument.
 $!
 $   ELSE
 $!
@@ -991,7 +1157,7 @@ $!    Time To EXIT.
 $!
 $     GOTO TIDY
 $!
-$!  End The Valid Arguement Check.
+$!  End The Valid Argument Check.
 $!
 $   ENDIF
 $!
@@ -1098,7 +1264,7 @@ $!  Print info
 $!
 $   WRITE SYS$OUTPUT "TCP/IP library spec: ", TCPIP_LIB
 $!
-$!  Else The User Entered An Invalid Arguement.
+$!  Else The User Entered An Invalid Argument.
 $!
 $ ELSE
 $   IF P5 .NES. ""
@@ -1153,7 +1319,7 @@ $!
 $!  Get The Version Of VMS We Are Using.
 $!
 $   ISSEVEN :=
-$   TMP = F$ELEMENT(0,"-",F$EXTRACT(1,4,F$GETSYI("VERSION")))
+$   TMP = F$ELEMENT(0,"-",F$EXTRACT(1,4,VMS_VERSION))
 $   TMP = F$INTEGER(F$ELEMENT(0,".",TMP)+F$ELEMENT(1,".",TMP))
 $!
 $!  Check To See If The VMS Version Is v7.1 Or Later.

openssl.spec

@@ -2,7 +2,7 @@
 %define libmaj 1
 %define libmin 0
 %define librel 0
-#%define librev a
+%define librev a
 Release: 1
 
 %define openssldir /var/ssl

ssl/d1_both.c

@@ -123,6 +123,37 @@
 #include <openssl/evp.h>
 #include <openssl/x509.h>
 
+#define RSMBLY_BITMASK_SIZE(msg_len) (((msg_len) + 7) / 8)
+
+#define RSMBLY_BITMASK_MARK(bitmask, start, end) { \
+			if ((end) - (start) <= 8) { \
+				long ii; \
+				for (ii = (start); ii < (end); ii++) bitmask[((ii) >> 3)] |= (1 << ((ii) & 7)); \
+			} else { \
+				long ii; \
+				bitmask[((start) >> 3)] |= bitmask_start_values[((start) & 7)]; \
+				for (ii = (((start) >> 3) + 1); ii < ((((end) - 1)) >> 3); ii++) bitmask[ii] = 0xff; \
+				bitmask[(((end) - 1) >> 3)] |= bitmask_end_values[((end) & 7)]; \
+			} }
+
+#define RSMBLY_BITMASK_IS_COMPLETE(bitmask, msg_len, is_complete) { \
+			long ii; \
+			OPENSSL_assert((msg_len) > 0); \
+			is_complete = 1; \
+			if (bitmask[(((msg_len) - 1) >> 3)] != bitmask_end_values[((msg_len) & 7)]) is_complete = 0; \
+			if (is_complete) for (ii = (((msg_len) - 1) >> 3) - 1; ii >= 0 ; ii--) \
+				if (bitmask[ii] != 0xff) { is_complete = 0; break; } }
+
+#if 0
+#define RSMBLY_BITMASK_PRINT(bitmask, msg_len) { \
+			long ii; \
+			printf("bitmask: "); for (ii = 0; ii < (msg_len); ii++) \
+			printf("%d ", (bitmask[ii >> 3] & (1 << (ii & 7))) >> (ii & 7)); \
+			printf("\n"); }
+#endif
+
+static unsigned char bitmask_start_values[] = {0xff, 0xfe, 0xfc, 0xf8, 0xf0, 0xe0, 0xc0, 0x80};
+static unsigned char bitmask_end_values[]   = {0x00, 0x01, 0x03, 0x07, 0x0f, 0x1f, 0x3f, 0x7f};
 
 /* XDTLS:  figure out the right values */
 static unsigned int g_probable_mtu[] = {1500 - 28, 512 - 28, 256 - 28};
@@ -140,10 +171,11 @@ static long dtls1_get_message_fragment(SSL *s, int st1, int stn,
 	long max, int *ok);
 
 static hm_fragment *
-dtls1_hm_fragment_new(unsigned long frag_len)
+dtls1_hm_fragment_new(unsigned long frag_len, int reassembly)
 	{
 	hm_fragment *frag = NULL;
 	unsigned char *buf = NULL;
+	unsigned char *bitmask = NULL;
 
 	frag = (hm_fragment *)OPENSSL_malloc(sizeof(hm_fragment));
 	if ( frag == NULL)
@@ -162,6 +194,21 @@ dtls1_hm_fragment_new(unsigned long frag_len)
 	/* zero length fragment gets zero frag->fragment */
 	frag->fragment = buf;
 
+	/* Initialize reassembly bitmask if necessary */
+	if (reassembly)
+		{
+		bitmask = (unsigned char *)OPENSSL_malloc(RSMBLY_BITMASK_SIZE(frag_len));
+		if (bitmask == NULL)
+			{
+			if (buf != NULL) OPENSSL_free(buf);
+			OPENSSL_free(frag);
+			return NULL;
+			}
+		memset(bitmask, 0, RSMBLY_BITMASK_SIZE(frag_len));
+		}
+
+	frag->reassembly = bitmask;
+
 	return frag;
 	}
 
@@ -169,6 +216,7 @@ static void
 dtls1_hm_fragment_free(hm_fragment *frag)
 	{
 	if (frag->fragment) OPENSSL_free(frag->fragment);
+	if (frag->reassembly) OPENSSL_free(frag->reassembly);
 	OPENSSL_free(frag);
 	}
 
@@ -363,6 +411,8 @@ long dtls1_get_message(SSL *s, int st1, int stn, int mt, long max, int *ok)
 	{
 	int i, al;
 	struct hm_header_st *msg_hdr;
+	unsigned char *p;
+	unsigned long msg_len;
 
 	/* s3->tmp is used to store messages that are unexpected, caused
 	 * by the absence of an optional handshake message */
@@ -382,77 +432,55 @@ long dtls1_get_message(SSL *s, int st1, int stn, int mt, long max, int *ok)
 		}
 
 	msg_hdr = &s->d1->r_msg_hdr;
-	do
-		{
-		if ( msg_hdr->frag_off == 0)
-			{
-			/* s->d1->r_message_header.msg_len = 0; */
-			memset(msg_hdr, 0x00, sizeof(struct hm_header_st));
-			}
+	memset(msg_hdr, 0x00, sizeof(struct hm_header_st));
 
-		i = dtls1_get_message_fragment(s, st1, stn, max, ok);
-		if ( i == DTLS1_HM_BAD_FRAGMENT ||
-			i == DTLS1_HM_FRAGMENT_RETRY)  /* bad fragment received */
-			continue;
-		else if ( i <= 0 && !*ok)
-			return i;
+again:
+	i = dtls1_get_message_fragment(s, st1, stn, max, ok);
+	if ( i == DTLS1_HM_BAD_FRAGMENT ||
+		i == DTLS1_HM_FRAGMENT_RETRY)  /* bad fragment received */
+		goto again;
+	else if ( i <= 0 && !*ok)
+		return i;
 
-		/* Note that s->init_sum is used as a counter summing
-		 * up fragments' lengths: as soon as they sum up to
-		 * handshake packet length, we assume we have got all
-		 * the fragments. Overlapping fragments would cause
-		 * premature termination, so we don't expect overlaps.
-		 * Well, handling overlaps would require something more
-		 * drastic. Indeed, as it is now there is no way to
-		 * tell if out-of-order fragment from the middle was
-		 * the last. '>=' is the best/least we can do to control
-		 * the potential damage caused by malformed overlaps. */
-		if ((unsigned int)s->init_num >= msg_hdr->msg_len)
-			{
-			unsigned char *p = (unsigned char *)s->init_buf->data;
-			unsigned long msg_len = msg_hdr->msg_len;
+	p = (unsigned char *)s->init_buf->data;
+	msg_len = msg_hdr->msg_len;
 
-			/* reconstruct message header as if it was
-			 * sent in single fragment */
-			*(p++) = msg_hdr->type;
-			l2n3(msg_len,p);
-			s2n (msg_hdr->seq,p);
-			l2n3(0,p);
-			l2n3(msg_len,p);
-			if (s->version != DTLS1_BAD_VER) {
-				p       -= DTLS1_HM_HEADER_LENGTH;
-				msg_len += DTLS1_HM_HEADER_LENGTH;
-			}
+	/* reconstruct message header */
+	*(p++) = msg_hdr->type;
+	l2n3(msg_len,p);
+	s2n (msg_hdr->seq,p);
+	l2n3(0,p);
+	l2n3(msg_len,p);
+	if (s->version != DTLS1_BAD_VER) {
+		p       -= DTLS1_HM_HEADER_LENGTH;
+		msg_len += DTLS1_HM_HEADER_LENGTH;
+	}
 
-			ssl3_finish_mac(s, p, msg_len);
-			if (s->msg_callback)
-				s->msg_callback(0, s->version, SSL3_RT_HANDSHAKE,
-					p, msg_len,
-					s, s->msg_callback_arg);
+	ssl3_finish_mac(s, p, msg_len);
+	if (s->msg_callback)
+		s->msg_callback(0, s->version, SSL3_RT_HANDSHAKE,
+			p, msg_len,
+			s, s->msg_callback_arg);
 
-			memset(msg_hdr, 0x00, sizeof(struct hm_header_st));
+	memset(msg_hdr, 0x00, sizeof(struct hm_header_st));
 
-			s->d1->handshake_read_seq++;
-			/* we just read a handshake message from the other side:
-			 * this means that we don't need to retransmit of the
-			 * buffered messages.  
-			 * XDTLS: may be able clear out this
-			 * buffer a little sooner (i.e if an out-of-order
-			 * handshake message/record is received at the record
-			 * layer.  
-			 * XDTLS: exception is that the server needs to
-			 * know that change cipher spec and finished messages
-			 * have been received by the client before clearing this
-			 * buffer.  this can simply be done by waiting for the
-			 * first data  segment, but is there a better way?  */
-			dtls1_clear_record_buffer(s);
+	s->d1->handshake_read_seq++;
+	/* we just read a handshake message from the other side:
+	 * this means that we don't need to retransmit of the
+	 * buffered messages.  
+	 * XDTLS: may be able clear out this
+	 * buffer a little sooner (i.e if an out-of-order
+	 * handshake message/record is received at the record
+	 * layer.  
+	 * XDTLS: exception is that the server needs to
+	 * know that change cipher spec and finished messages
+	 * have been received by the client before clearing this
+	 * buffer.  this can simply be done by waiting for the
+	 * first data  segment, but is there a better way?  */
+	dtls1_clear_record_buffer(s);
 
-			s->init_msg = s->init_buf->data + DTLS1_HM_HEADER_LENGTH;
-			return s->init_num;
-			}
-		else
-			msg_hdr->frag_off = i;
-		} while(1) ;
+	s->init_msg = s->init_buf->data + DTLS1_HM_HEADER_LENGTH;
+	return s->init_num;
 
 f_err:
 	ssl3_send_alert(s,SSL3_AL_FATAL,al);
@@ -528,6 +556,10 @@ dtls1_retrieve_buffered_fragment(SSL *s, long max, int *ok)
 		return 0;
 
 	frag = (hm_fragment *)item->data;
+	
+	/* Don't return if reassembly still in progress */
+	if (frag->reassembly != NULL)
+		return 0;
 
 	if ( s->d1->handshake_read_seq == frag->msg_header.seq)
 		{
@@ -562,6 +594,109 @@ dtls1_retrieve_buffered_fragment(SSL *s, long max, int *ok)
 	}
 
 
+static int
+dtls1_reassemble_fragment(SSL *s, struct hm_header_st* msg_hdr, int *ok)
+	{
+	hm_fragment *frag = NULL;
+	pitem *item = NULL;
+	int i = -1, is_complete;
+	unsigned char seq64be[8];
+	unsigned long frag_len = msg_hdr->frag_len, max_len;
+
+	if ((msg_hdr->frag_off+frag_len) > msg_hdr->msg_len)
+		goto err;
+
+	/* Determine maximum allowed message size. Depends on (user set)
+	 * maximum certificate length, but 16k is minimum.
+	 */
+	if (DTLS1_HM_HEADER_LENGTH + SSL3_RT_MAX_ENCRYPTED_LENGTH < s->max_cert_list)
+		max_len = s->max_cert_list;
+	else
+		max_len = DTLS1_HM_HEADER_LENGTH + SSL3_RT_MAX_ENCRYPTED_LENGTH;
+
+	if ((msg_hdr->frag_off+frag_len) > max_len)
+		goto err;
+
+	/* Try to find item in queue */
+	memset(seq64be,0,sizeof(seq64be));
+	seq64be[6] = (unsigned char) (msg_hdr->seq>>8);
+	seq64be[7] = (unsigned char) msg_hdr->seq;
+	item = pqueue_find(s->d1->buffered_messages, seq64be);
+
+	if (item == NULL)
+		{
+		frag = dtls1_hm_fragment_new(msg_hdr->msg_len, 1);
+		if ( frag == NULL)
+			goto err;
+		memcpy(&(frag->msg_header), msg_hdr, sizeof(*msg_hdr));
+		frag->msg_header.frag_len = frag->msg_header.msg_len;
+		frag->msg_header.frag_off = 0;
+		}
+	else
+		frag = (hm_fragment*) item->data;
+
+	/* If message is already reassembled, this must be a
+	 * retransmit and can be dropped.
+	 */
+	if (frag->reassembly == NULL)
+		{
+		unsigned char devnull [256];
+
+		while (frag_len)
+			{
+			i = s->method->ssl_read_bytes(s,SSL3_RT_HANDSHAKE,
+				devnull,
+				frag_len>sizeof(devnull)?sizeof(devnull):frag_len,0);
+			if (i<=0) goto err;
+			frag_len -= i;
+			}
+		return DTLS1_HM_FRAGMENT_RETRY;
+		}
+
+	/* read the body of the fragment (header has already been read */
+	i = s->method->ssl_read_bytes(s,SSL3_RT_HANDSHAKE,
+		frag->fragment + msg_hdr->frag_off,frag_len,0);
+	if (i<=0 || (unsigned long)i!=frag_len)
+		goto err;
+
+	RSMBLY_BITMASK_MARK(frag->reassembly, (long)msg_hdr->frag_off,
+	                    (long)(msg_hdr->frag_off + frag_len));
+
+	RSMBLY_BITMASK_IS_COMPLETE(frag->reassembly, (long)msg_hdr->msg_len,
+	                           is_complete);
+
+	if (is_complete)
+		{
+		OPENSSL_free(frag->reassembly);
+		frag->reassembly = NULL;
+		}
+
+	if (item == NULL)
+		{
+		memset(seq64be,0,sizeof(seq64be));
+		seq64be[6] = (unsigned char)(msg_hdr->seq>>8);
+		seq64be[7] = (unsigned char)(msg_hdr->seq);
+
+		item = pitem_new(seq64be, frag);
+		if (item == NULL)
+			{
+			goto err;
+			i = -1;
+			}
+
+		pqueue_insert(s->d1->buffered_messages, item);
+		}
+
+	return DTLS1_HM_FRAGMENT_RETRY;
+
+err:
+	if (frag != NULL) dtls1_hm_fragment_free(frag);
+	if (item != NULL) OPENSSL_free(item);
+	*ok = 0;
+	return i;
+	}
+
+
 static int
 dtls1_process_out_of_seq_message(SSL *s, struct hm_header_st* msg_hdr, int *ok)
 {
@@ -579,7 +714,13 @@ dtls1_process_out_of_seq_message(SSL *s, struct hm_header_st* msg_hdr, int *ok)
 	seq64be[6] = (unsigned char) (msg_hdr->seq>>8);
 	seq64be[7] = (unsigned char) msg_hdr->seq;
 	item = pqueue_find(s->d1->buffered_messages, seq64be);
-	
+
+	/* If we already have an entry and this one is a fragment,
+	 * don't discard it and rather try to reassemble it.
+	 */
+	if (item != NULL && frag_len < msg_hdr->msg_len)
+		item = NULL;
+
 	/* Discard the message if sequence number was already there, is
 	 * too far in the future, already in the queue or if we received
 	 * a FINISHED before the SERVER_HELLO, which then must be a stale
@@ -600,20 +741,25 @@ dtls1_process_out_of_seq_message(SSL *s, struct hm_header_st* msg_hdr, int *ok)
 			frag_len -= i;
 			}
 		}
-
-	if (frag_len)
+	else
 		{
-		frag = dtls1_hm_fragment_new(frag_len);
+		if (frag_len && frag_len < msg_hdr->msg_len)
+			return dtls1_reassemble_fragment(s, msg_hdr, ok);
+
+		frag = dtls1_hm_fragment_new(frag_len, 0);
 		if ( frag == NULL)
 			goto err;
 
 		memcpy(&(frag->msg_header), msg_hdr, sizeof(*msg_hdr));
 
-		/* read the body of the fragment (header has already been read */
-		i = s->method->ssl_read_bytes(s,SSL3_RT_HANDSHAKE,
-			frag->fragment,frag_len,0);
-		if (i<=0 || (unsigned long)i!=frag_len)
-			goto err;
+		if (frag_len)
+			{
+			/* read the body of the fragment (header has already been read */
+			i = s->method->ssl_read_bytes(s,SSL3_RT_HANDSHAKE,
+				frag->fragment,frag_len,0);
+			if (i<=0 || (unsigned long)i!=frag_len)
+				goto err;
+			}
 
 		memset(seq64be,0,sizeof(seq64be));
 		seq64be[6] = (unsigned char)(msg_hdr->seq>>8);
@@ -640,14 +786,14 @@ static long
 dtls1_get_message_fragment(SSL *s, int st1, int stn, long max, int *ok)
 	{
 	unsigned char wire[DTLS1_HM_HEADER_LENGTH];
-	unsigned long l, frag_off, frag_len;
+	unsigned long len, frag_off, frag_len;
 	int i,al;
 	struct hm_header_st msg_hdr;
 
 	/* see if we have the required fragment already */
 	if ((frag_len = dtls1_retrieve_buffered_fragment(s,max,ok)) || *ok)
 		{
-		if (*ok)	s->init_num += frag_len;
+		if (*ok)	s->init_num = frag_len;
 		return frag_len;
 		}
 
@@ -672,10 +818,13 @@ dtls1_get_message_fragment(SSL *s, int st1, int stn, long max, int *ok)
 	if ( msg_hdr.seq != s->d1->handshake_read_seq)
 		return dtls1_process_out_of_seq_message(s, &msg_hdr, ok);
 
-	l = msg_hdr.msg_len;
+	len = msg_hdr.msg_len;
 	frag_off = msg_hdr.frag_off;
 	frag_len = msg_hdr.frag_len;
 
+	if (frag_len && frag_len < len)
+		return dtls1_reassemble_fragment(s, &msg_hdr, ok);
+
 	if (!s->server && s->d1->r_msg_hdr.frag_off == 0 &&
 		wire[0] == SSL3_MT_HELLO_REQUEST)
 		{
@@ -735,7 +884,7 @@ dtls1_get_message_fragment(SSL *s, int st1, int stn, long max, int *ok)
 	 * s->init_buf->data, but as a counter summing up fragments'
 	 * lengths: as soon as they sum up to handshake packet
 	 * length, we assume we have got all the fragments. */
-	s->init_num += frag_len;
+	s->init_num = frag_len;
 	return frag_len;
 
 f_err:
@@ -1010,7 +1159,7 @@ dtls1_buffer_message(SSL *s, int is_ccs)
 	 * been serialized */
 	OPENSSL_assert(s->init_off == 0);
 
-	frag = dtls1_hm_fragment_new(s->init_num);
+	frag = dtls1_hm_fragment_new(s->init_num, 0);
 
 	memcpy(frag->fragment, s->init_buf->data, s->init_num);
 

ssl/d1_lib.c

@@ -283,6 +283,16 @@ struct timeval* dtls1_get_timeout(SSL *s, struct timeval* timeleft)
 		timeleft->tv_usec += 1000000;
 		}
 
+	/* If remaining time is less than 15 ms, set it to 0
+	 * to prevent issues because of small devergences with
+	 * socket timeouts.
+	 */
+	if (timeleft->tv_sec == 0 && timeleft->tv_usec < 15000)
+		{
+		memset(timeleft, 0, sizeof(struct timeval));
+		}
+	
+
 	return timeleft;
 	}
 

ssl/d1_pkt.c

@@ -196,6 +196,9 @@ dtls1_copy_record(SSL *s, pitem *item)
     s->packet_length = rdata->packet_length;
     memcpy(&(s->s3->rbuf), &(rdata->rbuf), sizeof(SSL3_BUFFER));
     memcpy(&(s->s3->rrec), &(rdata->rrec), sizeof(SSL3_RECORD));
+	
+	/* Set proper sequence number for mac calculation */
+	memcpy(&(s->s3->read_sequence[2]), &(rdata->packet[5]), 6);
     
     return(1);
     }
@@ -414,7 +417,7 @@ dtls1_process_record(SSL *s)
 			goto err;
 
 		/* otherwise enc_err == -1 */
-		goto decryption_failed_or_bad_record_mac;
+		goto err;
 		}
 
 #ifdef TLS_DEBUG
@@ -444,7 +447,7 @@ printf("\n");
 			SSLerr(SSL_F_DTLS1_PROCESS_RECORD,SSL_R_PRE_MAC_LENGTH_TOO_LONG);
 			goto f_err;
 #else
-			goto decryption_failed_or_bad_record_mac;
+			goto err;
 #endif			
 			}
 		/* check the MAC for rr->input (it's in mac_size bytes at the tail) */
@@ -455,14 +458,14 @@ printf("\n");
 			SSLerr(SSL_F_DTLS1_PROCESS_RECORD,SSL_R_LENGTH_TOO_SHORT);
 			goto f_err;
 #else
-			goto decryption_failed_or_bad_record_mac;
+			goto err;
 #endif
 			}
 		rr->length-=mac_size;
 		i=s->method->ssl3_enc->mac(s,md,0);
 		if (i < 0 || memcmp(md,&(rr->data[rr->length]),mac_size) != 0)
 			{
-			goto decryption_failed_or_bad_record_mac;
+			goto err;
 			}
 		}
 
@@ -504,14 +507,6 @@ printf("\n");
 	dtls1_record_bitmap_update(s, &(s->d1->bitmap));/* Mark receipt of record. */
 	return(1);
 
-decryption_failed_or_bad_record_mac:
-	/* Separate 'decryption_failed' alert was introduced with TLS 1.0,
-	 * SSL 3.0 only has 'bad_record_mac'.  But unless a decryption
-	 * failure is directly visible from the ciphertext anyway,
-	 * we should not reveal which kind of error occured -- this
-	 * might become visible to an attacker (e.g. via logfile) */
-	al=SSL_AD_BAD_RECORD_MAC;
-	SSLerr(SSL_F_DTLS1_PROCESS_RECORD,SSL_R_DECRYPTION_FAILED_OR_BAD_RECORD_MAC);
 f_err:
 	ssl3_send_alert(s,SSL3_AL_FATAL,al);
 err:
@@ -544,8 +539,7 @@ int dtls1_get_record(SSL *s)
 
 	/* The epoch may have changed.  If so, process all the
 	 * pending records.  This is a non-blocking operation. */
-	if ( ! dtls1_process_buffered_records(s))
-            return 0;
+	dtls1_process_buffered_records(s);
 
 	/* if we're renegotiating, then there may be buffered records */
 	if (dtls1_get_processed_record(s))
@@ -667,21 +661,25 @@ again:
 	if (rr->length == 0) goto again;
 
 	/* If this record is from the next epoch (either HM or ALERT),
-	 * buffer it since it cannot be processed at this time. Records
-	 * from the next epoch are marked as received even though they
-	 * are not processed, so as to prevent any potential resource
-	 * DoS attack */
+	 * and a handshake is currently in progress, buffer it since it
+	 * cannot be processed at this time. */
 	if (is_next_epoch)
 		{
-		dtls1_record_bitmap_update(s, bitmap);
-		dtls1_buffer_record(s, &(s->d1->unprocessed_rcds), rr->seq_num);
+		if (SSL_in_init(s) || s->in_handshake)
+			{
+			dtls1_buffer_record(s, &(s->d1->unprocessed_rcds), rr->seq_num);
+			}
 		rr->length = 0;
 		s->packet_length = 0;
 		goto again;
 		}
 
-	if ( ! dtls1_process_record(s))
-		return(0);
+	if (!dtls1_process_record(s))
+		{
+		rr->length = 0;
+		s->packet_length = 0;  /* dump this record */
+		goto again;   /* get another record */
+		}
 
 	dtls1_clear_timeouts(s);  /* done waiting */
 	return(1);
@@ -809,7 +807,7 @@ start:
 		 * buffer the application data for later processing rather
 		 * than dropping the connection.
 		 */
-		dtls1_buffer_record(s, &(s->d1->buffered_app_data), 0);
+		dtls1_buffer_record(s, &(s->d1->buffered_app_data), rr->seq_num);
 		rr->length = 0;
 		goto start;
 		}

ssl/dtls1.h

@@ -167,6 +167,7 @@ typedef struct hm_fragment_st
 	{
 	struct hm_header_st msg_header;
 	unsigned char *fragment;
+	unsigned char *reassembly;
 	} hm_fragment;
 
 typedef struct dtls1_state_st

ssl/ssl-lib.com

@@ -30,7 +30,7 @@ $!	   VAXC	 For VAX C.
 $!	   DECC	 For DEC C.
 $!	   GNUC	 For GNU C.
 $!
-$!  If you don't speficy a compiler, it will try to determine which
+$!  If you don't specify a compiler, it will try to determine which
 $!  "C" compiler to use.
 $!
 $!  P4, if defined, sets a TCP/IP library to use, through one of the following
@@ -55,7 +55,7 @@ $ THEN
 $!
 $!  The Architecture Is VAX.
 $!
-$   ARCH := VAX
+$   ARCH = "VAX"
 $!
 $! Else...
 $!
@@ -524,12 +524,12 @@ $! Else...
 $!
 $ ELSE
 $!
-$!  Else, Check To See If P1 Has A Valid Arguement.
+$!  Else, Check To See If P1 Has A Valid Argument.
 $!
 $   IF (P1.EQS."LIBRARY").OR.(P1.EQS."SSL_TASK")
 $   THEN
 $!
-$!    A Valid Arguement.
+$!    A Valid Argument.
 $!
 $     BUILDALL = P1
 $!
@@ -557,7 +557,7 @@ $!    Time To EXIT.
 $!
 $     EXIT
 $!
-$!  End The Valid Arguement Check.
+$!  End The Valid Argument Check.
 $!
 $   ENDIF
 $!
@@ -611,7 +611,7 @@ $!    Time To EXIT.
 $!
 $     EXIT
 $!
-$!  End The Valid Arguement Check.
+$!  End The Valid Argument Check.
 $!
 $   ENDIF
 $!
@@ -893,7 +893,7 @@ $!  Show user the result
 $!
 $   WRITE/SYMBOL SYS$OUTPUT "Main Compiling Command: ",CC
 $!
-$!  Else The User Entered An Invalid Arguement.
+$!  Else The User Entered An Invalid Argument.
 $!
 $ ELSE
 $!
@@ -994,7 +994,7 @@ $!  Print info
 $!
 $   WRITE SYS$OUTPUT "TCP/IP library spec: ", TCPIP_LIB
 $!
-$!  Else The User Entered An Invalid Arguement.
+$!  Else The User Entered An Invalid Argument.
 $!
 $ ELSE
 $!

ssl/ssl_algs.c

@@ -105,6 +105,14 @@ int SSL_library_init(void)
 	EVP_add_digest_alias(SN_sha1,"ssl3-sha1");
 	EVP_add_digest_alias(SN_sha1WithRSAEncryption,SN_sha1WithRSA);
 #endif
+#ifndef OPENSSL_NO_SHA256
+	EVP_add_digest(EVP_sha224());
+	EVP_add_digest(EVP_sha256());
+#endif
+#ifndef OPENSSL_NO_SHA512
+	EVP_add_digest(EVP_sha384());
+	EVP_add_digest(EVP_sha512());
+#endif
 #if !defined(OPENSSL_NO_SHA) && !defined(OPENSSL_NO_DSA)
 	EVP_add_digest(EVP_dss1()); /* DSA with sha1 */
 	EVP_add_digest_alias(SN_dsaWithSHA1,SN_dsaWithSHA1_2);

ssl/t1_enc.c

@@ -148,7 +148,7 @@
 #endif
 
 /* seed1 through seed5 are virtually concatenated */
-static void tls1_P_hash(const EVP_MD *md, const unsigned char *sec,
+static int tls1_P_hash(const EVP_MD *md, const unsigned char *sec,
 			int sec_len,
 			const void *seed1, int seed1_len,
 			const void *seed2, int seed2_len,
@@ -163,55 +163,79 @@ static void tls1_P_hash(const EVP_MD *md, const unsigned char *sec,
 	HMAC_CTX ctx_tmp;
 	unsigned char A1[EVP_MAX_MD_SIZE];
 	unsigned int A1_len;
+	int ret = 0;
 	
 	chunk=EVP_MD_size(md);
 	OPENSSL_assert(chunk >= 0);
 
 	HMAC_CTX_init(&ctx);
 	HMAC_CTX_init(&ctx_tmp);
-	HMAC_Init_ex(&ctx,sec,sec_len,md, NULL);
-	HMAC_Init_ex(&ctx_tmp,sec,sec_len,md, NULL);
-	if (seed1 != NULL) HMAC_Update(&ctx,seed1,seed1_len);
-	if (seed2 != NULL) HMAC_Update(&ctx,seed2,seed2_len);
-	if (seed3 != NULL) HMAC_Update(&ctx,seed3,seed3_len);
-	if (seed4 != NULL) HMAC_Update(&ctx,seed4,seed4_len);
-	if (seed5 != NULL) HMAC_Update(&ctx,seed5,seed5_len);
-	HMAC_Final(&ctx,A1,&A1_len);
+	if (!HMAC_Init_ex(&ctx,sec,sec_len,md, NULL))
+		goto err;
+	if (!HMAC_Init_ex(&ctx_tmp,sec,sec_len,md, NULL))
+		goto err;
+	if (seed1 != NULL && !HMAC_Update(&ctx,seed1,seed1_len))
+		goto err;
+	if (seed2 != NULL && !HMAC_Update(&ctx,seed2,seed2_len))
+		goto err;
+	if (seed3 != NULL && !HMAC_Update(&ctx,seed3,seed3_len))
+		goto err;
+	if (seed4 != NULL && !HMAC_Update(&ctx,seed4,seed4_len))
+		goto err;
+	if (seed5 != NULL && !HMAC_Update(&ctx,seed5,seed5_len))
+		goto err;
+	if (!HMAC_Final(&ctx,A1,&A1_len))
+		goto err;
 
 	n=0;
 	for (;;)
 		{
-		HMAC_Init_ex(&ctx,NULL,0,NULL,NULL); /* re-init */
-		HMAC_Init_ex(&ctx_tmp,NULL,0,NULL,NULL); /* re-init */
-		HMAC_Update(&ctx,A1,A1_len);
-		HMAC_Update(&ctx_tmp,A1,A1_len);
-		if (seed1 != NULL) HMAC_Update(&ctx,seed1,seed1_len);
-		if (seed2 != NULL) HMAC_Update(&ctx,seed2,seed2_len);
-		if (seed3 != NULL) HMAC_Update(&ctx,seed3,seed3_len);
-		if (seed4 != NULL) HMAC_Update(&ctx,seed4,seed4_len);
-		if (seed5 != NULL) HMAC_Update(&ctx,seed5,seed5_len);
+		if (!HMAC_Init_ex(&ctx,NULL,0,NULL,NULL)) /* re-init */
+			goto err;
+		if (!HMAC_Init_ex(&ctx_tmp,NULL,0,NULL,NULL)) /* re-init */
+			goto err;
+		if (!HMAC_Update(&ctx,A1,A1_len))
+			goto err;
+		if (!HMAC_Update(&ctx_tmp,A1,A1_len))
+			goto err;
+		if (seed1 != NULL && !HMAC_Update(&ctx,seed1,seed1_len))
+			goto err;
+		if (seed2 != NULL && !HMAC_Update(&ctx,seed2,seed2_len))
+			goto err;
+		if (seed3 != NULL && !HMAC_Update(&ctx,seed3,seed3_len))
+			goto err;
+		if (seed4 != NULL && !HMAC_Update(&ctx,seed4,seed4_len))
+			goto err;
+		if (seed5 != NULL && !HMAC_Update(&ctx,seed5,seed5_len))
+			goto err;
 
 		if (olen > chunk)
 			{
-			HMAC_Final(&ctx,out,&j);
+			if (!HMAC_Final(&ctx,out,&j))
+				goto err;
 			out+=j;
 			olen-=j;
-			HMAC_Final(&ctx_tmp,A1,&A1_len); /* calc the next A1 value */
+			if (!HMAC_Final(&ctx_tmp,A1,&A1_len)) /* calc the next A1 value */
+				goto err;
 			}
 		else	/* last one */
 			{
-			HMAC_Final(&ctx,A1,&A1_len);
+			if (!HMAC_Final(&ctx,A1,&A1_len))
+				goto err;
 			memcpy(out,A1,olen);
 			break;
 			}
 		}
+	ret = 1;
+err:
 	HMAC_CTX_cleanup(&ctx);
 	HMAC_CTX_cleanup(&ctx_tmp);
 	OPENSSL_cleanse(A1,sizeof(A1));
+	return ret;
 	}
 
 /* seed1 through seed5 are virtually concatenated */
-static void tls1_PRF(long digest_mask,
+static int tls1_PRF(long digest_mask,
 		     const void *seed1, int seed1_len,
 		     const void *seed2, int seed2_len,
 		     const void *seed3, int seed3_len,
@@ -225,6 +249,7 @@ static void tls1_PRF(long digest_mask,
 	const unsigned char *S1;
 	long m;
 	const EVP_MD *md;
+	int ret = 0;
 
 	/* Count number of digests and partition sec evenly */
 	count=0;
@@ -239,11 +264,12 @@ static void tls1_PRF(long digest_mask,
 			if (!md) {
 				SSLerr(SSL_F_TLS1_PRF,
 				SSL_R_UNSUPPORTED_DIGEST_TYPE);
-				return;				
+				goto err;				
 			}
-			tls1_P_hash(md ,S1,len+(slen&1),
-			            seed1,seed1_len,seed2,seed2_len,seed3,seed3_len,seed4,seed4_len,seed5,seed5_len,
-			            out2,olen);
+			if (!tls1_P_hash(md ,S1,len+(slen&1),
+					seed1,seed1_len,seed2,seed2_len,seed3,seed3_len,seed4,seed4_len,seed5,seed5_len,
+					out2,olen))
+				goto err;
 			S1+=len;
 			for (i=0; i<olen; i++)
 			{
@@ -251,12 +277,15 @@ static void tls1_PRF(long digest_mask,
 			}
 		}
 	}
-
+	ret = 1;
+err:
+	return ret;
 }
-static void tls1_generate_key_block(SSL *s, unsigned char *km,
+static int tls1_generate_key_block(SSL *s, unsigned char *km,
 	     unsigned char *tmp, int num)
 	{
-	tls1_PRF(s->s3->tmp.new_cipher->algorithm2,
+	int ret;
+	ret = tls1_PRF(s->s3->tmp.new_cipher->algorithm2,
 		 TLS_MD_KEY_EXPANSION_CONST,TLS_MD_KEY_EXPANSION_CONST_SIZE,
 		 s->s3->server_random,SSL3_RANDOM_SIZE,
 		 s->s3->client_random,SSL3_RANDOM_SIZE,
@@ -274,6 +303,7 @@ static void tls1_generate_key_block(SSL *s, unsigned char *km,
                 }
         printf("\n");  }
 #endif    /* KSSL_DEBUG */
+	return ret;
 	}
 
 int tls1_change_cipher_state(SSL *s, int which)
@@ -461,22 +491,24 @@ printf("which = %04X\nmac key=",which);
 		/* In here I set both the read and write key/iv to the
 		 * same value since only the correct one will be used :-).
 		 */
-		tls1_PRF(s->s3->tmp.new_cipher->algorithm2,
-			 exp_label,exp_label_len,
-			 s->s3->client_random,SSL3_RANDOM_SIZE,
-			 s->s3->server_random,SSL3_RANDOM_SIZE,
-			 NULL,0,NULL,0,
-			 key,j,tmp1,tmp2,EVP_CIPHER_key_length(c));
+		if (!tls1_PRF(s->s3->tmp.new_cipher->algorithm2,
+				exp_label,exp_label_len,
+				s->s3->client_random,SSL3_RANDOM_SIZE,
+				s->s3->server_random,SSL3_RANDOM_SIZE,
+				NULL,0,NULL,0,
+				key,j,tmp1,tmp2,EVP_CIPHER_key_length(c)))
+			goto err2;
 		key=tmp1;
 
 		if (k > 0)
 			{
-			tls1_PRF(s->s3->tmp.new_cipher->algorithm2,
-				 TLS_MD_IV_BLOCK_CONST,TLS_MD_IV_BLOCK_CONST_SIZE,
-				 s->s3->client_random,SSL3_RANDOM_SIZE,
-				 s->s3->server_random,SSL3_RANDOM_SIZE,
-				 NULL,0,NULL,0,
-				 empty,0,iv1,iv2,k*2);
+			if (!tls1_PRF(s->s3->tmp.new_cipher->algorithm2,
+					TLS_MD_IV_BLOCK_CONST,TLS_MD_IV_BLOCK_CONST_SIZE,
+					s->s3->client_random,SSL3_RANDOM_SIZE,
+					s->s3->server_random,SSL3_RANDOM_SIZE,
+					NULL,0,NULL,0,
+					empty,0,iv1,iv2,k*2))
+				goto err2;
 			if (client_write)
 				iv=iv1;
 			else
@@ -518,12 +550,13 @@ err2:
 
 int tls1_setup_key_block(SSL *s)
 	{
-	unsigned char *p1,*p2;
+	unsigned char *p1,*p2=NULL;
 	const EVP_CIPHER *c;
 	const EVP_MD *hash;
 	int num;
 	SSL_COMP *comp;
 	int mac_type= NID_undef,mac_secret_size=0;
+	int ret=0;
 
 #ifdef KSSL_DEBUG
 	printf ("tls1_setup_key_block()\n");
@@ -548,13 +581,19 @@ int tls1_setup_key_block(SSL *s)
 	ssl3_cleanup_key_block(s);
 
 	if ((p1=(unsigned char *)OPENSSL_malloc(num)) == NULL)
+		{
+		SSLerr(SSL_F_TLS1_SETUP_KEY_BLOCK,ERR_R_MALLOC_FAILURE);
 		goto err;
-	if ((p2=(unsigned char *)OPENSSL_malloc(num)) == NULL)
-		goto err;
+		}
 
 	s->s3->tmp.key_block_length=num;
 	s->s3->tmp.key_block=p1;
 
+	if ((p2=(unsigned char *)OPENSSL_malloc(num)) == NULL)
+		{
+		SSLerr(SSL_F_TLS1_SETUP_KEY_BLOCK,ERR_R_MALLOC_FAILURE);
+		goto err;
+		}
 
 #ifdef TLS_DEBUG
 printf("client random\n");
@@ -564,9 +603,8 @@ printf("server random\n");
 printf("pre-master\n");
 { int z; for (z=0; z<s->session->master_key_length; z++) printf("%02X%c",s->session->master_key[z],((z+1)%16)?' ':'\n'); }
 #endif
-	tls1_generate_key_block(s,p1,p2,num);
-	OPENSSL_cleanse(p2,num);
-	OPENSSL_free(p2);
+	if (!tls1_generate_key_block(s,p1,p2,num))
+		goto err;
 #ifdef TLS_DEBUG
 printf("\nkey block\n");
 { int z; for (z=0; z<num; z++) printf("%02X%c",p1[z],((z+1)%16)?' ':'\n'); }
@@ -591,10 +629,14 @@ printf("\nkey block\n");
 			}
 		}
 		
-	return(1);
+	ret = 1;
 err:
-	SSLerr(SSL_F_TLS1_SETUP_KEY_BLOCK,ERR_R_MALLOC_FAILURE);
-	return(0);
+	if (p2)
+		{
+		OPENSSL_cleanse(p2,num);
+		OPENSSL_free(p2);
+		}
+	return(ret);
 	}
 
 int tls1_enc(SSL *s, int send)
@@ -822,10 +864,11 @@ int tls1_final_finish_mac(SSL *s,
 			}
 		}
 		
-	tls1_PRF(s->s3->tmp.new_cipher->algorithm2,
-		 str,slen, buf,(int)(q-buf), NULL,0, NULL,0, NULL,0,
-		 s->session->master_key,s->session->master_key_length,
-		 out,buf2,sizeof buf2);
+	if (!tls1_PRF(s->s3->tmp.new_cipher->algorithm2,
+			str,slen, buf,(int)(q-buf), NULL,0, NULL,0, NULL,0,
+			s->session->master_key,s->session->master_key_length,
+			out,buf2,sizeof buf2))
+		err = 1;
 	EVP_MD_CTX_cleanup(&ctx);
 
 	if (err)

test/cms-test.pl

@@ -54,8 +54,12 @@
 # OpenSSL PKCS#7 and CMS implementations.
 
 my $ossl_path;
-
-if ( -f "../apps/openssl$ENV{EXE_EXT}" ) {
+my $redir = " 2>cms.err 1>cms.out";
+# Make MSYS work
+if ( $^O eq "MSWin32" && -f "../apps/openssl.exe" ) {
+    $ossl_path = "cmd /c ..\\apps\\openssl";
+}
+elsif ( -f "../apps/openssl$ENV{EXE_EXT}" ) {
     $ossl_path = "../util/shlib_wrap.sh ../apps/openssl";
 }
 elsif ( -f "..\\out32dll\\openssl.exe" ) {
@@ -382,14 +386,14 @@ sub run_smime_tests {
 		$rscmd =~ s/-stream//;	
 		$rvcmd =~ s/-stream//;
 		}
-        system("$scmd$rscmd 2>cms.err 1>cms.out");
+        system("$scmd$rscmd$redir");
         if ($?) {
             print "$tnam: generation error\n";
             $$rv++;
             exit 1 if $halt_err;
             next;
         }
-        system("$vcmd$rvcmd 2>cms.err 1>cms.out");
+        system("$vcmd$rvcmd$redir");
         if ($?) {
             print "$tnam: verify error\n";
             $$rv++;

test/maketests.com

@@ -42,34 +42,20 @@ $! (That is, If Wee Need To Link To One.)
 $!
 $ TCPIP_LIB = ""
 $!
-$! Check What Architecture We Are Using.
+$! Check Which Architecture We Are Using.
 $!
-$ IF (F$GETSYI("CPU").LT.128)
-$ THEN
+$ if (f$getsyi( "HW_MODEL") .lt. 1024)
+$ then
+$    arch = "VAX"
+$ else
+$    arch = ""
+$    arch = arch+ f$edit( f$getsyi( "ARCH_NAME"), "UPCASE")
+$    if (arch .eqs. "") then arch = "UNK"
+$ endif
 $!
-$!  The Architecture Is VAX.
-$!
-$   ARCH := VAX
-$!
-$! Else...
-$!
-$ ELSE
-$!
-$!  The Architecture Is Alpha, IA64 or whatever comes in the future.
-$!
-$   ARCH = F$EDIT( F$GETSYI( "ARCH_NAME"), "UPCASE")
-$   IF (ARCH .EQS. "") THEN ARCH = "UNK"
-$!
-$! End The Architecture Check.
-$!
-$ ENDIF
-$!
-$! Define The OBJ Directory.
+$! Define The OBJ and EXE Directories (EXE before CHECK_OPTIONS).
 $!
 $ OBJ_DIR := SYS$DISK:[-.'ARCH'.OBJ.TEST]
-$!
-$! Define The EXE Directory.
-$!
 $ EXE_DIR := SYS$DISK:[-.'ARCH'.EXE.TEST]
 $!
 $! Check To Make Sure We Have Valid Command Line Parameters.
@@ -82,7 +68,7 @@ $ GOSUB INITIALISE
 $!
 $! Tell The User What Kind of Machine We Run On.
 $!
-$ WRITE SYS$OUTPUT "Compiling On A ",ARCH," Machine."
+$ WRITE SYS$OUTPUT "Compiling On ''ARCH'."
 $!
 $! Define The CRYPTO-LIB We Are To Use.
 $!
@@ -92,31 +78,12 @@ $! Define The SSL We Are To Use.
 $!
 $ SSL_LIB := SYS$DISK:[-.'ARCH'.EXE.SSL]LIBSSL.OLB
 $!
-$! Check To See If The Architecture Specific OBJ Directory Exists.
+$! Create the OBJ and EXE Directories, if needed.
 $!
-$ IF (F$PARSE(OBJ_DIR).EQS."")
-$ THEN
-$!
-$!  The EXE Directory Dosen't Exist, So Create It.
-$!
-$   CREATE/DIRECTORY 'OBJ_DIR'
-$!
-$! End The Architecture Specific OBJ Directory Check.
-$!
-$ ENDIF
-$!
-$! Check To See If The Architecture Specific EXE Directory Exists.
-$!
-$ IF (F$PARSE(EXE_DIR).EQS."")
-$ THEN
-$!
-$!  The EXE Directory Dosen't Exist, So Create It.
-$!
-$   CREATE/DIRECTORY 'EXE_DIR'
-$!
-$! End The Architecture Specific EXE Directory Check.
-$!
-$ ENDIF
+$ IF (F$PARSE(OBJ_DIR).EQS."") THEN -
+   CREATE /DIRECTORY 'OBJ_DIR'
+$ IF (F$PARSE(EXE_DIR).EQS."") THEN -
+   CREATE /DIRECTORY 'EXE_DIR'
 $!
 $! Check To See If We Have The Proper Libraries.
 $!
@@ -140,12 +107,46 @@ $ TEST_FILES = "BNTEST,ECTEST,ECDSATEST,ECDHTEST,IDEATEST,"+ -
 	       "BFTEST,CASTTEST,SSLTEST,EXPTEST,DSATEST,RSA_TEST,"+ -
 	       "EVP_TEST,JPAKETEST"
 $! Should we add MTTEST,PQ_TEST,LH_TEST,DIVTEST,TABTEST as well?
-$
+$!
+$! Additional directory information.
+$ T_D_BNTEST     := [-.crypto.bn]
+$ T_D_ECTEST     := [-.crypto.ec]
+$ T_D_ECDSATEST  := [-.crypto.ecdsa]
+$ T_D_ECDHTEST   := [-.crypto.ecdh]
+$ T_D_IDEATEST   := [-.crypto.idea]
+$ T_D_MD2TEST    := [-.crypto.md2]
+$ T_D_MD4TEST    := [-.crypto.md4]
+$ T_D_MD5TEST    := [-.crypto.md5]
+$ T_D_HMACTEST   := [-.crypto.hmac]
+$ T_D_WP_TEST    := [-.crypto.whrlpool]
+$ T_D_RC2TEST    := [-.crypto.rc2]
+$ T_D_RC4TEST    := [-.crypto.rc4]
+$ T_D_RC5TEST    := [-.crypto.rc5]
+$ T_D_DESTEST    := [-.crypto.des]
+$ T_D_SHATEST    := [-.crypto.sha]
+$ T_D_SHA1TEST   := [-.crypto.sha]
+$ T_D_SHA256T    := [-.crypto.sha]
+$ T_D_SHA512T    := [-.crypto.sha]
+$ T_D_MDC2TEST   := [-.crypto.mdc2]
+$ T_D_RMDTEST    := [-.crypto.ripemd]
+$ T_D_RANDTEST   := [-.crypto.rand]
+$ T_D_DHTEST     := [-.crypto.dh]
+$ T_D_ENGINETEST := [-.crypto.engine]
+$ T_D_BFTEST     := [-.crypto.bf]
+$ T_D_CASTTEST   := [-.crypto.cast]
+$ T_D_SSLTEST    := [-.ssl]
+$ T_D_EXPTEST    := [-.crypto.bn]
+$ T_D_DSATEST    := [-.crypto.dsa]
+$ T_D_RSA_TEST   := [-.crypto.rsa]
+$ T_D_EVP_TEST   := [-.crypto.evp]
+$ T_D_JPAKETEST  := [-.crypto.jpake]
+$ T_D_IGETEST    := [-.test]
+$!
 $ TCPIP_PROGRAMS = ",,"
 $ IF COMPILER .EQS. "VAXC" THEN -
      TCPIP_PROGRAMS = ",SSLTEST,"
 $!
-$!  Define A File Counter And Set It To "0".
+$! Define A File Counter And Set It To "0".
 $!
 $ FILE_COUNTER = 0
 $!
@@ -167,7 +168,7 @@ $ FILE_COUNTER = FILE_COUNTER + 1
 $!
 $! Create The Source File Name.
 $!
-$ SOURCE_FILE = "SYS$DISK:[]" + FILE_NAME + ".C"
+$ SOURCE_FILE = "SYS$DISK:" + T_D_'FILE_NAME' + FILE_NAME + ".C"
 $!
 $! Create The Object File Name.
 $!
@@ -201,9 +202,7 @@ $!
 $! Compile The File.
 $!
 $ ON ERROR THEN GOTO NEXT_FILE
-$ CC/OBJECT='OBJECT_FILE' /PREFIX=ALL -
-    /INCLUDE=(SYS$DISK:[-],SYS$DISK:[-.CRYPTO],SYS$DISK:[-.CRYPTO.X509V3],SYS$DISK:[-.INCLUDE.OPENSSL]) - 
-    'SOURCE_FILE'
+$ CC /OBJECT='OBJECT_FILE' 'SOURCE_FILE'
 $ ON WARNING THEN GOTO NEXT_FILE
 $!
 $! Check If What We Are About To Compile Works Without A TCP/IP Library.
@@ -213,7 +212,8 @@ $ THEN
 $!
 $!  Inform The User That A TCP/IP Library Is Needed To Compile This Program.
 $!
-$   WRITE SYS$OUTPUT FILE_NAME," Needs A TCP/IP Library.  Can't Link.  Skipping..."
+$   WRITE SYS$OUTPUT -
+	  FILE_NAME," Needs A TCP/IP Library.  Can't Link.  Skipping..."
 $   GOTO NEXT_FILE
 $!
 $! End The TCP/IP Library Check.
@@ -228,10 +228,12 @@ $ THEN
 $!
 $!  Don't Link With The RSAREF Routines And TCP/IP Library.
 $!
-$   LINK/'DEBUGGER'/'TRACEBACK' /EXE='EXE_FILE' -
+$   LINK /'DEBUGGER' /'TRACEBACK' /EXECTABLE = 'EXE_FILE' -
 	'OBJECT_FILE', -
-        'SSL_LIB'/LIBRARY,'CRYPTO_LIB'/LIBRARY, -
-        'TCPIP_LIB','OPT_FILE'/OPTION
+	'SSL_LIB' /LIBRARY, -
+	'CRYPTO_LIB' /LIBRARY, -
+	'TCPIP_LIB', -
+	'OPT_FILE' /OPTIONS
 $!
 $! Else...
 $!
@@ -239,10 +241,11 @@ $ ELSE
 $!
 $!  Don't Link With The RSAREF Routines And Link With A TCP/IP Library.
 $!
-$   LINK/'DEBUGGER'/'TRACEBACK' /EXE='EXE_FILE' -
+$   LINK /'DEBUGGER' /'TRACEBACK' /EXECUTABLE = 'EXE_FILE' -
 	'OBJECT_FILE', -
-        'SSL_LIB'/LIBRARY,'CRYPTO_LIB'/LIBRARY, -
-        'OPT_FILE'/OPTION
+	'SSL_LIB' /LIBRARY, -
+	'CRYPTO_LIB' /LIBRARY, -
+	'OPT_FILE' /OPTIONS
 $!
 $! End The TCP/IP Library Check.
 $!
@@ -281,10 +284,10 @@ $!
 $     CREATE 'OPT_FILE'
 $DECK
 !
-! Default System Options File To Link Agianst 
+! Default System Options File To Link Against 
 ! The Sharable VAX C Runtime Library.
 !
-SYS$SHARE:VAXCRTL.EXE/SHARE
+SYS$SHARE:VAXCRTL.EXE /SHAREABLE
 $EOD
 $!
 $!  End The Option File Check.
@@ -313,8 +316,8 @@ $DECK
 ! Default System Options File To Link Agianst 
 ! The Sharable C Runtime Library.
 !
-GNU_CC:[000000]GCCLIB/LIBRARY
-SYS$SHARE:VAXCRTL/SHARE
+GNU_CC:[000000]GCCLIB.OLB /LIBRARY
+SYS$SHARE:VAXCRTL.EXE /SHAREABLE
 $EOD
 $!
 $!  End The Option File Check.
@@ -348,7 +351,7 @@ $DECK
 ! Default System Options File To Link Agianst 
 ! The Sharable DEC C Runtime Library.
 !
-SYS$SHARE:DECC$SHR.EXE/SHARE
+SYS$SHARE:DECC$SHR.EXE /SHAREABLE
 $EOD
 $!
 $!    Else...
@@ -363,8 +366,8 @@ $DECK
 ! Default System Options File For non-VAX To Link Agianst 
 ! The Sharable C Runtime Library.
 !
-SYS$SHARE:CMA$OPEN_LIB_SHR/SHARE
-SYS$SHARE:CMA$OPEN_RTL/SHARE
+SYS$SHARE:CMA$OPEN_LIB_SHR.EXE /SHAREABLE
+SYS$SHARE:CMA$OPEN_RTL.EXE /SHAREABLE
 $EOD
 $!
 $!    End The DEC C Option File Check.
@@ -622,9 +625,9 @@ $!    Use DECC...
 $!
 $     CC = "CC"
 $     IF ARCH.EQS."VAX" .AND. F$TRNLNM("DECC$CC_DEFAULT").NES."/DECC" -
-	 THEN CC = "CC/DECC"
-$     CC = CC + "/''CC_OPTIMIZE'/''DEBUGGER'/STANDARD=ANSI89" + -
-           "/NOLIST/PREFIX=ALL" + -
+	 THEN CC = "CC /DECC"
+$     CC = CC + "/''CC_OPTIMIZE' /''DEBUGGER' /STANDARD=ANSI89" + -
+           "/NOLIST /PREFIX=ALL" + -
 	   "/INCLUDE=(SYS$DISK:[-],SYS$DISK:[-.CRYPTO])" + CCEXTRAFLAGS
 $!
 $!    Define The Linker Options File Name.
@@ -656,14 +659,14 @@ $     THEN
 $	WRITE SYS$OUTPUT "There is no VAX C on ''ARCH'!"
 $	EXIT
 $     ENDIF
-$     IF F$TRNLNM("DECC$CC_DEFAULT").EQS."/DECC" THEN CC = "CC/VAXC"
-$     CC = CC + "/''CC_OPTIMIZE'/''DEBUGGER'/NOLIST" + -
+$     IF F$TRNLNM("DECC$CC_DEFAULT").EQS."/DECC" THEN CC = "CC /VAXC"
+$     CC = CC + "/''CC_OPTIMIZE' /''DEBUGGER' /NOLIST" + -
 	   "/INCLUDE=(SYS$DISK:[-],SYS$DISK:[-.CRYPTO])" + CCEXTRAFLAGS
 $     CCDEFS = CCDEFS + ",""VAXC"""
 $!
 $!    Define <sys> As SYS$COMMON:[SYSLIB]
 $!
-$     DEFINE/NOLOG SYS SYS$COMMON:[SYSLIB]
+$     DEFINE /NOLOG SYS SYS$COMMON:[SYSLIB]
 $!
 $!    Define The Linker Options File Name.
 $!
@@ -688,7 +691,7 @@ $     WRITE SYS$OUTPUT "Using GNU 'C' Compiler."
 $!
 $!    Use GNU C...
 $!
-$     CC = "GCC/NOCASE_HACK/''GCC_OPTIMIZE'/''DEBUGGER'/NOLIST" + -
+$     CC = "GCC /NOCASE_HACK /''GCC_OPTIMIZE' /''DEBUGGER' /NOLIST" + -
 	   "/INCLUDE=(SYS$DISK:[-],SYS$DISK:[-.CRYPTO])" + CCEXTRAFLAGS
 $!
 $!    Define The Linker Options File Name.
@@ -723,7 +726,7 @@ $   CC = CC + "/DEFINE=(" + CCDEFS + ")" + CCDISABLEWARNINGS
 $!
 $!  Show user the result
 $!
-$   WRITE/SYMBOL SYS$OUTPUT "Main Compiling Command: ",CC
+$   WRITE /SYMBOL SYS$OUTPUT "Main Compiling Command: ", CC
 $!
 $!  Else The User Entered An Invalid Arguement.
 $!
@@ -757,7 +760,7 @@ $   THEN
 $!
 $!    Set the library to use SOCKETSHR
 $!
-$     TCPIP_LIB = "SYS$DISK:[-.VMS]SOCKETSHR_SHR.OPT/OPT"
+$     TCPIP_LIB = "SYS$DISK:[-.VMS]SOCKETSHR_SHR.OPT /OPTIONS"
 $!
 $!    Done with SOCKETSHR
 $!
@@ -768,7 +771,7 @@ $!
 $   IF P3.EQS."MULTINET"
 $   THEN
 $!
-$!    Set the library to use UXC emulation.
+$!    Set the library to use UCX emulation.
 $!
 $     P3 = "UCX"
 $!
@@ -783,13 +786,13 @@ $   THEN
 $!
 $!    Set the library to use UCX.
 $!
-$     TCPIP_LIB = "SYS$DISK:[-.VMS]UCX_SHR_DECC.OPT/OPT"
+$     TCPIP_LIB = "SYS$DISK:[-.VMS]UCX_SHR_DECC.OPT /OPTIONS"
 $     IF F$TRNLNM("UCX$IPC_SHR") .NES. ""
 $     THEN
-$       TCPIP_LIB = "SYS$DISK:[-.VMS]UCX_SHR_DECC_LOG.OPT/OPT"
+$       TCPIP_LIB = "SYS$DISK:[-.VMS]UCX_SHR_DECC_LOG.OPT /OPTIONS"
 $     ELSE
 $       IF COMPILER .NES. "DECC" .AND. ARCH .EQS. "VAX" THEN -
-	  TCPIP_LIB = "SYS$DISK:[-.VMS]UCX_SHR_VAXC.OPT/OPT"
+	  TCPIP_LIB = "SYS$DISK:[-.VMS]UCX_SHR_VAXC.OPT /OPTIONS"
 $     ENDIF
 $!
 $!    Done with UCX
@@ -803,7 +806,7 @@ $   THEN
 $!
 $!    Set the library to use TCPIP (post UCX).
 $!
-$     TCPIP_LIB = "SYS$DISK:[-.VMS]TCPIP_SHR_DECC.OPT/OPT"
+$     TCPIP_LIB = "SYS$DISK:[-.VMS]TCPIP_SHR_DECC.OPT /OPTIONS"
 $!
 $!    Done with TCPIP
 $!
@@ -901,7 +904,7 @@ $ __INCLUDE = __TOP + "INCLUDE.OPENSSL]"
 $!
 $! Set up the logical name OPENSSL to point at the include directory
 $!
-$ DEFINE OPENSSL/NOLOG '__INCLUDE'
+$ DEFINE OPENSSL /NOLOG '__INCLUDE'
 $!
 $! Done
 $!
@@ -915,7 +918,7 @@ $ IF __SAVE_OPENSSL .EQS. ""
 $ THEN
 $   DEASSIGN OPENSSL
 $ ELSE
-$   DEFINE/NOLOG OPENSSL '__SAVE_OPENSSL'
+$   DEFINE /NOLOG OPENSSL '__SAVE_OPENSSL'
 $ ENDIF
 $!
 $! Done

tools/c_rehash.in

@@ -7,6 +7,7 @@
 my $openssl;
 
 my $dir;
+my $prefix;
 
 if(defined $ENV{OPENSSL}) {
 	$openssl = $ENV{OPENSSL};
@@ -24,7 +25,7 @@ if (defined(&Cwd::getcwd)) {
 }
 my $path_delim = ($pwd =~ /^[a-z]\:/i) ? ';' : ':'; # DOS/Win32 or Unix delimiter?
 
-$ENV{PATH} .= "$path_delim$dir/bin";
+$ENV{PATH} = "$prefix/bin" . ($ENV{PATH} ? $path_delim . $ENV{PATH} : ""); # prefix our path
 
 if(! -x $openssl) {
 	my $found = 0;

util/libeay.num

@@ -3752,7 +3752,7 @@ TS_REQ_set_policy_id                    4138	EXIST::FUNCTION:
 d2i_TS_RESP_fp                          4139	EXIST::FUNCTION:
 ENGINE_get_pkey_asn1_meth_engine        4140	EXIST:!VMS:FUNCTION:ENGINE
 ENGINE_get_pkey_asn1_meth_eng           4140	EXIST:VMS:FUNCTION:ENGINE
-WHIRLPOOL_Init                          4141	EXIST::FUNCTION:WHIRLPOOL
+WHIRLPOOL_Init                          4141	EXIST:!VMSVAX:FUNCTION:WHIRLPOOL
 TS_RESP_set_status_info                 4142	EXIST::FUNCTION:
 EVP_PKEY_keygen                         4143	EXIST::FUNCTION:
 EVP_DigestSignInit                      4144	EXIST::FUNCTION:
@@ -3761,7 +3761,7 @@ TS_REQ_dup                              4146	EXIST::FUNCTION:
 GENERAL_NAME_dup                        4147	EXIST::FUNCTION:
 ASN1_SEQUENCE_ANY_it                    4148	EXIST:!EXPORT_VAR_AS_FUNCTION:VARIABLE:
 ASN1_SEQUENCE_ANY_it                    4148	EXIST:EXPORT_VAR_AS_FUNCTION:FUNCTION:
-WHIRLPOOL                               4149	EXIST::FUNCTION:WHIRLPOOL
+WHIRLPOOL                               4149	EXIST:!VMSVAX:FUNCTION:WHIRLPOOL
 X509_STORE_get1_crls                    4150	EXIST::FUNCTION:
 ENGINE_get_pkey_asn1_meth               4151	EXIST::FUNCTION:ENGINE
 EVP_PKEY_asn1_new                       4152	EXIST::FUNCTION:
@@ -3812,7 +3812,7 @@ DSO_global_lookup                       4195	EXIST::FUNCTION:
 TS_CONF_set_tsa_name                    4196	EXIST::FUNCTION:
 i2d_ASN1_SET_ANY                        4197	EXIST::FUNCTION:
 ENGINE_load_gost                        4198	EXIST::FUNCTION:ENGINE,GOST,STATIC_ENGINE
-WHIRLPOOL_BitUpdate                     4199	EXIST::FUNCTION:WHIRLPOOL
+WHIRLPOOL_BitUpdate                     4199	EXIST:!VMSVAX:FUNCTION:WHIRLPOOL
 ASN1_PCTX_get_flags                     4200	EXIST::FUNCTION:
 TS_TST_INFO_get_ext_by_NID              4201	EXIST::FUNCTION:
 TS_RESP_new                             4202	EXIST::FUNCTION:
@@ -3861,10 +3861,10 @@ EVP_PKEY_meth_set_sign                  4243	EXIST::FUNCTION:
 CRYPTO_THREADID_current                 4244	EXIST::FUNCTION:
 EVP_PKEY_decrypt_init                   4245	EXIST::FUNCTION:
 NETSCAPE_X509_free                      4246	EXIST::FUNCTION:
-i2b_PVK_bio                             4247	EXIST::FUNCTION:
+i2b_PVK_bio                             4247	EXIST::FUNCTION:RC4
 EVP_PKEY_print_private                  4248	EXIST::FUNCTION:
 GENERAL_NAME_get0_value                 4249	EXIST::FUNCTION:
-b2i_PVK_bio                             4250	EXIST::FUNCTION:
+b2i_PVK_bio                             4250	EXIST::FUNCTION:RC4
 ASN1_UTCTIME_adj                        4251	EXIST::FUNCTION:
 TS_TST_INFO_new                         4252	EXIST::FUNCTION:
 EVP_MD_do_all_sorted                    4253	EXIST::FUNCTION:
@@ -3975,7 +3975,7 @@ X509_PUBKEY_get0_param                  4356	EXIST::FUNCTION:
 TS_MSG_IMPRINT_dup                      4357	EXIST::FUNCTION:
 PKCS7_print_ctx                         4358	EXIST::FUNCTION:
 i2d_TS_REQ_bio                          4359	EXIST::FUNCTION:
-EVP_whirlpool                           4360	EXIST::FUNCTION:WHIRLPOOL
+EVP_whirlpool                           4360	EXIST:!VMSVAX:FUNCTION:WHIRLPOOL
 EVP_PKEY_asn1_set_param                 4361	EXIST::FUNCTION:
 EVP_PKEY_meth_set_encrypt               4362	EXIST::FUNCTION:
 ASN1_PCTX_set_flags                     4363	EXIST::FUNCTION:
@@ -3986,7 +3986,7 @@ ENGINE_register_all_pkey_meths          4367	EXIST::FUNCTION:ENGINE
 TS_RESP_CTX_set_status_info_cond        4368	EXIST:!VMS:FUNCTION:
 TS_RESP_CTX_set_stat_info_cond          4368	EXIST:VMS:FUNCTION:
 EVP_PKEY_verify                         4369	EXIST::FUNCTION:
-WHIRLPOOL_Final                         4370	EXIST::FUNCTION:WHIRLPOOL
+WHIRLPOOL_Final                         4370	EXIST:!VMSVAX:FUNCTION:WHIRLPOOL
 X509_CRL_METHOD_new                     4371	EXIST::FUNCTION:
 EVP_DigestSignFinal                     4372	EXIST::FUNCTION:
 TS_RESP_CTX_set_def_policy              4373	EXIST::FUNCTION:
@@ -4068,7 +4068,7 @@ ERR_remove_thread_state                 4445	EXIST::FUNCTION:
 EVP_PKEY_meth_add0                      4446	EXIST::FUNCTION:
 TS_TST_INFO_set_tsa                     4447	EXIST::FUNCTION:
 EVP_PKEY_meth_new                       4448	EXIST::FUNCTION:
-WHIRLPOOL_Update                        4449	EXIST::FUNCTION:WHIRLPOOL
+WHIRLPOOL_Update                        4449	EXIST:!VMSVAX:FUNCTION:WHIRLPOOL
 TS_CONF_set_accuracy                    4450	EXIST::FUNCTION:
 ASN1_PCTX_set_oid_flags                 4451	EXIST::FUNCTION:
 ESS_SIGNING_CERT_dup                    4452	EXIST::FUNCTION:
@@ -4173,6 +4173,8 @@ X509_STORE_CTX_get0_cur_issuer          4546	EXIST:VMS:FUNCTION:
 X509_issuer_name_hash_old               4547	EXIST::FUNCTION:MD5
 X509_subject_name_hash_old              4548	EXIST::FUNCTION:MD5
 EVP_CIPHER_CTX_copy                     4549	EXIST::FUNCTION:
-UI_method_get_prompt_constructor        4550	EXIST::FUNCTION:
-UI_method_set_prompt_constructor        4551	EXIST::FUNCTION:
+UI_method_get_prompt_constructor        4550	EXIST:!VMS:FUNCTION:
+UI_method_get_prompt_constructr         4550	EXIST:VMS:FUNCTION:
+UI_method_set_prompt_constructor        4551	EXIST:!VMS:FUNCTION:
+UI_method_set_prompt_constructr         4551	EXIST:VMS:FUNCTION:
 EVP_read_pw_string_min                  4552	EXIST::FUNCTION:

util/mkdef.pl

@@ -978,6 +978,12 @@ sub do_defs
 	$platform{"SHA512_Update"} = "!VMSVAX";
 	$platform{"SHA512_Final"} = "!VMSVAX";
 	$platform{"SHA512"} = "!VMSVAX";
+	$platform{"WHIRLPOOL_Init"} = "!VMSVAX";
+	$platform{"WHIRLPOOL"} = "!VMSVAX";
+	$platform{"WHIRLPOOL_BitUpdate"} = "!VMSVAX";
+	$platform{"EVP_whirlpool"} = "!VMSVAX";
+	$platform{"WHIRLPOOL_Final"} = "!VMSVAX";
+	$platform{"WHIRLPOOL_Update"} = "!VMSVAX";
 
 
 	# Info we know about

util/pl/VC-32.pl

@@ -122,21 +122,26 @@ else	# Win32
     }
 $mlflags='';
 
-$out_def="out32"; $out_def.='_$(TARGETCPU)' if ($FLAVOR =~ /CE/);
-$tmp_def="tmp32"; $tmp_def.='_$(TARGETCPU)' if ($FLAVOR =~ /CE/);
+$out_def ="out32";	$out_def.="dll"			if ($shlib);
+			$out_def.='_$(TARGETCPU)'	if ($FLAVOR =~ /CE/);
+$tmp_def ="tmp32";	$tmp_def.="dll"			if ($shlib);
+			$tmp_def.='_$(TARGETCPU)'	if ($FLAVOR =~ /CE/);
 $inc_def="inc32";
 
 if ($debug)
 	{
 	$cflags=$dbg_cflags.$base_cflags;
-	$lflags.=" /debug";
-	$mlflags.=' /debug';
 	}
 else
 	{
 	$cflags=$opt_cflags.$base_cflags;
 	}
 
+# generate symbols.pdb unconditionally
+$app_cflag.=" /Zi /Fd$tmp_def/app";
+$lib_cflag.=" /Zi /Fd$tmp_def/lib";
+$lflags.=" /debug";
+
 $obj='.obj';
 $asm_suffix='.asm';
 $ofile="/Fo";
@@ -176,18 +181,15 @@ $lfile='/out:';
 $shlib_ex_obj="";
 $app_ex_obj="setargv.obj" if ($FLAVOR !~ /CE/);
 if ($FLAVOR =~ /WIN64A/) {
-	if (`nasm -v` =~ /NASM version ([0-9]+\.[0-9]+)/ && $1 >= 2.0) {
-		$asm='nasm -f win64 -DNEAR -Ox';
-		$asm.=' -g' if $debug;
+	if (`nasm -v 2>NUL` =~ /NASM version ([0-9]+\.[0-9]+)/ && $1 >= 2.0) {
+		$asm='nasm -f win64 -DNEAR -Ox -g';
 		$afile='-o ';
 	} else {
-		$asm='ml64 /c /Cp /Cx';
-		$asm.=" /Zi" if $debug;
+		$asm='ml64 /c /Cp /Cx /Zi';
 		$afile='/Fo';
 	}
 } elsif ($FLAVOR =~ /WIN64I/) {
-	$asm='ias';
-	$asm.=" -d debug" if $debug;
+	$asm='ias -d debug';
 	$afile="-o ";
 } elsif ($nasm) {
 	my $ver=`nasm -v 2>NUL`;
@@ -197,8 +199,7 @@ if ($FLAVOR =~ /WIN64A/) {
 	$asmtype="win32n";
 	$afile='-o ';
 } else {
-	$asm='ml /nologo /Cp /coff /c /Cx';
-	$asm.=" /Zi" if $debug;
+	$asm='ml /nologo /Cp /coff /c /Cx /Zi';
 	$afile='/Fo';
 	$asmtype="win32";
 }
@@ -230,9 +231,7 @@ if (!$no_asm)
 if ($shlib && $FLAVOR !~ /CE/)
 	{
 	$mlflags.=" $lflags /dll";
-	$lib_cflag=" -D_WINDLL";
-	$out_def="out32dll";
-	$tmp_def="tmp32dll";
+	$lib_cflag.=" -D_WINDLL";
 	#
 	# Engage Applink...
 	#
@@ -262,13 +261,9 @@ elsif ($shlib && $FLAVOR =~ /CE/)
 	{
 	$mlflags.=" $lflags /dll";
 	$lflags.=' /entry:mainCRTstartup' if(defined($ENV{'PORTSDK_LIBPATH'}));
-	$lib_cflag=" -D_WINDLL -D_DLL";
-	$out_def='out32dll_$(TARGETCPU)';
-	$tmp_def='tmp32dll_$(TARGETCPU)';
+	$lib_cflag.=" -D_WINDLL -D_DLL";
 	}
 
-$cflags.=" /Fd$out_def";
-
 sub do_lib_rule
 	{
 	local($objs,$target,$name,$shlib)=@_;